# README
Portable Executable Parser 
pe is a go package for parsing the portable executable file format. This package was designed with malware analysis in mind, and being resistent to PE malformations.
Table of content
Features
- Works with PE32/PE32+ file fomat.
- Supports Intel x86/AMD64/ARM7ARM7 Thumb/ARM8-64/IA64/CHPE architectures.
- MS DOS header.
- Rich Header (calculate checksum).
- NT Header (file header + optional header).
- COFF symbol table and string table.
- Sections headers + entropy calculation.
- Data directories
- Import Table + ImpHash calculation.
- Export Table
- Resource Table
- Exceptions Table
- Security Table + Authentihash calculation.
- Relocations Table
- Debug Table (CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS debug types).
- TLS Table
- Load Config Directory (SEH, GFID, GIAT, Guard LongJumps, CHPE, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables).
- Bound Import Table
- Delay Import Table
- COM Table (CLR Metadata Header, Metadata Table Streams)
- Report several anomalies
Installing
Using this go package is easy. First, use go get to install the latest version of the library. This command will install the pedumper executable along with the library and its dependencies:
go get -u github.com/saferwall/pe
Next, include pe package in your application:
import "github.com/saferwall/pe"
Using the library
package main
import (
peparser "github.com/saferwall/pe"
)
func main() {
filename := "C:\\Binaries\\notepad.exe"
pe, err := peparser.New(filename, nil)
if err != nil {
log.Fatalf("Error while opening file: %s, reason: %v", filename, err)
}
err = pe.Parse()
if err != nil {
log.Fatalf("Error while parsing file: %s, reason: %v", filename, err)
}
Start by instantiating a pe object by called the New() method, which takes the file path to the file to be parsed and some optional options.
Afterwards, a call to the Parse() method will give you access to all the different part of the PE format, directly accessible to be used. Here is the definition of the struct:
type File struct {
DosHeader ImageDosHeader `json:",omitempty"`
RichHeader *RichHeader `json:",omitempty"`
NtHeader ImageNtHeader `json:",omitempty"`
COFF *COFF `json:",omitempty"`
Sections []Section `json:",omitempty"`
Imports []Import `json:",omitempty"`
Export *Export `json:",omitempty"`
Debugs []DebugEntry `json:",omitempty"`
Relocations []Relocation `json:",omitempty"`
Resources *ResourceDirectory `json:",omitempty"`
TLS *TLSDirectory `json:",omitempty"`
LoadConfig *LoadConfig `json:",omitempty"`
Exceptions []Exception `json:",omitempty"`
Certificates *Certificate `json:",omitempty"`
DelayImports []DelayImport `json:",omitempty"`
BoundImports []BoundImportDescriptorData `json:",omitempty"`
GlobalPtr uint32 `json:",omitempty"`
CLR *CLRData `json:",omitempty"`
IAT []IATEntry `json:",omitempty"`
Header []byte
data mmap.MMap
closer io.Closer
Is64 bool
Is32 bool
Anomalies []string `json:",omitempty"`
size uint32
f *os.File
opts *Options
}
PE Header
As mentionned before, all members of the struct are directly (no getters/setters) accessible, additionally, the fields types has been preserved as the spec defines them, that means if you need to show the prettified version of an int type, you have to call the corresponding function.
fmt.Printf("Magic is: %x\n", pe.DosHeader.Magic)
fmt.Printf("Signature is: %x\n", pe.NtHeader.Signature)
fmt.Printf("Machine is: %x, Meaning: %s\n", pe.NtHeader.FileHeader.Machine, pe.PrettyMachineType())
Output:
Magic is: 5a4d
Signature is: 4550
Machine is: 8664, Meaning: x64
Iterating over sections
for _, sec := range pe.Sections {
fmt.Printf("Section Name : %s\n", sec.NameString())
fmt.Printf("Section VirtualSize : %x\n", sec.Header.VirtualSize)
fmt.Printf("Section Flags : %x, Meaning: %v\n\n",
sec.Header.Characteristics, sec.PrettySectionFlags())
}
Output:
Section Name : .text
Section VirtualSize : 2ea58
Section Flags : 60500060, Meaning: [Align8Bytes Readable Align16Bytes Executable Contains Code Initialized Data Align1Bytes]
Section Name : .data
Section VirtualSize : 58
Section Flags : c0500040, Meaning: [Readable Initialized Data Writable Align1Bytes Align16Bytes Align8Bytes]
Section Name : .rdata
Section VirtualSize : 18d0
Section Flags : 40600040, Meaning: [Align2Bytes Align8Bytes Readable Initialized Data Align32Bytes]
...
