README
¶
pefile-go
Golang implementation of pefile, stripped down to some bare minimums.
To use as a library:
$ go get github.com/awsaba/pefile-go
To install the demo program stub:
$ go install github.com/awsaba/pefile-go/pefile
Features
Some of the tasks that pefile makes possible are:
- Inspecting headers
- Analysis of sections' data
- Parsing exports
Motivations
- Have a golang library for PE file related utilities.
- Projects based on "debug/pefile" would have an awkward split between was it added on by the wrapper lib and what is included in the core go lib.
Dependencies
pefile-go is self-contained. It has no dependecies and currently assumes a little-endian architecture.
Acknowledgements
Major changes from those versions
- No hard-coded lists of ordinals. They were not accurate to those files in recent versions of Windows. If you need them, Microsoft tools can be used to retrieve the public symbols that contains that information, but that is beyond the scope of this project.
- Simpler package layout.
- As much adherence to golang conventions as possible. Hopefully what's left can be configured to be ignored by your editor of choice when running golint.
Additional resources (originally from pefile's readme)
PDFs of posters depicting the PE file format:
- Portable Executable Format shows the full view of the headers and structures defined by the Portable Executable format
- Portable Executable Format. A File Walkthrough Shows a walkthrough over the raw view of an executable file with the PE format fields laid out over the corresponding areas
The following links provide detailed information about the PE format and its structures.
- corkami's wiki page about the PE format has grown to be one of the most in-depth repositories of information about the PE format
- An In-Depth Look into the Win32 Portable Executable File Format
- An In-Depth Look into the Win32 Portable Executable File Format, Part 2
- The Portable Executable File Format
- Get icons from Exe or DLL the PE way
- Solar Eclipse's Tiny PE page at "http://www.phreedom.org/solar/code/tinype/" is no longer available, corkami has a copy of TinyPE here
Documentation
¶
Index ¶
- Constants
- Variables
- func PowerOfTwo(val uint32) bool
- func SetFlags(flagMap map[string]bool, charMap map[string]uint32, characteristic uint32)
- type BaseRelocation
- type BaseRelocationD
- type BaseRelocationEntry
- type BaseRelocationEntryD
- type BoundForwarderRef
- type BoundForwarderRefD
- type BoundImportDescriptor
- type BoundImportDescriptorD
- type COFFFileHeader
- type COFFFileHeaderD
- type DataDirectory
- type DataDirectoryD
- type DebugDirectory
- type DebugDirectoryD
- type DelayImportDescriptor
- type DelayImportDescriptorD
- type DosHeader
- type DosHeaderD
- type ExportData
- type ExportDirectory
- type ExportDirectoryD
- type ImportData
- type ImportData64
- type ImportDescriptor
- type ImportDescriptorD
- type LoadConfigDirectory
- type LoadConfigDirectory64
- type LoadConfigDirectory64D
- type LoadConfigDirectoryD
- type NTHeader
- type NTHeaderD
- type OptionalHeader
- type OptionalHeader64
- type OptionalHeader64D
- type OptionalHeaderD
- type PEFile
- type ResourceDataEntry
- type ResourceDataEntryD
- type ResourceDirectory
- type ResourceDirectoryD
- type ResourceDirectoryEntry
- type ResourceDirectoryEntryD
- type SectionHeader
- type SectionHeaderD
- type String
- type StringD
- type StringFileInfo
- type StringFileInfoD
- type StringTable
- type StringTableD
- type TLSDirectory
- type TLSDirectory64
- type TLSDirectory64D
- type TLSDirectoryD
- type ThunkData
- type ThunkData64
- type ThunkData64D
- type ThunkDataD
- type VSFixedFileInfo
- type VSFixedFileInfoD
