pe

package module
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Oct 27, 2023 License: Apache-2.0 Imports: 30 Imported by: 0

README

go-pe - A Golang parser for PE files.

This parser is designed to extract high-level information about PE files on disk. The information currently provided is:

  • RSDS GUID and PDB files.
  • VersionInformation strings.

Documentation

Index

Constants

// Parser limits. Counts and lengths in a PE file come from the file under
// analysis and are therefore untrusted; these are the ceilings this package
// declares for them.
// NOTE(review): where each limit is enforced is not visible in this listing —
// presumably through the Cap* helpers; confirm against the callers.
const (
	MAX_NUMBER_OF_SECTIONS           = 1000
	MAX_RESOURCE_DIRECTORY_LENGTH    = 100
	MAX_IMPORT_TABLE_LENGTH          = 10 * 1024
	MAX_RESOURCE_BLOCKS              = 10 * 1024
	MAX_MESSAGE_LENGTH               = 10 * 1024
	MAX_MESSAGES                     = 100 * 1024
	MAX_RESOURCE_STRING_TABLE_LENGTH = 100 * 1024
	MAX_WIN_CERTIFICATE_LENGTH       = 1024 * 1024
)

// Indexes into the optional header's data directory array, listed in table
// order as defined by the PE format.
const (
	IMAGE_DIRECTORY_ENTRY_EXPORT         = 0
	IMAGE_DIRECTORY_ENTRY_IMPORT         = 1
	IMAGE_DIRECTORY_ENTRY_RESOURCE       = 2
	IMAGE_DIRECTORY_ENTRY_EXCEPTION      = 3
	IMAGE_DIRECTORY_ENTRY_SECURITY       = 4 // certificate table; its address field is a file offset, not an RVA
	IMAGE_DIRECTORY_ENTRY_BASERELOC      = 5
	IMAGE_DIRECTORY_ENTRY_DEBUG          = 6
	IMAGE_DIRECTORY_ENTRY_ARCHITECTURE   = 7
	IMAGE_DIRECTORY_ENTRY_GLOBALPTR      = 8
	IMAGE_DIRECTORY_ENTRY_TLS            = 9
	IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    = 10
	IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   = 11
	IMAGE_DIRECTORY_ENTRY_IAT            = 12
	IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   = 13
	IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
)

Variables

// Object identifiers for Authenticode and catalog structures, grouped by arc.
// How each one is matched during parsing is not visible in this listing.
//
// Reference https://datatracker.ietf.org/doc/html/rfc2315
var (
	// Microsoft Authenticode (SPC) arc: 1.3.6.1.4.1.311.2.1.*
	OIDIndirectData       = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 4}
	OIDSPC_CAB_DATA_OBJID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 2, 1, 25}

	// Same arc, but declared as a plain []int rather than
	// asn1.ObjectIdentifier; the value is still assignable wherever an
	// asn1.ObjectIdentifier is expected.
	OIDSPC_PE_IMAGE_DATA_OBJID = []int{1, 3, 6, 1, 4, 1, 311, 2, 1, 15}

	// PKCS #9 countersignature attribute: 1.2.840.113549.1.9.6
	OIDCounterSignature = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 6}

	// Microsoft catalog arc: 1.3.6.1.4.1.311.12.*
	OIDCatalogList             = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 12, 1, 1}
	OID_CATALOG_LIST_MEMBER_V2 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 12, 1, 3}
	OIDNameValueObjId          = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 12, 2, 1}
	OIDCAT_MEMBERINFO_OBJID    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 12, 2, 2}
	OIDCAT_MEMBERINFO2_OBJID   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 12, 2, 3}
)
// PE_DEBUG is a package-level switch that starts out false.
// NOTE(review): presumably it gates the output of Debug and DebugPrint —
// confirm against their bodies, which this listing does not show.
var PE_DEBUG bool

Functions

func CapInt32

func CapInt32(v int32, max int32) int32

func CapInt64

func CapInt64(v int64, max int64) int64

func CapUint16

func CapUint16(v uint16, max uint16) uint16

func CapUint32

func CapUint32(v uint32, max uint32) uint32

func CapUint64

func CapUint64(v uint64, max uint64) uint64

func Debug

func Debug(arg interface{})

func DebugPrint

func DebugPrint(fmt_str string, v ...interface{})

func GetImports

func GetImports(nt_header *IMAGE_NT_HEADERS, rva_resolver *RVAResolver) []string

func GetVersionInformation

func GetVersionInformation(
	nt_header *IMAGE_NT_HEADERS,
	rva_resolver *RVAResolver,
	resource_base int64) *ordereddict.Dict

func IsInExportDir

func IsInExportDir(dir *IMAGE_DATA_DIRECTORY, va uint32) bool

Reports whether the virtual address lies within the export directory.

https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#the-edata-section-image-only

Each entry in the export address table is a field that uses one of
two formats in the following table. If the address specified is not
within the export section (as defined by the address and length
that are indicated in the optional header), the field is an export
RVA, which is an actual address in code or data. Otherwise, the
field is a forwarder RVA, which names a symbol in another DLL.

func PKCS7ToOrderedDict

func PKCS7ToOrderedDict(self *pkcs7.PKCS7) *ordereddict.Dict

Builds a Dict with information about the PKCS7 structure. This can be consumed by callers who just want to show information about the PKCS7.

func ParseArray_byte

func ParseArray_byte(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []byte

func ParseArray_uint16

func ParseArray_uint16(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []uint16

func ParseArray_uint32

func ParseArray_uint32(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []uint32

func ParseArray_uint64

func ParseArray_uint64(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []uint64

func ParseAuthenticode

func ParseAuthenticode(pe *PEFile) (*pkcs7.PKCS7, error)

func ParseInt32

func ParseInt32(reader io.ReaderAt, offset int64) int32

func ParseString

func ParseString(reader io.ReaderAt, offset int64, length int64) string

func ParseTerminatedString

func ParseTerminatedString(reader io.ReaderAt, offset int64) string

func ParseTerminatedUTF16String

func ParseTerminatedUTF16String(reader io.ReaderAt, offset int64) string

func ParseUTF16String

func ParseUTF16String(reader io.ReaderAt, offset int64, length int64) string

func ParseUint16

func ParseUint16(reader io.ReaderAt, offset int64) uint16

func ParseUint32

func ParseUint32(reader io.ReaderAt, offset int64) uint32

func ParseUint64

func ParseUint64(reader io.ReaderAt, offset int64) uint64

func ParseUint8

func ParseUint8(reader io.ReaderAt, offset int64) byte

func RoundUpToWordAlignment

func RoundUpToWordAlignment(offset int64) int64

func UTF16BytesToUTF8

func UTF16BytesToUTF8(b []byte, o binary.ByteOrder) string

func UTF16ToString

func UTF16ToString(in []byte) string

func UTF16ToStringLE

func UTF16ToStringLE(in []byte) string

func X509ToOrderedDict

func X509ToOrderedDict(cert *x509.Certificate) *ordereddict.Dict

Types

type AlgorithmIdentifier

type AlgorithmIdentifier struct {
	Type asn1.ObjectIdentifier
}

type CV_RSDS_HEADER

// CV_RSDS_HEADER is a view over an RSDS debug record; IMAGE_NT_HEADERS.RSDS
// returns one. The struct holds only a location (Reader plus Offset) and the
// Profile carrying the per-field offsets (the Off_CV_RSDS_HEADER_* members of
// PeProfile).
// NOTE(review): the accessor methods presumably decode their field from
// Reader on each call — confirm. Whatever they return is taken from the file
// being examined, so treat Filename in particular as untrusted text.
type CV_RSDS_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*CV_RSDS_HEADER) Age

