I found a rather peculiar edge case, which is not currently handled by libpeconv (and if it is, I am too dumb to figure it out). Consider following scenario:

Payload is an executable PE with stripped relocs, its imagebase is 0x400000. My loader accounts for this with an explicit section layout, like so:

Name     Start    End      R W X D Class
-------- -------- -------- - - - - -----
.payload 00401000 20401000 R W . . BSS	 
.og_bss  20401000 20402000 R W . . BSS	 
.og_text 20402000 20414000 R . X . CODE 
.og_data 20414000 20415000 R W . . DATA 

The loader maps EXE payload into the .payload section, patches what's needed and jumps to its OEP. This technique is called Process Hiving, I believe. I'm using it as an alternative to DLL load order hijacking method (aka proxy DLLs) in my game modding framework.

If payload is not reloc-stripped, the loader will relocate it into the .payload section anyway.

I do not call VirtualAlloc at all, VirtualProtect is used to set appropriate section flags before jumping to the OEP.

My long-term goal is to have per-game targeted Linux compat patches as well - stuff like replacing XInput/WndProc with SDL2, replacing d3d9 with dxvk, etc. It would be nice for libpeconv to support Linux as well. taviso/loadlibrary is Linux-only and it feels redundant to have two separate dependencies of identical nature.

Similar approach is used in the following projects

• FiveM /code/client/launcher/ExecutableLoader.cpp
• open-iw5 /src/std_include.cpp

Using the sample loader project on an Unreal Engine 4 compiled binary crashes with a null access within the initterm call in __scrt_common_main_seh.

So far I haven't been able to locate the cause of this, I have tried disabling reloc but had no success.

Note that the function called by initterm uses TLS, I am thinking that maybe run_tls_callbacks may not work correctly or that some additional TLS code is required.

Hello hasherezade,

I believe there's a bug in libpeconv where a malware that doesn't have any relocation blocks returns the status: -1 in pe-sieve (with /jlvl 2) and thus is not processed.

I found that the specific malware I tested with doesn't have any relocation blocks (using your great PE-Bear tool):

It's happening in this function: peconv::process_relocation_table which I see you already addressed the issue when relocation blocks are null in this fix #22 .

A friend of mine (Ron, who found the memory leak in pe-sieve) came up with a potential fix which I tested and works. Basically the function has to return true in the case there's nothing to relocate. We added bool NoBlocks = true which is set to false if there are valid blocks and is used for the return value condition.

bool peconv::process_relocation_table(IN PVOID modulePtr, IN SIZE_T moduleSize, IN RelocBlockCallback *callback)
{
    IMAGE_DATA_DIRECTORY* relocDir = peconv::get_directory_entry((const BYTE*)modulePtr, IMAGE_DIRECTORY_ENTRY_BASERELOC);
    if (relocDir == NULL) {
#ifdef _DEBUG
        std::cout << "[!] WARNING: no relocation table found!\n";
#endif
        return false;
    }
    if (!validate_ptr(modulePtr, moduleSize, relocDir, sizeof(IMAGE_DATA_DIRECTORY))) {
        std::cerr << "[!] Invalid relocDir pointer\n";
        return false;
    }
    DWORD maxSize = relocDir->Size;
    DWORD relocAddr = relocDir->VirtualAddress;
    bool is64b = is64bit((BYTE*)modulePtr);

    IMAGE_BASE_RELOCATION* reloc = NULL;

    DWORD parsedSize = 0;
    DWORD validBlocks = 0;
    bool NoBlocks = true;

    while (parsedSize < maxSize) {
        reloc = (IMAGE_BASE_RELOCATION*)(relocAddr + parsedSize + (ULONG_PTR)modulePtr);
        if (!validate_ptr(modulePtr, moduleSize, reloc, sizeof(IMAGE_BASE_RELOCATION))) {
#ifdef _DEBUG
            std::cerr << "[-] Invalid address of relocations\n";
#endif
            return false;
        }
        if (reloc->SizeOfBlock == 0) {
            break;
        }
        size_t entriesNum = (reloc->SizeOfBlock - 2 * sizeof(DWORD)) / sizeof(WORD);
        DWORD page = reloc->VirtualAddress;

