;*******************************************************
;************* PEdump *********************
;************* beta version *********************
;************* Coder- Xanfa *********************
;************* Compile with FasmW *********************
;*******************************************************
;
; PE header dumper written entirely in fasm's assembly-time language: the
; target file is mapped with `virtual`/`file`, fields are read with `load`
; and the report is produced with `display` while the source assembles.
; Nothing is executed at run time, so a malformed input can only make the
; assembly fail (fasm should report an error for a `load` outside the
; virtual block); it cannot corrupt memory. There is, however, no graceful
; handling of such files anywhere below.
;
; NOTE(review): this copy is damaged (marked below): the text between
; "_rva" and "',string" is missing, likely an HTML tag-stripping artifact
; ("<" followed by a letter). Lost with it are the end of RVA_To_Offset,
; the Check_Zero_Byte macro used by Dump_Import_Table and the head of the
; Check_Character macro used by the *_Analys macros. Left byte-for-byte.

; display_hexcimal num,zero_display
;   Emit `num` at assembly time as "0x" followed by up to eight hex digits
;   (only the low 32 bits are shown; digits above 9 use 'A'..'F'). No
;   newline is emitted.
;   zero_display: when omitted, leading '0' digits are suppressed (the last
;   digit is always printed); when any value is passed, all eight digits
;   are printed.
macro display_hexcimal num,zero_display
{
  local x,y,c,bool
  x = num                      ; evaluate the expression once
  c = 7                        ; index of the nibble to print, 7 = most significant
  ; second argument omitted -> bool=0 -> suppress leading zeros
  if zero_display eq
    bool =0
  else
    bool =1
  end if
  display '0x'
  repeat 8
    y = x shr (c shl 2)        ; move nibble c down ...
    y = y and 0x0000000F       ; ... and isolate it
    c = c-1
    if y < 10
      y = y+'0'
    else
      y = y+'A'-10
    end if
    if (bool = 0)
      if (%=8)                 ; the last digit is always shown, even when '0'
        display y
      else if (y <> '0')       ; first non-zero digit: print from here on
        bool = 1
        display y
      end if
    else
      display y
    end if
  end repeat
}
;*********************************************
; displayx x
;   Print one item without a newline: a quoted string is displayed
;   verbatim, anything else is treated as a number and goes through
;   display_hexcimal (leading zeros suppressed).
macro displayx x
{
  if x eqtype ''
    display x
  else
    display_hexcimal x
  end if
}
;*********************************************
; displayx [x]
;   Variadic form: print every argument with the single-argument displayx
;   (a macro name used inside its own redefinition refers to the previous
;   definition), then one CR/LF.
macro displayx [x]
{
  displayx x
  common
  display 13,10
}
;*********************************************
; dumpw string,offset
;   Print `string`, then the 16-bit value stored at `offset` in the current
;   virtual block, then a newline.
macro dumpw string,offset
{
  local ww
  load ww word from offset
  displayx string,ww
}
;*********************************************
; dumpwx offset_start,[string]
;   Print a run of consecutive 16-bit fields starting at offset_start, one
;   labelled line per string argument, advancing 2 bytes per label.
macro dumpwx offset_start,[string]
{
  common
  local count
  count = offset_start
  forward
  dumpw string,count
  count = count+2
}
;*********************************************
; dumpdw string,offset
;   Print `string`, then the 32-bit value stored at `offset`, then a newline.
macro dumpdw string,offset
{
  local ddw
  load ddw dword from offset
  displayx string,ddw
}
;*********************************************
; dumpdwx offset_start,[string]
;   Print a run of consecutive 32-bit fields starting at offset_start, one
;   labelled line per string argument, advancing 4 bytes per label.
macro dumpdwx offset_start,[string]
{
  common
  local count
  count = offset_start
  forward
  dumpdw string,count
  count = count+4
}
;*********************************************
; dump2dwx offset_start,[string]
;   Print consecutive pairs of 32-bit fields (8 bytes per label) as
;   "string dw1--------dw2". Used for the data directory, whose entries
;   are (RVA, Size) pairs.
macro dump2dwx offset_start,[string]
{
  common
  local count,dw1,dw2
  count = offset_start
  forward
  load dw1 dword from count
  load dw2 dword from count+4
  count = count+8
  displayx string,dw1,'--------',dw2
}
;*********************************************
; dumpst offset
;   Print the zero-terminated byte string at `offset`, without a newline.
