PE Look (pelook) v1.74 build 2206160 - PE/COFF dump and conversion tool
copyright (c) bytepointer.com 2016-2022
syntax:
pelook [options] <input_file>
[display options]
-h - display PE header info
-o - dump entrypoint code bytes (see -os)
-s - display PE section memory map of memory/image
-t - dump data directory table
-i - dump imports directory table
-e - dump exports directory table
-c - dump resource directory tree
-f - dump load config directory table
-tls - dump tls directory table
-p - search for and display paths to import modules
-r - dump PE relocations
-rh - display decoded fields of MS "Rich" Header (if present)
-n - dump CLR (.NET) metadata tables (if any)
-v - display version resource (if any)
-xf - dump .pdata exception func table (amd64 only)
-d - show DOS header info
[conversion options]
-cp <uint> - convert pointer to image-file offset
-cf <uint> - convert image-file offset to pointer
[misc options]
-b <uint> - override preferred load address (base) of image
-os <uint> - with -o option, dump specified code size (default=32)
-l - output timestamps in local timezone / default=GMT/unaltered
-q - quiet mode; disables some verbose messages and displays concise
information for the following options: i,e
-x - disable colors
-? - this help
NOTES:
-If no conversion or display options are specified, the default is to display
with the following options enabled: -hstv; otherwise only those display
options chosen will apply.
-Conversions between pointer and file offsets take into account the mapping
for the current PE image as well as the default or overridden load base.
-The CLR metadata table support is compatible with .NET Framework versions 1.1
and earlier, although will still work with many files produced with later
versions, depending on the embedded tables.
-Numbers given for the options above default to base-10; to specify hex or
binary values, please prefix with "0x" or "0b" respectively.