- type VSVersionInfo
- type VSVersionInfoD
- type Var
- type VarD
Constants ¶
View Source
const ( // MaxStringLength limits the length of a string to be retrieved from the file. // It's there to prevent loading massive amounts of data from memory mapped // files. Strings longer than 1MB should be rather rare. // FIXME: not referenced/used anywhere? MaxStringLength = 0x100000 // 2^20 IMAGE_DOS_SIGNATURE = 0x5A4D IMAGE_DOSZM_SIGNATURE = 0x4D5A IMAGE_NE_SIGNATURE = 0x454E IMAGE_LE_SIGNATURE = 0x454C IMAGE_LX_SIGNATURE = 0x584C IMAGE_TE_SIGNATURE = 0x5A56 // Terse Executables have a 'VZ' signature IMAGE_NT_SIGNATURE = 0x00004550 IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16 IMAGE_ORDINAL_FLAG = uint32(0x80000000) IMAGE_ORDINAL_FLAG64 = uint64(0x8000000000000000) OPTIONAL_HEADER_MAGIC_PE = 0x10b OPTIONAL_HEADER_MAGIC_PE_PLUS = 0x20b FILE_ALIGNMENT_HARDCODED_VALUE = 0x200 )
Variables ¶
View Source
var DebugTypes = map[string]uint32{
"IMAGE_DEBUG_TYPE_UNKNOWN": 0,
"IMAGE_DEBUG_TYPE_COFF": 1,
"IMAGE_DEBUG_TYPE_CODEVIEW": 2,
"IMAGE_DEBUG_TYPE_FPO": 3,
"IMAGE_DEBUG_TYPE_MISC": 4,
"IMAGE_DEBUG_TYPE_EXCEPTION": 5,
"IMAGE_DEBUG_TYPE_FIXUP": 6,
"IMAGE_DEBUG_TYPE_OMAP_TO_SRC": 7,
"IMAGE_DEBUG_TYPE_OMAP_FROM_SRC": 8,
"IMAGE_DEBUG_TYPE_BORLAND": 9,
"IMAGE_DEBUG_TYPE_RESERVED10": 10,
"IMAGE_DEBUG_TYPE_CLSID": 11,
}
DebugTypes is a lookup from the string name to flag value
View Source
var DirectoryEntryTypes = map[uint32]string{
0: "IMAGE_DIRECTORY_ENTRY_EXPORT",
1: "IMAGE_DIRECTORY_ENTRY_IMPORT",
2: "IMAGE_DIRECTORY_ENTRY_RESOURCE",
3: "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
4: "IMAGE_DIRECTORY_ENTRY_SECURITY",
5: "IMAGE_DIRECTORY_ENTRY_BASERELOC",
6: "IMAGE_DIRECTORY_ENTRY_DEBUG",
7: "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
8: "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
9: "IMAGE_DIRECTORY_ENTRY_TLS",
10: "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
11: "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
12: "IMAGE_DIRECTORY_ENTRY_IAT",
13: "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
14: "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
15: "IMAGE_DIRECTORY_ENTRY_RESERVED",
}
DirectoryEntryTypes provides names for the entries in the data directory header
View Source
var DllCharacteristics = map[string]uint32{
"IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA": 0x0020,
"IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE": 0x0040,
"IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY": 0x0080,
"IMAGE_DLLCHARACTERISTICS_NX_COMPAT": 0x0100,
"IMAGE_DLLCHARACTERISTICS_NO_ISOLATION": 0x0200,
"IMAGE_DLLCHARACTERISTICS_NO_SEH": 0x0400,
"IMAGE_DLLCHARACTERISTICS_NO_BIND": 0x0800,
"IMAGE_DLLCHARACTERISTICS_APPCONTAINER": 0x1000,
"IMAGE_DLLCHARACTERISTICS_WDM_DRIVER": 0x2000,
"IMAGE_DLLCHARACTERISTICS_GUARD_CF": 0x4000,
"IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE": 0x8000,
}
DllCharacteristics flags define some OS specific functionality
View Source
var ImageCharacteristics = map[string]uint32{
"IMAGE_FILE_RELOCS_STRIPPED": 0x0001,
"IMAGE_FILE_EXECUTABLE_IMAGE": 0x0002,
"IMAGE_FILE_LINE_NUMS_STRIPPED": 0x0004,
"IMAGE_FILE_LOCAL_SYMS_STRIPPED": 0x0008,
"IMAGE_FILE_AGGRESIVE_WS_TRIM": 0x0010,
"IMAGE_FILE_LARGE_ADDRESS_AWARE": 0x0020,
"IMAGE_FILE_16BIT_MACHINE": 0x0040,
"IMAGE_FILE_BYTES_REVERSED_LO": 0x0080,
"IMAGE_FILE_32BIT_MACHINE": 0x0100,
"IMAGE_FILE_DEBUG_STRIPPED": 0x0200,
"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP": 0x0400,
"IMAGE_FILE_NET_RUN_FROM_SWAP": 0x0800,
"IMAGE_FILE_SYSTEM": 0x1000,
"IMAGE_FILE_DLL": 0x2000,
"IMAGE_FILE_UP_SYSTEM_ONLY": 0x4000,
"IMAGE_FILE_BYTES_REVERSED_HI": 0x8000,
}
