Questions tagged [pe]
A file format for Windows executables, object code, DLLs, and more. Commonly found extensions of PE files include .exe, .dll, .ocx, .sys, and .scr.
253 questions
0 votes, 0 answers, 39 views
Why mov empty block to register?
Why MOV a bunch of 00s to register?
I have seen these empty blocks a lot of times being referenced this way.
0 votes, 0 answers, 22 views
Dumping all import symbols from x64dbg
I want to export the symbol addresses from all loaded modules in x64dbg. I know I can do this DLL-by-DLL from the Symbols tab (click on one module > right click in table > Copy > Export Table)...
2 votes, 2 answers, 105 views
Tracing all functions in executable conditionally, to find function of interest
I would like to alter the behavior of some executable (in my case, a videogame). One way of doing this is to hook function calls (e.g., a function like Player::ReceiveDamage) and adjust parameters/...
0 votes, 2 answers, 83 views
Does a Windows MSI/installer function similarly to a portable file in PE format?
I'm trying to determine whether a Windows MSI or installer .exe is considered the same as a portable file .exe in the Portable Executable (PE) format, or if it's considered a dropper. What are the ...
0 votes, 0 answers, 45 views
How do I force IDA to reload PE Header and/or segments?
Introduction
I started analyzing an exe, added many comments, structs, byte patches, etc.
After 2 months of working on this file I used CFF Explorer to add a new section at the end of it called "....
1 vote, 1 answer, 86 views
Ghidra not displaying member function call
On lines 67, 70 and 77 Ghidra makes a call to what I assume is a member function, but it does not show me which member function. Why is that?
Example from line 70:
(**(code **)(*(longlong *)metaStream ...
0 votes, 0 answers, 40 views
How to embed PE files into another PE file
So what I want to do basically is what BDFproxy does on the go, I want to modify a file (on the disk) to embed another PE in it and have both working, it does not matter if they work concurrently or ...
0 votes, 0 answers, 54 views
Executable Opcodes of Windows Image File Seem Offset from My Calculations
Background:
I'm trying to manually disassemble a practice executable file for practice.
https://github.com/stryker2k2/dbg-demo/blob/master/assem/assem_0x00.asm
Issue:
When I take a look at what I ...
20 votes, 10 answers, 8k views
Determining if a file is managed code or not
How can I quickly tell if an EXE or DLL I have is managed code or not?
I spent some time recently trying to disassemble a file and then later learned through some traces in the code that I could have ...
3 votes, 3 answers, 2k views
Exports that redirect to another library
I'm writing an analog of the GetProcAddress function. When looking inside the export table I see exports like this, in advapi32.dll for example:
.text:4C362BAA aEventregister db 'EventRegister',0 ;...
1 vote, 2 answers, 291 views
advapi32.dll changes name of function during forwarding of exports
I'm trying my hand at writing a manual mapper, for injection of DLLs into other processes.
I've come to the point where I've written a simple "Hello World" .dll that I'm trying to inject ...
3 votes, 2 answers, 297 views
Inspect executable binary similarity
I've found a company in China selling software that is clearly a copy of my own work. For context, this is actually a physical product that comes with an Ubuntu computer and the software pre-...
0 votes, 1 answer, 151 views
How to convert variable to struct member in IDA?
I'm working on a Windows program which is walking the PEB Ldr list. The related types are as follows:
struct LDR_DATA_TABLE_ENTRY {
LIST_ENTRY InLoadOrderLinks; // offset = 0, size = 0x10
...
0 votes, 0 answers, 42 views
Exe self-modifies strings searched in debugger
I'm studying a Windows binary file and while searching for some string I noticed the EXE modifies the searched string, e.g., if I search "This is a string", it's modified to "his is a ...
2 votes, 2 answers, 202 views
How can I extract a *.c file hidden in an executable file (SkiFree)
I am a person interested in old games (MS DOS and 16-bit Windows only) and programming. In 2020, I saw an article about hacking SkiFree somewhere on the internet and as soon as I followed the ...