Jump to content
Tuts 4 You

PE Parser [assembly]


ding

Recommended Posts

Hello ,

I started working on my own PE parsing tool in assembly language (MASM) and am using RadASM as my main IDE.

assume edi:ptr IMAGE_DOS_HEADER
lea eax,[edi].e_magic
invoke SendMessage,hEdit,WM_SETTEXT,0,eax

This line of code suppose to output the following : " MZ ", it does for some executables exept Delphi executables it shows "MZP" instead.

The question here is that what (e_cblp) byte is doing here ? as far as i know e_magic field is just a word sized. e_magic = $5A4D am really confused right now !

 

 

Edited by ding (see edit history)
Link to comment
43 minutes ago, kao said:

That field has no meaning for Windows (PE) executables. You can put whatever you like there.

It's a part of DOS EXE header. You can find unofficial DOS EXE specifications for example, here: http://www.delorie.com/djgpp/doc/exe/ or here http://www.textfiles.com/programming/FORMATS/exefs.pro.

 

Hi kao, 

Am not sure what do you mean by "You can put whatever you like there" , if you change the "MZ" signature the executable won't run.

I switched to hex view : this displays ($4D5A) = MZ , I guess this is good since all other values will be displayed in hex too !

assume edi:ptr IMAGE_DOS_HEADER
xor eax,eax
mov ax,word ptr [edi].e_magic
mov tmp,ax
invoke wsprintf,addr szBuffer,addr magic,tmp

 

 

Link to comment

Hi,

you dont need to parse the ASCII strings like "MZ" with each other.Just read the hex values and use them to compare it with any other values you did read in hex from any other file etc.

You can use CFF Explorer to see whole PE infos at once.Maybe you wanna do or handle it like that too etc.

greetz

  • Like 1
Link to comment
1 hour ago, LCF-AT said:

Hi,

you dont need to parse the ASCII strings like "MZ" with each other.Just read the hex values and use them to compare it with any other values you did read in hex from any other file etc.

You can use CFF Explorer to see whole PE infos at once.Maybe you wanna do or handle it like that too etc.

greetz

Hi LCF, Happy to see you here 

Am actually Fascinated with "CFF Explorer"  although it's complicated and time consuming to write something similar , however I have the energy to start workign on it.

Regards, 

Edited by ding (see edit history)
Link to comment
On 5/31/2020 at 3:40 PM, ding said:

 


assume edi:ptr IMAGE_DOS_HEADER
lea eax,[edi].e_magic
invoke SendMessage,hEdit,WM_SETTEXT,0,eax

This line of code suppose to output the following : " MZ ", it does for some executables exept Delphi executables it shows "MZP" instead.

 

Your assumption is wrong. You're displaying string. So it will display whatever there is till null terminator byte. If You would put there "Hello world" it would display it and it wouldn't matter that Your exe would be invalid.

 

image.png.36b2358f2cedc78583cf0edf04868bef.png

Edited by ToMKoL (see edit history)
Link to comment
3 minutes ago, ToMKoL said:

Your assumption is wrong. You're displaying string. So it will display whatever there is till null terminator byte. If You would put there "Hello world" it would display it and it wouldn't matter that Your exe would be invalid.

 

image.png.36b2358f2cedc78583cf0edf04868bef.png

It's string formated using "wsprintf" so it will display the ascii representation of the first two bytes 4D 5A (am not using it) 

I performed a check for the MZ signature in this case when it founds 00 01 instead of 4D 5A it will notify the user that the file is not a valid executable.

cmp word ptr [edi].e_magic,IMAGE_DOS_SIGNATURE
jnz Error

 

Link to comment
Teddy Rogers

It seems like you may be trying to reinvent the wheel. The PE Format is well documented in the Windows Dev Center.

You can use Windows API's to map, parse, verify and manipulate PE files...

Ted.

Link to comment

 

8 hours ago, Teddy Rogers said:

It seems like you may be trying to reinvent the wheel. The PE Format is well documented in the Windows Dev Center.

You can use Windows API's to map, parse, verify and manipulate PE files...

Ted.

Hi Ted, 

Am not trying to reinvent the wheel , I want to apply what I've learned in Goppit's tutorial and to learn more about assembly language . ☺️

3 hours ago, Bartosz Wójcik said:

Read the f******g documentation right :)

Hi Bartosz , nice to see you here

As I said before it's all about knowledge , am not interesed in ready PE Parsers ... 

I've already read Goppit's tutorial why should I read the documentation again ?

(masm32/include/windows.inc) + "win32api.HLP" is all what I need for the moment.

 

Greetz

 

Edited by ding (see edit history)
Link to comment
Teddy Rogers
On 6/2/2020 at 4:55 AM, ding said:

Am not trying to reinvent the wheel , I want to apply what I've learned in Goppit's tutorial and to learn more about assembly language . ☺️

All good. Wanted to be sure you knew the documentation existed and there are Windows API's to help speed up development.

I just realised Portable Executable Format (PE) category in Downloads should have had quite a bit of information on this topic. I have not yet uploaded the files. Will try to do it over the weekend, there will likely be some useful information for you there...

Ted.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...