ImageCharacteristics is a lookup from the string name to flag value
Instantiated as Pe.COFFFileHeader.Flags
View Source
var Lang = map[string]uint32{
"LANG_NEUTRAL": 0x00,
"LANG_INVARIANT": 0x7f,
"LANG_AFRIKAANS": 0x36,
"LANG_ALBANIAN": 0x1c,
"LANG_ARABIC": 0x01,
"LANG_ARMENIAN": 0x2b,
"LANG_ASSAMESE": 0x4d,
"LANG_AZERI": 0x2c,
"LANG_BASQUE": 0x2d,
"LANG_BELARUSIAN": 0x23,
"LANG_BENGALI": 0x45,
"LANG_BULGARIAN": 0x02,
"LANG_CATALAN": 0x03,
"LANG_CHINESE": 0x04,
"LANG_CROATIAN": 0x1a,
"LANG_CZECH": 0x05,
"LANG_DANISH": 0x06,
"LANG_DIVEHI": 0x65,
"LANG_DUTCH": 0x13,
"LANG_ENGLISH": 0x09,
"LANG_ESTONIAN": 0x25,
"LANG_FAEROESE": 0x38,
"LANG_FARSI": 0x29,
"LANG_FINNISH": 0x0b,
"LANG_FRENCH": 0x0c,
"LANG_GALICIAN": 0x56,
"LANG_GEORGIAN": 0x37,
"LANG_GERMAN": 0x07,
"LANG_GREEK": 0x08,
"LANG_GUJARATI": 0x47,
"LANG_HEBREW": 0x0d,
"LANG_HINDI": 0x39,
"LANG_HUNGARIAN": 0x0e,
"LANG_ICELANDIC": 0x0f,
"LANG_INDONESIAN": 0x21,
"LANG_ITALIAN": 0x10,
"LANG_JAPANESE": 0x11,
"LANG_KANNADA": 0x4b,
"LANG_KASHMIRI": 0x60,
"LANG_KAZAK": 0x3f,
"LANG_KONKANI": 0x57,
"LANG_KOREAN": 0x12,
"LANG_KYRGYZ": 0x40,
"LANG_LATVIAN": 0x26,
"LANG_LITHUANIAN": 0x27,
"LANG_MACEDONIAN": 0x2f,
"LANG_MALAY": 0x3e,
"LANG_MALAYALAM": 0x4c,
"LANG_MANIPURI": 0x58,
"LANG_MARATHI": 0x4e,
"LANG_MONGOLIAN": 0x50,
"LANG_NEPALI": 0x61,
"LANG_NORWEGIAN": 0x14,
"LANG_ORIYA": 0x48,
"LANG_POLISH": 0x15,
"LANG_PORTUGUESE": 0x16,
"LANG_PUNJABI": 0x46,
"LANG_ROMANIAN": 0x18,
"LANG_RUSSIAN": 0x19,
"LANG_SANSKRIT": 0x4f,
"LANG_SERBIAN": 0x1a,
"LANG_SINDHI": 0x59,
"LANG_SLOVAK": 0x1b,
"LANG_SLOVENIAN": 0x24,
"LANG_SPANISH": 0x0a,
"LANG_SWAHILI": 0x41,
"LANG_SWEDISH": 0x1d,
"LANG_SYRIAC": 0x5a,
"LANG_TAMIL": 0x49,
"LANG_TATAR": 0x44,
"LANG_TELUGU": 0x4a,
"LANG_THAI": 0x1e,
"LANG_TURKISH": 0x1f,
"LANG_UKRAINIAN": 0x22,
"LANG_URDU": 0x20,
"LANG_UZBEK": 0x43,
"LANG_VIETNAMESE": 0x2a,
"LANG_GAELIC": 0x3c,
"LANG_MALTESE": 0x3a,
"LANG_MAORI": 0x28,
"LANG_RHAETO_ROMANCE": 0x17,
"LANG_SAAMI": 0x3b,
"LANG_SORBIAN": 0x2e,
"LANG_SUTU": 0x30,
"LANG_TSONGA": 0x31,
"LANG_TSWANA": 0x32,
"LANG_VENDA": 0x33,
"LANG_XHOSA": 0x34,
"LANG_ZULU": 0x35,
"LANG_ESPERANTO": 0x8f,
"LANG_WALON": 0x90,
"LANG_CORNISH": 0x91,
"LANG_WELSH": 0x92,
"LANG_BRETON": 0x93,
}
Lang language definitions
View Source
var MachineTypes = map[string]uint16{
"IMAGE_FILE_MACHINE_UNKNOWN": 0,
"IMAGE_FILE_MACHINE_I386": 0x014c,
"IMAGE_FILE_MACHINE_R3000": 0x0162,
"IMAGE_FILE_MACHINE_R4000": 0x0166,
"IMAGE_FILE_MACHINE_R10000": 0x0168,
"IMAGE_FILE_MACHINE_WCEMIPSV2": 0x0169,
"IMAGE_FILE_MACHINE_ALPHA": 0x0184,
"IMAGE_FILE_MACHINE_SH3": 0x01a2,
"IMAGE_FILE_MACHINE_SH3DSP": 0x01a3,
"IMAGE_FILE_MACHINE_SH3E": 0x01a4,
"IMAGE_FILE_MACHINE_SH4": 0x01a6,
"IMAGE_FILE_MACHINE_SH5": 0x01a8,
"IMAGE_FILE_MACHINE_ARM": 0x01c0,
"IMAGE_FILE_MACHINE_THUMB": 0x01c2,
"IMAGE_FILE_MACHINE_ARMNT": 0x01c4,
"IMAGE_FILE_MACHINE_AM33": 0x01d3,
"IMAGE_FILE_MACHINE_POWERPC": 0x01f0,
"IMAGE_FILE_MACHINE_POWERPCFP": 0x01f1,
"IMAGE_FILE_MACHINE_IA64": 0x0200,
"IMAGE_FILE_MACHINE_MIPS16": 0x0266,
"IMAGE_FILE_MACHINE_ALPHA64": 0x0284,
"IMAGE_FILE_MACHINE_AXP64": 0x0284,
"IMAGE_FILE_MACHINE_MIPSFPU": 0x0366,
"IMAGE_FILE_MACHINE_MIPSFPU16": 0x0466,
"IMAGE_FILE_MACHINE_TRICORE": 0x0520,
"IMAGE_FILE_MACHINE_CEF": 0x0cef,
"IMAGE_FILE_MACHINE_EBC": 0x0ebc,
"IMAGE_FILE_MACHINE_AMD64": 0x8664,
"IMAGE_FILE_MACHINE_M32R": 0x9041,
"IMAGE_FILE_MACHINE_CEE": 0xc0ee,
}
MachineTypes is a lookup from string name to the value of the flag
View Source
var RelocationTypes = map[string]uint32{
"IMAGE_REL_BASED_ABSOLUTE": 0,
"IMAGE_REL_BASED_HIGH": 1,
"IMAGE_REL_BASED_LOW": 2,
"IMAGE_REL_BASED_HIGHLOW": 3,
"IMAGE_REL_BASED_HIGHADJ": 4,
"IMAGE_REL_BASED_MIPS_JMPADDR": 5,
"IMAGE_REL_BASED_SECTION": 6,
