Name		Name	Last commit message	Last commit date
Latest commit History 15 Commits
cmd		cmd
corpus		corpus
.gitignore		.gitignore
LICENSE		LICENSE
README.md		README.md
anomaly.go		anomaly.go
arch.go		arch.go
boundimports.go		boundimports.go
debug.go		debug.go
delayimports.go		delayimports.go
dosheader.go		dosheader.go
dotnet.go		dotnet.go
exception.go		exception.go
exports.go		exports.go
file.go		file.go
file_test.go		file_test.go
fuzz.go		fuzz.go
globalptr.go		globalptr.go
go.mod		go.mod
go.sum		go.sum
helper.go		helper.go
iat.go		iat.go
imports.go		imports.go
loadconfig.go		loadconfig.go
ntheader.go		ntheader.go
ordlookup.go		ordlookup.go
pe-fuzz.zip		pe-fuzz.zip
pe.go		pe.go
reloc.go		reloc.go
resource.go		resource.go
richheader.go		richheader.go
section.go		section.go
security.go		security.go
symbol.go		symbol.go
tls.go		tls.go

Repository files navigation

Portable Executable Parser

pe parser is a go package for parsing the portable executable file format. This package was designed with malware analysis in mind, and being resistent to PE malformations.

Features

Works with PE32/PE32+ file fomat.
Supports Intel x86/AMD64/ARM7ARM7 Thumb/ARM8-64/IA64/CHPE architectures.
MS DOS header.
Rich Header (calculate checksum).
NT Header (file header + optional header).
COFF symbol table and string table.
Sections headers + entropy calculation.
Data directories
- Import Table + ImpHash calculation.
- Export Table
- Resource Table
- Exceptions Table
- Security Table + Authentihash calculation.
- Relocations Table
- Debug Table (CODEVIEW, POGO, VC FEATURE, REPRO, FPO, EXDLL CHARACTERISTICS debug types).
- TLS Table
- Load Config Directory (SEH, GFID, GIAT, Guard LongJumps, CHPE, Dynamic Value Reloc Table, Enclave Configuration, Volatile Metadata tables).
- Bound Import Table
- Delay Import Table
- COM Table (CLR Metadata Header, Metadata Table Streams)
Report several anomalies

Installing

Using peparser is easy. First, use go get to install the latest version of the library. This command will install the peparser generator executable along with the library and its dependencies:

go get -u github.com/saferwall/pe

Next, include peparser in your application:

import "github.com/saferwall/pe"

Using the library

package main

import (
	peparser "github.com/saferwall/pe"
)

func main() {
    filename := "C:\\Binaries\\notepad.exe"
    pe, err := peparser.New(filename, nil)
	if err != nil {
		log.Fatalf("Error while opening file: %s, reason: %s", filename, err)
    }
    
    err = pe.Parse()
    if err != nil {
        log.Fatalf("Error while opening file: %s, reason: %s", filename, err)
    }

TODO:

imports MS-styled names demangling
PE: VB5 and VB6 typical structures: project info, DLLCall-imports, referenced modules, object table

Fuzz Testing

To validate the parser we use the go-fuzz and a corpus of known malformed and tricky PE files from corkami.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Portable Executable Parser

Features

Installing

Using the library

TODO:

Fuzz Testing

References

About

Releases 6

Sponsor this project

Contributors 15

Languages

License

saferwall/pe

Folders and files

Latest commit

History

Repository files navigation

Portable Executable Parser

Features

Installing

Using the library

TODO:

Fuzz Testing

References

About

Topics

Resources

License

Code of conduct

Stars

Watchers

Forks

Releases 6

Sponsor this project

Contributors 15

Languages