;   NOTE(review): there is no length limit; the loop keeps loading bytes
;   until it meets a zero, so a string that runs to the end of the mapped
;   file makes fasm stop with a load error rather than this tool reporting
;   it. See also its use on 8-byte section names in Dump_Section_Table.
macro dumpst offset
{
  local b
  load b byte from (offset)
  while (b<>0)
    display b
    load b byte from (offset+%)  ; % is the iteration counter, starting at 1
  end while
}
;*********************************************
; RVA_To_Offset _rva*,offset*
;   Translate the RVA in _rva to a file offset and store it in `offset`
;   (both arguments are mandatory). Section headers are taken to start at
;   pe+0F8h, i.e. right after a 0E0h-byte (PE32) optional header;
;   SizeOfOptionalHeader (pe+14h) is not consulted.
;   NOTE(review): `count= 0` assigns a name that is not declared local here.
;   The matching part of the loop is garbled in this copy (see below).
macro RVA_To_Offset _rva*,offset*
{
  local pe,ns
  load pe dword from 0x3C
  count= 0
  load ns word from pe+6
  local rvas1,rvas2,rawoff,addr
  repeat ns
    addr= pe+0F8h+(%-1)*28h             ; header of section % (1-based), 28h bytes each
    load rvas1 dword from addr+0Ch      ; this section's RVA
    if (%< ns)
      load rvas2 dword from addr+28h+0Ch  ; next section's RVA
    end if
    ; NOTE(review): garbled from here to the closing brace of Check_Character
    ; (see the file header note). Nothing on the next line can be checked.
    if (%=ns)|((_rva>=rvas1)&(_rva ',string end if }
;*********************************************
; Section_Character_Analys value
;   Describe IMAGE_SECTION_HEADER.Characteristics (addr+24h) by handing
;   `value` and a (flag, description) list to Check_Character.
;   NOTE(review): how Check_Character matches (bit test vs. equality) is
;   not visible in this copy; these entries need a bit test, and the
;   00100000h entry stands for the 00100000h..00800000h alignment field
;   rather than a single flag.
macro Section_Character_Analys value
{
  Check_Character value,\
    00000008h,'Section should not be padded to next boundary',\
    00000020h,'Section contains code',\
    00000040h,'Section contains initialised data',\
    00000080h,'Section contains uninitialised data',\
    00000200h,'Section contains comments for the linker',\
    00000800h,'Section contents will not become part of image',\
    00001000h,'Section contents comdat (Common Block Data)',\
    00008000h,'Section contents cannot be accessed relative to GP',\
    00100000h,'To 00800000 Boundary alignment settings',\
    01000000h,'Section contains extended relocations',\
    02000000h,'Section can be discarded',\
    04000000h,'Section is not cacheable',\
    08000000h,'Section is pageable',\
    10000000h,'Section is shareable',\
    20000000h,'Section is executable',\
    40000000h,'Section is readable',\
    80000000h,'Section is writable'
}
;*********************************************
; Image_Character_Analys value
;   Describe IMAGE_FILE_HEADER.Characteristics (pe+16h) through
;   Check_Character with a (flag, description) list.