func (self *CV_RSDS_HEADER) Age() uint32

func (*CV_RSDS_HEADER) DebugString

func (self *CV_RSDS_HEADER) DebugString() string

func (*CV_RSDS_HEADER) Filename

func (self *CV_RSDS_HEADER) Filename() string

func (*CV_RSDS_HEADER) GUID

func (self *CV_RSDS_HEADER) GUID() *GUID

func (*CV_RSDS_HEADER) GUIDAge

func (self *CV_RSDS_HEADER) GUIDAge() string

func (*CV_RSDS_HEADER) Signature

func (self *CV_RSDS_HEADER) Signature() string

func (*CV_RSDS_HEADER) Size

func (self *CV_RSDS_HEADER) Size() int

type CabHash

type CabHash struct {
	Type   OIDSequence
	Digest []byte
}

A hash descriptor for a file or cab in the catalog

type CatNameValue

type CatNameValue struct {
	Items []NameValue
}

func (CatNameValue) Walk

func (self CatNameValue) Walk(out *ordereddict.Dict)

type CatalogList

type CatalogList struct {
	Digest  []byte
	Members []asn1.RawValue `asn1:"set,optional"`
}

func (CatalogList) Walk

func (self CatalogList) Walk(out *ordereddict.Dict)

type CatalogMemberSet

type CatalogMemberSet struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue `asn1:"optional"`
}

func (CatalogMemberSet) Walk

func (self CatalogMemberSet) Walk(out *ordereddict.Dict)

type CertificateTrustList

type CertificateTrustList struct {
	Type         OIDSequence
	Digest       []byte
	Time         time.Time
	MemberOID    OIDSequence
	CatalogList  []CatalogList
	CatNameValue CatNameValue `asn1:"tag:0"`
}

type DebugStringer

type DebugStringer interface {
	DebugString() string
}

type DigestInfo

type DigestInfo struct {
	DigestAlgorithm pkix.AlgorithmIdentifier
	Digest          []byte
}

type Directory

type Directory struct {
	Timestamp    time.Time `json:"Timestamp"`
	TimestampRaw uint32
	Size         uint32
	FileAddress  uint32
	SectionName  string
}

type Enumeration

type Enumeration struct {
	Value uint64
	Name  string
}

func (Enumeration) DebugString

func (self Enumeration) DebugString() string

type FileHeader

// FileHeader is the serialisable summary of header fields exposed as
// PEFile.FileHeader; every field carries a JSON tag.
type FileHeader struct {
	Machine          string `json:"Machine"`
	// TimeDateStamp and TimeDateStampRaw give the header timestamp in
	// rendered and raw form. The value is whatever the build toolchain (or
	// anyone editing the file afterwards) wrote there, so treat it as a claim
	// made by the file, not as evidence of when it was built.
	TimeDateStamp    string `json:"TimeDateStamp"`
	TimeDateStampRaw uint32 `json:"TimeDateStampRaw"`
	Characteristics  uint16 `json:"Characteristics"`
	ImageBase        uint64 `json:"ImageBase"`
}

type GENERIC_DIRECTORY

type GENERIC_DIRECTORY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*GENERIC_DIRECTORY) DebugString

func (self *GENERIC_DIRECTORY) DebugString() string

func (*GENERIC_DIRECTORY) Size

func (self *GENERIC_DIRECTORY) Size() int

func (*GENERIC_DIRECTORY) TimeDateStamp

func (self *GENERIC_DIRECTORY) TimeDateStamp() *UnixTimeStamp32

type GUID

type GUID struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*GUID) Data1

func (self *GUID) Data1() uint32

func (*GUID) Data2

func (self *GUID) Data2() uint16

func (*GUID) Data3

func (self *GUID) Data3() uint16

func (*GUID) Data4

func (self *GUID) Data4() []byte

func (*GUID) DebugString

func (self *GUID) DebugString() string

func (*GUID) Size

func (self *GUID) Size() int

type Hashes

// Hashes bundles one hash.Hash per digest algorithm. PEFile.CalcHash returns
// it, and that method's documentation points at the Authenticode PE signature
// format for the hashing procedure.
// NOTE(review): if these are Authenticode-style digests they presumably differ
// from a plain hash over the whole file — confirm before comparing them with
// file hashes from other tools.
type Hashes struct {
	// MD5 and SHA1 are collision-prone: fine for matching existing indicators
	// or legacy signatures, not as the sole basis for trusting a file.
	MD5    hash.Hash
	SHA1   hash.Hash
	SHA256 hash.Hash
}

type IMAGE_DATA_DIRECTORY

type IMAGE_DATA_DIRECTORY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func ParseArray_IMAGE_DATA_DIRECTORY

func ParseArray_IMAGE_DATA_DIRECTORY(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []*IMAGE_DATA_DIRECTORY

func (*IMAGE_DATA_DIRECTORY) DebugString

func (self *IMAGE_DATA_DIRECTORY) DebugString() string

func (*IMAGE_DATA_DIRECTORY) DirSize

func (self *IMAGE_DATA_DIRECTORY) DirSize() uint32

func (*IMAGE_DATA_DIRECTORY) Size

func (self *IMAGE_DATA_DIRECTORY) Size() int

func (*IMAGE_DATA_DIRECTORY) VirtualAddress

func (self *IMAGE_DATA_DIRECTORY) VirtualAddress() uint32

type IMAGE_DEBUG_DIRECTORY

type IMAGE_DEBUG_DIRECTORY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_DEBUG_DIRECTORY) AddressOfRawData

func (self *IMAGE_DEBUG_DIRECTORY) AddressOfRawData() uint32

func (*IMAGE_DEBUG_DIRECTORY) DebugString

func (self *IMAGE_DEBUG_DIRECTORY) DebugString() string

func (*IMAGE_DEBUG_DIRECTORY) Size

func (self *IMAGE_DEBUG_DIRECTORY) Size() int

func (*IMAGE_DEBUG_DIRECTORY) TimeDateStamp

func (self *IMAGE_DEBUG_DIRECTORY) TimeDateStamp() *UnixTimeStamp32

func (*IMAGE_DEBUG_DIRECTORY) Type

func (self *IMAGE_DEBUG_DIRECTORY) Type() *Enumeration

type IMAGE_DOS_HEADER

type IMAGE_DOS_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_DOS_HEADER) DebugString

func (self *IMAGE_DOS_HEADER) DebugString() string

func (*IMAGE_DOS_HEADER) E_lfanew

func (self *IMAGE_DOS_HEADER) E_lfanew() int32

func (*IMAGE_DOS_HEADER) E_magic

func (self *IMAGE_DOS_HEADER) E_magic() uint16

func (*IMAGE_DOS_HEADER) NTHeader

func (self *IMAGE_DOS_HEADER) NTHeader() *IMAGE_NT_HEADERS

func (*IMAGE_DOS_HEADER) Size

func (self *IMAGE_DOS_HEADER) Size() int

type IMAGE_EXPORT_DESCRIPTOR

// IMAGE_EXPORT_DESCRIPTOR is one row of the export table in resolved form;
// IMAGE_NT_HEADERS.ExportTable returns a slice of them.
type IMAGE_EXPORT_DESCRIPTOR struct {
	Ordinal   int
	Name      string
	RVA       int64
	// NOTE(review): presumably filled in when the export address falls inside
	// the export directory (see IsInExportDir), in which case the entry names
	// a symbol in another DLL instead of code or data in this image — confirm.
	Forwarder string
	DLLName   string
}

type IMAGE_EXPORT_DIRECTORY

type IMAGE_EXPORT_DIRECTORY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_EXPORT_DIRECTORY) AddressOfFunctions

func (self *IMAGE_EXPORT_DIRECTORY) AddressOfFunctions() uint32

func (*IMAGE_EXPORT_DIRECTORY) AddressOfNameOrdinals

func (self *IMAGE_EXPORT_DIRECTORY) AddressOfNameOrdinals() uint32

func (*IMAGE_EXPORT_DIRECTORY) AddressOfNames

func (self *IMAGE_EXPORT_DIRECTORY) AddressOfNames() uint32

func (*IMAGE_EXPORT_DIRECTORY) Base

func (self *IMAGE_EXPORT_DIRECTORY) Base() uint32

func (*IMAGE_EXPORT_DIRECTORY) DLLName

func (self *IMAGE_EXPORT_DIRECTORY) DLLName(rva_resolver *RVAResolver) string

func (*IMAGE_EXPORT_DIRECTORY) DebugString

func (self *IMAGE_EXPORT_DIRECTORY) DebugString() string

func (*IMAGE_EXPORT_DIRECTORY) Name

func (self *IMAGE_EXPORT_DIRECTORY) Name() uint32

func (*IMAGE_EXPORT_DIRECTORY) NumberOfFunctions

func (self *IMAGE_EXPORT_DIRECTORY) NumberOfFunctions() uint32

func (*IMAGE_EXPORT_DIRECTORY) NumberOfNames

func (self *IMAGE_EXPORT_DIRECTORY) NumberOfNames() uint32

func (*IMAGE_EXPORT_DIRECTORY) Size

func (self *IMAGE_EXPORT_DIRECTORY) Size() int

func (*IMAGE_EXPORT_DIRECTORY) TimeDateStamp

func (self *IMAGE_EXPORT_DIRECTORY) TimeDateStamp() *UnixTimeStamp32

type IMAGE_FILE_HEADER

type IMAGE_FILE_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_FILE_HEADER) Characteristics

