PE Explorer (Work in progress)

July 16, 2016

no comments

The other day I wanted to take a look at a DLL file and see its imports, exports, resources and other interesting information. There are several tools out there that show part of this information, some of which are not free, so I thought why not create a Portable Executable (PE) Viewer for myself? If nothing else, at least to gain a better understanding of the PE format.

The PE format is called “Portable” because it’s not essentially tied to Windows and can represent files on any OS. The format has evolved over the years but still retains its backwards compatibility. The updated document can be downloaded from Microsoft (and other sources) here.

To gain some headway, I used the PEFile class available from the excellent CLRMD project on Github. This project is aimed at getting .NET/CLR info on running processes or dump files. The PEFile class is just there to support finding information on an associated PDB, but it’s useful to get the main PE header information. That said, the class is very basic and has no facilities to get imports, exports, resources and other sections that make up a PE file – but it’s a start.

Information stored in the PE file is referenced using something called Relative Virtual Addresses (RVAs), which are essentially addresses based on the Image Base address if the image file would have loaded in its preferred address. The PE Explorer loads the file as a data file, so every RVA must be converted to an offset from the start of the file. The aforementioned PEFile class retrieves a PEHeader object that has this facility built in with the RvaToFileOffset method.

Here’s a screenshot of PEExplorer that has loaded Notepad.exe:

The General tab is always there and shows information based on the PE Header, such as default stack size commit and reserve, version of linker, various flags and much more. I’ve added a search textbox at the top to help find attributes of interest faster.

On the left is a tree view of the available information. At the time of writing only Imports, Exports and Resources are extracted. The list should grow with time (my free time, that is J). Double clicking a node opens the corresponding tab. In the Notepad example, there are no exports, as notepad is an executable and not a DLL.

Here’s the imports tab:

The left list hosts all imported libraries. By selecting a library, the actual imports are shown on the right. As with the general tab, search text boxes exist. The undecorated name shows a C++ method in C++ syntax as opposed to a mangled name.

The resources tab looks like this:

The resources are shown on the left. Currently viewers exist for icons, cursors, bitmaps and strings. The list would expand in the future. All other resources are shown with a simple hex view like so:

This is just the initial version, but it already proved useful for some research I’m doing for the Windows Internals book.

The project is hosted on Github here.

A ready to run ZIP file can be downloaded from here.

Enjoy!

Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*