.pe (parse PE file)

Description of the '.pe' command in HyperDbg.

Command

.pe

Syntax

.pe [header] [FilePath (string)]

.pe [section] [SectionName (string)] [FilePath (string)]

Description

Parses Portable Executable (PE) files and dumps their sections.

Parameters

[header]

Shows the headers of the PE file.

[section]

Shows (dumps) a specific section of the PE file.

[SectionName (string)]

The name of the section to be dumped.

[FilePath (string)]

The file path of the PE file.

Examples

If you want to see the headers of a PE file located at c:\reverse files\myfile.exe:

HyperDbg> .pe header "c:\reverse files\myfile.exe"

Valid Dos Exe File
------------------

Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================

Valid PE64 file
-------------

Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240

Dumping PE Optional Header Info....
-----------------------------------

Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0

Dumping Sections Header Info....
--------------------------------

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

Section Info (2 of 6)
---------------------
Section Header name :               .rdata
ActualSize of code or data :        0x16ca
Virtual Address(RVA) :              0x3000
Size of raw data (rounded to FA) :  0x1800
Pointer to Raw Data :               0x2200
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (3 of 6)
---------------------
Section Header name :               .data
ActualSize of code or data :        0x750
Virtual Address(RVA) :              0x5000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0x3a00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable, Writable,

Section Info (4 of 6)
---------------------
Section Header name :               .pdata
ActualSize of code or data :        0x294
Virtual Address(RVA) :              0x6000
Size of raw data (rounded to FA) :  0x400
Pointer to Raw Data :               0x3c00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (5 of 6)
---------------------
Section Header name :               .rsrc
ActualSize of code or data :        0x8570
Virtual Address(RVA) :              0x7000
Size of raw data (rounded to FA) :  0x8600
Pointer to Raw Data :               0x4000
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (6 of 6)
---------------------
Section Header name :               .reloc
ActualSize of code or data :        0x70
Virtual Address(RVA) :              0x10000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0xc600
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
===============================================================================

If you want to see the headers plus a dump of the .text section of the PE file:

HyperDbg> .pe section .text "c:\reverse files\myfile.exe"

Valid Dos Exe File
------------------

Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================

Valid PE64 file
-------------

Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240

Dumping PE Optional Header Info....
-----------------------------------

Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0

Dumping Sections Header Info....
--------------------------------

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

40001000: | 48 8d 0d 99 | 1c 00 00 e9 | 68 12 00 00 | cc cc cc cc  H......Θh...╠╠╠╠
40001010: | 48 8d 0d 99 | 1c 00 00 e9 | 58 12 00 00 | cc cc cc cc  H......ΘX...╠╠╠╠
40001020: | 48 8d 0d 99 | 1c 00 00 e9 | 48 12 00 00 | cc cc cc cc  H......ΘH...╠╠╠╠
40001030: | 48 89 54 24 | 10 4c 89 44 | 24 18 4c 89 | 4c 24 20 48  H.T$.L.D$.L.L$ H
40001040: | 83 ec 28 4c | 8b c2 4c 8d | 4c 24 40 ba | 04 01 00 00  .∞(L.┬L.L$@║....
40001050: | ff 15 aa 20 | 00 00 48 83 | c4 28 c3 cc | cc cc cc cc   .¬ ..H.─(├╠╠╠╠╠
40001060: | 40 53 48 81 | ec a0 04 00 | 00 48 8b 05 | b0 3f 00 00  @SH.∞á...H..░?..
40001070: | 48 33 c4 48 | 89 84 24 90 | 04 00 00 48 | 8b d9 48 8d  H3─H..$....H.┘H.
40001080: | 54 24 70 b9 | 04 01 00 00 | ff 15 d2 1f | 00 00 85 c0  T$p╣.... .╥....└

...
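
The following is an added example, not part of HyperDbg or its documentation: a minimal Python parser for the same header fields, run against a constructed header-only image that reuses the values from the sample output above. It shows the bounds checks such a parser needs on untrusted files and how an RVA maps to a file offset. The function names, the 0x22 Characteristics value, the zeroed section flags and the PE32+-only restriction are assumptions of this example.

```python
import struct

# (name, VirtualSize, RVA, SizeOfRawData, PointerToRawData) as printed above
PAGE_SECTIONS = [
    (b".text", 0x1ccf, 0x1000, 0x1e00, 0x400),
    (b".rdata", 0x16ca, 0x3000, 0x1800, 0x2200),
    (b".data", 0x750, 0x5000, 0x200, 0x3a00),
    (b".pdata", 0x294, 0x6000, 0x400, 0x3c00),
    (b".rsrc", 0x8570, 0x7000, 0x8600, 0x4000),
    (b".reloc", 0x70, 0x10000, 0x200, 0xc600),
]

def build_sample_headers():
    """Constructed header-only image (no section data) reusing the page's values."""
    dos = (b"MZ" + bytes(58) + struct.pack("<I", 0x108)).ljust(0x108, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, len(PAGE_SECTIONS), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H14xIIQ", 0x20b, 0x2440, 0x1000, 0x140000000).ljust(240, b"\0")
    table = b"".join(struct.pack("<8sIIII16x", *s) for s in PAGE_SECTIONS)
    return dos + b"PE\0\0" + coff + opt + table

def parse_pe_headers(data):
    """Return entry RVA, image base and section table; reject truncated headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)  # "RVA address of PE header"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or e_lfanew out of range")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    sec_off = opt_off + opt_size  # section table follows the optional header
    if opt_size < 32 or sec_off + 40 * nsec > len(data):
        raise ValueError("optional header or section table is truncated")
    magic, entry, _, image_base = struct.unpack_from("<H14xIIQ", data, opt_off)
    if magic != 0x20b:
        raise ValueError("only PE32+ is handled in this example")
    sections = [struct.unpack_from("<8sIIII", data, sec_off + 40 * i) for i in range(nsec)]
    return {"entry_rva": entry, "image_base": image_base, "sections": sections}

def rva_to_file_offset(sections, rva):
    """Map an RVA to (section name, file offset); offset is None if not file-backed."""
    for name, vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            delta = rva - va
            return name.rstrip(b"\0").decode(), (raw_ptr + delta if delta < raw_size else None)
    return None, None

if __name__ == "__main__":
    info = parse_pe_headers(build_sample_headers())
    print(rva_to_file_offset(info["sections"], info["entry_rva"]))
```

With the page's values, the entry point RVA 0x2440 falls in .text at file offset 0x1840, while an RVA such as 0x5300 lies in the part of .data that exists only in memory (virtual size 0x750, raw size 0x200). The first dump label above, 40001000, matches the low 32 bits of the image base plus the .text RVA (0x140000000 + 0x1000).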

IOCTL

None

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None