func (self *IMAGE_FILE_HEADER) Characteristics() uint16

func (*IMAGE_FILE_HEADER) DebugString

func (self *IMAGE_FILE_HEADER) DebugString() string

func (*IMAGE_FILE_HEADER) Machine

func (self *IMAGE_FILE_HEADER) Machine() *Enumeration

func (*IMAGE_FILE_HEADER) NumberOfSections

func (self *IMAGE_FILE_HEADER) NumberOfSections() uint16

func (*IMAGE_FILE_HEADER) Size

func (self *IMAGE_FILE_HEADER) Size() int

func (*IMAGE_FILE_HEADER) SizeOfOptionalHeader

func (self *IMAGE_FILE_HEADER) SizeOfOptionalHeader() uint16

func (*IMAGE_FILE_HEADER) TimeDateStamp

func (self *IMAGE_FILE_HEADER) TimeDateStamp() *UnixTimeStamp32

func (*IMAGE_FILE_HEADER) TimeDateStampRaw

func (self *IMAGE_FILE_HEADER) TimeDateStampRaw() uint32

type IMAGE_IMPORT_BY_NAME

type IMAGE_IMPORT_BY_NAME struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
}

func (*IMAGE_IMPORT_BY_NAME) DebugString

func (self *IMAGE_IMPORT_BY_NAME) DebugString() string

func (*IMAGE_IMPORT_BY_NAME) Name

func (self *IMAGE_IMPORT_BY_NAME) Name() string

func (*IMAGE_IMPORT_BY_NAME) Size

func (self *IMAGE_IMPORT_BY_NAME) Size() int

type IMAGE_IMPORT_DESCRIPTOR

type IMAGE_IMPORT_DESCRIPTOR struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_IMPORT_DESCRIPTOR) Characteristics

func (self *IMAGE_IMPORT_DESCRIPTOR) Characteristics() uint32

func (*IMAGE_IMPORT_DESCRIPTOR) DLLName

func (self *IMAGE_IMPORT_DESCRIPTOR) DLLName(rva_resolver *RVAResolver) string

func (*IMAGE_IMPORT_DESCRIPTOR) DebugString

func (self *IMAGE_IMPORT_DESCRIPTOR) DebugString() string

func (*IMAGE_IMPORT_DESCRIPTOR) Functions32

func (self *IMAGE_IMPORT_DESCRIPTOR) Functions32(rva_resolver *RVAResolver) []string

func (*IMAGE_IMPORT_DESCRIPTOR) Functions64

func (self *IMAGE_IMPORT_DESCRIPTOR) Functions64(rva_resolver *RVAResolver) []string

func (*IMAGE_IMPORT_DESCRIPTOR) Name

func (self *IMAGE_IMPORT_DESCRIPTOR) Name() uint32

func (*IMAGE_IMPORT_DESCRIPTOR) OriginalFirstThunk

func (self *IMAGE_IMPORT_DESCRIPTOR) OriginalFirstThunk() uint32

func (*IMAGE_IMPORT_DESCRIPTOR) Size

func (self *IMAGE_IMPORT_DESCRIPTOR) Size() int

type IMAGE_NT_HEADERS

type IMAGE_NT_HEADERS struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_NT_HEADERS) DataDirectory

func (self *IMAGE_NT_HEADERS) DataDirectory(index int64) *IMAGE_DATA_DIRECTORY

func (*IMAGE_NT_HEADERS) DebugDirectory

func (self *IMAGE_NT_HEADERS) DebugDirectory(
	rva_resolver *RVAResolver) (*IMAGE_DEBUG_DIRECTORY, error)

func (*IMAGE_NT_HEADERS) DebugString

func (self *IMAGE_NT_HEADERS) DebugString() string

func (*IMAGE_NT_HEADERS) ExportDirectory

func (self *IMAGE_NT_HEADERS) ExportDirectory(
	rva_resolver *RVAResolver) (*IMAGE_EXPORT_DIRECTORY, error)

func (*IMAGE_NT_HEADERS) ExportTable

func (self *IMAGE_NT_HEADERS) ExportTable(
	rva_resolver *RVAResolver) []*IMAGE_EXPORT_DESCRIPTOR

func (*IMAGE_NT_HEADERS) FileHeader

func (self *IMAGE_NT_HEADERS) FileHeader() *IMAGE_FILE_HEADER

func (*IMAGE_NT_HEADERS) ImportDirectory

func (self *IMAGE_NT_HEADERS) ImportDirectory(
	rva_resolver *RVAResolver) []*IMAGE_IMPORT_DESCRIPTOR

func (*IMAGE_NT_HEADERS) OptionalHeader

func (self *IMAGE_NT_HEADERS) OptionalHeader() *IMAGE_OPTIONAL_HEADER

func (*IMAGE_NT_HEADERS) ParseSecurityInfo

func (self *IMAGE_NT_HEADERS) ParseSecurityInfo() (*pkcs7.PKCS7, error)

func (*IMAGE_NT_HEADERS) RSDS

func (self *IMAGE_NT_HEADERS) RSDS(
	rva_resolver *RVAResolver) (*CV_RSDS_HEADER, error)

func (*IMAGE_NT_HEADERS) ResourceDirectory

func (self *IMAGE_NT_HEADERS) ResourceDirectory(
	rva_resolver *RVAResolver) (*IMAGE_RESOURCE_DIRECTORY, error)

func (*IMAGE_NT_HEADERS) SectionByName

func (self *IMAGE_NT_HEADERS) SectionByName(name string) *IMAGE_SECTION_HEADER

func (*IMAGE_NT_HEADERS) Sections

func (self *IMAGE_NT_HEADERS) Sections() []*IMAGE_SECTION_HEADER

func (*IMAGE_NT_HEADERS) Signature

func (self *IMAGE_NT_HEADERS) Signature() uint32

func (*IMAGE_NT_HEADERS) Size

func (self *IMAGE_NT_HEADERS) Size() int

type IMAGE_OPTIONAL_HEADER

type IMAGE_OPTIONAL_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_OPTIONAL_HEADER) CheckSum

func (self *IMAGE_OPTIONAL_HEADER) CheckSum() uint32

func (*IMAGE_OPTIONAL_HEADER) DataDirectory

func (self *IMAGE_OPTIONAL_HEADER) DataDirectory() []*IMAGE_DATA_DIRECTORY

func (*IMAGE_OPTIONAL_HEADER) DebugString

func (self *IMAGE_OPTIONAL_HEADER) DebugString() string

func (*IMAGE_OPTIONAL_HEADER) ImageBase

func (self *IMAGE_OPTIONAL_HEADER) ImageBase() uint32

func (*IMAGE_OPTIONAL_HEADER) Magic

func (self *IMAGE_OPTIONAL_HEADER) Magic() uint16

func (*IMAGE_OPTIONAL_HEADER) Size

func (self *IMAGE_OPTIONAL_HEADER) Size() int

func (*IMAGE_OPTIONAL_HEADER) SizeOfHeaders

func (self *IMAGE_OPTIONAL_HEADER) SizeOfHeaders() uint32

type IMAGE_OPTIONAL_HEADER64

type IMAGE_OPTIONAL_HEADER64 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_OPTIONAL_HEADER64) DataDirectory

