FAR PE viewer
exe.dll v2.4 beta 9 09.07.2003

:  

   ,   
 portable executable(exe,dll,ocx  ),  - 
-   ,    .

       .
      
  .

     e-mail:radik_h@yahoo.com
    http://exedll.chat.ru


1.  .
====================
  ,  
 ,    .
pe:somexe.exe

       .
pe:somepe.exe param1=2ff param2=3352312
    ( h   
  ).
         
    , 
      .
    , 
pe:Window=1 Active=0
   
pe:W=1 A=0

pe:somepe.exe FileAlignment=0
pe:somepr.exe F=0

     "  "
   pe:Window=1

:
----------
     .
 
~~~~~~~~~~~~~~~~~~~~
A[ctive]
  1 -  
  0 -     
		pe:Active=1

		pe:some.exe Active=1
     

De[layImport]
I[mport]
E[xport]
R[esource]
Rel[ocation]
  1 -  
  0 -  
     

D[emangler]
  0 -  
  1 -   ida.wll
       IDA 4.17   .
  2 -   bordebug.dll
       bordebug.dll, 
	     __BorDebugUnmangle(char *, char *, unsigned int, char *, char *, int).
  3 -   imagehlp.dll
        .
  4 -   HaronDemangle.dll
       HaronDemangle.dll.

i[mport] -           

  0 -       ,   
           
  1 -    .idata

S[plit] -            .
  0 -      .   
      .
  1 -           .

W[indow]
  1 -   

i.e.
 pe:calc.exe Demangler=3 Resource=0
        
 pe:Demangler=4 Resource=0 Export=1 Active=1

 
~~~~~~~~~~~~~~~~~~
PE
Machine
NumberOfSections
TimeDateStamp
PointerToSymbolTable
NumberOfSymbols
SizeOfOptionalHeader
Characteristics

 
~~~~~~~~~~~~~~~~~~~~~~~~
Magic
MajorLinkerVersion
MinorLinkerVersion
SizeOfCode
SizeOfInitializedData
SizeOfUninitializedData
AddressOfEntryPoint
BaseOfCode
BaseOfData
ImageBase
SectionAlignment
F[ileAlignment]
MajorOperatingSystemVersion
MinorOperatingSystemVersion
MajorImageVersion
MinorImageVersion
MajorSubsystemVersion
MinorSubsystemVersion
Win32VersionValue
SizeOfImage
SizeOfHeaders
CheckSum
Interface
DllCharacteristics
SizeOfStackReserve
SizeOfStackCommit
SizeOfHeapReserve
SizeOfHeapCommit
LoaderFlags
NumberOfRvaAndSizes

F[ileAlignment]      
  .
  FileAlignment     .

   0 (pe:name F=),       .

   200h:
1)      12  
2)      0Ch
3)     200h;
4)  ,     
FileAlignment(    FileAlignment=1    )
      ;
5)     .
i.e.
pe:modplug.exe FileAlignment=1

2.  .
=============
	    dmp    .
         
  .     ,    
  .
    :
 .
 // 
 ;   
 .
 DB  
 DW  
 DD  
.
      , 
    a  f ,    h  .
i.e.
DB   0ca
     0DF
DW   6666
     4EC
DD   0dead10ad
     0
ASCII .
 DB "   CP-1251" 
Unicode .
 DW " Unicode"

     .
  \\  \
  \n   0ah
  \r    0dh
  \t        9h
  \"  
.     .  .
Name_1	DB	ff

3. .
==========
	    ,   .  ,
  40   ,     
4  ..  .      
 ,    .  
   .
    ,       
 PE      .
	         
  ,        
DataDirectory,    IMAGE_OPTIONAL_HEADER(winnt.h).
   ,     .
          
   .

4. .
=========
	   Export, Import, Resource, Relocation
    ,        
(.edata, .idata, .rsrc, .reloc ).
	          
  .   :
1.
	() ()    
 .        . 
          .

2.
	          
    :
	)       
	           ,
	          ;
	)  Relocation  Resource  ;
	)        ,
	         ;
	)      ;
	)    ,    
	   pe (     );
	)     
	 (     ?)
Export
~~~~~~
	      ,  
   .    
.       
(     ).  
  "".
i.e.
 exe.dll
GetStartupInfo.360014dd		12

     ,     .
         