"IMAGE_REL_BASED_REL": 7,
"IMAGE_REL_BASED_MIPS_JMPADDR16": 9,
"IMAGE_REL_BASED_IA64_IMM64": 9,
"IMAGE_REL_BASED_DIR64": 10,
"IMAGE_REL_BASED_HIGH3ADJ": 11,
}
RelocationTypes is map from the string name to the flag value
View Source
var ResourceType = map[string]uint32{
"RT_CURSOR": 1,
"RT_BITMAP": 2,
"RT_ICON": 3,
"RT_MENU": 4,
"RT_DIALOG": 5,
"RT_STRING": 6,
"RT_FONTDIR": 7,
"RT_FONT": 8,
"RT_ACCELERATOR": 9,
"RT_RCDATA": 10,
"RT_MESSAGETABLE": 11,
"RT_GROUP_CURSOR": 12,
"RT_GROUP_ICON": 14,
"RT_VERSION": 16,
"RT_DLGINCLUDE": 17,
"RT_PLUGPLAY": 19,
"RT_VXD": 20,
"RT_ANICURSOR": 21,
"RT_ANIICON": 22,
"RT_HTML": 23,
"RT_MANIFEST": 24,
}
ResourceType names and flag values
View Source
var SectionCharacteristics = map[string]uint32{
"IMAGE_SCN_TYPE_REG": 0x00000000,
"IMAGE_SCN_TYPE_DSECT": 0x00000001,
"IMAGE_SCN_TYPE_NOLOAD": 0x00000002,
"IMAGE_SCN_TYPE_GROUP": 0x00000004,
"IMAGE_SCN_TYPE_NO_PAD": 0x00000008,
"IMAGE_SCN_TYPE_COPY": 0x00000010,
"IMAGE_SCN_CNT_CODE": 0x00000020,
"IMAGE_SCN_CNT_INITIALIZED_DATA": 0x00000040,
"IMAGE_SCN_CNT_UNINITIALIZED_DATA": 0x00000080,
"IMAGE_SCN_LNK_OTHER": 0x00000100,
"IMAGE_SCN_LNK_INFO": 0x00000200,
"IMAGE_SCN_LNK_OVER": 0x00000400,
"IMAGE_SCN_LNK_REMOVE": 0x00000800,
"IMAGE_SCN_LNK_COMDAT": 0x00001000,
"IMAGE_SCN_MEM_PROTECTED": 0x00004000,
"IMAGE_SCN_NO_DEFER_SPEC_EXC": 0x00004000,
"IMAGE_SCN_GPREL": 0x00008000,
"IMAGE_SCN_MEM_FARDATA": 0x00008000,
"IMAGE_SCN_MEM_SYSHEAP": 0x00010000,
"IMAGE_SCN_MEM_PURGEABLE": 0x00020000,
"IMAGE_SCN_MEM_16BIT": 0x00020000,
"IMAGE_SCN_MEM_LOCKED": 0x00040000,
"IMAGE_SCN_MEM_PRELOAD": 0x00080000,
"IMAGE_SCN_ALIGN_1BYTES": 0x00100000,
"IMAGE_SCN_ALIGN_2BYTES": 0x00200000,
"IMAGE_SCN_ALIGN_4BYTES": 0x00300000,
"IMAGE_SCN_ALIGN_8BYTES": 0x00400000,
"IMAGE_SCN_ALIGN_16BYTES": 0x00500000,
"IMAGE_SCN_ALIGN_32BYTES": 0x00600000,
"IMAGE_SCN_ALIGN_64BYTES": 0x00700000,
"IMAGE_SCN_ALIGN_128BYTES": 0x00800000,
"IMAGE_SCN_ALIGN_256BYTES": 0x00900000,
"IMAGE_SCN_ALIGN_512BYTES": 0x00A00000,
"IMAGE_SCN_ALIGN_1024BYTES": 0x00B00000,
"IMAGE_SCN_ALIGN_2048BYTES": 0x00C00000,
"IMAGE_SCN_ALIGN_4096BYTES": 0x00D00000,
"IMAGE_SCN_ALIGN_8192BYTES": 0x00E00000,
"IMAGE_SCN_ALIGN_MASK": 0x00F00000,
"IMAGE_SCN_LNK_NRELOC_OVFL": 0x01000000,
"IMAGE_SCN_MEM_DISCARDABLE": 0x02000000,
"IMAGE_SCN_MEM_NOT_CACHED": 0x04000000,
"IMAGE_SCN_MEM_NOT_PAGED": 0x08000000,
"IMAGE_SCN_MEM_SHARED": 0x10000000,
"IMAGE_SCN_MEM_EXECUTE": 0x20000000,
"IMAGE_SCN_MEM_READ": 0x40000000,
"IMAGE_SCN_MEM_WRITE": 0x80000000,
}
SectionCharacteristics is a lookup from the string name to flag value
View Source
var Sublang = map[string]uint32{}/* 103 elements not displayed */
Sublang sublanguage definitions
View Source
var SubsystemTypes = map[string]uint32{
"IMAGE_SUBSYSTEM_UNKNOWN": 0,
"IMAGE_SUBSYSTEM_NATIVE": 1,
"IMAGE_SUBSYSTEM_WINDOWS_GUI": 2,
"IMAGE_SUBSYSTEM_WINDOWS_CUI": 3,
"IMAGE_SUBSYSTEM_OS2_CUI": 5,
"IMAGE_SUBSYSTEM_POSIX_CUI": 7,
"IMAGE_SUBSYSTEM_NATIVE_WINDOWS": 8,
"IMAGE_SUBSYSTEM_WINDOWS_CE_GUI": 9,
"IMAGE_SUBSYSTEM_EFI_APPLICATION": 10,
"IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER": 11,
"IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER": 12,
"IMAGE_SUBSYSTEM_EFI_ROM": 13,
"IMAGE_SUBSYSTEM_XBOX": 14,
"IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION": 16,
}
SubsystemTypes is a lookup from the string name to flag value
Functions ¶
func PowerOfTwo ¶
PowerOfTwo Returns whether this value is a power of 2
Types ¶
type BaseRelocation ¶
type BaseRelocation struct {
Data BaseRelocationD
FileOffset uint32
Size uint32
}
BaseRelocation wrapper
func (*BaseRelocation) String ¶
func (br *BaseRelocation) String() string
type BaseRelocationD ¶
BaseRelocationD raw field data read from the file
