hexspell 0.0.5

A open source lib to parse executables in Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

//! Definitions for the various headers that make up a PE file.
//!
//! The structs in this module map directly onto the layout described in
//! Microsoft's PE/COFF specification. Each numeric field is represented
//! as a [`Field`](crate::field::Field) so it can be patched without
//! recalculating offsets manually. Only a subset of the optional header is
//! currently modeled, but the design allows for extensions as new use
//! cases arise.

use core::fmt;

use crate::field::Field;

#[derive(PartialEq, Eq, Debug)]
pub enum PEType {
    PE32,
    PE32Plus,
}

pub enum ImageBase {
    Base32(u32),
    Base64(u64),
}

pub enum Architecture {
    X86,
    X64,
    Unknown,
}

impl fmt::Display for Architecture {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let s = match *self {
            Architecture::X86 => "x86",
            Architecture::X64 => "x64",
            Architecture::Unknown => "Unknown",
        };
        write!(f, "{s}")
    }
}

impl Architecture {
    pub fn from_u16(value: u16) -> Self {
        match value {
            0x014c => Architecture::X86,
            0x8664 => Architecture::X64,
            _ => Architecture::Unknown,
        }
    }
}

pub struct PeHeader {
    pub architecture: Field<String>, // Architecture type, e.g., x86, x64
    pub entry_point: Field<u32>, // Relative virtual address (RVA) of the entry point of the executable
    pub size_of_image: Field<u32>, // Total size of the image loaded in memory
    pub number_of_sections: Field<u16>, // Number of sections in the file
    pub checksum: Field<u32>,    // Checksum of the image
    pub section_alignment: Field<u32>, // Alignment of sections when loaded into memory
    pub file_alignment: Field<u32>, // Alignment factor that is used to align the raw data of sections in the image file
    pub size_of_headers: Field<u32>, // Combined size of all headers
    pub base_of_code: Field<u32>,   // RVA of the code section
    pub base_of_data: Field<u32>,   // RVA of the data section
    pub image_base: Field<ImageBase>, // Preferred base address of the image when loaded into memory
    pub subsystem: Field<u16>,      // Subsystem required to run this image, e.g., GUI or console
    pub dll_characteristics: Field<u16>, // DLL characteristics flags
    pub pe_type: PEType,            // Type of the PE file, e.g., PE32 or PE32+
}