URIEN Loic edited this page Dec 10, 2015 · 4 revisions

## Description

The PeParser library is a collection of parsers used to extract information from PE/COFF files. PE stands for "Portable Executable", the Windows executable format, and COFF for "Common Object File Format", another widely used format. It aims to provide a simple interface to these files and to guarantee the correctness of the retrieved information.

#### Disclaimer

Keep in mind that all this library does is read bytes from the file. If one or more of these bytes are not correct, we would get a seemingly wrong result, when it is just the file that was badly encoded. Honorable mentions:

- the System flag seems to be obsolete
- both the "Little endian" and "Big endian" flags set
- a wrong timestamp

There are, of course, more of these oddities, but these are, to me, the most common.


## State

The library is currently in a usable but highly incomplete state, and help would be appreciated. Currently, it can only parse information from PE/COFF files, but later I would expect it to be able to modify them, adding, modifying or removing information.


## What is this library about, really?

If you don't really know how PE/COFF files work, the definition provided above is not very useful to you. In fact, the principle is pretty simple. You may know that nearly every file format but the simplest has some kind of "file header" to provide the loader with some information. Now, think about executables: how can the Windows loader load them if it does not know anything about the file? Who tells it that this is an executable file? The answer is: nobody. So the file must provide some information on how to load it. Thus the PE header contains things like the PE signature, timestamp, number of sections (more on sections later), etc.

If you want to know more about the PE/COFF file format, here is the official documentation: https://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx

So what this library does is allow us to do this kind of information retrieval in a safe way, doing all the consistency checks for us and providing a simple interface on top of the file.
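The header walk described above (MZ stub, `e_lfanew`, `PE\0\0` signature, COFF file header) and the oddities listed in the disclaimer, as an added Python example; this is not PeParser's own code, and the sample bytes, the `parse_coff_header`/`oddities` names and the reference time passed as `now` are constructed for illustration:

```python
import struct
from dataclasses import dataclass

# Characteristics bits as defined in the PE/COFF specification.
IMAGE_FILE_BYTES_REVERSED_LO = 0x0080   # deprecated "little endian" flag, should be zero
IMAGE_FILE_SYSTEM = 0x1000              # reserved, effectively obsolete
IMAGE_FILE_BYTES_REVERSED_HI = 0x8000   # deprecated "big endian" flag, should be zero

@dataclass
class CoffHeader:
    machine: int
    number_of_sections: int
    time_date_stamp: int
    size_of_optional_header: int
    characteristics: int

def parse_coff_header(data: bytes) -> CoffHeader:
    """Follow DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF file header, bounds-checked."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):                    # 4-byte signature + 20-byte header
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _symtab, _nsyms, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return CoffHeader(machine, nsec, ts, opt_size, flags)

def oddities(h: CoffHeader, now: int) -> list:
    """Report the inconsistencies the disclaimer mentions; an empty list means clean."""
    found = []
    if h.characteristics & IMAGE_FILE_SYSTEM:
        found.append("obsolete SYSTEM flag set")
    both = IMAGE_FILE_BYTES_REVERSED_LO | IMAGE_FILE_BYTES_REVERSED_HI
    if h.characteristics & both == both:
        found.append("both BYTES_REVERSED_LO and BYTES_REVERSED_HI set")
    if h.time_date_stamp == 0 or h.time_date_stamp > now:
        found.append("implausible TimeDateStamp")
    return found

# Constructed sample: 64-byte DOS header with e_lfanew = 0x40, then "PE\0\0" and a COFF
# header for x64 (0x8664), 3 sections, a timestamp in the future and the odd flags set.
SAMPLE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
          + struct.pack("<HHIIIHH", 0x8664, 3, 0x7FFFFFFF, 0, 0, 240,
                        IMAGE_FILE_SYSTEM | IMAGE_FILE_BYTES_REVERSED_LO
                        | IMAGE_FILE_BYTES_REVERSED_HI | 0x0002))

if __name__ == "__main__":
    hdr = parse_coff_header(SAMPLE)
    print(hdr)
    print(oddities(hdr, now=1449705600))  # 2015-12-10, the date this page was edited
```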
