{"id":19409872,"url":"https://github.com/dsuarezv/pewalker","last_synced_at":"2025-07-12T13:07:48.600Z","repository":{"id":151789762,"uuid":"266216530","full_name":"dsuarezv/PEWalker","owner":"dsuarezv","description":"A playground to test PE file structures (Portable Executable)","archived":false,"fork":false,"pushed_at":"2022-04-10T08:27:52.000Z","size":13077,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-31T08:18:54.280Z","etag":null,"topics":["authenticode","csharp","pe","pef","portable-executable"],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dsuarezv.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-22T22:06:36.000Z","updated_at":"2025-03-15T11:55:46.000Z","dependencies_parsed_at":null,"dependency_job_id":"e3c788fe-a409-46b9-b9a8-520b02c5a63f","html_url":"https://github.com/dsuarezv/PEWalker","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/dsuarezv/PEWalker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsuarezv%2FPEWalker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsuarezv%2FPEWalker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsuarezv%2FPEWalker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsuarezv%2FPEWalker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/
owners/dsuarezv","download_url":"https://codeload.github.com/dsuarezv/PEWalker/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dsuarezv%2FPEWalker/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264995576,"owners_count":23694989,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authenticode","csharp","pe","pef","portable-executable"],"created_at":"2024-11-10T12:13:54.744Z","updated_at":"2025-07-12T13:07:48.581Z","avatar_url":"https://github.com/dsuarezv.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"﻿# PE walker\n\nThis is just a toy project I made while attending the course II Experto Universitario en Ingeniería Inversa e Inteligencia Malware at Universidad de Málaga. \n\nThis code contains a parser of the PE (Portable Executable) structure. By default it prints the details of the different sections, in various colors. Here is a screenshot: \n\n![](screenshots/01.png)\n\nThe PE format is the executable format used in Windows, for both EXE and DLL files. [It is well documented in MSDN](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format).  \n\nThis project is not meant as a full command line utility, it's more a collection of code fragments that can be used from other code to perform specific actions on executable files. I will eventually make it a library. Who knows, maybe a proper Windows GUI. 
Will depend on how the course evolves.\n\nThe original goal was to patch an exe file signed with authenticode and still keep the signature valid, thus the name AuthentiPatcher. There are certain places in the PE format that are not validated by the signature and they can be used to hide payloads.\n\n## Usage\n\nOut of the box, the program can dump the contents of the PE headers. Invoke it with the exe file you want to analyze:\n\n    authentipatcher print c:\\windows\\system32\\calc.exe\n\nThis will print all the fields it knows about in the console: \n\n![](screenshots/sections.png)\n\n### Patching files\n\nThe tool can also append a payload at the end of the certificates area, if invoked with some more arguments. The signature of the file should still be valid after this. \n\n    authentipatcher addauthpayload \u003cinputfile\u003e \u003cpayloadfile\u003e \u003coutputfile\u003e\n\nThere are some requirements for this to work: \n\n* The payload size must be a multiple of 8. This is required by the PE format. \n* The target executable should not have debug symbols. This is not normal in signed files, but if there are any, they will be overwritten and the signature validation will fail in that case. 
\n\nIt will modify the size of the certificate area, both the length in the WIN_CERTIFICATE header and the size in the Certificate data directory that points to it:\n\n![](screenshots/certdata.png)\n\n### Dumping parts of the file\n\n    dump command usage\n      authentipatch dump \u003cformat\u003e \u003cfilename\u003e \u003coffset\u003e [size]\n        format can be any of:\n          hex  00 4F 3B AB 00 44 01 0A  00 4F 3B AB 00 44 01 0A\n          sx   \\x00\\x4F\\x3B\\xAB\\x00\\x44\\x01\\x0A\\x00\\x4F\\x3B\\xAB\\x00\\x44\\x01\\x0A\n          zx   0x00,0x4F,0x3B,0xAB,0x00,0x44,0x01,0x0A,0x00,0x4F,0x3B,0xAB,0x00,0x44,0x01,0x0A\n        offset can be any of:\n          section name: .text    In this case, size can be used but is not required.\n          decimal value: 34563   Size required\n          hex value: 0x34A63     Size required\n    Samples:\n      authentipatch dump sx c:\\windows\\system32\\calc.exe .text\n      authentipatch dump hex c:\\windows\\system32\\calc.exe .text\n      authentipatch dump raw c:\\windows\\system32\\calc.exe 307200 0x345\n\n\n## Building\n\nThe code is written in C# for dotnet core 3.1, but will probably work in previous versions (I haven't tested). Install the dotnet core SDK on your platform and you are ready to roll. \n\nFor console colors, it uses the great C# [Pastel library](https://github.com/silkfire/Pastel). ANSI color codes will not be generated when the output is redirected to a file. \n\n## API\n\nThe interesting part is the PeParser class. 
