README
¶
WIP
This project is a work in progress. The implementation is incomplete and subject to change. The documentation can be inaccurate.
pe
The pe project implements access to the Portable Executable (PE) file format.
Documentation
Documentation provided by GoDoc.
- pe: implements access to the Portable Executable (PE) file format.
Public domain
The source code and any original content of this repository is hereby released into the public domain.
Documentation
¶
Overview ¶
Package pe implements access to the Portable Executable (PE) file format.
ref: http://msdn.microsoft.com/en-us/gg463119.aspx ref: https://docs.microsoft.com/en-us/windows/desktop/debug/pe-format
Index ¶
- Constants
- type Arch
- type DLLFlag
- type DOSHeader
- type DataDirectory
- type FPOData
- type FPODataRaw
- type File
- func (file *File) DOSHeader() (doshdr *DOSHeader, err error)
- func (file *File) DOSStub() ([]byte, error)
- func (file *File) FileHeader() (fileHdr *FileHeader, err error)
- func (file *File) OptHeader() (opthdr *OptHeader, err error)
- func (file *File) Overlay() ([]byte, error)
- func (file *File) Parse() error
- func (file *File) SectHeaders() (sectHdrs []*SectHeader, err error)
- func (file *File) Section(sectHdr *SectHeader) (data []byte, err error)
- type FileHeader
- type Flag
- type FrameType
- type ImageDebugDirectory
- type ImageDebugType
- type OptHeader
- type OptHeader32
- type OptState
- type ReadAtSeeker
- type SectFlag
- type SectHeader
- type Subsystem
- type Time
Constants ¶
View Source
const ( DataDirExportTable = 0 // Export table. DataDirImportTable = 1 // Import table. DataDirResourceTable = 2 // Resource table. DataDirExceptionTable = 3 // Exception table. DataDirCertificateTable = 4 // Certificate table. DataDirBaseRelocationTable = 5 // Base relocation table. DataDirDebug = 6 // Debugging information. DataDirArchitecture = 7 // Architecture-specific data. DataDirGlobalPtr = 8 // Global pointer register. DataDirTLSTable = 9 // Thread local storage (TLS) table. DataDirLoadConfigTable = 10 // Load configuration table. DataDirBoundImport = 11 // Bound import table. DataDirIAT = 12 // Import address table. DataDirDelayImportDescriptor = 13 // Delay import descriptor. DataDirCLRHeader = 14 // CLR header. DataDirReserved = 15 // Reserved. )
Data directory indices.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Arch ¶
type Arch uint16
Arch specifies the architecture of the computer.
type DLLFlag ¶
type DLLFlag uint16
DLLFlag is a bitfield which specifies the DLL characteristics of an image.
const ( // DLLFlagDynBase indicates that the DLL can be relocated at load time. DLLFlagDynBase DLLFlag = 0x0040 // DLLFlagForceIntegrity forces code integrity checks. DLLFlagForceIntegrity DLLFlag = 0x0080 // DLLFlagCanDEP indicates that the image is compatible with data execution // prevention (DEP). DLLFlagCanDEP DLLFlag = 0x0100 // DLLFlagNoIsolation indicates that the image shouldn't be isolated. DLLFlagNoIsolation DLLFlag = 0x0200 // DLLFlagNoSEH indicates that the image doesn't use structured exception // handling (SEH). No handlers can be called in this image. DLLFlagNoSEH DLLFlag = 0x0400 // DLLFlagNoBind specifies that the linker shouldn't bind the image. DLLFlagNoBind DLLFlag = 0x0800 // DLLFlagWDMDriver represents a Windows Driver Model (WDM) driver. DLLFlagWDMDriver DLLFlag = 0x2000 // DLLFlagCanRDS indicates that the image is remove desktop service (RDS) // aware. DLLFlagCanRDS DLLFlag = 0x8000 )
DLL characteristics.
type DOSHeader ¶
type DOSHeader struct {
// Size of the last page in bytes. A page is normally 512 bytes, but the last
// page may contain between 1 and 512 bytes.
LastPageSize uint16
// Number of pages in the file.
NPage uint16
// Number of entires in the relocation table.
NReloc uint16
// Size of header in paragraphs. A paragraph is 16 bytes.
NHdrPar uint16
// Minimum extra paragraphs needed.
MinAlloc uint16
// Maximum extra paragraphs needed.
MaxAlloc uint16
// Initial (relative) SS value.
SS uint16
// Initial SP value.
