.pe (parse PE file)
Description of the '.pe' command in HyperDbg.
Command
.pe
Syntax
.pe [header] [FilePath (string)].pe [section] [SectionName (string)] [FilePath (string)]
Description
Parses Portable Executable (PE) files and dump sections.
Parameters
[header]
The action for this command is showing headers.
[section]
The action for this command is showing a special section.
[SectionName (string)]
The name of the section to be dumped.
[FilePath (string)]
The file path of the PE file.
Examples
If you want to headers of a PE located at
c:\reverse files\myfile.exe.1
HyperDbg> .pe header c:\reverse files\myfile.exe
2
​
3
Valid Dos Exe File
4
------------------
5
​
6
Dumping DOS Header Info....
7
---------------------------
8
Magic number : MZ
9
Bytes on last page of file : 0x90
10
Pages in file : 0x3
11
Relocation : 0
12
Size of header in paragraphs : 0x4
13
Minimum extra paragraphs needed : 0
14
Maximum extra paragraphs needed : 0xffff
15
Initial (relative) SS value : 0
16
Initial SP value : 0xb8
17
Checksum : 0
18
Initial IP value : 0
19
Initial (relative) CS value : 0
20
File address of relocation table : 0x40
21
Overlay number : 0
22
OEM identifier : 0
23
OEM information(e_oemid specific) : 0
24
RVA address of PE header : 0x108
25
===============================================================================
26
​
27
Valid PE64 file
28
-------------
29
​
30
Dumping COFF/PE Header Info....
31
--------------------------------
32
Signature : PE
33
Machine Architechture : AMD x64
34
Characteristics : Executable Image, Application can address > 2GB,
35
Time Stamp : Thu Jan 14 15:45:54 2021
36
No.sections(size) : 6
37
No.entries in symbol table : 0
38
Size of optional header : 240
39
​
40
Dumping PE Optional Header Info....
41
-----------------------------------
42
​
43
Info of optional Header
44
-----------------------
45
Address of Entry Point : 0x2440
46
Base Address of the Image : 0x140000000
47
SubSystem type : Windows GUI
48
Given file is a : PE32+(64)
49
Size of code segment(.text) : 7680
50
Base address of code segment(RVA) : 0x1000
51
Size of Initialized data : 44032
52
Section Alignment : 0x1000
53
Major Linker Version : 12
54
Minor Linker Version : 0
55
​
56
Dumping Sections Header Info....
57
--------------------------------
58
​
59
Section Info (1 of 6)
60
---------------------
61
Section Header name : .text
62
ActualSize of code or data : 0x1ccf
63
Virtual Address(RVA) : 0x1000
64
Size of raw data (rounded to FA) : 0x1e00
65
Pointer to Raw Data : 0x400
66
Pointer to Relocations : 0
67
Pointer to Line numbers : 0
68
Number of relocations : 0
69
Number of line numbers : 0
70
Characteristics : Contains executable code, Readable,
71
​
72
Section Info (2 of 6)
73
---------------------
74
Section Header name : .rdata
75
ActualSize of code or data : 0x16ca
76
Virtual Address(RVA) : 0x3000
77
Size of raw data (rounded to FA) : 0x1800
78
Pointer to Raw Data : 0x2200
79
Pointer to Relocations : 0
80
Pointer to Line numbers : 0
81
Number of relocations : 0
82
Number of line numbers : 0
83
Characteristics : Contains initialized data, Readable,
84
​
85
Section Info (3 of 6)
86
---------------------
87
Section Header name : .data
88
ActualSize of code or data : 0x750
89
Virtual Address(RVA) : 0x5000
90
Size of raw data (rounded to FA) : 0x200
91
Pointer to Raw Data : 0x3a00
92
Pointer to Relocations : 0
93
Pointer to Line numbers : 0
94
Number of relocations : 0
95
Number of line numbers : 0
96
Characteristics : Contains initialized data, Readable, Writable,
97
​
98
Section Info (4 of 6)
99
---------------------
100
Section Header name : .pdata
101
ActualSize of code or data : 0x294
102
Virtual Address(RVA) : 0x6000
103
Size of raw data (rounded to FA) : 0x400
104
Pointer to Raw Data : 0x3c00
105
Pointer to Relocations : 0
106
Pointer to Line numbers : 0
107
Number of relocations : 0
108
Number of line numbers : 0
109
Characteristics : Contains initialized data, Readable,
110
​
111
Section Info (5 of 6)
112
---------------------
113
Section Header name : .rsrc
114
ActualSize of code or data : 0x8570
115
Virtual Address(RVA) : 0x7000
116
Size of raw data (rounded to FA) : 0x8600
117
Pointer to Raw Data : 0x4000
118
Pointer to Relocations : 0
119
Pointer to Line numbers : 0
120
Number of relocations : 0
121
Number of line numbers : 0
122
Characteristics : Contains initialized data, Readable,
123
​
124
Section Info (6 of 6)
125
---------------------
126
Section Header name : .reloc
127
ActualSize of code or data : 0x70
128
Virtual Address(RVA) : 0x10000
129
Size of raw data (rounded to FA) : 0x200
130
Pointer to Raw Data : 0xc600
131
Pointer to Relocations : 0
132
Pointer to Line numbers : 0
133
Number of relocations : 0
134
Number of line numbers : 0
135
Characteristics : Contains initialized data, Readable,
136
===============================================================================
Copied!
