Figuring out executable file format...

Hi!

I’m trying to figure out the Windows executable file format in order to get
file dependencies (like Dependency Walker and dumpbin do) of an executable
file.

I have found two ‘file dump’ examples in MSDN, but they don’t seem to get the
information in the same way dumpbin does. Both these examples look for .idata
section to get the import table. If a file doesn’t have it, they don’t print
it. On the other hand, dumpbin always prints import table, even if a file
doesn’t have .idata section.

Where can I find executable file format explained? I have tried searching
MSDN, but no luck.

TIA,

Marko
ICQ: 5990814

“It’s Chin Qu’s deadly sword. I’ll have to use Billy’s Jeet Kun Do style.”
– Bobby Lo

Check out these links:

http://pr0n.newhackcity.net/~sd/pewrap.html
http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html
http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/msdn_peeringpe.html

Also I have the PE specs in pdf format if you want me to send them to you

  • Matt

----- Original Message -----
From: “Marko Bozikovic”
To: “NT Developers Interest List”
Sent: Monday, October 23, 2000 12:52 PM
Subject: [ntdev] Figuring out executable file format…


Matteo Pelati wrote:

> Check out these links:
>
> http://pr0n.newhackcity.net/~sd/pewrap.html
> http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/pefile.html
> http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/msdn_peeringpe.html

Great, thanks!

> Also I have the PE specs in pdf format if you want me to send them to you

Yes, please.


Marko
ICQ: 5990814

“It’s Chin Qu’s deadly sword. I’ll have to use Billy’s Jeet Kun Do style.”
– Bobby Lo

You can find what you need in MSDN Library:

Specifications\Platforms\Microsoft Portable Executable and Common Object
File Format Specification

Hope this helps
Paul

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Marko Bozikovic
Sent: Monday, October 23, 2000 12:53 PM
To: NT Developers Interest List
Subject: [ntdev] Figuring out executable file format…


> I have found two ‘file dump’ examples in MSDN, but they don’t seem to get the
> information in the same way dumpbin does. Both these examples look for .idata
> section to get the import table. If a file doesn’t have it, they don’t print
> it. On the other hand, dumpbin always prints import table, even if a file
> doesn’t have .idata section.

Relying on .idata is wrong. The import table is described somewhere in the
PE secondary header - one of the image directory entries.
This entry contains RVAs (relative virtual addresses) for the import table.
The section table governs how RVAs are mapped to file offsets.
An RVA is an offset from the image base address to the data in the loaded
image - and the image is loaded section by section. For instance, sections
use 512-byte alignment in the file and 4K alignment in the loaded image.
A section table entry contains:

  • the start RVA of the section - “virtual address”.
  • the section length (use the raw data length field, I don’t know whether
    the virtual data length is ever used).
  • the start file offset for the section - “pointer to the raw data”.

BTW - do not rely on Explorer’s Quick View to view the PE images - rely on
DUMPBIN, the Explorer’s viewer is buggy - it sometimes truncates the 32-bit
words to 16-bit, thus losing data.

Surely, the import table does not require .idata - it can be part of any
other section like .text or .rdata. The start RVA is in image directory - it
can point to any section.

> Where can I find executable file format explained?

All necessary structures are in WINNT.H in MSVC’s include directory.
I could write the explanation myself - but I have no spare time to do this.
IIRC Matt Pietrek has already done this and his articles are on MSDN.

Max

Thank you all for your speedy answers and help :)


Marko
ICQ: 5990814

“It’s Chin Qu’s deadly sword. I’ll have to use Billy’s Jeet Kun Do style.”
– Bobby Lo

A good “one stop website” is:
http://www.wotsit.org/
This has the format for literally hundreds of file formats and much more…

Regards,

Paul Bunn, UltraBac.com, 425-644-6000
Microsoft MVP - WindowsNT/2000
http://www.ultrabac.com

-----Original Message-----
From: Matteo Pelati [mailto:xxxxx@dolce.it]
Sent: Monday, October 23, 2000 4:25 AM
To: NT Developers Interest List
Subject: [ntdev] Re: Figuring out executable file format…


“Maxim S. Shatskih” wrote:

> Relying on .idata is wrong. The import table is described somewhere in the
> PE secondary header - one of the image directory entries.
> This entry contains RVAs (relative virtual addresses) for the import table.
> The section table governs how RVAs are mapped to file offsets.

OK, I can get the headers and sections. But, how do I map an image directory
RVA to a file offset? All addresses in optional header are given relative to
image base, and I can’t find anything that will give me the connection between
a RVA and file offset…

Marko
ICQ: 5990814

“It’s Chin Qu’s deadly sword. I’ll have to use Billy’s Jeet Kun Do style.”
– Bobby Lo

> OK, I can get the headers and sections. But, how do I map an image directory
> RVA to a file offset? All addresses in optional header are given relative to
> image base, and I can’t find anything that will give me the connection between
> a RVA and file offset…

The section table gives you this. Scan all sections to find the one which
contains this RVA (the start RVA of the section is in the section record).
Then use its file offset.

Max
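A worked version of Max's two answers above (find the import table through the image directory entry rather than a section called .idata, then map each RVA to a file offset by scanning the section table), as an added example that is not code from this thread. It parses the WINNT.H structures with `struct` and runs over a constructed PE32 image whose import table sits in .rdata; the DLL names, thunk RVAs and layout of that sample image are made up for the demonstration.

```python
import struct

def rva_to_offset(sections, rva):
    """Map an RVA to (section name, file offset) by scanning the section table."""
    for name, va, vsize, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            return name, rva - va + rptr        # offset inside the section + PointerToRawData
    raise ValueError(f"RVA {rva:#x} falls outside every section")

def list_imports(data):
    """Return (section holding the import table, imported DLL names) via DataDirectory[1]."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                # DataDirectory[0]: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]       # entry 1 = import table RVA
    sections = [(n.rstrip(b"\0").decode(), va, vs, rs, rp) for n, vs, va, rs, rp in
                (struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec))]
    if imp_rva == 0:                                          # image imports nothing
        return None, []
    sec, first = rva_to_offset(sections, imp_rva)
    dlls = []
    for off in range(first, len(data) - 19, 20):              # 20-byte IMAGE_IMPORT_DESCRIPTORs
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not (oft or name_rva or ft):                       # all-zero descriptor ends the list
            break
        _, noff = rva_to_offset(sections, name_rva)           # Name is itself an RVA
        dlls.append(data[noff:data.index(b"\0", noff)].decode())
    return sec, dlls

def build_sample_pe():
    """Constructed PE32 image: imports live in .rdata, there is no .idata section."""
    img = bytearray(0x600)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x58, 0x10B)                                 # PE32 magic
    struct.pack_into("<II", img, 0x58 + 32, 0x1000, 0x200)                   # 4K / 512-byte alignment
    struct.pack_into("<I", img, 0x58 + 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 104, 0x2000, 60)                     # DataDirectory[1] = imports
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x10, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", img, 0x160, b".rdata", 0x100, 0x2000, 0x200, 0x400)
    for i, (name_rva, dll) in enumerate([(0x2040, b"KERNEL32.dll"), (0x2050, b"USER32.dll")]):
        struct.pack_into("<IIIII", img, 0x400 + 20 * i, 0x2080, 0, 0, name_rva, 0x2090)
        noff = name_rva - 0x2000 + 0x400                                     # .rdata: RVA 0x2000 -> file 0x400
        img[noff:noff + len(dll)] = dll                                      # thunk arrays left empty
    return bytes(img)
```

Running `list_imports` over a real file's bytes gives the DLL list dumpbin prints, regardless of which section the linker placed the import table in.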