Class PE
What's PeInfo?
PeInfo is an easy-to-use class for dumping information out of a Portable Executable.
What's PE?
PE (Portable Executable) is the file format for executable files under Windows. The best-known file type is *.exe, but there are others too, such as *.dll for dynamic link libraries, *.sys for device drivers and so on.
A PE file has a simple structure: first comes the header data, followed by the sections. The usual sections are .text for the application code, .bss for uninitialised data, .rdata for read-only data and .data for every other variable type. All resources are stored in the .rsrc section.
Normally, an application uses functions provided by DLL files such as kernel32.dll and user32.dll. These DLL files and their functions are stored in the Import Table, which holds a link to each function from its DLL.
A DLL file contains an Export Table, which lists all exported functions and their addresses. A function can be found by its name or sometimes by its corresponding ordinal (e.g. 4, purely as an example).
The class helps me ...
- reading basic information like AddressOfEntryPoint, ImageBase, SizeOfCode, ...
- getting information out of the sections and the values
- getting information regarding the Import Table and the values
- getting information regarding the Export Table and the values
- converting RVA values to offsets ;-)
Examples
Not available yet. If you're a German speaker, register at this great D forum and get the archive from this post. ;-)
Still in progress
Some parts are still in progress and I have to talk first to Chris Miller. ;)
See you later,
b-sec (you find me at irc.freenode.net, #d, #d.de)