.pe (parse PE file)

Description of the '.pe' command in HyperDbg.

Command

.pe

Syntax

.pe [header] [FilePath (string)]
.pe [section] [SectionName (string)] [FilePath (string)]

Description

Parses Portable Executable (PE) files and dump sections.

Parameters

[header]

The action for this command is showing headers.

[section]

The action for this command is showing a special section.

[SectionName (string)]

The name of the section to be dumped.

[FilePath (string)]

The file path of the PE file.

Examples

If you want to headers of a PE located at c:\reverse files\myfile.exe.

HyperDbg> .pe header "c:\reverse files\myfile.exe"

Valid Dos Exe File
------------------

Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================

Valid PE64 file
-------------

Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240

Dumping PE Optional Header Info....
-----------------------------------

Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0

Dumping Sections Header Info....
--------------------------------

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

Section Info (2 of 6)
---------------------
Section Header name :               .rdata
ActualSize of code or data :        0x16ca
Virtual Address(RVA) :              0x3000
Size of raw data (rounded to FA) :  0x1800
Pointer to Raw Data :               0x2200
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (3 of 6)
---------------------
Section Header name :               .data
ActualSize of code or data :        0x750
Virtual Address(RVA) :              0x5000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0x3a00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable, Writable,

Section Info (4 of 6)
---------------------
Section Header name :               .pdata
ActualSize of code or data :        0x294
Virtual Address(RVA) :              0x6000
Size of raw data (rounded to FA) :  0x400
Pointer to Raw Data :               0x3c00
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (5 of 6)
---------------------
Section Header name :               .rsrc
ActualSize of code or data :        0x8570
Virtual Address(RVA) :              0x7000
Size of raw data (rounded to FA) :  0x8600
Pointer to Raw Data :               0x4000
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,

Section Info (6 of 6)
---------------------
Section Header name :               .reloc
ActualSize of code or data :        0x70
Virtual Address(RVA) :              0x10000
Size of raw data (rounded to FA) :  0x200
Pointer to Raw Data :               0xc600
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains initialized data, Readable,
===============================================================================

If you want to see the header + dump of the .text section of the PE file.

HyperDbg> .pe section .text "c:\reverse files\myfile.exe"

Valid Dos Exe File
------------------

Dumping DOS Header Info....
---------------------------
Magic number :                      MZ
Bytes on last page of file :        0x90
Pages in file :                     0x3
Relocation :                        0
Size of header in paragraphs :      0x4
Minimum extra paragraphs needed :   0
Maximum extra paragraphs needed :   0xffff
Initial (relative) SS value :       0
Initial SP value :                  0xb8
Checksum :                          0
Initial IP value :                  0
Initial (relative) CS value :       0
File address of relocation table :  0x40
Overlay number :                    0
OEM identifier :                    0
OEM information(e_oemid specific) : 0
RVA address of PE header :          0x108
===============================================================================

Valid PE64 file
-------------

Dumping COFF/PE Header Info....
--------------------------------
Signature :                         PE
Machine Architechture :             AMD x64
Characteristics :                   Executable Image, Application can address > 2GB,
Time Stamp :                        Thu Jan 14 15:45:54 2021
No.sections(size) :                 6
No.entries in symbol table :        0
Size of optional header :           240

Dumping PE Optional Header Info....
-----------------------------------

Info of optional Header
-----------------------
Address of Entry Point :            0x2440
Base Address of the Image :         0x140000000
SubSystem type :                    Windows GUI
Given file is a :                   PE32+(64)
Size of code segment(.text) :       7680
Base address of code segment(RVA) : 0x1000
Size of Initialized data :          44032
Section Alignment :                 0x1000
Major Linker Version :              12
Minor Linker Version :              0

Dumping Sections Header Info....
--------------------------------

Section Info (1 of 6)
---------------------
Section Header name :               .text
ActualSize of code or data :        0x1ccf
Virtual Address(RVA) :              0x1000
Size of raw data (rounded to FA) :  0x1e00
Pointer to Raw Data :               0x400
Pointer to Relocations :            0
Pointer to Line numbers :           0
Number of relocations :             0
Number of line numbers :            0
Characteristics :                   Contains executable code, Readable,

