README

pefile-go

Golang implementation of pefile, stripped down to some bare minimums.

To use as a library:

  $ go get github.com/awsaba/pefile-go

To install the demo program stub:

  $ go install github.com/awsaba/pefile-go/pefile

Features

Some of the tasks that pefile makes possible are:

  • Inspecting headers
  • Analysis of sections' data
  • Parsing exports

Motivations

  • Have a golang library for PE file related utilities.
  • Projects based on "debug/pefile" would have an awkward split between what was added by the wrapper library and what is included in the core Go library.

Dependencies

pefile-go is self-contained. It has no dependencies and currently assumes a little-endian architecture.

Acknowledgements

Major changes from those versions

  • No hard-coded lists of ordinals. They were not accurate for those files in recent versions of Windows. If you need them, Microsoft tools can be used to retrieve the public symbols that contain that information, but that is beyond the scope of this project.
  • Simpler package layout.
  • As much adherence to golang conventions as possible. Hopefully what's left can be configured to be ignored by your editor of choice when running golint.

Additional resources (originally from pefile's readme)

PDFs of posters depicting the PE file format:

The following links provide detailed information about the PE format and its structures.


Documentation

Index

Constants

const (
	// MaxStringLength limits the length of a string to be retrieved from the file.
	// It's there to prevent loading massive amounts of data from memory mapped
	// files. Strings longer than 1MB should be rather rare.
	// FIXME: not referenced/used anywhere?
	// NOTE(review): while that FIXME stands, nothing visible here bounds a
	// string read by this constant. Wiring it into the name/forwarder readers
	// keeps a malformed string offset from making the parser scan to the end of
	// the mapping — confirm against the readers.
	MaxStringLength = 0x100000 // 2^20

	// Two-byte signatures that can start a file, as the little-endian uint16
	// read from offset 0: 0x5A4D is the bytes 'M' (0x4D) 'Z' (0x5A) in file order.
	IMAGE_DOS_SIGNATURE   = 0x5A4D // "MZ"
	IMAGE_DOSZM_SIGNATURE = 0x4D5A // "ZM", the same two bytes swapped
	IMAGE_NE_SIGNATURE    = 0x454E // "NE"
	IMAGE_LE_SIGNATURE    = 0x454C // "LE"
	IMAGE_LX_SIGNATURE    = 0x584C // "LX"
	IMAGE_TE_SIGNATURE    = 0x5A56 // Terse Executables have a 'VZ' signature

	// IMAGE_NT_SIGNATURE is the bytes 'P' 'E' 0 0 read as a little-endian uint32;
	// presumably compared against NTHeaderD.Signature.
	IMAGE_NT_SIGNATURE               = 0x00004550
	IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16 // matches the 16 keys of DirectoryEntryTypes
	// The ordinal flags are the top bit of a 32- or 64-bit thunk value; unlike
	// the rest of this block they are typed, so they can be AND-ed with a
	// uint32/uint64 field without a conversion.
	IMAGE_ORDINAL_FLAG               = uint32(0x80000000)
	IMAGE_ORDINAL_FLAG64             = uint64(0x8000000000000000)
	// Optional-header magic values; presumably select OptionalHeaderD (PE) or
	// OptionalHeader64D (PE32+) when parsing — confirm against the reader.
	OPTIONAL_HEADER_MAGIC_PE         = 0x10b
	OPTIONAL_HEADER_MAGIC_PE_PLUS    = 0x20b
	// FILE_ALIGNMENT_HARDCODED_VALUE: presumably a fallback file alignment used
	// when a header's FileAlignment is unusable — confirm against the parser.
	FILE_ALIGNMENT_HARDCODED_VALUE   = 0x200
)

Variables

// DebugTypes is a lookup from the IMAGE_DEBUG_TYPE_* name to its numeric value,
// presumably the value carried in DebugDirectoryD.Type. These are enumeration
// values, not bit flags, and every value is unique, so the table can be inverted
// safely for a value-to-name lookup.
var DebugTypes = map[string]uint32{
	"IMAGE_DEBUG_TYPE_UNKNOWN":       0,
	"IMAGE_DEBUG_TYPE_COFF":          1,
	"IMAGE_DEBUG_TYPE_CODEVIEW":      2,
	"IMAGE_DEBUG_TYPE_FPO":           3,
	"IMAGE_DEBUG_TYPE_MISC":          4,
	"IMAGE_DEBUG_TYPE_EXCEPTION":     5,
	"IMAGE_DEBUG_TYPE_FIXUP":         6,
	"IMAGE_DEBUG_TYPE_OMAP_TO_SRC":   7,
	"IMAGE_DEBUG_TYPE_OMAP_FROM_SRC": 8,
	"IMAGE_DEBUG_TYPE_BORLAND":       9,
	"IMAGE_DEBUG_TYPE_RESERVED10":    10,
	"IMAGE_DEBUG_TYPE_CLSID":         11,
}

DebugTypes is a lookup from the string name to flag value

// DirectoryEntryTypes names the slots of the optional header's data directory,
// keyed by slot index. There are exactly IMAGE_NUMBEROF_DIRECTORY_ENTRIES (16)
// entries, 0 through 15. Note the direction: this map goes from index to name,
// the reverse of the other lookup tables in this package. The names are
// presumably the keys used for OptionalHeader.DataDirs — confirm against the
// reader. An image's NumberOfRvaAndSizes may be smaller than 16, so a slot
// index must be checked against that count before the directory is read.
var DirectoryEntryTypes = map[uint32]string{
	0:  "IMAGE_DIRECTORY_ENTRY_EXPORT",
	1:  "IMAGE_DIRECTORY_ENTRY_IMPORT",
	2:  "IMAGE_DIRECTORY_ENTRY_RESOURCE",
	3:  "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
	4:  "IMAGE_DIRECTORY_ENTRY_SECURITY",
	5:  "IMAGE_DIRECTORY_ENTRY_BASERELOC",
	6:  "IMAGE_DIRECTORY_ENTRY_DEBUG",
	7:  "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
	8:  "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
	9:  "IMAGE_DIRECTORY_ENTRY_TLS",
	10: "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
	11: "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
	12: "IMAGE_DIRECTORY_ENTRY_IAT",
	13: "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
	14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
	15: "IMAGE_DIRECTORY_ENTRY_RESERVED",
}

DirectoryEntryTypes provides names for the entries in the data directory header

// DllCharacteristics is a lookup from the IMAGE_DLLCHARACTERISTICS_* name to its
// bit value. Every value is a distinct single bit, so the table is safe to use
// with SetFlags. The header field it describes (OptionalHeaderD /
// OptionalHeader64D .DllCharacteristics) is a uint16 while these values are
// uint32, so the field has to be widened before it is passed to SetFlags.
// The mitigation-related bits (DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT,
// GUARD_CF, FORCE_INTEGRITY) are the ones a hardening audit typically reports.
var DllCharacteristics = map[string]uint32{
	"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA":       0x0020,
	"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE":          0x0040,
	"IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY":       0x0080,
	"IMAGE_DLLCHARACTERISTICS_NX_COMPAT":             0x0100,
	"IMAGE_DLLCHARACTERISTICS_NO_ISOLATION":          0x0200,
	"IMAGE_DLLCHARACTERISTICS_NO_SEH":                0x0400,
	"IMAGE_DLLCHARACTERISTICS_NO_BIND":               0x0800,
	"IMAGE_DLLCHARACTERISTICS_APPCONTAINER":          0x1000,
	"IMAGE_DLLCHARACTERISTICS_WDM_DRIVER":            0x2000,
	"IMAGE_DLLCHARACTERISTICS_GUARD_CF":              0x4000,
	"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE": 0x8000,
}

DllCharacteristics flags define some OS specific functionality

// ImageCharacteristics is a lookup from the IMAGE_FILE_* name to its bit value.
// Every value is a distinct single bit covering all 16 bits of the field, so the
// table is safe to use with SetFlags. COFFFileHeaderD.Characteristics is a
// uint16 while these values are uint32, so the field is widened before the
// SetFlags call that fills COFFFileHeader.Flags.
var ImageCharacteristics = map[string]uint32{
	"IMAGE_FILE_RELOCS_STRIPPED":         0x0001,
	"IMAGE_FILE_EXECUTABLE_IMAGE":        0x0002,
	"IMAGE_FILE_LINE_NUMS_STRIPPED":      0x0004,
	"IMAGE_FILE_LOCAL_SYMS_STRIPPED":     0x0008,
	"IMAGE_FILE_AGGRESIVE_WS_TRIM":       0x0010,
	"IMAGE_FILE_LARGE_ADDRESS_AWARE":     0x0020,
	"IMAGE_FILE_16BIT_MACHINE":           0x0040,
	"IMAGE_FILE_BYTES_REVERSED_LO":       0x0080,
	"IMAGE_FILE_32BIT_MACHINE":           0x0100,
	"IMAGE_FILE_DEBUG_STRIPPED":          0x0200,
	"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP": 0x0400,
	"IMAGE_FILE_NET_RUN_FROM_SWAP":       0x0800,
	"IMAGE_FILE_SYSTEM":                  0x1000,
	"IMAGE_FILE_DLL":                     0x2000,
	"IMAGE_FILE_UP_SYSTEM_ONLY":          0x4000,
	"IMAGE_FILE_BYTES_REVERSED_HI":       0x8000,
}