type BaseRelocationEntry ¶
type BaseRelocationEntry struct {
Data BaseRelocationEntryD
FileOffset uint32
Size uint32
}
BaseRelocationEntry wrapper
func (*BaseRelocationEntry) String ¶
func (bre *BaseRelocationEntry) String() string
type BaseRelocationEntryD ¶
type BaseRelocationEntryD struct {
Data uint16
}
BaseRelocationEntryD raw field data read from the file
type BoundForwarderRef ¶
type BoundForwarderRef struct {
Data BoundForwarderRefD
FileOffset uint32
Size uint32
}
BoundForwarderRef wrapper
func (*BoundForwarderRef) String ¶
func (bfr *BoundForwarderRef) String() string
type BoundForwarderRefD ¶
BoundForwarderRefD raw field data from file
type BoundImportDescriptor ¶
type BoundImportDescriptor struct {
Data BoundImportDescriptorD
FileOffset uint32
Size uint32
}
BoundImportDescriptor wrapper
func (*BoundImportDescriptor) String ¶
func (bid *BoundImportDescriptor) String() string
type BoundImportDescriptorD ¶
type BoundImportDescriptorD struct {
TimeDateStamp uint32
OffsetModuleName uint16
NumberOfModuleForwarderRefs uint16
}
BoundImportDescriptorD raw field data read from file
type COFFFileHeader ¶
type COFFFileHeader struct {
Data COFFFileHeaderD
FileOffset uint32
Flags map[string]bool
Size uint32
}
COFFFileHeader wrapper
func (*COFFFileHeader) String ¶
func (fh *COFFFileHeader) String() string
type COFFFileHeaderD ¶
type COFFFileHeaderD struct {
Machine uint16
NumberOfSections uint16
TimeDateStamp uint32
PointerToSymbolTable uint32
NumberOfSymbols uint32
SizeOfOptionalHeader uint16
Characteristics uint16
}
COFFFileHeaderD raw data field read from the file
type DataDirectory ¶
type DataDirectory struct {
Data DataDirectoryD
FileOffset uint32
Name string
Size uint32
}
DataDirectory wrapper
func (*DataDirectory) String ¶
func (dd *DataDirectory) String() string
type DataDirectoryD ¶
DataDirectoryD raw data field read from the file
type DebugDirectory ¶
type DebugDirectory struct {
Data DebugDirectoryD
FileOffset uint32
Flags map[string]bool
Size uint32
}
DebugDirectory wrapper
func (*DebugDirectory) String ¶
func (dd *DebugDirectory) String() string
type DebugDirectoryD ¶
type DebugDirectoryD struct {
Characteristics uint32
TimeDateStamp uint32
MajorVersion uint16
MinorVersion uint16
Type uint32
SizeOfData uint32
AddressOfRawData uint32
PointerToRawData uint32
}
DebugDirectoryD raw field data read from the file
type DelayImportDescriptor ¶
type DelayImportDescriptor struct {
Data DelayImportDescriptorD
FileOffset uint32
Flags map[string]bool
Size uint32
}
DelayImportDescriptor wrapper
func (*DelayImportDescriptor) String ¶
func (did *DelayImportDescriptor) String() string
type DelayImportDescriptorD ¶
type DelayImportDescriptorD struct {
DIgrAttrs uint32
DIszName uint32
DIphmod uint32
DIpIAT uint32
DIpINT uint32
DIpBoundIAT uint32
DIpUnloadIAT uint32
DIdwTimeStamp uint32
}
DelayImportDescriptorD raw data field read from the file
type DosHeader ¶
type DosHeader struct {
Data DosHeaderD
FileOffset uint32
Flags map[string]bool
Size uint32
}
DosHeader wrapper
type DosHeaderD ¶
type DosHeaderD struct {
E_magic uint16
E_cblp uint16
E_cp uint16
E_crlc uint16
E_cparhd uint16
E_minalloc uint16
E_maxalloc uint16
E_ss uint16
E_sp uint16
E_csum uint16
E_ip uint16
E_cs uint16
E_lfarlc uint16
E_ovno uint16
E_res [8]uint8
E_oemid uint16
E_oeminfo uint16
E_res2 [20]uint8
E_lfanew uint32
}
DosHeaderD raw data field read from the file
type ExportData ¶
type ExportData struct {
Ordinal uint16
OrdinalOffset uint32
Address uint32
AddressOffset uint32
Name []byte //
NameOffset uint32 //
Forwarder []byte
ForwarderOffset uint32
}
ExportData wrapper
func (ExportData) String ¶
func (ed ExportData) String() string
type ExportDirectory ¶
