This software may NOT be distributed or bundled with any product
that is sold for commercial profit without the explicit permission
of the author. In cases where the author has consented, the PKUNZIP™
authentication message which normally reads :
Authentic files Verified! # EYC098
Tenth Planet Software International
will additionally indicate the commercial entity to which permission
has been granted. If authentication is not present, please contact
the author to obtain a bona fide copy.
The term FREEWARE refers only to the mode of distribution, the
executables and source are COPYRIGHTED. Reuse of this code in a
commercial application is NOT permitted.
Disclaimer:
The author hereby disclaims all warranties relating to this software,
whether express or implied, including without limitation any implied
warranties of merchantability or fitness for a particular purpose.
The author will not be liable for any special, incidental,
consequential, indirect or similar damages due to loss of data or any
other reason, even if the author or an agent of the author has been
advised of the possibility of such damages. In no event shall the
author's liability for any damages ever exceed the price paid for
the software, regardless of the form of the claim. The person
using the software bears all risk as to the quality and performance
of the software.
DumpPE:
This tool was designed to examine the internal content of Portable
Executable (PE) files or .DBG COFF symbolic debugging files used
with Windows '95 and the Intel x86 version of Windows NT. PE files
use 32-bit code in a semi flat model, and consist of several sections.
Structures with in the PE file are defined within a fixed size header
with variable length components described in directory entries. These
directory entries point to data contained within sections of the PE
file image, and include things like Import, Export, Relocation/Fixup,
Resource and debugging information. COFF symbolic debugging information
may exist in separate .DBG file, or as often is the case with Windows
'95 a .SYM file in a pre-COFF format used by IBM and Microsoft.
Microsoft also now uses .PDB (Program Database) files, the linkers from
MSVC 2.x, 4.x & 5.0 combine Codeview information into a PDB file to
support incremental linking. Most commercial applications lack the
debugging information completely.
In order to expedite the loading process files have a preferred load
address (or base address). If a file can be loaded at this address
no relocations need to occur. Some parts of the Windows '95 Kernel have
a fixed base address, with each component having its own address, and
the relocations removed completely from the file. Such files cannot be
loaded at any other address. The technique of changing the base address
is called rebasing. Another method used to speed loading is the binding
to specific import libraries, each build of a .DLL is uniquely date
coded and has its own .LIB file, when the linker links these imports
it gives the loader hint numbers which are indexes for specific named
functions in the exporting .DLL (this is not the same as an ordinal).
If the version of the .DLL in your system matches the version the linker
used the loader will complete the load time fixes faster. If however
the versions don't match the loader can still do the load time fixes,
but will have to do so by searching and matching function names, the
load can fail at this point if the function name is not present. The
technique of changing the bindings is called rebinding.
The use of ordinals in PE files typically occurs when the use of the
function is being hidden, an undocumented feature perhaps. KERNEL32
from Windows '95 has quite a few as do many other system libraries,
if you tried to use the same ordinals under Windows NT things would
not work as expected. System libraries are not interchangeable between
Window '95 and NT, so you can't take WNASPI32.DLL from Windows '95
and copy it to Windows NT and expect to get 32bit ASPI support.
Windows NT provides a means of forwarding, where the exports of a .DLL
can point to an import of a different .DLL. KERNEL32 from Windows NT
has several functions that are forwarded to NTDLL, KERNEL32.HeapAlloc
for example is forwarded to NTDLL.RtlAllocateHeap. Windows '95 to my
knowledge does not provide forwarding.
A rough disassembler has been added to release 1.21. The disassembler
will use symbols and debug info contained within the PE executable as
well as those within .SYM, .DBG & .PDB files with the same base name
stored in the same directory. Two passes of the code sections are made
so that branch and call locations can be displayed smartly. There is
no attempt at this point to do code/data analysis, so jump tables and
embedded data are likely to degrade the quality of the output.
The use of symbols (which come with the system components of NT) will
dramatically improve the output quality. Optimization Mapping (OMAP)
used by Microsoft to reduce the "Working Set" paging requirements is
also supported. OMAP is a post compilation reordering of an executable
which requires the translation through a supplied table of all debug
and symbolic information. A large number of NT components use this
OMAP data, and it appears that Codeview symbols get corrupted in the
process, so only COFF symbols are used when OMAP translation is used.
Release 1.22 has an experimental KNI (Katmai New Instructions) and
3DNow! disassembler. (July 8, 1998)
Release 1.23 has been compiled as a Win32 Console application, NT is
currently my OS of choice and the PMODE/W DOS Extender no longer seems
to be actively supported. (February 7, 1999)
Release 2.00 improved the disassembler so that it cross references the
internal database and produces more symbols automatically. Data sections
are now dumped out. (July 29, 1999)
Release 2.01 fixed a couple of disassembler issues, and added the
ability to disassemble a portion of the executable. The syntax is
-disasm:start,length where 'start' and 'length' are hex constants.
Example DumpPE foo.dll -disasm:400DE,1FE >foo.lst
(October 7, 1999)
Release 2.10 has an experimental WNI (Willamette New Instructions)
disassembler. (July 24, 2000)
Release 2.20 adds PNI (Prescott New Instructions), a cross referencer,
the ability to disassemble starting at a symbol. The symbol can be a
regular export or import, or one from a PDB or SYM file. Improved the
fixup code to identify ASCII or UNICODE strings within the code space.
If you found this tool to be mildly useful or entertaining please send
me some Email, positive feedback is always good to get and makes writing
FREEWARE worth while.
Clive Turvey, June 1, 2005.
DeKalb, IL., USA & Southampton, ENGLAND.
==== === This FREEWARE product was written by Clive
\\ / th Turvey, an English Electronics Engineer.
\\ /
\\ / Planet It is designed to replace the W32DUMP
\\/ Software utility written by Andrew Schulman.
/\\ International
/ \\ If you like the software, or find a problem
/ \\ clive@tbcnet.com post some Email to clive@tbcnet.com
/ \\
=== ====
Usage : DumpPE [options] <Win32 PE Portable Executable>
I have finished writing Windows Source Version 3, which is now available
from V Communications Inc. Versions one & two of Windows Source were
written by Andrew Schulman.
What is Windows Source?
Windows Source is an add-on to V Communications' Sourcer disassembler
which preprocesses executable, dynamic link library, device drivers and
VxD files for Windows 3.x, Windows '95 & Windows NT. It also provides
support for OS/2 1.x, 2.x & Warp.
Where possible symbolic debug information included in separate .SYM,
.DBG, .PDB files, or included in Codeview or COFF debugging sections.
The version of DumpPE supplied with Windows Source differs from the
version supplied here in that it also generates definition files
which are used by Sourcer to enhance the quality of the disassembly.
This definition file can be modified and extended to further enhance
the listing by adding your own labels and comments.
Although you can disassemble PE executables with DUMPBIN (LINK -DUMP)
the quality will be fairly low, much as it would be with earlier tools
like DEBUG (8086) or SYMDEB (80286). To examine anything beyond a few
subroutines Sourcer & Windows Source will make a much better job, labeling
jump destinations and subroutines.
Windows Source Web Page : http://www.tbcnet.com/~clive/vcomwinp.html
------------------------------------------------------------------------------
For information about V Communications software :
Sourcer, Bios Preprocessor, Windows Source,
System Commander, Partition Commander,
V Communications, Inc., 2290 North First Street,
Suite 101, San Jose, CA 95131-2017.
发表于 2009-9-8 13:42
