exe-rs is a Portable Executable (PE) parsing library tested on multiple kinds of malformed PE executables, including the Corkami corpus and various forms of malware! It's a library built with creation in mind as well as parsing, attempting to make tasks related to PE files as smooth and flawless as possible.
You can read the documentation here, and see various use examples in the test file.
- PE images can now be created from a
&[u8]of assembly data. This is useful for quickly turning raw assembly into an executable! SeePEImage::from_assembly. - Export names can now be acquired by hash algorithm, see
ExportDirectory::get_export_name_by_hash.
- Errors now feature more context! For example,
InvalidRVAnow contains the offending RVA. See the docs for more details!
Errornow implements thestd::error::Errortrait andstd::fmt::Displaytrait, thanks to p0lloloco for reporting!
- Only available for Windows:
Bufferobjects can now be allocated directly with theBuffer::virtual_allocfunction, see the docs for more. - Only available for Windows:
ImageImportDescriptorobjects can now have their import address table resolved, seeImageImportDescriptor::resolve_iat. - Only available for Windows:
PEimages can now be loaded and prepared for execution, seePE::load_image.
PEaddress conversion functions (e.g.,PE::offset_to_rva) now validate their input addresses before recalculating.- fixed a bug in
Address::as_ptrwhere addresses were not being translated betweenPETypeimages.
- added ability to turn a slice of type
Tinto an array of bytes, seeBuffer::slice_ref_to_bytes. - added the ability to add arbitrary relocations to a relocation table, see
RelocationDirectory::add_relocation. ImageSectionHeadernow implements the Default trait.- added the ability to add and append sections to the PE's section table, see
PE::add_sectionandPE::append_section. - added the ability to convert objects with the
Addresstrait (e.g.,Offset,RVA,VA, etc.) to pointers, seeAddress::as_ptr. - added the
PEImageobject, a wrapper forPEobjects which contains owned data in a backing vector, see the docs for more. Bufferobjects now implement theIndextrait.VS_VERSIONINFOhas been implemented, seetypes::VSVersionInfoand similarly named structures.- added an alignment function, see
buffer::align. - added the ability to convert a reference to mutable, see
Buffer::make_mut_refandBuffer::make_mut_slice_ref.
- renamed
ref_to_slicetoref_to_bytesto be more clear - marked objects still marked with
#[repr(packed)]with#[repr(C)] - tracked down TLS directory characteristics and made a bitflag structure, see
headers::TLSCharacteristics Bufferobjects now operate on pointers, which solves a lot of underlying code
- implemented the imphash algorithm, see
PE::calculate_imphash. - buffers and
PEobjects can now be cloned! - added
ImportDirectory::get_import_map, which callsget_importson all the descriptors and maps them to their DLL name. - added ability to convert an image from a disk image to a memory image and vice versa, see
PE::recreate_image. - added ability to search for byte strings in buffer, see
Buffer::search_sliceandBuffer::search_ref. - implemented the Debug directory, see
headers::ImageDebugDirectory. - implemented the TLS directory, see
types::TLSDirectory,headers::ImageTLSDirectory32andheaders::ImageTLSDirectory64.
- changed how
ImageImportDescriptor::get_importsresolves ordinals, thanks to theImportDataenum it now resolves in a more sane manner. - forgot to make a function public, oops!
RelocationDirectory::relocateis now visible and callable. - alignments have no need to be validated, validation checks removed from alignment functions.
- headers are now
#[repr(C)]instead of#[repr(packed)], allowing for deriving of traits such as Debug, Eq and Clone.
- buffers now operate on
u8slice references! this has affected how PE files are initialized, see the docs for more details. - added functionality to align offsets and RVAs to the file alignment and section alignment of the headers, see
PE::align_to_fileandImageSectionHeader::is_aligned_to_filefor details. - added functionality to pull the DOS stub out of the image, see
PE::get_dos_stub. - added a great example of dumping section hashes from a PE file, see
PE::buffer::HashDatain the docs. - added syntactic sugar for
Offsetobjects, buffer operations requiring offsets can now be accessed directly from them with a suppliedPEobject. PEimage can now calculate disk sizes and memory sizes, seePE::calculate_disk_sizeandPE::calculate_memory_size.- PE images embedded in a given executable can now be extracted! see
PE::find_embedded_images. this does not have a corresponding test because it was tested on malware. - added ability to calculate and validate PE checksums of an image, see
PE::validate_checksumandPE::calculate_checksum.
- fixed a bug in default
ImageFileHeadergeneration where thesize_of_optional_headervalue was calculated incorrectly. - fixed a bug where pointers weren't being calculated correctly into offsets.
- added support for resource directories
- refactored data directories to be initialized in a new fashion, see the docs for more details and the test file for examples.
- PE images can now be parsed from pointers, see
PE::from_ptrand the test file for example usage.
- PE object can now parse memory dumps properly, testing against compiled_dumped.bin.
- data directory is now parsed correctly, testing against no_dd.exe
- buffer now has support for arbitrary hashing of
u8slices, see the HashData trait in the buffer module. - buffer now also supports arbitrary calculation of entropy on
u8slices, see the Entropy trait in the buffer module. - buffers can now be dumped to disk (novel!) see
Buffer::save. - add functionality to
ImageSectionHeadersuch as reading data and calculating proper offsets to data. - all headers in the headers module now implement clone!
- fixed a bug where
RVAs got translated incorrectly if they had noOffsetequivalent
- added support for relocation directories
- moved PE headers into the headers module to differentiate them from Rust types
- added alignment validation for NT headers
- allow for mutable ImageImportByName structure
- fixed a bug where import thunks weren't properly parsed, now tested against imports_nothunk.exe
- fixed a bug in the default file headers for x64 architectures
- crate is published!
- add support for import and export directories