

PE File Integrity and Reported Image Size Deviation Handling Under Windows 9x/ME and NT/2000/XP/Vista

PE Explorer provides two functions that are automatically performed when opening a file: error checking, and unpacking files compressed with UPX/Upack/NSPack using the Plug-In subsystem.


If opening a file produces an error, PE Explorer opens that file in Safe mode. While in Safe mode, the data that caused the error cannot be operated on. This does not guarantee that the excluded file data is error-free, but in many cases it allows you to work with damaged files (e.g. compressed files).

For example, if the Import section follows the Resource section, you normally cannot open such a file in a binary analyzer. PE Explorer provides a solution by enabling you to work with damaged/packed/crypted files and examine the inner workings of applications and DLLs.

When opening a file produces an error, the following message will be shown:

Safe Mode

One of the first things that PE Explorer does when it loads a PE file is to verify the file's integrity. It does this by checking and analyzing various values from the headers and inner structures of the file.

The SizeOfImage value from the Headers Info panel is calculated on the basis of the physical sizes of the file's composite sections. It is important that the ultimate physical size of the file should equal the sum of the SizeOfImage value and the SizeOfHeaders value. The SizeOfHeaders value includes the DOS Stub and is rounded up to the nearest multiple of the FileAlignment value. In an executable file the physical size of a section should ALWAYS be aligned on the boundary size defined by the FileAlignment value and displayed by the Headers Info panel in PE Explorer.

Certain other header values are treated differently depending on which flavor of Windows (9x/ME or NT/XP) is being used, in particular the SizeOfRawData and PointerToRawData values displayed by the Section Headers panel.

When a user executes a PE file, the operating system determines how much memory to allocate for the file by reading the SizeOfRawData values from each section header in the file. Each flavor of Windows proceeds from this determination in a slightly different fashion.

Every version of Windows NT (including 2000 and XP) adds the HeaderSize to the sum of the SizeOfRawData values from each section and checks the result against the SizeOfImage value obtained from the PE file's optional header. If the calculated value is greater than the reported SizeOfImage value, the discrepancy is registered as a fatal error, the continued loading of the damaged file is blocked, and the user receives a "This file is not a valid Win32 application" message. Otherwise, loading continues and control is passed to the particular file.

In contrast, Windows 9x/ME performs a significantly more relaxed header inspection, only checking for validity before passing control to the PE file. If at some point during the execution of a PE file an attempt is made to access a memory area that the SizeOfRawData values indicate is located inside the SizeOfImage boundary, but that actually happens to be located outside of this boundary, the operating system terminates the program and the user receives the all too familiar "This program has performed an illegal operation and will be shutdown" message.

Certainly, the deviation in physical size is not always fatal. The physical size of a section might be reduced at the expense of the section alignment, for example, but there is no guarantee that the executable file will never try to access these addresses. It is to the credit of the considerably more advanced NT architecture that files with this kind of deviation are prevented from executing in the first place.
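As an added example (not PE Explorer's code), the following Python reads the header fields named above and applies the comparisons as this page describes them: each section's SizeOfRawData against FileAlignment, and SizeOfHeaders plus the sum of the SizeOfRawData values against SizeOfImage. It also flags raw data that runs past the physical end of the file, which goes beyond the page's text; `check_pe_sizes`, `build_sample` and the sample header are constructed for the example.

```python
import struct

def check_pe_sizes(data: bytes) -> dict:
    """Apply the size checks described on this page to a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24                                         # optional header start
    (file_align,) = struct.unpack_from("<I", data, opt + 36)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    raw_total, unaligned, past_eof = size_of_headers, [], []
    for i in range(n_sections):
        sec = opt + opt_size + 40 * i                         # 40-byte section header
        name = data[sec:sec + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 16)
        raw_total += raw_size
        if file_align and raw_size % file_align:              # not a FileAlignment multiple
            unaligned.append(name)
        if raw_ptr + raw_size > len(data):                    # added check, not from the page
            past_eof.append(name)
    return {"SizeOfImage": size_of_image, "headers_plus_raw": raw_total,
            "exceeds_SizeOfImage": raw_total > size_of_image,
            "unaligned": unaligned, "past_eof": past_eof, "file_size": len(data)}

def build_sample(raw_sizes, size_of_image, file_align=0x200, headers=0x200):
    """Constructed PE32 header plus zero-filled sections (demo input only)."""
    pe_off, opt_size = 0x40, 0xE0
    opt = pe_off + 24
    buf = bytearray(headers)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_off)
    buf[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, pe_off + 4, 0x14C, len(raw_sizes), 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", buf, opt, 0x10B)                   # PE32 magic
    struct.pack_into("<I", buf, opt + 36, file_align)
    struct.pack_into("<II", buf, opt + 56, size_of_image, headers)
    ptr = headers
    for i, size in enumerate(raw_sizes):
        sec = opt + opt_size + 40 * i
        buf[sec:sec + 8] = (b".sec%d" % i).ljust(8, b"\0")
        struct.pack_into("<II", buf, sec + 16, size, ptr)     # SizeOfRawData, PointerToRawData
        ptr += size
    return bytes(buf) + bytes(ptr - headers)

if __name__ == "__main__":
    print(check_pe_sizes(build_sample([0x400, 0x1F0], size_of_image=0x600)))
```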

When PE Explorer encounters this kind of discrepancy while verifying the integrity of a file, the following warning dialog is issued (a sample dialog is shown):

A sample warning dialog

This offers the user the option to expand the last section of the file as a way to compensate for the deviation between the SizeOfImage value from the header and the actual physical size of the file. PE Explorer also requires this fix be made in order for subsequent operations on the file to proceed normally.

We highly recommend that you respond [Yes] to this dialog should you encounter it. It will save you from a lot of potential trouble, especially if you are not an expert in PE file structures or are not well versed in the interactions between the values found in the various PE file headers.

When saving a new image file, PE Explorer automatically attempts to correct for deviations of this sort by recalculating the appropriate header values. In most cases, further manipulation of these values is not required.

For more on File Repair, see also Section Header Editor