40001000: | 48 8d 0d 99 | 1c 00 00 e9 | 68 12 00 00 | cc cc cc cc  H......Θh...╠╠╠╠
40001010: | 48 8d 0d 99 | 1c 00 00 e9 | 58 12 00 00 | cc cc cc cc  H......ΘX...╠╠╠╠
40001020: | 48 8d 0d 99 | 1c 00 00 e9 | 48 12 00 00 | cc cc cc cc  H......ΘH...╠╠╠╠
40001030: | 48 89 54 24 | 10 4c 89 44 | 24 18 4c 89 | 4c 24 20 48  H.T$.L.D$.L.L$ H
40001040: | 83 ec 28 4c | 8b c2 4c 8d | 4c 24 40 ba | 04 01 00 00  .∞(L.┬L.L$@║....
40001050: | ff 15 aa 20 | 00 00 48 83 | c4 28 c3 cc | cc cc cc cc   .¬ ..H.─(├╠╠╠╠╠
40001060: | 40 53 48 81 | ec a0 04 00 | 00 48 8b 05 | b0 3f 00 00  @SH.∞á...H..░?..
40001070: | 48 33 c4 48 | 89 84 24 90 | 04 00 00 48 | 8b d9 48 8d  H3─H..$....H.┘H.
40001080: | 54 24 70 b9 | 04 01 00 00 | ff 15 d2 1f | 00 00 85 c0  T$p╣.... .╥....└

...

IOCTL

None

Remarks

This command will continue the debuggee for some time (in Debugger Mode). This means that you lose the current context (registers & memory) after executing this command.

Requirements

None

Previous.sym (load pdb symbols)Next.logopen (open log file)

Last updated 9 months ago

HyperDbg> .pe header "c:\reverse files\myfile.exe" Valid Dos Exe File ------------------ Dumping DOS Header Info.... --------------------------- Magic number : MZ Bytes on last page of file : 0x90 Pages in file : 0x3 Relocation : 0 Size of header in paragraphs : 0x4 Minimum extra paragraphs needed : 0 Maximum extra paragraphs needed : 0xffff Initial (relative) SS value : 0 Initial SP value : 0xb8 Checksum : 0 Initial IP value : 0 Initial (relative) CS value : 0 File address of relocation table : 0x40 Overlay number : 0 OEM identifier : 0 OEM information(e_oemid specific) : 0 RVA address of PE header : 0x108 =============================================================================== Valid PE64 file ------------- Dumping COFF/PE Header Info.... -------------------------------- Signature : PE Machine Architechture : AMD x64 Characteristics : Executable Image, Application can address > 2GB, Time Stamp : Thu Jan 14 15:45:54 2021 No.sections(size) : 6 No.entries in symbol table : 0 Size of optional header : 240 Dumping PE Optional Header Info.... ----------------------------------- Info of optional Header ----------------------- Address of Entry Point : 0x2440 Base Address of the Image : 0x140000000 SubSystem type : Windows GUI Given file is a : PE32+(64) Size of code segment(.text) : 7680 Base address of code segment(RVA) : 0x1000 Size of Initialized data : 44032 Section Alignment : 0x1000 Major Linker Version : 12 Minor Linker Version : 0 Dumping Sections Header Info.... -------------------------------- Section Info (1 of 6) --------------------- Section Header name : .text ActualSize of code or data : 0x1ccf Virtual Address(RVA) : 0x1000 Size of raw data (rounded to FA) : 0x1e00 Pointer to Raw Data : 0x400 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains executable code, Readable, Section Info (2 of 6) --------------------- Section Header name : .rdata ActualSize of code or data : 0x16ca Virtual Address(RVA) : 0x3000 Size of raw data (rounded to FA) : 0x1800 Pointer to Raw Data : 0x2200 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains initialized data, Readable, Section Info (3 of 6) --------------------- Section Header name : .data ActualSize of code or data : 0x750 Virtual Address(RVA) : 0x5000 Size of raw data (rounded to FA) : 0x200 Pointer to Raw Data : 0x3a00 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains initialized data, Readable, Writable, Section Info (4 of 6) --------------------- Section Header name : .pdata ActualSize of code or data : 0x294 Virtual Address(RVA) : 0x6000 Size of raw data (rounded to FA) : 0x400 Pointer to Raw Data : 0x3c00 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains initialized data, Readable, Section Info (5 of 6) --------------------- Section Header name : .rsrc ActualSize of code or data : 0x8570 Virtual Address(RVA) : 0x7000 Size of raw data (rounded to FA) : 0x8600 Pointer to Raw Data : 0x4000 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains initialized data, Readable, Section Info (6 of 6) --------------------- Section Header name : .reloc ActualSize of code or data : 0x70 Virtual Address(RVA) : 0x10000 Size of raw data (rounded to FA) : 0x200 Pointer to Raw Data : 0xc600 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains initialized data, Readable, ===============================================================================

