Special Command—Displaying More PE Header Information with !dh

The !dh extension displays the PE header information from a specified module.

Usage:

!dh [options] <addressOfModule>

Options can be:

-f Displays file headers.
-s Displays section headers.
-a Displays all header information.

Example:

0:532> lm

start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000   mfc90d     (deferred)
692e0000 69403000   MSVCR90D   (deferred)
71270000 71283000   dwmapi     (deferred)
72cf0000 72d70000   UxTheme    (deferred)
73470000 73475000   MSIMG32    (deferred)
73b50000 73b5d000   MFC90ENU   (deferred)
74fd0000 75053000   COMCTL32   (deferred)
751d0000 751dc000   CRYPTBASE  (deferred)
751e0000 75240000   SspiCli    (deferred)
75240000 75259000   sechost    (deferred)
75260000 75ea6000   SHELL32    (deferred)
75ee0000 75f8c000   msvcrt     (deferred)
75fd0000 76060000   GDI32      (deferred)
76150000 76250000   kernel32   (deferred)
76250000 762ed000   USP10      (deferred)
763b0000 76410000   IMM32      (deferred)
76410000 7649f000   OLEAUT32   (deferred)
764a0000 764e4000   KERNELBASE (deferred)
765c0000 766b0000   RPCRT4     (deferred)
766b0000 76733000   CLBCatQ    (deferred)
76a00000 76aa0000   ADVAPI32   (deferred)
76ce0000 76d37000   SHLWAPI    (deferred)
76f40000 77040000   USER32     (deferred)
77040000 7710c000   MSCTF      (deferred)
77110000 7726b000   ole32      (deferred)
77640000 7764a000   LPK        (deferred)

Now we use the start address of mfc90d (5a700000) as the argument:


0:532> !dh -a 5a700000

File Type: DLL
FILE HEADER VALUES
     14C machine (i386)
       4 number of sections
488F15C6 time date stamp Tue Jul 29 06:06:14 2008
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
  45B600 size of code
  151A00 size of initialized data
       0 size of uninitialized data
  3F66C0 address of entry point
    1000 base of code
         ----- new -----
5a700000 image base
    1000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    5.00 operating system version
    9.00 image version
    5.00 subsystem version
  5AF000 size of image
     400 size of headers
  5B030B checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
     140 DLL characteristics
            Dynamic base
            NX compatible
  44D0A0 [    F4A5] address [size] of Export Directory
  448DB8 [      A0] address [size] of Import Directory
  46B000 [  106C18] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  5A7400 [    23F8] address [size] of Security Directory
  572000 [   38D08] address [size] of Base Relocation Directory
    21D0 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
   59310 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
    1000 [     CEC] address [size] of Import Address Table Directory
  4471A4 [     200] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
   .text name
  45B545 virtual size
    1000 virtual address
  45B600 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

Debug Directories(1)
    Type   Size   Address  Pointer
    cv     28     59358    58758    Format: RSDS, guid, 17, mfc90d.i386.pdb

SECTION HEADER #2
   .data name
    DC3C virtual size
  45D000 virtual address
    7E00 size of raw data
  45BA00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #3
   .rsrc name
  106C18 virtual size
  46B000 virtual address
  106E00 size of raw data
  463800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #4
  .reloc name
   3CCD4 virtual size
  572000 virtual address
   3CE00 size of raw data
  56A600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only
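An offline parser for the same PE fields, added here as an example that is not the page's or WinDbg's own code: it walks the headers the way !dh reads them (e_lfanew, PE signature, IMAGE_FILE_HEADER, optional header, section table) and then flags what a defender looks for in `!dh -a` output, namely DLL characteristics lacking Dynamic base or NX compatible and sections that are both writable and executable. The image it parses is constructed inline from the mfc90d values shown above (only two sections; fields the parser does not read are left zero); `build_sample`, `parse_pe` and `hardening_findings` are this example's own names.

```python
import struct
from datetime import datetime, timezone

FILE_CHARS = {0x0002: "Executable", 0x0100: "32 bit word machine", 0x2000: "DLL"}
DLL_CHARS = {0x0040: "Dynamic base", 0x0100: "NX compatible", 0x0400: "No SEH"}
SECTION = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* section flags

def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> sections."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, pe + 4)
    opt = pe + 24  # optional header follows the 20-byte file header
    pe32plus = struct.unpack_from("<H", image, opt)[0] == 0x20B  # magic: 10B = PE32, 20B = PE32+
    entry = struct.unpack_from("<I", image, opt + 16)[0]
    base = struct.unpack_from("<Q" if pe32plus else "<I", image, opt + (24 if pe32plus else 28))[0]
    subsystem, dllchars = struct.unpack_from("<HH", image, opt + 68)  # same offset in both formats
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_, flags = SECTION.unpack_from(image, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"machine": machine, "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
            "characteristics": [n for b, n in FILE_CHARS.items() if chars & b],
            "image_base": base, "entry_point": entry, "subsystem": subsystem,
            "dll_characteristics": [n for b, n in DLL_CHARS.items() if dllchars & b],
            "sections": sections}

def hardening_findings(hdr: dict) -> list:
    """What a defender checks in !dh -a output: ASLR/DEP opt-ins and W+X sections."""
    findings = [f"missing {f}" for f in ("Dynamic base", "NX compatible")
                if f not in hdr["dll_characteristics"]]
    findings += [f"section {s['name']} is writable and executable" for s in hdr["sections"]
                 if s["flags"] & MEM_WRITE and s["flags"] & MEM_EXECUTE]
    return findings

def build_sample(dllchars=0x140, data_flags=0xC0000040) -> bytes:
    """Constructed PE32 DLL image; defaults mirror mfc90d's values from the !dh output above."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0x488F15C6, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3F66C0)  # address of entry point
    struct.pack_into("<I", opt, 28, 0x5A700000)  # image base
    struct.pack_into("<HH", opt, 68, 3, dllchars)  # subsystem (Windows CUI), DLL characteristics
    text = SECTION.pack(b".text", 0x45B545, 0x1000, 0x45B600, 0x400, 0, 0, 0, 0, 0x60000020)
    data = SECTION.pack(b".data", 0xDC3C, 0x45D000, 0x7E00, 0x45BA00, 0, 0, 0, 0, data_flags)
    return dos + b"PE\0\0" + fh + bytes(opt) + text + data
```

Calling `hardening_findings(parse_pe(build_sample()))` returns an empty list for the mfc90d-like defaults; passing `dllchars=0` or a section flag value with both 0x80000000 and 0x20000000 set reports the gaps. The timestamp is decoded in UTC, so it reads 13:06:14 where !dh, using local time, printed 06:06:14.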