Roadmap
- imports MS-styled names demangling
- PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table
Fuzz Testing
To validate the parser we use the go-fuzz and a corpus of known malformed and tricky PE files from corkami.
References
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format by Matt Pietrek
- An In-Depth Look into the Win32 Portable Executable File Format - Part 1 by Matt Pietrek
- An In-Depth Look into the Win32 Portable Executable File Format - Part 2 by Matt Pietrek
- Portable Executable File Format
- PE Format MSDN spec
- https://www.ntcore.com/files/dotnetformat.htm
# Packages
No description provided by the author
# Functions
FPOFrameTypePretty returns a string interpretation of the FPO frame type.
No description provided by the author
IsBitSet returns true when a bit on a particular position is set.
IsPrintable checks weather a string is printable.
IsValidDosFilename returns true if the DLL name is likely to be valid.
IsValidFunctionName checks if an imported name uses the valid accepted characters expected in mangled function names.
Max returns the larger of x or y.
MetadataTableIndextToString returns the string representation of the metadata table index.
Min returns the min number in a slice.
New instaniates a file instance with options given a file name.
NewBytes instaniates a file instance with options given a memory buffer.
OrdLookup returns API name given an ordinal.
PrettyExtendedDLLCharacteristics maps dll char to string.
PrettyUnwindInfoHandlerFlags returns the string representation of the `flags` field of the unwind info structure.
PrintLoadConfigStruct will print size of each load config struct.
ProdIDtoStr mapps product ids to MS internal names.
ProdIDtoVSversion retrieves the Visual Studio version from product id.
SectionAttributeDescription maps a section attribute to a friendly name.
StringifyGuardFlags returns list of strings which describes the GuardFlags.
# Constants
AnoDansSigNotFound is reported when rich header signature was found, but.
AnoPaddingDwordNotZero is repoted when rich header signature leading padding DWORDs are not equal to 0.
The current assembly descriptor, which should appear only in the prime module metadata.
This table is unused.
This table is unused.
Assembly reference descriptors.
This table is unused.
This table is unused.
Heaps Streams Bit Positions.
Class layout descriptors that hold information about how the loader should lay out respective classes.
This flag is obsolete and should not be set.
The image file can be loaded into any process, but preferably into a 32-bit process.
The image file can be loaded only into a 32-bit process.
The image file contains IL code only, with no embedded native unmanaged code except the start-up stub (which simply executes an indirect jump to the CLR entry point).
The executable’s entry point is an unmanaged method.
The image file is protected with a strong name signature.
The CLR loader and the JIT compiler are required to track debug information about the methods.
Constant value descriptors that map the default values stored in the #Blob stream to respective fields, parameters, and properties.
V-table slots are 32-bits in size.
V-table slots are 64-bits in size.
Call most derived method described by.
The thunk created by the common language runtime must provide data marshaling between managed and unmanaged code.
The thunk created by the common language runtime must provide data marshaling between managed and unmanaged code.
Custom attribute descriptors.
CVSignatureNB10 represents the CodeView signature 'NB10'.
CVSignatureRSDS represents the CodeView signature 'SDSR'.
DansSignature ('DanS' as dword) is where the rich header struct starts.
Security descriptors.
Edit-and-continue log descriptors that hold information about what changes have been made to specific metadata items during in-memory editing.
Edit-and-continue mapping descriptors.
Event descriptors.
A class-to-events mapping table.
An event map–to–events lookup table, which does not exist in optimized metadata (#~ stream).
Exported type descriptors that contain information about public classes exported by the current assembly, which are declared in other modules of the assembly.
Field definition descriptors.
Field layout descriptors that specify the offset or ordinal of individual fields.
Field or parameter marshaling descriptors for managed/unmanaged interoperations.
A class-to-fields lookup table, which does not exist in optimized metadata (#~ stream).
Field-to-data mapping descriptors.
FileAlignmentHardcodedValue represents the value which PointerToRawData should be at least equal or bigger to, or it will be rounded to zero.
File descriptors that contain information about other files in the current assembly.
FrameFPO indicates a frame of type FPO.
FrameNonFPO indicates a frame of type Non-FPO.
FrameTrap indicates a frame of type Trap.
FrameTSS indicates a frame of type TSS.
Type parameter descriptors for generic (parameterized) classes and methods.
Descriptors of constraints specified for type parameters of generic classes and methods.
Heaps Streams Bit Positions.
Reserved for Borland.
Reserved.
The Visual C++ debug information.
The COFF debug information (line numbers, symbol table, and string table).
A copy of .pdata section.