SP uint16
// The checksum word contains the one's complement of the summation of all
// words in the executable file (excluding itself).
Checksum uint16
// Initial IP value.
IP uint16
// Initial (relative) CS value.
CS uint16
// File offset of the relocation table.
RelocTblOffset uint16
// Overlay number.
OverlayNum uint16
// Reserved.
Res [4]uint16
// OEM identifier (for OEMInfo).
OEMID uint16
// OEM information; OEMID specific.
OEMInfo uint16
// Reserved.
Res2 [10]uint16
// File offset of the PE header.
PEHdrOffset uint32
}
A DOSHeader contains information about the executable environment of 16-bit DOS binaries. It is prepended by the DOS signature: "MZ" (Mark Zbikowski).
type DataDirectory ¶
type DataDirectory struct {
// Relative address of the table.
RelAddr uint32
// Size of the table in bytes.
Size uint32
}
A DataDirectory contains the location and size of various data structures.
type FPOData ¶
type FPOData struct {
// The offset of the first byte of the function code.
OffsetStart uint32
// The number of bytes in the function.
FuncSize uint32
// The number of local variables.
NLocals uint64
// The size of the parameters, in bytes.
Params uint32
// The number of bytes in the function prolog code.
Prolog uint8
// The number of registers saved.
Regs uint8
// A variable that indicates whether the function uses structured
// exception handling.
HasSEH bool
// A variable that indicates whether the EBP register has been
// allocated.
UseBP bool
// Reserved for future use.
Reserved uint8
// A variable that indicates the frame type.
Frame FrameType
}
FPOData represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used. The structure is used to locate the base of the call frame.
func ParseFPOData ¶
func ParseFPOData(raw FPODataRaw) FPOData
ParseFPOData parses the given raw data structure as an FPO data structure.
type FPODataRaw ¶
type FPODataRaw struct {
// The offset of the first byte of the function code.
OffsetStart uint32
// The number of bytes in the function.
FuncSize uint32
// The number of local variables / 4.
NLocals uint32
// The size of the parameters / 4.
Params uint16
// The number of bytes in the function prolog code.
Prolog uint8
// Bitfield of data.
//
// // The number of registers saved.
// Regs : 3 bits
// // A variable that indicates whether the function uses structured
// // exception handling.
// HasSEH : 1 bit
// // A variable that indicates whether the EBP register has been
// // allocated.
// UseBP : 1 bit
// // Reserved for future use.
// Reserved : 1 bit
// // A variable that indicates the frame type.
// Frame : 2 bits
Bitfield uint8
}
FPODataRaw represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used. The structure is used to locate the base of the call frame.
ref: https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-fpo_data
type File ¶
File represents a Portable Executable (PE) file.
func New ¶
func New(r ReadAtSeeker) (file *File, err error)
New returns a new File for accessing the PE binary of r.
func Open ¶
Open returns a new File for accessing the PE binary at path.
Note: The Close method of the file must be called when finished using it.
func (*File) FileHeader ¶
func (file *File) FileHeader() (fileHdr *FileHeader, err error)
FileHeader returns the file header of file.
func (*File) Overlay ¶
Overlay returns the overlay of the PE fil (i.e. any optional bytes directly succeeding the image).
func (*File) SectHeaders ¶
func (file *File) SectHeaders() (sectHdrs []*SectHeader, err error)
SectHeaders returns the section headers of file.
type FileHeader ¶
type FileHeader struct {
// The architecture of the computer.
Arch Arch
// Number of sections.
NSection uint16
// Image creation date and time; measured in seconds since the Unix Epoch.
Created Time
// File offset of the symbol table, or zero if no symbol table exists.
SymTblOffset uint32
// Number of symbols in the symbol table.
NSymbol uint32
// Size of the optional header in bytes.
OptHdrSize uint16
// A bitfield which specifies the characteristics of the executable.
