Hi,

I'm trying to parse an executable and I want to catch just a specific section
(this section's name is .mysec).

Ok, I can find my section inside this executable, I can parse this
executable's header BUT I can get the RAW data (the data inside this
specific section). Does anybody here know how I can do it? Any sample?

Thanks in advance,

Victor

Re: PE Format by William

William
Wed May 11 17:23:34 CDT 2005

"Victor Pereira" <taintmode@yahoo.com.br> wrote in message
news:%23PIyKRnVFHA.3044@TK2MSFTNGP10.phx.gbl...
> Ok, I can find my section inside this executable, I can parse this
> executable's header BUT I can get the RAW data (the data inside this
> specific section). Does anybody here know how I can do it? Any sample?

You may want to take a look at the PEDUMP (portable executable dumper)
utility here:

http://www.wheaty.net/downloads.htm

Regards,
Will



Re: PE Format by Victor

Victor
Thu May 12 09:06:52 CDT 2005

William,

I read the pedump and it has helped me a lot.

But pedump just dumps the headers and I want to dump a section's "payload"
(the raw data inside this section).

Thanks in advance,

Victor
"William DePalo [MVP VC++]" <willd.no.spam@mvps.org> wrote in message
news:u4bcVgnVFHA.2664@TK2MSFTNGP15.phx.gbl...
> "Victor Pereira" <taintmode@yahoo.com.br> wrote in message
> news:%23PIyKRnVFHA.3044@TK2MSFTNGP10.phx.gbl...
> > Ok, I can find my section inside this executable, I can parse this
> > executable's header BUT I can get the RAW data (the data inside this
> > specific section). Does anybody here know how I can do it? Any sample?
>
> You may want to take a look at the PEDUMP (portable executable dumper)
> utility here:
>
> http://www.wheaty.net/downloads.htm
>
> Regards,
> Will



Re: PE Format by William

William
Thu May 12 20:29:52 CDT 2005

"Victor Pereira" <taintmode@yahoo.com.br> wrote in message
news:e1d8fvvVFHA.548@tk2msftngp13.phx.gbl...
> But pedump just dumps the headers and I want to dump a section's "payload"
> (the raw data inside this section).

I'd like to help but I don't know of other tools to do the job.

If you want to roll your own solution, what you can do is to write an
application which calls CreateProcess() specifying the image name of your
executable and the DEBUG_ONLY_THIS_PROCESS_FLAG. That makes your solution a
debugger. Then you loop calling WaitForDebugEvent() until you receive the
EXCEPTION_DEBUG_EVENT that informs you that your process is loaded. At that
point you can inspect the map file and call ReadProcessMemory() to dump to
your heart's content.

Regards,
Will



Re: PE Format by Oleg

Oleg
Fri May 13 04:29:55 CDT 2005


> I read the pedump and it has helped me a lot.
>
> But pedump just dumps the headers and I want to dump a section's "payload"
> (the raw data inside this section).
>

Pedump can dump the section data, see the DumpRawSectionData function in Common.cpp
(and use pedump with the /H option).

Here is an article with more information, it also contains an updated version of pedump:
http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx

Regards,
Oleg
[VC++ MVP]
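For anyone reading this later who wants to do what DumpRawSectionData does without pedump: the following is an added example, not code from pedump or from any poster. It walks the DOS header, IMAGE_FILE_HEADER and section table with Python's struct module, finds a section by name, and slices its on-disk bytes out at PointerToRawData/SizeOfRawData, refusing any header that points past the end of the file (a truncated or deliberately malformed PE would otherwise make a naive reader over-read). The PE buffer it parses is constructed inline and is not a loadable executable.

```python
import struct

# Layout constants from the PE format (IMAGE_DOS_HEADER / IMAGE_FILE_HEADER / IMAGE_SECTION_HEADER).
E_LFANEW_OFFSET = 0x3C          # IMAGE_DOS_HEADER.e_lfanew
FILE_HEADER_FMT = "<HHIIIHH"    # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)
SECTION_SIZE = struct.calcsize(SECTION_FMT)

def section_headers(image: bytes):
    """Yield (name, PointerToRawData, SizeOfRawData) for each section header,
    refusing to read past the end of the buffer (truncated or hostile files)."""
    if len(image) < E_LFANEW_OFFSET + 4 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    fh_off = e_lfanew + 4
    if fh_off + FILE_HEADER_SIZE > len(image) or image[e_lfanew:fh_off] != b"PE\0\0":
        raise ValueError("bad PE signature or truncated NT headers")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, image, fh_off)
    sec_off = fh_off + FILE_HEADER_SIZE + opt_size  # section table follows the optional header
    if sec_off + nsec * SECTION_SIZE > len(image):
        raise ValueError("section table runs past end of file")
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, sec_off + i * SECTION_SIZE)
        yield name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size

def extract_section(image: bytes, wanted: str) -> bytes:
    """Return the raw on-disk bytes of the named section (b"" for a section with
    SizeOfRawData == 0, e.g. .bss). Raise if the header points outside the file."""
    for name, raw_ptr, raw_size in section_headers(image):
        if name == wanted:
            if raw_ptr + raw_size > len(image):
                raise ValueError(f"{wanted}: raw data extends past end of file")
            return image[raw_ptr:raw_ptr + raw_size]
    raise KeyError(wanted)

def build_sample_image() -> bytes:
    """Constructed minimal PE for this demo (not a loadable executable): DOS header,
    PE signature, file header with no optional header, two sections and their data."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (E_LFANEW_OFFSET - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0, 0, 0, 0, 0x0102)
    data_start = e_lfanew + 4 + FILE_HEADER_SIZE + 2 * SECTION_SIZE
    text, mysec = b"\xC3" * 16, b"hello from .mysec"
    text_hdr = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), data_start, 0, 0, 0, 0, 0x60000020)
    mysec_hdr = struct.pack(SECTION_FMT, b".mysec", len(mysec), 0x2000, len(mysec), data_start + len(text), 0, 0, 0, 0, 0x40000040)
    return dos + b"PE\0\0" + file_hdr + text_hdr + mysec_hdr + text + mysec

if __name__ == "__main__":
    print(extract_section(build_sample_image(), ".mysec"))  # b'hello from .mysec'
```

To run it on a real file, replace build_sample_image() with the bytes read from disk; the same bounds checks apply.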


Re: PE Format by Victor

Victor
Fri May 13 09:27:33 CDT 2005

Oleg,

Thanks, I'm reading the code :-)

Thanks,

VP
"Oleg Starodumov" <com-dot-debuginfo-at-oleg> wrote in message
news:uA8WX55VFHA.2700@TK2MSFTNGP12.phx.gbl...
>
>> I read the pedump and it has helped me a lot.
>>
>> But pedump just dumps the headers and I want to dump a section's "payload"
>> (the raw data inside this section).
>>
>
> Pedump can dump the section data, see the DumpRawSectionData function in
> Common.cpp
> (and use pedump with the /H option).
>
> Here is an article with more information, it also contains an updated
> version of pedump:
> http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
>
> Regards,
> Oleg
> [VC++ MVP]