UPDATE (July 2022)
NOTE: download the November 2022 update (v1.30) below instead of this one.

Attached to this post is version 1.20 of PeBytesF, a PEDUMP/PE Viewer type of utility.
This version corrects a few bugs and adds a few capabilities.

corrected bugs
1. Sometimes the program would encounter an invalid value and internally report that it encountered an error, which caused the program to terminate early, but no indication that an error was encountered was reported. IOW, the program reported that it had terminated normally instead of abnormally.
2. The program failed to account for the fact that some LOAD CONFIG tables _may_ include an additional byte of flags. This caused the program to encounter invalid RVAs because it included the flags byte as part of the RVA. This caused the program to end prematurely (but no indication that a problem was found was reported upon termination; see the bug above). The output of multiple tables was affected by this bug.
3. The routine used to output the value of function pointers found in the LOAD CONFIG directory failed to account for the program's bitness. It always considered the pointer to be a 64bit pointer, which caused an obviously incorrect 64bit pointer to be output for a 32bit PE file.
4. The program failed to account for the fact that section numbers in the COFF symbol table are 1 based. This caused an invalid pointer to be used as a section name when the COFF section was 0 (IMAGE_SYM_UNDEFINED). The program's output routines detected the bad pointer and caused a blank line to be output.

enhancements
1. Added the necessary functions to output tables that were added after Win7 in the LOAD CONFIG directory.
2. Added code to detect _some_ errors in a PE file (malformed PE files) and emit a warning when they are found.
3. Changed the formatting of some of the tables (strictly aesthetics).
4. The program has been tested with 32bit and 64bit PE files from Win XP, Win 7 SP1, Win 10 21H2 and the initial release of Win 11.

limitations
Version 2 Image dynamic relocations that may be found in the LOAD_CONFIG_DIRECTORY are not output because no AMD32/64 PE file that uses version 2 could be found. If the program encounters a file that uses the version 2 format, it emits a warning and skips the table.

other
Most programs are dumped in fractions of a second; however, some programs, notably 64bit programs, can take as long as a little over a minute to dump. This is because some 64bit programs include hundreds of thousands of entries in the exceptions directory _and_ some of the tables in the LOAD_CONFIG directory can also be very large (several tens of thousands of entries). Formatting and outputting all those entries takes time.
Other programs that take more than just a few seconds to dump are those that include a large number of DWARF symbols, e.g., Lazarus.exe and gdb.exe, among large programs with a large number of debugging symbols.

This version does not dump ARM32 and/or ARM64 PE files; it only processes PE files for the Intel/AMD architectures. The version that handles ARM32 & ARM64 PE files is attached to the post
https://forum.lazarus.freepascal.org/index.php/topic,46617.msg354933.html#msg354933
Please note that the bugs in the ARM32/64 version have NOT been corrected. This is because I don't have an extensive test suite for ARM CPUs to ensure the corrections work properly on that platform.
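
The two format details behind corrected bugs 2 and 4, as an added Python example that is not part of the original post and is not PeBytesF's own code. It assumes the documented PE/COFF layout: the constant names come from winnt.h, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Constants from winnt.h (PE/COFF format); they do not appear in the post itself.
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK = 0xF0000000
IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT = 28
SPECIAL_SECTIONS = {0: "IMAGE_SYM_UNDEFINED", -1: "IMAGE_SYM_ABSOLUTE", -2: "IMAGE_SYM_DEBUG"}

def guard_table_entries(table, count, guard_flags):
    """Return [(rva, extra_bytes)], using the per-entry stride encoded in GuardFlags."""
    extra = (guard_flags & IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK) >> IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_SHIFT
    stride = 4 + extra  # 4-byte RVA plus 0..15 extra bytes (the flags byte)
    if count * stride > len(table):
        raise ValueError("malformed PE: guard table extends past available data")
    entries = []
    for i in range(count):
        off = i * stride
        (rva,) = struct.unpack_from("<I", table, off)
        entries.append((rva, table[off + 4:off + stride]))
    return entries

def naive_rvas(table, count):
    """The failure mode: assume 4-byte entries, so flag bytes leak into the RVAs."""
    return list(struct.unpack_from("<%dI" % count, table))

def section_name(section_number, names):
    """Resolve a COFF symbol's signed, 1-based SectionNumber to a section name."""
    if section_number in SPECIAL_SECTIONS:
        return SPECIAL_SECTIONS[section_number]  # 0, -1, -2 are not table indexes
    if not 1 <= section_number <= len(names):
        raise ValueError("malformed PE: section number %d out of range" % section_number)
    return names[section_number - 1]

# Constructed sample data (not taken from any real file).
SAMPLE_FLAGS = 0x10000500  # stride field = 1 extra byte per entry
SAMPLE_TABLE = b"".join(struct.pack("<IB", rva, flag)
                        for rva, flag in [(0x1000, 0), (0x1040, 2), (0x2000, 0)])

if __name__ == "__main__":
    print([hex(r) for r, _ in guard_table_entries(SAMPLE_TABLE, 3, SAMPLE_FLAGS)])
    print([hex(r) for r in naive_rvas(SAMPLE_TABLE, 3)])
    print(section_name(0, [".text", ".data"]), section_name(1, [".text", ".data"]))
```

The naive reader gets the first RVA right and then drifts by one byte per entry, which is why a dumper with this defect only trips on an invalid RVA some way into the table.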