wader/fq
1
1
Fork 0
mirror of https://github.com/wader/fq.git synced 2024-08-18 00:10:29 +03:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: wader:56f2529ec10dfc1eeb108991fd1360e13ffa1560
Branches Tags
wader:master
wader:gojq-update
wader:bits-format-bytes-array
wader:bump-gomod-golang/text-0.17.0
wader:bump-gomod-golang-x-term-0.23.0
wader:to-from-float
wader:sqlite3
wader:pe
wader:mp4-sbgp-group_description_index-desc
wader:woff2
wader:http
wader:sei-itu-t35
wader:mpeg_ts_wip
wader:macho-cfstring-offset
wader:flac-sample-details-options
wader:display-binary
wader:man-page
wader:gzip-fromdeflate
wader:bump-gomod-BurntSushi/toml-1.3.1
wader:bump-gomod-BurntSushi/toml-1.3.0
wader:csv-options
wader:fit
wader:pdf
wader:repl-nicer-array-completion
wader:isa2
wader:usac
wader:kaitai2
wader:guides-fra-pcap-challange-2021-09
wader:v0.12.0
wader:v0.11.0
wader:v0.10.0
wader:v0.9.0
wader:v0.8.0
wader:v0.7.0
wader:v0.6.0
wader:v0.5.0
wader:v0.4.0
wader:v0.3.0
wader:v0.2.0
wader:v0.1.0
wader:v0.0.10
wader:v0.0.9
wader:v0.0.8
wader:v0.0.7
wader:v0.0.6
wader:v0.0.5
wader:v0.0.4
wader:v0.0.3
wader:v0.0.2
wader:v0.0.1
...
compare: wader:4234e8855638dea806d9ac09f34cdb8984d72a7f
Branches Tags
wader:gojq-update
wader:bits-format-bytes-array
wader:master
wader:bump-gomod-golang/text-0.17.0
wader:bump-gomod-golang-x-term-0.23.0
wader:to-from-float
wader:sqlite3
wader:pe
wader:mp4-sbgp-group_description_index-desc
wader:woff2
wader:http
wader:sei-itu-t35
wader:mpeg_ts_wip
wader:macho-cfstring-offset
wader:flac-sample-details-options
wader:display-binary
wader:man-page
wader:gzip-fromdeflate
wader:bump-gomod-BurntSushi/toml-1.3.1
wader:bump-gomod-BurntSushi/toml-1.3.0
wader:csv-options
wader:fit
wader:pdf
wader:repl-nicer-array-completion
wader:isa2
wader:usac
wader:kaitai2
wader:guides-fra-pcap-challange-2021-09
wader:v0.12.0
wader:v0.11.0
wader:v0.10.0
wader:v0.9.0
wader:v0.8.0
wader:v0.7.0
wader:v0.6.0
wader:v0.5.0
wader:v0.4.0
wader:v0.3.0
wader:v0.2.0
wader:v0.1.0
wader:v0.0.10
wader:v0.0.9
wader:v0.0.8
wader:v0.0.7
wader:v0.0.6
wader:v0.0.5
wader:v0.0.4
wader:v0.0.3
wader:v0.0.2
wader:v0.0.1

28 Commits
56f2529ec1 ... 4234e88556

Author SHA1 Message Date
Mattias Wadman
4234e88556
Merge 892a42da36 into 19bd2fbd7c 2024-06-05 14:32:40 -04:00
Mattias Wadman
19bd2fbd7c
Merge pull request #962 from wader/bump-gomod-golang-x-net-0.26.0 
Update gomod-golang-x-net to 0.26.0 from 0.25.0
 2024-06-05 19:33:31 +02:00
bump
c55e10667c Update gomod-golang-x-net to 0.26.0 from 0.25.0 
Tags https://github.com/golang/net/tags
 2024-06-05 19:24:19 +02:00
Mattias Wadman
292bd02397
Merge pull request #960 from wader/bump-docker-golang-1.22.4 
Update docker-golang to 1.22.4 from 1.22.3
 2024-06-05 18:55:09 +02:00
Mattias Wadman
bbdd43f5c8
Merge pull request #964 from wader/bump-github-go-version-1.22.4 
Update github-go-version to 1.22.4 from 1.22.3
 2024-06-05 18:54:26 +02:00
Mattias Wadman
35a8eddf04
Merge pull request #963 from wader/bump-gomod-golang-x-term-0.21.0 
Update gomod-golang-x-term to 0.21.0 from 0.20.0
 2024-06-05 18:54:09 +02:00
Mattias Wadman
8df50bf62f
Merge pull request #961 from wader/bump-gomod-golang-x-crypto-0.24.0 
Update gomod-golang-x-crypto to 0.24.0 from 0.23.0
 2024-06-05 18:27:04 +02:00
bump
1ff5a3fadf Update github-go-version to 1.22.4 from 1.22.3 2024-06-05 16:04:19 +00:00
bump
7566fd9307 Update gomod-golang-x-term to 0.21.0 from 0.20.0 
Tags https://github.com/golang/term/tags
 2024-06-05 16:04:16 +00:00
bump
f7cbf84469 Update gomod-golang-x-crypto to 0.24.0 from 0.23.0 
Tags https://github.com/golang/crypto/tags
 2024-06-05 16:04:11 +00:00
bump
ab09d3ce6f Update docker-golang to 1.22.4 from 1.22.3 2024-06-05 16:04:06 +00:00
Mattias Wadman
262d7e1fa1
Merge pull request #958 from wader/bump-gomod-golang/text-0.16.0 
Update gomod-golang/text to 0.16.0 from 0.15.0
 2024-06-04 18:17:04 +02:00
bump
8bc1a20b2a Update gomod-golang/text to 0.16.0 from 0.15.0 
Source diff 0.15.0..0.16.0 https://github.com/golang/text/compare/v0.15.0..v0.16.0
 2024-06-04 16:04:04 +00:00
Mattias Wadman
b0025b64c9
Merge pull request #956 from wader/bump-make-golangci-lint-1.59.0 
Update make-golangci-lint to 1.59.0 from 1.58.2
 2024-05-27 18:31:46 +02:00
Mattias Wadman
2171924898
Merge pull request #957 from wader/bump-github-golangci-lint-1.59.0 
Update github-golangci-lint to 1.59.0 from 1.58.2
 2024-05-27 18:31:40 +02:00
bump
44e2385ace Update github-golangci-lint to 1.59.0 from 1.58.2 
Release notes https://github.com/golangci/golangci-lint/releases/tag/v1.59.0
 2024-05-27 16:03:45 +00:00
bump
0cd90ce0de Update make-golangci-lint to 1.59.0 from 1.58.2 
Release notes https://github.com/golangci/golangci-lint/releases/tag/v1.59.0
 2024-05-27 16:03:43 +00:00
Mattias Wadman
9775381e05
Merge pull request #955 from wader/doc-formats-description 
doc: Include format description per format
 2024-05-24 12:20:04 +02:00
Mattias Wadman
6f2b59944d doc: Include format description per format 2024-05-24 12:08:07 +02:00
Mattias Wadman
cb1557dd65
Merge pull request #954 from wader/usage-rework2 
doc: Fix function indent
 2024-05-23 19:46:09 +02:00
Mattias Wadman
b818923c26 doc: Fix function indent 2024-05-23 18:33:37 +02:00
Mattias Wadman
e97e915352
Merge pull request #953 from wader/usage-rework 
doc: Reorganize and cleanup function descriptions
 2024-05-23 18:32:10 +02:00
Mattias Wadman
dff7c3cd74
Merge pull request #952 from wader/bump-gomod-BurntSushi/toml-1.4.0 
Update gomod-BurntSushi/toml to 1.4.0 from 1.3.2
 2024-05-23 18:20:50 +02:00
Mattias Wadman
40f38a5558 doc: Reorganize and cleanup function descriptions 2024-05-23 18:20:10 +02:00
bump
61f81fbfda Update gomod-BurntSushi/toml to 1.4.0 from 1.3.2 
Source diff 1.3.2..1.4.0 https://github.com/BurntSushi/toml/compare/v1.3.2..v1.4.0
 2024-05-23 16:04:49 +00:00
Mattias Wadman
ff65812941
Merge pull request #951 from wader/doc-add-kodsnack 
doc: Add kodsnack 585 - Polymorfisk JSON
 2024-05-22 10:47:35 +02:00
Mattias Wadman
175661d349 doc: Add kodsnack 585 - Polymorfisk JSON 2024-05-22 09:44:05 +02:00
Mattias Wadman
892a42da36 pe,pe_msdos_stub,coff: Add decoders 2024-04-03 09:57:03 +02:00
30 changed files with 3425 additions and 108 deletions
Show Stats Expand all files Collapse all files

6
.github/workflows/ci.yml vendored
View File

@ -7,7 +7,7 @@ on:
pull_request:
env:
GOLANGCILINT_VERSION: "1.58.2"
GOLANGCILINT_VERSION: "1.59.0"
jobs:
lint:
@ -15,7 +15,7 @@ jobs:
steps:
- uses: actions/setup-go@v3
with:
go-version: "1.22.3"
go-version: "1.22.4"
- uses: actions/checkout@v3
- uses: golangci/golangci-lint-action@v3
with:
@ -47,7 +47,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "1.22.3"
go-version: "1.22.4"
- name: Test
env:
GOARCH: ${{ matrix.goarch }}

2
.github/workflows/release.yml vendored
View File

@ -15,7 +15,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "1.22.3"
go-version: "1.22.4"
- uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser

2
Dockerfile
View File

@ -1,5 +1,5 @@
# bump: docker-golang /FROM golang:([\d.]+)/ docker:golang|^1
FROM golang:1.22.3-bookworm AS base
FROM golang:1.22.4-bookworm AS base
# expect is used to test cli
RUN \

2
Makefile
View File

@ -61,7 +61,7 @@ gogenerate: always
lint: always
# bump: make-golangci-lint /golangci-lint@v([\d.]+)/ git:https://github.com/golangci/golangci-lint.git|^1
# bump: make-golangci-lint link "Release notes" https://github.com/golangci/golangci-lint/releases/tag/v$LATEST
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.58.2 run
go run github.com/golangci/golangci-lint/cmd/golangci-lint@v1.59.0 run
depgraph.svg: always
go run github.com/kisielk/godepgraph@latest github.com/wader/fq | dot -Tsvg -o godepgraph.svg

1
README.md
View File

@ -169,6 +169,7 @@ For details see [formats.md](doc/formats.md) and [usage.md](doc/usage.md).
## Presentations
- [Kodsnack 585 - Polymorfisk JSON](https://kodsnack.se/585/) - Swedish podcast episode about jq and fq
- "fq - jq for binary formats" at [FOSDEM 2023](https://fosdem.org/2023/) - [video & slides](https://fosdem.org/2023/schedule/event/bintools_fq/)
- "fq - jq for binary formats" at [No time to wait 6](https://mediaarea.net/NoTimeToWait6) - [video](https://www.youtube.com/watch?v=-Pwt5KL-xRs&t=1450s) - [slides](doc/presentations/nttw6/fq-nttw6-slides.pdf)
- "fq - jq for binary formats" at [Binary Tools Summit 2022](https://binary-tools.net/summit.html) - [video](https://www.youtube.com/watch?v=GJOq_b0eb-s&list=PLTj8twuHdQz-JcX7k6eOwyVPDB8CyfZc8&index=1) - [slides](doc/presentations/bts2022/fq-bts2022-v1.pdf)

1
doc/formats.jq
View File

@ -70,6 +70,7 @@ def formats_sections:
| ({} | _help_format_enrich("fq"; $f; false)) as $fhelp
| select(has_section($f; $fhelp))
| "## \($f.name)"
, $f.description + "."
, ""
, ($fhelp.notes | if . then ., "" else empty end)
, if $f.decode_in_arg then

