pe

Documentation

Index

• Constants
• Variables
• func Max(x, y uint32) uint32
• func Min(x, y uint32) uint32
• func OrdLookup(libname string, ord uint64, makeName bool) string
• func PowerOfTwo(val uint32) bool
• type ByVAddr
  • func (self ByVAddr) Len() int
  • func (s ByVAddr) Less(i, j int) bool
  • func (self ByVAddr) Swap(i, j int)
• type PEFile
  • func NewPEFile(filename string) (pe *PEFile, err error)
  • func (self *PEFile) GetData(section *lib.SectionHeader) []byte
  • func (self *PEFile) GetImpHash() string

Constants

const (
	MAX_STRING_LENGTH = 0x100000 // 2^20

	IMAGE_DOS_SIGNATURE   = 0x5A4D
	IMAGE_DOSZM_SIGNATURE = 0x4D5A
	IMAGE_NE_SIGNATURE    = 0x454E
	IMAGE_LE_SIGNATURE    = 0x454C
	IMAGE_LX_SIGNATURE    = 0x584C
	IMAGE_TE_SIGNATURE    = 0x5A56 // Terse Executables have a 'VZ' signature

	IMAGE_NT_SIGNATURE               = 0x00004550
	IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
	IMAGE_ORDINAL_FLAG               = uint32(0x80000000)
	IMAGE_ORDINAL_FLAG64             = uint64(0x8000000000000000)
	OPTIONAL_HEADER_MAGIC_PE         = 0x10b
	OPTIONAL_HEADER_MAGIC_PE_PLUS    = 0x20b
	FILE_ALIGNMENT_HARDCODED_VALUE   = 0x200
)

This will set a maximum length of a string to be retrieved from the file.

It's there to prevent loading massive amounts of data from memory mapped
files. Strings longer than 1MB should be rather rare.

Variables

var INVALID_IMP_NAME = []byte("*invalid*")

var OLEAUT_32_ORD_NAMES = map[uint64]string{}/* 398 elements not displayed */

var OrdNames = map[string]map[uint64]string{
	"ws2_32.dll":   WS2_32_ORD_NAMES,
	"wsock32.dll":  WS2_32_ORD_NAMES,
	"oleaut32.dll": OLEAUT_32_ORD_NAMES,
}

var VALID_DOS_NAME = regexp.MustCompile("^[\\pL\\pN!//$%&'\\(\\)`\\-@^_\\{\\}~+,.;=\\[\\]]+$")

Valid FAT32 8.3 short filename characters according to:

http://en.wikipedia.org/wiki/8.3_filename

This will help decide whether DLL ASCII names are likely to be valid or otherwise corrupt data

The filename length is not checked because the DLLs filename can be longer that the 8.3

var VALID_FUNC_NAME = regexp.MustCompile(`^[\pL\pN_\?@$\(\)]+$`)

Check if a imported name uses the valid accepted characters expected in mangled function names. If the symbol's characters don't fall within this charset we will assume the name is invalid

var WS2_32_ORD_NAMES = map[uint64]string{}/* 117 elements not displayed */

Functions

func Max

func Max(x, y uint32) uint32

func Min

func Min(x, y uint32) uint32

func OrdLookup

func OrdLookup(libname string, ord uint64, makeName bool) string

func PowerOfTwo

func PowerOfTwo(val uint32) bool

Returns whether this value is a power of 2

Types

type ByVAddr

type ByVAddr []*lib.SectionHeader

func (ByVAddr) Len

func (self ByVAddr) Len() int

func (ByVAddr) Less

func (s ByVAddr) Less(i, j int) bool

func (ByVAddr) Swap

func (self ByVAddr) Swap(i, j int)

type PEFile

type PEFile struct {
	Filename          string
	DosHeader         *lib.DosHeader
	NTHeader          *lib.NTHeader
	FileHeader        *lib.FileHeader
	OptionalHeader    *lib.OptionalHeader
	OptionalHeader64  *lib.OptionalHeader64
	Sections          []*lib.SectionHeader
	ImportDescriptors []*lib.ImportDescriptor
	ExportDirectory   *lib.ExportDirectory
	// contains filtered or unexported fields
}

The representation of the PEFile with some helpful abstractions

func NewPEFile

func NewPEFile(filename string) (pe *PEFile, err error)

func (*PEFile) GetData

func (self *PEFile) GetData(section *lib.SectionHeader) []byte

func (*PEFile) GetImpHash

func (self *PEFile) GetImpHash() string