Struct EXE 

pub struct EXE<'a> {
    pub is64bit: bool,
    pub has_overlay: Option<bool>,
    pub arch: Architecture,
    pub sub_type: SubType,
    pub os: OperatingSystem,
    pub coff_header: Option<COFFHeader>,
    pub optional_header: Option<OptionalHeader>,
    pub exec_type: ExecutableType,
    pub subsystem: Option<SubSystem>,
    pub sections: Option<Vec<Section<'a>>>,
    pub imports: Option<Imports>,
    pub contents: &'a [u8],
}

The struct to partially represent EXE files.

Used on Windows, DOS, React OS, OS/2, and maybe others.

Effort is made to fail gracefully, since malware may not obey all the rules, and some information is better than none because some part of the data wasn’t parsed correctly.

Fields

is64bit: bool

If the program is 64-bit

has_overlay: Option<bool>

If the binary has extra data after the last section, could be used to hide something

arch: Architecture

Instruction set architecture for this binary

sub_type: SubType

EXE sub-type, mostly if it’s for DOS, Windows, OS/2

os: OperatingSystem

Operating System for this binary, likely Windows

coff_header: Option<COFFHeader>

COFF (Common Object File Format) header of the program

optional_header: Option<OptionalHeader>

Optional Header for this program, not optional if for Windows

exec_type: ExecutableType

Executable subtype: Program or Library?

subsystem: Option<SubSystem>

Windows Subsystem used by this program

sections: Option<Vec<Section<'a>>>

Sections of this binary

imports: Option<Imports>

External libraries used by this application or library

contents: &'a [u8]

The array containing the raw bytes used to parse this program

Implementations

impl<'a> EXE<'a>

pub fn from(contents: &'a [u8]) -> Result<Self>

EXE, MZ, or PE-32 file parsed from a sequence of bytes

Errors

Returns an error if parsing fails.

Trait Implementations

impl<'a> Clone for EXE<'a>

fn clone(&self) -> EXE<'a>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<'a> Debug for EXE<'a>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Display for EXE<'_>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl ExecutableFile for EXE<'_>

fn architecture(&self) -> Option<Architecture>

Get the architecture type

fn pointer_size(&self) -> usize

Get the pointer size, 32- or 64-bit

fn operating_system(&self) -> OperatingSystem

Get the operating system type for a binary

fn compiled_timestamp(&self) -> Option<DateTime<Utc>>

Get the compilation timestamp, if available

fn num_sections(&self) -> u32

Number of sections for a binary

fn sections(&self) -> Option<&Vec<Section<'_>>>

Vec of sections for the binary

fn import_hash(&self) -> Option<String>

Import hash of the binary

fn fuzzy_imports(&self) -> Option<String>

SSDeep fuzzy hash of the binary

impl SpecimenFile for EXE<'_>

const MAGIC: &'static [&'static [u8]]

Magic number, the bytes at the beginning of the file, which identify the file format Some file types have more than one possible magic number

fn type_name(&self) -> &'static str

Common name for a specific file type