This is a mirror of official site: http://jasper-net.blogspot.com/

A Number of Reusable PE File Format Scanning Functions

Wednesday, April 14, 2010
This article accompanies a number of command line sample applications that wrap some common code of mine. This common code can be used to extract various information from PE files. The four samples are named bitness, pefileuses, dotnetsearch and pdbget.

bitness expects a file name as the command line parameter and will tell you if the file passed as an argument is a 32 bit or a 64 bit PE file. It wraps the following common code functions:

BOOL IsFile64BitPEFileW(LPCWSTR szFile, PBOOL pbIs64Bits);
BOOL IsFile64BitPEFileA(LPCSTR szFile, PBOOL pbIs64Bits);

The parameters should be self-explanatory. If the function succeeds, it returns a non-zero value. If it fails, the return value is FALSE and extended error information is available via GetLastError. On success, the out parameter pbIs64Bits receives a non-zero value if the PE file named by szFile is a 64-bit image.
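The following is an added example, not the author's common code from the article, of how such a check can be done on an in-memory buffer instead of a file name: the DOS header's e_lfanew field locates the NT headers, and OptionalHeader.Magic (0x10B for PE32, 0x20B for PE32+) decides the bitness. It assumes plain standard C on any host, hand-written header constants in place of windows.h, and a sample image constructed inline; every offset is bounds-checked before use because the file being scanned is untrusted input.

```c
#include <stdint.h>
#include <string.h>

/* PE constants from the PE/COFF specification. */
#define DOS_MAGIC          0x5A4D       /* "MZ" */
#define PE_SIGNATURE       0x00004550   /* "PE\0\0" */
#define OPT_MAGIC_PE32     0x10B
#define OPT_MAGIC_PE32PLUS 0x20B

/* Little-endian reads that do not assume alignment or host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 and sets *is64 on success, 0 if buf is not a well-formed PE image.
 * Every offset is checked against len before it is dereferenced. */
int pe_is_64bit(const uint8_t *buf, size_t len, int *is64)
{
    if (len < 0x40 || rd16(buf) != DOS_MAGIC) return 0;
    uint32_t e_lfanew = rd32(buf + 0x3C);           /* file offset of "PE\0\0" */
    /* signature(4) + COFF file header(20) + OptionalHeader.Magic(2) must fit */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2) return 0;
    const uint8_t *nt = buf + e_lfanew;
    if (rd32(nt) != PE_SIGNATURE) return 0;
    uint16_t magic = rd16(nt + 4 + 20);             /* first optional-header field */
    if (magic == OPT_MAGIC_PE32PLUS) *is64 = 1;
    else if (magic == OPT_MAGIC_PE32) *is64 = 0;
    else return 0;                                  /* ROM image or corrupt file */
    return 1;
}

/* Constructed test input: a header-only image with NT headers at 0x40, the given
 * e_lfanew written into the DOS header, parsed as if the file were len bytes long.
 * Returns -1 when pe_is_64bit rejects it, otherwise the reported bitness. */
int sample_bitness(int want64, uint32_t e_lfanew, size_t len)
{
    uint8_t b[0x60] = {0};
    int is64 = 0;
    b[0] = 'M'; b[1] = 'Z';
    b[0x3C] = e_lfanew & 0xFF; b[0x3D] = (e_lfanew >> 8) & 0xFF;
    b[0x3E] = (e_lfanew >> 16) & 0xFF; b[0x3F] = e_lfanew >> 24;
    memcpy(b + 0x40, "PE\0\0", 4);
    uint16_t machine = want64 ? 0x8664 : 0x014C;    /* IMAGE_FILE_MACHINE_AMD64 / I386 */
    b[0x44] = machine & 0xFF; b[0x45] = machine >> 8;
    uint16_t magic = want64 ? OPT_MAGIC_PE32PLUS : OPT_MAGIC_PE32;
    b[0x58] = magic & 0xFF; b[0x59] = magic >> 8;
    if (len > sizeof b) len = sizeof b;
    return pe_is_64bit(b, len, &is64) ? is64 : -1;
}
```

A truncated file or an e_lfanew pointing past the end of the buffer is rejected rather than read out of bounds, which is the failure mode a file-based scanner must handle before trusting any header field.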

pefileuses determines whether a given PE file links against a certain DLL, or uses a specific function from that DLL. It expects three command line parameters and an optional fourth. The first parameter is a number between 0 and 2 that selects which tables are scanned: "0" scans both the import table and the delay-load import table, "1" scans only the import table, and "2" scans only the delay-load table. The second parameter is the PE file to be scanned. The third parameter is the DLL name the tables should be searched for. The optional fourth parameter is a function name. The application prints to stdout whether the specified binary links against the given DLL and, if a function name was given, whether it imports that function. This tool wraps the following common code functions:

BOOL __stdcall PeFileUsesImportA(LPCSTR szPeFile, LPCSTR szDllName,
                                LPCSTR szFunction,
                                PBOOL pbUse, DWORD dwFlags);
BOOL __stdcall PeFileUsesImportW(LPCWSTR szPeFile, LPCWSTR szDllName,
                                LPCWSTR szFunction, PBOOL pbUse,
                                DWORD dwFlags);

The flags passed to this function correspond to the first command line parameter of pefileuses.exe and are defined as follows:

#define PUI_USE_IMPORT_ONLY    0x1
#define PUI_USE_DELAYLOAD_ONLY 0x2

Passing 0L as the dwFlags parameter scans both tables as described above. The other parameters should be pretty self-explanatory. If the function succeeds, it returns a non-zero value. If it fails, the return value is FALSE and extended error information is available via GetLastError.

dotnetsearch scans an entire directory tree and reports, for each DLL and EXE file found, whether it is a .NET binary.

Read more: Codeproject

Posted via email from jasper22's posterous