HyperDbg> .pe section .text "c:\reverse files\myfile.exe" Valid Dos Exe File ------------------ Dumping DOS Header Info.... --------------------------- Magic number : MZ Bytes on last page of file : 0x90 Pages in file : 0x3 Relocation : 0 Size of header in paragraphs : 0x4 Minimum extra paragraphs needed : 0 Maximum extra paragraphs needed : 0xffff Initial (relative) SS value : 0 Initial SP value : 0xb8 Checksum : 0 Initial IP value : 0 Initial (relative) CS value : 0 File address of relocation table : 0x40 Overlay number : 0 OEM identifier : 0 OEM information(e_oemid specific) : 0 RVA address of PE header : 0x108 =============================================================================== Valid PE64 file ------------- Dumping COFF/PE Header Info.... -------------------------------- Signature : PE Machine Architechture : AMD x64 Characteristics : Executable Image, Application can address > 2GB, Time Stamp : Thu Jan 14 15:45:54 2021 No.sections(size) : 6 No.entries in symbol table : 0 Size of optional header : 240 Dumping PE Optional Header Info.... ----------------------------------- Info of optional Header ----------------------- Address of Entry Point : 0x2440 Base Address of the Image : 0x140000000 SubSystem type : Windows GUI Given file is a : PE32+(64) Size of code segment(.text) : 7680 Base address of code segment(RVA) : 0x1000 Size of Initialized data : 44032 Section Alignment : 0x1000 Major Linker Version : 12 Minor Linker Version : 0 Dumping Sections Header Info.... -------------------------------- Section Info (1 of 6) --------------------- Section Header name : .text ActualSize of code or data : 0x1ccf Virtual Address(RVA) : 0x1000 Size of raw data (rounded to FA) : 0x1e00 Pointer to Raw Data : 0x400 Pointer to Relocations : 0 Pointer to Line numbers : 0 Number of relocations : 0 Number of line numbers : 0 Characteristics : Contains executable code, Readable, 40001000: | 48 8d 0d 99 | 1c 00 00 e9 | 68 12 00 00 | cc cc cc cc H......Θh...╠╠╠╠ 40001010: | 48 8d 0d 99 | 1c 00 00 e9 | 58 12 00 00 | cc cc cc cc H......ΘX...╠╠╠╠ 40001020: | 48 8d 0d 99 | 1c 00 00 e9 | 48 12 00 00 | cc cc cc cc H......ΘH...╠╠╠╠ 40001030: | 48 89 54 24 | 10 4c 89 44 | 24 18 4c 89 | 4c 24 20 48 H.T$.L.D$.L.L$ H 40001040: | 83 ec 28 4c | 8b c2 4c 8d | 4c 24 40 ba | 04 01 00 00 .∞(L.┬L.L$@║.... 40001050: | ff 15 aa 20 | 00 00 48 83 | c4 28 c3 cc | cc cc cc cc .¬ ..H.─(├╠╠╠╠╠ 40001060: | 40 53 48 81 | ec a0 04 00 | 00 48 8b 05 | b0 3f 00 00 @SH.∞á...H..░?.. 40001070: | 48 33 c4 48 | 89 84 24 90 | 04 00 00 48 | 8b d9 48 8d H3─H..$....H.┘H. 40001080: | 54 24 70 b9 | 04 01 00 00 | ff 15 d2 1f | 00 00 85 c0 T$p╣.... .╥....└ ...

Command

Syntax

Description

Parameters

Examples

IOCTL

Remarks

Requirements

Related

Command

Syntax

Description

Parameters

Examples

IOCTL

Remarks

Requirements

Related