Exe File Structure Dumper

/*


                    Program to dump the PE,DOS headers and Hex Dump of particular section
                                                                        Sat 03/24/2007
                                                                            by
                                                                    K.Vineel Kumar Reddy
                                                                        In VC++ 6.0


                    ref : http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
                    tools used : Hiew



                  BRIEF VIEW OF PE FILE
               
                .----------------------.
                |                      |
                |    Other stuff not   |
                |    touched in this   |
                |    program           |
                |                      |
                |----------------------|
                |                      |
                | Various Section like |
                |        .....         |
                |        .....         |
        .------>|       .reloc         |
        | .---->|       .idata         |
        | | .-->|       .data          |
        | | | .>|       .text          |
        | | | | |----------------------|
        '-|-|-|-|                      | <--- Each entry in section table has a pointer
          '-|-|-|         Section      |      offset to the actual section
            '-|-|     Header or Table  |
              '-|                      |      ---.----------------.
                |----------------------|-----/   |   PE Optional  |  1) ImageBase
                |                      |         |    Header      |
                |                      |         |                |
                |        NT Headers    |         |----------------|
                |                      |         |     COFF/PE    |  1) NumberOfSections
                |                      |         |   Header Info  |  2) SizeOfOptionalHeader
                |----------------------|-----    |----------------|
                |         UNUSED       |     \   |   PE Signature |
                |----------------------|      ---'----------------'
                |      MS-DOS stub     |
                |----------------------|
                |         UNUSED       |
                |----------------------|
                |     MS-DOS Header    | <-- Here at 0x3c location we have the offset of NT Header
                '----------------------'


Structures related to these exe headers
---------------------------------------
1)   MS-DOS Header   ---> IMAGE_DOS_HEADER
2)   NT Header       ---> IMAGE_NT_HEADERS --->contains
                                           --->IMAGE_FILE_HEADER dealing with COFF/PE Header
                                           --->IMAGE_OPTIONAL_HEADER dealing with Optional PE Header

3)   Section Table   ---> IMAGE_SECTION_HEADER

Key Points
----------

  dosHeader = Memory mapped base address
  ntHeader = (IMAGE_NT_HEADER)((DWORD)dosHeader + dosHeader->e_lfanew)
  sectionHeader = (IMAGE_SECTION_HEADER)((DWORD)ntHeader + OFFSET(OptionalHeader) + sizeof(OptionalHeader))
  each section = (char *)((DWORD)dosHeader + sectionHeader.PointerToRawData)


                                                                        ASCII ART by
                                                                         Vineel :)

*/
#include <windows.h>
#include <tchar.h>

#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
  90.  
/* Print the command-line usage summary to stdout. */
void Help()
{
    fputs("\nUsage \ntest <path to exe file> [ -h <section> ]\n", stdout);
}
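/*
 * Print a hex/ASCII dump of `size` bytes starting at `p`, 16 bytes per row.
 *
 * Row layout: the row address (secAddress plus the byte offset, as %x),
 * then each byte as two hex digits in a three-column cell with a '|'
 * closing every group of four, then the ASCII column. Only printable
 * 7-bit characters (0x20..0x7e) are echoed in the ASCII column; every
 * other byte, including 0x1b and the 0x80..0xff range, is shown as '.'.
 * The caller hands in a pointer straight into the mapped image, i.e. file
 * content of unknown origin, so nothing else reaches the terminal verbatim.
 * A partial final row is padded so the ASCII column stays aligned (the
 * previous padding loop was one cell short and omitted the group gaps).
 *
 * Output is narrow-character only. The previous version interleaved
 * _putws() with printf() on stdout, which ISO C leaves undefined once the
 * stream has taken an orientation, and it also emitted a spurious padded
 * row whenever size was a multiple of 16.
 *
 *   p          first byte to dump; must point to at least `size` readable
 *              bytes (not NUL-terminated). It is never written through.
 *   size       number of bytes to dump; for size <= 0 only the address
 *              line is printed.
 *   secAddress address shown for the first row; advanced in unsigned
 *              arithmetic so a dump near the top of the range wraps instead
 *              of overflowing a signed int.
 */
void HexDump(char * p ,int size,int secAddress)
{
    char text[17];                       /* 16 ASCII cells + NUL */
    unsigned addr = (unsigned)secAddress;
    int i, col, used;

    printf("\n\n%x: |", addr);
    if (size <= 0) {
        putchar('\n');
        return;
    }

    for (i = 0; i < size; i++) {
        unsigned char c = (unsigned char)p[i];
        col = i % 16;

        text[col] = isprint(c) ? (char)c : '.';
        printf("%-3.2x", c);
        if (col % 4 == 3) {
            printf("|");
        }
        if (col == 15) {
            text[16] = '\0';
            printf(" %s\n", text);
            if (i + 1 < size) {
                addr += 16;
                printf("%x: |", addr);
            }
        }
    }

    /* Pad a partial final row: three blanks per missing byte cell and one
     * blank where a group separator would have stood. */
    used = size % 16;
    if (used != 0) {
        text[used] = '\0';
        for (col = used; col < 16; col++) {
            printf("   ");
            if (col % 4 == 3) {
                printf(" ");
            }
        }
        printf(" %s\n", text);
    }
}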
  124.  
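/* Print the author banner shown after every run. The original built it
 * from backslash-newline continuations inside one string literal, which
 * joins the pieces without any '\n'; the intended line breaks are restored. */
static void PrintCredits(void)
{
    printf("\n\n"
           "                            This Program is written by\n"
           "                            K.Vineel Kumar Reddy.\n"
           "                                    III/IV IT\n"
           "                            Gayathri Vidya Parishad college of Eng.\n"
           "\n\n");
}

/* Dump every IMAGE_DOS_HEADER field. The caller has already verified that
 * the mapping holds at least sizeof(IMAGE_DOS_HEADER) bytes and that
 * e_magic is "MZ". */
static void DumpDosHeader(const IMAGE_DOS_HEADER *dosHeader)
{
    printf("\nValid Dos Exe File\n------------------\n");
    printf("\nDumping DOS Header Info....\n---------------------------");
    printf("\n%-36s%s ","Magic number : ",dosHeader->e_magic==0x5a4d?"MZ(Mark Zbikowski)":"-");
    printf("\n%-36s%#x","Bytes on last page of file :",dosHeader->e_cblp);
    printf("\n%-36s%#x","Pages in file : ",dosHeader->e_cp);
    printf("\n%-36s%#x","Relocation : ",dosHeader->e_crlc);
    printf("\n%-36s%#x","Size of header in paragraphs : ",dosHeader->e_cparhdr);
    printf("\n%-36s%#x","Minimum extra paragraphs needed : ",dosHeader->e_minalloc);
    printf("\n%-36s%#x","Maximum extra paragraphs needed : ",dosHeader->e_maxalloc);
    printf("\n%-36s%#x","Initial (relative) SS value : ",dosHeader->e_ss);
    printf("\n%-36s%#x","Initial SP value : ",dosHeader->e_sp);
    printf("\n%-36s%#x","Checksum : ",dosHeader->e_csum);
    printf("\n%-36s%#x","Initial IP value : ",dosHeader->e_ip);
    printf("\n%-36s%#x","Initial (relative) CS value : ",dosHeader->e_cs);
    printf("\n%-36s%#x","File address of relocation table : ",dosHeader->e_lfarlc);
    printf("\n%-36s%#x","Overlay number : ",dosHeader->e_ovno);
    printf("\n%-36s%#x","OEM identifier : ",dosHeader->e_oemid);
    printf("\n%-36s%#x","OEM information(e_oemid specific) :",dosHeader->e_oeminfo);
    printf("\n%-36s%#lx","RVA address of PE header : ",(unsigned long)dosHeader->e_lfanew);
    printf("\n===============================================================================\n");
}

/* Dump the COFF file header: machine, characteristics, time stamp and the
 * section/symbol/optional-header sizes. Only a few machine values are
 * decoded; the rest print as "Not Found" (see the PE/COFF spec linked in
 * the file header for the full list). */
static void DumpFileHeader(const IMAGE_FILE_HEADER *header)
{
    /* ctime() takes a time_t; TimeDateStamp is a DWORD, so passing its
     * address directly reads past the field wherever time_t is 64-bit. */
    time_t stamp = (time_t)header->TimeDateStamp;
    const char *when = ctime(&stamp);   /* ends in '\n'; NULL when not representable */

    printf("\nDumping COFF/PE Header Info....\n--------------------------------");
    printf("\n%-36s%s","Signature :","PE");

    printf("\n%-36s","Machine Architechture :");
    switch (header->Machine) {
    case 0x0:    printf("All "); break;
    case 0x14d:  printf("Intel i860"); break;
    case 0x14c:  printf("Intel i386,i486,i586"); break;
    case 0x200:  printf("Intel Itanium processor"); break;
    case 0x8664: printf("AMD x64"); break;
    case 0x162:  printf("MIPS R3000"); break;
    case 0x166:  printf("MIPS R4000"); break;
    case 0x183:  printf("DEC Alpha AXP"); break;
    default:     printf("Not Found"); break;
    }

    printf("\n%-36s","Characteristics : ");
    if (header->Characteristics & IMAGE_FILE_EXECUTABLE_IMAGE)    printf("Executable Image ,");
    if (header->Characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE) printf("Application can address > 2GB ,");
    if (header->Characteristics & IMAGE_FILE_SYSTEM)              printf("System file (Kernel Mode Driver(I think)) ,");
    if (header->Characteristics & IMAGE_FILE_DLL)                 printf("Dll file ,");
    if (header->Characteristics & IMAGE_FILE_UP_SYSTEM_ONLY)      printf("Application runs only in Uniprocessor ,");

    /* The ctime() text supplies the newline before the next line. */
    printf("\n%-36s%s","Time Stamp :", when != NULL ? when : "-\n");
    printf("%-36s%d","No.sections(size) :",header->NumberOfSections);
    printf("\n%-36s%lu","No.entries in symbol table :",(unsigned long)header->NumberOfSymbols);
    printf("\n%-36s%d","Size of optional header :",header->SizeOfOptionalHeader);
}

/* Dump the optional-header fields this tool reports.
 * IMAGE_OPTIONAL_HEADER is the 32- or 64-bit layout of the build target
 * (winnt.h selects it with _WIN64), so a file whose Magic is the other one
 * is read with the wrong layout; a warning line flags that case instead of
 * presenting the misread values as trustworthy. BaseOfData exists only in
 * the PE32 layout, hence the #ifndef. */
static void DumpOptionalHeader(const IMAGE_OPTIONAL_HEADER *opHeader)
{
    printf("\n\nDumping PE Optional Header Info....\n-----------------------------------");
    if (opHeader->Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC) {
        printf("\nWARNING : optional header magic %#x is not the layout this build was compiled for; values below may be wrong", opHeader->Magic);
    }
    printf("\n%-36s%#lx","Address of Entry Point : ",(unsigned long)opHeader->AddressOfEntryPoint);
    printf("\n%-36s%#llx","Base Address of the Image : ",(unsigned long long)opHeader->ImageBase);
    printf("\n%-36s%s","SubSystem type : ",
        opHeader->Subsystem==1?"Device Driver(Native windows Process)":
        opHeader->Subsystem==2?"Windows GUI":
        opHeader->Subsystem==3?"Windows CLI":
        opHeader->Subsystem==9?"Windows CE GUI":
        "Unknown");
    printf("\n%-36s%s","Given file is a : ",opHeader->Magic==0x20b?"PE32+(64)":"PE32");
    printf("\n%-36s%lu","Size of code segment(.text) : ",(unsigned long)opHeader->SizeOfCode);
    printf("\n%-36s%#lx","Base address of code segment(RVA) :",(unsigned long)opHeader->BaseOfCode);
    printf("\n%-36s%lu","Size of Initialized data : ",(unsigned long)opHeader->SizeOfInitializedData);
#ifndef _WIN64
    printf("\n%-36s%#lx","Base address of data segment(RVA) :",(unsigned long)opHeader->BaseOfData);
#endif
    printf("\n%-36s%#lx","Section Alignment :",(unsigned long)opHeader->SectionAlignment);
    printf("\n%-36s%d","Major Linker Version : ",opHeader->MajorLinkerVersion);
    printf("\n%-36s%d","Minor Linker Version : ",opHeader->MinorLinkerVersion);
}

/* Dump each section table entry and, when `hexSection` names one of them
 * (case-insensitive, as before), hex dump that section's raw bytes.
 * `base`/`fileSize` describe the mapped file; the caller has verified that
 * the whole section table lies inside it. A section's raw-data range is
 * checked against the file size here before HexDump() is handed a pointer
 * into it, since PointerToRawData and SizeOfRawData come from the file. */
static void DumpSections(const BYTE *base, ULONGLONG fileSize,
                         const IMAGE_NT_HEADERS *ntHeader, const char *hexSection)
{
    const IMAGE_SECTION_HEADER *sec = IMAGE_FIRST_SECTION(ntHeader);
    WORD count = ntHeader->FileHeader.NumberOfSections;
    WORD i;

    printf("\n\nDumping Sections Header Info....\n--------------------------------");
    for (i = 0; i < count; i++, sec++) {
        /* Name is 8 bytes and has no terminator when all 8 are used; copy
         * it out so %s and strcmpi stop at a real NUL. */
        char name[IMAGE_SIZEOF_SHORT_NAME + 1];
        memcpy(name, sec->Name, IMAGE_SIZEOF_SHORT_NAME);
        name[IMAGE_SIZEOF_SHORT_NAME] = '\0';

        printf("\n\nSection Info (%d of %d)", i + 1, count);
        printf("\n---------------------");
        printf("\n%-36s%s","Section Header name : ", name);
        printf("\n%-36s%#lx","ActualSize of code or data : ", (unsigned long)sec->Misc.VirtualSize);
        printf("\n%-36s%#lx","Virtual Address(RVA) :", (unsigned long)sec->VirtualAddress);
        printf("\n%-36s%#lx","Size of raw data (rounded to FA) : ", (unsigned long)sec->SizeOfRawData);
        printf("\n%-36s%#lx","Pointer to Raw Data : ", (unsigned long)sec->PointerToRawData);
        printf("\n%-36s%#lx","Pointer to Relocations : ", (unsigned long)sec->PointerToRelocations);
        printf("\n%-36s%#lx","Pointer to Line numbers : ", (unsigned long)sec->PointerToLinenumbers);
        printf("\n%-36s%#x","Number of relocations : ", sec->NumberOfRelocations);
        printf("\n%-36s%#x","Number of line numbers : ", sec->NumberOfLinenumbers);
        printf("\n%-36s%s","Characteristics : ","Contains ");
        if (sec->Characteristics & IMAGE_SCN_CNT_CODE)               printf("executable code, ");
        if (sec->Characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA)   printf("initialized data, ");
        if (sec->Characteristics & IMAGE_SCN_CNT_UNINITIALIZED_DATA) printf("uninitialized data, ");
        if (sec->Characteristics & IMAGE_SCN_LNK_INFO)               printf("comments and linker commands, ");
        if (sec->Characteristics & IMAGE_SCN_MEM_SHARED)             printf("shareable data(via DLLs), ");
        if (sec->Characteristics & IMAGE_SCN_MEM_READ)               printf("Readable, ");
        if (sec->Characteristics & IMAGE_SCN_MEM_WRITE)              printf("Writable, ");

        if (hexSection != NULL && strcmpi(hexSection, name) == 0 && sec->SizeOfRawData != 0) {
            /* 64-bit sum so PointerToRawData + SizeOfRawData cannot wrap. */
            ULONGLONG rawEnd = (ULONGLONG)sec->PointerToRawData + sec->SizeOfRawData;
            if (rawEnd > fileSize || sec->SizeOfRawData > INT_MAX) {
                printf("\n(raw data of this section lies outside the file; hex dump skipped)");
            } else {
                /* HexDump takes an int address, so only the low 32 bits of
                 * ImageBase + VirtualAddress are shown on a 64-bit build. */
                HexDump((char *)(base + sec->PointerToRawData), (int)sec->SizeOfRawData,
                        (int)(ntHeader->OptionalHeader.ImageBase + sec->VirtualAddress));
            }
        }
    }
}

/*
 * Entry point: `test <path to exe file> [ -h <section> ]`.
 *
 * Maps the file read-only, validates the MZ and PE signatures, dumps the
 * DOS, COFF and optional headers and the section table, and optionally hex
 * dumps one section. Every offset taken from the file (e_lfanew,
 * SizeOfOptionalHeader, NumberOfSections, PointerToRawData/SizeOfRawData)
 * is checked against the mapped file size before it is dereferenced, so a
 * truncated or malformed input yields an error line instead of a read past
 * the mapping. Offsets are applied to a BYTE pointer rather than through a
 * DWORD cast, which truncated pointers on 64-bit builds. The file handle,
 * mapping object and view are released on every path (the file handle was
 * previously never closed), and mapping failures no longer dereference NULL.
 *
 * Returns 0 when the headers were dumped, 1 otherwise.
 */
int main(int argc, char **argv)
{
    int rc = 1;
    HANDLE hFile = INVALID_HANDLE_VALUE;   /* the opened file */
    HANDLE hMapObject = NULL;              /* file mapping object */
    LPVOID lpBase = NULL;                  /* base of the mapped view */
    LARGE_INTEGER liSize;
    ULONGLONG fileSize;
    const BYTE *base;
    const IMAGE_DOS_HEADER *dosHeader;
    const IMAGE_NT_HEADERS *ntHeader;
    ULONGLONG tableOffset, tableBytes;
    const char *hexSection = NULL;         /* section to hex dump, or NULL */

    if (argc <= 1) {
        Help();
        PrintCredits();
        return rc;
    }
    /* -h or /h followed by a section name selects a section for HexDump */
    if (argc == 4 && (!strcmpi(argv[2], "-h") || !strcmpi(argv[2], "/h"))) {
        hexSection = argv[3];
    }

    hFile = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf("\nERROR : Could not open the file specified\n");
        PrintCredits();
        return rc;
    }
    /* The size bounds every header offset below; an empty file cannot be mapped. */
    if (!GetFileSizeEx(hFile, &liSize) || liSize.QuadPart <= 0) {
        printf("\nERROR : Could not determine the size of the file (or it is empty)\n");
        goto cleanup;
    }
    fileSize = (ULONGLONG)liSize.QuadPart;

    hMapObject = CreateFileMapping(hFile, NULL, PAGE_READONLY, 0, 0, NULL);
    if (hMapObject == NULL) {
        printf("\nERROR : Could not create a file mapping for the file\n");
        goto cleanup;
    }
    lpBase = MapViewOfFile(hMapObject, FILE_MAP_READ, 0, 0, 0);
    if (lpBase == NULL) {
        printf("\nERROR : Could not map the file into memory\n");
        goto cleanup;
    }
    base = (const BYTE *)lpBase;

    /* DOS header: must fit in the file and carry the "MZ" signature. */
    if (fileSize < sizeof(IMAGE_DOS_HEADER)) {
        printf("\nGiven File is not a valid DOS file\n");
        goto cleanup;
    }
    dosHeader = (const IMAGE_DOS_HEADER *)base;
    if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE) {
        printf("\nGiven File is not a valid DOS file\n");
        goto cleanup;
    }
    DumpDosHeader(dosHeader);

    /* NT headers start at e_lfanew (the LONG at offset 0x3c). The whole
     * IMAGE_NT_HEADERS struct is read below, so all of it must be inside
     * the file; e_lfanew is signed and may be negative in a hostile file. */
    if (dosHeader->e_lfanew < 0 ||
        (ULONGLONG)dosHeader->e_lfanew + sizeof(IMAGE_NT_HEADERS) > fileSize) {
        printf("\nGiven File is not a valid PE file (e_lfanew points outside the file)\n");
        goto cleanup;
    }
    ntHeader = (const IMAGE_NT_HEADERS *)(base + dosHeader->e_lfanew);
    if (ntHeader->Signature != IMAGE_NT_SIGNATURE) {
        printf("\nGiven File is not a valid PE file\n");
        goto cleanup;
    }
    printf("\nValid PE file \n-------------\n");
    DumpFileHeader(&ntHeader->FileHeader);
    DumpOptionalHeader(&ntHeader->OptionalHeader);

    /* Section table: SizeOfOptionalHeader bytes past the optional header,
     * NumberOfSections entries long; both values come from the file. */
    tableOffset = (ULONGLONG)((const BYTE *)IMAGE_FIRST_SECTION(ntHeader) - base);
    tableBytes = (ULONGLONG)ntHeader->FileHeader.NumberOfSections * sizeof(IMAGE_SECTION_HEADER);
    if (tableOffset > fileSize || tableBytes > fileSize - tableOffset) {
        printf("\nERROR : Section table lies outside the file; sections not dumped\n");
        goto cleanup;
    }
    DumpSections(base, fileSize, ntHeader, hexSection);
    printf("\n===============================================================================\n");
    rc = 0;

cleanup:
    if (lpBase != NULL) {
        UnmapViewOfFile(lpBase);
    }
    if (hMapObject != NULL) {
        CloseHandle(hMapObject);
    }
    CloseHandle(hFile);
    PrintCredits();
    return rc;
}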