43
doc/formats.md
View File

@ -157,6 +157,7 @@ fq -d bytes 'mp4({force: true})' file.mp4
[fq -rn -L . 'include "formats"; formats_sections']: sh-start
## aac_frame
Advanced Audio Coding frame.
### Options
@ -177,6 +178,7 @@ Decode value as aac_frame
```
## apple_bookmark
Apple BookmarkData.
Apple's `bookmarkData` format is used to encode information that can be resolved
into a `URL` object for a file even if the user moves or renames it. Can also
@ -218,6 +220,7 @@ torepr' <sfl2 file>
- https://michaellynn.github.io/2015/10/24/apples-bookmarkdata-exposed/
## asn1_ber
ASN1 BER (basic encoding rules, also CER and DER).
Supports decoding BER, CER and DER (X.690).
@ -250,6 +253,7 @@ $ fq -d asn1_ber 'torepr as $r | ["version", "modulus", "private_exponent", "pri
- https://lapo.it/asn1js/
## avc_au
H.264/AVC Access Unit.
### Options
@ -270,6 +274,7 @@ Decode value as avc_au
```
## avi
Audio Video Interleaved.
### Options
@ -318,6 +323,7 @@ $ fq -o decode_samples=false -o decode_extended_chunks=false d file.avi
- [OpenDML AVI File Format Extensions](http://www.jmcgowan.com/odmlff2.pdf)
## avro_ocf
Avro object container file.
Supports reading Avro Object Container Format (OCF) files based on the 1.11.0 specification.
@ -337,6 +343,7 @@ xentripetal@fastmail.com
[@xentripetal](https://github.com/xentripetal)
## bencode
BitTorrent bencoding.
### Convert represented value to JSON
@ -348,6 +355,7 @@ $ fq -d bencode torepr file.torrent
- https://wiki.theory.org/BitTorrentSpecification#Bencoding
## bitcoin_block
Bitcoin block.
### Options
@ -368,6 +376,7 @@ Decode value as bitcoin_block
```
## bits
Raw bits.
Decode to a slice and indexable binary of bits.
@ -390,6 +399,7 @@ $ echo 'hello' | fq -c -d bits '[.[range(8)]]'
```
## bplist
Apple Binary Property List.
### Show full decoding
```sh
@ -454,6 +464,7 @@ bplist> from_ns_keyed_archiver(1)
- https://opensource.apple.com/source/CF/CF-550/CFBinaryPList.c
## bson
Binary JSON.
### Limitations
@ -479,6 +490,7 @@ $ fq -d bson 'torepr | select(.name=="bob")' file.bson
- https://bsonspec.org/spec.html
## bytes
Raw bytes.
Decode to a slice and indexable binary of bytes.
@ -506,6 +518,7 @@ $ echo 'hello' | fq -d bytes '.[1]'
```
## caff
Live2D Cubism archive.
### Options
@ -529,6 +542,7 @@ Decode value as caff
- [@ronsor](https://github.com/ronsor)
## cbor
Concise Binary Object Representation.
### Convert represented value to JSON
@ -541,6 +555,7 @@ $ fq -d cbor torepr file.cbor
- https://www.rfc-editor.org/rfc/rfc8949.html
## csv
Comma separated values.
### Options
@ -574,6 +589,7 @@ $ fq -d csv '.[0] as $t | .[1:] | map(with_entries(.key = $t[.key]))' file.csv
```
## fit
Garmin Flexible and Interoperable Data Transfer.
### Limitations
@ -596,6 +612,7 @@ $ fq '[.data_records[] | select(.record_header.message_type == "data").data_mess
- https://developer.garmin.com/fit/cookbook/decoding-activity-files/
## flac_frame
FLAC frame.
### Options
@ -616,6 +633,7 @@ Decode value as flac_frame
```
## hevc_au
H.265/HEVC Access Unit.
### Options
@ -636,6 +654,7 @@ Decode value as hevc_au
```
## html
HyperText Markup Language.
### Options
@ -719,6 +738,7 @@ $ fq -r -o array=true -d html '.. | select(.[0] == "a" and .[1].href)?.[1].href'
```
## leveldb_descriptor
LevelDB Descriptor.
### Limitations
@ -735,6 +755,7 @@ $ fq -r -o array=true -d html '.. | select(.[0] == "a" and .[1].href)?.[1].href'
- https://github.com/google/leveldb/blob/main/db/version_edit.cc
## leveldb_log
LevelDB Log.
### Limitations
@ -751,6 +772,7 @@ $ fq -r -o array=true -d html '.. | select(.[0] == "a" and .[1].href)?.[1].href'
- https://github.com/google/leveldb/blob/main/db/write_batch.cc
## leveldb_table
LevelDB Table.
### Limitations
@ -768,6 +790,7 @@ $ fq -r -o array=true -d html '.. | select(.[0] == "a" and .[1].href)?.[1].href'
- https://github.com/google/leveldb/blob/main/doc/index.md
## luajit
LuaJIT 2.0 bytecode.
### Authors
- [@dlatchx](https://github.com/dlatchx)
@ -777,6 +800,7 @@ $ fq -r -o array=true -d html '.. | select(.[0] == "a" and .[1].href)?.[1].href'
- http://scm.zoomquiet.top/data/20131216145900/index.html
## macho
Mach-O macOS executable.
Supports decoding vanilla and FAT Mach-O binaries.
@ -795,12 +819,14 @@ acils@itu.edu.tr
[@Akaame](https://github.com/Akaame)
## markdown
Markdown.
### Array with all level 1 and 2 headers
```sh
$ fq -d markdown '[.. | select(.type=="heading" and .level<=2)?.children[0]]' file.md
```
## matroska
Matroska file.
### Options
@ -840,11 +866,13 @@ $ fq 'grep_by(.id == "Tracks") | matroska_path' file.mkv
- https://wiki.xiph.org/MatroskaOpus
## moc3
MOC3 file.
### Authors
- [@ronsor](https://github.com/ronsor)
## mp3
MP3 file.
### Options
@ -867,6 +895,7 @@ Decode value as mp3
```
## mp4
ISOBMFF, QuickTime and similar.
### Options
@ -932,6 +961,7 @@ $ fq 'grep_by(.type == "trak") | mp4_path' file.mp4
- [Quicktime file format](https://developer.apple.com/standards/qtff-2001.pdf)
## msgpack
MessagePack.
### Convert represented value to JSON
@ -943,6 +973,7 @@ $ fq -d msgpack torepr file.msgpack
- https://github.com/msgpack/msgpack/blob/master/spec.md
## nes
iNES/NES 2.0 cartridge ROM format.
### Limitations
@ -979,6 +1010,7 @@ $ for line in $(fq -r '.chr_rom[] | nes_tokitty(5)' file.nes);do printf "%b%s" "
- https://bugzmanov.github.io/nes_ebook/chapter_6_3.html
## opentimestamps
OpenTimestamps file.
### View a full OpenTimestamps file
@ -1006,6 +1038,7 @@ $ fq '.operations | map(select(.attestation_type == "bitcoin")) | length > 0' fi
- https://github.com/opentimestamps/python-opentimestamps
## pcap
PCAP packet capture.
### Build object with number of (reassembled) TCP bytes sent to/from client IP
```sh
@ -1018,6 +1051,7 @@ $ fq '.tcp_connections | group_by(.client.ip) | map({key: .[0].client.ip, value:
}
```
## pg_btree
PostgreSQL btree index file.
### Options
@ -1057,6 +1091,7 @@ p.n.safonov@gmail.com
### References
- https://www.postgresql.org/docs/current/storage-page-layout.html
## pg_control
PostgreSQL control file.
### Options
@ -1096,6 +1131,7 @@ p.n.safonov@gmail.com
### References
- https://github.com/postgres/postgres/blob/REL_14_2/src/include/catalog/pg_control.h
## pg_heap
PostgreSQL heap file.
### Options
@ -1148,6 +1184,7 @@ p.n.safonov@gmail.com
### References
- https://www.postgresql.org/docs/current/storage-page-layout.html
## protobuf
Protobuf.
### Can decode sub messages
@ -1159,6 +1196,7 @@ $ fq -d protobuf '.fields[6].wire_value | protobuf | d' file
- https://developers.google.com/protocol-buffers/docs/encoding
## rtmp
Real-Time Messaging Protocol.
Current only supports plain RTMP (not RTMPT or encrypted variants etc) with AMF0 (not AMF3).
@ -1172,6 +1210,7 @@ fq '.tcp_connections[] | select(.server.port=="rtmp") | d' file.cap
- https://rtmp.veriskope.com/pdf/video_file_format_spec_v10.pdf
## tls
Transport layer security.
### Options
@ -1319,6 +1358,7 @@ $ fq -o keylog=@traffic.keylog 'first(grep_by(.server.stream | format == "tls")
- [RFC 6101: The Secure Sockets Layer (SSL) Protocol Version 3.0](https://www.rfc-editor.org/rfc/rfc)
## tzif
Time Zone Information Format.
### Get last transition time
```sh
@ -1339,6 +1379,7 @@ fq '.v2plusdatablock.leap_second_records | length' tziffile
- https://datatracker.ietf.org/doc/html/rfc8536
## wasm
WebAssembly Binary Format.
### Count opcode usage
```sh
@ -1359,6 +1400,7 @@ $ fq '.sections | {import: map(select(.id == "import_section").content.im.x[].nm
- https://webassembly.github.io/spec/core/
## xml
Extensible Markup Language.
### Options
@ -1487,6 +1529,7 @@ $ echo '<a><b/><b>bbb</b><c attr="value">ccc</c></a>' | fq -o array=true '.[2][2
- [xml.com's Converting Between XML and JSON](https://www.xml.com/pub/a/2006/05/31/converting-between-xml-and-json.html)
## zip
ZIP archive.
### Options

245
doc/usage.md
View File

@ -406,8 +406,6 @@ There is also `tobitsrange` and `tobytesrange` which does the same thing but wil
Both `.[index]` and `.[start:end]` support negative indices to index from end.
TODO: tobytesrange, padding
#### Binary array
Is an array of numbers, strings, binaries or other nested binary arrays. When used as input to `tobits`/`tobytes` the following rules are used:
@ -428,92 +426,175 @@ Some examples:
`[(.a | tobytes[-10:]), 255, (.b | tobits[:10])] | tobytes` the concatenation of the last 10 bytes of `.a`, a byte with value 255 and the first 10 bits of `.b`.
The difference between `tobits` and `tobytes` is
TODO: padding and alignment
## Functions
All decode functions are available in two forms, just `<format>` (like `mp3`) that returns a decode value on error and `from_<format>` which throws error on decode error.
fq has all the same standard library jq functions and in addition some new ones.
### Additional generic functions
#### `grep_by(f)`
Recursively select using a filter. Ex: `grep_by(. > 180 and . < 200)`, `first(grep_by(format == "id3v2"))`.
#### `group`
Group values, same as `group_by(.)`.
#### `streaks`, `streaks_by(f)`
Like `group` but groups streaks based on condition.
#### `count`, `count_by(f)`
Like `group` but counts groups lengths based on condition.
#### `delta`, `delta_by(f)`
Array with difference between consecutive. `delta` is same as `delta_by(.b - .a)`.
#### `chunk($size)`
Split array or string into `$size` length chunks. Last chunk might be shorter.
#### `path_to_expr`
Converts a path value `["key", 1]` to a string `".key[1]"`.
#### `expr_to_path`
Converts from a string `".key[1]"` to path value `["key", 1]`.
#### `diff($a; $b)`
Produce a diff between `$a` and `$b`. Differences are represented as a object `{a: <value from a>, b: <value from b>}`.
#### `band`, `bor`, `bxor`, `bsl`, `bsr`, `bnot`.
Bitwise functions. Works the same as jq math functions. Functions with no arguments like `1 | bnot` uses only input, functions with more than one argument ignores input, `bsl(1; 3)`.
#### `repl`/`repl($opts)`
Nested REPL. Must be last in a pipeline. `1 | repl`, can "slurp" outputs. Ex: `1, 2, 3 | repl`, `[1,2,3] | repl({compact: true})`.
#### `slurp("<name>")`
Slurp outputs and save them to `$name`. Must be last in the pipeline. Will be available as a global array `$name`. Ex `1,2,3 | slurp("a")`, `$a[]` same as `spew("a")`.
#### `spew`/`spew("<name>")`
Output previously slurped values.
#### `spew`
Outputs all slurps as an object. `spew("<name>")` outputs one slurp. Ex: `spew("a")`.
#### `paste`
Read string from stdin until ^D. Useful for pasting text. Ex: `paste | from_pem | asn1_ber | repl` read from stdin then decode and start a new sub-REPL with result.
### Format decode functions
Format decode functions are available in two forms, just `mp3` or `mp3($opts)` that returns a decode value even on error and `from_mp3` or `from_mp3($opts)` which throws error on decode error.
The the only general format option currently is `force` to ignore decoder asserts.
For example to decode as mp3 and ignore assets do `mp3({force: true})` or `decode("mp3"; {force: true})`. From command line you can either do `fq -d mp3 -o force=true . file.mp3` or `fq -d bytes 'mp3({force: true})' file.mp3`.
Some formats has own options that can be specificed as part of `$opts` or as `-o name=value`. Too see options for a format do `fq -h mp3` or `help(mp3)` in a REPL. From command line you can either do `fq -d mp3 -o max_sync_seek=100 . file.mp3` or `fq -d bytes 'mp3({max_sync_seek: 100})' file.mp3`.
#### `decode`, `decode("<format>")`, `decode("<format>"; $opts)`
Decode format.
#### `probe`, `probe($opts)`
Probe and decode format.
#### `<format>`, `<format>($opts)`
Same as `decode("<format>")` and `decode("<format>"; $opts)`. Decode as format and return decode value even on decode error.
#### `from_<format>`, `from_<format>($opts)`
Same as `decode("<format>")` and `decode("<format>"; $opts)` decode as format but throw error on decode error.
Note that jq sometimes uses the notation `name/0`, `name/1` etc in error messages and documentation which means `<function-name>/<arity>`. Same function names with different arity are treated as separate functions, but are usually related in some way in practice.
### Function added in fq
#### `print`, `println`, `printerr`, `printerrln`
Print string or if not a string compact JSON value to stdout or stderr.
- All standard library functions from jq
- Adds a few new general functions:
- `print`, `println`, `printerr`, `printerrln` prints to stdout and stderr.
- `group` group values, same as `group_by(.)`.
- `streaks`, `streaks_by(f)` like `group` but groups streaks based on condition.
- `count`, `count_by(f)` like `group` but counts groups lengths.
- `debug(f)` like `debug` but uses arg to produce a debug message. `{a: 123} | debug({a}) | ...`.
- `path_to_expr` from `["key", 1]` to `".key[1]"`.
- `expr_to_path` from `".key[1]"` to `["key", 1]`.
- `diff($a; $b)` produce diff object between two values.
- `delta`, `delta_by(f)`, array with difference between all consecutive pairs.
- `chunk(f)`, split array or string into even chunks
- Bitwise functions `band`, `bor`, `bxor`, `bsl`, `bsr` and `bnot`. Works the same as jq math functions,
unary uses input and if more than one argument all as arguments ignoring the input. Ex: `1 | bnot` `bsl(1; 3)`
- Adds some decode value specific functions:
- `root` tree root for value
- `buffer_root` root value of buffer for value
- `format_root` root value of format for value
- `parent` parent value
- `parents` output parents of value
- `topath` path of value. Use `path_to_expr` to get a string representation.
- `tovalue`, `tovalue($opts)` symbolic value if available otherwise actual value
- `toactual`, `toactual($opts)` actual value (usually the decoded value)
- `tosym`, `tosym($opts)` symbolic value (mapped etc)
- `todescription` description of value
- `torepr` converts decode value into what it represents. For example convert msgpack decode value
into a value representing its JSON representation.
- All regexp functions work with binary as input and pattern argument with these differences
compared to when using string input:
- All offset and length will be in bytes.
- For `capture` the `.string` value is a binary.
- If pattern is a binary it will be matched literally and not as a regexp.
- If pattern is a binary or flags include "b" each input byte will be read as separate code points
- String functions are not overloaded to support binary for now as some of them might have behaviors that might be confusing.
- `explode` is overloaded to work with binary. Will explode into array of the unit of the binary.
end of binary.
instead of possibly multi-byte UTF-8 codepoints. This allows to match raw bytes. Ex: `match("\u00ff"; "b")`
will match the byte `0xff` and not the UTF-8 encoded codepoint for 255, `match("[^\u00ff]"; "b")` will match
all non-`0xff` bytes.
- `grep` functions take 1 or 2 arguments. First is a scalar to match, where a string is
treated as a regexp. A binary will match exact bytes. Second argument are regexp
flags with addition that "b" will treat each byte in the input binary as a code point, this
makes it possible to match exact bytes.
- `grep($v)`, `grep($v; $flags)` recursively match value and binary
- `vgrep($v)`, `vgrep($v; $flags)` recursively match value
- `bgrep($v)`, `bgrep($v; $flags)` recursively match binary
- `fgrep($v)`, `fgrep($v; $flags)` recursively match field name
- `grep_by(f)` recursively match using a filter. Ex: `grep_by(. > 180 and . < 200)`, `first(grep_by(format == "id3v2"))`.
- Binary:
- `tobits` - Transform input to binary with bit as unit, does not preserve source range, will start at zero.
- `tobitsrange` - Transform input to binary with bit as unit, preserves source range if possible.
- `tobytes` - Transform input to binary with byte as unit, does not preserve source range, will start at zero.
- `tobytesrange` - Transform input binary with byte as unit, preserves source range if possible.
- `.[start:end]`, `.[:end]`, `.[start:]` - Slice binary from start to end preserve source range.
- `open` open file for reading
- All decode functions take an optional option argument. The only option currently is `force` to ignore decoder asserts.
For example to decode as mp3 and ignore assets do `mp3({force: true})` or `decode("mp3"; {force: true})`, from command line
you currently have to do `fq -d bytes 'mp3({force: true})' file`.
- `decode`, `decode("<format>")`, `decode("<format>"; $opts)` decode format
- `probe`, `probe($opts)` probe and decode format
- `mp3`, `mp3($opts)`, ..., `<format>`, `<format>($opts)` same as `decode("<format>")`, `decode("<format>"; $opts)` decode as format and return decode value even on decode error.
- `from_mp3`, `from_mp3($opts)`, ..., `from_<format>`, `from_<format>($opts)` same as `decode("<format>")`, `decode("<format>"; $opts)` decode as format but throw error on decode error.
- Display shows hexdump/ASCII/tree for decode values and jq value for other types.
- `d`/`d($opts)` display value and truncate long arrays and binaries
- `da`/`da($opts)` display value and don't truncate arrays
- `dd`/`dd($opts)` display value and don't truncate arrays or binaries
- `dv`/`dv($opts)` verbosely display value and don't truncate arrays but truncate binaries
- `ddv`/`ddv($opts)` verbosely display value and don't truncate arrays or binaries
- `hd`/`hexdump` hexdump value
- `repl`/`repl($opts)` nested REPL, must be last in a pipeline. `1 | repl`, can "slurp" outputs. Ex: `1, 2, 3 | repl`, `[1,2,3] | repl({compact: true})`.
- `slurp("<name>")` slurp outputs and save them to `$name`, must be last in the pipeline. Will be available as a global array `$name`. Ex `1,2,3 | slurp("a")`, `$a[]` same as `spew("a")`.
- `spew`/`spew("<name>")` output previously slurped values. `spew` outputs all slurps as an object, `spew("<name>")` outputs one slurp. Ex: `spew("a")`.
- `paste` read string from stdin until ^D. Useful for pasting text.
- Ex: `paste | from_pem | asn1_ber | repl` read from stdin then decode and start a new sub-REPL with result.
#### `root`
Root decode value for decode value.
#### `buffer_root`
Root decode value of buffer for decode value.
#### `format_root`
Root decode value of format for decode value.
#### `parent`
Parent decode value for decode value.
#### `parents`
Outputs all parent decode values from decode value.
#### `topath`
Path for decode value. Use `path_to_expr` to get a string representation.
#### `tovalue`, `tovalue($opts)`
Symbolic, if available, or actual value for decode value.
#### `toactual`, `toactual($opts)`
Actual value for decode value.
#### `tosym`, `tosym($opts)`
Symbolic value for decode value.
#### `todescription`
Description for decode value.
#### `torepr`
Converts decode value into what it represents. For example converts msgpack decode value into a value representing its JSON representation.
