Author Topic: PE Dump / PEDUMP / PE Viewer utility  (Read 8218 times)

440bx

Re: PE Dump / PEDUMP utility
« Reply #15 on: March 30, 2020, 10:21:44 am »
> Thank you! Will test that when I'm back home. :)

You're welcome.  Hopefully, it will be useful to you.

> By the way: in case you're interested and bored here is an archive containing Alpha, MIPS and PowerPC binaries. ;)

Thank you. If I ever get involved with one of those architectures, those files will come in handy.
FPC v3.0.4 and Lazarus 1.8.2 on Windows 7 64bit.

440bx

Re: PE Dump / PEDUMP utility
« Reply #16 on: May 13, 2020, 06:25:20 am »

Don't download this version; download the UPDATE (July 2022) below, which corrects a few bugs and adds capabilities not present in the version attached to this post.

UPDATE (May 2020)

Attached to this post is version 1.10 of PeBytesF, a PEDUMP/PE Viewer type of utility.

Version 1.10 (the version attached to this post) adds handling of the undocumented UWOP_EPILOG unwind code found in the exceptions directory.

It also allows for a rare case created by Borland compilers (and possibly others), where a directory of size zero (0) actually exists, i.e., is present, in a section of the PE file.

This version does not dump ARM32 and/or ARM64 PE files; it only processes PE files for the Intel/AMD architectures.  The version that handles ARM32 & ARM64 PE files is attached to the post https://forum.lazarus.freepascal.org/index.php/topic,46617.msg354933.html#msg354933

NOTE:

The ARM32 and ARM64 versions recognize the presence of an exceptions directory but, unlike v1.00 and v1.10 (both for Intel/AMD), they only display directory information, not any details about the entries contained in it.  For this reason, the handling of UWOP_EPILOG does not apply to them, since the directory is not dumped/output.

« Last Edit: August 28, 2022, 04:53:16 am by 440bx »
FPC v3.0.4 and Lazarus 1.8.2 on Windows 7 64bit.
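Added example, not code from PeBytesF or from the post above: a minimal decoder for an x64 UNWIND_INFO structure of the kind found through the exceptions directory, including the UWOP_EPILOG opcode (value 6) mentioned above. The opcode names and per-opcode slot counts are the ones used by winnt.h and the Windows unwinder; because UWOP_EPILOG is undocumented, the decoder reports its raw fields rather than interpreting them. The sample bytes are constructed for this example and were not taken from any real binary; the placement of the epilog record ahead of the prolog codes is an assumption.

```python
import struct

# x64 UNWIND_CODE opcodes. Values 6 and 7 were UWOP_SAVE_XMM / UWOP_SAVE_XMM_FAR in early
# documentation; in version 2 UNWIND_INFO they are UWOP_EPILOG / UWOP_SPARE_CODE.
UWOP_PUSH_NONVOL, UWOP_ALLOC_LARGE, UWOP_ALLOC_SMALL, UWOP_SET_FPREG = 0, 1, 2, 3
UWOP_SAVE_NONVOL, UWOP_SAVE_NONVOL_FAR, UWOP_EPILOG, UWOP_SPARE_CODE = 4, 5, 6, 7
UWOP_SAVE_XMM128, UWOP_SAVE_XMM128_FAR, UWOP_PUSH_MACHFRAME = 8, 9, 10

UWOP_NAMES = {0: "UWOP_PUSH_NONVOL", 1: "UWOP_ALLOC_LARGE", 2: "UWOP_ALLOC_SMALL",
              3: "UWOP_SET_FPREG", 4: "UWOP_SAVE_NONVOL", 5: "UWOP_SAVE_NONVOL_FAR",
              6: "UWOP_EPILOG", 7: "UWOP_SPARE_CODE", 8: "UWOP_SAVE_XMM128",
              9: "UWOP_SAVE_XMM128_FAR", 10: "UWOP_PUSH_MACHFRAME"}
# 16-bit slots consumed per opcode; UWOP_ALLOC_LARGE uses 2 or 3 depending on OpInfo.
UWOP_SLOTS = {0: 1, 1: None, 2: 1, 3: 1, 4: 2, 5: 3, 6: 2, 7: 3, 8: 2, 9: 3, 10: 1}
GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
       "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def describe_code(op, info, extra, frame_reg, frame_off):
    """Render one unwind code as the prolog instruction it describes."""
    if op == UWOP_PUSH_NONVOL:
        return f"push {GPR[info]}"
    if op == UWOP_ALLOC_LARGE:
        size = extra[0] * 8 if info == 0 else extra[0] | (extra[1] << 16)
        return f"sub rsp, {size:#x}"
    if op == UWOP_ALLOC_SMALL:
        return f"sub rsp, {info * 8 + 8:#x}"
    if op == UWOP_SET_FPREG:
        return f"lea {GPR[frame_reg]}, [rsp+{frame_off:#x}]"
    if op == UWOP_SAVE_NONVOL:
        return f"mov [rsp+{extra[0] * 8:#x}], {GPR[info]}"
    if op == UWOP_SAVE_NONVOL_FAR:
        return f"mov [rsp+{extra[0] | (extra[1] << 16):#x}], {GPR[info]}"
    if op == UWOP_EPILOG:
        # Undocumented opcode: show the raw fields instead of guessing at their meaning.
        return f"epilog record (OpInfo={info:#x}, second slot={extra[0]:#06x})"
    if op == UWOP_SPARE_CODE:
        return f"spare code (extra slots={extra})"
    if op == UWOP_SAVE_XMM128:
        return f"movaps [rsp+{extra[0] * 16:#x}], xmm{info}"
    if op == UWOP_SAVE_XMM128_FAR:
        return f"movaps [rsp+{extra[0] | (extra[1] << 16):#x}], xmm{info}"
    return f"push machine frame (error code={'yes' if info else 'no'})"


def parse_unwind_info(buf, off=0):
    """Parse an UNWIND_INFO at buf[off:], refusing malformed code arrays."""
    if off + 4 > len(buf):
        raise ValueError("UNWIND_INFO header truncated")
    b0, prolog_size, count, b3 = struct.unpack_from("<4B", buf, off)
    version, flags = b0 & 0x7, b0 >> 3          # low 3 bits version, high 5 bits flags
    frame_reg, frame_off = b3 & 0xF, (b3 >> 4) * 16
    if version not in (1, 2):
        raise ValueError(f"unsupported UNWIND_INFO version {version}")
    if off + 4 + 2 * count > len(buf):
        raise ValueError("unwind code array runs past end of buffer")
    codes, i = [], 0
    while i < count:
        base = off + 4 + 2 * i
        code_off, b = struct.unpack_from("<2B", buf, base)
        op, info = b & 0xF, b >> 4               # low nibble opcode, high nibble OpInfo
        if op not in UWOP_NAMES:
            raise ValueError(f"unknown unwind opcode {op} at slot {i}")
        slots = (2 if info == 0 else 3) if op == UWOP_ALLOC_LARGE else UWOP_SLOTS[op]
        if i + slots > count:
            raise ValueError(f"{UWOP_NAMES[op]} at slot {i} needs {slots} slots, {count - i} left")
        extra = [struct.unpack_from("<H", buf, base + 2 * k)[0] for k in range(1, slots)]
        codes.append({"offset": code_off, "op": UWOP_NAMES[op],
                      "detail": describe_code(op, info, extra, frame_reg, frame_off)})
        i += slots
    return {"version": version, "flags": flags, "prolog_size": prolog_size,
            "frame_reg": GPR[frame_reg] if frame_reg else None,
            "frame_off": frame_off, "codes": codes}


# Constructed sample (not from a real binary): version 2, 11-byte prolog, four slots.
SAMPLE_UNWIND_INFO = bytes([
    0x02, 0x0B, 0x04, 0x00,   # version 2, flags 0, SizeOfProlog 0x0B, 4 slots, no frame reg
    0x06, 0x16, 0x00, 0x00,   # UWOP_EPILOG (op 6, OpInfo 1) plus its second slot
    0x05, 0x32,               # prolog +5: UWOP_ALLOC_SMALL, OpInfo 3 -> sub rsp, 0x20
    0x01, 0x50,               # prolog +1: UWOP_PUSH_NONVOL rbp (OpInfo 5)
])
# Same header but only one slot: UWOP_EPILOG needs two, so this must be rejected.
SAMPLE_TRUNCATED = bytes([0x02, 0x0B, 0x01, 0x00, 0x06, 0x16])

if __name__ == "__main__":
    for c in parse_unwind_info(SAMPLE_UNWIND_INFO)["codes"]:
        print(f"+{c['offset']:#04x} {c['op']:<22} {c['detail']}")
    try:
        parse_unwind_info(SAMPLE_TRUNCATED)
    except ValueError as e:
        print("malformed:", e)
```

The slot check before reading each code's extra words is what keeps a hand-crafted or damaged exceptions directory from walking the parser off the end of the array; a dumper that trusts CountOfCodes without it reads whatever follows the structure.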

440bx

Re: PE Dump / PEDUMP utility
« Reply #17 on: July 30, 2022, 07:58:16 am »
UPDATE (July 2022)

Attached to this post is version 1.20 of PeBytesF, a PEDUMP/PE Viewer type of utility.

This version corrects a few bugs and adds a few capabilities.


corrected bugs

1. Sometimes the program would encounter an invalid value and internally report that it encountered an error, which caused the program to terminate early, but no indication that an error was encountered was reported.  IOW, the program reported that it had terminated normally instead of abnormally.

2. The program failed to account for the fact that some LOAD CONFIG tables _may_ include an additional byte of flags. This caused the program to encounter invalid RVAs because it included the flags byte as part of the RVA.  This caused the program to end prematurely (but no indication that a problem was found was reported upon termination; see the above bug). The output of multiple tables was affected by this bug.

3. The routine used to output the value of function pointers found in the LOAD CONFIG directory failed to account for the program's bitness.  It always considered the pointer to be a 64bit pointer, which caused an obviously incorrect 64bit pointer to be output for a 32bit PE file.

4. The program failed to account for the fact that section numbers in the COFF symbol table are 1-based. This caused an invalid pointer to be used as a section name when the COFF section was 0 (IMAGE_SYM_UNDEFINED). The program's output routines detected the bad pointer and caused a blank line to be output.


enhancements

1. Added the necessary functions to output tables that were added after Win7 in the LOAD CONFIG directory.

2. Added code to detect _some_ errors in a PE file (malformed PE files) and emit a warning when they are found.

3. Changed the formatting of some of the tables (strictly aesthetics).

4. The program has been tested with 32bit and 64bit PE files from Win XP, Win 7 SP1, Win 10 21H2 and the initial release of Win 11.


limitations

Version 2 Image dynamic relocations that may be found in the LOAD_CONFIG_DIRECTORY are not output because no AMD32/64 PE file that uses version 2 could be found.  If the program encounters a file that uses the version 2 format, it emits a warning and skips the table.


other

Most programs are dumped in fractions of a second; however, some programs, notably 64bit programs, can take as long as a little over a minute to dump.  This is because some 64bit programs include hundreds of thousands of entries in the exceptions directory _and_ some of the tables in the LOAD_CONFIG directory can also be very large (several tens of thousands of entries).  Formatting and outputting all those entries takes time.

Other programs that take more than just a few seconds to dump are those that include a large number of DWARF symbols, e.g., Lazarus.exe and gdb.exe, among large programs with a large number of debugging symbols.


This version does not dump ARM32 and/or ARM64 PE files; it only processes PE files for the Intel/AMD architectures.  The version that handles ARM32 & ARM64 PE files is attached to the post https://forum.lazarus.freepascal.org/index.php/topic,46617.msg354933.html#msg354933

Please note that the bugs in the ARM32/64 version have NOT been corrected.  This is because I don't have an extensive test suite for ARM CPUs to ensure the corrections work properly on that platform.
FPC v3.0.4 and Lazarus 1.8.2 on Windows 7 64bit.
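Added example, not code from PeBytesF or from the post above, illustrating the three LOAD CONFIG / COFF symbol table bugs listed in the "corrected bugs" section: the Guard CF function table stride that may include extra flag bytes after each RVA (the stride is taken from the top four bits of GuardFlags, as winnt.h defines it), pointer fields read with the image's bitness rather than a fixed 64 bits, and the 1-based COFF SectionNumber with its 0 / -1 / -2 special values. The table bytes, the LOAD_CONFIG fragments and the section list are constructed for this example; the image size of 0x10000 is an assumed value used only for the RVA range check.

```python
import struct

# From winnt.h: the top four bits of GuardFlags give the number of bytes that follow
# each 4-byte RVA in the Control Flow Guard function tables (the "stride" minus 4).
IMAGE_GUARD_CF_INSTRUMENTED = 0x00000100
IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT = 0x00000400
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28
IMAGE_GUARD_FLAG_FID_SUPPRESSED = 0x01        # per-entry flag in the extra byte
IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED = 0x02

# Special values of the signed 16-bit COFF symbol SectionNumber field.
IMAGE_SYM_UNDEFINED, IMAGE_SYM_ABSOLUTE, IMAGE_SYM_DEBUG = 0, -1, -2


def cf_entry_stride(guard_flags):
    """Bytes per Guard CF table entry: the RVA plus any trailing flag bytes."""
    return 4 + ((guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK)
                >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT)


def parse_guard_cf_table(table, count, stride, image_size):
    """Return [(rva, flags)] for a Guard CF function table, rejecting RVAs outside the image."""
    if stride < 4:
        raise ValueError("stride must cover at least the 4-byte RVA")
    if len(table) < count * stride:
        raise ValueError(f"table holds {len(table)} bytes, {count * stride} needed")
    entries = []
    for i in range(count):
        off = i * stride
        (rva,) = struct.unpack_from("<I", table, off)
        flags = table[off + 4] if stride > 4 else 0   # first extra byte carries the flags
        if rva >= image_size:
            raise ValueError(f"entry {i}: RVA {rva:#x} is outside the image (wrong stride?)")
        entries.append((rva, flags))
    return entries


def read_pointer(buf, off, is_64bit):
    """Read a pointer-sized LOAD_CONFIG field using the image's bitness, not the host's."""
    return struct.unpack_from("<Q" if is_64bit else "<I", buf, off)[0]


def format_pointer(value, is_64bit):
    """Print a pointer at the width of the image it came from."""
    return f"{value:#018x}" if is_64bit else f"{value:#010x}"


def symbol_section_name(section_number, section_names):
    """Map a COFF symbol's 1-based SectionNumber to a section name or a special marker."""
    if section_number == IMAGE_SYM_UNDEFINED:
        return "UNDEFINED"
    if section_number == IMAGE_SYM_ABSOLUTE:
        return "ABSOLUTE"
    if section_number == IMAGE_SYM_DEBUG:
        return "DEBUG"
    if 1 <= section_number <= len(section_names):
        return section_names[section_number - 1]     # 1-based -> 0-based index
    return f"INVALID({section_number})"


# Constructed sample data (not from a real PE file).
SAMPLE_GUARD_FLAGS = (1 << IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT) \
    | IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT   # stride 5
SAMPLE_CF_TABLE = bytes([
    0x00, 0x10, 0x00, 0x00, 0x00,                                 # RVA 0x1000, no flags
    0x10, 0x20, 0x00, 0x00, IMAGE_GUARD_FLAG_FID_SUPPRESSED,      # RVA 0x2010, FID suppressed
    0x00, 0x30, 0x00, 0x00, IMAGE_GUARD_FLAG_EXPORT_SUPPRESSED,   # RVA 0x3000, export suppressed
])
SAMPLE_IMAGE_SIZE = 0x10000                                       # assumed SizeOfImage
SAMPLE_CFG32 = struct.pack("<II", 0x00401234, 0x00405000)         # two 32-bit pointer fields
SAMPLE_CFG64 = struct.pack("<QQ", 0x7FF600401234, 0x7FF600405000) # two 64-bit pointer fields
SAMPLE_SECTIONS = [".text", ".data", ".rdata"]

if __name__ == "__main__":
    stride = cf_entry_stride(SAMPLE_GUARD_FLAGS)
    for rva, flags in parse_guard_cf_table(SAMPLE_CF_TABLE, 3, stride, SAMPLE_IMAGE_SIZE):
        print(f"CF target {rva:#010x} flags={flags:#04x}")
    try:   # the bug from the post: assume 4-byte entries and swallow the flags byte
        parse_guard_cf_table(SAMPLE_CF_TABLE, 3, 4, SAMPLE_IMAGE_SIZE)
    except ValueError as e:
        print("stride 4 fails:", e)
    print("32-bit field read correctly:", format_pointer(read_pointer(SAMPLE_CFG32, 0, False), False))
    print("32-bit field read as 64-bit:", format_pointer(read_pointer(SAMPLE_CFG32, 0, True), True))
    for n in (0, 1, 3, -1, 4):
        print(f"SectionNumber {n:>2} -> {symbol_section_name(n, SAMPLE_SECTIONS)}")
```

With the flags byte ignored, the second entry is read from bytes 4..7 as 0x201000 and the RVA range check trips immediately; that is the same symptom the post describes (invalid RVAs in multiple tables), and a dumper that does not check RVAs against SizeOfImage would instead follow the bogus value into unrelated data.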