The !dh extension displays the PE headers of a module loaded in the target process: the COFF file header, the optional header with its data directories, and the section headers. It reads the headers from the target's memory at the address you give it, so it needs no symbols.

Usage:
!dh [options] <addressOfModule>
Options can be:
-f Displays file headers.

-s Displays section headers.

-a Displays all header information.
Example:
0:532> lm
start    end        module name
00400000 00427000   mtgdi      (deferred)
5a700000 5acaf000   mfc90d     (deferred)
692e0000 69403000   MSVCR90D   (deferred)
71270000 71283000   dwmapi     (deferred)
72cf0000 72d70000   UxTheme    (deferred)
73470000 73475000   MSIMG32    (deferred)
73b50000 73b5d000   MFC90ENU   (deferred)
74fd0000 75053000   COMCTL32   (deferred)
751d0000 751dc000   CRYPTBASE  (deferred)
751e0000 75240000   SspiCli    (deferred)
75240000 75259000   sechost    (deferred)
75260000 75ea6000   SHELL32    (deferred)
75ee0000 75f8c000   msvcrt     (deferred)
75fd0000 76060000   GDI32      (deferred)
76150000 76250000   kernel32   (deferred)
76250000 762ed000   USP10      (deferred)
763b0000 76410000   IMM32      (deferred)
76410000 7649f000   OLEAUT32   (deferred)
764a0000 764e4000   KERNELBASE (deferred)
765c0000 766b0000   RPCRT4     (deferred)
766b0000 76733000   CLBCatQ    (deferred)
76a00000 76aa0000   ADVAPI32   (deferred)
76ce0000 76d37000   SHLWAPI    (deferred)
76f40000 77040000   USER32     (deferred)
77040000 7710c000   MSCTF      (deferred)
77110000 7726b000   ole32      (deferred)
77640000 7764a000   LPK        (deferred)
Now we pass a module's start address, which is its image base, as the argument. The (deferred) marker only means that symbols for the module have not been loaded yet; !dh does not need them. Taking mfc90d at 5a700000 and asking for all headers:
0:532> !dh -a 5a700000

File Type: DLL
FILE HEADER VALUES
     14C machine (i386)
       4 number of sections
488F15C6 time date stamp Tue Jul 29 06:06:14 2008
       0 file pointer to symbol table
       0 number of symbols
      E0 size of optional header
    2102 characteristics
            Executable
            32 bit word machine
            DLL

OPTIONAL HEADER VALUES
     10B magic #
    9.00 linker version
  45B600 size of code
  151A00 size of initialized data
       0 size of uninitialized data
  3F66C0 address of entry point
    1000 base of code
         ----- new -----
5a700000 image base
    1000 section alignment
     200 file alignment
       3 subsystem (Windows CUI)
    5.00 operating system version
    9.00 image version
    5.00 subsystem version
  5AF000 size of image
     400 size of headers
  5B030B checksum
00100000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
     140  DLL characteristics
            Dynamic base
            NX compatible
  44D0A0 [    F4A5] address [size] of Export Directory
  448DB8 [      A0] address [size] of Import Directory
  46B000 [  106C18] address [size] of Resource Directory
       0 [       0] address [size] of Exception Directory
  5A7400 [    23F8] address [size] of Security Directory
  572000 [   38D08] address [size] of Base Relocation Directory
    21D0 [      1C] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
       0 [       0] address [size] of Thread Storage Directory
   59310 [      40] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
    1000 [     CEC] address [size] of Import Address Table Directory
  4471A4 [     200] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory

SECTION HEADER #1
   .text name
  45B545 virtual size
    1000 virtual address
  45B600 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

Debug Directories(1)
          Type       Size     Address  Pointer
          cv           28       59358    58758    Format: RSDS, guid, 17, mfc90d.i386.pdb

SECTION HEADER #2
   .data name
    DC3C virtual size
  45D000 virtual address
    7E00 size of raw data
  45BA00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #3
   .rsrc name
  106C18 virtual size
  46B000 virtual address
  106E00 size of raw data
  463800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #4
  .reloc name
   3CCD4 virtual size
  572000 virtual address
   3CE00 size of raw data
  56A600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only
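A few things worth reading off a dump like this. The addresses in the data directory and section header fields are RVAs, so to inspect them in the debugger you add the image base (the export directory of mfc90d lives at 5a700000+44D0A0). The one exception is the Security Directory: its address is a file offset to the Authenticode certificate table, not an RVA, which is why 5A7400 is exactly the file pointer of .reloc (56A600) plus its raw size (3CE00), i.e. the signature is appended after the last section. The DLL characteristics tell you which mitigations the image opted into (Dynamic base is ASLR, NX compatible is DEP), and the section flags tell you whether any section is both writable and executable. The entry point RVA 3F66C0 falls inside .text (1000 to 45C545), as it should; an entry point outside every code section, or a writable and executable section, is the first thing a packed or tampered image gives away. The script below is an added example, not part of the original page or of the debugger: it constructs a header-only PE32 DLL in memory using the field values from the dump above (so it runs offline and has no real code in its sections), parses the headers with nothing but struct, decodes the flag words into the same names !dh prints, and runs those checks. The helper names (parse_pe32, audit, build_sample_dll) are this example's own.

```python
"""Walk a PE32 image's headers the way WinDbg's !dh does and decode the flag fields.

Added example, not code from the original page or from the debugger. It builds a
header-only PE32 DLL in memory (numbers copied from the mfc90d !dh dump, so it runs
offline) and parses it with struct only. PE32+ (magic 0x20B) has a different
optional-header layout and is rejected rather than misparsed.
"""
import struct
from datetime import datetime, timezone

# Bit names as !dh prints them (IMAGE_FILE_HEADER.Characteristics).
FILE_CHARACTERISTICS = {0x0002: "Executable", 0x0100: "32 bit word machine", 0x2000: "DLL"}
# IMAGE_OPTIONAL_HEADER.DllCharacteristics: the per-image mitigation opt-ins.
DLL_CHARACTERISTICS = {0x0040: "Dynamic base", 0x0080: "Force integrity",
                       0x0100: "NX compatible", 0x0400: "No SEH", 0x4000: "Control Flow Guard"}
# IMAGE_SECTION_HEADER.Characteristics.
SECTION_CHARACTERISTICS = {0x00000020: "Code", 0x00000040: "Initialized Data",
                           0x00000080: "Uninitialized Data", 0x02000000: "Discardable",
                           0x20000000: "Execute", 0x40000000: "Read", 0x80000000: "Write"}
DIRECTORY_NAMES = ["Export", "Import", "Resource", "Exception", "Security", "Base Relocation",
                   "Debug", "Description", "Special", "Thread Storage", "Load Configuration",
                   "Bound Import", "Import Address Table", "Delay Import", "COR20 Header", "Reserved"]
OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6   # 96-byte PE32 optional header
SECT_HDR_FMT = "<8sIIIIIIHHI"                                         # 40-byte IMAGE_SECTION_HEADER


def decode_flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe32(image):
    """Parse DOS header, file header, optional header, data directories and section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsect, stamp, _, _, optsize, chars = struct.unpack_from("<HHIIIHH", image, fh)
    oh = fh + 20
    f = struct.unpack_from(OPT_HDR_FMT, image, oh)
    if f[0] != 0x10B:
        raise ValueError("not a PE32 image (magic %#x)" % f[0])
    pe = {"machine": machine,
          "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
          "characteristics": decode_flags(chars, FILE_CHARACTERISTICS),
          "entry_point": f[6], "image_base": f[9], "subsystem": f[22],
          "dll_characteristics": decode_flags(f[23], DLL_CHARACTERISTICS),
          "directories": {}, "sections": []}
    for i in range(min(f[29], 16)):        # NumberOfRvaAndSizes, capped at the 16 defined entries
        rva, size = struct.unpack_from("<II", image, oh + 96 + 8 * i)
        if size:
            pe["directories"][DIRECTORY_NAMES[i]] = (rva, size)
    for i in range(nsect):                 # section table starts right after the optional header
        name, vsize, va, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECT_HDR_FMT, image, oh + optsize + 40 * i)
        pe["sections"].append({"name": name.rstrip(b"\0").decode(), "virtual_address": va,
                               "virtual_size": vsize, "raw_size": rsize, "raw_pointer": rptr,
                               "flags": decode_flags(flags, SECTION_CHARACTERISTICS)})
    return pe


def section_for_rva(pe, rva):
    for s in pe["sections"]:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return s
    return None


def audit(pe):
    """Checks a practitioner runs over a header dump: entry point placement, W+X sections,
    and whether the image opted into ASLR (Dynamic base) and DEP (NX compatible)."""
    findings = []
    ep = section_for_rva(pe, pe["entry_point"])
    if ep is None:
        findings.append("entry point %#x is outside every section" % pe["entry_point"])
    elif "Execute" not in ep["flags"]:
        findings.append("entry point in non-executable section %s" % ep["name"])
    for s in pe["sections"]:
        if "Execute" in s["flags"] and "Write" in s["flags"]:
            findings.append("section %s is writable and executable" % s["name"])
    for wanted in ("Dynamic base", "NX compatible"):
        if wanted not in pe["dll_characteristics"]:
            findings.append("image is not marked %s" % wanted)
    return findings


def build_sample_dll(text_flags=0x60000020):
    """Constructed header-only PE32 DLL; field values copied from the mfc90d !dh output.
    text_flags lets a caller plant a writable .text section to see audit() fire."""
    sections = [(b".text", 0x45B545, 0x1000, 0x45B600, 0x400, text_flags),
                (b".data", 0xDC3C, 0x45D000, 0x7E00, 0x45BA00, 0xC0000040),
                (b".rsrc", 0x106C18, 0x46B000, 0x106E00, 0x463800, 0x40000040),
                (b".reloc", 0x3CCD4, 0x572000, 0x3CE00, 0x56A600, 0x42000040)]
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: PE signature at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x488F15C6, 0, 0, 0xE0, 0x2102)
    opt = struct.pack(OPT_HDR_FMT, 0x10B, 9, 0, 0x45B600, 0x151A00, 0, 0x3F66C0, 0x1000, 0x45D000,
                      0x5A700000, 0x1000, 0x200, 5, 0, 9, 0, 5, 0, 0, 0x5AF000, 0x400, 0x5B030B,
                      3, 0x140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[0], dirs[1], dirs[6] = (0x44D0A0, 0xF4A5), (0x448DB8, 0xA0), (0x21D0, 0x1C)
    dirs[4], dirs[10] = (0x5A7400, 0x23F8), (0x59310, 0x40)        # Security entry is a file offset
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    sect = b"".join(struct.pack(SECT_HDR_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + sect


if __name__ == "__main__":
    pe = parse_pe32(build_sample_dll())
    print("%#x %s" % (pe["image_base"], ", ".join(pe["dll_characteristics"])))
    print("entry point lands in", section_for_rva(pe, pe["entry_point"])["name"])
    print("findings on a W+X .text:", audit(parse_pe32(build_sample_dll(text_flags=0xE0000020))))
```

Run against a real file, parse_pe32(open(path, "rb").read()) gives the same fields !dh shows for a file-layout image; the timestamp comes out in UTC (13:06:14), whereas the debugger printed it in the local time zone of the machine that produced the dump (06:06:14). The W+X and entry point checks are the headers-only part of what a loader or a memory scanner would verify; they say nothing about what the code in the sections does.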