### Display functions
Display shows hexdump, ASCII and tree column dump for decode values and jq value for other types.
#### `d`/`d($opts)`
display value and truncate long arrays and binaries.
#### `da`/`da($opts)`
Display value and don't truncate arrays.
#### `dd`/`dd($opts)`
Display value and don't truncate arrays or binaries.
#### `dv`/`dv($opts)`
Verbosely display value and don't truncate arrays but truncate binaries.
#### `ddv`/`ddv($opts)`
Verbosely display value and don't truncate arrays or binaries.
#### `hd`/`hexdump`
Hexdump value.
### Binary values
Binary values represents raw bits or bytes. When used in standard jq expressions they will behave as strings (UTF-8) with some exceptions listed below.
- All regexp functions work with binary as input and pattern argument with these differences
compared to when using string input:
- All offset and length will be in bytes.
- For `capture` the `.string` value is a binary.
- If pattern is a binary it will be matched literally and not as a regexp.
- If pattern is a binary or flags include "b" each input byte will be read as separate code points
- `explode` is overloaded to work with binary. Will explode into array of the unit of the binary.
- `.[start:end]`, `.[:end]`, `.[start:]` - Slice binary from start to end preserve source range.
#### `grep($v)`, `grep($v; $flags)`, `vgrep($v)`, `vgrep($v; $flags)`, `bgrep($v)`, `bgrep($v; $flags)`
Recursively match `$v`.
`$v` is a scalar to match, where a string is treated as a regexp. A binary will match exact bytes.
`$flags` argument are regexp flags with additional flag "b" that will treat each byte in the input binary
as a code point. This makes it possible to match exact bytes.
#### `fgrep($v)`, `fgrep($v; $flags)`
Recursively match field name in for decode value.
#### `tobits`
Transform input to binary with bit as unit and don't preserve source range.
#### `tobitsrange`
Transform input to binary with bit as unit and preserve source range.
#### `tobytes`
Transform input to binary with byte as unit and don't preserve source range.
#### `tobytesrange`
Transform input to binary with byte as unit and preserve source range.
#### `open`
Open file for reading.
### Naming inconsistencies

4
format/all/all.fqtest
View File

@ -28,6 +28,7 @@ $ fq -n _registry.groups.probe
"opentimestamps",
"pcap",
"pcapng",
"pe",
"png",
"tar",
"tiff",
@ -81,6 +82,7 @@ bytes Raw bytes
bzip2 bzip2 compression
caff Live2D Cubism archive
cbor Concise Binary Object Representation
coff Common Object File Format
csv Comma separated values
dns DNS packet
dns_tcp DNS packet (TCP)
@ -137,6 +139,7 @@ mpeg_pes MPEG Packetized elementary stream
mpeg_pes_packet MPEG Packetized elementary stream packet
mpeg_spu Sub Picture Unit (DVD subtitle)
mpeg_ts MPEG Transport Stream
msdos_stub MS-DOS Stub
msgpack MessagePack
nes iNES/NES 2.0 cartridge ROM format
ogg OGG file
@ -145,6 +148,7 @@ opentimestamps OpenTimestamps file
opus_packet Opus packet
pcap PCAP packet capture
pcapng PCAPNG packet capture
pe Portable Executable
pg_btree PostgreSQL btree index file
pg_control PostgreSQL control file
pg_heap PostgreSQL heap file

1
format/all/all.go
View File

@ -46,6 +46,7 @@ import (
_ "github.com/wader/fq/format/opentimestamps"
_ "github.com/wader/fq/format/opus"
_ "github.com/wader/fq/format/pcap"
_ "github.com/wader/fq/format/pe"
_ "github.com/wader/fq/format/png"
_ "github.com/wader/fq/format/postgres"
_ "github.com/wader/fq/format/prores"

13
format/format.go
View File

@ -89,6 +89,7 @@ var (
Bzip2 = &decode.Group{Name: "bzip2"}
CAFF = &decode.Group{Name: "caff"}
CBOR = &decode.Group{Name: "cbor"}
COFF = &decode.Group{Name: "coff"}
CSV = &decode.Group{Name: "csv"}
DNS = &decode.Group{Name: "dns"}
DNS_TCP = &decode.Group{Name: "dns_tcp"}
@ -145,7 +146,8 @@ var (
MPEG_PES_Packet = &decode.Group{Name: "mpeg_pes_packet"}
MPEG_SPU = &decode.Group{Name: "mpeg_spu"}
MPEG_TS = &decode.Group{Name: "mpeg_ts"}
MPES_PES = &decode.Group{Name: "mpeg_pes"}
MPEG_PES = &decode.Group{Name: "mpeg_pes"}
MSDOS_Stub = &decode.Group{Name: "msdos_stub"}
MsgPack = &decode.Group{Name: "msgpack"}
NES = &decode.Group{Name: "nes"}
Ogg = &decode.Group{Name: "ogg"}
@ -154,6 +156,7 @@ var (
Opus_Packet = &decode.Group{Name: "opus_packet"}
PCAP = &decode.Group{Name: "pcap"}
PCAPNG = &decode.Group{Name: "pcapng"}
PE = &decode.Group{Name: "pe"}
Pg_BTree = &decode.Group{Name: "pg_btree"}
Pg_Control = &decode.Group{Name: "pg_control"}
Pg_Heap = &decode.Group{Name: "pg_heap"}
@ -404,3 +407,11 @@ type Pg_Heap_In struct {
type Pg_BTree_In struct {
Page int `doc:"First page number in file, default is 0"`
}
type MS_DOS_Out struct {
LFANew int // logical file address for the New Executable header
}
type COFF_In struct {
FilePointerOffset int `doc:"File pointer offset"`
}

2
format/mpeg/mpeg_pes.go
View File

@ -16,7 +16,7 @@ var mpegSpuGroup decode.Group
func init() {
interp.RegisterFormat(
format.MPES_PES,
format.MPEG_PES,
&decode.Format{
Description: "MPEG Packetized elementary stream",
DecodeFn: pesDecode,

717
format/pe/coff.go Normal file
View File

@ -0,0 +1,717 @@
package pe
// string table:
// .coff.pointer_to_symbol_table as $off | .coff.number_of_symbols as $n | ($off+($n*18)) as $o | (tobytes[$o:$o+4] | explode | reverse |tobytes | tonumber) as $s | tobytes[$o:$o+$s] | dd
// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/
// https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
// https://upload.wikimedia.org/wikipedia/commons/1/1b/Portable_Executable_32_bit_Structure_in_SVG_fixed.svg
import (
"encoding/binary"
"strconv"
"strings"
"time"
"github.com/wader/fq/format"
"github.com/wader/fq/pkg/decode"
"github.com/wader/fq/pkg/interp"
"github.com/wader/fq/pkg/scalar"
)
func init() {
interp.RegisterFormat(
format.COFF,
&decode.Format{
Description: "Common Object File Format",
DecodeFn: peCoffStubDecode,
DefaultInArg: format.COFF_In{
FilePointerOffset: 0,
},
})
}
const (
peFormat32 = 0x10b
peFormat32Plus = 0x20b
)
var peFormatNames = scalar.UintMapSymStr{
peFormat32: "pe32",
peFormat32Plus: "pe32+",
}
const (
MachineTypeUNKNOWN = 0x0
MachineTypeALPHA = 0x184
MachineTypeALPHA64 = 0x284
MachineTypeAM33 = 0x1d3
MachineTypeAMD64 = 0x8664
MachineTypeARM = 0x1c0
MachineTypeARM64 = 0xaa64
MachineTypeARMNT = 0x1c4
// duplicate
// MachineTypeAXP64 = 0x284
MachineTypeEBC = 0xebc
MachineTypeI386 = 0x14c
MachineTypeIA64 = 0x200
MachineTypeLOONGARCH32 = 0x6232
MachineTypeLOONGARCH64 = 0x6264
MachineTypeM32R = 0x9041
MachineTypeMIPS16 = 0x266
MachineTypeMIPSFPU = 0x366
MachineTypeMIPSFPU16 = 0x466
MachineTypePOWERPC = 0x1f0
MachineTypePOWERPCFP = 0x1f1
MachineTypeR4000 = 0x166
MachineTypeRISCV32 = 0x5032
MachineTypeRISCV64 = 0x5064
MachineTypeRISCV128 = 0x5128
MachineTypeSH3 = 0x1a2
MachineTypeSH3DSP = 0x1a3
MachineTypeSH4 = 0x1a6
MachineTypeSH5 = 0x1a8
MachineTypeTHUMB = 0x1c2
MachineTypeWCEMIPSV2 = 0x169
)
var MachineTypeNames = scalar.UintMapSymStr{
MachineTypeUNKNOWN: "unknown",
MachineTypeALPHA: "alpha",
MachineTypeALPHA64: "alpha64",
MachineTypeAM33: "am33",
MachineTypeAMD64: "amd64",
MachineTypeARM: "arm",
MachineTypeARM64: "arm64",
MachineTypeARMNT: "armnt",
//MachineTypeAXP64: "axp64",
MachineTypeEBC: "ebc",
MachineTypeI386: "i386",
MachineTypeIA64: "ia64",
MachineTypeLOONGARCH32: "loongarch32",
MachineTypeLOONGARCH64: "loongarch64",
MachineTypeM32R: "m32r",
MachineTypeMIPS16: "mips16",
MachineTypeMIPSFPU: "mipsfpu",
MachineTypeMIPSFPU16: "mipsfpu16",
MachineTypePOWERPC: "powerpc",
MachineTypePOWERPCFP: "powerpcfp",
MachineTypeR4000: "r4000",
MachineTypeRISCV32: "riscv32",
MachineTypeRISCV64: "riscv64",
MachineTypeRISCV128: "riscv128",
MachineTypeSH3: "sh3",
MachineTypeSH3DSP: "sh3dsp",
MachineTypeSH4: "sh4",
MachineTypeSH5: "sh5",
MachineTypeTHUMB: "thumb",
MachineTypeWCEMIPSV2: "wcemipsv2",
}
const (
SubSystemUNKNOWN = 0
SubSystemNATIVE = 1
SubSystemWINDOWS_GUI = 2
SubSystemWINDOWS_CUI = 3
SubSystemOS2_CUI = 5
SubSystemPOSIX_CUI = 7
SubSystemNATIVE_WINDOWS = 8
SubSystemWINDOWS_CE_GUI = 9
SubSystemEFI_APPLICATION = 10
SubSystemEFI_BOOT_SERVICE_DRIVER = 11
SubSystemEFI_RUNTIME_DRIVER = 12
SubSystemEFI_ROM = 13
SubSystemXBOX = 14
SubSystemWINDOWS_BOOT_APPLICATION = 16
)
var subSystemNames = scalar.UintMapSymStr{
SubSystemUNKNOWN: "unknown",
SubSystemNATIVE: "native",
SubSystemWINDOWS_GUI: "windows_gui",
SubSystemWINDOWS_CUI: "windows_cui",
SubSystemOS2_CUI: "os2_cui",
SubSystemPOSIX_CUI: "posix_cui",
SubSystemNATIVE_WINDOWS: "native_windows",
SubSystemWINDOWS_CE_GUI: "windows_ce_gui",
SubSystemEFI_APPLICATION: "efi_application",
SubSystemEFI_BOOT_SERVICE_DRIVER: "efi_boot_service_driver",
SubSystemEFI_RUNTIME_DRIVER: "efi_runtime_driver",
SubSystemEFI_ROM: "efi_rom",
SubSystemXBOX: "xbox",
SubSystemWINDOWS_BOOT_APPLICATION: "windows_boot_application",
}
const (
symClassEndOfFunction = 0xff // A special symbol that represents the end of function, for debugging purposes.
symClassNull = 0 // No assigned storage class.
symClassAutomatic = 1 // The automatic (stack) variable. The Value field specifies the stack frame offset.
symClassExternal = 2 // A value that Microsoft tools use for external symbols. The Value field indicates the size if the section number is IMAGE_SYM_UNDEFINED (0). If the section number is not zero, then the Value field specifies the offset within the section.
symClassStatic = 3 // The offset of the symbol within the section. If the Value field is zero, then the symbol represents a section name.
symClassRegister = 4 // A register variable. The Value field specifies the register number.
symClassExternalDef = 5 // A symbol that is defined externally.
symClassLabel = 6 // A code label that is defined within the module. The Value field specifies the offset of the symbol within the section.
symClassUndefinedLabel = 7 // A reference to a code label that is not defined.
symClassMemberOfStruct = 8 // The structure member. The Value field specifies the n th member.
symClassArgument = 9 // A formal argument (parameter) of a function. The Value field specifies the n th argument.
symClassStructTag = 10 // The structure tag-name entry.
symClassMemberOfUnion = 11 // A union member. The Value field specifies the n th member.
symClassUnionTag = 12 // The Union tag-name entry.
symClassTypeDefinition = 13 // A Typedef entry.
symClassUndefinedStatic = 14 // A static data declaration.
symClassEnumTag = 15 // An enumerated type tagname entry.
symClassMemberOfEnum = 16 // A member of an enumeration. The Value field specifies the n th member.
symClassRegisterParam = 17 // A register parameter.
symClassBitField = 18 // A bit-field reference. The Value field specifies the n th bit in the bit field.
symClassBlock = 100 // A .bb (beginning of block) or .eb (end of block) record. The Value field is the relocatable address of the code location.
symClassFunction = 101 // A value that Microsoft tools use for symbol records that define the extent of a function: begin function (.bf ), end function ( .ef ), and lines in function ( .lf ). For .lf records, the Value field gives the number of source lines in the function. For .ef records, the Value field gives the size of the function code.
symClassEndOfStruct = 102 // An end-of-structure entry.
symClassFile = 103 // A value that Microsoft tools, as well as traditional COFF format, use for the source-file symbol record. The symbol is followed by auxiliary records that name the file.
symClassSection = 104 // A definition of a section (Microsoft tools use STATIC storage class instead).
symClassWeakExternal = 105 // A weak external. For more information, see Auxiliary Format 3: Weak Externals.
symClassClrToken = 107 // A CLR token symbol. The name is an ASCII string that consists of the hexadecimal value of the token. For more information, see CLR Token Definition (Object Only).
)
var symClassNames = scalar.UintMapSymStr{
symClassEndOfFunction: "end_of_function",
symClassNull: "null",
symClassAutomatic: "automatic",
symClassExternal: "external",
symClassStatic: "static",
symClassRegister: "register",
symClassExternalDef: "external_def",
symClassLabel: "label",
symClassUndefinedLabel: "undefined_label",
symClassMemberOfStruct: "member_of_struct",
symClassArgument: "argument",
symClassStructTag: "struct_tag",
symClassMemberOfUnion: "member_of_union",
symClassUnionTag: "union_tag",
symClassTypeDefinition: "type_definition",
symClassUndefinedStatic: "undefined_static",
symClassEnumTag: "enum_tag",
symClassMemberOfEnum: "member_of_enum",
symClassRegisterParam: "register_param",
symClassBitField: "bit_field",
symClassBlock: "block",
symClassFunction: "function",
symClassEndOfStruct: "end_of_struct",
symClassFile: "file",
symClassSection: "section",
symClassWeakExternal: "weak_external",
symClassClrToken: "clr_token",
}
const (
symTypeNull = 0
symTypeVoid = 1
symTypeChar = 2
symTypeShort = 3
symTypeInt = 4
symTypeLong = 5
symTypeFloat = 6
symTypeDouble = 7
symTypeStruct = 8
symTypeUnion = 9
symTypeEnum = 10
symTypeMoe = 11
symTypeByte = 12
symTypeWord = 13
symTypeUint = 14
symTypeDword = 15
)
var symBaseTypeNames = scalar.UintMapSymStr{
symTypeNull: "null",
symTypeVoid: "void",
symTypeChar: "char",
symTypeShort: "short",
symTypeInt: "int",
symTypeLong: "long",
symTypeFloat: "float",
symTypeDouble: "double",
symTypeStruct: "struct",
symTypeUnion: "union",
symTypeEnum: "enum",
symTypeMoe: "moe",
symTypeByte: "byte",
symTypeWord: "word",
symTypeUint: "uint",
symTypeDword: "dword",
}
const (
symDtypeNull = 0
symDtypePointer = 1
symDtypeFunction = 2
symDtypeArray = 3
)
var symBaseDTypeNames = scalar.UintMapSymStr{
symDtypeNull: "null",
symDtypePointer: "pointer",
symDtypeFunction: "function",
symDtypeArray: "array",
}
// type stringTable []string
// func (m stringTable) MapStr(s scalar.Str) (scalar.Str, error) {
// if s.Actual == "" || s.Actual[0] != '/' {
// return s, nil
// }
// un, err := strconv.ParseUint(s.Actual[1:], 10, 64)
// if err != nil {
// // ignore error
// //nolint: nilerr
// return s, nil
// }
// n := int(un)
// if n >= len(m) {
// return s, nil
// }
// s.Sym = m[n]
// return s, nil
// }
func strIndexNull(idx int, s string) string {
if idx > len(s) {
return ""
}
i := strings.IndexByte(s[idx:], 0)
if i == -1 {
return s
}
return s[idx : idx+i]
}
type stringTable string
func (m stringTable) MapStr(s scalar.Str) (scalar.Str, error) {
if s.Actual[0] == '/' {
// /### section name
s.Actual = strings.TrimRight(s.Actual, "\x00")
un, err := strconv.ParseUint(s.Actual[1:], 10, 64)
if err != nil {
// ignore error
//nolint: nilerr
return s, nil
}
n := int(un) - 4
s.Sym = strIndexNull(n, string(m))
return s, nil
} else if s.Actual[0:4] == "\x00\x00\x00\x00" {
// \0\0\0\0LE32 symbol name
n := binary.LittleEndian.Uint32([]byte(s.Actual)[4:8]) - 4
s.Sym = strIndexNull(int(n), string(m))
} else {
// right null padded
s.Actual = strings.TrimRight(s.Actual, "\x00")
}
return s, nil
}
func peCoffStubDecode(d *decode.D) any {
var pci format.COFF_In
d.ArgAs(&pci)
addrSize := 64
d.Endian = decode.LittleEndian
d.FieldRawLen("signature", 4*8, d.AssertBitBuf([]byte("PE\x00\x00")))
d.FieldU16("machine", MachineTypeNames, scalar.UintHex)
numberOfSections := d.FieldU16("number_of_sections")
d.FieldU32("time_date_stamp", scalar.UintActualUnixTimeDescription(time.Second, time.RFC3339))
pointerToSymbolTable := d.FieldU32("pointer_to_symbol_table", scalar.UintHex)
numberOfSymbols := d.FieldU32("number_of_symbols")
sizeOfOptionalHeader := d.FieldU16("size_of_optional_header")
d.FieldStruct("characteristics", func(d *decode.D) {
// bytes swapped as it's a 16bit LE
d.FieldBool("bytes_reversed_lo") // 0x0080 // Little endian: the least significant bit (LSB) precedes the most significant bit (MSB) in memory. This flag is deprecated and should be zero.
d.FieldBool("reserved") // 0x0040 // This flag is reserved for future use.
d.FieldBool("large_address_aware") // 0x0020 // Application can handle > 2-GB addresses.
d.FieldBool("aggressive_ws_trim") // 0x0010 // Obsolete. Aggressively trim working set. This flag is deprecated for Windows 2000 and later and must be zero.
d.FieldBool("local_syms_stripped") // 0x0008 // COFF symbol table entries for local symbols have been removed. This flag is deprecated and should be zero.
d.FieldBool("line_nums_stripped") // 0x0004 // COFF line numbers have been removed. This flag is deprecated and should be zero.
d.FieldBool("executable_image") // 0x0002 // Image only. This indicates that the image file is valid and can be run. If this flag is not set, it indicates a linker error.
d.FieldBool("relocs_stripped") // 0x0001 // Image only, Windows CE, and Microsoft Windows NT and later. This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address. If the base address is not available, the loader reports an error. The default behavior of the linker is to strip base relocations from executable (EXE) files.
d.FieldBool("bytes_reversed_hi") // 0x8000 // Big endian: the MSB precedes the LSB in memory. This flag is deprecated and should be zero.
d.FieldBool("up_system_only") // 0x4000 // The file should be run only on a uniprocessor machine.
d.FieldBool("dll") // 0x2000 // The image file is a dynamic-link library (DLL). Such files are considered executable files for almost all purposes, although they cannot be directly run.
d.FieldBool("system") // 0x1000 // The image file is a system file, not a user program.
d.FieldBool("net_run_from_swap") // 0x0800 // If the image is on network media, fully load it and copy it to the swap file.
d.FieldBool("removable_run_from_swap") // 0x0400 // If the image is on removable media, fully load it and copy it to the swap file.
d.FieldBool("debug_stripped") // 0x0200 // Debugging information is removed from the image file.
d.FieldBool("32bit_machine") // 0x0100 // Machine is based on a 32-bit-word architecture.
})
if pointerToSymbolTable != 0 {
pointerToSymbolTable -= uint64(pci.FilePointerOffset)
}
stringTablePos := (int64(pointerToSymbolTable) + int64(numberOfSymbols)*18) * 8
var stringTableMapper stringTable
if stringTablePos < d.Len()+4*8 {
d.SeekAbs(stringTablePos, func(d *decode.D) {
stringTableSize := d.U32() - 4
if stringTableSize*8 > uint64(d.BitsLeft()) {
return
}
stringTableMapper = stringTable(d.UTF8(int(stringTableSize)))
// d.FramedFn(int64(stringTableSize)*8, func(d *decode.D) {
// for !d.End() {
// stringTable = append(stringTable, d.UTF8Null())
// }
// })
})
}
// how to know if image only? windows specific?
if sizeOfOptionalHeader > 0 {
d.FieldStruct("optional_header", func(d *decode.D) {
d.FramedFn(int64(sizeOfOptionalHeader)*8, func(d *decode.D) {
peFormat := d.FieldU16("format", peFormatNames, scalar.UintHex)
d.FieldU8("major_linker_version")
d.FieldU8("minor_linker_version")
d.FieldU32("size_of_code")
