Finding the PE Magic header using Windbg

I have been learning WinDbg lately and trying to apply what I have learnt via simple experiments on Windows files. Here is how I was able to extract the magic header (MZ) of an EXE image.

After opening the binary in WinDbg, first get the image base address with lm (list loaded modules):

0:000> lm
start    end        module name
00a50000 00a73000   HelloDbg C (private pdb symbols)  C:\ProgramData\dbg\sym\HelloDbg.pdb\115EBB8E4E7B4730A323E4C9AFB9EE7B1\HelloDbg.pdb
5c9f0000 5caa4000   MSVCP140D   (deferred)             
5cab0000 5cc5e000   ucrtbased   (deferred)             
5cc60000 5cc7e000   VCRUNTIME140D   (deferred)             
76460000 76550000   KERNEL32   (deferred)             
76900000 76b79000   KERNELBASE   (deferred)             
77540000 776f2000   ntdll      (pdb symbols)          C:\ProgramData\dbg\sym\wntdll.pdb\9D732CF61DD0259871FCB5A4FCC2ED551\wntdll.pdb

The base address is 00a50000.

Opening the same file in a hex editor such as HxD shows the MZ bytes at offset 0, in the e_magic field of the IMAGE_DOS_HEADER. Because the loader maps the PE headers into memory unchanged, the same two bytes sit at the module's base address, so every technique below reads from 00a50000.

Technique 1: Dump the first 2 bytes starting from the base address (L2 is the byte count for db).

0:000> db 00a50000 L2
00a50000  4d 5a                                            MZ

Technique 2: using dc with the base address. dc displays DWORDs, and x86 is little-endian, so the bytes 4d 5a 90 00 show up as the value 00905a4d; the ASCII column on the right still reads MZ in byte order.

0:000> dc 00a50000
00a50000 00905a4d 00000003 00000004 0000ffff MZ..............

Technique 3: using .imgscan, which walks the process address space looking for MZ headers instead of reading the loader's module list that lm uses. That is why it also reports wow64cpu.dll, a 64-bit WOW64 DLL that lm did not show for this 32-bit target; for the same reason it is a useful check for manually mapped or unlinked images that do not appear in lm.

0:000> .imgscan
MZ at 00a50000, prot 00000002, type 01000000 - size 23000
  Name: HelloDbg.exe
MZ at 5c9f0000, prot 00000002, type 01000000 - size b4000
  Name: MSVCP140D.dll
MZ at 5cab0000, prot 00000002, type 01000000 - size 1ae000
  Name: ucrtbased.dll
MZ at 5cc60000, prot 00000002, type 01000000 - size 1e000
  Name: VCRUNTIME140D.dll
MZ at 76460000, prot 00000002, type 01000000 - size f0000
  Name: KERNEL32.dll
MZ at 76900000, prot 00000002, type 01000000 - size 279000
  Name: KERNELBASE.dll
MZ at 77530000, prot 00000002, type 01000000 - size a000
  Name: wow64cpu.dll
MZ at 77540000, prot 00000002, type 01000000 - size 1b2000
  Name: ntdll.dll

Technique 4: using dt (display type) and Python. dt reads e_magic as a 16-bit WORD, so it prints 0x5a4d rather than the bytes 4d 5a. The type here resolved through HelloDbg's private PDB; dt ntdll!_IMAGE_DOS_HEADER e_magic 00a50000 does the same when the target has no symbols of its own.

0:000> dt _IMAGE_DOS_HEADER e_magic 00a50000
HelloDbg!_IMAGE_DOS_HEADER
   +0x000 e_magic : 0x5a4d

Python code to turn the WORD 0x5a4d back into its ASCII bytes:
>>> hs = "4d5a"                    # 0x5a4d written out as its little-endian byte sequence 4d 5a
>>> bs = bytes.fromhex(hs)
>>> bs.decode("ascii")
'MZ'
>>> (0x5a4d).to_bytes(2, "little").decode("ascii")   # same result, letting Python do the byte reordering
'MZ'
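As an added example that is not part of the original post, the script below does in Python what the four techniques above do by hand, and goes one step further than the post: it reads e_magic as a little-endian WORD, follows e_lfanew to the PE\0\0 signature, shows the bytes behind the DWORD that dc printed, and page-scans a buffer for images the way .imgscan does. The sample buffer is constructed here from the sixteen header bytes shown in the dc output and is not a real executable; the function names and the e_lfanew value 0x80 are my own choices.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D     # the WORD at offset 0; as little-endian bytes it is 4d 5a = "MZ"
IMAGE_NT_SIGNATURE = 0x00004550  # the DWORD at e_lfanew; as bytes it is "PE\0\0"
DOS_HEADER_SIZE = 0x40           # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFFSET = 0x3C           # offset of the LONG e_lfanew inside IMAGE_DOS_HEADER


def dword_to_bytes(value):
    """Undo what dc did: show a little-endian DWORD as the bytes that are actually in memory."""
    return struct.pack("<I", value)


def parse_dos_header(image, base=0):
    """Read the IMAGE_DOS_HEADER fields of interest at `base`, like dt _IMAGE_DOS_HEADER does."""
    if len(image) - base < DOS_HEADER_SIZE:
        raise ValueError("buffer is shorter than IMAGE_DOS_HEADER (0x40 bytes)")
    e_magic = struct.unpack_from("<H", image, base)[0]
    e_lfanew = struct.unpack_from("<l", image, base + E_LFANEW_OFFSET)[0]
    return {
        "e_magic": e_magic,
        "e_magic_ascii": image[base:base + 2].decode("ascii", errors="replace"),
        "e_lfanew": e_lfanew,
    }


def find_pe_signature(image, base=0):
    """Validate MZ, follow e_lfanew, validate PE\\0\\0; return the offset of the NT headers."""
    hdr = parse_dos_header(image, base)
    if hdr["e_magic"] != IMAGE_DOS_SIGNATURE:
        raise ValueError(f"e_magic is 0x{hdr['e_magic']:04x}, expected 0x5a4d ('MZ')")
    off = hdr["e_lfanew"]
    # e_lfanew comes from the file, so a hostile or corrupt image can point it anywhere:
    # bounds-check before reading through it (it must not overlap the DOS header either).
    if off < DOS_HEADER_SIZE or off > len(image) - base - 4:
        raise ValueError(f"e_lfanew 0x{off:x} points outside the buffer")
    sig = struct.unpack_from("<I", image, base + off)[0]
    if sig != IMAGE_NT_SIGNATURE:
        raise ValueError(f"NT signature is 0x{sig:08x}, expected 0x00004550 ('PE\\0\\0')")
    return base + off


def is_valid_pe(image, base=0):
    """True when a well-formed MZ header with a reachable PE signature starts at `base`."""
    try:
        find_pe_signature(image, base)
        return True
    except ValueError:
        return False


def scan_for_images(buf, step=0x1000):
    """Rough equivalent of .imgscan: test every page boundary for an MZ/PE pair and
    report the base of each one found."""
    return [base for base in range(0, len(buf), step) if is_valid_pe(buf, base)]


def build_sample_image(e_lfanew=0x80, with_pe_signature=True):
    """Constructed test data, not a real executable: the 16 header bytes WinDbg dumped
    (4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00), zero-padded to 0x40 bytes, with
    e_lfanew set and a 'PE\\0\\0' signature placed where it points."""
    img = bytearray(0x100)
    img[:16] = bytes.fromhex("4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00")
    struct.pack_into("<l", img, E_LFANEW_OFFSET, e_lfanew)
    if with_pe_signature:
        img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    print(parse_dos_header(good))            # e_magic 0x5a4d, 'MZ', e_lfanew 0x80
    print(hex(find_pe_signature(good)))      # 0x80
    print(dword_to_bytes(0x00905A4D))        # b'MZ\x90\x00', the bytes behind dc's 00905a4d
    # page 0: an MZ header whose e_lfanew is out of range; page 1: the valid image
    bad = build_sample_image(e_lfanew=0x7FFFFFF0, with_pe_signature=False)
    print([hex(b) for b in scan_for_images(bad + good, step=0x100)])   # ['0x100']
```

The bounds check on e_lfanew is the part worth keeping from this: a header that starts with MZ is not proof of a sane image, and a crafted e_lfanew is a classic way to make a naive parser read far outside the buffer, which is why the scan treats such a page as "not an image" rather than trusting the signature alone.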
