pe

package module
v1.5.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 13, 2024 License: MIT Imports: 27 Imported by: 20

README

Saferwall logo

Portable Executable Parser

GoDoc Go Version Report Card codecov GitHub Workflow Status

pe is a go package for parsing the portable executable file format. This package was designed with malware analysis in mind, and being resistent to PE malformations.

Table of content

Features

  • Works with PE32/PE32+ file format.
  • Supports Intel x86/AMD64/ARM7ARM7 Thumb/ARM8-64/IA64/CHPE architectures.
  • MS DOS header.
  • Rich Header (calculate checksum and hash).
  • NT Header (file header + optional header).
  • COFF symbol table and string table.
  • Sections headers + entropy calculation.
  • Data directories
    • Import Table + ImpHash calculation.
    • Export Table
    • Resource Table
    • Exceptions Table
    • Security Table + Authentihash calculation.
    • Relocations Table
    • Debug Table (CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS debug types).
    • TLS Table
    • Load Config Directory (SEH, GFID, GIAT, Guard LongJumps, CHPE, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables).
    • Bound Import Table
    • Delay Import Table
    • COM Table (CLR Metadata Header, Metadata Table Streams)
  • Report several anomalies

Installing

Using this go package is easy. First, use go get to install the latest version of the library. This command will install the pedumper executable along with the library and its dependencies:

go get -u github.com/saferwall/pe

Next, include pe package in your application:

import "github.com/saferwall/pe"

Using the library

package main

import (
	peparser "github.com/saferwall/pe"
)

func main() {
    filename := "C:\\Binaries\\notepad.exe"
    pe, err := peparser.New(filename, &peparser.Options{})
	if err != nil {
		log.Fatalf("Error while opening file: %s, reason: %v", filename, err)
    }

    err = pe.Parse()
    if err != nil {
        log.Fatalf("Error while parsing file: %s, reason: %v", filename, err)
    }
}

Start by instantiating a pe object by called the New() method, which takes the file path to the file to be parsed and some optional options.

Afterwards, a call to the Parse() method will give you access to all the different part of the PE format, directly accessible to be used. Here is the definition of the struct:

type File struct {
	DOSHeader    ImageDOSHeader
	RichHeader   RichHeader
	NtHeader     ImageNtHeader
	COFF         COFF
	Sections     []Section
	Imports      []Import
	Export       Export
	Debugs       []DebugEntry
	Relocations  []Relocation
	Resources    ResourceDirectory
	TLS          TLSDirectory
	LoadConfig   LoadConfig
	Exceptions   []Exception
	Certificates Certificate
	DelayImports []DelayImport
	BoundImports []BoundImportDescriptorData
	GlobalPtr    uint32
	CLR          CLRData
	IAT          []IATEntry
	Header       []byte
	data         mmap.MMap
	closer       io.Closer
	Is64         bool
	Is32         bool
	Anomalies    []string
	size         uint32
	f            *os.File
	opts         *Options
}
PE Header

As mentionned before, all members of the struct are directly (no getters) accessible, additionally, the fields types has been preserved as the spec defines them, that means if you need to show the prettified version of an int type, you have to call the corresponding helper function.

fmt.Printf("Magic is: 0x%x\n", pe.DosHeader.Magic)
fmt.Printf("Signature is: 0x%x\n", pe.NtHeader.Signature)
fmt.Printf("Machine is: 0x%x, Meaning: %s\n", pe.NtHeader.FileHeader.Machine, pe.PrettyMachineType())

Output:

Magic is: 0x5a4d
Signature is: 0x4550
Machine is: 0x8664, Meaning: x64
Rich Header

Example:

richHeader, _ := json.Marshal(pe.RichHeader)
fmt.Print(prettyPrint(richHeader))

Output:

{
    "XorKey": 2796214951,
    "CompIDs": [
        {
            "MinorCV": 27412,
            "ProdID": 257,
            "Count": 4,
            "Unmasked": 16870164
        },
        {
            "MinorCV": 30729,
            "ProdID": 147,
            "Count": 193,
            "Unmasked": 9664521
        },
        {
            "MinorCV": 0,
            "ProdID": 1,
            "Count": 1325,
            "Unmasked": 65536
        },
        {
            "MinorCV": 27412,
            "ProdID": 260,
            "Count": 9,
            "Unmasked": 17066772
        },
        {
            "MinorCV": 27412,
            "ProdID": 259,
            "Count": 3,
            "Unmasked": 17001236
        },
        {
            "MinorCV": 27412,
            "ProdID": 256,
            "Count": 1,
            "Unmasked": 16804628
        },
        {
            "MinorCV": 27412,
            "ProdID": 269,
            "Count": 209,
            "Unmasked": 17656596
        },
        {
            "MinorCV": 27412,
            "ProdID": 255,
            "Count": 1,
            "Unmasked": 16739092
        },
        {
            "MinorCV": 27412,
            "ProdID": 258,
            "Count": 1,
            "Unmasked": 16935700
        }
    ],
    "DansOffset": 128,
    "Raw": "47vE9afaqqan2qqmp9qqprOxq6ej2qqmrqI5pmbaqqan2qumit+qprOxrqeu2qqms7Gpp6TaqqazsaqnptqqprOxp6d22qqms7FVpqbaqqazsainptqqplJpY2in2qqm"
}
Iterating over sections
for _, sec := range pe.Sections {
    fmt.Printf("Section Name : %s\n", sec.NameString())
    fmt.Printf("Section VirtualSize : %x\n", sec.Header.VirtualSize)
    fmt.Printf("Section Flags : %x, Meaning: %v\n\n",
        sec.Header.Characteristics, sec.PrettySectionFlags())
}

Output:

Section Name : .text
Section VirtualSize : 2ea58
Section Flags : 60500060, Meaning: [Align8Bytes Readable Align16Bytes Executable Contains Code Initialized Data Align1Bytes]

Section Name : .data
Section VirtualSize : 58
Section Flags : c0500040, Meaning: [Readable Initialized Data Writable Align1Bytes Align16Bytes Align8Bytes]

Section Name : .rdata
Section VirtualSize : 18d0
Section Flags : 40600040, Meaning: [Align2Bytes Align8Bytes Readable Initialized Data Align32Bytes]

...

Roadmap

  • imports MS-styled names demangling
  • PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table

Fuzz Testing

To validate the parser we use the go-fuzz and a corpus of known malformed and tricky PE files from corkami.

Projects Using This Library

Fibratus

Fibratus A modern tool for Windows kernel exploration and tracing with a focus on security.

References

Documentation

Index

Constants

View Source 
const (
	// An unknown value that is ignored by all tools.
	ImageDebugTypeUnknown = 0

	// The COFF debug information (line numbers, symbol table, and string table).
	// This type of debug information is also pointed to by fields in the file headers.
	ImageDebugTypeCOFF = 1

	// The Visual C++ debug information.
	ImageDebugTypeCodeView = 2

	// The frame pointer omission (FPO) information. This information tells the
	// debugger how to interpret nonstandard stack frames, which use the EBP
	// register for a purpose other than as a frame pointer.
	ImageDebugTypeFPO = 3

	// The location of DBG file.
	ImageDebugTypeMisc = 4

	// A copy of .pdata section.
	ImageDebugTypeException = 5

	// Reserved.
	ImageDebugTypeFixup = 6

	// The mapping from an RVA in image to an RVA in source image.
	ImageDebugTypeOMAPToSrc = 7

	// The mapping from an RVA in source image to an RVA in image.
	ImageDebugTypeOMAPFromSrc = 8

	// Reserved for Borland.
	ImageDebugTypeBorland = 9

	// Reserved.
	ImageDebugTypeReserved = 10

	// Reserved.
	ImageDebugTypeCLSID = 11

	// Visual C++ features (/GS counts /sdl counts and guardN counts).
	ImageDebugTypeVCFeature = 12

	// Pogo aka PGO aka Profile Guided Optimization.
	ImageDebugTypePOGO = 13

	// Incremental Link Time Code Generation (iLTCG).
	ImageDebugTypeILTCG = 14

	// Intel MPX.
	ImageDebugTypeMPX = 15

	// PE determinism or reproducibility.
	ImageDebugTypeRepro = 16

	// Extended DLL characteristics bits.
	ImageDebugTypeExDllCharacteristics = 20
)

The following values are defined for the Type field of the debug directory entry:

View Source 
const (
	// CVSignatureRSDS represents the CodeView signature 'SDSR'.
	CVSignatureRSDS = 0x53445352

	// CVSignatureNB10 represents the CodeView signature 'NB10'.
	CVSignatureNB10 = 0x3031424e
)
View Source 
const (
	// FrameFPO indicates a frame of type FPO.
	FrameFPO = 0x0

	// FrameTrap indicates a frame of type Trap.
	FrameTrap = 0x1

	// FrameTSS indicates a frame of type TSS.
	FrameTSS = 0x2

	// FrameNonFPO indicates a frame of type Non-FPO.
	FrameNonFPO = 0x3
)
View Source 
const (
	// POGOTypePGU represents a signature for an undocumented PGO sub type.
	POGOTypePGU = 0x50475500
	// POGOTypePGI represents a signature for an undocumented PGO sub type.
	POGOTypePGI = 0x50474900
	// POGOTypePGO represents a signature for an undocumented PGO sub type.
	POGOTypePGO = 0x50474F00
	// POGOTypeLTCG represents a signature for an undocumented PGO sub type.
	POGOTypeLTCG = 0x4c544347
)
View Source 
const (
	// The image file contains IL code only, with no embedded native unmanaged
	// code except the start-up stub (which simply executes an indirect jump to
	// the CLR entry point).
	COMImageFlagsILOnly = 0x00000001

	// The image file can be loaded only into a 32-bit process.
	COMImageFlags32BitRequired = 0x00000002

	// This flag is obsolete and should not be set. Setting it—as the IL
	// assembler allows, using the .corflags directive—will render your module
	// un-loadable.
	COMImageFlagILLibrary = 0x00000004

	// The image file is protected with a strong name signature.
	COMImageFlagsStrongNameSigned = 0x00000008

	// The executable’s entry point is an unmanaged method. The EntryPointToken/
	// EntryPointRVA field of the CLR header contains the RVA of this native
	// method. This flag was introduced in version 2.0 of the CLR.
	COMImageFlagsNativeEntrypoint = 0x00000010

	// The CLR loader and the JIT compiler are required to track debug
	// information about the methods. This flag is not used.
	COMImageFlagsTrackDebugData = 0x00010000

	// The image file can be loaded into any process, but preferably into a
	// 32-bit process. This flag can be only set together with flag
	// COMIMAGE_FLAGS_32BITREQUIRED. When set, these two flags mean the image
	// is platformneutral, but prefers to be loaded as 32-bit when possible.
	// This flag was introduced in CLR v4.0
	COMImageFlags32BitPreferred = 0x00020000
)

COM+ Header entry point flags.

View Source 
const (
	// V-table slots are 32-bits in size.
	CORVTable32Bit = 0x01

	// V-table slots are 64-bits in size.
	CORVTable64Bit = 0x02

	//  The thunk created by the common language runtime must provide data
	// marshaling between managed and unmanaged code.
	CORVTableFromUnmanaged = 0x04

	// The thunk created by the common language runtime must provide data
	// marshaling between managed and unmanaged code. Current appdomain should
	// be selected to dispatch the call.
	CORVTableFromUnmanagedRetainAppDomain = 0x08

	// Call most derived method described by
	CORVTableCallMostDerived = 0x10
)

V-table constants.

View Source 
const (
	// The current module descriptor.
	Module = 0
	// Class reference descriptors.
	TypeRef = 1
	// Class or interface definition descriptors.
	TypeDef = 2
	// A class-to-fields lookup table, which does not exist in optimized
	// metadata (#~ stream).
	FieldPtr = 3
	// Field definition descriptors.
	Field = 4
	// A class-to-methods lookup table, which does not exist in
	// optimized metadata (#~ stream).
	MethodPtr = 5
	// Method definition descriptors.
	MethodDef = 6
	// A method-to-parameters lookup table, which does not exist in optimized
	// metadata (#~ stream).
	ParamPtr = 7
	// Parameter definition descriptors.
	Param = 8
	// Interface implementation descriptors.
	InterfaceImpl = 9
	// Member (field or method) reference descriptors.
	MemberRef = 10
	// Constant value descriptors that map the default values stored in the
	// #Blob stream to respective fields, parameters, and properties.
	Constant = 11
	// Custom attribute descriptors.
	CustomAttribute = 12
	// Field or parameter marshaling descriptors for managed/unmanaged
	// inter-operations.
	FieldMarshal = 13
	// Security descriptors.
	DeclSecurity = 14
	// Class layout descriptors that hold information about how the loader
	// should lay out respective classes.
	ClassLayout = 15
	// Field layout descriptors that specify the offset or ordinal of
	// individual fields.
	FieldLayout = 16
	// Stand-alone signature descriptors. Signatures per se are used in two
	// capacities: as composite signatures of local variables of methods and as
	// parameters of the call indirect (calli) IL instruction.
	StandAloneSig = 17
	// A class-to-events mapping table. This is not an intermediate lookup
	// table, and it does exist in optimized metadata.
	EventMap = 18
	// An event map–to–events lookup table, which does not exist in optimized
	// metadata (#~ stream).
	EventPtr = 19
	// Event descriptors.
	Event = 20
	// A class-to-properties mapping table. This is not an intermediate lookup
	// table, and it does exist in optimized metadata.
	PropertyMap = 21
	// A property map–to–properties lookup table, which does not exist in
	// optimized metadata (#~ stream).
	PropertyPtr = 22
	// Property descriptors.
	Property = 23
	// Method semantics descriptors that hold information about which method is
	// associated with a specific property or event and in what capacity.
	MethodSemantics = 24
	// Method implementation descriptors.
	MethodImpl = 25
	// Module reference descriptors.
	ModuleRef = 26
	// Type specification descriptors.
	TypeSpec = 27
	// Implementation map descriptors used for the platform invocation
	// (P/Invoke) type of managed/unmanaged code inter-operation.
	ImplMap = 28
	// Field-to-data mapping descriptors.
	FieldRVA = 29
	// Edit-and-continue log descriptors that hold information about what
	// changes have been made to specific metadata items during in-memory
	// editing. This table does not exist in optimized metadata (#~ stream)
	ENCLog = 30
	// Edit-and-continue mapping descriptors. This table does not exist in
	// optimized metadata (#~ stream).
	ENCMap = 31
	// The current assembly descriptor, which should appear only in the prime
	// module metadata.
	Assembly = 32
	// This table is unused.
	AssemblyProcessor = 33
	// This table is unused.
	AssemblyOS = 34
	// Assembly reference descriptors.
	AssemblyRef = 35
	// This table is unused.
	AssemblyRefProcessor = 36
	// This table is unused.
	AssemblyRefOS = 37
	// File descriptors that contain information about other files in the
	// current assembly.
	FileMD = 38
	// Exported type descriptors that contain information about public classes
	// exported by the current assembly, which are declared in other modules of
	// the assembly. Only the prime module of the assembly should carry this
	// table.
	ExportedType = 39
	// Managed resource descriptors.
	ManifestResource = 40
	// Nested class descriptors that provide mapping of nested classes to their
	// respective enclosing classes.
	NestedClass = 41
	//  Type parameter descriptors for generic (parameterized) classes and
	// methods.
	GenericParam = 42
	// Generic method instantiation descriptors.
	MethodSpec = 43
	// Descriptors of constraints specified for type parameters of generic
	// classes and methods
	GenericParamConstraint = 44
)

Metadata Tables constants.

View Source 
const (
	StringStream = 0
	GUIDStream   = 1
	BlobStream   = 2
)

Heaps Streams Bit Positions.

View Source 
const (

	// UnwFlagNHandler - The function has no handler.
	UnwFlagNHandler = uint8(0x0)

	// UnwFlagEHandler - The function has an exception handler that should
	// be called when looking for functions that need to examine exceptions.
	UnwFlagEHandler = uint8(0x1)

	// UnwFlagUHandler - The function has a termination handler that should
	// be called when unwinding an exception.
	UnwFlagUHandler = uint8(0x2)

	// UnwFlagChainInfo - This unwind info structure is not the primary one
	// for the procedure. Instead, the chained unwind info entry is the contents
	// of a previous RUNTIME_FUNCTION entry. For information, see Chained unwind
	// info structures. If this flag is set, then the UNW_FLAG_EHANDLER and
	// UNW_FLAG_UHANDLER flags must be cleared. Also, the frame register and
	// fixed-stack allocation field must have the same values as in the primary
	// unwind info.
	UnwFlagChainInfo = uint8(0x4)
)
View Source 
const (
	// Push a nonvolatile integer register, decrementing RSP by 8. The
	// operation info is the number of the register. Because of the constraints
	// on epilogs, UWOP_PUSH_NONVOL unwind codes must appear first in the
	// prolog and correspondingly, last in the unwind code array. This relative
	// ordering applies to all other unwind codes except UWOP_PUSH_MACHFRAME.
	UwOpPushNonVol = UnwindOpType(0)

	// Allocate a large-sized area on the stack. There are two forms. If the
	// operation info equals 0, then the size of the allocation divided by 8 is
	// recorded in the next slot, allowing an allocation up to 512K - 8. If the
	// operation info equals 1, then the unscaled size of the allocation is
	// recorded in the next two slots in little-endian format, allowing
	// allocations up to 4GB - 8.
	UwOpAllocLarge = UnwindOpType(1)

	// Allocate a small-sized area on the stack. The size of the allocation is
	// the operation info field * 8 + 8, allowing allocations from 8 to 128
	// bytes.
	UwOpAllocSmall = UnwindOpType(2)

	// Establish the frame pointer register by setting the register to some
	// offset of the current RSP. The offset is equal to the Frame Register
	// offset (scaled) field in the UNWIND_INFO * 16, allowing offsets from 0
	// to 240. The use of an offset permits establishing a frame pointer that
	// points to the middle of the fixed stack allocation, helping code density
	// by allowing more accesses to use short instruction forms. The operation
	// info field is reserved and shouldn't be used.
	UwOpSetFpReg = UnwindOpType(3)

	// Save a nonvolatile integer register on the stack using a MOV instead of
	// a PUSH. This code is primarily used for shrink-wrapping, where a
	// nonvolatile register is saved to the stack in a position that was
	// previously allocated. The operation info is the number of the register.
	// The scaled-by-8 stack offset is recorded in the next unwind operation
	// code slot, as described in the note above.
	UwOpSaveNonVol = UnwindOpType(4)

	// Save a nonvolatile integer register on the stack with a long offset,
	// using a MOV instead of a PUSH. This code is primarily used for
	// shrink-wrapping, where a nonvolatile register is saved to the stack in a
	// position that was previously allocated. The operation info is the number
	// of the register. The unscaled stack offset is recorded in the next two
	// unwind operation code slots, as described in the note above.
	UwOpSaveNonVolFar = UnwindOpType(5)

	// For version 1 of the UNWIND_INFO structure, this code was called
	// UWOP_SAVE_XMM and occupied 2 records, it retained the lower 64 bits of
	// the XMM register, but was later removed and is now skipped. In practice,
	// this code has never been used.
	// For version 2 of the UNWIND_INFO structure, this code is called
	// UWOP_EPILOG, takes 2 entries, and describes the function epilogue.
	UwOpEpilog = UnwindOpType(6)

	// For version 1 of the UNWIND_INFO structure, this code was called
	// UWOP_SAVE_XMM_FAR and occupied 3 records, it saved the lower 64 bits of
	// the XMM register, but was later removed and is now skipped. In practice,
	// this code has never been used.
	// For version 2 of the UNWIND_INFO structure, this code is called
	// UWOP_SPARE_CODE, takes 3 entries, and makes no sense.
	UwOpSpareCode = UnwindOpType(7)

	// Save all 128 bits of a nonvolatile XMM register on the stack. The
	// operation info is the number of the register. The scaled-by-16 stack
	// offset is recorded in the next slot.
	UwOpSaveXmm128 = UnwindOpType(8)

	// Save all 128 bits of a nonvolatile XMM register on the stack with a long
	// offset. The operation info is the number of the register. The unscaled
	// stack offset is recorded in the next two slots.
	UwOpSaveXmm128Far = UnwindOpType(9)

	// Push a machine frame. This unwind code is used to record the effect of a
	// hardware interrupt or exception.
	UwOpPushMachFrame = UnwindOpType(10)

	// UWOP_SET_FPREG_LARGE is a CLR Unix-only extension to the Windows AMD64
	// unwind codes. It is not part of the standard Windows AMD64 unwind codes
	// specification. UWOP_SET_FPREG allows for a maximum of a 240 byte offset
	// between RSP and the frame pointer, when the frame pointer is
	// established. UWOP_SET_FPREG_LARGE has a 32-bit range scaled by 16. When
	// UWOP_SET_FPREG_LARGE is used, UNWIND_INFO.FrameRegister must be set to
	// the frame pointer register, and UNWIND_INFO.FrameOffset must be set to
	// 15 (its maximum value). UWOP_SET_FPREG_LARGE is followed by two
	// UNWIND_CODEs that are combined to form a 32-bit offset (the same as
	// UWOP_SAVE_NONVOL_FAR). This offset is then scaled by 16. The result must
	// be less than 2^32 (that is, the top 4 bits of the unscaled 32-bit number
	// must be zero). This result is used as the frame pointer register offset
	// from RSP at the time the frame pointer is established. Either
	// UWOP_SET_FPREG or UWOP_SET_FPREG_LARGE can be used, but not both.
	UwOpSetFpRegLarge = UnwindOpType(11)
)

_UNWIND_OP_CODES

View Source 
const (
	// TinyPESize On Windows XP (x32) the smallest PE executable is 97 bytes.
	TinyPESize = 97

	// FileAlignmentHardcodedValue represents the value which PointerToRawData
	// should be at least equal or bigger to, or it will be rounded to zero.
	// According to http://corkami.blogspot.com/2010/01/parce-que-la-planche-aura-brule.html
	// if PointerToRawData is less that 0x200 it's rounded to zero.
	FileAlignmentHardcodedValue = 0x200
)
View Source 
const (
	// ImageGuardFlagFIDSuppressed indicates that the call target is explicitly
	// suppressed (do not treat it as valid for purposes of CFG).
	ImageGuardFlagFIDSuppressed = 0x1

	// ImageGuardFlagExportSuppressed indicates that the call target is export
	// suppressed. See Export suppression for more details.
	ImageGuardFlagExportSuppressed = 0x2
)

GFIDS table entry flags.

View Source 
const (
	// ImageGuardCfInstrumented indicates that the module performs control flow
	// integrity checks using system-supplied support.
	ImageGuardCfInstrumented = 0x00000100

	// ImageGuardCfWInstrumented indicates that the module performs control
	// flow and write integrity checks.
	ImageGuardCfWInstrumented = 0x00000200

	// ImageGuardCfFunctionTablePresent indicates that the module contains
	// valid control flow target metadata.
	ImageGuardCfFunctionTablePresent = 0x00000400

	// ImageGuardSecurityCookieUnused indicates that the module does not make
	// use of the /GS security cookie.
	ImageGuardSecurityCookieUnused = 0x00000800

	// ImageGuardProtectDelayLoadIAT indicates that the module supports read
	// only delay load IAT.
	ImageGuardProtectDelayLoadIAT = 0x00001000

	// ImageGuardDelayLoadIATInItsOwnSection indicates that the Delayload
	// import table in its own .didat section (with nothing else in it) that
	// can be freely reprotected.
	ImageGuardDelayLoadIATInItsOwnSection = 0x00002000

	// ImageGuardCfExportSuppressionInfoPresent indicates that the module
	// contains suppressed export information. This also infers that the
	// address taken IAT table is also present in the load config.
	ImageGuardCfExportSuppressionInfoPresent = 0x00004000

	// ImageGuardCfEnableExportSuppression indicates that the module enables
	// suppression of exports.
	ImageGuardCfEnableExportSuppression = 0x00008000

	// ImageGuardCfLongJumpTablePresent indicates that the module contains
	// long jmp target information.
	ImageGuardCfLongJumpTablePresent = 0x00010000
)

The GuardFlags field contains a combination of one or more of the following flags and subfields:

View Source 
const (
	// ImageGuardCfFunctionTableSizeMask indicates that the mask for the
	// subfield that contains the stride of Control Flow Guard function table
	// entries (that is, the additional count of bytes per table entry).
	ImageGuardCfFunctionTableSizeMask = 0xF0000000

	// ImageGuardCfFunctionTableSizeShift indicates the shift to right-justify
	// Guard CF function table stride.
	ImageGuardCfFunctionTableSizeShift = 28
)
View Source 
const (
	ImageDynamicRelocationGuardRfPrologue = 0x00000001
	ImageDynamicRelocationGuardREpilogue  = 0x00000002
)
View Source 
const (
	ImageEnclaveLongIDLength  = 32
	ImageEnclaveShortIDLength = 16
)

Software enclave information.

View Source 
const (
	// ImageEnclaveImportMatchNone indicates that none of the identifiers of the
	// image need to match the value in the import record.
	ImageEnclaveImportMatchNone = 0x00000000

	// ImageEnclaveImportMatchUniqueId indicates that the value of the enclave
	// unique identifier of the image must match the value in the import record.
	// Otherwise, loading of the image fails.
	ImageEnclaveImportMatchUniqueID = 0x00000001

	// ImageEnclaveImportMatchAuthorId indicates that the value of the enclave
	// author identifier of the image must match the value in the import record.
	// Otherwise, loading of the image fails. If this flag is set and the import
	// record indicates an author identifier of all zeros, the imported image
	// must be part of the Windows installation.
	ImageEnclaveImportMatchAuthorID = 0x00000002

	// ImageEnclaveImportMatchFamilyId indicates that the value of the enclave
	// family identifier of the image must match the value in the import record.
	// Otherwise, loading of the image fails.
	ImageEnclaveImportMatchFamilyID = 0x00000003

	// ImageEnclaveImportMatchImageId indicates that the value of the enclave
	// image identifier must match the value in the import record. Otherwise,
	// loading of the image fails.
	ImageEnclaveImportMatchImageID = 0x00000004
)
View Source 
const (

	// The DOS MZ executable format is the executable file format used
	// for .EXE files in DOS.
	ImageDOSSignature   = 0x5A4D // MZ
	ImageDOSZMSignature = 0x4D5A // ZM

	// The New Executable (abbreviated NE or NewEXE) is a 16-bit .exe file
	// format, a successor to the DOS MZ executable format. It was used in
	// Windows 1.0–3.x, multitasking MS-DOS 4.0, OS/2 1.x, and the OS/2 subset
	// of Windows NT up to version 5.0 (Windows 2000). A NE is also called a
	// segmented executable.
	ImageOS2Signature = 0x454E

	// Linear Executable is an executable file format in the EXE family.
	// It was used by 32-bit OS/2, by some DOS extenders, and by Microsoft
	// Windows VxD files. It is an extension of MS-DOS EXE, and a successor
	// to NE (New Executable).
	ImageOS2LESignature = 0x454C

	// There are two main varieties of LE executables:
	// LX (32-bit), and LE (mixed 16/32-bit).
	ImageVXDSignature = 0x584C

	// Terse Executables have a 'VZ' signature.
	ImageTESignature = 0x5A56

	// The Portable Executable (PE) format is a file format for executables,
	// object code, DLLs and others used in 32-bit and 64-bit versions of
	// Windows operating systems.
	ImageNTSignature = 0x00004550 // PE00
)

Image executable types

View Source 
const (
	ImageNtOptionalHeader32Magic = 0x10b
	ImageNtOptionalHeader64Magic = 0x20b
	ImageROMOptionalHeaderMagic  = 0x10
)

Optional Header magic

View Source 
const (
	ImageFileMachineUnknown   = ImageFileHeaderMachineType(0x0)    // The contents of this field are assumed to be applicable to any machine type
	ImageFileMachineAM33      = ImageFileHeaderMachineType(0x1d3)  // Matsushita AM33
	ImageFileMachineAMD64     = ImageFileHeaderMachineType(0x8664) // x64
	ImageFileMachineARM       = ImageFileHeaderMachineType(0x1c0)  // ARM little endian
	ImageFileMachineARM64     = ImageFileHeaderMachineType(0xaa64) // ARM64 little endian
	ImageFileMachineARMNT     = ImageFileHeaderMachineType(0x1c4)  // ARM Thumb-2 little endian
	ImageFileMachineEBC       = ImageFileHeaderMachineType(0xebc)  // EFI byte code
	ImageFileMachineI386      = ImageFileHeaderMachineType(0x14c)  // Intel 386 or later processors and compatible processors
	ImageFileMachineIA64      = ImageFileHeaderMachineType(0x200)  // Intel Itanium processor family
	ImageFileMachineM32R      = ImageFileHeaderMachineType(0x9041) // Mitsubishi M32R little endian
	ImageFileMachineMIPS16    = ImageFileHeaderMachineType(0x266)  // MIPS16
	ImageFileMachineMIPSFPU   = ImageFileHeaderMachineType(0x366)  // MIPS with FPU
	ImageFileMachineMIPSFPU16 = ImageFileHeaderMachineType(0x466)  // MIPS16 with FPU
	ImageFileMachinePowerPC   = ImageFileHeaderMachineType(0x1f0)  // Power PC little endian
	ImageFileMachinePowerPCFP = ImageFileHeaderMachineType(0x1f1)  // Power PC with floating point support
	ImageFileMachineR4000     = ImageFileHeaderMachineType(0x166)  // MIPS little endian
	ImageFileMachineRISCV32   = ImageFileHeaderMachineType(0x5032) // RISC-V 32-bit address space
	ImageFileMachineRISCV64   = ImageFileHeaderMachineType(0x5064) // RISC-V 64-bit address space
	ImageFileMachineRISCV128  = ImageFileHeaderMachineType(0x5128) // RISC-V 128-bit address space
	ImageFileMachineSH3       = ImageFileHeaderMachineType(0x1a2)  // Hitachi SH3
	ImageFileMachineSH3DSP    = ImageFileHeaderMachineType(0x1a3)  // Hitachi SH3 DSP
	ImageFileMachineSH4       = ImageFileHeaderMachineType(0x1a6)  // Hitachi SH4
	ImageFileMachineSH5       = ImageFileHeaderMachineType(0x1a8)  // Hitachi SH5
	ImageFileMachineTHUMB     = ImageFileHeaderMachineType(0x1c2)  // Thumb
	ImageFileMachineWCEMIPSv2 = ImageFileHeaderMachineType(0x169)  // MIPS little-endian WCE v2
)

Image file machine types

View Source 
const (
	// Image file only. This flag indicates that the file contains no base
	// relocations and must be loaded at its preferred base address. In the
	// case of base address conflict, the OS loader reports an error. This flag
	// should not be set for managed PE files.
	ImageFileRelocsStripped = 0x0001

	// Flag indicates that the file is an image file (EXE or DLL). This flag
	// should be set for managed PE files. If it is not set, this generally
	// indicates a linker error (i.e. no unresolved external references).
	ImageFileExecutableImage = 0x0002

	// COFF line numbers have been removed. This flag should be set for managed
	// PE files because they do not use the debug information embedded in the
	// PE file itself. Instead, the debug information is saved in accompanying
	// program database (PDB) files.
	ImageFileLineNumsStripped = 0x0004

	// COFF symbol table entries for local symbols have been removed. This flag
	// should be set for managed PE files, for the reason given in the preceding
	// entry.
	ImageFileLocalSymsStripped = 0x0008

	// Aggressively trim the working set.
	ImageFileAggressiveWSTrim = 0x0010

	// Application can handle addresses beyond the 2GB range. This flag should
	// not be set for pure-IL managed PE files of versions 1.0 and 1.1 but can
	// be set for v2.0+ files.
	ImageFileLargeAddressAware = 0x0020

	// Little endian.
	ImageFileBytesReservedLow = 0x0080

	// Machine is based on 32-bit architecture. This flag is usually set by
	// the current versions of code generators producing managed PE files.
	// Version 2.0 and newer, however, can produce 64-bit specific images,
	// which don’t have this flag set.
	ImageFile32BitMachine = 0x0100

	// Debug information has been removed from the image file.
	ImageFileDebugStripped = 0x0200

	// If the image file is on removable media, copy and run it from the swap
	// file.
	ImageFileRemovableRunFromSwap = 0x0400

	// If the image file is on a network, copy and run it from the swap file.
	ImageFileNetRunFromSwap = 0x0800

	// The image file is a system file (for example, a device driver). This flag
	ImageFileSystem = 0x1000

	// The image file is a DLL rather than an EXE. It cannot be directly run.
	ImageFileDLL = 0x2000

	// The image file should be run on a uniprocessor machine only.
	ImageFileUpSystemOnly = 0x4000

	// Big endian.
	ImageFileBytesReservedHigh = 0x8000
)

The Characteristics field contains flags that indicate attributes of the object or image file.