Extended DLL characteristics bits.
Reserved.
The frame pointer omission (FPO) information.
Incremental Link Time Code Generation (iLTCG).
The location of DBG file.
Intel MPX.
The mapping from an RVA in source image to an RVA in image.
The mapping from an RVA in image to an RVA in source image.
Pogo aka PGO aka Profile Guided Optimization.
PE determinism or reproducibility.
Reserved.
An unknown value that is ignored by all tools.
Visual C++ features (/GS counts /sdl counts and guardN counts).
Architecture Specific Data.
Base Relocation Table.
The bound import table.
Certificate Directory.
CLR Runtime Header.
Debug.
Delay Import Descriptor.
Exception Table.
Export Table.
The RVA of the value to be stored in the global pointer register.
Import Address Table.
Import Table.
The load configuration table.
Must be zero.
Resource Table.
The thread local storage (TLS) table.
Image must execute in an AppContainer.
DLL can be relocated at load time.
ImageDllCharacteristicsExCETCompat indicates that the image is CET compatible.
Code Integrity checks are enforced.
Image supports Control Flow Guard.
Image can handle a high entropy 64-bit virtual address space.
Do not bind the image.
Isolation aware, but do not isolate the image.
Does not use structured exception (SE) handling.
Image is NX compatible.
Reserved, must be zero.
Reserved, must be zero.
Reserved, must be zero.
Reserved, must be zero.
Terminal Server aware.
A WDM driver.
MZ.
ZM.
No description provided by the author
No description provided by the author
ImageEnclaveImportMatchAuthorId indicates that the value of the enclave author identifier of the image must match the value in the import record.
ImageEnclaveImportMatchFamilyId indicates that the value of the enclave family identifier of the image must match the value in the import record.
ImageEnclaveImportMatchImageId indicates that the value of the enclave image identifier must match the value in the import record.
ImageEnclaveImportMatchNone indicates that none of the identifiers of the image need to match the value in the import record.
ImageEnclaveImportMatchUniqueId indicates that the value of the enclave unique identifier of the image must match the value in the import record.
No description provided by the author
No description provided by the author
Machine is based on 32-bit architecture.
Aggressively trim the working set.
Big endian.
Little endian.
Debug information has been removed from the image file.
The image file is a DLL rather than an EXE.
Flag indicates that the file is an image file (EXE or DLL).
Application can handle addresses beyond the 2GB range.
COFF line numbers have been removed.
COFF symbol table entries for local symbols have been removed.
Matsushita AM33.
x64.
ARM little endian.
ARM64 little endian.
ARM Thumb-2 little endian.
EFI byte code.
Intel 386 or later processors and compatible processors.
Intel Itanium processor family.
Mitsubishi M32R little endian.
MIPS16.
MIPS with FPU.
MIPS16 with FPU.
Power PC little endian.
Power PC with floating point support.
MIPS little endian.
RISC-V 128-bit address space.
RISC-V 32-bit address space.
RISC-V 64-bit address space.
Hitachi SH3.
Hitachi SH3 DSP.
Hitachi SH4.
Hitachi SH5.
Thumb.
The contents of this field are assumed to be applicable to any machine type.
MIPS little-endian WCE v2.
If the image file is on a network, copy and run it from the swap file.
Image file only.
If the image file is on removable media, copy and run it from the swap file.
The image file is a system file (for example, a device driver).
The image file should be run on a uniprocessor machine only.
ImageGuardCfEnableExportSuppression indicates that the module enables suppression of exports.
ImageGuardCfExportSuppressionInfoPresent indicates that the module contains suppressed export information.
ImageGuardCfFnctionTableSizeMask indicates that the mask for the subfield that contains the stride of Control Flow Guard function table entries (that is, the additional count of bytes per table entry).
ImageGuardCfFnctionTableSizeShift indicates the shift to right-justify Guard CF function table stride.
ImageGuardCfFunctionTablePresent indicates that the module contains valid control flow target metadata.
ImageGuardCfInstrumented indicates that the module performs control flow integrity checks using system-supplied support.
ImageGuardCfLongjumpTablePresent indicates that the module contains longjmp target information.
ImageGuardCfWInstrumented indicates that the module performs control flow and write integrity checks.
ImageGuardDelayloadIATInItsOwnSection indicates that the Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected.
ImageGuardFlagExportSupressed indicates that the call target is export suppressed.
ImageGuardFlagFIDSupressed indicates that the call target is explicitly suppressed (do not treat it as valid for purposes of CFG).
ImageGuardProtectDelayloadIAT indicates that the module supports read only delay load IAT.
