TDUMP.EXE, the File Dumping Utility

From RAD Studio
Jump to: navigation, search

Go Up to Command-Line Utilities Index

TDUMP.EXE produces a file dump that shows the structure of a file.

TDUMP breaks apart a file structurally and uses the file's extension to determine the output display format. TDUMP recognizes many file formats, including .EXE, .OBJ, and .LIB files. If TDUMP does not recognize an extension, it produces a hexadecimal dump of the file. You can control the output format by using the TDUMP command-line options when you start the program.

TDUMP's ability to peek at a file's inner structure displays not only a file's contents, but also how a file is constructed. Moreover, because TDUMP verifies that a file's structure matches its extension, you can also use TDUMP to test file integrity.

TDUMP can read its input from stdin by redirecting (using a greater than symbol >) or piping (using a vertical bar |).

TDUMP64.EXE is the 64-bit Windows file dumping utility, and has the same options and syntax as TDUMP.EXE.

Command-Line Syntax

TDUMP [<options>] <inputfile> [<listfile>] 

Here:

  • <inputfile> is the file whose structure you want to display (or "dump").
  • <listfile> is an optional output filename (you can also use the standard redirection command >).
  • <options> are any of the TDUMP command-line options.


To display the command-line help, enter:

tdump

or

tdump -?

to display the extended command-line help screen.


Command-Line Options

You can use either the / or the - prefix character before options. For example, these two commands are equivalent:

TDUMP -e1 -v demo.exe 
TDUMP /el /v demo.exe 

TDUMP.EXE supports the command-line options listed in the following table:

TDUMP Command-Line Options

Option Description
-?

Shows the extended help screen.

-a
-a7

TDUMP automatically adjusts its output display according to the file type. You can force a file to be displayed as ASCII by including the -a or -a7 option.

  • -a -- produces an ASCII file display, which shows the offset and the contents in displayable ASCII characters. A character that is not displayable (like a control character) appears as a period.
  • -a7 -- converts high-ASCII characters to their low-ASCII equivalents. This is useful if the file you are dumping sets high-ASCII characters as flags.
-b#

Allows you to display information beginning at a specified decimal # offset (prefix hex with 0x). For example, if you want a dump of MYFILE starting from offset 100, you would use:
TDUMP -b100 MYFILE

-C

Causes TDUMP to dump information found in COFF format files (.OBJ and .LIB). This option is useful when linking with Microsoft .OBJ and .LIB files. (COFF only.)

-d

Causes TDUMP to dump any C++Builder 32-bit debug information found in the .OBJ file. If you do not specify this option, TDUMP displays raw data only. (OMF only.)

-e
-ea[:v]
-ed
-ee[=x]
-eh
-eiID
-el
-em[=x]
-em.[x]
-ep
-er
-es[=x]
-et
-ex

All these options force TDUMP to display the file as an executable (.EXE/DLL) file.
An executable file display consists in information contained within a file that is used by the operating system when loading a file. If symbolic debugging information is present, TDUMP displays it.
TDUMP displays information for DOS executable files, NEW style executable files (16-bit Windows and OS/2 .EXEs and DLLs), Linear Executable files, and Portable Executable (PE) files used by 32-bit Windows (Windows 95/98/Me, Windows NT/2000/XP, and so on).

  • -e -- Displays file as an Executable (EXE/DLL, DOS, Win16, OS/2, PE).
  • -ea[:v] -- Defines how to display Exports. (PE only.)
    • -ea -- Displays all Exports unsorted.
    • -ea:v -- Displays all Exports unsorted by RVA.
By default, dumps only named exports, sorting on the name.
  • -ed -- Disables EXE debug information.
  • -ee[=x] -- Lists Exports only from EXE/DLL (optional x lists matches only). (PE only.)
  • -eh -- Disable EXE headers display. (Elf only.)
  • -eiID -- Includes only .EXE table ID (HDR, OBJ, FIX, NAM, ENT). (PE only.)
  • -el -- Suppresses line numbers in the display.
  • -em[=x] -- Lists Imports only from EXE/DLL (optional x lists matches only). (PE only.)
  • -em.[x] -- Lists Imported modules only from EXE/DLL (optional x search string). (PE only.)
  • -ep -- Disables EXE PE header display. (PE only.)
  • -er -- Prevents the relocation table from displaying.
  • -es[=x] -- Hex dump of program sections. Use x to specify the particular section. (Elf only.)
  • -et -- Disable EXE symbol tables. (Elf only.)
  • -ex -- Prevents the display of New style executable information. This means TDUMP only displays information for the DOS "stub" programs.
-h[O|=x]

Displays the dump file in hexadecimal (hex) format.

  • O -- can be:
    • r -- Prints offsets relative to the starting offset.
    • a -- Prints absolute offsets.
  • =x -- Beginning file offset (same as -b#).

The hex format consists of a column of offset numbers, 16 columns of hex numbers, and their ASCII equivalents (a period appears where no displayable ASCII character occurs.)
If TDUMP does not recognize the input file's extension, it displays the file in hex format (unless an option is used to indicate another format).

-iID

Specifies the debug tables' ID to use. ID=[?/abc...rst]. (Not Elf.)

-xID

Specifies the debug tables' ID to exclude. ID=[?/abc...rst]. (Not Elf.)