ImageCharacteristics is a lookup from the string name to flag value

Instantiated as Pe.COFFFileHeader.Flags

// Lang is a lookup from the LANG_* name to the primary language identifier,
// the counterpart of Sublang. These are enumeration values, not bit flags.
// Not every value is unique: LANG_CROATIAN and LANG_SERBIAN both map to 0x1a,
// so a reverse (value-to-name) lookup built from this table would be ambiguous
// for that value.
var Lang = map[string]uint32{
	"LANG_NEUTRAL":        0x00,
	"LANG_INVARIANT":      0x7f,
	"LANG_AFRIKAANS":      0x36,
	"LANG_ALBANIAN":       0x1c,
	"LANG_ARABIC":         0x01,
	"LANG_ARMENIAN":       0x2b,
	"LANG_ASSAMESE":       0x4d,
	"LANG_AZERI":          0x2c,
	"LANG_BASQUE":         0x2d,
	"LANG_BELARUSIAN":     0x23,
	"LANG_BENGALI":        0x45,
	"LANG_BULGARIAN":      0x02,
	"LANG_CATALAN":        0x03,
	"LANG_CHINESE":        0x04,
	"LANG_CROATIAN":       0x1a, // shares its value with LANG_SERBIAN
	"LANG_CZECH":          0x05,
	"LANG_DANISH":         0x06,
	"LANG_DIVEHI":         0x65,
	"LANG_DUTCH":          0x13,
	"LANG_ENGLISH":        0x09,
	"LANG_ESTONIAN":       0x25,
	"LANG_FAEROESE":       0x38,
	"LANG_FARSI":          0x29,
	"LANG_FINNISH":        0x0b,
	"LANG_FRENCH":         0x0c,
	"LANG_GALICIAN":       0x56,
	"LANG_GEORGIAN":       0x37,
	"LANG_GERMAN":         0x07,
	"LANG_GREEK":          0x08,
	"LANG_GUJARATI":       0x47,
	"LANG_HEBREW":         0x0d,
	"LANG_HINDI":          0x39,
	"LANG_HUNGARIAN":      0x0e,
	"LANG_ICELANDIC":      0x0f,
	"LANG_INDONESIAN":     0x21,
	"LANG_ITALIAN":        0x10,
	"LANG_JAPANESE":       0x11,
	"LANG_KANNADA":        0x4b,
	"LANG_KASHMIRI":       0x60,
	"LANG_KAZAK":          0x3f,
	"LANG_KONKANI":        0x57,
	"LANG_KOREAN":         0x12,
	"LANG_KYRGYZ":         0x40,
	"LANG_LATVIAN":        0x26,
	"LANG_LITHUANIAN":     0x27,
	"LANG_MACEDONIAN":     0x2f,
	"LANG_MALAY":          0x3e,
	"LANG_MALAYALAM":      0x4c,
	"LANG_MANIPURI":       0x58,
	"LANG_MARATHI":        0x4e,
	"LANG_MONGOLIAN":      0x50,
	"LANG_NEPALI":         0x61,
	"LANG_NORWEGIAN":      0x14,
	"LANG_ORIYA":          0x48,
	"LANG_POLISH":         0x15,
	"LANG_PORTUGUESE":     0x16,
	"LANG_PUNJABI":        0x46,
	"LANG_ROMANIAN":       0x18,
	"LANG_RUSSIAN":        0x19,
	"LANG_SANSKRIT":       0x4f,
	"LANG_SERBIAN":        0x1a, // shares its value with LANG_CROATIAN
	"LANG_SINDHI":         0x59,
	"LANG_SLOVAK":         0x1b,
	"LANG_SLOVENIAN":      0x24,
	"LANG_SPANISH":        0x0a,
	"LANG_SWAHILI":        0x41,
	"LANG_SWEDISH":        0x1d,
	"LANG_SYRIAC":         0x5a,
	"LANG_TAMIL":          0x49,
	"LANG_TATAR":          0x44,
	"LANG_TELUGU":         0x4a,
	"LANG_THAI":           0x1e,
	"LANG_TURKISH":        0x1f,
	"LANG_UKRAINIAN":      0x22,
	"LANG_URDU":           0x20,
	"LANG_UZBEK":          0x43,
	"LANG_VIETNAMESE":     0x2a,
	"LANG_GAELIC":         0x3c,
	"LANG_MALTESE":        0x3a,
	"LANG_MAORI":          0x28,
	"LANG_RHAETO_ROMANCE": 0x17,
	"LANG_SAAMI":          0x3b,
	"LANG_SORBIAN":        0x2e,
	"LANG_SUTU":           0x30,
	"LANG_TSONGA":         0x31,
	"LANG_TSWANA":         0x32,
	"LANG_VENDA":          0x33,
	"LANG_XHOSA":          0x34,
	"LANG_ZULU":           0x35,
	"LANG_ESPERANTO":      0x8f,
	"LANG_WALON":          0x90,
	"LANG_CORNISH":        0x91,
	"LANG_WELSH":          0x92,
	"LANG_BRETON":         0x93,
}

Lang language definitions

// MachineTypes is a lookup from the IMAGE_FILE_MACHINE_* name to its value.
// Unlike the other tables in this package the values are uint16, matching
// COFFFileHeaderD.Machine directly. These are enumeration values, not bit
// flags, and they are not all unique: IMAGE_FILE_MACHINE_ALPHA64 and
// IMAGE_FILE_MACHINE_AXP64 are both 0x0284, so a reverse lookup would be
// ambiguous for that value.
var MachineTypes = map[string]uint16{
	"IMAGE_FILE_MACHINE_UNKNOWN":   0,
	"IMAGE_FILE_MACHINE_I386":      0x014c,
	"IMAGE_FILE_MACHINE_R3000":     0x0162,
	"IMAGE_FILE_MACHINE_R4000":     0x0166,
	"IMAGE_FILE_MACHINE_R10000":    0x0168,
	"IMAGE_FILE_MACHINE_WCEMIPSV2": 0x0169,
	"IMAGE_FILE_MACHINE_ALPHA":     0x0184,
	"IMAGE_FILE_MACHINE_SH3":       0x01a2,
	"IMAGE_FILE_MACHINE_SH3DSP":    0x01a3,
	"IMAGE_FILE_MACHINE_SH3E":      0x01a4,
	"IMAGE_FILE_MACHINE_SH4":       0x01a6,
	"IMAGE_FILE_MACHINE_SH5":       0x01a8,
	"IMAGE_FILE_MACHINE_ARM":       0x01c0,
	"IMAGE_FILE_MACHINE_THUMB":     0x01c2,
	"IMAGE_FILE_MACHINE_ARMNT":     0x01c4,
	"IMAGE_FILE_MACHINE_AM33":      0x01d3,
	"IMAGE_FILE_MACHINE_POWERPC":   0x01f0,
	"IMAGE_FILE_MACHINE_POWERPCFP": 0x01f1,
	"IMAGE_FILE_MACHINE_IA64":      0x0200,
	"IMAGE_FILE_MACHINE_MIPS16":    0x0266,
	"IMAGE_FILE_MACHINE_ALPHA64":   0x0284, // same value as AXP64
	"IMAGE_FILE_MACHINE_AXP64":     0x0284, // same value as ALPHA64
	"IMAGE_FILE_MACHINE_MIPSFPU":   0x0366,
	"IMAGE_FILE_MACHINE_MIPSFPU16": 0x0466,
	"IMAGE_FILE_MACHINE_TRICORE":   0x0520,
	"IMAGE_FILE_MACHINE_CEF":       0x0cef,
	"IMAGE_FILE_MACHINE_EBC":       0x0ebc,
	"IMAGE_FILE_MACHINE_AMD64":     0x8664,
	"IMAGE_FILE_MACHINE_M32R":      0x9041,
	"IMAGE_FILE_MACHINE_CEE":       0xc0ee,
}

MachineTypes is a lookup from string name to the value of the flag

// RelocationTypes is a lookup from the IMAGE_REL_BASED_* name to the relocation
// type value, presumably the 4-bit type field of a BaseRelocationEntryD. These
// are enumeration values, not bit flags. Value 8 has no name here, and value 9
// is shared by IMAGE_REL_BASED_MIPS_JMPADDR16 and IMAGE_REL_BASED_IA64_IMM64
// (which one applies depends on the image's machine type), so a reverse lookup
// would be ambiguous for 9.
var RelocationTypes = map[string]uint32{
	"IMAGE_REL_BASED_ABSOLUTE":       0,
	"IMAGE_REL_BASED_HIGH":           1,
	"IMAGE_REL_BASED_LOW":            2,
	"IMAGE_REL_BASED_HIGHLOW":        3,
	"IMAGE_REL_BASED_HIGHADJ":        4,
	"IMAGE_REL_BASED_MIPS_JMPADDR":   5,
	"IMAGE_REL_BASED_SECTION":        6,
	"IMAGE_REL_BASED_REL":            7,
	"IMAGE_REL_BASED_MIPS_JMPADDR16": 9, // same value as IA64_IMM64
	"IMAGE_REL_BASED_IA64_IMM64":     9, // same value as MIPS_JMPADDR16
	"IMAGE_REL_BASED_DIR64":          10,
	"IMAGE_REL_BASED_HIGH3ADJ":       11,
}