If you want to see the header + dump of the
.text section of the PE file.1
HyperDbg> .pe section .text c:\reverse files\myfile.exe
2
​
3
Valid Dos Exe File
4
------------------
5
​
6
Dumping DOS Header Info....
7
---------------------------
8
Magic number : MZ
9
Bytes on last page of file : 0x90
10
Pages in file : 0x3
11
Relocation : 0
12
Size of header in paragraphs : 0x4
13
Minimum extra paragraphs needed : 0
14
Maximum extra paragraphs needed : 0xffff
15
Initial (relative) SS value : 0
16
Initial SP value : 0xb8
17
Checksum : 0
18
Initial IP value : 0
19
Initial (relative) CS value : 0
20
File address of relocation table : 0x40
21
Overlay number : 0
22
OEM identifier : 0
23
OEM information(e_oemid specific) : 0
24
RVA address of PE header : 0x108
25
===============================================================================
26
​
27
Valid PE64 file
28
-------------
29
​
30
Dumping COFF/PE Header Info....
31
--------------------------------
32
Signature : PE
33
Machine Architechture : AMD x64
34
Characteristics : Executable Image, Application can address > 2GB,
35
Time Stamp : Thu Jan 14 15:45:54 2021
36
No.sections(size) : 6
37
No.entries in symbol table : 0
38
Size of optional header : 240
39
​
40
Dumping PE Optional Header Info....
41
-----------------------------------
42
​
43
Info of optional Header
44
-----------------------
45
Address of Entry Point : 0x2440
46
Base Address of the Image : 0x140000000
47
SubSystem type : Windows GUI
48
Given file is a : PE32+(64)
49
Size of code segment(.text) : 7680
50
Base address of code segment(RVA) : 0x1000
51
Size of Initialized data : 44032
52
Section Alignment : 0x1000
53
Major Linker Version : 12
54
Minor Linker Version : 0
55
​
56
Dumping Sections Header Info....
57
--------------------------------
58
​
59
Section Info (1 of 6)
60
---------------------
61
Section Header name : .text
62
ActualSize of code or data : 0x1ccf
63
Virtual Address(RVA) : 0x1000
64
Size of raw data (rounded to FA) : 0x1e00
65
Pointer to Raw Data : 0x400
66
Pointer to Relocations : 0
67
Pointer to Line numbers : 0
68
Number of relocations : 0
69
Number of line numbers : 0
70
Characteristics : Contains executable code, Readable,
71
​
72
40001000: |48 8d 0d 99 | 1c 00 00 e9 | 68 12 00 00 | cc cc cc cc H......Θh...â• â• â• â•
73
40001010: | 48 8d 0d 99 | 1c 00 00 e9 | 58 12 00 00 | cc cc cc cc H......ΘX...â• â• â• â•
74
40001020: | 48 8d 0d 99 | 1c 00 00 e9 | 48 12 00 00 | cc cc cc cc H......ΘH...â• â• â• â•
75
40001030: | 48 89 54 24 | 10 4c 89 44 | 24 18 4c 89 | 4c 24 20 48 H.T$.L.D$.L.L$ H
76
40001040: | 83 ec 28 4c | 8b c2 4c 8d | 4c 24 40 ba | 04 01 00 00 .∞(L.┬L.[email protected]║....
77
40001050: | ff 15 aa 20 | 00 00 48 83 | c4 28 c3 cc | cc cc cc cc  .¬ ..H.─(├╠╠╠╠â•
78
40001060: | 40 53 48 81 | ec a0 04 00 | 00 48 8b 05 | b0 3f 00 00 @SH.∞á...H..░?..
79
40001070: | 48 33 c4 48 | 89 84 24 90 | 04 00 00 48 | 8b d9 48 8d H3─H..$....H.┘H.
80
40001080: | 54 24 70 b9 | 04 01 00 00 | ff 15 d2 1f | 00 00 85 c0 T$p╣.... .╥....└
81
​
82
...
Copied!
IOCTL
None
Remarks
This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.
Requirements
None
Related
None
Last modified 29d ago
Copy link
Edit on GitHub