
Wednesday, August 23, 2023

Python 3.11.0 : Testing PE executable files x64 with capstone and pefile python modules.

You need to install the capstone python module.
pip install capstone --user
Collecting capstone
  Obtaining dependency information for capstone from https://files.pythonhosted.org/packages/d0/dd/b28df50316ca193dd1275a4c47115a720796d9e1501c1888c4bfa5dc2260/capstone-5.0.1-py3-none-win_amd64.whl.metadata
  
  Downloading capstone-5.0.1-py3-none-win_amd64.whl.metadata (3.5 kB)
Downloading capstone-5.0.1-py3-none-win_amd64.whl (1.3 MB)
   ---------------------------------------- 1.3/1.3 MB 1.6 MB/s eta 0:00:00
Installing collected packages: capstone
Successfully installed capstone-5.0.1
You also need to install the pefile python module.
pip install pefile --user
Collecting pefile
  Downloading pefile-2023.2.7-py3-none-any.whl (71 kB)
     ---------------------------------------- 71.8/71.8 kB 564.7 kB/s eta 0:00:00
Installing collected packages: pefile
Successfully installed pefile-2023.2.7
I used an old, simple PE64 executable created with the fasm tool from this source code:
; 64-bit Windows GUI program for fasm: shows dialog resource 37 through
; DialogBoxParam and then calls ExitProcess.
format PE64 GUI 5.0
entry start
include 'INCLUDE\win64a.inc'
section '.text' code readable executable
  start:
        ; presumably realigns the stack to 16 bytes before the API calls -- confirm
        push    rbp
        ; The module handle returned in rax is passed straight on as the first
        ; argument of DialogBoxParam; 37 is the dialog id declared in .rsrc.
        invoke  GetModuleHandle,0
        invoke  DialogBoxParam,rax,37,HWND_DESKTOP,DialogProc,0
        invoke  ExitProcess,0
; Dialog procedure. The four arguments arrive in rcx, rdx, r8 and r9 and are
; stored into the hWnd/wMsg/wParam/lParam slots named on the proc line.
; rax is 0 for messages that are not handled here (the jmp finish path) and
; 1 on the sc_restore and processed paths; the other paths return whatever
; the last API call left in rax.
proc DialogProc uses rbx rsi rdi,hWnd,wMsg,wParam,lParam
        mov             [hWnd],rcx
        mov             [wMsg],rdx
        mov             [wParam],r8
        mov             [lParam],r9

        ; Dispatch on the message number; anything else returns 0.
        cmp     [wMsg],WM_COMMAND
        je      wmcommand
        cmp     [wMsg],WM_CLOSE
        je      wmclose
        cmp     [wMsg],WM_SYSCOMMAND
        je      wmsyscommand
        xor     rax,rax
        jmp     finish
wmsyscommand:
        ; Only SC_RESTORE is handled here; every other system command is
        ; forwarded to DefWindowProc and its result is returned.
        cmp     [wParam],SC_RESTORE
        je      sc_restore
        invoke  DefWindowProc,[hWnd],[wMsg],[wParam],[lParam]
        ret
   sc_restore:
        ; Animate for 1000 (0x3e8) with flags 0x00040004, then restore the window.
        invoke  AnimateWindow,[hWnd],DWORD 1000,0x00040004      ;HERE IT IS
        invoke  ShowWindow,[hWnd],SW_RESTORE
        mov     rax,1
        ret
wmcommand:
        ; A click on the OK button minimizes the dialog; any other command
        ; goes to processed and returns 1.
        cmp     [wParam],BN_CLICKED shl 16 + IDOK
        jne     processed
        invoke  ShowWindow,[hWnd],SW_MINIMIZE
        ret
wmclose:
        ; No ret after EndDialog: execution falls through into processed.
        invoke  EndDialog,[hWnd],0
processed:
        mov     rax,1
        ret ; this no need and use cmp to get error
;        cmp rax,0
;        je show_error
;        show_error:
;        invoke  GetLastError ;must call this first and save the result before doing anything else
;        invoke  wsprintf,...
;        invoke  MessageBox,...
finish:
        ret
endp
; Import table. CheckRadioButton, GetDlgItemText, IsDlgButtonChecked and
; MessageBox are declared here but never invoked by the code above, so the
; import list of the built file is wider than what the program calls.
section '.idata' import data readable writeable
  library kernel,'KERNEL32.DLL',\
          user,'USER32.DLL'
  import kernel,\
         GetModuleHandle,'GetModuleHandleA',\
         ExitProcess,'ExitProcess'
  import user,\
         DialogBoxParam,'DialogBoxParamA',\
         CheckRadioButton,'CheckRadioButton',\
         GetDlgItemText,'GetDlgItemTextA',\
         IsDlgButtonChecked,'IsDlgButtonChecked',\
         MessageBox,'MessageBoxA',\
         DefWindowProc,'DefWindowProcA',\
         EndDialog,'EndDialog',\
         AnimateWindow,'AnimateWindow',\
         ShowWindow,'ShowWindow'
; Resources: a single dialog with id 37 that contains one OK button.
section '.rsrc' resource data readable
  directory RT_DIALOG,dialogs
  resource dialogs,\
           37,LANG_ENGLISH+SUBLANG_DEFAULT,demonstration
  dialog demonstration,'Create message box',70,70,190,175,WS_CAPTION+WS_POPUP+WS_SYSMENU+DS_MODALFRAME
       dialogitem 'BUTTON','OK',IDOK,85,150,45,15,WS_VISIBLE+WS_TABSTOP+BS_DEFPUSHBUTTON
  enddialog
This is the source code for the python script:
import pefile
from capstone import *

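exe_file = 'test_001_no_err_imp.EXE'
pe = pefile.PE(exe_file)

# Pick the decoder mode from the PE header rather than hard-coding it.
# Decoding 64-bit code with CS_MODE_32 turns every REX prefix byte into a
# separate inc/dec instruction and shows the registers with 32-bit names.
machine = pe.FILE_HEADER.Machine
if machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_AMD64']:
    mode = CS_MODE_64
elif machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386']:
    mode = CS_MODE_32
else:
    raise SystemExit('unsupported machine type: 0x%x' % machine)

# find text section
# Name is an 8-byte field padded with NULs, so strip the padding before
# comparing. The name is only a convention: for a file of unknown origin the
# section that holds AddressOfEntryPoint, or any section flagged executable,
# is the more reliable thing to look for.
text = None
for section in pe.sections:
    if section.Name.rstrip(b'\x00') == b'.text':
        text = section
        break
if text is None:
    # Without this check the script would fail later on an undefined name.
    raise SystemExit('no .text section found in %s' % exe_file)

offset = text.VirtualAddress

# get_data() returns the section bytes as stored in the file. Cut them at the
# virtual size so the zero padding up to SizeOfRawData is not decoded as
# instructions. Both sizes are read from the file's own header, so they are
# untrusted values when the input is an unknown sample.
size = text.Misc_VirtualSize or text.SizeOfRawData
code = text.get_data()[:size]

# start disassembling text section
md = Cs(CS_ARCH_X86, mode)
md.detail = True
# Addresses are printed as RVAs (the section's VirtualAddress), not as
# ImageBase + RVA.
for i in md.disasm(code, offset):
    print('0x%x:\t%s\t%s' % (i.address, i.mnemonic, i.op_str))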
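This is the result. Note that this listing was decoded with CS_MODE_32 although the file is PE64: each REX prefix byte of the 64-bit code shows up as a separate `dec eax` / `dec ecx` / `dec esp` line and the registers are printed with their 32-bit names, so for example `dec eax` followed by `sub esp, 0x20` is really `sub rsp, 0x20`. The long run of `add byte ptr [eax], al` at the end is the zero padding of the section, not code: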
python capstone_test_001.py
0x1000: push    ebp
0x1001: dec     eax
0x1002: sub     esp, 0x20
0x1005: dec     eax
0x1006: mov     ecx, 0
0x100c: call    dword ptr [0x105e]
0x1012: dec     eax
0x1013: add     esp, 0x20
0x1016: dec     eax
0x1017: sub     esp, 0x30
0x101a: dec     eax
0x101b: mov     ecx, eax
0x101d: dec     eax
0x101e: mov     edx, 0x25
0x1024: dec     ecx
0x1025: mov     eax, 0
0x102b: dec     ecx
0x102c: mov     ecx, 0x40105a
0x1032: dec     eax
0x1033: mov     dword ptr [esp + 0x20], 0
0x103b: call    dword ptr [0x109f]
0x1041: dec     eax
0x1042: add     esp, 0x30
0x1045: dec     eax
0x1046: sub     esp, 0x20
0x1049: dec     eax
0x104a: mov     ecx, 0
0x1050: call    dword ptr [0x1022]
0x1056: dec     eax
0x1057: add     esp, 0x20
0x105a: push    ebp
0x105b: dec     eax
0x105c: mov     ebp, esp
0x105e: dec     eax
0x105f: sub     esp, 8
0x1062: push    ebx
0x1063: push    esi
0x1064: push    edi
0x1065: dec     eax
0x1066: mov     dword ptr [ebp + 0x10], ecx
0x1069: dec     eax
0x106a: mov     dword ptr [ebp + 0x18], edx
0x106d: dec     esp
0x106e: mov     dword ptr [ebp + 0x20], eax
0x1071: dec     esp
0x1072: mov     dword ptr [ebp + 0x28], ecx
0x1075: dec     eax
0x1076: cmp     dword ptr [ebp + 0x18], 0x111
0x107d: je      0x1110
0x1083: dec     eax
0x1084: cmp     dword ptr [ebp + 0x18], 0x10
0x1088: je      0x1135
0x108e: dec     eax
0x108f: cmp     dword ptr [ebp + 0x18], 0x112
0x1096: je      0x10a0
0x1098: dec     eax
0x1099: xor     eax, eax
0x109b: jmp     0x115a
0x10a0: dec     eax
0x10a1: cmp     dword ptr [ebp + 0x20], 0xf120
0x10a8: je      0x10cd
0x10aa: dec     eax
0x10ab: sub     esp, 0x20
0x10ae: dec     eax
0x10af: mov     ecx, dword ptr [ebp + 0x10]
0x10b2: dec     eax
0x10b3: mov     edx, dword ptr [ebp + 0x18]
0x10b6: dec     esp
0x10b7: mov     eax, dword ptr [ebp + 0x20]
0x10ba: dec     esp
0x10bb: mov     ecx, dword ptr [ebp + 0x28]
0x10be: call    dword ptr [0x1024]
0x10c4: dec     eax
0x10c5: add     esp, 0x20
0x10c8: pop     edi
0x10c9: pop     esi
0x10ca: pop     ebx
0x10cb: leave
0x10cc: ret
0x10cd: dec     eax
0x10ce: sub     esp, 0x20
0x10d1: dec     eax
0x10d2: mov     ecx, dword ptr [ebp + 0x10]
0x10d5: mov     edx, 0x3e8
0x10da: dec     ecx
0x10db: mov     eax, 0x40004
0x10e1: call    dword ptr [0x1011]
0x10e7: dec     eax
0x10e8: add     esp, 0x20
0x10eb: dec     eax
0x10ec: sub     esp, 0x20
0x10ef: dec     eax
0x10f0: mov     ecx, dword ptr [ebp + 0x10]
0x10f3: dec     eax
0x10f4: mov     edx, 9
0x10fa: call    dword ptr [0x1000]
0x1100: dec     eax
0x1101: add     esp, 0x20
0x1104: dec     eax
0x1105: mov     eax, 1
0x110b: pop     edi
0x110c: pop     esi
0x110d: pop     ebx
0x110e: leave
0x110f: ret
0x1110: dec     eax
0x1111: cmp     dword ptr [ebp + 0x20], 1
0x1115: jne     0x114e
0x1117: dec     eax
0x1118: sub     esp, 0x20
0x111b: dec     eax
0x111c: mov     ecx, dword ptr [ebp + 0x10]
0x111f: dec     eax
0x1120: mov     edx, 6
0x1126: call    dword ptr [0xfd4]
0x112c: dec     eax
0x112d: add     esp, 0x20
0x1130: pop     edi
0x1131: pop     esi
0x1132: pop     ebx
0x1133: leave
0x1134: ret
0x1135: dec     eax
0x1136: sub     esp, 0x20
0x1139: dec     eax
0x113a: mov     ecx, dword ptr [ebp + 0x10]
0x113d: dec     eax
0x113e: mov     edx, 0
0x1144: call    dword ptr [0xfa6]
0x114a: dec     eax
0x114b: add     esp, 0x20
0x114e: dec     eax
0x114f: mov     eax, 1
0x1155: pop     edi
0x1156: pop     esi
0x1157: pop     ebx
0x1158: leave
0x1159: ret
0x115a: pop     edi
0x115b: pop     esi
0x115c: pop     ebx
0x115d: leave
0x115e: ret
0x115f: add     byte ptr [eax], al
0x1161: add     byte ptr [eax], al
0x1163: add     byte ptr [eax], al
0x1165: add     byte ptr [eax], al
0x1167: add     byte ptr [eax], al
0x1169: add     byte ptr [eax], al
0x116b: add     byte ptr [eax], al
0x116d: add     byte ptr [eax], al
0x116f: add     byte ptr [eax], al
0x1171: add     byte ptr [eax], al
0x1173: add     byte ptr [eax], al
0x1175: add     byte ptr [eax], al
0x1177: add     byte ptr [eax], al
0x1179: add     byte ptr [eax], al
0x117b: add     byte ptr [eax], al
0x117d: add     byte ptr [eax], al
0x117f: add     byte ptr [eax], al
0x1181: add     byte ptr [eax], al
0x1183: add     byte ptr [eax], al
0x1185: add     byte ptr [eax], al
0x1187: add     byte ptr [eax], al
0x1189: add     byte ptr [eax], al
0x118b: add     byte ptr [eax], al
0x118d: add     byte ptr [eax], al
0x118f: add     byte ptr [eax], al
0x1191: add     byte ptr [eax], al
0x1193: add     byte ptr [eax], al
0x1195: add     byte ptr [eax], al
0x1197: add     byte ptr [eax], al
0x1199: add     byte ptr [eax], al
0x119b: add     byte ptr [eax], al
0x119d: add     byte ptr [eax], al
0x119f: add     byte ptr [eax], al
0x11a1: add     byte ptr [eax], al
0x11a3: add     byte ptr [eax], al
0x11a5: add     byte ptr [eax], al
0x11a7: add     byte ptr [eax], al
0x11a9: add     byte ptr [eax], al
0x11ab: add     byte ptr [eax], al
0x11ad: add     byte ptr [eax], al
0x11af: add     byte ptr [eax], al
0x11b1: add     byte ptr [eax], al
0x11b3: add     byte ptr [eax], al
0x11b5: add     byte ptr [eax], al
0x11b7: add     byte ptr [eax], al
0x11b9: add     byte ptr [eax], al
0x11bb: add     byte ptr [eax], al
0x11bd: add     byte ptr [eax], al
0x11bf: add     byte ptr [eax], al
0x11c1: add     byte ptr [eax], al
0x11c3: add     byte ptr [eax], al
0x11c5: add     byte ptr [eax], al
0x11c7: add     byte ptr [eax], al
0x11c9: add     byte ptr [eax], al
0x11cb: add     byte ptr [eax], al
0x11cd: add     byte ptr [eax], al
0x11cf: add     byte ptr [eax], al
0x11d1: add     byte ptr [eax], al
0x11d3: add     byte ptr [eax], al
0x11d5: add     byte ptr [eax], al
0x11d7: add     byte ptr [eax], al
0x11d9: add     byte ptr [eax], al
0x11db: add     byte ptr [eax], al
0x11dd: add     byte ptr [eax], al
0x11df: add     byte ptr [eax], al
0x11e1: add     byte ptr [eax], al
0x11e3: add     byte ptr [eax], al
0x11e5: add     byte ptr [eax], al
0x11e7: add     byte ptr [eax], al
0x11e9: add     byte ptr [eax], al
0x11eb: add     byte ptr [eax], al
0x11ed: add     byte ptr [eax], al
0x11ef: add     byte ptr [eax], al
0x11f1: add     byte ptr [eax], al
0x11f3: add     byte ptr [eax], al
0x11f5: add     byte ptr [eax], al
0x11f7: add     byte ptr [eax], al
0x11f9: add     byte ptr [eax], al
0x11fb: add     byte ptr [eax], al
0x11fd: add     byte ptr [eax], al

Thursday, February 8, 2018

Python 2.7 : Testing the pefile python module.

pefile is a python module to read and work with PE (Portable Executable) files.
Installing this python module is very easy with the pip tool.
I tested it on the default example created with FASM to see if it works well:
This is the source code:
; Example of 64-bit PE program
; Shows one message box and exits with the value MessageBoxA returned.
format PE64 GUI
entry start

section '.text' code readable executable

  start:
        sub     rsp,8*5         ; reserve stack for API use and make stack dqword aligned

        ; MessageBoxA arguments in rcx, rdx, r8, r9: rcx = 0, rdx = text,
        ; r8 = caption, r9d = 0.
        mov     r9d,0
        lea     r8,[_caption]
        lea     rdx,[_message]
        mov     rcx,0
        call    [MessageBoxA]

        ; The value MessageBoxA returned in eax becomes the process exit code.
        mov     ecx,eax
        call    [ExitProcess]

section '.data' data readable writeable

  _caption db 'Win64 assembly program',0
  _message db 'Hello World!',0

section '.idata' import data readable writeable

  ; Import directory written by hand: one 5-dword descriptor per DLL and an
  ; all-zero descriptor as terminator. The first three dwords of each
  ; descriptor are left at 0; only the DLL name RVA and the table RVA are set.
  dd 0,0,0,RVA kernel_name,RVA kernel_table
  dd 0,0,0,RVA user_name,RVA user_table
  dd 0,0,0,0,0

  ; Per-DLL tables of qword entries pointing at the hint/name records below,
  ; each terminated by a zero qword. The code calls through these slots.
  kernel_table:
    ExitProcess dq RVA _ExitProcess
    dq 0
  user_table:
    MessageBoxA dq RVA _MessageBoxA
    dq 0

  kernel_name db 'KERNEL32.DLL',0
  user_name db 'USER32.DLL',0

  ; Hint/name records: a 16-bit hint (0 here) followed by the function name.
  _ExitProcess dw 0
    db 'ExitProcess',0
  _MessageBoxA dw 0
    db 'MessageBoxA',0  
The python script I used to test this python module is this:
import sys
from sys import argv
import mmap
import pefile

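# Fail with a usage line instead of an IndexError when no file is given.
if len(argv) != 2:
    raise SystemExit("usage: pe.py FILE")

# A PE file is binary data, so open it in binary mode rather than "r".
fp = open(argv[1], "rb")
try:
    # Named "mapped" so the builtin map() is not shadowed.
    mapped = mmap.mmap(fp.fileno(), 0, access=mmap.ACCESS_READ)
    try:
        # mapped[:] copies the whole file into memory before pefile parses it,
        # so the mapping and the file can be released right after this call.
        pe = pefile.PE(data=mapped[:])
    finally:
        mapped.close()
finally:
    fp.close()

# The parenthesised form prints the same dump under Python 2.7 and Python 3.
print(pe)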
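The output is this (the parsing warning about byte 0x00 is expected for this small sample: each section has only 0x2D, 0x24 or 0x90 bytes of content and is padded with zeros up to its SizeOfRawData of 0x200):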
C:\Python27>python.exe pe.py PE64DEMO.EXE
----------Parsing Warnings----------

Byte 0x00 makes up 87.5488% of the file's contents. This may indicate truncation / malformation.

----------DOS_HEADER----------

[IMAGE_DOS_HEADER]
0x0 0x0 e_magic: 0x5A4D
0x2 0x2 e_cblp: 0x80
0x4 0x4 e_cp: 0x1
0x6 0x6 e_crlc: 0x0
0x8 0x8 e_cparhdr: 0x4
0xA 0xA e_minalloc: 0x10
0xC 0xC e_maxalloc: 0xFFFF
0xE 0xE e_ss: 0x0
0x10 0x10 e_sp: 0x140
0x12 0x12 e_csum: 0x0
0x14 0x14 e_ip: 0x0
0x16 0x16 e_cs: 0x0
0x18 0x18 e_lfarlc: 0x40
0x1A 0x1A e_ovno: 0x0
0x1C 0x1C e_res:
0x24 0x24 e_oemid: 0x0
0x26 0x26 e_oeminfo: 0x0
0x28 0x28 e_res2:
0x3C 0x3C e_lfanew: 0x80

----------NT_HEADERS----------

[IMAGE_NT_HEADERS]
0x80 0x0 Signature: 0x4550

----------FILE_HEADER----------

[IMAGE_FILE_HEADER]
0x84 0x0 Machine: 0x8664
0x86 0x2 NumberOfSections: 0x3
0x88 0x4 TimeDateStamp: 0x5A1954AF [Sat Nov 25 11:31:59 2017 UTC]
0x8C 0x8 PointerToSymbolTable: 0x0
0x90 0xC NumberOfSymbols: 0x0
0x94 0x10 SizeOfOptionalHeader: 0xF0
0x96 0x12 Characteristics: 0x2F
Flags: IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED

----------OPTIONAL_HEADER----------

[IMAGE_OPTIONAL_HEADER64]
0x98 0x0 Magic: 0x20B
0x9A 0x2 MajorLinkerVersion: 0x1
0x9B 0x3 MinorLinkerVersion: 0x49
0x9C 0x4 SizeOfCode: 0x200
0xA0 0x8 SizeOfInitializedData: 0x400
0xA4 0xC SizeOfUninitializedData: 0x0
0xA8 0x10 AddressOfEntryPoint: 0x1000
0xAC 0x14 BaseOfCode: 0x1000
0xB0 0x18 ImageBase: 0x400000
0xB8 0x20 SectionAlignment: 0x1000
0xBC 0x24 FileAlignment: 0x200
0xC0 0x28 MajorOperatingSystemVersion: 0x1
0xC2 0x2A MinorOperatingSystemVersion: 0x0
0xC4 0x2C MajorImageVersion: 0x0
0xC6 0x2E MinorImageVersion: 0x0
0xC8 0x30 MajorSubsystemVersion: 0x5
0xCA 0x32 MinorSubsystemVersion: 0x0
0xCC 0x34 Reserved1: 0x0
0xD0 0x38 SizeOfImage: 0x4000
0xD4 0x3C SizeOfHeaders: 0x200
0xD8 0x40 CheckSum: 0xECAF
0xDC 0x44 Subsystem: 0x2
0xDE 0x46 DllCharacteristics: 0x0
0xE0 0x48 SizeOfStackReserve: 0x1000
0xE8 0x50 SizeOfStackCommit: 0x1000
0xF0 0x58 SizeOfHeapReserve: 0x10000
0xF8 0x60 SizeOfHeapCommit: 0x0
0x100 0x68 LoaderFlags: 0x0
0x104 0x6C NumberOfRvaAndSizes: 0x10
DllCharacteristics:

----------PE Sections----------

[IMAGE_SECTION_HEADER]
0x188 0x0 Name: .text
0x190 0x8 Misc: 0x2D
0x190 0x8 Misc_PhysicalAddress: 0x2D
0x190 0x8 Misc_VirtualSize: 0x2D
0x194 0xC VirtualAddress: 0x1000
0x198 0x10 SizeOfRawData: 0x200
0x19C 0x14 PointerToRawData: 0x200
0x1A0 0x18 PointerToRelocations: 0x0
0x1A4 0x1C PointerToLinenumbers: 0x0
0x1A8 0x20 NumberOfRelocations: 0x0
0x1AA 0x22 NumberOfLinenumbers: 0x0
0x1AC 0x24 Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 0.540255 (Min=0.0, Max=8.0)
MD5 hash: 54edeb1437149ccc09183b623e3be7b8
SHA-1 hash: c473f3db5ca81084db3489ab3519832ded9cc28c
SHA-256 hash: 74e9ff7d6902292d9a8ad93174aef46596f8f1fe9eb5dd72b9ebc99f8bd2ecfb
SHA-512 hash: 070610baa66d6efcbb2cc7e935c2afd2686068818c00b772b3e62de103389cecbc6c309976e10860a974532a1018fba9da50effb64c60f533433dbb808ba088c

[IMAGE_SECTION_HEADER]
0x1B0 0x0 Name: .data
0x1B8 0x8 Misc: 0x24
0x1B8 0x8 Misc_PhysicalAddress: 0x24
0x1B8 0x8 Misc_VirtualSize: 0x24
0x1BC 0xC VirtualAddress: 0x2000
0x1C0 0x10 SizeOfRawData: 0x200
0x1C4 0x14 PointerToRawData: 0x400
0x1C8 0x18 PointerToRelocations: 0x0
0x1CC 0x1C PointerToLinenumbers: 0x0
0x1D0 0x20 NumberOfRelocations: 0x0
0x1D2 0x22 NumberOfLinenumbers: 0x0
0x1D4 0x24 Characteristics: 0xC0000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy: 0.627189 (Min=0.0, Max=8.0)
MD5 hash: 6684d4efed7dc864e5bbb0280faa841b
SHA-1 hash: 0214a59237a9020d3fa41419107a59f276a95e5f
SHA-256 hash: 23ae47e7bfb842935b35775428fe9c5df5c3f46fa46c2da2e93a27ba031ae091
SHA-512 hash: 60eeefcb47e1e63584342049a66d4539ab4b580190faf9d2629e0db1336933835c207e419060cce08cfec430e2f1e13a90cac7abfb05679ed5d84dac8997f12f

[IMAGE_SECTION_HEADER]
0x1D8 0x0 Name: .idata
0x1E0 0x8 Misc: 0x90
0x1E0 0x8 Misc_PhysicalAddress: 0x90
0x1E0 0x8 Misc_VirtualSize: 0x90
0x1E4 0xC VirtualAddress: 0x3000
0x1E8 0x10 SizeOfRawData: 0x200
0x1EC 0x14 PointerToRawData: 0x600
0x1F0 0x18 PointerToRelocations: 0x0
0x1F4 0x1C PointerToLinenumbers: 0x0
0x1F8 0x20 NumberOfRelocations: 0x0
0x1FA 0x22 NumberOfLinenumbers: 0x0
0x1FC 0x24 Characteristics: 0xC0000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Entropy: 0.996929 (Min=0.0, Max=8.0)
MD5 hash: 073b9b0656f7ca77d968f183a1ceb909
SHA-1 hash: acefe438c7bfef7362b87519349c5a7b251aa43d
SHA-256 hash: 016761b2d3b31ed8eeddccc9f56e6338978171a0082c066cbf2b28cecd77566a
SHA-512 hash: a5fb7ace9108f63c96c9da239fc5077106cf3ffe8e31a1ab0a11b589a8e6af9e66d23c38060c157a3e34125bc5af495c770e48bc00172a5c8ec78b34794628b3

----------Directories----------

[IMAGE_DIRECTORY_ENTRY_EXPORT]
0x108 0x0 VirtualAddress: 0x0
0x10C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
0x110 0x0 VirtualAddress: 0x3000
0x114 0x4 Size: 0x90
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
0x118 0x0 VirtualAddress: 0x0
0x11C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
0x120 0x0 VirtualAddress: 0x0
0x124 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
0x128 0x0 VirtualAddress: 0x0
0x12C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
0x130 0x0 VirtualAddress: 0x0
0x134 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
0x138 0x0 VirtualAddress: 0x0
0x13C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
0x140 0x0 VirtualAddress: 0x0
0x144 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
0x148 0x0 VirtualAddress: 0x0
0x14C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
0x150 0x0 VirtualAddress: 0x0
0x154 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
0x158 0x0 VirtualAddress: 0x0
0x15C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
0x160 0x0 VirtualAddress: 0x0
0x164 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT]
0x168 0x0 VirtualAddress: 0x0
0x16C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
0x170 0x0 VirtualAddress: 0x0
0x174 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
0x178 0x0 VirtualAddress: 0x0
0x17C 0x4 Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
0x180 0x0 VirtualAddress: 0x0
0x184 0x4 Size: 0x0

----------Imported symbols----------

[IMAGE_IMPORT_DESCRIPTOR]
0x600 0x0 OriginalFirstThunk: 0x0
0x600 0x0 Characteristics: 0x0
0x604 0x4 TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
0x608 0x8 ForwarderChain: 0x0
0x60C 0xC Name: 0x305C
0x610 0x10 FirstThunk: 0x303C

KERNEL32.DLL.ExitProcess Hint[0]

[IMAGE_IMPORT_DESCRIPTOR]
0x614 0x0 OriginalFirstThunk: 0x0
0x614 0x0 Characteristics: 0x0
0x618 0x4 TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
0x61C 0x8 ForwarderChain: 0x0
0x620 0xC Name: 0x3069
0x624 0x10 FirstThunk: 0x304C

USER32.DLL.MessageBoxA Hint[0]