RelocationTypes is a map from the string name to the flag value

// ResourceType is a lookup from the RT_* name to the resource type ID used in
// the resource directory. These are enumeration values, not bit flags; every
// value is unique but the numbering has gaps (13, 15 and 18 are absent), so an
// ID that is not in this table is not automatically malformed.
var ResourceType = map[string]uint32{
	"RT_CURSOR":       1,
	"RT_BITMAP":       2,
	"RT_ICON":         3,
	"RT_MENU":         4,
	"RT_DIALOG":       5,
	"RT_STRING":       6,
	"RT_FONTDIR":      7,
	"RT_FONT":         8,
	"RT_ACCELERATOR":  9,
	"RT_RCDATA":       10,
	"RT_MESSAGETABLE": 11,
	"RT_GROUP_CURSOR": 12,
	"RT_GROUP_ICON":   14,
	"RT_VERSION":      16,
	"RT_DLGINCLUDE":   17,
	"RT_PLUGPLAY":     19,
	"RT_VXD":          20,
	"RT_ANICURSOR":    21,
	"RT_ANIICON":      22,
	"RT_HTML":         23,
	"RT_MANIFEST":     24,
}

ResourceType names and flag values

// SectionCharacteristics is a lookup from the IMAGE_SCN_* name to its value in
// SectionHeaderD.Characteristics. Not every entry is a single independent bit,
// which matters when the table is fed to a mask-based check such as SetFlags:
//
//   - IMAGE_SCN_TYPE_REG is 0, so no mask test can ever report it as set.
//   - Several names alias one value (MEM_PROTECTED / NO_DEFER_SPEC_EXC,
//     GPREL / MEM_FARDATA, MEM_PURGEABLE / MEM_16BIT); both names will be
//     reported together.
//   - The IMAGE_SCN_ALIGN_* values are a 4-bit field under ALIGN_MASK, not
//     flags: e.g. ALIGN_4BYTES (0x00300000) also satisfies a mask test for
//     ALIGN_1BYTES and ALIGN_2BYTES. Decode alignment as
//     (Characteristics & ALIGN_MASK) and compare for equality instead.
//
// For triage, a section carrying both MEM_EXECUTE and MEM_WRITE is the usual
// thing to surface.
var SectionCharacteristics = map[string]uint32{
	"IMAGE_SCN_TYPE_REG":    0x00000000, // zero: never detectable by a mask test
	"IMAGE_SCN_TYPE_DSECT":  0x00000001,
	"IMAGE_SCN_TYPE_NOLOAD": 0x00000002,
	"IMAGE_SCN_TYPE_GROUP":  0x00000004,
	"IMAGE_SCN_TYPE_NO_PAD": 0x00000008,
	"IMAGE_SCN_TYPE_COPY":   0x00000010,

	"IMAGE_SCN_CNT_CODE":               0x00000020,
	"IMAGE_SCN_CNT_INITIALIZED_DATA":   0x00000040,
	"IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080,

	"IMAGE_SCN_LNK_OTHER":  0x00000100,
	"IMAGE_SCN_LNK_INFO":   0x00000200,
	"IMAGE_SCN_LNK_OVER":   0x00000400,
	"IMAGE_SCN_LNK_REMOVE": 0x00000800,
	"IMAGE_SCN_LNK_COMDAT": 0x00001000,

	"IMAGE_SCN_MEM_PROTECTED":     0x00004000, // alias of NO_DEFER_SPEC_EXC
	"IMAGE_SCN_NO_DEFER_SPEC_EXC": 0x00004000, // alias of MEM_PROTECTED
	"IMAGE_SCN_GPREL":             0x00008000, // alias of MEM_FARDATA
	"IMAGE_SCN_MEM_FARDATA":       0x00008000, // alias of GPREL
	"IMAGE_SCN_MEM_SYSHEAP":       0x00010000,
	"IMAGE_SCN_MEM_PURGEABLE":     0x00020000, // alias of MEM_16BIT
	"IMAGE_SCN_MEM_16BIT":         0x00020000, // alias of MEM_PURGEABLE
	"IMAGE_SCN_MEM_LOCKED":        0x00040000,
	"IMAGE_SCN_MEM_PRELOAD":       0x00080000,

	// Alignment is a 4-bit field (bits 20-23), not a set of flags.
	"IMAGE_SCN_ALIGN_1BYTES":    0x00100000,
	"IMAGE_SCN_ALIGN_2BYTES":    0x00200000,
	"IMAGE_SCN_ALIGN_4BYTES":    0x00300000,
	"IMAGE_SCN_ALIGN_8BYTES":    0x00400000,
	"IMAGE_SCN_ALIGN_16BYTES":   0x00500000,
	"IMAGE_SCN_ALIGN_32BYTES":   0x00600000,
	"IMAGE_SCN_ALIGN_64BYTES":   0x00700000,
	"IMAGE_SCN_ALIGN_128BYTES":  0x00800000,
	"IMAGE_SCN_ALIGN_256BYTES":  0x00900000,
	"IMAGE_SCN_ALIGN_512BYTES":  0x00A00000,
	"IMAGE_SCN_ALIGN_1024BYTES": 0x00B00000,
	"IMAGE_SCN_ALIGN_2048BYTES": 0x00C00000,
	"IMAGE_SCN_ALIGN_4096BYTES": 0x00D00000,
	"IMAGE_SCN_ALIGN_8192BYTES": 0x00E00000,
	"IMAGE_SCN_ALIGN_MASK":      0x00F00000,

	"IMAGE_SCN_LNK_NRELOC_OVFL": 0x01000000,
	"IMAGE_SCN_MEM_DISCARDABLE": 0x02000000,
	"IMAGE_SCN_MEM_NOT_CACHED":  0x04000000,
	"IMAGE_SCN_MEM_NOT_PAGED":   0x08000000,
	"IMAGE_SCN_MEM_SHARED":      0x10000000,
	"IMAGE_SCN_MEM_EXECUTE":     0x20000000,
	"IMAGE_SCN_MEM_READ":        0x40000000,
	"IMAGE_SCN_MEM_WRITE":       0x80000000,
}

SectionCharacteristics is a lookup from the string name to flag value

var Sublang = map[string]uint32{}/* 103 elements not displayed */

Sublang sublanguage definitions

// SubsystemTypes is a lookup from the IMAGE_SUBSYSTEM_* name to its value,
// presumably that of OptionalHeaderD / OptionalHeader64D .Subsystem (a uint16,
// so it needs widening to compare with these uint32 values). Unlike the
// *Characteristics tables these are enumeration values, not bit flags, and must
// be compared for equality rather than masked; all values are unique, with gaps
// at 4, 6 and 15.
var SubsystemTypes = map[string]uint32{
	"IMAGE_SUBSYSTEM_UNKNOWN":                  0,
	"IMAGE_SUBSYSTEM_NATIVE":                   1,
	"IMAGE_SUBSYSTEM_WINDOWS_GUI":              2,
	"IMAGE_SUBSYSTEM_WINDOWS_CUI":              3,
	"IMAGE_SUBSYSTEM_OS2_CUI":                  5,
	"IMAGE_SUBSYSTEM_POSIX_CUI":                7,
	"IMAGE_SUBSYSTEM_NATIVE_WINDOWS":           8,
	"IMAGE_SUBSYSTEM_WINDOWS_CE_GUI":           9,
	"IMAGE_SUBSYSTEM_EFI_APPLICATION":          10,
	"IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER":  11,
	"IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER":       12,
	"IMAGE_SUBSYSTEM_EFI_ROM":                  13,
	"IMAGE_SUBSYSTEM_XBOX":                     14,
	"IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION": 16,
}

SubsystemTypes is a lookup from the string name to flag value

Functions

func PowerOfTwo

func PowerOfTwo(val uint32) bool

PowerOfTwo returns whether val is a power of 2.

func SetFlags

func SetFlags(flagMap map[string]bool, charMap map[string]uint32, characteristic uint32)

SetFlags takes the binary flag value read from the guest, checks it against all the key-values in charMap, and sets the corresponding values in the passed in flagMap

Should be called after reading raw header data out of the file to fill in the convenience structs.