Provided with a file, it will parse the PE header and the different fields can be enumerated or filtered:\n\n        using (var parser = new PeParser(inputFile))\n        {\n            parser.Parse();\n\n            var certSize = parser.Find(null, \"Size of Certificate table\").FirstOrDefault();\n            Console.WriteLine($\"Size: {certSize.ULongValue}\");\n            Console.WriteLine($\"Offset {certSize.Offset}\");\n        }\n\n## Sample output\n\nHere is a list of the full report generated for now by the tool: \n\n    [i] File: c:\\windows\\system32\\ntdll.dll\n  \n    OFFSET GROUP               TYPE  NAME                               VALUE(hex COMMENT\n         0 DOS                 WORD  Signature                               5A4D \n         2 DOS                 BYTES BODY NOT Parsed                            0 \n        3C DOS                 DWORD Pointer to PE Header                      D8 \n        D8 COFF Header         DWORD Signature                               4550 \n        DC COFF Header         WORD  Machine                                 8664 \n        DE COFF Header         WORD  Number of sections                         9 \n        E0 COFF Header         DWORD TimeDateStamp                       B29ECF52 \n        E4 COFF Header         DWORD Pointer to Symbol Table                    0 \n        E8 COFF Header         DWORD Number of Symbols (deprecated)             0 \n        EC COFF Header         WORD  Size of optional Header                   F0 \n        EE COFF Header         WORD  Characteristics                         2022 \n        F0 COFF common fields  WORD  Signature                                20B PE32+\n        F2 COFF common fields  WORD  Linker version                           F0E \n        F4 COFF common fields  DWORD Size of code (sum of all sections)    115800 \n        F8 COFF common fields  DWORD Size of initialized data               D3600 \n        FC COFF common fields  DWORD Size of uninitialized 
data                 0 \n       100 COFF common fields  DWORD Address of entry point (RVA)               0 \n       104 COFF common fields  DWORD Base of code (RVA)                      1000 \n       108 Windows fields      QWORD ImageBase                          180000000 \n       110 Windows fields      DWORD Section alignment                       1000 \n       114 Windows fields      DWORD File alignment                           200 \n       118 Windows fields      WORD  Major operating system version             A \n       11A Windows fields      WORD  Minor operating system version             0 \n       11C Windows fields      WORD  Major image version                        A \n       11E Windows fields      WORD  Minor image version                        0 \n       120 Windows fields      WORD  Major subsystem version                    A \n       122 Windows fields      WORD  Minor subsystem version                    0 \n       124 Windows fields      DWORD Win32 version value                        0 \n       128 Windows fields      DWORD Size of image                         1F0000 \n       12C Windows fields      DWORD Size of headers                          400 \n       130 Windows fields      DWORD Checksum (images not checked)         1ED368 \n       134 Windows fields      WORD  Subsystem                                  3 \n       136 Windows fields      WORD  Dll characteristics                     4160 \n       138 Windows fields      QWORD Size of Stack Reserve                  40000 \n       140 Windows fields      QWORD Size of Stack Commit                    1000 \n       148 Windows fields      QWORD Size of Heap Reserve                  100000 \n       150 Windows fields      QWORD Size of Heap Commit                     1000 \n       158 Windows fields      DWORD Loader flags                               0 \n       15C Windows fields      DWORD Number of RVA and sizes                   10 \n       160 Data directories    DWORD 
Export table                          14C500 \n       164 Data directories    DWORD Size of Export table                   1276A \n       168 Data directories    DWORD Import table                               0 \n       16C Data directories    DWORD Size of Import table                       0 \n       170 Data directories    DWORD Resource table                        17F000 \n       174 Data directories    DWORD Size of Resource table                 6F310 \n       178 Data directories    DWORD Exception table                       16B000 \n       17C Data directories    DWORD Size of Exception table                 E0A0 \n       180 Data directories    DWORD Certificate table                     1E1E00 \n       184 Data directories    DWORD Size of Certificate table               6660 \n       188 Data directories    DWORD Base relocation table                 1EF000 \n       18C Data directories    DWORD Size of Base relocation table            528 \n       