type ExportDirectory struct {
Data ExportDirectoryD
FileOffset uint32
Flags map[string]bool
Exports []ExportData
Size uint32
}
ExportDirectory wrapper
func (*ExportDirectory) String ¶
func (ed *ExportDirectory) String() string
type ExportDirectoryD ¶
type ExportDirectoryD struct {
Characteristics uint32
TimeDateStamp uint32
MajorVersion uint16
MinorVersion uint16
Name uint32
Base uint32
NumberOfFunctions uint32
NumberOfNames uint32
AddressOfFunctions uint32
AddressOfNames uint32
AddressOfNameOrdinals uint32
}
ExportDirectoryD raw data field read from the file
type ImportData ¶
type ImportData struct {
StructTable ThunkData
StructIat ThunkData
ImportByOrdinal bool
Ordinal uint32
OrdinalOffset uint32
Hint uint16
Name []byte
NameOffset uint32
Bound uint32
Address uint32
HintNameTableRva uint32
ThunkOffset uint32
ThunkRva uint32
}
ImportData wrapper
func (ImportData) String ¶
func (id ImportData) String() string
type ImportData64 ¶
type ImportData64 struct {
StructTable *ThunkData64
StructIat *ThunkData64
ImportByOrdinal bool
Ordinal uint64
OrdinalOffset uint64
Hint uint16
Name []byte
NameOffset uint64
Bound uint64
Address uint64
HintNameTableRva uint64
ThunkOffset uint64
ThunkRva uint64
}
ImportData64 64-bit version wrapper
func (ImportData64) String ¶
func (id ImportData64) String() string
type ImportDescriptor ¶
type ImportDescriptor struct {
Data ImportDescriptorD
FileOffset uint32
Flags map[string]bool
Dll []byte
Imports []ImportData
Imports64 []ImportData64
Size uint32
}
ImportDescriptor wrapper
func (*ImportDescriptor) String ¶
func (id *ImportDescriptor) String() string
type ImportDescriptorD ¶
type ImportDescriptorD struct {
Characteristics uint32
TimeDateStamp uint32
ForwarderChain uint32
Name uint32
FirstThunk uint32
}
ImportDescriptorD raw data field read from the file
type LoadConfigDirectory ¶
type LoadConfigDirectory struct {
Data LoadConfigDirectoryD
FileOffset uint32
Flags map[string]bool
Size uint32
}
LoadConfigDirectory wrapper
func (*LoadConfigDirectory) String ¶
func (lcd *LoadConfigDirectory) String() string
type LoadConfigDirectory64 ¶
type LoadConfigDirectory64 struct {
Data LoadConfigDirectory64D
FileOffset uint32
Flags map[string]bool
Size uint32
}
LoadConfigDirectory64 wrapper
func (*LoadConfigDirectory64) String ¶
func (lcd *LoadConfigDirectory64) String() string
type LoadConfigDirectory64D ¶
type LoadConfigDirectory64D struct {
Size uint32
TimeDateStamp uint32
MajorVersion uint16
MinorVersion uint16
GlobalFlagsClear uint32
GlobalFlagsSet uint32
CriticalSectionDefaultTimeout uint32
DeCommitFreeBlockThreshold uint64
DeCommitTotalFreeThreshold uint64
LockPrefixTable uint64
MaximumAllocationSize uint64
VirtualMemoryThreshold uint64
ProcessAffinityMask uint64
ProcessHeapFlags uint32
CSDVersion uint16
Reserved1 uint16
EditList uint64
SecurityCookie uint64
SEHandlerTable uint64
SEHandlerCount uint64
GuardCFCheckFunctionPointer uint64
Reserved2 uint64
GuardCFFunctionTable uint64
GuardCFFunctionCount uint64
GuardFlags uint32
}
LoadConfigDirectory64D raw field data read from file
type LoadConfigDirectoryD ¶
type LoadConfigDirectoryD struct {
Size uint32
TimeDateStamp uint32
MajorVersion uint16
MinorVersion uint16
GlobalFlagsClear uint32
GlobalFlagsSet uint32
CriticalSectionDefaultTimeout uint32
DeCommitFreeBlockThreshold uint32
DeCommitTotalFreeThreshold uint32
LockPrefixTable uint32
MaximumAllocationSize uint32
VirtualMemoryThreshold uint32
ProcessHeapFlags uint32
ProcessAffinityMask uint32
CSDVersion uint16
Reserved1 uint16
EditList uint32
SecurityCookie uint32
SEHandlerTable uint32
SEHandlerCount uint32
GuardCFCheckFunctionPointer uint32
Reserved2 uint32
GuardCFFunctionTable uint32
GuardCFFunctionCount uint32