Types

type BaseRelocation

// BaseRelocation wraps one base-relocation block header (BaseRelocationD)
// together with where it was found in the file.
type BaseRelocation struct {
	Data       BaseRelocationD // raw fields as read from the file
	FileOffset uint32          // presumably the file offset Data was read from — confirm against the reader
	Size       uint32          // presumably the byte length of Data in the file
}

BaseRelocation wrapper

func (*BaseRelocation) String

func (br *BaseRelocation) String() string

type BaseRelocationD

// BaseRelocationD is the raw base-relocation block header as read from the
// file. Field order and widths presumably mirror the on-disk layout, so they
// must not be reordered.
type BaseRelocationD struct {
	VirtualAddress uint32 // RVA the entries in this block are relative to (PE spec)
	SizeOfBlock    uint32 // byte size of the whole block, header included (PE spec); bounds the entries that follow, so validate it against the section before walking them
}

BaseRelocationD raw field data read from the file

type BaseRelocationEntry

// BaseRelocationEntry wraps one relocation entry (BaseRelocationEntryD)
// together with where it was found in the file.
type BaseRelocationEntry struct {
	Data       BaseRelocationEntryD // raw 16-bit entry as read from the file
	FileOffset uint32               // presumably the file offset Data was read from — confirm against the reader
	Size       uint32               // presumably the byte length of Data in the file
}

BaseRelocationEntry wrapper

func (*BaseRelocationEntry) String

func (bre *BaseRelocationEntry) String() string

type BaseRelocationEntryD

// BaseRelocationEntryD is one raw base-relocation entry as read from the file.
type BaseRelocationEntryD struct {
	Data uint16 // per the PE spec: top 4 bits are the type (see RelocationTypes), low 12 bits the offset from the block's VirtualAddress
}

BaseRelocationEntryD raw field data read from the file

type BoundForwarderRef

// BoundForwarderRef wraps one bound-import forwarder reference
// (BoundForwarderRefD) together with where it was found in the file.
type BoundForwarderRef struct {
	Data       BoundForwarderRefD // raw fields as read from the file
	FileOffset uint32             // presumably the file offset Data was read from — confirm against the reader
	Size       uint32             // presumably the byte length of Data in the file
}

BoundForwarderRef wrapper

func (*BoundForwarderRef) String

func (bfr *BoundForwarderRef) String() string

type BoundForwarderRefD

// BoundForwarderRefD is a raw bound-import forwarder reference as read from the
// file. Field order and widths presumably mirror the on-disk layout; do not
// reorder.
type BoundForwarderRefD struct {
	TimeDateStamp    uint32 // timestamp of the referenced module
	OffsetModuleName uint16 // offset of the module name, relative to the start of the bound-import table (PE spec); bounds-check before dereferencing
	Reserved         uint16
}

BoundForwarderRefD raw field data from file

type BoundImportDescriptor

// BoundImportDescriptor wraps one bound-import descriptor
// (BoundImportDescriptorD) together with where it was found in the file.
type BoundImportDescriptor struct {
	Data       BoundImportDescriptorD // raw fields as read from the file
	FileOffset uint32                 // presumably the file offset Data was read from — confirm against the reader
	Size       uint32                 // presumably the byte length of Data in the file
}

BoundImportDescriptor wrapper

func (*BoundImportDescriptor) String

func (bid *BoundImportDescriptor) String() string

type BoundImportDescriptorD

// BoundImportDescriptorD is a raw bound-import descriptor as read from the
// file. Field order and widths presumably mirror the on-disk layout; do not
// reorder.
type BoundImportDescriptorD struct {
	TimeDateStamp               uint32 // timestamp of the bound module
	OffsetModuleName            uint16 // offset of the module name, relative to the start of the bound-import table (PE spec); bounds-check before dereferencing
	NumberOfModuleForwarderRefs uint16 // count of BoundForwarderRefD records that follow; file-controlled, so bound it before allocating or iterating
}

BoundImportDescriptorD raw field data read from file

type COFFFileHeader

// COFFFileHeader wraps the raw COFF file header (COFFFileHeaderD) with its
// location in the file and the decoded characteristic flags.
type COFFFileHeader struct {
	Data       COFFFileHeaderD // raw fields as read from the file
	FileOffset uint32          // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool // ImageCharacteristics names set in Data.Characteristics; presumably filled by SetFlags
	Size       uint32          // presumably the byte length of Data in the file
}

COFFFileHeader wrapper

func (*COFFFileHeader) String

func (fh *COFFFileHeader) String() string

type COFFFileHeaderD

// COFFFileHeaderD is the raw COFF file header as read from the file. Field
// order and widths presumably mirror the on-disk layout; do not reorder.
type COFFFileHeaderD struct {
	Machine              uint16 // target architecture; see MachineTypes (also uint16)
	NumberOfSections     uint16 // number of SectionHeaderD records that follow the optional header; file-controlled, so bound it against the file size before reading them
	TimeDateStamp        uint32
	PointerToSymbolTable uint32 // file offset of the COFF symbol table, if any
	NumberOfSymbols      uint32
	SizeOfOptionalHeader uint16 // byte length of the optional header; should be checked against the size implied by the optional header's Magic before that header is read
	Characteristics      uint16 // bit flags; see ImageCharacteristics (uint32, so widen before SetFlags)
}

COFFFileHeaderD raw data field read from the file

type DataDirectory

// DataDirectory wraps one data-directory slot (DataDirectoryD) with its
// location in the file and its slot name.
type DataDirectory struct {
	Data       DataDirectoryD // raw RVA/size pair as read from the file
	FileOffset uint32         // presumably the file offset Data was read from — confirm against the reader
	Name       string         // presumably the DirectoryEntryTypes name of this slot — confirm against the reader
	Size       uint32         // presumably the byte length of Data in the file (not the directory's own size, which is Data.Size)
}

DataDirectory wrapper

func (*DataDirectory) String

func (dd *DataDirectory) String() string

type DataDirectoryD

// DataDirectoryD is one raw data-directory entry as read from the file.
// Field order presumably mirrors the on-disk layout; do not reorder.
type DataDirectoryD struct {
	VirtualAddress uint32 // RVA of the directory's data; 0 when the directory is absent
	Size           uint32 // byte length of the directory's data; file-controlled, so clamp it to the containing section before reading
}

DataDirectoryD raw data field read from the file

type DebugDirectory

// DebugDirectory wraps one debug-directory entry (DebugDirectoryD) with its
// location in the file and decoded flags.
type DebugDirectory struct {
	Data       DebugDirectoryD // raw fields as read from the file
	FileOffset uint32          // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool // presumably filled by SetFlags; which table it is checked against is not visible here
	Size       uint32          // presumably the byte length of Data in the file
}

DebugDirectory wrapper

func (*DebugDirectory) String

func (dd *DebugDirectory) String() string

type DebugDirectoryD

// DebugDirectoryD is one raw debug-directory entry as read from the file.
// Field order and widths presumably mirror the on-disk layout; do not reorder.
type DebugDirectoryD struct {
	Characteristics  uint32
	TimeDateStamp    uint32
	MajorVersion     uint16
	MinorVersion     uint16
	Type             uint32 // see DebugTypes
	SizeOfData       uint32 // byte length of the debug data; file-controlled, so clamp before reading
	AddressOfRawData uint32 // RVA of the debug data when mapped
	PointerToRawData uint32 // file offset of the debug data; validate against the file size before use
}

DebugDirectoryD raw field data read from the file

type DelayImportDescriptor

// DelayImportDescriptor wraps one delay-load import descriptor
// (DelayImportDescriptorD) with its location in the file and decoded flags.
type DelayImportDescriptor struct {
	Data       DelayImportDescriptorD // raw fields as read from the file
	FileOffset uint32                 // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool        // presumably filled by SetFlags from Data.DIgrAttrs — confirm against the reader
	Size       uint32                 // presumably the byte length of Data in the file
}

DelayImportDescriptor wrapper

func (*DelayImportDescriptor) String

func (did *DelayImportDescriptor) String() string

type DelayImportDescriptorD

// DelayImportDescriptorD is one raw delay-load import descriptor as read from
// the file. The field names keep the "DI" prefix plus the Hungarian names of
// the Windows ImgDelayDescr structure. Field order and widths presumably
// mirror the on-disk layout; do not reorder.
type DelayImportDescriptorD struct {
	DIgrAttrs     uint32 // attributes
	DIszName      uint32 // RVA of the DLL name string
	DIphmod       uint32 // RVA of the module handle slot
	DIpIAT        uint32 // RVA of the delay-load import address table
	DIpINT        uint32 // RVA of the import name table
	DIpBoundIAT   uint32 // RVA of the bound IAT, if any
	DIpUnloadIAT  uint32 // RVA of the unload IAT, if any
	DIdwTimeStamp uint32 // timestamp of the bound DLL, if bound
}

DelayImportDescriptorD raw data field read from the file

type DosHeader

// DosHeader wraps the raw DOS ("MZ") header (DosHeaderD) with its location in
// the file.
type DosHeader struct {
	Data       DosHeaderD      // raw fields as read from the file
	FileOffset uint32          // presumably 0, the start of the file — confirm against the reader
	Flags      map[string]bool // presumably filled by SetFlags; no flag table for the DOS header is visible in this package
	Size       uint32          // presumably the byte length of Data in the file
}