View Source 
const (
	ImageSubsystemUnknown                = 0  // An unknown subsystem.
	ImageSubsystemNative                 = 1  // Device drivers and native Windows processes
	ImageSubsystemWindowsGUI             = 2  // The Windows graphical user interface (GUI) subsystem.
	ImageSubsystemWindowsCUI             = 3  // The Windows character subsystem
	ImageSubsystemOS2CUI                 = 5  // The OS/2 character subsystem.
	ImageSubsystemPosixCUI               = 7  // The Posix character subsystem.
	ImageSubsystemNativeWindows          = 8  // Native Win9x driver
	ImageSubsystemWindowsCEGUI           = 9  // Windows CE
	ImageSubsystemEFIApplication         = 10 // An Extensible Firmware Interface (EFI) application
	ImageSubsystemEFIBootServiceDriver   = 11 // An EFI driver with boot services
	ImageSubsystemEFIRuntimeDriver       = 12 // An EFI driver with run-time services
	ImageSubsystemEFIRom                 = 13 // An EFI ROM image .
	ImageSubsystemXBOX                   = 14 // XBOX.
	ImageSubsystemWindowsBootApplication = 16 // Windows boot application.
)

Subsystem values of an OptionalHeader.

View Source 
const (
	ImageDllCharacteristicsReserved1            = 0x0001 // Reserved, must be zero.
	ImageDllCharacteristicsReserved2            = 0x0002 // Reserved, must be zero.
	ImageDllCharacteristicsReserved4            = 0x0004 // Reserved, must be zero.
	ImageDllCharacteristicsReserved8            = 0x0008 // Reserved, must be zero.
	ImageDllCharacteristicsHighEntropyVA        = 0x0020 // Image can handle a high entropy 64-bit virtual address space
	ImageDllCharacteristicsDynamicBase          = 0x0040 // DLL can be relocated at load time.
	ImageDllCharacteristicsForceIntegrity       = 0x0080 // Code Integrity checks are enforced.
	ImageDllCharacteristicsNXCompact            = 0x0100 // Image is NX compatible.
	ImageDllCharacteristicsNoIsolation          = 0x0200 // Isolation aware, but do not isolate the image.
	ImageDllCharacteristicsNoSEH                = 0x0400 // Does not use structured exception (SE) handling. No SE handler may be called in this image.
	ImageDllCharacteristicsNoBind               = 0x0800 // Do not bind the image.
	ImageDllCharacteristicsAppContainer         = 0x1000 // Image must execute in an AppContainer
	ImageDllCharacteristicsWdmDriver            = 0x2000 // A WDM driver.
	ImageDllCharacteristicsGuardCF              = 0x4000 // Image supports Control Flow Guard.
	ImageDllCharacteristicsTerminalServiceAware = 0x8000 // Terminal Server aware.

)

DllCharacteristics values of an OptionalHeader

View Source 
const (
	// The base relocation is skipped. This type can be used to pad a block.
	ImageRelBasedAbsolute = 0

	// The base relocation adds the high 16 bits of the difference to the 16-bit
	// field at offset. The 16-bit field represents the high value of a 32-bit word.
	ImageRelBasedHigh = 1

	// The base relocation adds the low 16 bits of the difference to the 16-bit
	// field at offset. The 16-bit field represents the low half of a 32-bit word.
	ImageRelBasedLow = 2

	// The base relocation applies all 32 bits of the difference to the 32-bit
	// field at offset.
	ImageRelBasedHighLow = 3

	// The base relocation adds the high 16 bits of the difference to the 16-bit
	// field at offset. The 16-bit field represents the high value of a 32-bit
	// word. The low 16 bits of the 32-bit value are stored in the 16-bit word
	// that follows this base relocation. This means that this base relocation
	// occupies two slots.
	ImageRelBasedHighAdj = 4

	// The relocation interpretation is dependent on the machine type.
	// When the machine type is MIPS, the base relocation applies to a MIPS jump
	// instruction.
	ImageRelBasedMIPSJmpAddr = 5

	// This relocation is meaningful only when the machine type is ARM or Thumb.
	// The base relocation applies the 32-bit address of a symbol across a
	// consecutive MOVW/MOVT instruction pair.
	ImageRelBasedARMMov32 = 5

	// This relocation is only meaningful when the machine type is RISC-V. The
	// base relocation applies to the high 20 bits of a 32-bit absolute address.
	ImageRelBasedRISCVHigh20 = 5

	// Reserved, must be zero.
	ImageRelReserved = 6

	// This relocation is meaningful only when the machine type is Thumb.
	// The base relocation applies the 32-bit address of a symbol to a
	// consecutive MOVW/MOVT instruction pair.
	ImageRelBasedThumbMov32 = 7

	// This relocation is only meaningful when the machine type is RISC-V.
	// The base relocation applies to the low 12 bits of a 32-bit absolute
	// address formed in RISC-V I-type instruction format.
	ImageRelBasedRISCVLow12i = 7

	// This relocation is only meaningful when the machine type is RISC-V.
	// The base relocation applies to the low 12 bits of a 32-bit absolute
	// address formed in RISC-V S-type instruction format.
	ImageRelBasedRISCVLow12s = 8

	// The relocation is only meaningful when the machine type is MIPS.
	// The base relocation applies to a MIPS16 jump instruction.
	ImageRelBasedMIPSJmpAddr16 = 9

	// The base relocation applies the difference to the 64-bit field at offset.
	ImageRelBasedDir64 = 10
)

The Type field of the relocation record indicates what kind of relocation should be performed. Different relocation types are defined for each type of machine.

View Source 
const (
	LangNeutral       ResourceLang = 0x00 // Default custom (MUI) locale language
	LangUserDefault   ResourceLang = 0x01 // User default locale language
	LangSystemDefault ResourceLang = 0x02 // System default locale language
	LangInvariant     ResourceLang = 0x7F // Invariant locale language

	SubLangNeutral           ResourceSubLang = 0x00 // Neutral sub-language
	SubLangInvariant         ResourceSubLang = 0x00 // Invariant sub-language
	SubLangDefault           ResourceSubLang = 0x01 // User default sub-language
	SubLangSysDefault        ResourceSubLang = 0x02 // System default sub-language
	SubLangCustomDefault     ResourceSubLang = 0x03 // Default custom sub-language
	SubLangCustomUnspecified ResourceSubLang = 0x04 // Unspecified custom sub-language
	SubLangMUICustomDefault  ResourceSubLang = 0x05 // Default custom MUI sub-language
)

Special resource (sub)language identifiers.

View Source 
const (
	RTCursor       ResourceType = iota + 1      // Hardware-dependent cursor resource.
	RTBitmap                    = 2             // Bitmap resource.
	RTIcon                      = 3             // Hardware-dependent icon resource.
	RTMenu                      = 4             // Menu resource.
	RTDialog                    = 5             // Dialog box.
	RTString                    = 6             // String-table entry.
	RTFontDir                   = 7             // Font directory resource.
	RTFont                      = 8             // Font resource.
	RTAccelerator               = 9             // Accelerator table.
	RTRCdata                    = 10            // Application-defined resource (raw data).
	RTMessageTable              = 11            // Message-table entry.
	RTGroupCursor               = RTCursor + 11 // Hardware-independent cursor resource.
	RTGroupIcon                 = RTIcon + 11   // Hardware-independent icon resource.
	RTVersion                   = 16            // Version resource.
	RTDlgInclude                = 17            // Dialog include entry.
	RTPlugPlay                  = 19            // Plug and Play resource.
	RTVxD                       = 20            // VXD.
	RTAniCursor                 = 21            // Animated cursor.
	RTAniIcon                   = 22            // Animated icon.
	RTHtml                      = 23            // HTML resource.
	RTManifest                  = 24            // Side-by-Side Assembly Manifest.
)

Predefined Resource Types.

View Source 
const (
	// DansSignature ('DanS' as dword) is where the rich header struct starts.
	DansSignature = 0x536E6144

	// RichSignature ('0x68636952' as dword) is where the rich header struct ends.
	RichSignature = "Rich"

	// AnoDansSigNotFound is reported when rich header signature was found, but
	AnoDansSigNotFound = "Rich Header found, but could not locate DanS " +
		"signature"

	// AnoPaddingDwordNotZero is reported when rich header signature leading
	// padding DWORDs are not equal to 0.
	AnoPaddingDwordNotZero = "Rich header found: 3 leading padding DWORDs " +
		"not found after DanS signature"
)
View Source 
const (
	// ImageSectionReserved1 for future use.
	ImageSectionReserved1 = 0x00000000

	// ImageSectionReserved2 for future use.
	ImageSectionReserved2 = 0x00000001

	// ImageSectionReserved3 for future use.
	ImageSectionReserved3 = 0x00000002

	// ImageSectionReserved4 for future use.
	ImageSectionReserved4 = 0x00000004

	// ImageSectionTypeNoPad indicates the section should not be padded to the next
	// boundary. This flag is obsolete and is replaced by ImageSectionAlign1Bytes.
	// This is valid only for object files.
	ImageSectionTypeNoPad = 0x00000008

	// ImageSectionReserved5 for future use.
	ImageSectionReserved5 = 0x00000010

	// ImageSectionCntCode indicates the section contains executable code.
	ImageSectionCntCode = 0x00000020

	// ImageSectionCntInitializedData indicates the section contains initialized
	// data.
	ImageSectionCntInitializedData = 0x00000040

	// ImageSectionCntUninitializedData indicates the section contains uninitialized
	// data.
	ImageSectionCntUninitializedData = 0x00000080

	// ImageSectionLnkOther is reserved for future use.
	ImageSectionLnkOther = 0x00000100

	// ImageSectionLnkInfo indicates the section contains comments or other
	// information. The .drectve section has this type. This is valid for
	// object files only.
	ImageSectionLnkInfo = 0x00000200

	// ImageSectionReserved6 for future use.
	ImageSectionReserved6 = 0x00000400

	// ImageSectionLnkRemove indicates the section will not become part of the image
	// This is valid only for object files.
	ImageSectionLnkRemove = 0x00000800

	// ImageSectionLnkComdat indicates the section contains COMDAT data. For more
	// information, see COMDAT Sections (Object Only). This is valid only for
	// object files.
	ImageSectionLnkCOMDAT = 0x00001000

	// ImageSectionGpRel indicates the section contains data referenced through the
	// global pointer (GP).
	ImageSectionGpRel = 0x00008000

	// ImageSectionMemPurgeable is reserved for future use.
	ImageSectionMemPurgeable = 0x00020000

	// ImageSectionMem16Bit is reserved for future use.
	ImageSectionMem16Bit = 0x00020000

	// ImageSectionMemLocked is reserved for future use.
	ImageSectionMemLocked = 0x00040000

	// ImageSectionMemPreload is reserved for future use.
	ImageSectionMemPreload = 0x00080000

	// ImageSectionAlign1Bytes indicates to align data on a 1-byte boundary.
	// Valid only for object files.
	ImageSectionAlign1Bytes = 0x00100000

	// ImageSectionAlign2Bytes indicates to align data on a 2-byte boundary.
	// Valid only for object files.
	ImageSectionAlign2Bytes = 0x00200000

	// ImageSectionAlign4Bytes indicates to align data on a 4-byte boundary.
	// Valid only for object files.
	ImageSectionAlign4Bytes = 0x00300000

	// ImageSectionAlign8Bytes indicates to align data on a 8-byte boundary.
	// Valid only for object files.
	ImageSectionAlign8Bytes = 0x00400000

	// ImageSectionAlign16Bytes indicates to align data on a 16-byte boundary.
	// Valid only for object files.
	ImageSectionAlign16Bytes = 0x00500000

	// ImageSectionAlign32Bytes indicates to align data on a 32-byte boundary.
	// Valid only for object files.
	ImageSectionAlign32Bytes = 0x00600000

	// ImageSectionAlign64Bytes indicates to align data on a 64-byte boundary.
	// Valid only for object files.
	ImageSectionAlign64Bytes = 0x00700000

	// ImageSectionAlign128Bytes indicates to align data on a 128-byte boundary.
	// Valid only for object files.
	ImageSectionAlign128Bytes = 0x00800000

	// ImageSectionAlign256Bytes indicates to align data on a 256-byte boundary.
	// Valid only for object files.
	ImageSectionAlign256Bytes = 0x00900000

	// ImageSectionAlign512Bytes indicates to align data on a 512-byte boundary.
	// Valid only for object files.
	ImageSectionAlign512Bytes = 0x00A00000

	// ImageSectionAlign1024Bytes indicates to align data on a 1024-byte boundary.
	// Valid only for object files.
	ImageSectionAlign1024Bytes = 0x00B00000

	// ImageSectionAlign2048Bytes indicates to align data on a 2048-byte boundary.
	// Valid only for object files.
	ImageSectionAlign2048Bytes = 0x00C00000

	// ImageSectionAlign4096Bytes indicates to align data on a 4096-byte boundary.
	// Valid only for object files.
	ImageSectionAlign4096Bytes = 0x00D00000

	// ImageSectionAlign8192Bytes indicates to align data on a 8192-byte boundary.
	// Valid only for object files.
	ImageSectionAlign8192Bytes = 0x00E00000

	// ImageSectionLnkMRelocOvfl indicates the section contains extended
	// relocations.
	ImageSectionLnkMRelocOvfl = 0x01000000

	// ImageSectionMemDiscardable indicates the section can be discarded as needed.
	ImageSectionMemDiscardable = 0x02000000

	// ImageSectionMemNotCached indicates the  section cannot be cached.
	ImageSectionMemNotCached = 0x04000000

	// ImageSectionMemNotPaged indicates the section is not pageable.
	ImageSectionMemNotPaged = 0x08000000

	// ImageSectionMemShared indicates the section can be shared in memory.
	ImageSectionMemShared = 0x10000000

	// ImageSectionMemExecute indicates the section can be executed as code.
	ImageSectionMemExecute = 0x20000000

	// ImageSectionMemRead indicates the section can be read.
	ImageSectionMemRead = 0x40000000

	// ImageSectionMemWrite indicates the section can be written to.
	ImageSectionMemWrite = 0x80000000
)
View Source 
const (
	// WinCertRevision1_0 represents the WIN_CERT_REVISION_1_0 Version 1,
	// legacy version of the Win_Certificate structure.
	// It is supported only for purposes of verifying legacy Authenticode
	// signatures
	WinCertRevision1_0 = 0x0100

	// WinCertRevision2_0 represents the WIN_CERT_REVISION_2_0. Version 2
	// is the current version of the Win_Certificate structure.
	WinCertRevision2_0 = 0x0200
)

The options for the WIN_CERTIFICATE Revision member include (but are not limited to) the following.

View Source 
const (
	// Certificate contains an X.509 Certificate (Not Supported)
	WinCertTypeX509 = 0x0001

	// Certificate contains a PKCS#7 SignedData structure.
	WinCertTypePKCSSignedData = 0x0002

	// Reserved.
	WinCertTypeReserved1 = 0x0003

	// Terminal Server Protocol Stack Certificate signing (Not Supported).
	WinCertTypeTSStackSigned = 0x0004
)

The options for the WIN_CERTIFICATE CertificateType member include (but are not limited to) the items in the following table. Note that some values are not currently supported.

View Source 
const (

	// MaxDefaultSymbolsCount represents the default maximum number of COFF
	// symbols to parse. Some malware uses a fake huge NumberOfSymbols that
	// can cause an OOM exception.
	// Example: 0000e876c5b712b6b7b3ce97f757ddd918fb3dbdc5a3938e850716fbd841309f
	MaxDefaultCOFFSymbolsCount = 0x10000

	// MaxCOFFSymStrLength represents the maximum string length of a COFF symbol
	// to read.
	MaxCOFFSymStrLength = 0x50

	// ImageSymTypeNull indicates no type information or unknown base type.
	// Microsoft tools use this setting.
	ImageSymTypeNull = 0

	// ImageSymTypeVoid indicates no type no valid type; used with void pointers and functions.
	ImageSymTypeVoid = 1

	// ImageSymTypeChar indicates a character (signed byte).
	ImageSymTypeChar = 2

	// ImageSymTypeShort indicates a 2-byte signed integer.
	ImageSymTypeShort = 3

	// ImageSymTypeInt indicates a natural integer type (normally 4 bytes in
	// Windows).
	ImageSymTypeInt = 4

	// ImageSymTypeLong indicates a 4-byte signed integer.
	ImageSymTypeLong = 5

	// ImageSymTypeFloat indicates a 4-byte floating-point number.
	ImageSymTypeFloat = 6

	// ImageSymTypeDouble indicates an 8-byte floating-point number.
	ImageSymTypeDouble = 7

	// ImageSymTypeStruct indicates a structure.
	ImageSymTypeStruct = 8

	// ImageSymTypeUnion indicates a union.
	ImageSymTypeUnion = 9

	// ImageSymTypeEnum indicates an enumerated type.
	ImageSymTypeEnum = 10

	// ImageSymTypeMoe A member of enumeration (a specific value).
	ImageSymTypeMoe = 11

	// ImageSymTypeByte indicates a byte; unsigned 1-byte integer.
	ImageSymTypeByte = 12

	// ImageSymTypeWord indicates a word; unsigned 2-byte integer.
	ImageSymTypeWord = 13

	// ImageSymTypeUint indicates an unsigned integer of natural size
	// (normally, 4 bytes).
	ImageSymTypeUint = 14

	// ImageSymTypeDword indicates an unsigned 4-byte integer.
	ImageSymTypeDword = 15

	// ImageSymClassEndOfFunction indicates a special symbol that represents
	// the end of function, for debugging purposes.
	ImageSymClassEndOfFunction = 0xff

	// ImageSymClassNull indicates no assigned storage class.
	ImageSymClassNull = 0

	// ImageSymClassAutomatic indicates automatic (stack) variable. The Value
	// field specifies the stack frame offset.
	ImageSymClassAutomatic = 1

	// ImageSymClassExternal indicates a value that Microsoft tools use for
	// external symbols. The Value field indicates the size if the section
	// number is IMAGE_SYM_UNDEFINED (0). If the section number is not zero,
	// then the Value field specifies the offset within the section.
	ImageSymClassExternal = 2

	// ImageSymClassStatic indicates the offset of the symbol within the
	// section. If the Value field is zero, then the symbol represents a
	// section name.
	ImageSymClassStatic = 3

	// ImageSymClassRegister indicates a register variable. The Value field
	// specifies the register number.
	ImageSymClassRegister = 4

	// ImageSymClassExternalDef indicates a symbol that is defined externally.
	ImageSymClassExternalDef = 5

	// ImageSymClassLabel indicates a code label that is defined within the
	// module. The Value field specifies the offset of the symbol within the
	// section.
	ImageSymClassLabel = 6

	// ImageSymClassUndefinedLabel indicates a reference to a code label that
	// is not defined.
	ImageSymClassUndefinedLabel = 7

	// ImageSymClassMemberOfStruct indicates the structure member. The Value
	// field specifies the n th member.
	ImageSymClassMemberOfStruct = 8

	// ImageSymClassArgument indicates a formal argument (parameter) of a
	// function. The Value field specifies the n th argument.
	ImageSymClassArgument = 9

	// ImageSymClassStructTag indicates the structure tag-name entry.
	ImageSymClassStructTag = 10

	// ImageSymClassMemberOfUnion indicates a union member. The Value field
	// specifies the n th member.
	ImageSymClassMemberOfUnion = 11

	// ImageSymClassUnionTag indicates the structure tag-name entry.
	ImageSymClassUnionTag = 12

	// ImageSymClassTypeDefinition indicates a typedef entry.
	ImageSymClassTypeDefinition = 13

	// ImageSymClassUndefinedStatic indicates a static data declaration.
	ImageSymClassUndefinedStatic = 14

	// ImageSymClassEnumTag indicates an enumerated type tagname entry.
	ImageSymClassEnumTag = 15

	// ImageSymClassMemberOfEnum indicates a member of an enumeration. The
	// Value field specifies the n th member.
	ImageSymClassMemberOfEnum = 16

	// ImageSymClassRegisterParam indicates a register parameter.
	ImageSymClassRegisterParam = 17

	// ImageSymClassBitField indicates a bit-field reference. The Value field
	// specifies the n th bit in the bit field.
	ImageSymClassBitField = 18

	// ImageSymClassBlock indicates a .bb (beginning of block) or .eb (end of
	// block) record. The Value field is the relocatable address of the code
	// location.
	ImageSymClassBlock = 100

	// ImageSymClassFunction indicates a value that Microsoft tools use for
	// symbol records that define the extent of a function: begin function (.bf
	// ), end function ( .ef ), and lines in function ( .lf ). For .lf
	// records, the Value field gives the number of source lines in the
	// function. For .ef records, the Value field gives the size of the
	// function code.
	ImageSymClassFunction = 101

	// ImageSymClassEndOfStruct indicates an end-of-structure entry.
	ImageSymClassEndOfStruct = 102

	// ImageSymClassFile indicates a value that Microsoft tools, as well as
	// traditional COFF format, use for the source-file symbol record. The
	// symbol is followed by auxiliary records that name the file.
	ImageSymClassFile = 103

	// ImageSymClassSsection indicates a definition of a section (Microsoft
	// tools use STATIC storage class instead).
	ImageSymClassSsection = 104

	// ImageSymClassWeakExternal indicates a weak external. For more
	// information, see Auxiliary Format 3: Weak Externals.
	ImageSymClassWeakExternal = 24

	// ImageSymClassClrToken indicates a CLR token symbol. The name is an ASCII
	// string that consists of the hexadecimal value of the token. For more
	// information, see CLR Token Definition (Object Only).
	ImageSymClassClrToken = 25

	// ImageSymUndefined indicates that the symbol record is not yet assigned a
	// section. A value of zero indicates that a reference to an external
	// symbol is defined elsewhere. A value of non-zero is a common symbol with
	// a size that is specified by the value.
	ImageSymUndefined = 0

	// ImageSymAbsolute indicates that the symbol has an absolute
	// (non-relocatable) value and is not an address.
	ImageSymAbsolute = -1

	// ImageSymDebug indicates that the symbol provides general type or
	// debugging information but does not correspond to a section. Microsoft
	// tools use this setting along with .file records (storage class FILE).
	ImageSymDebug = -2
)
View Source 
const (
	// VersionResourceType identifies the version resource type in the resource directory
	VersionResourceType = 16

	// VsVersionInfoString is the UTF16-encoded string that identifies the VS_VERSION_INFO block
	VsVersionInfoString = "VS_VERSION_INFO"

	// VsFileInfoSignature is the file info signature
	VsFileInfoSignature uint32 = 0xFEEF04BD

	// StringFileInfoString is the UTF16-encoded string that identifies the StringFileInfo block
	StringFileInfoString = "StringFileInfo"
	// VarFileInfoString is the UTF16-encoded string that identifies the VarFileInfoString block
	VarFileInfoString = "VarFileInfo"

	// VsVersionInfoStringLength specifies the length of the VS_VERSION_INFO structure
	VsVersionInfoStringLength uint32 = 6
	// StringFileInfoLength specifies length of the StringFileInfo structure
	StringFileInfoLength uint32 = 6
	// StringTableLength specifies the length of the StringTable structure
	StringTableLength uint32 = 6
	// StringLength specifies the length of the String structure
	StringLength uint32 = 6
	// LangIDLength specifies the length of the language identifier string.
	// It is represented as 8-digit hexadecimal number stored as a Unicode string.
	LangIDLength uint32 = 8*2 + 1
)
View Source 
const (
	// AnoInvalidGlobalPtrReg is reported when the global pointer register offset is outide the image.
	AnoInvalidGlobalPtrReg = "Global pointer register offset outside of PE image"
)
View Source 
const (
	// ImageDllCharacteristicsExCETCompat indicates that the image is CET
	// compatible.
	ImageDllCharacteristicsExCETCompat = 0x0001
)
View Source 
const (
	// MaxDefaultRelocEntriesCount represents the default maximum number of
	// relocations entries to parse. Some malware uses a fake huge reloc entries that
	// can slow significantly the parser.
	// Example:  01008963d32f5cc17b64c31446386ee5b36a7eab6761df87a2989ba9394d8f3d
	MaxDefaultRelocEntriesCount = 0x1000
)
View Source 
const (
	// MaxStringLength represents the maximum length of a string to be retrieved
	// from the file. It's there to prevent loading massive amounts of data from
	// memory mapped files. Strings longer than 0x100B should be rather rare.
	MaxStringLength = uint32(0x100)
)

Variables

View Source 
var (

	// AnoPEHeaderOverlapDOSHeader is reported when the PE headers overlaps with the DOS header.
	AnoPEHeaderOverlapDOSHeader = "PE header overlaps with DOS header"

	// AnoPETimeStampNull is reported when the file header timestamp is 0.
	AnoPETimeStampNull = "file header timestamp set to 0"

	// AnoPETimeStampFuture is reported when the file header timestamp is more
	// than one day ahead of the current date timestamp.
	AnoPETimeStampFuture = "file header timestamp set to 0"

	// NumberOfSections is reported when number of sections is larger or equal than 10.
	AnoNumberOfSections10Plus = "number of sections is 10+"

	// AnoNumberOfSectionsNull is reported when sections count's is 0.
	AnoNumberOfSectionsNull = "number of sections is 0"

	// AnoSizeOfOptionalHeaderNull is reported when size of optional header is 0.
	AnoSizeOfOptionalHeaderNull = "size of optional header is 0"

	// AnoUncommonSizeOfOptionalHeader32 is reported when size of optional
	// header for PE32 is larger than 0xE0.
	AnoUncommonSizeOfOptionalHeader32 = "size of optional header is larger than 0xE0 (PE32)"

	// AnoUncommonSizeOfOptionalHeader64 is reported when size of optional
	// header for PE32+ is larger than 0xF0.
	AnoUncommonSizeOfOptionalHeader64 = "size of optional header is larger than 0xF0 (PE32+)"

	// AnoAddressOfEntryPointNull is reported when address of entry point is 0.
	AnoAddressOfEntryPointNull = "address of entry point is 0"

	// AnoAddressOfEPLessSizeOfHeaders is reported when address of entry point
	// is smaller than size of headers, the file cannot run under Windows.
	AnoAddressOfEPLessSizeOfHeaders = "address of entry point is smaller than size of headers, " +
		"the file cannot run under Windows 8"

	// AnoImageBaseNull is reported when the image base is null.
	AnoImageBaseNull = "image base is 0"

	// AnoDanSMagicOffset is reported when the `DanS` magic offset is different than 0x80.
	AnoDanSMagicOffset = "`DanS` magic offset is different than 0x80"

	// ErrInvalidFileAlignment is reported when file alignment is larger than
	//  0x200 and not a power of 2.
	ErrInvalidFileAlignment = "FileAlignment larger than 0x200 and not a power of 2"

	// ErrInvalidSectionAlignment is reported when file alignment is lesser
	// than 0x200 and different from section alignment.
	ErrInvalidSectionAlignment = "FileAlignment lesser than 0x200 and different from section alignment"

	// AnoMajorSubsystemVersion is reported when MajorSubsystemVersion has a
	// value different than the standard 3 --> 6.
	AnoMajorSubsystemVersion = "MajorSubsystemVersion is outside 3<-->6 boundary"

	// AnonWin32VersionValue is reported when Win32VersionValue is different than 0
	AnonWin32VersionValue = "Win32VersionValue is a reserved field, must be set to zero"

