파일을 원하는 형태로 보여주는 툴, Format Visualizer v0.13

PE 파일 뿐만 아니라 이미지 파일등을 분석할 때 포맷에 따라 바이너리 상의 실제 데이터를 확인하는데 약간의 불편함이 따르기 마련입니다. 그래서 만들어본 툴이 바로 FormatVisualizer인데요. 사용법은 간단합니다.

우선 포맷을 확인하고자 하는 파일에 대한 구조를 XML 데이터로 작성합니다. 다음은 FormatVisualizer에서 사용되고 있는 Win32 PE 파일과 BITMAP 파일에 대한 포맷 파일입니다.

<?xml version="1.0"?>
<!-- Portable Executable File format-->
<PE_FILE name="Portable Executable File (32bit version)" signature="0x4D5A" signature_offset="0">
 
  <IMAGE_DOS_HEADER name="DOS Header" comment="Basic Dos Header" >
    <e_magic name="Magic number" size="2" comment="Magic number" />
    <e_cblp name="Bytes on last page of file" size="2" comment="Bytes on last page of file" />
    <e_cp name="Pages in file" size="2" comment="Pages in file" />
    <e_crlc name="e_crlc" size="2" comment="Relocations" />
    <e_cparhdr name="Size of header in paragraphs" size="2" comment="Size of header in paragraphs" />
    <e_minalloc name="Minimum extra paragraphs needed" size="2" comment="Minimum extra paragraphs needed" />
    <e_maxalloc name="Maximum extra paragraphs needed" size="2" comment="Maximum extra paragraphs needed" />
    <e_ss name="Initial (relative) SS value" size="2" comment="Initial (relative) SS value" />
    <e_sp name="Initial SP value" size="2" comment="Initial SP value" />
    <e_csum name="Checksum" size="2" comment="Checksum" />
    <e_ip name="Initial IP value" size="2" comment="Initial IP value" />
    <e_cs name="Initial (relative) CS value" size="2" comment="Initial (relative) CS value" />
    <e_lfarlc name="File address of relocation table" size="2" comment="File address of relocation table" />
    <e_ovno name="Overlay number" size="2" comment="Overlay number" />
    <e_res name="Reserved words" size="8" comment="Reserved words" />
    <e_oemid name="OEM identifier (for e_oeminfo)" size="2" comment="OEM identifier (for e_oeminfo)" />
    <e_oeminfo name="OEM information; e_oemid specific" size="2" comment="OEM information; e_oemid specific" />
    <e_res2 name="Reserved words" size="20" comment="Reserved words" />
    <e_lfanew name="File address of new exe header" size="4" comment="File address of new exe header" />
  </IMAGE_DOS_HEADER>

  <IMAGE_NT_HEADER name="COFF Header" offset="#PE_FILE\IMAGE_DOS_HEADER\e_lfanew">
    <Signature name="Signature" size="4" comment="Signature" />

    <IMAGE_FILE_HEADER>
      <Machine name="Machine" size="2" comment="Machine" />
      <NumberOfSections name="NumberOfSections" size="2" comment="NumberOfSections" />
      <TimeDateStamp name="TimeDateStamp" size="4" comment="TimeDateStamp" />
      <PointerToSymbolTable name="PointerToSymbolTable" size="4" comment="PointerToSymbolTable" />
      <NumberOfSymbols name="NumberOfSymbols" size="4" comment="NumberOfSymbols" />
      <SizeOfOptionalHeader name="SizeOfOptionalHeader" size="2" comment="SizeOfOptionalHeader" />
      <Characteristics name="Characteristics" size="2" comment="Characteristics" />
    </IMAGE_FILE_HEADER>