      .   .
i.e.
 SomeName.36001234

 SomeName.1234

        
.

Import
~~~~~~
	    .
      
       
,        .
..     kernel32.dll WriteFile,
  
 PE:exe.dll\36000000\KERNEL32.dll
 WriteFileA.0000c014		735
      call [36000c014]  
WriteFileA  kernel32.dll.
     ,  
, .
   f.80000002.80000002.0005f028
  ,      .
   f.bff75423.bff75423.0005f028
      
 .

i.e.
  GetModuleHandleA  win98 se   
 f.bff77716.bff77716.0005f02	294

  .

      
  .    pe:S=0   .

  :
	)    Import.       ,
              ,  
 	      .
	)       Import.
	)    Export        
	  Import.
	)          Import.
 ,   .

DelayImport
~~~~~~~~~~~
	      Import.  .

Resource
~~~~~~~~
	   .   
         ,
  .     .
         exer.lng ,  
     ,    .
     {t, n, l}.

i.e.
tnl
  
Type/Name/Language

a lnt
  
Language/Type/Name

    . ,   ,
         '_'
	      pL_Languages. 
  ,    
ResName( ResNameNew),  ,    
  .
	        ,  
(  )      .rsrc
i.e.
  2     
_6E
6E
      
6E
0000006E
     ,
    .

Relocation
~~~~~~~~~~
	  4-     
 .
	       .

	      .
  -  .
  -   -  
	4-  .
  -  (     RelType).
  -    (  winnt.h
  IMAGE_REL_BASED_ABSOLUTE).
	        ,
  (  )      .reloc

5. .
=========
	    ,  
 .  ,    
 .

6. Trap.
========
    PELord.

	  "  "   "Trap" 
  ,    
, WinMain  DllMain .
     SoftIce bpint 3    "Trap".

       VC(  
	  'Debug').

	  ,   ,  
	        ( 0x55).
	     ,  
	   ( eb eip 55).
	    .

      ,  
  ,     ,
   .
	    <<>> ,    
  .       
  .

[!]  5        .

         exer.lng.

---------------------------------------------------------------------------------
/*
 * Display names for resource types, stored positionally: entry N is the
 * string at index N (24 entries, indexes 0..23). The purely numeric strings
 * ("0", "13", "15", "18") occupy slots that have no symbolic name here.
 *
 * NOTE(review): presumably indexed by the numeric resource type id read from
 * the inspected file's resource directory; the lookup code is not shown.
 * Confirm that the id is range-checked against the 24 entries before it is
 * used as an index, since it comes from a file that may be malformed.
 */
char *ResName[] = {
    /*  0.. 3 */ "0",            "CURSOR",     "BITMAP",     "ICON",
    /*  4.. 7 */ "MENU",         "DIALOG",     "STRING",     "FONTDIR",
    /*  8..11 */ "FONT",         "ACCELERATOR", "RCDATA",    "MESSAGETABLE",
    /* 12..15 */ "GROUP_CURSOR", "13",         "GROUP_ICON", "15",
    /* 16..19 */ "VERSION",      "DLGINCLUDE", "18",         "PLUG&PLAY",
    /* 20..23 */ "VXD",          "ANICURSOR",  "ANIICON",    "HTML"
};