	// AnoInvalidPEChecksum is reported when the optional header checksum field
	// is different from what it should normally be.
	AnoInvalidPEChecksum = "optional header checksum is invalid"

	// AnoNumberOfRvaAndSizes is reported when NumberOfRvaAndSizes is different than 16.
	AnoNumberOfRvaAndSizes = "optional header NumberOfRvaAndSizes != 16"

	// AnoReservedDataDirectoryEntry is reported when the last data directory entry is not zero.
	AnoReservedDataDirectoryEntry = "last data directory entry is a reserved field, must be set to zero"

	// AnoCOFFSymbolsCount is reported when the number of COFF symbols is absurdly high.
	AnoCOFFSymbolsCount = "COFF symbols count is absurdly high"

	// AnoRelocationEntriesCount is reported when the number of relocation entries is absurdly high.
	AnoRelocationEntriesCount = "relocation entries count is absurdly high"
)

Anomalies found in a PE

View Source 
var (
	ErrExportMaxOrdEntries       = "Export directory contains more than max ordinal entries"
	ErrExportManyRepeatedEntries = "Export directory contains many repeated entries"
	AnoNullNumberOfFunctions     = "Export directory contains zero number of functions"
	AnoNullAddressOfFunctions    = "Export directory contains zero address of functions"
)
View Source 
var (

	// ErrInvalidPESize is returned when the file size is less that the smallest
	// PE file size possible.ErrImageOS2SignatureFound
	ErrInvalidPESize = errors.New("not a PE file, smaller than tiny PE")

	// ErrDOSMagicNotFound is returned when file is potentially a ZM executable.
	ErrDOSMagicNotFound = errors.New("DOS Header magic not found")

	// ErrInvalidElfanewValue is returned when e_lfanew is larger than file size.
	ErrInvalidElfanewValue = errors.New("invalid e_lfanew value. Probably not a PE file")

	// ErrInvalidNtHeaderOffset is returned when the NT Header offset is beyond
	// the image file.
	ErrInvalidNtHeaderOffset = errors.New(
		"invalid NT Header Offset. NT Header Signature not found")

	// ErrImageOS2SignatureFound is returned when signature is for a NE file.
	ErrImageOS2SignatureFound = errors.New(
		"not a valid PE signature. Probably a NE file")

	// ErrImageOS2LESignatureFound is returned when signature is for a LE file.
	ErrImageOS2LESignatureFound = errors.New(
		"not a valid PE signature. Probably an LE file")

	// ErrImageVXDSignatureFound is returned when signature is for a LX file.
	ErrImageVXDSignatureFound = errors.New(
		"not a valid PE signature. Probably an LX file")

	// ErrImageTESignatureFound is returned when signature is for a TE file.
	ErrImageTESignatureFound = errors.New(
		"not a valid PE signature. Probably a TE file")

	// ErrImageNtSignatureNotFound is returned when PE magic signature is not found.
	ErrImageNtSignatureNotFound = errors.New(
		"not a valid PE signature. Magic not found")

	// ErrImageNtOptionalHeaderMagicNotFound is returned when optional header
	// magic is different from PE32/PE32+.
	ErrImageNtOptionalHeaderMagicNotFound = errors.New(
		"not a valid PE signature. Optional Header magic not found")

	// ErrImageBaseNotAligned is reported when the image base is not aligned to 64K.
	ErrImageBaseNotAligned = errors.New(
		"corrupt PE file. Image base not aligned to 64 K")

	// AnoImageBaseOverflow is reported when the image base + SizeOfImage is
	// larger than 80000000h/FFFF080000000000h in PE32/P32+.
	AnoImageBaseOverflow = "Image base beyond allowed address"

	// ErrInvalidSectionFileAlignment is reported when section alignment is less than a
	// PAGE_SIZE and section alignment != file alignment.
	ErrInvalidSectionFileAlignment = errors.New("corrupt PE file. Section " +
		"alignment is less than a PAGE_SIZE and section alignment != file alignment")

	// AnoInvalidSizeOfImage is reported when SizeOfImage is not multiple of
	// SectionAlignment.
	AnoInvalidSizeOfImage = "Invalid SizeOfImage value, should be multiple " +
		"of SectionAlignment"

	// ErrOutsideBoundary is reported when attempting to read an address beyond
	// file image limits.
	ErrOutsideBoundary = errors.New("reading data outside boundary")
)

Errors

View Source 
var (
	// AnoInvalidThunkAddressOfData is reported when thunk address is too spread out.
	AnoInvalidThunkAddressOfData = "Thunk Address Of Data too spread out"

	// AnoManyRepeatedEntries is reported when import directory contains many
	// entries have the same RVA.
	AnoManyRepeatedEntries = "Import directory contains many repeated entries"

	// AnoAddressOfDataBeyondLimits is reported when Thunk AddressOfData goes
	// beyond limits.
	AnoAddressOfDataBeyondLimits = "Thunk AddressOfData beyond limits"

	// AnoImportNoNameNoOrdinal is reported when an import entry does not have
	// a name neither an ordinal, most probably malformed data.
	AnoImportNoNameNoOrdinal = "Must have either an ordinal or a name in an import"

	// ErrDamagedImportTable is reported when the IAT and ILT table length is 0.
	ErrDamagedImportTable = errors.New(
		"damaged Import Table information. ILT and/or IAT appear to be broken")
)
View Source 
var (
	// ErrInvalidBaseRelocVA is reposed when base reloc lies outside of the image.
	ErrInvalidBaseRelocVA = errors.New("invalid relocation information." +
		" Base Relocation VirtualAddress is outside of PE Image")

	// ErrInvalidBasicRelocSizeOfBloc is reposed when base reloc is too large.
	ErrInvalidBasicRelocSizeOfBloc = errors.New("invalid relocation " +
		"information. Base Relocation SizeOfBlock too large")
)
View Source 
var (
	ErrNoOverlayFound = errors.New("pe does not have overlay data")
)

error

View Source 
var (
	// ErrSecurityDataDirInvalidCertHeader is reported when the certificate
	// header in the security directory is invalid.
	ErrSecurityDataDirInvalid = errors.New(
		`invalid certificate header in security directory`)
)
View Source 
var OleAut32OrdNames = map[uint64]string{}/* 398 elements not displayed */

OleAut32OrdNames maps ordinals to names.

View Source 
var OpInfoRegisters = map[uint8]string{
	// contains filtered or unexported fields
}

OpInfoRegisters maps registers to string.

View Source 
var OrdNames = map[string]map[uint64]string{
	"ws2_32.dll":   WS232OrdNames,
	"wsock32.dll":  WS232OrdNames,
	"oleaut32.dll": OleAut32OrdNames,
}

OrdNames maps the dll names to ordinal names.

View Source 
var WS232OrdNames = map[uint64]string{}/* 117 elements not displayed */

WS232OrdNames maps ordinals to name.

Functions

func DecodeUTF16String added in v1.4.2 

func DecodeUTF16String(b []byte) (string, error)

DecodeUTF16String decodes the UTF16 string from the byte slice.

func IsBitSet added in v1.0.2 

func IsBitSet(n uint64, pos int) bool

IsBitSet returns true when a bit on a particular position is set.

func IsPrintable 

func IsPrintable(s string) bool

IsPrintable checks weather a string is printable.

func IsValidDosFilename 

func IsValidDosFilename(filename string) bool

IsValidDosFilename returns true if the DLL name is likely to be valid. Valid FAT32 8.3 short filename characters according to: http://en.wikipedia.org/wiki/8.3_filename The filename length is not checked because the DLLs filename can be longer that the 8.3

func IsValidFunctionName 

func IsValidFunctionName(functionName string) bool

IsValidFunctionName checks if an imported name uses the valid accepted characters expected in mangled function names. If the symbol's characters don't fall within this charset we will assume the name is invalid.

func Max 

func Max(x, y uint32) uint32

Max returns the larger of x or y.

func MetadataTableIndexToString added in v1.4.1 

func MetadataTableIndexToString(k int) string

MetadataTableIndexToString returns the string representation of the metadata table index.

func Min 

func Min(values []uint32) uint32

Min returns the min number in a slice.

func OrdLookup 

func OrdLookup(libname string, ord uint64, makeName bool) string

OrdLookup returns API name given an ordinal.

func PrettyResourceLang added in v1.3.9 

func PrettyResourceLang(lang ResourceLang, subLang int) string

PrettyResourceLang prettifies the resource lang and sub lang.

func PrettyUnwindInfoHandlerFlags 

func PrettyUnwindInfoHandlerFlags(flags uint8) []string

PrettyUnwindInfoHandlerFlags returns the string representation of the `flags` field of the unwind info structure.

func ProdIDtoStr 

func ProdIDtoStr(prodID uint16) string

ProdIDtoStr maps product ids to MS internal names. list from: https://github.com/kirschju/richheader

func ProdIDtoVSversion 

func ProdIDtoVSversion(prodID uint16) string

ProdIDtoVSversion retrieves the Visual Studio version from product id. list from: https://github.com/kirschju/richheader

func SectionAttributeDescription 

func SectionAttributeDescription(section string) string

SectionAttributeDescription maps a section attribute to a friendly name.

func StringifyGuardFlags 

func StringifyGuardFlags(flags uint32) []string

StringifyGuardFlags returns list of strings which describes the GuardFlags.

Types

type AssemblyOSTableRow added in v1.4.7 

type AssemblyOSTableRow struct {
	OSPlatformID   uint32 `json:"os_platform_id"`   // a 4-byte constant
	OSMajorVersion uint32 `json:"os_major_version"` // a 4-byte constant
	OSMinorVersion uint32 `json:"os_minor_version"` // a 4-byte constant
}

AssemblyOS 0x22

type AssemblyProcessorTableRow added in v1.4.7 

type AssemblyProcessorTableRow struct {
	Processor uint32 `json:"processor"` // a 4-byte constant
}

AssemblyProcessor 0x21

type AssemblyRefOSTableRow added in v1.4.7 

type AssemblyRefOSTableRow struct {
	OSPlatformId   uint32 `json:"os_platform_id"`   // a 4-byte constant
	OSMajorVersion uint32 `json:"os_major_version"` // a 4-byte constant
	OSMinorVersion uint32 `json:"os_minor_version"` // a 4-byte constan)
	AssemblyRef    uint32 `json:"assembly_ref"`     // an index into the AssemblyRef table
}

AssemblyRefOS 0x25

type AssemblyRefProcessorTableRow added in v1.4.7 

type AssemblyRefProcessorTableRow struct {
	Processor   uint32 `json:"processor"`    // a 4-byte constant
	AssemblyRef uint32 `json:"assembly_ref"` // an index into the AssemblyRef table
}

AssemblyRefProcessor 0x24

type AssemblyRefTableRow added in v1.4.7 

type AssemblyRefTableRow struct {
	MajorVersion     uint16 `json:"major_version"`       // a 2-byte constant
	MinorVersion     uint16 `json:"minor_version"`       // a 2-byte constant
	BuildNumber      uint16 `json:"build_number"`        // a 2-byte constant
	RevisionNumber   uint16 `json:"revision_number"`     // a 2-byte constant
	Flags            uint32 `json:"flags"`               // a 4-byte bitmask of type AssemblyFlags, §II.23.1.2
	PublicKeyOrToken uint32 `json:"public_key_or_token"` // an index into the Blob heap, indicating the public key or token that identifies the author of this Assembly
	Name             uint32 `json:"name"`                // an index into the String heap
	Culture          uint32 `json:"culture"`             // an index into the String heap
	HashValue        uint32 `json:"hash_value"`          // an index into the Blob heap
}

AssemblyRef 0x23

type AssemblyTableRow added in v1.4.7 

type AssemblyTableRow struct {
	// a 4-byte constant of type AssemblyHashAlgorithm, §II.23.1.1
	HashAlgId uint32 `json:"hash_alg_id"`
	// a 2-byte constant
	MajorVersion uint16 `json:"major_version"`
	// a 2-byte constant
	MinorVersion uint16 `json:"minor_version"`
	// a 2-byte constant
	BuildNumber uint16 `json:"build_number"`
	// a 2-byte constant
	RevisionNumber uint16 `json:"revision_number"`
	// a 4-byte bitmask of type AssemblyFlags, §II.23.1.2
	Flags uint32 `json:"flags"`
	// an index into the Blob heap
	PublicKey uint32 `json:"public_key"`
	// an index into the String heap
	Name uint32 `json:"name"`
	// an index into the String heap
	Culture uint32 `json:"culture"`
}

Assembly 0x20

type AuthenticodeContent added in v1.4.5 

type AuthenticodeContent struct {
	HashFunction crypto.Hash
	HashResult   []byte
}

AuthenticodeContent provides a simplified view on SpcIndirectDataContent, which specifies the ASN.1 encoded values of the authenticode signature content.

type BoundForwardedRefData 

type BoundForwardedRefData struct {
	Struct ImageBoundForwardedRef `json:"struct"`
	Name   string                 `json:"name"`
}

BoundForwardedRefData represents the struct in addition to the dll name.

type BoundImportDescriptorData 

type BoundImportDescriptorData struct {
	Struct        ImageBoundImportDescriptor `json:"struct"`
	Name          string                     `json:"name"`
	ForwardedRefs []BoundForwardedRefData    `json:"forwarded_refs"`
}

BoundImportDescriptorData represents the descriptor in addition to forwarded refs.

type CFGFunction 

type CFGFunction struct {
	// RVA of the target CFG call.
	RVA uint32 `json:"rva"`

	// Flags attached to each GFIDS entry if any call targets have metadata.
	Flags       ImageGuardFlagType `json:"flags"`
	Description string             `json:"description"`
}

type CFGIATEntry 

type CFGIATEntry struct {
	RVA         uint32 `json:"rva"`
	IATValue    uint32 `json:"iat_value"`
	INTValue    uint32 `json:"int_value"`
	Description string `json:"description"`
}

type CLRData 

type CLRData struct {
	CLRHeader                  ImageCOR20Header          `json:"clr_header"`
	MetadataHeader             MetadataHeader            `json:"metadata_header"`
	MetadataStreamHeaders      []MetadataStreamHeader    `json:"metadata_stream_headers"`
	MetadataStreams            map[string][]byte         `json:"-"`
	MetadataTablesStreamHeader MetadataTableStreamHeader `json:"metadata_tables_stream_header"`
	MetadataTables             map[int]*MetadataTable    `json:"metadata_tables"`
	StringStreamIndexSize      int                       `json:"-"`
	GUIDStreamIndexSize        int                       `json:"-"`
	BlobStreamIndexSize        int                       `json:"-"`
}

CLRData embeds the Common Language Runtime Header structure as well as the Metadata header structure.

type COFF 

type COFF struct {
	SymbolTable       []COFFSymbol `json:"symbol_table"`
	StringTable       []string     `json:"string_table"`
	StringTableOffset uint32       `json:"string_table_offset"`
	// Map the symbol offset => symbol name.
	StringTableM map[uint32]string `json:"-"`
}

COFF holds properties related to the COFF format.

type COFFSymbol 

type COFFSymbol struct {
	// The name of the symbol, represented by a union of three structures. An
	// array of 8 bytes is used if the name is not more than 8 bytes long.
	// union {
	//    BYTE     ShortName[8];
	//    struct {
	//        DWORD   Short;     // if 0, use LongName
	//        DWORD   Long;      // offset into string table
	//    } Name;
	//    DWORD   LongName[2];    // PBYTE  [2]
	// } N;
	Name [8]byte `json:"name"`

	// The value that is associated with the symbol. The interpretation of this
	// field depends on SectionNumber and StorageClass. A typical meaning is
	// the relocatable address.
	Value uint32 `json:"value"`

	// The signed integer that identifies the section, using a one-based index
	// into the section table. Some values have special meaning.
	// See "Section Number Values."
	SectionNumber int16 `json:"section_number"`

	// A number that represents type. Microsoft tools set this field to
	// 0x20 (function) or 0x0 (not a function). For more information,
	// see Type Representation.
	Type uint16 `json:"type"`

	// An enumerated value that represents storage class.
	// For more information, see Storage Class.
	StorageClass uint8 `json:"storage_class"`

	// The number of auxiliary symbol table entries that follow this record.
	NumberOfAuxSymbols uint8 `json:"number_of_aux_symbols"`
}

COFFSymbol represents an entry in the COFF symbol table, which it is an array of records, each 18 bytes long. Each record is either a standard or auxiliary symbol-table record. A standard record defines a symbol or name and has the following format.

func (*COFFSymbol) SectionNumberName 

func (symbol *COFFSymbol) SectionNumberName(pe *File) string

SectionNumberName returns the name of the section corresponding to a section symbol number if any.

func (*COFFSymbol) String 

func (symbol *COFFSymbol) String(pe *File) (string, error)

String returns the representation of the symbol name.

type COMImageFlagsType added in v1.4.1 

type COMImageFlagsType uint32

COMImageFlagsType represents a COM+ header entry point flag type.

func (COMImageFlagsType) String added in v1.4.1 

func (flags COMImageFlagsType) String() []string

String returns a string interpretation of a COMImageFlags type.

type CVHeader 

type CVHeader struct {
	// CodeView signature, equal to `NB10`.
	Signature CVSignature `json:"signature"`

	// CodeView offset. Set to 0, because debug information is stored in a
	// separate file.
	Offset uint32 `json:"offset"`
}

CVHeader represents the the CodeView header struct to the PDB 2.0 file.

type CVInfoPDB20 added in v1.3.9 

type CVInfoPDB20 struct {
	// Points to the CodeView header structure.
	CVHeader CVHeader `json:"cv_header"`

	// The time when debug information was created (in seconds since 01.01.1970).
	Signature uint32 `json:"signature"`

	// Ever-incrementing value, which is initially set to 1 and incremented every
	// time when a part of the PDB file is updated without rewriting the whole file.
	Age uint32 `json:"age"`

	// Null-terminated name of the PDB file. It can also contain full or partial
	// path to the file.
	PDBFileName string `json:"pdb_file_name"`
}

CVInfoPDB20 represents the the CodeView data block of a PDB 2.0 file.

type CVInfoPDB70 added in v1.3.9 

type CVInfoPDB70 struct {
	// CodeView signature, equal to `RSDS`.
	CVSignature CVSignature `json:"cv_signature"`

	// A unique identifier, which changes with every rebuild of the executable and PDB file.
	Signature GUID `json:"signature"`

	// Ever-incrementing value, which is initially set to 1 and incremented every
	// time when a part of the PDB file is updated without rewriting the whole file.
	Age uint32 `json:"age"`

	// Null-terminated name of the PDB file. It can also contain full or partial
	// path to the file.
	PDBFileName string `json:"pdb_file_name"`
}

CVInfoPDB70 represents the the CodeView data block of a PDB 7.0 file.

type CVSignature added in v1.3.9 

type CVSignature uint32

CVSignature represents a CodeView signature.

func (CVSignature) String added in v1.3.9 

func (s CVSignature) String() string

String returns a string interpretation of a CodeView signature.

type CertInfo 

type CertInfo struct {
	// The certificate authority (CA) that charges customers to issue
	// certificates for them.
	Issuer string `json:"issuer"`

	// The subject of the certificate is the entity its public key is associated
	// with (i.e. the "owner" of the certificate).
	Subject string `json:"subject"`

	// The certificate won't be valid before this timestamp.
	NotBefore time.Time `json:"not_before"`

	// The certificate won't be valid after this timestamp.
	NotAfter time.Time `json:"not_after"`

	// The serial number MUST be a positive integer assigned by the CA to each
	// certificate. It MUST be unique for each certificate issued by a given CA
	// (i.e., the issuer name and serial number identify a unique certificate).
	// CAs MUST force the serialNumber to be a non-negative integer.
	// For convenience, we convert the big int to string.
	SerialNumber string `json:"serial_number"`

	// The identifier for the cryptographic algorithm used by the CA to sign
	// this certificate.
	SignatureAlgorithm x509.SignatureAlgorithm `json:"signature_algorithm"`

	// The Public Key Algorithm refers to the public key inside the certificate.
	// This certificate is used together with the matching private key to prove
	// the identity of the peer.
	PublicKeyAlgorithm x509.PublicKeyAlgorithm `json:"public_key_algorithm"`
}

CertInfo wraps the important fields of the pkcs7 structure. This is what we what keep in JSON marshalling.

type Certificate 

type Certificate struct {
	Header           WinCertificate      `json:"header"`
	Content          pkcs7.PKCS7         `json:"-"`
	SignatureContent AuthenticodeContent `json:"-"`
	SignatureValid   bool                `json:"signature_valid"`
	Raw              []byte              `json:"-"`
	Info             CertInfo            `json:"info"`
	Verified         bool                `json:"verified"`
}

Certificate directory.

type ClassLayoutTableRow added in v1.4.7 

type ClassLayoutTableRow struct {
	// a 2-byte constant
	PackingSize uint16 `json:"packing_size"`
	// a 4-byte constant
	ClassSize uint32 `json:"class_size"`
	// an index into the TypeDef table
	Parent uint32 `json:"parent"`
}

ClassLayout 0x0f

type CodeRange 

type CodeRange struct {
	Begin   uint32 `json:"begin"`
	Length  uint32 `json:"length"`
	Machine uint8  `json:"machine"`
}

type CompID 

type CompID struct {
	// The minor version information for the compiler used when building the product.
	MinorCV uint16 `json:"minor_compiler_version"`

	// Provides information about the identity or type of the objects used to
	// build the PE32.
	ProdID uint16 `json:"product_id"`

	// Indicates how often the object identified by the former two fields is
	// referenced by this PE32 file.
	Count uint32 `json:"count"`

	// The raw @comp.id structure (unmasked).
	Unmasked uint32 `json:"unmasked"`
}

CompID represents the `@comp.id` structure.

type CompilerIAT 

type CompilerIAT struct {
	RVA         uint32 `json:"rva"`
	Value       uint32 `json:"value"`
	Description string `json:"description"`
}

type ConstantTableRow added in v1.4.7 

type ConstantTableRow struct {
	// a 1-byte constant, followed by a 1-byte padding zero
	Type uint8 `json:"type"`
	// padding zero
	Padding uint8 `json:"padding"`
	// padding zero
	// an index into the Param, Field, or Property table; more precisely,
	// a HasConstant (§II.24.2.6) coded index
	Parent uint32 `json:"parent"`
	// an index into the Blob heap
	Value uint32 `json:"value"`
}

Constant 0x0b

type CustomAttributeTableRow added in v1.4.7 

type CustomAttributeTableRow struct {
	// an index into a metadata table that has an associated HasCustomAttribute
	// (§II.24.2.6) coded index
	Parent uint32 `json:"parent"`
	// an index into the MethodDef or MemberRef table; more precisely,
	// a CustomAttributeType (§II.24.2.6) coded index
	Type uint32 `json:"type"`
	// an index into the Blob heap
	Value uint32 `json:"value"`
}

CustomAttribute 0x0c

type DVRT 

type DVRT struct {
	ImageDynamicRelocationTable `json:"image_dynamic_relocation_table"`
	Entries                     []RelocEntry `json:"entries"`
}

DVRT represents the Dynamic Value Relocation Table. The DVRT was originally introduced back in the Windows 10 Creators Update to improve kernel address space layout randomization (KASLR). It allowed the memory manager’s page frame number (PFN) database and page table self-map to be assigned dynamic addresses at runtime. The DVRT is stored directly in the binary and contains a series of relocation entries for each symbol (i.e. address) that is to be relocated. The relocation entries are themselves arranged in a hierarchical fashion grouped first by symbol and then by containing page to allow for a compact description of all locations in the binary that reference a relocatable symbol. Reference: https://techcommunity.microsoft.com/t5/windows-os-platform-blog/mitigating-spectre-variant-2-with-retpoline-on-windows/ba-p/295618

type DataDirectory 

type DataDirectory struct {
	// The RVA of the data structure.
	VirtualAddress uint32 `json:"virtual_address"`
	// The size in bytes of the data structure referred to.
	Size uint32 `json:"size"`
}

DataDirectory represents an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file. The data directory table starts at offset 96 in a 32-bit PE header and at offset 112 in a 64-bit PE header. Each entry in the data directory table contains the RVA and size of a table or a string that this particular directory entry describes;this information is used by the operating system.

type DebugEntry 

type DebugEntry struct {
	// Points to the image debug entry structure.
	Struct ImageDebugDirectory `json:"struct"`

	// Holds specific information about the debug type entry.
	Info interface{} `json:"info"`

	// Type of the debug entry.
	Type string `json:"type"`
}

DebugEntry wraps ImageDebugDirectory to include debug directory type.

type DeclSecurityTableRow added in v1.4.7 

type DeclSecurityTableRow struct {
	// a 2-byte value
	Action uint16 `json:"action"`
	// an index into the TypeDef, MethodDef, or Assembly table;
	// more precisely, a HasDeclSecurity (§II.24.2.6) coded index
	Parent uint32 `json:"parent"`
	// // an index into the Blob heap
	PermissionSet uint32 `json:"permission_set"`
}

DeclSecurity 0x0e

type DelayImport 

type DelayImport struct {
	Offset     uint32                     `json:"offset"`
	Name       string                     `json:"name"`
	Functions  []ImportFunction           `json:"functions"`
	Descriptor ImageDelayImportDescriptor `json:"descriptor"`
}

DelayImport represents an entry in the delay import table.

type DigestInfo added in v1.4.5 

type DigestInfo struct {
	DigestAlgorithm pkix.AlgorithmIdentifier
	Digest          []byte
}

type DllCharacteristicsExType added in v1.3.9 

type DllCharacteristicsExType uint32

DllCharacteristicsExType represents a DLL Characteristics type.

func (DllCharacteristicsExType) String added in v1.3.9 

func (flag DllCharacteristicsExType) String() string

String returns a string interpretation of Dll Characteristics Ex.

type Enclave 

type Enclave struct {

	// Points to either ImageEnclaveConfig32{} or ImageEnclaveConfig64{}.
	Config interface{} `json:"config"`

	Imports []ImageEnclaveImport `json:"imports"`
}

type EventMapTableRow added in v1.4.7 

type EventMapTableRow struct {
	// an index into the TypeDef table
	Parent uint32 `json:"parent"`
	// an index into the Event table
	EventList uint32 `json:"event_list"`
}

EventMap 0x12

type EventTableRow added in v1.4.7 

type EventTableRow struct {
	// a 2-byte bitmask of type EventAttributes, §II.23.1.4
	EventFlags uint16 `json:"event_flags"`
	// an index into the String heap
	Name uint32 `json:"name"`
	// an index into a TypeDef, a TypeRef, or TypeSpec table; more precisely,
	// a TypeDefOrRef (§II.24.2.6) coded index)
	EventType uint32 `json:"event_type"`
}

Event 0x14

type Exception 

type Exception struct {
	RuntimeFunction ImageRuntimeFunctionEntry `json:"runtime_function"`
	UnwindInfo      UnwindInfo                `json:"unwind_info"`
}

Exception represent an entry in the function table.

type Export 

type Export struct {
	Functions []ExportFunction     `json:"functions"`
	Struct    ImageExportDirectory `json:"struct"`
	Name      string               `json:"name"`
}

Export represent the export table.

type ExportFunction 

type ExportFunction struct {
	Ordinal      uint32 `json:"ordinal"`
	FunctionRVA  uint32 `json:"function_rva"`
	NameOrdinal  uint32 `json:"name_ordinal"`
	NameRVA      uint32 `json:"name_rva"`
	Name         string `json:"name"`
	Forwarder    string `json:"forwarder"`
	ForwarderRVA uint32 `json:"forwarder_rva"`
}

ExportFunction represents an imported function in the export table.

type ExportedTypeTableRow added in v1.4.7 

type ExportedTypeTableRow struct {
	Flags          uint32 `json:"flags"`          // a 4-byte bitmask of type TypeAttributes, §II.23.1.15
	TypeDefId      uint32 `json:"type_def_id"`    // a 4-byte index into a TypeDef table of another module in this Assembly
	TypeName       uint32 `json:"type_name"`      // an index into the String heap
	TypeNamespace  uint32 `json:"type_namespace"` // an index into the String heap
	Implementation uint32 `json:"implementation"` // an index (more precisely, an Implementation (§II.24.2.6) coded index
}

ExportedType 0x27

type FPOData 

type FPOData struct {
	// The offset of the first byte of the function code.
	OffsetStart uint32 `json:"offset_start"`

	// The number of bytes in the function.
	ProcSize uint32 `json:"proc_size"`

	// The number of local variables.
	NumLocals uint32 `json:"num_locals"`

	// The size of the parameters, in DWORDs.
	ParamsSize uint16 `json:"params_size"`

	// The number of bytes in the function prolog code.
	PrologLength uint8 `json:"prolog_length"`

	// The number of registers saved.
	SavedRegsCount uint8 `json:"saved_regs_count"`

	// A variable that indicates whether the function uses structured exception handling.
	HasSEH uint8 `json:"has_seh"`

	// A variable that indicates whether the EBP register has been allocated.
	UseBP uint8 `json:"use_bp"`

	// Reserved for future use.
	Reserved uint8 `json:"reserved"`

	// A variable that indicates the frame type.
	FrameType FPOFrameType `json:"frame_type"`
}

FPOData represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used. The structure is used to locate the base of the call frame.

type FPOFrameType added in v1.3.9 

type FPOFrameType uint8

FPOFrameType represents the type of a FPO frame.

func (FPOFrameType) String added in v1.3.9 

func (ft FPOFrameType) String() string

String returns a string interpretation of the FPO frame type.

type FieldLayoutTableRow added in v1.4.7 

type FieldLayoutTableRow struct {
	Offset uint32 `json:"offset"` // a 4-byte constant
	Field  uint32 `json:"field"`  // an index into the Field table
}

FieldLayout 0x10

type FieldMarshalTableRow added in v1.4.7 

type FieldMarshalTableRow struct {
	// an index into Field or Param table; more precisely,
	// a HasFieldMarshal (§II.24.2.6) coded index
	Parent uint32 `json:"parent"`
	// an index into the Blob heap
	NativeType uint32 `json:"native_type"`
}