ImageGuardSecurityCookieUnused indicates that the module does not make use of the /GS security cookie.
Optional Header magic.
Optional Header magic.
PE00.
Tables count.
Linear Executable is an executable file format in the EXE family.
The New Executable (abbreviated NE or NewEXE) is a 16-bit .exe file format, a successor to the DOS MZ executable format.
The base relocation is skipped.
This relocation is meaningful only when the machine type is ARM or Thumb.
The base relocation applies the difference to the 64-bit field at offset.
The base relocation adds the high 16 bits of the difference to the 16-bit field at offset.
The base relocation adds the high 16 bits of the difference to the 16-bit field at offset.
The base relocation applies all 32 bits of the difference to the 32-bit field at offset.
The base relocation adds the low 16 bits of the difference to the 16-bit field at offset.
The relocation interpretation is dependent on the machine type.
The relocation is only meaningful when the machine type is MIPS.
This relocation is only meaningful when the machine type is RISC-V.
This relocation is only meaningful when the machine type is RISC-V.
This relocation is only meaningful when the machine type is RISC-V.
This relocation is meaningful only when the machine type is Thumb.
Reserved, must be zero.
Optional Header magic.
ImageScnAlign1024Bytes indicates to align data on a 1024-byte boundary.
ImageScnAlign128Bytes indicates to align data on a 128-byte boundary.
ImageScnAlign16Bytes indicates to align data on a 16-byte boundary.
ImageScnAlign1Bytes indicates to align data on a 1-byte boundary.
ImageScnAlign2048Bytes indicates to align data on a 2048-byte boundary.
ImageScnAlign256Bytes indicates to align data on a 256-byte boundary.
ImageScnAlign2Bytes indicates to align data on a 2-byte boundary.
ImageScnAlign32Bytes indicates to align data on a 32-byte boundary.
ImageScnAlign4096Bytes indicates to align data on a 4096-byte boundary.
ImageScnAlign4Bytes indicates to align data on a 4-byte boundary.
ImageScnAlign512Bytes indicates to align data on a 512-byte boundary.
ImageScnAlign64Bytes indicates to align data on a 64-byte boundary.
ImageScnAlign8192Bytes indicates to align data on a 8192-byte boundary.
ImageScnAlign8Bytes indicates to align data on a 8-byte boundary.
ImageScnCntCode indicates the section contains executable code.
ImageScnCntInitializedData indicates the section contains initialized data.
ImageScnCntUninitializedData indicates the section contains uninitialized data.
ImageScnGpRel indicates the section contains data referenced through the global pointer (GP).
ImageScnLnkComdat indicates the section contains COMDAT data.
ImageScnLnkInfo indicates the section contains comments or other information.
ImageScnLnkMRelocOvfl indicates the section contains extended relocations.
ImageScnLnkOther is reserved for future use.
ImageScnLnkRemove indicates the section will not become part of the image This is valid only for object files.
ImageScnMem16Bit is reserved for future use.
ImageScnMemDiscardable indicates the section can be discarded as needed.
ImageScnMemExecute indicates the section can be executed as code.
ImageScnMemLocked is reserved for future use.
ImageScnMemNotCached indicates the section cannot be cached.
ImageScnMemNotPaged indicates the section is not pageable.
ImageScnMemPreload is reserved for future use.
ImageScnMemPurgeable is reserved for future use.
ImageScnMemRead indicates the section can be read.
ImageScnMemShared indicates the section can be shared in memory.
ImageScnMemWrite indicates the section can be written to.
ImageScnReserved1 for future use.
ImageScnReserved2 for future use.
ImageScnReserved3 for future use.
ImageScnReserved4 for future use.
ImageScnReserved5 for future use.
ImageScnReserved6 for future use.
ImageScnTypeNoPad indicates the section should not be padded to the next boundary.
An Extensible Firmware Interface (EFI) application.
An EFI driver with boot services.
An EFI ROM image .
An EFI driver with run-time services.
Device drivers and native Windows processes.
Native Win9x driver.
The OS/2 character subsystem.
The Posix character subsystem.
An unknown subsystem.
Windows boot application.
Windows CE.
The Windows character subsystem.
The Windows graphical user interface (GUI) subsystem.
XBOX.
ImageSymAbsolute indicates that the symbol has an absolute (non-relocatable) value and is not an address.
ImageSymClassArgument indicates a formal argument (parameter) of a function.
ImageSymClassAutomatic indicates automatic (stack) variable.
ImageSymClassBitField indicates a bit-field reference.
ImageSymClassBlock indicates a .bb (beginning of block) or .eb (end of block) record.