190 Data directories    DWORD Debug                                 120A60 \n       194 Data directories    DWORD Size of Debug                             54 \n       198 Data directories    DWORD Architecture data                          0 \n       19C Data directories    DWORD Size of Architecture data                  0 \n       1A0 Data directories    DWORD GlobalPtr (0)                              0 \n       1A4 Data directories    DWORD Size of GlobalPtr (0)                      0 \n       1A8 Data directories    DWORD TLS table                                  0 \n       1AC Data directories    DWORD Size of TLS table                          0 \n       1B0 Data directories    DWORD Load config table                     118B10 \n       1B4 Data directories    DWORD Size of Load config table                108 \n       1B8 Data directories    DWORD Bound import                               0 \n       1BC Data directories    DWORD Size of Bound import                       0 \n       1C0 Data 
directories    DWORD Import address table                       0 \n       1C4 Data directories    DWORD Size of Import address table               0 \n       1C8 Data directories    DWORD Delay import descriptor                    0 \n       1CC Data directories    DWORD Size of Delay import descriptor            0 \n       1D0 Data directories    DWORD COM / CLR runtime header                   0 \n       1D4 Data directories    DWORD Size of COM / CLR runtime header           0 \n       1D8 Data directories    DWORD ??                                         0 \n       1DC Data directories    DWORD Size of ??                                 0 \n       1E0 Section .text       BYTES Name                                       0 .text   \n       1E8 Section .text       DWORD Virtual size                          115406 \n       1EC Section .text       DWORD Virtual address                         1000 \n       1F0 Section .text       DWORD Size of raw data                      115600 \n       1F4 Section .text       DWORD Pointer to raw data                      400 \n       1F8 Section .text       DWORD Pointer to relocations                     0 \n       1FC Section .text       DWORD Pointer to line numbers                    0 \n       200 Section .text       WORD  Number of relocations                      0 \n       202 Section .text       WORD  Number of line elements                    0 \n       204 Section .text       DWORD Characteristics                     60000020 \n       208 Section RT          BYTES Name                                       0 RT      \n       210 Section RT          DWORD Virtual size                             1F9 \n       214 Section RT          DWORD Virtual address                       117000 \n       218 Section RT          DWORD Size of raw data                         200 \n       21C Section RT          DWORD Pointer to raw data                   115A00 \n       220 Section RT          DWORD Pointer to relocations         
            0 \n       224 Section RT          DWORD Pointer to line numbers                    0 \n       228 Section RT          WORD  Number of relocations                      0 \n       22A Section RT          WORD  Number of line elements                    0 \n       22C Section RT          DWORD Characteristics                     60000020 \n       230 Section .rdata      BYTES Name                                       0 .rdata  \n       238 Section .rdata      DWORD Virtual size                           46C6A \n       23C Section .rdata      DWORD Virtual address                       118000 \n       240 Section .rdata      DWORD Size of raw data                       46E00 \n       244 Section .rdata      DWORD Pointer to raw data                   115C00 \n       248 Section .rdata      DWORD Pointer to relocations                     0 \n       24C Section .rdata      DWORD Pointer to line numbers                    0 \n       250 Section .rdata      WORD  Number of relocations                      0 \n       252 Section .rdata      WORD  Number of line elements                    0 \n       254 Section .rdata      DWORD Characteristics                     40000040 \n       258 Section .data       BYTES Name                                       0 .data   \n       260 Section .data       DWORD Virtual size                            B330 \n       264 Section .data       DWORD Virtual address                       15F000 \n       268 Section .data       DWORD Size of raw data                        4000 \n       26C Section .data       DWORD Pointer to raw data                   15CA00 \n       270 Section .data       DWORD Pointer to relocations                     0 \n       274 Section .data       DWORD Pointer to line numbers                    0 \n       278 Section .data       WORD  Number of relocations                      0 \n       27A Section .data       WORD  Number of line elements                    0 \n       27C Section .data       