GuardFlags uint32
}
LoadConfigDirectoryD raw field contents read from the file
type NTHeaderD ¶
type NTHeaderD struct {
Signature uint32
}
NTHeaderD raw data field read from the file
type OptionalHeader ¶
type OptionalHeader struct {
Data OptionalHeaderD
FileOffset uint32
Flags map[string]bool
Size uint32
DataDirs map[string]DataDirectory
}
OptionalHeader wrapper
func (*OptionalHeader) String ¶
func (od *OptionalHeader) String() string
type OptionalHeader64 ¶
type OptionalHeader64 struct {
Data OptionalHeader64D
FileOffset uint32
Flags map[string]bool
DataDirs map[string]DataDirectory
Size uint32
}
OptionalHeader64 wrapper
func (*OptionalHeader64) String ¶
func (oh *OptionalHeader64) String() string
type OptionalHeader64D ¶
type OptionalHeader64D struct {
Magic uint16
MajorLinkerVersion uint8
MinorLinkerVersion uint8
SizeOfCode uint32
SizeOfInitializedData uint32
SizeOfUninitializedData uint32
AddressOfEntryPoint uint32
BaseOfCode uint32
BaseOfData uint32
ImageBase uint32
SectionAlignment uint32
FileAlignment uint32
MajorOperatingSystemVersion uint16
MinorOperatingSystemVersion uint16
MajorImageVersion uint16
MinorImageVersion uint16
MajorSubsystemVersion uint16
MinorSubsystemVersion uint16
Reserved1 uint32
SizeOfImage uint32
SizeOfHeaders uint32
CheckSum uint32
Subsystem uint16
DllCharacteristics uint16
SizeOfStackReserve uint64 // Different after this point, specific checks needed
SizeOfStackCommit uint64
SizeOfHeapReserve uint64
SizeOfHeapCommit uint64
LoaderFlags uint32
NumberOfRvaAndSizes uint32
}
OptionalHeader64D raw data field read from the file
type OptionalHeaderD ¶
type OptionalHeaderD struct {
Magic uint16
MajorLinkerVersion uint8
MinorLinkerVersion uint8
SizeOfCode uint32
SizeOfInitializedData uint32
SizeOfUninitializedData uint32
AddressOfEntryPoint uint32
BaseOfCode uint32
BaseOfData uint32
ImageBase uint32
SectionAlignment uint32
FileAlignment uint32
MajorOperatingSystemVersion uint16
MinorOperatingSystemVersion uint16
MajorImageVersion uint16
MinorImageVersion uint16
MajorSubsystemVersion uint16
MinorSubsystemVersion uint16
Reserved1 uint32
SizeOfImage uint32
SizeOfHeaders uint32
CheckSum uint32
Subsystem uint16
DllCharacteristics uint16
SizeOfStackReserve uint32
SizeOfStackCommit uint32
SizeOfHeapReserve uint32
SizeOfHeapCommit uint32
LoaderFlags uint32
NumberOfRvaAndSizes uint32
}
OptionalHeaderD raw data field read from the file
type PEFile ¶
type PEFile struct {
Filename string
DosHeader DosHeader
NTHeader NTHeader
COFFFileHeader COFFFileHeader
OptionalHeader *OptionalHeader
OptionalHeader64 *OptionalHeader64
Sections []SectionHeader
ImportDescriptors []ImportDescriptor
ExportDirectory *ExportDirectory
Errors []error
// contains filtered or unexported fields
}
PEFile is a representation of the PE/COFF file with some helpful abstractions
type ResourceDataEntry ¶
type ResourceDataEntry struct {
Data ResourceDataEntryD
FileOffset uint32
Size uint32
}
ResourceDataEntry wrapper
func (*ResourceDataEntry) String ¶
func (rde *ResourceDataEntry) String() string
type ResourceDataEntryD ¶
ResourceDataEntryD raw data field read from the file
type ResourceDirectory ¶
type ResourceDirectory struct {
Data ResourceDirectoryD
FileOffset uint32
Flags map[string]bool
Size uint32
}
ResourceDirectory wrapper
func (*ResourceDirectory) String ¶
func (rd *ResourceDirectory) String() string
type ResourceDirectoryD ¶
type ResourceDirectoryD struct {
Characteristics uint32
TimeDateStamp uint32
MajorVersion uint16
MinorVersion uint16
NumberOfNamedEntries uint16
NumberOfIDEntries uint16
}
ResourceDirectoryD raw data field read from the file
type ResourceDirectoryEntry ¶
type ResourceDirectoryEntry struct {