FieldMarshal 0x0d

type FieldRVATableRow added in v1.4.7 

type FieldRVATableRow struct {
	// 4-byte constant
	RVA uint32 `json:"rva"`
	// an index into Field table
	Field uint32 `json:"field"`
}

FieldRVA 0x1d

type FieldTableRow added in v1.4.7 

type FieldTableRow struct {
	// a 2-byte bitmask of type FieldAttributes, §II.23.1.5
	Flags uint16 `json:"flags"`
	// an index into the String heap
	Name uint32 `json:"name"`
	// an index into the Blob heap
	Signature uint32 `json:"signature"`
}

Field 0x04

type File 

type File struct {
	DOSHeader    ImageDOSHeader              `json:"dos_header,omitempty"`
	RichHeader   RichHeader                  `json:"rich_header,omitempty"`
	NtHeader     ImageNtHeader               `json:"nt_header,omitempty"`
	COFF         COFF                        `json:"coff,omitempty"`
	Sections     []Section                   `json:"sections,omitempty"`
	Imports      []Import                    `json:"imports,omitempty"`
	Export       Export                      `json:"export,omitempty"`
	Debugs       []DebugEntry                `json:"debugs,omitempty"`
	Relocations  []Relocation                `json:"relocations,omitempty"`
	Resources    ResourceDirectory           `json:"resources,omitempty"`
	TLS          TLSDirectory                `json:"tls,omitempty"`
	LoadConfig   LoadConfig                  `json:"load_config,omitempty"`
	Exceptions   []Exception                 `json:"exceptions,omitempty"`
	Certificates Certificate                 `json:"certificates,omitempty"`
	DelayImports []DelayImport               `json:"delay_imports,omitempty"`
	BoundImports []BoundImportDescriptorData `json:"bound_imports,omitempty"`
	GlobalPtr    uint32                      `json:"global_ptr,omitempty"`
	CLR          CLRData                     `json:"clr,omitempty"`
	IAT          []IATEntry                  `json:"iat,omitempty"`
	Anomalies    []string                    `json:"anomalies,omitempty"`
	Header       []byte

	FileInfo

	OverlayOffset int64
	// contains filtered or unexported fields
}

A File represents an open PE file.

func New 

func New(name string, opts *Options) (*File, error)

New instantiates a file instance with options given a file name.

func NewBytes added in v1.0.3 

func NewBytes(data []byte, opts *Options) (*File, error)

NewBytes instantiates a file instance with options given a memory buffer.

func (*File) Authentihash 

func (pe *File) Authentihash() []byte

Authentihash generates the SHA256 pe image file hash. The relevant sections to exclude during hashing are:

  • The location of the checksum
  • The location of the entry of the Certificate Table in the Data Directory
  • The location of the Certificate Table.

func (*File) AuthentihashExt added in v1.4.1 

func (pe *File) AuthentihashExt(hashers ...hash.Hash) [][]byte

AuthentihashExt generates pe image file hashes using the given hashers. The relevant sections to exclude during hashing are:

  • The location of the checksum
  • The location of the entry of the Certificate Table in the Data Directory
  • The location of the Certificate Table.

func (*File) COFFStringTable 

func (pe *File) COFFStringTable() error

COFFStringTable retrieves the list of strings in the COFF string table if any.

func (*File) Checksum 

func (pe *File) Checksum() uint32

Checksum calculates the PE checksum as generated by CheckSumMappedFile().

func (*File) Close 

func (pe *File) Close() error

Close closes the File.

func (*File) GetAnomalies 

func (pe *File) GetAnomalies() error

GetAnomalies reportes anomalies found in a PE binary. These nomalies does prevent the Windows loader from loading the files but is an interesting features for malware analysis.

func (*File) GetData added in v1.1.1 

func (pe *File) GetData(rva, length uint32) ([]byte, error)

GetData returns the data given an RVA regardless of the section where it lies on.

func (*File) GetDelayImportEntryInfoByRVA 

func (pe *File) GetDelayImportEntryInfoByRVA(rva uint32) (DelayImport, int)

GetDelayImportEntryInfoByRVA return an import function + index of the entry given an RVA.

func (*File) GetExportFunctionByRVA 

func (pe *File) GetExportFunctionByRVA(rva uint32) ExportFunction

GetExportFunctionByRVA return an export function given an RVA.

func (*File) GetImportEntryInfoByRVA 

func (pe *File) GetImportEntryInfoByRVA(rva uint32) (Import, int)

GetImportEntryInfoByRVA return an import function + index of the entry given an RVA.

func (*File) GetMetadataStreamIndexSize added in v1.0.2 

func (pe *File) GetMetadataStreamIndexSize(BitPosition int) int

GetMetadataStreamIndexSize returns the size of indexes to read into a particular heap.

func (*File) GetOffsetFromRva added in v1.2.0 

func (pe *File) GetOffsetFromRva(rva uint32) uint32

GetOffsetFromRva returns the file offset corresponding to this RVA.

func (*File) GetRVAFromOffset added in v1.1.1 

func (pe *File) GetRVAFromOffset(offset uint32) uint32

GetRVAFromOffset returns an RVA given an offset.

func (*File) GetStringFromData added in v1.0.2 

func (pe *File) GetStringFromData(offset uint32, data []byte) []byte

GetStringFromData returns ASCII string from within the data.

func (*File) ImpHash 

func (pe *File) ImpHash() (string, error)

ImpHash calculates the import hash. Algorithm: Resolving ordinals to function names when they appear Converting both DLL names and function names to all lowercase Removing the file extensions from imported module names Building and storing the lowercased string . in an ordered list Generating the MD5 hash of the ordered list

func (*File) IsDLL 

func (pe *File) IsDLL() bool

IsDLL returns true if the PE file is a standard DLL.

func (*File) IsDriver 

func (pe *File) IsDriver() bool

IsDriver returns true if the PE file is a Windows driver.

func (*File) IsEXE 

func (pe *File) IsEXE() bool

IsEXE returns true if the PE file is a standard executable.

func (*File) NewOverlayReader added in v1.2.3 

func (pe *File) NewOverlayReader() (*io.SectionReader, error)

NewOverlayReader returns a new ReadSeeker reading the PE overlay data.

func (*File) Overlay added in v1.2.3 

func (pe *File) Overlay() ([]byte, error)

Overlay returns the overlay of the PE file.

func (*File) OverlayLength added in v1.2.3 

func (pe *File) OverlayLength() int64

func (*File) Parse 

func (pe *File) Parse() error

Parse performs the file parsing for a PE binary.

func (*File) ParseCOFFSymbolTable 

func (pe *File) ParseCOFFSymbolTable() error

ParseCOFFSymbolTable parses the COFF symbol table. The symbol table is inherited from the traditional COFF format. It is distinct from Microsoft Visual C++ debug information. A file can contain both a COFF symbol table and Visual C++ debug information, and the two are kept separate. Some Microsoft tools use the symbol table for limited but important purposes, such as communicating COMDAT information to the linker. Section names and file names, as well as code and data symbols, are listed in the symbol table.

func (*File) ParseDOSHeader 

func (pe *File) ParseDOSHeader() (err error)

ParseDOSHeader parses the DOS header stub. Every PE file begins with a small MS-DOS stub. The need for this arose in the early days of Windows, before a significant number of consumers were running it. When executed on a machine without Windows, the program could at least print out a message saying that Windows was required to run the executable.

func (*File) ParseDataDirectories 

func (pe *File) ParseDataDirectories() error

ParseDataDirectories parses the data directories. The DataDirectory is an array of 16 structures. Each array entry has a predefined meaning for what it refers to.

func (*File) ParseNTHeader 

func (pe *File) ParseNTHeader() (err error)

ParseNTHeader parse the PE NT header structure referred as IMAGE_NT_HEADERS. Its offset is given by the e_lfanew field in the IMAGE_DOS_HEADER at the beginning of the file.

func (*File) ParseRichHeader 

func (pe *File) ParseRichHeader() error

ParseRichHeader parses the rich header struct.

func (*File) ParseSectionHeader 

func (pe *File) ParseSectionHeader() (err error)

ParseSectionHeader parses the PE section headers. Each row of the section table is, in effect, a section header. It must immediately follow the PE header.

func (*File) ParseVersionResources added in v1.4.2 

func (pe *File) ParseVersionResources() (map[string]string, error)

ParseVersionResources parses file version strings from the version resource directory. This directory contains several structures starting with VS_VERSION_INFO with references to children StringFileInfo structures. In addition, StringFileInfo contains the StringTable structure with String entries describing the name and value of each file version strings.

func (*File) PrettyCOFFTypeRepresentation 

func (pe *File) PrettyCOFFTypeRepresentation(k uint16) string

PrettyCOFFTypeRepresentation returns the string representation of the `Type` field of a COFF table entry.

func (*File) PrettyOptionalHeaderMagic added in v1.3.6 

func (pe *File) PrettyOptionalHeaderMagic() string

PrettyOptionalHeaderMagic returns the string representations of the `Magic` field of ImageOptionalHeader.

func (*File) ReadBytesAtOffset 

func (pe *File) ReadBytesAtOffset(offset, size uint32) ([]byte, error)

ReadBytesAtOffset returns a byte array from offset.

func (*File) ReadUint16 

func (pe *File) ReadUint16(offset uint32) (uint16, error)

ReadUint16 read a uint16 from a buffer.

func (*File) ReadUint32 

func (pe *File) ReadUint32(offset uint32) (uint32, error)

ReadUint32 read a uint32 from a buffer.

func (*File) ReadUint64 

func (pe *File) ReadUint64(offset uint32) (uint64, error)

ReadUint64 read a uint64 from a buffer.

func (*File) ReadUint8 

func (pe *File) ReadUint8(offset uint32) (uint8, error)

ReadUint8 read a uint8 from a buffer.

func (*File) RichHeaderChecksum 

func (pe *File) RichHeaderChecksum() uint32

RichHeaderChecksum calculate the Rich Header checksum.

func (*File) RichHeaderHash added in v1.2.4 

func (pe *File) RichHeaderHash() string

RichHeaderHash calculate the Rich Header hash.

type FileInfo added in v1.2.7 

type FileInfo struct {
	Is32           bool
	Is64           bool
	HasDOSHdr      bool
	HasRichHdr     bool
	HasCOFF        bool
	HasNTHdr       bool
	HasSections    bool
	HasExport      bool
	HasImport      bool
	HasResource    bool
	HasException   bool
	HasCertificate bool
	HasReloc       bool
	HasDebug       bool
	HasArchitect   bool
	HasGlobalPtr   bool
	HasTLS         bool
	HasLoadCFG     bool
	HasBoundImp    bool
	HasIAT         bool
	HasDelayImp    bool
	HasCLR         bool
	HasOverlay     bool
	IsSigned       bool
}

FileInfo represents the PE file information struct.

type FileTableRow added in v1.4.7 

type FileTableRow struct {
	Flags     uint32 `json:"flags"`      // a 4-byte bitmask of type FileAttributes, §II.23.1.6
	Name      uint32 `json:"name"`       // an index into the String heap
	HashValue uint32 `json:"hash_value"` // an index into the Blob heap
}

File 0x26

type GUID 

type GUID struct {
	Data1 uint32
	Data2 uint16
	Data3 uint16
	Data4 [8]byte
}

GUID is a 128-bit value consisting of one group of 8 hexadecimal digits, followed by three groups of 4 hexadecimal digits each, followed by one group of 12 hexadecimal digits.

func (GUID) String added in v1.3.9 

func (g GUID) String() string

String returns the string representation of a GUID.

type GenericParamConstraintTableRow added in v1.4.7 

type GenericParamConstraintTableRow struct {
	Owner      uint32 `json:"owner"`      // an index into the GenericParam table, specifying to which generic parameter this row refers
	Constraint uint32 `json:"constraint"` // an index into the TypeDef, TypeRef, or TypeSpec tables, specifying from which class this generic parameter is constrained to derive; or which interface this generic parameter is constrained to implement; more precisely, a TypeDefOrRef (§II.24.2.6) coded index
}

GenericParamConstraint 0x2c

type GenericParamTableRow added in v1.4.7 

type GenericParamTableRow struct {
	Number uint16 `json:"number"` // the 2-byte index of the generic parameter, numbered left-to-right, from zero
	Flags  uint16 `json:"flags"`  // a 2-byte bitmask of type GenericParamAttributes, §II.23.1.7
	Owner  uint32 `json:"owner"`  // an index into the TypeDef or MethodDef table, specifying the Type or Method to which this generic parameter applies; more precisely, a TypeOrMethodDef (§II.24.2.6) coded index
	Name   uint32 `json:"name"`   // a non-null index into the String heap, giving the name for the generic parameter
}

GenericParam 0x2a

type HybridPE 

type HybridPE struct {
	CHPEMetadata interface{}   `json:"chpe_metadata"`
	CodeRanges   []CodeRange   `json:"code_ranges"`
	CompilerIAT  []CompilerIAT `json:"compiler_iat"`
}

type IATEntry 

type IATEntry struct {
	Index   uint32      `json:"index"`
	Rva     uint32      `json:"rva"`
	Value   interface{} `json:"value,omitempty"`
	Meaning string      `json:"meaning"`
}

IATEntry represents an entry inside the IAT.

type ImageARMRuntimeFunctionEntry 

type ImageARMRuntimeFunctionEntry struct {
	// Function Start RVA is the 32-bit RVA of the start of the function. If
	// the function contains thumb code, the low bit of this address must be set.
	BeginAddress uint32 `bitfield:",functionstart" json:"begin_address"`

	// Flag is a 2-bit field that indicates how to interpret the remaining
	// 30 bits of the second .pdata word. If Flag is 0, then the remaining bits
	// form an Exception Information RVA (with the low two bits implicitly 0).
	// If Flag is non-zero, then the remaining bits form a Packed Unwind Data
	// structure.
	Flag uint8 `json:"flag"`

	/* Exception Information RVA or Packed Unwind Data.

	Exception Information RVA is the address of the variable-length exception
	information structure, stored in the .xdata section.
	This data must be 4-byte aligned.

	Packed Unwind Data is a compressed description of the operations required
	to unwind from a function, assuming a canonical form. In this case, no
	.xdata record is required. */
	ExceptionFlag uint32 `json:"exception_flag"`
}

ImageARMRuntimeFunctionEntry represents the function table entry for the ARM platform.

type ImageBaseRelocation 

type ImageBaseRelocation struct {
	// The image base plus the page RVA is added to each offset to create the
	// VA where the base relocation must be applied.
	VirtualAddress uint32 `json:"virtual_address"`

	// The total number of bytes in the base relocation block, including the
	// Page RVA and Block Size fields and the Type/Offset fields that follow.
	SizeOfBlock uint32 `json:"size_of_block"`
}

ImageBaseRelocation represents the IMAGE_BASE_RELOCATION structure. Each chunk of base relocation data begins with an IMAGE_BASE_RELOCATION structure.

type ImageBaseRelocationEntry 

type ImageBaseRelocationEntry struct {
	// Locate data that must be reallocated in buffer (data being an address
	// we use pointer of pointer).
	Data uint16 `json:"data"`

	// The offset of the relocation. This value plus the VirtualAddress
	// in IMAGE_BASE_RELOCATION is the complete RVA.
	Offset uint16 `json:"offset"`

	// A value that indicates the kind of relocation that should be performed.
	// Valid relocation types depend on machine type.
	Type ImageBaseRelocationEntryType `json:"type"`
}

ImageBaseRelocationEntry represents an image base relocation entry.

type ImageBaseRelocationEntryType added in v1.4.1 

type ImageBaseRelocationEntryType uint8

ImageBaseRelocationEntryType represents the type of an in image base relocation entry.

func (ImageBaseRelocationEntryType) String added in v1.4.1 

func (t ImageBaseRelocationEntryType) String(pe *File) string

String returns the string representation of the `Type` field of a base reloc entry.

type ImageBoundForwardedRef 

type ImageBoundForwardedRef struct {
	TimeDateStamp    uint32 `json:"time_date_stamp"`
	OffsetModuleName uint16 `json:"offset_module_name"`
	Reserved         uint16 `json:"reserved"`
}

ImageBoundForwardedRef represents the IMAGE_BOUND_FORWARDER_REF.

type ImageBoundImportDescriptor 

type ImageBoundImportDescriptor struct {
	// TimeDateStamp is just the value from the Exports information of the DLL
	// which is being imported from.
	TimeDateStamp uint32 `json:"time_date_stamp"`
	// Offset of the DLL name counted from the beginning of the BOUND_IMPORT table.
	OffsetModuleName uint16 `json:"offset_module_name"`
	// Number of forwards,
	NumberOfModuleForwarderRefs uint16 `json:"number_of_module_forwarder_refs"`
}

ImageBoundImportDescriptor represents the IMAGE_BOUND_IMPORT_DESCRIPTOR.

type ImageCHPEMetadataX86 added in v1.3.9 

type ImageCHPEMetadataX86 struct {
	Version                                  uint32 `json:"version"`
	CHPECodeAddressRangeOffset               uint32 `json:"chpe_code_address_range_offset"`
	CHPECodeAddressRangeCount                uint32 `json:"chpe_code_address_range_count"`
	WoWA64ExceptionHandlerFunctionPtr        uint32 `json:"wow_a64_exception_handler_function_ptr"`
	WoWA64DispatchCallFunctionPtr            uint32 `json:"wow_a64_dispatch_call_function_ptr"`
	WoWA64DispatchIndirectCallFunctionPtr    uint32 `json:"wow_a64_dispatch_indirect_call_function_ptr"`
	WoWA64DispatchIndirectCallCfgFunctionPtr uint32 `json:"wow_a64_dispatch_indirect_call_cfg_function_ptr"`
	WoWA64DispatchRetFunctionPtr             uint32 `json:"wow_a64_dispatch_ret_function_ptr"`
	WoWA64DispatchRetLeafFunctionPtr         uint32 `json:"wow_a64_dispatch_ret_leaf_function_ptr"`
	WoWA64DispatchJumpFunctionPtr            uint32 `json:"wow_a64_dispatch_jump_function_ptr"`
	CompilerIATPointer                       uint32 `json:"compiler_iat_pointer"`       // Present if Version >= 2
	WoWA64RDTSCFunctionPtr                   uint32 `json:"wow_a64_rdtsc_function_ptr"` // Present if Version >= 3
}

ImageCHPEMetadataX86 represents the X86_IMAGE_CHPE_METADATA_X86.

type ImageCOR20Header 

type ImageCOR20Header struct {

	// Size of the header in bytes.
	Cb uint32 `json:"cb"`

	// Major number of the minimum version of the runtime required to run the
	// program.
	MajorRuntimeVersion uint16 `json:"major_runtime_version"`

	// Minor number of the version of the runtime required to run the program.
	MinorRuntimeVersion uint16 `json:"minor_runtime_version"`

	// RVA and size of the metadata.
	MetaData ImageDataDirectory `json:"meta_data"`

	// Bitwise flags indicating attributes of this executable.
	Flags COMImageFlagsType `json:"flags"`

	// Metadata identifier (token) of the entry point for the image file; can
	// be 0 for DLL images. This field identifies a method belonging to this
	// module or a module containing the entry point method.
	// In images of version 2.0 and newer, this field may contain RVA of the
	// embedded native entry point method.
	// union {
	//
	// If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is not set,
	// EntryPointToken represents a managed entrypoint.
	//	DWORD               EntryPointToken;
	//
	// If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set,
	// EntryPointRVA represents an RVA to a native entrypoint
	//	DWORD               EntryPointRVA;
	//};
	EntryPointRVAorToken uint32 `json:"entry_point_rva_or_token"`

	// This is the blob of managed resources. Fetched using
	// code:AssemblyNative.GetResource and code:PEFile.GetResource and accessible
	// from managed code from System.Assembly.GetManifestResourceStream. The
	// metadata has a table that maps names to offsets into this blob, so
	// logically the blob is a set of resources.
	Resources ImageDataDirectory `json:"resources"`

	// RVA and size of the hash data for this PE file, used by the loader for
	// binding and versioning. IL assemblies can be signed with a public-private
	// key to validate who created it. The signature goes here if this feature
	// is used.
	StrongNameSignature ImageDataDirectory `json:"strong_name_signature"`

	// RVA and size of the Code Manager table. In the existing releases of the
	// runtime, this field is reserved and must be set to 0.
	CodeManagerTable ImageDataDirectory `json:"code_manager_table"`

	// RVA and size in bytes of an array of virtual table (v-table) fixups.
	// Among current managed compilers, only the VC++ linker and the IL
	// assembler can produce this array.
	VTableFixups ImageDataDirectory `json:"vtable_fixups"`

	// RVA and size of an array of addresses of jump thunks. Among managed
	// compilers, only the VC++ of versions pre-8.0 could produce this table,
	// which allows the export of unmanaged native methods embedded in the
	// managed PE file. In v2.0+ of CLR this entry is obsolete and must be set
	// to 0.
	ExportAddressTableJumps ImageDataDirectory `json:"export_address_table_jumps"`

	// Reserved for precompiled images; set to 0
	// NGEN images it points at a code:CORCOMPILE_HEADER structure
	ManagedNativeHeader ImageDataDirectory `json:"managed_native_header"`
}

ImageCOR20Header represents the CLR 2.0 header structure.

type ImageCORVTableFixup 

type ImageCORVTableFixup struct {
	RVA   uint32 `json:"rva"`   // Offset of v-table array in image.
	Count uint16 `json:"count"` // How many entries at location.
	Type  uint16 `json:"type"`  // COR_VTABLE_xxx type of entries.
}

ImageCORVTableFixup defines the v-table fixups that contains the initializing information necessary for the runtime to create the thunks. Non VOS v-table entries. Define an array of these pointed to by IMAGE_COR20_HEADER.VTableFixups. Each entry describes a contiguous array of v-table slots. The slots start out initialized to the meta data token value for the method they need to call. At image load time, the CLR Loader will turn each entry into a pointer to machine code for the CPU and can be called directly.

type ImageDOSHeader added in v1.2.1 

type ImageDOSHeader struct {
	// Magic number.
	Magic uint16 `json:"magic"`

	// Bytes on last page of file.
	BytesOnLastPageOfFile uint16 `json:"bytes_on_last_page_of_file"`

	// Pages in file.
	PagesInFile uint16 `json:"pages_in_file"`

	// Relocations.
	Relocations uint16 `json:"relocations"`

	// Size of header in paragraphs.
	SizeOfHeader uint16 `json:"size_of_header"`

	// Minimum extra paragraphs needed.
	MinExtraParagraphsNeeded uint16 `json:"min_extra_paragraphs_needed"`

	// Maximum extra paragraphs needed.
	MaxExtraParagraphsNeeded uint16 `json:"max_extra_paragraphs_needed"`

	// Initial (relative) SS value.
	InitialSS uint16 `json:"initial_ss"`

	// Initial SP value.
	InitialSP uint16 `json:"initial_sp"`

	// Checksum.
	Checksum uint16 `json:"checksum"`

	// Initial IP value.
	InitialIP uint16 `json:"initial_ip"`

	// Initial (relative) CS value.
	InitialCS uint16 `json:"initial_cs"`

	// File address of relocation table.
	AddressOfRelocationTable uint16 `json:"address_of_relocation_table"`

	// Overlay number.
	OverlayNumber uint16 `json:"overlay_number"`

	// Reserved words.
	ReservedWords1 [4]uint16 `json:"reserved_words_1"`

	// OEM identifier.
	OEMIdentifier uint16 `json:"oem_identifier"`

	// OEM information.
	OEMInformation uint16 `json:"oem_information"`

	// Reserved words.
	ReservedWords2 [10]uint16 `json:"reserved_words_2"`

	// File address of new exe header (Elfanew).
	AddressOfNewEXEHeader uint32 `json:"address_of_new_exe_header"`
}

ImageDOSHeader represents the DOS stub of a PE.

type ImageDataDirectory 

type ImageDataDirectory struct {

	// The relative virtual address of the table.
	VirtualAddress uint32 `json:"virtual_address"`

	// The size of the table, in bytes.
	Size uint32 `json:"size"`
}

ImageDataDirectory represents the directory format.

type ImageDebugDirectory 

type ImageDebugDirectory struct {
	// Reserved, must be 0.
	Characteristics uint32 `json:"characteristics"`

	// The time and date that the debug data was created.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// The major version number of the debug data format.
	MajorVersion uint16 `json:"major_version"`

	// The minor version number of the debug data format.
	MinorVersion uint16 `json:"minor_version"`

	// The format of debugging information. This field enables support of
	// multiple debuggers.
	Type ImageDebugDirectoryType `json:"type"`

	// The size of the debug data (not including the debug directory itself).
	SizeOfData uint32 `json:"size_of_data"`

	//The address of the debug data when loaded, relative to the image base.
	AddressOfRawData uint32 `json:"address_of_raw_data"`

	// The file pointer to the debug data.
	PointerToRawData uint32 `json:"pointer_to_raw_data"`
}

ImageDebugDirectory represents the IMAGE_DEBUG_DIRECTORY structure. This directory indicates what form of debug information is present and where it is. This directory consists of an array of debug directory entries whose location and size are indicated in the image optional header.

type ImageDebugDirectoryType added in v1.3.9 

type ImageDebugDirectoryType uint32

ImageDebugDirectoryType represents the type of a debug directory.

func (ImageDebugDirectoryType) String added in v1.3.9 

func (t ImageDebugDirectoryType) String() string

String returns the string representation of a debug entry type.

type ImageDebugMisc 

type ImageDebugMisc struct {
	// The type of data carried in the `Data` field.
	DataType uint32 `json:"data_type"`

	// The length of this structure in bytes, including the entire Data field
	// and its NUL terminator (rounded to four byte multiple.)
	Length uint32 `json:"length"`

	// The encoding of the Data field. True if data is unicode string.
	Unicode bool `json:"unicode"`

	// Reserved.
	Reserved [3]byte `json:"reserved"`

	// Actual data.
	Data string `json:"data"`
}

ImageDebugMisc represents the IMAGE_DEBUG_MISC structure.

type ImageDelayImportDescriptor 

type ImageDelayImportDescriptor struct {
	// As yet, no attribute flags are defined. The linker sets this field to zero
	// in the image. This field can be used to extend the record by indicating
	// the presence of new fields, or it can be used to indicate behaviors to
	// the delay or unload helper functions.
	Attributes uint32 `json:"attributes"`

	// The name of the DLL to be delay-loaded resides in the read-only data
	// section of the image. It is referenced through the szName field.
	Name uint32 `json:"name"`

	// The handle of the DLL to be delay-loaded is in the data section of the
	// image. The phmod field points to the handle. The supplied delay-load
	// helper uses this location to store the handle to the loaded DLL.
	ModuleHandleRVA uint32 `json:"module_handle_rva"`

	// The delay import address table (IAT) is referenced by the delay import
	// descriptor through the pIAT field. The delay-load helper updates these
	// pointers with the real entry points so that the thunks are no longer in
	// the calling loop
	ImportAddressTableRVA uint32 `json:"import_address_table_rva"`

	// The delay import name table (INT) contains the names of the imports that
	// might require loading. They are ordered in the same fashion as the
	// function pointers in the IAT.
	ImportNameTableRVA uint32 `json:"import_name_table_rva"`

	// The delay bound import address table (BIAT) is an optional table of
	// IMAGE_THUNK_DATA items that is used along with the timestamp field
	// of the delay-load directory table by a post-process binding phase.
	BoundImportAddressTableRVA uint32 `json:"bound_import_address_table_rva"`

	// The delay unload import address table (UIAT) is an optional table of
	// IMAGE_THUNK_DATA items that the unload code uses to handle an explicit
	// unload request. It consists of initialized data in the read-only section
	// that is an exact copy of the original IAT that referred the code to the
	// delay-load thunks. On the unload request, the library can be freed,
	// the *phmod cleared, and the UIAT written over the IAT to restore
	// everything to its preload state.
	UnloadInformationTableRVA uint32 `json:"unload_information_table_rva"`

	// 0 if not bound, otherwise, date/time of the target DLL.
	TimeDateStamp uint32 `json:"time_date_stamp"`
}

ImageDelayImportDescriptor represents the _IMAGE_DELAYLOAD_DESCRIPTOR structure.

type ImageDirectoryEntry added in v1.3.6 

type ImageDirectoryEntry int

ImageDirectoryEntry represents an entry inside the data directories. 

const (
	ImageDirectoryEntryExport       ImageDirectoryEntry = iota // Export Table
	ImageDirectoryEntryImport                                  // Import Table
	ImageDirectoryEntryResource                                // Resource Table
	ImageDirectoryEntryException                               // Exception Table
	ImageDirectoryEntryCertificate                             // Certificate Directory
	ImageDirectoryEntryBaseReloc                               // Base Relocation Table
	ImageDirectoryEntryDebug                                   // Debug
	ImageDirectoryEntryArchitecture                            // Architecture Specific Data
	ImageDirectoryEntryGlobalPtr                               // The RVA of the value to be stored in the global pointer register.
	ImageDirectoryEntryTLS                                     // The thread local storage (TLS) table
	ImageDirectoryEntryLoadConfig                              // The load configuration table
	ImageDirectoryEntryBoundImport                             // The bound import table
	ImageDirectoryEntryIAT                                     // Import Address Table
	ImageDirectoryEntryDelayImport                             // Delay Import Descriptor
	ImageDirectoryEntryCLR                                     // CLR Runtime Header
	ImageDirectoryEntryReserved                                // Must be zero
	ImageNumberOfDirectoryEntries                              // Tables count.
)

DataDirectory entries of an OptionalHeader

func (ImageDirectoryEntry) String added in v1.3.6 

func (entry ImageDirectoryEntry) String() string

String stringify the data directory entry.

type ImageDynamicRelocation32 

type ImageDynamicRelocation32 struct {
	// Symbol field identifies one of the existing types of dynamic relocations
	// so far (values 3, 4 and 5).
	Symbol uint32 `json:"symbol"`

	// Then, for each page, there is a block that starts with a relocation entry.
	// BaseRelocSize represents the size of the block.
	BaseRelocSize uint32 `json:"base_reloc_size"`
}

ImageDynamicRelocation32 represents the 32-bit version of a reloc entry.

