Jump to content
Tuts 4 You

PE Parser [assembly]

ding

By ding
in Programming and Coding

Recommended Posts

ding

ding

Posted
Posted (edited)

Hello ,

I started working on my own PE parsing tool in assembly language (MASM) and am using RadASM as my main IDE. 

assume edi:ptr IMAGE_DOS_HEADER
lea eax,[edi].e_magic
invoke SendMessage,hEdit,WM_SETTEXT,0,eax

This line of code suppose to output the following : " MZ ", it does for some executables exept Delphi executables it shows "MZP" instead.

The question here is that what (e_cblp) byte is doing here ? as far as i know e_magic field is just a word sized. e_magic = $5A4D am really confused right now !

 

 

Edited by ding
Link to comment
ding

ding

Posted
  • Author
Posted
43 minutes ago, kao said:

That field has no meaning for Windows (PE) executables. You can put whatever you like there.

It's a part of DOS EXE header. You can find unofficial DOS EXE specifications for example, here: http://www.delorie.com/djgpp/doc/exe/ or here http://www.textfiles.com/programming/FORMATS/exefs.pro.

 

Hi kao, 

Am not sure what do you mean by "You can put whatever you like there" , if you change the "MZ" signature the executable won't run.

I switched to hex view : this displays ($4D5A) = MZ , I guess this is good since all other values will be displayed in hex too ! 

assume edi:ptr IMAGE_DOS_HEADER
xor eax,eax
mov ax,word ptr [edi].e_magic
mov tmp,ax
invoke wsprintf,addr szBuffer,addr magic,tmp

 

 

Link to comment
kao

kao

Posted
Posted

To clarify - I meant the "e_cblp" field you were asking about. You can put any value in it.

"e_magic" of course has to be "MZ".

  • Like 1
Link to comment
LCF-AT

LCF-AT

Posted
Posted

Hi,

you dont need to parse the ASCII strings like "MZ" with each other.Just read the hex values and use them to compare it with any other values you did read in hex from any other file etc.

You can use CFF Explorer to see whole PE infos at once.Maybe you wanna do or handle it like that too etc.

greetz

  • Like 1
Link to comment
ding

ding

Posted
  • Author
Posted (edited)
1 hour ago, LCF-AT said:

Hi,

you dont need to parse the ASCII strings like "MZ" with each other.Just read the hex values and use them to compare it with any other values you did read in hex from any other file etc.

You can use CFF Explorer to see whole PE infos at once.Maybe you wanna do or handle it like that too etc.

greetz

Hi LCF, Happy to see you here 

Am actually Fascinated with "CFF Explorer"  although it's complicated and time consuming to write something similar , however I have the energy to start workign on it.

Regards, 

Edited by ding
Link to comment
ToMKoL

ToMKoL

Posted
Posted (edited)
On 5/31/2020 at 3:40 PM, ding said:

  


assume edi:ptr IMAGE_DOS_HEADER
lea eax,[edi].e_magic
invoke SendMessage,hEdit,WM_SETTEXT,0,eax

This line of code suppose to output the following : " MZ ", it does for some executables exept Delphi executables it shows "MZP" instead.

 

Your assumption is wrong. You're displaying string. So it will display whatever there is till null terminator byte. If You would put there "Hello world" it would display it and it wouldn't matter that Your exe would be invalid.

 

image.png.36b2358f2cedc78583cf0edf04868bef.png

Edited by ToMKoL
Link to comment
ding

ding

Posted
  • Author
Posted
3 minutes ago, ToMKoL said:

Your assumption is wrong. You're displaying string. So it will display whatever there is till null terminator byte. If You would put there "Hello world" it would display it and it wouldn't matter that Your exe would be invalid.

 

image.png.36b2358f2cedc78583cf0edf04868bef.png

It's string formated using "wsprintf" so it will display the ascii representation of the first two bytes 4D 5A (am not using it) 

I performed a check for the MZ signature in this case when it founds 00 01 instead of 4D 5A it will notify the user that the file is not a valid executable. 

cmp word ptr [edi].e_magic,IMAGE_DOS_SIGNATURE
jnz Error

 

Link to comment
Teddy Rogers

Teddy Rogers

Posted
Posted

It seems like you may be trying to reinvent the wheel. The PE Format is well documented in the Windows Dev Center.

You can use Windows API's to map, parse, verify and manipulate PE files...

Ted.

Link to comment
ding

ding

Posted
  • Author
Posted (edited)

 

8 hours ago, Teddy Rogers said:

It seems like you may be trying to reinvent the wheel. The PE Format is well documented in the Windows Dev Center.

You can use Windows API's to map, parse, verify and manipulate PE files...

Ted.

Hi Ted, 

Am not trying to reinvent the wheel , I want to apply what I've learned in Goppit's tutorial and to learn more about assembly language . ☺️

3 hours ago, Bartosz Wójcik said:

Read the f******g documentation right :)

Hi Bartosz , nice to see you here

As I said before it's all about knowledge , am not interesed in ready PE Parsers ... 

I've already read Goppit's tutorial why should I read the documentation again ?

(masm32/include/windows.inc) + "win32api.HLP" is all what I need for the moment.

 

Greetz

 

Edited by ding
Link to comment
Teddy Rogers

Teddy Rogers

Posted
Posted
On 6/2/2020 at 4:55 AM, ding said:

Am not trying to reinvent the wheel , I want to apply what I've learned in Goppit's tutorial and to learn more about assembly language . ☺️

All good. Wanted to be sure you knew the documentation existed and there are Windows API's to help speed up development.

I just realised Portable Executable Format (PE) category in Downloads should have had quite a bit of information on this topic. I have not yet uploaded the files. Will try to do it over the weekend, there will likely be some useful information for you there...

Ted.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...