  Message 1 of 3  
06 Mar 18 18:30
Albert
xxxxxx@gmail.com
Join Date: 08 Aug 2005
Posts To This List: 321
PE File typing

I am looking for ways to identify different kinds of PE files like services, versus DLLs versus drivers versus regular PE exe files. Is there a way to classify all this from the PE headers, or is the only way to assertively do this to look at the export tables?

thanks
Al
  Message 2 of 3  
06 Mar 18 21:48
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10257
PE File typing

The PE header can tell you kernel VS user mode. A service exe is the same as a normal exe, so no, the PE header won't tell you. You have to look at the imports to infer what the binary's runtime functionality is.

Bent from my phone
  Message 3 of 3  
07 Mar 18 04:42
raj r
xxxxxx@gmail.com
Join Date: 20 Jul 2006
Posts To This List: 322
PE File typing

you can use pefile in python

    :\>cat pyel.py
    import pefile
    pe = pefile.PE("c:\\windows\\system32\\calc.exe")
    print(pe.is_dll())
    print(pe.is_driver())
    print(pe.is_exe())

    :\>python pyel.py
    False
    False
    True

as doron replied you can't differentiate between a normal exe and exe for service

On 3/7/18, xxxxx@microsoft.com <xxxxx@lists.osr.com> wrote:
> The PE header can tell you kernel VS user mode. A service exe is the same as a
> normal exe, so no, the PE header won't tell you. You have to look at the
> imports to infer what the binary's runtime functionality is.
>
> Bent from my phone
> ________________________________
> From: xxxxx@lists.osr.com <xxxxx@lists.osr.com>
> on behalf of xxxxx@gmail.com <xxxxx@lists.osr.com>
> Sent: Tuesday, March 6, 2018 3:29:15 PM
> To: Windows System Software Devs Interest List
<...excess quoted lines suppressed...>
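The header checks discussed in this thread, written out with only the standard library as an added example that is not part of any poster's message: it reads the COFF `Characteristics` and optional-header `Subsystem` fields directly and shows why a service EXE needs a look beyond the headers. The names `classify_pe` and `build_sample` are hypothetical, the sample images are constructed header-only byte strings, and the raw scan for the `StartServiceCtrlDispatcher` import name is a triage heuristic standing in for real import-table parsing.

```python
import struct

IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag
IMAGE_SUBSYSTEM_NATIVE = 1         # optional-header Subsystem value
SERVICE_HINT = b"StartServiceCtrlDispatcher"   # import a service EXE needs


def classify_pe(data):
    """Return (kind, maybe_service) for the raw bytes of a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24            # 4-byte signature + 20-byte COFF header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < opt + 70:
        raise ValueError("missing or truncated PE headers")
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Subsystem sits at offset 68 of the optional header in both PE32 and PE32+.
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        kind = "native"            # how kernel-mode drivers are linked
    elif characteristics & IMAGE_FILE_DLL:
        kind = "dll"
    else:
        kind = "exe"
    # Headers cannot separate a service from a normal EXE. Heuristic only:
    # look for the service dispatcher import name anywhere in the file.
    maybe_service = kind == "exe" and SERVICE_HINT in data
    return kind, maybe_service


def build_sample(characteristics, subsystem, extra=b""):
    """Constructed header-only PE32+ image for the demo (not loadable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, 0x20B)
    struct.pack_into("<H", optional, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(optional) + extra


if __name__ == "__main__":
    print(classify_pe(build_sample(0x0022, 3)))                 # console EXE
    print(classify_pe(build_sample(0x0022, 3, SERVICE_HINT + b"W\0")))
    print(classify_pe(build_sample(0x2022, 2)))                 # DLL
    print(classify_pe(build_sample(0x0022, 1)))                 # native
```

The import-name scan misses binaries that are packed or that import by ordinal, so treat a negative result as "unknown" rather than "not a service".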
All times are GMT -5.