d.FieldU32("size_of_initialized_data")
d.FieldU32("size_of_uninitialized_data")
d.FieldU32("address_of_entry_point", scalar.UintHex)
d.FieldU32("base_of_code", scalar.UintHex)
if peFormat == peFormat32 {
d.FieldU32("base_of_data", scalar.UintHex)
addrSize = 32
}
d.FieldU("image_base", addrSize, scalar.UintHex)
d.FieldU32("section_alignment")
d.FieldU32("file_alignment")
d.FieldU16("major_os_version")
d.FieldU16("minor_os_version")
d.FieldU16("major_image_version")
d.FieldU16("minor_image_version")
d.FieldU16("major_subsystem_version")
d.FieldU16("minor_subsystem_version")
d.FieldU32("win32_version")
d.FieldU32("size_of_image")
d.FieldU32("size_of_headers")
d.FieldU32("chunk_sum", scalar.UintHex)
d.FieldU16("subsystem", subSystemNames)
d.FieldStruct("dll_characteristics", func(d *decode.D) {
d.FieldBool("force_integrity") // Code Integrity checks are enforced.
d.FieldBool("dynamic_base") // DLL can be relocated at load time.
d.FieldBool("high_entropy_va") // Image can handle a high entropy 64-bit virtual address space.
d.FieldBool("reserved0") // ??
d.FieldBool("reserved1")
d.FieldBool("reserved2")
d.FieldBool("reserved3")
d.FieldBool("reserved4")
d.FieldBool("terminal_server_aware") // Terminal Server aware.
d.FieldBool("guard_cf") // Image supports Control Flow Guard.
d.FieldBool("wdm_driver") // A WDM driver.
d.FieldBool("appcontainer") // Image must execute in an AppContainer.
d.FieldBool("no_bind") // Do not bind the image.
d.FieldBool("no_seh") // Does not use structured exception (SE) handling. No SE handler may be called in this image.
d.FieldBool("no_isolation") // Isolation aware, but do not isolate the image.
d.FieldBool("nx_compat") // Image is NX compatible.
})
d.FieldU("size_of_track_reserve", addrSize)
d.FieldU("size_of_stack_commit", addrSize)
d.FieldU("size_of_heap_reserve", addrSize)
d.FieldU("size_of_heap_commit", addrSize)
d.FieldU32("loader_flags")
d.FieldU32("number_of_rva_and_sizes")
d.FieldU32("export_table_address", scalar.UintHex) //The export table address and size. For more information see .edata Section (Image Only).
d.FieldU32("export_table_size")
d.FieldU32("import_table_address", scalar.UintHex) //The import table address and size. For more information, see The .idata Section.
d.FieldU32("import_table_size")
d.FieldU32("resource_table_address", scalar.UintHex) //The resource table address and size. For more information, see The .rsrc Section.
d.FieldU32("resource_table_size")
d.FieldU32("exception_table_address", scalar.UintHex) //The exception table address and size. For more information, see The .pdata Section.
d.FieldU32("exception_table_size")
d.FieldU32("certificate_table_address", scalar.UintHex) //The attribute certificate table address and size. For more information, see The Attribute Certificate Table (Image Only).
d.FieldU32("certificate_table_size")
d.FieldU32("base_relocation_table_address", scalar.UintHex) //The base relocation table address and size. For more information, see The .reloc Section (Image Only).
d.FieldU32("base_relocation_table_size")
d.FieldU32("debug_address", scalar.UintHex) //The debug data starting address and size. For more information, see The .debug Section.
d.FieldU32("debug_size")
d.FieldU64("architecture") //Reserved, must be 0
d.FieldU64("global_ptr", scalar.UintHex) //The RVA of the value to be stored in the global pointer register. The size member of this structure must be set to zero.
d.FieldU32("tls_table_address", scalar.UintHex) //The thread local storage (TLS) table address and size. For more information, see The .tls Section.
d.FieldU32("tls_table_size")
d.FieldU32("load_config_table_address", scalar.UintHex) //The load configuration table address and size. For more information, see The Load Configuration Structure (Image Only).
d.FieldU32("load_config_table_size")
d.FieldU32("bound_import_address", scalar.UintHex) //The bound import table address and size.
d.FieldU32("bound_import_size")
d.FieldU32("iat_address", scalar.UintHex) //The import address table address and size. For more information, see Import Address Table.
d.FieldU32("iat_size")
d.FieldU32("delay_import_descriptor_address", scalar.UintHex) //The delay import descriptor address and size. For more information, see Delay-Load Import Tables (Image Only).
d.FieldU32("delay_import_descriptor_size")
d.FieldU32("clr_runtime_header_address", scalar.UintHex) //The CLR runtime header address and size. For more information, see The .cormeta Section (Object Only).
d.FieldU32("clr_runtime_header_size")
d.FieldU64("reserved") //must be zero
// TODO: where?
/*numberOfRvaAndSizes :=*/
/*
d.FieldArray("data_directories", func(d *decode.D) {
for i := 0; i < int(numberOfRvaAndSizes); i++ {
d.FieldStruct("data_directory", func(d *decode.D) {
d.FieldU32("virtual_address", scalar.UintHex)
d.FieldU32("size")
})
}
})
*/
d.FieldRawLen("unknown", d.BitsLeft())
})
})
}
// TODO: section_alignment?
d.FieldArray("sections", func(d *decode.D) {
for i := uint64(0); i < numberOfSections; i++ {
d.FieldStruct("section", func(d *decode.D) {
name := d.FieldUTF8("name", 8, stringTableMapper) // An 8-byte, null-padded UTF-8 encoded string. If the string is exactly 8 characters long, there is no terminating null. For longer names, this field contains a slash (/) that is followed by an ASCII representation of a decimal number that is an offset into the string table. Executable images do not use a string table and do not support section names longer than 8 characters. Long names in object files are truncated if they are emitted to an executable file.
d.FieldU32("virtual_size") // The total size of the section when loaded into memory. If this value is greater than SizeOfRawData, the section is zero-padded. This field is valid only for executable images and should be set to zero for object files.
virtualAddress := d.FieldU32("virtual_address", scalar.UintHex) // For executable images, the address of the first byte of the section relative to the image base when the section is loaded into memory. For object files, this field is the address of the first byte before relocation is applied; for simplicity, compilers should set this to zero. Otherwise, it is an arbitrary value that is subtracted from offsets during relocation.
sizeOfRawData := d.FieldU32("size_of_raw_data") // The size of the section (for object files) or the size of the initialized data on disk (for image files). For executable images, this must be a multiple of FileAlignment from the optional header. If this is less than VirtualSize, the remainder of the section is zero-filled. Because the SizeOfRawData field is rounded but the VirtualSize field is not, it is possible for SizeOfRawData to be greater than VirtualSize as well. When a section contains only uninitialized data, this field should be zero.
pointerToRawData := d.FieldU32("pointer_to_raw_data", scalar.UintHex) // The file pointer to the first page of the section within the COFF file. For executable images, this must be a multiple of FileAlignment from the optional header. For object files, the value should be aligned on a 4-byte boundary for best performance. When a section contains only uninitialized data, this field should be zero.
d.FieldU32("pointer_to_relocations", scalar.UintHex) // The file pointer to the beginning of relocation entries for the section. This is set to zero for executable images or if there are no relocations.
d.FieldU32("pointer_to_line_numbers", scalar.UintHex) // The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated.
d.FieldU16("number_of_relocations") // The number of relocation entries for the section. This is set to zero for executable images.
d.FieldU16("number_of_line_numbers") // The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated.
d.FieldStruct("characteristics", func(d *decode.D) {
// 32 bit LE flags
d.FieldBool("cnt_uninitialized_data") // The section contains uninitialized data.
d.FieldBool("cnt_initialized_data") // The section contains initialized data.
d.FieldBool("cnt_code") // The section contains executable code.
d.FieldBool("reserved") // Reserved for future use.
d.FieldBool("type_no_pad") // The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
d.FieldBool("reserved0") // Reserved for future use.
d.FieldBool("reserved1") // Reserved for future use.
d.FieldBool("reserved2") // Reserved for future use.
d.FieldBool("gprel") // The section contains data referenced through the global pointer (GP).
d.FieldBool("unknown0") // ??
d.FieldBool("unknown1") // ??
d.FieldBool("lnk_comdat") // The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files.
d.FieldBool("lnk_remove") // The section will not become part of the image. This is valid only for object files.
d.FieldBool("reserved3") // Reserved for future use.
d.FieldBool("lnk_info") // The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
d.FieldBool("lnk_other") // Reserved for future use.
d.FieldBool("align_128bytes") // Align data on a 128-byte boundary. Valid only for object files.
d.FieldBool("align_8bytes") // Align data on an 8-byte boundary. Valid only for object files.
d.FieldBool("align_2bytes") // Align data on a 2-byte boundary. Valid only for object files.
d.FieldBool("align_1bytes") // Align data on a 1-byte boundary. Valid only for object files.
d.FieldBool("mem_preload") // Reserved for future use.
d.FieldBool("mem_locked") // Reserved for future use.
d.FieldBool("mem_16bit") // Reserved for future use.
d.FieldBool("mem_purgeable") // Reserved for future use. TODO was 0x00020000 in docnumberOfSymbols
d.FieldBool("mem_write") // The section can be written to.
d.FieldBool("mem_read") // The section can be read.
d.FieldBool("mem_execute") // The section can be executed as code.
d.FieldBool("mem_shared") // The section can be shared in memory.
d.FieldBool("mem_not_paged") // The section is not pageable.
d.FieldBool("mem_not_cached") // The section cannot be cached.
d.FieldBool("mem_discardable") // The section can be discarded as needed.
d.FieldBool("lnk_nreloc_ovfl") // The section contains extended relocations.
// IMAGE_SCN_ALIGN_4BYTES 0x00300000 Align data on a 4-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_16BYTES 0x00500000 Align data on a 16-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_32BYTES 0x00600000 Align data on a 32-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_64BYTES 0x00700000 Align data on a 64-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_256BYTES 0x00900000 Align data on a 256-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_512BYTES 0x00A00000 Align data on a 512-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 Align data on a 1024-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 Align data on a 2048-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 Align data on a 4096-byte boundary. Valid only for object files.
// IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 Align data on an 8192-byte boundary. Valid only for object files.
// d.FieldBool("reserved") // Reserved for future use.
// d.FieldBool("reserved") // Reserved for future use.
// d.FieldBool("reserved") // Reserved for future use.
// d.FieldBool("type_no_pad") // The section should not be padded to the next boundary. This flag is obsolete and is replaced by IMAGE_SCN_ALIGN_1BYTES. This is valid only for object files.
// d.FieldBool("reserved") // Reserved for future use.
// d.FieldBool("cnt_code") // The section contains executable code.
// d.FieldBool("cnt_initialized_data") // The section contains initialized data.
// d.FieldBool("cnt_uninitialized_data") // The section contains uninitialized data.
// d.FieldBool("lnk_other") // Reserved for future use.
// d.FieldBool("lnk_info") // The section contains comments or other information. The .drectve section has this type. This is valid for object files only.
// d.FieldBool("reserved") // Reserved for future use.
// d.FieldBool("lnk_remove") // The section will not become part of the image. This is valid only for object files.
// d.FieldBool("lnk_comdat") // The section contains COMDAT data. For more information, see COMDAT Sections (Object Only). This is valid only for object files.
// d.FieldBool("unknown") // The section contains data referenced through the global pointer (GP).
// d.FieldBool("unknown") // The section contains data referenced through the global pointer (GP).
// d.FieldBool("gprel") // The section contains data referenced through the global pointer (GP).
// d.FieldBool("mem_purgeable") // Reserved for future use. TODO was 0x00020000 in docnumberOfSymbols
// d.FieldBool("mem_16bit") // Reserved for future use.
// d.FieldBool("mem_locked") // Reserved for future use.
// d.FieldBool("mem_preload") // Reserved for future use.
// d.FieldBool("align_1bytes") // Align data on a 1-byte boundary. Valid only for object files.
// d.FieldBool("align_2bytes") // Align data on a 2-byte boundary. Valid only for object files.
// d.FieldBool("align_8bytes") // Align data on an 8-byte boundary. Valid only for object files.
// d.FieldBool("align_128bytes") // Align data on a 128-byte boundary. Valid only for object files.
// d.FieldBool("lnk_nreloc_ovfl") // The section contains extended relocations.
// d.FieldBool("mem_discardable") // The section can be discarded as needed.
// d.FieldBool("mem_not_cached") // The section cannot be cached.
// d.FieldBool("mem_not_paged") // The section is not pageable.
// d.FieldBool("mem_shared") // The section can be shared in memory.
// d.FieldBool("mem_execute") // The section can be executed as code.
// d.FieldBool("mem_read") // The section can be read.
// d.FieldBool("mem_write") // The section can be written to.
})
_ = name
_ = virtualAddress
_ = sizeOfRawData
_ = pointerToRawData
/*
if pointerToRawData != 0 {
pointerToRawData -= uint64(pci.FilePointerOffset)
d.SeekAbs(int64(pointerToRawData)*8, func(d *decode.D) {
switch name {
case ".idata":
d.FieldStruct("data", func(d *decode.D) {
count := 0
d.FieldArray("directory_table", func(d *decode.D) {
for {
var n uint64
d.FieldStruct("directory_entry", func(d *decode.D) {
n = d.FieldU32("lookup_table_rva", scalar.UintHex)
d.FieldU32("timestamp")
d.FieldU32("forward_chain")
d.FieldU32("name_rva", scalar.UintHex)
d.FieldU32("address_table_rva", scalar.UintHex)
})
if n == 0 {
break
}
count++
}
})
_ = virtualAddress
d.FieldArray("dlls", func(d *decode.D) {
for i := 0; i < count; i++ {
d.FieldStruct("dll", func(d *decode.D) {
d.FieldArray("lookup_table1", func(d *decode.D) {
for {
if d.PeekUintBits(addrSize) == 0 {
break
}
d.FieldU("bla", addrSize)
}
})
d.FieldU("lookup_table1_end", addrSize)
})
}
})
d.FieldArray("hint_names", func(d *decode.D) {
for i := 0; true; i++ {
log.Printf("i: %#+v\n", i)
d.FieldStruct("hint_name", func(d *decode.D) {
d.FieldU16("hint")
d.FieldUTF8Null("name")
// if d.AlignBits(16) != 0 {
// d.FieldU8("align_pad")
// }
})
if i > 800 {
break
}
}
})
})
default:
d.FieldRawLen("data", int64(sizeOfRawData)*8)
}
})
}
*/
})
}
})
// var stringTableMapperPos int64
// TODO: if pointerToSymbolTable != 0?
if pointerToSymbolTable != 0 {
d.FieldArray("symbol_table", func(d *decode.D) {
d.SeekAbs(int64(pointerToSymbolTable*8), func(d *decode.D) {
for i := uint64(0); i < numberOfSymbols; i++ {
d.FieldStruct("symbol", func(d *decode.D) {
// TODO: name
d.FieldUTF8("name", 8, stringTableMapper) // The name of the symbol, represented by a union of three structures. An array of 8 bytes is used if the name is not more than 8 bytes long. For more information, see Symbol Name Representation.
d.FieldU32("value") // The value that is associated with the symbol. The interpretation of this field depends on SectionNumber and StorageClass. A typical meaning is the relocatable address.
d.FieldU16("section_number") // The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning, as defined in section 5.4.2, "Section Number Values."
d.FieldU8("base_type", symBaseTypeNames)
d.FieldU8("complex_type", symBaseDTypeNames)
d.FieldU8("storage_class", symClassNames) // An enumerated value that represents storage class. For more information, see Storage Class.
d.FieldU8("number_of_aux_symbols") // The number of auxiliary symbol table entries that follow this record.
})
}
// stringTablePos = d.Pos()
})
})
d.SeekAbs(stringTablePos, func(d *decode.D) {
// TODO: if pos != 0?
d.FieldStruct("string_table", func(d *decode.D) {
stringTableSize := d.FieldU32("size") - 4
d.FramedFn(int64(stringTableSize*8), func(d *decode.D) {
d.FieldArray("entries", func(d *decode.D) {
for !d.End() {
d.FieldUTF8Null("entry")
}
})
})
})
})
}
return nil
}

61
format/pe/msdos_stub.go Normal file
View File

@ -0,0 +1,61 @@
package pe
// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/
import (
"github.com/wader/fq/format"
"github.com/wader/fq/internal/mathx"
"github.com/wader/fq/pkg/decode"
"github.com/wader/fq/pkg/interp"
"github.com/wader/fq/pkg/scalar"
)
func init() {
interp.RegisterFormat(
format.MSDOS_Stub,
&decode.Format{
Description: "MS-DOS Stub",
DecodeFn: msDosStubDecode,
})
}
func msDosStubDecode(d *decode.D) any {
d.Endian = decode.LittleEndian
d.FieldU16("e_magic", scalar.UintDescription("Magic number"), d.UintAssert(0x5a4d), scalar.UintHex)
d.FieldU16("e_cblp", scalar.UintDescription("Bytes on last page of file"))
d.FieldU16("e_cp", scalar.UintDescription("Pages in file"))
d.FieldU16("e_crlc", scalar.UintDescription("Relocations"))
d.FieldU16("e_cparhdr", scalar.UintDescription("Size of header in paragraphs"))
d.FieldU16("e_minalloc", scalar.UintDescription("Minimum extra paragraphs needed"))
d.FieldU16("e_maxalloc", scalar.UintDescription("Maximum extra paragraphs needed"))
d.FieldU16("e_ss", scalar.UintDescription("Initial (relative) SS value"))
d.FieldU16("e_sp", scalar.UintDescription("Initial SP value"))
d.FieldU16("e_csum", scalar.UintDescription("Checksum"))
d.FieldU16("e_ip", scalar.UintDescription("Initial IP value"))
d.FieldU16("e_cs", scalar.UintDescription("Initial (relative) CS value"))
d.FieldU16("e_lfarlc", scalar.UintDescription("File address of relocation table"))
d.FieldU16("e_ovno", scalar.UintDescription("Overlay number"))
d.FieldRawLen("e_res", 4*16, scalar.BitBufDescription("Reserved words"))
d.FieldU16("e_oemid", scalar.UintDescription("OEM identifier (for e_oeminfo)"))
d.FieldU16("e_oeminfo", scalar.UintDescription("OEM information; e_oemid specific"))
d.FieldRawLen("e_res2", 10*16, scalar.BitBufDescription("Reserved words"))
lfanew := d.FieldU32("e_lfanew", scalar.UintDescription("File address of new exe header"))
// TODO: how to detect UEFI?
subEndPos := mathx.Min(d.Pos()+64*8, int64(lfanew)*8)
// TODO: x86 format in the future
d.FieldRawLen("stub", subEndPos-d.Pos(), scalar.BitBufDescription("Sub program"))
// TODO: is not padding i guess?