        BASE_RELOCATION_ENTRY* block = (BASE_RELOCATION_ENTRY*)((ULONG_PTR)reloc + sizeof(DWORD) + sizeof(DWORD));
        if (!validate_ptr(modulePtr, moduleSize, block, sizeof(BASE_RELOCATION_ENTRY))) {
            std::cerr << "[-] Invalid address of relocations block\n";
            return false;
        }
        if (!is_empty_reloc_block(block, entriesNum, page, modulePtr, moduleSize)) {
            if (process_reloc_block(block, entriesNum, page, modulePtr, moduleSize, is64b, callback)) {
                validBlocks++;
                NoBlocks = false;
            }
            else {
                // the block was malformed
                return false;
            }
        }
        parsedSize += reloc->SizeOfBlock;
    }
    return (NoBlocks || validBlocks != 0);

Thank you, and keep up the fantastic work!

Terry

Here is code,

    size_t v_size = 0;
    LPCTSTR pe_path = "C:\\windows\\notepad.exe";
    BYTE* my_pe = peconv::load_pe_executable(pe_path, v_size);

    if (!my_pe) {
        return -1;
    }

    peconv::set_main_module_in_peb((HMODULE)my_pe);
    
    peconv::run_tls_callbacks(my_pe, v_size);
    
    DWORD ep_rva = peconv::get_entry_point_rva(my_pe);
    if (!ep_rva) {
        return -2;
    }
    ULONG_PTR ep_va = ep_rva + (ULONG_PTR) my_pe;

    int (*new_main)() = (int(*)())ep_va;

    return new_main();

Thanks

Not all the fields to be relocated need to have RVA falling into the range of the loaded PE.
For example:

So, marking the field as incorrect basing on: va < imageBase or rva > imageSize check is invalid.

This may be simply due to my gap in knowledge / understanding of memory management in DLLs.

I'm trying to load a PE into memory from a DLL, using the basic example.
Loading works when I've used an EXE to do it, but not a DLL. A terminal prompt opens and execution 'hangs'. It did work for one PE32 (specifically Dbgview.exe), but not for others (calc.exe and some custom exes).

In case it's relevant, loading is happening from the DllMain of my DLL, which is executed by a PE32.

Are there any plans to make libpeconv platform independent?

In case of import recovery, libPeConv is supposed to first search if the appropriate imports' names are already present in the binary, and if so, to use them and write them back to the destroyed thunks.
However, there is a bug that causes that sometimes the appropriate names are not found, although they are present.

• Test case:
  75b38f62b2479165e8da79b23edc24145261854f1870031b281716827f82fa95
  • The invalid situation:
    
    The last thunk is filled with an ordinal (this happens if the name was not found).
    The imported address belongs to the function WaitForSingleObject:
    
    Looking into the binary, we can see that the proper record containing this name is present:
    
  • The fixed version should look like this:
    

In hooks.h, class PatchBackup:

Var "sourcePtr" not initialized inside the constructor

C2440 'default argument': cannot convert from 'LPWSTR' to 'const LPSTR'

peconv::ALIGNED_BUF load_resource_data(OUT size_t &out_size, const int res_id, const LPCSTR res_type = RT_RCDATA, HMODULE hInstance = nullptr);

I quoted the Lib file in the Unicode project and I would report it wrong. How should I be compatible with him

Aren't you tired of me yet? ;)

In exports_mapper.cpp, ExportsMapper::add_to_lookup:

std::map<DWORD, char*> rva_to_name;

In fix_imports.cpp, size_t map_addresses_to_functions:

std::setstd::string currDllNames;

auto on_res_entry_found = [](
    BYTE* modulePtr,
    IMAGE_RESOURCE_DIRECTORY_ENTRY* root_dir,
    IMAGE_RESOURCE_DATA_ENTRY* curr_entry
    ) {
        return true;
};

peconv::parse_resources(execute_pe, on_res_entry_found);

I found that "root_dir" is always the first,
maybe I'm wrong. I hope there are relevant examples.

I tried loading some windows built in PEs (with basic example code) like whoami.exe, hostname.exe, ipconfig.exe, some of them just return nothing to stdout and some of them return The specified resource type cannot be found in the image file.
How can i solve it ?

Is it possible to map a DLL in another process?

