hey everybody, lets say i've loaded a PE executable into memory and suited it with dos,nt headers structures and now i want to find out its .text/code segement actual(not VA) offset+size how do i do that? is there a win32 api for finding the .text start offset or maybe a pointer from a sturcture that points to the start offset of that s...
I google'd a bit and read http://en.wikipedia.org/wiki/Portable_Executable but i can't seem to find when the Import adress table addresses are written. Does it happen on compilation? Or when the executable is ran? ...
Usually strings (like content/titles of dialog boxes) in .exe files are stored in some sort of resources. But in some recent exes I disassembled/resource-inspected I couldn't find any resources containing the string but it was somehow hardcoded with db's into the program source code. How can I extract and modify strings directly locat...
I have been looking for a way of modifying static strings stored in Windows .exe files in the .rdata section, however I haven't found a real way to do so yet. The whole thing is too complicated to do by hand (in this case by a HEX editor) and so I wanted to know if you have a solution to do so. ...
I already asked a similar question, "PE Header requirements", but I'm not really satisfied with it's answer. I am building an assembler/linker, in Java SE 1.6. I have read about 5 different documentations/specifications about the PE/COFF header and file format, but I'm stuck at a problem: My generated file is not valid, says Windows: "...
How can I retrieve in exe file point where IP is pointing to on the beginning ?? Is it pointing always on the start of .text segment ? ...
I need to write a stub module which, when given a PE (DLL/EXE) as input, will determine whether it is a normal Win32 DLL/EXE or COM DLL/EXE. I need to determine this programatically. Are there any Windows APIs for this purpose? ...
Hello, Is there any attribute or property or method available in type library which tells that whether given type library is in proc COM server or Out of proc COM server. Regards Usman ...
What is a thunk table in relation to the import address table that's used in EXE files to import functions used in external DLLs? Is this thunk table just a table containing 'Thunks' to other functions? ...
Old question: I have an .exe (PE) with IL (.NET) code in it. When it is started, a mscorlib.dll (.NET framework) function is called to start IL code. Can I extract .NET code segment and append it to other program (that calls mscorlib.dll to execute that segment)? New question: I want to append the compiled code from a C# .NET program...
Is there a tool to show whether the calling convention is _cdecl or _stdcall or else? ...
As we know PEiD can detect most common packers, cryptors and compilers for PE files, but can it detect the hard coded stuff(not by 3rd party packers,etc),like software usage date limitation? ...
I just learned ImageBase is specified in PE format,and OS will load it to the exact position for .EXE , then comes the question: what if two .EXE is requiring the same ImageBase location? ...
Is it true that entry-point always belongs to code section? Is the code section consecutive or divided into several blocks? ...
This answer provided a way to create a binary file in linux, is there such a convenient tool for windows? ...
It seems both of them can dump the contents of a binary file, then what's the difference? ...
Is it always at the lowest address of code section? ...
IMO,this should hold: rva = raw - imagebase which is not the case in the graph,why? ...
From the above graphs I know there are 9 sections,but why in the 1st graph it shows 0900? How to read numbers in PE format? ...
Here's the steps to convert from section alignment to file alignment: Find the RVA for the data From the RVA, derive the section to which the data referenced belongs. This is trivial, since sections don’t overlap. The starting addresses of the various sections are available in the file header Find the difference between the RVA and the...