padding := lfanew*8 - uint64(subEndPos)
if padding > 0 {
d.FieldRawLen("padding", int64(padding))
}
return format.MS_DOS_Out{
LFANew: int(lfanew),
}
}

37
format/pe/pe.go Normal file
View File

@ -0,0 +1,37 @@
package pe
import (
"fmt"
"github.com/wader/fq/format"
"github.com/wader/fq/pkg/decode"
"github.com/wader/fq/pkg/interp"
)
var msDosStubGroup decode.Group
var coffGroup decode.Group
func init() {
interp.RegisterFormat(
format.PE,
&decode.Format{
Description: "Portable Executable",
Groups: []*decode.Group{format.Probe},
Dependencies: []decode.Dependency{
{Groups: []*decode.Group{format.MSDOS_Stub}, Out: &msDosStubGroup},
{Groups: []*decode.Group{format.COFF}, Out: &coffGroup},
},
DecodeFn: peDecode,
})
}
func peDecode(d *decode.D) any {
_, v := d.FieldFormat("ms_dos_stub", &msDosStubGroup, nil)
msDOSOut, ok := v.(format.MS_DOS_Out)
if !ok {
panic(fmt.Sprintf("expected MS_DOS_Out got %#+v", v))
}
d.FieldFormat("coff", &coffGroup, format.COFF_In{FilePointerOffset: msDOSOut.LFANew})
return nil
}

7
format/pe/testdata/README.md vendored Normal file
View File

@ -0,0 +1,7 @@
PE sample from https://github.com/JonathanSalwan/binary-samples under MIT license
```sh
rm -f *.fqtest; for i in pe-* *.efi; do echo "\$ fq dv $i" > $i.fqtest ; done
```
EFI sample from https://github.com/badcf00d/UEFI-helloworld under BSD license

BIN
format/pe/testdata/helloworld.efi vendored Normal file
View File

Binary file not shown.

260
format/pe/testdata/helloworld.efi.fqtest vendored Normal file
View File

@ -0,0 +1,260 @@
$ fq dv helloworld.efi
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: helloworld.efi (pe) 0x0-0x800 (2048)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0x78 (120)
0x000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x2 (2)
0x000| 78 00 | x. | e_cblp: 120 (Bytes on last page of file) 0x2-0x4 (2)
0x000| 01 00 | .. | e_cp: 1 (Pages in file) 0x4-0x6 (2)
0x000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x8 (2)
0x000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0xa (2)
0x000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xc (2)
0x000| 00 00 | .. | e_maxalloc: 0 (Maximum extra paragraphs needed) 0xc-0xe (2)
0x000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0x10 (2)
0x010|00 00 |.. | e_sp: 0 (Initial SP value) 0x10-0x12 (2)
0x010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x14 (2)
0x010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x16 (2)
0x010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x18 (2)
0x010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x1a (2)
0x010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1c (2)
0x010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x24 (8)
0x020|00 00 00 00 |.... |
0x020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x26 (2)
0x020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x28 (2)
0x020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3c (20)
0x030|00 00 00 00 00 00 00 00 00 00 00 00 |............ |
0x030| 78 00 00 00| x...| e_lfanew: 120 (File address of new exe header) 0x3c-0x40 (4)
0x040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x78 (56)
* |until 0x77.7 (56) | |
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0x78-0x1f8 (384)
0x070| 50 45 00 00 | PE.. | signature: raw bits (valid) 0x78-0x7c (4)
0x070| 64 86 | d. | machine: "amd64" (0x8664) 0x7c-0x7e (2)
0x070| 03 00| ..| number_of_sections: 3 0x7e-0x80 (2)
0x080|96 bf 5b 5e |..[^ | time_date_stamp: 1583071126 (2020-03-01T13:58:46Z) 0x80-0x84 (4)
0x080| 00 00 00 00 | .... | pointer_to_symbol_table: 0x0 0x84-0x88 (4)
0x080| 00 00 00 00 | .... | number_of_symbols: 0 0x88-0x8c (4)
0x080| f0 00 | .. | size_of_optional_header: 240 0x8c-0x8e (2)
| | | characteristics{}: 0x8e-0x90 (2)
0x080| 22 | " | bytes_reversed_lo: false 0x8e-0x8e.1 (0.1)
0x080| 22 | " | reserved: false 0x8e.1-0x8e.2 (0.1)
0x080| 22 | " | large_address_aware: true 0x8e.2-0x8e.3 (0.1)
0x080| 22 | " | aggressive_ws_trim: false 0x8e.3-0x8e.4 (0.1)
0x080| 22 | " | local_syms_stripped: false 0x8e.4-0x8e.5 (0.1)
0x080| 22 | " | line_nums_stripped: false 0x8e.5-0x8e.6 (0.1)
0x080| 22 | " | executable_image: true 0x8e.6-0x8e.7 (0.1)
0x080| 22 | " | relocs_stripped: false 0x8e.7-0x8f (0.1)
0x080| 00| .| bytes_reversed_hi: false 0x8f-0x8f.1 (0.1)
0x080| 00| .| up_system_only: false 0x8f.1-0x8f.2 (0.1)
0x080| 00| .| dll: false 0x8f.2-0x8f.3 (0.1)
0x080| 00| .| system: false 0x8f.3-0x8f.4 (0.1)
0x080| 00| .| net_run_from_swap: false 0x8f.4-0x8f.5 (0.1)
0x080| 00| .| removable_run_from_swap: false 0x8f.5-0x8f.6 (0.1)
0x080| 00| .| debug_stripped: false 0x8f.6-0x8f.7 (0.1)
0x080| 00| .| 32bit_machine: false 0x8f.7-0x90 (0.1)
| | | optional_header{}: 0x90-0x180 (240)
0x090|0b 02 |.. | format: "pe32+" (0x20b) 0x90-0x92 (2)
0x090| 0e | . | major_linker_version: 14 0x92-0x93 (1)
0x090| 00 | . | minor_linker_version: 0 0x93-0x94 (1)
0x090| 00 02 00 00 | .... | size_of_code: 512 0x94-0x98 (4)
0x090| 00 04 00 00 | .... | size_of_initialized_data: 1024 0x98-0x9c (4)
0x090| 00 00 00 00| ....| size_of_uninitialized_data: 0 0x9c-0xa0 (4)
0x0a0|10 10 00 00 |.... | address_of_entry_point: 0x1010 0xa0-0xa4 (4)
0x0a0| 00 10 00 00 | .... | base_of_code: 0x1000 0xa4-0xa8 (4)
0x0a0| 00 00 00 40 01 00 00 00| ...@....| image_base: 0x140000000 0xa8-0xb0 (8)
0x0b0|00 10 00 00 |.... | section_alignment: 4096 0xb0-0xb4 (4)
0x0b0| 00 02 00 00 | .... | file_alignment: 512 0xb4-0xb8 (4)
0x0b0| 06 00 | .. | major_os_version: 6 0xb8-0xba (2)
0x0b0| 00 00 | .. | minor_os_version: 0 0xba-0xbc (2)
0x0b0| 00 00 | .. | major_image_version: 0 0xbc-0xbe (2)
0x0b0| 00 00| ..| minor_image_version: 0 0xbe-0xc0 (2)
0x0c0|06 00 |.. | major_subsystem_version: 6 0xc0-0xc2 (2)
0x0c0| 00 00 | .. | minor_subsystem_version: 0 0xc2-0xc4 (2)
0x0c0| 00 00 00 00 | .... | win32_version: 0 0xc4-0xc8 (4)
0x0c0| 00 40 00 00 | .@.. | size_of_image: 16384 0xc8-0xcc (4)
0x0c0| 00 02 00 00| ....| size_of_headers: 512 0xcc-0xd0 (4)
0x0d0|00 00 00 00 |.... | chunk_sum: 0x0 0xd0-0xd4 (4)
0x0d0| 0a 00 | .. | subsystem: "efi_application" (10) 0xd4-0xd6 (2)
| | | dll_characteristics{}: 0xd6-0xd8 (2)
0x0d0| 60 | ` | force_integrity: false 0xd6-0xd6.1 (0.1)
0x0d0| 60 | ` | dynamic_base: true 0xd6.1-0xd6.2 (0.1)
0x0d0| 60 | ` | high_entropy_va: true 0xd6.2-0xd6.3 (0.1)
0x0d0| 60 | ` | reserved0: false 0xd6.3-0xd6.4 (0.1)
0x0d0| 60 | ` | reserved1: false 0xd6.4-0xd6.5 (0.1)
0x0d0| 60 | ` | reserved2: false 0xd6.5-0xd6.6 (0.1)
0x0d0| 60 | ` | reserved3: false 0xd6.6-0xd6.7 (0.1)
0x0d0| 60 | ` | reserved4: false 0xd6.7-0xd7 (0.1)
0x0d0| 81 | . | terminal_server_aware: true 0xd7-0xd7.1 (0.1)
0x0d0| 81 | . | guard_cf: false 0xd7.1-0xd7.2 (0.1)
0x0d0| 81 | . | wdm_driver: false 0xd7.2-0xd7.3 (0.1)
0x0d0| 81 | . | appcontainer: false 0xd7.3-0xd7.4 (0.1)
0x0d0| 81 | . | no_bind: false 0xd7.4-0xd7.5 (0.1)
0x0d0| 81 | . | no_seh: false 0xd7.5-0xd7.6 (0.1)
0x0d0| 81 | . | no_isolation: false 0xd7.6-0xd7.7 (0.1)
0x0d0| 81 | . | nx_compat: true 0xd7.7-0xd8 (0.1)
0x0d0| 00 00 10 00 00 00 00 00| ........| size_of_track_reserve: 1048576 0xd8-0xe0 (8)
0x0e0|00 10 00 00 00 00 00 00 |........ | size_of_stack_commit: 4096 0xe0-0xe8 (8)
0x0e0| 00 00 10 00 00 00 00 00| ........| size_of_heap_reserve: 1048576 0xe8-0xf0 (8)
0x0f0|00 10 00 00 00 00 00 00 |........ | size_of_heap_commit: 4096 0xf0-0xf8 (8)
0x0f0| 00 00 00 00 | .... | loader_flags: 0 0xf8-0xfc (4)
0x0f0| 10 00 00 00| ....| number_of_rva_and_sizes: 16 0xfc-0x100 (4)
0x100|00 00 00 00 |.... | export_table_address: 0x0 0x100-0x104 (4)
0x100| 00 00 00 00 | .... | export_table_size: 0 0x104-0x108 (4)
0x100| 00 00 00 00 | .... | import_table_address: 0x0 0x108-0x10c (4)
0x100| 00 00 00 00| ....| import_table_size: 0 0x10c-0x110 (4)
0x110|00 00 00 00 |.... | resource_table_address: 0x0 0x110-0x114 (4)
0x110| 00 00 00 00 | .... | resource_table_size: 0 0x114-0x118 (4)
0x110| 00 00 00 00 | .... | exception_table_address: 0x0 0x118-0x11c (4)
0x110| 00 00 00 00| ....| exception_table_size: 0 0x11c-0x120 (4)
0x120|00 00 00 00 |.... | certificate_table_address: 0x0 0x120-0x124 (4)
0x120| 00 00 00 00 | .... | certificate_table_size: 0 0x124-0x128 (4)
0x120| 00 30 00 00 | .0.. | base_relocation_table_address: 0x3000 0x128-0x12c (4)
0x120| 0c 00 00 00| ....| base_relocation_table_size: 12 0x12c-0x130 (4)
0x130|00 00 00 00 |.... | debug_address: 0x0 0x130-0x134 (4)
0x130| 00 00 00 00 | .... | debug_size: 0 0x134-0x138 (4)
0x130| 00 00 00 00 00 00 00 00| ........| architecture: 0 0x138-0x140 (8)
0x140|00 00 00 00 00 00 00 00 |........ | global_ptr: 0x0 0x140-0x148 (8)
0x140| 00 00 00 00 | .... | tls_table_address: 0x0 0x148-0x14c (4)
0x140| 00 00 00 00| ....| tls_table_size: 0 0x14c-0x150 (4)
0x150|00 00 00 00 |.... | load_config_table_address: 0x0 0x150-0x154 (4)
0x150| 00 00 00 00 | .... | load_config_table_size: 0 0x154-0x158 (4)
0x150| 00 00 00 00 | .... | bound_import_address: 0x0 0x158-0x15c (4)
0x150| 00 00 00 00| ....| bound_import_size: 0 0x15c-0x160 (4)
0x160|00 00 00 00 |.... | iat_address: 0x0 0x160-0x164 (4)
0x160| 00 00 00 00 | .... | iat_size: 0 0x164-0x168 (4)
0x160| 00 00 00 00 | .... | delay_import_descriptor_address: 0x0 0x168-0x16c (4)
0x160| 00 00 00 00| ....| delay_import_descriptor_size: 0 0x16c-0x170 (4)
0x170|00 00 00 00 |.... | clr_runtime_header_address: 0x0 0x170-0x174 (4)
0x170| 00 00 00 00 | .... | clr_runtime_header_size: 0 0x174-0x178 (4)
0x170| 00 00 00 00 00 00 00 00| ........| reserved: 0 0x178-0x180 (8)
| | | unknown: raw bits 0x180-0x180 (0)
| | | sections[0:3]: 0x180-0x1f8 (120)
| | | [0]{}: section 0x180-0x1a8 (40)
0x180|2e 74 65 78 74 00 00 00 |.text... | name: ".text" 0x180-0x188 (8)
0x180| 23 00 00 00 | #... | virtual_size: 35 0x188-0x18c (4)
0x180| 00 10 00 00| ....| virtual_address: 0x1000 0x18c-0x190 (4)
0x190|00 02 00 00 |.... | size_of_raw_data: 512 0x190-0x194 (4)
0x190| 00 02 00 00 | .... | pointer_to_raw_data: 0x200 0x194-0x198 (4)
0x190| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x198-0x19c (4)
0x190| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x19c-0x1a0 (4)
0x1a0|00 00 |.. | number_of_relocations: 0 0x1a0-0x1a2 (2)
0x1a0| 00 00 | .. | number_of_line_numbers: 0 0x1a2-0x1a4 (2)
| | | characteristics{}: 0x1a4-0x1a8 (4)
0x1a0| 20 | | cnt_uninitialized_data: false 0x1a4-0x1a4.1 (0.1)
0x1a0| 20 | | cnt_initialized_data: false 0x1a4.1-0x1a4.2 (0.1)
0x1a0| 20 | | cnt_code: true 0x1a4.2-0x1a4.3 (0.1)
0x1a0| 20 | | reserved: false 0x1a4.3-0x1a4.4 (0.1)
0x1a0| 20 | | type_no_pad: false 0x1a4.4-0x1a4.5 (0.1)
0x1a0| 20 | | reserved0: false 0x1a4.5-0x1a4.6 (0.1)
0x1a0| 20 | | reserved1: false 0x1a4.6-0x1a4.7 (0.1)
0x1a0| 20 | | reserved2: false 0x1a4.7-0x1a5 (0.1)
0x1a0| 00 | . | gprel: false 0x1a5-0x1a5.1 (0.1)
0x1a0| 00 | . | unknown0: false 0x1a5.1-0x1a5.2 (0.1)
0x1a0| 00 | . | unknown1: false 0x1a5.2-0x1a5.3 (0.1)
0x1a0| 00 | . | lnk_comdat: false 0x1a5.3-0x1a5.4 (0.1)
0x1a0| 00 | . | lnk_remove: false 0x1a5.4-0x1a5.5 (0.1)
0x1a0| 00 | . | reserved3: false 0x1a5.5-0x1a5.6 (0.1)
0x1a0| 00 | . | lnk_info: false 0x1a5.6-0x1a5.7 (0.1)
0x1a0| 00 | . | lnk_other: false 0x1a5.7-0x1a6 (0.1)
0x1a0| 00 | . | align_128bytes: false 0x1a6-0x1a6.1 (0.1)
0x1a0| 00 | . | align_8bytes: false 0x1a6.1-0x1a6.2 (0.1)
0x1a0| 00 | . | align_2bytes: false 0x1a6.2-0x1a6.3 (0.1)
0x1a0| 00 | . | align_1bytes: false 0x1a6.3-0x1a6.4 (0.1)
0x1a0| 00 | . | mem_preload: false 0x1a6.4-0x1a6.5 (0.1)
0x1a0| 00 | . | mem_locked: false 0x1a6.5-0x1a6.6 (0.1)
0x1a0| 00 | . | mem_16bit: false 0x1a6.6-0x1a6.7 (0.1)
0x1a0| 00 | . | mem_purgeable: false 0x1a6.7-0x1a7 (0.1)
0x1a0| 60 | ` | mem_write: false 0x1a7-0x1a7.1 (0.1)
0x1a0| 60 | ` | mem_read: true 0x1a7.1-0x1a7.2 (0.1)
0x1a0| 60 | ` | mem_execute: true 0x1a7.2-0x1a7.3 (0.1)
0x1a0| 60 | ` | mem_shared: false 0x1a7.3-0x1a7.4 (0.1)
0x1a0| 60 | ` | mem_not_paged: false 0x1a7.4-0x1a7.5 (0.1)
0x1a0| 60 | ` | mem_not_cached: false 0x1a7.5-0x1a7.6 (0.1)
0x1a0| 60 | ` | mem_discardable: false 0x1a7.6-0x1a7.7 (0.1)
0x1a0| 60 | ` | lnk_nreloc_ovfl: false 0x1a7.7-0x1a8 (0.1)
| | | [1]{}: section 0x1a8-0x1d0 (40)
0x1a0| 2e 64 61 74 61 00 00 00| .data...| name: ".data" 0x1a8-0x1b0 (8)
0x1b0|18 00 00 00 |.... | virtual_size: 24 0x1b0-0x1b4 (4)
0x1b0| 00 20 00 00 | . .. | virtual_address: 0x2000 0x1b4-0x1b8 (4)
0x1b0| 00 02 00 00 | .... | size_of_raw_data: 512 0x1b8-0x1bc (4)
0x1b0| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x1bc-0x1c0 (4)
0x1c0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x1c0-0x1c4 (4)
0x1c0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x1c4-0x1c8 (4)
0x1c0| 00 00 | .. | number_of_relocations: 0 0x1c8-0x1ca (2)
0x1c0| 00 00 | .. | number_of_line_numbers: 0 0x1ca-0x1cc (2)
| | | characteristics{}: 0x1cc-0x1d0 (4)
0x1c0| 40 | @ | cnt_uninitialized_data: false 0x1cc-0x1cc.1 (0.1)
0x1c0| 40 | @ | cnt_initialized_data: true 0x1cc.1-0x1cc.2 (0.1)
0x1c0| 40 | @ | cnt_code: false 0x1cc.2-0x1cc.3 (0.1)
0x1c0| 40 | @ | reserved: false 0x1cc.3-0x1cc.4 (0.1)
0x1c0| 40 | @ | type_no_pad: false 0x1cc.4-0x1cc.5 (0.1)
0x1c0| 40 | @ | reserved0: false 0x1cc.5-0x1cc.6 (0.1)
0x1c0| 40 | @ | reserved1: false 0x1cc.6-0x1cc.7 (0.1)
0x1c0| 40 | @ | reserved2: false 0x1cc.7-0x1cd (0.1)
0x1c0| 00 | . | gprel: false 0x1cd-0x1cd.1 (0.1)
0x1c0| 00 | . | unknown0: false 0x1cd.1-0x1cd.2 (0.1)
0x1c0| 00 | . | unknown1: false 0x1cd.2-0x1cd.3 (0.1)
0x1c0| 00 | . | lnk_comdat: false 0x1cd.3-0x1cd.4 (0.1)
0x1c0| 00 | . | lnk_remove: false 0x1cd.4-0x1cd.5 (0.1)
0x1c0| 00 | . | reserved3: false 0x1cd.5-0x1cd.6 (0.1)
0x1c0| 00 | . | lnk_info: false 0x1cd.6-0x1cd.7 (0.1)
0x1c0| 00 | . | lnk_other: false 0x1cd.7-0x1ce (0.1)
0x1c0| 00 | . | align_128bytes: false 0x1ce-0x1ce.1 (0.1)
0x1c0| 00 | . | align_8bytes: false 0x1ce.1-0x1ce.2 (0.1)
0x1c0| 00 | . | align_2bytes: false 0x1ce.2-0x1ce.3 (0.1)
0x1c0| 00 | . | align_1bytes: false 0x1ce.3-0x1ce.4 (0.1)
0x1c0| 00 | . | mem_preload: false 0x1ce.4-0x1ce.5 (0.1)
0x1c0| 00 | . | mem_locked: false 0x1ce.5-0x1ce.6 (0.1)
0x1c0| 00 | . | mem_16bit: false 0x1ce.6-0x1ce.7 (0.1)
0x1c0| 00 | . | mem_purgeable: false 0x1ce.7-0x1cf (0.1)
0x1c0| c0| .| mem_write: true 0x1cf-0x1cf.1 (0.1)
0x1c0| c0| .| mem_read: true 0x1cf.1-0x1cf.2 (0.1)
0x1c0| c0| .| mem_execute: false 0x1cf.2-0x1cf.3 (0.1)
0x1c0| c0| .| mem_shared: false 0x1cf.3-0x1cf.4 (0.1)
0x1c0| c0| .| mem_not_paged: false 0x1cf.4-0x1cf.5 (0.1)
0x1c0| c0| .| mem_not_cached: false 0x1cf.5-0x1cf.6 (0.1)
0x1c0| c0| .| mem_discardable: false 0x1cf.6-0x1cf.7 (0.1)
0x1c0| c0| .| lnk_nreloc_ovfl: false 0x1cf.7-0x1d0 (0.1)
| | | [2]{}: section 0x1d0-0x1f8 (40)
0x1d0|2e 72 65 6c 6f 63 00 00 |.reloc.. | name: ".reloc" 0x1d0-0x1d8 (8)
0x1d0| 0c 00 00 00 | .... | virtual_size: 12 0x1d8-0x1dc (4)
0x1d0| 00 30 00 00| .0..| virtual_address: 0x3000 0x1dc-0x1e0 (4)
0x1e0|00 02 00 00 |.... | size_of_raw_data: 512 0x1e0-0x1e4 (4)
0x1e0| 00 06 00 00 | .... | pointer_to_raw_data: 0x600 0x1e4-0x1e8 (4)
0x1e0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1e8-0x1ec (4)
0x1e0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1ec-0x1f0 (4)
0x1f0|00 00 |.. | number_of_relocations: 0 0x1f0-0x1f2 (2)
0x1f0| 00 00 | .. | number_of_line_numbers: 0 0x1f2-0x1f4 (2)
| | | characteristics{}: 0x1f4-0x1f8 (4)
0x1f0| 40 | @ | cnt_uninitialized_data: false 0x1f4-0x1f4.1 (0.1)
0x1f0| 40 | @ | cnt_initialized_data: true 0x1f4.1-0x1f4.2 (0.1)
0x1f0| 40 | @ | cnt_code: false 0x1f4.2-0x1f4.3 (0.1)
0x1f0| 40 | @ | reserved: false 0x1f4.3-0x1f4.4 (0.1)
0x1f0| 40 | @ | type_no_pad: false 0x1f4.4-0x1f4.5 (0.1)
0x1f0| 40 | @ | reserved0: false 0x1f4.5-0x1f4.6 (0.1)
0x1f0| 40 | @ | reserved1: false 0x1f4.6-0x1f4.7 (0.1)
0x1f0| 40 | @ | reserved2: false 0x1f4.7-0x1f5 (0.1)
0x1f0| 00 | . | gprel: false 0x1f5-0x1f5.1 (0.1)
0x1f0| 00 | . | unknown0: false 0x1f5.1-0x1f5.2 (0.1)
0x1f0| 00 | . | unknown1: false 0x1f5.2-0x1f5.3 (0.1)
0x1f0| 00 | . | lnk_comdat: false 0x1f5.3-0x1f5.4 (0.1)
0x1f0| 00 | . | lnk_remove: false 0x1f5.4-0x1f5.5 (0.1)
0x1f0| 00 | . | reserved3: false 0x1f5.5-0x1f5.6 (0.1)
0x1f0| 00 | . | lnk_info: false 0x1f5.6-0x1f5.7 (0.1)
0x1f0| 00 | . | lnk_other: false 0x1f5.7-0x1f6 (0.1)
0x1f0| 00 | . | align_128bytes: false 0x1f6-0x1f6.1 (0.1)
0x1f0| 00 | . | align_8bytes: false 0x1f6.1-0x1f6.2 (0.1)
0x1f0| 00 | . | align_2bytes: false 0x1f6.2-0x1f6.3 (0.1)
0x1f0| 00 | . | align_1bytes: false 0x1f6.3-0x1f6.4 (0.1)
0x1f0| 00 | . | mem_preload: false 0x1f6.4-0x1f6.5 (0.1)
0x1f0| 00 | . | mem_locked: false 0x1f6.5-0x1f6.6 (0.1)
0x1f0| 00 | . | mem_16bit: false 0x1f6.6-0x1f6.7 (0.1)
0x1f0| 00 | . | mem_purgeable: false 0x1f6.7-0x1f7 (0.1)
0x1f0| 42 | B | mem_write: false 0x1f7-0x1f7.1 (0.1)
0x1f0| 42 | B | mem_read: true 0x1f7.1-0x1f7.2 (0.1)
0x1f0| 42 | B | mem_execute: false 0x1f7.2-0x1f7.3 (0.1)
0x1f0| 42 | B | mem_shared: false 0x1f7.3-0x1f7.4 (0.1)
0x1f0| 42 | B | mem_not_paged: false 0x1f7.4-0x1f7.5 (0.1)
0x1f0| 42 | B | mem_not_cached: false 0x1f7.5-0x1f7.6 (0.1)
0x1f0| 42 | B | mem_discardable: true 0x1f7.6-0x1f7.7 (0.1)
0x1f0| 42 | B | lnk_nreloc_ovfl: false 0x1f7.7-0x1f8 (0.1)
0x1f0| 00 00 00 00 00 00 00 00| ........| gap0: raw bits 0x1f8-0x800 (1544)
0x200|de a9 42 90 dc 23 38 4a 96 fb 7a de d0 80 51 6a|..B..#8J..z...Qj|
* |until 0x7ff.7 (end) (1544) | |

BIN
format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld vendored Executable file
View File

Binary file not shown.

391
format/pe/testdata/pe-Windows-ARMv7-Thumb2LE-HelloWorld.fqtest vendored Normal file
View File

@ -0,0 +1,391 @@
$ fq dv pe-Windows-ARMv7-Thumb2LE-HelloWorld
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-Windows-ARMv7-Thumb2LE-HelloWorld (pe) 0x0-0x1a00 (6656)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0xf8 (248)
0x0000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x2 (2)
0x0000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x4 (2)
0x0000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x6 (2)
0x0000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x8 (2)
0x0000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0xa (2)
0x0000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xc (2)
0x0000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xe (2)
0x0000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0x10 (2)
0x0010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x12 (2)
0x0010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x14 (2)
0x0010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x16 (2)
0x0010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x18 (2)
0x0010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x1a (2)
0x0010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1c (2)
0x0010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x24 (8)
0x0020|00 00 00 00 |.... |
0x0020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x26 (2)