Example:

• 0f5a21b7179f3a8958a3bae8e9b9fb49220a708c4f6335459b0aa14c3a7cc937 - Formbook payload (with padding)
  The raw form of this file was invalidly detected as mapped.

The same payload without padding appended is detected as raw:

• c0ee1071e444f415f8b62856a0896f3b22e563f1bb4f03d14142583efe49a565

I found another reinterpret_cast<…>-related compile error when cross-building with x86_64-w64-mingw32-g++ (GCC) 8.3-win32 20190406:

$WORK/libpeconv/src/exports_lookup.cpp: In function ‘INT_PTR (* peconv::get_exported_func(PVOID, LPSTR))()’:
$WORK/libpeconv/src/exports_lookup.cpp:114:85: error: cast from ‘LPSTR’ {aka ‘char*’} to ‘DWORD’ {aka ‘long unsigned int’} loses precision [-fpermissive]
 return get_export_by_ord(modulePtr, exp, reinterpret_cast<DWORD>(wanted_name));
                                                                             ^

$WORK/libpeconv/src/exports_lookup.cpp: In member function ‘virtual INT_PTR (* peconv::export_based_resolver::resolve_func(LPSTR, LPSTR))()’:
$WORK/libpeconv/src/exports_lookup.cpp:158:96: error: cast from ‘LPSTR’ {aka ‘char*’} to ‘DWORD’ {aka ‘long unsigned int’} loses precision [-fpermissive]
 !] Cound not get the function: "<< reinterpret_cast<DWORD>(func_name) <<" from exports!" << std::endl;

My environment:

• windows 11: 22000.2295
• Visuall C++ 2022 Comunity
• cmake

I run the tests by : tests.exe 18 test_case7\test_case7.exe.

I got the outputs：

Trying to set up exceptions: test_case7\test_case7.exe
[+] Found exception table of: 126 entries
[+] Valid exception entries: 126 entries
[+] The exception table was added
tests::test_load_with_exception_table: Throwing exception:
Calling entry point:
make_exception1: Throwing exception:
Exception handled: STATUS_BREAKPOINT
make_exception2: Throwing exception:
Exception handled: STATUS_INTEGER_DIVIDE_BY_ZERO

Then the tests.exe exit. but "Exception captured by the caller" has never been triggered.

If i add a new function in test_case7:

void make_exception3()
{
    std::cout << __FUNCTION__ << ": Throwing exception and not catch:" << std::endl;
    RaiseException(STATUS_INTEGER_DIVIDE_BY_ZERO, 0, 0, 0);
}

Then the tests.exe captured the new excption.

So, is this a bug?

PS：I'm sorry for my English, I used a translation tool.

In exported_func.cpp, peconv::get_dll_shortname:

std::size_t ext = str.find_last_of("."); =>
std::size_t ext = str.find_last_of('.');

Hi there,
I am trying to load a DLL from a byte array with the load_pe_module function. I tried replicating the methods in https://github.com/hasherezade/libpeconv/blob/master/tests/test_load_ntdll.cpp. But when i call a function from the loaded DLL i am getting an access violation exception :(

#include <Windows.h>

#include <peconv.h>
#include "Payload.h"

//typedef int (*moduleMainProc)();
int(_cdecl* moduleMain) () = NULL;

int main()
{
	size_t v_size = 0;
	BYTE* payloadModule = peconv::load_pe_module(
		payload, 
		sizeof(payload), 
		v_size, 
		true, 
		true
	);
	if (!payloadModule) {
		return -1;
	}

	bool is64 = peconv::is64bit(payloadModule);
	FARPROC nOffset = peconv::get_exported_func(payloadModule, (LPSTR)"main");
	if (nOffset == nullptr) {
		return -1;
	}

	int (*loaded_pe_entry)(void) = (int (*)(void)) nOffset;
	return loaded_pe_entry();
	
	//moduleMain = (int(_cdecl*) ()) nOffset;
	//return moduleMain();
}

Am i doing something wrong or is there an issue with the lib or my dll?
This is the dll that im using: https://github.com/11philip22/DllShellSimple

Hey hasherzade, I'm a big fan of your tools.
I've done a bit of fuzzing & found some bugs.

Machine specs

Windows 10 Pro, 21H2, ASLR-off

Description

Basically, I've ran a modified version of your test project project_template that uses libpeconv (32 bit), with different inputs until I received a few crashes.

