PeView is an interactive command-line Windows PE file parser written in C/C++. It is widely used when unpacking and analysing samples such as viruses and Trojans. After several iterations the tool can parse most of the common fields of 32-bit and 64-bit executables, and its built-in functions, such as the various structure queries and address conversions, are basically ready for day-to-day use.
The commands currently supported by PeView are as follows:
Command | Description |
---|---|
Open | Open a PE file |
Dos | Show the file's DOS header structure |
Nt | Show the file's NT header structure |
DataDirectory | Show the data directory structure |
Section | Show the file's section table |
ImportAll | Show all import table information |
ImportDll | Show all imported DLL libraries |
ImportByName | List the functions imported from the specified DLL |
ImportByFunction | Check whether the specified function exists in the import table |
Export | Show all export table information |
FixRelocPage | Show the relocation table block by block (one block per page) |
FixReloc | Show all relocation table entries |
FixRelocRVA | Show the relocation entries of the block at the specified page RVA |
Resource | List the resources of the current PE file |
GetHexAscii | Dump the bytes at the specified file offset as hex and ASCII (offset and length in decimal) |
DasmFoa | Disassemble the bytes at the specified file offset (offset and length in decimal) |
ScanPE | Scan the current PE program for hooks (the program needs to be running) |
Add | Built-in hexadecimal addition calculator |
Sub | Built-in hexadecimal subtraction calculator |
VaToFoa | Convert a VA address to a FOA address (hexadecimal) |
FoaToVa | Convert a FOA address to a VA address (hexadecimal) |
RvaToFoa | Convert an RVA address to a FOA address (hexadecimal) |
CheckSelf | Check which protection mechanisms the file has enabled and whether it carries a certificate signature |
Fingerprint | Try to identify the compiler of the target from the built-in signature library |
GetProcAddr | Get the memory address of a specific function in a DLL |
Open a PE file: use the Open command. A file is opened once, and only after it has been opened can the other operations be performed on it. To open a file, pass the Open command together with the path.
[Pe View] # Open --path d:\\Win32Project.exe
[+] 已读入文件
Query PE header data: there are two PE header query commands. The Dos command queries the DOS header and the Nt command queries the NT header; currently only the common fields are listed.
[Pe View] # Dos
----------------------------------------------------------------------
                          十六进制    十进制
----------------------------------------------------------------------
DOS标志:                  00005A4D    00023117
文件最后一页的字节数:     00000090    00000144
文件中的页面:             00000003    00000003
重定位:                   00000000    00000000
段落中标题的大小:         00000004    00000004
至少需要额外段落:         00000000    00000000
所需的最大额外段落数:     0000FFFF    00065535
初始(相对)SS值:           00000000    00000000
初始SP值:                 000000B8    00000184
校验和:                   00000000    00000000
初始IP值:                 00000000    00000000
初始(相对)CS值:           00000000    00000000
重新定位表的文件地址:     00000040    00000064
叠加编号:                 00000000    00000000
保留字:                   012B001C    19595292
OEM标识符                 00000000    00000000
OEM信息                   012B0028    19595304
PE指针:                   00000100    00000256
----------------------------------------------------------------------
[Pe View] # Nt
----------------------------------------------------------------------
                          十六进制      十进制
----------------------------------------------------------------------
NT标志:                   0x00004550    00017744
运行平台:                 0x0000014C    00000332
区段数目:                 0x00000005    00000005
时间日期标志:             0x640C0869    1678510185
特征值:                   0x00000102    00000258
可选头部大小:             0x000000E0    00000224
文件符号标志:             0x00000000    00000000
文件符号指针:             0x00000000    00000000
入口点:                   0x000015BB    00005563
镜像基址:                 0x00400000    04194304
镜像大小:                 0x00007000    00028672
代码基址:                 0x00001000    00004096
内存对齐:                 0x00001000    00004096
文件对齐:                 0x00000200    00000512
子系统:                   0x00000002    00000002
首部大小:                 0x00000400    00001024
校验和:                   0x00000000    00000000
RVA 数及大小:             0x00000010    00000016
主操作系统版本:           0x00000006    00000006
从操作系统版本:           0x00000000    00000000
主映像版本:               0x00000000    00000000
从映像版本:               0x00000000    00000000
主子系统版本:             0x00000006    00000006
从子系统版本:             0x00000000    00000000
Win32版本:                0x00000000    00000000
DLL标识:                  0x00008140    00033088
SizeOfStackReserve:       0x00100000    01048576
SizeOfStackCommit:        0x00001000    00004096
SizeOfHeapReserve:        0x00100000    01048576
SizeOfHeapCommit:         0x00001000    00004096
LoaderFlags:              0x00000000    00000000
----------------------------------------------------------------------
Query the data directory table: the data directory table of the executable is obtained with the DataDirectory command, which lists the RVA, FOA, size and other basic information of each directory.
[Pe View] # DataDirectory
-------------------------------------------------------------------------------------------------------
编号   目录RVA      目录FOA      Size长度(十进制)   Size长度(十六进制)   功能描述
-------------------------------------------------------------------------------------------------------
001    0x00000000   0xFFFFFFFF   00000000           0x00000000           Export symbols
002    0x0001A1E0   0x00006DE0   00000080           0x00000050           Import symbols
003    0x0001B000   0x00007800   00009612           0x0000258C           Resources
004    0x00000000   0xFFFFFFFF   00000000           0x00000000           Exception
005    0x00000000   0xFFFFFFFF   00000000           0x00000000           Security
006    0x0001E000   0x00009E00   00000972           0x000003CC           Base relocation
007    0x00016820   0x00005020   00000056           0x00000038           Debug
008    0x00000000   0xFFFFFFFF   00000000           0x00000000           Copyright string
009    0x00000000   0xFFFFFFFF   00000000           0x00000000           Globalptr
010    0x00000000   0xFFFFFFFF   00000000           0x00000000           TLS
011    0x00017560   0x00005D60   00000064           0x00000040           Loadconfiguration
012    0x00000000   0xFFFFFFFF   00000000           0x00000000           Bound Import
013    0x0001A000   0x00006C00   00000480           0x000001E0           IAT
014    0x00000000   0xFFFFFFFF   00000000           0x00000000           Delay Import
015    0x00000000   0xFFFFFFFF   00000000           0x00000000           COM descriptor
016    0x00000000   0xFFFFFFFF   00000000           0x00000000           NoUse
-------------------------------------------------------------------------------------------------------
Query the section table: the section table of the program is queried with the Section command.
[Pe View] # Section
----------------------------------------------------------------------------------------------------
编号   节区名称   虚拟偏移     虚拟大小     实际偏移     实际大小     节区属性
----------------------------------------------------------------------------------------------------
1      .textbss   0x00001000   0x00010000   0x00000000   0x00000000   0xE00000A0
2      .text      0x00011000   0x00004366   0x00000400   0x00004400   0x60000020
3      .rdata     0x00016000   0x00002069   0x00004800   0x00002200   0x40000040
4      .data      0x00019000   0x00000769   0x00006A00   0x00000200   0xC0000040
5      .idata     0x0001A000   0x00000AB9   0x00006C00   0x00000C00   0x40000040
6      .rsrc      0x0001B000   0x0000258C   0x00007800   0x00002600   0x40000040
7      .reloc     0x0001E000   0x00000599   0x00009E00   0x00000600   0x42000040
----------------------------------------------------------------------------------------------------
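The following Python script is an added example, not PeView's own code. It builds a constructed minimal PE32 file in memory and walks it the way the Dos, Nt, DataDirectory and Section commands above do: MZ header, e_lfanew, PE signature, file header, optional header, the 16 data directories and the section table. Structure layouts and names are the winnt.h ones; the sample values (machine 0x14C, ImageBase 0x400000, DllCharacteristics 0x8140, a .text and a .reloc section) are chosen to resemble the output above and do not come from a real binary. The bounds checks on e_lfanew, NumberOfRvaAndSizes and the section count are the part worth keeping: every one of those fields is attacker-controlled when the input is a malware sample.

```python
import struct

# Constants and layouts from the PE specification (winnt.h names). PE32 (magic 0x10B) only.
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
FILE_HEADER_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
OPT32_FMT = "<HBB9I6H4I2H6I"          # IMAGE_OPTIONAL_HEADER32 up to the data directories, 96 bytes
OPT32_FIELDS = [
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode", "SizeOfInitializedData",
    "SizeOfUninitializedData", "AddressOfEntryPoint", "BaseOfCode", "BaseOfData", "ImageBase",
    "SectionAlignment", "FileAlignment", "MajorOperatingSystemVersion",
    "MinorOperatingSystemVersion", "MajorImageVersion", "MinorImageVersion",
    "MajorSubsystemVersion", "MinorSubsystemVersion", "Win32VersionValue", "SizeOfImage",
    "SizeOfHeaders", "CheckSum", "Subsystem", "DllCharacteristics", "SizeOfStackReserve",
    "SizeOfStackCommit", "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags",
    "NumberOfRvaAndSizes",
]
SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
DIRECTORY_NAMES = [
    "Export", "Import", "Resource", "Exception", "Security", "Base relocation", "Debug",
    "Architecture", "GlobalPtr", "TLS", "Load config", "Bound import", "IAT", "Delay import",
    "COM descriptor", "Reserved",
]


def build_sample_pe():
    """Constructed minimal PE32: MZ stub, PE headers, two sections, zero-filled section data."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after the stub
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 2, 0x640C0869, 0, 0, 0xE0, 0x0102)
    opt = struct.pack(OPT32_FMT, IMAGE_NT_OPTIONAL_HDR32_MAGIC, 12, 0,
                      0x400, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[5] = (0x2000, 0x20)                              # base relocation directory, in .reloc
    dirs[12] = (0x1200, 0x40)                             # IAT, placed inside .text for the sample
    dir_bytes = b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sections = (struct.pack(SECTION_FMT, b".text", 0x366, 0x1000, 0x400, 0x400, 0, 0, 0, 0, 0x60000020)
                + struct.pack(SECTION_FMT, b".reloc", 0x20, 0x2000, 0x200, 0x800, 0, 0, 0, 0, 0x42000040))
    headers = bytes(dos) + b"PE\0\0" + file_hdr + opt + dir_bytes + sections
    return headers.ljust(0x400, b"\0") + b"\0" * 0x600    # SizeOfHeaders 0x400, then raw section data


def parse_pe(data):
    """DOS header -> NT headers -> data directories -> section table, with bounds checks."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + 20 + 96 > len(data):                # e_lfanew comes from the file: check it first
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        FILE_HEADER_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt = dict(zip(OPT32_FIELDS, struct.unpack_from(OPT32_FMT, data, opt_off)))
    if opt["Magic"] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError("only PE32 optional headers are handled here")
    ndirs = min(opt["NumberOfRvaAndSizes"], 16)           # never index past the 16 known directories
    dirs = {DIRECTORY_NAMES[i]: struct.unpack_from("<II", data, opt_off + 96 + 8 * i)
            for i in range(ndirs)}
    sec_off = opt_off + opt_size                          # section table follows the optional header
    if sec_off + 40 * nsections > len(data):
        raise ValueError("section table points outside the file")
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"Name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": f[1], "VirtualAddress": f[2], "SizeOfRawData": f[3],
                         "PointerToRawData": f[4], "Characteristics": f[9]})
    return {"Machine": machine, "TimeDateStamp": timestamp, "Characteristics": characteristics,
            "Optional": opt, "DataDirectory": dirs, "Sections": sections}


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"Machine 0x{pe['Machine']:04X}  ImageBase 0x{pe['Optional']['ImageBase']:08X}")
    for name, (rva, size) in pe["DataDirectory"].items():
        if size:
            print(f"  {name:<16} RVA 0x{rva:08X}  Size 0x{size:08X}")
    for s in pe["Sections"]:
        print(f"  {s['Name']:<8} VA 0x{s['VirtualAddress']:08X}  raw 0x{s['PointerToRawData']:08X}")
```

PE32+ (magic 0x20B) is deliberately rejected: its optional header has an 8-byte ImageBase and no BaseOfData, so the same field list would silently misread a 64-bit sample.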
Query all import tables: there are several commands for querying import tables. ImportAll lists every imported module together with the functions imported from it.
[Pe View] # ImportAll
---------------------------------------------------------------------------------------------------
Hint值    API序号     文件RVA    VA地址     函数名称              模块: [ USER32.dll ]
---------------------------------------------------------------------------------------------------
[  547]   000107838   0000713E   0041A53E   LoadIconW
[  545]   000107824   00007130   0041A530   LoadCursorW
[  233]   000107812   00007124   0041A524   EndPaint
[   14]   000107798   00007116   0041A516   BeginPaint
[  855]   000107782   00007106   0041A506   UpdateWindow
[  829]   000107758   000070EE   0041A4EE   TranslateAcceleratorW
-----------------------------------------------------------------------------------------------------
Hint值    API序号     文件RVA    VA地址     函数名称              模块: [ KERNEL32.dll ]
-----------------------------------------------------------------------------------------------------
[  615]   000108820   00007514   0041A914   GetModuleHandleW
[  611]   000108798   000074FE   0041A8FE   GetModuleFileNameW
[  414]   000108784   000074F0   0041A8F0   FreeLibrary
[ 1443]   000108768   000074E0   0041A8E0   VirtualQuery
[  674]   000108750   000074CE   0041A8CE   GetProcessHeap
[  819]   000108738   000074C2   0041A8C2   HeapFree
Query all imported libraries: to find out which dynamic link libraries the program imports, use the ImportDll command.
[Pe View] # ImportDll
----------------------------------------------------------------------
序号   文件偏移FOA   相对偏移RVA   DLL名称
----------------------------------------------------------------------
1      0x0000714A    0x00000000    USER32.dll
2      0x000072AE    0x00000000    MSVCR120D.dll
3      0x00007528    0x00000000    KERNEL32.dll
----------------------------------------------------------------------
Query the import table of a specific DLL: to list the functions imported from a particular dynamic link library, use the ImportByName command.
[Pe View] # ImportByName --dll KERNEL32.dll
---------------------------------------------------------------------------------
序号   文件偏移FOA   相对偏移RVA   导入函数   [ 当前模块: KERNEL32.dll ]
---------------------------------------------------------------------------------
615    0x00007514    0x0001A914    GetModuleHandleW
611    0x000074FE    0x0001A8FE    GetModuleFileNameW
414    0x000074F0    0x0001A8F0    FreeLibrary
1443   0x000074E0    0x0001A8E0    VirtualQuery
674    0x000074CE    0x0001A8CE    GetProcessHeap
819    0x000074C2    0x0001A8C2    HeapFree
815    0x000074B6    0x0001A8B6    HeapAlloc
254    0x000074A6    0x0001A8A6    DecodePointer
---------------------------------------------------------------------------------
Query the location of a specific function: to verify whether a given function is imported by the program, use the ImportByFunction command.
[Pe View] # ImportByFunction --function HeapAlloc
-------------------------------------------------------------------
序号       FOA地址    VA地址     所在DLL
-------------------------------------------------------------------
[  815]    000074B6   0041A8B6   KERNEL32.dll
-------------------------------------------------------------------
[Pe View] #
[Pe View] # ImportByFunction --function wcscpy_s
-------------------------------------------------------------------
序号       FOA地址    VA地址     所在DLL
-------------------------------------------------------------------
[ 1990]    00007368   0041A768   MSVCR120D.dll
-------------------------------------------------------------------
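The four import commands above (ImportAll, ImportDll, ImportByName, ImportByFunction) all come down to one walk of the import directory. The Python below is an added example, not PeView's code: it parses IMAGE_IMPORT_DESCRIPTOR entries, follows the import name table (INT) or, when it is absent, the IAT, and decodes each thunk as either a hint/name pair or an ordinal. It works on an RVA-indexed buffer (a loaded or "stretched" image), so the RVA-to-file-offset step is assumed to have been done already. The sample image, its DLL names, hints and the ordinal import are constructed for the example.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000     # top bit of a PE32 thunk: import by ordinal, not by name


def c_string(image, rva, limit=256):
    """NUL-terminated ASCII string at `rva`; bounded so a corrupt name cannot run off the image."""
    end = image.find(b"\0", rva, rva + limit)
    if end < 0:
        raise ValueError(f"unterminated string at RVA 0x{rva:X}")
    return image[rva:end].decode("ascii", "replace")


def parse_imports(image, import_dir_rva):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries in an RVA-indexed PE32 image.

    Returns {dll_name: [(hint_or_ordinal, name_or_None, iat_slot_rva), ...]}."""
    result = {}
    pos = import_dir_rva
    while True:
        if pos + 20 > len(image):
            raise ValueError("import descriptor table runs off the image")
        oft, _stamp, _forwarder, name_rva, ft = struct.unpack_from("<IIIII", image, pos)
        if name_rva == 0 and ft == 0:
            break                                   # all-zero descriptor terminates the table
        dll = c_string(image, name_rva)
        thunk_rva = oft or ft                       # INT if present, otherwise read the IAT itself
        entries = []
        for i in range(4096):                       # hard cap: a malformed table must not loop forever
            thunk, = struct.unpack_from("<I", image, thunk_rva + 4 * i)
            if thunk == 0:
                break
            iat_slot = ft + 4 * i                   # where the loader will write the resolved address
            if thunk & IMAGE_ORDINAL_FLAG32:
                entries.append((thunk & 0xFFFF, None, iat_slot))
            else:
                hint, = struct.unpack_from("<H", image, thunk)   # IMAGE_IMPORT_BY_NAME: Hint, Name
                entries.append((hint, c_string(image, thunk + 2), iat_slot))
        result[dll] = entries
        pos += 20
    return result


def find_function(imports, function):
    """The ImportByFunction check: (dll, hint, iat_slot) that provides `function`, or None."""
    for dll, entries in imports.items():
        for hint, name, iat_slot in entries:
            if name == function:
                return dll, hint, iat_slot
    return None


def build_sample_image():
    """Constructed RVA-indexed image (0x3000 bytes) holding only an import directory at RVA 0x2000."""
    img = bytearray(0x3000)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    put(0x2100, b"KERNEL32.dll\0")
    put(0x2110, b"USER32.dll\0")
    put(0x2300, struct.pack("<H", 815) + b"HeapAlloc\0")     # hint values chosen to match the page
    put(0x2310, struct.pack("<H", 819) + b"HeapFree\0")
    put(0x2320, struct.pack("<H", 547) + b"LoadIconW\0")
    k32_thunks = struct.pack("<III", 0x2300, 0x2310, 0)
    u32_thunks = struct.pack("<III", 0x2320, IMAGE_ORDINAL_FLAG32 | 120, 0)   # one ordinal import
    put(0x2200, k32_thunks)
    put(0x2400, k32_thunks)                                   # on disk the IAT mirrors the INT
    put(0x2220, u32_thunks)
    put(0x2420, u32_thunks)
    put(0x2000, struct.pack("<IIIII", 0x2200, 0, 0, 0x2100, 0x2400)
              + struct.pack("<IIIII", 0x2220, 0, 0, 0x2110, 0x2420)
              + bytes(20))                                   # terminator
    return img


if __name__ == "__main__":
    imports = parse_imports(build_sample_image(), 0x2000)
    for dll, entries in imports.items():
        print(f"module: [ {dll} ]")
        for hint, name, slot in entries:
            print(f"  [{hint:5}]  IAT slot RVA {slot:08X}  {name or '(by ordinal)'}")
    print(find_function(imports, "HeapAlloc"))
```

Reading the IAT instead of the INT only when OriginalFirstThunk is zero matters in practice: in a memory dump the IAT already holds resolved addresses, so walking it as if it were name RVAs produces garbage.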
Query the export table: the export table of the program is queried with the Export command; here we first switch to a DLL and then query it.
[Pe View] # Open --path d://SecurityPE.dll
[+] 已读入文件
[Pe View] #
[Pe View] # Export
-----------------------------------------------------------------------
序号   导出RVA地址   导出VA地址   导出FOA地址   导出函数
-----------------------------------------------------------------------
1      00003760      0x10003760   0x00002B60    CreateObject
-----------------------------------------------------------------------
Query relocation entries: all relocation entries in the program are queried with the FixReloc command.
[Pe View] # FixReloc
--------------------------------------------------------------------
起始RVA    类型   重定位RVA   重定位地址   修正RVA
--------------------------------------------------------------------
00011000   3      0001151C    0041A178     0001A178
00011000   3      00011592    00419138     00019138
00011000   3      000115B6    00419140     00019140
00011000   3      000115BB    00419208     00019208
00011000   3      000115C3    0041A188     0001A188
00011000   3      000115E7    0041A180     0001A180
00011000   3      000115FA    0041A16C     0001A16C
00011000   3      0001166F    00419000     00019000
00011000   3      00011689    00411195     00011195
--------------------------------------------------------------------
Query relocation table pages: the relocation table is displayed block by block (one block per page) with the FixRelocPage command.
[Pe View] # FixRelocPage
----------------------------------------------------------------------
映像基址: 00400000   虚拟偏移: 0001E000   重定位表基址: 001C9E00
----------------------------------------------------------------------
起始RVA: 00011000   块长度: 0200   重定位个数: 0096
起始RVA: 00012000   块长度: 0292   重定位个数: 0142
起始RVA: 00013000   块长度: 0296   重定位个数: 0144
起始RVA: 00014000   块长度: 0108   重定位个数: 0050
起始RVA: 00016000   块长度: 0028   重定位个数: 0010
起始RVA: 00017000   块长度: 0048   重定位个数: 0020
----------------------------------------------------------------------
Query the relocation entries of one page: FixRelocRVA lists the entries of the relocation block that starts at the given page RVA. It is used when the entries for a specific RVA page need to be obtained.
[Pe View] # FixRelocRVA --rva 00017000
----------------------------------------------------------------------
起始RVA    类型   重定位RVA   重定位地址   修正RVA
----------------------------------------------------------------------
00017000   3      00017014    00419350     00019350
00017000   3      00017018    004193A0     000193A0
00017000   3      00017020    00417038     00017038
00017000   3      00017024    00417058     00017058
00017000   3      00017028    0041708C     0001708C
00017000   3      0001702C    004170A8     000170A8
00017000   3      00017030    004170DC     000170DC
00017000   3      0001759C    00419000     00019000
----------------------------------------------------------------------
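The three relocation commands above (FixReloc, FixRelocPage, FixRelocRVA) read the same structure: a chain of IMAGE_BASE_RELOCATION blocks, each with a page RVA, a block size and 16-bit entries whose top 4 bits are the type and low 12 bits the offset within the page. The Python below is an added example, not PeView's code. It parses the blocks, prints the same five columns as FixReloc (page RVA, type, target RVA, stored address, stored address minus ImageBase) and then applies a base delta the way the loader does, which is also the "修正重定位基址" step ScanPE performs before it can compare file bytes with process memory. It handles type 3 (HIGHLOW, 32-bit) as in the output above and, going beyond it, type 10 (DIR64) for 64-bit images. The image buffer and the single relocation block are constructed; the stored pointer values are borrowed from the FixReloc output.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry to keep the block 4-byte aligned; skip it
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address
IMAGE_BASE = 0x00400000        # ImageBase used for the constructed sample


def parse_reloc_blocks(reloc_data):
    """Yield (page_rva, [(type, offset), ...]) for each IMAGE_BASE_RELOCATION block."""
    pos = 0
    while pos + 8 <= len(reloc_data):
        page_rva, block_size = struct.unpack_from("<II", reloc_data, pos)
        if block_size < 8 or pos + block_size > len(reloc_data):
            raise ValueError(f"bad SizeOfBlock {block_size} at offset {pos}")   # also stops a 0-size loop
        count = (block_size - 8) // 2
        entries = struct.unpack_from(f"<{count}H", reloc_data, pos + 8)
        yield page_rva, [(e >> 12, e & 0xFFF) for e in entries]
        pos += block_size


def _width(rtype):
    if rtype == IMAGE_REL_BASED_HIGHLOW:
        return 4
    if rtype == IMAGE_REL_BASED_DIR64:
        return 8
    raise ValueError(f"unsupported relocation type {rtype}")


def list_relocations(image, image_base, reloc_data):
    """Rows like FixReloc: (page RVA, type, target RVA, stored address, stored address - ImageBase)."""
    rows = []
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            rva = page_rva + offset
            value = int.from_bytes(image[rva:rva + _width(rtype)], "little")
            rows.append((page_rva, rtype, rva, value, value - image_base))
    return rows


def apply_relocations(image, image_base, new_base, reloc_data):
    """Add (new_base - image_base) to every pointer slot in `image` (a bytearray indexed by RVA)."""
    delta = new_base - image_base
    patched = 0
    for page_rva, entries in parse_reloc_blocks(reloc_data):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            width = _width(rtype)
            rva = page_rva + offset
            if rva + width > len(image):
                raise ValueError(f"relocation at RVA 0x{rva:X} lies outside the image")
            old = int.from_bytes(image[rva:rva + width], "little")
            new = (old + delta) & ((1 << (8 * width)) - 1)      # wrap like the loader's fixed-width add
            image[rva:rva + width] = new.to_bytes(width, "little")
            patched += 1
    return patched


def build_sample():
    """Constructed image: 0x2000 bytes indexed by RVA with three absolute pointers in page 0x1000."""
    image = bytearray(0x2000)
    slots = {0x101C: 0x0041A178, 0x1092: 0x00419138, 0x10B6: 0x00419140}   # values from FixReloc above
    for rva, value in slots.items():
        image[rva:rva + 4] = value.to_bytes(4, "little")
    entries = [(3 << 12) | 0x01C, (3 << 12) | 0x092, (3 << 12) | 0x0B6, 0]  # last entry is ABSOLUTE padding
    block = struct.pack("<II", 0x1000, 8 + 2 * len(entries)) + struct.pack(f"<{len(entries)}H", *entries)
    return image, block


if __name__ == "__main__":
    image, reloc = build_sample()
    for page, rtype, rva, value, fixed in list_relocations(image, IMAGE_BASE, reloc):
        print(f"{page:08X} {rtype} {rva:08X} {value:08X} {fixed:08X}")
    print("patched slots:", apply_relocations(image, IMAGE_BASE, 0x10000000, reloc))
```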
Query the resource table: resources in the program are listed with the Resource command; currently only the first-level resource types can be obtained.
[Pe View] # Resource
------------------------------------------------------------
资源类型ID   类型
------------------------------------------------------------
00000003     图标
00000004     菜单
00000005     对话框
00000006     字符串列表
00000009     快捷键
0000000E     图标组
00000018     24
------------------------------------------------------------
Check a function's memory address: to look up the address of a function in a particular module, use the GetProcAddr command.
[Pe View] # GetProcAddr --dll user32.dll --function MessageBoxA
0x76B12D90
[Pe View] #
[Pe View] # GetProcAddr --dll user32.dll --function MessageBoxW
0x76B132B0
[Pe View] #
[Pe View] # GetProcAddr --dll user32.dll --function MessageBox
0x0
Check protection modes: used to check which protection mechanisms the currently opened file has enabled.
[Pe View] # CheckSelf
--------------------------------------------------
基址随机化: 是
DEP保护兼容: 是
强制完整性: 否
SEH异常保护: 否
证书签名: 否
--------------------------------------------------
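Most of the CheckSelf rows are bits of the DllCharacteristics word shown by Nt (0x8140 in the output above). The Python below is an added example, not PeView's code: it decodes those IMAGE_DLLCHARACTERISTICS_* bits and adds the consistency check a reviewer wants next to "基址随机化: 是", namely whether the image can actually be relocated (the IMAGE_FILE_RELOCS_STRIPPED bit of the file header and the size of the base relocation directory); it also reports the certificate table from the size of the Security directory. SafeSEH ("SEH异常保护") is not decided by this word; it requires reading SEHandlerTable from the load configuration directory, so it is left out here. The input values are the ones from the Nt and DataDirectory output above.

```python
# IMAGE_DLLCHARACTERISTICS_* bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (winnt.h).
DLL_CHARACTERISTICS = {
    "HIGH_ENTROPY_VA": 0x0020, "DYNAMIC_BASE": 0x0040, "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100, "NO_ISOLATION": 0x0200, "NO_SEH": 0x0400, "NO_BIND": 0x0800,
    "APPCONTAINER": 0x1000, "WDM_DRIVER": 0x2000, "GUARD_CF": 0x4000,
    "TERMINAL_SERVER_AWARE": 0x8000,
}
IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # bit of IMAGE_FILE_HEADER.Characteristics


def decode_dll_characteristics(value):
    """Names of the IMAGE_DLLCHARACTERISTICS_* bits set in `value`."""
    return {name for name, bit in DLL_CHARACTERISTICS.items() if value & bit}


def mitigation_report(dll_characteristics, file_characteristics, reloc_dir_size, security_dir_size):
    """Rows in the spirit of CheckSelf, plus the checks that decide whether a flag is meaningful.

    reloc_dir_size / security_dir_size are the Size fields of data directories 006 and 005."""
    flags = decode_dll_characteristics(dll_characteristics)
    aslr_flag = "DYNAMIC_BASE" in flags
    # The loader can only randomise the base if it can relocate: DYNAMIC_BASE means nothing
    # when relocations were stripped or the base relocation directory is empty.
    can_relocate = reloc_dir_size > 0 and not (file_characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "ASLR (DYNAMIC_BASE)": aslr_flag,
        "ASLR effective (relocations present)": aslr_flag and can_relocate,
        "DEP (NX_COMPAT)": "NX_COMPAT" in flags,
        "Force integrity (FORCE_INTEGRITY)": "FORCE_INTEGRITY" in flags,
        "Control Flow Guard (GUARD_CF)": "GUARD_CF" in flags,
        "SEH disabled (NO_SEH)": "NO_SEH" in flags,
        "Certificate table present (Security directory)": security_dir_size > 0,
    }


if __name__ == "__main__":
    # DllCharacteristics 0x8140 and Characteristics 0x0102 from Nt; directory sizes from DataDirectory.
    for row, value in mitigation_report(0x8140, 0x0102, 0x3CC, 0).items():
        print(f"{row:<48} {'yes' if value else 'no'}")
```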
Hex output: used to obtain the hexadecimal machine code of the program; usually the file path, file offset and read length are passed in.
[Pe View] # GetHexAscii --offset 1024 --len 100
-------------------------------------------------------------------------------
Offset   | 0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 | ASCII
-------------------------------------------------------------------------------
00001024 | 55 8B EC 83 EC 24 A1 00 30 40 00 33 C5 89 45 FC | U嬱冹$ 0@ 3艍E
00001040 | 56 8B 35 E0 20 40 00 57 8B 7D 08 6A 64 68 38 34 | V??@ W媫jdh84
00001056 | 40 00 6A 67 57 FF D6 6A 64 68 70 33 40 00 6A 6D | @ jgW謏dhp3@ jm
00001072 | 57 FF D6 8B CF E8 D6 00 00 00 6A 00 57 6A 00 6A | W謰翔 j Wj j
00001088 | 00 6A 00 68 00 00 00 80 6A 00 68 00 00 00 80 68 | j h €j h €h
00001104 | 00 00 CF 00 68 38 34 40 00 68 70 33 40 00 6A 00 | h84@ hp3@ j
00001120 | 89 3D 00
Disassembly: used to disassemble the bytes at a specific file offset via the DasmFoa command and its parameters.
[Pe View] # DasmFoa --offset 1024 --len 100
--------------------------------------------------------------------------------
文件偏移       反汇编指令集
--------------------------------------------------------------------------------
0x00000400 | push ebp
0x00000401 | mov ebp, esp
0x00000403 | sub esp, 0x24
0x00000406 | mov eax, dword ptr [0x403000]
0x0000040B | xor eax, ebp
0x0000040D | mov dword ptr [ebp - 4], eax
0x00000410 | push esi
0x00000411 | mov esi, dword ptr [0x4020e0]
0x00000417 | push edi
0x00000418 | mov edi, dword ptr [ebp + 8]
0x0000041B | push 0x64
0x0000041D | push 0x403438
0x00000422 | push 0x67
0x00000424 | push edi
0x00000425 | call esi
Scan process hook status: scans a particular process for inline hooks and, if any are present, outputs both the original and the modified machine code.
[Pe View] # ScanPE
[+] 读入文件长度: 14848 bytes 基址: 012EBC08
[+] 进程模块句柄: 1245184
[+] 进程句柄: 00000088
[+] PE读入状态: 1
[+] 拉伸后长度: 28672 bytes 基址: 012EF610
[+] 修正重定位基址: 1245184
[+] 代码段数量: 1
[+] 虚拟地址: 4096 长度: 3072 实际地址: 1024
0x00130000 | 文件汇编: push ebp | 内存汇编: push ebp |
0x00130001 | 文件汇编: mov ebp, esp | 内存汇编: mov ebp, esp |
0x00130003 | 文件汇编: sub esp, 0x24 | 内存汇编: sub esp, 0x24 |
0x00130006 | 文件汇编: mov eax, dword ptr [0x133000] | 内存汇编: mov eax, dword ptr [0x133000] |
0x0013000B | 文件汇编: xor eax, ebp | 内存汇编: xor eax, ebp |
0x0013000D | 文件汇编: mov dword ptr [ebp - 4], eax | 内存汇编: mov dword ptr [ebp - 4], eax |
0x00130010 | 文件汇编: push esi | 内存汇编: push esi |
0x00130011 | 文件汇编: mov esi, dword ptr [0x1320e0] | 内存汇编: mov esi, dword ptr [0x1320e0] |
0x00130017 | 文件汇编: push edi | 内存汇编: push edi |
0x00130018 | 文件汇编: mov edi, dword ptr [ebp + 8] | 内存汇编: mov edi, dword ptr [ebp + 8] |
0x0013001B | 文件汇编: push 0x64 | 内存汇编: push 0x64 |
0x0013001D | 文件汇编: push 0x133438 | 内存汇编: push 0x133438 |
0x00130022 | 文件汇编: push 0x67 | 内存汇编: push 0x67
Target fingerprinting: detects the signature fingerprint of the target program on disk in order to determine which compiler generated it. The signature library is currently incomplete and is only used for testing.
[Pe View] # Fingerprint --path d://Win32Project.exe
---------------------------------------------------------------------------------------------------------
原始数据: 55 8B EC 81 EC C4 00 00 00 53 56 57 8D BD 3C FF FF FF B9 31 00 00 00 B8 CC CC CC CC F3 AB 8B 45
磁盘映像: 55 8B EC 81 EC C4 00 00 00 53 56 57 8D BD 3C FF FF FF B9 31 00 00 00 B8 CC CC CC CC F3 AB 8B 45
检测结果: Microsoft Visual C/C++ x86 (2013)
---------------------------------------------------------------------------------------------------------
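Compiler fingerprinting of this kind is byte-pattern matching at the entry point, with wildcard bytes for the parts that vary per build (frame sizes, addresses). The Python below is an added example, not PeView's code and not its signature library: the two patterns are constructed for illustration and the labels claim nothing about any real compiler. The 32 sample bytes are the 原始数据 row of the Fingerprint output above. When several patterns match, the one with the most fixed (non-wildcard) bytes wins, so a short generic pattern cannot shadow a longer, more specific one.

```python
# Entry-point bytes copied from the 原始数据 row of the Fingerprint output above (32 bytes).
ENTRY_BYTES = bytes.fromhex(
    "55 8B EC 81 EC C4 00 00 00 53 56 57 8D BD 3C FF FF FF "
    "B9 31 00 00 00 B8 CC CC CC CC F3 AB 8B 45")

# Constructed, illustrative patterns; NOT PeView's built-in library. "??" is a wildcard byte.
SIGNATURES = {
    "Pattern A: frame setup + 0xCC stack fill (illustrative)":
        "55 8B EC 81 EC ?? ?? ?? ?? 53 56 57 8D BD ?? ?? ?? ?? B9 ?? ?? ?? ?? B8 CC CC CC CC F3 AB",
    "Pattern B: bare frame setup (illustrative)": "55 8B EC",
}


def parse_signature(text):
    """'55 8B ?? EC' -> [0x55, 0x8B, None, 0xEC]; None marks a wildcard byte."""
    pattern = []
    for token in text.split():
        if token in ("??", "?"):
            pattern.append(None)
        elif len(token) == 2:
            pattern.append(int(token, 16))
        else:
            raise ValueError(f"bad signature token {token!r}")
    return pattern


def matches_at(data, pattern, offset=0):
    """True if `pattern` matches `data` starting at `offset` (wildcards match anything)."""
    if offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))


def identify(entry_bytes, library):
    """(name, fixed_byte_count) of the most specific matching pattern, or None if nothing matches."""
    best = None
    for name, text in library.items():
        pattern = parse_signature(text)
        if matches_at(entry_bytes, pattern):
            specificity = sum(p is not None for p in pattern)
            if best is None or specificity > best[1]:
                best = (name, specificity)
    return best


if __name__ == "__main__":
    print(identify(ENTRY_BYTES, SIGNATURES))
    print(identify(b"\x90" * 32, SIGNATURES))   # a NOP sled matches nothing
```

The specificity rule is what makes a library of overlapping patterns usable; without it the result depends on dictionary order, and a packer stub that starts with the same three bytes as a compiler prologue would be misreported.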
Hex calculator: a small function that adds or subtracts two hexadecimal numbers.
[Pe View] # Add --x 1c --y 2d
1c + 2d =>
HEX= 00000049
DEC= 73
OCT= 111
BIN= 1001001
[Pe View] #
[Pe View] # Sub --x 1c --y 2d
1c - 2d =>
HEX= FFFFFFEF
DEC= -17
OCT= 37777777757
BIN= 11111111111111111111111111101111
File address to virtual address: convert a file offset of the currently opened program's machine code into the virtual address it has once loaded into memory.
[Pe View] # FoaToVa --foa 420
--------------------------------------------------------------------------------
基址: 0x00400000 文件偏移开始: 0x00000400 文件偏移结束: 0x00004800
--------------------------------------------------------------------------------
FOA地址: 0x00000420
---> RVA地址: 0x00011020
---> VA地址: 0x00411020
--------------------------------------------------------------------------------
Virtual address to file address: convert a memory virtual address of the currently opened program into the offset of the file where it resides.
[Pe View] # VaToFoa --va 0x00411020
--------------------------------------------------------------------------------
基址: 0x00400000 所在节区: .text 节开始地址: 0x00411000 节结束地址: 0x00415366
--------------------------------------------------------------------------------
VA地址: 0x00411020
---> RVA地址: 0x00011020
---> FOA地址: 0x00000420
--------------------------------------------------------------------------------
Relative address to file address: convert an RVA (relative virtual address) of the currently opened program into a file offset address.
[Pe View] # RvaToFoa --rva 1024
--------------------------------------------------------------------------------
基址: 0x00400000 所在节区: .textbss 节开始地址: 0x00001000 节结束地址: 0x00011000
--------------------------------------------------------------------------------
RVA地址: 0x00001024
---> VA地址: 0x00401024
---> FOA地址: 0x00000024
--------------------------------------------------------------------------------
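The three conversion commands (FoaToVa, VaToFoa, RvaToFoa) are a lookup in the section table: find the section whose virtual range (or raw range) contains the address and add the difference between its VirtualAddress and PointerToRawData. The Python below is an added example, not PeView's code. Its section table is copied from the Section output above, with ImageBase 0x00400000 and SizeOfHeaders 0x400 from the Nt output, so the FoaToVa and VaToFoa results above can be reproduced. Two edge cases are handled explicitly: addresses inside the headers map 1:1, and an RVA that falls inside a section's VirtualSize but beyond its SizeOfRawData (such as .textbss, which has no raw data at all) has no bytes on disk and is reported as None rather than as an offset.

```python
# Section table copied from the Section output above:
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
IMAGE_BASE = 0x00400000
SIZE_OF_HEADERS = 0x400
SECTIONS = [
    (".textbss", 0x00001000, 0x00010000, 0x00000000, 0x00000000),
    (".text",    0x00011000, 0x00004366, 0x00000400, 0x00004400),
    (".rdata",   0x00016000, 0x00002069, 0x00004800, 0x00002200),
    (".data",    0x00019000, 0x00000769, 0x00006A00, 0x00000200),
    (".idata",   0x0001A000, 0x00000AB9, 0x00006C00, 0x00000C00),
    (".rsrc",    0x0001B000, 0x0000258C, 0x00007800, 0x00002600),
    (".reloc",   0x0001E000, 0x00000599, 0x00009E00, 0x00000600),
]


def section_for_rva(rva, sections=SECTIONS):
    """Section whose virtual extent (the larger of VirtualSize and SizeOfRawData) covers `rva`."""
    for sec in sections:
        _, va, vsize, _, raw_size = sec
        if va <= rva < va + max(vsize, raw_size):
            return sec
    return None


def section_for_foa(foa, sections=SECTIONS):
    """Section whose raw data on disk covers `foa`; sections without raw data never match."""
    for sec in sections:
        _, _, _, raw_ptr, raw_size = sec
        if raw_size and raw_ptr <= foa < raw_ptr + raw_size:
            return sec
    return None


def rva_to_foa(rva, sections=SECTIONS, size_of_headers=SIZE_OF_HEADERS):
    """RVA -> file offset, or None when the RVA has no bytes on disk."""
    if rva < size_of_headers:
        return rva                              # headers are mapped 1:1
    sec = section_for_rva(rva, sections)
    if sec is None:
        return None                             # not inside any section
    _, va, _, raw_ptr, raw_size = sec
    delta = rva - va
    if delta >= raw_size:
        return None                             # virtual-only space: BSS-like or alignment padding
    return raw_ptr + delta


def foa_to_rva(foa, sections=SECTIONS, size_of_headers=SIZE_OF_HEADERS):
    """File offset -> RVA, or None for a gap between sections or past the last section."""
    if foa < size_of_headers:
        return foa
    sec = section_for_foa(foa, sections)
    if sec is None:
        return None
    _, va, _, raw_ptr, _ = sec
    return va + (foa - raw_ptr)


def va_to_foa(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """VaToFoa: VA -> RVA -> FOA (None if the VA is below ImageBase or has no file backing)."""
    if va < image_base:
        return None
    return rva_to_foa(va - image_base, sections)


def foa_to_va(foa, image_base=IMAGE_BASE, sections=SECTIONS):
    """FoaToVa: FOA -> RVA -> VA."""
    rva = foa_to_rva(foa, sections)
    return None if rva is None else image_base + rva


if __name__ == "__main__":
    print(f"FOA 0x420    -> VA  0x{foa_to_va(0x420):08X}")        # 0x00411020, as in FoaToVa above
    print(f"VA  0x411020 -> FOA 0x{va_to_foa(0x411020):08X}")     # 0x00000420, as in VaToFoa above
    print(f"RVA 0x1A1E0  -> FOA 0x{rva_to_foa(0x1A1E0):08X}")     # 0x6DE0, the import directory FOA
    print(f"RVA 0x1024   -> FOA {rva_to_foa(0x1024)}")            # None: .textbss has no raw data
```

Checking the result against the DataDirectory output is a quick self-test: directory 002 (Import) has RVA 0x0001A1E0 and FOA 0x00006DE0, and 006 (Base relocation) has RVA 0x0001E000 and FOA 0x00009E00, both of which the functions reproduce.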
project address