Clive Turvey has written some excellent tools for extracting information from Windows PE executable (exe, dll, sys, etc.) files, and from Windows PDB debug symbol files. Clive has given me permission to host these.
Download a zip file containing dumppe, dumppdb, dumplx, and the guid.dat and win32_dll_ord.dat files (see below): clive_turvey_utils_dumppe_dumppdb.zip
I will be using these tools (among many others) in a forthcoming six-hour video from Packt on Software Reverse Engineering.
dumppe command-line options:
Usage : DumpPE [options] <Win32 PE Portable Executable>

Options :
  -quiet                     Suppress copyright string
  -disasm                    Rough disassembly
  -disasm:start,length       -disasm:400DE,1FE
  -disasm:+offset,length     -disasm:+DE,1FE
  -disasm:!symbol            -disasm:!start
  -def <File>                Disassembler definition file
  -dat <File>                Specify Ordinal database file
  -guid <File>               Specify GUID database file
  -getsym                    Pull symbols from Microsoft Symbol Server
  -path <Path>               Alternate path for PDB symbols
  -pdb <File>                Specify PDB symbol file
  -reloc                     Display base relocations
  -checksum                  Calculate Checksum
  -resource                  Display resource section
  -nosym                     Suppress symbolic output
The combination of -getsym and -disasm is particularly useful, providing much of the functionality available for Win32 disassembly in IDA Pro.
The -guid option will use a file such as guid.dat (in the zip file) to improve disassembly by providing text names for UUIDs/GUIDs in the code.
The -dat option will use a file such as win32_dll_ord.dat (in the zip file) to improve disassembly by providing text names for module.ordinal imports (e.g. OLEAUT32.7 is SysStringLen).
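The two databases exist because a PE file itself does not carry the names dumppe wants to print: an import by ordinal is stored in the import lookup table as a number with the high bit set (no function name anywhere in the file), and a GUID embedded in code or data is just 16 raw bytes in memory layout. The following added example (my own code, not part of Clive Turvey's tools) parses a constructed import lookup table and a raw GUID and resolves both through small in-memory dictionaries that stand in for win32_dll_ord.dat and guid.dat; the real on-disk format of those .dat files is not reproduced, and the sample image is a flat buffer where RVA equals file offset, which is a simplification of how a real loader maps RVAs through the section table. The OLEAUT32.7 -> SysStringLen mapping is the one cited above; IID_IUnknown is a well-known COM interface ID.

```python
"""Added example: why dumppe's -dat and -guid databases are needed.

Resolves (1) imports by ordinal from a PE import lookup table and (2) raw
16-byte GUIDs, using tiny lookup tables that stand in for win32_dll_ord.dat
and guid.dat. All input below is constructed in memory; it is not a valid PE.
"""
import struct
import uuid

IMAGE_ORDINAL_FLAG64 = 1 << 63   # PE32+ import lookup table entries
IMAGE_ORDINAL_FLAG32 = 1 << 31   # PE32 import lookup table entries

# Stand-in for win32_dll_ord.dat: "MODULE.ordinal" -> export name.
ORDINAL_DB = {"OLEAUT32.7": "SysStringLen"}

# Stand-in for guid.dat: canonical text form -> symbolic name.
GUID_DB = {"00000000-0000-0000-c000-000000000046": "IID_IUnknown"}


def parse_import_lookup_table(image, ilt_rva, pe32plus=True):
    """Walk one DLL's import lookup table (INT) until the zero terminator.

    `image` is a flat buffer in which RVA == offset (simplification for the
    constructed sample). Returns ("ordinal", n) or ("name", hint, str) tuples.
    """
    entry_fmt, flag = ("<Q", IMAGE_ORDINAL_FLAG64) if pe32plus else ("<I", IMAGE_ORDINAL_FLAG32)
    size = struct.calcsize(entry_fmt)
    entries = []
    pos = ilt_rva
    while True:
        (value,) = struct.unpack_from(entry_fmt, image, pos)
        if value == 0:
            break
        if value & flag:
            # Import by ordinal: only the low 16 bits are meaningful.
            entries.append(("ordinal", value & 0xFFFF))
        else:
            # Import by name: low 31 bits are the RVA of a hint/name entry
            # (2-byte hint followed by a NUL-terminated ASCII name).
            hint_rva = value & 0x7FFFFFFF
            (hint,) = struct.unpack_from("<H", image, hint_rva)
            end = image.index(b"\0", hint_rva + 2)
            entries.append(("name", hint, image[hint_rva + 2:end].decode("ascii")))
        pos += size
    return entries


def resolve_imports(module, entries, ordinal_db=ORDINAL_DB):
    """Turn INT entries into display names, as a -dat database lets dumppe do.
    Unknown ordinals fall back to the bare MODULE.ordinal form."""
    out = []
    for e in entries:
        if e[0] == "name":
            out.append(f"{module}!{e[2]}")
        else:
            key = f"{module}.{e[1]}"
            out.append(f"{module}!{ordinal_db[key]}" if key in ordinal_db else key)
    return out


def guid_from_raw(raw16):
    """Convert a GUID as laid out in memory (Data1/Data2/Data3 little-endian,
    Data4 as-is) into its canonical lowercase text form."""
    return str(uuid.UUID(bytes_le=bytes(raw16)))


def name_guid(raw16, guid_db=GUID_DB):
    """Name a raw GUID via the -guid style database, else print it in braces."""
    text = guid_from_raw(raw16)
    return guid_db.get(text, "{" + text.upper() + "}")


def build_sample_image():
    """Constructed sample (not a real PE): an INT for OLEAUT32 with one import
    by ordinal (7) and one by name, plus the hint/name entry it points to."""
    ilt_rva, hint_rva = 0x100, 0x200
    img = bytearray(0x300)
    struct.pack_into("<QQQ", img, ilt_rva,
                     IMAGE_ORDINAL_FLAG64 | 7,   # OLEAUT32.7, no name in file
                     hint_rva,                   # by name, see hint/name below
                     0)                          # terminator
    struct.pack_into("<H", img, hint_rva, 2)     # hint value (constructed)
    name = b"SysAllocString\0"
    img[hint_rva + 2:hint_rva + 2 + len(name)] = name
    return bytes(img), ilt_rva


if __name__ == "__main__":
    image, ilt = build_sample_image()
    print(resolve_imports("OLEAUT32", parse_import_lookup_table(image, ilt)))
    # In-memory bytes of IID_IUnknown {00000000-0000-0000-C000-000000000046}
    print(name_guid(bytes(8) + b"\xc0" + bytes(6) + b"\x46"))
```

Run as a script it prints `['OLEAUT32!SysStringLen', 'OLEAUT32!SysAllocString']` followed by `IID_IUnknown`; without the ordinal table the first import could only be shown as OLEAUT32.7, which is exactly the gap the -dat option closes.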
====
For more information on PDB files, and source code for a Microsoft PDB dumper, see https://github.com/Microsoft/microsoft-pdb; Microsoft’s cvdump works with PDB files and is available at https://github.com/Microsoft/microsoft-pdb/tree/master/cvdump.
cvdump help:
Microsoft (R) Debugging Information Dumper Version 14.00.23611
Copyright (C) Microsoft Corporation. All rights reserved.

Usage: cvdump [-?] [-asmin] [-coffsymrva] [-fixup] [-fpo] [-ftm] [-g] [-h] [-headers] [-id] [-inll] [-illines] [-l] [-m] [-MXXX] [-omapf] [-omapt] [-p] [-pdata] [-pdbpath] [-s] [-seccontrib] [-sf] [-S] [-t] [-tmap] [-tmw] [-ttm] [-x] [-xdata] [-xme] [-xmi] file

  -asmin        Merged assembly input
  -fixup        Debug fixups (PDB only)
  -fpo          FPO data
  -ftm          Function token map
  -g            Global Symbols
  -h            Header (section table)
  -headers      Section Headers (PDB only)
  -id           IDs
  -inll         Inlinee lines
  -illines      IL lines
  -l            Source lines
  -m            Modules
  -MXXX         XXX = Module number to dump
  -omapf        OMAP From Source (PDB only)
  -omapt        OMAP To Source (PDB only)
  -p            Publics
  -pdata        Function Table Entries (PDB only)
  -pdbpath      PDB search details
  -s            Symbols
  -seccontrib   Section contributions (PDB only)
  -sf           Sorted source file list
  -stringtable  String table
  -S            Dump static symbols only
  -t            Types
  -tmap         Token Map (PDB only)
  -tmw          Type UDT Mismatches
  -ttm          Type token map
  -x            Segment Map
  -xdata        Exception Data (PDB only)
  -xme          Cross module export IDs
  -xmi          Cross module import IDs
  file          Executable file to dump
cvdump -pdbpath <pe_file> is especially useful when its output is piped through a C++ demangling utility such as Microsoft's undname or vc++filt, or submitted to the online demangler (https://demangler.com/).