Reversing
1 February 2011

Exclude Raw Data From “dumpbin.exe /ALL” on a COFF or EXE file

The dumpbin.exe tool is included with Visual Studio, and it's a great way to get details on the structure of a Windows Portable Executable or COFF file. For those of you who don’t know: the Portable Executable format is used by Windows for .exe files, and it is based on COFF. You can run it from the Visual Studio Command Prompt.

Now if you want all information you would use dumpbin /all bla.exe. This gives you all the information on the structure of the file, but it also prints all the ‘raw’ content: the CPU instructions. This will leave you with a dump that is very hard to read. To omit the raw content, use the following command:

dumpbin /all /rawdata:none bla.exe

This will print ALL the information about the file, except the raw data. You can also save the output to a file.

dumpbin /all /rawdata:none bla.exe > bla.exe.txt

This will save the dump to bla.exe.txt in the same directory. Running this command on C:\Windows\notepad.exe generates this output:

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.
 
Dump of file notepad.exe
 
PE signature found
 
File Type: EXECUTABLE IMAGE
 
FILE HEADER VALUES
    14C machine (x86)
    4 number of sections
    4A5BC60F time date stamp Tue Jul 14 01:41:03 2009
    0 file pointer to symbol table
    0 number of symbols
    E0 size of optional header
    102 characteristics
    Executable
    32 bit word machine
 
        ...much more>
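
The FILE HEADER VALUES lines above are the 20-byte COFF file header that follows the PE signature. The following Python is an added example, not part of the original post: it reads that header directly and lists the fields in the same order, which is useful for checking a dump by hand. The function names are hypothetical, the sample bytes are constructed from the values shown above rather than read from notepad.exe, and only PE images (not bare COFF objects) are handled.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x014C: "x86", 0x8664: "x64"}
# Subset of the IMAGE_FILE_* characteristics bits, labelled as in the dump above.
FLAGS = {0x0002: "Executable", 0x0100: "32 bit word machine", 0x2000: "DLL"}

def parse_file_header(data: bytes) -> dict:
    """Locate the PE signature and unpack the 20-byte COFF file header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    names = ("machine", "sections", "timestamp", "symtab_ptr",
             "symbols", "opt_header_size", "characteristics")
    return dict(zip(names, struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)))

def timestamp_utc(hdr: dict) -> str:
    """Link time as UTC (the 01:41:03 in the dump matches a UTC+2 clock)."""
    return datetime.fromtimestamp(hdr["timestamp"], timezone.utc).isoformat()

def describe(hdr: dict) -> list:
    """Render the header in the same order as FILE HEADER VALUES."""
    machine = MACHINES.get(hdr["machine"], "unknown")
    lines = [f"{hdr['machine']:X} machine ({machine})",
             f"{hdr['sections']:X} number of sections",
             f"{hdr['timestamp']:X} time date stamp {timestamp_utc(hdr)}",
             f"{hdr['symtab_ptr']:X} file pointer to symbol table",
             f"{hdr['symbols']:X} number of symbols",
             f"{hdr['opt_header_size']:X} size of optional header",
             f"{hdr['characteristics']:X} characteristics"]
    lines += [name for bit, name in FLAGS.items() if hdr["characteristics"] & bit]
    return lines

def build_sample() -> bytes:
    """Constructed 88-byte sample: DOS header, PE signature, values shown above."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0x4A5BC60F, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    print("\n".join(describe(parse_file_header(build_sample()))))
```

To run it against a real file, pass the file's bytes (for example `open(path, "rb").read()`) to `parse_file_header` instead of the constructed sample.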

Here are some great resources on executable formats if you are interested:
