.NET DEBUGGING
Module 8 - Portable Executable File Format
Structure and Content of Executable Image
Identified by Magic Number
How To
Dump File Format
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ db /c4 00007ff6`6d8f0000

00007ff6`6d8f0000 4d 5a 90 00 MZ..
...

5) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

00007ff6`6d8f0000 : Output, Module Start Address

db : Standard Command, To Display Memory Content

/c4 : Option, Specifies 4 Column Width

4d 5a 90 00 : Output, Byte

MZ.. : Output, ASCII Character

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; db /c4 {Module Start Address}; qd
Magic Number
Unique Identification Number of Executable Image
Starts with MZ
How To
Dump Magic Number
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ db /c2 00007ff6`6d8f0000 L2

00007ff6`6d8f0000 4d 5a MZ
...

5) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

00007ff6`6d8f0000 : Output, Module Start Address

db : Standard Command, To Display Memory Content

/c2 : Option, Specifies 2 Column Width

L2 : Range, Length of 2 Bytes

4d 5a : Output, Magic Number

MZ : Output, ASCII Character

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; db /c2 {Module Start Address} L2; qd
Disk Operating System Header
DOS Header of Executable Image
For Instance Magic, LFA New etc.
How To
Dump DOS Header
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ dt 00007ff6`6d8f0000 ntdll!_IMAGE_DOS_HEADER

+0x000 e_magic : 0x5a4d
...

+0x03c e_lfanew : 0n240
...

5) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

00007ff6`6d8f0000 : Output, Module Start Address

dt : Standard Command, To Display Type

ntdll : Parameter, Type Module Name

_IMAGE_DOS_HEADER : Parameter, Type Name

0x03c : Output, LFA New Offset

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; dt {Module Start Address} ntdll!_IMAGE_DOS_HEADER; qd
Portable Executable Signature
PE Signature of Executable Image
Starts with PE
How To
Dump PE Signature
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ dt 00007ff6`6d8f0000 ntdll!_IMAGE_DOS_HEADER

+0x000 e_magic : 0x5a4d
...

+0x03c e_lfanew : 0n240
...

5) CDB@ db /c4 00007ff6`6d8f0000+0x03c L4

00007ff6`6d8f003c f0 00 00 00 ....
...

6) CDB@ db /c4 00007ff6`6d8f0000+0xf0 L4

00007ff6`6d8f00f0 50 45 00 00 PE..
...

7) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

00007ff6`6d8f0000 : Output, Module Start Address

dt : Standard Command, To Display Type

ntdll : Parameter, Type Module Name

_IMAGE_DOS_HEADER : Parameter, Type Name

db : Standard Command, To Display Memory Content

/c4 : Option, Specifies 4 Column Width

0x03c : Output, LFA New Offset

L4 : Range, Length of 4 Bytes

f0 00 00 00 : Output, PE Header Offset (Little-Endian 0xf0)

.... : Output, ASCII Character

50 45 00 00 : Output, PE Signature

PE.. : Output, ASCII Character

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; dt {Module Start Address} ntdll!_IMAGE_DOS_HEADER; db /c4 {Module Start Address}+{LFA New Offset} L4; db /c4 {Module Start Address}+{PE Header Offset} L4; qd
Portable Executable Header
PE Header of Executable Image
For Instance Signature, File Header etc.
How To
Dump PE Header
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ dt 00007ff6`6d8f0000 ntdll!_IMAGE_DOS_HEADER

+0x000 e_magic : 0x5a4d
...

+0x03c e_lfanew : 0n240
...

5) CDB@ db /c4 00007ff6`6d8f0000+0x03c L4

00007ff6`6d8f003c f0 00 00 00 ....
...

6) CDB@ dt 00007ff6`6d8f0000+0xf0 ntdll!_IMAGE_NT_HEADERS64

+0x000 Signature : 0x4550

+0x004 FileHeader : _IMAGE_FILE_HEADER
...

7) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

00007ff6`6d8f0000 : Output, Module Start Address

db : Standard Command, To Display Memory Content

/c4 : Option, Specifies 4 Column Width

0x03c : Output, LFA New Offset

L4 : Range, Length of 4 Bytes

f0 00 00 00 : Output, PE Header Offset (Little-Endian 0xf0)

.... : Output, ASCII Character

dt : Standard Command, To Display Type

ntdll : Parameter, Type Module Name

_IMAGE_NT_HEADERS64 : Parameter, Type Name

0x004 : Output, File Header Offset

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; dt {Module Start Address} ntdll!_IMAGE_DOS_HEADER; db /c4 {Module Start Address}+{LFA New Offset} L4; db /c4 {Module Start Address}+{PE Header Offset} L4; dt {Module Start Address}+{PE Header Offset} ntdll!_IMAGE_NT_HEADERS64; qd
File Header
File Header of Executable Image
For Instance File, Optional etc.
How To
Dump File Header
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ !dh -f 00007ff6`6d8f0000

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES

8664 machine (X64)
...

Executable
...

OPTIONAL HEADER VALUES
20B magic #
...

2 subsystem (Windows GUI)
...

5) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

!dh : Extension Command, To Dump Header

-f : Option, Specifies File Header

00007ff6`6d8f0000 : Parameter, Module Start Address

8664 : Output, 64-Bit CPU Type

Executable : Output, EXE Image Type

20B : Output, PE32+ File Format

2 : Output, GUI Subsystem

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; !dh -f {Module Start Address}; qd
Section Header
Section Header of Executable Image
For Instance Text, Data etc.
How To
Dump Section Header
1) RUN@ cdb.exe -o C:\Windows\System32\notepad.exe

Microsoft (R) Windows Debugger Version 10.0.22621.2428 AMD64
...

ntdll!LdrpDoDebuggerBreak+0x30:
...

2) CDB@ .reload

Reloading current modules
...

3) CDB@ lm m notepad*

Browse full module list

start end module name
00007ff6`6d8f0000 00007ff6`6d94a000 notepad (deferred)
...

4) CDB@ !dh -s 00007ff6`6d8f0000

SECTION HEADER #1

.text name
...

SECTION HEADER #3

.data name
...

5) CDB@ qd
cdb.exe : Program, CUI Symbolic Debugger

-o : Switch, Specifies Target Application

C:\Windows\System32\notepad.exe : Parameter, Notepad Application

.reload : Meta Command, To Reload Module Symbols

lm : Standard Command, To List Module

m : Option, Specifies Pattern

notepad : Parameter, Module Name

* : Parameter, Wildcard

!dh : Extension Command, To Dump Header

-s : Option, Specifies Section Header

00007ff6`6d8f0000 : Parameter, Module Start Address

.text : Output, Executable Code Section

.data : Output, Initialized Data Section

qd : Standard Command, To Quit and Detach
Alternatively, RUN@ windbg.exe -o C:\Windows\System32\notepad.exe → View → Command (Alt+1) → .reload; lm m notepad*; !dh -s {Module Start Address}; qd
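The headers walked by hand in the sessions above (DOS header and e_lfanew, PE signature, file header, optional header magic and subsystem, section table) can be parsed offline with the same bounds checks a loader or a malware scanner needs before trusting an image. The following Python script is an added example, not code from this page or from any Microsoft debugger tool. It builds a constructed 0x400-byte PE32+ header image (e_lfanew = 0xF0, first bytes 4d 5a 90 00, exactly as in the notepad dump), renders db /c4-style lines for the MZ and PE bytes, and parses the headers, rejecting any image whose e_lfanew, optional header or section count would read past the buffer. The function names and the sample image are the example's own choices; the constants are the winnt.h values and the 96-section cap is the documented Windows loader limit.

```python
import struct

# Constants from the PE specification (winnt.h names).
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0" read as a little-endian DWORD
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "I386", 0x8664: "X64", 0xAA64: "ARM64"}
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}
FILE_HEADER_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp,
                                      # PointerToSymbolTable, NumberOfSymbols,
                                      # SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER (40 bytes)
MAX_SECTIONS = 96                     # the Windows loader rejects images above this


def build_sample_image():
    """Constructed sample (not a real binary): the first 0x400 bytes of a PE32+
    image laid out like the notepad dump on the page, with e_lfanew = 0xF0."""
    img = bytearray(0x400)
    struct.pack_into("<HH", img, 0x00, IMAGE_DOS_SIGNATURE, 0x0090)  # e_magic, e_cblp
    struct.pack_into("<I", img, 0x3C, 0xF0)                          # e_lfanew
    pe = 0xF0
    struct.pack_into("<I", img, pe, IMAGE_NT_SIGNATURE)              # "PE\0\0"
    struct.pack_into(FILE_HEADER_FMT, img, pe + 4,
                     0x8664, 2, 0, 0, 0, 0xF0, IMAGE_FILE_EXECUTABLE_IMAGE | 0x0020)
    opt = pe + 24                        # Signature(4) + FileHeader(20) -> OptionalHeader
    struct.pack_into("<H", img, opt, 0x20B)        # Magic: PE32+
    struct.pack_into("<H", img, opt + 68, 2)       # Subsystem: Windows GUI
    sec = opt + 0xF0                               # section table follows the optional header
    for i, (name, size, va, flags) in enumerate([
            (b".text", 0x2000, 0x1000, 0x60000020),    # CNT_CODE | MEM_EXECUTE | MEM_READ
            (b".data", 0x0800, 0x3000, 0xC0000040)]):  # CNT_INITIALIZED_DATA | READ | WRITE
        struct.pack_into(SECTION_FMT, img, sec + i * 40,
                         name, size, va, size, 0x400 * (i + 1), 0, 0, 0, 0, flags)
    return bytes(img)


def db_line(image, offset, length):
    """Render one line in the style of `db /c<length> <addr> L<length>`; the
    address column shows the offset into the image in the debugger's hi`lo form."""
    chunk = image[offset:offset + length]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
    return f"{offset >> 32:08x}`{offset & 0xFFFFFFFF:08x} {hexpart} {ascii_part}"


def parse_pe_headers(image):
    """Walk the headers the way the CDB sessions do: IMAGE_DOS_HEADER -> e_lfanew
    -> PE signature -> IMAGE_FILE_HEADER -> optional header magic and subsystem ->
    section table. Every offset read from the image is bounds-checked before it
    is followed; any inconsistency raises ValueError instead of being trusted."""
    if len(image) < 0x40:
        raise ValueError("too short for an IMAGE_DOS_HEADER")
    e_magic, = struct.unpack_from("<H", image, 0x00)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError(f"e_magic is 0x{e_magic:04x}, expected 0x5a4d ('MZ')")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image):          # need room for signature + file header
        raise ValueError(f"e_lfanew 0x{e_lfanew:x} points outside the image")
    signature, = struct.unpack_from("<I", image, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError(f"signature is 0x{signature:08x}, expected 0x00004550 ('PE')")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        FILE_HEADER_FMT, image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 70 or opt_off + opt_size > len(image):
        raise ValueError("optional header missing or truncated")
    magic, = struct.unpack_from("<H", image, opt_off)
    if magic not in OPTIONAL_MAGIC:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    subsystem, = struct.unpack_from("<H", image, opt_off + 68)  # same offset in PE32 and PE32+
    sec_off = opt_off + opt_size
    if nsections > MAX_SECTIONS or sec_off + nsections * 40 > len(image):
        raise ValueError(f"section table truncated or implausible count {nsections}")
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, image, sec_off + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": flags})
    return {"e_lfanew": e_lfanew,
            "machine": MACHINE_NAMES.get(machine, f"0x{machine:04x}"),
            "executable": bool(characteristics & IMAGE_FILE_EXECUTABLE_IMAGE),
            "dll": bool(characteristics & IMAGE_FILE_DLL),
            "format": OPTIONAL_MAGIC[magic],
            "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
            "sections": sections}


if __name__ == "__main__":
    sample = build_sample_image()
    print(db_line(sample, 0x00, 4))   # 00000000`00000000 4d 5a 90 00 MZ..
    print(db_line(sample, 0xF0, 4))   # 00000000`000000f0 50 45 00 00 PE..
    print(parse_pe_headers(sample))
```

The same walk applies to an image mapped in memory, as db shows it in the sessions above, because the header region starts at the module start address both on disk and in memory; only the section contents move (PointerToRawData on disk versus VirtualAddress once loaded), which is why each section dictionary keeps both values.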
AMD
Advanced Micro Devices

ASCII
American Standard Code for Information Interchange

CDB
Console Debugger

CUI
Character User Interface

DB
Display Byte

DBG
Debugger

DH
Dump Header

DLL
Dynamic Link Library

DOS
Disk Operating System

EXE
Executable

LDR
Loader

LFA
Logical File Address

LM
List Module

MZ
Mark Zbikowski

NT
New Technology

PE
Portable Executable

QD
Quit Detach

WIN
Windows