After years of procrastinating on this project, I finally managed to complete ‘PEPropPageExt’ – yes, I could have named it better. Since C++11 has been officially released, the old C++98 code seemed to do a lot of unnecessary memory copying. Hence, parts of this project have been rewritten to take advantage of the language’s new features. The code has been cleaned up, more features have been added and, more importantly, the code is now fault tolerant.
This project creates a Property page extension (property pages are shown when users right click on a file in Explorer and select ‘Properties’ from the context menu) for Microsoft Portable Executable files – EXE and DLL files. This extension shows various information embedded in binary form in these files. This information is valuable for developers who are interested in learning how the compiler has built their application executables.
This build has been given release version number 1.0. The project is still under a freeware license for personal or research usage but is restricted for commercial use. Please refer to this project’s readme page for more details on license agreement and disclaimer.
Before I go about bragging to you about features, I must credit some people whose work has been used in this project:
- udis86, Disassembler Library by Vivek Thampi
- Simple Layout Manager by Daniel Horn
- Rich Signature by Daniel Pistelli
This section will discuss a few significant property pages.
This page shows you information about the header for the old MS-DOS loader. It is followed by a 16-bit disassembly of the code whose sole purpose is to display the message “This program cannot run in MSDOS.” when the executable is run on an MS-DOS-only machine.
Rich Data dialog
Some executables have ‘Rich’ data stored between their MS-DOS and PE headers. This is known to be done by Visual C++ compilers. If a file has embedded data of this kind, you will see the following dialog.
PE Headers is probably the most important dialog of all. It shows you the flags associated with your executable, the minimum version of Windows being targeted, the data directories, etc.
This page shows you all the modules that this file needs and the symbols imported from each of them. Both static and delay-loaded modules are shown here. Unmangling of both Microsoft and GCC C++ style symbol names is supported. Specifically for GCC unmangling though, the DLL files ‘LIBSTDC++-6.DLL’ and ‘LIBGCC_S_SEH-1.DLL’ are required in the ‘System32’ directory for the delay loader to find. These GCC DLL files are distributed with MinGW installations.
This page shows you an overview of what the virtual address layout of the image will look like when the Windows Loader has finished mapping the file from disk to memory.
This page gives you an address converter, hash verifier and Hex Viewer/Disassembler.
For .NET developers, this page shows you the Common Language Runtime header and its associated data.
This page shows you information about both native and managed resources. Previewing some types of resources is also supported. They include icons, bitmaps, string tables, manifest, XML and dialog boxes. Some types of managed resources can also be viewed. If an unknown data format is encountered, it will be shown in hex view.
Frequently Asked Questions
1. How do I install/uninstall this extension?
For installation, first make sure that you have installed the Visual C++ 2013 redistributables, then copy the DLL files ‘PEPropPageExt.dll’ and ‘ManagedFuncs.dll’ to a convenient location. Open Command Prompt with administrative privileges and navigate to the DLL folder. Enter ‘regsvr32 PEPropPageExt.dll’ to install the product.
To uninstall, enter ‘regsvr32 /u PEPropPageExt.dll’. You may delete the DLL files. NOTE: The ‘ManagedFuncs.dll’ file is loaded by Common Language Runtime and subsequently unloaded by it. A computer restart may be required to unlock this file to delete it.
NOTE: For GNU C++ name unmangling, the DLL files ‘LIBSTDC++-6.DLL’ and ‘LIBGCC_S_SEH-1.DLL’ are needed in the Windows ‘System32’ folder. These files are distributed with MinGW installations.
2. I don’t need all of the tab information. Can I hide some of the tabs?
Sure. Navigate to ‘HKCU\Software\SWTBASE\PEPropPageExt\Settings’ and add a new key with the name ‘<SomeThing>’. To hide a specific tab, create a new DWORD value under the key as shown below:
| DWORD value name | Effect |
|---|---|
| Hide_AllTabs | When Explorer invokes the extension, the extension silently fails. This is not for uninstalling the extension but for temporarily disabling it. |
| Hide_MSDOSHeaderTab | Hides MSDOSHeader page. |
| Hide_PEHeadersTab | Hides PEHeader page. |
| Hide_SectionsTab | Hides Sections page. |
| Hide_ManifestTab | Hides Manifest page. |
| Hide_ImportsTab | Hides Imports page. |
| Hide_ExportsTab | Hides Exports page. |
| Hide_ResourcesTab | Hides Resources page. |
| Hide_ExceptionTab | Hides Exception page. |
| Hide_BaseRelocTab | Hides Base Relocation page. |
| Hide_DebugTab | Hides Debug page. |
| Hide_LoadConfigTab | Hides Load Configuration page. |
| Hide_TLSTab | Hides Thread Local Storage page. |
| Hide_CLRTab | Hides Common Language Runtime page. |
| Hide_OverviewTab | Hides Overview page. |
| Hide_ToolsTab | Hides Tools page. |
3. How safe is it to use this against broken or malicious files?
If this extension crashes, the whole parent ‘Explorer.exe’ process crashes with it. Obviously, this is a nuisance for users. With this in mind, the extension verifies that any pointer from the file is within the address space of the executable. The mapped executable’s memory is also marked read-only to prevent execution. There are also checks on values to make sure they are not abnormal.
Unfortunately, not everything is covered. For example, a C string has no size field, so checking every byte before reading a string would make the extension very slow. This may be tackled in future releases.
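The pointer and string checks described in this answer, sketched as an added example that is not taken from PEPropPageExt's source: every read goes through one range check written so it cannot overflow, and a string read is capped at the end of the mapping with a single `memchr` call. The names `MappedView`, `in_range`, `read`, `read_cstring` and `sample_image` are hypothetical, and the sample bytes are constructed.

```cpp
// Added example (not PEPropPageExt source): bounds-checked reads over a mapped file.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Hypothetical helper: a read-only view over the bytes of a mapped executable.
class MappedView {
    const uint8_t* base_;
    size_t size_;
public:
    MappedView(const uint8_t* base, size_t size) : base_(base), size_(size) {}

    // True only if [offset, offset + len) lies inside the mapping.
    // Written as a subtraction so a huge offset or len cannot wrap around.
    bool in_range(uint64_t offset, uint64_t len) const {
        return offset <= size_ && len <= size_ - offset;
    }

    // Copy a fixed-size structure out of the file; fails instead of reading past the end.
    template <typename T>
    bool read(uint64_t offset, T& out) const {
        if (!in_range(offset, sizeof(T))) return false;
        std::memcpy(&out, base_ + offset, sizeof(T));  // memcpy avoids unaligned access
        return true;
    }

    // Read a NUL-terminated string such as an import name. The scan is capped at
    // the end of the mapping and at max_len, so a missing terminator is an error
    // rather than an out-of-bounds read.
    bool read_cstring(uint64_t offset, size_t max_len, std::string& out) const {
        if (offset >= size_) return false;
        size_t avail = size_ - static_cast<size_t>(offset);
        size_t limit = avail < max_len ? avail : max_len;
        const void* nul = std::memchr(base_ + offset, 0, limit);
        if (!nul) return false;
        out.assign(reinterpret_cast<const char*>(base_ + offset),
                   static_cast<const uint8_t*>(nul) - (base_ + offset));
        return true;
    }
};

// Constructed sample: 4 value bytes, "KERNEL32.dll" plus NUL, then an unterminated "AB".
std::vector<uint8_t> sample_image() {
    const char bytes[] = "\x10\x00\x00\x00KERNEL32.dll\0AB";
    return std::vector<uint8_t>(bytes, bytes + sizeof(bytes) - 1);  // drop the literal's own NUL
}
```

A parser built this way treats a `false` return as "malformed field, show nothing" and never dereferences the raw pointer itself.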