Project 3: PE Header Dump Tool

Quick Reference

Attribute              Value
Primary Language       C
Alternative Languages  C++
Difficulty             Level 2: Intermediate
Time Estimate          1-2 weeks
Knowledge Area         Binary Formats / Windows Executables
Tooling                PE file format
Prerequisites          Project 2; comfort with pointers, pointer arithmetic, and type casting

What You Will Build

A command-line utility that reads a .exe or .dll file and prints key information from its PE headers, such as the target machine type, number of sections, and timestamp. In effect, it is a simplified dumpbin /headers.

Why It Matters

This project builds core skills that appear repeatedly in real-world systems and tooling.

Core Challenges

  • Reading a binary file → maps to using CreateFile and ReadFile correctly
  • Mapping PE structures → maps to casting pointers to IMAGE_DOS_HEADER, IMAGE_NT_HEADERS, etc.
  • Navigating the PE format → maps to following offsets like e_lfanew to find the main headers
  • Distinguishing 32-bit vs. 64-bit headers → maps to checking the OptionalHeader.Magic field
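
The navigation described in the list above, as an added example that is not part of the original guide: it follows e_lfanew to the NT headers and reads OptionalHeader.Magic, checking every file-supplied offset and size against the buffer length first. The names pe_info, pe_parse and make_sample are hypothetical, the sample image is constructed, and the parser reads bytes explicitly instead of casting to the IMAGE_* structs so it builds without windows.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result struct holding the fields the tool prints. */
typedef struct { uint32_t e_lfanew, timestamp; uint16_t machine, sections, opt_size, magic; } pe_info;

/* Explicit little-endian reads: no struct casts, so no alignment or packing assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 0 on success, or a negative code naming the check that failed. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out) {
    if (len < 64 || rd16(buf) != 0x5A4D) return -1;      /* 64-byte DOS header, "MZ" */
    uint32_t off = rd32(buf + 0x3C);                      /* e_lfanew comes from the file: untrusted */
    if (off > len || len - off < 24 + 2) return -2;       /* signature + file header + Magic must fit */
    if (memcmp(buf + off, "PE\0\0", 4) != 0) return -3;
    const uint8_t *fh = buf + off + 4;                    /* IMAGE_FILE_HEADER, 20 bytes */
    out->e_lfanew = off;
    out->machine = rd16(fh);
    out->sections = rd16(fh + 2);
    out->timestamp = rd32(fh + 4);
    out->opt_size = rd16(fh + 16);                        /* SizeOfOptionalHeader */
    if (out->opt_size < 2 || out->opt_size > len - off - 24) return -4;  /* must lie inside the file */
    out->magic = rd16(fh + 20);                           /* 0x10b = PE32, 0x20b = PE32+ */
    return (out->magic == 0x10b || out->magic == 0x20b) ? 0 : -5;
}

/* Constructed sample: a zeroed buffer carrying only the fields parsed above. */
void make_sample(uint8_t *b, size_t len, uint32_t lfanew) {
    memset(b, 0, len);
    b[0] = 'M'; b[1] = 'Z';
    for (int i = 0; i < 4; i++) b[0x3C + i] = (uint8_t)(lfanew >> (8 * i));
    if (lfanew > len - 26) return;       /* out-of-range offset: leave the rest zeroed */
    uint8_t *p = b + lfanew;
    memcpy(p, "PE\0\0", 4);
    p[4] = 0x64; p[5] = 0x86;            /* Machine 0x8664 (x64) */
    p[6] = 12;                           /* NumberOfSections */
    p[20] = 240;                         /* SizeOfOptionalHeader */
    p[24] = 0x0b; p[25] = 0x02;          /* Magic 0x20b (PE32+) */
}

int main(void) {
    uint8_t img[512]; pe_info pi;
    make_sample(img, sizeof img, 0xF8);
    int rc = pe_parse(img, sizeof img, &pi);
    printf("valid: rc=%d machine=0x%04x magic=0x%03x\n", rc, (unsigned)pi.machine, (unsigned)pi.magic);
    make_sample(img, sizeof img, 0xFFFFFFF0u);
    printf("out-of-range e_lfanew: rc=%d\n", pe_parse(img, sizeof img, &pi));
    return 0;
}
```

The same checks apply when the file is read with CreateFile and ReadFile and the IMAGE_* structs are used: compare e_lfanew and SizeOfOptionalHeader against the number of bytes actually read before casting a pointer at that offset.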

Key Concepts

  • PE Header Structure: “Windows Internals, Part 2, 7th Edition” - Chapter 7
  • File Mapping: “Windows System Programming, 4th Edition” - Chapter 7 (An alternative to ReadFile)
  • Data Alignment and Struct Packing: “Expert C Programming” by Peter van der Linden - Chapter 2

Real-World Outcome

> ./pe_dumper.exe C:\Windows\System32\kernel32.dll
Parsing 'C:\Windows\System32\kernel32.dll'...

DOS Header:
  Magic: MZ
  PE Header Offset: 0x000000F8

NT Headers:
  Signature: PE
  Machine: x64 (0x8664)
  NumberOfSections: 12
  Timestamp: 2025-11-20 10:30:00
  SizeOfOptionalHeader: 240
  Characteristics: Executable Image, DLL

Optional Header:
  Magic: PE32+ (0x20b)
  ImageBase: 0x00007FF84A9F0000
  Subsystem: Windows GUI

Implementation Guide

  1. Reproduce the simplest happy-path scenario.
  2. Build the smallest working version of the core feature.
  3. Add input validation and error handling.
  4. Add instrumentation/logging to confirm behavior.
  5. Refactor into clean modules with tests.

Milestones

  • Milestone 1: Minimal working program that runs end-to-end.
  • Milestone 2: Correct outputs for typical inputs.
  • Milestone 3: Robust handling of edge cases.
  • Milestone 4: Clean structure and documented usage.

Validation Checklist

  • Output matches the real-world outcome example
  • Handles invalid inputs safely
  • Provides clear errors and exit codes
  • Repeatable results across runs

References

  • Main guide: LEARN_WINDOWS_SYSTEMS_PROGRAMMING_CPP.md
  • “Practical Malware Analysis” by Sikorski & Honig (for its excellent PE format breakdown)