ImageSymClassClrToken indicates a CLR token symbol.
ImageSymClassEndOfFunction indicates a special symbol that represents the end of function, for debugging purposes.
ImageSymClassEndOfStruct indicates an end-of-structure entry.
ImageSymClassEnumTag indicates an enumerated type tagname entry.
ImageSymClassExternal indicates a value that Microsoft tools use for external symbols.
ImageSymClassExternalDef indicates a symbol that is defined externally.
ImageSymClassFile indicates a value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record.
ImageSymClassFunction indicates a value that Microsoft tools use for symbol records that define the extent of a function: begin function (.bf ), end function ( .ef ), and lines in function ( .lf ).
ImageSymClassLabel indicates a code label that is defined within the module.
ImageSymClassMemberOfEnum indicates a member of an enumeration.
ImageSymClassMemberOfStruct indicates the structure member.
ImageSymClassMemberOfUnion indicates a union member.
ImageSymClassNull indicates no assigned storage class.
ImageSymClassRegister indicates a register variable.
ImageSymClassRegisterParam indicates a register parameter.
ImageSymClassSsection indicates a definition of a section (Microsoft tools use STATIC storage class instead).
ImageSymClassStatic indicates the offset of the symbol within the section.
ImageSymClassStructTag indicates the structure tag-name entry.
ImageSymClassTypeDefinition indicates a typedef entry.
ImageSymClassUndefinedLabel indicates a reference to a code label that is not defined.
ImageSymClassUndefinedStatic indicates a static data declaration.
ImageSymClassUnionTag indicates the structure tag-name entry.
ImageSymClassWeakExternal indicates a weak external.
ImageSymDebug indicates that the symbol provides general type or debugging information but does not correspond to a section.
ImageSymTypeByte indicates a byte; unsigned 1-byte integer.
ImageSymTypeChar indicates a character (signed byte).
ImageSymTypeDouble indicates an 8-byte floating-point number.
ImageSymTypeDword indicates an unsigned 4-byte integer.
ImageSymTypeEnum indicates an enumerated type.
ImageSymTypeFloat indicates a 4-byte floating-point number.
ImageSymTypeInt indicates a natural integer type (normally 4 bytes in Windows).
ImageSymTypeLong indicates a 4-byte signed integer.
ImageSymTypeMoe A member of enumeration (a specific value).
ImageSymTypeNull indicates no type information or unknown base type.
ImageSymTypeShort indicates a 2-byte signed integer.
ImageSymTypeStruct indicates a structure.
ImageSymTypeUint indicates an unsigned integer of natural size (normally, 4 bytes).
ImageSymTypeUnion indicates a union.
ImageSymTypeVoid indicates no type no valid type; used with void pointers and functions.
ImageSymTypeWord indicates a word; unsigned 2-byte integer.
ImageSymUndefined indicates that the symbol record is not yet assigned a section.
Terse Executables have a 'VZ' signature.
There are two main varieties of LE executables: LX (32-bit), and LE (mixed 16/32-bit).
Implementation map descriptors used for the platform invocation (P/Invoke) type of managed/unmanaged code interoperation.
Interface implementation descriptors.
Managed resource descriptors.
MaxStringLength represents the maximum length of a string to be retrieved from the file.
Member (field or method) reference descriptors.
Method definition descriptors.
Method implementation descriptors.
A class-to-methods lookup table, which does not exist in optimized metadata (#~ stream).
Method semantics descriptors that hold information about which method is associated with a specific property or event and in what capacity.
Generic method instantiation descriptors.
The current module descriptor.
Module reference descriptors.
Nested class descriptors that provide mapping of nested classes to their respective enclosing classes.
Parameter definition descriptors.
A method-to-parameters lookup table, which does not exist in optimized metadata (#~ stream).
POGOTypeLTCG represents a signature for an undocumented PGO sub type.
POGOTypePGO represents a signature for an undocumented PGO sub type.
POGOTypePGU represents a signature for an undocumented PGO sub type.
POGzOTypePGI represents a signature for an undocumented PGO sub type.
Property descriptors.
A class-to-properties mapping table.
A property map–to–properties lookup table, which does not exist in optimized metadata (#~ stream).
RichSignature ('0x68636952' as dword) is where the rich header struct ends.
Stand-alone signature descriptors.
Heaps Streams Bit Positions.
TinyPESize On Windows XP (x32) the smallest PE executable is 97 bytes.
Class or interface definition descriptors.
Class reference descriptors.
Type specification descriptors.
UnwFlagChainInfo - This unwind info structure is not the primary one for the procedure.