0x0020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x28 (2)
0x0020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3c (20)
0x0030|00 00 00 00 00 00 00 00 00 00 00 00 |............ |
0x0030| f8 00 00 00| ....| e_lfanew: 248 (File address of new exe header) 0x3c-0x40 (4)
0x0040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x80 (64)
* |until 0x7f.7 (64) | |
0x0080|56 18 6d ac 12 79 03 ff 12 79 03 ff 12 79 03 ff|V.m..y...y...y..| padding: raw bits 0x80-0xf8 (120)
* |until 0xf7.7 (120) | |
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0xf8-0x2e0 (488)
0x00f0| 50 45 00 00 | PE.. | signature: raw bits (valid) 0xf8-0xfc (4)
0x00f0| c4 01 | .. | machine: "armnt" (0x1c4) 0xfc-0xfe (2)
0x00f0| 06 00| ..| number_of_sections: 6 0xfe-0x100 (2)
0x0100|0d aa 6f 53 |..oS | time_date_stamp: 1399826957 (2014-05-11T16:49:17Z) 0x100-0x104 (4)
0x0100| 00 00 00 00 | .... | pointer_to_symbol_table: 0x0 0x104-0x108 (4)
0x0100| 00 00 00 00 | .... | number_of_symbols: 0 0x108-0x10c (4)
0x0100| e0 00 | .. | size_of_optional_header: 224 0x10c-0x10e (2)
| | | characteristics{}: 0x10e-0x110 (2)
0x0100| 22 | " | bytes_reversed_lo: false 0x10e-0x10e.1 (0.1)
0x0100| 22 | " | reserved: false 0x10e.1-0x10e.2 (0.1)
0x0100| 22 | " | large_address_aware: true 0x10e.2-0x10e.3 (0.1)
0x0100| 22 | " | aggressive_ws_trim: false 0x10e.3-0x10e.4 (0.1)
0x0100| 22 | " | local_syms_stripped: false 0x10e.4-0x10e.5 (0.1)
0x0100| 22 | " | line_nums_stripped: false 0x10e.5-0x10e.6 (0.1)
0x0100| 22 | " | executable_image: true 0x10e.6-0x10e.7 (0.1)
0x0100| 22 | " | relocs_stripped: false 0x10e.7-0x10f (0.1)
0x0100| 01| .| bytes_reversed_hi: false 0x10f-0x10f.1 (0.1)
0x0100| 01| .| up_system_only: false 0x10f.1-0x10f.2 (0.1)
0x0100| 01| .| dll: false 0x10f.2-0x10f.3 (0.1)
0x0100| 01| .| system: false 0x10f.3-0x10f.4 (0.1)
0x0100| 01| .| net_run_from_swap: false 0x10f.4-0x10f.5 (0.1)
0x0100| 01| .| removable_run_from_swap: false 0x10f.5-0x10f.6 (0.1)
0x0100| 01| .| debug_stripped: false 0x10f.6-0x10f.7 (0.1)
0x0100| 01| .| 32bit_machine: true 0x10f.7-0x110 (0.1)
| | | optional_header{}: 0x110-0x1f0 (224)
0x0110|0b 01 |.. | format: "pe32" (0x10b) 0x110-0x112 (2)
0x0110| 0b | . | major_linker_version: 11 0x112-0x113 (1)
0x0110| 00 | . | minor_linker_version: 0 0x113-0x114 (1)
0x0110| 00 08 00 00 | .... | size_of_code: 2048 0x114-0x118 (4)
0x0110| 00 10 00 00 | .... | size_of_initialized_data: 4096 0x118-0x11c (4)
0x0110| 00 00 00 00| ....| size_of_uninitialized_data: 0 0x11c-0x120 (4)
0x0120|e5 12 00 00 |.... | address_of_entry_point: 0x12e5 0x120-0x124 (4)
0x0120| 00 10 00 00 | .... | base_of_code: 0x1000 0x124-0x128 (4)
0x0120| 00 20 00 00 | . .. | base_of_data: 0x2000 0x128-0x12c (4)
0x0120| 00 00 40 00| ..@.| image_base: 0x400000 0x12c-0x130 (4)
0x0130|00 10 00 00 |.... | section_alignment: 4096 0x130-0x134 (4)
0x0130| 00 02 00 00 | .... | file_alignment: 512 0x134-0x138 (4)
0x0130| 06 00 | .. | major_os_version: 6 0x138-0x13a (2)
0x0130| 02 00 | .. | minor_os_version: 2 0x13a-0x13c (2)
0x0130| 00 00 | .. | major_image_version: 0 0x13c-0x13e (2)
0x0130| 00 00| ..| minor_image_version: 0 0x13e-0x140 (2)
0x0140|06 00 |.. | major_subsystem_version: 6 0x140-0x142 (2)
0x0140| 02 00 | .. | minor_subsystem_version: 2 0x142-0x144 (2)
0x0140| 00 00 00 00 | .... | win32_version: 0 0x144-0x148 (4)
0x0140| 00 70 00 00 | .p.. | size_of_image: 28672 0x148-0x14c (4)
0x0140| 00 04 00 00| ....| size_of_headers: 1024 0x14c-0x150 (4)
0x0150|00 00 00 00 |.... | chunk_sum: 0x0 0x150-0x154 (4)
0x0150| 03 00 | .. | subsystem: "windows_cui" (3) 0x154-0x156 (2)
| | | dll_characteristics{}: 0x156-0x158 (2)
0x0150| 40 | @ | force_integrity: false 0x156-0x156.1 (0.1)
0x0150| 40 | @ | dynamic_base: true 0x156.1-0x156.2 (0.1)
0x0150| 40 | @ | high_entropy_va: false 0x156.2-0x156.3 (0.1)
0x0150| 40 | @ | reserved0: false 0x156.3-0x156.4 (0.1)
0x0150| 40 | @ | reserved1: false 0x156.4-0x156.5 (0.1)
0x0150| 40 | @ | reserved2: false 0x156.5-0x156.6 (0.1)
0x0150| 40 | @ | reserved3: false 0x156.6-0x156.7 (0.1)
0x0150| 40 | @ | reserved4: false 0x156.7-0x157 (0.1)
0x0150| 81 | . | terminal_server_aware: true 0x157-0x157.1 (0.1)
0x0150| 81 | . | guard_cf: false 0x157.1-0x157.2 (0.1)
0x0150| 81 | . | wdm_driver: false 0x157.2-0x157.3 (0.1)
0x0150| 81 | . | appcontainer: false 0x157.3-0x157.4 (0.1)
0x0150| 81 | . | no_bind: false 0x157.4-0x157.5 (0.1)
0x0150| 81 | . | no_seh: false 0x157.5-0x157.6 (0.1)
0x0150| 81 | . | no_isolation: false 0x157.6-0x157.7 (0.1)
0x0150| 81 | . | nx_compat: true 0x157.7-0x158 (0.1)
0x0150| 00 00 10 00 | .... | size_of_track_reserve: 1048576 0x158-0x15c (4)
0x0150| 00 10 00 00| ....| size_of_stack_commit: 4096 0x15c-0x160 (4)
0x0160|00 00 10 00 |.... | size_of_heap_reserve: 1048576 0x160-0x164 (4)
0x0160| 00 10 00 00 | .... | size_of_heap_commit: 4096 0x164-0x168 (4)
0x0160| 00 00 00 00 | .... | loader_flags: 0 0x168-0x16c (4)
0x0160| 10 00 00 00| ....| number_of_rva_and_sizes: 16 0x16c-0x170 (4)
0x0170|00 00 00 00 |.... | export_table_address: 0x0 0x170-0x174 (4)
0x0170| 00 00 00 00 | .... | export_table_size: 0 0x174-0x178 (4)
0x0170| f4 21 00 00 | .!.. | import_table_address: 0x21f4 0x178-0x17c (4)
0x0170| 3c 00 00 00| <...| import_table_size: 60 0x17c-0x180 (4)
0x0180|00 50 00 00 |.P.. | resource_table_address: 0x5000 0x180-0x184 (4)
0x0180| e0 01 00 00 | .... | resource_table_size: 480 0x184-0x188 (4)
0x0180| 00 40 00 00 | .@.. | exception_table_address: 0x4000 0x188-0x18c (4)
0x0180| 90 00 00 00| ....| exception_table_size: 144 0x18c-0x190 (4)
0x0190|00 00 00 00 |.... | certificate_table_address: 0x0 0x190-0x194 (4)
0x0190| 00 00 00 00 | .... | certificate_table_size: 0 0x194-0x198 (4)
0x0190| 00 60 00 00 | .`.. | base_relocation_table_address: 0x6000 0x198-0x19c (4)
0x0190| a8 00 00 00| ....| base_relocation_table_size: 168 0x19c-0x1a0 (4)
0x01a0|a0 20 00 00 |. .. | debug_address: 0x20a0 0x1a0-0x1a4 (4)
0x01a0| 38 00 00 00 | 8... | debug_size: 56 0x1a4-0x1a8 (4)
0x01a0| 00 00 00 00 00 00 00 00| ........| architecture: 0 0x1a8-0x1b0 (8)
0x01b0|00 00 00 00 00 00 00 00 |........ | global_ptr: 0x0 0x1b0-0x1b8 (8)
0x01b0| 00 00 00 00 | .... | tls_table_address: 0x0 0x1b8-0x1bc (4)
0x01b0| 00 00 00 00| ....| tls_table_size: 0 0x1bc-0x1c0 (4)
0x01c0|00 00 00 00 |.... | load_config_table_address: 0x0 0x1c0-0x1c4 (4)
0x01c0| 00 00 00 00 | .... | load_config_table_size: 0 0x1c4-0x1c8 (4)
0x01c0| 00 00 00 00 | .... | bound_import_address: 0x0 0x1c8-0x1cc (4)
0x01c0| 00 00 00 00| ....| bound_import_size: 0 0x1cc-0x1d0 (4)
0x01d0|00 20 00 00 |. .. | iat_address: 0x2000 0x1d0-0x1d4 (4)
0x01d0| 80 00 00 00 | .... | iat_size: 128 0x1d4-0x1d8 (4)
0x01d0| 00 00 00 00 | .... | delay_import_descriptor_address: 0x0 0x1d8-0x1dc (4)
0x01d0| 00 00 00 00| ....| delay_import_descriptor_size: 0 0x1dc-0x1e0 (4)
0x01e0|00 00 00 00 |.... | clr_runtime_header_address: 0x0 0x1e0-0x1e4 (4)
0x01e0| 00 00 00 00 | .... | clr_runtime_header_size: 0 0x1e4-0x1e8 (4)
0x01e0| 00 00 00 00 00 00 00 00| ........| reserved: 0 0x1e8-0x1f0 (8)
| | | unknown: raw bits 0x1f0-0x1f0 (0)
| | | sections[0:6]: 0x1f0-0x2e0 (240)
| | | [0]{}: section 0x1f0-0x218 (40)
0x01f0|2e 74 65 78 74 00 00 00 |.text... | name: ".text" 0x1f0-0x1f8 (8)
0x01f0| 94 06 00 00 | .... | virtual_size: 1684 0x1f8-0x1fc (4)
0x01f0| 00 10 00 00| ....| virtual_address: 0x1000 0x1fc-0x200 (4)
0x0200|00 08 00 00 |.... | size_of_raw_data: 2048 0x200-0x204 (4)
0x0200| 00 04 00 00 | .... | pointer_to_raw_data: 0x400 0x204-0x208 (4)
0x0200| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x208-0x20c (4)
0x0200| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x20c-0x210 (4)
0x0210|00 00 |.. | number_of_relocations: 0 0x210-0x212 (2)
0x0210| 00 00 | .. | number_of_line_numbers: 0 0x212-0x214 (2)
| | | characteristics{}: 0x214-0x218 (4)
0x0210| 20 | | cnt_uninitialized_data: false 0x214-0x214.1 (0.1)
0x0210| 20 | | cnt_initialized_data: false 0x214.1-0x214.2 (0.1)
0x0210| 20 | | cnt_code: true 0x214.2-0x214.3 (0.1)
0x0210| 20 | | reserved: false 0x214.3-0x214.4 (0.1)
0x0210| 20 | | type_no_pad: false 0x214.4-0x214.5 (0.1)
0x0210| 20 | | reserved0: false 0x214.5-0x214.6 (0.1)
0x0210| 20 | | reserved1: false 0x214.6-0x214.7 (0.1)
0x0210| 20 | | reserved2: false 0x214.7-0x215 (0.1)
0x0210| 00 | . | gprel: false 0x215-0x215.1 (0.1)
0x0210| 00 | . | unknown0: false 0x215.1-0x215.2 (0.1)
0x0210| 00 | . | unknown1: false 0x215.2-0x215.3 (0.1)
0x0210| 00 | . | lnk_comdat: false 0x215.3-0x215.4 (0.1)
0x0210| 00 | . | lnk_remove: false 0x215.4-0x215.5 (0.1)
0x0210| 00 | . | reserved3: false 0x215.5-0x215.6 (0.1)
0x0210| 00 | . | lnk_info: false 0x215.6-0x215.7 (0.1)
0x0210| 00 | . | lnk_other: false 0x215.7-0x216 (0.1)
0x0210| 00 | . | align_128bytes: false 0x216-0x216.1 (0.1)
0x0210| 00 | . | align_8bytes: false 0x216.1-0x216.2 (0.1)
0x0210| 00 | . | align_2bytes: false 0x216.2-0x216.3 (0.1)
0x0210| 00 | . | align_1bytes: false 0x216.3-0x216.4 (0.1)
0x0210| 00 | . | mem_preload: false 0x216.4-0x216.5 (0.1)
0x0210| 00 | . | mem_locked: false 0x216.5-0x216.6 (0.1)
0x0210| 00 | . | mem_16bit: false 0x216.6-0x216.7 (0.1)
0x0210| 00 | . | mem_purgeable: false 0x216.7-0x217 (0.1)
0x0210| 60 | ` | mem_write: false 0x217-0x217.1 (0.1)
0x0210| 60 | ` | mem_read: true 0x217.1-0x217.2 (0.1)
0x0210| 60 | ` | mem_execute: true 0x217.2-0x217.3 (0.1)
0x0210| 60 | ` | mem_shared: false 0x217.3-0x217.4 (0.1)
0x0210| 60 | ` | mem_not_paged: false 0x217.4-0x217.5 (0.1)
0x0210| 60 | ` | mem_not_cached: false 0x217.5-0x217.6 (0.1)
0x0210| 60 | ` | mem_discardable: false 0x217.6-0x217.7 (0.1)
0x0210| 60 | ` | lnk_nreloc_ovfl: false 0x217.7-0x218 (0.1)
| | | [1]{}: section 0x218-0x240 (40)
0x0210| 2e 72 64 61 74 61 00 00| .rdata..| name: ".rdata" 0x218-0x220 (8)
0x0220|ae 04 00 00 |.... | virtual_size: 1198 0x220-0x224 (4)
0x0220| 00 20 00 00 | . .. | virtual_address: 0x2000 0x224-0x228 (4)
0x0220| 00 06 00 00 | .... | size_of_raw_data: 1536 0x228-0x22c (4)
0x0220| 00 0c 00 00| ....| pointer_to_raw_data: 0xc00 0x22c-0x230 (4)
0x0230|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x230-0x234 (4)
0x0230| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x234-0x238 (4)
0x0230| 00 00 | .. | number_of_relocations: 0 0x238-0x23a (2)
0x0230| 00 00 | .. | number_of_line_numbers: 0 0x23a-0x23c (2)
| | | characteristics{}: 0x23c-0x240 (4)
0x0230| 40 | @ | cnt_uninitialized_data: false 0x23c-0x23c.1 (0.1)
0x0230| 40 | @ | cnt_initialized_data: true 0x23c.1-0x23c.2 (0.1)
0x0230| 40 | @ | cnt_code: false 0x23c.2-0x23c.3 (0.1)
0x0230| 40 | @ | reserved: false 0x23c.3-0x23c.4 (0.1)
0x0230| 40 | @ | type_no_pad: false 0x23c.4-0x23c.5 (0.1)
0x0230| 40 | @ | reserved0: false 0x23c.5-0x23c.6 (0.1)
0x0230| 40 | @ | reserved1: false 0x23c.6-0x23c.7 (0.1)
0x0230| 40 | @ | reserved2: false 0x23c.7-0x23d (0.1)
0x0230| 00 | . | gprel: false 0x23d-0x23d.1 (0.1)
0x0230| 00 | . | unknown0: false 0x23d.1-0x23d.2 (0.1)
0x0230| 00 | . | unknown1: false 0x23d.2-0x23d.3 (0.1)
0x0230| 00 | . | lnk_comdat: false 0x23d.3-0x23d.4 (0.1)
0x0230| 00 | . | lnk_remove: false 0x23d.4-0x23d.5 (0.1)
0x0230| 00 | . | reserved3: false 0x23d.5-0x23d.6 (0.1)
0x0230| 00 | . | lnk_info: false 0x23d.6-0x23d.7 (0.1)
0x0230| 00 | . | lnk_other: false 0x23d.7-0x23e (0.1)
0x0230| 00 | . | align_128bytes: false 0x23e-0x23e.1 (0.1)
0x0230| 00 | . | align_8bytes: false 0x23e.1-0x23e.2 (0.1)
0x0230| 00 | . | align_2bytes: false 0x23e.2-0x23e.3 (0.1)
0x0230| 00 | . | align_1bytes: false 0x23e.3-0x23e.4 (0.1)
0x0230| 00 | . | mem_preload: false 0x23e.4-0x23e.5 (0.1)
0x0230| 00 | . | mem_locked: false 0x23e.5-0x23e.6 (0.1)
0x0230| 00 | . | mem_16bit: false 0x23e.6-0x23e.7 (0.1)
0x0230| 00 | . | mem_purgeable: false 0x23e.7-0x23f (0.1)
0x0230| 40| @| mem_write: false 0x23f-0x23f.1 (0.1)
0x0230| 40| @| mem_read: true 0x23f.1-0x23f.2 (0.1)
0x0230| 40| @| mem_execute: false 0x23f.2-0x23f.3 (0.1)
0x0230| 40| @| mem_shared: false 0x23f.3-0x23f.4 (0.1)
0x0230| 40| @| mem_not_paged: false 0x23f.4-0x23f.5 (0.1)
0x0230| 40| @| mem_not_cached: false 0x23f.5-0x23f.6 (0.1)
0x0230| 40| @| mem_discardable: false 0x23f.6-0x23f.7 (0.1)
0x0230| 40| @| lnk_nreloc_ovfl: false 0x23f.7-0x240 (0.1)
| | | [2]{}: section 0x240-0x268 (40)
0x0240|2e 64 61 74 61 00 00 00 |.data... | name: ".data" 0x240-0x248 (8)
0x0240| 4c 02 00 00 | L... | virtual_size: 588 0x248-0x24c (4)
0x0240| 00 30 00 00| .0..| virtual_address: 0x3000 0x24c-0x250 (4)
0x0250|00 02 00 00 |.... | size_of_raw_data: 512 0x250-0x254 (4)
0x0250| 00 12 00 00 | .... | pointer_to_raw_data: 0x1200 0x254-0x258 (4)
0x0250| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x258-0x25c (4)
0x0250| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x25c-0x260 (4)
0x0260|00 00 |.. | number_of_relocations: 0 0x260-0x262 (2)
0x0260| 00 00 | .. | number_of_line_numbers: 0 0x262-0x264 (2)
| | | characteristics{}: 0x264-0x268 (4)
0x0260| 40 | @ | cnt_uninitialized_data: false 0x264-0x264.1 (0.1)
0x0260| 40 | @ | cnt_initialized_data: true 0x264.1-0x264.2 (0.1)
0x0260| 40 | @ | cnt_code: false 0x264.2-0x264.3 (0.1)
0x0260| 40 | @ | reserved: false 0x264.3-0x264.4 (0.1)
0x0260| 40 | @ | type_no_pad: false 0x264.4-0x264.5 (0.1)
0x0260| 40 | @ | reserved0: false 0x264.5-0x264.6 (0.1)
0x0260| 40 | @ | reserved1: false 0x264.6-0x264.7 (0.1)
0x0260| 40 | @ | reserved2: false 0x264.7-0x265 (0.1)
0x0260| 00 | . | gprel: false 0x265-0x265.1 (0.1)
0x0260| 00 | . | unknown0: false 0x265.1-0x265.2 (0.1)
0x0260| 00 | . | unknown1: false 0x265.2-0x265.3 (0.1)
0x0260| 00 | . | lnk_comdat: false 0x265.3-0x265.4 (0.1)
0x0260| 00 | . | lnk_remove: false 0x265.4-0x265.5 (0.1)
0x0260| 00 | . | reserved3: false 0x265.5-0x265.6 (0.1)
0x0260| 00 | . | lnk_info: false 0x265.6-0x265.7 (0.1)
0x0260| 00 | . | lnk_other: false 0x265.7-0x266 (0.1)
0x0260| 00 | . | align_128bytes: false 0x266-0x266.1 (0.1)
0x0260| 00 | . | align_8bytes: false 0x266.1-0x266.2 (0.1)
0x0260| 00 | . | align_2bytes: false 0x266.2-0x266.3 (0.1)
0x0260| 00 | . | align_1bytes: false 0x266.3-0x266.4 (0.1)
0x0260| 00 | . | mem_preload: false 0x266.4-0x266.5 (0.1)
0x0260| 00 | . | mem_locked: false 0x266.5-0x266.6 (0.1)
0x0260| 00 | . | mem_16bit: false 0x266.6-0x266.7 (0.1)
0x0260| 00 | . | mem_purgeable: false 0x266.7-0x267 (0.1)
0x0260| c0 | . | mem_write: true 0x267-0x267.1 (0.1)
0x0260| c0 | . | mem_read: true 0x267.1-0x267.2 (0.1)
0x0260| c0 | . | mem_execute: false 0x267.2-0x267.3 (0.1)
0x0260| c0 | . | mem_shared: false 0x267.3-0x267.4 (0.1)
0x0260| c0 | . | mem_not_paged: false 0x267.4-0x267.5 (0.1)
0x0260| c0 | . | mem_not_cached: false 0x267.5-0x267.6 (0.1)
0x0260| c0 | . | mem_discardable: false 0x267.6-0x267.7 (0.1)
0x0260| c0 | . | lnk_nreloc_ovfl: false 0x267.7-0x268 (0.1)
| | | [3]{}: section 0x268-0x290 (40)
0x0260| 2e 70 64 61 74 61 00 00| .pdata..| name: ".pdata" 0x268-0x270 (8)
0x0270|90 00 00 00 |.... | virtual_size: 144 0x270-0x274 (4)
0x0270| 00 40 00 00 | .@.. | virtual_address: 0x4000 0x274-0x278 (4)
0x0270| 00 02 00 00 | .... | size_of_raw_data: 512 0x278-0x27c (4)
0x0270| 00 14 00 00| ....| pointer_to_raw_data: 0x1400 0x27c-0x280 (4)
0x0280|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x280-0x284 (4)
0x0280| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x284-0x288 (4)
0x0280| 00 00 | .. | number_of_relocations: 0 0x288-0x28a (2)
0x0280| 00 00 | .. | number_of_line_numbers: 0 0x28a-0x28c (2)
| | | characteristics{}: 0x28c-0x290 (4)
0x0280| 40 | @ | cnt_uninitialized_data: false 0x28c-0x28c.1 (0.1)
0x0280| 40 | @ | cnt_initialized_data: true 0x28c.1-0x28c.2 (0.1)
0x0280| 40 | @ | cnt_code: false 0x28c.2-0x28c.3 (0.1)
0x0280| 40 | @ | reserved: false 0x28c.3-0x28c.4 (0.1)
0x0280| 40 | @ | type_no_pad: false 0x28c.4-0x28c.5 (0.1)
0x0280| 40 | @ | reserved0: false 0x28c.5-0x28c.6 (0.1)
0x0280| 40 | @ | reserved1: false 0x28c.6-0x28c.7 (0.1)
0x0280| 40 | @ | reserved2: false 0x28c.7-0x28d (0.1)
0x0280| 00 | . | gprel: false 0x28d-0x28d.1 (0.1)
0x0280| 00 | . | unknown0: false 0x28d.1-0x28d.2 (0.1)
0x0280| 00 | . | unknown1: false 0x28d.2-0x28d.3 (0.1)
0x0280| 00 | . | lnk_comdat: false 0x28d.3-0x28d.4 (0.1)
0x0280| 00 | . | lnk_remove: false 0x28d.4-0x28d.5 (0.1)
0x0280| 00 | . | reserved3: false 0x28d.5-0x28d.6 (0.1)
0x0280| 00 | . | lnk_info: false 0x28d.6-0x28d.7 (0.1)
0x0280| 00 | . | lnk_other: false 0x28d.7-0x28e (0.1)
0x0280| 00 | . | align_128bytes: false 0x28e-0x28e.1 (0.1)
0x0280| 00 | . | align_8bytes: false 0x28e.1-0x28e.2 (0.1)
0x0280| 00 | . | align_2bytes: false 0x28e.2-0x28e.3 (0.1)
0x0280| 00 | . | align_1bytes: false 0x28e.3-0x28e.4 (0.1)
0x0280| 00 | . | mem_preload: false 0x28e.4-0x28e.5 (0.1)
0x0280| 00 | . | mem_locked: false 0x28e.5-0x28e.6 (0.1)
0x0280| 00 | . | mem_16bit: false 0x28e.6-0x28e.7 (0.1)
0x0280| 00 | . | mem_purgeable: false 0x28e.7-0x28f (0.1)
0x0280| 40| @| mem_write: false 0x28f-0x28f.1 (0.1)
0x0280| 40| @| mem_read: true 0x28f.1-0x28f.2 (0.1)
0x0280| 40| @| mem_execute: false 0x28f.2-0x28f.3 (0.1)
0x0280| 40| @| mem_shared: false 0x28f.3-0x28f.4 (0.1)
0x0280| 40| @| mem_not_paged: false 0x28f.4-0x28f.5 (0.1)
0x0280| 40| @| mem_not_cached: false 0x28f.5-0x28f.6 (0.1)
0x0280| 40| @| mem_discardable: false 0x28f.6-0x28f.7 (0.1)
0x0280| 40| @| lnk_nreloc_ovfl: false 0x28f.7-0x290 (0.1)
| | | [4]{}: section 0x290-0x2b8 (40)
0x0290|2e 72 73 72 63 00 00 00 |.rsrc... | name: ".rsrc" 0x290-0x298 (8)
0x0290| e0 01 00 00 | .... | virtual_size: 480 0x298-0x29c (4)
0x0290| 00 50 00 00| .P..| virtual_address: 0x5000 0x29c-0x2a0 (4)
0x02a0|00 02 00 00 |.... | size_of_raw_data: 512 0x2a0-0x2a4 (4)
0x02a0| 00 16 00 00 | .... | pointer_to_raw_data: 0x1600 0x2a4-0x2a8 (4)
0x02a0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2a8-0x2ac (4)
0x02a0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2ac-0x2b0 (4)
0x02b0|00 00 |.. | number_of_relocations: 0 0x2b0-0x2b2 (2)
0x02b0| 00 00 | .. | number_of_line_numbers: 0 0x2b2-0x2b4 (2)
| | | characteristics{}: 0x2b4-0x2b8 (4)
0x02b0| 40 | @ | cnt_uninitialized_data: false 0x2b4-0x2b4.1 (0.1)
0x02b0| 40 | @ | cnt_initialized_data: true 0x2b4.1-0x2b4.2 (0.1)
0x02b0| 40 | @ | cnt_code: false 0x2b4.2-0x2b4.3 (0.1)
0x02b0| 40 | @ | reserved: false 0x2b4.3-0x2b4.4 (0.1)
0x02b0| 40 | @ | type_no_pad: false 0x2b4.4-0x2b4.5 (0.1)
0x02b0| 40 | @ | reserved0: false 0x2b4.5-0x2b4.6 (0.1)
0x02b0| 40 | @ | reserved1: false 0x2b4.6-0x2b4.7 (0.1)
0x02b0| 40 | @ | reserved2: false 0x2b4.7-0x2b5 (0.1)
0x02b0| 00 | . | gprel: false 0x2b5-0x2b5.1 (0.1)
0x02b0| 00 | . | unknown0: false 0x2b5.1-0x2b5.2 (0.1)
0x02b0| 00 | . | unknown1: false 0x2b5.2-0x2b5.3 (0.1)
0x02b0| 00 | . | lnk_comdat: false 0x2b5.3-0x2b5.4 (0.1)
0x02b0| 00 | . | lnk_remove: false 0x2b5.4-0x2b5.5 (0.1)
0x02b0| 00 | . | reserved3: false 0x2b5.5-0x2b5.6 (0.1)
0x02b0| 00 | . | lnk_info: false 0x2b5.6-0x2b5.7 (0.1)
