exe-rs is a Portable Executable (PE) parsing library tested on multiple kinds of malformed PE executables, including the Corkami corpus and various forms of malware! It's a library built with creation in mind as well as parsing, attempting to make tasks related to PE files as smooth and flawless as possible.
You can read the documentation here, and see various use examples in the test file.
This update makes major code-breaking changes! Notably, the buffer module has been moved into its own library called pkbuffer. This caused the whole library to need to be refactored, and ultimately changed the way the structures interact with the data! As a result, though, PE structure objects can retain buffer functionality without having to rely on interacting with a member of a struct (i.e., the pattern of "pefile.pe.buffer" is no longer necessary). The interface for buffer objects changed, though-- instead of requiring an explicit Offset object, they now take a usize as an offset. To make things simpler, RVA and Offset can now be explicitly converted into usize with the Into trait.
This refactor has caused the main PE module to become a trait! This means you can now flexibly create your own PE object by implementing this trait as well as the Buffer trait on an object.
PtrPE (for pointer-based PE data), VecPE (for owned PE data) and VallocPE for Windows (for data allocated with VirtualAlloc).PEImage has been renamed to VecPEalign has been moved into the main module.HashData and Entropy traits have been moved into the main module.PE derived objects can now be used like Buffer objects.BufferTooSmall error has been renamed to OutOfBounds to match pkbuffer.from_ptr has been moved to PtrPE and renamed to from_memoryto_image has been moved to PtrPE and renamed to to_vecpefind_embedded_imagesload_imageRVA and Offset can now be converted into a usize via the Into trait.align now takes generic unsigned integer types instead of just a usize, read the docs for more info.AsRef/AsMut in instances where [u8] is being used.Error now implements Send and Sync, thanks to @the_sylph for reporting this!&[u8] of assembly data. This is useful for quickly turning raw assembly into an executable! See PEImage::from_assembly.ExportDirectory::get_export_name_by_hash.Errors now feature more context! For example, InvalidRVA now contains the offending RVA. See the docs for more details!
Error now implements the std::error::Error trait and std::fmt::Display trait, thanks to p0lloloco for reporting!
Buffer objects can now be allocated directly with the Buffer::virtual_alloc function, see the docs for more.ImageImportDescriptor objects can now have their import address table resolved, see ImageImportDescriptor::resolve_iat.Only available for Windows: PE images can now be loaded and prepared for execution, see PE::load_image.
PE address conversion functions (e.g., PE::offset_to_rva) now validate their input addresses before recalculating.
Address::as_ptr where addresses were not being translated between PEType images.T into an array of bytes, see Buffer::slice_ref_to_bytes.RelocationDirectory::add_relocation.ImageSectionHeader now implements the Default trait.PE::add_section and PE::append_section.Address trait (e.g., Offset, RVA, VA, etc.) to pointers, see Address::as_ptr.PEImage object, a wrapper for PE objects which contains owned data in a backing vector, see the docs for more.Buffer objects now implement the Index trait.VS_VERSIONINFO has been implemented, see types::VSVersionInfo and similarly named structures.buffer::align.added the ability to convert a reference to mutable, see Buffer::make_mut_ref and Buffer::make_mut_slice_ref.
renamed ref_to_slice to ref_to_bytes to be more clear
#[repr(packed)] with #[repr(C)]headers::TLSCharacteristicsBuffer objects now operate on pointers, which solves a lot of underlying codePE::calculate_imphash.PE objects can now be cloned!ImportDirectory::get_import_map, which calls get_imports on all the descriptors and maps them to their DLL name.PE::recreate_image.Buffer::search_slice and Buffer::search_ref.headers::ImageDebugDirectory.implemented the TLS directory, see types::TLSDirectory, headers::ImageTLSDirectory32 and headers::ImageTLSDirectory64.
changed how ImageImportDescriptor::get_imports resolves ordinals, thanks to the ImportData enum it now resolves in a more sane manner.
RelocationDirectory::relocate is now visible and callable.#[repr(C)] instead of #[repr(packed)], allowing for deriving of traits such as Debug, Eq and Clone.u8 slice references! this has affected how PE files are initialized, see the docs for more details.PE::align_to_file and ImageSectionHeader::is_aligned_to_file for details.PE::get_dos_stub.PE::buffer::HashData in the docs.Offset objects, buffer operations requiring offsets can now be accessed directly from them with a supplied PE object.PE image can now calculate disk sizes and memory sizes, see PE::calculate_disk_size and PE::calculate_memory_size.PE::find_embedded_images. this does not have a corresponding test because it was tested on malware.added ability to calculate and validate PE checksums of an image, see PE::validate_checksum and PE::calculate_checksum.
fixed a bug in default ImageFileHeader generation where the size_of_optional_header value was calculated incorrectly.
PE::from_ptr and the test file for example usage.u8 slices, see the HashData trait in the buffer module.u8 slices, see the Entropy trait in the buffer module.Buffer::save.ImageSectionHeader such as reading data and calculating proper offsets to data.all headers in the headers module now implement clone!
fixed a bug where RVAs got translated incorrectly if they had no Offset equivalent
allow for mutable ImageImportByName structure
fixed a bug where import thunks weren't properly parsed, now tested against imports_nothunk.exe