0

There is a lot of tools designed to help analyzing portable executable files. For example PE Explorer. We can load .exe file into it and check things like number of sections, section alignment or virtual addresses of particular sections.

Is there any similar tool which allows me to do the same but for a portable executable already loaded into memory? Without access to it's .exe file?

EDIT:

Maybe I will try to clarify what I'm trying to achieve. Lets say (like @0x90 suggested) that I have two applications or maybe even three applications.

app1.exe - executed by user, creates new process basing on app3.exe and modifies its memory by putting app2.exe into it.

app2.exe - Injected into app3.exe memory by app1.exe.

app3.exe - Used to create the new process.

I have sources of all of three applications. I'm simply trying to learn about windows internals by practical exercises with injecting/Processes Hollowing. I have some bug in app1.exe which leads to:

The application was unable to start correctly (0xc0000018).

And I'm trying to find a way to debug this situation. My idea was to compare PE on disk with PE in memory and check if it looks correct. I was surprised that I can't find tool designed for such a propose.

Adam
  • 2,254
  • 3
  • 24
  • 42

1 Answers1

1

For clarity, the application you wish to examine shall be called App1 while the application which loads the PE files contents into memory shall be called App2.

To my knowledge, all major disassemblers work on files. This is due to the fact that App1 will be mapped into the address space of App2.

Your easiest solution is to dump the executable to disk from memory.

If you control the source of App2, this step is trivial.

If you don't, you will need to attack a debugger, identify the exact memory range where the PE file resides and use the debugger's functionality to dump that memory range to disk.

0x90
  • 6,079
  • 2
  • 36
  • 55