func (self *IMAGE_OPTIONAL_HEADER64) DataDirectory() []*IMAGE_DATA_DIRECTORY

func (*IMAGE_OPTIONAL_HEADER64) DebugString

func (self *IMAGE_OPTIONAL_HEADER64) DebugString() string

func (*IMAGE_OPTIONAL_HEADER64) ImageBase

func (self *IMAGE_OPTIONAL_HEADER64) ImageBase() uint64

func (*IMAGE_OPTIONAL_HEADER64) Magic

func (self *IMAGE_OPTIONAL_HEADER64) Magic() uint16

func (*IMAGE_OPTIONAL_HEADER64) Size

func (self *IMAGE_OPTIONAL_HEADER64) Size() int

func (*IMAGE_OPTIONAL_HEADER64) SizeOfHeaders

func (self *IMAGE_OPTIONAL_HEADER64) SizeOfHeaders() uint32

type IMAGE_RESOURCE_DATA_ENTRY

type IMAGE_RESOURCE_DATA_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_RESOURCE_DATA_ENTRY) CodePage

func (self *IMAGE_RESOURCE_DATA_ENTRY) CodePage() uint32

func (*IMAGE_RESOURCE_DATA_ENTRY) DataSize

func (self *IMAGE_RESOURCE_DATA_ENTRY) DataSize() uint32

func (*IMAGE_RESOURCE_DATA_ENTRY) DebugString

func (self *IMAGE_RESOURCE_DATA_ENTRY) DebugString() string

func (*IMAGE_RESOURCE_DATA_ENTRY) OffsetToData

func (self *IMAGE_RESOURCE_DATA_ENTRY) OffsetToData() uint32

func (*IMAGE_RESOURCE_DATA_ENTRY) Size

func (self *IMAGE_RESOURCE_DATA_ENTRY) Size() int

type IMAGE_RESOURCE_DIRECTORY

type IMAGE_RESOURCE_DIRECTORY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_RESOURCE_DIRECTORY) DebugString

func (self *IMAGE_RESOURCE_DIRECTORY) DebugString() string

func (*IMAGE_RESOURCE_DIRECTORY) Entries

func (*IMAGE_RESOURCE_DIRECTORY) NumberOfIdEntries

func (self *IMAGE_RESOURCE_DIRECTORY) NumberOfIdEntries() uint16

func (*IMAGE_RESOURCE_DIRECTORY) NumberOfNamedEntries

func (self *IMAGE_RESOURCE_DIRECTORY) NumberOfNamedEntries() uint16

func (*IMAGE_RESOURCE_DIRECTORY) Size

func (self *IMAGE_RESOURCE_DIRECTORY) Size() int

func (*IMAGE_RESOURCE_DIRECTORY) TimeDateStamp

func (self *IMAGE_RESOURCE_DIRECTORY) TimeDateStamp() *UnixTimeStamp32

type IMAGE_RESOURCE_DIRECTORY_ENTRY

type IMAGE_RESOURCE_DIRECTORY_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func ParseArray_IMAGE_RESOURCE_DIRECTORY_ENTRY

func ParseArray_IMAGE_RESOURCE_DIRECTORY_ENTRY(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []*IMAGE_RESOURCE_DIRECTORY_ENTRY

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) DataIsDirectory

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) DataIsDirectory() uint64

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) DebugString

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) DebugString() string

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) NameIsString

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) NameIsString() uint64

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) NameOffset

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) NameOffset() uint64

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) NameString

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) NameString(
	resource_base int64) string

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) OffsetToData

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) OffsetToData() uint64

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) OffsetToDirectory

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) OffsetToDirectory() uint64

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) Size

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) Size() int

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) Traverse

func (self *IMAGE_RESOURCE_DIRECTORY_ENTRY) Traverse(
	resource_base int64) []*IMAGE_RESOURCE_DATA_ENTRY

func (*IMAGE_RESOURCE_DIRECTORY_ENTRY) Type

type IMAGE_SECTION_HEADER

type IMAGE_SECTION_HEADER struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_SECTION_HEADER) Characteristics

func (self *IMAGE_SECTION_HEADER) Characteristics() uint32

func (*IMAGE_SECTION_HEADER) Data

func (self *IMAGE_SECTION_HEADER) Data() io.ReaderAt

func (*IMAGE_SECTION_HEADER) DebugString

func (self *IMAGE_SECTION_HEADER) DebugString() string

func (*IMAGE_SECTION_HEADER) Name

func (self *IMAGE_SECTION_HEADER) Name() string

func (*IMAGE_SECTION_HEADER) Permissions

func (self *IMAGE_SECTION_HEADER) Permissions() string

func (*IMAGE_SECTION_HEADER) PointerToRawData

func (self *IMAGE_SECTION_HEADER) PointerToRawData() uint32

func (*IMAGE_SECTION_HEADER) Size

func (self *IMAGE_SECTION_HEADER) Size() int

func (*IMAGE_SECTION_HEADER) SizeOfRawData

func (self *IMAGE_SECTION_HEADER) SizeOfRawData() uint32

func (*IMAGE_SECTION_HEADER) VirtualAddress

func (self *IMAGE_SECTION_HEADER) VirtualAddress() uint32

type IMAGE_THUNK_DATA32

type IMAGE_THUNK_DATA32 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_THUNK_DATA32) AddressOfData

func (self *IMAGE_THUNK_DATA32) AddressOfData() uint32

func (*IMAGE_THUNK_DATA32) DebugString

func (self *IMAGE_THUNK_DATA32) DebugString() string

func (*IMAGE_THUNK_DATA32) ForwarderString

func (self *IMAGE_THUNK_DATA32) ForwarderString() uint32

func (*IMAGE_THUNK_DATA32) Function

func (self *IMAGE_THUNK_DATA32) Function() uint32

func (*IMAGE_THUNK_DATA32) Ordinal

func (self *IMAGE_THUNK_DATA32) Ordinal() uint32

func (*IMAGE_THUNK_DATA32) Size

func (self *IMAGE_THUNK_DATA32) Size() int

type IMAGE_THUNK_DATA64

type IMAGE_THUNK_DATA64 struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*IMAGE_THUNK_DATA64) AddressOfData

func (self *IMAGE_THUNK_DATA64) AddressOfData() uint64

func (*IMAGE_THUNK_DATA64) DebugString

func (self *IMAGE_THUNK_DATA64) DebugString() string

func (*IMAGE_THUNK_DATA64) ForwarderString

func (self *IMAGE_THUNK_DATA64) ForwarderString() uint64

func (*IMAGE_THUNK_DATA64) Function

func (self *IMAGE_THUNK_DATA64) Function() uint64

func (*IMAGE_THUNK_DATA64) Ordinal

func (self *IMAGE_THUNK_DATA64) Ordinal() uint64

func (*IMAGE_THUNK_DATA64) Size

func (self *IMAGE_THUNK_DATA64) Size() int

type KV

type KV struct {
	Type  OIDSequence
	Value asn1.RawValue `asn1:"optional"`
}

func (KV) Walk

func (self KV) Walk(out *ordereddict.Dict)

type KVString

type KVString struct {
	Key     string
	Unknown int
	Value   []byte
}

Arbitrary kv string with metadata

type MESSAGE_RESOURCE_BLOCK

type MESSAGE_RESOURCE_BLOCK struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func ParseArray_MESSAGE_RESOURCE_BLOCK

func ParseArray_MESSAGE_RESOURCE_BLOCK(profile *PeProfile, reader io.ReaderAt, offset int64, count int) []*MESSAGE_RESOURCE_BLOCK

func (*MESSAGE_RESOURCE_BLOCK) DebugString

func (self *MESSAGE_RESOURCE_BLOCK) DebugString() string

func (*MESSAGE_RESOURCE_BLOCK) HighId

func (self *MESSAGE_RESOURCE_BLOCK) HighId() uint32

func (*MESSAGE_RESOURCE_BLOCK) LowId

func (self *MESSAGE_RESOURCE_BLOCK) LowId() uint32

func (*MESSAGE_RESOURCE_BLOCK) Messages

func (self *MESSAGE_RESOURCE_BLOCK) Messages() []*Message

Each block contains a list of entries.