0x02b0| 00 | . | lnk_other: false 0x2b5.7-0x2b6 (0.1)
0x02b0| 00 | . | align_128bytes: false 0x2b6-0x2b6.1 (0.1)
0x02b0| 00 | . | align_8bytes: false 0x2b6.1-0x2b6.2 (0.1)
0x02b0| 00 | . | align_2bytes: false 0x2b6.2-0x2b6.3 (0.1)
0x02b0| 00 | . | align_1bytes: false 0x2b6.3-0x2b6.4 (0.1)
0x02b0| 00 | . | mem_preload: false 0x2b6.4-0x2b6.5 (0.1)
0x02b0| 00 | . | mem_locked: false 0x2b6.5-0x2b6.6 (0.1)
0x02b0| 00 | . | mem_16bit: false 0x2b6.6-0x2b6.7 (0.1)
0x02b0| 00 | . | mem_purgeable: false 0x2b6.7-0x2b7 (0.1)
0x02b0| 40 | @ | mem_write: false 0x2b7-0x2b7.1 (0.1)
0x02b0| 40 | @ | mem_read: true 0x2b7.1-0x2b7.2 (0.1)
0x02b0| 40 | @ | mem_execute: false 0x2b7.2-0x2b7.3 (0.1)
0x02b0| 40 | @ | mem_shared: false 0x2b7.3-0x2b7.4 (0.1)
0x02b0| 40 | @ | mem_not_paged: false 0x2b7.4-0x2b7.5 (0.1)
0x02b0| 40 | @ | mem_not_cached: false 0x2b7.5-0x2b7.6 (0.1)
0x02b0| 40 | @ | mem_discardable: false 0x2b7.6-0x2b7.7 (0.1)
0x02b0| 40 | @ | lnk_nreloc_ovfl: false 0x2b7.7-0x2b8 (0.1)
| | | [5]{}: section 0x2b8-0x2e0 (40)
0x02b0| 2e 72 65 6c 6f 63 00 00| .reloc..| name: ".reloc" 0x2b8-0x2c0 (8)
0x02c0|9e 01 00 00 |.... | virtual_size: 414 0x2c0-0x2c4 (4)
0x02c0| 00 60 00 00 | .`.. | virtual_address: 0x6000 0x2c4-0x2c8 (4)
0x02c0| 00 02 00 00 | .... | size_of_raw_data: 512 0x2c8-0x2cc (4)
0x02c0| 00 18 00 00| ....| pointer_to_raw_data: 0x1800 0x2cc-0x2d0 (4)
0x02d0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x2d0-0x2d4 (4)
0x02d0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x2d4-0x2d8 (4)
0x02d0| 00 00 | .. | number_of_relocations: 0 0x2d8-0x2da (2)
0x02d0| 00 00 | .. | number_of_line_numbers: 0 0x2da-0x2dc (2)
| | | characteristics{}: 0x2dc-0x2e0 (4)
0x02d0| 40 | @ | cnt_uninitialized_data: false 0x2dc-0x2dc.1 (0.1)
0x02d0| 40 | @ | cnt_initialized_data: true 0x2dc.1-0x2dc.2 (0.1)
0x02d0| 40 | @ | cnt_code: false 0x2dc.2-0x2dc.3 (0.1)
0x02d0| 40 | @ | reserved: false 0x2dc.3-0x2dc.4 (0.1)
0x02d0| 40 | @ | type_no_pad: false 0x2dc.4-0x2dc.5 (0.1)
0x02d0| 40 | @ | reserved0: false 0x2dc.5-0x2dc.6 (0.1)
0x02d0| 40 | @ | reserved1: false 0x2dc.6-0x2dc.7 (0.1)
0x02d0| 40 | @ | reserved2: false 0x2dc.7-0x2dd (0.1)
0x02d0| 00 | . | gprel: false 0x2dd-0x2dd.1 (0.1)
0x02d0| 00 | . | unknown0: false 0x2dd.1-0x2dd.2 (0.1)
0x02d0| 00 | . | unknown1: false 0x2dd.2-0x2dd.3 (0.1)
0x02d0| 00 | . | lnk_comdat: false 0x2dd.3-0x2dd.4 (0.1)
0x02d0| 00 | . | lnk_remove: false 0x2dd.4-0x2dd.5 (0.1)
0x02d0| 00 | . | reserved3: false 0x2dd.5-0x2dd.6 (0.1)
0x02d0| 00 | . | lnk_info: false 0x2dd.6-0x2dd.7 (0.1)
0x02d0| 00 | . | lnk_other: false 0x2dd.7-0x2de (0.1)
0x02d0| 00 | . | align_128bytes: false 0x2de-0x2de.1 (0.1)
0x02d0| 00 | . | align_8bytes: false 0x2de.1-0x2de.2 (0.1)
0x02d0| 00 | . | align_2bytes: false 0x2de.2-0x2de.3 (0.1)
0x02d0| 00 | . | align_1bytes: false 0x2de.3-0x2de.4 (0.1)
0x02d0| 00 | . | mem_preload: false 0x2de.4-0x2de.5 (0.1)
0x02d0| 00 | . | mem_locked: false 0x2de.5-0x2de.6 (0.1)
0x02d0| 00 | . | mem_16bit: false 0x2de.6-0x2de.7 (0.1)
0x02d0| 00 | . | mem_purgeable: false 0x2de.7-0x2df (0.1)
0x02d0| 42| B| mem_write: false 0x2df-0x2df.1 (0.1)
0x02d0| 42| B| mem_read: true 0x2df.1-0x2df.2 (0.1)
0x02d0| 42| B| mem_execute: false 0x2df.2-0x2df.3 (0.1)
0x02d0| 42| B| mem_shared: false 0x2df.3-0x2df.4 (0.1)
0x02d0| 42| B| mem_not_paged: false 0x2df.4-0x2df.5 (0.1)
0x02d0| 42| B| mem_not_cached: false 0x2df.5-0x2df.6 (0.1)
0x02d0| 42| B| mem_discardable: true 0x2df.6-0x2df.7 (0.1)
0x02d0| 42| B| lnk_nreloc_ovfl: false 0x2df.7-0x2e0 (0.1)
0x02e0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| gap0: raw bits 0x2e0-0x1a00 (5920)
* |until 0x19ff.7 (end) (5920) | |

BIN
format/pe/testdata/pe-Windows-x64-cmd vendored Executable file
View File

Binary file not shown.

391
format/pe/testdata/pe-Windows-x64-cmd.fqtest vendored Normal file
View File

@ -0,0 +1,391 @@
$ fq dv pe-Windows-x64-cmd
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-Windows-x64-cmd (pe) 0x0-0x54400 (345088)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0xf0 (240)
0x00000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x2 (2)
0x00000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x4 (2)
0x00000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x6 (2)
0x00000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x8 (2)
0x00000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0xa (2)
0x00000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xc (2)
0x00000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xe (2)
0x00000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0x10 (2)
0x00010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x12 (2)
0x00010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x14 (2)
0x00010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x16 (2)
0x00010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x18 (2)
0x00010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x1a (2)
0x00010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1c (2)
0x00010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x24 (8)
0x00020|00 00 00 00 |.... |
0x00020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x26 (2)
0x00020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x28 (2)
0x00020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3c (20)
0x00030|00 00 00 00 00 00 00 00 00 00 00 00 |............ |
0x00030| f0 00 00 00| ....| e_lfanew: 240 (File address of new exe header) 0x3c-0x40 (4)
0x00040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x80 (64)
* |until 0x7f.7 (64) | |
0x00080|4d 7c a4 8a 09 1d ca d9 09 1d ca d9 09 1d ca d9|M|..............| padding: raw bits 0x80-0xf0 (112)
* |until 0xef.7 (112) | |
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0xf0-0x2e8 (504)
0x000f0|50 45 00 00 |PE.. | signature: raw bits (valid) 0xf0-0xf4 (4)
0x000f0| 64 86 | d. | machine: "amd64" (0x8664) 0xf4-0xf6 (2)
0x000f0| 06 00 | .. | number_of_sections: 6 0xf6-0xf8 (2)
0x000f0| e5 98 e7 4c | ...L | time_date_stamp: 1290246373 (2010-11-20T09:46:13Z) 0xf8-0xfc (4)
0x000f0| 00 00 00 00| ....| pointer_to_symbol_table: 0x0 0xfc-0x100 (4)
0x00100|00 00 00 00 |.... | number_of_symbols: 0 0x100-0x104 (4)
0x00100| f0 00 | .. | size_of_optional_header: 240 0x104-0x106 (2)
| | | characteristics{}: 0x106-0x108 (2)
0x00100| 22 | " | bytes_reversed_lo: false 0x106-0x106.1 (0.1)
0x00100| 22 | " | reserved: false 0x106.1-0x106.2 (0.1)
0x00100| 22 | " | large_address_aware: true 0x106.2-0x106.3 (0.1)
0x00100| 22 | " | aggressive_ws_trim: false 0x106.3-0x106.4 (0.1)
0x00100| 22 | " | local_syms_stripped: false 0x106.4-0x106.5 (0.1)
0x00100| 22 | " | line_nums_stripped: false 0x106.5-0x106.6 (0.1)
0x00100| 22 | " | executable_image: true 0x106.6-0x106.7 (0.1)
0x00100| 22 | " | relocs_stripped: false 0x106.7-0x107 (0.1)
0x00100| 00 | . | bytes_reversed_hi: false 0x107-0x107.1 (0.1)
0x00100| 00 | . | up_system_only: false 0x107.1-0x107.2 (0.1)
0x00100| 00 | . | dll: false 0x107.2-0x107.3 (0.1)
0x00100| 00 | . | system: false 0x107.3-0x107.4 (0.1)
0x00100| 00 | . | net_run_from_swap: false 0x107.4-0x107.5 (0.1)
0x00100| 00 | . | removable_run_from_swap: false 0x107.5-0x107.6 (0.1)
0x00100| 00 | . | debug_stripped: false 0x107.6-0x107.7 (0.1)
0x00100| 00 | . | 32bit_machine: false 0x107.7-0x108 (0.1)
| | | optional_header{}: 0x108-0x1f8 (240)
0x00100| 0b 02 | .. | format: "pe32+" (0x20b) 0x108-0x10a (2)
0x00100| 09 | . | major_linker_version: 9 0x10a-0x10b (1)
0x00100| 00 | . | minor_linker_version: 0 0x10b-0x10c (1)
0x00100| 00 72 02 00| .r..| size_of_code: 160256 0x10c-0x110 (4)
0x00110|00 ce 02 00 |.... | size_of_initialized_data: 183808 0x110-0x114 (4)
0x00110| 00 00 00 00 | .... | size_of_uninitialized_data: 0 0x114-0x118 (4)
0x00110| b4 90 00 00 | .... | address_of_entry_point: 0x90b4 0x118-0x11c (4)
0x00110| 00 10 00 00| ....| base_of_code: 0x1000 0x11c-0x120 (4)
0x00120|00 00 d0 4a 00 00 00 00 |...J.... | image_base: 0x4ad00000 0x120-0x128 (8)
0x00120| 00 10 00 00 | .... | section_alignment: 4096 0x128-0x12c (4)
0x00120| 00 02 00 00| ....| file_alignment: 512 0x12c-0x130 (4)
0x00130|06 00 |.. | major_os_version: 6 0x130-0x132 (2)
0x00130| 01 00 | .. | minor_os_version: 1 0x132-0x134 (2)
0x00130| 06 00 | .. | major_image_version: 6 0x134-0x136 (2)
0x00130| 01 00 | .. | minor_image_version: 1 0x136-0x138 (2)
0x00130| 06 00 | .. | major_subsystem_version: 6 0x138-0x13a (2)
0x00130| 01 00 | .. | minor_subsystem_version: 1 0x13a-0x13c (2)
0x00130| 00 00 00 00| ....| win32_version: 0 0x13c-0x140 (4)
0x00140|00 90 05 00 |.... | size_of_image: 364544 0x140-0x144 (4)
0x00140| 00 04 00 00 | .... | size_of_headers: 1024 0x144-0x148 (4)
0x00140| ec bd 05 00 | .... | chunk_sum: 0x5bdec 0x148-0x14c (4)
0x00140| 03 00 | .. | subsystem: "windows_cui" (3) 0x14c-0x14e (2)
| | | dll_characteristics{}: 0x14e-0x150 (2)
0x00140| 40 | @ | force_integrity: false 0x14e-0x14e.1 (0.1)
0x00140| 40 | @ | dynamic_base: true 0x14e.1-0x14e.2 (0.1)
0x00140| 40 | @ | high_entropy_va: false 0x14e.2-0x14e.3 (0.1)
0x00140| 40 | @ | reserved0: false 0x14e.3-0x14e.4 (0.1)
0x00140| 40 | @ | reserved1: false 0x14e.4-0x14e.5 (0.1)
0x00140| 40 | @ | reserved2: false 0x14e.5-0x14e.6 (0.1)
0x00140| 40 | @ | reserved3: false 0x14e.6-0x14e.7 (0.1)
0x00140| 40 | @ | reserved4: false 0x14e.7-0x14f (0.1)
0x00140| 81| .| terminal_server_aware: true 0x14f-0x14f.1 (0.1)
0x00140| 81| .| guard_cf: false 0x14f.1-0x14f.2 (0.1)
0x00140| 81| .| wdm_driver: false 0x14f.2-0x14f.3 (0.1)
0x00140| 81| .| appcontainer: false 0x14f.3-0x14f.4 (0.1)
0x00140| 81| .| no_bind: false 0x14f.4-0x14f.5 (0.1)
0x00140| 81| .| no_seh: false 0x14f.5-0x14f.6 (0.1)
0x00140| 81| .| no_isolation: false 0x14f.6-0x14f.7 (0.1)
0x00140| 81| .| nx_compat: true 0x14f.7-0x150 (0.1)
0x00150|00 00 10 00 00 00 00 00 |........ | size_of_track_reserve: 1048576 0x150-0x158 (8)
0x00150| 00 c0 0f 00 00 00 00 00| ........| size_of_stack_commit: 1032192 0x158-0x160 (8)
0x00160|00 00 10 00 00 00 00 00 |........ | size_of_heap_reserve: 1048576 0x160-0x168 (8)
0x00160| 00 10 00 00 00 00 00 00| ........| size_of_heap_commit: 4096 0x168-0x170 (8)
0x00170|00 00 00 00 |.... | loader_flags: 0 0x170-0x174 (4)
0x00170| 10 00 00 00 | .... | number_of_rva_and_sizes: 16 0x174-0x178 (4)
0x00170| 00 00 00 00 | .... | export_table_address: 0x0 0x178-0x17c (4)
0x00170| 00 00 00 00| ....| export_table_size: 0 0x17c-0x180 (4)
0x00180|58 a7 02 00 |X... | import_table_address: 0x2a758 0x180-0x184 (4)
0x00180| 64 00 00 00 | d... | import_table_size: 100 0x184-0x188 (4)
0x00180| 00 f0 04 00 | .... | resource_table_address: 0x4f000 0x188-0x18c (4)
0x00180| 58 84 00 00| X...| resource_table_size: 33880 0x18c-0x190 (4)
0x00190|00 c0 04 00 |.... | exception_table_address: 0x4c000 0x190-0x194 (4)
0x00190| dc 26 00 00 | .&.. | exception_table_size: 9948 0x194-0x198 (4)
0x00190| 00 00 00 00 | .... | certificate_table_address: 0x0 0x198-0x19c (4)
0x00190| 00 00 00 00| ....| certificate_table_size: 0 0x19c-0x1a0 (4)
0x001a0|00 80 05 00 |.... | base_relocation_table_address: 0x58000 0x1a0-0x1a4 (4)
0x001a0| 24 01 00 00 | $... | base_relocation_table_size: 292 0x1a4-0x1a8 (4)
0x001a0| 70 80 02 00 | p... | debug_address: 0x28070 0x1a8-0x1ac (4)
0x001a0| 38 00 00 00| 8...| debug_size: 56 0x1ac-0x1b0 (4)
0x001b0|00 00 00 00 00 00 00 00 |........ | architecture: 0 0x1b0-0x1b8 (8)
0x001b0| 00 00 00 00 00 00 00 00| ........| global_ptr: 0x0 0x1b8-0x1c0 (8)
0x001c0|00 00 00 00 |.... | tls_table_address: 0x0 0x1c0-0x1c4 (4)
0x001c0| 00 00 00 00 | .... | tls_table_size: 0 0x1c4-0x1c8 (4)
0x001c0| 00 00 00 00 | .... | load_config_table_address: 0x0 0x1c8-0x1cc (4)
0x001c0| 00 00 00 00| ....| load_config_table_size: 0 0x1cc-0x1d0 (4)
0x001d0|e8 02 00 00 |.... | bound_import_address: 0x2e8 0x1d0-0x1d4 (4)
0x001d0| 9c 00 00 00 | .... | bound_import_size: 156 0x1d4-0x1d8 (4)
0x001d0| 00 90 02 00 | .... | iat_address: 0x29000 0x1d8-0x1dc (4)
0x001d0| 48 07 00 00| H...| iat_size: 1864 0x1dc-0x1e0 (4)
0x001e0|2c a4 02 00 |,... | delay_import_descriptor_address: 0x2a42c 0x1e0-0x1e4 (4)
0x001e0| a0 00 00 00 | .... | delay_import_descriptor_size: 160 0x1e4-0x1e8 (4)
0x001e0| 00 00 00 00 | .... | clr_runtime_header_address: 0x0 0x1e8-0x1ec (4)
0x001e0| 00 00 00 00| ....| clr_runtime_header_size: 0 0x1ec-0x1f0 (4)
0x001f0|00 00 00 00 00 00 00 00 |........ | reserved: 0 0x1f0-0x1f8 (8)
| | | unknown: raw bits 0x1f8-0x1f8 (0)
| | | sections[0:6]: 0x1f8-0x2e8 (240)
| | | [0]{}: section 0x1f8-0x220 (40)
0x001f0| 2e 74 65 78 74 00 00 00| .text...| name: ".text" 0x1f8-0x200 (8)
0x00200|cc 70 02 00 |.p.. | virtual_size: 159948 0x200-0x204 (4)
0x00200| 00 10 00 00 | .... | virtual_address: 0x1000 0x204-0x208 (4)
0x00200| 00 72 02 00 | .r.. | size_of_raw_data: 160256 0x208-0x20c (4)
0x00200| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x20c-0x210 (4)
0x00210|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x210-0x214 (4)
0x00210| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x214-0x218 (4)
0x00210| 00 00 | .. | number_of_relocations: 0 0x218-0x21a (2)
0x00210| 00 00 | .. | number_of_line_numbers: 0 0x21a-0x21c (2)
| | | characteristics{}: 0x21c-0x220 (4)
0x00210| 20 | | cnt_uninitialized_data: false 0x21c-0x21c.1 (0.1)
0x00210| 20 | | cnt_initialized_data: false 0x21c.1-0x21c.2 (0.1)
0x00210| 20 | | cnt_code: true 0x21c.2-0x21c.3 (0.1)
0x00210| 20 | | reserved: false 0x21c.3-0x21c.4 (0.1)
0x00210| 20 | | type_no_pad: false 0x21c.4-0x21c.5 (0.1)
0x00210| 20 | | reserved0: false 0x21c.5-0x21c.6 (0.1)
0x00210| 20 | | reserved1: false 0x21c.6-0x21c.7 (0.1)
0x00210| 20 | | reserved2: false 0x21c.7-0x21d (0.1)
0x00210| 00 | . | gprel: false 0x21d-0x21d.1 (0.1)
0x00210| 00 | . | unknown0: false 0x21d.1-0x21d.2 (0.1)
0x00210| 00 | . | unknown1: false 0x21d.2-0x21d.3 (0.1)
0x00210| 00 | . | lnk_comdat: false 0x21d.3-0x21d.4 (0.1)
0x00210| 00 | . | lnk_remove: false 0x21d.4-0x21d.5 (0.1)
0x00210| 00 | . | reserved3: false 0x21d.5-0x21d.6 (0.1)
0x00210| 00 | . | lnk_info: false 0x21d.6-0x21d.7 (0.1)
0x00210| 00 | . | lnk_other: false 0x21d.7-0x21e (0.1)
0x00210| 00 | . | align_128bytes: false 0x21e-0x21e.1 (0.1)
0x00210| 00 | . | align_8bytes: false 0x21e.1-0x21e.2 (0.1)
0x00210| 00 | . | align_2bytes: false 0x21e.2-0x21e.3 (0.1)
0x00210| 00 | . | align_1bytes: false 0x21e.3-0x21e.4 (0.1)
0x00210| 00 | . | mem_preload: false 0x21e.4-0x21e.5 (0.1)
0x00210| 00 | . | mem_locked: false 0x21e.5-0x21e.6 (0.1)
0x00210| 00 | . | mem_16bit: false 0x21e.6-0x21e.7 (0.1)
0x00210| 00 | . | mem_purgeable: false 0x21e.7-0x21f (0.1)
0x00210| 60| `| mem_write: false 0x21f-0x21f.1 (0.1)
0x00210| 60| `| mem_read: true 0x21f.1-0x21f.2 (0.1)
0x00210| 60| `| mem_execute: true 0x21f.2-0x21f.3 (0.1)
0x00210| 60| `| mem_shared: false 0x21f.3-0x21f.4 (0.1)
0x00210| 60| `| mem_not_paged: false 0x21f.4-0x21f.5 (0.1)
0x00210| 60| `| mem_not_cached: false 0x21f.5-0x21f.6 (0.1)
0x00210| 60| `| mem_discardable: false 0x21f.6-0x21f.7 (0.1)
0x00210| 60| `| lnk_nreloc_ovfl: false 0x21f.7-0x220 (0.1)
| | | [1]{}: section 0x220-0x248 (40)
0x00220|2e 72 64 61 74 61 00 00 |.rdata.. | name: ".rdata" 0x220-0x228 (8)
0x00220| 10 49 00 00 | .I.. | virtual_size: 18704 0x228-0x22c (4)
0x00220| 00 90 02 00| ....| virtual_address: 0x29000 0x22c-0x230 (4)
0x00230|00 4a 00 00 |.J.. | size_of_raw_data: 18944 0x230-0x234 (4)
0x00230| 00 76 02 00 | .v.. | pointer_to_raw_data: 0x27600 0x234-0x238 (4)
0x00230| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x238-0x23c (4)
0x00230| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x23c-0x240 (4)
0x00240|00 00 |.. | number_of_relocations: 0 0x240-0x242 (2)
0x00240| 00 00 | .. | number_of_line_numbers: 0 0x242-0x244 (2)
| | | characteristics{}: 0x244-0x248 (4)
0x00240| 40 | @ | cnt_uninitialized_data: false 0x244-0x244.1 (0.1)
0x00240| 40 | @ | cnt_initialized_data: true 0x244.1-0x244.2 (0.1)
0x00240| 40 | @ | cnt_code: false 0x244.2-0x244.3 (0.1)
0x00240| 40 | @ | reserved: false 0x244.3-0x244.4 (0.1)
0x00240| 40 | @ | type_no_pad: false 0x244.4-0x244.5 (0.1)
0x00240| 40 | @ | reserved0: false 0x244.5-0x244.6 (0.1)
0x00240| 40 | @ | reserved1: false 0x244.6-0x244.7 (0.1)
0x00240| 40 | @ | reserved2: false 0x244.7-0x245 (0.1)
0x00240| 00 | . | gprel: false 0x245-0x245.1 (0.1)
0x00240| 00 | . | unknown0: false 0x245.1-0x245.2 (0.1)
0x00240| 00 | . | unknown1: false 0x245.2-0x245.3 (0.1)
0x00240| 00 | . | lnk_comdat: false 0x245.3-0x245.4 (0.1)
0x00240| 00 | . | lnk_remove: false 0x245.4-0x245.5 (0.1)
0x00240| 00 | . | reserved3: false 0x245.5-0x245.6 (0.1)
0x00240| 00 | . | lnk_info: false 0x245.6-0x245.7 (0.1)
0x00240| 00 | . | lnk_other: false 0x245.7-0x246 (0.1)
0x00240| 00 | . | align_128bytes: false 0x246-0x246.1 (0.1)
0x00240| 00 | . | align_8bytes: false 0x246.1-0x246.2 (0.1)
0x00240| 00 | . | align_2bytes: false 0x246.2-0x246.3 (0.1)
0x00240| 00 | . | align_1bytes: false 0x246.3-0x246.4 (0.1)
0x00240| 00 | . | mem_preload: false 0x246.4-0x246.5 (0.1)
0x00240| 00 | . | mem_locked: false 0x246.5-0x246.6 (0.1)
0x00240| 00 | . | mem_16bit: false 0x246.6-0x246.7 (0.1)
0x00240| 00 | . | mem_purgeable: false 0x246.7-0x247 (0.1)
0x00240| 40 | @ | mem_write: false 0x247-0x247.1 (0.1)
0x00240| 40 | @ | mem_read: true 0x247.1-0x247.2 (0.1)
0x00240| 40 | @ | mem_execute: false 0x247.2-0x247.3 (0.1)
0x00240| 40 | @ | mem_shared: false 0x247.3-0x247.4 (0.1)
0x00240| 40 | @ | mem_not_paged: false 0x247.4-0x247.5 (0.1)
0x00240| 40 | @ | mem_not_cached: false 0x247.5-0x247.6 (0.1)
0x00240| 40 | @ | mem_discardable: false 0x247.6-0x247.7 (0.1)
0x00240| 40 | @ | lnk_nreloc_ovfl: false 0x247.7-0x248 (0.1)
| | | [2]{}: section 0x248-0x270 (40)
0x00240| 2e 64 61 74 61 00 00 00| .data...| name: ".data" 0x248-0x250 (8)
0x00250|98 d3 01 00 |.... | virtual_size: 119704 0x250-0x254 (4)
0x00250| 00 e0 02 00 | .... | virtual_address: 0x2e000 0x254-0x258 (4)
0x00250| 00 d4 01 00 | .... | size_of_raw_data: 119808 0x258-0x25c (4)
0x00250| 00 c0 02 00| ....| pointer_to_raw_data: 0x2c000 0x25c-0x260 (4)
0x00260|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x260-0x264 (4)
0x00260| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x264-0x268 (4)
0x00260| 00 00 | .. | number_of_relocations: 0 0x268-0x26a (2)
0x00260| 00 00 | .. | number_of_line_numbers: 0 0x26a-0x26c (2)
| | | characteristics{}: 0x26c-0x270 (4)
0x00260| 40 | @ | cnt_uninitialized_data: false 0x26c-0x26c.1 (0.1)
0x00260| 40 | @ | cnt_initialized_data: true 0x26c.1-0x26c.2 (0.1)
0x00260| 40 | @ | cnt_code: false 0x26c.2-0x26c.3 (0.1)
0x00260| 40 | @ | reserved: false 0x26c.3-0x26c.4 (0.1)
0x00260| 40 | @ | type_no_pad: false 0x26c.4-0x26c.5 (0.1)
0x00260| 40 | @ | reserved0: false 0x26c.5-0x26c.6 (0.1)
0x00260| 40 | @ | reserved1: false 0x26c.6-0x26c.7 (0.1)
0x00260| 40 | @ | reserved2: false 0x26c.7-0x26d (0.1)