    <IMAGE_OPTIONAL_HEADER>
      <Magic name="Magic" size="2" comment="Magic" />
      <MajorLinkerVersion name="MajorLinkerVersion" size="1" comment="MajorLinkerVersion" />
      <MinorLinkerVersion name="MinorLinkerVersion" size="1" comment="MinorLinkerVersion" />
      <SizeOfCode name="SizeOfCode" size="4" comment="SizeOfCode" />
      <SizeOfInitializedData name="SizeOfInitializedData" size="4" comment="SizeOfInitializedData" />
      <SizeOfUninitializedData name="SizeOfUninitializedData" size="4" comment="SizeOfUninitializedData" />
      <AddressOfEntryPoint name="AddressOfEntryPoint" size="4" comment="AddressOfEntryPoint" />
      <BaseOfCode name="BaseOfCode" size="4" comment="BaseOfCode" />
      <BaseOfData name="BaseOfData" size="4" comment="BaseOfData" />
      <ImageBase name="ImageBase" size="4" comment="ImageBase" />
      <SectionAlignment name="SectionAlignment" size="4" comment="SectionAlignment" />
      <FileAlignment name="FileAlignment" size="4" comment="FileAlignment" />
      <MajorOperatingSystemVersion name="MajorOperatingSystemVersion" size="2" comment="MajorOperatingSystemVersion" />
      <MinorOperatingSystemVersion name="MinorOperatingSystemVersion" size="2" comment="MinorOperatingSystemVersion" />
      <MajorImageVersion name="MajorImageVersion" size="2" comment="MajorImageVersion" />
      <MinorImageVersion name="MinorImageVersion" size="2" comment="MinorImageVersion" />
      <MajorSubsystemVersion name="MajorSubsystemVersion" size="2" comment="MajorSubsystemVersion" />
      <MinorSubsystemVersion name="MinorSubsystemVersion" size="2" comment="MinorSubsystemVersion" />
      <Win32VersionValue name="Win32VersionValue" size="4" comment="Win32VersionValue" />
      <SizeOfImage name="SizeOfImage" size="4" comment="SizeOfImage" />
      <SizeOfHeaders name="SizeOfHeaders" size="4" comment="SizeOfHeaders" />
      <CheckSum name="CheckSum" size="4" comment="CheckSum" />
      <Subsystem name="Subsystem" size="2" comment="Subsystem" />
      <DllCharacteristics name="DllCharacteristics" size="2" comment="DllCharacteristics" />
      <SizeOfStackReserve name="SizeOfStackReserve" size="4" comment="SizeOfStackReserve" />
      <SizeOfStackCommit name="SizeOfStackCommit" size="4" comment="SizeOfStackCommit" />
      <SizeOfHeapReserve name="SizeOfHeapReserve" size="4" comment="SizeOfHeapReserve" />
      <SizeOfHeapCommit name="SizeOfHeapCommit" size="4" comment="SizeOfHeapCommit" />
      <LoaderFlags name="LoaderFlags" size="4" comment="LoaderFlags" />
      <NumberOfRvaAndSizes name="NumberOfRvaAndSizes" size="4" comment="NumberOfRvaAndSizes" />