func (*MESSAGE_RESOURCE_BLOCK) OffsetToEntries

func (self *MESSAGE_RESOURCE_BLOCK) OffsetToEntries() uint32

func (*MESSAGE_RESOURCE_BLOCK) Size

func (self *MESSAGE_RESOURCE_BLOCK) Size() int

type MESSAGE_RESOURCE_DATA

type MESSAGE_RESOURCE_DATA struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*MESSAGE_RESOURCE_DATA) Blocks

func (*MESSAGE_RESOURCE_DATA) DebugString

func (self *MESSAGE_RESOURCE_DATA) DebugString() string

func (*MESSAGE_RESOURCE_DATA) Messages

func (self *MESSAGE_RESOURCE_DATA) Messages() []*Message

func (*MESSAGE_RESOURCE_DATA) NumberOfBlocks

func (self *MESSAGE_RESOURCE_DATA) NumberOfBlocks() uint32

func (*MESSAGE_RESOURCE_DATA) Size

func (self *MESSAGE_RESOURCE_DATA) Size() int

type MESSAGE_RESOURCE_ENTRY

type MESSAGE_RESOURCE_ENTRY struct {
	Reader  io.ReaderAt
	Offset  int64
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*MESSAGE_RESOURCE_ENTRY) DebugString

func (self *MESSAGE_RESOURCE_ENTRY) DebugString() string

func (*MESSAGE_RESOURCE_ENTRY) Flags

func (self *MESSAGE_RESOURCE_ENTRY) Flags() uint16

func (*MESSAGE_RESOURCE_ENTRY) Length

func (self *MESSAGE_RESOURCE_ENTRY) Length() uint16

func (*MESSAGE_RESOURCE_ENTRY) Message

func (self *MESSAGE_RESOURCE_ENTRY) Message() string

func (*MESSAGE_RESOURCE_ENTRY) Size

func (self *MESSAGE_RESOURCE_ENTRY) Size() int

func (*MESSAGE_RESOURCE_ENTRY) Text

func (self *MESSAGE_RESOURCE_ENTRY) Text() string

type Message

type Message struct {
	Id      int64
	EventId int
	Message string
}

type NameValue

type NameValue struct {
	Type  asn1.ObjectIdentifier
	Value asn1.RawValue
}

func (NameValue) Walk

func (self NameValue) Walk(out *ordereddict.Dict)

type OIDSequence

type OIDSequence struct {
	Type asn1.ObjectIdentifier
}

func (OIDSequence) Equal

func (self OIDSequence) Equal(in asn1.ObjectIdentifier) bool

type OIDWithParamers

type OIDWithParamers struct {
	Type   asn1.ObjectIdentifier
	Params asn1.RawValue `asn1:"set,optional"`
}

func (OIDWithParamers) Equal

func (self OIDWithParamers) Equal(in asn1.ObjectIdentifier) bool

type OffsetReader

type OffsetReader struct {
	// contains filtered or unexported fields
}

func (OffsetReader) ReadAt

func (self OffsetReader) ReadAt(buff []byte, off int64) (int, error)

type Options

// Options groups parser settings. How it is handed to the parser is not shown
// in this listing.
type Options struct {
	// MaxResourceDirectoryDepth is, going by its name, a ceiling on how many
	// levels of the resource directory tree are followed. That tree comes
	// from the file being parsed, so a depth bound is what keeps a malformed
	// or self-referencing directory from driving unbounded traversal.
	// NOTE(review): the enforcement site and the meaning of zero are not
	// visible here — confirm before relying on the default.
	MaxResourceDirectoryDepth int
}

type PEFile

// PEFile is the parsed summary of one PE image. NewPEFile and
// NewPEFileWithSize build it from an io.ReaderAt.
//
// Everything exposed here originates in the file under analysis. Treat the
// strings as untrusted when logging or rendering them.
type PEFile struct {
	FileHeader FileHeader `json:"FileHeader"`
	// GUIDAge and PDB correspond to the "RSDS GUID and PDB files" item in the
	// README. NOTE(review): presumably read from the RSDS debug record —
	// confirm.
	GUIDAge    string     `json:"GUIDAge"`
	PDB        string     `json:"PDB"`
	Sections   []*Section `json:"Sections"`
	// contains filtered or unexported fields
}

func NewPEFile

func NewPEFile(reader io.ReaderAt) (*PEFile, error)

func NewPEFileWithSize

func NewPEFileWithSize(reader io.ReaderAt, max_size int64) (*PEFile, error)

func (PEFile) AsDict

func (self PEFile) AsDict() *ordereddict.Dict

func (*PEFile) CalcHash

func (self *PEFile) CalcHash() *Hashes

Hashing algorithm description in "Windows Authenticode Portable Executable Signature Format" http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/authenticode_pe.docx

func (*PEFile) CalcHashToDict

func (self *PEFile) CalcHashToDict() *ordereddict.Dict

func (*PEFile) Exports

func (self *PEFile) Exports() []string

Delay calculating these until absolutely necessary.

func (*PEFile) Forwards

func (self *PEFile) Forwards() []string

func (*PEFile) GetDirectories

func (self *PEFile) GetDirectories() *ordereddict.Dict

List all the PE directories

func (*PEFile) GetMessages

func (self *PEFile) GetMessages() []*Message

func (*PEFile) ImpHash

func (self *PEFile) ImpHash() string

Calculate the import table hash https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

func (*PEFile) Imports

func (self *PEFile) Imports() []string

Delay calculating these until absolutely necessary.

