Various improvements for readpe #200
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
pali
commented
Oct 9, 2023
pali
commented
- Add new machines types
- Add image characteristic IMAGE_FILE_16BIT_MACHINE
- Add missing image dll characteristics
- Add missing subsystems
- Recognize all known section characteristics
- Add support for parsing loader flags
- Validate size of PE optional header
- Add support for parsing long section names
- Add support for parsing PE object files
- Add support for parsing PE ROM files
- Add machine type for old Alpha
- Add IMAGE_FILE_MACHINE_OMNI
- Add support for parsing Win32VersionValue
- Update information about IMAGE_FILE_BYTES_REVERSED
- Remove NE signature check
- Show PE signature if present in readpe output
IMAGE_FILE_MACHINE_POWERPCBE from https://github.com/microsoft/microsoft-pdb/blob/master/cvdump/dumppdb.cpp#L19 IMAGE_FILE_MACHINE_ARM64EC from https://learn.microsoft.com/en-us/windows/arm/arm64ec IMAGE_FILE_MACHINE_ARM64X from https://learn.microsoft.com/en-us/windows/arm/arm64x-pe IMAGE_FILE_MACHINE_CHPE_X86 from Windows 10 WDK 10.0.16299.0 ntimage.h IMAGE_FILE_MACHINE_LOONGARCH32 from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types IMAGE_FILE_MACHINE_LOONGARCH64 from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types IMAGE_FILE_MACHINE_RISCV32 from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types IMAGE_FILE_MACHINE_RISCV64 from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types IMAGE_FILE_MACHINE_RISCV128 from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#machine-types
It is defined in DDK's ntimage.h file.
IMAGE_LIBRARY_PROCESS_* from PECOFF 4.0 spec (archived at https://bytepointer.com/resources/pecoff_v4.0.htm) IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#dll-characteristics IMAGE_DLLCHARACTERISTICS_APPCONTAINER from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#dll-characteristics IMAGE_DLLCHARACTERISTICS_GUARD_CF from https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#dll-characteristics IMAGE_DLLCHARACTERISTICS_X86_THUNK from WDK ntimage.h and US6385567 patent (https://patents.google.com/patent/US6385567) Note that IMAGE_LIBRARY_PROCESS_* and IMAGE_DLLCHARACTERISTICS_X86_THUNK are only for DLL files; IMAGE_DLLCHARACTERISTICS_APPCONTAINER is for EXE files. IMAGE_DLLCHARACTERISTICS_X86_THUNK and IMAGE_DLLCHARACTERISTICS_APPCONTAINER have really same number flags.
Subsystem 4 is mentioned WDK ntimage.h as Old Windows CE subsystem Subsystem 8 is supported by MSVC4 LINK.EXE by /SUBSYSTEM:MMOSA flag and refers to MMOSA Native Win32E (embedded) API (https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-97-18.doc) Subsystem 17 (IMAGE_SUBSYSTEM_XBOX_CODE_CATALOG) is defined in Windows 10 SDK 1607 winnt.h
Information was gathered from various versions of SDK files ntimage.h, winnt.h and pecoff*.doc documents and also from behavior of MSVC40 CL.EXE (including M68K version), LINK.EXE and DUMPBIN.EXE. Machine type M68K has its own meaning of some flags (PROTECTED, FARDATA, SYSHEAP, PURGEABLE, LOCKED, PRELOAD) which are specific for the old classic Mac OS memory management. Some of these M68K specific flags have same values as other non-M68K flags, so parsing of section characteristics is machine type dependent. Fix also printing section characteristics names, handle IMAGE_SCN_ALIGN_* enum correctly (it is enum inside of bitfield) and always print all names, including those which should not be used for particular file type. This allows to easily inspect generated PE binary if it does not have some additional characteristics which it should not have.
Loader flags for DLL libraries are defined in older PECOFF 4.0 spec (archived at https://bytepointer.com/resources/pecoff_v4.0.htm) Loader flags for application executables are defined in WDK ntimage.h file Note that IMAGE_LOADER_FLAGS_BREAK_ON_LOAD and IMAGE_LOADER_FLAGS_COMPLUS have really same value.
SizeOfOptionalHeader is size of IMAGE_OPTIONAL_HEADER_32 and size of all directories entries (which is variable count and can be also zero).
Long section names are stored in string table and name in the section field contains a slash that is followed by an ASCII representation of a decimal number that is an offset into the string table.
Object file does not have neither MZ header nor PE\0\0 signature nor optional header.
PE ROM file does not have neither MZ header nor PE\0\0 signature. PE ROM file has either MAGIC_ROM optional header (for machine types R3000, R4000, R10000, ALPHA) or MAGIC_PE32 optional header (for all other machine types like: I386, MPPC_601, POWERPC, ...). When MAGIC_ROM optional header is present then PE Characteristics flags have different meaning. PE ROM file can be created by older LINK.EXE (from MSVC 4.0 or older) via /ROM command line switch. All information was taken from LINK.EXE behavior and DUMPBIN.EXE outputs.
During NT/Alpha development, the magic number definition in Alpha images was incremented by one. Old Alpha value is described in Peering Inside the PE: A Tour of the Win32 Portable Executable File Format by Matt Pietrek, March 1994: https://web.archive.org/web/20080905063304/http://msdn.microsoft.com/en-us/magazine/ms809762.aspx
Machine type 0xace1 is Microsoft OMNI VM (omniprox.dll).
Meaning of Win32VersionValue is described at https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/api/pebteb/peb/index.htm
Microsoft PE 32-Bit LINK.EXE Version 1.00 (part of NT 3.1 SDK) always sets both IMAGE_FILE_BYTES_REVERSED_LO and IMAGE_FILE_BYTES_REVERSED_HI bits but produced PE executables do not have any word reversed. New Microsoft Linker versions do not set these bits anymore. Nowadays these bits are not set by any linker, they are deprecated and so their original meaning was forgotten. Both bits are in the same bit position of in each byte of the short word and so any of them can be tested, so 16-bit test mask is endian independent. It was designed that both bits are set when bytes of the word are reversed from CPU defaults (e.g. Big Endian I386 PE binary would have both bits as the default word ordering for I386 is Little Endian). But because PE executables produced by the NT 3.1 SDK do not follow it, these bits are unreliable and mostly useless.
libpe/readpe does not support parsing 16-bit Windows NE structures, so it does not make sense to try detect NE signature. Note that detection never worked because NE signature is just 16-bit "NE", not 32-bit "NE\0\0".
PE ROM files and PE object files do not have PE\0\0 signature. To easily figure out this fact, show PE signature in the readpe output.
|
@GoGoOtaku if you need some help or some explanation of something there, just ask me. |
|
First of all: Thank you very much for this. My biggest issue is that I know very little about PE ROMs and none of my test executables are ROMs. I didn't like And again thank you very much. |
You can generate x86 PE ROM binary very easily by MSVC4 linker. Other machine types can be generated by flags:
But you need either compiler for those machine types or you can use a trick that MSVC linker can take also binary resource file and generate from it PE executable. Flags like
Feel free to invent other / better name and rename the function. |
This is merged now |
|
I merged manually due to some conflicts and github doesn't like this |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.