DosHeader wrapper

func (*DosHeader) String

func (dh *DosHeader) String() string

type DosHeaderD

// DosHeaderD is the raw DOS header as read from the file. Only E_magic and
// E_lfanew matter for PE parsing; the rest are legacy MS-DOS loader fields.
// Field names keep the e_* spelling of the Windows IMAGE_DOS_HEADER. Field
// order and widths presumably mirror the on-disk layout; do not reorder.
type DosHeaderD struct {
	E_magic    uint16 // presumably compared against IMAGE_DOS_SIGNATURE ("MZ")
	E_cblp     uint16
	E_cp       uint16
	E_crlc     uint16
	E_cparhd   uint16
	E_minalloc uint16
	E_maxalloc uint16
	E_ss       uint16
	E_sp       uint16
	E_csum     uint16
	E_ip       uint16
	E_cs       uint16
	E_lfarlc   uint16
	E_ovno     uint16
	E_res      [8]uint8
	E_oemid    uint16
	E_oeminfo  uint16
	E_res2     [20]uint8
	E_lfanew   uint32 // file offset of the NT headers; file-controlled, so validate it (plus the NT/COFF header sizes) against the file size before reading there
}

DosHeaderD raw data field read from the file

type ExportData

// ExportData is one resolved export: its ordinal, address and, when present,
// name and forwarder string, each paired with the file offset it came from.
type ExportData struct {
	Ordinal         uint16
	OrdinalOffset   uint32 // file offset the ordinal was read from (presumably)
	Address         uint32 // RVA of the exported symbol, or of the forwarder string when Forwarder is set
	AddressOffset   uint32 // file offset the address was read from (presumably)
	Name            []byte // export name, nil/empty for ordinal-only exports; NOTE(review): if this aliases the mapping it is invalid after PEFile.Close — confirm
	NameOffset      uint32 // file offset the name was read from (presumably)
	Forwarder       []byte // "DLL.Symbol" forwarder string when the export is forwarded; same aliasing caveat as Name
	ForwarderOffset uint32
}

ExportData wrapper

func (ExportData) String

func (ed ExportData) String() string

type ExportDirectory

// ExportDirectory wraps the raw export directory (ExportDirectoryD) with its
// location in the file and the resolved export list.
type ExportDirectory struct {
	Data       ExportDirectoryD // raw fields as read from the file
	FileOffset uint32           // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool  // presumably filled by SetFlags; no export flag table is visible in this package
	Exports    []ExportData     // one entry per resolved export
	Size       uint32           // presumably the byte length of Data in the file
}

ExportDirectory wrapper

func (*ExportDirectory) String

func (ed *ExportDirectory) String() string

type ExportDirectoryD

// ExportDirectoryD is the raw export directory as read from the file. Field
// order and widths presumably mirror the on-disk layout; do not reorder.
// The three counts and three RVAs are file-controlled: bound the counts against
// the section that holds the tables before allocating or iterating, and check
// each RVA resolves inside the image.
type ExportDirectoryD struct {
	Characteristics       uint32
	TimeDateStamp         uint32
	MajorVersion          uint16
	MinorVersion          uint16
	Name                  uint32 // RVA of the exporting module's name
	Base                  uint32 // ordinal base; Ordinal = Base + index into the address table (PE spec)
	NumberOfFunctions     uint32 // entries in the address table
	NumberOfNames         uint32 // entries in the name and name-ordinal tables
	AddressOfFunctions    uint32 // RVA of the export address table
	AddressOfNames        uint32 // RVA of the name pointer table
	AddressOfNameOrdinals uint32 // RVA of the ordinal table (uint16 entries)
}

ExportDirectoryD raw data field read from the file

type ImportData

// ImportData is one resolved 32-bit import. Unlike ImportData64, which holds
// its thunks by pointer, StructTable and StructIat are embedded by value.
type ImportData struct {
	StructTable      ThunkData // thunk from the import name table (original first thunk)
	StructIat        ThunkData // thunk from the import address table
	ImportByOrdinal  bool      // true when the thunk's top bit (IMAGE_ORDINAL_FLAG) is set, presumably
	Ordinal          uint32    // meaningful only when ImportByOrdinal
	OrdinalOffset    uint32
	Hint             uint16    // hint from the hint/name entry; meaningful only when imported by name
	Name             []byte    // import name; NOTE(review): if this aliases the mapping it is invalid after PEFile.Close — confirm
	NameOffset       uint32
	Bound            uint32
	Address          uint32
	HintNameTableRva uint32
	ThunkOffset      uint32 // file offset of the thunk (presumably)
	ThunkRva         uint32 // RVA of the thunk (presumably)
}

ImportData wrapper

func (ImportData) String

func (id ImportData) String() string

type ImportData64

// ImportData64 is one resolved 64-bit (PE32+) import. Unlike ImportData, the
// thunks are held by pointer here, so callers must nil-check StructTable and
// StructIat before dereferencing them.
type ImportData64 struct {
	StructTable      *ThunkData64 // thunk from the import name table; may be nil
	StructIat        *ThunkData64 // thunk from the import address table; may be nil
	ImportByOrdinal  bool         // true when the thunk's top bit (IMAGE_ORDINAL_FLAG64) is set, presumably
	Ordinal          uint64       // meaningful only when ImportByOrdinal
	OrdinalOffset    uint64
	Hint             uint16       // hint from the hint/name entry; meaningful only when imported by name
	Name             []byte       // import name; NOTE(review): if this aliases the mapping it is invalid after PEFile.Close — confirm
	NameOffset       uint64
	Bound            uint64
	Address          uint64
	HintNameTableRva uint64
	ThunkOffset      uint64 // file offset of the thunk (presumably)
	ThunkRva         uint64 // RVA of the thunk (presumably)
}

ImportData64 64-bit version wrapper

func (ImportData64) String

func (id ImportData64) String() string

type ImportDescriptor

// ImportDescriptor wraps one import descriptor (ImportDescriptorD) with its
// location in the file, the DLL name and the resolved imports. Only one of
// Imports / Imports64 is expected to be populated, depending on whether the
// image is PE or PE32+ — confirm against the reader.
type ImportDescriptor struct {
	Data       ImportDescriptorD // raw fields as read from the file
	FileOffset uint32            // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool   // presumably filled by SetFlags; no import flag table is visible in this package
	Dll        []byte            // DLL name; NOTE(review): if this aliases the mapping it is invalid after PEFile.Close — confirm
	Imports    []ImportData      // 32-bit imports
	Imports64  []ImportData64    // 64-bit imports
	Size       uint32            // presumably the byte length of Data in the file
}

ImportDescriptor wrapper

func (*ImportDescriptor) String

func (id *ImportDescriptor) String() string

type ImportDescriptorD

// ImportDescriptorD is one raw import descriptor as read from the file. An
// all-zero descriptor terminates the table (PE spec). Field order and widths
// presumably mirror the on-disk layout; do not reorder.
type ImportDescriptorD struct {
	Characteristics uint32 // also the OriginalFirstThunk: RVA of the import name table (PE spec union)
	TimeDateStamp   uint32 // 0 when not bound
	ForwarderChain  uint32
	Name            uint32 // RVA of the DLL name string; check it resolves inside the image before reading
	FirstThunk      uint32 // RVA of the import address table
}

ImportDescriptorD raw data field read from the file

type LoadConfigDirectory

// LoadConfigDirectory wraps the raw 32-bit load-config directory
// (LoadConfigDirectoryD) with its location in the file and decoded flags.
type LoadConfigDirectory struct {
	Data       LoadConfigDirectoryD // raw fields as read from the file
	FileOffset uint32               // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool      // presumably filled by SetFlags; no load-config flag table is visible in this package
	Size       uint32               // presumably the byte length of Data in the file
}

LoadConfigDirectory wrapper

func (*LoadConfigDirectory) String

func (lcd *LoadConfigDirectory) String() string

type LoadConfigDirectory64

// LoadConfigDirectory64 wraps the raw 64-bit load-config directory
// (LoadConfigDirectory64D) with its location in the file and decoded flags.
type LoadConfigDirectory64 struct {
	Data       LoadConfigDirectory64D // raw fields as read from the file
	FileOffset uint32                 // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool        // presumably filled by SetFlags; no load-config flag table is visible in this package
	Size       uint32                 // presumably the byte length of Data in the file
}