Flags Flag
}
FileHeader represents a COFF file header. It is prepended by the PE signature: "PE" (Portable Executable).
type Flag ¶
type Flag uint16
Flag is a bitfield which specifies the characteristics of an executable.
const ( // FlagNoReloc indicates that the file contains no relocation information. FlagNoReloc Flag = 1 << iota // FlagExecutable indicates that the file is executable. FlagExecutable // FlagNoLineNums indicates that the file contains no line numbers. FlagNoLineNums // FlagNoSymTbl indicates that the file contains no symbol table. FlagNoSymTbl // FlagLargeAddr indicates that the application can handle addresses larger // than 2 GB. FlagLargeAddr // Flag32bit indicates that the computer supports 32-bit words. Flag32bit // FlagNoDebug indicates that the file contains no debugging information. It // may be present in a separate file. FlagNoDebug // FlagUSBCopyToSwap copies the file from a usb device to the swap before // running it. FlagUSBCopyToSwap // FlagNetCopyToSwap copies the file from the network to the swap before // running it. FlagNetCopyToSwap // FlagSystem indicates that the file is a system file. FlagSystem // FlagDLL indicates that the file is a dynamic link library (DLL). FlagDLL // FlagUniprocessor indicates that the file should only be run on a // uniprocessor computer. FlagUniprocessor )
Executable characteristics.
type FrameType ¶
type FrameType uint8
FrameType specifies the frame type of a function.
type ImageDebugDirectory ¶
type ImageDebugDirectory struct {
// Reserved.
Characteristics uint32
// The time and date the debugging information was created.
TimeDateStamp uint32
// The major version number of the debugging information format.
MajorVersion uint16
// The minor version number of the debugging information format.
MinorVersion uint16
// The format of the debugging information.
Type ImageDebugType
// The size of the debugging information, in bytes. This value does not
// include the debug directory itself.
SizeOfData uint32
// The address of the debugging information when the image is loaded,
// relative to the image base.
AddressOfRawData uint32
// A file pointer to the debugging information.
PointerToRawData uint32
}
ImageDebugDirectory is a debugging information data directory.
type ImageDebugType ¶
type ImageDebugType uint32
ImageDebugType specifies the format of the debugging information pointed to by the debug data directory.
const ( // Unknown value, ignored by all tools. ImageDebugTypeUnknown ImageDebugType = 0 // COFF debugging information (line numbers, symbol table, and string table). // This type of debugging information is also pointed to by fields in the // file headers. ImageDebugTypeCOFF ImageDebugType = 1 // CodeView debugging information. The format of the data block is described // by the CodeView 4.0 specification. ImageDebugTypeCodeView ImageDebugType = 2 // Frame pointer omission (FPO) information. This information tells the // debugger how to interpret nonstandard stack frames, which use the EBP // register for a purpose other than as a frame pointer. ImageDebugTypeFPO ImageDebugType = 3 // Miscellaneous information. ImageDebugTypeMisc ImageDebugType = 4 // Exception information. ImageDebugTypeException ImageDebugType = 5 // Fixup information. ImageDebugTypeFixup ImageDebugType = 6 // The mapping from an RVA in image to an RVA in source image. ImageDebugTypeOMapToSrc ImageDebugType = 7 // The mapping from an RVA in source image to an RVA in image. ImageDebugTypeOMapFromSrc ImageDebugType = 8 // Borland debugging information. ImageDebugTypeBorland ImageDebugType = 9 // Reserved. ImageDebugTypeReserved10 ImageDebugType = 10 // Reserved. ImageDebugTypeCLSID ImageDebugType = 11 // PE determinism or reproducibility. ImageDebugTypeRepro ImageDebugType = 16 )
Debugging information formats.
func (ImageDebugType) String ¶
func (i ImageDebugType) String() string
type OptHeader ¶
type OptHeader struct {
OptHeader32
// Data directories contains the location and size of various data
// structures. The following is a list of data directories as specified by
// index.
//
// 0: Export table.
// 1: Import table.
// 2: Resource table.
// 3: Exception table.
// 4: Certificate table.
// 5: Base relocation table.
// 6: Debugging information.
// 7: Architecture-specific data.
// 8: Global pointer register.
// 9: Thread local storage (TLS) table.
// 10: Load configuration table.
// 11: Bound import table.
// 12: Import address table.
// 13: Delay import descriptor.
// 14: CLR header.
// 15: Reserved.
DataDirs []DataDirectory
}
OptHeader represents an optional header.
type OptHeader32 ¶
type OptHeader32 struct {
// The state of the image file.
State OptState
// Major linker version.
MajorLinkVer uint8
// Minor linker version.
MinorLinkVer uint8
// Size of the code section in bytes, or the sum of all such sections if
// there are multiple code sections.
CodeSize uint32
// Size of the data section in bytes, or the sum of all such sections if
// there are multiple data sections.
DataSize uint32
// Size of the uninitialized data section in bytes, or the sum of all such
// sections if there are multiple uninitialized data sections.