macro Image_Character_Analys value
{
  Check_Character value,\
    0001h,'Relocation info stripped from file',\
    0002h,'File is executable (no unresolved external references)',\
    0004h,'Line numbers stripped from file',\
    0008h,'Local symbols stripped from file',\
    0010h,'Lets OS aggressively trim working set',\
    0020h,'App can handle >2Gb addresses',\
    0080h,'Low bytes of machine word are reversed',\
    0100h,'requires 32-bit WORD machine',\
    0200h,'Debugging info stripped from file into .DBG file',\
    0400h,'If image is on removable media, copy and run from swap file',\
    0800h,'If image is on a network, copy and run from swap file',\
    1000h,'System file',\
    2000h,'File is a DLL',\
    4000h,'File should only be run on a single-processor machine',\
    8000h,'High bytes of machine word are reversed'
}
;*********************************************
; Machine_Analys value
;   Name the architecture for the Machine word at pe+4. Values other than
;   the five listed are left to Check_Character, whose definition is not
;   visible in this copy.
macro Machine_Analys value
{
  Check_Character value,\
    014Ch,'Intel 386',\
    014Dh,'Intel 486',\
    014Eh,'Intel 586',\
    0200h,'Intel 64-bit',\
    0162h,'MIPS'
}
;*********************************************
; Optional_Magic_Analys value
;   Name the optional-header Magic word at pe+18h.
;   NOTE(review): the value is only reported; Dump_PE_Header dumps PE32
;   field offsets whether or not the magic is 020Bh.
macro Optional_Magic_Analys value
{
  Check_Character value,\
    010Bh,'32-bit executable image',\
    020Bh,'64-bit executable image',\
    0107h,'ROM image'
}
;*********************************************
;*********************************************
;*********************************************
; Dump_Dos_Header
;   Dump the IMAGE_DOS_HEADER words from offset 0 and e_lfanew at 3Ch.
;   NOTE(review): the 18 labels cover offsets 0..23h, but e_res occupies
;   four words (1Ch..23h) and only one 'Reserved words' label precedes the
;   OEM labels, so 'OEM identifier'/'OEM information' are printed for
;   offsets 1Eh/20h while the OEM fields actually sit at 24h/26h.
macro Dump_Dos_Header
{
  displayx ''
  displayx '*************DOS HEADER***************************'
  displayx ''
  dumpwx 0,\
    'Magic DOS signature: ',\
    'Bytes on last page of file: ',\
    'Pages in file: ',\
    'Relocations: ',\
    'Size of header in paragraphs: ',\
    'Minimum extra paragraphs needed: ',\
    'Maximum extra paragraphs needed: ',\
    'Initial (relative) SS value: ',\
    'Initial SP value: ',\
    'Checksum: ',\
    'Initial IP value: ',\
    'Initial (relative) CS value: ',\
    'File address of relocation table: ',\
    'Overlay number: ',\
    'Reserved words: ',\
    'OEM identifier: ',\
    'OEM information: ',\
    'Reserved words: '
  dumpdw 'PE header offset: ',0x3C
}
;*********************************************
; Dump_PE_Header
;   Dump IMAGE_FILE_HEADER, the optional header and 16 data-directory
;   entries, with pe = e_lfanew read from offset 3Ch.
;   NOTE(review): every offset from pe+18h on is that of a PE32 (010Bh)
;   optional header and nothing branches on op_magic, so a PE32+ image is
;   mislabelled from 'BaseOfData' onward. SizeOfOptionalHeader and
;   NumberOfRvaAndSizes are printed but not used to bound what follows.