UnwFlagEHandler - The function has an exception handler that should be called when looking for functions that need to examine exceptions.
UnwFlagNHandler - The function has no handler.
UnwFlagUHandler - The function has a termination handler that should be called when unwinding an exception.
Allocate a large-sized area on the stack.
Allocate a small-sized area on the stack.
For version 1 of the UNWIND_INFO structure, this code was called UWOP_SAVE_XMM and occupied 2 records, it retained the lower 64 bits of the XMM register, but was later removed and is now skipped.
Push a machine frame.
Push a nonvolatile integer register, decrementing RSP by 8.
Save a nonvolatile integer register on the stack using a MOV instead of a PUSH.
Save a nonvolatile integer register on the stack with a long offset, using a MOV instead of a PUSH.
Save all 128 bits of a nonvolatile XMM register on the stack.
Save all 128 bits of a nonvolatile XMM register on the stack with a long offset.
Establish the frame pointer register by setting the register to some offset of the current RSP.
UWOP_SET_FPREG_LARGE is a CLR Unix-only extension to the Windows AMD64 unwind codes.
For version 1 of the UNWIND_INFO structure, this code was called UWOP_SAVE_XMM_FAR and occupied 3 records, it saved the lower 64 bits of the XMM register, but was later removed and is now skipped.
WinCertRevision1_0 represents the WIN_CERT_REVISION_1_0 Version 1, legacy version of the Win_Certificate structure.
WinCertRevision2_0 represents the WIN_CERT_REVISION_2_0.
Certificate contains a PKCS#7 SignedData structure.
Reserved.
Terminal Server Protocol Stack Certificate signing (Not Supported).
Certificate contains an X.509 Certificate (Not Supported).
# Variables
AnoAddressOfDataBeyondLimits is reported when Thunk AddressOfData goes beyond limites.
AnoAddressOfEntryPointNull is reported when address of entry point is 0.
AnoAddressOfEPLessSizeOfHeaders is reported when address of entry point is smaller than size of headers, the file cannot run under Windows.
AnoDanSMagicOffset is reported when the `DanS` magic offset is different than 0x80.
AnoImageBaseNull is reported when the image base is null.
AnoImageBaseOverflow is reported when the image base + SizeOfImage is larger than 80000000h/FFFF080000000000h in PE32/P32+.
AnoImportNoNameNoOrdinal is reported when an import entry does not have a name neither an oridinal, most probably malformed data.
AnoInvalidPEChecksum is reported when the optional header checksum field is different from what it should normally be.
AnoInvalidSizeOfImage is reported when SizeOfImage is not multiple of SectionAlignment.
AnoInvalidThunkAddressOfData is reported when thunk address is too spread out.
AnoMajorSubsystemVersion is reported when MajorSubsystemVersion has a value different than the standard 3 --> 6.
AnoManyRepeatedEntries is reported when import directory contains many entries have the same RVA.
No description provided by the author
No description provided by the author
AnoNumberOfRvaAndSizes is reported when NumberOfRvaAndSizes is different than 16.
NumberOfSections is reported when number of sections is larger or equal than 10.
AnoNumberOfSectionsNull is reported when sections count's is 0.
AnonWin32VersionValue is reported when Win32VersionValue is different than 0.
AnoPEHeaderOverlapDOSHeader is reported when the PE headers overlaps with the DOS header.
AnoPETimeStampFuture is reported when the file header timestamp is more than one day ahead of the current date timestamp.
AnoPETimeStampNull is reported when the file header timestamp is 0.
AnoSizeOfOptionalHeaderNull is reported when size of optional header is 0.
AnoUncommonSizeOfOptionalHeader32 is reported when size of optional header for PE32 is larger than 0xE0.
AnoUncommonSizeOfOptionalHeader64 is reported when size of optional header for PE32+ is larger than 0xF0.
ErrDamagedImportTable is reported when the IAT and ILT table length is 0.
ErrDOSMagicNotFound is returned when file is potentially a ZM executable.
No description provided by the author
No description provided by the author
ErrImageBaseNotAligned is reported when the image base is not aligned to 64K.
ErrImageNtOptionalHeaderMagicNotFound is returned when optional header magic is different from PE32/PE32+.
ErrImageNtSignatureNotFound is returned when PE magic signature is not found.
ErrImageOS2LESignatureFound is returned when signature is for a LE file.
ErrImageOS2SignatureFound is returned when signature is for a NE file.
ErrImageTESignatureFound is returned when signature is for a TE file.
ErrImageVXDSignatureFound is returned when signature is for a LX file.