I've analyzed the crashes and then classified them into two groups based on behavior.

Crash 1

Reproduction: The crash is reproducible in 100% of executions.

To reproduce, use "id_000001_00_EXCEPTION_ACCESS_VIOLATION".

Crash type: An access violation is caused at pe_raw_to_virtual.cpp in function sections_virtual_to_raw at line 95 -> memcpy(section_raw_ptr, section_mapped, sec_size);.

It seems that during the memcpy call, there is an attempt to copy from an unallocated page in memory. Basically, there's an attempt to read beyond heap bounds.

0:000> g
(33b4.3020): Access violation - code c0000005 (!!! second chance !!!)
eax=006df71f ebx=002b8000 ecx=ffffc71f edx=ffffff00 esi=006e3000 edi=001e47e1
eip=6de0395e esp=004ffd9c ebp=004ffe00 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
VCRUNTIME140D!memcpy+0x4e:
6de0395e f3a4            rep movs byte ptr es:[edi],byte ptr [esi]

*Note: eax = section_raw_ptr, ecx = section_mapped, edx = sec_size. The bug occurs even when the sec_size isn't unproportionally huge.

Call stack:

**Call stack: (Windbg)**
```windbg
0:000> k
 # ChildEBP RetAddr      
00 00baf9ac 0019db43     VCRUNTIME140D!memcpy+0x4e [d:\a01\_work\11\s\src\vctools\crt\vcruntime\src\string\i386\memcpy.asm @ 194] 
01 00bafa0c 0019d58b     project_template!sections_raw_to_virtual+0x563 [..\libpeconv_tpl\libpeconv\libpeconv\src\pe_raw_to_virtual.cpp @ 94] 
02 00bafa50 0019883b     project_template!peconv::pe_raw_to_virtual+0x15b [..\libpeconv_tpl\libpeconv\libpeconv\src\pe_raw_to_virtual.cpp @ 134] 
03 00bafa7c 001989e0     project_template!peconv::load_pe_module+0xbb [..\libpeconv_tpl\libpeconv\libpeconv\src\pe_loader.cpp @ 50] 
04 00bafa9c 00192be8     project_template!peconv::load_pe_executable+0x20 [..\libpeconv_tpl\libpeconv\libpeconv\src\pe_loader.cpp @ 82] 
05 00bafacc 00192d94     project_template!load_payload+0x78 [..\libpeconv_tpl\project_template\main.cpp @ 39] 
...

Why/When the bug occurs:

There are checks in sections_raw_to_virtual() to make sure that the virtual sections/addresses aren't out of bounds (lines 55,60,64 in pe_raw_to_virtual.cpp), but they aren't able to catch the issue due to an Integer Overflow bug (to be more precise, it's a size_t overflow/wrap-around).

1. When sec_size is too large, (for example 0xffffff00 as in "id_000001_00_EXCEPTION_ACCESS_VIOLATION") it causes an Integer overflow that wraps around 0, and thus the if statement (next_sec->VirtualAddress + sec_size) > destBufferSize) is equals to false. This can occur at least two times, in lines 55 & 64.
2. There's an Integer overflow in line 53, in a redundant variable raw_end. This isn't a big issue since the variable isn't being used anywhere else in the code, but it's a good idea to remove it either way.

Crash 2

Reproduction: The crash is reproducible in 100% of executions.

To reproduce, use "id_000002_00_EXCEPTION_ACCESS_VIOLATION".

Crash type:: A INVALID_POINTER_READ occurs at pe_virtual_to_raw.cpp in function sections_virtual_to_raw

at line 47 -> if (next_sec->PointerToRawData == 0 || next_sec->SizeOfRawData == 0).

The program tries to read next_sec->PointerToRawData but it points to a memory location that doesn't belong to the program's address space.

42    for (WORD i = 0; i < fileHdr->NumberOfSections; i++) {
43        PIMAGE_SECTION_HEADER next_sec = (PIMAGE_SECTION_HEADER)((ULONGLONG)secptr + (IMAGE_SIZEOF_SECTION_HEADER * i));
44        if (!validate_ptr((const LPVOID)payload, destBufferSize, next_sec, IMAGE_SIZEOF_SECTION_HEADER)) {
45            return false;
46        }
47        if (next_sec->PointerToRawData == 0 || next_sec->SizeOfRawData == 0) { // Bug here - read access violation
48            continue; //skipping empty
49        }
50        LPVOID section_mapped = destBuffer + next_sec->VirtualAddress;

Exploitability & Mitigations

In crash 1 we should be able to control the parameters to the memcpy, which may cause a Heap B.O. Either way, you should add a check for Integer overflows (or wrapping around behavior) at the mentioned lines to avoid undefined behavior.

