Windows Explorer Property Page Extension for Portable Executables


After years of procrastinating on this project, I finally managed to complete ‘PEPropPageExt’ – yes, I could have named it better. Since C++11 has now been officially released, the old C++98 code seemed to do a lot of unnecessary memory copying, so parts of the project have been rewritten to take advantage of the language’s new features. The code has been cleaned up, more features have been added and, more importantly, the code is now fault tolerant.

This project creates a property page extension (property pages are shown when a user right-clicks a file in Explorer and selects ‘Properties’ from the context menu) for Microsoft Portable Executable files, i.e. EXE and DLL files. The extension shows the various pieces of information embedded in these binaries. This information is valuable for developers interested in learning how the compiler has built their application executables.

This build has been given release version number 1.0. The project is still under a freeware license for personal or research usage but is restricted for commercial use. Please refer to this project’s readme page for more details on the license agreement and disclaimer.

For PEPropPageExt source

Acknowledgements

Before I go about bragging to you about features, I feel some people must be credited whose work has been used in this project:

  • udis86, Disassembler Library by Vivek Thampi
  • Simple Layout Manager by Daniel Horn
  • Rich Signature by Daniel Pistelli

Pages

This section discusses a few of the more significant property pages.

MS-DOS Header

This page shows the header used by the old MS-DOS loader. It is followed by a 16-bit disassembly of the stub code, whose sole purpose is to display the message “This program cannot run in MSDOS.” when the executable is run on an MS-DOS-only machine.

MSDOS Header Page

Rich Data dialog

Some executables have ‘Rich’ data stored between their MS-DOS and PE headers. This is known to be done by Visual C++ compilers. If embedded data of this kind is present, you will see the following dialog.

Rich Data dialog
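To make the layout of that ‘Rich’ block concrete, here is an added decoder in C++. It is example code written for this page, not the extension’s code and not Daniel Pistelli’s: it locates the plain-text “Rich” marker, takes the XOR key that follows it, walks backwards undoing the XOR until the “DanS” start marker appears, and then splits the bytes in between into (comp.id, count) pairs. The sample image, its key and the product/build numbers in it are constructed for the demonstration and do not correspond to any real compiler release; every read is bounds-checked because the input is an untrusted file.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

static const uint32_t kDanS = 0x536E6144; // "DanS": start marker, stored XORed with the key
static const uint32_t kRich = 0x68636952; // "Rich": end marker, stored in the clear

struct RichEntry {
    uint16_t productId; // high 16 bits of the decoded comp.id (tool/product identifier)
    uint16_t build;     // low 16 bits of the decoded comp.id (tool build number)
    uint32_t count;     // number of objects built with that tool
};

// Bounds-checked little-endian read; written to avoid overflowing off + 4.
static bool readU32(const std::vector<uint8_t>& b, size_t off, uint32_t& out) {
    if (off > b.size() || b.size() - off < 4) return false;
    out = (uint32_t)b[off] | ((uint32_t)b[off + 1] << 8) |
          ((uint32_t)b[off + 2] << 16) | ((uint32_t)b[off + 3] << 24);
    return true;
}

static void putU32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back((uint8_t)(v >> (8 * i)));
}

// Decode the Rich block found in file[start, end). Returns false when no
// well-formed block is present; never reads outside the buffer.
bool decodeRich(const std::vector<uint8_t>& file, size_t start, size_t end,
                uint32_t& key, std::vector<RichEntry>& entries) {
    entries.clear();
    if (end > file.size()) end = file.size();
    // Forward scan for the "Rich" marker; the key is the dword after it.
    size_t richOff = 0;
    bool found = false;
    for (size_t off = start; off + 8 <= end; off += 4) {
        uint32_t v = 0;
        if (readU32(file, off, v) && v == kRich) { richOff = off; found = true; break; }
    }
    if (!found || !readU32(file, richOff + 4, key)) return false;
    // Backward scan, undoing the XOR, until the "DanS" start marker appears.
    size_t dansOff = richOff;
    found = false;
    while (dansOff >= start + 4) {
        dansOff -= 4;
        uint32_t w = 0;
        if (!readU32(file, dansOff, w)) return false;
        if ((w ^ key) == kDanS) { found = true; break; }
    }
    if (!found) return false;
    // After "DanS" come three padding dwords (decode to zero), then
    // (comp.id, count) pairs up to the "Rich" marker.
    size_t first = dansOff + 16;
    if (first > richOff || (richOff - first) % 8 != 0) return false;
    for (size_t off = first; off < richOff; off += 8) {
        uint32_t compId = 0, count = 0;
        if (!readU32(file, off, compId) || !readU32(file, off + 4, count)) return false;
        compId ^= key;
        count ^= key;
        entries.push_back({ (uint16_t)(compId >> 16), (uint16_t)(compId & 0xFFFF), count });
    }
    return true;
}

// Constructed stand-in for the start of a PE file: a zeroed DOS header and
// stub, a Rich block at 0x80 and the (unmodelled) PE header at 0x100.
// The two comp.id values are made up for the example, not real tool ids.
std::vector<uint8_t> sampleRichImage(uint32_t key) {
    std::vector<uint8_t> img(0x80, 0);
    img[0] = 'M'; img[1] = 'Z';
    img[0x3C] = 0x00; img[0x3D] = 0x01;          // e_lfanew = 0x100
    putU32(img, kDanS ^ key);
    for (int i = 0; i < 3; ++i) putU32(img, 0 ^ key); // padding dwords
    putU32(img, (0x00DEu << 16 | 0x5E6Bu) ^ key); putU32(img, 12u ^ key);
    putU32(img, (0x0104u << 16 | 0x5E6Bu) ^ key); putU32(img, 1u ^ key);
    putU32(img, kRich);
    putU32(img, key);
    img.resize(0x100, 0);
    return img;
}

int main() {
    uint32_t key = 0;
    std::vector<RichEntry> entries;
    // Scan the gap between the end of the DOS header (0x40) and e_lfanew (0x100).
    if (decodeRich(sampleRichImage(0x12345678u), 0x40, 0x100, key, entries)) {
        std::printf("Rich key 0x%08X, %zu entries\n", key, entries.size());
        for (const RichEntry& e : entries)
            std::printf("  product 0x%04X build %u count %u\n", e.productId, e.build, e.count);
    }
    return 0;
}
```

The forward scan for “Rich” and the backward scan for “DanS” are both bounded by the caller’s window, and the pair count is validated against the distance between the two markers, so a file that has a “Rich” marker but no matching start, or an odd number of dwords in between, is reported as malformed rather than parsed into garbage.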

PE Headers

PE Headers is probably the most important dialog of all. It shows the flags associated with your executable, the minimum version of Windows being targeted, the data directories, etc.

PE Headers Page

Imports

This page shows all the modules this file needs and the symbols imported from each of them. Both static and delay-loaded modules are shown. Unmangling of both Microsoft and GCC C++ symbol names is supported. For GCC unmangling, however, the DLL files ‘LIBSTDC++-6.DLL’ and ‘LIBGCC_S_SEH-1.DLL’ must be present in the ‘System32’ directory for the delay loader to find them. These GCC DLL files are distributed with MinGW installations.

Imports Page

Overview

This page shows an overview of what the image’s virtual address space will look like once the Windows loader has finished mapping the file from disk into memory.

Overview Page

Tools

This page gives you an address converter, a hash verifier and a hex viewer/disassembler.

Tools Page
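The Overview page and the Tools page’s address converter both rest on the same mapping between file offsets and the loader’s virtual addresses. The C++ below is an added example of that conversion, written for this page rather than taken from the extension: VA to RVA by subtracting the image base, RVA to file offset through the section table, and the reverse lookup. The section table and image base are constructed sample values; the ‘Section’ struct is a trimmed-down stand-in that keeps only the IMAGE_SECTION_HEADER fields the conversion needs.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical trimmed-down section header: only the fields the converter uses.
struct Section {
    std::string name;
    uint32_t virtualAddress;   // RVA at which the section is mapped
    uint32_t virtualSize;      // bytes the section occupies in memory
    uint32_t pointerToRawData; // file offset of the stored bytes
    uint32_t sizeOfRawData;    // bytes actually stored in the file
};

// Constructed section table for a small image (not taken from any real binary).
std::vector<Section> sampleSections() {
    return {
        { ".text", 0x1000, 0x1234, 0x0400, 0x1400 },
        { ".data", 0x3000, 0x0800, 0x1800, 0x0200 }, // bytes past 0x200 are zero-filled in memory only
        { ".bss",  0x4000, 0x1000, 0x0000, 0x0000 }, // uninitialised: no file bytes at all
    };
}

// VA -> RVA: subtract the image base, rejecting addresses below it or too far above it.
bool vaToRva(uint64_t va, uint64_t imageBase, uint32_t& rva) {
    if (va < imageBase || va - imageBase > UINT32_MAX) return false;
    rva = (uint32_t)(va - imageBase);
    return true;
}

// RVA -> file offset. Fails when no file bytes back the RVA: a gap between
// sections, the zero-filled tail of a section, or an address outside the image.
bool rvaToFileOffset(const std::vector<Section>& secs, uint32_t sizeOfHeaders,
                     uint32_t rva, uint32_t& off) {
    if (rva < sizeOfHeaders) { off = rva; return true; } // headers are mapped 1:1
    for (const Section& s : secs) {
        if (rva < s.virtualAddress || rva - s.virtualAddress >= s.virtualSize) continue;
        uint32_t delta = rva - s.virtualAddress;
        if (delta >= s.sizeOfRawData) return false; // inside the section, beyond its file data
        uint64_t result = (uint64_t)s.pointerToRawData + delta;
        if (result > UINT32_MAX) return false;
        off = (uint32_t)result;
        return true;
    }
    return false;
}

// File offset -> RVA: the reverse lookup over the sections' raw-data ranges.
bool fileOffsetToRva(const std::vector<Section>& secs, uint32_t sizeOfHeaders,
                     uint32_t off, uint32_t& rva) {
    if (off < sizeOfHeaders) { rva = off; return true; }
    for (const Section& s : secs) {
        if (s.sizeOfRawData == 0) continue;
        if (off < s.pointerToRawData || off - s.pointerToRawData >= s.sizeOfRawData) continue;
        rva = s.virtualAddress + (off - s.pointerToRawData);
        return true;
    }
    return false;
}

int main() {
    const uint32_t sizeOfHeaders = 0x400;           // constructed value
    const uint64_t imageBase = 0x140000000ULL;      // constructed 64-bit image base
    uint32_t rva = 0, off = 0;
    if (vaToRva(0x140001010ULL, imageBase, rva) &&
        rvaToFileOffset(sampleSections(), sizeOfHeaders, rva, off))
        std::printf("VA 0x140001010 -> RVA 0x%X -> file offset 0x%X\n", rva, off);
    if (!rvaToFileOffset(sampleSections(), sizeOfHeaders, 0x3300, off))
        std::printf("RVA 0x3300 lies in .data's zero-filled tail: no file bytes\n");
    if (fileOffsetToRva(sampleSections(), sizeOfHeaders, 0x1900, rva))
        std::printf("file offset 0x1900 -> RVA 0x%X\n", rva);
    return 0;
}
```

The failure cases matter as much as the successful conversions: an RVA that falls in the zero-filled tail of a section, in an uninitialised section, or in the alignment gap between sections has no bytes on disk, and a converter that silently returns some offset there is exactly the kind of thing that turns a malformed header into an out-of-bounds read.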

CLR Data

For .NET developers, this page shows you the Common Language Runtime header and its associated data.

CLR Data Page

Resources

This page shows information about both native and managed resources. Previewing some types of resources is also supported: icons, bitmaps, string tables, manifests, XML and dialog boxes. Some types of managed resources can also be viewed. If an unknown data format is encountered, it is shown in hex view.

Resources Page

Frequently Asked Questions

1. How do I install/uninstall this extension?

For installation, first make sure that the Visual C++ 2013 redistributables are installed, then copy the DLL files ‘PEPropPageExt.dll’ and ‘ManagedFuncs.dll’ to a convenient location. Open a Command Prompt with administrative privileges, navigate to the DLL folder and enter ‘regsvr32 PEPropPageExt.dll’ to install the extension.

To uninstall, enter ‘regsvr32 /u PEPropPageExt.dll’. You may then delete the DLL files. NOTE: ‘ManagedFuncs.dll’ is loaded by the Common Language Runtime and is only unloaded by it, so a computer restart may be required before the file is unlocked and can be deleted.

NOTE: For GNU C++ name unmangling, the DLL files ‘LIBSTDC++-6.DLL’ and ‘LIBGCC_S_SEH-1.DLL’ are needed in the Windows ‘System32’ folder. These files are distributed with MinGW installations.

2. I don’t need all of the tab information; can I hide some of the tabs?

Sure. Navigate to ‘HKCU\Software\SWTBASE\PEPropPageExt\Settings’ and add a new key named ‘<SomeThing>’. To hide a specific tab, create a DWORD value with one of the following names under that key:

Value Name           Description
Hide_AllTabs         When Explorer invokes the extension, it silently fails. This is not a substitute for uninstalling, only a temporary disable.
Hide_MSDOSHeaderTab  Hides the MS-DOS Header page.
Hide_PEHeadersTab    Hides the PE Headers page.
Hide_SectionsTab     Hides the Sections page.
Hide_ManifestTab     Hides the Manifest page.
Hide_ImportsTab      Hides the Imports page.
Hide_ExportsTab      Hides the Exports page.
Hide_ResourcesTab    Hides the Resources page.
Hide_ExceptionTab    Hides the Exception page.
Hide_BaseRelocTab    Hides the Base Relocation page.
Hide_DebugTab        Hides the Debug page.
Hide_LoadConfigTab   Hides the Load Configuration page.
Hide_TLSTab          Hides the Thread Local Storage page.
Hide_CLRTab          Hides the Common Language Runtime page.
Hide_OverviewTab     Hides the Overview page.
Hide_ToolsTab        Hides the Tools page.

3. How safe is it to use this against broken or malicious files?

If this extension crashes, the whole ‘Explorer.exe’ parent process crashes with it, which is obviously a nuisance for users. With this in mind, the extension verifies that every pointer read from the file lies within the address space of the mapped executable. The mapped executable’s memory is also marked read-only to prevent execution. There are also sanity checks on values to make sure they are not abnormal.

Unfortunately, not everything is covered. For example, a C string has no length field, and checking every byte before reading a string would make the extension very slow. This may be tackled in future releases.
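The two checks discussed in this answer, bounding every pointer taken from the file and the open problem of unterminated C strings, are illustrated by the added C++ below. It is example code written for this page, not the extension’s own implementation: the file is treated as an untrusted byte buffer, the walk from the DOS header’s ‘e_lfanew’ to the PE signature refuses any offset that does not fit inside the buffer (including one that would wrap around), and ‘readCString’ shows the cheap middle ground for strings, a scan bounded by both the buffer end and a caller-chosen cap. The sample file and the name it contains are constructed for the demonstration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

static const uint16_t kDosMagic    = 0x5A4D;     // "MZ"
static const uint32_t kPeSignature = 0x00004550; // "PE\0\0"
static const size_t   kLfanewOffset = 0x3C;      // IMAGE_DOS_HEADER::e_lfanew

// All reads go through these helpers. An offset is only honoured when the
// whole value fits inside the buffer; the test is written so that off + size
// can never overflow.
static bool readU16(const std::vector<uint8_t>& f, size_t off, uint16_t& out) {
    if (off > f.size() || f.size() - off < 2) return false;
    out = (uint16_t)(f[off] | (f[off + 1] << 8));
    return true;
}
static bool readU32(const std::vector<uint8_t>& f, size_t off, uint32_t& out) {
    if (off > f.size() || f.size() - off < 4) return false;
    out = (uint32_t)f[off] | ((uint32_t)f[off + 1] << 8) |
          ((uint32_t)f[off + 2] << 16) | ((uint32_t)f[off + 3] << 24);
    return true;
}

// Follow e_lfanew to the PE signature. A file whose e_lfanew points past the
// end of the buffer is rejected instead of being dereferenced.
bool findPeHeader(const std::vector<uint8_t>& file, uint32_t& peOffset) {
    uint16_t magic = 0;
    if (!readU16(file, 0, magic) || magic != kDosMagic) return false;
    uint32_t lfanew = 0;
    if (!readU32(file, kLfanewOffset, lfanew)) return false;
    uint32_t sig = 0;
    if (!readU32(file, lfanew, sig) || sig != kPeSignature) return false;
    peOffset = lfanew;
    return true;
}

// Read a NUL-terminated string (an import module name, say) without running
// past the buffer. maxLen caps the scan, so an unterminated string costs at
// most maxLen byte checks rather than a scan to the end of the file.
bool readCString(const std::vector<uint8_t>& file, size_t off, size_t maxLen, std::string& out) {
    if (off >= file.size()) return false;
    size_t limit = std::min(maxLen, file.size() - off);
    size_t n = 0;
    while (n < limit && file[off + n] != 0) ++n;
    if (n == limit) return false; // no terminator inside the allowed window
    out.assign(reinterpret_cast<const char*>(&file[off]), n);
    return true;
}

// Constructed 128-byte stand-in for a PE file: "MZ", an e_lfanew of the
// caller's choosing, "PE\0\0" at 0x40, a terminated name at 0x50 and an
// unterminated run of bytes from 0x70 to the end of the buffer.
std::vector<uint8_t> samplePeFile(uint32_t lfanew = 0x40) {
    std::vector<uint8_t> f(0x80, 0);
    f[0] = 'M'; f[1] = 'Z';
    for (int i = 0; i < 4; ++i) f[kLfanewOffset + i] = (uint8_t)(lfanew >> (8 * i));
    f[0x40] = 'P'; f[0x41] = 'E';                   // followed by two zero bytes
    std::memcpy(&f[0x50], "KERNEL32.dll", 13);      // 12 characters plus the NUL
    for (int i = 0; i < 16; ++i) f[0x70 + i] = (uint8_t)('A' + i); // no NUL before EOF
    return f;
}

int main() {
    uint32_t pe = 0;
    std::printf("well-formed file: %s\n",
                findPeHeader(samplePeFile(), pe) ? "PE header found" : "rejected");
    std::printf("e_lfanew past end of file: %s\n",
                findPeHeader(samplePeFile(0xFFFFFFF0u), pe) ? "accepted" : "rejected");
    std::string name;
    std::printf("terminated name: %s\n",
                readCString(samplePeFile(), 0x50, 64, name) ? name.c_str() : "rejected");
    std::printf("unterminated string: %s\n",
                readCString(samplePeFile(), 0x70, 64, name) ? "read" : "rejected");
    return 0;
}
```

The order of the checks in ‘readU32’ is deliberate: comparing ‘off’ against the size first and then ‘size - off’ against the width avoids computing ‘off + 4’, which for an e_lfanew near 0xFFFFFFFF would wrap to a small number and pass a naive check.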