ErrInvalidBaseRelocVA is reposed when base reloc lies outside of the image.
ErrInvalidBasicRelocSizeOfBloc is reposed when base reloc is too large.
ErrInvalidElfanewValue is returned when e_lfanew is larger than file size.
ErrInvalidFileAlignment is reported when file alignment is larger than 0x200 and not a power of 2.
ErrInvalidNtHeaderOffset is returned when the NT Header offset is beyond the image file.
ErrInvalidPESize is returned when the file size is less that the smallest PE file size possible.ErrImageOS2SignatureFound.
ErrInvalidSectionAlignment is reported when file alignment is lesser than 0x200 and different from section alignment.
ErrInvalidSectionFileAlignment is reported when section alignment is less than a PAGE_SIZE and section alignement != file alignment.
ErrOutsideBoundary is reported when attempting to read an address beyond file image limits.
OleAut32OrdNames maps ordinals to names.
OpInfoRegisters maps registers to string.
OrdNames maps the dll names to ordinal names.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
Predefined Resource Types.
UnOpToString maps unwind opcodes to strings.
WS232OrdNames maps ordinals to name.
# Structs
BoundForwardedRefData reprents the struct in addition to the dll name.
BoundImportDescriptorData represents the descripts in addition to forwarded refs.
Certificate directory.
CertInfo wraps the important fields of the pkcs7 structure.
No description provided by the author
No description provided by the author
CLRData embeds the Common Language Runtime Header structure as well as the Metadata header structure.
No description provided by the author
COFF holds properties related to the COFF format.
COFFSymbol represents an entry in the COFF symbol table, which it is an array of records, each 18 bytes long.
CompID represents the `@comp.id` structure.
No description provided by the author
CVHeader represents the the CodeView header struct to the PDB 2.0 file.
CvInfoPDB20 represents the the CodeView data block of a PDB 2.0 file.
CvInfoPDB70 represents the the CodeView data block of a PDB 7.0 file.
DataDirectory represents an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file.
DebugEntry wraps ImageDebugDirectory to include debug directory type.
DelayImport represents an entry in the delay import table.
DVRT Dynamic Value Relocation Table.
No description provided by the author
Exception represent an entry in the function table.
Export represent the export table.
ExportFunction represents an imported function in the export table.
A File represents an open PE file.
FPOData Represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used.
GUID is a 128-bit value consisting of one group of 8 hexadecimal digits, followed by three groups of 4 hexadecimal digits each, followed by onegroup of 12 hexadecimal digits.
No description provided by the author
IATEntry represents an entry inside the IAT.
ImageARMRuntimeFunctionEntry represents the function table entry for the ARM platform.
ImageBaseRelocation represents the IMAGE_BASE_RELOCATION structure.
ImageBaseRelocationEntry represents an image base relocation entry.
ImageBoundForwardedRef represents the IMAGE_BOUND_FORWARDER_REF.
ImageBoundImportDescriptor represents the IMAGE_BOUND_IMPORT_DESCRIPTOR.
No description provided by the author
No description provided by the author
No description provided by the author
ImageCOR20Header represents the CLR 2.0 header structure.
ImageCORVTableFixup defines the v-table fixups that contains the initializing information necessary for the runtime to create the thunks.
ImageDataDirectory represents the directory format.
ImageDebugDirectory represents the IMAGE_DEBUG_DIRECTORY structure.
ImageDebugMisc represents the IMAGE_DEBUG_MISC structure.
ImageDelayImportDescriptor represents the _IMAGE_DELAYLOAD_DESCRIPTOR structure.
ImageDosHeader represents the DOS stub of a PE.
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
No description provided by the author
ImageEnclaveImport defines a entry in the array of images that an enclave can import.
No description provided by the author
ImageExportDirectory represents the IMAGE_EXPORT_DIRECTORY structure.
ImageFileHeader contains infos about the physical layout and properties of the file.
ImageImportDescriptor describes the remainder of the import information.
ImageLoadConfigCodeIntegrity Code Integrity in loadconfig (CI).
ImageLoadConfigDirectory32 Contains the load configuration data of an image for x86 binaries.
ImageLoadConfigDirectory32v1 size is 0x40.
ImageLoadConfigDirectory32v10 size is 0xA4 since Windows 10 build 18362 (or maybe earlier).
ImageLoadConfigDirectory32v11 size is 0xAC since Windows 10 build 19564 (or maybe earlier).
ImageLoadConfigDirectory32v12 size is 0xB8 since Visual C++ 2019 / RS5_IMAGE_LOAD_CONFIG_DIRECTORY32.
