Thread: PEval

  1. #1
    Mad_guy (Disrupting the universe)
    Join Date: Jun 2005


    Over the past... hour or two, I have been making something in order to test a few concepts on my system: memory mapped files, the PE header, etc. Anyway, I eventually got to my program, PEval. It's a simple program that pokes around an executable for data, gives you info on sections, yada yada. It's exceptionally simple, and I made it out of boredom, but I really really really really REALLY wanted to ........ around with IMAGE_DOS_HEADER and IMAGE_NT_HEADERS and check out the PE file.

    I got a lot of code based off this EPO heuristics scanner, as you should be able to see. While this absolutely awesome book by Matt Pietrek, "Windows 95 Systems Programming Secrets", covers a lot about the PE header, I had to take some concepts from Piotr Bania to get it to work. I'm sure there was an MSDN article/journal entry I could have read to get the exact same info, though (probably where Piotr got that info himself :P)

    When the application was 'done', for lack of a better word, I hit a snag that really ........ed me off. I put:

    pSecHdr = (PIMAGE_SECTION_HEADER)(((DWORD)pMapview + pDosHdr->e_lfanew) + sizeof(PIMAGE_SECTION_HEADER)); // sizeof a pointer type: only 4 bytes on Win32

    Instead of:

    pSecHdr = (PIMAGE_SECTION_HEADER)(((DWORD)pMapview + pDosHdr->e_lfanew) + sizeof(IMAGE_NT_HEADERS)); // sizeof the structure itself: skips the whole PE header

    The first one would just go like 4 bytes ahead (since PIMAGE means it's a pointer), while the other one would jump over the PE header, since I'm giving it an absolute value of a structure. So it'd give me garbage for names like 'dk' or 'L' instead of '.tls' or '.rsrc'. That really made me mad. But it's fixed now, and I now know to go back and reference RVAs appropriately and never add something to a sizeof with a pointer as a parameter, ick.

    I also hit another snag with somehow corrupting PE files; I don't know why either. I attempt to copy a string ("void") into a section's name if it had no name, and it somehow corrupted it. Odd. Oh well, that was an easy fix, and I suspected that's where it was happening, because it's the only place where I write to the process itself instead of just referencing crap.

    Anyway, now it's done. If you would like the source, it is here (it compiles with Digital Mars and Open Watcom, and should compile with just about every other compiler on earth), and if you are too lazy to compile and would like a binary copy, that can be found here.

    Also, please do not post in this thread about how it 'crashes when you try it on a .jpg' or something of that sort. I already know about that, and I figured it out when I planned to have it originally scan a tmp file as opposed to your real executable to avoid corruption, but when I tried scanning the PE signature on the tmp file, something went wrong. Yes, I know about it.
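
Added example (the editor's own C, not PEval's source and not the EPO scanner's code) showing the section-table lookup the post describes, with the PE structures declared locally so it builds without windows.h, and a constructed two-section PE32 image as input. It finds the table the way the IMAGE_FIRST_SECTION macro does, from FileHeader.SizeOfOptionalHeader, which lands on the same byte as the post's sizeof(IMAGE_NT_HEADERS) jump whenever the optional header has its standard 224-byte PE32 size; it also reproduces the 'L' garbage from the pointer-sized skip (the i386 Machine field 0x014C is the bytes 4C 01), and bounds-checks every offset so a non-PE input such as a JPEG is rejected instead of parsed. The struct and function names, the 0x80 e_lfanew, and the section contents are the example's own assumptions, and it assumes a little-endian host like x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE structures, declared locally so this builds without windows.h;
 * layouts match IMAGE_DOS_HEADER, IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER. */
typedef struct {
    uint16_t e_magic;       /* 0x5A4D, "MZ" */
    uint8_t  unused[58];    /* DOS fields this example does not need */
    uint32_t e_lfanew;      /* file offset of the "PE\0\0" signature */
} DosHeader;                /* 64 bytes */

typedef struct {
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FileHeader;               /* 20 bytes */

typedef struct {
    uint8_t  Name[8];       /* not NUL-terminated when all 8 bytes are used */
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;            /* 40 bytes */

#define PE32_OPTIONAL_HEADER_SIZE 224   /* sizeof(IMAGE_OPTIONAL_HEADER32) */
_Static_assert(sizeof(DosHeader) == 64 && sizeof(FileHeader) == 20 && sizeof(SectionHeader) == 40, "PE layout");

/* Find the section table the way IMAGE_FIRST_SECTION does: it begins right after
 * the optional header, whose length is FileHeader.SizeOfOptionalHeader. Every
 * offset is checked against `len`, so non-PE or truncated input returns -1. */
static int locate_sections(const uint8_t *img, size_t len, size_t *table_off, unsigned *count)
{
    DosHeader dos; FileHeader fh; size_t nt, sec;
    if (len < sizeof dos) return -1;
    memcpy(&dos, img, sizeof dos);
    if (dos.e_magic != 0x5A4D) return -1;           /* no "MZ": not a PE at all */
    nt = dos.e_lfanew;
    if (nt > len || len - nt < 4 + sizeof fh) return -1;
    if (memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    memcpy(&fh, img + nt + 4, sizeof fh);
    sec = nt + 4 + sizeof fh + fh.SizeOfOptionalHeader;
    if (sec > len || (len - sec) / sizeof(SectionHeader) < fh.NumberOfSections)
        return -1;                                  /* table would run off the end */
    *table_off = sec; *count = fh.NumberOfSections;
    return 0;
}

/* Copy section i's name into name[9], NUL-terminated. 0 on success, -1 otherwise. */
static int section_name(const uint8_t *img, size_t len, unsigned i, char name[9])
{
    size_t off; unsigned n; SectionHeader sh;
    if (locate_sections(img, len, &off, &n) != 0 || i >= n) return -1;
    memcpy(&sh, img + off + (size_t)i * sizeof sh, sizeof sh);
    memcpy(name, sh.Name, 8); name[8] = '\0';
    return 0;
}

/* The post's bug, reproduced: skipping sizeof(a pointer) after e_lfanew instead of
 * sizeof(the NT headers). A pointer is 4 bytes on the author's 32-bit build, so this
 * lands on IMAGE_FILE_HEADER.Machine; for i386 that is 4C 01, i.e. "L". Unchecked. */
static void section_name_buggy(const uint8_t *img, char name[9])
{
    DosHeader dos;
    memcpy(&dos, img, sizeof dos);
    memcpy(name, img + dos.e_lfanew + 4 /* sizeof(PIMAGE_SECTION_HEADER) on Win32 */, 8);
    name[8] = '\0';
}

/* Constructed sample, not a real binary: DOS header, "PE\0\0", file header, a zeroed
 * 224-byte PE32 optional header (only Magic set) and two sections. Little-endian host assumed. */
static size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    DosHeader dos = {0}; FileHeader fh = {0};
    SectionHeader text = {{0}}, rsrc = {{0}};
    uint16_t magic = 0x10B;                         /* PE32 optional header */
    const size_t nt = 0x80, opt = nt + 4 + sizeof fh, sec = opt + PE32_OPTIONAL_HEADER_SIZE;
    const size_t total = sec + 2 * sizeof(SectionHeader);
    if (cap < total) return 0;
    memset(buf, 0, total);
    dos.e_magic = 0x5A4D; dos.e_lfanew = (uint32_t)nt;
    fh.Machine = 0x014C; fh.NumberOfSections = 2;   /* IMAGE_FILE_MACHINE_I386 */
    fh.SizeOfOptionalHeader = PE32_OPTIONAL_HEADER_SIZE;
    fh.Characteristics = 0x0102;                    /* EXECUTABLE_IMAGE | 32BIT_MACHINE */
    memcpy(text.Name, ".text", 5); text.VirtualAddress = 0x1000; text.Characteristics = 0x60000020;
    memcpy(rsrc.Name, ".rsrc", 5); rsrc.VirtualAddress = 0x2000; rsrc.Characteristics = 0x40000040;
    memcpy(buf, &dos, sizeof dos);           memcpy(buf + nt, "PE\0\0", 4);
    memcpy(buf + nt + 4, &fh, sizeof fh);    memcpy(buf + opt, &magic, sizeof magic);
    memcpy(buf + sec, &text, sizeof text);   memcpy(buf + sec + sizeof text, &rsrc, sizeof rsrc);
    return total;
}

int main(void)
{
    uint8_t img[512], not_pe[64] = {0xFF, 0xD8, 0xFF, 0xE0};  /* second one is JPEG-like */
    size_t len = build_sample_pe(img, sizeof img);
    char name[9]; unsigned i;
    section_name_buggy(img, name);
    printf("buggy : '%c' then unprintable bytes\n", name[0]);
    for (i = 0; section_name(img, len, i, name) == 0; i++) printf("sec %u : '%s'\n", i, name);
    printf("jpeg  : %s\n", section_name(not_pe, sizeof not_pe, 0, name) ? "rejected" : "parsed");
    return 0;
}
```

The checks in locate_sections are the ones a parser of untrusted files needs: "MZ" and "PE\0\0" before trusting e_lfanew, and a bound on NumberOfSections against the mapped length, because a crafted header can point the section table past the end of the mapping. Reading headers with memcpy into local structs also avoids the aligned-pointer casts the post's one-liners rely on.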

  2. #2
    Registered User
    Join Date: Sep 2004
    Now you just need to take the next step and make it a disassembler.

  3. #3
    cwr (Registered Luser)
    Join Date: Jul 2005
    Sydney, Australia
    This code is Windows specific, won't compile outside of a Windows environment, and therefore belongs in the Windows programming forum.