func (PEFile) Members

func (self PEFile) Members() []string

func (*PEFile) Resources

func (self *PEFile) Resources() []*ordereddict.Dict

func (*PEFile) VersionInformation

func (self *PEFile) VersionInformation() *ordereddict.Dict

type PeProfile

// PeProfile holds one int64 per structure field the parser reads, named
// Off_<STRUCTURE>_<Field>. Presumably each value is that field's byte offset
// inside its structure and is set by NewPeProfile — TODO confirm.
// Two structures that share a field name have separate entries (for example
// the 32-bit and 64-bit optional headers and thunk records).
type PeProfile struct {
	Off_CV_RSDS_HEADER_Signature                         int64
	Off_CV_RSDS_HEADER_GUID                              int64
	Off_CV_RSDS_HEADER_Age                               int64
	Off_CV_RSDS_HEADER_Filename                          int64
	Off_MESSAGE_RESOURCE_BLOCK_LowId                     int64
	Off_MESSAGE_RESOURCE_BLOCK_HighId                    int64
	Off_MESSAGE_RESOURCE_BLOCK_OffsetToEntries           int64
	Off_MESSAGE_RESOURCE_DATA_NumberOfBlocks             int64
	Off_MESSAGE_RESOURCE_DATA__Blocks                    int64
	Off_MESSAGE_RESOURCE_ENTRY_Length                    int64
	Off_MESSAGE_RESOURCE_ENTRY_Flags                     int64
	Off_MESSAGE_RESOURCE_ENTRY_Text                      int64
	Off_PrefixedString_Length                            int64
	Off_PrefixedString__Buffer                           int64
	Off_ResourceString_Length                            int64
	Off_ResourceString_ValueLength                       int64
	Off_ResourceString_Type                              int64
	Off_ResourceString_Key                               int64
	Off_StringFileInfo_Length                            int64
	Off_StringFileInfo_ValueLength                       int64
	Off_StringFileInfo_Type                              int64
	Off_StringFileInfo_Key                               int64
	Off_StringTable_Length                               int64
	Off_StringTable_ValueLength                          int64
	Off_StringTable_Type                                 int64
	Off_StringTable_Key                                  int64
	Off_VS_VERSIONINFO_Length                            int64
	Off_VS_VERSIONINFO_ValueLength                       int64
	Off_VS_VERSIONINFO_Type                              int64
	Off_VS_VERSIONINFO_szKey                             int64
	Off_WIN_CERTIFICATE_Length                           int64
	Off_WIN_CERTIFICATE_Revision                         int64
	Off_WIN_CERTIFICATE_CertificateType                  int64
	Off_GENERIC_DIRECTORY_TimeDateStamp                  int64
	Off_GUID_Data1                                       int64
	Off_GUID_Data2                                       int64
	Off_GUID_Data3                                       int64
	Off_GUID_Data4                                       int64
	Off_IMAGE_DATA_DIRECTORY_DirSize                     int64
	Off_IMAGE_DATA_DIRECTORY_VirtualAddress              int64
	Off_IMAGE_DEBUG_DIRECTORY_AddressOfRawData           int64
	Off_IMAGE_DEBUG_DIRECTORY_TimeDateStamp              int64
	Off_IMAGE_DEBUG_DIRECTORY_Type                       int64
	Off_IMAGE_DOS_HEADER_E_lfanew                        int64
	Off_IMAGE_DOS_HEADER_E_magic                         int64
	Off_IMAGE_EXPORT_DIRECTORY_AddressOfFunctions        int64
	Off_IMAGE_EXPORT_DIRECTORY_AddressOfNameOrdinals     int64
	Off_IMAGE_EXPORT_DIRECTORY_AddressOfNames            int64
	Off_IMAGE_EXPORT_DIRECTORY_Base                      int64
	Off_IMAGE_EXPORT_DIRECTORY_Name                      int64
	Off_IMAGE_EXPORT_DIRECTORY_NumberOfFunctions         int64
	Off_IMAGE_EXPORT_DIRECTORY_NumberOfNames             int64
	Off_IMAGE_EXPORT_DIRECTORY_TimeDateStamp             int64
	Off_IMAGE_EXPORT_DIRECTORY_ordinals                  int64
	Off_IMAGE_EXPORT_DIRECTORY_names                     int64
	Off_IMAGE_EXPORT_DIRECTORY_funcs64                   int64
	Off_IMAGE_FILE_HEADER_Characteristics                int64
	Off_IMAGE_FILE_HEADER_Machine                        int64
	Off_IMAGE_FILE_HEADER_NumberOfSections               int64
	Off_IMAGE_FILE_HEADER_SizeOfOptionalHeader           int64
	Off_IMAGE_FILE_HEADER_TimeDateStamp                  int64
	Off_IMAGE_FILE_HEADER_TimeDateStampRaw               int64
	Off_IMAGE_IMPORT_BY_NAME_Name                        int64
	Off_IMAGE_IMPORT_DESCRIPTOR_Characteristics          int64
	Off_IMAGE_IMPORT_DESCRIPTOR_Name                     int64
	Off_IMAGE_IMPORT_DESCRIPTOR_OriginalFirstThunk       int64
	Off_IMAGE_NT_HEADERS_FileHeader                      int64
	Off_IMAGE_NT_HEADERS_OptionalHeader                  int64
	Off_IMAGE_NT_HEADERS_Signature                       int64
	Off_IMAGE_OPTIONAL_HEADER_CheckSum                   int64
	Off_IMAGE_OPTIONAL_HEADER_DataDirectory              int64
	Off_IMAGE_OPTIONAL_HEADER_ImageBase                  int64
	Off_IMAGE_OPTIONAL_HEADER_Magic                      int64
	Off_IMAGE_OPTIONAL_HEADER_SizeOfHeaders              int64
	Off_IMAGE_OPTIONAL_HEADER64_DataDirectory            int64
	Off_IMAGE_OPTIONAL_HEADER64_ImageBase                int64
	Off_IMAGE_OPTIONAL_HEADER64_Magic                    int64
	Off_IMAGE_OPTIONAL_HEADER64_SizeOfHeaders            int64
	Off_IMAGE_RESOURCE_DATA_ENTRY_OffsetToData           int64
	Off_IMAGE_RESOURCE_DATA_ENTRY_DataSize               int64
	Off_IMAGE_RESOURCE_DATA_ENTRY_CodePage               int64
	Off_IMAGE_RESOURCE_DIRECTORY_NumberOfIdEntries       int64
	Off_IMAGE_RESOURCE_DIRECTORY_NumberOfNamedEntries    int64
	Off_IMAGE_RESOURCE_DIRECTORY_TimeDateStamp           int64
	Off_IMAGE_RESOURCE_DIRECTORY__Entries                int64
	Off_IMAGE_RESOURCE_DIRECTORY_ENTRY_Type              int64
	Off_IMAGE_RESOURCE_DIRECTORY_ENTRY_DataIsDirectory   int64
	Off_IMAGE_RESOURCE_DIRECTORY_ENTRY_NameIsString      int64
	Off_IMAGE_RESOURCE_DIRECTORY_ENTRY_NameOffset        int64
	Off_IMAGE_RESOURCE_DIRECTORY_ENTRY_OffsetToData      int64
	Off_IMAGE_RESOURCE_DIRECTORY_ENTRY_OffsetToDirectory int64
	Off_IMAGE_SECTION_HEADER_Characteristics             int64
	Off_IMAGE_SECTION_HEADER_Name                        int64
	Off_IMAGE_SECTION_HEADER_PointerToRawData            int64
	Off_IMAGE_SECTION_HEADER_SizeOfRawData               int64
	Off_IMAGE_SECTION_HEADER_VirtualAddress              int64
	Off_IMAGE_THUNK_DATA32_AddressOfData                 int64
	Off_IMAGE_THUNK_DATA32_ForwarderString               int64
	Off_IMAGE_THUNK_DATA32_Function                      int64
	Off_IMAGE_THUNK_DATA32_Ordinal                       int64
	Off_IMAGE_THUNK_DATA64_AddressOfData                 int64
	Off_IMAGE_THUNK_DATA64_ForwarderString               int64
	Off_IMAGE_THUNK_DATA64_Function                      int64
	Off_IMAGE_THUNK_DATA64_Ordinal                       int64
}

func NewPeProfile

func NewPeProfile() *PeProfile

func (*PeProfile) CV_RSDS_HEADER

func (self *PeProfile) CV_RSDS_HEADER(reader io.ReaderAt, offset int64) *CV_RSDS_HEADER

func (*PeProfile) GENERIC_DIRECTORY

func (self *PeProfile) GENERIC_DIRECTORY(reader io.ReaderAt, offset int64) *GENERIC_DIRECTORY

func (*PeProfile) GUID

func (self *PeProfile) GUID(reader io.ReaderAt, offset int64) *GUID

func (*PeProfile) IMAGE_DATA_DIRECTORY

func (self *PeProfile) IMAGE_DATA_DIRECTORY(reader io.ReaderAt, offset int64) *IMAGE_DATA_DIRECTORY

func (*PeProfile) IMAGE_DEBUG_DIRECTORY

func (self *PeProfile) IMAGE_DEBUG_DIRECTORY(reader io.ReaderAt, offset int64) *IMAGE_DEBUG_DIRECTORY

func (*PeProfile) IMAGE_DOS_HEADER

func (self *PeProfile) IMAGE_DOS_HEADER(reader io.ReaderAt, offset int64) *IMAGE_DOS_HEADER

func (*PeProfile) IMAGE_EXPORT_DIRECTORY

func (self *PeProfile) IMAGE_EXPORT_DIRECTORY(reader io.ReaderAt, offset int64) *IMAGE_EXPORT_DIRECTORY

func (*PeProfile) IMAGE_FILE_HEADER

func (self *PeProfile) IMAGE_FILE_HEADER(reader io.ReaderAt, offset int64) *IMAGE_FILE_HEADER

func (*PeProfile) IMAGE_IMPORT_BY_NAME

func (self *PeProfile) IMAGE_IMPORT_BY_NAME(reader io.ReaderAt, offset int64) *IMAGE_IMPORT_BY_NAME

func (*PeProfile) IMAGE_IMPORT_DESCRIPTOR

func (self *PeProfile) IMAGE_IMPORT_DESCRIPTOR(reader io.ReaderAt, offset int64) *IMAGE_IMPORT_DESCRIPTOR

func (*PeProfile) IMAGE_NT_HEADERS

func (self *PeProfile) IMAGE_NT_HEADERS(reader io.ReaderAt, offset int64) *IMAGE_NT_HEADERS

