Tool for check a valid PE Win32 File...


sennaspy
December 19th, 2007, 14:58
Hi all!

Where can I find a tool (with source code is better :-))
to check if a PE Win32 file is valid or invalid?

I need this tool to separate corrupted files.

Thank you

ZaiRoN
December 19th, 2007, 15:07
How accurate should the check be?

I think you could try looking at Iczelion's PE tutorials; if I recall correctly there's an initial PE check in every tute.

disavowed
December 20th, 2007, 18:04
sennaspy, define "valid".

JMI
December 20th, 2007, 20:35
And what did YOU do to attempt to determine if there is one already available on the net? You did not say whether you attempted to find one for yourself and that is something we require of posters here.

You need to make an effort to help yourself before you ask others for help. If you have already attempted to find such a "tool," how would we know?

Now actually read the FAQ!

Regards,

sennaspy
December 21st, 2007, 05:50
Sometimes, if you run an exe file, Windows shows the error "not a valid win32 file"... but this error is displayed only if you run the exe file... I need a tool or any other program to detect if a .exe file is valid or invalid WITHOUT needing to run it.

In other words... how to detect if a PE Win32 file is corrupted or not without needing to run the file.

Thank you

Squallsurf
December 21st, 2007, 10:19
If you just need a basic analysis you can easily code it yourself; that takes a dozen lines in asm.
Take a look at the Portable Executable File Format; you can find, as ZaiRoN has said, a basic test function in Iczelion's PE Tutorials.

blabberer
December 21st, 2007, 13:14
the dialog "this file is not a valid win32 application" is spawned by shell32.dll by

Call stack of main thread, item 19
Address=0006E6FC
Stack=774A9444
Procedure / arguments=? SHELL32.ShellMessageBoxW
Called from=SHELL32.774A943F
Frame=0006E694

this is a part of ShellExecuteW() last error

ERROR_BAD_EXE_FORMAT (000000C1)

Call stack of main thread, item 23
Address=0006EB9C
Stack=77418D4D
Procedure / arguments=SHELL32.ShellExecuteExW
Called from=SHELL32.77418D48
Frame=0006EB98


this API simply checks if the file has an MZ header or not; if there is no MZ header it spits out that dialog box

so if you are concerned with only that messagebox, simply code a
CreateFile() ReadFile() lstrcmp((char *)result string "MZ",2)
and discard anything that fails here as an invalid PE file
in a loop say

for f = file 1 to n do {CreateFile() ReadFile() if!(lstrcmp((char *)result string "MZ",2)) {discard this file} }


if you want to check this out
open notepad and save a blank file as foo.exe and double click it; you will get that messagebox

now type MZ in another notepad and save it as foo1.exe and double click it
you will see it starts a command prompt and closes
so ShellExecuteW thinks that this file is a valid DOS executable and tries to run it as such

and in the first case it didn't find even MZ so it spat out that messagebox

gigaman
December 21st, 2007, 15:08
A PE file, invalid on one OS (= Windows version), might be perfectly valid on another OS, and vice versa. So, there's no general "Valid/Invalid" answer - you have to link it to a particular OS.

disavowed
December 21st, 2007, 19:55
yes, gigaman is right. different versions of windows are more "lenient" than others when it comes to the pe file format. and checking for "full validity" pretty much means writing your own loader -- validating sections, imports, etc.
it is not a trivial task.

Jupiter
January 3rd, 2008, 19:34
You can try PeVerify module ("http://hiew.ru/hem.html") for Hiew ("http://hiew.ru/").

http://hiew.ru/hem.html
http://hiew.ru/

P.S. About imports: a PE file without imports will not run on Win2k, but will run on WinXP. In addition, WinXP will load a dll without the ".dll" extension, for ex.: "kernel32" instead of "kernel32.dll". Such a file will be 'valid' only for WinXP.


EDIT Kayaker: Jupiter, embedded links such as those don't work in any forum other than the Blogs forum. I reposted the direct links in order.

jms
January 7th, 2008, 11:05
I find the pefile Python library from Ero Carrera to be one of the best PE parsers and manipulators (this is included in the Python lib for ID). You could also take a look at PEiD.

aionescu
January 25th, 2008, 10:24
You can take a look at the ReactOS source code; the PE loader tries to be as close as possible to the Windows NT+ one (and was based off the PE spec + hacks that Microsoft implemented that were found through feeding it garbage PEs which actually do load when they shouldn't).

Be aware that on Windows NT+, there are multiple compiler/linker-specific hacks which modify a PE to allow it to load (ReactOS does not implement those).

So as everyone said, "Valid PE" is a very lax term...

Daniel Pistelli
February 8th, 2008, 05:48
As already pointed out by Ionescu, the term Valid PE is indeed a very lax one. Moreover, checking a .NET assembly is even more complicated, since you'd have to check the tables' integrity, the code integrity, the stack integrity etc. OK, there's already a tool that does that provided by the .NET framework. However, that tool isn't perfect either and doesn't check some other problems. When I wrote my .NET compiler I spent literally days figuring out what was wrong one time or another time in the format I produced, and the MS tools didn't help. But let's not go OT, I just wanted to say that this topic triggered my interest because it was a good opportunity to test the CFF Explorer's scripting capabilities. So, yesterday I took two hours and wrote a little script (called PE Validator Script) which checks for some of the most common problems in a PE. Since it's a script (thus open source) it can be expanded easily.

You can find it in the extension repository:

http://www.woodmann.com/collaborative/tools/PE_Validator_Script

Here are the current checks:

-- check CRC32 (useful for drivers)
-- check number of rva and sizes
-- check image size
-- check sections
-- check that EP is valid
-- check that EP is in code
-- check that the EP section is executable
-- check data directories RVAs
-- check whether the API IsDebuggerPresent is imported

Don't be too serious about it, it's just a thing I did for fun.
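Added example, not code from this thread nor from Hiew, CFF Explorer or pefile: a stdlib-only Python script that implements blabberer's MZ test (the one ShellExecute performs before showing the "not a valid Win32 application" box) and most of the structural checks in Daniel Pistelli's list (number of RVAs and sizes, image size, sections, entry point valid / in code / in an executable section, data directory RVAs, and the header checksum). Two caveats the code carries as comments: the optional-header CheckSum field uses the imagehlp word-sum algorithm rather than a CRC32, and the certificate directory holds a file offset, not an RVA, so it is excluded from the RVA bounds test. The IsDebuggerPresent import check is omitted because it needs an import table walker. build_sample_pe() fabricates a minimal PE32 image (constructed here, not a real binary) so the validator can be exercised offline; it also reproduces blabberer's blank-file and MZ-only experiments. As gigaman and disavowed point out, passing these checks only means "structurally sane", not "will load on every Windows version".

```python
"""Structural PE sanity checks with only the standard library (constructed example).

Not the thread's, Hiew's, CFF Explorer's or pefile's code; build_sample_pe()
fabricates a tiny PE32 image so everything runs offline.
"""
import struct

DOS_HEADER_SIZE, COFF_HEADER_SIZE, SECTION_HEADER_SIZE = 64, 20, 40
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def pe_checksum(data, checksum_offset):
    """Optional-header CheckSum as imagehlp computes it: a 16-bit end-around-carry
    sum over 32-bit words, skipping the CheckSum field itself, plus the file
    length. Note that this is not a CRC32."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def validate_pe(data):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    # The test ShellExecute makes before showing "not a valid Win32 application".
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        return ["no MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + COFF_HEADER_SIZE > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["missing or out-of-file PE signature"]
    _, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF_HEADER_SIZE
    if opt_off + 2 > len(data):
        return ["optional header truncated"]
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        return ["unknown optional header magic 0x%x" % magic]
    dd_off = opt_off + (112 if magic == 0x20B else 96)  # start of the data directory table
    if opt_size < dd_off - opt_off or opt_off + opt_size > len(data):
        return ["optional header truncated"]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    size_of_image, size_of_headers, checksum = struct.unpack_from("<III", data, opt_off + 56)
    nrva = struct.unpack_from("<I", data, dd_off - 4)[0]
    if nrva > 16:
        problems.append("NumberOfRvaAndSizes %d exceeds 16" % nrva)
    if size_of_headers > len(data):
        problems.append("SizeOfHeaders larger than the file")
    # Directory 4 (certificate table) holds a file offset, not an RVA, so it is skipped.
    for i in range(min(nrva, 16, (opt_off + opt_size - dd_off) // 8)):
        rva, size = struct.unpack_from("<II", data, dd_off + 8 * i)
        if i != 4 and rva and rva + size > size_of_image:
            problems.append("data directory %d (RVA 0x%x) outside image" % (i, rva))
    sec_off, ep_section, image_end = opt_off + opt_size, None, size_of_headers
    for i in range(nsections):
        off = sec_off + SECTION_HEADER_SIZE * i
        if off + SECTION_HEADER_SIZE > len(data):
            problems.append("section table truncated")
            break
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        label = name.rstrip(b"\0").decode("latin-1")
        if raw_size and raw_ptr + raw_size > len(data):
            problems.append("section %s raw data runs past end of file" % label)
        span = max(vsize, raw_size)
        image_end = max(image_end, va + span)
        if va <= entry_rva < va + span:
            ep_section = (label, flags)
    if image_end > size_of_image:
        problems.append("SizeOfImage 0x%x smaller than mapped sections (0x%x)" % (size_of_image, image_end))
    if entry_rva == 0:
        if not characteristics & IMAGE_FILE_DLL:  # a DLL may legitimately have no entry point
            problems.append("entry point is zero")
    elif ep_section is None:
        problems.append("entry point 0x%x is not inside any section" % entry_rva)
    else:
        label, flags = ep_section
        if not flags & IMAGE_SCN_CNT_CODE:
            problems.append("entry point section %s is not marked as code" % label)
        if not flags & IMAGE_SCN_MEM_EXECUTE:
            problems.append("entry point section %s is not executable" % label)
    if checksum and checksum != pe_checksum(data, opt_off + 64):  # zero means "not set"
        problems.append("CheckSum 0x%x does not match the computed value" % checksum)
    return problems


def build_sample_pe(entry_rva=0x1000, stamp_checksum=False):
    """Constructed minimal PE32: one .text section containing a single RET."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                               # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000)  # + MEM_READ
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0"))
    image += b"\xC3".ljust(0x200, b"\0")                              # RET, padded to FileAlignment
    if stamp_checksum:
        cs_off = DOS_HEADER_SIZE + 4 + COFF_HEADER_SIZE + 64
        struct.pack_into("<I", image, cs_off, pe_checksum(bytes(image), cs_off))
    return bytes(image)


if __name__ == "__main__":
    # Blank file and MZ-only file mirror blabberer's foo.exe / foo1.exe experiment.
    for label, blob in [("blank", b""), ("MZ only", b"MZ".ljust(64, b"\0")),
                        ("sample", build_sample_pe()), ("bad EP", build_sample_pe(0x3000))]:
        print(label, "->", validate_pe(blob) or "OK")
```

To triage a directory, read each file's bytes and keep those for which validate_pe() returns an empty list; everything else goes to the "corrupted" pile with the reasons attached. The blank file fails at the MZ test, and the MZ-only file passes it but has no PE signature, which is exactly why ShellExecute treats the latter as a DOS program rather than showing the error box.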