Solved

Edit PE Header

Posted on 2004-08-15
1,155 Views
Last Modified: 2013-11-13
I need to repair the DOS Header *and* the PE Header.

Using UltraEdit I've figured out that the DOS Header is MZ and is the first 2 characters of the file.

But where is the PE Header in the file?
Question by:savagecat
15 Comments
 
LVL 8

Expert Comment

by:adg080898
To find the PE header, seek to offset 60 and read a DWORD. This value you read is the offset of the PE header.

Then you seek to the value you read and make sure you see 4 bytes that say "PE\0\0". After that is the IMAGE_FILE_HEADER...

This is how a PE file is laid out:

IMAGE_DOS_HEADER
PE\0\0
IMAGE_FILE_HEADER
IMAGE_OPTIONAL_HEADER
for (each section) {
    IMAGE_SECTION_HEADER
}

The names I used are the ones used in standard windows headers.
0
 

Author Comment

by:savagecat
Using UltraEdit, where is offset 60?  Are you referring to 60h?
0
 
LVL 8

Expert Comment

by:adg080898
Well, 60 = 3Ch

So you read the four bytes at offset 3Ch. But remember they are stored in little-endian format. Which means:

01234567h is stored as 67 45 23 01
11223344h is stored as 44 33 22 11
etc...

For example, you look at offset 3Ch and see the value F8h.

Then you look at offset F8h and see 50h 45h 00h 00h which is "PE  ". After that is IMAGE_FILE_HEADER, etc.
0
 
LVL 8

Expert Comment

by:adg080898
The first two bytes of the file are MZ. The offset of the PE header is stored at 3Ch.

The "offset" is the number of bytes from the beginning.

When you are about to read byte 5, you are at offset 5. Before you read the first byte, you are at offset zero. See? So if you read byte 05h, that is the same thing as "read the byte at offset 05h".
0
 

Author Comment

by:savagecat
From http://www.savagecat.us/ee/ee01.jpg

Ok, how are you coming up with 3 character entities, and UltraEdit is coming up with 2 character entities?
0
 
LVL 8

Expert Comment

by:adg080898
Forget the MZ. That is the DOS header.

I said the offset to the PE header is stored at 0000003C, therefore...

If you look at row 00000030h, look at the number fourth from the right. D8h 00h 00h 00h.

So you then look at row 000000D0. The 8th is in the middle: 50 46 00 00 4C etc...

See? 000000D8h is the offset of the PE header in your screenshot.
0
 
LVL 8

Expert Comment

by:adg080898
What 3 characters? The 'h'? That means the number is hex. You showed you knew what 'h' means, so I began using it.
0
LVL 5

Assisted Solution

by:Dragonmen
Dragonmen earned 50 total points
0
 

Author Comment

by:savagecat
adg

my apologies - wrong snapshot.

please try again.

http://www.savagecat.us/ee/ee01.jpg

0
 
LVL 8

Expert Comment

by:adg080898
Right, this one is a packed executable. Your cursor is sitting at offset 3Ch, and the value there is D8h.

If you look at offset D8h you'll see a PF header. What gives it away is the UPX UPX that occurs further down.

http://upx.sourceforge.net/
0
 
LVL 8

Expert Comment

by:adg080898
UPX executables are compressed.
0
 

Author Comment

by:savagecat
upx -t says the file is uncompressed
0
 

Author Comment

by:savagecat
Someone's got to know where the PE header is.
0
 
LVL 8

Expert Comment

by:adg080898
> Someone's got to know where the PE header is.

Yes. Me! :)

Your file is corrupt. Open a known-good exe. Look at offset 3C. The value stored at 3C is the offset of the PE header. The PE header begins with the letters PE.

Believe me, I know what I'm talking about. I wrote a program that BUILDS win32 executables.
0
 
LVL 8

Accepted Solution

by:adg080898
adg080898 earned 450 total points
Look at this:

http://doug.perrycomputerservices.com/ee/pe.gif

I outlined the *beginning* of the PE header in red. The numbers outlined in blue tell you where to look for the PE header.

Your executable is either compressed, or corrupt.
0
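The lookup adg080898 describes above (DWORD at 3Ch, read little-endian, then "PE\0\0", IMAGE_FILE_HEADER, optional header and the section table), together with the thread's final verdict of "packed or corrupt", written out as a small parser. This is an added example and not code from the thread or from any of the posters; the sample images it parses are constructed in memory (headers only, not loadable executables), and the helper names parse_pe, diagnose, build_sample_pe and corrupt_signature are mine. The UPX check relies only on the UPX0/UPX1 section names the thread itself mentions.

```python
import struct

# Constants from the Windows SDK headers (the winnt.h names used in the thread)
DOS_SIGNATURE = b"MZ"
NT_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C          # 60 decimal: DWORD holding the PE header offset
FILE_HEADER_FMT = "<HHIIIHH"    # IMAGE_FILE_HEADER, little-endian ('<')
FILE_HEADER_SIZE = struct.calcsize(FILE_HEADER_FMT)          # 20 bytes
SECTION_HEADER_FMT = "<8sIIIIIIHHI"                          # IMAGE_SECTION_HEADER
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)    # 40 bytes
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


class PEFormatError(ValueError):
    """Raised when the headers do not line up the way the PE layout requires."""


def parse_pe(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> PE\\0\\0 -> IMAGE_FILE_HEADER -> optional header -> sections."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_SIGNATURE:
        raise PEFormatError("no MZ signature, or file too short for a DOS header")
    # The DWORD at 0x3C is little-endian: D8 00 00 00 on disk means 0x000000D8.
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + FILE_HEADER_SIZE > len(data):
        raise PEFormatError(f"e_lfanew 0x{e_lfanew:X} points past the end of the file")
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        found = data[e_lfanew:e_lfanew + 4].hex(" ")
        raise PEFormatError(f"expected 50 45 00 00 at 0x{e_lfanew:X}, found {found}")
    fh_off = e_lfanew + 4
    (machine, nsections, _timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    opt_off = fh_off + FILE_HEADER_SIZE
    if opt_size < 2 or opt_off + opt_size > len(data):
        raise PEFormatError(f"SizeOfOptionalHeader {opt_size} does not fit in the file")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise PEFormatError(f"optional header magic 0x{magic:X} is neither PE32 nor PE32+")
    sec_off = opt_off + opt_size              # section table follows the optional header
    if sec_off + nsections * SECTION_HEADER_SIZE > len(data):
        raise PEFormatError("section table runs past the end of the file")
    sections = []
    for i in range(nsections):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(
            SECTION_HEADER_FMT, data, sec_off + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars,
        })
    return {"e_lfanew": e_lfanew, "machine": machine, "optional_magic": magic,
            "size_of_optional_header": opt_size, "sections": sections}


def diagnose(data: bytes) -> str:
    """Give the thread's verdict: intact PE header, UPX-packed, or corrupt headers."""
    try:
        info = parse_pe(data)
    except PEFormatError as exc:
        return f"corrupt: {exc}"
    names = [s["name"] for s in info["sections"]]
    if any(n.startswith("UPX") for n in names):   # UPX names its sections UPX0/UPX1
        return "packed: UPX section names " + ", ".join(names)
    return f"ok: PE header at 0x{info['e_lfanew']:X}, {len(names)} sections"


def build_sample_pe(e_lfanew: int = 0xD8, section_names=(b".text", b".data")) -> bytes:
    """Constructed minimal PE32 image for testing (headers only, not loadable)."""
    dos = bytearray(0x40)                         # IMAGE_DOS_HEADER is 64 bytes
    dos[:2] = DOS_SIGNATURE
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    stub = b"\0" * (e_lfanew - len(dos))          # placeholder for the DOS stub
    opt_size = 0xE0                               # sizeof(IMAGE_OPTIONAL_HEADER32)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x014C, len(section_names),
                           0, 0, 0, opt_size, 0x0102)   # i386, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    sections = b"".join(
        struct.pack(SECTION_HEADER_FMT, n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + stub + NT_SIGNATURE + file_hdr + bytes(opt) + sections


def corrupt_signature(data: bytes) -> bytes:
    """Overwrite 'PE\\0\\0' with 'PF\\0\\0' to mimic the damaged header from the thread."""
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    buf = bytearray(data)
    buf[e_lfanew:e_lfanew + 4] = b"PF\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for label, image in (("clean", build_sample_pe()),
                         ("upx", build_sample_pe(section_names=(b"UPX0", b"UPX1", b".rsrc"))),
                         ("bad-signature", corrupt_signature(build_sample_pe()))):
        print(f"{label:14} {diagnose(image)}")
```

To use it on a real file, pass open(path, "rb").read() to diagnose(). Every offset is bounds-checked before it is read, which is the difference between a parser that reports "corrupt" and one that crashes on the kind of damaged file the question is about.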