func (*PeProfile) IMAGE_OPTIONAL_HEADER

func (self *PeProfile) IMAGE_OPTIONAL_HEADER(reader io.ReaderAt, offset int64) *IMAGE_OPTIONAL_HEADER

func (*PeProfile) IMAGE_OPTIONAL_HEADER64

func (self *PeProfile) IMAGE_OPTIONAL_HEADER64(reader io.ReaderAt, offset int64) *IMAGE_OPTIONAL_HEADER64

func (*PeProfile) IMAGE_RESOURCE_DATA_ENTRY

func (self *PeProfile) IMAGE_RESOURCE_DATA_ENTRY(reader io.ReaderAt, offset int64) *IMAGE_RESOURCE_DATA_ENTRY

func (*PeProfile) IMAGE_RESOURCE_DIRECTORY

func (self *PeProfile) IMAGE_RESOURCE_DIRECTORY(reader io.ReaderAt, offset int64) *IMAGE_RESOURCE_DIRECTORY

func (*PeProfile) IMAGE_RESOURCE_DIRECTORY_ENTRY

func (self *PeProfile) IMAGE_RESOURCE_DIRECTORY_ENTRY(reader io.ReaderAt, offset int64) *IMAGE_RESOURCE_DIRECTORY_ENTRY

func (*PeProfile) IMAGE_SECTION_HEADER

func (self *PeProfile) IMAGE_SECTION_HEADER(reader io.ReaderAt, offset int64) *IMAGE_SECTION_HEADER

func (*PeProfile) IMAGE_THUNK_DATA32

func (self *PeProfile) IMAGE_THUNK_DATA32(reader io.ReaderAt, offset int64) *IMAGE_THUNK_DATA32

func (*PeProfile) IMAGE_THUNK_DATA64

func (self *PeProfile) IMAGE_THUNK_DATA64(reader io.ReaderAt, offset int64) *IMAGE_THUNK_DATA64

func (*PeProfile) MESSAGE_RESOURCE_BLOCK

func (self *PeProfile) MESSAGE_RESOURCE_BLOCK(reader io.ReaderAt, offset int64) *MESSAGE_RESOURCE_BLOCK

func (*PeProfile) MESSAGE_RESOURCE_DATA

func (self *PeProfile) MESSAGE_RESOURCE_DATA(reader io.ReaderAt, offset int64) *MESSAGE_RESOURCE_DATA

func (*PeProfile) MESSAGE_RESOURCE_ENTRY

func (self *PeProfile) MESSAGE_RESOURCE_ENTRY(reader io.ReaderAt, offset int64) *MESSAGE_RESOURCE_ENTRY

func (*PeProfile) PrefixedString

func (self *PeProfile) PrefixedString(reader io.ReaderAt, offset int64) *PrefixedString

func (*PeProfile) ResourceString

func (self *PeProfile) ResourceString(reader io.ReaderAt, offset int64) *ResourceString

func (*PeProfile) StringFileInfo

func (self *PeProfile) StringFileInfo(reader io.ReaderAt, offset int64) *StringFileInfo

func (*PeProfile) StringTable

func (self *PeProfile) StringTable(reader io.ReaderAt, offset int64) *StringTable

func (*PeProfile) TagVS_FIXEDFILEINFO

func (self *PeProfile) TagVS_FIXEDFILEINFO(reader io.ReaderAt, offset int64) *TagVS_FIXEDFILEINFO

func (*PeProfile) UnixTimeStamp32

func (self *PeProfile) UnixTimeStamp32(reader io.ReaderAt, offset int64) *UnixTimeStamp32

func (*PeProfile) VS_VERSIONINFO

func (self *PeProfile) VS_VERSIONINFO(reader io.ReaderAt, offset int64) *VS_VERSIONINFO

func (*PeProfile) WIN_CERTIFICATE

func (self *PeProfile) WIN_CERTIFICATE(reader io.ReaderAt, offset int64) *WIN_CERTIFICATE

type PrefixedString

// PrefixedString refers to a length-prefixed string located at Offset in
// Reader. The length is a uint16 (see Length) and comes from the file itself.
type PrefixedString struct {
	// Source the string is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table used to locate the length and the
	// character buffer — TODO confirm.
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*PrefixedString) DebugString

func (self *PrefixedString) DebugString() string

func (*PrefixedString) Length

func (self *PrefixedString) Length() uint16

func (*PrefixedString) Size

func (self *PrefixedString) Size() int

func (*PrefixedString) String

func (self *PrefixedString) String() string

A prefixed string contains a length followed by the UTF-16 string.

type RVAResolver

// RVAResolver translates a virtual address used inside the mapped image into
// the matching address in the file on disk. It is built from the NT headers
// by NewRVAResolver, and GetFileAddress returns an error as well as an
// address, so a lookup can fail.
type RVAResolver struct {
	// For now very simple O(n) search.
	Runs      []*Run
	// Presumably the image base taken from the optional header — TODO confirm.
	ImageBase uint64
	// Presumably true when the image uses the 64-bit optional header.
	Is64Bit   bool
}

func NewRVAResolver

func NewRVAResolver(header *IMAGE_NT_HEADERS) *RVAResolver

func (*RVAResolver) GetFileAddress

func (self *RVAResolver) GetFileAddress(offset uint32) (uint32, error)

type ReaderWrapper

// ReaderWrapper is built from an io.ReaderAt by NewReaderWrapper and exposes
// Read, Seek, Tell and CopyRange. Presumably it tracks a current position
// over the underlying reader — TODO confirm. Seek and CopyRange return no
// error value, so a failed or out-of-range read is not reported through them.
type ReaderWrapper struct {
	// contains filtered or unexported fields
}

func NewReaderWrapper

func NewReaderWrapper(reader io.ReaderAt) *ReaderWrapper

func (*ReaderWrapper) CopyRange

func (self *ReaderWrapper) CopyRange(writer io.Writer, start, end int64)

func (*ReaderWrapper) Read

func (self *ReaderWrapper) Read(p []byte) (n int, err error)

func (*ReaderWrapper) Seek

func (self *ReaderWrapper) Seek(offset int64)

func (*ReaderWrapper) Tell

func (self *ReaderWrapper) Tell() int64

type ResourceString

// ResourceString refers to one key/value string record located at Offset in
// Reader. Its Length, ValueLength and Type accessors return uint16 values
// read from the file.
type ResourceString struct {
	// Source the record is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table used to locate the record's
	// members — TODO confirm.
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*ResourceString) DebugString

func (self *ResourceString) DebugString() string

func (*ResourceString) Key

func (self *ResourceString) Key() string

func (*ResourceString) Length

func (self *ResourceString) Length() uint16

func (*ResourceString) Size

func (self *ResourceString) Size() int

func (*ResourceString) Type

func (self *ResourceString) Type() uint16

func (*ResourceString) Value

func (self *ResourceString) Value() string

func (*ResourceString) ValueLength

func (self *ResourceString) ValueLength() uint16

type Run

// Run is one entry in RVAResolver.Runs: a range of virtual addresses together
// with the file address it corresponds to. All three values are 32-bit and
// originate from the section information in the file.
type Run struct {
	// Start of the range in virtual-address terms.
	VirtualAddress  uint32
	// End of the range; whether the bound is inclusive is not visible
	// here — TODO confirm.
	VirtualEnd      uint32
	// Presumably the file address that VirtualAddress maps to.
	PhysicalAddress uint32
}

An RVA resolver maps a VirtualAddress to a file physical address. When the physical file is mapped into memory, sections in the file are mapped at different memory addresses. Internally the PE file contains pointers to those virtual addresses. This means we need to convert these pointers to mapped memory back into the file so we can read their data. The RVAResolver is responsible for this - it is populated from the header's sections.

