Parsing the Portable Executable File Format

Download Source Code and Example

The WINPE project is basically a conversion of Matt Pietreks PEDUMP
Program from a DOS based application to an Windows MFC based app. It
demonstrates Parsing PE files and displaying each section in a seperate view.

A WIN32 PE file or better know as a .EXE or .DLL file is broken up into sections.
WINPE handles these sections in its own separate view. The views are
Dynamically switched depending on the View option selected. WINPE also
Provides Printing and Print Preview and since the font selection has a lot to do
With how the print will look the app also provides for font selection on both the
Display and printout. Print Preview was required in order to allow the user to
Find and select the page range for printing so that the entire EXE or DLL does
Not have to be printed.

WINPE is implemented as a SDI app. The Document class however does not use
The serialize function since the actual file is not read, it is loaded as a memory mapped
File by the document class and a pointer to the memory mapped file can be returned
To the view on request. Each View contains the code to process the PE section data
that is to be displayed. WINPE by default provides a HEXDUMP of the file upon
opening. The HEXDUMP will work on any file type, however if the file is not a
EXE or DLL all other view options are disabled via CmdUI interface.































CmainFrame


Handles most of menu messages. The OnViewChange function Determines which view was requested and dynamically switches The Documents current View. The OnFrameView function is A message handler that allows the document class to ensure That the CDumpXView is always the default View.


CwinpeDoc


Memory maps the PE file (or any other file). The OnOpenDocument Function determines what kind of file is being processed and then Either enables or disables the View options.


CdebugDirView


Displays the data associated with the PE files Debug Directory.


CDumpXView


The HEXDUMP View.


CExportView


Displays the data associated with the PE files Export section.The Export section contains the names of the Functions that This DLL or EXE exports. For example, to see the names of the
Functions exported by ICMP.DLL.


CImportView


Displays the data associated with the PE files Import section.The Import section contains the names of the DLLs and their Correspnding functions that are used or Imported into this DLL or EXE.


CHeaderView


Displays the PE file Header.



CResourceView


Displays the Names and resource IDs and their types. Example. The names and IDs of all the Bitmaps that Were compiled into this EXE or DLL.


CSectionTblView


Displays the PE Section Table.


The WINPE program was written to make life a little easier. When writing
The Nettools program I found myself having to constantly go back into
DOS and run DUMPBIN or PEDUMP to see what functions were available
In the ICMP and INETMIB1 DLL and to see what DLLs were being used
By PING,TRACERT and NETSTAT. In order to print the data I had to
Redirect the output to a file then use WordPad to print the pages I was interested
In studying. This is how I gathered some of the info required to write Nettools.

Of Course WINPE does not support ALL of the PEDUMP and DUMPBIN
Options but it does support the ones I use most.

Known Problems

  • The CscrolView does not work on Win95.
  • Due to CScrollView limits on WIN95 only 32k of data will display in the hexdump.
    (all other views will work correctly I was too lazy to write the scrolling code
    in a CView.

Tested on NT4.0 with MS/VC++ 4.2.

Reference Materials Used.

See Microsoft Systems Journal at http://www.microsoft.com/msj
for more info on the following. I believe the source code to HEXDUMP and PEDUMP can
also be obtained there.



Programming Windows 95 with MFC by Prosise.
The HEXDUMP example was used to create the DumpXView.

WIN95 Systems Programming Secrets by Matt Pietrek.
The best book ever written on WIN95 and WIN32 internals.
Contains the source to PEDUMP.

Developing Pro apps for NT and 95 using MFC
http://www.iftech.com/mfc
The Print and Preview sections were very helpful.

Microsoft also provides some samples and documentation.

The Portable Executable File Format from Top to Bottom
http://www.microsoft.com/win32dev/base/pefile.htm

Managing Memory-Mapped Files in Win32
http://www.microsoft.com/win32dev/base/mmfile.htm


Last updated: 14 April 1998

More by Author

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Must Read