.pe (parse PE file)

Command
.pe
Syntax
.pe [header] [FilePath (string)] 
.pe [section] [SectionName (string)] [FilePath (string)]
Description
Parses Portable Executable (PE) files and dump sections.
Parameters
[header]
The action for this command is showing headers.
[section]
The action for this command is showing a special section.
[SectionName (string)]
The name of the section to be dumped.
[FilePath (string)]
The file path of the PE file.
Examples
If you want to headers of a PE located at c:\reverse files\myfile.exe.
HyperDbg> .pe header c:\reverse files\myfile.exe
​
Valid Dos Exe File
------------------
​
Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================
​
Valid PE64 file
-------------
​
Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240
​
Dumping PE Optional Header Info....
-----------------------------------
​
Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0
​
Dumping Sections Header Info....
--------------------------------
​
Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,
​
Section Info (2 of 6)
---------------------
Section Header name :               .rdata
ActualSize of code or data :        0x16ca
Virtual Address(RVA) :              0x3000
Size of raw data (rounded to FA) :  0x1800
Pointer to Raw Data :               0x2200
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
​
Section Info (3 of 6)
---------------------
Section Header name :               .data
ActualSize of code or data :        0x750
Virtual Address(RVA) :              0x5000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0x3a00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable, Writable,
​
Section Info (4 of 6)
---------------------
Section Header name :               .pdata
ActualSize of code or data :        0x294
Virtual Address(RVA) :              0x6000
Size of raw data (rounded to FA) :  0x400
Pointer to Raw Data :               0x3c00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
​
Section Info (5 of 6)
---------------------
Section Header name :               .rsrc
ActualSize of code or data :        0x8570
Virtual Address(RVA) :              0x7000
Size of raw data (rounded to FA) :  0x8600
Pointer to Raw Data :               0x4000
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
​
Section Info (6 of 6)
---------------------
Section Header name :               .reloc
ActualSize of code or data :        0x70
Virtual Address(RVA) :              0x10000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0xc600
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
===============================================================================
If you want to see the header + dump of the .text section of the PE file.
HyperDbg> .pe section .text c:\reverse files\myfile.exe
​
Valid Dos Exe File
------------------
​
Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================
​
Valid PE64 file
-------------
​
Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240
​
Dumping PE Optional Header Info....
-----------------------------------
​
Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0
​
Dumping Sections Header Info....
--------------------------------
​
Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,
​
40001000: |48 8d 0d 99 | 1c 00 00 e9 | 68 12 00 00 | cc cc cc cc  H......Θh...╠╠╠╠
40001010: | 48 8d 0d 99 | 1c 00 00 e9 | 58 12 00 00 | cc cc cc cc  H......ΘX...╠╠╠╠
40001020: | 48 8d 0d 99 | 1c 00 00 e9 | 48 12 00 00 | cc cc cc cc  H......ΘH...╠╠╠╠
40001030: | 48 89 54 24 | 10 4c 89 44 | 24 18 4c 89 | 4c 24 20 48  H.T$.L.D$.L.L$ H
40001040: | 83 ec 28 4c | 8b c2 4c 8d | 4c 24 40 ba | 04 01 00 00  .∞(L.┬L.[email protected]║....
40001050: | ff 15 aa 20 | 00 00 48 83 | c4 28 c3 cc | cc cc cc cc   .¬ ..H.─(├╠╠╠╠╠
40001060: | 40 53 48 81 | ec a0 04 00 | 00 48 8b 05 | b0 3f 00 00  @SH.∞á...H..░?..
40001070: | 48 33 c4 48 | 89 84 24 90 | 04 00 00 48 | 8b d9 48 8d  H3─H..$....H.┘H.
40001080: | 54 24 70 b9 | 04 01 00 00 | ff 15 d2 1f | 00 00 85 c0  T$p╣.... .╥....└
​
...
IOCTL
None
Remarks
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
Requirements
None
Related
None
.sym (load pdb symbols)
.logopen (open log file)
Last modified 5mo ago
Copy link
Edit on GitHub
On this page
Command
Syntax
Description
Parameters
Examples
IOCTL
Remarks
Requirements