Hex Editor - Binary File Editing Software for Windows
This section provides a set of term definitions that will help you to get accustomed to the Hex Editor Neo's disassembler module.
The Portable Executable (PE) format is a file format for executables, object code, and dynamic-link libraries, used in 32-bit and 64-bit versions of Microsoft Windows operating systems. The term "portable" refers to the format's versatility in numerous environments of operating system software architecture. The PE format is basically a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code. A PE file consists of a number of headers and sections that tell the loader how to map the file into memory.
Hex Editor Neo's disassembler gathers information needed to parse the PE (Portable Executable) file from headers that are located at the beginning of a file.
An executable file (usually the one with .exe or .dll extension) is divided into sections (or segments) that are mapped to memory during load. Different sections can be mapped to different virtual addresses (raw section's size and size of section in memory may differ).
Usually different sections are introduced to split the file into several code/data blocks with different memory protection modes and to provide paging (swapping) mechanism.
Disassembler window allows you to select the section you want to disassemble. A section that contains executable code is usually named ".text" or "CODE".
Virtual address is an address identifying a virtual (non-physical) entity. Virtual Address is used to describe location of data mapped into memory. Physical Address 0x1000 (in file) can be mapped to virtual address 0x401000. Disassembler displays both addresses - physical (column "Raw Address") and virtual (column "Virtual Address"). In case no section information is available for an image, raw offsets cannot be converted to virtual addresses and the column is empty.
Debug symbols is the information about what high-level programming language constructions generated specific piece of machine code in the given executable module. Sometimes it's embedded into the module's binary, or distributed as a separate file, or just discarded during the compilation and/or linking. Symbols enable a person using a debugger to gain additional information about the binary, such as the names of variables and routines from the original source code. This information is sometimes extremely helpful while trying to investigate and fix a crashing application.
Hex Editor Neo uses only part of debug symbols, namely, it is capable of displaying function and variable names where appropriate. It is also capable of automatically locating symbol files for used modules and showing exported function names.