Dump PE file

I am using some tool to check a PE file (dll or exe) depends, most free tool support 32bits file.
So I decided to write an tool support 32bits and 64bits PE file.

The PE struct is defined in MinGW’s headers. So What I need to do is write a parser and make some test.

the PE file is like this

An example PE header is

Both EXE and DLL file, the first 128 bytes is the same. This a DOS program, which print that message above. The MAGIC is “MZ”

Then is `e_lfanew`, which is `80 00 00 00`, point to new NT header.

the NT header is:

The Opt Header is difference between 32bits and 64bits!
The first WORD of Opt header is magic, for 32bits is 0x010B, 64bits is 0x020B.

So we can write a script to show PE type

which will output like `file` command:

For more details, see the source code

https://github.com/buaabyl/pedump

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

This entry was posted in Writing and tagged , , , , . Bookmark the permalink.