********************************************************************************
Stud_Pe - The Portable Executable editor - working status
********************************************************************************
by ChristiG CGSoftLabs
NOTE:
Stud_PE does not execute the loaded exe in any way when "looking" at it!
You won't get infected looking at infected files;
The only way to run the loaded exe is by pressing the "Test'it" button at the bottom of Stud_PE, which
will perform a shell exec command; also take care what plugins you use on the loaded exe;
v 2.4.0.1 [2 apr 2008]
-fixed a bug with imported function name length;
-added external signature verifier; wrote a note about signatures;
-fixed RVA2RAW for UPACK, which has the EP inside the PE header; now imports are shown fine;
-added basic disassembler from the hexeditor right-click menu;
-fixed showing which export is in fact a forwarder to another dll, like HeapAlloc in kernel32.dll;
-added process memory dumper/viewer; right-click on the process you want to inspect; you can
use the disassembler (from the right-click menu inside the hexeditor) to see how the code looks at
a certain VA; the difference from other dumpers (LordPE, ProcDump, PETools) is that it can dump/view
code blocks protected with PAGE_GUARD or NOACCESS flags.
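As an added illustration (not Stud_PE's own code), here is an RVA-to-raw mapping with the fallback that the UPACK fix above needs: an RVA that no section covers but that lies below SizeOfHeaders maps to itself, because the headers are loaded at ImageBase straight from file offset 0. The section table is constructed, and the header fallback is the general approach, not necessarily how Stud_PE implements it.

```python
# Constructed section table, not from a real binary:
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
SECTIONS = [
    (".text",  0x1000, 0x0600, 0x0400, 0x0600),
    (".rdata", 0x2000, 0x0300, 0x0A00, 0x0400),
    (".bss",   0x3000, 0x1000, 0x0E00, 0x0200),  # mostly zero-filled at load time
]
SIZE_OF_HEADERS = 0x400

def rva2raw(rva, sections, size_of_headers):
    """Map an RVA to a raw file offset; None when the RVA has no bytes in the file."""
    for _name, va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):  # some packers leave VirtualSize at 0
            delta = rva - va
            return raw + delta if delta < rsize else None  # past raw data = zero-filled at load
    # Not inside any section: the headers are mapped at ImageBase straight from file offset 0,
    # so an RVA below SizeOfHeaders (an entry point placed inside the PE header, as UPACK
    # does) is its own raw offset instead of an error.
    return rva if rva < size_of_headers else None
```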
Note about external signatures
------------------------------
We have 2 kinds of signatures:
1. relative to entry point (ep_only=true); a number of bytes searched only at one location;
2. absolute (ep_only=false); a number of bytes searched in the entire file;
-a relative signature can start with an offset (negative or positive) specified by
(offset=x, where x can be e.g. 5 or -7 relative to the entry point); in addition, a relative
signature can start with a number of unknown bytes (?? ?? ?? 3E 45 etc.); in this case
the number of those starting bytes will be considered as a positive offset; but remember,
this is only for (ep_only=true);
Signature rules:
-sections with different names; a section is e.g. "[Name of the Packer v1.0]"
-sections with different signatures, so as not to waste time;
-signature bytes must be hex represented (0-9, A-F);
-each signature length must be a multiple of 2;
-you can use an empty space as separator between each byte (2 hex chars)
 for readability (like: "signature = 00 A2 3F", the same as "signature = 00A23F");
-you can use the wildcard "??" if the byte can be anything inside a signature;
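As an added example (not Stud_PE's own code or its packsig.txt), the following Python parses a small constructed database written in the format described above and applies both signature kinds: relative signatures tested at one location (with the offset key and leading ?? bytes counted as a positive offset) and absolute signatures searched through the whole file, plus the hex-only / even-length validation. The key name offset is taken from the note's "(offset=x)"; the sample bytes and packer names are constructed.

```python
import re
# Constructed sample database in the packsig.txt style described above (not the real packsig.txt).
SIG_DB = """
[Demo Packer v1.0 (ep-relative)]
signature = 60 E8 ?? ?? ?? ?? 5D
ep_only = true
[Demo Packer v1.0 (two NOPs before EP)]
signature = 90 90 60 E8
ep_only = true
offset = -2
[Demo Stub (leading wildcards)]
signature = ?? ?? ?? ?? ?? ?? 5D81ED
ep_only = true
[Demo Marker (anywhere in file)]
signature = 44 45 4D 4F
ep_only = false
"""
# Constructed 33-byte "file": MZ, a "DEMO" marker at offset 8, two NOPs at 18, entry point code at 20.
SAMPLE = bytes.fromhex("4D5A" + "00" * 6 + "44454D4F" + "00" * 6 + "9090" + "60E811223344" + "5D81ED" + "00" * 4)
SAMPLE_EP_RAW = 20  # raw file offset of the entry point in SAMPLE

def parse_sigs(text):  # parse [Name] sections with signature / ep_only / offset keys into dicts
    sigs, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = {"name": line[1:-1], "pattern": [], "ep_only": True, "offset": 0}
            sigs.append(cur)
        elif cur is not None and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            if key == "signature":
                hexstr = val.replace(" ", "").upper()  # "00 A2 3F" is the same as "00A23F"
                if not re.fullmatch(r"(?:\?\?|[0-9A-F]{2})*", hexstr):  # hex only, even length
                    raise ValueError(f"bad signature in [{cur['name']}]: {val}")
                cur["pattern"] = [None if t == "??" else int(t, 16) for t in re.findall("..", hexstr)]
            elif key == "ep_only":
                cur["ep_only"] = val.lower() == "true"
            elif key == "offset":  # the note describes offset=x; this key name is an assumption
                cur["offset"] = int(val, 0)
    return sigs
def match_at(data, pat, pos):  # pat items: a byte value, or None for a ?? wildcard
    return 0 <= pos <= len(data) - len(pat) and all(b is None or data[pos + i] == b for i, b in enumerate(pat))
def sig_hits(data, ep_raw, s):
    pat = s["pattern"]
    if s["ep_only"]:  # relative: tested at exactly one location
        skip = next((i for i, b in enumerate(pat) if b is not None), len(pat))
        return match_at(data, pat[skip:], ep_raw + s["offset"] + skip)  # leading ?? = extra positive offset
    return any(match_at(data, pat, i) for i in range(len(data) - len(pat) + 1))  # absolute: whole file
def scan(data, ep_raw, sigs):
    """Names of the signatures that hit; ep_raw is the entry point as a raw file offset."""
    return [s["name"] for s in sigs if sig_hits(data, ep_raw, s)]
```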
now visible;
-fixed a bug on "Dump section" on Tab "Sections";
-some changes in the "Headers" tab; support for the Characteristics field;
-new option in HexEditor: view the current location relative to the file offset, not only
to the start of the data loaded in the hexeditor;
-Relocations viewer;
-"GoHex" option in the Virtual2Raw window; you can navigate in the hexeditor to a specific
raw offset from there, just select "File Offset";
-small fix on Add NewSection; highRVA is searched for the new section;
-chunk support (at the eof) when adding/deleting a new section;
-"Delete Section" option on tab "Sections";
-tab "Sections" will now show extra data (if any) found at the end of the file;
-fixed adding/deleting sections on packed exe files in which sections are not
aligned in raw data order (like petite does);
also chunk data on these exes is preserved after adding/deleting sections;
-CheckSum calculator for the corresponding header field;
-SizeOfHeaders direct editbox + compare real/header; option to enlarge SizeOfHeaders,
the raw size of each section is automatically increased;
(note: the max SizeOfHeaders is 0x1000)
-"Delete Section" will also delete ExtraDat.. if selected;
-"GoTo Export Section" option in tab "Functions";
-delete section by the (file-aligned)->rawsize...to delete the entire section, for
sections where raw is not aligned to the file alignment;
-fixed a bug when saving the exports dir size;
-"GoTo Function Start" on exported functions (0x500 bytes from function start);
-plugin support based on the PEiD SDK, so Stud_PE plugins will be supported by PEiD also;
-the plugins dir must be named "Plugins" inside the Stud_PE root dir;
Note: to use PEiD plugins you must enable the "Identify as PEiD" option;
Note:
-the resource viewer won't show all resources (if one resource exists in more than one language);
so when updating resources only the first resource is preserved;
v 2.0.0.1 [13 jan 2005]
-"View as text" for FileCompare dialog;
-when "External DB" is selected on the Signature tab...the ListCtrl will be filled with
packer names..and the number of signatures will be shown;
-updated external signature database with up to 120 new signs;
-fixed some linker warnings;
-performed a dump of iexplore.exe on xp sp2..and noticed that it runs..in compatibility
mode :)) version "Side - by - side";
-fixed a bug in the packer search engine;
-fixed a bug introduced in the previous version when selecting GoTo EP in the Sections
popup menu;
-Stud_Pe now has support for DOS files; view/edit the DOS header in the HexEditor;
-CompareFiles supports DOS files only in binary mode;
-option to add another tool [e.g. DOS file signature scanner];
for the Gtui (http://philip.helger.com/gt/) file format analyzer the cmd line is "* /wf";
-added a link to this file in the "Help" menu;
v 1.9.0.0 [26 december 2004]
-added support for external file signatures;
-the external database is used in exclusion with the internal one; so when you check
"external db" the internal search will not be performed;
-see packsig.txt for the syntax;
-you must use "Hard" mode detection for searching signatures that are not at the
EntryPoint but anywhere in the file;
29 august 2002
-fixed functions for deleting resources on win2k..(not deleting some string type/name resources);
-fixes on UpdateResource9x() and the resource display routine;
22 august 2002
-yesterday I lost the boot loader partition of my hdd...and for 24h, because my
latest backup was damaged (damn easy cd creator!), I was a dead person;
-but miracle...my brother fixed it manually..and now all my projects are safe..and
I'm still coding;
-UpdateResource for win9x... :) from a codeguru sample...fixed some bugs in that
sample; on win2k still using that damn unfinished Kernel32!UpdateResource()
...you can see the differences; now StudPe can add/delete/replace resources on win9x;
There are some limitations: the resource dir must be the last (raw and rva)
(tip: on standard files you can strip reloc); that dir is enlarged if you add more
resources; if the size of that .rsrc
dir fits in the original size (deleting or adding small resources) the update will work;
-UpdateResource will not work for sure on packed exes :(..
8 august 2002
-fixed a bug when dropping a file over Stud_PE;
-finished the Delete_Resource function;
-Replace_Resource done; supports Ico/Bmp files...for a beginning;
-fixed a bug caused by exports with names longer than 128 characters;
-discovered .dll's with EP==0...;p
7 august 2002
-some workaround at the ResourceUpdate functions; figured out how VisualStudio uses
that function to delete a resource, because the thing with lpData==NULL sucks;
now delete resource works fine :)
-updated PackerSignature database up to 303..from peid 0.8;
11 May 2002
-detection when a .lnk is dragged over the icon;
-making progress with the discoveries in UpdateResource ;pp
10 May 2002
-about 2 days of work on AddNewResource; on win2k it is starting to work, but on w98
some errors appear, especially when I add resources with type string;
-worked on a class derived from CEdit..for the controls in the AddNewRes wnd;
29 April 2002
-fix for showing exports that had no name...discovered when I tried to view wininet.dll;
27 April 2002
-bitmap preview;
-save as .bin;
-detection for .bmp .jpg .gif;
26 April 2002
-reworked some functions around resources;
-dialogs and bitmaps can now be saved;
22 April 2002
-started work on a file_compare, and finished the binary comparison; the PE one is still needed;
21 April 2002
28 March 2002
-added method 2 for finding resources (ico/cur) when the exe is packed;
-removed a constraint that checked pDosHdr->e_lfarlc < 0x40...;
-integrated into the shell on right-click on exe, dll...hmm, I searched a while until I
discovered how it's done...and the GetCommandLine API;
-fixed a bug when viewing exes with small dos_headers..and added some extra
restrictions for resources that do not exist;
-lol..the coolest reverse I've done..it took me a day to rip the packer signature
database from peid;
-I no longer had the patience to code the registry keys, so they have no uninstall..so
they must be deleted manually..:)
27 March 2002
-started this nfo..because the project is growing;
-.ico and .cur are now shown correctly in the frame (I centered them);
-added Rva (Virtual Address Relative to Imagebase) when selecting a resource...
and the possibility to save from the HexViewer into the PE;
-"advanced tree in hex"..now passes the editor enough data to be able to
modify the PE;
-when the mouse moves over the image...it "sticks" to it;
download here:
http://www.cgsoftlabs.ro
discussion forum:
http://makephpbb.com/phpbb/index.php?mforum=cgsoftlabs