Thread: exe headers

  1. #1
    Registered User
    Join Date
    Sep 2009
    Posts
    37

    exe headers

    I'm trying to, no, I browse my physical memory for exe files, and I want to know how I can find out
    which name this exe has. Is there a possibility to find out?

    Example output of my program:
    Physical ADDRESS: 0x0003CFFF
    4D5A
    OffsetPE: D0
    PE? is PE
    Maschine ID: 4C01
    DATETIME: B1130000


    ## it just gets the PE header in the right way

    Physical ADDRESS: 0x003FCFE1
    4D5A
    OffsetPE: 80
    PE? is NE
    Maschine ID: 9800
    DATETIME: 07800000

  2. #2
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    GetModuleFileName, maybe?

  3. #3
    Registered User
    Join Date
    Sep 2009
    Posts
    37
    How should I use GetModuleFileName if I try to find the exe in the RAM?

    For example, a 245-byte output directly from physical memory in hex (an exe was found):
    ADDRESS AT: 0x0003CFFF
    4D 5A = MZ
    OffsetPE: D0
    PE? is PE
    Maschine ID: 4C01
    DATETIME: B1130000
    4D 5A F1 00 01 00 00 00 04 00 00 00 FF FF 00 00 B8 00 00 00
    00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    80 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68
    69 73 20 70 72 6F 67 72 61 6D 20 72 65 71 75 69 72 65 73 20
    4D 69 63 72 6F 73 6F 66 74 20 57 69 6E 64 6F 77 73 2E 0D 0A
    24 00 00 00 00 00 00 00 4E 45 05 3C 98 00 01 00 00 00 00 00
    00 83 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    25 00 40 00 40 00 8C 00 98 00 98 00 19 01 00 00 00 00 04 00
    00 00 02 00 00 00 00 00 00 00 00 03 04 00 0F 80 01 00 00 00
    00 00 14 00 02 00 30 1C 01 80 00 00 00 00 07 80 01 00 00 00
    00 00 16 00 10 00 50 0C 01 80 00 00 00 00 08 80 02 00 00 00
    00 00 26 00 92 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00
    00 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 E0 00 00 00 0E 1F BA 0E 00 B4 09 CD 21 B8 01
    4C CD 21 54 68 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E
    6F 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 6D 6F 64
    65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 8A 4E 4E 9B CE 2F 20
    C8 CE 2F 20 C8 CE 2F 20 C8 0D 20 2F C8 CA 2F 20 C8 CE 2F 21
    C8 4F 2F 20 C8 0D 20 7D C8 DD 2F 20 C8 0D 20 7F C8 C7 2F 20
    C8 0D 20 7C C8 CF 2F 20 C8 0D 20 7E C8 CF 2F 20 C8 0D 20 40
    C8 C5 2F 20 C8 0D 20 7A C8 CF 2F 20 C8 52 69 63 68 CE 2F 20
    C8 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 86 BF 02
    48 00 00 00 00 00 00 00 00 E0

    It's the beginning of an exe header.
    Last edited by punkywow; 09-29-2009 at 02:21 PM.

  4. #4
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    Just pass the EXE address itself to the function (eg: the first parameter).

  5. #5
    Registered User
    Join Date
    Sep 2009
    Posts
    37
    Why should a physical address be the same as the handle of the module?
    The only thing I can imagine is translation from physical to virtual, and maybe the entry point of the exe as parameter... but I don't know exactly how GetModuleFileName is working, you know?

  6. #6
    Registered User
    Join Date
    Sep 2009
    Posts
    37
    Anyone know a good reference to all common exe headers and the rest of the exe structure on Windows?

  7. #7
    Registered User
    Join Date
    Sep 2009
    Posts
    37
    Yes, yes, I just found some information about exe headers on Google Books. It seems that the module name is stored in the exe for the default name; it can be found in segmented executables, in the segmented header there is a module name.

    They say:
    Segmented header:
    Module:
    Gives the name of the application as specified in the NAME statement of the DEF file used to create the file, or the name assumed by default.

    So I can get the name of an exe if it's compiled like this, but I don't know more now because I just started to be interested in EXE headers.

    More info:
    EXEHDR Output: Segmented Executable File
    The first part of the EXEHDR output for a segmented executable file appears as follows:
      Module
      Description
      Data
      Initial CS:IP
      Initial SS:SP
      Extra stack allocation
      DGROUP
    The meaning of each field is described in the following list:
      Module: Gives the name of the application as specified in the NAME statement of the DEF file used to create the file, or the name assumed by default.
      Description: Gives the text of the DESCRIPTION statement of the DEF file, or the description assumed by default.
      Data: Indicates the program's default data segment (DGROUP) type: SHARED, NONSHARED, or NONE. This type can be specified in a DEF file.
      Initial CS:IP: Gives the application's starting address.
      Initial SS:SP: Gives the value of the initial stack pointer, which gives the location of the initial stack.
      Extra stack allocation: Gives the size, in bytes, of the stack, specified in hexadecimal.

    What do you all think about that?
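Worked example, added by the editor and not code from anyone in this thread: a C program that does what posts #1 and #3 describe (walk a memory buffer for "MZ", follow e_lfanew at offset 0x3C, tell "PE\0\0" from "NE") and then reads the fields each header actually carries: Machine, NumberOfSections and TimeDateStamp from the PE file header, and ne_flags, ne_expver and the module name from the NE resident-name table that #7 found (entry 0 of that table is the module name). The sample input is the 490 bytes posted in #3. Running it on that dump shows two things the thread's own output does not: the second "MZ" begins at offset 0xF5 = 245, so only 245 bytes of the first (NE) image are still in place, and its resident-name table at NE+0x8C = 0x10C lands inside the next image's DOS header, so the name is gone; and the second image's COFF header is cut off after 17 bytes, so every read has to be bounds-checked against what was carved. A small constructed NE image (not from the thread) shows the name extraction on the positive path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* The 490 bytes posted in #3 (two posted rows per line); a second "MZ" starts at 0xF5 = 245. */
static const char posted_hex[] =
    "4D5AF1000100000004000000FFFF0000B80000000000000040000000000000000000000000000000"
    "0000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD215468"
    "69732070726F6772616D207265717569726573204D6963726F736F66742057696E646F77732E0D0A"
    "24000000000000004E45053C98000100000000000083000000000000000000000000000000000000"
    "2500400040008C0098009800190100000000040000000200000000000000000304000F8001000000"
    "000014000200301C018000000000078001000000000016001000500C018000000000088002000000"
    "00002600924D5A90000300000004000000FFFF0000B8000000000000004000000000000000000000"
    "00000000000000000000000000000000000000000000000000E00000000E1FBA0E00B409CD21B801"
    "4CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64"
    "652E0D0D0A24000000000000008A4E4E9BCE2F20C8CE2F20C8CE2F20C80D202FC8CA2F20C8CE2F21"
    "C84F2F20C80D207DC8DD2F20C80D207FC8C72F20C80D207CC8CF2F20C80D207EC8CF2F20C80D2040"
    "C8C52F20C80D207AC8CF2F20C852696368CE2F20C80000000000000000504500004C01040086BF02"
    "480000000000000000E0";

/* Decode hex text to bytes; returns the byte count. */
static size_t unhex(const char *s, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (; s[0] && s[1] && n < cap; s += 2)
        out[n++] = (uint8_t)strtoul((char[]){ s[0], s[1], 0 }, NULL, 16);
    return n;
}

struct hit {
    size_t off; char kind[4];                    /* offset of "MZ"; "PE", "NE", or bare "MZ" */
    uint16_t machine, nsect; uint32_t stamp;     /* PE: IMAGE_FILE_HEADER fields */
    uint16_t flags, expver;  char name[256];     /* NE: ne_flags, ne_expver, resident name #0 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the image whose "MZ" is at buf[off]. Every read is checked against len: a carved image
   can be cut off anywhere (here the second image's COFF header is truncated). -1 = too short. */
static int parse_image(const uint8_t *buf, size_t len, size_t off, struct hit *h) {
    memset(h, 0, sizeof *h);
    h->off = off;
    if (off + 0x40 > len || buf[off] != 'M' || buf[off + 1] != 'Z') return -1;
    strcpy(h->kind, "MZ");
    uint32_t lfanew = rd32(buf + off + 0x3C);                /* e_lfanew */
    if (lfanew < 0x40 || lfanew > len - off - 4) return 0;   /* new header is not in the buffer */
    const uint8_t *hdr = buf + off + lfanew;
    size_t left = len - off - lfanew;                        /* bytes available from hdr on */
    if (memcmp(hdr, "PE\0\0", 4) == 0) {
        strcpy(h->kind, "PE");
        if (left < 4 + 8) return -1;      /* need Machine, NumberOfSections, TimeDateStamp */
        h->machine = rd16(hdr + 4);       /* 0x014C = i386 */
        h->nsect   = rd16(hdr + 6);
        h->stamp   = rd32(hdr + 8);       /* seconds since 1970-01-01 */
    } else if (hdr[0] == 'N' && hdr[1] == 'E') {
        strcpy(h->kind, "NE");
        if (left < 0x40) return -1;       /* the NE header is 64 bytes */
        h->flags  = rd16(hdr + 0x0C);     /* bit 0x8000 = library module (DLL) */
        h->expver = rd16(hdr + 0x3E);     /* expected Windows version, major in the high byte */
        size_t restab = rd16(hdr + 0x26); /* resident-name table, relative to the NE header */
        /* Entries: length byte, name, WORD ordinal. Entry 0 is the module name; a zero length
           byte means the table is empty, or (in a carve) those bytes belong to something else. */
        if (restab < left && hdr[restab] != 0 && restab + 1 + hdr[restab] <= left)
            memcpy(h->name, hdr + restab + 1, hdr[restab]);
    }
    return 0;
}

/* Walk a buffer for "MZ" and keep every candidate that parses; returns the count. */
static size_t scan(const uint8_t *buf, size_t len, struct hit *out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < max; i++)
        if (buf[i] == 'M' && buf[i + 1] == 'Z' && parse_image(buf, len, i, &out[n]) == 0) n++;
    return n;
}

/* Constructed sample, not from the thread: a minimal NE image whose resident-name table names it
   "HELLO" (64-byte MZ header, e_lfanew = 0x40, 64-byte NE header, ne_restab = 0x40). */
static size_t make_ne_sample(uint8_t *out, size_t cap) {
    static const uint8_t restab[] = { 5, 'H', 'E', 'L', 'L', 'O', 0, 0, 0 }; /* len, name, ordinal, end */
    size_t n = 0x80 + sizeof restab;
    if (cap < n) return 0;
    memset(out, 0, n);
    out[0] = 'M'; out[1] = 'Z'; out[0x3C] = 0x40;
    out[0x40] = 'N'; out[0x41] = 'E'; out[0x40 + 0x26] = 0x40;
    out[0x40 + 0x3E] = 0x0A; out[0x40 + 0x3F] = 0x03;          /* ne_expver = 3.10 */
    memcpy(out + 0x80, restab, sizeof restab);
    return n;
}

int main(void) {
    uint8_t buf[512], ne[256]; struct hit h[8];
    size_t n = scan(buf, unhex(posted_hex, buf, sizeof buf), h, 8);
    for (size_t i = 0; i < n; i++) {
        printf("MZ at 0x%04zX -> %s\n", h[i].off, h[i].kind);
        if (!strcmp(h[i].kind, "PE"))
            printf("  machine=0x%04X sections=%u timestamp=0x%08X\n", h[i].machine, h[i].nsect, h[i].stamp);
        else if (!strcmp(h[i].kind, "NE"))
            printf("  flags=0x%04X windows=%u.%02u module=%s\n", h[i].flags, (unsigned)(h[i].expver >> 8),
                   (unsigned)(h[i].expver & 0xFF), h[i].name[0] ? h[i].name : "(not recoverable)");
    }
    n = scan(ne, make_ne_sample(ne, sizeof ne), h, 8);
    printf("constructed NE sample -> module=%s\n", n ? h[0].name : "(none)");
    return 0;
}
```

On the GetModuleFileName suggestion from #2 and #4: that function takes an HMODULE, which is the base address of a module mapped into the calling process's own virtual address space (the point #8 makes). An offset into a raw physical-memory dump is not such a handle, so a carver has to take the name from the headers themselves, and only the NE format keeps one there; for the PE image above, the headers in the dump yield Machine, section count and link timestamp, but no file name.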

  8. #8
    Guest Sebastiani's Avatar
    Join Date
    Aug 2001
    Location
    Waterloo, Texas
    Posts
    5,708
    Quote Originally Posted by punkywow View Post
    Why should a physical address be the same as the handle of the module?
    The only thing I can imagine is translation from physical to virtual, and maybe the entry point of the exe as parameter... but I don't know exactly how GetModuleFileName is working, you know?
    It really isn't an issue of physical vs. virtual. Virtual memory basically just allows you to manipulate memory as if it were a single, contiguous block of physical memory, even though it may actually be internally mapped elsewhere.

    Anyway, to answer your question, many Windows API functions expect the base address of an executable. You'll normally see it as an HINSTANCE or HMODULE parameter, but these are really one and the same - the address of a PE file in memory.

    Quote Originally Posted by punkywow View Post
    Anyone know a good reference to all common exe headers and the rest of the exe structure on Windows?
    I've got some bad news for you: The PE format is one of the most poorly documented formats *ever*. The official Microsoft specs are riddled with numerous errors, inconsistencies, and omissions. Others have done a decent job of bridging the gap, but even then there are some uncovered areas. In any case, you'll need to pull all the information together yourself and do a lot of "reading between the lines". Anyway, the best places to start would probably be Luevelsmeyer's writings on the subject, Matt Pietrek's articles, and the Microsoft specification (maybe even in that order).

    More bad news: The PE specification is *huge* - to cover it completely would require an entire book, easily. And with the addition of .NET to the format, things have gotten a lot more complicated, too. So, needless to say, you've got your work cut out for you.

  9. #9
    Registered User
    Join Date
    Sep 2009
    Posts
    37
    Last edited by punkywow; 09-30-2009 at 04:12 AM. Reason: found another link