type ImageDynamicRelocation32v2 

type ImageDynamicRelocation32v2 struct {
	HeaderSize    uint32 `json:"header_size"`
	FixupInfoSize uint32 `json:"fixup_info_size"`
	Symbol        uint32 `json:"symbol"`
	SymbolGroup   uint32 `json:"symbol_group"`
	Flags         uint32 `json:"flags"`
}

type ImageDynamicRelocation64 

type ImageDynamicRelocation64 struct {
	// Symbol field identifies one of the existing types of dynamic relocations
	// so far (values 3, 4 and 5).
	Symbol uint64 `json:"symbol"`

	// Then, for each page, there is a block that starts with a relocation entry.
	// BaseRelocSize represents the size of the block.
	BaseRelocSize uint32 `json:"base_reloc_size"`
}

ImageDynamicRelocation64 represents the 64-bit version of a reloc entry.

type ImageDynamicRelocation64v2 

type ImageDynamicRelocation64v2 struct {
	HeaderSize    uint32 `json:"header_size"`
	FixupInfoSize uint32 `json:"fixup_info_size"`
	Symbol        uint64 `json:"symbol"`
	SymbolGroup   uint32 `json:"symbol_group"`
	Flags         uint32 `json:"flags"`
}

type ImageDynamicRelocationTable 

type ImageDynamicRelocationTable struct {
	// Until now, there is only one version of the DVRT header (1)..
	Version uint32 `json:"version"`
	// Size represents the number of bytes after the header that contains
	// retpoline information.
	Size uint32 `json:"size"`
}

ImageDynamicRelocationTable represents the DVRT header.

type ImageEnclaveConfig32 

type ImageEnclaveConfig32 struct {

	// The size of the IMAGE_ENCLAVE_CONFIG32 structure, in bytes.
	Size uint32 `json:"size"`

	// If the size of IMAGE_ENCLAVE_CONFIG32 that the image loader can process is
	// less than MinimumRequiredConfigSize, the enclave cannot be run securely.
	// If MinimumRequiredConfigSize is zero, the minimum size of the
	// IMAGE_ENCLAVE_CONFIG32 structure that the image loader must be able to
	// process in order for the enclave to be usable is assumed to be the size
	// of the structure through and including the MinimumRequiredConfigSize member.
	MinimumRequiredConfigSize uint32 `json:"minimum_required_config_size"`

	// A flag that indicates whether the enclave permits debugging.
	PolicyFlags uint32 `json:"policy_flags"`

	// The number of images in the array of images that the ImportList member
	// points to.
	NumberOfImports uint32 `json:"number_of_imports"`

	// The relative virtual address of the array of images that the enclave
	// image may import, with identity information for each image.
	ImportList uint32 `json:"import_list"`

	// The size of each image in the array of images that the ImportList member
	// points to.
	ImportEntrySize uint32 `json:"import_entry_size"`

	// The family identifier that the author of the enclave assigned to the enclave.
	FamilyID [ImageEnclaveShortIDLength]uint8 `json:"family_id"`

	// The image identifier that the author of the enclave assigned to the enclave.
	ImageID [ImageEnclaveShortIDLength]uint8 `json:"image_id"`

	// The version number that the author of the enclave assigned to the enclave.
	ImageVersion uint32 `json:"image_version"`

	// The security version number that the author of the enclave assigned to
	// the enclave.
	SecurityVersion uint32 `json:"security_version"`

	// The expected virtual size of the private address range for the enclave,
	// in bytes.
	EnclaveSize uint32 `json:"enclave_size"`

	// The maximum number of threads that can be created within the enclave.
	NumberOfThreads uint32 `json:"number_of_threads"`

	// A flag that indicates whether the image is suitable for use as the
	// primary image in the enclave.
	EnclaveFlags uint32 `json:"enclave_flags"`
}

type ImageEnclaveConfig64 

type ImageEnclaveConfig64 struct {

	// The size of the IMAGE_ENCLAVE_CONFIG32 structure, in bytes.
	Size uint32 `json:"size"`

	// If the size of IMAGE_ENCLAVE_CONFIG32 that the image loader can process
	// is less than MinimumRequiredConfigSize, the enclave cannot be run securely.
	// If MinimumRequiredConfigSize is zero, the minimum size of the
	// IMAGE_ENCLAVE_CONFIG32 structure that the image loader must be able to
	// process in order for the enclave to be usable is assumed to be the size
	// of the structure through and including the MinimumRequiredConfigSize member.
	MinimumRequiredConfigSize uint32 `json:"minimum_required_config_size"`

	// A flag that indicates whether the enclave permits debugging.
	PolicyFlags uint32 `json:"policy_flags"`

	// The number of images in the array of images that the ImportList member
	// points to.
	NumberOfImports uint32 `json:"number_of_imports"`

	// The relative virtual address of the array of images that the enclave
	// image may import, with identity information for each image.
	ImportList uint32 `json:"import_list"`

	// The size of each image in the array of images that the ImportList member
	// points to.
	ImportEntrySize uint32 `json:"import_entry_size"`

	// The family identifier that the author of the enclave assigned to the enclave.
	FamilyID [ImageEnclaveShortIDLength]uint8 `json:"family_id"`

	// The image identifier that the author of the enclave assigned to the enclave.
	ImageID [ImageEnclaveShortIDLength]uint8 `json:"image_id"`

	// The version number that the author of the enclave assigned to the enclave.
	ImageVersion uint32 `json:"image_version"`

	// The security version number that the author of the enclave assigned to the enclave.
	SecurityVersion uint32 `json:"security_version"`

	// The expected virtual size of the private address range for the enclave,in bytes.
	EnclaveSize uint64 `json:"enclave_size"`

	// The maximum number of threads that can be created within the enclave.
	NumberOfThreads uint32 `json:"number_of_threads"`

	// A flag that indicates whether the image is suitable for use as the primary
	// image in the enclave.
	EnclaveFlags uint32 `json:"enclave_flags"`
}

type ImageEnclaveImport 

type ImageEnclaveImport struct {

	// The type of identifier of the image that must match the value in the import record.
	MatchType uint32 `json:"match_type"`

	// The minimum enclave security version that each image must have for the
	// image to be imported successfully. The image is rejected unless its
	// enclave security version is equal to or greater than the minimum value in
	// the import record. Set the value in the import record to zero to turn off
	// the security version check.
	MinimumSecurityVersion uint32 `json:"minimum_security_version"`

	// The unique identifier of the primary module for the enclave, if the
	// MatchType member is IMAGE_ENCLAVE_IMPORT_MATCH_UNIQUE_ID. Otherwise,
	// the author identifier of the primary module for the enclave..
	UniqueOrAuthorID [ImageEnclaveLongIDLength]uint8 `json:"unique_or_author_id"`

	// The family identifier of the primary module for the enclave.
	FamilyID [ImageEnclaveShortIDLength]uint8 `json:"family_id"`

	// The image identifier of the primary module for the enclave.
	ImageID [ImageEnclaveShortIDLength]uint8 `json:"image_id"`

	// The relative virtual address of a NULL-terminated string that contains
	// the same value found in the import directory for the image.
	ImportName uint32 `json:"import_name"`

	// Reserved.
	Reserved uint32 `json:"reserved"`
}

ImageEnclaveImport defines a entry in the array of images that an enclave can import.

type ImageEpilogueDynamicRelocationHeader 

type ImageEpilogueDynamicRelocationHeader struct {
	EpilogueCount               uint32 `json:"epilogue_count"`
	EpilogueByteCount           uint8  `json:"epilogue_byte_count"`
	BranchDescriptorElementSize uint8  `json:"branch_descriptor_element_size"`
	BranchDescriptorCount       uint8  `json:"branch_descriptor_count"`
}

type ImageExportDirectory 

type ImageExportDirectory struct {
	// Reserved, must be 0.
	Characteristics uint32 `json:"characteristics"`

	// The time and date that the export data was created.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// The major version number.
	//The major and minor version numbers can be set by the user.
	MajorVersion uint16 `json:"major_version"`

	// The minor version number.
	MinorVersion uint16 `json:"minor_version"`

	// The address of the ASCII string that contains the name of the DLL.
	// This address is relative to the image base.
	Name uint32 `json:"name"`

	// The starting ordinal number for exports in this image. This field
	// specifies the starting ordinal number for the export address table.
	// It is usually set to 1.
	Base uint32 `json:"base"`

	// The number of entries in the export address table.
	NumberOfFunctions uint32 `json:"number_of_functions"`

	// The number of entries in the name pointer table. This is also the number
	// of entries in the ordinal table.
	NumberOfNames uint32 `json:"number_of_names"`

	// The address of the export address table, relative to the image base.
	AddressOfFunctions uint32 `json:"address_of_functions"`

	// The address of the export name pointer table, relative to the image base.
	// The table size is given by the Number of Name Pointers field.
	AddressOfNames uint32 `json:"address_of_names"`

	// The address of the ordinal table, relative to the image base.
	AddressOfNameOrdinals uint32 `json:"address_of_name_ordinals"`
}

ImageExportDirectory represents the IMAGE_EXPORT_DIRECTORY structure. The export directory table contains address information that is used to resolve imports to the entry points within this image.

type ImageFileHeader 

type ImageFileHeader struct {
	// The number that identifies the type of target machine.
	Machine ImageFileHeaderMachineType `json:"machine"`

	// The number of sections. This indicates the size of the section table,
	// which immediately follows the headers.
	NumberOfSections uint16 `json:"number_of_sections"`

	// // The low 32 bits of the number of seconds since 00:00 January 1, 1970
	// (a C run-time time_t value), that indicates when the file was created.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// // The file offset of the COFF symbol table, or zero if no COFF symbol
	// table is present. This value should be zero for an image because COFF
	// debugging information is deprecated.
	PointerToSymbolTable uint32 `json:"pointer_to_symbol_table"`

	// The number of entries in the symbol table. This data can be used to
	// locate the string table, which immediately follows the symbol table.
	// This value should be zero for an image because COFF debugging information
	// is deprecated.
	NumberOfSymbols uint32 `json:"number_of_symbols"`

	// The size of the optional header, which is required for executable files
	// but not for object files. This value should be zero for an object file.
	SizeOfOptionalHeader uint16 `json:"size_of_optional_header"`

	// The flags that indicate the attributes of the file.
	Characteristics ImageFileHeaderCharacteristicsType `json:"characteristics"`
}

ImageFileHeader contains infos about the physical layout and properties of the file.

type ImageFileHeaderCharacteristicsType added in v1.4.1 

type ImageFileHeaderCharacteristicsType uint16

ImageFileHeaderCharacteristicsType represents the type of the image file header `Characteristics` field.

func (ImageFileHeaderCharacteristicsType) String added in v1.4.1 

func (t ImageFileHeaderCharacteristicsType) String() []string

String returns the string representations of the `Characteristics` field of the IMAGE_FILE_HEADER.

type ImageFileHeaderMachineType added in v1.4.1 

type ImageFileHeaderMachineType uint16

ImageFileHeaderMachineType represents the type of the image file header `Machine“ field.

func (ImageFileHeaderMachineType) String added in v1.4.1 

func (t ImageFileHeaderMachineType) String() string

String returns the string representations of the `Machine` field of the IMAGE_FILE_HEADER.

type ImageGuardFlagType added in v1.3.9 

type ImageGuardFlagType uint8

ImageGuardFlagType represents the type for load configuration image guard flags.

func (ImageGuardFlagType) String added in v1.3.9 

func (flag ImageGuardFlagType) String() string

String returns a string interpretation of the load config directory image guard flag.

type ImageImportControlTransferDynamicRelocation added in v1.3.9 

type ImageImportControlTransferDynamicRelocation struct {
	PageRelativeOffset uint16 `json:"page_relative_offset"` // (12 bits)
	// 1 - the opcode is a CALL
	// 0 - the opcode is a JMP.
	IndirectCall uint16 `json:"indirect_call"` // (1 bit)
	IATIndex     uint32 `json:"iat_index"`     // (19 bits)
}

ImageImportControlTransferDynamicRelocation represents the Imported Address Retpoline (type 3), size = 4 bytes.

type ImageImportDescriptor 

type ImageImportDescriptor struct {
	// The RVA of the import lookup/name table (INT). This table contains a name
	// or ordinal for each import. The INT is an array of IMAGE_THUNK_DATA structs.
	OriginalFirstThunk uint32 `json:"original_first_thunk"`

	// The stamp that is set to zero until the image is bound. After the image
	// is bound, this field is set to the time/data stamp of the DLL.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// The index of the first forwarder reference (-1 if no forwarders).
	ForwarderChain uint32 `json:"forwarder_chain"`

	// The address of an ASCII string that contains the name of the DLL.
	// This address is relative to the image base.
	Name uint32 `json:"name"`

	// The RVA of the import address table (IAT). The contents of this table are
	// identical to the contents of the import lookup table until the image is bound.
	FirstThunk uint32 `json:"first_thunk"`
}

ImageImportDescriptor describes the remainder of the import information. The import directory table contains address information that is used to resolve fixup references to the entry points within a DLL image. It consists of an array of import directory entries, one entry for each DLL to which the image refers. The last directory entry is empty (filled with null values), which indicates the end of the directory table.

type ImageIndirectControlTransferDynamicRelocation added in v1.3.9 

type ImageIndirectControlTransferDynamicRelocation struct {
	PageRelativeOffset uint16 `json:"page_relative_offset"` // (12 bits)
	IndirectCall       uint8  `json:"indirect_call"`        // (1 bit)
	RexWPrefix         uint8  `json:"rex_w_prefix"`         // (1 bit)
	CfgCheck           uint8  `json:"cfg_check"`            // (1 bit)
	Reserved           uint8  `json:"reserved"`             // (1 bit)
}

ImageIndirectControlTransferDynamicRelocation represents the Indirect Branch Retpoline (type 4), size = 2 bytes.

type ImageLoadConfigCodeIntegrity 

type ImageLoadConfigCodeIntegrity struct {
	// Flags to indicate if CI information is available, etc.
	Flags uint16 `json:"flags"`
	// 0xFFFF means not available
	Catalog       uint16 `json:"catalog"`
	CatalogOffset uint32 `json:"catalog_offset"`
	// Additional bitmask to be defined later
	Reserved uint32 `json:"reserved"`
}

ImageLoadConfigCodeIntegrity Code Integrity in load config (CI).

type ImageLoadConfigDirectory32 

type ImageLoadConfigDirectory32 struct {
	// The actual size of the structure inclusive. May differ from the size
	// given in the data directory for Windows XP and earlier compatibility.
	Size uint32 `json:"size"`

	// Date and time stamp value.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// Major version number.
	MajorVersion uint16 `json:"major_version"`

	// Minor version number.
	MinorVersion uint16 `json:"minor_version"`

	// The global loader flags to clear for this process as the loader starts
	// the process.
	GlobalFlagsClear uint32 `json:"global_flags_clear"`

	// The global loader flags to set for this process as the loader starts the
	// process.
	GlobalFlagsSet uint32 `json:"global_flags_set"`

	// The default timeout value to use for this process's critical sections
	// that are abandoned.
	CriticalSectionDefaultTimeout uint32 `json:"critical_section_default_timeout"`

	// Memory that must be freed before it is returned to the system, in bytes.
	DeCommitFreeBlockThreshold uint32 `json:"de_commit_free_block_threshold"`

	// Total amount of free memory, in bytes.
	DeCommitTotalFreeThreshold uint32 `json:"de_commit_total_free_threshold"`

	// [x86 only] The VA of a list of addresses where the LOCK prefix is used so
	// that they can be replaced with NOP on single processor machines.
	LockPrefixTable uint32 `json:"lock_prefix_table"`

	// Maximum allocation size, in bytes.
	MaximumAllocationSize uint32 `json:"maximum_allocation_size"`

	// Maximum virtual memory size, in bytes.
	VirtualMemoryThreshold uint32 `json:"virtual_memory_threshold"`

	// Process heap flags that correspond to the first argument of the HeapCreate
	// function. These flags apply to the process heap that is created during
	// process startup.
	ProcessHeapFlags uint32 `json:"process_heap_flags"`

	// Setting this field to a non-zero value is equivalent to calling
	// SetProcessAffinityMask with this value during process startup (.exe only)
	ProcessAffinityMask uint32 `json:"process_affinity_mask"`

	// The service pack version identifier.
	CSDVersion uint16 `json:"csd_version"`

	// Must be zero.
	DependentLoadFlags uint16 `json:"dependent_load_flags"`

	// Reserved for use by the system.
	EditList uint32 `json:"edit_list"`

	// A pointer to a cookie that is used by Visual C++ or GS implementation.
	SecurityCookie uint32 `json:"security_cookie"`

	// [x86 only] The VA of the sorted table of RVAs of each valid, unique SE
	// handler in the image.
	SEHandlerTable uint32 `json:"se_handler_table"`

	// [x86 only] The count of unique handlers in the table.
	SEHandlerCount uint32 `json:"se_handler_count"`

	// The VA where Control Flow Guard check-function pointer is stored.
	GuardCFCheckFunctionPointer uint32 `json:"guard_cf_check_function_pointer"`

	// The VA where Control Flow Guard dispatch-function pointer is stored.
	GuardCFDispatchFunctionPointer uint32 `json:"guard_cf_dispatch_function_pointer"`

	// The VA of the sorted table of RVAs of each Control Flow Guard function in
	// the image.
	GuardCFFunctionTable uint32 `json:"guard_cf_function_table"`

	// The count of unique RVAs in the above table.
	GuardCFFunctionCount uint32 `json:"guard_cf_function_count"`

	// Control Flow Guard related flags.
	GuardFlags uint32 `json:"guard_flags"`

	// Code integrity information.
	CodeIntegrity ImageLoadConfigCodeIntegrity `json:"code_integrity"`

	// The VA where Control Flow Guard address taken IAT table is stored.
	GuardAddressTakenIATEntryTable uint32 `json:"guard_address_taken_iat_entry_table"`

	// The count of unique RVAs in the above table.
	GuardAddressTakenIATEntryCount uint32 `json:"guard_address_taken_iat_entry_count"`

	// The VA where Control Flow Guard long jump target table is stored.
	GuardLongJumpTargetTable uint32 `json:"guard_long_jump_target_table"`

	// The count of unique RVAs in the above table.
	GuardLongJumpTargetCount uint32 `json:"guard_long_jump_target_count"`

	DynamicValueRelocTable uint32 `json:"dynamic_value_reloc_table"`

	// Not sure when this was renamed from HybridMetadataPointer.
	CHPEMetadataPointer uint32 `json:"chpe_metadata_pointer"`

	GuardRFFailureRoutine                    uint32 `json:"guard_rf_failure_routine"`
	GuardRFFailureRoutineFunctionPointer     uint32 `json:"guard_rf_failure_routine_function_pointer"`
	DynamicValueRelocTableOffset             uint32 `json:"dynamic_value_reloc_table_offset"`
	DynamicValueRelocTableSection            uint16 `json:"dynamic_value_reloc_table_section"`
	Reserved2                                uint16 `json:"reserved_2"`
	GuardRFVerifyStackPointerFunctionPointer uint32 `json:"guard_rf_verify_stack_pointer_function_pointer"`
	HotPatchTableOffset                      uint32 `json:"hot_patch_table_offset"`
	Reserved3                                uint32 `json:"reserved_3"`
	EnclaveConfigurationPointer              uint32 `json:"enclave_configuration_pointer"`
	VolatileMetadataPointer                  uint32 `json:"volatile_metadata_pointer"`
	GuardEHContinuationTable                 uint32 `json:"guard_eh_continuation_table"`
	GuardEHContinuationCount                 uint32 `json:"guard_eh_continuation_count"`
	GuardXFGCheckFunctionPointer             uint32 `json:"guard_xfg_check_function_pointer"`
	GuardXFGDispatchFunctionPointer          uint32 `json:"guard_xfg_dispatch_function_pointer"`
	GuardXFGTableDispatchFunctionPointer     uint32 `json:"guard_xfg_table_dispatch_function_pointer"`
	CastGuardOSDeterminedFailureMode         uint32 `json:"cast_guard_os_determined_failure_mode"`
	GuardMemcpyFunctionPointer               uint32 `json:"guard_memcpy_function_pointer"`
}

ImageLoadConfigDirectory32 Contains the load configuration data of an image for x86 binaries.

type ImageLoadConfigDirectory64 

type ImageLoadConfigDirectory64 struct {
	// The actual size of the structure inclusive. May differ from the size
	// given in the data directory for Windows XP and earlier compatibility.
	Size uint32 `json:"size"`

	// Date and time stamp value.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// Major version number.
	MajorVersion uint16 `json:"major_version"`

	// Minor version number.
	MinorVersion uint16 `json:"minor_version"`

	// The global loader flags to clear for this process as the loader starts
	// the process.
	GlobalFlagsClear uint32 `json:"global_flags_clear"`

	// The global loader flags to set for this process as the loader starts the
	// process.
	GlobalFlagsSet uint32 `json:"global_flags_set"`

	// The default timeout value to use for this process's critical sections
	// that are abandoned.
	CriticalSectionDefaultTimeout uint32 `json:"critical_section_default_timeout"`

	// Memory that must be freed before it is returned to the system, in bytes.
	DeCommitFreeBlockThreshold uint64 `json:"de_commit_free_block_threshold"`

	// Total amount of free memory, in bytes.
	DeCommitTotalFreeThreshold uint64 `json:"de_commit_total_free_threshold"`

	// [x86 only] The VA of a list of addresses where the LOCK prefix is used so
	// that they can be replaced with NOP on single processor machines.
	LockPrefixTable uint64 `json:"lock_prefix_table"`

	// Maximum allocation size, in bytes.
	MaximumAllocationSize uint64 `json:"maximum_allocation_size"`

	// Maximum virtual memory size, in bytes.
	VirtualMemoryThreshold uint64 `json:"virtual_memory_threshold"`

	// Setting this field to a non-zero value is equivalent to calling
	// SetProcessAffinityMask with this value during process startup (.exe only)
	ProcessAffinityMask uint64 `json:"process_affinity_mask"`

	// Process heap flags that correspond to the first argument of the HeapCreate
	// function. These flags apply to the process heap that is created during
	// process startup.
	ProcessHeapFlags uint32 `json:"process_heap_flags"`

	// The service pack version identifier.
	CSDVersion uint16 `json:"csd_version"`

	// Must be zero.
	DependentLoadFlags uint16 `json:"dependent_load_flags"`

	// Reserved for use by the system.
	EditList uint64 `json:"edit_list"`

	// A pointer to a cookie that is used by Visual C++ or GS implementation.
	SecurityCookie uint64 `json:"security_cookie"`

	// [x86 only] The VA of the sorted table of RVAs of each valid, unique SE
	// handler in the image.
	SEHandlerTable uint64 `json:"se_handler_table"`

	// [x86 only] The count of unique handlers in the table.
	SEHandlerCount uint64 `json:"se_handler_count"`

	// The VA where Control Flow Guard check-function pointer is stored.
	GuardCFCheckFunctionPointer uint64 `json:"guard_cf_check_function_pointer"`

	// The VA where Control Flow Guard dispatch-function pointer is stored.
	GuardCFDispatchFunctionPointer uint64 `json:"guard_cf_dispatch_function_pointer"`

	// The VA of the sorted table of RVAs of each Control Flow Guard function in
	// the image.
	GuardCFFunctionTable uint64 `json:"guard_cf_function_table"`

	// The count of unique RVAs in the above table.
	GuardCFFunctionCount uint64 `json:"guard_cf_function_count"`

	// Control Flow Guard related flags.
	GuardFlags uint32 `json:"guard_flags"`

	// Code integrity information.
	CodeIntegrity ImageLoadConfigCodeIntegrity `json:"code_integrity"`

	// The VA where Control Flow Guard address taken IAT table is stored.
	GuardAddressTakenIATEntryTable uint64 `json:"guard_address_taken_iat_entry_table"`

	// The count of unique RVAs in the above table.
	GuardAddressTakenIATEntryCount uint64 `json:"guard_address_taken_iat_entry_count"`

	// The VA where Control Flow Guard long jump target table is stored.
	GuardLongJumpTargetTable uint64 `json:"guard_long_jump_target_table"`

	// The count of unique RVAs in the above table.
	GuardLongJumpTargetCount uint64 `json:"guard_long_jump_target_count"`

	DynamicValueRelocTable uint64 `json:"dynamic_value_reloc_table"`

	// Not sure when this was renamed from HybridMetadataPointer.
	CHPEMetadataPointer uint64 `json:"chpe_metadata_pointer"`

	GuardRFFailureRoutine                    uint64 `json:"guard_rf_failure_routine"`
	GuardRFFailureRoutineFunctionPointer     uint64 `json:"guard_rf_failure_routine_function_pointer"`
	DynamicValueRelocTableOffset             uint32 `json:"dynamic_value_reloc_table_offset"`
	DynamicValueRelocTableSection            uint16 `json:"dynamic_value_reloc_table_section"`
	Reserved2                                uint16 `json:"reserved_2"`
	GuardRFVerifyStackPointerFunctionPointer uint64 `json:"guard_rf_verify_stack_pointer_function_pointer"`
	HotPatchTableOffset                      uint32 `json:"hot_patch_table_offset"`
	Reserved3                                uint32 `json:"reserved_3"`
	EnclaveConfigurationPointer              uint64 `json:"enclave_configuration_pointer"`
	VolatileMetadataPointer                  uint64 `json:"volatile_metadata_pointer"`
	GuardEHContinuationTable                 uint64 `json:"guard_eh_continuation_table"`
	GuardEHContinuationCount                 uint64 `json:"guard_eh_continuation_count"`
	GuardXFGCheckFunctionPointer             uint64 `json:"guard_xfg_check_function_pointer"`
	GuardXFGDispatchFunctionPointer          uint64 `json:"guard_xfg_dispatch_function_pointer"`
	GuardXFGTableDispatchFunctionPointer     uint64 `json:"guard_xfg_table_dispatch_function_pointer"`
	CastGuardOSDeterminedFailureMode         uint64 `json:"cast_guard_os_determined_failure_mode"`
	GuardMemcpyFunctionPointer               uint64 `json:"guard_memcpy_function_pointer"`
}

ImageLoadConfigDirectory64 Contains the load configuration data of an image for x64 binaries.

type ImageNtHeader 

type ImageNtHeader struct {
	// Signature is a DWORD containing the value 50h, 45h, 00h, 00h.
	Signature uint32 `json:"signature"`

	// IMAGE_NT_HEADERS provides a standard COFF header. It is located
	// immediately after the PE signature. The COFF header provides the most
	// general characteristics of a PE/COFF file, applicable to both object and
	// executable files. It is represented with IMAGE_FILE_HEADER structure.
	FileHeader ImageFileHeader `json:"file_header"`

	// OptionalHeader is of type *OptionalHeader32 or *OptionalHeader64.
	OptionalHeader interface{} `json:"optional_header"`
}

ImageNtHeader represents the PE header and is the general term for a structure named IMAGE_NT_HEADERS.

type ImageOptionalHeader32 

type ImageOptionalHeader32 struct {

	// The unsigned integer that identifies the state of the image file.
	// The most common number is 0x10B, which identifies it as a normal
	// executable file. 0x107 identifies it as a ROM image, and 0x20B identifies
	// it as a PE32+ executable.
	Magic uint16 `json:"magic"`

	// Linker major version number. The VC++ linker sets this field to current
	// version of Visual Studio.
	MajorLinkerVersion uint8 `json:"major_linker_version"`

	// The linker minor version number.
	MinorLinkerVersion uint8 `json:"minor_linker_version"`

	// The size of the code (text) section, or the sum of all code sections
	// if there are multiple sections.
	SizeOfCode uint32 `json:"size_of_code"`

	// The size of the initialized data section (held in the field SizeOfRawData
	// of the respective section header), or the sum of all such sections if
	// there are multiple data sections.
	SizeOfInitializedData uint32 `json:"size_of_initialized_data"`

	// The size of the uninitialized data section (BSS), or the sum of all
	// such sections if there are multiple BSS sections. This data is not part
	// of the disk file and does not have specific values, but the OS loader
	// commits memory space for this data when the file is loaded.
	SizeOfUninitializedData uint32 `json:"size_of_uninitialized_data"`

	// The address of the entry point relative to the image base when the
	// executable file is loaded into memory. For program images, this is the
	// starting address. For device drivers, this is the address of the
	// initialization function. An entry point is optional for DLLs. When no
	// entry point is present, this field must be zero. For managed PE files,
	// this value always points to the common language runtime invocation stub.
	AddressOfEntryPoint uint32 `json:"address_of_entrypoint"`

	// The address that is relative to the image base of the beginning-of-code
	// section when it is loaded into memory.
	BaseOfCode uint32 `json:"base_of_code"`

	// The address that is relative to the image base of the beginning-of-data
	// section when it is loaded into memory. This entry doesn’t exist in the
	// 64-bit Optional header.
	BaseOfData uint32 `json:"base_of_data"`

	// The preferred address of the first byte of image when loaded into memory;
	// must be a multiple of 64 K. The default for DLLs is 0x10000000. The
	// default for Windows CE EXEs is 0x00010000. The default for Windows NT,
	// Windows 2000, Windows XP, Windows 95, Windows 98, and Windows Me is
	// 0x00400000.
	ImageBase uint32 `json:"image_base"`

	// The alignment (in bytes) of sections when they are loaded into memory.
	// It must be greater than or equal to FileAlignment. The default is the
	// page size for the architecture.
	SectionAlignment uint32 `json:"section_alignment"`

	// The alignment factor (in bytes) that is used to align the raw data of
	// sections in the image file. The value should be a power of 2 between 512
	// and 64 K, inclusive. The default is 512. If the SectionAlignment is less
	// than the architecture's page size, then FileAlignment must match
	// SectionAlignment.
	FileAlignment uint32 `json:"file_alignment"`

	// The major version number of the required operating system.
	MajorOperatingSystemVersion uint16 `json:"major_os_version"`

	// The minor version number of the required operating system.
	MinorOperatingSystemVersion uint16 `json:"minor_os_version"`

	// The major version number of the image.
	MajorImageVersion uint16 `json:"major_image_version"`

	// The minor version number of the image.
	MinorImageVersion uint16 `json:"minor_image_version"`

