views: 54
answers: 3

Hello,

I need to validate whether a given binary is a PE file or not. E.g. if I rename JS/HTML or .class files to .exe or .dll, they still won't be PE files. Parsing these files as PE would give me info about this problem. What field indicates whether a given binary is a valid PE file or not?

Note: I have checked the "e_magic" field of FileHeader. It always gets populated in the case of wrong PE files (i.e. js/html/java/class files renamed to .dll/.exe) and doesn't say anything at all about the validity of the PE.

Regards, Usman

+4  A: 

If such a field existed, it'd be too easy to create an invalid exe and mark it as valid on purpose.

You verify that a file is a PE file by reading the PE header and checking values for all fields (the values should belong to valid ranges, should not point outside the file etc).

GSerg
+1 There are plenty of RVA (relative virtual address) fields to check; these should all point inside the appropriate kind of section in the PE. Once you've done that, however, you still don't know if the binary is malicious.
Tim Robinson
I don't think he said anything about malicious. He just doesn't want to have someone who is using a file which is obviously not PE as a PE file.
Billy ONeal
The meaning of 'using' is important here. If the user trusts this binary, and they're going to run it right after this check, then the Windows PE loader will make the necessary validation. If the purpose of this check is to work out whether the binary is trusted then there's a lot of work to do.
Tim Robinson
+1  A: 

One way is to use the GetBinaryType function (see http://msdn.microsoft.com/en-us/library/aa364819.aspx) or SHGetFileInfo with SHGFI_EXETYPE.

Oleg
A: 

Check the Portable Executable/Common Object File Format Specification. There are three magic values for you to check:

  • The MZ header's magic number at the beginning of the file
  • The PE header's magic number "PE\0\0" at the start of the PE header
  • The version identifier for the optional header; IIRC, it's 0x10b for PE files and 0x20b for PE+ (x64) files.

Beyond that, you'd have to parse the entire file and look at every processor instruction to ensure it's valid, etc. Several of the files use the COFF spec internally, and you might not have an easy way to distinguish that. PE's format itself was designed with multiple machines, and many different forms of compiled code can be contained while keeping the file valid.

Billy ONeal
Thanks Billy ONeal for answering. I think just considering the PE header's PE00 bytes for making the decision about PE file validity is enough. I think the MZ header's bytes just tell you that the file is not able to run in DOS mode and that Windows is required for it, that's it. Isn't it?
Usman
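As an added example (not code from any of the answers above), here are the checks GSerg and Billy ONeal describe combined into one small Python parser: the MZ magic, an e_lfanew that stays inside the file, the "PE\0\0" signature, the optional header magic (0x10b or 0x20b), and then the range checks from the first answer's comments, i.e. section raw data that stays inside the file and an entry-point RVA that lands inside a section. The sample inputs are constructed inline (a minimal PE32 image, a renamed script, an MZ-only stub, a truncated image); `validate_pe` and `build_sample_pe32` are names chosen here. As Tim Robinson notes, a pass means the headers are self-consistent, not that the binary is trustworthy.

```python
import struct

# Constants from the PE/COFF specification
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ" read as a little-endian WORD
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
COFF_HEADER_FMT = "<HHIIIHH"            # Machine .. Characteristics, 20 bytes
SECTION_HEADER_SIZE = 40


def validate_pe(data: bytes):
    """Return (True, info) if the PE headers are self-consistent, else (False, reason)."""
    # 1. DOS header: e_magic at 0, e_lfanew at 0x3C; the struct is 64 bytes.
    if len(data) < 0x40:
        return False, "too short for an IMAGE_DOS_HEADER"
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False, "no MZ magic"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew must point past the DOS header and leave room for signature + COFF header.
    if e_lfanew < 0x40 or e_lfanew + 4 + 20 > len(data):
        return False, "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "no PE\\0\\0 signature at e_lfanew"
    # 2. COFF file header.
    coff = e_lfanew + 4
    machine, num_sections, _, _, _, size_opt, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(data):
        return False, "optional header extends past end of file"
    # 3. Optional header magic decides PE32 vs PE32+ and the minimum header size.
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        fmt, min_opt = "pe32", 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        fmt, min_opt = "pe32+", 112
    else:
        return False, "unknown optional header magic 0x%x" % magic
    if size_opt < min_opt:
        return False, "optional header too small for %s" % fmt
    # AddressOfEntryPoint (+16) and SizeOfHeaders (+60) sit at the same offsets in both formats.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    # 4. Section table follows the optional header and must fit inside the headers region.
    sec_table = opt + size_opt
    sec_end = sec_table + num_sections * SECTION_HEADER_SIZE
    if size_of_headers > len(data) or sec_end > size_of_headers:
        return False, "section table does not fit inside SizeOfHeaders"
    sections = []
    for i in range(num_sections):
        off = sec_table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        # Raw data range must lie inside the file (a truncated image fails here).
        if raw_size and raw_ptr + raw_size > len(data):
            return False, "section %s raw data extends past end of file" % name
        sections.append((name, vaddr, max(vsize, raw_size)))
    # 5. The entry-point RVA (if any) must land inside some section's virtual range.
    if entry_rva and not any(va <= entry_rva < va + span for _, va, span in sections):
        return False, "AddressOfEntryPoint 0x%x is outside every section" % entry_rva
    return True, {"format": fmt, "machine": machine, "entry_point": entry_rva,
                  "sections": [s[0] for s in sections]}


def build_sample_pe32() -> bytes:
    """Constructed sample: a minimal PE32 image layout that passes every check above."""
    buf = bytearray(0x400)
    struct.pack_into("<H", buf, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", buf, 0x3C, 0x40)                       # e_lfanew
    buf[0x40:0x44] = IMAGE_NT_SIGNATURE
    # Machine=i386, 1 section, SizeOfOptionalHeader=224, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into(COFF_HEADER_FMT, buf, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58
    struct.pack_into("<H", buf, opt, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", buf, opt + 16, 0x1000)                 # AddressOfEntryPoint
    struct.pack_into("<II", buf, opt + 32, 0x1000, 0x200)         # Section/File alignment
    struct.pack_into("<II", buf, opt + 56, 0x2000, 0x200)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", buf, opt + 92, 16)                     # NumberOfRvaAndSizes
    sec = opt + 224
    struct.pack_into("<8sIIII", buf, sec, b".text", 0x10, 0x1000, 0x200, 0x200)
    struct.pack_into("<I", buf, sec + 36, 0x60000020)             # CODE|EXECUTE|READ
    buf[0x200] = 0xC3                                             # ret
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "minimal pe32": build_sample_pe32(),
        "renamed script": b"alert('not a PE');\n" * 4,            # constructed JS renamed to .exe
        "mz stub only": b"MZ" + b"\0" * 58 + struct.pack("<I", 0xFFFFFFF0),
        "truncated image": build_sample_pe32()[:700],
    }
    for label, blob in samples.items():
        print(label, "->", validate_pe(blob))
```

The order matters: each step bounds-checks the offset it is about to read, so a hostile e_lfanew or NumberOfSections cannot make the parser index past the buffer. Passing these checks does not mean the file will load or is benign; it only rules out the obvious non-PE cases the question is about.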