#file-format #parser #executable #binary-parser #pe #object #object-file

nightly no-std peview

A minimal and fast zero-copy parser for the PE32+ file format

5 releases

0.2.3 May 30, 2023
0.2.1 Dec 25, 2022
0.2.0 Dec 25, 2022
0.1.1 Dec 5, 2022
0.1.0 Dec 5, 2022

#2121 in Parser implementations

41 downloads per month

MIT license

11MB
1K SLoC

Contains (DOS exe, 11MB) etc/exe/ntoskrnl.exe

peview

A minimal and fast zero-copy parser for the PE32+ file format.

Build status Docs.rs Crates.io

Goal

This project aims to offer a more light weight and easier to use alternative to fully featured binary parsing libraries when it comes to parsing the PE32+ file format. It does so by:

  • Taking a zero-copy approach. Everything is a reference to the original data
  • Parsing on demand. Basic parsing is done at the beginning, the rest is opt-in
  • Not focusing on endianness. The parsed buffer is assumed to be in LE
  • Strongly validating native structures according to the official specification
  • Having no external dependencies on top of being a no-std library

Usage

Example of printing the RVA's and names of imported symbols:

use peview::{dir::Import, file::PeView};
use std::{error::Error, fs::File, io::Read};

fn main() -> Result<(), Box<dyn Error>> {
    // Read file into buffer and parse it
    let mut buf = Vec::new();
    File::open("etc/exe/ntoskrnl.exe")?.read_to_end(&mut buf)?;
    let pe = PeView::parse(&buf)?;

    // Iterate over modules in the import table
    for m in pe.imports()? {
        // Print the current modules name
        let module = m?;
        println!("{}", module.name()?);

        // Iterate over symbols within the module
        for i in module {
            // Check if the symbol is imported by name
            if let Import::Name(h, n) = i? {
                // Print out both the hint and its name
                println!("> {:#04x}: {}", h, n);
            }
        }
    }

    Ok(())
}

More usage examples can be found here.

Installation

Add the following line to your Cargo.toml file:

[dependencies]
# ...
peview = "0.2.3"

License

MIT

No runtime deps