	// The major version number of the subsystem.
	MajorSubsystemVersion uint16 `json:"major_subsystem_version"`

	// The minor version number of the subsystem.
	MinorSubsystemVersion uint16 `json:"minor_subsystem_version"`

	// Reserved, must be zero.
	Win32VersionValue uint32 `json:"win32_version_value"`

	// The size (in bytes) of the image, including all headers, as the image
	// is loaded in memory. It must be a multiple of SectionAlignment.
	SizeOfImage uint32 `json:"size_of_image"`

	// The combined size of an MS-DOS stub, PE header, and section headers
	// rounded up to a multiple of FileAlignment.
	SizeOfHeaders uint32 `json:"size_of_headers"`

	// The image file checksum. The algorithm for computing the checksum is
	// incorporated into IMAGHELP.DLL. The following are checked for validation
	// at load time: all drivers, any DLL loaded at boot time, and any DLL
	// that is loaded into a critical Windows process.
	CheckSum uint32 `json:"checksum"`

	// The subsystem that is required to run this image.
	Subsystem ImageOptionalHeaderSubsystemType `json:"subsystem"`

	// For more information, see DLL Characteristics later in this specification.
	DllCharacteristics ImageOptionalHeaderDllCharacteristicsType `json:"dll_characteristics"`

	// Size of virtual memory to reserve for the initial thread’s stack. Only
	// the SizeOfStackCommit field is committed; the rest is available in
	// one-page increments. The default is 1MB for 32-bit images and 4MB for
	// 64-bit images.
	SizeOfStackReserve uint32 `json:"size_of_stack_reserve"`

	// Size of virtual memory initially committed for the initial thread’s
	// stack. The default is one page (4KB) for 32-bit images and 16KB for
	// 64-bit images.
	SizeOfStackCommit uint32 `json:"size_of_stack_commit"`

	// size of the local heap space to reserve. Only SizeOfHeapCommit is
	// committed; the rest is made available one page at a time until the
	// reserve size is reached. The default is 1MB for both 32-bit and 64-bit
	// images.
	SizeOfHeapReserve uint32 `json:"size_of_heap_reserve"`

	// Size of virtual memory initially committed for the process heap. The
	// default is 4KB (one operating system memory page) for 32-bit images and
	// 16KB for 64-bit images.
	SizeOfHeapCommit uint32 `json:"size_of_heap_commit"`

	// Reserved, must be zero.
	LoaderFlags uint32 `json:"loader_flags"`

	// Number of entries in the DataDirectory array; at least 16. Although it
	// is theoretically possible to emit more than 16 data directories, all
	// existing managed compilers emit exactly 16 data directories, with the
	// 16th (last) data directory never used (reserved).
	NumberOfRvaAndSizes uint32 `json:"number_of_rva_and_sizes"`

	// An array of 16 IMAGE_DATA_DIRECTORY structures.
	DataDirectory [16]DataDirectory `json:"data_directories"`
}

ImageOptionalHeader32 represents the PE32 format structure of the optional header. PE32 contains this additional field, which is absent in PE32+.

type ImageOptionalHeader64 

type ImageOptionalHeader64 struct {
	// The unsigned integer that identifies the state of the image file.
	// The most common number is 0x10B, which identifies it as a normal
	// executable file. 0x107 identifies it as a ROM image, and 0x20B identifies
	// it as a PE32+ executable.
	Magic uint16 `json:"magic"`

	// Linker major version number. The VC++ linker sets this field to current
	// version of Visual Studio.
	MajorLinkerVersion uint8 `json:"major_linker_version"`

	// The linker minor version number.
	MinorLinkerVersion uint8 `json:"minor_linker_version"`

	// The size of the code (text) section, or the sum of all code sections
	// if there are multiple sections.
	SizeOfCode uint32 `json:"size_of_code"`

	// The size of the initialized data section (held in the field SizeOfRawData
	// of the respective section header), or the sum of all such sections if
	// there are multiple data sections.
	SizeOfInitializedData uint32 `json:"size_of_initialized_data"`

	// The size of the uninitialized data section (BSS), or the sum of all
	// such sections if there are multiple BSS sections. This data is not part
	// of the disk file and does not have specific values, but the OS loader
	// commits memory space for this data when the file is loaded.
	SizeOfUninitializedData uint32 `json:"size_of_uninitialized_data"`

	// The address of the entry point relative to the image base when the
	// executable file is loaded into memory. For program images, this is the
	// starting address. For device drivers, this is the address of the
	// initialization function. An entry point is optional for DLLs. When no
	// entry point is present, this field must be zero. For managed PE files,
	// this value always points to the common language runtime invocation stub.
	AddressOfEntryPoint uint32 `json:"address_of_entrypoint"`

	// The address that is relative to the image base of the beginning-of-code
	// section when it is loaded into memory.
	BaseOfCode uint32 `json:"base_of_code"`

	// In PE+, ImageBase is 8 bytes size.
	ImageBase uint64 `json:"image_base"`

	// The alignment (in bytes) of sections when they are loaded into memory.
	// It must be greater than or equal to FileAlignment. The default is the
	// page size for the architecture.
	SectionAlignment uint32 `json:"section_alignment"`

	// The alignment factor (in bytes) that is used to align the raw data of
	// sections in the image file. The value should be a power of 2 between 512
	// and 64 K, inclusive. The default is 512. If the SectionAlignment is less
	// than the architecture's page size, then FileAlignment must match SectionAlignment.
	FileAlignment uint32 `json:"file_alignment"`

	// The major version number of the required operating system.
	MajorOperatingSystemVersion uint16 `json:"major_os_version"`

	// The minor version number of the required operating system.
	MinorOperatingSystemVersion uint16 `json:"minor_os_version"`

	// The major version number of the image.
	MajorImageVersion uint16 `json:"major_image_version"`

	// The minor version number of the image.
	MinorImageVersion uint16 `json:"minor_image_version"`

	// The major version number of the subsystem.
	MajorSubsystemVersion uint16 `json:"major_subsystem_version"`

	// The minor version number of the subsystem.
	MinorSubsystemVersion uint16 `json:"minor_subsystem_version"`

	// Reserved, must be zero.
	Win32VersionValue uint32 `json:"win32_version_value"`

	// The size (in bytes) of the image, including all headers, as the image
	// is loaded in memory. It must be a multiple of SectionAlignment.
	SizeOfImage uint32 `json:"size_of_image"`

	// The combined size of an MS-DOS stub, PE header, and section headers
	// rounded up to a multiple of FileAlignment.
	SizeOfHeaders uint32 `json:"size_of_headers"`

	// The image file checksum. The algorithm for computing the checksum is
	// incorporated into IMAGHELP.DLL. The following are checked for validation
	// at load time: all drivers, any DLL loaded at boot time, and any DLL
	// that is loaded into a critical Windows process.
	CheckSum uint32 `json:"checksum"`

	// The subsystem that is required to run this image.
	Subsystem ImageOptionalHeaderSubsystemType `json:"subsystem"`

	// For more information, see DLL Characteristics later in this specification.
	DllCharacteristics ImageOptionalHeaderDllCharacteristicsType `json:"dll_characteristics"`

	// Size of virtual memory to reserve for the initial thread’s stack. Only
	// the SizeOfStackCommit field is committed; the rest is available in
	// one-page increments. The default is 1MB for 32-bit images and 4MB for
	// 64-bit images.
	SizeOfStackReserve uint64 `json:"size_of_stack_reserve"`

	// Size of virtual memory initially committed for the initial thread’s
	// stack. The default is one page (4KB) for 32-bit images and 16KB for
	// 64-bit images.
	SizeOfStackCommit uint64 `json:"size_of_stack_commit"`

	// size of the local heap space to reserve. Only SizeOfHeapCommit is
	// committed; the rest is made available one page at a time until the
	// reserve size is reached. The default is 1MB for both 32-bit and 64-bit
	// images.
	SizeOfHeapReserve uint64 `json:"size_of_heap_reserve"`

	// Size of virtual memory initially committed for the process heap. The
	// default is 4KB (one operating system memory page) for 32-bit images and
	// 16KB for 64-bit images.
	SizeOfHeapCommit uint64 `json:"size_of_heap_commit"`

	// Reserved, must be zero.
	LoaderFlags uint32 `json:"loader_flags"`

	// Number of entries in the DataDirectory array; at least 16. Although it
	// is theoretically possible to emit more than 16 data directories, all
	// existing managed compilers emit exactly 16 data directories, with the
	// 16th (last) data directory never used (reserved).
	NumberOfRvaAndSizes uint32 `json:"number_of_rva_and_sizes"`

	// An array of 16 IMAGE_DATA_DIRECTORY structures.
	DataDirectory [16]DataDirectory `json:"data_directories"`
}

ImageOptionalHeader64 represents the PE32+ format structure of the optional header.

type ImageOptionalHeaderDllCharacteristicsType added in v1.4.1 

type ImageOptionalHeaderDllCharacteristicsType uint16

ImageOptionalHeaderDllCharacteristicsType represents the type of the optional header `DllCharacteristics field.

func (ImageOptionalHeaderDllCharacteristicsType) String added in v1.4.1 

func (t ImageOptionalHeaderDllCharacteristicsType) String() []string

String returns the string representations of the `DllCharacteristics` field of ImageOptionalHeader.

type ImageOptionalHeaderSubsystemType added in v1.4.1 

type ImageOptionalHeaderSubsystemType uint16

ImageOptionalHeaderSubsystemType represents the type of the optional header `Subsystem field.

func (ImageOptionalHeaderSubsystemType) String added in v1.4.1 

func (subsystem ImageOptionalHeaderSubsystemType) String() string

String returns the string representations of the `Subsystem` field of ImageOptionalHeader.

type ImagePGOItem 

type ImagePGOItem struct {
	RVA  uint32 `json:"rva"`
	Size uint32 `json:"size"`
	Name string `json:"name"`
}

ImagePGOItem represents the _IMAGE_POGO_INFO structure.

type ImagePrologueDynamicRelocationHeader 

type ImagePrologueDynamicRelocationHeader struct {
	PrologueByteCount uint8 `json:"prologue_byte_count"`
}

type ImageResourceDataEntry 

type ImageResourceDataEntry struct {
	// The address of a unit of resource data in the Resource Data area.
	OffsetToData uint32 `json:"offset_to_data"`

	// The size, in bytes, of the resource data that is pointed to by the Data
	// RVA field.
	Size uint32 `json:"size"`

	// The code page that is used to decode code point values within the
	// resource data. Typically, the code page would be the Unicode code page.
	CodePage uint32 `json:"code_page"`

	// Reserved, must be 0.
	Reserved uint32 `json:"reserved"`
}

ImageResourceDataEntry Each Resource Data entry describes an actual unit of raw data in the Resource Data area.

type ImageResourceDirectory 

type ImageResourceDirectory struct {
	// Resource flags. This field is reserved for future use. It is currently
	// set to zero.
	Characteristics uint32 `json:"characteristics"`

	// The time that the resource data was created by the resource compiler.
	TimeDateStamp uint32 `json:"time_date_stamp"`

	// The major version number, set by the user.
	MajorVersion uint16 `json:"major_version"`

	// The minor version number, set by the user.
	MinorVersion uint16 `json:"minor_version"`

	// The number of directory entries immediately following the table that use
	// strings to identify Type, Name, or Language entries (depending on the
	// level of the table).
	NumberOfNamedEntries uint16 `json:"number_of_named_entries"`

	// The number of directory entries immediately following the Name entries
	// that use numeric IDs for Type, Name, or Language entries.
	NumberOfIDEntries uint16 `json:"number_of_id_entries"`
}

ImageResourceDirectory represents the IMAGE_RESOURCE_DIRECTORY. This data structure should be considered the heading of a table because the table actually consists of directory entries.

type ImageResourceDirectoryEntry 

type ImageResourceDirectoryEntry struct {
	// Name is used to identify either a type of resource, a resource name, or a
	// resource's language ID.
	Name uint32 `json:"name"`

	// OffsetToData is always used to point to a sibling in the tree, either a
	// directory node or a leaf node.
	OffsetToData uint32 `json:"offset_to_data"`
}

ImageResourceDirectoryEntry represents an entry in the resource directory entries.

type ImageRuntimeFunctionEntry 

type ImageRuntimeFunctionEntry struct {
	// The address of the start of the function.
	BeginAddress uint32 `json:"begin_address"`

	// The address of the end of the function.
	EndAddress uint32 `json:"end_address"`

	// The unwind data info structure is used to record the effects a function
	// has on the stack pointer, and where the nonvolatile registers are saved
	// on the stack.
	UnwindInfoAddress uint32 `json:"unwind_info_address"`
}

ImageRuntimeFunctionEntry represents an entry in the function table on 64-bit Windows (IMAGE_RUNTIME_FUNCTION_ENTRY). Table-based exception handling request a table entry for all functions that allocate stack space or call another function (for example, non-leaf functions).

type ImageSectionHeader 

type ImageSectionHeader struct {

	//  An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8
	// characters long, there is no terminating null. For longer names, this
	// field contains a slash (/) that is followed by an ASCII representation of
	// a decimal number that is an offset into the string table. Executable
	// images do not use a string table and do not support section names longer
	// than 8 characters. Long names in object files are truncated if they are
	// emitted to an executable file.
	Name [8]uint8 `json:"name"`

	// The total size of the section when loaded into memory. If this value is
	// greater than SizeOfRawData, the section is zero-padded. This field is
	// valid only for executable images and should be set to zero for object files.
	VirtualSize uint32 `json:"virtual_size"`

	// For executable images, the address of the first byte of the section
	// relative to the image base when the section is loaded into memory.
	// For object files, this field is the address of the first byte before
	// relocation is applied; for simplicity, compilers should set this to zero.
	// Otherwise, it is an arbitrary value that is subtracted from offsets during
	// relocation.
	VirtualAddress uint32 `json:"virtual_address"`

	// The size of the section (for object files) or the size of the initialized
	// data on disk (for image files). For executable images, this must be a
	// multiple of FileAlignment from the optional header. If this is less than
	// VirtualSize, the remainder of the section is zero-filled. Because the
	// SizeOfRawData field is rounded but the VirtualSize field is not, it is
	// possible for SizeOfRawData to be greater than VirtualSize as well. When
	// a section contains only uninitialized data, this field should be zero.
	SizeOfRawData uint32 `json:"size_of_raw_data"`

	// The file pointer to the first page of the section within the COFF file.
	// For executable images, this must be a multiple of FileAlignment from the
	// optional header. For object files, the value should be aligned on a
	// 4-byte boundary for best performance. When a section contains only
	// uninitialized data, this field should be zero.
	PointerToRawData uint32 `json:"pointer_to_raw_data"`

	// The file pointer to the beginning of relocation entries for the section.
	// This is set to zero for executable images or if there are no relocations.
	PointerToRelocations uint32 `json:"pointer_to_relocations"`

	// The file pointer to the beginning of line-number entries for the section.
	// This is set to zero if there are no COFF line numbers. This value should
	// be zero for an image because COFF debugging information is deprecated.
	PointerToLineNumbers uint32 `json:"pointer_to_line_numbers"`

	// The number of relocation entries for the section.
	// This is set to zero for executable images.
	NumberOfRelocations uint16 `json:"number_of_relocations"`

	// The number of line-number entries for the section. This value should be
	// zero for an image because COFF debugging information is deprecated.
	NumberOfLineNumbers uint16 `json:"number_of_line_numbers"`

	// The flags that describe the characteristics of the section.
	Characteristics uint32 `json:"characteristics"`
}

ImageSectionHeader is part of the section table , in fact section table is an array of Image Section Header each contains information about one section of the whole file such as attribute,virtual offset. the array size is the number of sections in the file. Binary Spec : each struct is 40 byte and there is no padding .

type ImageSwitchableBranchDynamicRelocation added in v1.3.9 

type ImageSwitchableBranchDynamicRelocation struct {
	PageRelativeOffset uint16 `json:"page_relative_offset"` // (12 bits)
	RegisterNumber     uint16 `json:"register_number"`      // (4 bits)
}

ImageSwitchableBranchDynamicRelocation represents the Switchable Retpoline (type 5), size = 2 bytes.

type ImageTLSDirectory32 

type ImageTLSDirectory32 struct {

	// The starting address of the TLS template. The template is a block of data
	// that is used to initialize TLS data.
	StartAddressOfRawData uint32 `json:"start_address_of_raw_data"`

	// The address of the last byte of the TLS, except for the zero fill.
	// As with the Raw Data Start VA field, this is a VA, not an RVA.
	EndAddressOfRawData uint32 `json:"end_address_of_raw_data"`

	// The location to receive the TLS index, which the loader assigns. This
	// location is in an ordinary data section, so it can be given a symbolic
	// name that is accessible to the program.
	AddressOfIndex uint32 `json:"address_of_index"`

	// The pointer to an array of TLS callback functions. The array is
	// null-terminated, so if no callback function is supported, this field
	// points to 4 bytes set to zero.
	AddressOfCallBacks uint32 `json:"address_of_callbacks"`

	// The size in bytes of the template, beyond the initialized data delimited
	// by the Raw Data Start VA and Raw Data End VA fields. The total template
	// size should be the same as the total size of TLS data in the image file.
	// The zero fill is the amount of data that comes after the initialized
	// nonzero data.
	SizeOfZeroFill uint32 `json:"size_of_zero_fill"`

	// The four bits [23:20] describe alignment info. Possible values are those
	// defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment
	// of section in object files. The other 28 bits are reserved for future use.
	Characteristics TLSDirectoryCharacteristicsType `json:"characteristics"`
}

ImageTLSDirectory32 represents the IMAGE_TLS_DIRECTORY32 structure. It Points to the Thread Local Storage initialization section.

type ImageTLSDirectory64 

type ImageTLSDirectory64 struct {
	// The starting address of the TLS template. The template is a block of data
	// that is used to initialize TLS data.
	StartAddressOfRawData uint64 `json:"start_address_of_raw_data"`

	// The address of the last byte of the TLS, except for the zero fill. As
	// with the Raw Data Start VA field, this is a VA, not an RVA.
	EndAddressOfRawData uint64 `json:"end_address_of_raw_data"`

	// The location to receive the TLS index, which the loader assigns. This
	// location is in an ordinary data section, so it can be given a symbolic
	// name that is accessible to the program.
	AddressOfIndex uint64 `json:"address_of_index"`

	// The pointer to an array of TLS callback functions. The array is
	// null-terminated, so if no callback function is supported, this field
	// points to 4 bytes set to zero.
	AddressOfCallBacks uint64 `json:"address_of_callbacks"`

	// The size in bytes of the template, beyond the initialized data delimited
	// by the Raw Data Start VA and Raw Data End VA fields. The total template
	// size should be the same as the total size of TLS data in the image file.
	// The zero fill is the amount of data that comes after the initialized
	// nonzero data.
	SizeOfZeroFill uint32 `json:"size_of_zero_fill"`

	// The four bits [23:20] describe alignment info. Possible values are those
	// defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment
	// of section in object files. The other 28 bits are reserved for future use.
	Characteristics TLSDirectoryCharacteristicsType `json:"characteristics"`
}

ImageTLSDirectory64 represents the IMAGE_TLS_DIRECTORY64 structure. It Points to the Thread Local Storage initialization section.

type ImageThunkData32 

type ImageThunkData32 struct {
	AddressOfData uint32
}

ImageThunkData32 corresponds to one imported function from the executable. The entries are an array of 32-bit numbers for PE32 or an array of 64-bit numbers for PE32+. The ends of both arrays are indicated by an IMAGE_THUNK_DATA element with a value of zero. The IMAGE_THUNK_DATA union is a DWORD with these interpretations: DWORD Function; // Memory address of the imported function DWORD Ordinal; // Ordinal value of imported API DWORD AddressOfData; // RVA to an IMAGE_IMPORT_BY_NAME with the imported API name DWORD ForwarderString;// RVA to a forwarder string

type ImageThunkData64 

type ImageThunkData64 struct {
	AddressOfData uint64
}

ImageThunkData64 is the PE32+ version of IMAGE_THUNK_DATA.

type ImageVolatileMetadata 

type ImageVolatileMetadata struct {
	Size                       uint32 `json:"size"`
	Version                    uint32 `json:"version"`
	VolatileAccessTable        uint32 `json:"volatile_access_table"`
	VolatileAccessTableSize    uint32 `json:"volatile_access_table_size"`
	VolatileInfoRangeTable     uint32 `json:"volatile_info_range_table"`
	VolatileInfoRangeTableSize uint32 `json:"volatile_info_range_table_size"`
}

type ImplMapTableRow added in v1.4.7 

type ImplMapTableRow struct {
	// a 2-byte bitmask of type PInvokeAttributes, §23.1.8
	MappingFlags uint16 `json:"mapping_flags"`
	// an index into the Field or MethodDef table; more precisely,
	// a MemberForwarded (§II.24.2.6) coded index)
	MemberForwarded uint32 `json:"member_forwarded"`
	// an index into the String heap
	ImportName uint32 `json:"import_name"`
	// an index into the ModuleRef table
	ImportScope uint32 `json:"import_scope"`
}

ImplMap 0x1c

type Import 

type Import struct {
	Offset     uint32                `json:"offset"`
	Name       string                `json:"name"`
	Functions  []ImportFunction      `json:"functions"`
	Descriptor ImageImportDescriptor `json:"descriptor"`
}

Import represents an empty entry in the import table.

type ImportFunction 

type ImportFunction struct {
	// An ASCII string that contains the name to import. This is the string that
	// must be matched to the public name in the DLL. This string is case
	// sensitive and terminated by a null byte.
	Name string `json:"name"`

	// An index into the export name pointer table. A match is attempted first
	// with this value. If it fails, a binary search is performed on the DLL's
	// export name pointer table.
	Hint uint16 `json:"hint"`

	// If this is true, import by ordinal. Otherwise, import by name.
	ByOrdinal bool `json:"by_ordinal"`

	// A 16-bit ordinal number. This field is used only if the Ordinal/Name Flag
	// bit field is 1 (import by ordinal). Bits 30-15 or 62-15 must be 0.
	Ordinal uint32 `json:"ordinal"`

	// Name Thunk Value (OFT)
	OriginalThunkValue uint64 `json:"original_thunk_value"`

	// Address Thunk Value (FT)
	ThunkValue uint64 `json:"thunk_value"`

	// Address Thunk RVA.
	ThunkRVA uint32 `json:"thunk_rva"`

	// Name Thunk RVA.
	OriginalThunkRVA uint32 `json:"original_thunk_rva"`
}

ImportFunction represents an imported function in the import table.

type InterfaceImplTableRow added in v1.4.7 

type InterfaceImplTableRow struct {
	// an index into the TypeDef table
	Class uint32 `json:"class"`
	// an index into the TypeDef, TypeRef, or TypeSpec table; more precisely,
	// a TypeDefOrRef (§II.24.2.6) coded index
	Interface uint32 `json:"interface"`
}

InterfaceImpl 0x09

type LoadConfig 

type LoadConfig struct {
	Struct           interface{}       `json:"struct"`
	SEH              []uint32          `json:"seh"`
	GFIDS            []CFGFunction     `json:"gfids"`
	CFGIAT           []CFGIATEntry     `json:"cfgiat"`
	CFGLongJump      []uint32          `json:"cfg_long_jump"`
	CHPE             *HybridPE         `json:"chpe"`
	DVRT             *DVRT             `json:"dvrt"`
	Enclave          *Enclave          `json:"enclave"`
	VolatileMetadata *VolatileMetadata `json:"volatile_metadata"`
}

type ManifestResourceTableRow added in v1.4.7 

type ManifestResourceTableRow struct {
	Offset         uint32 `json:"offset"`         // a 4-byte constant
	Flags          uint32 `json:"flags"`          // a 4-byte bitmask of type ManifestResourceAttributes, §II.23.1.9
	Name           uint32 `json:"name"`           // an index into the String heap
	Implementation uint32 `json:"implementation"` // an index into a File table, a AssemblyRef table, or null; more precisely, an Implementation (§II.24.2.6) coded index
}

ManifestResource 0x28

type MemberRefTableRow added in v1.4.7 

type MemberRefTableRow struct {
	// an index into the MethodDef, ModuleRef,TypeDef, TypeRef, or TypeSpec
	// tables; more precisely, a MemberRefParent (§II.24.2.6) coded index
	Class uint32 `json:"class"`
	// // an index into the String heap
	Name uint32 `json:"name"`
	// an index into the Blob heap
	Signature uint32 `json:"signature"`
}

MembersRef 0x0a

type MetadataHeader 

type MetadataHeader struct {

	// The storage signature, which must be 4-byte aligned:
	// ”Magic” signature for physical metadata, currently 0x424A5342, or, read
	// as characters, BSJB—the initials of four “founding fathers” Brian Harry,
	// Susa Radke-Sproull, Jason Zander, and Bill Evans, who started the
	// runtime development in 1998.
	Signature uint32 `json:"signature"`

	// Major version.
	MajorVersion uint16 `json:"major_version"`

	// Minor version.
	MinorVersion uint16 `json:"minor_version"`

	// Reserved; set to 0.
	ExtraData uint32 `json:"extra_data"`

	// Length of the version string.
	VersionString uint32 `json:"version_string"`

	// Version string.
	Version string `json:"version"`

	// Reserved; set to 0.
	Flags uint8 `json:"flags"`

	// Number of streams.
	Streams uint16 `json:"streams"`
}

MetadataHeader consists of a storage signature and a storage header.

type MetadataStreamHeader 

type MetadataStreamHeader struct {
	// Offset in the file for this stream.
	Offset uint32 `json:"offset"`

	// Size of the stream in bytes.
	Size uint32 `json:"size"`

	// Name of the stream; a zero-terminated ASCII string no longer than 31
	// characters (plus zero terminator). The name might be shorter, in which
	// case the size of the stream header is correspondingly reduced, padded to
	// the 4-byte boundary.
	Name string `json:"name"`
}

MetadataStreamHeader represents a Metadata Stream Header Structure.

type MetadataTable added in v1.0.2 

type MetadataTable struct {
	// The name of the table.
	Name string `json:"name"`

	// Number of columns in the table.
	CountCols uint32 `json:"count_cols"`

	// Every table has a different layout, defined in the ECMA-335 spec.
	// Content abstract the type each table is pointing to.
	Content interface{} `json:"content"`
}

MetadataTable represents the content of a particular table in the metadata. The metadata schema defines 45 tables.

type MetadataTableStreamHeader added in v1.0.2 

type MetadataTableStreamHeader struct {
	// Reserved; set to 0.
	Reserved uint32 `json:"reserved"`

	// Major version of the table schema (1 for v1.0 and v1.1; 2 for v2.0 or later).
	MajorVersion uint8 `json:"major_version"`

	// Minor version of the table schema (0 for all versions).
	MinorVersion uint8 `json:"minor_version"`

	// Binary flags indicate the offset sizes to be used within the heaps.
	// 4-byte unsigned integer offset is indicated by:
	// - 0x01 for a string heap, 0x02 for a GUID heap, and 0x04 for a blob heap.
	// If a flag is not set, the respective heap offset is a 2-byte unsigned integer.
	// A #- stream can also have special flags set:
	// - flag 0x20, indicating that the stream contains only changes made
	// during an edit-and-continue session, and;
	// - flag 0x80, indicating that the  metadata might contain items marked as
	// deleted.
	Heaps uint8 `json:"heaps"`

	// Bit width of the maximal record index to all tables of the metadata;
	// calculated at run time (during the metadata stream initialization).
	RID uint8 `json:"rid"`

	// Bit vector of present tables, each bit representing one table (1 if
	// present).
	MaskValid uint64 `json:"mask_valid"`

	// Bit vector of sorted tables, each bit representing a respective table (1
	// if sorted)
	Sorted uint64 `json:"sorted"`
}

MetadataTableStreamHeader represents the Metadata Table Stream Header Structure.

type MethodDefTableRow added in v1.4.7 

type MethodDefTableRow struct {
	// a 4-byte constant
	RVA uint32 `json:"rva"`
	// a 2-byte bitmask of type MethodImplAttributes, §II.23.1.10
	ImplFlags uint16 `json:"impl_flags"`
	// a 2-byte bitmask of type MethodAttributes, §II.23.1.10
	Flags uint16 `json:"flags"`
	// an index into the String heap
	Name uint32 `json:"name"`
	// an index into the Blob heap
	Signature uint32 `json:"signature"`
	// an index into the Param table
	ParamList uint32 `json:"param_list"`
}

MethodDef 0x06

type MethodImplTableRow added in v1.4.7 

type MethodImplTableRow struct {
	// an index into the TypeDef table
	Class uint32 `json:"class"`
	// an index into the MethodDef or MemberRef table; more precisely, a
	// MethodDefOrRef (§II.24.2.6) coded index
	MethodBody uint32 `json:"method_body"`
	// // an index into the MethodDef or MemberRef table; more precisely, a
	// MethodDefOrRef (§II.24.2.6) coded index
	MethodDeclaration uint32 `json:"method_declaration"`
}

MethodImpl 0x19

type MethodSemanticsTableRow added in v1.4.7 

type MethodSemanticsTableRow struct {
	// a 2-byte bitmask of type MethodSemanticsAttributes, §II.23.1.12
	Semantics uint16 `json:"semantics"`
	// an index into the MethodDef table
	Method uint32 `json:"method"`
	// an index into the Event or Property table; more precisely,
	// a HasSemantics (§II.24.2.6) coded index
	Association uint32 `json:"association"`
}

MethodSemantics 0x18

type MethodSpecTableRow added in v1.4.7 

type MethodSpecTableRow struct {
	Method        uint32 `json:"method"`        // an index into the MethodDef or MemberRef table, specifying to which generic method this row refers; that is, which generic method this row is an instantiation of; more precisely, a MethodDefOrRef (§II.24.2.6) coded index
	Instantiation uint32 `json:"instantiation"` // an index into the Blob heap
}

MethodSpec 0x2b

type ModuleRefTableRow added in v1.4.7 

type ModuleRefTableRow struct {
	// an index into the String heap
	Name uint32 `json:"name"`
}