type Section

// Section is the JSON-serialisable summary of one section of the image. All
// values are taken from the file, so offsets and sizes may point outside it
// and must be range-checked before being used to read data.
type Section struct {
	// Permission summary for the section; the string format is not shown here.
	Perm       string `json:"Perm"`
	// Section name as stored in the file. It is free text chosen by whoever
	// built the file and carries no guarantee about the section's content.
	Name       string `json:"Name"`
	// Presumably where the section's raw data starts in the file.
	FileOffset int64  `json:"FileOffset"`
	// Presumably the section's address once the image base is applied —
	// TODO confirm.
	VMA        uint64 `json:"VMA"`
	// Presumably the section's address relative to the image base.
	RVA        uint64 `json:"RVA"`
	// Section size; whether this is the raw or the virtual size is not
	// visible here.
	Size       int64  `json:"Size"`
}

type SpcAttributeTypeAndOptionalValue

// SpcAttributeTypeAndOptionalValue is the decoding target for the Authenticode
// structure of the same name: an object identifier plus an optional value.
type SpcAttributeTypeAndOptionalValue struct {
	// Identifies what Value describes. This package declares
	// OIDSPC_PE_IMAGE_DATA_OBJID (1.3.6.1.4.1.311.2.1.15) for PE images;
	// whether the decoder rejects other identifiers is not visible here.
	Type  asn1.ObjectIdentifier
	// Optional PE image data, decoded with context tag 2 per the struct tag.
	Value SpcPeImageData `asn1:"tag:2,optional"`
}

type SpcIndirectDataContent

// SpcIndirectDataContent is the decoding target for the Authenticode structure
// of the same name, which is the content that the signature covers.
type SpcIndirectDataContent struct {
	// Describes the kind of object that was signed.
	Data          SpcAttributeTypeAndOptionalValue
	// Digest asserted by the signer. It is only a claim until it has been
	// compared with a hash recomputed from the file (see PEFile.CalcHash)
	// and the enclosing signature has been validated.
	MessageDigest DigestInfo
}

type SpcPeImageData

// SpcPeImageData is the decoding target for the Authenticode structure of the
// same name.
type SpcPeImageData struct {
	// Flags decoded as an ASN.1 BIT STRING.
	Flags asn1.BitString
	// Alternative declaration of Flags, left disabled by the author:
	//	Flags []asn1.RawValue `asn1:"tag:0,optional"`
	// File is kept as an undecoded raw value; nothing here interprets it.
	File asn1.RawValue
}

type SpcSpOpusInfo

// SpcSpOpusInfo holds the descriptive strings of the Authenticode attribute of
// the same name. Both values are supplied by the signer and are free text, so
// they describe the file but are not evidence of who produced it.
type SpcSpOpusInfo struct {
	// Program name as given by the signer.
	ProgramName string
	// Presumably the "more info" link as given by the signer — TODO confirm.
	MoreInfo    string
}

type SpcString

// SpcString is the decoding target for the Authenticode SpcString. Only the
// context-tag-0 alternative is declared here.
type SpcString struct {
	// Raw bytes of the tag-0 alternative. Authenticode defines it as a
	// BMPString, so the bytes presumably need decoding from big-endian
	// UTF-16 before display — TODO confirm.
	Unicode []byte `asn1:"tag:0"`
}

type StringFileInfo

// StringFileInfo refers to a StringFileInfo record of the version resource,
// located at Offset in Reader. Its StringTable method returns the string
// tables found in it.
type StringFileInfo struct {
	// Source the record is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table used to locate the record's
	// members — TODO confirm.
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*StringFileInfo) DebugString

func (self *StringFileInfo) DebugString() string

func (*StringFileInfo) Key

func (self *StringFileInfo) Key() string

func (*StringFileInfo) Length

func (self *StringFileInfo) Length() uint16

func (*StringFileInfo) Size

func (self *StringFileInfo) Size() int

func (*StringFileInfo) StringTable

func (self *StringFileInfo) StringTable() []*StringTable

func (*StringFileInfo) Type

func (self *StringFileInfo) Type() uint16

func (*StringFileInfo) ValueLength

func (self *StringFileInfo) ValueLength() uint16

type StringTable

// StringTable refers to a StringTable record of the version resource, located
// at Offset in Reader. Its ResourceStrings method returns the key/value
// records found in it.
type StringTable struct {
	// Source the record is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table used to locate the record's
	// members — TODO confirm.
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*StringTable) DebugString

func (self *StringTable) DebugString() string

func (*StringTable) Key

func (self *StringTable) Key() string

func (*StringTable) Length

func (self *StringTable) Length() uint16

func (*StringTable) ResourceStrings

func (self *StringTable) ResourceStrings() []*ResourceString

func (*StringTable) Size

func (self *StringTable) Size() int

func (*StringTable) Type

func (self *StringTable) Type() uint16

func (*StringTable) ValueLength

func (self *StringTable) ValueLength() uint16

type TagVS_FIXEDFILEINFO

// TagVS_FIXEDFILEINFO refers to the fixed file information record returned by
// VS_VERSIONINFO.Value. The only methods declared for it are DebugString and
// Size.
type TagVS_FIXEDFILEINFO struct {
	// Source the record is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table for the record — TODO confirm.
	Profile *PeProfile
}

func (*TagVS_FIXEDFILEINFO) DebugString

func (self *TagVS_FIXEDFILEINFO) DebugString() string

func (*TagVS_FIXEDFILEINFO) Size

func (self *TagVS_FIXEDFILEINFO) Size() int

type UnixTimeStamp32

// UnixTimeStamp32 pairs a time value with the 32-bit number it was decoded
// from.
type UnixTimeStamp32 struct {
	// Embedded, so time.Time's methods are available on the value, except
	// where UnixTimeStamp32 declares its own (String).
	time.Time
	// The original 32-bit field. NOTE(review): PE timestamps are written by
	// the build toolchain and can hold any value (reproducible builds store
	// a non-time value here), so treat this as a hint and not as proof of
	// when a file was built.
	Raw uint32
}

func (*UnixTimeStamp32) DebugString

func (self *UnixTimeStamp32) DebugString() string

func (*UnixTimeStamp32) String

func (self *UnixTimeStamp32) String() string

type VS_VERSIONINFO

// VS_VERSIONINFO refers to the root record of the version resource, located
// at Offset in Reader. Children returns its StringFileInfo records and Value
// returns the fixed file information.
// The strings below this record are written by whoever built the file and are
// not covered by any check visible here, so they do not prove who published it.
type VS_VERSIONINFO struct {
	// Source the record is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table used to locate the record's
	// members — TODO confirm.
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*VS_VERSIONINFO) Children

func (self *VS_VERSIONINFO) Children() []*StringFileInfo

func (*VS_VERSIONINFO) DebugString

func (self *VS_VERSIONINFO) DebugString() string

func (*VS_VERSIONINFO) Length

func (self *VS_VERSIONINFO) Length() uint16

func (*VS_VERSIONINFO) Size

func (self *VS_VERSIONINFO) Size() int

func (*VS_VERSIONINFO) Type

func (self *VS_VERSIONINFO) Type() *Enumeration

func (*VS_VERSIONINFO) Value

func (self *VS_VERSIONINFO) Value() *TagVS_FIXEDFILEINFO

func (*VS_VERSIONINFO) ValueLength

func (self *VS_VERSIONINFO) ValueLength() uint16

type WIN_CERTIFICATE

// WIN_CERTIFICATE refers to a WIN_CERTIFICATE record located at Offset in
// Reader. Its Length accessor returns a uint32 read from the file; the package
// declares MAX_WIN_CERTIFICATE_LENGTH (1024 * 1024), presumably as the cap
// applied before the certificate data is read — TODO confirm at the call site.
type WIN_CERTIFICATE struct {
	// Source the record is read from.
	Reader  io.ReaderAt
	// Position of the record within Reader.
	Offset  int64
	// Presumably the field-offset table used to locate Length, Revision and
	// CertificateType — TODO confirm.
	Profile *PeProfile
	// contains filtered or unexported fields
}

func (*WIN_CERTIFICATE) CertificateType

func (self *WIN_CERTIFICATE) CertificateType() uint16

func (*WIN_CERTIFICATE) DebugString

func (self *WIN_CERTIFICATE) DebugString() string

func (*WIN_CERTIFICATE) Length

func (self *WIN_CERTIFICATE) Length() uint32

func (*WIN_CERTIFICATE) Revision

func (self *WIN_CERTIFICATE) Revision() uint16

func (*WIN_CERTIFICATE) Size

func (self *WIN_CERTIFICATE) Size() int