/*
 * Display names for the "(new)" variants of three resource types, stored
 * positionally: BITMAP, MENU, DIALOG (indexes 0..2).
 *
 * NOTE(review): how a resource type id is mapped onto these three slots is
 * not shown here; confirm that the mapping cannot produce an index above 2.
 */
char *ResNameNew[] = {
    /* 0 */ "BITMAP(new)",
    /* 1 */ "MENU(new)",
    /* 2 */ "DIALOG(new)"
};

/*
 * Table pairing a language identifier with the text shown for it. Each row is
 * { id built with MAKELANGID(primary language, sublanguage), display string }.
 * The final row { -1, "" } closes the table.
 *
 * NOTE(review): presumably a lookup walks the rows until it reaches the -1
 * row; the search code is not shown. Confirm that it stops there and has a
 * fallback for ids that are absent from the table, because the id is read
 * from the inspected file's resource directory.
 * NOTE(review): rows written with a literal 1 as the sublanguage appear to
 * mean SUBLANG_DEFAULT (0x01 in winnt.h) - confirm.
 * NOTE(review): the Lang type is declared elsewhere. If its id field is a
 * 16-bit unsigned type, the -1 is stored as 0xFFFF - confirm that the
 * comparison used by the search matches that value.
 */
Lang pL_Languages[]=
{
 /* Neutral / default pseudo-languages. */
 {MAKELANGID(LANG_NEUTRAL,SUBLANG_NEUTRAL), "Language neutral"},
 {MAKELANGID(LANG_NEUTRAL,SUBLANG_DEFAULT), "User default"},
 {MAKELANGID(LANG_NEUTRAL,SUBLANG_SYS_DEFAULT), "System default"},

 {MAKELANGID(LANG_AFRIKAANS, 1), "AFRIKAANS"},
 {MAKELANGID(LANG_ALBANIAN, 1), "ALBANIAN"},
 
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_SAUDI_ARABIA), "Arabic (Saudi Arabia)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_IRAQ), "Arabic (Iraq)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_EGYPT), "Arabic (Egypt)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_LIBYA), "Arabic (Libya)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_ALGERIA ), "Arabic (Algeria)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_MOROCCO), "Arabic (Morocco)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_TUNISIA), "Arabic (Tunisia)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_OMAN), "Arabic (Oman)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_YEMEN), "Arabic (Yemen)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_SYRIA), "Arabic (Syria)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_JORDAN), "Arabic (Jordan)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_LEBANON), "Arabic (Lebanon)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_KUWAIT), "Arabic (Kuwait)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_UAE), "Arabic (U.A.E)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_BAHRAIN), "Arabic (Bahrain)"},
 {MAKELANGID(LANG_ARABIC,SUBLANG_ARABIC_QATAR), "Arabic (Qatar)"},


 {MAKELANGID(LANG_ARMENIAN, 1), "ARMENIAN"},
 {MAKELANGID(LANG_ASSAMESE, 1), "ASSAMESE"},
 
 {MAKELANGID(LANG_AZERI,SUBLANG_AZERI_LATIN), "Azeri (Latin)"},
 {MAKELANGID(LANG_AZERI,SUBLANG_AZERI_CYRILLIC), "Azeri (Cyrillic)"},

 {MAKELANGID(LANG_BASQUE, 1), "BASQUE"},
 {MAKELANGID(LANG_BELARUSIAN, 1), "BELARUSIAN"},
 {MAKELANGID(LANG_BENGALI  , 1), "BENGALI"},
 {MAKELANGID(LANG_BULGARIAN, 1), "BULGARIAN"},
 {MAKELANGID(LANG_CATALAN  , 1), "CATALAN"},
 
 {MAKELANGID(LANG_CHINESE  ,SUBLANG_CHINESE_TRADITIONAL), "Chinese (Taiwan Region)"},
 {MAKELANGID(LANG_CHINESE  ,SUBLANG_CHINESE_SIMPLIFIED), "Chinese (PR China)"},
 {MAKELANGID(LANG_CHINESE  ,SUBLANG_CHINESE_HONGKONG), "Chinese (Hong Kong)"},
 {MAKELANGID(LANG_CHINESE  ,SUBLANG_CHINESE_SINGAPORE), "Chinese (Singapore)"},
 {MAKELANGID(LANG_CHINESE  ,SUBLANG_CHINESE_MACAU), "Chinese (Macau)"},
 