ModuleRef 0x1a

type ModuleTableRow added in v1.0.2 

type ModuleTableRow struct {
	// a 2-byte value, reserved, shall be zero
	Generation uint16 `json:"generation"`
	// an index into the String heap
	Name uint32 `json:"name"`
	// an index into the Guid heap; simply a Guid used to distinguish between
	// two versions of the same module
	Mvid uint32 `json:"mvid"`
	// an index into the Guid heap; reserved, shall be zero
	EncID uint32 `json:"enc_id"`
	// an index into the Guid heap; reserved, shall be zero
	EncBaseID uint32 `json:"enc_base_id"`
}

Module 0x00

type NestedClassTableRow added in v1.4.7 

type NestedClassTableRow struct {
	NestedClass    uint32 `json:"nested_class"`    // an index into the TypeDef table
	EnclosingClass uint32 `json:"enclosing_class"` // an index into the TypeDef table
}

NestedClass 0x29

type Options 

type Options struct {

	// Parse only the PE header and do not parse data directories, by default (false).
	Fast bool

	// Includes section entropy, by default (false).
	SectionEntropy bool

	// Maximum COFF symbols to parse, by default (MaxDefaultCOFFSymbolsCount).
	MaxCOFFSymbolsCount uint32

	// Maximum relocations to parse, by default (MaxDefaultRelocEntriesCount).
	MaxRelocEntriesCount uint32

	// Disable certificate validation, by default (false).
	DisableCertValidation bool

	// Disable signature validation, by default (false).
	DisableSignatureValidation bool

	// A custom logger.
	Logger log.Logger

	// OmitExportDirectory determines if export directory parsing is skipped, by default (false).
	OmitExportDirectory bool

	// OmitImportDirectory determines if import directory parsing is skipped, by default (false).
	OmitImportDirectory bool

	// OmitExceptionDirectory determines if exception directory parsing is skipped, by default (false).
	OmitExceptionDirectory bool

	// OmitResourceDirectory determines if resource directory parsing is skipped, by default (false).
	OmitResourceDirectory bool

	// OmitSecurityDirectory determines if security directory parsing is skipped, by default (false).
	OmitSecurityDirectory bool

	// OmitRelocDirectory determines if relocation directory parsing is skipped, by default (false).
	OmitRelocDirectory bool

	// OmitDebugDirectory determines if debug directory parsing is skipped, by default (false).
	OmitDebugDirectory bool

	// OmitArchitectureDirectory determines if architecture directory parsing is skipped, by default (false).
	OmitArchitectureDirectory bool

	// OmitGlobalPtrDirectory determines if global pointer directory parsing is skipped, by default (false).
	OmitGlobalPtrDirectory bool

	// OmitTLSDirectory determines if TLS directory parsing is skipped, by default (false).
	OmitTLSDirectory bool

	// OmitLoadConfigDirectory determines if load config directory parsing is skipped, by default (false).
	OmitLoadConfigDirectory bool

	// OmitBoundImportDirectory determines if bound import directory parsing is skipped, by default (false).
	OmitBoundImportDirectory bool

	// OmitIATDirectory determines if IAT directory parsing is skipped, by default (false).
	OmitIATDirectory bool

	// OmitDelayImportDirectory determines if delay import directory parsing is skipped, by default (false).
	OmitDelayImportDirectory bool

	// OmitCLRHeaderDirectory determines if CLR header directory parsing is skipped, by default (false).
	OmitCLRHeaderDirectory bool
}

Options that influence the PE parsing behaviour.

type POGO 

type POGO struct {
	// Signature represents the PGO sub type.
	Signature POGOType       `json:"signature"`
	Entries   []ImagePGOItem `json:"entries"`
}

POGO structure contains information related to the Profile Guided Optimization. PGO is an approach to optimization where the compiler uses profile information to make better optimization decisions for the program.

type POGOType added in v1.3.9 

type POGOType uint32

POGOType represents a POGO type.

func (POGOType) String added in v1.3.9 

func (p POGOType) String() string

String returns a string interpretation of a POGO type.

type ParamTableRow added in v1.4.7 

type ParamTableRow struct {
	// a 2-byte bitmask of type ParamAttributes, §II.23.1.13
	Flags uint16 `json:"flags"`
	// a 2-byte constant
	Sequence uint16 `json:"sequence"`
	// an index into the String heap
	Name uint32 `json:"name"`
}

Param 0x08

type PropertyMapTableRow added in v1.4.7 

type PropertyMapTableRow struct {
	// an index	into the TypeDef table
	Parent uint32 `json:"parent"`
	// an index into the Property table
	PropertyList uint32 `json:"property_list"`
}

PropertyMap 0x15

type PropertyTableRow added in v1.4.7 

type PropertyTableRow struct {
	// a 2-byte bitmask of type PropertyAttributes, §II.23.1.14
	Flags uint16 `json:"flags"`
	// an index into the String heap
	Name uint32 `json:"name"`
	// an index into the Blob heap
	Type uint32 `json:"type"`
}

Property 0x17

type REPRO 

type REPRO struct {
	Size uint32 `json:"size"`
	Hash []byte `json:"hash"`
}

type Range added in v1.2.4 

type Range struct {
	Start uint32
	End   uint32
}

type RangeTableEntry 

type RangeTableEntry struct {
	RVA  uint32 `json:"rva"`
	Size uint32 `json:"size"`
}

type RelRange added in v1.2.4 

type RelRange struct {
	Start  uint32
	Length uint32
}

type RelocBlock 

type RelocBlock struct {
	ImgBaseReloc ImageBaseRelocation `json:"img_base_reloc"`
	TypeOffsets  []interface{}       `json:"type_offsets"`
}

type RelocEntry 

type RelocEntry struct {
	// Could be ImageDynamicRelocation32{} or ImageDynamicRelocation64{}
	ImageDynamicRelocation interface{}  `json:"image_dynamic_relocation"`
	RelocBlocks            []RelocBlock `json:"reloc_blocks"`
}

type Relocation 

type Relocation struct {
	// Points to the ImageBaseRelocation structure.
	Data ImageBaseRelocation `json:"data"`

	// holds the list of entries for each chunk.
	Entries []ImageBaseRelocationEntry `json:"entries"`
}

Relocation represents the relocation table which holds the data that needs to be relocated.

type ResourceDataEntry 

type ResourceDataEntry struct {

	// IMAGE_RESOURCE_DATA_ENTRY structure.
	Struct ImageResourceDataEntry `json:"struct"`

	// Primary language ID.
	Lang ResourceLang `json:"lang"`

	// Sub language ID.
	SubLang ResourceSubLang `json:"sub_lang"`
}

ResourceDataEntry represents a resource data entry.

type ResourceDirectory 

type ResourceDirectory struct {
	// IMAGE_RESOURCE_DIRECTORY structure.
	Struct ImageResourceDirectory `json:"struct"`

	// list of entries.
	Entries []ResourceDirectoryEntry `json:"entries"`
}

ResourceDirectory represents resource directory information.

type ResourceDirectoryEntry 

type ResourceDirectoryEntry struct {
	// IMAGE_RESOURCE_DIRECTORY_ENTRY structure.
	Struct ImageResourceDirectoryEntry `json:"struct"`

	// If the resource is identified by name this attribute will contain the
	// name string. Empty string otherwise. If identified by id, the id is
	// available at `ID` field.
	Name string `json:"name"`

	// The resource identifier.
	ID uint32 `json:"id"`

	// IsResourceDir tell us if the entry is pointing to a resource directory or
	// a resource data entry.
	IsResourceDir bool `json:"is_resource_dir"`

	// If this entry has a lower level directory this attribute will point to
	// the ResourceDirData instance representing it.
	Directory ResourceDirectory `json:"directory"`

	// If this entry has no further lower directories and points to the actual
	// resource data, this attribute will reference the corresponding
	// ResourceDataEntry instance.
	Data ResourceDataEntry `json:"data"`
}

ResourceDirectoryEntry represents a resource directory entry.

type ResourceLang added in v1.3.9 

type ResourceLang uint32

ResourceLang represents a resource language. 

const (
	// Afrikaans (af)
	LangAfrikaans ResourceLang = 0x0036
	// Albanian (sq)
	LangAlbanian ResourceLang = 0x001C
	// Alsatian (gsw)
	LangAlsatian ResourceLang = 0x0084
	// Amharic (am)
	LangAmharic ResourceLang = 0x005E
	// Arabic (ar)
	LangArabic ResourceLang = 0x0001
	// Armenian (hy)
	LangArmenian ResourceLang = 0x002B
	// Assamese (as)
	LangAssamese ResourceLang = 0x004D
	// Azerbaijani (Latin) (az)
	LangAzerbaijaniLatin ResourceLang = 0x002C
	// Bangla (bn)
	LangBangla ResourceLang = 0x0045
	// Bashkir (ba)
	LangBashkir ResourceLang = 0x006D
	// Basque (eu)
	LangBasque ResourceLang = 0x002D
	// Belarusian (be)
	LangBelarusian ResourceLang = 0x0023
	// Bosnian (Latin) (bs)
	LangBosnianLatin ResourceLang = 0x781A
	// Breton (br)
	LangBreton ResourceLang = 0x007E
	// Bulgarian (bg)
	LangBulgarian ResourceLang = 0x0002
	// Burmese (my)
	LangBurmese ResourceLang = 0x0055
	// Catalan (ca)
	LangCatalan ResourceLang = 0x0003
	// Central Kurdish (ku)
	LangCentralKurdish ResourceLang = 0x0092
	// Cherokee (chr)
	LangCherokee ResourceLang = 0x005C
	// Chinese (Simplified) (zh)
	LangChineseSimplified ResourceLang = 0x7804
	// Corsican (co)
	LangCorsican ResourceLang = 0x0083
	// Croatian (hr)
	LangCroatian ResourceLang = 0x001A
	// Czech (cs)
	LangCzech ResourceLang = 0x0005
	// Danish (da)
	LangDanish ResourceLang = 0x0006
	// Dari (prs)
	LangDari ResourceLang = 0x008C
	// Divehi (dv)
	LangDivehi ResourceLang = 0x0065
	// Dutch (nl)
	LangDutch ResourceLang = 0x0013
	// English (en)
	LangEnglish ResourceLang = 0x0009
	// Estonian (et)
	LangEstonian ResourceLang = 0x0025
	// Faroese (fo)
	LangFaroese ResourceLang = 0x0038
	// Filipino (fil)
	LangFilipino ResourceLang = 0x0064
	// Finnish (fi)
	LangFinnish ResourceLang = 0x000B
	// French (fr)
	LangFrench ResourceLang = 0x000C
	// Frisian (fy)
	LangFrisian ResourceLang = 0x0062
	// Fulah (ff)
	LangFulah ResourceLang = 0x0067
	// Fulah (Latin) (ff-Latn)
	LangFulahLatin ResourceLang = 0x7C67
	// Galician (gl)
	LangGalician ResourceLang = 0x0056
	// Georgian (ka)
	LangGeorgian ResourceLang = 0x0037
	// German (de)
	LangGerman ResourceLang = 0x0007
	// Greek (el)
	LangGreek ResourceLang = 0x0008
	// Greenlandic (kl)
	LangGreenlandic ResourceLang = 0x006F
	// Guarani (gn)
	LangGuarani ResourceLang = 0x0074
	// Gujarati (gu)
	LangGujarati ResourceLang = 0x0047
	// Hausa (Latin) (ha)
	LangHausaLatin ResourceLang = 0x0068
	// Hawaiian (haw)
	LangHawaiian ResourceLang = 0x0075
	// Hebrew (he)
	LangHebrew ResourceLang = 0x000D
	// Hindi (hi)
	LangHindi ResourceLang = 0x0039
	// Hungarian (hu)
	LangHungarian ResourceLang = 0x000E
	// Icelandic (is)
	LangIcelandic ResourceLang = 0x000F
	// Igbo (ig)
	LangIgbo ResourceLang = 0x0070
	// Indonesian (id)
	LangIndonesian ResourceLang = 0x0021
	// Inuktitut (Latin) (iu)
	LangInuktitutLatin ResourceLang = 0x005D
	// Irish (ga)
	LangIrish ResourceLang = 0x003C
	// Italian (it)
	LangItalian ResourceLang = 0x0010
	// Japanese (ja)
	LangJapanese ResourceLang = 0x0011
	// Kannada (kn)
	LangKannada ResourceLang = 0x004B
	// Kashmiri (ks)
	LangKashmiri ResourceLang = 0x0060
	// Kazakh (kk)
	LangKazakh ResourceLang = 0x003F
	// Khmer (km)
	LangKhmer ResourceLang = 0x0053
	// K'iche (quc)
	LangKiche ResourceLang = 0x0086
	// Kinyarwanda (rw)
	LangKinyarwanda ResourceLang = 0x0087
	// Kiswahili (sw)
	LangKiswahili ResourceLang = 0x0041
	// Konkani (kok)
	LangKonkani ResourceLang = 0x0057
	// Korean (ko)
	LangKorean ResourceLang = 0x0012
	// Kyrgyz (ky)
	LangKyrgyz ResourceLang = 0x0040
	// Lao (lo)
	LangLao ResourceLang = 0x0054
	// Latvian (lv)
	LangLatvian ResourceLang = 0x0026
	// Lithuanian (lt)
	LangLithuanian ResourceLang = 0x0027
	// Lower Sorbian (dsb)
	LangLowerSorbian ResourceLang = 0x7C2E
	// Luxembourgish (lb)
	LangLuxembourgish ResourceLang = 0x006E
	// Macedonian (mk)
	LangMacedonian ResourceLang = 0x002F
	// Malay (ms)
	LangMalay ResourceLang = 0x003E
	// Malayalam (ml)
	LangMalayalam ResourceLang = 0x004C
	// Maltese (mt)
	LangMaltese ResourceLang = 0x003A
	// Maori (mi)
	LangMaori ResourceLang = 0x0081
	// Mapudungun (arn)
	LangMapudungun ResourceLang = 0x007A
	// Marathi (mr)
	LangMarathi ResourceLang = 0x004E
	// Mohawk (moh)
	LangMohawk ResourceLang = 0x007C
	// Mongolian (Cyrillic) (mn)
	LangMongolianCyrillic ResourceLang = 0x0050
	// Nepali (ne)
	LangNepali ResourceLang = 0x0061
	// Norwegian (Bokmal) (no)
	LangNorwegianBokmalNo ResourceLang = 0x0014
	// Norwegian (Bokmal) (nb)
	LangNorwegianBokmal ResourceLang = 0x7C14
	// Norwegian (Nynorsk) (nn)
	LangNorwegianNynorsk ResourceLang = 0x7814
	// Occitan (oc)
	LangOccitan ResourceLang = 0x0082
	// Odia (or)
	LangOdia ResourceLang = 0x0048
	// Oromo (om)
	LangOromo ResourceLang = 0x0072
	// Pashto (ps)
	LangPashto ResourceLang = 0x0063
	// Persian (fa)
	LangPersian ResourceLang = 0x0029
	// Polish (pl)
	LangPolish ResourceLang = 0x0015
	// Portuguese (pt)
	LangPortuguese ResourceLang = 0x0016
	// Punjabi (pa)
	LangPunjabi ResourceLang = 0x0046
	// Quechua (quz)
	LangQuechua ResourceLang = 0x006B
	// Romanian (ro)
	LangRomanian ResourceLang = 0x0018
	// Romansh (rm)
	LangRomansh ResourceLang = 0x0017
	// Russian (ru)
	LangRussian ResourceLang = 0x0019
	// Sakha (sah)
	LangSakha ResourceLang = 0x0085
	// Sami (Inari) (smn)
	LangSamiInari ResourceLang = 0x703B
	// Sami (Lule) (smj)
	LangSamiLule ResourceLang = 0x7C3B
	// Sami (Northern) (se)
	LangSamiNorthern ResourceLang = 0x003B
	// Sami (Skolt) (sms)
	LangSamiSkolt ResourceLang = 0x743B
	// Sami (Southern) (sma)
	LangSamiSouthern ResourceLang = 0x783B
	// Sanskrit (sa)
	LangSanskrit ResourceLang = 0x004F
	// Scottish Gaelic (gd)
	LangScottishGaelic ResourceLang = 0x0091
	// Serbian (Latin) (sr)
	LangSerbianLatin ResourceLang = 0x7C1A
	// Sesotho Sa Leboa (nso)
	LangSesothoSaLeboa ResourceLang = 0x006C
	// Setswana (tn)
	LangSetswana ResourceLang = 0x0032
	// Sindhi (sd)
	LangSindhi ResourceLang = 0x0059
	// Sinhala (si)
	LangSinhala ResourceLang = 0x005B
	// Slovak (sk)
	LangSlovak ResourceLang = 0x001B
	// Slovenian (sl)
	LangSlovenian ResourceLang = 0x0024
	// Somali (so)
	LangSomali ResourceLang = 0x0077
	// Sotho (st)
	LangSotho ResourceLang = 0x0030
	// Spanish (es)
	LangSpanish ResourceLang = 0x000A
	// Swedish (sv)
	LangSwedish ResourceLang = 0x001D
	// Syriac (syr)
	LangSyriac ResourceLang = 0x005A
	// Tajik (Cyrillic) (tg)
	LangTajikCyrillic ResourceLang = 0x0028
	// Tamazight (Latin) (tzm)
	LangTamazightLatin ResourceLang = 0x005F
	// Tamil (ta)
	LangTamil ResourceLang = 0x0049
	// Tatar (tt)
	LangTatar ResourceLang = 0x0044
	// Telugu (te)
	LangTelugu ResourceLang = 0x004A
	// Thai (th)
	LangThai ResourceLang = 0x001E
	// Tibetan (bo)
	LangTibetan ResourceLang = 0x0051
	// Tigrinya (ti)
	LangTigrinya ResourceLang = 0x0073
	// Tsonga (ts)
	LangTsonga ResourceLang = 0x0031
	// Turkish (tr)
	LangTurkish ResourceLang = 0x001F
	// Turkmen (tk)
	LangTurkmen ResourceLang = 0x0042
	// Ukrainian (uk)
	LangUkrainian ResourceLang = 0x0022
	// Upper Sorbian (hsb)
	LangUpperSorbian ResourceLang = 0x002E
	// Urdu (ur)
	LangUrdu ResourceLang = 0x0020
	// Uyghur (ug)
	LangUyghur ResourceLang = 0x0080
	// Uzbek (Latin) (uz)
	LangUzbekLatin ResourceLang = 0x0043
	// Venda (ve)
	LangVenda ResourceLang = 0x0033
	// Vietnamese (vi)
	LangVietnamese ResourceLang = 0x002A
	// Welsh (cy)
	LangWelsh ResourceLang = 0x0052
	// Wolof (wo)
	LangWolof ResourceLang = 0x0088
	// Xhosa (xh)
	LangXhosa ResourceLang = 0x0034
	// Yi (ii)
	LangYi ResourceLang = 0x0078
	// Yoruba (yo)
	LangYoruba ResourceLang = 0x006A
	// Zulu (zu)
	LangZulu ResourceLang = 0x0035
)

All resource language identifiers.

func (ResourceLang) String added in v1.3.9 

func (lang ResourceLang) String() string

String stringify the resource language.

type ResourceSubLang added in v1.3.9 

type ResourceSubLang uint32

ResourceSubLang represents a resource sub language. 

