| authenticode.rs |
|
12128 |
| certificate_table.rs |
|
6901 |
| characteristic.rs |
Constants for flags that indicate attributes of the object or image file. These flags are used in the
[`goblin::pe::header::CoffHeader::characteristics`](crate::pe::header::CoffHeader::characteristics) field. |
6060 |
| data_directories.rs |
|
5087 |
| debug.rs |
|
6186 |
| dll_characteristic.rs |
Constants for characteristics of image files. These constants are used in the
[`goblin::pe::optional_header::WindowsFields::dll_characteristics`](crate::pe::optional_header::WindowsFields::dll_characteristics)
field.
The values 0x0001, 0x0002, 0x0004, 0x0008 are reserved for future use and must be zero. |
1498 |
| exception.rs |
Exception handling and stack unwinding for x64.
Exception information is exposed via the [`ExceptionData`] structure. If present in a PE file,
it contains a list of [`RuntimeFunction`] entries that can be used to get [`UnwindInfo`] for a
particular code location.
Unwind information contains a list of unwind codes which specify the operations that are
necessary to restore registers (including the stack pointer RSP) when unwinding out of a
function.
Depending on where the instruction pointer lies, there are three strategies to unwind:
1. If the RIP is within an epilog, then control is leaving the function, there can be no
exception handler associated with this exception for this function, and the effects of the
epilog must be continued to compute the context of the caller function. To determine if the
RIP is within an epilog, the code stream from RIP on is examined. If that code stream can be
matched to the trailing portion of a legitimate epilog, then it's in an epilog, and the
remaining portion of the epilog is simulated, with the context record updated as each
instruction is processed. After this, step 1 is repeated.
2. Case b) If the RIP lies within the prologue, then control has not entered the function,
there can be no exception handler associated with this exception for this function, and the
effects of the prolog must be undone to compute the context of the caller function. The RIP
is within the prolog if the distance from the function start to the RIP is less than or
equal to the prolog size encoded in the unwind info. The effects of the prolog are unwound
by scanning forward through the unwind codes array for the first entry with an offset less
than or equal to the offset of the RIP from the function start, then undoing the effect of
all remaining items in the unwind code array. Step 1 is then repeated.
3. If the RIP is not within a prolog or epilog and the function has an exception handler, then
the language-specific handler is called. The handler scans its data and calls filter
functions as appropriate. The language-specific handler can return that the exception was
handled or that the search is to be continued. It can also initiate an unwind directly.
For more information, see [x64 exception handling].
[`ExceptionData`]: struct.ExceptionData.html
[`RuntimeFunction`]: struct.RuntimeFunction.html
[`UnwindInfo`]: struct.UnwindInfo.html
[x64 exception handling]: https://docs.microsoft.com/en-us/cpp/build/exception-handling-x64?view=vs-2017 |
40132 |
| export.rs |
|
21943 |
| header.rs |
|
47637 |
| import.rs |
|
14164 |
| mod.rs |
A PE32 and PE32+ parser
|
29657 |
| optional_header.rs |
The module for the PE optional header ([`OptionalHeader`]) and related items. |
31241 |
| options.rs |
|
804 |
| relocation.rs |
|
5204 |
| section_table.rs |
|
12271 |
| subsystem.rs |
Constants for subsystems required to run image files. These constants are used in the
[`goblin::pe::optional_header::WindowsFields::subsystem`](crate::pe::optional_header::WindowsFields::subsystem)
field. |
1403 |
| symbol.rs |
|
20481 |
| utils.rs |
|
6242 |