-l
-le[=x]
-li[=x]

Displays the output file in library (.LIB) file format. (OMF LIB only.)
A library file is a collection of object files (see the -o option for more on object files).
The library file dump displays library-specific information, object files, and records in the object file.

  • -li -- Tells TDUMP to display a short form of IMPDEF records when dumping import libraries. You can also specify a search string using the following syntax:
-li=<string>
For example, this command:
tdump -li=codeptr import32.lib
results in the following output:
Impdef:(ord) KERNEL32.0336=ISBADCODEPTR
This output shows that the function is exported by ordinal, whose ordinal value is 336 (decimal). In addition, the output displays the module and function name.
If you enter the following command:
tdump -li=walk import32.lib
TDUMP displays:
Impdef:(name) KERNEL32.????=HEAPWALK
This shows the output of a function exported by name.
  • -le -- Tells TDUMP to display a short form of the EXDEF records when dumping OBJ files. You can also specify a search string using the following syntax:
-le=<string>
-lm[=x]

Display dump of members (x lists matches only). (ELF LIB only.)

-lh

Display list of members in archive. (ELF LIB only.)

-lt

Display exported symbols in archive. (ELF LIB only.)

-m

Leaves C++ names occurring in object files, executable files, and Debugger symbolic information files in "mangled" format. This option is helpful in determining how the C++ compiler "mangles" a given function name and its arguments. (Not Elf.)

-M

Display MACH file. (MACH only.)

-ns

Disable support for redirecting stdin.

-o
-oc
-oiID[=x]
-oxID[=x]

These options command to displays the file as an object (.OBJ) file. (OMF only.)

  • -o -- displays the file as an object (.OBJ) file. An object file display contains descriptions of the command records that pass commands and data to the linker, telling it how to create an .EXE file. The display format shows each record and its associated data on a record-by-record basis.
  • -oc -- causes TDUMP to perform a cyclic redundancy test (CRC) on each encountered record. The display differs from the -o display only if an erroneous CRC check is encountered (the TDUMP CRC value differs from the record's CRC byte).
  • -oi<ID> -- includes only specified OMF record types in the object module dump.
-ox<ID>[=x] -- excludes specified OMF record types from the object module dump.
Replace <ID> with the name of the record to be displayed. For instance:
TDUMP -oiPUBDEF MYMODULE.OBJ produces an object module display for MYMODULE.OBJ that displays only the PUBDEF records.
The -ox and -oi options are helpful in finding errors that occur during linking. By examining the spelling and case of the EXTDEF symbol and the PUBDEF symbol, you can resolve many linking problems. For instance, if you receive an "unresolved external" message from the linker, use
TDUMP -oiEXTDEF to display the external definitions occurring in the module causing the error. Then, use:
TDUMP -oiPUBDEF on the module containing the public symbol the linker could not match.
Another use for the -oi switch is to check the names and sizes of the segments generated in a particular module. For instance:
TDUMP -oiSEGDEF MYMODULE.OBJ displays the names, attributes, and sizes of all of the segments in MYMODULE.

Note: To get a list of record types for -oi and -ox, use the command-line options -oi? and -ox?.

-q

Suppress copyright message.

-r

Causes TDUMP to display raw data. (OMF only.)

-R

Causes TDUMP to dump relocation tables from 32-bit PE (Win32) format images. The default is to suppress these dumps. (PE only.)

-s[=x]
-su[=x]
-s[xx]

Tells TDUMP to display strings.

  • -s[=x] -- By default -s displays all strings in a given file. x = search string. You can specify a string, or part of a string, using the following syntax:
-s=<string>
For example, the command:
TDUMP -s=black GoGame.exe
results in the following output of all strings containing black:
56840  IDI_BLACK
81965: Capture Black
85038: black.bmp
The optional string argument is case-insensitive. To specify several words of a string, use quotation marks. For example:
TDUMP -s="game of go" GoGame.exe
  • -su[=x] -- tells TDUMP to display Unix-style strings, meaning with no offset (or decimal offsets, -h for hex). The -su[=x] option is used in the same manner as -s[=x]. Optional x string argument defines the search string.
For example, the command:
TDUMP -su=black GoGame.exe
results in the following output:
IDI_BLACK
Capture Black
black.bmp
  • -s[xx] -- Displays viewable strings. xx can be:
    • # -- Minimum string length to look for (default: 4).
    • b# -- Beginning file offset (-b# is the same as -sb#).
    • e# -- Ending file offset.
    • f -- Format (wrap) long strings.
    • s -- Search string with case sensitivity (default: no).
-t#

Ending file offset -b# for display (prefix hex with 0x). (Elf only.)

-ua

Unassembles to asm source. (OMF only.)

-um

Displays mangled names as unmangled. You do not need to reformat the text to edit out only the mangled names before using this option. You can pass output that has mangled names anywhere in the text, and only the mangled names will be affected. (Not Elf.)

-v

Verbose display. (OMF and COFF only.)
If used with an .OBJ or .LIB file, TDUMP produces a hexadecimal dump of the record's contents without any comments about the records.
If you use TDUMP on a debugger symbol table, it displays the information tables in the order in which it encounters them. TDUMP does not combine information from several tables to give a more meaningful display on a per-module basis.

-w
-wq[#]

Defines how to use wildcards in file specifications.

  • -w -- Allows wildcards in file specifications.
  • -wq[#] -- Wildcards quiet switch. # is width.

See Also