github.com/saferwall/pe
Version: 1.5.4
Repository: https://github.com/saferwall/pe.git
Documentation: pkg.go.dev

# README

Portable Executable Parser

pe is a Go package for parsing the portable executable file format. This package was designed with malware analysis in mind and to be resistant to PE malformations.

Features

  • Works with PE32/PE32+ file format.
  • Supports Intel x86/AMD64/ARM7/ARM7 Thumb/ARM8-64/IA64/CHPE architectures.
  • MS DOS header.
  • Rich Header (calculate checksum and hash).
  • NT Header (file header + optional header).
  • COFF symbol table and string table.
  • Sections headers + entropy calculation.
  • Data directories
    • Import Table + ImpHash calculation.
    • Export Table
    • Resource Table
    • Exceptions Table
    • Security Table + Authentihash calculation.
    • Relocations Table
    • Debug Table (CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS debug types).
    • TLS Table
    • Load Config Directory (SEH, GFID, GIAT, Guard LongJumps, CHPE, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables).
    • Bound Import Table
    • Delay Import Table
    • COM Table (CLR Metadata Header, Metadata Table Streams)
  • Report several anomalies

Installing

Using this go package is easy. First, use go get to install the latest version of the library. This command will install the pedumper executable along with the library and its dependencies:

go get -u github.com/saferwall/pe

Next, include the pe package in your application:

import "github.com/saferwall/pe"

Using the library

package main

import (
	"log"

	peparser "github.com/saferwall/pe"
)

func main() {
	filename := "C:\\Binaries\\notepad.exe"

	// Open the file; no parsing happens yet.
	pe, err := peparser.New(filename, &peparser.Options{})
	if err != nil {
		log.Fatalf("Error while opening file: %s, reason: %v", filename, err)
	}

	// Parse the headers and data directories into the File struct.
	err = pe.Parse()
	if err != nil {
		log.Fatalf("Error while parsing file: %s, reason: %v", filename, err)
	}
}

Start by instantiating a pe object by calling the New() method, which takes the path of the file to be parsed and a set of options.

Afterwards, a call to the Parse() method gives you access to all the different parts of the PE format, directly accessible to be used. Here is the definition of the struct:

type File struct {
	DOSHeader    ImageDOSHeader
	RichHeader   RichHeader
	NtHeader     ImageNtHeader
	COFF         COFF
	Sections     []Section
	Imports      []Import
	Export       Export
	Debugs       []DebugEntry
	Relocations  []Relocation
	Resources    ResourceDirectory
	TLS          TLSDirectory
	LoadConfig   LoadConfig
	Exceptions   []Exception
	Certificates Certificate
	DelayImports []DelayImport
	BoundImports []BoundImportDescriptorData
	GlobalPtr    uint32
	CLR          CLRData
	IAT          []IATEntry
	Header       []byte
	data         mmap.MMap
	closer       io.Closer
	Is64         bool
	Is32         bool
	Anomalies    []string
	size         uint32
	f            *os.File
	opts         *Options
}

PE Header

As mentioned before, all members of the struct are directly accessible (no getters). Additionally, the field types have been preserved as the spec defines them, which means that if you need to show the prettified version of an int type, you have to call the corresponding helper function.

fmt.Printf("Magic is: 0x%x\n", pe.DOSHeader.Magic)
fmt.Printf("Signature is: 0x%x\n", pe.NtHeader.Signature)
fmt.Printf("Machine is: 0x%x, Meaning: %s\n", pe.NtHeader.FileHeader.Machine, pe.PrettyMachineType())

Output:

Magic is: 0x5a4d
Signature is: 0x4550
Machine is: 0x8664, Meaning: x64

Rich Header

Example:

richHeader, _ := json.Marshal(pe.RichHeader)
fmt.Print(prettyPrint(richHeader))

Output:

{
    "XorKey": 2796214951,
    "CompIDs": [
        {
            "MinorCV": 27412,
            "ProdID": 257,
            "Count": 4,
            "Unmasked": 16870164
        },
        {
            "MinorCV": 30729,
            "ProdID": 147,
            "Count": 193,
            "Unmasked": 9664521
        },
        {
            "MinorCV": 0,
            "ProdID": 1,
            "Count": 1325,
            "Unmasked": 65536
        },
        {
            "MinorCV": 27412,
            "ProdID": 260,
            "Count": 9,
            "Unmasked": 17066772
        },
        {
            "MinorCV": 27412,
            "ProdID": 259,
            "Count": 3,
            "Unmasked": 17001236
        },
        {
            "MinorCV": 27412,
            "ProdID": 256,
            "Count": 1,
            "Unmasked": 16804628
        },
        {
            "MinorCV": 27412,
            "ProdID": 269,
            "Count": 209,
            "Unmasked": 17656596
        },
        {
            "MinorCV": 27412,
            "ProdID": 255,
            "Count": 1,
            "Unmasked": 16739092
        },
        {
            "MinorCV": 27412,
            "ProdID": 258,
            "Count": 1,
            "Unmasked": 16935700
        }
    ],
    "DansOffset": 128,
    "Raw": "47vE9afaqqan2qqmp9qqprOxq6ej2qqmrqI5pmbaqqan2qumit+qprOxrqeu2qqms7Gpp6TaqqazsaqnptqqprOxp6d22qqms7FVpqbaqqazsainptqqplJpY2in2qqm"
}
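
The Raw and XorKey fields in this output are enough to reproduce the CompIDs list by hand. The program below is an added example, not code from the saferwall/pe project: it assumes the usual Rich header layout (masked DanS marker, three masked padding dwords, 8-byte comp-ID/count pairs, then the clear-text Rich marker and the key), and decodeRich, pageHeader and the anomaly text are hypothetical names chosen for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Markers as little-endian dwords ("DanS" and "Rich"); the Rich value is the
// one this page lists for the RichSignature constant.
const (
	dansSig uint32 = 0x536E6144
	richSig uint32 = 0x68636952
)

// "Raw" and "XorKey" copied from the README output above.
const (
	pageRaw = "47vE9afaqqan2qqmp9qqprOxq6ej2qqmrqI5pmbaqqan2qumit+qprOxrqeu2qqm" +
		"s7Gpp6TaqqazsaqnptqqprOxp6d22qqms7FVpqbaqqazsainptqqplJpY2in2qqm"
	pageKey uint32 = 2796214951
)

// CompID mirrors the fields of one CompIDs entry in that output.
type CompID struct {
	MinorCV  uint16 // low 16 bits of the unmasked dword
	ProdID   uint16 // high 16 bits of the unmasked dword
	Count    uint32 // second dword of the pair, also masked with the key
	Unmasked uint32 // the whole comp-ID dword after XOR with the key
}

var (
	errTruncated = errors.New("rich header: truncated or misaligned")
	errNoRich    = errors.New("rich header: trailing Rich marker missing")
	errNoDanS    = errors.New("rich header: DanS not found after unmasking")
)

// pageHeader (hypothetical helper) returns the README's raw header bytes.
func pageHeader() []byte {
	raw, err := base64.StdEncoding.DecodeString(pageRaw)
	if err != nil {
		panic(err)
	}
	return raw
}

// decodeRich (hypothetical helper) unmasks a raw Rich header. It returns the
// key, the decoded entries and any padding anomalies. A wrong or tampered key
// shows up as errNoDanS, the condition the library's AnoDansSigNotFound names.
func decodeRich(raw []byte) (uint32, []CompID, []string, error) {
	n := len(raw)
	// Minimum size: DanS + 3 padding dwords + Rich + key = 24 bytes,
	// followed by zero or more 8-byte entries.
	if n < 24 || (n-24)%8 != 0 {
		return 0, nil, nil, errTruncated
	}
	le := binary.LittleEndian
	if le.Uint32(raw[n-8:]) != richSig {
		return 0, nil, nil, errNoRich
	}
	key := le.Uint32(raw[n-4:])
	body := raw[:n-8]
	dw := func(off int) uint32 { return le.Uint32(body[off:]) ^ key }

	if dw(0) != dansSig {
		return key, nil, nil, errNoDanS
	}
	// Same condition the library reports as AnoPaddingDwordNotZero.
	var anomalies []string
	for off := 4; off < 16; off += 4 {
		if dw(off) != 0 {
			anomalies = append(anomalies,
				fmt.Sprintf("padding dword at offset %d is not zero", off))
		}
	}
	var ids []CompID
	for off := 16; off < len(body); off += 8 {
		id := dw(off)
		ids = append(ids, CompID{
			MinorCV: uint16(id), ProdID: uint16(id >> 16),
			Count: dw(off + 4), Unmasked: id,
		})
	}
	return key, ids, anomalies, nil
}

func main() {
	key, ids, anomalies, err := decodeRich(pageHeader())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("XorKey=%d entries=%d anomalies=%v\n", key, len(ids), anomalies)
	for _, c := range ids {
		fmt.Printf("ProdID=%d MinorCV=%d Count=%d Unmasked=%d\n",
			c.ProdID, c.MinorCV, c.Count, c.Unmasked)
	}
}
```

Because every dword is masked with the same key, a header whose stored key was altered no longer unmasks to DanS, and a header with non-zero padding still decodes but is worth flagging during triage.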

Iterating over sections

for _, sec := range pe.Sections {
    fmt.Printf("Section Name : %s\n", sec.NameString())
    fmt.Printf("Section VirtualSize : %x\n", sec.Header.VirtualSize)
    fmt.Printf("Section Flags : %x, Meaning: %v\n\n",
        sec.Header.Characteristics, sec.PrettySectionFlags())
}

Output:

Section Name : .text
Section VirtualSize : 2ea58
Section Flags : 60500060, Meaning: [Align8Bytes Readable Align16Bytes Executable Contains Code Initialized Data Align1Bytes]

Section Name : .data
Section VirtualSize : 58
Section Flags : c0500040, Meaning: [Readable Initialized Data Writable Align1Bytes Align16Bytes Align8Bytes]

Section Name : .rdata
Section VirtualSize : 18d0
Section Flags : 40600040, Meaning: [Align2Bytes Align8Bytes Readable Initialized Data Align32Bytes]

...

Roadmap

  • imports MS-styled names demangling
  • PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table

Fuzz Testing

To validate the parser, we use go-fuzz and a corpus of known malformed and tricky PE files from corkami.

Projects Using This Library

Fibratus: a modern tool for Windows kernel exploration and tracing with a focus on security.

# Packages

No description provided by the author
No description provided by the author

# Functions

DecodeUTF16String decodes the UTF16 string from the byte slice.
IsBitSet returns true when a bit on a particular position is set.
IsPrintable checks whether a string is printable.
IsValidDosFilename returns true if the DLL name is likely to be valid.
IsValidFunctionName checks if an imported name uses the valid accepted characters expected in mangled function names.
Max returns the larger of x or y.
MetadataTableIndexToString returns the string representation of the metadata table index.
Min returns the min number in a slice.
New instantiates a file instance with options given a file name.
NewBytes instantiates a file instance with options given a memory buffer.
OrdLookup returns API name given an ordinal.
PrettyResourceLang prettifies the resource lang and sub lang.
PrettyUnwindInfoHandlerFlags returns the string representation of the `flags` field of the unwind info structure.
ProdIDtoStr maps product ids to MS internal names.
ProdIDtoVSversion retrieves the Visual Studio version from product id.
SectionAttributeDescription maps a section attribute to a friendly name.
StringifyGuardFlags returns list of strings which describes the GuardFlags.

# Constants

AnoDansSigNotFound is reported when rich header signature was found, but.
AnoInvalidGlobalPtrReg is reported when the global pointer register offset is outside the image.
AnoPaddingDwordNotZero is reported when rich header signature leading padding DWORDs are not equal to 0.
The current assembly descriptor, which should appear only in the prime module metadata.
This table is unused.
This table is unused.
Assembly reference descriptors.
This table is unused.
This table is unused.
Heaps Streams Bit Positions.
Class layout descriptors that hold information about how the loader should lay out respective classes.
This flag is obsolete and should not be set.
The image file can be loaded into any process, but preferably into a 32-bit process.
The image file can be loaded only into a 32-bit process.
The image file contains IL code only, with no embedded native unmanaged code except the start-up stub (which simply executes an indirect jump to the CLR entry point).
The executable’s entry point is an unmanaged method.
The image file is protected with a strong name signature.
The CLR loader and the JIT compiler are required to track debug information about the methods.
Constant value descriptors that map the default values stored in the #Blob stream to respective fields, parameters, and properties.
V-table slots are 32-bits in size.
V-table slots are 64-bits in size.
Call most derived method described by.
The thunk created by the common language runtime must provide data marshaling between managed and unmanaged code.
The thunk created by the common language runtime must provide data marshaling between managed and unmanaged code.
Custom attribute descriptors.
CVSignatureNB10 represents the CodeView signature 'NB10'.
CVSignatureRSDS represents the CodeView signature 'SDSR'.
DansSignature ('DanS' as dword) is where the rich header struct starts.
Security descriptors.
Edit-and-continue log descriptors that hold information about what changes have been made to specific metadata items during in-memory editing.
Edit-and-continue mapping descriptors.
Event descriptors.
A class-to-events mapping table.
An event map–to–events lookup table, which does not exist in optimized metadata (#~ stream).
Exported type descriptors that contain information about public classes exported by the current assembly, which are declared in other modules of the assembly.
Field definition descriptors.
Field layout descriptors that specify the offset or ordinal of individual fields.
Field or parameter marshaling descriptors for managed/unmanaged inter-operations.
A class-to-fields lookup table, which does not exist in optimized metadata (#~ stream).
Field-to-data mapping descriptors.
FileAlignmentHardcodedValue represents the value that PointerToRawData must be equal to or greater than; otherwise it will be rounded to zero.
File descriptors that contain information about other files in the current assembly.
FrameFPO indicates a frame of type FPO.
FrameNonFPO indicates a frame of type Non-FPO.
FrameTrap indicates a frame of type Trap.
FrameTSS indicates a frame of type TSS.
Type parameter descriptors for generic (parameterized) classes and methods.
Descriptors of constraints specified for type parameters of generic classes and methods.
Heaps Streams Bit Positions.
Reserved for Borland.
Reserved.
The Visual C++ debug information.
The COFF debug information (line numbers, symbol table, and string table).
A copy of .pdata section.
Extended DLL characteristics bits.
Reserved.
The frame pointer omission (FPO) information.
Incremental Link Time Code Generation (iLTCG).
The location of DBG file.
Intel MPX.
The mapping from an RVA in source image to an RVA in image.
The mapping from an RVA in image to an RVA in source image.
Pogo aka PGO aka Profile Guided Optimization.
PE determinism or reproducibility.
Reserved.
An unknown value that is ignored by all tools.
Visual C++ features (/GS counts /sdl counts and guardN counts).
Architecture Specific Data.
Base Relocation Table.
The bound import table.
Certificate Directory.
CLR Runtime Header.
Debug.
Delay Import Descriptor.
Exception Table.
Export Table.
The RVA of the value to be stored in the global pointer register.
Import Address Table.
Import Table.
The load configuration table.
Must be zero.
Resource Table.
The thread local storage (TLS) table.
Image must execute in an AppContainer.
DLL can be relocated at load time.
ImageDllCharacteristicsExCETCompat indicates that the image is CET compatible.
Code Integrity checks are enforced.
Image supports Control Flow Guard.
Image can handle a high entropy 64-bit virtual address space.
Do not bind the image.
Isolation aware, but do not isolate the image.
Does not use structured exception (SE) handling.
Image is NX compatible.
Reserved, must be zero.
Reserved, must be zero.
Reserved, must be zero.
Reserved, must be zero.
Terminal Server aware.
A WDM driver.
MZ.
ZM.
No description provided by the author
No description provided by the author
ImageEnclaveImportMatchAuthorId indicates that the value of the enclave author identifier of the image must match the value in the import record.
ImageEnclaveImportMatchFamilyId indicates that the value of the enclave family identifier of the image must match the value in the import record.
ImageEnclaveImportMatchImageId indicates that the value of the enclave image identifier must match the value in the import record.
ImageEnclaveImportMatchNone indicates that none of the identifiers of the image need to match the value in the import record.
ImageEnclaveImportMatchUniqueId indicates that the value of the enclave unique identifier of the image must match the value in the import record.
Software enclave information.
Software enclave information.
Machine is based on 32-bit architecture.
Aggressively trim the working set.
Big endian.
Little endian.
Debug information has been removed from the image file.
The image file is a DLL rather than an EXE.
Flag indicates that the file is an image file (EXE or DLL).
Application can handle addresses beyond the 2GB range.
COFF line numbers have been removed.
COFF symbol table entries for local symbols have been removed.
Matsushita AM33.
x64.
ARM little endian.
ARM64 little endian.
ARM Thumb-2 little endian.
EFI byte code.
Intel 386 or later processors and compatible processors.
Intel Itanium processor family.
Mitsubishi M32R little endian.
MIPS16.
MIPS with FPU.
MIPS16 with FPU.
Power PC little endian.
Power PC with floating point support.
MIPS little endian.
RISC-V 128-bit address space.
RISC-V 32-bit address space.
RISC-V 64-bit address space.
Hitachi SH3.
Hitachi SH3 DSP.
Hitachi SH4.
Hitachi SH5.
Thumb.
The contents of this field are assumed to be applicable to any machine type.
MIPS little-endian WCE v2.
If the image file is on a network, copy and run it from the swap file.
Image file only.
If the image file is on removable media, copy and run it from the swap file.
The image file is a system file (for example, a device driver).
The image file should be run on a uniprocessor machine only.
ImageGuardCfEnableExportSuppression indicates that the module enables suppression of exports.
ImageGuardCfExportSuppressionInfoPresent indicates that the module contains suppressed export information.
ImageGuardCfFunctionTablePresent indicates that the module contains valid control flow target metadata.
ImageGuardCfFunctionTableSizeMask is the mask for the subfield that contains the stride of Control Flow Guard function table entries (that is, the additional count of bytes per table entry).
ImageGuardCfFunctionTableSizeShift indicates the shift to right-justify Guard CF function table stride.
ImageGuardCfInstrumented indicates that the module performs control flow integrity checks using system-supplied support.
ImageGuardCfLongJumpTablePresent indicates that the module contains long jmp target information.
ImageGuardCfWInstrumented indicates that the module performs control flow and write integrity checks.
ImageGuardDelayLoadIATInItsOwnSection indicates that the delay-load import table is in its own .didat section (with nothing else in it) that can be freely reprotected.
ImageGuardFlagExportSuppressed indicates that the call target is export suppressed.
ImageGuardFlagFIDSuppressed indicates that the call target is explicitly suppressed (do not treat it as valid for purposes of CFG).
ImageGuardProtectDelayLoadIAT indicates that the module supports read only delay load IAT.
ImageGuardSecurityCookieUnused indicates that the module does not make use of the /GS security cookie.
Optional Header magic.
Optional Header magic.
PE00.
Tables count.
Linear Executable is an executable file format in the EXE family.
The New Executable (abbreviated NE or NewEXE) is a 16-bit .exe file format, a successor to the DOS MZ executable format.
The base relocation is skipped.
This relocation is meaningful only when the machine type is ARM or Thumb.
The base relocation applies the difference to the 64-bit field at offset.
The base relocation adds the high 16 bits of the difference to the 16-bit field at offset.
The base relocation adds the high 16 bits of the difference to the 16-bit field at offset.
The base relocation applies all 32 bits of the difference to the 32-bit field at offset.
The base relocation adds the low 16 bits of the difference to the 16-bit field at offset.
The relocation interpretation is dependent on the machine type.
The relocation is only meaningful when the machine type is MIPS.
This relocation is only meaningful when the machine type is RISC-V.
This relocation is only meaningful when the machine type is RISC-V.
This relocation is only meaningful when the machine type is RISC-V.
This relocation is meaningful only when the machine type is Thumb.
Reserved, must be zero.
Optional Header magic.
ImageSectionAlign1024Bytes indicates to align data on a 1024-byte boundary.
ImageSectionAlign128Bytes indicates to align data on a 128-byte boundary.
ImageSectionAlign16Bytes indicates to align data on a 16-byte boundary.
ImageSectionAlign1Bytes indicates to align data on a 1-byte boundary.
ImageSectionAlign2048Bytes indicates to align data on a 2048-byte boundary.
ImageSectionAlign256Bytes indicates to align data on a 256-byte boundary.
ImageSectionAlign2Bytes indicates to align data on a 2-byte boundary.
ImageSectionAlign32Bytes indicates to align data on a 32-byte boundary.
ImageSectionAlign4096Bytes indicates to align data on a 4096-byte boundary.
ImageSectionAlign4Bytes indicates to align data on a 4-byte boundary.
ImageSectionAlign512Bytes indicates to align data on a 512-byte boundary.
ImageSectionAlign64Bytes indicates to align data on a 64-byte boundary.
ImageSectionAlign8192Bytes indicates to align data on an 8192-byte boundary.
ImageSectionAlign8Bytes indicates to align data on an 8-byte boundary.
ImageSectionCntCode indicates the section contains executable code.
ImageSectionCntInitializedData indicates the section contains initialized data.
ImageSectionCntUninitializedData indicates the section contains uninitialized data.
ImageSectionGpRel indicates the section contains data referenced through the global pointer (GP).
ImageSectionLnkComdat indicates the section contains COMDAT data.
ImageSectionLnkInfo indicates the section contains comments or other information.
ImageSectionLnkMRelocOvfl indicates the section contains extended relocations.
ImageSectionLnkOther is reserved for future use.
ImageSectionLnkRemove indicates the section will not become part of the image. This is valid only for object files.
ImageSectionMem16Bit is reserved for future use.
ImageSectionMemDiscardable indicates the section can be discarded as needed.
ImageSectionMemExecute indicates the section can be executed as code.
ImageSectionMemLocked is reserved for future use.
ImageSectionMemNotCached indicates the section cannot be cached.
ImageSectionMemNotPaged indicates the section is not pageable.
ImageSectionMemPreload is reserved for future use.
ImageSectionMemPurgeable is reserved for future use.
ImageSectionMemRead indicates the section can be read.
ImageSectionMemShared indicates the section can be shared in memory.
ImageSectionMemWrite indicates the section can be written to.
ImageSectionReserved1 for future use.
ImageSectionReserved2 for future use.
ImageSectionReserved3 for future use.
ImageSectionReserved4 for future use.
ImageSectionReserved5 for future use.
ImageSectionReserved6 for future use.
ImageSectionTypeNoPad indicates the section should not be padded to the next boundary.
An Extensible Firmware Interface (EFI) application.
An EFI driver with boot services.
An EFI ROM image.
An EFI driver with run-time services.
Device drivers and native Windows processes.
Native Win9x driver.
The OS/2 character subsystem.
The Posix character subsystem.
An unknown subsystem.
Windows boot application.
Windows CE.
The Windows character subsystem.
The Windows graphical user interface (GUI) subsystem.
XBOX.
ImageSymAbsolute indicates that the symbol has an absolute (non-relocatable) value and is not an address.
ImageSymClassArgument indicates a formal argument (parameter) of a function.
ImageSymClassAutomatic indicates automatic (stack) variable.
ImageSymClassBitField indicates a bit-field reference.
ImageSymClassBlock indicates a .bb (beginning of block) or .eb (end of block) record.
ImageSymClassClrToken indicates a CLR token symbol.
ImageSymClassEndOfFunction indicates a special symbol that represents the end of function, for debugging purposes.
ImageSymClassEndOfStruct indicates an end-of-structure entry.
ImageSymClassEnumTag indicates an enumerated type tagname entry.
ImageSymClassExternal indicates a value that Microsoft tools use for external symbols.
ImageSymClassExternalDef indicates a symbol that is defined externally.
ImageSymClassFile indicates a value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record.
ImageSymClassFunction indicates a value that Microsoft tools use for symbol records that define the extent of a function: begin function (.bf), end function (.ef), and lines in function (.lf).
ImageSymClassLabel indicates a code label that is defined within the module.
ImageSymClassMemberOfEnum indicates a member of an enumeration.
ImageSymClassMemberOfStruct indicates the structure member.
ImageSymClassMemberOfUnion indicates a union member.
ImageSymClassNull indicates no assigned storage class.
ImageSymClassRegister indicates a register variable.
ImageSymClassRegisterParam indicates a register parameter.
ImageSymClassSsection indicates a definition of a section (Microsoft tools use STATIC storage class instead).
ImageSymClassStatic indicates the offset of the symbol within the section.
ImageSymClassStructTag indicates the structure tag-name entry.
ImageSymClassTypeDefinition indicates a typedef entry.
ImageSymClassUndefinedLabel indicates a reference to a code label that is not defined.
ImageSymClassUndefinedStatic indicates a static data declaration.
ImageSymClassUnionTag indicates the structure tag-name entry.
ImageSymClassWeakExternal indicates a weak external.
ImageSymDebug indicates that the symbol provides general type or debugging information but does not correspond to a section.
ImageSymTypeByte indicates a byte; unsigned 1-byte integer.
ImageSymTypeChar indicates a character (signed byte).
ImageSymTypeDouble indicates an 8-byte floating-point number.
ImageSymTypeDword indicates an unsigned 4-byte integer.
ImageSymTypeEnum indicates an enumerated type.
ImageSymTypeFloat indicates a 4-byte floating-point number.
ImageSymTypeInt indicates a natural integer type (normally 4 bytes in Windows).
ImageSymTypeLong indicates a 4-byte signed integer.
ImageSymTypeMoe indicates a member of enumeration (a specific value).
ImageSymTypeNull indicates no type information or unknown base type.
ImageSymTypeShort indicates a 2-byte signed integer.
ImageSymTypeStruct indicates a structure.
ImageSymTypeUint indicates an unsigned integer of natural size (normally, 4 bytes).
ImageSymTypeUnion indicates a union.
ImageSymTypeVoid indicates no valid type; used with void pointers and functions.
ImageSymTypeWord indicates a word; unsigned 2-byte integer.
ImageSymUndefined indicates that the symbol record is not yet assigned a section.
Terse Executables have a 'VZ' signature.
There are two main varieties of LE executables: LX (32-bit), and LE (mixed 16/32-bit).
Implementation map descriptors used for the platform invocation (P/Invoke) type of managed/unmanaged code inter-operation.
Interface implementation descriptors.
Afrikaans (af).
Albanian (sq).
Alsatian (gsw).
Amharic (am).
Arabic (ar).
Armenian (hy).
Assamese (as).
Azerbaijani (Latin) (az).
Bangla (bn).
Bashkir (ba).
Basque (eu).
Belarusian (be).
Bosnian (Latin) (bs).
Breton (br).
Bulgarian (bg).
Burmese (my).
Catalan (ca).
Central Kurdish (ku).
Cherokee (chr).
Chinese (Simplified) (zh).
Corsican (co).
Croatian (hr).
Czech (cs).
Danish (da).
Dari (prs).
Divehi (dv).
Dutch (nl).
English (en).
Estonian (et).
Faroese (fo).
Filipino (fil).
Finnish (fi).
French (fr).
Frisian (fy).
Fulah (ff).
Fulah (Latin) (ff-Latn).
Galician (gl).
Georgian (ka).
German (de).
Greek (el).
Greenlandic (kl).
Guarani (gn).
Gujarati (gu).
Hausa (Latin) (ha).
Hawaiian (haw).
Hebrew (he).
Hindi (hi).
Hungarian (hu).
Icelandic (is).
LangIDLength specifies the length of the language identifier string.
Igbo (ig).
Indonesian (id).
Inuktitut (Latin) (iu).
Invariant locale language.
Irish (ga).
Italian (it).
Japanese (ja).
Kannada (kn).
Kashmiri (ks).
Kazakh (kk).
Khmer (km).
K'iche (quc).
Kinyarwanda (rw).
Kiswahili (sw).
Konkani (kok).
Korean (ko).
Kyrgyz (ky).
Lao (lo).
Latvian (lv).
Lithuanian (lt).
Lower Sorbian (dsb).
Luxembourgish (lb).
Macedonian (mk).
Malay (ms).
Malayalam (ml).
Maltese (mt).
Maori (mi).
Mapudungun (arn).
Marathi (mr).
Mohawk (moh).
Mongolian (Cyrillic) (mn).
Nepali (ne).
Default custom (MUI) locale language.
Norwegian (Bokmal) (nb).
Norwegian (Bokmal) (no).
Norwegian (Nynorsk) (nn).
Occitan (oc).
Odia (or).
Oromo (om).
Pashto (ps).
Persian (fa).
Polish (pl).
Portuguese (pt).
Punjabi (pa).
Quechua (quz).
Romanian (ro).
Romansh (rm).
Russian (ru).
Sakha (sah).
Sami (Inari) (smn).
Sami (Lule) (smj).
Sami (Northern) (se).
Sami (Skolt) (sms).
Sami (Southern) (sma).
Sanskrit (sa).
Scottish Gaelic (gd).
Serbian (Latin) (sr).
Sesotho Sa Leboa (nso).
Setswana (tn).
Sindhi (sd).
Sinhala (si).
Slovak (sk).
Slovenian (sl).
Somali (so).
Sotho (st).
Spanish (es).
Swedish (sv).
Syriac (syr).
System default locale language.
Tajik (Cyrillic) (tg).
Tamazight (Latin) (tzm).
Tamil (ta).
Tatar (tt).
Telugu (te).
Thai (th).
Tibetan (bo).
Tigrinya (ti).
Tsonga (ts).
Turkish (tr).
Turkmen (tk).
Ukrainian (uk).
Upper Sorbian (hsb).
Urdu (ur).
User default locale language.
Uyghur (ug).
Uzbek (Latin) (uz).
Venda (ve).
Vietnamese (vi).
Welsh (cy).
Wolof (wo).
Xhosa (xh).
Yi (ii).
Yoruba (yo).
Zulu (zu).
Managed resource descriptors.
MaxCOFFSymStrLength represents the maximum string length of a COFF symbol to read.
MaxDefaultSymbolsCount represents the default maximum number of COFF symbols to parse.
MaxDefaultRelocEntriesCount represents the default maximum number of relocations entries to parse.
MaxStringLength represents the maximum length of a string to be retrieved from the file.
Member (field or method) reference descriptors.
Method definition descriptors.
Method implementation descriptors.
A class-to-methods lookup table, which does not exist in optimized metadata (#~ stream).
Method semantics descriptors that hold information about which method is associated with a specific property or event and in what capacity.
Generic method instantiation descriptors.
The current module descriptor.
Module reference descriptors.
Nested class descriptors that provide mapping of nested classes to their respective enclosing classes.
Parameter definition descriptors.
A method-to-parameters lookup table, which does not exist in optimized metadata (#~ stream).
POGOTypeLTCG represents a signature for an undocumented PGO sub type.
POGOTypePGI represents a signature for an undocumented PGO sub type.
POGOTypePGO represents a signature for an undocumented PGO sub type.
POGOTypePGU represents a signature for an undocumented PGO sub type.
Property descriptors.
A class-to-properties mapping table.
A property map–to–properties lookup table, which does not exist in optimized metadata (#~ stream).
RichSignature ('0x68636952' as dword) is where the rich header struct ends.
Accelerator table.
Animated cursor.
Animated icon.
Bitmap resource.
Hardware-dependent cursor resource.
Dialog box.
Dialog include entry.
Font resource.
Font directory resource.
Hardware-independent cursor resource.
Hardware-independent icon resource.
HTML resource.
Hardware-dependent icon resource.
Side-by-Side Assembly Manifest.
Menu resource.
Message-table entry.
Plug and Play resource.
Application-defined resource (raw data).
String-table entry.
Version resource.
VXD.
Stand-alone signature descriptors.
StringFileInfoLength specifies length of the StringFileInfo structure.
StringFileInfoString is the UTF16-encoded string that identifies the StringFileInfo block.
StringLength specifies the length of the String structure.
Heaps Streams Bit Positions.
StringTableLength specifies the length of the StringTable structure.
Afrikaans South Africa (af-ZA).
Albanian Albania (sq-AL).
Alsatian France (gsw-FR).
Amharic Ethiopia (am-ET).
Arabic Algeria (ar-DZ).
Arabic Bahrain (ar-BH).
Arabic Egypt (ar-EG).
Arabic Iraq (ar-IQ).
Arabic Jordan (ar-JO).
Arabic Kuwait (ar-KW).
Arabic Lebanon (ar-LB).
Arabic Libya (ar-LY).
Arabic Morocco (ar-MA).
Arabic Oman (ar-OM).
Arabic Qatar (ar-QA).
Arabic Saudi Arabia (ar-SA).
Arabic Syria (ar-SY).
Arabic Tunisia (ar-TN).
Arabic U.a.e.
Arabic Yemen (ar-YE).
Armenian Armenia (hy-AM).
Assamese India (as-IN).
Azerbaijani (Cyrillic) (az-Cyrl).
Azerbaijani (Cyrillic) Azerbaijan (az-Cyrl-AZ).
Azerbaijani (Latin) (az-Latn).
Azerbaijani (Latin) Azerbaijan (az-Latn-AZ).
Bangla Bangladesh (bn-BD).
Bangla India (bn-IN).
Bashkir Russia (ba-RU).
Basque Spain (eu-ES).
Belarusian Belarus (be-BY).
Bosnian (Cyrillic) (bs-Cyrl).
Bosnian (Cyrillic) Bosnia And Herzegovina (bs-Cyrl-BA).
Bosnian (Latin) (bs-Latn).
Bosnian (Latin) Bosnia And Herzegovina (bs-Latn-BA).
Breton France (br-FR).
Bulgarian Bulgaria (bg-BG).
Burmese Myanmar (my-MM).
Catalan Spain (ca-ES).
Central Atlas Tamazight (Arabic) Morocco (tzm-ArabMA).
Central Kurdish (ku-Arab).
Central Kurdish Iraq (ku-Arab-IQ).
Cherokee (chr-Cher).
Cherokee United States (chr-Cher-US).
Chinese (Simplified) (zh-Hans).
Chinese (Simplified) People's Republic Of China (zh-CN).
Chinese (Simplified) Singapore (zh-SG).
Chinese (Traditional) (zh-Hant).
Chinese (Traditional) Hong Kong S.a.r.
Chinese (Traditional) Macao S.a.r.
Chinese (Traditional) Taiwan (zh-TW).
Corsican France (co-FR).
Croatian Croatia (hr-HR).
Croatian (Latin) Bosnia And Herzegovina (hr-BA).
Default custom sub-language.
Unspecified custom sub-language.
Czech Czech Republic (cs-CZ).
Danish Denmark (da-DK).
Dari Afghanistan (prs-AF).
User default sub-language.
Divehi Maldives (dv-MV).
Dutch Belgium (nl-BE).
Dutch Netherlands (nl-NL).
Dzongkha Bhutan (dz-BT).
English Australia (en-AU).
English Belize (en-BZ).
English Canada (en-CA).
English Caribbean (en-029).
English Hong Kong (en-HK).
English India (en-IN).
English Ireland (en-IE).
English Jamaica (en-JM).
English Malaysia (en-MY).
English New Zealand (en-NZ).
English Republic Of The Philippines (en-PH).
English Singapore (en-SG).
English South Africa (en-ZA).
English Trinidad And Tobago (en-TT).
English United Arab Emirates (en-AE).
English United Kingdom (en-GB).
English United States (en-US).
English Zimbabwe (en-ZW).
Estonian Estonia (et-EE).
Faroese Faroe Islands (fo-FO).
Filipino Philippines (fil-PH).
Finnish Finland (fi-FI).
French Belgium (fr-BE).
French Cameroon (fr-CM).
French Canada (fr-CA).
French Caribbean (fr-029).
French Congo, Drc (fr-CD).
French Côte D'ivoire (fr-CI).
French France (fr-FR).
French Haiti (fr-HT).
French Luxembourg (fr-LU).
French Mali (fr-ML).
French Morocco (fr-MA).
French Principality Of Monaco (fr-MC).
French Reunion (fr-RE).
French Senegal (fr-SN).
French Switzerland (fr-CH).
Frisian Netherlands (fy-NL).
Fulah (Latin) Nigeria (ff-Latn-NG).
Fulah Nigeria (ff-NG).
Fulah Senegal (ff-Latn-SN).
Galician Spain (gl-ES).
Georgian Georgia (ka-GE).
German Austria (de-AT).
German Germany (de-DE).
German Liechtenstein (de-LI).
German Luxembourg (de-LU).
German Switzerland (de-CH).
Greek Greece (el-GR).
Greenlandic Greenland (kl-GL).
Guarani Paraguay (gn-PY).
Gujarati India (gu-IN).
Hausa (Latin) (ha-Latn).
Hausa (Latin) Nigeria (ha-Latn-NG).
Hawaiian United States (haw-US).
Hebrew Israel (he-IL).
Hindi India (hi-IN).
Hungarian Hungary (hu-HU).
Icelandic Iceland (is-IS).
Igbo Nigeria (ig-NG).
Indonesian Indonesia (id-ID).
Inuktitut (Latin) (iu-Latn).
Inuktitut (Latin) Canada (iu-Latn-CA).
Inuktitut (Syllabics) (iu-Cans).
Inuktitut (Syllabics) Canada (iu-Cans-CA).
Invariant sub-language.
Irish Ireland (ga-IE).
Italian Italy (it-IT).
Italian Switzerland (it-CH).
Japanese Japan (ja-JP).
Kannada India (kn-IN).
Kanuri (Latin) Nigeria (kr-Latn-NG).
Kashmiri (Devanagari) India (ks-Deva-IN).
Kashmiri Perso-Arabic (ks-Arab).
Kazakh Kazakhstan (kk-KZ).
Khmer Cambodia (km-KH).
K'iche Guatemala (quc-Latn-GT).
Kinyarwanda Rwanda (rw-RW).
Kiswahili Kenya (sw-KE).
Konkani India (kok-IN).
Korean Korea (ko-KR).
Kyrgyz Kyrgyzstan (ky-KG).
Lao Lao P.d.r.
Latin Vatican City (la-VA).
Latvian Latvia (lv-LV).
Lithuanian Lithuania (lt-LT).
Lower Sorbian Germany (dsb-DE).
Luxembourgish Luxembourg (lb-LU).
Macedonian North Macedonia (mk-MK).
Malayalam India (ml-IN).
Malay Brunei Darussalam (ms-BN).
Malay Malaysia (ms-MY).
Maltese Malta (mt-MT).
Maori New Zealand (mi-NZ).
Mapudungun Chile (arn-CL).
Marathi India (mr-IN).
Mohawk Canada (moh-CA).
Mongolian (Cyrillic) (mn-Cyrl).
Mongolian (Cyrillic) Mongolia (mn-MN).
Mongolian (Traditional Mongolian) (mn-Mong).
Mongolian (Traditional Mongolian) Mongolia (mn-MongMN).
Mongolian (Traditional Mongolian) People's Republic Of China (mn-MongCN).
Default custom MUI sub-language.
Nepali India (ne-IN).
Nepali Nepal (ne-NP).
Neutral sub-language.
Norwegian (Bokmal) Norway (nb-NO).
Norwegian (Nynorsk) Norway (nn-NO).
Occitan France (oc-FR).
Odia India (or-IN).
Oromo Ethiopia (om-ET).
Pashto Afghanistan (ps-AF).
Persian Iran (fa-IR).
Polish Poland (pl-PL).
Portuguese Brazil (pt-BR).
Portuguese Portugal (pt-PT).
Pseudo Language Pseudo Locale For East Asian/Complex Script Localization Testing (qps-ploca).
Pseudo Language Pseudo Locale Used For Localization Testing (qps-ploc).
Pseudo Language Pseudo Locale Used For Localization Testing Of Mirrored Locales (qps-plocm).
Punjabi (pa-Arab).
Punjabi India (pa-IN).
Punjabi Islamic Republic Of Pakistan (pa-Arab-PK).
Quechua Bolivia (quz-BO).
Quechua Ecuador (quz-EC).
Quechua Peru (quz-PE).
Romanian Moldova (ro-MD).
Romanian Romania (ro-RO).
Romansh Switzerland (rm-CH).
Russian Moldova (ru-MD).
Russian Russia (ru-RU).
Sakha Russia (sah-RU).
Sami (Inari) Finland (smn-FI).
Sami (Lule) Norway (smj-NO).
Sami (Lule) Sweden (smj-SE).
Sami (Northern) Finland (se-FI).
Sami (Northern) Norway (se-NO).
Sami (Northern) Sweden (se-SE).
Sami (Skolt) Finland (sms-FI).
Sami (Southern) Norway (sma-NO).
Sami (Southern) Sweden (sma-SE).
Sanskrit India (sa-IN).
Scottish Gaelic United Kingdom (gd-GB).
Serbian (Cyrillic) (sr-Cyrl).
Serbian (Cyrillic) Bosnia And Herzegovina (sr-Cyrl-BA).
Serbian (Cyrillic) Montenegro (sr-Cyrl-ME).
Serbian (Cyrillic) Serbia (sr-Cyrl-RS).
Serbian (Cyrillic) Serbia And Montenegro (Former) (sr-Cyrl-CS).
Serbian (Latin) (sr-Latn).
Serbian (Latin) Bosnia And Herzegovina (sr-Latn-BA).
Serbian (Latin) Montenegro (sr-Latn-ME).
Serbian (Latin) Serbia (sr-Latn-RS).
Serbian (Latin) Serbia And Montenegro (Former) (sr-Latn-CS).
Sesotho Sa Leboa South Africa (nso-ZA).
Setswana Botswana (tn-BW).
Setswana South Africa (tn-ZA).
Sindhi (sd-Arab).
Sindhi Islamic Republic Of Pakistan (sd-Arab-PK).
Sinhala Sri Lanka (si-LK).
Slovak Slovakia (sk-SK).
Slovenian Slovenia (sl-SI).
Somali Somalia (so-SO).
Sotho South Africa (st-ZA).
Spanish Argentina (es-AR).
Spanish Bolivarian Republic Of Venezuela (es-VE).
Spanish Bolivia (es-BO).
Spanish Chile (es-CL).
Spanish Colombia (es-CO).
Spanish Costa Rica (es-CR).
Spanish Cuba (es-CU).
Spanish Dominican Republic (es-DO).
Spanish Ecuador (es-EC).
Spanish El Salvador (es-SV).
Spanish Guatemala (es-GT).
Spanish Honduras (es-HN).
Spanish Latin America (es-419).
Spanish Mexico (es-MX).
Spanish Nicaragua (es-NI).
Spanish Panama (es-PA).
Spanish Paraguay (es-PY).
Spanish Peru (es-PE).
Spanish Puerto Rico (es-PR).
Spanish Spain (es-ES).
Spanish Spain (es-ES_tradnl).
Spanish United States (es-US).
Spanish Uruguay (es-UY).
Swedish Finland (sv-FI).
Swedish Sweden (sv-SE).
Syriac Syria (syr-SY).
System default sub-language.
Tajik (Cyrillic) (tg-Cyrl).
Tajik (Cyrillic) Tajikistan (tg-Cyrl-TJ).
Tamazight (Latin) (tzm-Latn).
Tamazight (Latin) Algeria (tzm-Latn-DZ).
Tamil India (ta-IN).
Tamil Sri Lanka (ta-LK).
Tatar Russia (tt-RU).
Telugu India (te-IN).
Thai Thailand (th-TH).
Tibetan People's Republic Of China (bo-CN).
Tigrinya Eritrea (ti-ER).
Tigrinya Ethiopia (ti-ET).
Tsonga South Africa (ts-ZA).
Turkish Turkey (tr-TR).
Turkmen Turkmenistan (tk-TM).
Ukrainian Ukraine (uk-UA).
Upper Sorbian Germany (hsb-DE).
Urdu India (ur-IN).
Urdu Islamic Republic Of Pakistan (ur-PK).
Uyghur People's Republic Of China (ug-CN).
Uzbek (Cyrillic) (uz-Cyrl).
Uzbek (Cyrillic) Uzbekistan (uz-Cyrl-UZ).
Uzbek (Latin) (uz-Latn).
Uzbek (Latin) Uzbekistan (uz-Latn-UZ).
Valencian Spain (ca-ESvalencia).
Venda South Africa (ve-ZA).
Vietnamese Vietnam (vi-VN).
Welsh United Kingdom (cy-GB).
Wolof Senegal (wo-SN).
Xhosa South Africa (xh-ZA).
Yiddish World (yi-001).
Yi People's Republic Of China (ii-CN).
Yoruba Nigeria (yo-NG).
Zulu South Africa (zu-ZA).
TinyPESize On Windows XP (x32) the smallest PE executable is 97 bytes.
Class or interface definition descriptors.
Class reference descriptors.
Type specification descriptors.
UnwFlagChainInfo - This unwind info structure is not the primary one for the procedure.
UnwFlagEHandler - The function has an exception handler that should be called when looking for functions that need to examine exceptions.
UnwFlagNHandler - The function has no handler.
UnwFlagUHandler - The function has a termination handler that should be called when unwinding an exception.
Allocate a large-sized area on the stack.
Allocate a small-sized area on the stack.
For version 1 of the UNWIND_INFO structure, this code was called UWOP_SAVE_XMM and occupied 2 records; it retained the lower 64 bits of the XMM register, but was later removed and is now skipped.
Push a machine frame.
Push a nonvolatile integer register, decrementing RSP by 8.
Save a nonvolatile integer register on the stack using a MOV instead of a PUSH.
Save a nonvolatile integer register on the stack with a long offset, using a MOV instead of a PUSH.
Save all 128 bits of a nonvolatile XMM register on the stack.
Save all 128 bits of a nonvolatile XMM register on the stack with a long offset.
Establish the frame pointer register by setting the register to some offset of the current RSP.
UWOP_SET_FPREG_LARGE is a CLR Unix-only extension to the Windows AMD64 unwind codes.
For version 1 of the UNWIND_INFO structure, this code was called UWOP_SAVE_XMM_FAR and occupied 3 records; it saved the lower 64 bits of the XMM register, but was later removed and is now skipped.
VarFileInfoString is the UTF16-encoded string that identifies the VarFileInfoString block.
VersionResourceType identifies the version resource type in the resource directory.
VsFileInfoSignature is the file info signature.
VsVersionInfoString is the UTF16-encoded string that identifies the VS_VERSION_INFO block.
VsVersionInfoStringLength specifies the length of the VS_VERSION_INFO structure.
WinCertRevision1_0 represents the WIN_CERT_REVISION_1_0 Version 1, legacy version of the Win_Certificate structure.
WinCertRevision2_0 represents the WIN_CERT_REVISION_2_0.
Certificate contains a PKCS#7 SignedData structure.
Reserved.
Terminal Server Protocol Stack Certificate signing (Not Supported).
Certificate contains an X.509 Certificate (Not Supported).

# Variables

AnoAddressOfDataBeyondLimits is reported when Thunk AddressOfData goes beyond limits.
AnoAddressOfEntryPointNull is reported when address of entry point is 0.
AnoAddressOfEPLessSizeOfHeaders is reported when the address of entry point is smaller than the size of headers; the file cannot run under Windows.
AnoCOFFSymbolsCount is reported when the number of COFF symbols is absurdly high.
AnoDanSMagicOffset is reported when the `DanS` magic offset is different than 0x80.
AnoImageBaseNull is reported when the image base is null.
AnoImageBaseOverflow is reported when the image base + SizeOfImage is larger than 80000000h/FFFF080000000000h in PE32/PE32+.
AnoImportNoNameNoOrdinal is reported when an import entry has neither a name nor an ordinal, most probably malformed data.
AnoInvalidPEChecksum is reported when the optional header checksum field is different from what it should normally be.
AnoInvalidSizeOfImage is reported when SizeOfImage is not a multiple of SectionAlignment.
AnoInvalidThunkAddressOfData is reported when thunk address is too spread out.
AnoMajorSubsystemVersion is reported when MajorSubsystemVersion has a value different than the standard 3 --> 6.
AnoManyRepeatedEntries is reported when the import directory contains many entries that have the same RVA.
AnoNumberOfRvaAndSizes is reported when NumberOfRvaAndSizes is different than 16.
NumberOfSections is reported when the number of sections is larger than or equal to 10.
AnoNumberOfSectionsNull is reported when the section count is 0.
AnonWin32VersionValue is reported when Win32VersionValue is different than 0.
AnoPEHeaderOverlapDOSHeader is reported when the PE header overlaps with the DOS header.
AnoPETimeStampFuture is reported when the file header timestamp is more than one day ahead of the current date timestamp.
AnoPETimeStampNull is reported when the file header timestamp is 0.
AnoRelocationEntriesCount is reported when the number of relocation entries is absurdly high.
AnoReservedDataDirectoryEntry is reported when the last data directory entry is not zero.
AnoSizeOfOptionalHeaderNull is reported when size of optional header is 0.
AnoUncommonSizeOfOptionalHeader32 is reported when size of optional header for PE32 is larger than 0xE0.
AnoUncommonSizeOfOptionalHeader64 is reported when size of optional header for PE32+ is larger than 0xF0.
ErrDamagedImportTable is reported when the IAT and ILT table length is 0.
ErrDOSMagicNotFound is returned when file is potentially a ZM executable.
ErrImageBaseNotAligned is reported when the image base is not aligned to 64K.
ErrImageNtOptionalHeaderMagicNotFound is returned when optional header magic is different from PE32/PE32+.
ErrImageNtSignatureNotFound is returned when PE magic signature is not found.
ErrImageOS2LESignatureFound is returned when signature is for a LE file.
ErrImageOS2SignatureFound is returned when signature is for a NE file.
ErrImageTESignatureFound is returned when signature is for a TE file.
ErrImageVXDSignatureFound is returned when signature is for a LX file.
ErrInvalidBaseRelocVA is reported when base reloc lies outside of the image.
ErrInvalidBasicRelocSizeOfBloc is reported when base reloc is too large.
ErrInvalidElfanewValue is returned when e_lfanew is larger than file size.
ErrInvalidFileAlignment is reported when file alignment is larger than 0x200 and not a power of 2.
ErrInvalidNtHeaderOffset is returned when the NT Header offset is beyond the image file.
ErrInvalidPESize is returned when the file size is less than the smallest PE file size possible.
ErrInvalidSectionAlignment is reported when file alignment is less than 0x200 and different from section alignment.
ErrInvalidSectionFileAlignment is reported when section alignment is less than a PAGE_SIZE and section alignment != file alignment.
error.
ErrOutsideBoundary is reported when attempting to read an address beyond file image limits.
ErrSecurityDataDirInvalidCertHeader is reported when the certificate header in the security directory is invalid.
OleAut32OrdNames maps ordinals to names.
OpInfoRegisters maps registers to string.
OrdNames maps the dll names to ordinal names.
WS232OrdNames maps ordinals to name.

# Structs

AssemblyOS 0x22.
AssemblyProcessor 0x21.
AssemblyRefOS 0x25.
AssemblyRefProcessor 0x24.
AssemblyRef 0x23.
Assembly 0x20.
AuthenticodeContent provides a simplified view on SpcIndirectDataContent, which specifies the ASN.1 encoded values of the authenticode signature content.
BoundForwardedRefData represents the struct in addition to the dll name.
BoundImportDescriptorData represents the descriptor in addition to forwarded refs.
Certificate directory.
CertInfo wraps the important fields of the pkcs7 structure.
ClassLayout 0x0f.
CLRData embeds the Common Language Runtime Header structure as well as the Metadata header structure.
COFF holds properties related to the COFF format.
COFFSymbol represents an entry in the COFF symbol table, which is an array of records, each 18 bytes long.
CompID represents the `@comp.id` structure.
Constant 0x0b.
CustomAttribute 0x0c.
CVHeader represents the CodeView header struct to the PDB 2.0 file.
CVInfoPDB20 represents the CodeView data block of a PDB 2.0 file.
CVInfoPDB70 represents the CodeView data block of a PDB 7.0 file.
DataDirectory represents an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file.
DebugEntry wraps ImageDebugDirectory to include debug directory type.
DeclSecurity 0x0e.
DelayImport represents an entry in the delay import table.
DVRT represents the Dynamic Value Relocation Table.
EventMap 0x12.
Event 0x14.
Exception represents an entry in the function table.
Export represents the export table.
ExportedType 0x27.
ExportFunction represents an imported function in the export table.
FieldLayout 0x10.
FieldMarshal 0x0d.
FieldRVA 0x1d.
Field 0x04.
A File represents an open PE file.
FileInfo represents the PE file information struct.
File 0x26.
FPOData represents the stack frame layout for a function on an x86 computer when frame pointer omission (FPO) optimization is used.
GenericParamConstraint 0x2c.
GenericParam 0x2a.
GUID is a 128-bit value consisting of one group of 8 hexadecimal digits, followed by three groups of 4 hexadecimal digits each, followed by one group of 12 hexadecimal digits.
IATEntry represents an entry inside the IAT.
ImageARMRuntimeFunctionEntry represents the function table entry for the ARM platform.
ImageBaseRelocation represents the IMAGE_BASE_RELOCATION structure.
ImageBaseRelocationEntry represents an image base relocation entry.
ImageBoundForwardedRef represents the IMAGE_BOUND_FORWARDER_REF.
ImageBoundImportDescriptor represents the IMAGE_BOUND_IMPORT_DESCRIPTOR.
ImageCHPEMetadataX86 represents the X86_IMAGE_CHPE_METADATA_X86.
ImageCOR20Header represents the CLR 2.0 header structure.
ImageCORVTableFixup defines the v-table fixups that contains the initializing information necessary for the runtime to create the thunks.
ImageDataDirectory represents the directory format.
ImageDebugDirectory represents the IMAGE_DEBUG_DIRECTORY structure.
ImageDebugMisc represents the IMAGE_DEBUG_MISC structure.
ImageDelayImportDescriptor represents the _IMAGE_DELAYLOAD_DESCRIPTOR structure.
ImageDOSHeader represents the DOS stub of a PE.
ImageDynamicRelocation32 represents the 32-bit version of a reloc entry.
ImageDynamicRelocation64 represents the 64-bit version of a reloc entry.
ImageDynamicRelocationTable represents the DVRT header.
ImageEnclaveImport defines an entry in the array of images that an enclave can import.
ImageExportDirectory represents the IMAGE_EXPORT_DIRECTORY structure.
ImageFileHeader contains information about the physical layout and properties of the file.
ImageImportControlTransferDynamicRelocation represents the Imported Address Retpoline (type 3), size = 4 bytes.
ImageImportDescriptor describes the remainder of the import information.
ImageIndirectControlTransferDynamicRelocation represents the Indirect Branch Retpoline (type 4), size = 2 bytes.
ImageLoadConfigCodeIntegrity Code Integrity in load config (CI).
ImageLoadConfigDirectory32 Contains the load configuration data of an image for x86 binaries.
ImageLoadConfigDirectory64 Contains the load configuration data of an image for x64 binaries.
ImageNtHeader represents the PE header and is the general term for a structure named IMAGE_NT_HEADERS.
ImageOptionalHeader32 represents the PE32 format structure of the optional header.
ImageOptionalHeader64 represents the PE32+ format structure of the optional header.
ImagePGOItem represents the _IMAGE_POGO_INFO structure.
ImageResourceDataEntry Each Resource Data entry describes an actual unit of raw data in the Resource Data area.
ImageResourceDirectory represents the IMAGE_RESOURCE_DIRECTORY.
ImageResourceDirectoryEntry represents an entry in the resource directory entries.
ImageRuntimeFunctionEntry represents an entry in the function table on 64-bit Windows (IMAGE_RUNTIME_FUNCTION_ENTRY).
ImageSectionHeader is part of the section table. The section table is an array of Image Section Header structures, each containing information about one section of the whole file, such as attributes and virtual offset.
ImageSwitchableBranchDynamicRelocation represents the Switchable Retpoline (type 5), size = 2 bytes.
ImageThunkData32 corresponds to one imported function from the executable.
ImageThunkData64 is the PE32+ version of IMAGE_THUNK_DATA.
ImageTLSDirectory32 represents the IMAGE_TLS_DIRECTORY32 structure.
ImageTLSDirectory64 represents the IMAGE_TLS_DIRECTORY64 structure.
ImplMap 0x1c.
Import represents an empty entry in the import table.
ImportFunction represents an imported function in the import table.
InterfaceImpl 0x09.
ManifestResource 0x28.
MembersRef 0x0a.
MetadataHeader consists of a storage signature and a storage header.
MetadataStreamHeader represents a Metadata Stream Header Structure.
MetadataTable represents the content of a particular table in the metadata.
MetadataTableStreamHeader represents the Metadata Table Stream Header Structure.
MethodDef 0x06.
MethodImpl 0x19.
MethodSemantics 0x18.
MethodSpec 0x2b.
ModuleRef 0x1a.
Module 0x00.
NestedClass 0x29.
Options that influence the PE parsing behaviour.
Param 0x08.
POGO structure contains information related to the Profile Guided Optimization.
PropertyMap 0x15.
Property 0x17.
Relocation represents the relocation table which holds the data that needs to be relocated.
ResourceDataEntry represents a resource data entry.
ResourceDirectory represents resource directory information.
ResourceDirectoryEntry represents a resource directory entry.
RichHeader is a structure that is written right after the MZ DOS header.
ScopeTable represents a variable length structure containing a count followed by Count "scope records".
Section represents a PE section header, plus additional data like entropy.
StandAloneSig 0x11.
String represents the organization of data in a file-version resource.
StringFileInfo represents the organization of data in a file-version resource.
StringTable represents the organization of data in a file-version resource.
TLSDirectory represents tls directory information with callback entries.
TypeDef 0x02.
TypeRef 0x01.
TypeSpec 0x1b.
UnwindCode is used to record the sequence of operations in the prolog that affect the nonvolatile registers and RSP.
UnwindInfo represents the _UNWIND_INFO structure.
VsFixedFileInfo contains version information for a file.
VsVersionInfo represents the organization of data in a file-version resource.
WinCertificate encapsulates a signature used in verifying executable files.

# Type aliases

COMImageFlagsType represents a COM+ header entry point flag type.
CVSignature represents a CodeView signature.
DllCharacteristicsExType represents a DLL Characteristics type.
FPOFrameType represents the type of a FPO frame.
ImageBaseRelocationEntryType represents the type of an image base relocation entry.
ImageDebugDirectoryType represents the type of a debug directory.
ImageDirectoryEntry represents an entry inside the data directories.
ImageFileHeaderCharacteristicsType represents the type of the image file header `Characteristics` field.
ImageFileHeaderMachineType represents the type of the image file header `Machine` field.
ImageGuardFlagType represents the type for load configuration image guard flags.
ImageOptionalHeaderDllCharacteristicsType represents the type of the optional header `DllCharacteristics` field.
ImageOptionalHeaderSubsystemType represents the type of the optional header `Subsystem` field.
POGOType represents a POGO type.
ResourceLang represents a resource language.
ResourceSubLang represents a resource sub language.
ResourceType represents a resource type.
TLSDirectoryCharacteristicsType represents the type of a TLS directory Characteristics.
UnwindOpType represents the type of an unwind opcode.