macro Dump_PE_Header
{
  displayx ''
  displayx '*************PE HEADER***************************'
  displayx ''
  local pe
  load pe dword from 0x3C
  dumpdw 'PE Signature: ',pe
  dumpw 'Machine: ',pe+4
  local machine
  load machine word from pe+4
  Machine_Analys machine
  dumpw 'Number Of Sections: ',pe+6
  dumpdwx pe+8,\
    'TimeDateStamp: ',\
    'PointerToSymbolTable: ',\
    'NumberOfSymbols: '
  dumpwx pe+14h,\
    'SizeOfOptionalHeader: ',\
    'Characteristics: '
  local character
  load character word from pe+16h
  Image_Character_Analys character
  displayx '-------------optional header---------------------------'
  dumpw 'Magic: ',pe+18h
  local op_magic
  load op_magic word from pe+18h
  Optional_Magic_Analys op_magic
  local bb
  load bb byte from pe+1ah
  displayx 'MajorLinkerVersion: ',bb
  load bb byte from pe+1bh
  displayx 'MinorLinkerVersion: ',bb
  dumpdwx pe+1Ch,\
    'SizeOfCode: ',\
    'SizeOfInitializedData: ',\
    'SizeOfUninitializedData: ',\
    'RVA Of EntryPoint: ',\
    'BaseOfCode: ',\
    'BaseOfData: ',\
    'ImageBase: ',\
    'SectionAlignment: ',\
    'FileAlignment: '
  dumpwx pe+40h,\
    'MajorOperatingSystemVersion: ',\
    'MinorOperatingSystemVersion: ',\
    'MajorImageVersion: ',\
    'MinorImageVersion: ',\
    'MajorSubsystemVersion: ',\
    'MinorSubsystemVersion: '
  dumpdwx pe+4Ch,\
    'Reserved1: ',\
    'SizeOfImage: ',\
    'SizeOfHeaders: ',\
    'CheckSum: '
  dumpwx pe+5Ch,\
    'Subsystem: ',\
    'DllCharacteristics: '
  dumpdwx pe+60h,\
    'SizeOfStackReserve: ',\
    'SizeOfStackCommit: ',\
    'SizeOfHeapReserve: ',\
    'SizeOfHeapCommit: ',\
    'LoaderFlags: ',\
    'NumberOfRvaAndSizes: '
  displayx '-------------data directory---------------------------'
  displayx 'Directory--------RVA---------Size'
  ; all 16 entries are dumped regardless of NumberOfRvaAndSizes
  dump2dwx pe+78h,\
    'Export: ',\
    'Import: ',\
    'Resource: ',\
    'Exception: ',\
    'Security: ',\
    'Fixups: ',\
    'Debug: ',\
    'Description: ',\
    'MIPS GP: ',\
    'TLS: ',\
    'Load Config: ',\
    'Bound Import: ',\
    'Import Table: ',\
    'Delay Import: ',\
    'COM Runtime: ',\
    ': '
}
;*********************************************
; Dump_Section_Table
;   Dump every IMAGE_SECTION_HEADER (NumberOfSections at pe+6, 28h bytes
;   each) and decode its Characteristics.
;   NOTE(review): the table is located at pe+0F8h, which assumes a 0E0h
;   (PE32) optional header; pe+18h+SizeOfOptionalHeader would hold for any
;   header size. The name is printed with dumpst, which has no 8-byte cap:
;   an 8-character name has no terminator, so printing continues into the
;   VirtualSize bytes at addr+8 until a zero byte appears.
macro Dump_Section_Table
{
  local pe
  load pe dword from 0x3C
  displayx ''
  displayx '*************SECTION TABLE***************************'
  displayx ''
  local numSection
  load numSection word from pe+6
  local addr,count,character
  repeat numSection
    count=%
    addr = pe+0F8h+(count-1)*28h
    displayx '-------------------------------------------------------------'
    displayx '^^^^^^^^^^ Section ',count,' ^^^^^^^^^^'
    display 'Name: "'
    dumpst addr
    displayx '"'
    dumpdwx addr+8,\
      'Vitual Size: ',\
      'RVA of section: ',\
      'Size of Raw data: ',\
      'Raw offset: ',\
      'pointerToRelocations: ',\
      'PointerToLinenumbers: '
    dumpwx addr+20h,\
      'NumberOfRelocations: ',\
      'NumberOfLineNumbers: '
    dumpdw 'Characteristics: ',addr+24h
    load character dword from addr+24h
    Section_Character_Analys character
  end repeat
}
;*********************************************
; Dump_Export_Table
;   Dump IMAGE_EXPORT_DIRECTORY (data directory entry 0 at pe+78h) after
;   converting its RVA to a file offset, then list exported functions.
