hasherezade / pe-bear

Portable Executable reversing tool with a friendly GUI
https://hshrzd.wordpress.com/pe-bear/
GNU General Public License v2.0

How to inspect sections on object code #34

Open RealYukiSan opened 11 months ago

RealYukiSan commented 11 months ago

I tried to compile my source code into object code, and I'm following this tutorial to read the sections in the object file, but it seems that the object file generated by gcc on the Windows platform will end up with the PE format (?)

which makes me unable to parse it: readelf: Error: Not an ELF file - it has the wrong magic bytes at the start

then I tried to install the pe-bear tool instead of readelf but the error not supported filetype seems to be not working properly?

please enlighten me.

RealYukiSan commented 11 months ago

here's my example library source code:

int sum(int a, int b) {
    return a+b;
}

then I try to generate the object file with gcc -c arith.c -o arith.o

RealYukiSan commented 11 months ago

Oh yeah, I can use objdump instead of readelf

$ objdump.exe -h arith.o

arith.o:     file format pe-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00000010  0000000000000000  0000000000000000  0000012c  2**4
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
  1 .data         00000000  0000000000000000  0000000000000000  00000000  2**4
                  ALLOC, LOAD, DATA
  2 .bss          00000000  0000000000000000  0000000000000000  00000000  2**4
                  ALLOC
  3 .rdata        00000010  0000000000000000  0000000000000000  0000013c  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .xdata        00000008  0000000000000000  0000000000000000  0000014c  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .pdata        0000000c  0000000000000000  0000000000000000  00000154  2**2
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA
  6 .rdata$zzz    00000030  0000000000000000  0000000000000000  00000160  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

hasherezade commented 11 months ago

hi! I am sorry, but currently PE-bear does not support object files. They are a bit different than the complete PE. I will treat your issue as a feature request, and add the support in the future.

RealYukiSan commented 11 months ago

> hi! I am sorry, but currently PE-bear does not support object files. They are a bit different than the complete PE.

It seems the object file generated by gcc on MinGW follows the COFF format, right? Just want to confirm.

> I will treat your issue as a feature request, and add the support in the future.

Thanks! I can't wait for it ^^
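
What `objdump -h` reads from a file like `arith.o`, as an added example that is not part of the original thread or PE-bear's code: a COFF object begins directly with the 20-byte file header (no `MZ` stub, no `PE\0\0` signature), and a section name longer than 8 bytes, such as `.rdata$zzz`, is stored as `/<offset>` into the string table. The sample object is constructed inside the code, reusing two sizes and file offsets from the listing above; all function names are hypothetical.

```python
import struct

MACHINES = {0x8664: "x86-64", 0x014C: "i386", 0xAA64: "arm64"}
FILE_HDR = struct.Struct("<HHIIIHH")        # IMAGE_FILE_HEADER, 20 bytes
SECT_HDR = struct.Struct("<8sIIIIIIHHI")    # IMAGE_SECTION_HEADER, 40 bytes

def identify(data):
    """Classify a buffer; COFF has no magic, so the Machine field is the heuristic."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ":
        return "pe-image"
    if len(data) >= FILE_HDR.size and FILE_HDR.unpack_from(data)[0] in MACHINES:
        return "coff-object"
    return "unknown"

def coff_sections(data):
    """Return [(name, raw_size, file_offset)] for a COFF object file."""
    if identify(data) != "coff-object":
        raise ValueError("not a COFF object file")
    _, nsect, _, symtab, nsyms, opt_size, _ = FILE_HDR.unpack_from(data)
    strtab = symtab + nsyms * 18     # string table follows the 18-byte symbol records
    pos = FILE_HDR.size + opt_size
    if pos + nsect * SECT_HDR.size > len(data):
        raise ValueError("section table runs past end of file")
    out = []
    for i in range(nsect):
        raw, _, _, size, offset, *_ = SECT_HDR.unpack_from(data, pos + i * SECT_HDR.size)
        name = raw.rstrip(b"\0")
        if name.startswith(b"/"):    # long name: "/<decimal offset into string table>"
            start = strtab + int(name[1:])
            name = data[start:data.index(b"\0", start)]
        out.append((name.decode("ascii", "replace"), size, offset))
    return out

def sample_object():
    """Constructed sample: headers and string table only, no symbols or section data."""
    names = b".rdata$zzz\0"
    strtab = struct.pack("<I", 4 + len(names)) + names
    symtab = FILE_HDR.size + 2 * SECT_HDR.size
    hdr = FILE_HDR.pack(0x8664, 2, 0, symtab, 0, 0, 0)
    text = SECT_HDR.pack(b".text", 0, 0, 0x10, 0x12C, 0, 0, 0, 0, 0x60500020)
    rdata = SECT_HDR.pack(b"/4", 0, 0, 0x30, 0x160, 0, 0, 0, 0, 0x40500040)
    return hdr + text + rdata + strtab

if __name__ == "__main__":
    for name, size, offset in coff_sections(sample_object()):
        print(f"{name:<12} size={size:#010x} file_off={offset:#010x}")
```

To try it on a real object, pass the file's bytes (`open("arith.o", "rb").read()`) to `coff_sections`.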