At first glance I'd assume the second crush isn't exploitable, but you might want to use Exception handling such as /EHa or SEH when compiling the program.

*Edit: You can find the binaries that crashed the application here: https://github.com/NapongiZero/libpeconvCrashes

It's me again:)

In pe_hdrs_helper.cpp:

    PIMAGE_SECTION_HEADER next_sec = peconv::get_section_hdr(payload, payload_size, i);
    const DWORD next_sec_addr = is_raw ? (next_sec->PointerToRawData) : (next_sec->VirtualAddress);

There might be dereferencing of a potential null pointer "next_sec"

I am trying to cross-build libpeconv (and eventually pe-sieve) on a Debian/buster system using
x86_64-w64-mingw32-g++ (GCC) 8.3-win32 20190406 and am getting the following error:

$WORK/libpeconv/src/imports_loader.cpp: In instantiation of ‘bool FillImportThunks::processThunks_tpl(LPSTR, T_IMAGE_THUNK_DATA*, T_FIELD*, T_FIELD) [with T_FIELD = long unsigned int; T_IMAGE_THUNK_DATA = _IMAGE_THUNK_DATA32; LPSTR = char*; CHAR = char]’:
$WORK/libpeconv/src/imports_loader.cpp:24:107:   required from here
$WORK/libpeconv/src/imports_loader.cpp:60:23: error: cast from ‘FARPROC’ {aka ‘long long int (*)()’} to ‘long unsigned int’ loses precision [-fpermissive]
         (*call_via) = reinterpret_cast<T_FIELD>(hProc);
                       ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Adding -fpermissive to CXXFLAGS as hinted by the compiler makes the problem go away.

hello, i wanna use it in .NET
Can it be?
i'm care about it, also can you please make a tourtial how to build the source? cuz i'm not into C++, thanks.

I haven't tried it on x86 but currently on x64 it is unable to inject notepad.exe into calc.exe other combinations works as shown

I have the same problem with my implementation and i'm unable to find the reason for it

Hello I was wondering if this file is currently in use for compiling the code and what its functionality is. Thank you for the fast response to my earlier issue,

Hello, @hasherezade, In your old video on pe_unmapper (https://youtu.be/1kQibWVSQZA?t=382), when you unmap the file in cmd, you receive a lot of informative information. I've tried the latest build and it doesn't seem to still have this. Is their a way that I can enable logs such as presented in the video?

It is rare, but it may happen in valid PE files, that full blocks are empty:

Example - the files belonging to MS Office:

C:/Program Files/Common Files/microsoft shared/OfficeSoftwareProtectionPlatform/OSPPSVC.EXE
C:/Program Files/Common Files/microsoft shared/OfficeSoftwareProtectionPlatform/OSPPOBJS.DLL

LibPEConv interprets blocks which have all entries empty as invalid blocks.

And then the full Import Table is treated as invalid:

msvc ver 2017 x64 dynamic \\ DEBUG

user32.lib(USER32.dll) : error LNK2001: unresolved external symbol __delayLoadHelper2

set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} /MT")
set(DELAYLOAD_FLAG "/DELAYLOAD:"user32.dll"" )

set (srcs
main.cpp
)

set (hdrs
)

add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs})
set_property(TARGET ${PROJECT_NAME} APPEND_STRING PROPERTY LINK_FLAGS " ${DELAYLOAD_FLAG}")

https://docs.microsoft.com/ru-ru/cpp/build/reference/specifying-dlls-to-delay-load?view=vs-2019

cl t.cpp user32.lib delayimp.lib /link /DELAYLOAD:user32.dll

add std lib delayimp.lib ?

add_executable ( ${PROJECT_NAME} ${hdrs} ${srcs})
target_link_libraries(${PROJECT_NAME} delayimp.lib)
set_property(TARGET ${PROJECT_NAME} APPEND_STRING PROPERTY LINK_FLAGS " ${DELAYLOAD_FLAG}")

Comment the code following the Doxygen format.

get_nt_hrds should be renamed to: get_nt_hdrs

Hi!

In pe_hdrs_helper.cpp:

if (is64bit(payload)) {
    IMAGE_NT_HEADERS64* nt64 = get_nt_hdrs64(payload);
    image_size = nt64->OptionalHeader.SizeOfImage;

There might be dereferencing of a potential null pointer "nt64" and "nt32"

Would you like to replace any double quotes by angle brackets around file names for include statements?