;   ImageBase is read from pe+34h (PE32 layout) to turn each EAT entry into
;   a VA; the three arrays (EAT at et+1Ch, ENT at et+20h, EOT at et+24h)
;   are converted to file offsets before use.
;   NOTE(review): the name-lookup part of the per-function loop is garbled
;   in this copy (marked below); nothing after
;   `display_hexcimal addr+ImageBase,` can be checked here.
macro Dump_Export_Table
{
  displayx ''
  displayx '*************EXPORT TABLE**********************'
  displayx ''
  local et,pe
  load pe dword from 0x3C
  load et dword from pe+78h
  if (et<>0)
    RVA_To_Offset et,et
    dumpdwx et,\
      'Characteristics: ',\
      'TimeDateStamp: '
    dumpwx et+8,\
      'MajorVersion: ',\
      'MinorVersion: '
    dumpdwx et+0Ch,\
      'RVAofDLLname: ',\
      'BaseOrdinal: ',\
      'NumberOfFunctions: ',\
      'NumberOfNames: ',\
      'RVA of EAT: ',\
      'RVA of ENT: ',\
      'RVA of EOT: '
    displayx '----------------------------------'
    local x
    load x dword from et+0Ch
    RVA_To_Offset x,x
    display 'Internal Name: '
    dumpst x
    displayx ''
    displayx 'Functions exported by name: '
    displayx 'Ord-------VA-------------Name'
    local arrayname,arrayaddress,arrayordinal
    load arrayaddress dword from et+1Ch
    load arrayname dword from et+20h
    load arrayordinal dword from et+24h
    RVA_To_Offset arrayname,arrayname
    RVA_To_Offset arrayaddress,arrayaddress
    RVA_To_Offset arrayordinal,arrayordinal
    local numFunc,numName,ImageBase,baseOrd
    load numFunc dword from et+14h
    load numName dword from et+18h
    load baseOrd dword from et+10h
    load ImageBase dword from pe+34h
    local name,addr,count,Ord,cn
    count= 0
    repeat numFunc
      cn =%-1                           ; zero-based index into the EAT
      display_hexcimal (baseOrd+cn)     ; ordinal = Base + index
      display ' - '
      load addr dword from arrayaddress+cn*4
      ; NOTE(review): garbled from here to the `else` below (see the file
      ; header note); the remaining closers suggest an inner loop over the
      ; name/ordinal arrays, but its text is missing.
      display_hexcimal addr+ImageBase, if (count ' dumpst name count= count+1 break end if end repeat end if displayx '' end repeat
  else
    displayx 'Not present !'
  end if
}
;*********************************************
; Dump_Import_Table
;   Dump each IMAGE_IMPORT_DESCRIPTOR (data directory entry 1 at pe+80h,
;   14h bytes per descriptor) and the thunks it references.
;   NOTE(review): Check_Zero_Byte presumably sets bool when the 14h bytes
;   at the given offset are all zero (the terminating descriptor); its
;   definition is lost in this copy. Thunks are walked from
;   OriginalFirstThunk (tb+0) only, with no fallback to FirstThunk (tb+10h)
;   when it is zero, so such a descriptor would be read from RVA 0. The
;   ordinal test requires bits 28..30 clear as well as bit 31, and the
;   else branch prints the low 28 bits where the ordinal is the low 16.
