PeInfo is an easy-to-use class for dumping information out of a Portable Executable.
PE (Portable Executable) is the file format for executable files under Windows. The most famous file type is *.exe, but there are others too, such as *.dll for dynamic link libraries, *.sys for device drivers and so on.
The PE file has a simple structure: first comes some header data, then its sections. Usually there are several different sections: .text for the application code, .bss for uninitialised data, .rdata for read-only data and .data for every other variable type. All resources are stored in the .rsrc section.
Normally, an application uses some functions provided by DLL files such as kernel32.dll and user32.dll. These DLL files and their functions are listed in the Import Table, which holds a link to each function in the DLL.
A DLL file contains an Export Table, which lists all exported functions and their addresses. A function can be found by its name or sometimes by the corresponding ordinal (e.g. 4; it's an example only!).
The class helps me with ...
- reading basic information like AddressOfEntryPoint, ImageBase, SizeOfCode, ...
- getting information out of the sections and their values
- getting information regarding the Import Table and the values
- getting information regarding the Export Table and the values
- converting RVA values to offsets ;-)
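The header fields and the RVA-to-offset conversion listed above, as an added example in Python (it is not PeInfo's own D code, whose API is not shown on this page). The names parse_pe, rva_to_offset and build_sample are hypothetical, and the sample image is constructed in memory; RVAs that fall inside the headers are not handled.

```python
import struct

def parse_pe(data):
    """Parse the headers and section table of a PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                       # optional header start
    magic, size_of_code, entry = struct.unpack_from("<H2xI8xI", data, opt)
    if magic == 0x20B:                                  # PE32+: 64-bit ImageBase
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:                                               # PE32: 32-bit ImageBase
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(nsect):                              # 40-byte section headers
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"),
                         vsize, va, rsize, rptr))
    return {"entry": entry, "image_base": image_base,
            "size_of_code": size_of_code, "sections": sections}

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None if no section backs it on disk."""
    for _name, vsize, va, rsize, rptr in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            # Past SizeOfRawData the bytes exist only in memory (e.g. .bss).
            return rptr + delta if delta < rsize else None
    return None

def build_sample():
    """Constructed header-only PE32 image: .text is file-backed, .bss is not."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB7I", 0x10B, 0, 0, 0x200, 0, 0x100,
                      0x1010, 0x1000, 0x2000, 0x400000).ljust(0xE0, b"\0")
    text = struct.pack("<8sIIII16x", b".text", 0x1F0, 0x1000, 0x200, 0x400)
    bss = struct.pack("<8sIIII16x", b".bss", 0x100, 0x2000, 0, 0)
    return dos + coff + opt + text + bss

if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(hex(info["entry"]), hex(info["image_base"]), info["sections"])
    print(rva_to_offset(info["sections"], info["entry"]))
```

An entry point whose RVA maps to no file offset, or lands outside .text, is a common sign of a packed or tampered image and is worth flagging during triage.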
Are not available by now. If you're a German speaker, register at this great D forum and get the archive from THIS POST. CLICK HERE ;-)
Still in progress
Some parts are still in progress and I have to talk first to Chris Miller. ;)
See you later,
b-sec (you find me at irc.freenode.net, #d, #d.de)