View Full Version : PE Validator Script


Daniel Pistelli
February 8th, 2008, 06:01
Checking the validity of a PE file is a very difficult task, but checking a .NET assembly is even more complicated, since you have to check the tables integrity, the code integrity, the stack integrity etc. Ok, there's already a tool that does that provided by the .NET framework. However, that tool isn't perfect either and doesn't check some other problems. When I wrote my .NET compiler I spent literally days figuring out what was wrong one time or another time in the format I produced, and the MS tools didn't help. But let's not go OT, I just wanted to say that a topic on the woodmann forum triggered my interest because it was a good opportunity to test the CFF Explorer's scripting capabilities. So, yesterday I took two hours and wrote a little script (called PE Validator Script) which checks for some of the most common problems in a PE. Since it's a script (thus open source) it can be expanded easily.

You can find it in the extensions repository:

http://www.woodmann.com/collaborative/tools/PE_Validator_Script

Here are the current checks:

-- check CRC32 (useful for drivers)
-- check number of rva and sizes
-- check image size
-- check sections
-- check that EP is valid
-- check that EP is in code
-- check that the EP section is executable
-- check data directories RVAs
-- check whether the API IsDebuggerPresent is imported

Don't be too serious about it, it's just a thing I did for fun.
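
A few of the checks listed in the post above (number of RVA and sizes, image size, EP valid, EP in code, EP section executable), written out as an added Python example; it is not the PE Validator Script and does not use the CFF Explorer scripting API. The names `validate_pe` and `build_sample` are hypothetical, the sample headers are constructed, and the image-size check assumes the usual rule that SizeOfImage equals the end of the last section rounded up to SectionAlignment.

```python
import struct
# Added illustration: function names are hypothetical, sample data is constructed.
SCN_CNT_CODE, SCN_MEM_EXECUTE = 0x20, 0x20000000

def validate_pe(data):
    """Return a list of header problems (empty list means none found)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["missing MZ header"]
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return ["missing PE signature"]
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    ep, = struct.unpack_from("<I", data, opt + 16)
    align, = struct.unpack_from("<I", data, opt + 32)
    image_size, = struct.unpack_from("<I", data, opt + 56)
    n_dirs, = struct.unpack_from("<I", data, opt + (108 if magic == 0x20B else 92))
    problems = []
    if n_dirs > 16:
        problems.append("NumberOfRvaAndSizes exceeds 16")
    secs = [struct.unpack_from("<8xII20xI", data, opt + opt_size + 40 * i)
            for i in range(nsec)]                          # (vsize, rva, flags)
    if not secs or not align:
        return problems + ["no sections or zero SectionAlignment"]
    end = max(rva + vsize for vsize, rva, _ in secs)
    if image_size != -(-end // align) * align:             # round up to alignment
        problems.append("SizeOfImage does not match section layout")
    hit = [f for vsize, rva, f in secs if rva <= ep < rva + vsize]
    if not hit:
        problems.append("entry point is outside every section")
    for bit, what in ((SCN_CNT_CODE, "marked as code"), (SCN_MEM_EXECUTE, "executable")):
        if hit and not hit[0] & bit:
            problems.append(f"entry point section is not {what}")
    return problems

def build_sample(ep=0x1000, flags=0x60000020, image_size=0x2000, n_dirs=16):
    """Constructed PE32 headers with one section at RVA 0x1000 (not a real file)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, ep)                    # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)        # Section/FileAlignment
    struct.pack_into("<I", opt, 56, image_size)            # SizeOfImage
    struct.pack_into("<I", opt, 92, n_dirs)                # NumberOfRvaAndSizes
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x500, 0x1000, 0x600, 0x400, 0, 0, 0, 0, flags)
    return dos + coff + bytes(opt) + sec
```

An entry point RVA of 0 is legitimate for a DLL with no entry point; this sketch reports it as outside every section, so a fuller validator would special-case it.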

JMI
February 8th, 2008, 14:08
Thanks for adding your tool to the CRCETL, I'm sure it will be useful and interesting to study for many.

Regards,

Daniel Pistelli
February 8th, 2008, 15:49
Thank you JMI. Well, I'd like to post some more useful extensions which are *almost* ready, but I can't find the time. I also have a big article to release but have absolutely no time to finish it... Damn it, I really hate this, I have thousands of good (or less good) ideas and cannot develop them. But, after all, who wants to spend literally his entire life behind a monitor... I don't. And yet, I'm addicted to developing.