macro Dump_Import_Table
{
  displayx ''
  displayx '*************IMPORT TABLE**********************'
  local it,pe
  load pe dword from 0x3C
  load it dword from pe+80h
  if (it<>0)
    RVA_To_Offset it,it
    local bool
    Check_Zero_Byte it,14h,bool
    local tb,name,d,n,hint
    while (~bool)
      tb=%                              ; descriptor number, for the banner only
      displayx ''
      displayx '-------------- Import library ',tb,'--------------'
      tb= it+(%-1)*14h                  ; file offset of descriptor %
      load name dword from tb+0Ch
      RVA_To_Offset name,name
      display 'Library Name: '
      dumpst name
      displayx ''
      displayx '--------------------------------------'
      dumpdwx tb,\
        'RVA OriginalFirstThunk: ',\
        'TimeDateStamp: ',\
        'ForwarderChain: ',\
        'RVA Of Name: ',\
        'RVA FirstThunk: '
      displayx '--------------------------------------'
      display 'Functions Imported from: '
      dumpst name
      displayx ''
      displayx 'Hint-------Name'
      load d dword from tb              ; OriginalFirstThunk RVA
      RVA_To_Offset d,d
      load n dword from d
      while (n<>0)
        if ((n and 0xF0000000)<>0x80000000)
          RVA_To_Offset n,n             ; n -> IMAGE_IMPORT_BY_NAME: hint word, then name
          load hint word from n
          display_hexcimal hint
          display ' <- '
          dumpst n+2
        else
          displayx (n and 0x0FFFFFFF)   ; import by ordinal
        end if
        displayx ''
        load n dword from d+%*4         ; next thunk (% = iteration counter)
      end while
      Check_Zero_Byte tb+14h,14h,bool   ; stop at the all-zero descriptor
    end while
  else
    displayx 'Not present !'
  end if
}
;*********************************************
; PEdump target
;   Map the file named by the quoted string `target` at virtual address 0
;   and run the dumps above on it. Accepts 'MZ' or 'ZM' as the DOS
;   signature and requires 0 < e_lfanew < file size and 'PE' at e_lfanew.
;   NOTE(review): only e_lfanew itself is range-checked; the 'PE' word, the
;   headers, the section table and every RVA converted afterwards are not,
;   so a truncated or malformed file ends the assembly with a load error
;   instead of one of the messages below. `bb` is not declared local here.
macro PEdump target
{
  if target eqtype ''
    virtual at 0
      file target:0
      local file_size
      file_size=$                       ; $ after `file` = number of bytes loaded
      displayx '------------------------------------------------------------'
      displayx 'Dumping file: ',target
      displayx 'File size: ',file_size,' bytes'
      displayx '------------------------------------------------------------'
      load bb word from 0
      if (bb='MZ')|(bb='ZM')
        Dump_Dos_Header
        load bb dword from 0x3C
        if (bb<(file_size))&(bb>0)
          load bb word from bb
          if (bb='PE')
            Dump_PE_Header
            Dump_Section_Table
            Dump_Export_Table
            Dump_Import_Table
            display ''
          else
            displayx "Error: This isn't a PE file !"
          end if
        else
          displayx "Error: This isn't a PE file !"
        end if
      else
        displayx "Error: No 'MZ' Signature => No .EXE file !"
      end if
    end virtual
  else
    displayx 'Error: Paramater must be quote string for file name !'
  end if
}
;*********************************************
; PEdump [f]
;   Variadic form: list all file names, print a separator, then dump each
;   file with the single-argument PEdump (the previous definition).
macro PEdump [f]
{
  common
  displayx 'List file to Dump:'
  forward
  displayx f
  common
  displayx '############################################################'
  forward
  PEdump f
}
;**************************************************************
;****** Implementation ****************************************
;**************************************************************
; Banner, then the files to dump (edit this list to analyse other images).
displayx "--PEdump--"
displayx "Coder - Xanfa"
displayx "Using Fasm's interpretative language !"
displayx "------------------------------------------------------------"
PEdump 'c:\windows\system32\kernel32.dll',\
       'c:\windows\system32\user32.dll'