pe

package
v1.10.0
Warning

This package is not in the latest version of its module.

Published: Mar 31, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package pe provides facilities for handling Portable Executable (PE) specifics and extracting valuable insights from PE files.


Constants

const (
	// VersionResourceType identifies the version resource type in the resource directory
	VersionResourceType = 16

	// VsVersionInfoString is the UTF16-encoded string that identifies the VS_VERSION_INFO block
	VsVersionInfoString = "VS_VERSION_INFO"

	// VsFileInfoSignature is the file info signature
	VsFileInfoSignature uint32 = 0xFEEF04BD

	// StringFileInfoString is the UTF16-encoded string that identifies the StringFileInfo block
	StringFileInfoString = "StringFileInfo"
	// VarFileInfoString is the UTF16-encoded string that identifies the VarFileInfo block
	VarFileInfoString = "VarFileInfo"

	// VsVersionInfoStringLength specifies the length of the VS_VERSION_INFO structure
	VsVersionInfoStringLength uint32 = 6
	// StringFileInfoLength specifies length of the StringFileInfo structure
	StringFileInfoLength uint32 = 6
	// StringTableLength specifies the length of the StringTable structure
	StringTableLength uint32 = 6
	// StringLength specifies the length of the String structure
	StringLength uint32 = 6
	// LangIDLength specifies the length of the language identifier string.
	// It is represented as an 8-digit hexadecimal number stored as a Unicode string.
	LangIDLength uint32 = 8*2 + 1
)

Variables

var (
	// MaxHeaderSize specifies the maximum size of the PE header
	MaxHeaderSize = uint(os.Getpagesize())
	// MinHeaderSize denotes the minimal valid PE header size
	MinHeaderSize = uint(0x100)
	// ErrEmptyVArea represents the error which is returned if the VA area couldn't be read
	ErrEmptyVArea = errors.New("va memory area is empty")
)

Functions

func AlignDword added in v1.10.0

func AlignDword(offset, base uint32) uint32

AlignDword aligns the offset on a 32-bit boundary.

func DecodeUTF16String added in v1.10.0

func DecodeUTF16String(b []byte) (string, error)

DecodeUTF16String decodes the UTF16 string from the byte slice.

func ParseVersionResources added in v1.10.0

func ParseVersionResources(pe *peparser.File) (map[string]string, error)

ParseVersionResources parses file version strings from the version resource directory. This directory contains several structures, starting with VS_VERSION_INFO, which references its child StringFileInfo structures. In turn, StringFileInfo contains the StringTable structure, whose String entries describe the name and value of each file version string.
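The String entries described above can be walked as follows. This is an added example, not code from this package: it is narrowed to the String children of a single StringTable, and `ParseStrings`, `readStr`, `entry`, `align` and `word` are hypothetical names. It assumes the table body starts on a 32-bit boundary, and the sample input is constructed.

```go
package main

import "fmt"
import "unicode/utf16"

func align(n int) int          { return (n + 3) &^ 3 }               // round up to a 32-bit boundary
func word(b []byte, i int) int { return int(b[i]) | int(b[i+1])<<8 } // little-endian uint16

// readStr decodes the NUL-terminated UTF-16LE string at off and returns the offset past it.
func readStr(b []byte, off int) (string, int, error) {
	for u := []uint16{}; off+2 <= len(b); off += 2 {
		if u = append(u, uint16(word(b, off))); u[len(u)-1] == 0 {
			return string(utf16.Decode(u[:len(u)-1])), off + 2, nil
		}
	}
	return "", 0, fmt.Errorf("unterminated UTF-16 string")
}

// ParseStrings reads String entries (wLength, wValueLength, wType, key, value) from a StringTable body.
func ParseStrings(b []byte) (map[string]string, error) {
	out := map[string]string{}
	for off, end := 0, 0; off+6 <= len(b); off = align(end) {
		if end = off + word(b, off); end < off+6 || end > len(b) {
			return nil, fmt.Errorf("entry at offset %d: wLength out of bounds", off)
		}
		key, p, err := readStr(b[:end], off+6) // never read past this entry's wLength
		if err == nil && word(b, off+2) > 0 {  // wValueLength 0: no value stored
			out[key], _, err = readStr(b[:end], align(p))
		}
		if err != nil {
			return nil, err
		}
	}
	return out, nil
}

// entry builds one constructed String node from ASCII text (sample input only).
func entry(key, val string) []byte {
	b := []byte{0, 0, byte(len(val) + 1), 0, 1, 0}
	for _, s := range []string{key, val} {
		for _, c := range []byte(s + "\x00") {
			b = append(b, c, 0)
		}
		b[0] = byte(len(b)) // wLength excludes trailing padding
		b = append(b, make([]byte, align(len(b))-len(b))...)
	}
	return b
}

func main() { fmt.Println(ParseStrings(append(entry("CompanyName", "Acme"), entry("FileVersion", "1.2.3.4")...))) }
```

Version resources come from untrusted files, so every read is bounded by the entry's own wLength; an entry with a length that overruns the buffer, or a string with no terminator inside it, is rejected rather than read.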

Types

type Option added in v1.10.0

type Option func(o *opts)

Option represents the option type for the PE parser.

func WithExcludedImages added in v1.10.0

func WithExcludedImages(images []string) Option

WithExcludedImages provides a list of image paths for which the parsing is skipped.

func WithSectionEntropy added in v1.10.0

func WithSectionEntropy() Option

WithSectionEntropy indicates if entropy is calculated for available sections.

func WithSectionMD5 added in v1.10.0

func WithSectionMD5() Option

WithSectionMD5 indicates if MD5 hash is calculated for available sections.

func WithSections added in v1.10.0

func WithSections() Option

WithSections indicates that the section header is parsed.

func WithSymbols added in v1.10.0

func WithSymbols() Option

WithSymbols indicates that the import directory is parsed for imported symbols.

func WithVersionResources added in v1.10.0

func WithVersionResources() Option

WithVersionResources indicates if version resources are parsed from the resource directory.

type String added in v1.10.0

type String struct {
	Length      uint16
	ValueLength uint16
	Type        uint16
}

String represents the organization of data in a file-version resource. It contains a string that describes a specific aspect of a file, for example, a file's version, its copyright notices, or its trademarks.

func (*String) GetOffset added in v1.10.0

func (s *String) GetOffset(rva uint32, e peparser.ResourceDirectoryEntry, pe *peparser.File) uint32

func (*String) Parse added in v1.10.0

type StringFileInfo added in v1.10.0

type StringFileInfo struct {
	Length      uint16
	ValueLength uint16
	Type        uint16
}

StringFileInfo represents the organization of data in a file-version resource. It contains version information that can be displayed for a particular language and code page.

func (*StringFileInfo) GetOffset added in v1.10.0

func (*StringFileInfo) GetStringTableOffset added in v1.10.0

func (s *StringFileInfo) GetStringTableOffset(offset uint32) uint32

func (*StringFileInfo) Parse added in v1.10.0

type StringTable added in v1.10.0

type StringTable struct {
	Length      uint16
	ValueLength uint16
	Type        uint16
}

StringTable represents the organization of data in a file-version resource. It contains language and code page formatting information for the version strings.

func (*StringTable) GetOffset added in v1.10.0

func (*StringTable) GetStringOffset added in v1.10.0

func (s *StringTable) GetStringOffset(offset uint32, e peparser.ResourceDirectoryEntry) uint32

func (*StringTable) Parse added in v1.10.0

type VsFixedFileInfo added in v1.10.0

type VsFixedFileInfo struct {
	// Signature contains the value 0xFEEF04BD. This is used
	// with the `key` member of the VS_VERSIONINFO structure
	// when searching a file for the VS_FIXEDFILEINFO structure.
	Signature uint32
	// StructVer is the binary version number of this structure.
	// The high-order word of this member contains the major version
	// number, and the low-order word contains the minor version number.
	StructVer uint32
	// FileVersionMS denotes the most significant 32 bits of the file's
	// binary version number.
	FileVersionMS uint32
	// FileVersionLS denotes the least significant 32 bits of the file's
	// binary version number.
	FileVersionLS uint32
	// ProductVersionMS represents the most significant 32 bits of the
	// binary version number of the product with which this file was distributed.
	ProductVersionMS uint32
	// ProductVersionLS represents the least significant 32 bits of the
	// binary version number of the product with which this file was distributed.
	ProductVersionLS uint32
	// FileFlagMask contains a bitmask that specifies the valid bits in FileFlags.
	// A bit is valid only if it was defined when the file was created.
	FileFlagMask uint32
	// FileFlags contains a bitmask that specifies the Boolean attributes of the file.
	// For example, the file contains debugging information or is compiled with debugging
	// features enabled if FileFlags is equal to 0x00000001L (VS_FF_DEBUG).
	FileFlags uint32
	// FileOS represents the operating system for which this file was designed.
	FileOS uint32
	// FileType describes the general type of file.
	FileType uint32
	// FileSubtype specifies the function of the file. The possible values depend on the value of FileType.
	FileSubtype uint32
	// FileDateMS are the most significant 32 bits of the file's 64-bit binary creation date and time stamp.
	FileDateMS uint32
	// FileDateLS are the least significant 32 bits of the file's 64-bit binary creation date and time stamp.
	FileDateLS uint32
}

VsFixedFileInfo contains version information for a file. This information is language and code page independent.

func (*VsFixedFileInfo) GetOffset added in v1.10.0

func (*VsFixedFileInfo) GetStringFileInfoOffset added in v1.10.0

func (f *VsFixedFileInfo) GetStringFileInfoOffset(e peparser.ResourceDirectoryEntry) uint32

func (*VsFixedFileInfo) Parse added in v1.10.0

func (*VsFixedFileInfo) Size added in v1.10.0

func (f *VsFixedFileInfo) Size() uint32

Size returns the size of this structure in bytes.

type VsVersionInfo added in v1.10.0

type VsVersionInfo struct {
	// Length is the length, in bytes, of the VS_VERSIONINFO structure.
	// This length does not include any padding that aligns any
	// subsequent version resource data on a 32-bit boundary.
	Length uint16
	// ValueLength is the length, in bytes, of arbitrary data associated
	// with the VS_VERSIONINFO structure.
	// This value is zero if there is no data associated with the
	// current version structure.
	ValueLength uint16
	// Type is the type of data in the version resource. It is 1 if the
	// version resource contains text data and 0 if it contains binary data.
	Type uint16
}

VsVersionInfo represents the organization of data in a file-version resource. It is the root structure that contains all other file-version information structures.

func (*VsVersionInfo) Parse added in v1.10.0

Parse parses the VS_VERSIONINFO structure from the resource directory entry.
