trashbin

 

version 0.2

10 June 2003
18 May 2004

[contact me]

 

Trashbin is a tool for looking into PE files. It is similar to Microsoft's dumpbin, which is distributed with Visual Studio.

Trashbin lets you view standard PE file contents the way dumpbin does (though it can't do some things that dumpbin does). In addition to the functionality of dumpbin.exe, it can display metadata information in managed (aka .NET) PE files. There is a description of trashbin and its functionality in my blog entry here. Read these notes first.

Please do mail me back about bugs and suggestions.


Download trashbin (src + binary) ~ 42kb

     Trashbin is distributed as source + binary, and you are free to do anything with the code you find here. If you intend to use the code as part of a derivative work or as part of another project/distribution, I expect you to drop me a mail about it and be gracious enough to take my views about it. You are, however, NOT bound to do this in any way.

 

Trashbin gives you the following options :
(Notes about trashbin functionality)

   
c:\>trashbin
Spark (?)  Managed(.Net)/Native PE-COFF file viewer. Version 0.2
May 2003, contact: rosh@mvps.org
Last update: May 2004

usage: trashbin <PE filename> [options]

        portable executable info:
        /dos     display dos header
        /sig     display the file signature
        /coff    display coff header
        /pe      display pe/optional header
        /dd      display data directories in pe header
        /sec     display section headers
        /exp     display export table
        /imp     display import table
        /reloc   display relocation information
        /tls     display Thread Local Storage information

        managed info:
        /corhdr          display the common language runtime header
        /mdhdr           display metadata headers
        /md:Strings      display metadata stream #Strings
        /md:Blob         display metadata stream #Blob
        /md:US           display metadata stream #US (user strings)
        /md:GUID         display metadata stream #GUID
        /md:#~           display optimised metadata tables stream-header
        /mdtab           display optimised metadata tables

        other:
        /type    indicates the type of the PE file
        /csv     enable excel compatible, CSV output

        ps. The name trashbin is 'inspired' from dumpbin :)
 
 

 

     
 

Metadata display

 


Given a simple C# program like this:

   
//csc prog.cs
using System;

// Minimal class used to show how C# members surface in the metadata dump that
// follows. Its name is stored in #Strings as "Sample" and is referenced by the
// second TypeDef row.
class Sample
{
	// Instance field with no access modifier (private by default in C#).
	// It is the single row of the Field table, named "MemberString".
	string MemberString;
	
	// Property over MemberString. The dump lists its accessors as the methods
	// get_MyString and set_MyString, plus one Property row named "MyString";
	// the setter's implicit parameter appears in #Strings as "value".
	string MyString
	{
		get {return MemberString; }
		set {MemberString = value; }
	}
	
	// Writes the formatted line n times. The parameter names "n" and "abc" are
	// kept in #Strings and the Param table. The literals "string = {0}" and
	// "hello " are the first two entries of the #US (user strings) stream, and
	// the + concatenation shows up as a MemberRef named "Concat".
	void MemberFunction(int n,string abc)
	{
		for(int i=0;i<n;i++)
			Console.WriteLine("string = {0}","hello "+abc);
	}

	// Program entry point. It is row 4 of the Method table, which is the row
	// that EntryPointToken = 0x6000004 in the CLR header selects. The literal
	// "world" is the third #US entry.
	static void Main()
	{
		Sample s = new Sample();
		s.MemberFunction(10, "world");
	}
}
 

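Trashbin gives the following output (the #Strings stream below records the module name as "hw.exe", so this capture appears to come from a build of the same source named hw.exe rather than prog.exe):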

c:\>trashbin prog.exe /corhdr /mdhdr /md:Strings /md:GUID /md:US /md:Blob /md:#~ /mdtab

IMAGE_COR20_HEADER
	cb = 0x48
	MajorRuntimeVersion = 0x2
	MinorRuntimeVersion = 0
	IMAGE_DATA_DIRECTORY : MetaData
		MetaData.VirtualAddress = 0x20e0
		MetaData.Size = 0x328
	Flags = 0x1
	EntryPointToken = 0x6000004
	Resources = 0
	StrongNameSignature = 0
	IMAGE_DATA_DIRECTORY : CodeManagerTable
		CodeManagerTable.VirtualAddress = 0
		CodeManagerTable.Size = 0
	IMAGE_DATA_DIRECTORY : VTableFixups
		VTableFixups.VirtualAddress = 0
		VTableFixups.Size = 0
	IMAGE_DATA_DIRECTORY : ExportAddressTableJumps
		ExportAddressTableJumps.VirtualAddress = 0
		ExportAddressTableJumps.Size = 0
	IMAGE_DATA_DIRECTORY : ManagedNativeHeader
		ManagedNativeHeader.VirtualAddress = 0
		ManagedNativeHeader.Size = 0
METADATA HEADERS
	Storage Signature:Signature = 0x424a5342 
	Storage Signature:MajorVersion = 0x1 
	Storage Signature:MinorVersion = 0x1 
	Storage Signature:ExtraData = 0 
	Storage Signature:Length = 12 
	Storage Signature:szVersionstring = "v1.0.3705" 

	Storage Header:fFlags = 0 
	Storage Header:nStreams = 5 

0	Stream Hdr:Offset = 0x6c
	Stream Hdr:cbStream = 0x154
	Stream Hdr:Name = #~

1	Stream Hdr:Offset = 0x1c0
	Stream Hdr:cbStream = 0xd0
	Stream Hdr:Name = #Strings

2	Stream Hdr:Offset = 0x290
	Stream Hdr:cbStream = 0x38
	Stream Hdr:Name = #US

3	Stream Hdr:Offset = 0x2c8
	Stream Hdr:cbStream = 0x10
	Stream Hdr:Name = #GUID

4	Stream Hdr:Offset = 0x2d8
	Stream Hdr:cbStream = 0x50
	Stream Hdr:Name = #Blob

METADATA STREAM #US
0x1, (25 bytes)
    Txt: s.t.r.i.n.g.........0....
    Hex: 73 00 74 00 72 00 69 00 6e 00 67 00 20 00 3d 00 20 00 7b 00 30 00 7d 00 00 
0x1B, (13 bytes)
    Txt: h.e.l.l.o....
    Hex: 68 00 65 00 6c 00 6c 00 6f 00 20 00 00 
0x29, (11 bytes)
    Txt: w.o.r.l.d..
    Hex: 77 00 6f 00 72 00 6c 00 64 00 00 
METADATA STREAM #Blob
0x1, (8 bytes)
    Txt: .z.V.4..
    Hex: b7 7a 5c 56 19 34 e0 89 
0xA, (2 bytes)
    Txt: ..
    Hex: 06 0e 
0xD, (3 bytes)
    Txt: ...
    Hex: 20 00 0e 
0x11, (4 bytes)
    Txt: ....
    Hex: 20 01 01 0e 
0x16, (5 bytes)
    Txt: .....
    Hex: 20 02 01 08 0e 
0x1C, (3 bytes)
    Txt: ...
    Hex: 00 00 01 
0x20, (3 bytes)
    Txt: ...
    Hex: 20 00 01 
0x24, (3 bytes)
    Txt: ...
    Hex: 28 00 0e 
0x28, (5 bytes)
    Txt: .....
    Hex: 20 02 01 02 02 
0x2E, (3 bytes)
    Txt: ...
    Hex: 07 01 0e 
0x32, (5 bytes)
    Txt: .....
    Hex: 00 02 0e 0e 0e 
0x38, (5 bytes)
    Txt: .....
    Hex: 00 02 01 0e 1c 
0x3E, (3 bytes)
    Txt: ...
    Hex: 07 01 08 
0x42, (4 bytes)
    Txt: ....
    Hex: 07 01 12 08 
0x47, (6 bytes)
    Txt: ......
    Hex: 01 00 00 01 00 00 
METADATA STREAM #Strings
	Offset : "String"
	0x1    : ""
	0xA    : "hw.exe"
	0x11   : "mscorlib"
	0x1A   : "System"
	0x21   : "Object"
	0x28   : "Sample"
	0x2F   : "MemberString"
	0x3C   : "get_MyString"
	0x49   : "set_MyString"
	0x56   : "MemberFunction"
	0x65   : "Main"
	0x6A   : ".ctor"
	0x70   : "MyString"
	0x79   : "System.Diagnostics"
	0x8C   : "DebuggableAttribute"
	0xA0   : "hw"
	0xA3   : "value"
	0xA9   : "n"
	0xAB   : "abc"
	0xAF   : "String"
	0xB6   : "Concat"
	0xBD   : "Console"
	0xC5   : "WriteLine"
METADATA STREAM #GUID
0.	{D257D91B-405B9591-52003AA1-48217D7D}
METADATA STREAM #~
	TABLES HEADER
		MajorVersion = 1
		MinorVersion = 0
		HeapSizes = 0
			#String Index = 2 bytes wide
			#GUID Index = 2 bytes wide
			#Blob Index = 2 bytes wide
		Valid  = 0x00000901a21557
		Sorted = 0x0002003301fa00

	METADATA Tables
		RID. 	           TableName	[No of Rows]
		0. 	              Module	[1] 	Row=10 bytes
		1. 	             TypeRef	[4] 	Row=6 bytes
		2. 	             TypeDef	[2] 	Row=14 bytes
		4. 	               Field	[1] 	Row=6 bytes
		6. 	              Method	[5] 	Row=14 bytes
		8. 	               Param	[3] 	Row=6 bytes
		10. 	           MemberRef	[4] 	Row=6 bytes
		12. 	     CustomAttribute	[1] 	Row=6 bytes
		17. 	       StandAloneSig	[3] 	Row=2 bytes
		21. 	         PropertyMap	[1] 	Row=4 bytes
		23. 	            Property	[1] 	Row=6 bytes
		24. 	     MethodSemantics	[2] 	Row=6 bytes
		32. 	            Assembly	[1] 	Row=22 bytes
		35. 	         AssemblyRef	[1] 	Row=20 bytes
	Table Count = 14
METADATA TABLES

[RID=0] Table Module
     [  DATA]Generation [STRING]Name     [  GUID]Mvid     [  GUID]EncId    [  GUID]EncBaseId 
   1.[  0x  ]0          [  0x  ]A        [  0x  ]1        [  0x  ]0        [  0x  ]0         

[RID=1] Table TypeRef
     [CI:75 ]ResolutionScope [STRING]Name     [STRING]Namespace 
   1.[RID:35] 1              [  0x  ]21       [  0x  ]1A        
   2.[RID:35] 1              [  0x  ]8C       [  0x  ]79        
   3.[RID:35] 1              [  0x  ]AF       [  0x  ]1A        
   4.[RID:35] 1              [  0x  ]BD       [  0x  ]1A        

[RID=2] Table TypeDef
     [  DATA]Flags    [STRING]Name     [STRING]Namespace [CI:64 ]Extends  [RID: 4]FieldList [RID: 6]MethodList 
   1.[  0x  ]0        [  0x  ]1        [  0x  ]0         [RID: 2] 0       [RID: 4] 1        [RID: 6] 1         
   2.[  0x  ]100000   [  0x  ]28       [  0x  ]0         [RID: 1] 1       [RID: 4] 1        [RID: 6] 1         

[RID=4] Table Field
     [  DATA]Flags    [STRING]Name     [  BLOB]Signature 
   1.[  0x  ]1        [  0x  ]2F       [  0x  ]A         

[RID=6] Table Method
     [  DATA]RVA      [  DATA]ImplFlags [  DATA]Flags    [STRING]Name     [  BLOB]Signature [RID: 8]ParamList 
   1.[  0x  ]2050     [  0x  ]0         [  0x  ]881      [  0x  ]3C       [  0x  ]D         [RID: 8] 1        
   2.[  0x  ]2068     [  0x  ]0         [  0x  ]881      [  0x  ]49       [  0x  ]11        [RID: 8] 1        
   3.[  0x  ]207C     [  0x  ]0         [  0x  ]81       [  0x  ]56       [  0x  ]16        [RID: 8] 2        
   4.[  0x  ]20AC     [  0x  ]0         [  0x  ]91       [  0x  ]65       [  0x  ]1C        [RID: 8] 4        
   5.[  0x  ]20CC     [  0x  ]0         [  0x  ]1886     [  0x  ]6A       [  0x  ]20        [RID: 8] 4        

[RID=8] Table Param
     [  DATA]Flags    [  DATA]Sequence [STRING]Name     
   1.[  0x  ]0        [  0x  ]1        [  0x  ]A3       
   2.[  0x  ]0        [  0x  ]1        [  0x  ]A9       
   3.[  0x  ]0        [  0x  ]2        [  0x  ]AB       

[RID=10] Table MemberRef
     [CI:69 ]Class    [STRING]Name     [  BLOB]Signature 
   1.[RID: 1] 2       [  0x  ]6A       [  0x  ]28        
   2.[RID: 1] 3       [  0x  ]B6       [  0x  ]32        
   3.[RID: 1] 4       [  0x  ]C5       [  0x  ]38        
   4.[RID: 1] 1       [  0x  ]6A       [  0x  ]20        

[RID=12] Table CustomAttribute
     [CI:66 ]Parent   [CI:74 ]Type     [  BLOB]Value    
   1.[RID:32] 1       [RID:10] 1       [  0x  ]47       

[RID=32] Table Assembly
     [  DATA]HashAlgId [  DATA]MajorVersion [  DATA]MinorVersion [  DATA]BuildNumber [  DATA]RevisionNumber [  DATA]Flags    [  BLOB]PublicKey [STRING]Name     [STRING]Locale   
   1.[  0x  ]8004      [  0x  ]0            [  0x  ]0            [  0x  ]0           [  0x  ]0              [  0x  ]0        [  0x  ]0         [  0x  ]A0       [  0x  ]0        

[RID=35] Table AssemblyRef
     [  DATA]MajorVersion [  DATA]MinorVersion [  DATA]BuildNumber [  DATA]RevisionNumber [  DATA]Flags    [  BLOB]PublicKeyOrToken [STRING]Name     [STRING]Locale   [  BLOB]HashValue 
   1.[  0x  ]1            [  0x  ]0            [  0x  ]CE4         [  0x  ]0              [  0x  ]0        [  0x  ]1                [  0x  ]11       [  0x  ]0        [  0x  ]0