
.pe (parse PE file)

Description of the '.pe' command in HyperDbg.

Command

.pe

Syntax

.pe [header] [FilePath (string)]

.pe [section] [SectionName (string)] [FilePath (string)]

Description

Parses Portable Executable (PE) files, shows their headers and dumps the raw bytes of a selected section.

Parameters

[header]

Show the DOS, COFF/PE, optional and section headers of the file.

[section]

Show the headers and then dump the contents of one specific section.

[SectionName (string)]

The name of the section to be dumped.

[FilePath (string)]

The file path of the PE file.

Examples

If you want to see the headers of a PE file located at c:\reverse files\myfile.exe:

HyperDbg> .pe header "c:\reverse files\myfile.exe"

Valid Dos Exe File
------------------

Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================

Valid PE64 file
-------------

Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240

Dumping PE Optional Header Info....
-----------------------------------

Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0

Dumping Sections Header Info....
--------------------------------

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

Section Info (2 of 6)
---------------------
Section Header name :               .rdata
ActualSize of code or data :        0x16ca
Virtual Address(RVA) :              0x3000
Size of raw data (rounded to FA) :  0x1800
Pointer to Raw Data :               0x2200
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (3 of 6)
---------------------
Section Header name :               .data
ActualSize of code or data :        0x750
Virtual Address(RVA) :              0x5000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0x3a00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable, Writable,

Section Info (4 of 6)
---------------------
Section Header name :               .pdata
ActualSize of code or data :        0x294
Virtual Address(RVA) :              0x6000
Size of raw data (rounded to FA) :  0x400
Pointer to Raw Data :               0x3c00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (5 of 6)
---------------------
Section Header name :               .rsrc
ActualSize of code or data :        0x8570
Virtual Address(RVA) :              0x7000
Size of raw data (rounded to FA) :  0x8600
Pointer to Raw Data :               0x4000
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (6 of 6)
---------------------
Section Header name :               .reloc
ActualSize of code or data :        0x70
Virtual Address(RVA) :              0x10000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0xc600
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
===============================================================================

If you want to see the headers plus a dump of the .text section of the same PE file:

HyperDbg> .pe section .text "c:\reverse files\myfile.exe"

Valid Dos Exe File
------------------

Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================

Valid PE64 file
-------------

Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240

Dumping PE Optional Header Info....
-----------------------------------

Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0

Dumping Sections Header Info....
--------------------------------

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

40001000: | 48 8d 0d 99 | 1c 00 00 e9 | 68 12 00 00 | cc cc cc cc  H......Θh...╠╠╠╠
40001010: | 48 8d 0d 99 | 1c 00 00 e9 | 58 12 00 00 | cc cc cc cc  H......ΘX...╠╠╠╠
40001020: | 48 8d 0d 99 | 1c 00 00 e9 | 48 12 00 00 | cc cc cc cc  H......ΘH...╠╠╠╠
40001030: | 48 89 54 24 | 10 4c 89 44 | 24 18 4c 89 | 4c 24 20 48  H.T$.L.D$.L.L$ H
40001040: | 83 ec 28 4c | 8b c2 4c 8d | 4c 24 40 ba | 04 01 00 00  .∞(L.┬L.L$@║....
40001050: | ff 15 aa 20 | 00 00 48 83 | c4 28 c3 cc | cc cc cc cc   .¬ ..H.─(├╠╠╠╠╠
40001060: | 40 53 48 81 | ec a0 04 00 | 00 48 8b 05 | b0 3f 00 00  @SH.∞á...H..░?..
40001070: | 48 33 c4 48 | 89 84 24 90 | 04 00 00 48 | 8b d9 48 8d  H3─H..$....H.┘H.
40001080: | 54 24 70 b9 | 04 01 00 00 | ff 15 d2 1f | 00 00 85 c0  T$p╣.... .╥....└

...
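To show what the '.pe header' and '.pe section' actions walk through, here is an added example written for this page (not HyperDbg's own parser): it builds a constructed, minimal PE32+ image in memory, follows the DOS header to the PE signature, COFF header, optional header and section table, and returns a named section's raw bytes while refusing a section whose raw pointer and size run past the end of the file. Field offsets follow the standard PE layout; the sample image and its values are constructed for the demonstration.

```python
import struct

# Section characteristics bits, decoded into the same wording HyperDbg prints.
SECTION_FLAGS = {0x20: "Contains executable code", 0x40: "Contains initialized data",
                 0x80: "Contains uninitialized data", 0x20000000: "Executable",
                 0x40000000: "Readable", 0x80000000: "Writable"}

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]           # RVA of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or out-of-bounds PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                               # optional header follows COFF
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                            # PE32+ (64-bit): 8-byte ImageBase at +24
        kind, image_base = "PE32+(64)", struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                          # PE32: 4-byte ImageBase at +28
        kind, image_base = "PE32", struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry, = struct.unpack_from("<I", data, opt + 16)             # AddressOfEntryPoint (both formats)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * 40                             # 40-byte section headers follow the optional header
        name, vsize, va, rawsize, rawptr, chars = struct.unpack_from("<8sIIII12xI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize, "rva": va,
                         "raw_size": rawsize, "raw_ptr": rawptr,
                         "flags": [t for bit, t in SECTION_FLAGS.items() if chars & bit]})
    return {"kind": kind, "machine": machine, "entry_point": entry,
            "image_base": image_base, "sections": sections}

def dump_section(data: bytes, name: str) -> bytes:
    """Return the raw file bytes of the named section, refusing a truncated or lying header."""
    for s in parse_pe(data)["sections"]:
        if s["name"] == name:
            end = s["raw_ptr"] + s["raw_size"]
            if end > len(data):
                raise ValueError(f"section {name} claims bytes past the end of the file")
            return data[s["raw_ptr"]:end]
    raise KeyError(f"no section named {name}")

# Constructed sample: a tiny PE32+ image (not a runnable program) so the parser works offline.
def build_sample_pe() -> bytes:
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # AMD64, 2 sections, opt hdr 240 bytes
    opt = bytearray(240)
    struct.pack_into("<HBBIIIIIQ", opt, 0, 0x20B, 12, 0, 0x200, 0x200, 0,
                     0x1000, 0x1000, 0x140000000)                 # magic, linker 12.0 ... ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # SectionAlignment, FileAlignment
    sec = lambda n, vs, va, rs, rp, ch: struct.pack("<8sIIII12xI", n, vs, va, rs, rp, ch)
    headers = (dos + b"PE\0\0" + coff + bytes(opt)
               + sec(b".text", 5, 0x1000, 0x200, 0x400, 0x60000020)
               + sec(b".data", 8, 0x2000, 0x200, 0x600, 0xC0000040))
    text = b"\x90\x90\x90\x90\xc3".ljust(0x200, b"\xcc")         # nop x4; ret; int3 padding
    data = bytes(range(1, 9)).ljust(0x200, b"\0")
    return headers.ljust(0x400, b"\0") + text + data
```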

IOCTL

None

Remarks

This command continues the debuggee for some time (in Debugger Mode), which means that the current context (registers and memory) is lost after the command executes.

Requirements

None

Related

None
