Module pe 

PE/COFF reader and writer with byte-identical round-trip.

v0 scope: parse the structural skeleton (DOS header, PE signature, COFF file header, optional header, section header table) into typed fields, and capture every byte of the input file so PeFile::write_to_vec returns it back unchanged. Section contents and any data outside the structural skeleton (DOS stub, optional header body, certificate table, etc.) are preserved verbatim and not re-interpreted.

The contract: for any supported input bytes, PeFile::parse(bytes)?.write_to_vec() == bytes.

Down the road this crate will grow:

• Structured optional-header fields and data-directory entries.
• Editable section data with a write path that re-derives PointerToRawData / SizeOfRawData on serialise.
• Import-table parsing so the analysis crate can name PE call sites the way ELF’s ud-analysis::plt names PLT thunks.

For now the parser exists to validate input is a real PE and expose section metadata for higher layers; the byte-identity comes from re-emitting the original buffer.

Structs

CoffHeader

Parsed IMAGE_FILE_HEADER (a.k.a. COFF header).

CoffSymbol

One main COFF symbol-table entry, with its name resolved through the string table when needed. Aux records are skipped on iteration (their aux_count field on the preceding main symbol governs how many to skip).

DataDirectory

One (RVA, size) pair from the optional header’s data directory array. Both fields are zero when the entry is unused.

DosHeader

Parsed IMAGE_DOS_HEADER (the 64-byte prefix every PE file starts with). The fields that aren’t meaningful for modern PE files (the original 16-bit DOS layout descriptors) round through verbatim — typical values are e_cblp = 0x90, e_cparhdr = 0x4, e_minalloc = 0, e_maxalloc = 0xffff, e_sp = 0xb8, with reserved fields zero. The two fields that matter for the modern format are e_magic ("MZ") and e_lfanew (file offset of the PE signature).

OptionalHeader

Parsed IMAGE_OPTIONAL_HEADER / IMAGE_OPTIONAL_HEADER64. One struct handles both PE32 and PE32+ variants; the 32-bit ImageBase / stack / heap sizes are stored as u64 for uniformity and zero-extended on read.

PeExport

One entry from a PE file’s Export Address Table.

PeFile

A parsed PE file. The structured fields are read-only views; the authoritative bytes live in the private raw buffer and are what write_to_vec returns. Future iterations will replace this with a re-derive-on-write path; for v0 the round-trip is guaranteed trivially because we don’t mutate the buffer.

PeImport

One entry from a PE file’s Import Address Table (IAT). Names the imported symbol the loader will patch into iat_va at run time. Either name or ordinal is set (an import is either by-name or by-ordinal); rarely both, never neither.

SectionHeader

Parsed IMAGE_SECTION_HEADER.

Enums

Error

Errors surfaced when parsing or writing a PE file.

PeKind

PE32 vs PE32+ — the optional header’s structural variant.

Constants

COFF_DTYPE_FUNCTION

Type field high nibble: function (IMAGE_SYM_DTYPE_FUNCTION).

COFF_SYMBOL_SIZE

On-disk size of one COFF symbol-table entry (main or aux).

COFF_SYM_CLASS_EXTERNAL

StorageClass: external (IMAGE_SYM_CLASS_EXTERNAL).

COFF_SYM_CLASS_STATIC

StorageClass: static (IMAGE_SYM_CLASS_STATIC).

DATA_DIR_EXPORT

Index of the Export Table entry in data_directories.

DATA_DIR_IMPORT

Index of the Import Table entry in data_directories.

DOS_MAGIC

e_magic value of IMAGE_DOS_HEADER: ASCII “MZ”.

IMAGE_FILE_MACHINE_AMD64

Machine value for x86-64 (IMAGE_FILE_MACHINE_AMD64).

IMAGE_FILE_MACHINE_ARM64

Machine value for AArch64 (IMAGE_FILE_MACHINE_ARM64).

IMAGE_FILE_MACHINE_I386

Machine value for i386 (IMAGE_FILE_MACHINE_I386).

OPTIONAL_HEADER_MAGIC_PE32

Magic value at the start of IMAGE_OPTIONAL_HEADER for PE32 (32-bit images).

OPTIONAL_HEADER_MAGIC_PE32_PLUS

Magic value at the start of IMAGE_OPTIONAL_HEADER64 for PE32+ (64-bit images).

PE_SIGNATURE

PE signature appearing at IMAGE_DOS_HEADER::e_lfanew: ASCII “PE\0\0”.

SECTION_HEADER_SIZE

On-disk size of an IMAGE_SECTION_HEADER entry.

Functions

is_pe

Returns true if bytes look like a PE file (start with the DOS MZ magic and have a parseable e_lfanew).

Type Aliases

Result