 {MAKELANGID(LANG_CROATIAN , 1), "CROATIAN"},
 {MAKELANGID(LANG_CZECH    , 1), "CZECH"},
 {MAKELANGID(LANG_DANISH   , 1), "DANISH"},

 {MAKELANGID(LANG_DUTCH    ,SUBLANG_DUTCH), "Dutch"},
 {MAKELANGID(LANG_DUTCH    ,SUBLANG_DUTCH_BELGIAN), "Dutch (Belgian)"},
 
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_US), "English (USA)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_UK), "English (UK)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_AUS), "English (Australian)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_CAN), "English (Canadian)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_NZ), "English (New Zealand)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_EIRE), "English (Irish)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_SOUTH_AFRICA), "English (South Africa)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_JAMAICA), "English (Jamaica)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_CARIBBEAN), "English (Caribbean)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_BELIZE), "English (Belize)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_TRINIDAD), "English (Trinidad)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_ZIMBABWE), "English (Zimbabwe)"},
 {MAKELANGID(LANG_ENGLISH  ,SUBLANG_ENGLISH_PHILIPPINES), "English (Philippines)"},

 {MAKELANGID(LANG_ESTONIAN , 1), "ESTONIAN"},
 {MAKELANGID(LANG_FAEROESE , 1), "FAEROESE"},
 {MAKELANGID(LANG_FARSI    , 1), "FARSI"},
 {MAKELANGID(LANG_FINNISH  , 1), "FINNISH"},
 
 {MAKELANGID(LANG_FRENCH  ,SUBLANG_FRENCH), "French"},
 {MAKELANGID(LANG_FRENCH  ,SUBLANG_FRENCH_BELGIAN), "French (Belgian)"},
 {MAKELANGID(LANG_FRENCH  ,SUBLANG_FRENCH_CANADIAN), "French (Canadian)"},
 {MAKELANGID(LANG_FRENCH  ,SUBLANG_FRENCH_SWISS), "French (Swiss)"},
 {MAKELANGID(LANG_FRENCH  ,SUBLANG_FRENCH_LUXEMBOURG), "French (Luxembourg)"},
 {MAKELANGID(LANG_FRENCH  ,SUBLANG_FRENCH_MONACO), "French (Monaco)"},

 {MAKELANGID(LANG_GEORGIAN , 1), "GEORGIAN"},

 {MAKELANGID(LANG_GERMAN   ,SUBLANG_GERMAN), "German"},
 {MAKELANGID(LANG_GERMAN   ,SUBLANG_GERMAN_SWISS), "German (Swiss)"},
 {MAKELANGID(LANG_GERMAN   ,SUBLANG_GERMAN_AUSTRIAN), "German (Austrian)"},
 {MAKELANGID(LANG_GERMAN   ,SUBLANG_GERMAN_LUXEMBOURG), "German (Luxembourg)"},
 {MAKELANGID(LANG_GERMAN   ,SUBLANG_GERMAN_LIECHTENSTEIN), "German (Liechtenstein)"},

 {MAKELANGID(LANG_GREEK    , 1), "GREEK"},
 {MAKELANGID(LANG_GUJARATI , 1), "GUJARATI"},
 {MAKELANGID(LANG_HEBREW   , 1), "HEBREW"},
 {MAKELANGID(LANG_HINDI    , 1), "HINDI"},
 {MAKELANGID(LANG_HUNGARIAN, 1), "HUNGARIAN"},
 {MAKELANGID(LANG_ICELANDIC, 1), "ICELANDIC"},
 {MAKELANGID(LANG_INDONESIAN, 1), "INDONESIAN"},

