------------------------------------------------------------------------------- PESnoop 2.0 - Advanced PE32/PE32+/COFF OBJ,LIB command line dumper by yoda ------------------------------------------------------------------------------- version: 2.0 coder: yoda project start: 27th March 2002 coding language: C E-mail: LordPE@gmx.net website: y0da.cjb.net Prolog: ~~~~~~~ Basically I only wanted to code a structure lister for LordPE, like the one of PEBrowse, but because I was currently interested in the changes made to the PE format while porting it to 64bit architectures and a core GUI structure lister isn't really code I can reuse, I developed a full PE32/PE32+ command line dumper with support for related file types (OBJ, LIB). My development environment was this time VS .NET...got to like it quickly. Matt Pietrek's new PE article gave me fine input about the new PE format. I just played some PE32+ files during development of this utility, so I couldn't test all PE element dumpers on them. Please send incompatible/wrong dumped files to me. Usage: PESnoop.EXE (file path) (options) /NOLOGO - skip title, input file path, modus /PE_DH - dump DOS Header /PE_NH - dump NT Headers /PE_SHT - dump SectionHeaderTable /PE_ET - dump ExportTable /PE_IT - dump ImportTable /PE_RT - simple ResourceTree dump /PE_RT+ - advanced ResourceTree dump /PE_ED - dump ExceptionDirectory /PE_RD - dump Relocation blocks /PE_DD - dump DebugDirectory /PE_AD - dump ArchitectureDirectory /PE_TT - dump TLSTable /PE_LCD - dump LoadConfigDirectory /PE_BI - dump BoundImports /PE_DI - dump DelayImports /PE_CD - dump COMDirectory /PE_P - hex dump image partitions /PE_ALL - dump everything /OBJ_FH - dump FileHeader /OBJ_OH - dump OptionalHeader /OBJ_SHT - dump SectionHeaderTable /OBJ_ST - dump SymbolTable /OBJ_S - show Object Module summary /OBJ_ALL - dump everything /LIB_AMH - dump ArchiveMemberHeaders /LIB_ILR - dump ImportLibraryRecords /LIB_LM - dump LinkerMembers /LIB_LNM - dump LongNamesMembers /LIB_OBJ_* - dump structures from Object Module Image Parts /LIB_S - show Library summary /LIB_ALL - dump everything Option flags are handled case insensitive. ToDo: ~~~~~ - possibility dump OMF OBJ/LIB images History: ~~~~~~~~ PESnoop 2.0: (6th Mar 2k2) - ability to dump COFF Object Modules and COFF Libraries - bugfix: - in 'PESnoop.HexDump' - in 'PESnoop.PE_DumpOptionalHeader' PESnoop 1.0a: (1st Mar 2k2) - changed executable icon - corrected a typo - tested successfully some other 64bit PEs PESnoop 1.0: (31th Mar 2k2) - first release Please drop me your comments and so force. yoda