LoadConfigDirectory64 wrapper

func (*LoadConfigDirectory64) String

func (lcd *LoadConfigDirectory64) String() string

type LoadConfigDirectory64D

// LoadConfigDirectory64D is the raw PE32+ load-config directory as read from
// the file. Pointer-sized fields are uint64 here, and ProcessAffinityMask
// precedes ProcessHeapFlags, the opposite order from LoadConfigDirectoryD.
// Field order and widths presumably mirror the on-disk layout; do not reorder.
// Older images declare a shorter structure: Size says how many bytes are
// actually present, so fields past Size hold whatever followed in the file and
// should not be trusted. The SecurityCookie, SEHandler* and GuardCF* fields are
// the ones a mitigation audit (/GS, SafeSEH, CFG) reads.
type LoadConfigDirectory64D struct {
	Size                          uint32 // bytes of this structure present in the image; clamp field use to it
	TimeDateStamp                 uint32
	MajorVersion                  uint16
	MinorVersion                  uint16
	GlobalFlagsClear              uint32
	GlobalFlagsSet                uint32
	CriticalSectionDefaultTimeout uint32
	DeCommitFreeBlockThreshold    uint64
	DeCommitTotalFreeThreshold    uint64
	LockPrefixTable               uint64 // VA
	MaximumAllocationSize         uint64
	VirtualMemoryThreshold        uint64
	ProcessAffinityMask           uint64 // note: before ProcessHeapFlags here, after it in the 32-bit layout
	ProcessHeapFlags              uint32
	CSDVersion                    uint16
	Reserved1                     uint16
	EditList                      uint64 // VA
	SecurityCookie                uint64 // VA of the stack-cookie seed; 0 means no /GS cookie
	SEHandlerTable                uint64 // VA of the SafeSEH handler table (x86 only in practice)
	SEHandlerCount                uint64
	GuardCFCheckFunctionPointer   uint64 // VA
	Reserved2                     uint64
	GuardCFFunctionTable          uint64 // VA
	GuardCFFunctionCount          uint64 // file-controlled count; bound before iterating
	GuardFlags                    uint32
}

LoadConfigDirectory64D raw field data read from file

type LoadConfigDirectoryD

// LoadConfigDirectoryD is the raw PE32 load-config directory as read from the
// file. Pointer-sized fields are uint32 here, and ProcessHeapFlags precedes
// ProcessAffinityMask, the opposite order from LoadConfigDirectory64D. Field
// order and widths presumably mirror the on-disk layout; do not reorder.
// Older images declare a shorter structure: Size says how many bytes are
// actually present, so fields past Size hold whatever followed in the file and
// should not be trusted. The SecurityCookie, SEHandler* and GuardCF* fields are
// the ones a mitigation audit (/GS, SafeSEH, CFG) reads.
type LoadConfigDirectoryD struct {
	Size                          uint32 // bytes of this structure present in the image; clamp field use to it
	TimeDateStamp                 uint32
	MajorVersion                  uint16
	MinorVersion                  uint16
	GlobalFlagsClear              uint32
	GlobalFlagsSet                uint32
	CriticalSectionDefaultTimeout uint32
	DeCommitFreeBlockThreshold    uint32
	DeCommitTotalFreeThreshold    uint32
	LockPrefixTable               uint32 // VA
	MaximumAllocationSize         uint32
	VirtualMemoryThreshold        uint32
	ProcessHeapFlags              uint32 // note: before ProcessAffinityMask here, after it in the 64-bit layout
	ProcessAffinityMask           uint32
	CSDVersion                    uint16
	Reserved1                     uint16
	EditList                      uint32 // VA
	SecurityCookie                uint32 // VA of the stack-cookie seed; 0 means no /GS cookie
	SEHandlerTable                uint32 // VA of the SafeSEH handler table
	SEHandlerCount                uint32 // file-controlled count; bound before iterating
	GuardCFCheckFunctionPointer   uint32 // VA
	Reserved2                     uint32
	GuardCFFunctionTable          uint32 // VA
	GuardCFFunctionCount          uint32 // file-controlled count; bound before iterating
	GuardFlags                    uint32
}

LoadConfigDirectoryD raw field contents read from the file

type NTHeader

// NTHeader wraps the raw "PE\0\0" signature header (NTHeaderD) with its
// location in the file.
type NTHeader struct {
	Data       NTHeaderD       // raw signature as read from the file
	FileOffset uint32          // presumably DosHeaderD.E_lfanew — confirm against the reader
	Flags      map[string]bool // presumably filled by SetFlags; no flag table applies to a bare signature
	Size       uint32          // presumably the byte length of Data in the file
}

NTHeader wrapper

func (*NTHeader) String

func (nth *NTHeader) String() string

type NTHeaderD

// NTHeaderD is the raw NT signature as read from the file.
type NTHeaderD struct {
	Signature uint32 // presumably compared against IMAGE_NT_SIGNATURE ("PE\0\0")
}

NTHeaderD raw data field read from the file

type OptionalHeader

// OptionalHeader wraps the raw PE32 optional header (OptionalHeaderD) with its
// location in the file, decoded flags and the data directories that follow it.
// Field order differs cosmetically from OptionalHeader64 (Size before DataDirs
// here, after it there); this is a Go struct, not an on-disk layout, so it has
// no effect on parsing.
type OptionalHeader struct {
	Data       OptionalHeaderD          // raw fields as read from the file
	FileOffset uint32                   // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool          // presumably the DllCharacteristics names set in Data.DllCharacteristics, via SetFlags — confirm
	Size       uint32                   // presumably the byte length of Data in the file
	DataDirs   map[string]DataDirectory // presumably keyed by DirectoryEntryTypes name; absent keys mean the directory was not present/read
}

OptionalHeader wrapper

func (*OptionalHeader) String

func (od *OptionalHeader) String() string

type OptionalHeader64

// OptionalHeader64 wraps the raw PE32+ optional header (OptionalHeader64D) with
// its location in the file, decoded flags and the data directories that follow
// it.
type OptionalHeader64 struct {
	Data       OptionalHeader64D        // raw fields as read from the file
	FileOffset uint32                   // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool          // presumably the DllCharacteristics names set in Data.DllCharacteristics, via SetFlags — confirm
	DataDirs   map[string]DataDirectory // presumably keyed by DirectoryEntryTypes name; absent keys mean the directory was not present/read
	Size       uint32                   // presumably the byte length of Data in the file
}

OptionalHeader64 wrapper

func (*OptionalHeader64) String

func (oh *OptionalHeader64) String() string

type OptionalHeader64D

// OptionalHeader64D is the raw PE32+ optional header as read from the file.
// Field order and widths presumably mirror the on-disk layout; do not reorder.
//
// NOTE(review): the PE32+ optional header has no BaseOfData field; per the PE
// spec the eight bytes after BaseOfCode are a single 64-bit ImageBase. With the
// two uint32 fields declared here, a little-endian reader would put the low
// dword of the real image base into BaseOfData and the high dword into
// ImageBase (e.g. ImageBase would read as 0x1 for an image based at
// 0x1_4000_0000). The total struct size still matches, so every later field
// lands correctly, but ImageBase is wrong for any PE32+ image based above
// 4 GiB — which is the common case for 64-bit binaries. The existing comment on
// SizeOfStackReserve suggests the author believed the layouts diverge only
// there. Changing this to `ImageBase uint64` removes BaseOfData from the public
// API, so it is flagged rather than fixed here; confirm against the reader and
// a PE32+ sample before using ImageBase for RVA-to-VA arithmetic.
type OptionalHeader64D struct {
	Magic                       uint16 // expected OPTIONAL_HEADER_MAGIC_PE_PLUS
	MajorLinkerVersion          uint8
	MinorLinkerVersion          uint8
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32 // RVA of the entry point
	BaseOfCode                  uint32
	BaseOfData                  uint32 // NOTE(review): not a PE32+ field; holds the low dword of the 64-bit ImageBase — see the type comment
	ImageBase                   uint32 // NOTE(review): holds only the high dword of the 64-bit ImageBase — see the type comment
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Reserved1                   uint32 // Win32VersionValue in the PE spec
	SizeOfImage                 uint32
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16 // see SubsystemTypes
	DllCharacteristics          uint16 // bit flags; see DllCharacteristics
	SizeOfStackReserve          uint64 // Different after this point, specific checks needed
	SizeOfStackCommit           uint64
	SizeOfHeapReserve           uint64
	SizeOfHeapCommit            uint64
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32 // count of DataDirectoryD entries that follow; file-controlled, clamp to IMAGE_NUMBEROF_DIRECTORY_ENTRIES before reading them
}

OptionalHeader64D raw data field read from the file

type OptionalHeaderD

// OptionalHeaderD is the raw PE32 (32-bit) optional header as read from the
// file. Unlike PE32+, the PE32 layout really does carry a BaseOfData field and a
// 32-bit ImageBase, and the stack/heap sizes are 32-bit. Field order and widths
// presumably mirror the on-disk layout; do not reorder.
type OptionalHeaderD struct {
	Magic                       uint16 // expected OPTIONAL_HEADER_MAGIC_PE
	MajorLinkerVersion          uint8
	MinorLinkerVersion          uint8
	SizeOfCode                  uint32
	SizeOfInitializedData       uint32
	SizeOfUninitializedData     uint32
	AddressOfEntryPoint         uint32 // RVA of the entry point
	BaseOfCode                  uint32
	BaseOfData                  uint32
	ImageBase                   uint32 // preferred load address
	SectionAlignment            uint32
	FileAlignment               uint32
	MajorOperatingSystemVersion uint16
	MinorOperatingSystemVersion uint16
	MajorImageVersion           uint16
	MinorImageVersion           uint16
	MajorSubsystemVersion       uint16
	MinorSubsystemVersion       uint16
	Reserved1                   uint32 // Win32VersionValue in the PE spec
	SizeOfImage                 uint32
	SizeOfHeaders               uint32
	CheckSum                    uint32
	Subsystem                   uint16 // see SubsystemTypes
	DllCharacteristics          uint16 // bit flags; see DllCharacteristics
	SizeOfStackReserve          uint32
	SizeOfStackCommit           uint32
	SizeOfHeapReserve           uint32
	SizeOfHeapCommit            uint32
	LoaderFlags                 uint32
	NumberOfRvaAndSizes         uint32 // count of DataDirectoryD entries that follow; file-controlled, clamp to IMAGE_NUMBEROF_DIRECTORY_ENTRIES before reading them
}

