No announcement yet.

Type declare for PE Header

  • Filter
  • Time
  • Show
Clear All
new posts

  • Type declare for PE Header

    Has anyone a pe Header type declaration ?



  • #2
    Hi there,

    found what i'm looking for. _IMAGE_NT_HEADERS is already
    defined as IMAGE_NT_HEADERS in




    • #3

      I have a stupid question; What is PE and what does it stand for?

      Regards, Jules
      Best regards


      • #4
        Portable Executable

        Sorry only answer half your question the first time round.

        PE files are the executables for windows and it setup the format and the
        structure of the file. where sections begin and end and where and what
        kind of data is in the file, that sort of thing.

        There are also LE (Forgot what that stands for) and those are mostly
        Driver files.

        There is also ME (Which is the initials of the person who created that format)
        And those are DOS files. they are also embedded into PE and LE files and
        prints the message "This program requires windows" or something like

        There are also other formats used by UNIX and Be and other systems.
        But those are the main one for Windows.

        mailto:[email protected][email protected]</A>

        [This message has been edited by KevinVoell (edited July 19, 2000).]


        • #5
          for an example of extracting and using pe information have a look





          • #6

            Portable Executable file format is the native format in 32 bit windows,
            LE (linear executable) was the last Microsoft attempt in 16 bit before
            it was abandoned and VxD files are in that older format from 16 bit

            The MZ header at the start of a PE file is the DOS stub that prevents the
            program from crashing if it is started in DOS. It is not all that commonly
            known but the instance handle is the start address of the PE memory image
            in memory and with the windows 32 bit format, everything is loaded into
            memory including the DOS stub. If you read the first 2 bytes at the address
            of the instance handle, it will be MZ.

            The memory is normally readable so you can read it and write it to disk to
            have a look at how the image load. You will notice that the image is split
            into sections and that they are aligned. If you want to get the image of
            another EXE file, it is a sequence of CreateProcess() ReadProcessMemory().

            PE files normally load at &H400000 so if you are interested, you can get
            the loaded image of another process and write it to disk. It tends to be
            useful in decompressing PE files or decrypting them as they must do this
            to load in memory.


            [email protected]

            hutch at movsd dot com
            The MASM Forum



            • #7

              Please could you answer to my private emails, thank you.

              Patrice Terrier
              mailto[email protected][email protected]</A>
              Patrice Terrier
              Addons: GDImage.DLL 32/64-bit (Graphic library), WinLIFT.DLL 32/64-bit (Skin Engine).


              • #8
                It's still clear as mud to me.

                Thanks any everyone!
                Regards, Jules
                Best regards


                • #9
                  Originally posted by Steve Hutchesson:
                  If you read the first 2 bytes at the address of the instance handle, it will be MZ.
                  Somebody knows, if to read (Pb) exe by LoadLibrary, it possible to find in memory whole/part of Exe image on HDD ?
                  For example, I want to correct some bytes in Exe ("control sum").

                  General scheme is following.
                  I start a program (x.bas) from IDE. Program understands that it's not patched, defines offsets for control
                  (CodePtr(Label1) - hInstance ... CodePtr(Label2) - hInstance) and calls Patch.Exe.
                  Patch.Exe loads x.exe by LoadLibrary, calculates changes, corrects x.exe on HDD and restarts it.

                  Patched x.exe (for customers) during execution will test itself to avoid "gifts".

                  [This message has been edited by Semen Matusovski (edited July 23, 2000).]


                  • #10
                    The following piece of code shows how to get information from the loaded
                    image of your own running application. PowerBASIC EXE files are of the
                    Portable Executable (PE) type which loads the DOS stub as well as the
                    application code. The trick is that the instance handle for the application
                    is actually the start address in memory of your application's image.

                    If I understand what Semen wants to do, just know what the offset from the
                    start of the disk file is that you wish to check and then read it directly
                    in memory to test it and do what you need with the test later. If you need
                    to access specific parts of the PE header, you will need to use the
                    appropriate structures to get the correct member and this must be referenced
                    from the beginning of the PE header.

                        cnt& = 1024             ' number of bytes to read
                        a$  = space$(cnt&)      ' allocate buffer
                        lp& = StrPtr(a$)        ' get its address
                        ! mov ecx, cnt&         ; count in ECX
                        ! mov esi, hInstance    ; instance handle in ESI
                        ! mov edi, lp&          ; buffer address in EDI
                        ! rep movsb             ; copy bytes
                        mz$ = left$(a$,2)       ' read 1st 2 bytes
                        MessageBox hWin,ByCopy mz$,"Start of DOS stub", _
                                   %MB_OK or %MB_ICONINFORMATION
                        PE& = instr(a$,"PE"+chr$(0,0)) - 1  ' correct to zero offset
                        MessageBox hWin,ByCopy hex$(PE&,8)+" hex","Address of PE header", _
                                   %MB_OK or %MB_ICONINFORMATION

                    [email protected]

                    hutch at movsd dot com
                    The MASM Forum