 {MAKELANGID(LANG_ITALIAN  ,SUBLANG_ITALIAN), "Italian"},
 {MAKELANGID(LANG_ITALIAN  ,SUBLANG_ITALIAN_SWISS), "Italian (Swiss)"},

 {MAKELANGID(LANG_JAPANESE , 1), "JAPANESE"},
 {MAKELANGID(LANG_KANNADA  , 1), "KANNADA"},
 
 {MAKELANGID(LANG_KASHMIRI ,SUBLANG_KASHMIRI_INDIA), "Kashmiri (India)"},
 
 {MAKELANGID(LANG_KAZAK    , 1), "KAZAK"},
 {MAKELANGID(LANG_KONKANI  , 1), "KONKANI"},
 {MAKELANGID(LANG_KOREAN   ,SUBLANG_KOREAN), "Korean (Extended Wansung)"},
 {MAKELANGID(LANG_LATVIAN  , 1), "LATVIAN"},

 {MAKELANGID(LANG_LITHUANIAN,SUBLANG_LITHUANIAN), "Lithuanian"},
 {MAKELANGID(LANG_LITHUANIAN,SUBLANG_LITHUANIAN_CLASSIC), "Lithuanian (Classic)"},

 {MAKELANGID(LANG_MACEDONIAN, 1), "MACEDONIAN"},

 {MAKELANGID(LANG_MALAY     ,SUBLANG_MALAY_MALAYSIA), "Malay (Malaysia)"},
 {MAKELANGID(LANG_MALAY     ,SUBLANG_MALAY_BRUNEI_DARUSSALAM), "Malay (Brunei Darussalam)"},

 {MAKELANGID(LANG_MALAYALAM , 1), "MALAYALAM"},
 {MAKELANGID(LANG_MANIPURI  , 1), "MANIPURI"},
 {MAKELANGID(LANG_MARATHI   , 1), "MARATHI"},
 {MAKELANGID(LANG_NEPALI    ,SUBLANG_NEPALI_INDIA), "Nepali (India)"},

 {MAKELANGID(LANG_NORWEGIAN ,SUBLANG_NORWEGIAN_BOKMAL), "Norwegian (Bokmal)"},
 {MAKELANGID(LANG_NORWEGIAN ,SUBLANG_NORWEGIAN_NYNORSK), "Norwegian (Nynorsk)"},

 {MAKELANGID(LANG_ORIYA     , 1), "ORIYA"},
 {MAKELANGID(LANG_POLISH    , 1), "POLISH"},
 
 {MAKELANGID(LANG_PORTUGUESE,SUBLANG_PORTUGUESE), "Portuguese"},
 {MAKELANGID(LANG_PORTUGUESE,SUBLANG_PORTUGUESE_BRAZILIAN), "Portuguese (Brazilian)"},

 {MAKELANGID(LANG_PUNJABI   , 1), "PUNJABI"},
 {MAKELANGID(LANG_ROMANIAN  , 1), "ROMANIAN"},
 {MAKELANGID(LANG_RUSSIAN   , 1), "Russian"},
 {MAKELANGID(LANG_SANSKRIT  , 1), "SANSKRIT"},

 {MAKELANGID(LANG_SERBIAN   ,SUBLANG_SERBIAN_LATIN), "Serbian (Latin)"},
 {MAKELANGID(LANG_SERBIAN   ,SUBLANG_SERBIAN_CYRILLIC), "Serbian (Cyrillic)"},

 {MAKELANGID(LANG_SINDHI    , 1), "SINDHI"},
 {MAKELANGID(LANG_SLOVAK    , 1), "SLOVAK"},
 {MAKELANGID(LANG_SLOVENIAN , 1), "SLOVENIAN"},

