pefile

v1.0.2
Warning

This package is not in the latest version of its module.
Published: Aug 9, 2019 License: MIT Imports: 14 Imported by: 0

README

go-pefile

Parsing Pefile (Portable Executable) in Golang

Documentation

Constants

const (
	MAX_STRING_LENGTH = 0x100000 // 2^20

	IMAGE_DOS_SIGNATURE   = 0x5A4D
	IMAGE_DOSZM_SIGNATURE = 0x4D5A
	IMAGE_NE_SIGNATURE    = 0x454E
	IMAGE_LE_SIGNATURE    = 0x454C
	IMAGE_LX_SIGNATURE    = 0x584C
	IMAGE_TE_SIGNATURE    = 0x5A56 // Terse Executables have a 'VZ' signature

	IMAGE_NT_SIGNATURE               = 0x00004550
	IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
	IMAGE_ORDINAL_FLAG               = uint32(0x80000000)
	IMAGE_ORDINAL_FLAG64             = uint64(0x8000000000000000)
	OPTIONAL_HEADER_MAGIC_PE         = 0x10b
	OPTIONAL_HEADER_MAGIC_PE_PLUS    = 0x20b
	FILE_ALIGNMENT_HARDCODED_VALUE   = 0x200
)

MAX_STRING_LENGTH sets the maximum length of a string to be retrieved from the file.

It's there to prevent loading massive amounts of data from memory-mapped
files. Strings longer than 1MB should be rather rare.

Variables

var INVALID_IMP_NAME = []byte("*invalid*")
var OLEAUT_32_ORD_NAMES = map[uint64]string{}/* 398 elements not displayed */
var OrdNames = map[string]map[uint64]string{
	"ws2_32.dll":   WS2_32_ORD_NAMES,
	"wsock32.dll":  WS2_32_ORD_NAMES,
	"oleaut32.dll": OLEAUT_32_ORD_NAMES,
}
var VALID_DOS_NAME = regexp.MustCompile("^[\\pL\\pN!//$%&'\\(\\)`\\-@^_\\{\\}~+,.;=\\[\\]]+$")

Valid FAT32 8.3 short filename characters according to:

http://en.wikipedia.org/wiki/8.3_filename

This helps decide whether DLL ASCII names are likely to be valid or are otherwise corrupt data.

The filename length is not checked because a DLL's filename can be longer than 8.3.

var VALID_FUNC_NAME = regexp.MustCompile(`^[\pL\pN_\?@$\(\)]+$`)

Checks whether an imported name uses only the characters expected in mangled function names. If the symbol's characters don't fall within this charset, the name is assumed to be invalid.
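The following is an added example, not code from go-pefile, showing how the MAX_STRING_LENGTH bound and the two name regexes documented above can be combined when reading import names from untrusted file bytes. readCString and checkedName are hypothetical helpers, and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Values copied from the package documentation on this page.
const MAX_STRING_LENGTH = 0x100000

var (
	INVALID_IMP_NAME = []byte("*invalid*")
	VALID_DOS_NAME   = regexp.MustCompile("^[\\pL\\pN!//$%&'\\(\\)`\\-@^_\\{\\}~+,.;=\\[\\]]+$")
	VALID_FUNC_NAME  = regexp.MustCompile(`^[\pL\pN_\?@$\(\)]+$`)
)

// readCString (hypothetical helper) returns the NUL-terminated string at off.
// It returns nil if off is out of range, the string is empty, or no
// terminator is found within maxLen bytes.
func readCString(data []byte, off uint32, maxLen int) []byte {
	if uint64(off) >= uint64(len(data)) {
		return nil
	}
	window := data[off:]
	if len(window) > maxLen {
		window = window[:maxLen] // never scan more than the cap
	}
	end := bytes.IndexByte(window, 0)
	if end <= 0 {
		return nil
	}
	return window[:end]
}

// checkedName (hypothetical helper) reads a name and substitutes the
// "*invalid*" marker when it is unreadable or outside the given charset.
func checkedName(data []byte, off uint32, valid *regexp.Regexp) []byte {
	name := readCString(data, off, MAX_STRING_LENGTH)
	if name == nil || !valid.Match(name) {
		return INVALID_IMP_NAME
	}
	return name
}

func main() {
	// Constructed sample bytes, not a real PE image.
	data := []byte("KERNEL32.dll\x00CreateFileW\x00\x01\x02bad\x7f\x00unterminated")
	fmt.Printf("%s %s %s\n", checkedName(data, 0, VALID_DOS_NAME),
		checkedName(data, 13, VALID_FUNC_NAME), checkedName(data, 25, VALID_FUNC_NAME))
}
```

An offset taken from a malformed import descriptor can point past the end of the file or into binary data; both cases come back as the marker instead of an unbounded or garbage string.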

var WS2_32_ORD_NAMES = map[uint64]string{}/* 117 elements not displayed */

Functions

func Max

func Max(x, y uint32) uint32

func Min

func Min(x, y uint32) uint32

func OrdLookup

func OrdLookup(libname string, ord uint64, makeName bool) string

func PowerOfTwo

func PowerOfTwo(val uint32) bool

Returns whether this value is a power of 2

Types

type ByVAddr

type ByVAddr []*lib.SectionHeader

func (ByVAddr) Len

func (self ByVAddr) Len() int

func (ByVAddr) Less

func (s ByVAddr) Less(i, j int) bool

func (ByVAddr) Swap

func (self ByVAddr) Swap(i, j int)

type PEFile

type PEFile struct {
	Filename          string
	DosHeader         *lib.DosHeader
	NTHeader          *lib.NTHeader
	FileHeader        *lib.FileHeader
	OptionalHeader    *lib.OptionalHeader
	OptionalHeader64  *lib.OptionalHeader64
	Sections          []*lib.SectionHeader
	ImportDescriptors []*lib.ImportDescriptor
	ExportDirectory   *lib.ExportDirectory
	// contains filtered or unexported fields
}

The representation of the PEFile with some helpful abstractions

func NewPEFile

func NewPEFile(filename string) (pe *PEFile, err error)

func (*PEFile) Close added in v1.0.2

func (self *PEFile) Close() error

func (*PEFile) GetData

func (self *PEFile) GetData(section *lib.SectionHeader) []byte

func (*PEFile) GetImpHash

func (self *PEFile) GetImpHash() string