Data ResourceDirectoryEntryD
FileOffset uint32
Size uint32
}
ResourceDirectoryEntry wrapper
func (*ResourceDirectoryEntry) String ¶
func (rde *ResourceDirectoryEntry) String() string
type ResourceDirectoryEntryD ¶
ResourceDirectoryEntryD raw data field read from the file
type SectionHeader ¶
type SectionHeader struct {
Data SectionHeaderD
FileOffset uint32
Flags map[string]bool
Size uint32
NextHeaderAddr uint32
}
SectionHeader wrapper
func (*SectionHeader) String ¶
func (sh *SectionHeader) String() string
type SectionHeaderD ¶
type SectionHeaderD struct {
Name [8]uint8
Misc uint32
VirtualAddress uint32
SizeOfRawData uint32
PointerToRawData uint32
PointerToRelocations uint32
PointerToLinenumbers uint32
NumberOfRelocations uint16
NumberOfLinenumbers uint16
Characteristics uint32
}
SectionHeaderD raw data field read from the file
type StringFileInfo ¶
type StringFileInfo struct {
Data StringFileInfoD
FileOffset uint32
Size uint32
}
StringFileInfo wrapper
func (*StringFileInfo) String ¶
func (s *StringFileInfo) String() string
type StringFileInfoD ¶
StringFileInfoD raw data field read from the file
type StringTable ¶
type StringTable struct {
Data StringTableD
FileOffset uint32
Size uint32
}
StringTable wrapper
func (*StringTable) String ¶
func (s *StringTable) String() string
type StringTableD ¶
StringTableD raw data field read from the file
type TLSDirectory ¶
type TLSDirectory struct {
Data TLSDirectoryD
FileOffset uint32
Flags map[string]bool
Size uint32
}
TLSDirectory wrapper
func (*TLSDirectory) String ¶
func (tlsd *TLSDirectory) String() string
type TLSDirectory64 ¶
type TLSDirectory64 struct {
Data TLSDirectory64D
FileOffset uint32
Flags map[string]bool
Size uint32
}
TLSDirectory64 wrapper
func (*TLSDirectory64) String ¶
func (tlsd *TLSDirectory64) String() string
type TLSDirectory64D ¶
type TLSDirectory64D struct {
StartAddressOfRawData uint64
EndAddressOfRawData uint64
AddressOfIndex uint64
AddressOfCallBacks uint64
SizeOfZeroFill uint32
Characteristics uint32
}
TLSDirectory64D raw field data read from the file
type TLSDirectoryD ¶
type TLSDirectoryD struct {
StartAddressOfRawData uint32
EndAddressOfRawData uint32
AddressOfIndex uint32
AddressOfCallBacks uint32
SizeOfZeroFill uint32
Characteristics uint32
}
TLSDirectoryD raw field data read from the file
type ThunkData ¶
type ThunkData struct {
Data ThunkDataD
FileOffset uint32
Size uint32
}
ThunkData wrapper
type ThunkData64 ¶
type ThunkData64 struct {
Data ThunkData64D
FileOffset uint32
Size uint32
}
ThunkData64 wrapper
func (*ThunkData64) String ¶
func (t *ThunkData64) String() string
type ThunkData64D ¶
type ThunkData64D struct {
AddressOfData uint64
}
ThunkData64D raw field data read from the file
type ThunkDataD ¶
type ThunkDataD struct {
AddressOfData uint32
}
ThunkDataD raw field data read from the file
type VSFixedFileInfo ¶
type VSFixedFileInfo struct {
Data VSFixedFileInfoD
FileOffset uint32
Size uint32
}
VSFixedFileInfo wrapper
func (*VSFixedFileInfo) String ¶
func (v *VSFixedFileInfo) String() string
type VSFixedFileInfoD ¶
type VSFixedFileInfoD struct {
Signature uint32
StrucVersion uint32
FileVersionMS uint32
FileVersionLS uint32
ProductVersionMS uint32
ProductVersionLS uint32
FileFlagsMask uint32
FileFlags uint32
FileOS uint32
FileType uint32
FileSubtype uint32
FileDateMS uint32
FileDateLS uint32
}
VSFixedFileInfoD raw data field read from the file
type VSVersionInfo ¶
type VSVersionInfo struct {
Data VSVersionInfoD
FileOffset uint32
Size uint32
}
VSVersionInfo wrapper
func (*VSVersionInfo) String ¶
func (v *VSVersionInfo) String() string
type VSVersionInfoD ¶
VSVersionInfoD raw data field read from the file
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.