OptionalHeaderD raw data field read from the file

type PEFile

// PEFile is a representation of the PE/COFF file with some helpful
// abstractions. It is produced by NewPEFile, which memory-maps the file, and
// released by Close; byte slices handed out by the parsed structures may alias
// that mapping, so they must not be used after Close (presumably — confirm
// against the reader).
type PEFile struct {
	Filename          string
	DosHeader         DosHeader
	NTHeader          NTHeader
	COFFFileHeader    COFFFileHeader
	OptionalHeader    *OptionalHeader   // set for PE32 images; nil otherwise (presumably)
	OptionalHeader64  *OptionalHeader64 // set for PE32+ images; nil otherwise (presumably) — nil-check both before use
	Sections          []SectionHeader
	ImportDescriptors []ImportDescriptor
	ExportDirectory   *ExportDirectory // nil when the image has no export directory (presumably)
	Errors            []error          // presumably non-fatal problems met while parsing; check before trusting the other fields as complete
	// contains filtered or unexported fields
}

PEFile is a representation of the PE/COFF file with some helpful abstractions

func NewPEFile

func NewPEFile(filename string) (pe *PEFile, err error)

NewPEFile attempts to parse a PE file from a file on disk, using mmap.

func (*PEFile) Close

func (pe *PEFile) Close() error

Close unmaps the memory mapped DLL file. Any structure retrievals after calling Close are invalidated.

type ResourceDataEntry

// ResourceDataEntry wraps one resource data entry (ResourceDataEntryD) with its
// location in the file.
type ResourceDataEntry struct {
	Data       ResourceDataEntryD // raw fields as read from the file
	FileOffset uint32             // presumably the file offset Data was read from — confirm against the reader
	Size       uint32             // presumably the byte length of Data in the file (the resource's own size is Data.Size)
}

ResourceDataEntry wrapper

func (*ResourceDataEntry) String

func (rde *ResourceDataEntry) String() string

type ResourceDataEntryD

// ResourceDataEntryD is one raw resource data entry (a leaf of the resource
// tree) as read from the file. Field order presumably mirrors the on-disk
// layout; do not reorder.
type ResourceDataEntryD struct {
	OffsetToData uint32 // RVA of the resource bytes (not an offset into the resource section, despite the name)
	Size         uint32 // byte length of the resource; file-controlled, clamp before reading
	CodePage     uint32
	Reserved     uint32
}

ResourceDataEntryD raw data field read from the file

type ResourceDirectory

// ResourceDirectory wraps one resource directory table (ResourceDirectoryD)
// with its location in the file and decoded flags.
type ResourceDirectory struct {
	Data       ResourceDirectoryD // raw fields as read from the file
	FileOffset uint32             // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool    // presumably filled by SetFlags; no resource flag table is visible in this package
	Size       uint32             // presumably the byte length of Data in the file
}

ResourceDirectory wrapper

func (*ResourceDirectory) String

func (rd *ResourceDirectory) String() string

type ResourceDirectoryD

// ResourceDirectoryD is one raw resource directory table as read from the
// file. Field order and widths presumably mirror the on-disk layout; do not
// reorder. The two counts are file-controlled and bound the
// ResourceDirectoryEntryD records that follow; check them against the resource
// section before iterating, and cap recursion depth when walking
// subdirectories, since a crafted tree can loop back on itself.
type ResourceDirectoryD struct {
	Characteristics      uint32
	TimeDateStamp        uint32
	MajorVersion         uint16
	MinorVersion         uint16
	NumberOfNamedEntries uint16 // named entries come first
	NumberOfIDEntries    uint16 // ID entries follow the named ones
}

ResourceDirectoryD raw data field read from the file

type ResourceDirectoryEntry

// ResourceDirectoryEntry wraps one resource directory entry
// (ResourceDirectoryEntryD) with its location in the file.
type ResourceDirectoryEntry struct {
	Data       ResourceDirectoryEntryD // raw fields as read from the file
	FileOffset uint32                  // presumably the file offset Data was read from — confirm against the reader
	Size       uint32                  // presumably the byte length of Data in the file
}

ResourceDirectoryEntry wrapper

func (*ResourceDirectoryEntry) String

func (rde *ResourceDirectoryEntry) String() string

type ResourceDirectoryEntryD

// ResourceDirectoryEntryD is one raw resource directory entry as read from the
// file. Both fields are tagged by their top bit (PE spec); the low 31 bits are
// offsets relative to the start of the resource section, so they must be
// bounds-checked against that section.
type ResourceDirectoryEntryD struct {
	Name         uint32 // top bit set: offset of a name string; clear: integer ID (see ResourceType at the first level)
	OffsetToData uint32 // top bit set: offset of a ResourceDirectoryD subdirectory; clear: offset of a ResourceDataEntryD
}

ResourceDirectoryEntryD raw data field read from the file

type SectionHeader

// SectionHeader wraps one section header (SectionHeaderD) with its location in
// the file and decoded characteristic flags.
type SectionHeader struct {
	Data           SectionHeaderD  // raw fields as read from the file
	FileOffset     uint32          // presumably the file offset Data was read from — confirm against the reader
	Flags          map[string]bool // SectionCharacteristics names set in Data.Characteristics; presumably via SetFlags (see that table's notes on aliases and the ALIGN_* field)
	Size           uint32          // presumably the byte length of Data in the file
	NextHeaderAddr uint32          // presumably the file offset of the following section header — confirm against the reader
}

SectionHeader wrapper

func (*SectionHeader) String

func (sh *SectionHeader) String() string

type SectionHeaderD

// SectionHeaderD is one raw section header as read from the file. Field order
// and widths presumably mirror the on-disk layout; do not reorder. The file
// range [PointerToRawData, PointerToRawData+SizeOfRawData) is file-controlled
// and is what section data is sliced from, so validate it against the file
// size (with overflow-safe arithmetic) before taking a slice of the mapping.
type SectionHeaderD struct {
	Name                 [8]uint8 // padded with NULs but not NUL-terminated when all 8 bytes are used (PE spec); trim, don't scan for a terminator
	Misc                 uint32   // VirtualSize / PhysicalAddress union in the PE spec; VirtualSize for images
	VirtualAddress       uint32   // RVA of the section when mapped
	SizeOfRawData        uint32   // bytes of section data in the file
	PointerToRawData     uint32   // file offset of the section data
	PointerToRelocations uint32
	PointerToLinenumbers uint32
	NumberOfRelocations  uint16
	NumberOfLinenumbers  uint16
	Characteristics      uint32 // bit flags; see SectionCharacteristics
}

SectionHeaderD raw data field read from the file

type String

// String wraps one version-resource String entry (StringD) with its location
// in the file. Note the type is itself named String and also has a String()
// method, which reads oddly but is legal Go.
type String struct {
	Data       StringD // raw header fields as read from the file
	FileOffset uint32  // presumably the file offset Data was read from — confirm against the reader
	Size       uint32  // presumably the byte length of Data in the file
}

String table entry wrapper

func (*String) String

func (s *String) String() string

type StringD

// StringD is the raw header of a version-resource String entry as read from
// the file. It has the same three-field layout as StringFileInfoD, StringTableD,
// VSVersionInfoD and VarD; per the version-resource format the header is
// followed by a UTF-16 key, padding and the value. Length is file-controlled and
// bounds the whole entry, so clamp it to the enclosing entry before walking.
type StringD struct {
	Length      uint16 // total entry length in bytes, header included
	ValueLength uint16 // length of the value that follows the key
	Type        uint16 // 1 for text data, 0 for binary (version-resource format)
}

StringD raw data field read from the file

type StringFileInfo

// StringFileInfo wraps one version-resource StringFileInfo block
// (StringFileInfoD) with its location in the file.
type StringFileInfo struct {
	Data       StringFileInfoD // raw header fields as read from the file
	FileOffset uint32          // presumably the file offset Data was read from — confirm against the reader
	Size       uint32          // presumably the byte length of Data in the file
}

StringFileInfo wrapper

func (*StringFileInfo) String

func (s *StringFileInfo) String() string

type StringFileInfoD

// StringFileInfoD is the raw header of a version-resource StringFileInfo block
// as read from the file. Same layout as StringD, StringTableD, VSVersionInfoD
// and VarD; Length is file-controlled and bounds the children, so clamp it to
// the enclosing entry before walking.
type StringFileInfoD struct {
	Length      uint16 // total block length in bytes, header included
	ValueLength uint16 // always 0 for this block type (version-resource format)
	Type        uint16
}