Please provide builds of pe_unmapper via GitHub releases instead of Google Drive. This would allow it to be included as a package in FLARE VM.

Some pe files have tls callbacks that need to be executed for the pe file to run properly.
Does the library support executing the tls callbacks when mapping and running a pe file from memory?

when i compile the run_pe with the libpeconv within the project, i always get this error, the file is exist, can you help me?

Currently the function is_pe_raw checks where the first section starts. If it starts at the raw address, the PE is recognized as raw format.
However, this way of format detection is inaccurate.

Example - UPX packed sample (raw):

And the same sample loaded in the memory:

The area between the headers and the first section contains artefact of the first section.

In such cases, a PE in virtual format is mistakenly recognized as raw.

Issue:
I have tried to pass arguments to a payload loaded by libpeconv but it wasn't possible directly. So i decided to go a little bit deeper and modified some stack related parts of the code, it was successful but this method is heavily relied on Non-standard methods and requires more or less complicated modifications on the main code.

Is there any possible ongoing features that are not yet published or any other methods that i could use for this matter?

Hello hasherezade,

I hope you don't mind for creating an issue to ask this but I'm wondering about the current state of the libpeconv library,
specifically I would like you to tell your own opinion about the following:

1. How much mature do you consider it in terms of being stable and bug free as it it now?
2. Do you have any plans to add new features and if so which ones?
3. Would you consider improving or changing error handling and reporting if convinced there is a better way of doing it?

I haven't yet studied the PE file format so I'm not in position to answer this on my own but I have plans to reuse the library at some point so the reason I ask this is because I don't want to modify anything unless you yourself consider it stable and future complete.

Regarding my 3rd question, I think error handling can be improved by formatting and reporting exact system error codes including file name and line where the error occurs.
This method can help in finding bugs and improving existing code, I'm not saying you should do it, but that would be first thing I would do.

May I suggest that you add a new badge or section to your readme which would indicate status of the library in terms of those and similar questions asked.

Have a nice day and thank you for sharing your skills with the community.

Hi,
not sure if you'd consider this something useful, this short batch script allows a user to drag & drop a file calling pe_unmapper.exe and presents a simple menu from where the type of unmapping to be applied can be selected, the unmapped file is then saved on the user's desktop:

`@echo off
for /f "tokens=2 delims==" %%a in ('wmic OS Get localdatetime /value') do set "dt=%%a"
set "YY=%dt:~2,2%" & set "YYYY=%dt:~0,4%" & set "MM=%dt:~4,2%" & set "DD=%dt:~6,2%"
set "HH=%dt:~8,2%" & set "Min=%dt:~10,2%" & set "Sec=%dt:~12,2%"

set "fullstamp=%YYYY%%MM%%DD%%HH%%Min%%Sec%"

echo File: "%~1"
echo.

:start
echo Options:
echo --------
echo U : UNMAP (Virtual to Raw)
echo M : MAP (Raw to Virtual)
echo R : REALIGN (Virtual to Raw, where: Raw == Virtual)
echo.
set choice=
set /p choice=Select your option [U, M, R]:
if not "%choice%"=="" set choice=%choice:~0,1%

if "%choice%"=="U" goto main
if "%choice%"=="M" goto main
if "%choice%"=="R" goto main

echo "%choice%" is not valid, please try again.
echo.
goto start

:main
echo.
pe_unmapper.exe /in "%~1" /mode "%choice%" /out %USERPROFILE%\Desktop%fullstamp%-pe_unmapper-mode_%choice%-"%~n1".bin
goto end

:end
echo.
pause

@echo on`

I tried including both peconv.h and compiled libpeconv.lib but I keep getting linker errors. Did I miss something?