Windows PE File structure (windbg)
Step by step, how to inspect the PE structure of a loaded module using the windbg debugger. The most important field is e_lfanew at offset 0x3c: it gives access to the IMAGE NT HEADERS. If you want to know how to extract the Export Directory Table or AddressOfNames and NumberOfNames
BASE ADDRESS OF KERNEL32
0:003> lm m kernel32
Browse full module list
start end module name
756f0000 7578a000 KERNEL32 (pdb symbols) c:\symbols\kernel32.pdb\6BD7A18B40AE3CF0058AFBC34E25A4371\kernel32.pdb
IMAGE DOS HEADER
0:003> dt ntdll!_IMAGE_DOS_HEADER 756f0000
+0x000 e_magic : 0x5a4d
+0x002 e_cblp : 0x90
+0x004 e_cp : 3
+0x006 e_crlc : 0
+0x008 e_cparhdr : 4
+0x00a e_minalloc : 0
+0x00c e_maxalloc : 0xffff
+0x00e e_ss : 0
+0x010 e_sp : 0xb8
+0x012 e_csum : 0
+0x014 e_ip : 0
+0x016 e_cs : 0
+0x018 e_lfarlc : 0x40
+0x01a e_ovno : 0
+0x01c e_res : [4] 0
+0x024 e_oemid : 0
+0x026 e_oeminfo : 0
+0x028 e_res2 : [10] 0
+0x03c e_lfanew : 0n232
IMAGE NT HEADERS
windbg prints e_lfanew in decimal (the 0n prefix), so we convert it to hexadecimal with the ? command: ? 0n232 -> 0xe8. The NT headers therefore start at base + 0xe8.
0:003> dt ntdll!_IMAGE_NT_HEADERS 756f0000 + 0xe8
+0x000 Signature : 0x4550
+0x004 FileHeader : _IMAGE_FILE_HEADER
+0x018 OptionalHeader : _IMAGE_OPTIONAL_HEADER
IMAGE OPTIONAL HEADER
The IMAGE OPTIONAL HEADER sits at offset 0x18 from the NT headers, so we dump it at base + 0xe8 + 0x18. Important fields here include AddressOfEntryPoint, DllCharacteristics (the ASLR/DEP/CFG bits) and DataDirectory, whose first entry points to the export table.
0:003> dt ntdll!_IMAGE_OPTIONAL_HEADER 756f0000 + 0xe8 + 0x18
+0x000 Magic : 0x10b
+0x002 MajorLinkerVersion : 0xe ''
+0x003 MinorLinkerVersion : 0x14 ''
+0x004 SizeOfCode : 0x86000
+0x008 SizeOfInitializedData : 0x13000
+0x00c SizeOfUninitializedData : 0
+0x010 AddressOfEntryPoint : 0x1cfa0
+0x014 BaseOfCode : 0x1000
+0x018 BaseOfData : 0x87000
+0x01c ImageBase : 0x756f0000
+0x020 SectionAlignment : 0x1000
+0x024 FileAlignment : 0x1000
+0x028 MajorOperatingSystemVersion : 0xa
+0x02a MinorOperatingSystemVersion : 0
+0x02c MajorImageVersion : 0xa
+0x02e MinorImageVersion : 0
+0x030 MajorSubsystemVersion : 0xa
+0x032 MinorSubsystemVersion : 0
+0x034 Win32VersionValue : 0
+0x038 SizeOfImage : 0x9a000
+0x03c SizeOfHeaders : 0x1000
+0x040 CheckSum : 0xa9760
+0x044 Subsystem : 3
+0x046 DllCharacteristics : 0x4140
+0x048 SizeOfStackReserve : 0x40000
+0x04c SizeOfStackCommit : 0x1000
+0x050 SizeOfHeapReserve : 0x100000
+0x054 SizeOfHeapCommit : 0x1000
+0x058 LoaderFlags : 0
+0x05c NumberOfRvaAndSizes : 0x10
+0x060 DataDirectory : [16] _IMAGE_DATA_DIRECTORY
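As an added example (not part of the original post), the following Python script walks the same chain the debugger session does, DOS header, e_lfanew, NT headers, optional header, DataDirectory[0], and then continues into the export directory to read NumberOfNames and AddressOfNames. It runs against a constructed, minimal PE32 image built inline rather than a real kernel32.dll, treats the buffer as a mapped image (RVA equals buffer offset, the same base + RVA arithmetic used above), and bounds-checks each hop so a malformed header is reported instead of read out of range. The DllCharacteristics decoding uses the IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h; the export names and RVAs in the sample are invented.

```python
"""Walk a PE image the way the windbg session above does:
IMAGE_DOS_HEADER -> e_lfanew -> IMAGE_NT_HEADERS -> IMAGE_OPTIONAL_HEADER ->
DataDirectory[0] -> IMAGE_EXPORT_DIRECTORY -> AddressOfNames / NumberOfNames.

Assumption: the buffer is a *mapped* image (RVA == buffer offset), which is what
the debugger sees at base + RVA. A file on disk needs section-table translation."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h (kernel32 above shows 0x4140).
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x1000: "APPCONTAINER",
    0x4000: "GUARD_CF",
}
EXPORT_DIR_FMT = "<IIHHIIIIIII"   # IMAGE_EXPORT_DIRECTORY, 40 bytes


def build_sample_image():
    """Construct a minimal PE32 image (not a real DLL) that exports two names."""
    img = bytearray(0x400)
    struct.pack_into("<H", img, 0x00, 0x5A4D)            # e_magic 'MZ'
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew
    nt = 0x80
    struct.pack_into("<I", img, nt, 0x00004550)          # Signature 'PE\0\0'
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = nt + 0x18
    struct.pack_into("<H", img, opt + 0x00, 0x10B)       # Magic: PE32
    struct.pack_into("<I", img, opt + 0x10, 0x300)       # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x10000000)  # ImageBase
    struct.pack_into("<I", img, opt + 0x38, len(img))    # SizeOfImage
    struct.pack_into("<H", img, opt + 0x46, 0x4140)      # DllCharacteristics
    struct.pack_into("<I", img, opt + 0x5C, 16)          # NumberOfRvaAndSizes
    exp = 0x200                                          # export directory RVA
    struct.pack_into("<II", img, opt + 0x60, exp, 0x80)  # DataDirectory[0]
    funcs, names, ords = exp + 0x28, exp + 0x30, exp + 0x38
    struct.pack_into(EXPORT_DIR_FMT, img, exp,
                     0, 0, 0, 0, 0x240, 1, 2, 2, funcs, names, ords)
    struct.pack_into("<II", img, funcs, 0x300, 0x340)    # AddressOfFunctions
    struct.pack_into("<II", img, names, 0x250, 0x260)    # AddressOfNames
    struct.pack_into("<HH", img, ords, 0, 1)             # AddressOfNameOrdinals
    img[0x240:0x24B] = b"sample.dll\0"                   # constructed names
    img[0x250:0x25C] = b"ExportedOne\0"
    img[0x260:0x26C] = b"ExportedTwo\0"
    return img


def parse_pe(img):
    """Follow the header chain with a bounds check at each hop."""
    if len(img) < 0x40 or struct.unpack_from("<H", img, 0)[0] != 0x5A4D:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if e_lfanew + 0x18 + 0xE0 > len(img):   # Signature + FileHeader + PE32 OptionalHeader
        raise ValueError("e_lfanew points outside the image")
    if struct.unpack_from("<I", img, e_lfanew)[0] != 0x00004550:
        raise ValueError("missing PE signature")
    opt = e_lfanew + 0x18
    magic = struct.unpack_from("<H", img, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (Magic 0x10b) is handled here")
    entry = struct.unpack_from("<I", img, opt + 0x10)[0]
    dll_chars = struct.unpack_from("<H", img, opt + 0x46)[0]
    n_dirs = struct.unpack_from("<I", img, opt + 0x5C)[0]
    flags = sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit)
    exports = {}
    if n_dirs > 0:   # DataDirectory[0] only exists if NumberOfRvaAndSizes says so
        exp_rva = struct.unpack_from("<I", img, opt + 0x60)[0]
        if exp_rva and exp_rva + 40 <= len(img):
            _base, n_funcs, n_names, aof, aon, aoo = \
                struct.unpack_from(EXPORT_DIR_FMT, img, exp_rva)[5:]
            if max(aof + 4 * n_funcs, aon + 4 * n_names, aoo + 2 * n_names) > len(img):
                raise ValueError("export tables point outside the image")
            for i in range(n_names):
                name_rva = struct.unpack_from("<I", img, aon + 4 * i)[0]
                ordinal = struct.unpack_from("<H", img, aoo + 2 * i)[0]  # zero-based index
                if name_rva >= len(img) or ordinal >= n_funcs:
                    raise ValueError("corrupt export name entry")
                name = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
                exports[name] = struct.unpack_from("<I", img, aof + 4 * ordinal)[0]
    return {"e_lfanew": e_lfanew, "magic": magic, "entry": entry,
            "dll_characteristics": flags, "exports": exports}


def header_error(img):
    """Return the validation message for a broken image, or None if it parses."""
    try:
        parse_pe(img)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(parse_pe(build_sample_image()))
```

For a module dumped from the debugger the mapped-image assumption holds; for a file read from disk the RVAs must first be translated to file offsets through the section table. The DllCharacteristics value 0x4140 shown for kernel32 above decodes to DYNAMIC_BASE, NX_COMPAT and GUARD_CF, which is a quick way to confirm ASLR, DEP and CFG support on a loaded module.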