PeLib - A PE File Format Wrapper

[Cypher]

Project:
PeLib

Purpose:
To wrap the PE file format in its entirety, for both read and write operations, and for both files in memory and on disk.

Architectures:
IA-32 (x86)
AMD64 (x64)
IA-64 (Itanium) <-- Compiles fine but needs testing.

Languages:
Written in C++. Sorry, but the API is not C-compatible.
Provided is a solution and project file for VS2008. However you should be able to get it working in your particular compiler with little-to-no work.

Notes:
If you want to use this you need to be prepared for breaking API changes in future versions (meaning, APIs may not be backwards compatible so it will require you to update your source code). If you are not comfortable with this than you may want to wait a while (possibly a long time) until these changes are over.

Reason being, the library is still in very early stages and I need to make some large architectural changes in order to implement certain functionality.

I would love to hear comments/suggestions/criticisms/etc if you have them.

Releases:
[Only registered and activated users can see links. ]
First release. Very basic functionality. Currently wraps NT header, DOS header, TLS dir, Import dir, and Export dir. Only supports files in-memory. Only supports operating on files with the same architecture that the lib is compiled as. Still lots of potential bugs and unchecked pointers.
[Only registered and activated users can see links. ]
Maintenance release. Fixes some critical bugs, some minor bugs, and introduces an example usage project.

[Mirror]

Not sure if I can use this (probably can't I'm too stupid), but you spent lots of time on this I'm guessing so, +5.

[Apoc]

Why must you do this to me?!?!

Now I have to go port this to C#

[wraithZX]

I'll see if I can have a play with it on an IA64 machine here at work.

[ggg898]

Wow, many thanks for once again sharing a very useful software lib. Have no time to look at it now right now. Does it do rebasing?

[Cypher]

Quote:

Originally Posted by ggg898

Wow, many thanks for once again sharing a very useful software lib. Have no time to look at it now right now. Does it do rebasing?

Relocations are something which I am in the process of adding.

You can't rebase a module on disk yet, but I want to be able to relocate a module in-memory. Reason being is I'm writing my own PE loader so I can do a DLL manual mapper and a EXE memory forker.

Rebasing on disk will come later, however the Windows SDK can do that for you already.

[wraithZX]

Quote:

Originally Posted by Cypher

Reason being is I'm writing my own PE loader so I can do a DLL manual mapper and a EXE memory forker.

It seems I'm not the only one.
If you haven't done so, I'd suggest having a look at the ReactOS source on loading modules - it doesn't support everything but it's a nice base to work on the rest of it.

[Cypher]

Quote:

Originally Posted by wraithZX

It seems I'm not the only one.
If you haven't done so, I'd suggest having a look at the ReactOS source on loading modules - it doesn't support everything but it's a nice base to work on the rest of it.

Nah, I'm reversing the Windows PE loader. It's a longer process, but likely to be more accurate.

[flo8464]

Very nice work.

One of the things I ever wanted to do is a rewrite of CreateProcess so I can use it with data in Memory instead of having to set .exe-files on my hdd.

[Cypher]

Quote:

Originally Posted by flo8464

Very nice work.

One of the things I ever wanted to do is a rewrite of CreateProcess so I can use it with data in Memory instead of having to set .exe-files on my hdd.

Thats what I was referring to when I said "EXE memory forker". It's a fairly big job if you want to do it in a stable and reliable manner though. Be prepared to invest a lot of time.

[Cypher]

Post updated with latest revision.

[wraithZX]

PeDump_IA64.exe:

Code:

Export Directory:
  Name: "?Exp1@@YAXXZ". Ordinal: 0000. Function: "00099FE0". 
  Name: "?Exp2@@YAHAEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z". Ordinal: 0001. Function: "000998C8". 
  Name: "?Exp3@@YAXJ@Z". Ordinal: 0002. Function: "00099FE0". 