BSSSize uint32
// Pointer to the entry point function, relative to the image base.
EntryRelAddr uint32
// Pointer to the beginning of the code section, relative to the image base.
CodeBase uint32
// Pointer to the beginning of the data section, relative to the image base.
DataBase uint32
// The base address is the starting-address of a memory-mapped EXE or DLL.
// The default value for DLLs is 0x10000000 and the default value for
// applications is 0x00400000.
ImageBase uint32
// The virtual address of each section is aligned to a multiple of this
// value. The default section alignment is the page size of the system.
SectAlign uint32
// The file offset of each section is aligned to a multiple of this value.
// The default file alignment is 512.
FileAlign uint32
// Major operating system version.
MajorOSVer uint16
// Minor operating system version.
MinorOSVer uint16
// Major image version.
MajorImageVer uint16
// Minor image version.
MinorImageVer uint16
// Major subsystem version.
MajorSubsystemVer uint16
// Minor subsystem version.
MinorSubsystemVer uint16
// Reserved.
Res uint32
// Size of the image, in bytes, including all headers. Must be a multiple of
// SectAlign.
ImageSize uint32
// The combined size of the following items, rounded to a multiple of
// FileAlign.
// * The PEHdrOffset member of the DOSHeader.
// * The 4 byte PE-signature.
// * The FileHeader.
// * The OptHeader.
// * All section headers.
HdrSize uint32
// The checksum is an additive checksum of the file.
Checksum uint32
// The subsystem required to run an image.
Subsystem Subsystem
// A bitfield which specifies the DLL characteristics of the image.
Flags DLLFlag
// The number of bytes to reserve for the stack.
ReserveStackSize uint32
// The size of the stack at load time.
InitStackSize uint32
// The number of bytes to reserve for the heap.
ReserveHeapSize uint32
// The size of the heap at load time.
InitHeapSize uint32
// Obsolete.
LoaderFlags uint32
// Number of data directories.
NDataDir uint32
}
OptHeader32 represents a 32-bit optional header.
type ReadAtSeeker ¶
ReadAtSeeker is the interface that wraps the basic ReadAt and Seek methods.
type SectFlag ¶
type SectFlag uint32
SectFlag is a bitfield which specifies the characteristics of a section.
const ( // SectFlagCode indicates that the section contains executable code. SectFlagCode SectFlag = 0x00000020 // SectFlagData indicates that the section contains initialized data. SectFlagData SectFlag = 0x00000040 // SectFlagBSS indicates that the section contains uninitialized data. SectFlagBSS SectFlag = 0x00000080 // SectFlagLinkInfo indicates that the section contains comments or other // information. Only valid for object files. SectFlagLinkInfo SectFlag = 0x00000200 // SectFlagLinkRemove indicates that the section will not become part of the // image. Only valid for object files. SectFlagLinkRemove SectFlag = 0x00000800 // SectFlagLinkCOMDAT indicates that the section contains COMDAT data. Only // valid for object files. SectFlagLinkCOMDAT SectFlag = 0x00001000 // SectFlagDeferSpecExc resets speculative exception handling bits in the TLB // entries for this section. SectFlagDeferSpecExc SectFlag = 0x00004000 // SectFlagGPRef indicates that the section contains data referenced through // the global pointer. SectFlagGPRef SectFlag = 0x00008000 // SectFlagObjAlign1 aligns data on a 1-byte boundary. Only valid for object // files. SectFlagObjAlign1 SectFlag = 0x00100000 // SectFlagObjAlign2 aligns data on a 2-byte boundary. Only valid for object // files. SectFlagObjAlign2 SectFlag = 0x00200000 // SectFlagObjAlign4 aligns data on a 4-byte boundary. Only valid for object // files. SectFlagObjAlign4 SectFlag = 0x00300000 // SectFlagObjAlign8 aligns data on a 8-byte boundary. Only valid for object // files. SectFlagObjAlign8 SectFlag = 0x00400000 // SectFlagObjAlign16 aligns data on a 16-byte boundary. Only valid for // object files. SectFlagObjAlign16 SectFlag = 0x00500000 // SectFlagObjAlign32 aligns data on a 32-byte boundary. Only valid for // object files. SectFlagObjAlign32 SectFlag = 0x00600000 // SectFlagObjAlign64 aligns data on a 64-byte boundary. Only valid for // object files. SectFlagObjAlign64 SectFlag = 0x00700000 // SectFlagObjAlign128 aligns data on a 128-byte boundary. Only valid for // object files. SectFlagObjAlign128 SectFlag = 0x00800000 // SectFlagObjAlign256 aligns data on a 256-byte boundary. Only valid for // object files. SectFlagObjAlign256 SectFlag = 0x00900000 // SectFlagObjAlign512 aligns data on a 512-byte boundary. Only valid for // object files. SectFlagObjAlign512 SectFlag = 0x00A00000 // SectFlagObjAlign1024 aligns data on a 1024-byte boundary. Only valid for // object files. SectFlagObjAlign1024 SectFlag = 0x00B00000 // SectFlagObjAlign2048 aligns data on a 2048-byte boundary. Only valid for // object files. SectFlagObjAlign2048 SectFlag = 0x00C00000 // SectFlagObjAlign4096 aligns data on a 4096-byte boundary. Only valid for // object files. SectFlagObjAlign4096 SectFlag = 0x00D00000 // SectFlagObjAlign8192 aligns data on a 8192-byte boundary. Only valid for // object files. SectFlagObjAlign8192 SectFlag = 0x00E00000 // SectFlagRelocsOverflow indicates that there are more relocations than can // be represented by the 16-bit value in the section header. If the value of // Relocs in the section header is 0xFFFF, the actual relocation count is // stored in the RelAddr field of the first relocation. SectFlagRelocsOverflow SectFlag = 0x01000000 // SectFlagMemDiscard indicates that the section memory can be discarded as // needed. SectFlagMemDiscard SectFlag = 0x02000000 // SectFlagMemNoCache indicates that the section memory cannot be cached. SectFlagMemNoCache SectFlag = 0x04000000 // SectFlagMemNoPage indicates that the section memory cannot be paged. SectFlagMemNoPage SectFlag = 0x08000000 SectFlagMemShared SectFlag = 0x10000000 // SectFlagMemExec indicates that the section memory can be executed. SectFlagMemExec SectFlag = 0x20000000 // SectFlagMemRead indicates that the section memory can be read. SectFlagMemRead SectFlag = 0x40000000 // SectFlagMemWrite indicates that the section memory can be written to. SectFlagMemWrite SectFlag = 0x80000000 )
type SectHeader ¶
type SectHeader struct {
// Section name.
Name string
// The total size of the section when loaded into memory. The raw section is
// zero-padded to fit.
VirtSize uint32
// Address of the section, relative to the image base.
RelAddr uint32
// The file size of the section.
Size uint32
// File offset of the section. This value is zero for sections that only
// contain uninitialized data.
Offset uint32
// File offset to the relocation entries of the section. This value is zero
// for sections that have no relocations.
RelocsOffset uint32
// File offset to the line-number entries of the section. This value is zero
// for sections that have no COFF line-numbers.
LineNumsOffset uint32
// Number of relocation entries for the section.
NReloc uint16
// Number of line-number entries for the section.
NLineNum uint16
// A bitfield which specifies the characteristics of the section.
Flags SectFlag
}
SectHeader represents a section header.
type Subsystem ¶
type Subsystem uint16
Subsystem specifies the subsystem required to run an image.
const ( // SubsystemUnknown represents an unknown subsystem. SubsystemUnknown Subsystem = iota // SubsystemNative represents a device driver or native system process; no // subsystem required. SubsystemNative // SubsystemWinGUI represents a Windows graphical user interface (GUI) // subsystem. SubsystemWinGUI // SubsystemWinCLI represents a Window command line interface (CLI) // subsystem. SubsystemWinCLI // SubsystemOS2CLI represents a OS/2 CLI subsystem. SubsystemOS2CLI // SubsystemPOSIXCLI represents a POSIX CLI subsystem. SubsystemPOSIXCLI // SubsystemWinCEGUI represents a Windows CE GUI subsystem. SubsystemWinCEGUI // SubsystemEFIApp represents an Extensible Firmware Interface (EFI) // application. SubsystemEFIApp // SubsystemEFIBootDriver represents an EFI driver with boot services. SubsystemEFIBootDriver // SubsystemEFIRuntimeDriver represents an EFI driver with run-time services. SubsystemEFIRuntimeDriver // SubsystemEFIROM represents an EFI ROM image. SubsystemEFIROM // SubsystemXbox represents an Xbox system. SubsystemXbox // SubsystemWinBootApp represents a boot application. SubsystemWinBootApp )
Subsystems.
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.