ImageLoadConfigDirectory32v2 size is 0x48.
ImageLoadConfigDirectory32v3 size is 0x5C.
ImageLoadConfigDirectory32v4 size is 0x6c since Windows 10 (preview 9879).
ImageLoadConfigDirectory32v5 size is 0x78 since Windows 10 build 14286 (or maybe earlier).
ImageLoadConfigDirectory32v6 size is 0x80 since Windows 10 build 14383 (or maybe earlier).
ImageLoadConfigDirectory32v7 size is 0x90 since Windows 10 build 14901 (or maybe earlier).
ImageLoadConfigDirectory32v8 size is 0x98 since Windows 10 build 15002 (or maybe earlier).
ImageLoadConfigDirectory32v9 size is 0xA0 since Windows 10 build 16237 (or maybe earlier).
ImageLoadConfigDirectory64 Contains the load configuration data of an image for x64 binaries.
ImageLoadConfigDirectory64v10 for binaries compiled since Windows 10 build 18362 (or maybe earlier).
ImageLoadConfigDirectory64v11 for binaries compiled since Windows 10 build 19534 (or maybe earlier).
ImageLoadConfigDirectory64v12 for binaries compiled since Visual C++ 2019 / RS5_IMAGE_LOAD_CONFIG_DIRECTORY64.
ImageLoadConfigDirectory64v2 is the first structure for x64.
ImageLoadConfigDirectory64v3 added #pragma pack(4).
ImageLoadConfigDirectory64v4 for binaries compiled since Windows 10 build 9879 (or maybe earlier).
ImageLoadConfigDirectory64v5 for binaries compiled since Windows 10 build 14286 (or maybe earlier).
ImageLoadConfigDirectory64v6 for binaries compiled since Windows 10 build 14393 (or maybe earlier).
ImageLoadConfigDirectory64v7 for binaries compiled since Windows 10 build 14901 (or maybe earlier).
ImageLoadConfigDirectory64v8 for binaries compiled since Windows 10 build 15002 (or maybe earlier).
ImageLoadConfigDirectory64v9 for binaries compiled since Windows 10 build 15002 (or maybe earlier).
ImageNtHeader represents the PE header and is the general term for a structure named IMAGE_NT_HEADERS.
ImageOptionalHeader32 represents the PE32 format structure of the optional header.
ImageOptionalHeader64 represents the PE32+ format structure of the optional header.
No description provided by the author
No description provided by the author
ImageResourceDataEntry Each Resource Data entry describes an actual unit of raw data in the Resource Data area.
ImageResourceDirectory represents the IMAGE_RESOURCE_DIRECTORY.
ImageResourceDirectoryEntry represents an entry in the resource directory entries.
ImageRuntimeFunctionEntry represents an entry in the function table on 64-bit Windows.
ImageSectionHeader is part of the section table , in fact section table is an array of Image Section Header each contains information about one section of the whole file such as attribute,virtual offset.
ImageThunkData32 corresponds to one imported function from the executable.
ImageThunkData64 is the PE32+ version of IMAGE_THUNK_DATA.
ImageTLSDirectory32 represents the IMAGE_TLS_DIRECTORY32 structure.
ImageTLSDirectory64 represents the IMAGE_TLS_DIRECTORY64 structure.
No description provided by the author
Import represents an empty entry in the emport table.
ImportFunction represents an imported function in the import table.
No description provided by the author
MetadataHeader consists of a storage signature and a storage header.
MetadataStreamHeader represents a Metadata Stream Header Structure.
MetadataTable represents the content of a particular table in the metadata.
MetadataTableStreamHeader represents the Metadata Table Stream Header Structure.
ModuleTableRow represents the `Module` metadata table contains a single record that provides the identification of the current module.
Options for Parsing.
POGO structure that information related to the Profile Guided Optimization.
No description provided by the author
Relocation represents the relocation table which holds the data that needs to be relocated.
No description provided by the author
No description provided by the author
No description provided by the author
ResourceDataEntry represents a resource data entry.
ResourceDirectory represents resource directory information.
ResourceDirectoryEntry represents a resource directory entry.
RichHeader is a structure that is written right after the MZ DOS header.
Section represents a PE section header, plus additionnal data like entropy.
No description provided by the author
No description provided by the author
TLSDirectory represents tls directory information with callback entries.
No description provided by the author
UnwindCode is used to record the sequence of operations in the prolog that affect the nonvolatile registers and RSP.
UnwindInfo represents the _UNWIND_INFO structure.
No description provided by the author
No description provided by the author
WinCertificate encapsulates a signature used in verifying executable files.