StringFileInfoD raw data field read from the file

type StringTable

// StringTable wraps one version-resource StringTable block (StringTableD) with
// its location in the file.
type StringTable struct {
	Data       StringTableD // raw header fields as read from the file
	FileOffset uint32       // presumably the file offset Data was read from — confirm against the reader
	Size       uint32       // presumably the byte length of Data in the file
}

StringTable wrapper

func (*StringTable) String

func (s *StringTable) String() string

type StringTableD

// StringTableD is the raw header of a version-resource StringTable block as
// read from the file. Same layout as StringD, StringFileInfoD, VSVersionInfoD
// and VarD; Length is file-controlled and bounds the children, so clamp it to
// the enclosing entry before walking.
type StringTableD struct {
	Length      uint16 // total block length in bytes, header included
	ValueLength uint16 // always 0 for this block type (version-resource format)
	Type        uint16
}

StringTableD raw data field read from the file

type TLSDirectory

// TLSDirectory wraps the raw 32-bit TLS directory (TLSDirectoryD) with its
// location in the file and decoded flags.
type TLSDirectory struct {
	Data       TLSDirectoryD   // raw fields as read from the file
	FileOffset uint32          // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool // presumably filled by SetFlags from Data.Characteristics — confirm against the reader
	Size       uint32          // presumably the byte length of Data in the file
}

TLSDirectory wrapper

func (*TLSDirectory) String

func (tlsd *TLSDirectory) String() string

type TLSDirectory64

// TLSDirectory64 wraps the raw PE32+ TLS directory (TLSDirectory64D) with its
// location in the file and decoded flags.
type TLSDirectory64 struct {
	Data       TLSDirectory64D // raw fields as read from the file
	FileOffset uint32          // presumably the file offset Data was read from — confirm against the reader
	Flags      map[string]bool // presumably filled by SetFlags from Data.Characteristics — confirm against the reader
	Size       uint32          // presumably the byte length of Data in the file
}

TLSDirectory64 wrapper

func (*TLSDirectory64) String

func (tlsd *TLSDirectory64) String() string

type TLSDirectory64D

// TLSDirectory64D is the raw PE32+ TLS directory as read from the file. The
// first four fields are virtual addresses (not RVAs), so ImageBase must be
// subtracted before they can be resolved into the file. Field order and widths
// presumably mirror the on-disk layout; do not reorder. TLS callbacks run before
// the entry point, so triage tooling usually lists the AddressOfCallBacks array.
type TLSDirectory64D struct {
	StartAddressOfRawData uint64 // VA of the TLS template start
	EndAddressOfRawData   uint64 // VA of the TLS template end
	AddressOfIndex        uint64 // VA of the TLS index slot
	AddressOfCallBacks    uint64 // VA of a NULL-terminated array of callback VAs; cap the walk, since the terminator is file-controlled
	SizeOfZeroFill        uint32
	Characteristics       uint32 // alignment field in the top bits (PE spec)
}

TLSDirectory64D raw field data read from the file

type TLSDirectoryD

// TLSDirectoryD is the raw PE32 TLS directory as read from the file. The first
// four fields are virtual addresses (not RVAs), so ImageBase must be subtracted
// before they can be resolved into the file. Field order and widths presumably
// mirror the on-disk layout; do not reorder. TLS callbacks run before the entry
// point, so triage tooling usually lists the AddressOfCallBacks array.
type TLSDirectoryD struct {
	StartAddressOfRawData uint32 // VA of the TLS template start
	EndAddressOfRawData   uint32 // VA of the TLS template end
	AddressOfIndex        uint32 // VA of the TLS index slot
	AddressOfCallBacks    uint32 // VA of a NULL-terminated array of callback VAs; cap the walk, since the terminator is file-controlled
	SizeOfZeroFill        uint32
	Characteristics       uint32 // alignment field in the top bits (PE spec)
}

TLSDirectoryD raw field data read from the file

type ThunkData

// ThunkData wraps one 32-bit import thunk (ThunkDataD) with its location in
// the file.
type ThunkData struct {
	Data       ThunkDataD // raw thunk value as read from the file
	FileOffset uint32     // presumably the file offset Data was read from — confirm against the reader
	Size       uint32     // presumably the byte length of Data in the file
}

ThunkData wrapper

func (*ThunkData) String

func (t *ThunkData) String() string

type ThunkData64

// ThunkData64 wraps one 64-bit import thunk (ThunkData64D) with its location in
// the file.
type ThunkData64 struct {
	Data       ThunkData64D // raw thunk value as read from the file
	FileOffset uint32       // presumably the file offset Data was read from — confirm against the reader
	Size       uint32       // presumably the byte length of Data in the file
}

ThunkData64 wrapper

func (*ThunkData64) String

func (t *ThunkData64) String() string

type ThunkData64D

// ThunkData64D is one raw 64-bit import thunk as read from the file. A zero
// value terminates the thunk array (PE spec).
type ThunkData64D struct {
	AddressOfData uint64 // top bit (IMAGE_ORDINAL_FLAG64) set: low 16 bits are an ordinal; clear: RVA of the hint/name entry, which must be bounds-checked before reading
}

ThunkData64D raw field data read from the file

type ThunkDataD

// ThunkDataD is one raw 32-bit import thunk as read from the file. A zero value
// terminates the thunk array (PE spec).
type ThunkDataD struct {
	AddressOfData uint32 // top bit (IMAGE_ORDINAL_FLAG) set: low 16 bits are an ordinal; clear: RVA of the hint/name entry, which must be bounds-checked before reading
}

ThunkDataD raw field data read from the file

type VSFixedFileInfo

// VSFixedFileInfo wraps the raw fixed file-info block of a version resource
// (VSFixedFileInfoD) with its location in the file.
type VSFixedFileInfo struct {
	Data       VSFixedFileInfoD // raw fields as read from the file
	FileOffset uint32           // presumably the file offset Data was read from — confirm against the reader
	Size       uint32           // presumably the byte length of Data in the file
}

VSFixedFileInfo wrapper

func (*VSFixedFileInfo) String

func (v *VSFixedFileInfo) String() string

type VSFixedFileInfoD

// VSFixedFileInfoD is the raw VS_FIXEDFILEINFO block as read from the file.
// Field order presumably mirrors the on-disk layout; do not reorder. Versions
// are split into most/least significant dwords: e.g. the file version is
// (FileVersionMS>>16).(FileVersionMS&0xffff).(FileVersionLS>>16).(FileVersionLS&0xffff).
type VSFixedFileInfoD struct {
	Signature        uint32 // fixed magic identifying the block; validate before trusting the rest
	StrucVersion     uint32
	FileVersionMS    uint32 // major.minor
	FileVersionLS    uint32 // build.revision
	ProductVersionMS uint32
	ProductVersionLS uint32
	FileFlagsMask    uint32 // which bits of FileFlags are valid
	FileFlags        uint32
	FileOS           uint32
	FileType         uint32
	FileSubtype      uint32
	FileDateMS       uint32
	FileDateLS       uint32
}

VSFixedFileInfoD raw data field read from the file

type VSVersionInfo

// VSVersionInfo wraps the root VS_VERSIONINFO header of a version resource
// (VSVersionInfoD) with its location in the file.
type VSVersionInfo struct {
	Data       VSVersionInfoD // raw header fields as read from the file
	FileOffset uint32         // presumably the file offset Data was read from — confirm against the reader
	Size       uint32         // presumably the byte length of Data in the file
}

VSVersionInfo wrapper

func (*VSVersionInfo) String

func (v *VSVersionInfo) String() string

type VSVersionInfoD

// VSVersionInfoD is the raw header of the root VS_VERSIONINFO block as read from
// the file. Same layout as StringD, StringFileInfoD, StringTableD and VarD;
// Length is file-controlled and bounds the whole resource, so clamp it to the
// resource's size before walking the children.
type VSVersionInfoD struct {
	Length      uint16 // total block length in bytes, header included
	ValueLength uint16 // length of the VSFixedFileInfoD value that follows the key (0 if absent)
	Type        uint16
}

VSVersionInfoD raw data field read from the file

type Var

// Var wraps one version-resource Var entry (VarD) with its location in the
// file.
type Var struct {
	Data       VarD   // raw header fields as read from the file
	FileOffset uint32 // presumably the file offset Data was read from — confirm against the reader
	Size       uint32 // presumably the byte length of Data in the file
}

Var wrapper

func (*Var) String

func (v *Var) String() string

type VarD

// VarD is the raw header of a version-resource Var entry as read from the
// file. Same layout as StringD, StringFileInfoD, StringTableD and
// VSVersionInfoD; Length is file-controlled and bounds the entry, so clamp it
// to the enclosing entry before walking.
type VarD struct {
	Length      uint16 // total entry length in bytes, header included
	ValueLength uint16 // length of the value (language/code-page pairs) that follows the key
	Type        uint16
}

VarD raw data field read from the file

Directories