Import Directory:
  Module Name: "KERNEL32.dll".
    Name: "GetModuleHandleW". Function: 00000000000AE710.
    Name: "WideCharToMultiByte". Function: 00000000000AE732.
    Name: "MultiByteToWideChar". Function: 00000000000AE748.
    Name: "Sleep". Function: 00000000000AE75E.
    Name: "InitializeCriticalSection". Function: 00000000000AE766.
    Name: "DeleteCriticalSection". Function: 00000000000AE782.
    Name: "EnterCriticalSection". Function: 00000000000AE79A.
    Name: "LeaveCriticalSection". Function: 00000000000AE7B2.
    Name: "TerminateProcess". Function: 00000000000AE7CA.
    Name: "GetCurrentProcess". Function: 00000000000AE7DE.
    Name: "UnhandledExceptionFilter". Function: 00000000000AE7F2.
    Name: "SetUnhandledExceptionFilter". Function: 00000000000AE80E.
    Name: "IsDebuggerPresent". Function: 00000000000AE82C.
    Name: "RtlCaptureContext". Function: 00000000000AE840.
    Name: "GetLastError". Function: 00000000000AE854.
    Name: "HeapFree". Function: 00000000000AE864.
    Name: "RaiseException". Function: 00000000000AE870.
    Name: "RtlPcToFileHeader". Function: 00000000000AE882.
    Name: "RtlLookupFunctionEntry". Function: 00000000000AE896.
    Name: "RtlUnwindEx". Function: 00000000000AE8B0.
    Name: "RtlUnwind2". Function: 00000000000AE8BE.
    Name: "GetVersion". Function: 00000000000AE8CC.
    Name: "GetCPInfo". Function: 00000000000AE8DA.
    Name: "LCMapStringA". Function: 00000000000AE8E6.
    Name: "LCMapStringW". Function: 00000000000AE8F6.
    Name: "GetStringTypeW". Function: 00000000000AE906.
    Name: "RtlVirtualUnwind". Function: 00000000000AE918.
    Name: "HeapAlloc". Function: 00000000000AE92C.
    Name: "EncodePointer". Function: 00000000000AE938.
    Name: "DecodePointer". Function: 00000000000AE948.
    Name: "FlsGetValue". Function: 00000000000AE958.
    Name: "FlsSetValue". Function: 00000000000AE966.
    Name: "FlsFree". Function: 00000000000AE974.
    Name: "SetLastError". Function: 00000000000AE97E.
    Name: "GetCurrentThreadId". Function: 00000000000AE98E.
    Name: "FlsAlloc". Function: 00000000000AE9A4.
    Name: "HeapSetInformation". Function: 00000000000AE9B0.
    Name: "HeapCreate". Function: 00000000000AE9C6.
    Name: "WriteFile". Function: 00000000000AE9D4.
    Name: "GetStdHandle". Function: 00000000000AE9E0.
    Name: "GetModuleFileNameA". Function: 00000000000AE9F0.
    Name: "GetProcAddress". Function: 00000000000AEA06.
    Name: "ExitProcess". Function: 00000000000AEA18.
    Name: "GetModuleFileNameW". Function: 00000000000AEA26.
    Name: "FreeEnvironmentStringsW". Function: 00000000000AEA3C.
    Name: "GetEnvironmentStringsW". Function: 00000000000AEA56.
    Name: "GetCommandLineW". Function: 00000000000AEA70.
    Name: "SetHandleCount". Function: 00000000000AEA82.
    Name: "GetFileType". Function: 00000000000AEA94.
    Name: "GetStartupInfoA". Function: 00000000000AEAA2.
    Name: "QueryPerformanceCounter". Function: 00000000000AEAB4.
    Name: "GetTickCount". Function: 00000000000AEACE.
    Name: "GetCurrentProcessId". Function: 00000000000AEADE.
    Name: "GetSystemTimeAsFileTime". Function: 00000000000AEAF4.
    Name: "GetConsoleCP". Function: 00000000000AEB0E.
    Name: "GetConsoleMode". Function: 00000000000AEB1E.
    Name: "FlushFileBuffers". Function: 00000000000AEB30.
    Name: "GetStringTypeA". Function: 00000000000AEB44.
    Name: "ReadFile". Function: 00000000000AEB56.
    Name: "SetFilePointer". Function: 00000000000AEB62.
    Name: "CloseHandle". Function: 00000000000AEB74.
    Name: "HeapSize". Function: 00000000000AEB82.
    Name: "GetACP". Function: 00000000000AEB8E.
    Name: "GetOEMCP". Function: 00000000000AEB98.
    Name: "IsValidCodePage". Function: 00000000000AEBA4.
    Name: "GetUserDefaultLCID". Function: 00000000000AEBB6.
    Name: "GetLocaleInfoA". Function: 00000000000AEBCC.
    Name: "EnumSystemLocalesA". Function: 00000000000AEBDE.
    Name: "IsValidLocale". Function: 00000000000AEBF4.
    Name: "HeapReAlloc". Function: 00000000000AEC04.
    Name: "LoadLibraryA". Function: 00000000000AEC12.
    Name: "GetLocaleInfoW". Function: 00000000000AEC22.
    Name: "InitializeCriticalSectionAndSpinCount". Function: 00000000000AEC34.
    Name: "WriteConsoleA". Function: 00000000000AEC5C.
    Name: "GetConsoleOutputCP". Function: 00000000000AEC6C.
    Name: "WriteConsoleW". Function: 00000000000AEC82.
    Name: "SetStdHandle". Function: 00000000000AEC92.
    Name: "CreateFileA". Function: 00000000000AECA2.

Tls Directory:
Error! Tls directory invalid.

Sections:
Name: ".text".
Name: ".rdata".
Name: ".pdata".
Name: ".srdata".
Name: ".sdata".
Name: ".data".
Name: ".rsrc".
Name: ".reloc".

...aaand it stalls at that point. Which matches the x64 version, so I guess it's working fine.

[Cypher]

Awesome! Thanks.

I've actually added a whole bunch of features and started on the file-based access and platform-independent file manipulation. Hence the long gap before another release. Still a while off yet because I'm juggling so many different things at once, but it's getting there.

[ramey]

Thanks Cypher, looks great. Also using your new loader you posted on your blog with my new project, which is maybe the 4th rewrite... Don't really know why I keep doing this to myself, but the loader came in handy.

Thanks!