Usage
readpe is the right tool for parsing PE files without inferring anything about their fields and values. With readpe you can see all basic PE file information. For example, to see the Optional Header, you could run:
$ readpe --header optional putty.exe
Optional/Image header
Magic number: 0x10b (PE32)
Linker major version: 7
Linker minor version: 10
Size of .text section: 0x5c000
Size of .data section: 0x27000
Size of .bss section: 0
Entrypoint: 0x54eb0
Address of .text section: 0x1000
Address of .data section: 0x5d000
ImageBase: 0x400000
Alignment of sections: 0x1000
Alignment factor: 0x1000
Major version of required OS: 4
Minor version of required OS: 0
Major version of image: 0
Minor version of image: 0
Major version of subsystem: 4
Minor version of subsystem: 0
Size of image: 0x84000
Size of headers: 0x1000
Checksum: 0
Subsystem required: 0x2 (IMAGE_SUBSYSTEM_WINDOWS_GUI)
DLL characteristics: 0
DLL characteristics names
Size of stack to reserve: 0x100000
Size of stack to commit: 0x1000
Size of heap space to reserve: 0x100000
Size of heap space to commit: 0x1000
Hint: The Magic Number is 0x10b for PE32 files and 0x20b for PE32+ files.
To get pev tools output in a machine-parseable format, use the -f or --format option. The following example outputs the DOS Header in HTML:
$ readpe --format html --header dos putty.exe
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<title>src/build/readpe --format html --header dos /home/user/PUTTY.EXE</title>
</head>
<body>
<div class="object">
<h2>DOS Header</h2>
<p><span class="key"><b>Magic number</b></span>: <span class="value">0x5a4d (MZ)</span></p>
<p><span class="key"><b>Bytes in last page</b></span>: <span class="value">144</span></p>
<p><span class="key"><b>Pages in file</b></span>: <span class="value">3</span></p>
<p><span class="key"><b>Relocations</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>Size of header in paragraphs</b></span>: <span class="value">4</span></p>
<p><span class="key"><b>Minimum extra paragraphs</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>Maximum extra paragraphs</b></span>: <span class="value">65535</span></p>
<p><span class="key"><b>Initial (relative) SS value</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>Initial SP value</b></span>: <span class="value">0xb8</span></p>
<p><span class="key"><b>Initial IP value</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>Initial (relative) CS value</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>Address of relocation table</b></span>: <span class="value">0x40</span></p>
<p><span class="key"><b>Overlay number</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>OEM identifier</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>OEM information</b></span>: <span class="value">0</span></p>
<p><span class="key"><b>PE header offset</b></span>: <span class="value">0xf8</span></p>
</div>
</body>
</html>
By combining readpe's CSV output with grep you can easily extract the PE file entrypoint:
$ readpe --format csv --header optional putty.exe | grep ^Entry
Entrypoint,0x4f125
With readpe you can inspect the PE sections as well. Use the -S option to see information about all PE sections:
$ readpe -S putty.exe
Sections
Section
Name: .text
Virtual Address: 0x1000
Physical Address: 0x5bd41
Size: 0x5c000 (376832 bytes)
Pointer To Data: 0x1000
Relocations: 0
Characteristics: 0x60000020
Characteristic Names
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
Section
Name: .rdata
Virtual Address: 0x5d000
Physical Address: 0x1ceda
Size: 0x1d000 (118784 bytes)
Pointer To Data: 0x5d000
Relocations: 0
Characteristics: 0x40000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
Section
Name: .data
Virtual Address: 0x7a000
Physical Address: 0x5924
Size: 0x2000 (8192 bytes)
Pointer To Data: 0x7a000
Relocations: 0
Characteristics: 0xc0000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
Section
Name: .rsrc
Virtual Address: 0x80000
Physical Address: 0x3b90
Size: 0x4000 (16384 bytes)
Pointer To Data: 0x7c000
Relocations: 0
Characteristics: 0x40000040
Characteristic Names
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
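The Optional Header magic from the hint above and the section Characteristics flags that readpe -S decodes can be read with a few lines of Python. This is an added example, not part of pev: it parses a constructed minimal PE32 header built in memory instead of reading putty.exe, with field offsets taken from the PE/COFF specification, and flags any section mapped both writable and executable.

```python
import struct

# Section Characteristics bits that readpe -S decodes into "Characteristic Names"
SCN_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}  # Optional Header magic values from the hint above

def parse_pe(data):
    """Return the fields readpe prints for the Optional Header and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # DOS header "PE header offset"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in MAGIC:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    # PE32 keeps a 4-byte ImageBase at +28; PE32+ drops BaseOfData and has an 8-byte ImageBase at +24
    image_base = (struct.unpack_from("<I", data, opt + 28)[0] if magic == 0x10B
                  else struct.unpack_from("<Q", data, opt + 24)[0])
    sections, table = [], opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        chars = struct.unpack_from("<I", data, table + 40 * i + 36)[0]
        # readpe labels VirtualSize "Physical Address" (the PE union field) and SizeOfRawData "Size"
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw": rawptr, "rawsize": rawsize, "characteristics": chars,
                         "names": [n for f, n in SCN_FLAGS.items() if chars & f]})
    return {"magic": MAGIC[magic], "entrypoint": entry, "image_base": image_base, "sections": sections}

def wx_sections(info):  # sections mapped writable and executable at once: a cheap triage signal
    return [s["name"] for s in info["sections"] if (s["characteristics"] & 0xA0000000) == 0xA0000000]

def build_sample_pe():  # constructed minimal PE32 image (headers only, not a real program)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = struct.pack("<HBBIIIIIII", 0x10B, 7, 10, 0x1000, 0, 0, 0x54EB0, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (224 - len(opt))                               # remaining fields + data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x5BD41, 0x1000, 0x5C000, 0x1000, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sec
```

Pointing parse_pe at the bytes of a real file gives the same values readpe prints for the Optional Header and section table, which makes it easy to cross-check the tool's output.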
To list all data directories in a PE file, use the -d option:
$ readpe -d putty.exe
Data directories
Directory
IMAGE_DIRECTORY_ENTRY_IMPORT: 0x78378 (240 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x80000 (15248 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x78318 (72 bytes)
Directory
IMAGE_DIRECTORY_ENTRY_IAT: 0x5d000 (1292 bytes)
If the executable has an import directory you may want to see the list of imported functions using the -i or --imports option:
$ readpe -i putty.exe
Imported functions
Library
Name: ADVAPI32.dll
Functions
Function
Name: RegCloseKey
Function
Name: RegQueryValueExA
Function
Name: RegOpenKeyA
Function
Name: GetUserNameA
Function
Name: EqualSid
Function
Name: CopySid
Library
Name: COMCTL32.dll
Functions
Function
Ordinal: 14
Function
Ordinal: 15
Function
Ordinal: 17
Function
Ordinal: 13
Library
Name: comdlg32.dll
Functions
Function
Name: ChooseColorA
Function
Name: ChooseFontA
You can also see the exported functions with the -e or --exports option, if that is applicable to your target binary.