Special Command—Displaying More PE Header Information with !dh

The !dh extension displays the PE header information from a specified module.

Usage:

!dh [options] <addressOfModule>

Options can be:

-f Displays file headers.
-s Displays section headers.
-a Displays all header information.

Example:

0:532> lm

start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000   mfc90d     (deferred)
692e0000 69403000   MSVCR90D   (deferred)
71270000 71283000   dwmapi     (deferred)
72cf0000 72d70000   UxTheme    (deferred)
73470000 73475000   MSIMG32    (deferred)
73b50000 73b5d000   MFC90ENU   (deferred)
74fd0000 75053000   COMCTL32   (deferred)
751d0000 751dc000   CRYPTBASE   (deferred)
751e0000 75240000   SspiCli    (deferred)
75240000 75259000   sechost    (deferred)
75260000 75ea6000   SHELL32    (deferred)
75ee0000 75f8c000   msvcrt     (deferred)
75fd0000 76060000   GDI32      (deferred)
76150000 76250000   kernel32   (deferred)
76250000 762ed000   USP10      (deferred)
763b0000 76410000   IMM32      (deferred)
76410000 7649f000   OLEAUT32   (deferred)
764a0000 764e4000   KERNELBASE   (deferred)
765c0000 766b0000   RPCRT4     (deferred)
766b0000 76733000   CLBCatQ    (deferred)
76a00000 76aa0000   ADVAPI32   (deferred)
76ce0000 76d37000   SHLWAPI    (deferred)
76f40000 77040000   USER32     (deferred)
77040000 7710c000   MSCTF      (deferred)
77110000 7726b000   ole32      (deferred)
77640000 7764a000   LPK        (deferred)

Now we use the start address as the argument:

0:532> !dh -a 5a700000

File Type: DLL

FILE HEADER VALUES
     14C machine (i386)
       4 number of sections
488F15C6 time date stamp Tue Jul 29 06:06:14 2008

       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
  45B600 size of code
  151A00 size of initialized data
       0 size of uninitialized data
  3F66C0 address of entry point
    1000 base of code
5a700000 image base
    1000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    5.00 operating system version
    9.00 image version
    5.00 subsystem version
  5AF000 size of image
     400 size of headers
  5B030B checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
     140  DLL characteristics
            Dynamic base
            NX compatible
  44D0A0 [    F4A5] address [size] of Export Directory
  448DB8 [      A0] address [size] of Import Directory
  46B000 [  106C18] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  5A7400 [    23F8] address [size] of Security Directory
  572000 [   38D08] address [size] of Base Relocation Directory
    21D0 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
   59310 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
    1000 [     CEC] address [size] of Import Address Table Directory
  4471A4 [     200] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
   .text name
  45B545 virtual size
    1000 virtual address
  45B600 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

Debug Directories(1)
          Type       Size     Address  Pointer
          cv           28       59358    58758    Format: RSDS, guid, 17, mfc90d.i386.pdb

SECTION HEADER #2
   .data name
    DC3C virtual size
  45D000 virtual address
    7E00 size of raw data
  45BA00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #3
   .rsrc name
  106C18 virtual size
  46B000 virtual address
  106E00 size of raw data
  463800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #4
  .reloc name
   3CCD4 virtual size
  572000 virtual address
   3CE00 size of raw data
  56A600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only
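The fields !dh decodes above can also be read without a debugger by walking the IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER structures yourself. The Python below is an added example, not code from the original post or from WinDbg. It parses a PE32 image and, to stay self-contained, builds a constructed, header-only image whose field values are copied from the mfc90d listing above (only the .text and .data section headers are included). The names parse_pe32, build_sample_image and hardening_flags are this example's own. The last function is the check a defender actually wants from this output: whether the module opted in to ASLR (Dynamic base) and DEP (NX compatible).

```python
"""Walk the PE32 headers that !dh -a decodes, without a debugger.

Added example (not from the original post or from WinDbg). The sample image
is constructed here, header-only, with values copied from the mfc90d listing.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics bits, named as !dh prints them
FILE_CHARS = {0x0002: "Executable", 0x0100: "32 bit word machine", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits: ASLR and DEP opt-in
DLL_CHARS = {0x0040: "Dynamic base", 0x0100: "NX compatible"}
# IMAGE_SECTION_HEADER.Characteristics bits
SECTION_FLAGS = {0x20: "Code", 0x40: "Initialized Data", 0x02000000: "Discardable",
                 0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write"}
DIRECTORIES = ["Export", "Import", "Resource", "Exception", "Security",
               "Base Relocation", "Debug", "Description", "Special",
               "Thread Storage", "Load Configuration", "Bound Import",
               "Import Address Table", "Delay Import", "COR20 Header", "Reserved"]
FILE_HDR_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
OPT32_FMT = "<HBB9I6H4I2H6I"       # IMAGE_OPTIONAL_HEADER32 up to NumberOfRvaAndSizes (96 bytes)
SECTION_FMT = "<8s6IHHI"           # IMAGE_SECTION_HEADER (40 bytes)


def flag_names(value, table):
    """Decode a bitmask into the names !dh would print, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(data):
    """Return the header values !dh -a displays for a PE32 image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        FILE_HDR_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    oh = struct.unpack_from(OPT32_FMT, data, opt_off)
    if oh[0] != 0x10B:
        raise ValueError("only PE32 (magic 10B) is handled; PE32+ has a wider layout")
    dirs = {}
    for i in range(min(oh[29], 16)):                   # NumberOfRvaAndSizes entries
        rva, size = struct.unpack_from("<II", data, opt_off + 96 + 8 * i)
        dirs[DIRECTORIES[i]] = (rva, size)
    sections = []
    for i in range(nsections):                          # section table follows the optional header
        s = struct.unpack_from(SECTION_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode(),
                         "virtual_size": s[1], "virtual_address": s[2],
                         "raw_size": s[3], "raw_pointer": s[4],
                         "flags": flag_names(s[9], SECTION_FLAGS)})
    return {"machine": machine, "timestamp": stamp,
            "characteristics": flag_names(chars, FILE_CHARS),
            "linker_version": f"{oh[1]}.{oh[2]:02d}",
            "entry_point": oh[6], "image_base": oh[9],
            "size_of_image": oh[19], "subsystem": oh[22],
            "dll_characteristics": flag_names(oh[23], DLL_CHARS),
            "directories": dirs, "sections": sections}


def hardening_flags(pe):
    """The check a defender wants from !dh output: did the module opt in to ASLR and DEP?"""
    return {"aslr": "Dynamic base" in pe["dll_characteristics"],
            "dep": "NX compatible" in pe["dll_characteristics"]}


def build_sample_image():
    """Constructed header-only PE32 DLL; field values mirror the mfc90d listing above."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HDR_FMT, 0x14C, 2, 0x488F15C6, 0, 0, 0xE0, 0x2102)
    opt = struct.pack(OPT32_FMT, 0x10B, 9, 0,
                      0x45B600, 0x151A00, 0, 0x3F66C0, 0x1000, 0x45D000,
                      0x5A700000, 0x1000, 0x200, 5, 0, 9, 0, 5, 0,
                      0, 0x5AF000, 0x400, 0x5B030B, 3, 0x140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dir_values = [(0x44D0A0, 0xF4A5), (0x448DB8, 0xA0), (0x46B000, 0x106C18), (0, 0),
                  (0x5A7400, 0x23F8), (0x572000, 0x38D08), (0x21D0, 0x1C), (0, 0),
                  (0, 0), (0, 0), (0x59310, 0x40), (0, 0), (0x1000, 0xCEC),
                  (0x4471A4, 0x200), (0, 0), (0, 0)]
    dirs = b"".join(struct.pack("<II", rva, size) for rva, size in dir_values)
    text = struct.pack(SECTION_FMT, b".text", 0x45B545, 0x1000, 0x45B600, 0x400,
                       0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0xDC3C, 0x45D000, 0x7E00, 0x45BA00,
                       0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + opt + dirs + text + data


if __name__ == "__main__":
    pe = parse_pe32(build_sample_image())
    print(f"{pe['image_base']:08x} image base, {pe['entry_point']:x} entry point")
    print("file characteristics:", ", ".join(pe["characteristics"]))
    print("DLL characteristics:", ", ".join(pe["dll_characteristics"]), hardening_flags(pe))
    for s in pe["sections"]:
        print(f"{s['name']:8} {s['virtual_address']:8x} {' '.join(s['flags'])}")
```

The parser handles PE32 only (magic 10B): a PE32+ image has a wider optional header with 64-bit ImageBase and stack/heap fields, so magic 20B is rejected rather than silently misread. The section flag names follow the bits !dh decodes, and the subsystem value 3 is the "Windows CUI" line in the listing above.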
