Questions tagged [pe]
a file format for Windows executables, object code, DLLs, and more. Commonly found extensions of PE files include .exe, .dll, .ocx, .sys, and .scr.
253 questions
Unpacking binaries in a generic way
43 votes, 3 answers, 28k views
I find that more and more often binaries are being packed with exe protectors such as upx, aspack etc. I tried to follow a few tutorials on how to unpack them but the examples are often quite easy ...
Is there any way to decompile a .NET assembly or program?
42 votes, 8 answers, 82k views
Are there any tools available to take an already compiled .dll or .exe file that you know was compiled from C# or Visual Basic and obtain the original source code from it?
How do you reverse engineer an EXE "compiled" with PyInstaller
40 votes, 5 answers, 136k views
Having recently watched/read a presentation given by Dave Kennedy at DEF CON 20 [PDF], I'd like to know how to decompile a Python script compiled with PyInstaller.
In his presentation, he is creating ...
Check if exe is 64-bit
22 votes, 4 answers, 8k views
How to check if a Windows executable is 64-bit by reading only its binary, without executing it and without using any tools like the SDK tool dumpbin.exe with the /headers option.
Determining if a file is managed code or not
20 votes, 10 answers, 8k views
How can I quickly tell if an EXE or DLL I have is managed code or not?
I spent some time recently trying to disassemble a file and then later learned through some traces in the code that I could have ...
Checking if an .exe is actually a .jar wrapped in an .exe
19 votes, 4 answers, 15k views
Let's say I have a .jar file and wrap it into a .exe using any number of free utilities out there, like JSmooth.
Would it be possible to tell, given just the .exe, if it was generated using one such ...
windows - Why is the imagebase default 0x400000?
14 votes, 2 answers, 10k views
Having stumbled upon this question (and answer): https://stackoverflow.com/questions/2170843/va-virtual-adress-rva-relative-virtual-address on my quest for understanding Windows' PE format, I'm ...
Any way to represent the file-memory relation in a Portable Executable (PE) file?
14 votes, 2 answers, 609 views
I am looking for a way to automatically represent the relation between the content of a PE file and how it would be loaded in memory - either an IDA plugin, a combination of pefile script+R/SVG...
...
Is there any way to get my own image base without calling any WinAPI functions, such as GetModuleHandle?
11 votes, 3 answers, 4k views
Is there any way to get the image base of an .exe without calling WinAPI functions (i.e. imported functions) so that it can't be easily viewed in a disassembler/debugger?
I've been thinking of ...
PE .rdata section contents
10 votes, 2 answers, 13k views
According to MSDN, the .rdata section of a PE should contain the debug directory and the description string. I've read elsewhere that it contains read-only program data. Dumping several files, I found ...
How is the .reloc section used in a PE file?
10 votes, 1 answer, 16k views
I have read document pecoff_v83 of Microsoft. In the .reloc section part, I have read:
The Fix-Up Table contains entries for all fixups in the image. The Total Fix-Up Data Size in the Optional ...
How can one extract the appended data of a Portable Executable?
9 votes, 3 answers, 10k views
How do you reliably extract appended data in a Portable Executable?
Loading Windows executable - unexpected data appended at beginning of sections after loading in memory
9 votes, 1 answer, 578 views
A few days after asking the question I realised I had misinterpreted my original findings. It seems the .rdata section on file is copied directly to memory, but then the first 36 bytes are overwritten by the loader ...
Ripping/pasting code into an executable using Olly
8 votes, 3 answers, 2k views
I'm working with some x86 assembly code and I need to rip from one executable and paste that code into another.
Originally, I had an executable that was meant to accept two command line parameters and ...
Can I set entry point at code in PE headers?
8 votes, 1 answer, 1k views
If I set something like 0x00000040 (my code is located at this address), then the program crashes with this error:
The application was unable to start correctly (0xc000007b)
But if I jmp from the ...