 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH), "Spanish (Castilian)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_MEXICAN), "Spanish (Mexican)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_MODERN), "Spanish (Modern)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_GUATEMALA), "Spanish (Guatemala)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_COSTA_RICA), "Spanish (Costa Rica)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_PANAMA), "Spanish (Panama)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_DOMINICAN_REPUBLIC), "Spanish (Dominican Republic)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_VENEZUELA), "Spanish (Venezuela)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_COLOMBIA), "Spanish (Colombia)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_PERU), "Spanish (Peru)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_ARGENTINA), "Spanish (Argentina)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_ECUADOR), "Spanish (Ecuador)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_CHILE), "Spanish (Chile)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_URUGUAY), "Spanish (Uruguay)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_PARAGUAY), "Spanish (Paraguay)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_BOLIVIA), "Spanish (Bolivia)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_EL_SALVADOR), "Spanish (El Salvador)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_HONDURAS), "Spanish (Honduras)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_NICARAGUA), "Spanish (Nicaragua)"},
 {MAKELANGID(LANG_SPANISH   ,SUBLANG_SPANISH_PUERTO_RICO), "Spanish (Puerto Rico)"},

 {MAKELANGID(LANG_SWAHILI   , 1), "SWAHILI"},

 {MAKELANGID(LANG_SWEDISH   ,SUBLANG_SWEDISH), "Swedish"},
 {MAKELANGID(LANG_SWEDISH   ,SUBLANG_SWEDISH_FINLAND), "Swedish (Finland)"},

 {MAKELANGID(LANG_TAMIL     , 1), "TAMIL"},
 {MAKELANGID(LANG_TATAR     , 1), "Tatar"},
 {MAKELANGID(LANG_TELUGU    , 1), "TELUGU"},
 {MAKELANGID(LANG_THAI      , 1), "THAI"},
 {MAKELANGID(LANG_TURKISH   , 1), "TURKISH"},
 {MAKELANGID(LANG_UKRAINIAN , 1), "UKRAINIAN"},

 {MAKELANGID(LANG_URDU      ,SUBLANG_URDU_PAKISTAN), "Urdu (Pakistan)"},
 {MAKELANGID(LANG_URDU      ,SUBLANG_URDU_INDIA), "Urdu (India)"},

 {MAKELANGID(LANG_UZBEK     ,SUBLANG_UZBEK_LATIN), "Uzbek (Latin)"},
 {MAKELANGID(LANG_UZBEK     ,SUBLANG_UZBEK_CYRILLIC), "Uzbek (Cyrillic)"},

 {MAKELANGID(LANG_VIETNAMESE, 1), "VIETNAMESE"},
 /* Last row: id -1 with an empty name; looks like the end-of-table marker. */
 {-1,""}
};

/*
 * Display names for base-relocation types, stored positionally: entry N is
 * the string at index N (12 entries, indexes 0..11).
 *
 * NOTE(review): presumably indexed by the IMAGE_REL_BASED_* type value taken
 * from a relocation entry of the inspected file; the lookup code is not shown.
 * The type field of a PE base-relocation entry is 4 bits wide, so values up
 * to 15 can appear in a file while the last index here is 11 - confirm that
 * the lookup range-checks before indexing.
 * NOTE(review): winnt.h defines IMAGE_REL_BASED_MIPS_JMPADDR16 and
 * IMAGE_REL_BASED_IA64_IMM64 both as 9 and IMAGE_REL_BASED_DIR64 as 10. With
 * a direct index, slot 8 ("MIPS_JMPADDR16") would not correspond to a defined
 * type - confirm whether that slot is intentional.
 */
char *RelType[] = {
    /*  0.. 3 */ "ABSOLUTE",       "HIGH",         "LOW",     "HIGHLOW",
    /*  4.. 7 */ "HIGHADJ",        "MIPS_JMPADDR", "SECTION", "REL32",
    /*  8..11 */ "MIPS_JMPADDR16", "IA64_IMM64",   "DIR64",   "HIGH3ADJ"
};