DWORD Characteristics                     C0000040 \n       280 Section .pdata      BYTES Name                                       0 .pdata  \n       288 Section .pdata      DWORD Virtual size                            E0A0 \n       28C Section .pdata      DWORD Virtual address                       16B000 \n       290 Section .pdata      DWORD Size of raw data                        E200 \n       294 Section .pdata      DWORD Pointer to raw data                   160A00 \n       298 Section .pdata      DWORD Pointer to relocations                     0 \n       29C Section .pdata      DWORD Pointer to line numbers                    0 \n       2A0 Section .pdata      WORD  Number of relocations                      0 \n       2A2 Section .pdata      WORD  Number of line elements                    0 \n       2A4 Section .pdata      DWORD Characteristics                     40000040 \n       2A8 Section .mrdata     BYTES Name                                       0 .mrdata \n       2B0 Section .mrdata     DWORD Virtual size                            34F0 \n       2B4 Section .mrdata     DWORD Virtual address                       17A000 \n       2B8 Section .mrdata     DWORD Size of raw data                        3600 \n       2BC Section .mrdata     DWORD Pointer to raw data                   16EC00 \n       2C0 Section .mrdata     DWORD Pointer to relocations                     0 \n       2C4 Section .mrdata     DWORD Pointer to line numbers                    0 \n       2C8 Section .mrdata     WORD  Number of relocations                      0 \n       2CA Section .mrdata     WORD  Number of line elements                    0 \n       2CC Section .mrdata     DWORD Characteristics                     C0000040 \n       2D0 Section .00cfg      BYTES Name                                       0 .00cfg  \n       2D8 Section .00cfg      DWORD Virtual size                               8 \n       2DC Section .00cfg      DWORD Virtual address                       
17E000 \n       2E0 Section .00cfg      DWORD Size of raw data                         200 \n       2E4 Section .00cfg      DWORD Pointer to raw data                   172200 \n       2E8 Section .00cfg      DWORD Pointer to relocations                     0 \n       2EC Section .00cfg      DWORD Pointer to line numbers                    0 \n       2F0 Section .00cfg      WORD  Number of relocations                      0 \n       2F2 Section .00cfg      WORD  Number of line elements                    0 \n       2F4 Section .00cfg      DWORD Characteristics                     40000040 \n       2F8 Section .rsrc       BYTES Name                                       0 .rsrc   \n       300 Section .rsrc       DWORD Virtual size                           6F310 \n       304 Section .rsrc       DWORD Virtual address                       17F000 \n       308 Section .rsrc       DWORD Size of raw data                       6F400 \n       30C Section .rsrc       DWORD Pointer to raw data                   172400 \n       310 Section .rsrc       DWORD Pointer to relocations                     0 \n       314 Section .rsrc       DWORD Pointer to line numbers                    0 \n       318 Section .rsrc       WORD  Number of relocations                      0 \n       31A Section .rsrc       WORD  Number of line elements                    0 \n       31C Section .rsrc       DWORD Characteristics                     40000040 \n       320 Section .reloc      BYTES Name                                       0 .reloc  \n       328 Section .reloc      DWORD Virtual size                             528 \n       32C Section .reloc      DWORD Virtual address                       1EF000 \n       330 Section .reloc      DWORD Size of raw data                         600 \n       334 Section .reloc      DWORD Pointer to raw data                   1E1800 \n       338 Section .reloc      DWORD Pointer to relocations                     0 \n       33C Section .reloc      DWORD 
Pointer to line numbers                    0 \n       340 Section .reloc      WORD  Number of relocations                      0 \n       342 Section .reloc      WORD  Number of line elements                    0 \n       344 Section .reloc      DWORD Characteristics                     42000040 \n    1E1E00 WIN_CERTIFICATE     DWORD Length                                  6660 \n    1E1E04 WIN_CERTIFICATE     WORD  Revision                                 200   WIN_CERT_REVISION_2_0\n    1E1E06 WIN_CERTIFICATE     WORD  Certificate type                           2   WIN_CERT_TYPE_PKCS_SIGNED_DATA\n    1E1E08 WIN_CERTIFICATE     BYTES Certificates                               0   Size 0x6658\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsuarezv%2Fpewalker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdsuarezv%2Fpewalker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdsuarezv%2Fpewalker/lists"}