      <DATA_DIRECTORY name="DATA_DIRECTORY" comment="DATA_DIRECTORY">
        <IMAGE_DIRECTORY_ENTRY_EXPORT  name="IMAGE_DIRECTORY_ENTRY_EXPORT" comment="Export Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_EXPORT>
        <IMAGE_DIRECTORY_ENTRY_IMPORT  name="IMAGE_DIRECTORY_ENTRY_IMPORT" comment="Import Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_IMPORT>
        <IMAGE_DIRECTORY_ENTRY_RESOURCE  name="IMAGE_DIRECTORY_ENTRY_RESOURCE" comment="Resource Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_RESOURCE>
        <IMAGE_DIRECTORY_ENTRY_EXCEPTION  name="IMAGE_DIRECTORY_ENTRY_EXCEPTION" comment="Exception Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_EXCEPTION>
        <IMAGE_DIRECTORY_ENTRY_SECURITY  name="IMAGE_DIRECTORY_ENTRY_SECURITY" comment="Security Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_SECURITY>
        <IMAGE_DIRECTORY_ENTRY_BASERELOC  name="IMAGE_DIRECTORY_ENTRY_BASERELOC" comment="Base Relocation Table">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_BASERELOC>
        <IMAGE_DIRECTORY_ENTRY_DEBUG  name="IMAGE_DIRECTORY_ENTRY_DEBUG" comment="Debug Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_DEBUG>
        <IMAGE_DIRECTORY_ENTRY_ARCHITECTURE  name="IMAGE_DIRECTORY_ENTRY_ARCHITECTURE" comment="Architecture Specific Data">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_ARCHITECTURE>
        <IMAGE_DIRECTORY_ENTRY_GLOBALPTR  name="IMAGE_DIRECTORY_ENTRY_GLOBALPTR" comment="RVA of GP">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_GLOBALPTR>
        <IMAGE_DIRECTORY_ENTRY_TLS  name="IMAGE_DIRECTORY_ENTRY_TLS" comment="TLS Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_TLS>
        <IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  name="IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG" comment="Load Configuration Directory">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG>
        <IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  name="IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT" comment="Bound Import Directory in headers">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT>
        <IMAGE_DIRECTORY_ENTRY_IAT  name="IMAGE_DIRECTORY_ENTRY_IAT" comment="Import Address Table">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_IAT>
        <IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  name="IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT" comment="Delay Load Import Descriptors">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT>
        <IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  name="IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR" comment="COM Runtime descriptor">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR>
        <IMAGE_DIRECTORY_ENTRY_RESERVED  name="IMAGE_DIRECTORY_ENTRY_RESERVED" comment="Reserved">
          <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
          <Size name="Size" size="4" comment="Size" />
        </IMAGE_DIRECTORY_ENTRY_RESERVED>
      </DATA_DIRECTORY>
    </IMAGE_OPTIONAL_HEADER>
  </IMAGE_NT_HEADER>

  <FM_COMMAND_REPEAT count="#PE_FILE\IMAGE_NT_HEADER\IMAGE_FILE_HEADER\NumberOfSections">
    <IMAGE_SECTION_HEADER comment="IMAGE_SECTION_HEADER">
      <Name name="Name" size="8" comment="Name" />
      <PhysicalAddress name="PhysicalAddress" size="4" comment="PhysicalAddress" />
      <VirtualAddress name="VirtualAddress" size="4" comment="VirtualAddress" />
      <SizeOfRawData name="SizeOfRawData" size="4" comment="SizeOfRawData" />
      <PointerToRawData name="PointerToRawData" size="4" comment="PointerToRawData" />
      <PointerToRelocations name="PointerToRelocations" size="4" comment="PointerToRelocations" />
      <PointerToLinenumbers name="PointerToLinenumbers" size="4" comment="PointerToLinenumbers" />
      <NumberOfRelocations name="NumberOfRelocations" size="2" comment="NumberOfRelocations" />
      <NumberOfLinenumbers name="NumberOfLinenumbers" size="2" comment="NumberOfLinenumbers" />
      <Characteristics name="Characteristics" size="4" comment="Characteristics" />
    </IMAGE_SECTION_HEADER>
  </FM_COMMAND_REPEAT>
</PE_FILE>

특정 값을 참조하거나 오프셋등을 얻어올 수 있으며 섹션 헤더와 같이 반복되는 구조체도 작성이 가능합니다.
이렇게 XML 파일을 준비했다면 이제 원하는 파일을 열어서 내용을 확인하면 됩니다.

1. 파일을 연다. [File]-[Open File...]
2. 포맷 파일을 연다. [File]-[Open Format File...]

원하시는 내용은 왼쪽에 있는 트리를 선택해서 확인하실 수 있습니다. 뿐만 아니라 바이너리 뷰에서 마우스 오른쪽 버튼을 클릭하시면 반대로 해당 바이너리 위치의 값이 어떤 데이터를 나타내는지를 확인할 수도 있습니다.

저는 PE 파일이나 이미지 파일 분석할 때 유용하게 사용하고 있습니다.

제공하는 프로그램을 실행하기 위해서는 .NET Framework 3.x 버전이 필요합니다.

FormatVisualizer013.zip