const (
	// Afrikaans South Africa (af-ZA)
	SubLangAfrikaansSouthAfrica ResourceSubLang = iota
	// Albanian Albania (sq-AL)
	SubLangAlbanianAlbania
	// Alsatian France (gsw-FR)
	SubLangAlsatianFrance
	// Amharic Ethiopia (am-ET)
	SubLangAmharicEthiopia
	// Arabic Algeria (ar-DZ)
	SubLangArabicAlgeria
	// Arabic Bahrain (ar-BH)
	SubLangArabicBahrain
	// Arabic Egypt (ar-EG)
	SubLangArabicEgypt
	// Arabic Iraq (ar-IQ)
	SubLangArabicIraq
	// Arabic Jordan (ar-JO)
	SubLangArabicJordan
	// Arabic Kuwait (ar-KW)
	SubLangArabicKuwait
	// Arabic Lebanon (ar-LB)
	SubLangArabicLebanon
	// Arabic Libya (ar-LY)
	SubLangArabicLibya
	// Arabic Morocco (ar-MA)
	SubLangArabicMorocco
	// Arabic Oman (ar-OM)
	SubLangArabicOman
	// Arabic Qatar (ar-QA)
	SubLangArabicQatar
	// Arabic Saudi Arabia (ar-SA)
	SubLangArabicSaudiArabia
	// Arabic Syria (ar-SY)
	SubLangArabicSyria
	// Arabic Tunisia (ar-TN)
	SubLangArabicTunisia
	// Arabic U.a.e. (ar-AE)
	SubLangArabicUae
	// Arabic Yemen (ar-YE)
	SubLangArabicYemen
	// Armenian Armenia (hy-AM)
	SubLangArmenianArmenia
	// Assamese India (as-IN)
	SubLangAssameseIndia
	// Azerbaijani (Cyrillic) (az-Cyrl)
	SubLangAzerbaijaniCyrillic
	// Azerbaijani (Cyrillic) Azerbaijan (az-Cyrl-AZ)
	SubLangAzerbaijaniCyrillicAzerbaijan
	// Azerbaijani (Latin) (az-Latn)
	SubLangAzerbaijaniLatin
	// Azerbaijani (Latin) Azerbaijan (az-Latn-AZ)
	SubLangAzerbaijaniLatinAzerbaijan
	// Bangla Bangladesh (bn-BD)
	SubLangBanglaBangladesh
	// Bangla India (bn-IN)
	SubLangBanglaIndia
	// Bashkir Russia (ba-RU)
	SubLangBashkirRussia
	// Basque Spain (eu-ES)
	SubLangBasqueSpain
	// Belarusian Belarus (be-BY)
	SubLangBelarusianBelarus
	// Bosnian (Cyrillic) (bs-Cyrl)
	SubLangBosnianCyrillic
	// Bosnian (Cyrillic) Bosnia And Herzegovina (bs-Cyrl-BA)
	SubLangBosnianCyrillicBosniaAndHerzegovina
	// Bosnian (Latin) (bs-Latn)
	SubLangBosnianLatin
	// Bosnian (Latin) Bosnia And Herzegovina (bs-Latn-BA)
	SubLangBosnianLatinBosniaAndHerzegovina
	// Breton France (br-FR)
	SubLangBretonFrance
	// Bulgarian Bulgaria (bg-BG)
	SubLangBulgarianBulgaria
	// Burmese Myanmar (my-MM)
	SubLangBurmeseMyanmar
	// Catalan Spain (ca-ES)
	SubLangCatalanSpain
	// Central Atlas Tamazight (Arabic) Morocco (tzm-ArabMA)
	SubLangCentralAtlasTamazightArabicMorocco
	// Central Kurdish (ku-Arab)
	SubLangCentralKurdish
	// Central Kurdish Iraq (ku-Arab-IQ)
	SubLangCentralKurdishIraq
	// Cherokee (chr-Cher)
	SubLangCherokee
	// Cherokee United States (chr-Cher-US)
	SubLangCherokeeUnitedStates
	// Chinese (Simplified) (zh-Hans)
	SubLangChineseSimplified
	// Chinese (Simplified) People's Republic Of China (zh-CN)
	SubLangChineseSimplifiedPeoplesRepublicOfChina
	// Chinese (Simplified) Singapore (zh-SG)
	SubLangChineseSimplifiedSingapore
	// Chinese (Traditional) (zh-Hant)
	SubLangChineseTraditional
	// Chinese (Traditional) Hong Kong S.a.r. (zh-HK)
	SubLangChineseTraditionalHongKongSar
	// Chinese (Traditional) Macao S.a.r. (zh-MO)
	SubLangChineseTraditionalMacaoSar
	// Chinese (Traditional) Taiwan (zh-TW)
	SubLangChineseTraditionalTaiwan
	// Corsican France (co-FR)
	SubLangCorsicanFrance
	// Croatian Croatia (hr-HR)
	SubLangCroatianCroatia
	// Croatian (Latin) Bosnia And Herzegovina (hr-BA)
	SubLangCroatianLatinBosniaAndHerzegovina
	// Czech Czech Republic (cs-CZ)
	SubLangCzechCzechRepublic
	// Danish Denmark (da-DK)
	SubLangDanishDenmark
	// Dari Afghanistan (prs-AF)
	SubLangDariAfghanistan
	// Divehi Maldives (dv-MV)
	SubLangDivehiMaldives
	// Dutch Belgium (nl-BE)
	SubLangDutchBelgium
	// Dutch Netherlands (nl-NL)
	SubLangDutchNetherlands
	// Dzongkha Bhutan (dz-BT)
	SubLangDzongkhaBhutan
	// English Australia (en-AU)
	SubLangEnglishAustralia
	// English Belize (en-BZ)
	SubLangEnglishBelize
	// English Canada (en-CA)
	SubLangEnglishCanada
	// English Caribbean (en-029)
	SubLangEnglishCaribbean
	// English Hong Kong (en-HK)
	SubLangEnglishHongKong
	// English India (en-IN)
	SubLangEnglishIndia
	// English Ireland (en-IE)
	SubLangEnglishIreland
	// English Jamaica (en-JM)
	SubLangEnglishJamaica
	// English Malaysia (en-MY)
	SubLangEnglishMalaysia
	// English New Zealand (en-NZ)
	SubLangEnglishNewZealand
	// English Republic Of The Philippines (en-PH)
	SubLangEnglishRepublicOfThePhilippines
	// English Singapore (en-SG)
	SubLangEnglishSingapore
	// English South Africa (en-ZA)
	SubLangEnglishSouthAfrica
	// English Trinidad And Tobago (en-TT)
	SubLangEnglishTrinidadAndTobago
	// English United Arab Emirates (en-AE)
	SubLangEnglishUnitedArabEmirates
	// English United Kingdom (en-GB)
	SubLangEnglishUnitedKingdom
	// English United States (en-US)
	SubLangEnglishUnitedStates
	// English Zimbabwe (en-ZW)
	SubLangEnglishZimbabwe
	// Estonian Estonia (et-EE)
	SubLangEstonianEstonia
	// Faroese Faroe Islands (fo-FO)
	SubLangFaroeseFaroeIslands
	// Filipino Philippines (fil-PH)
	SubLangFilipinoPhilippines
	// Finnish Finland (fi-FI)
	SubLangFinnishFinland
	// French Belgium (fr-BE)
	SubLangFrenchBelgium
	// French Cameroon (fr-CM)
	SubLangFrenchCameroon
	// French Canada (fr-CA)
	SubLangFrenchCanada
	// French Caribbean (fr-029)
	SubLangFrenchCaribbean
	// French Congo, Drc (fr-CD)
	SubLangFrenchCongoDrc
	// French Côte D'ivoire (fr-CI)
	SubLangFrenchCôteDivoire
	// French France (fr-FR)
	SubLangFrenchFrance
	// French Haiti (fr-HT)
	SubLangFrenchHaiti
	// French Luxembourg (fr-LU)
	SubLangFrenchLuxembourg
	// French Mali (fr-ML)
	SubLangFrenchMali
	// French Morocco (fr-MA)
	SubLangFrenchMorocco
	// French Principality Of Monaco (fr-MC)
	SubLangFrenchPrincipalityOfMonaco
	// French Reunion (fr-RE)
	SubLangFrenchReunion
	// French Senegal (fr-SN)
	SubLangFrenchSenegal
	// French Switzerland (fr-CH)
	SubLangFrenchSwitzerland
	// Frisian Netherlands (fy-NL)
	SubLangFrisianNetherlands
	// Fulah Nigeria (ff-NG)
	SubLangFulahNigeria
	// Fulah (Latin) Nigeria (ff-Latn-NG)
	SubLangFulahLatinNigeria
	// Fulah Senegal (ff-Latn-SN)
	SubLangFulahSenegal
	// Galician Spain (gl-ES)
	SubLangGalicianSpain
	// Georgian Georgia (ka-GE)
	SubLangGeorgianGeorgia
	// German Austria (de-AT)
	SubLangGermanAustria
	// German Germany (de-DE)
	SubLangGermanGermany
	// German Liechtenstein (de-LI)
	SubLangGermanLiechtenstein
	// German Luxembourg (de-LU)
	SubLangGermanLuxembourg
	// German Switzerland (de-CH)
	SubLangGermanSwitzerland
	// Greek Greece (el-GR)
	SubLangGreekGreece
	// Greenlandic Greenland (kl-GL)
	SubLangGreenlandicGreenland
	// Guarani Paraguay (gn-PY)
	SubLangGuaraniParaguay
	// Gujarati India (gu-IN)
	SubLangGujaratiIndia
	// Hausa (Latin) (ha-Latn)
	SubLangHausaLatin
	// Hausa (Latin) Nigeria (ha-Latn-NG)
	SubLangHausaLatinNigeria
	// Hawaiian United States (haw-US)
	SubLangHawaiianUnitedStates
	// Hebrew Israel (he-IL)
	SubLangHebrewIsrael
	// Hindi India (hi-IN)
	SubLangHindiIndia
	// Hungarian Hungary (hu-HU)
	SubLangHungarianHungary
	// Icelandic Iceland (is-IS)
	SubLangIcelandicIceland
	// Igbo Nigeria (ig-NG)
	SubLangIgboNigeria
	// Indonesian Indonesia (id-ID)
	SubLangIndonesianIndonesia
	// Inuktitut (Latin) (iu-Latn)
	SubLangInuktitutLatin
	// Inuktitut (Latin) Canada (iu-Latn-CA)
	SubLangInuktitutLatinCanada
	// Inuktitut (Syllabics) (iu-Cans)
	SubLangInuktitutSyllabics
	// Inuktitut (Syllabics) Canada (iu-Cans-CA)
	SubLangInuktitutSyllabicsCanada
	// Irish Ireland (ga-IE)
	SubLangIrishIreland
	// Italian Italy (it-IT)
	SubLangItalianItaly
	// Italian Switzerland (it-CH)
	SubLangItalianSwitzerland
	// Japanese Japan (ja-JP)
	SubLangJapaneseJapan
	// Kannada India (kn-IN)
	SubLangKannadaIndia
	// Kanuri (Latin) Nigeria (kr-Latn-NG)
	SubLangKanuriLatinNigeria
	// Kashmiri Perso-Arabic (ks-Arab)
	SubLangKashmiriPersoArabic
	// Kashmiri (Devanagari) India (ks-Deva-IN)
	SubLangKashmiriDevanagariIndia
	// Kazakh Kazakhstan (kk-KZ)
	SubLangKazakhKazakhstan
	// Khmer Cambodia (km-KH)
	SubLangKhmerCambodia
	// K'iche Guatemala (quc-Latn-GT)
	SubLangKicheGuatemala
	// Kinyarwanda Rwanda (rw-RW)
	SubLangKinyarwandaRwanda
	// Kiswahili Kenya (sw-KE)
	SubLangKiswahiliKenya
	// Konkani India (kok-IN)
	SubLangKonkaniIndia
	// Korean Korea (ko-KR)
	SubLangKoreanKorea
	// Kyrgyz Kyrgyzstan (ky-KG)
	SubLangKyrgyzKyrgyzstan
	// Lao Lao P.d.r. (lo-LA)
	SubLangLaoLaoPdr
	// Latin Vatican City (la-VA)
	SubLangLatinVaticanCity
	// Latvian Latvia (lv-LV)
	SubLangLatvianLatvia
	// Lithuanian Lithuania (lt-LT)
	SubLangLithuanianLithuania
	// Lower Sorbian Germany (dsb-DE)
	SubLangLowerSorbianGermany
	// Luxembourgish Luxembourg (lb-LU)
	SubLangLuxembourgishLuxembourg
	// Macedonian North Macedonia (mk-MK)
	SubLangMacedonianNorthMacedonia
	// Malay Brunei Darussalam (ms-BN)
	SubLangMalayBruneiDarussalam
	// Malay Malaysia (ms-MY)
	SubLangMalayMalaysia
	// Malayalam India (ml-IN)
	SubLangMalayalamIndia
	// Maltese Malta (mt-MT)
	SubLangMalteseMalta
	// Maori New Zealand (mi-NZ)
	SubLangMaoriNewZealand
	// Mapudungun Chile (arn-CL)
	SubLangMapudungunChile
	// Marathi India (mr-IN)
	SubLangMarathiIndia
	// Mohawk Canada (moh-CA)
	SubLangMohawkCanada
	// Mongolian (Cyrillic) (mn-Cyrl)
	SubLangMongolianCyrillic
	// Mongolian (Cyrillic) Mongolia (mn-MN)
	SubLangMongolianCyrillicMongolia
	// Mongolian (Traditional Mongolian) (mn-Mong)
	SubLangMongolianTraditionalMongolian
	// Mongolian (Traditional Mongolian) People's Republic Of China (mn-MongCN)
	SubLangMongolianTraditionalMongolianPeoplesRepublicOfChina
	// Mongolian (Traditional Mongolian) Mongolia (mn-MongMN)
	SubLangMongolianTraditionalMongolianMongolia
	// Nepali India (ne-IN)
	SubLangNepaliIndia
	// Nepali Nepal (ne-NP)
	SubLangNepaliNepal
	// Norwegian (Bokmal) Norway (nb-NO)
	SubLangNorwegianBokmalNorway
	// Norwegian (Nynorsk) Norway (nn-NO)
	SubLangNorwegianNynorskNorway
	// Occitan France (oc-FR)
	SubLangOccitanFrance
	// Odia India (or-IN)
	SubLangOdiaIndia
	// Oromo Ethiopia (om-ET)
	SubLangOromoEthiopia
	// Pashto Afghanistan (ps-AF)
	SubLangPashtoAfghanistan
	// Persian Iran (fa-IR)
	SubLangPersianIran
	// Polish Poland (pl-PL)
	SubLangPolishPoland
	// Portuguese Brazil (pt-BR)
	SubLangPortugueseBrazil
	// Portuguese Portugal (pt-PT)
	SubLangPortuguesePortugal
	// Pseudo Language Pseudo Locale For East Asian/Complex Script Localization Testing (qps-ploca)
	SubLangPseudoLanguagePseudoLocaleForEastAsianComplexScriptLocalizationTesting
	// Pseudo Language Pseudo Locale Used For Localization Testing (qps-ploc)
	SubLangPseudoLanguagePseudoLocaleUsedForLocalizationTesting
	// Pseudo Language Pseudo Locale Used For Localization Testing Of Mirrored Locales (qps-plocm)
	SubLangPseudoLanguagePseudoLocaleUsedForLocalizationTestingOfMirroredLocales
	// Punjabi (pa-Arab)
	SubLangPunjabi
	// Punjabi India (pa-IN)
	SubLangPunjabiIndia
	// Punjabi Islamic Republic Of Pakistan (pa-Arab-PK)
	SubLangPunjabiIslamicRepublicOfPakistan
	// Quechua Bolivia (quz-BO)
	SubLangQuechuaBolivia
	// Quechua Ecuador (quz-EC)
	SubLangQuechuaEcuador
	// Quechua Peru (quz-PE)
	SubLangQuechuaPeru
	// Romanian Moldova (ro-MD)
	SubLangRomanianMoldova
	// Romanian Romania (ro-RO)
	SubLangRomanianRomania
	// Romansh Switzerland (rm-CH)
	SubLangRomanshSwitzerland
	// Russian Moldova (ru-MD)
	SubLangRussianMoldova
	// Russian Russia (ru-RU)
	SubLangRussianRussia
	// Sakha Russia (sah-RU)
	SubLangSakhaRussia
	// Sami (Inari) Finland (smn-FI)
	SubLangSamiInariFinland
	// Sami (Lule) Norway (smj-NO)
	SubLangSamiLuleNorway
	// Sami (Lule) Sweden (smj-SE)
	SubLangSamiLuleSweden
	// Sami (Northern) Finland (se-FI)
	SubLangSamiNorthernFinland
	// Sami (Northern) Norway (se-NO)
	SubLangSamiNorthernNorway
	// Sami (Northern) Sweden (se-SE)
	SubLangSamiNorthernSweden
	// Sami (Skolt) Finland (sms-FI)
	SubLangSamiSkoltFinland
	// Sami (Southern) Norway (sma-NO)
	SubLangSamiSouthernNorway
	// Sami (Southern) Sweden (sma-SE)
	SubLangSamiSouthernSweden
	// Sanskrit India (sa-IN)
	SubLangSanskritIndia
	// Scottish Gaelic United Kingdom (gd-GB)
	SubLangScottishGaelicUnitedKingdom
	// Serbian (Cyrillic) (sr-Cyrl)
	SubLangSerbianCyrillic
	// Serbian (Cyrillic) Bosnia And Herzegovina (sr-Cyrl-BA)
	SubLangSerbianCyrillicBosniaAndHerzegovina
	// Serbian (Cyrillic) Montenegro (sr-Cyrl-ME)
	SubLangSerbianCyrillicMontenegro
	// Serbian (Cyrillic) Serbia (sr-Cyrl-RS)
	SubLangSerbianCyrillicSerbia
	// Serbian (Cyrillic) Serbia And Montenegro (Former) (sr-Cyrl-CS)
	SubLangSerbianCyrillicSerbiaAndMontenegroFormer
	// Serbian (Latin) (sr-Latn)
	SubLangSerbianLatin
	// Serbian (Latin) Bosnia And Herzegovina (sr-Latn-BA)
	SubLangSerbianLatinBosniaAndHerzegovina
	// Serbian (Latin) Montenegro (sr-Latn-ME)
	SubLangSerbianLatinMontenegro
	// Serbian (Latin) Serbia (sr-Latn-RS)
	SubLangSerbianLatinSerbia
	// Serbian (Latin) Serbia And Montenegro (Former) (sr-Latn-CS)
	SubLangSerbianLatinSerbiaAndMontenegroFormer
	// Sesotho Sa Leboa South Africa (nso-ZA)
	SubLangSesothoSaLeboaSouthAfrica
	// Setswana Botswana (tn-BW)
	SubLangSetswanaBotswana
	// Setswana South Africa (tn-ZA)
	SubLangSetswanaSouthAfrica
	// Sindhi (sd-Arab)
	SubLangSindhi
	// Sindhi Islamic Republic Of Pakistan (sd-Arab-PK)
	SubLangSindhiIslamicRepublicOfPakistan
	// Sinhala Sri Lanka (si-LK)
	SubLangSinhalaSriLanka
	// Slovak Slovakia (sk-SK)
	SubLangSlovakSlovakia
	// Slovenian Slovenia (sl-SI)
	SubLangSlovenianSlovenia
	// Somali Somalia (so-SO)
	SubLangSomaliSomalia
	// Sotho South Africa (st-ZA)
	SubLangSothoSouthAfrica
	// Spanish Argentina (es-AR)
	SubLangSpanishArgentina
	// Spanish Bolivarian Republic Of Venezuela (es-VE)
	SubLangSpanishBolivarianRepublicOfVenezuela
	// Spanish Bolivia (es-BO)
	SubLangSpanishBolivia
	// Spanish Chile (es-CL)
	SubLangSpanishChile
	// Spanish Colombia (es-CO)
	SubLangSpanishColombia
	// Spanish Costa Rica (es-CR)
	SubLangSpanishCostaRica
	// Spanish Cuba (es-CU)
	SubLangSpanishCuba
	// Spanish Dominican Republic (es-DO)
	SubLangSpanishDominicanRepublic
	// Spanish Ecuador (es-EC)
	SubLangSpanishEcuador
	// Spanish El Salvador (es-SV)
	SubLangSpanishElSalvador
	// Spanish Guatemala (es-GT)
	SubLangSpanishGuatemala
	// Spanish Honduras (es-HN)
	SubLangSpanishHonduras
	// Spanish Latin America (es-419)
	SubLangSpanishLatinAmerica
	// Spanish Mexico (es-MX)
	SubLangSpanishMexico
	// Spanish Nicaragua (es-NI)
	SubLangSpanishNicaragua
	// Spanish Panama (es-PA)
	SubLangSpanishPanama
	// Spanish Paraguay (es-PY)
	SubLangSpanishParaguay
	// Spanish Peru (es-PE)
	SubLangSpanishPeru
	// Spanish Puerto Rico (es-PR)
	SubLangSpanishPuertoRico
	// Spanish Spain (es-ES_tradnl)
	SubLangSpanishSpainTraditional
	// Spanish Spain (es-ES)
	SubLangSpanishSpain
	// Spanish United States (es-US)
	SubLangSpanishUnitedStates
	// Spanish Uruguay (es-UY)
	SubLangSpanishUruguay
	// Swedish Finland (sv-FI)
	SubLangSwedishFinland
	// Swedish Sweden (sv-SE)
	SubLangSwedishSweden
	// Syriac Syria (syr-SY)
	SubLangSyriacSyria
	// Tajik (Cyrillic) (tg-Cyrl)
	SubLangTajikCyrillic
	// Tajik (Cyrillic) Tajikistan (tg-Cyrl-TJ)
	SubLangTajikCyrillicTajikistan
	// Tamazight (Latin) (tzm-Latn)
	SubLangTamazightLatin
	// Tamazight (Latin) Algeria (tzm-Latn-DZ)
	SubLangTamazightLatinAlgeria
	// Tamil India (ta-IN)
	SubLangTamilIndia
	// Tamil Sri Lanka (ta-LK)
	SubLangTamilSriLanka
	// Tatar Russia (tt-RU)
	SubLangTatarRussia
	// Telugu India (te-IN)
	SubLangTeluguIndia
	// Thai Thailand (th-TH)
	SubLangThaiThailand
	// Tibetan People's Republic Of China (bo-CN)
	SubLangTibetanPeoplesRepublicOfChina
	// Tigrinya Eritrea (ti-ER)
	SubLangTigrinyaEritrea
	// Tigrinya Ethiopia (ti-ET)
	SubLangTigrinyaEthiopia
	// Tsonga South Africa (ts-ZA)
	SubLangTsongaSouthAfrica
	// Turkish Turkey (tr-TR)
	SubLangTurkishTurkey
	// Turkmen Turkmenistan (tk-TM)
	SubLangTurkmenTurkmenistan
	// Ukrainian Ukraine (uk-UA)
	SubLangUkrainianUkraine
	// Upper Sorbian Germany (hsb-DE)
	SubLangUpperSorbianGermany
	// Urdu India (ur-IN)
	SubLangUrduIndia
	// Urdu Islamic Republic Of Pakistan (ur-PK)
	SubLangUrduIslamicRepublicOfPakistan
	// Uyghur People's Republic Of China (ug-CN)
	SubLangUyghurPeoplesRepublicOfChina
	// Uzbek (Cyrillic) (uz-Cyrl)
	SubLangUzbekCyrillic
	// Uzbek (Cyrillic) Uzbekistan (uz-Cyrl-UZ)
	SubLangUzbekCyrillicUzbekistan
	// Uzbek (Latin) (uz-Latn)
	SubLangUzbekLatin
	// Uzbek (Latin) Uzbekistan (uz-Latn-UZ)
	SubLangUzbekLatinUzbekistan
	// Valencian Spain (ca-ESvalencia)
	SubLangValencianSpain
	// Venda South Africa (ve-ZA)
	SubLangVendaSouthAfrica
	// Vietnamese Vietnam (vi-VN)
	SubLangVietnameseVietnam
	// Welsh United Kingdom (cy-GB)
	SubLangWelshUnitedKingdom
	// Wolof Senegal (wo-SN)
	SubLangWolofSenegal
	// Xhosa South Africa (xh-ZA)
	SubLangXhosaSouthAfrica
	// Yi People's Republic Of China (ii-CN)
	SubLangYiPeoplesRepublicOfChina
	// Yiddish World (yi-001)
	SubLangYiddishWorld
	// Yoruba Nigeria (yo-NG)
	SubLangYorubaNigeria
	// Zulu South Africa (zu-ZA)
	SubLangZuluSouthAfrica
)

All resource sub-language identifiers.

func (ResourceSubLang) String added in v1.3.9 

func (subLang ResourceSubLang) String() string

String stringify the resource sub language.

type ResourceType added in v1.3.9 

type ResourceType int

ResourceType represents a resource type.

func (ResourceType) String added in v1.3.9 

func (rt ResourceType) String() string

String stringify the resource type.

type RichHeader 

type RichHeader struct {
	XORKey     uint32   `json:"xor_key"`
	CompIDs    []CompID `json:"comp_ids"`
	DansOffset int      `json:"dans_offset"`
	Raw        []byte   `json:"raw"`
}

RichHeader is a structure that is written right after the MZ DOS header. It consists of pairs of 4-byte integers. And it is also encrypted using a simple XOR operation using the checksum as the key. The data between the magic values encodes the ‘bill of materials’ that were collected by the linker to produce the binary.

type ScopeRecord added in v1.3.5 

type ScopeRecord struct {
	// This value indicates the offset of the first instruction within a __try
	// block located in the function.
	BeginAddress uint32 `json:"begin_address"`

	// This value indicates the offset to the instruction after the last
	// instruction within the __try block (conceptually the __except statement).
	EndAddress uint32 `json:"end_address"`

	// This value indicates the offset to the function located within the
	// parentheses of the __except() statement. In the documentation you'll
	// find this routine called the "exception handler" or "exception filter".
	HandlerAddress uint32 `json:"handler_address"`

	// This value indicates the offset to the first instruction in the __except
	// block associated with the __try block.
	JumpTarget uint32 `json:"jump_target"`
}

type ScopeTable added in v1.3.5 

type ScopeTable struct {
	// The count of scope records.
	Count uint32 `json:"count"`

	// A array of scope record.
	ScopeRecords []ScopeRecord `json:"scope_records"`
}

ScopeTable represents a variable length structure containing a count followed by Count "scope records". While the RUNTIME_FUNCTION describes the entire range of a function that contains SEH, the SCOPE_TABLE describes each of the individual __try/__except blocks within the function.

type Section 

type Section struct {
	Header ImageSectionHeader `json:"header"`
	// Entropy represents the section entropy. This field is not always populated
	// depending on weather entropy calculation is enabled. The reason behind
	// using a float64 pointer instead of a float64 is to distinguish between
	// the case when the section entropy is equal to zero and the case when the
	// entropy is equal to nil - meaning that it was never calculated.
	Entropy *float64 `json:"entropy,omitempty"`
}

Section represents a PE section header, plus additional data like entropy.

func (*Section) CalculateEntropy 

func (section *Section) CalculateEntropy(pe *File) float64

CalculateEntropy calculates section entropy.

func (*Section) Contains 

func (section *Section) Contains(rva uint32, pe *File) bool

Contains checks whether the section contains a given RVA.

func (*Section) Data 

func (section *Section) Data(start, length uint32, pe *File) []byte

Data returns a data chunk from a section.

func (*Section) NextHeaderAddr 

func (section *Section) NextHeaderAddr(pe *File) uint32

NextHeaderAddr returns the VirtualAddress of the next section.

func (*Section) PrettySectionFlags added in v1.1.0 

func (section *Section) PrettySectionFlags() []string

PrettySectionFlags returns the string representations of the `Flags` field of section header.

func (*Section) String added in v1.3.7 

func (section *Section) String() string

String stringifies the section name.

type SpcAttributeTypeAndOptionalValue added in v1.4.5 

type SpcAttributeTypeAndOptionalValue struct {
	Type  asn1.ObjectIdentifier
	Value SpcPeImageData `asn1:"optional"`
}

type SpcIndirectDataContent added in v1.4.5 

type SpcIndirectDataContent struct {
	Data          SpcAttributeTypeAndOptionalValue
	MessageDigest DigestInfo
}

type SpcPeImageData added in v1.4.5 

type SpcPeImageData struct {
	Flags asn1.BitString
	File  asn1.RawValue
}

type StandAloneSigTableRow added in v1.4.7 

type StandAloneSigTableRow struct {
	Signature uint32 `json:"signature"` // an index into the Blob heap
}

StandAloneSig 0x11

type String added in v1.4.2 

type String struct {
	Length      uint16
	ValueLength uint16
	Type        uint16
}

String Represents the organization of data in a file-version resource. It contains a string that describes a specific aspect of a file, for example, a file's version, its copyright notices, or its trademarks.

func (*String) GetOffset added in v1.4.2 

func (s *String) GetOffset(rva uint32, e ResourceDirectoryEntry, pe *File) uint32

type StringFileInfo added in v1.4.2 

type StringFileInfo struct {
	Length      uint16
	ValueLength uint16
	Type        uint16
}

StringFileInfo represents the organization of data in a file-version resource. It contains version information that can be displayed for a particular language and code page.

func (*StringFileInfo) GetOffset added in v1.4.2 

func (s *StringFileInfo) GetOffset(rva uint32, e ResourceDirectoryEntry, pe *File) uint32

func (*StringFileInfo) GetStringTableOffset added in v1.4.2 

func (s *StringFileInfo) GetStringTableOffset(offset uint32) uint32

type StringTable added in v1.4.2 

type StringTable struct {
	Length      uint16
	ValueLength uint16
	Type        uint16
}

StringTable represents the organization of data in a file-version resource. It contains language and code page formatting information for the version strings

func (*StringTable) GetOffset added in v1.4.2 

func (s *StringTable) GetOffset(rva uint32, e ResourceDirectoryEntry, pe *File) uint32

func (*StringTable) GetStringOffset added in v1.4.2 

func (s *StringTable) GetStringOffset(offset uint32, e ResourceDirectoryEntry) uint32

type TLSDirectory 

type TLSDirectory struct {

	// of type *IMAGE_TLS_DIRECTORY32 or *IMAGE_TLS_DIRECTORY64 structure.
	Struct interface{} `json:"struct"`

	// of type []uint32 or []uint64.
	Callbacks interface{} `json:"callbacks"`
}

TLSDirectory represents tls directory information with callback entries.

type TLSDirectoryCharacteristicsType added in v1.3.9 

type TLSDirectoryCharacteristicsType uint32

TLSDirectoryCharacteristicsType represents the type of a TLS directory Characteristics.

func (TLSDirectoryCharacteristicsType) String added in v1.3.9 

func (characteristics TLSDirectoryCharacteristicsType) String() string

String returns the string representations of the `Characteristics` field of TLS directory.

type ThunkData32 

type ThunkData32 struct {
	ImageThunkData ImageThunkData32
	Offset         uint32
}

type ThunkData64 

type ThunkData64 struct {
	ImageThunkData ImageThunkData64
	Offset         uint32
}

type TypeDefTableRow added in v1.4.7 

type TypeDefTableRow struct {
	// a 4-byte bitmask of type TypeAttributes, §II.23.1.15
	Flags uint32 `json:"flags"`
	// an index into the String heap
	TypeName uint32 `json:"type_name"`
	// an index into the String heap
	TypeNamespace uint32 `json:"type_namespace"`
	// an index into the TypeDef, TypeRef, or TypeSpec table; more precisely,
	// a TypeDefOrRef (§II.24.2.6) coded index
	Extends uint32 `json:"extends"`
	// an index into the Field table; it marks the first of a contiguous run
	// of Fields owned by this Type
	FieldList uint32 `json:"field_list"`
	// an index into the MethodDef table; it marks the first of a contiguous
	// run of Methods owned by this Type
	MethodList uint32 `json:"method_list"`
}

TypeDef 0x02

type TypeRefTableRow added in v1.4.7 

type TypeRefTableRow struct {
	// an index into a Module, ModuleRef, AssemblyRef or TypeRef table, or null;
	// more precisely, a ResolutionScope (§II.24.2.6) coded index.
	ResolutionScope uint32 `json:"resolution_scope"`
	// an index into the String heap
	TypeName uint32 `json:"type_name"`
	// an index into the String heap
	TypeNamespace uint32 `json:"type_namespace"`
}

TypeRef 0x01

type TypeSpecTableRow added in v1.4.7 

type TypeSpecTableRow struct {
	// an index into the Blob heap
	Signature uint32 `json:"signature"`
}

TypeSpec 0x1b

type UnwindCode 

type UnwindCode struct {
	// Offset (from the beginning of the prolog) of the end of the instruction
	// that performs is operation, plus 1 (that is, the offset of the start of
	// the next instruction).
	CodeOffset uint8 `json:"code_offset"`

	// The unwind operation code.
	UnwindOp UnwindOpType `json:"unwind_op"`

	// Operation info.
	OpInfo uint8 `json:"op_info"`

	// Allocation size.
	Operand     string `json:"operand"`
	FrameOffset uint16 `json:"frame_offset"`
}

UnwindCode is used to record the sequence of operations in the prolog that affect the nonvolatile registers and RSP. Each code item has this format: 

 typedef union _UNWIND_CODE {
    struct {
        UCHAR CodeOffset;
        UCHAR UnwindOp : 4;
        UCHAR OpInfo : 4;
    } DUMMYUNIONNAME;

    struct {
        UCHAR OffsetLow;
        UCHAR UnwindOp : 4;
        UCHAR OffsetHigh : 4;
    } EpilogueCode;

    USHORT FrameOffset;
} UNWIND_CODE, *PUNWIND_CODE;

It provides information about the amount of stack space allocated, the location of saved non-volatile registers, and whether or not a frame register is used and what relation it has to the rest of the stack.

type UnwindInfo 

type UnwindInfo struct {
	// (3 bits) Version number of the unwind data, currently 1 and 2.
	Version uint8 `json:"version"`

	// (5 bits) Three flags are currently defined above.
	Flags uint8 `json:"flags"`

	// Length of the function prolog in bytes.
	SizeOfProlog uint8 `json:"size_of_prolog"`

	// The number of slots in the unwind codes array. Some unwind codes,
	// for example, UWOP_SAVE_NONVOL, require more than one slot in the array.
	CountOfCodes uint8 `json:"count_of_codes"`

	// If nonzero, then the function uses a frame pointer (FP), and this field
	// is the number of the nonvolatile register used as the frame pointer,
	// using the same encoding for the operation info field of UNWIND_CODE nodes.
	FrameRegister uint8 `json:"frame_register"`

	// If the frame register field is nonzero, this field is the scaled offset
	// from RSP that is applied to the FP register when it's established. The
	// actual FP register is set to RSP + 16 * this number, allowing offsets
	// from 0 to 240. This offset permits pointing the FP register into the
	// middle of the local stack allocation for dynamic stack frames, allowing
	// better code density through shorter instructions. (That is, more
	// instructions can use the 8-bit signed offset form.)
	FrameOffset uint8 `json:"frame_offset"`

	// An array of items that explains the effect of the prolog on the
	// nonvolatile registers and RSP. See the section on UNWIND_CODE for the
	// meanings of individual items. For alignment purposes, this array always
	// has an even number of entries, and the final entry is potentially
	// unused. In that case, the array is one longer than indicated by the
	// count of unwind codes field.
	UnwindCodes []UnwindCode `json:"unwind_codes"`

	// Address of exception handler when UNW_FLAG_EHANDLER is set.
	ExceptionHandler uint32 `json:"exception_handler"`

	// If flag UNW_FLAG_CHAININFO is set, then the UNWIND_INFO structure ends
	// with three UWORDs. These UWORDs represent the RUNTIME_FUNCTION
	// information for the function of the chained unwind.
	FunctionEntry ImageRuntimeFunctionEntry `json:"function_entry"`
}

UnwindInfo represents the _UNWIND_INFO structure. It is used to record the effects a function has on the stack pointer, and where the nonvolatile registers are saved on the stack.

type UnwindOpType added in v1.4.1 

type UnwindOpType uint8

UnwindOpType represents the type of an unwind opcode.

func (UnwindOpType) String added in v1.4.1 

func (uo UnwindOpType) String() string

String returns the string representation of the an unwind opcode.

type VCFeature 

type VCFeature struct {
	PreVC11 uint32 `json:"pre_vc11"`
	CCpp    uint32 `json:"C/C++"`
	Gs      uint32 `json:"/GS"`
	Sdl     uint32 `json:"/sdl"`
	GuardN  uint32 `json:"guardN"`
}

type VolatileMetadata 

type VolatileMetadata struct {
	Struct         ImageVolatileMetadata `json:"struct"`
	AccessRVATable []uint32              `json:"access_rva_table"`
	InfoRangeTable []RangeTableEntry     `json:"info_range_table"`
}

type VsFixedFileInfo added in v1.4.2 

type VsFixedFileInfo struct {
	// Signature contains the value 0xFEEF04BD. This is used
	// with the `key` member of the VS_VERSIONINFO structure
	// when searching a file for the VS_FIXEDFILEINFO structure.
	Signature uint32 `json:"signature"`
	// StructVer is the binary version number of this structure.
	// The high-order word of this member contains the major version
	// number, and the low-order word contains the minor version number.
	StructVer uint32 `json:"struct_ver"`
	// FileVersionMS denotes the most significant 32 bits of the file's
	// binary version number.
	FileVersionMS uint32 `json:"file_version_ms"`
	// FileVersionLS denotes the least significant 32 bits of the file's
	// binary version number.
	FileVersionLS uint32 `json:"file_version_ls"`
	// ProductVersionMS represents the most significant 32 bits of the
	// binary version number of the product with which this file was distributed.
	ProductVersionMS uint32 `json:"product_version_ms"`
	// ProductVersionLS represents the most significant 32 bits of the
	// binary version number of the product with which this file was distributed.
	ProductVersionLS uint32 `json:"product_version_ls"`
	// FileFlagMask contains a bitmask that specifies the valid bits in FileFlags.
	// A bit is valid only if it was defined when the file was created.
	FileFlagMask uint32 `json:"file_flag_mask"`
	// FileFlags contains a bitmask that specifies the Boolean attributes of the file.
	// For example, the file contains debugging information or is compiled with debugging
	// features enabled if FileFlags is equal to 0x00000001L (VS_FF_DEBUG).
	FileFlags uint32 `json:"file_flags"`
	// FileOS represents the operating system for which this file was designed.
	FileOS uint32 `json:"file_os"`
	// FileType describes the general type of file.
	FileType uint32 `json:"file_type"`
	// FileSubtype specifies the function of the file. The possible values depend on the value of FileType.
	FileSubtype uint32 `json:"file_subtype"`
	// FileDateMS are the most significant 32 bits of the file's 64-bit binary creation date and time stamp.
	FileDateMS uint32 `json:"file_date_ms"`
	// FileDateLS are the least significant 32 bits of the file's 64-bit binary creation date and time stamp.
	FileDateLS uint32 `json:"file_date_ls"`
}

VsFixedFileInfo contains version information for a file. This information is language and code page independent.

func (*VsFixedFileInfo) GetOffset added in v1.4.2 

func (f *VsFixedFileInfo) GetOffset(e ResourceDirectoryEntry, pe *File) uint32

func (*VsFixedFileInfo) GetStringFileInfoOffset added in v1.4.2 

func (f *VsFixedFileInfo) GetStringFileInfoOffset(e ResourceDirectoryEntry) uint32

func (*VsFixedFileInfo) Size added in v1.4.2 

func (f *VsFixedFileInfo) Size() uint32

Size returns the size of this structure in bytes.

type VsVersionInfo added in v1.4.2 

type VsVersionInfo struct {
	// Length is the length, in bytes, of the VS_VERSIONINFO structure.
	// This length does not include any padding that aligns any
	// subsequent version resource data on a 32-bit boundary.
	Length uint16 `json:"length"`
	// ValueLength is the length, in bytes, of arbitrary data associated
	// with the VS_VERSIONINFO structure.
	// This value is zero if there is no any data associated with the
	// current version structure.
	ValueLength uint16 `json:"value_length"`
	// Type represents as many zero words as necessary to align the StringFileInfo
	// and VarFileInfo structures on a 32-bit boundary. These bytes are not included
	// in ValueLength.
	Type uint16 `json:"type"`
}

VsVersionInfo represents the organization of data in a file-version resource. It is the root structure that contains all other file-version information structures.

type WinCertificate 

type WinCertificate struct {
	// Specifies the length, in bytes, of the signature.
	Length uint32 `json:"length"`

	// Specifies the certificate revision.
	Revision uint16 `json:"revision"`

	// Specifies the type of certificate.
	CertificateType uint16 `json:"certificate_type"`
}

WinCertificate encapsulates a signature used in verifying executable files.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.