0x00260| 00 | . | gprel: false 0x26d-0x26d.1 (0.1)
0x00260| 00 | . | unknown0: false 0x26d.1-0x26d.2 (0.1)
0x00260| 00 | . | unknown1: false 0x26d.2-0x26d.3 (0.1)
0x00260| 00 | . | lnk_comdat: false 0x26d.3-0x26d.4 (0.1)
0x00260| 00 | . | lnk_remove: false 0x26d.4-0x26d.5 (0.1)
0x00260| 00 | . | reserved3: false 0x26d.5-0x26d.6 (0.1)
0x00260| 00 | . | lnk_info: false 0x26d.6-0x26d.7 (0.1)
0x00260| 00 | . | lnk_other: false 0x26d.7-0x26e (0.1)
0x00260| 00 | . | align_128bytes: false 0x26e-0x26e.1 (0.1)
0x00260| 00 | . | align_8bytes: false 0x26e.1-0x26e.2 (0.1)
0x00260| 00 | . | align_2bytes: false 0x26e.2-0x26e.3 (0.1)
0x00260| 00 | . | align_1bytes: false 0x26e.3-0x26e.4 (0.1)
0x00260| 00 | . | mem_preload: false 0x26e.4-0x26e.5 (0.1)
0x00260| 00 | . | mem_locked: false 0x26e.5-0x26e.6 (0.1)
0x00260| 00 | . | mem_16bit: false 0x26e.6-0x26e.7 (0.1)
0x00260| 00 | . | mem_purgeable: false 0x26e.7-0x26f (0.1)
0x00260| c0| .| mem_write: true 0x26f-0x26f.1 (0.1)
0x00260| c0| .| mem_read: true 0x26f.1-0x26f.2 (0.1)
0x00260| c0| .| mem_execute: false 0x26f.2-0x26f.3 (0.1)
0x00260| c0| .| mem_shared: false 0x26f.3-0x26f.4 (0.1)
0x00260| c0| .| mem_not_paged: false 0x26f.4-0x26f.5 (0.1)
0x00260| c0| .| mem_not_cached: false 0x26f.5-0x26f.6 (0.1)
0x00260| c0| .| mem_discardable: false 0x26f.6-0x26f.7 (0.1)
0x00260| c0| .| lnk_nreloc_ovfl: false 0x26f.7-0x270 (0.1)
| | | [3]{}: section 0x270-0x298 (40)
0x00270|2e 70 64 61 74 61 00 00 |.pdata.. | name: ".pdata" 0x270-0x278 (8)
0x00270| dc 26 00 00 | .&.. | virtual_size: 9948 0x278-0x27c (4)
0x00270| 00 c0 04 00| ....| virtual_address: 0x4c000 0x27c-0x280 (4)
0x00280|00 28 00 00 |.(.. | size_of_raw_data: 10240 0x280-0x284 (4)
0x00280| 00 94 04 00 | .... | pointer_to_raw_data: 0x49400 0x284-0x288 (4)
0x00280| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x288-0x28c (4)
0x00280| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x28c-0x290 (4)
0x00290|00 00 |.. | number_of_relocations: 0 0x290-0x292 (2)
0x00290| 00 00 | .. | number_of_line_numbers: 0 0x292-0x294 (2)
| | | characteristics{}: 0x294-0x298 (4)
0x00290| 40 | @ | cnt_uninitialized_data: false 0x294-0x294.1 (0.1)
0x00290| 40 | @ | cnt_initialized_data: true 0x294.1-0x294.2 (0.1)
0x00290| 40 | @ | cnt_code: false 0x294.2-0x294.3 (0.1)
0x00290| 40 | @ | reserved: false 0x294.3-0x294.4 (0.1)
0x00290| 40 | @ | type_no_pad: false 0x294.4-0x294.5 (0.1)
0x00290| 40 | @ | reserved0: false 0x294.5-0x294.6 (0.1)
0x00290| 40 | @ | reserved1: false 0x294.6-0x294.7 (0.1)
0x00290| 40 | @ | reserved2: false 0x294.7-0x295 (0.1)
0x00290| 00 | . | gprel: false 0x295-0x295.1 (0.1)
0x00290| 00 | . | unknown0: false 0x295.1-0x295.2 (0.1)
0x00290| 00 | . | unknown1: false 0x295.2-0x295.3 (0.1)
0x00290| 00 | . | lnk_comdat: false 0x295.3-0x295.4 (0.1)
0x00290| 00 | . | lnk_remove: false 0x295.4-0x295.5 (0.1)
0x00290| 00 | . | reserved3: false 0x295.5-0x295.6 (0.1)
0x00290| 00 | . | lnk_info: false 0x295.6-0x295.7 (0.1)
0x00290| 00 | . | lnk_other: false 0x295.7-0x296 (0.1)
0x00290| 00 | . | align_128bytes: false 0x296-0x296.1 (0.1)
0x00290| 00 | . | align_8bytes: false 0x296.1-0x296.2 (0.1)
0x00290| 00 | . | align_2bytes: false 0x296.2-0x296.3 (0.1)
0x00290| 00 | . | align_1bytes: false 0x296.3-0x296.4 (0.1)
0x00290| 00 | . | mem_preload: false 0x296.4-0x296.5 (0.1)
0x00290| 00 | . | mem_locked: false 0x296.5-0x296.6 (0.1)
0x00290| 00 | . | mem_16bit: false 0x296.6-0x296.7 (0.1)
0x00290| 00 | . | mem_purgeable: false 0x296.7-0x297 (0.1)
0x00290| 40 | @ | mem_write: false 0x297-0x297.1 (0.1)
0x00290| 40 | @ | mem_read: true 0x297.1-0x297.2 (0.1)
0x00290| 40 | @ | mem_execute: false 0x297.2-0x297.3 (0.1)
0x00290| 40 | @ | mem_shared: false 0x297.3-0x297.4 (0.1)
0x00290| 40 | @ | mem_not_paged: false 0x297.4-0x297.5 (0.1)
0x00290| 40 | @ | mem_not_cached: false 0x297.5-0x297.6 (0.1)
0x00290| 40 | @ | mem_discardable: false 0x297.6-0x297.7 (0.1)
0x00290| 40 | @ | lnk_nreloc_ovfl: false 0x297.7-0x298 (0.1)
| | | [4]{}: section 0x298-0x2c0 (40)
0x00290| 2e 72 73 72 63 00 00 00| .rsrc...| name: ".rsrc" 0x298-0x2a0 (8)
0x002a0|58 84 00 00 |X... | virtual_size: 33880 0x2a0-0x2a4 (4)
0x002a0| 00 f0 04 00 | .... | virtual_address: 0x4f000 0x2a4-0x2a8 (4)
0x002a0| 00 86 00 00 | .... | size_of_raw_data: 34304 0x2a8-0x2ac (4)
0x002a0| 00 bc 04 00| ....| pointer_to_raw_data: 0x4bc00 0x2ac-0x2b0 (4)
0x002b0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x2b0-0x2b4 (4)
0x002b0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x2b4-0x2b8 (4)
0x002b0| 00 00 | .. | number_of_relocations: 0 0x2b8-0x2ba (2)
0x002b0| 00 00 | .. | number_of_line_numbers: 0 0x2ba-0x2bc (2)
| | | characteristics{}: 0x2bc-0x2c0 (4)
0x002b0| 40 | @ | cnt_uninitialized_data: false 0x2bc-0x2bc.1 (0.1)
0x002b0| 40 | @ | cnt_initialized_data: true 0x2bc.1-0x2bc.2 (0.1)
0x002b0| 40 | @ | cnt_code: false 0x2bc.2-0x2bc.3 (0.1)
0x002b0| 40 | @ | reserved: false 0x2bc.3-0x2bc.4 (0.1)
0x002b0| 40 | @ | type_no_pad: false 0x2bc.4-0x2bc.5 (0.1)
0x002b0| 40 | @ | reserved0: false 0x2bc.5-0x2bc.6 (0.1)
0x002b0| 40 | @ | reserved1: false 0x2bc.6-0x2bc.7 (0.1)
0x002b0| 40 | @ | reserved2: false 0x2bc.7-0x2bd (0.1)
0x002b0| 00 | . | gprel: false 0x2bd-0x2bd.1 (0.1)
0x002b0| 00 | . | unknown0: false 0x2bd.1-0x2bd.2 (0.1)
0x002b0| 00 | . | unknown1: false 0x2bd.2-0x2bd.3 (0.1)
0x002b0| 00 | . | lnk_comdat: false 0x2bd.3-0x2bd.4 (0.1)
0x002b0| 00 | . | lnk_remove: false 0x2bd.4-0x2bd.5 (0.1)
0x002b0| 00 | . | reserved3: false 0x2bd.5-0x2bd.6 (0.1)
0x002b0| 00 | . | lnk_info: false 0x2bd.6-0x2bd.7 (0.1)
0x002b0| 00 | . | lnk_other: false 0x2bd.7-0x2be (0.1)
0x002b0| 00 | . | align_128bytes: false 0x2be-0x2be.1 (0.1)
0x002b0| 00 | . | align_8bytes: false 0x2be.1-0x2be.2 (0.1)
0x002b0| 00 | . | align_2bytes: false 0x2be.2-0x2be.3 (0.1)
0x002b0| 00 | . | align_1bytes: false 0x2be.3-0x2be.4 (0.1)
0x002b0| 00 | . | mem_preload: false 0x2be.4-0x2be.5 (0.1)
0x002b0| 00 | . | mem_locked: false 0x2be.5-0x2be.6 (0.1)
0x002b0| 00 | . | mem_16bit: false 0x2be.6-0x2be.7 (0.1)
0x002b0| 00 | . | mem_purgeable: false 0x2be.7-0x2bf (0.1)
0x002b0| 40| @| mem_write: false 0x2bf-0x2bf.1 (0.1)
0x002b0| 40| @| mem_read: true 0x2bf.1-0x2bf.2 (0.1)
0x002b0| 40| @| mem_execute: false 0x2bf.2-0x2bf.3 (0.1)
0x002b0| 40| @| mem_shared: false 0x2bf.3-0x2bf.4 (0.1)
0x002b0| 40| @| mem_not_paged: false 0x2bf.4-0x2bf.5 (0.1)
0x002b0| 40| @| mem_not_cached: false 0x2bf.5-0x2bf.6 (0.1)
0x002b0| 40| @| mem_discardable: false 0x2bf.6-0x2bf.7 (0.1)
0x002b0| 40| @| lnk_nreloc_ovfl: false 0x2bf.7-0x2c0 (0.1)
| | | [5]{}: section 0x2c0-0x2e8 (40)
0x002c0|2e 72 65 6c 6f 63 00 00 |.reloc.. | name: ".reloc" 0x2c0-0x2c8 (8)
0x002c0| 24 01 00 00 | $... | virtual_size: 292 0x2c8-0x2cc (4)
0x002c0| 00 80 05 00| ....| virtual_address: 0x58000 0x2cc-0x2d0 (4)
0x002d0|00 02 00 00 |.... | size_of_raw_data: 512 0x2d0-0x2d4 (4)
0x002d0| 00 42 05 00 | .B.. | pointer_to_raw_data: 0x54200 0x2d4-0x2d8 (4)
0x002d0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2d8-0x2dc (4)
0x002d0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2dc-0x2e0 (4)
0x002e0|00 00 |.. | number_of_relocations: 0 0x2e0-0x2e2 (2)
0x002e0| 00 00 | .. | number_of_line_numbers: 0 0x2e2-0x2e4 (2)
| | | characteristics{}: 0x2e4-0x2e8 (4)
0x002e0| 40 | @ | cnt_uninitialized_data: false 0x2e4-0x2e4.1 (0.1)
0x002e0| 40 | @ | cnt_initialized_data: true 0x2e4.1-0x2e4.2 (0.1)
0x002e0| 40 | @ | cnt_code: false 0x2e4.2-0x2e4.3 (0.1)
0x002e0| 40 | @ | reserved: false 0x2e4.3-0x2e4.4 (0.1)
0x002e0| 40 | @ | type_no_pad: false 0x2e4.4-0x2e4.5 (0.1)
0x002e0| 40 | @ | reserved0: false 0x2e4.5-0x2e4.6 (0.1)
0x002e0| 40 | @ | reserved1: false 0x2e4.6-0x2e4.7 (0.1)
0x002e0| 40 | @ | reserved2: false 0x2e4.7-0x2e5 (0.1)
0x002e0| 00 | . | gprel: false 0x2e5-0x2e5.1 (0.1)
0x002e0| 00 | . | unknown0: false 0x2e5.1-0x2e5.2 (0.1)
0x002e0| 00 | . | unknown1: false 0x2e5.2-0x2e5.3 (0.1)
0x002e0| 00 | . | lnk_comdat: false 0x2e5.3-0x2e5.4 (0.1)
0x002e0| 00 | . | lnk_remove: false 0x2e5.4-0x2e5.5 (0.1)
0x002e0| 00 | . | reserved3: false 0x2e5.5-0x2e5.6 (0.1)
0x002e0| 00 | . | lnk_info: false 0x2e5.6-0x2e5.7 (0.1)
0x002e0| 00 | . | lnk_other: false 0x2e5.7-0x2e6 (0.1)
0x002e0| 00 | . | align_128bytes: false 0x2e6-0x2e6.1 (0.1)
0x002e0| 00 | . | align_8bytes: false 0x2e6.1-0x2e6.2 (0.1)
0x002e0| 00 | . | align_2bytes: false 0x2e6.2-0x2e6.3 (0.1)
0x002e0| 00 | . | align_1bytes: false 0x2e6.3-0x2e6.4 (0.1)
0x002e0| 00 | . | mem_preload: false 0x2e6.4-0x2e6.5 (0.1)
0x002e0| 00 | . | mem_locked: false 0x2e6.5-0x2e6.6 (0.1)
0x002e0| 00 | . | mem_16bit: false 0x2e6.6-0x2e6.7 (0.1)
0x002e0| 00 | . | mem_purgeable: false 0x2e6.7-0x2e7 (0.1)
0x002e0| 42 | B | mem_write: false 0x2e7-0x2e7.1 (0.1)
0x002e0| 42 | B | mem_read: true 0x2e7.1-0x2e7.2 (0.1)
0x002e0| 42 | B | mem_execute: false 0x2e7.2-0x2e7.3 (0.1)
0x002e0| 42 | B | mem_shared: false 0x2e7.3-0x2e7.4 (0.1)
0x002e0| 42 | B | mem_not_paged: false 0x2e7.4-0x2e7.5 (0.1)
0x002e0| 42 | B | mem_not_cached: false 0x2e7.5-0x2e7.6 (0.1)
0x002e0| 42 | B | mem_discardable: true 0x2e7.6-0x2e7.7 (0.1)
0x002e0| 42 | B | lnk_nreloc_ovfl: false 0x2e7.7-0x2e8 (0.1)
0x002e0| 37 c8 e7 4c 40 00 01 00| 7..L@...| gap0: raw bits 0x2e8-0x54400 (344344)
0x002f0|f9 c8 e7 4c 4b 00 00 00 f9 c8 e7 4c 4b 00 00 00|...LK......LK...|
* |until 0x543ff.7 (end) (344344) | |

BIN
format/pe/testdata/pe-Windows-x86-cmd vendored Executable file
View File

Binary file not shown.

305
format/pe/testdata/pe-Windows-x86-cmd.fqtest vendored Normal file
View File

@ -0,0 +1,305 @@
$ fq dv pe-Windows-x86-cmd
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-Windows-x86-cmd (pe) 0x0-0x49a00 (301568)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0xd8 (216)
0x00000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x2 (2)
0x00000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x4 (2)
0x00000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x6 (2)
0x00000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x8 (2)
0x00000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0xa (2)
0x00000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xc (2)
0x00000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xe (2)
0x00000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0x10 (2)
0x00010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x12 (2)
0x00010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x14 (2)
0x00010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x16 (2)
0x00010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x18 (2)
0x00010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x1a (2)
0x00010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1c (2)
0x00010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x24 (8)
0x00020|00 00 00 00 |.... |
0x00020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x26 (2)
0x00020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x28 (2)
0x00020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3c (20)
0x00030|00 00 00 00 00 00 00 00 00 00 00 00 |............ |
0x00030| d8 00 00 00| ....| e_lfanew: 216 (File address of new exe header) 0x3c-0x40 (4)
0x00040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x80 (64)
* |until 0x7f.7 (64) | |
0x00080|de 72 92 b9 9a 13 fc ea 9a 13 fc ea 9a 13 fc ea|.r..............| padding: raw bits 0x80-0xd8 (88)
* |until 0xd7.7 (88) | |
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0xd8-0x270 (408)
0x000d0| 50 45 00 00 | PE.. | signature: raw bits (valid) 0xd8-0xdc (4)
0x000d0| 4c 01 | L. | machine: "i386" (0x14c) 0xdc-0xde (2)
0x000d0| 04 00| ..| number_of_sections: 4 0xde-0xe0 (2)
0x000e0|9e c1 5b 4a |..[J | time_date_stamp: 1247527326 (2009-07-13T23:22:06Z) 0xe0-0xe4 (4)
0x000e0| 00 00 00 00 | .... | pointer_to_symbol_table: 0x0 0xe4-0xe8 (4)
0x000e0| 00 00 00 00 | .... | number_of_symbols: 0 0xe8-0xec (4)
0x000e0| e0 00 | .. | size_of_optional_header: 224 0xec-0xee (2)
| | | characteristics{}: 0xee-0xf0 (2)
0x000e0| 02 | . | bytes_reversed_lo: false 0xee-0xee.1 (0.1)
0x000e0| 02 | . | reserved: false 0xee.1-0xee.2 (0.1)
0x000e0| 02 | . | large_address_aware: false 0xee.2-0xee.3 (0.1)
0x000e0| 02 | . | aggressive_ws_trim: false 0xee.3-0xee.4 (0.1)
0x000e0| 02 | . | local_syms_stripped: false 0xee.4-0xee.5 (0.1)
0x000e0| 02 | . | line_nums_stripped: false 0xee.5-0xee.6 (0.1)
0x000e0| 02 | . | executable_image: true 0xee.6-0xee.7 (0.1)
0x000e0| 02 | . | relocs_stripped: false 0xee.7-0xef (0.1)
0x000e0| 00| .| bytes_reversed_hi: false 0xef-0xef.1 (0.1)
0x000e0| 00| .| up_system_only: false 0xef.1-0xef.2 (0.1)
0x000e0| 00| .| dll: false 0xef.2-0xef.3 (0.1)
0x000e0| 00| .| system: false 0xef.3-0xef.4 (0.1)
0x000e0| 00| .| net_run_from_swap: false 0xef.4-0xef.5 (0.1)
0x000e0| 00| .| removable_run_from_swap: false 0xef.5-0xef.6 (0.1)
0x000e0| 00| .| debug_stripped: false 0xef.6-0xef.7 (0.1)
0x000e0| 00| .| 32bit_machine: false 0xef.7-0xf0 (0.1)
| | | optional_header{}: 0xf0-0x1d0 (224)
0x000f0|0b 01 |.. | format: "pe32" (0x10b) 0xf0-0xf2 (2)
0x000f0| 09 | . | major_linker_version: 9 0xf2-0xf3 (1)
0x000f0| 00 | . | minor_linker_version: 0 0xf3-0xf4 (1)
0x000f0| 00 2a 02 00 | .*.. | size_of_code: 141824 0xf4-0xf8 (4)
0x000f0| 00 6c 02 00 | .l.. | size_of_initialized_data: 158720 0xf8-0xfc (4)
0x000f0| 00 00 00 00| ....| size_of_uninitialized_data: 0 0xfc-0x100 (4)
0x00100|dc 60 00 00 |.`.. | address_of_entry_point: 0x60dc 0x100-0x104 (4)
0x00100| 00 10 00 00 | .... | base_of_code: 0x1000 0x104-0x108 (4)
0x00100| 00 20 02 00 | . .. | base_of_data: 0x22000 0x108-0x10c (4)
0x00100| 00 00 d0 4a| ...J| image_base: 0x4ad00000 0x10c-0x110 (4)
0x00110|00 10 00 00 |.... | section_alignment: 4096 0x110-0x114 (4)
0x00110| 00 02 00 00 | .... | file_alignment: 512 0x114-0x118 (4)
0x00110| 06 00 | .. | major_os_version: 6 0x118-0x11a (2)
0x00110| 01 00 | .. | minor_os_version: 1 0x11a-0x11c (2)
0x00110| 06 00 | .. | major_image_version: 6 0x11c-0x11e (2)
0x00110| 01 00| ..| minor_image_version: 1 0x11e-0x120 (2)
0x00120|06 00 |.. | major_subsystem_version: 6 0x120-0x122 (2)
0x00120| 01 00 | .. | minor_subsystem_version: 1 0x122-0x124 (2)
0x00120| 00 00 00 00 | .... | win32_version: 0 0x124-0x128 (4)
0x00120| 00 c0 04 00 | .... | size_of_image: 311296 0x128-0x12c (4)
0x00120| 00 04 00 00| ....| size_of_headers: 1024 0x12c-0x130 (4)
0x00130|8f b1 04 00 |.... | chunk_sum: 0x4b18f 0x130-0x134 (4)
0x00130| 03 00 | .. | subsystem: "windows_cui" (3) 0x134-0x136 (2)
| | | dll_characteristics{}: 0x136-0x138 (2)
0x00130| 00 | . | force_integrity: false 0x136-0x136.1 (0.1)
0x00130| 00 | . | dynamic_base: false 0x136.1-0x136.2 (0.1)
0x00130| 00 | . | high_entropy_va: false 0x136.2-0x136.3 (0.1)
0x00130| 00 | . | reserved0: false 0x136.3-0x136.4 (0.1)
0x00130| 00 | . | reserved1: false 0x136.4-0x136.5 (0.1)
0x00130| 00 | . | reserved2: false 0x136.5-0x136.6 (0.1)
0x00130| 00 | . | reserved3: false 0x136.6-0x136.7 (0.1)
0x00130| 00 | . | reserved4: false 0x136.7-0x137 (0.1)
0x00130| 81 | . | terminal_server_aware: true 0x137-0x137.1 (0.1)
0x00130| 81 | . | guard_cf: false 0x137.1-0x137.2 (0.1)
0x00130| 81 | . | wdm_driver: false 0x137.2-0x137.3 (0.1)
0x00130| 81 | . | appcontainer: false 0x137.3-0x137.4 (0.1)
0x00130| 81 | . | no_bind: false 0x137.4-0x137.5 (0.1)
0x00130| 81 | . | no_seh: false 0x137.5-0x137.6 (0.1)
0x00130| 81 | . | no_isolation: false 0x137.6-0x137.7 (0.1)
0x00130| 81 | . | nx_compat: true 0x137.7-0x138 (0.1)
0x00130| 00 00 10 00 | .... | size_of_track_reserve: 1048576 0x138-0x13c (4)
0x00130| 00 d0 0f 00| ....| size_of_stack_commit: 1036288 0x13c-0x140 (4)
0x00140|00 00 10 00 |.... | size_of_heap_reserve: 1048576 0x140-0x144 (4)
0x00140| 00 10 00 00 | .... | size_of_heap_commit: 4096 0x144-0x148 (4)
0x00140| 00 00 00 00 | .... | loader_flags: 0 0x148-0x14c (4)
0x00140| 10 00 00 00| ....| number_of_rva_and_sizes: 16 0x14c-0x150 (4)
0x00150|00 00 00 00 |.... | export_table_address: 0x0 0x150-0x154 (4)
0x00150| 00 00 00 00 | .... | export_table_size: 0 0x154-0x158 (4)
0x00150| e0 25 02 00 | .%.. | import_table_address: 0x225e0 0x158-0x15c (4)
0x00150| 64 00 00 00| d...| import_table_size: 100 0x15c-0x160 (4)
0x00160|00 10 04 00 |.... | resource_table_address: 0x41000 0x160-0x164 (4)
0x00160| 48 84 00 00 | H... | resource_table_size: 33864 0x164-0x168 (4)
0x00160| 00 00 00 00 | .... | exception_table_address: 0x0 0x168-0x16c (4)
0x00160| 00 00 00 00| ....| exception_table_size: 0 0x16c-0x170 (4)
0x00170|00 00 00 00 |.... | certificate_table_address: 0x0 0x170-0x174 (4)
0x00170| 00 00 00 00 | .... | certificate_table_size: 0 0x174-0x178 (4)
0x00170| 00 a0 04 00 | .... | base_relocation_table_address: 0x4a000 0x178-0x17c (4)
0x00170| 1c 1b 00 00| ....| base_relocation_table_size: 6940 0x17c-0x180 (4)
0x00180|68 39 02 00 |h9.. | debug_address: 0x23968 0x180-0x184 (4)
0x00180| 38 00 00 00 | 8... | debug_size: 56 0x184-0x188 (4)
0x00180| 00 00 00 00 00 00 00 00| ........| architecture: 0 0x188-0x190 (8)
0x00190|00 00 00 00 00 00 00 00 |........ | global_ptr: 0x0 0x190-0x198 (8)
0x00190| 00 00 00 00 | .... | tls_table_address: 0x0 0x198-0x19c (4)
0x00190| 00 00 00 00| ....| tls_table_size: 0 0x19c-0x1a0 (4)
0x001a0|90 bb 01 00 |.... | load_config_table_address: 0x1bb90 0x1a0-0x1a4 (4)
0x001a0| 40 00 00 00 | @... | load_config_table_size: 64 0x1a4-0x1a8 (4)
0x001a0| 70 02 00 00 | p... | bound_import_address: 0x270 0x1a8-0x1ac (4)
0x001a0| 94 00 00 00| ....| bound_import_size: 148 0x1ac-0x1b0 (4)
0x001b0|00 10 00 00 |.... | iat_address: 0x1000 0x1b0-0x1b4 (4)
0x001b0| 98 03 00 00 | .... | iat_size: 920 0x1b4-0x1b8 (4)
0x001b0| fc 22 02 00 | .".. | delay_import_descriptor_address: 0x222fc 0x1b8-0x1bc (4)
0x001b0| a0 00 00 00| ....| delay_import_descriptor_size: 160 0x1bc-0x1c0 (4)
0x001c0|00 00 00 00 |.... | clr_runtime_header_address: 0x0 0x1c0-0x1c4 (4)
0x001c0| 00 00 00 00 | .... | clr_runtime_header_size: 0 0x1c4-0x1c8 (4)
0x001c0| 00 00 00 00 00 00 00 00| ........| reserved: 0 0x1c8-0x1d0 (8)
| | | unknown: raw bits 0x1d0-0x1d0 (0)
| | | sections[0:4]: 0x1d0-0x270 (160)
| | | [0]{}: section 0x1d0-0x1f8 (40)
0x001d0|2e 74 65 78 74 00 00 00 |.text... | name: ".text" 0x1d0-0x1d8 (8)
0x001d0| c4 29 02 00 | .).. | virtual_size: 141764 0x1d8-0x1dc (4)
0x001d0| 00 10 00 00| ....| virtual_address: 0x1000 0x1dc-0x1e0 (4)
0x001e0|00 2a 02 00 |.*.. | size_of_raw_data: 141824 0x1e0-0x1e4 (4)
0x001e0| 00 04 00 00 | .... | pointer_to_raw_data: 0x400 0x1e4-0x1e8 (4)
0x001e0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1e8-0x1ec (4)
0x001e0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1ec-0x1f0 (4)
0x001f0|00 00 |.. | number_of_relocations: 0 0x1f0-0x1f2 (2)
0x001f0| 00 00 | .. | number_of_line_numbers: 0 0x1f2-0x1f4 (2)
| | | characteristics{}: 0x1f4-0x1f8 (4)
0x001f0| 20 | | cnt_uninitialized_data: false 0x1f4-0x1f4.1 (0.1)
0x001f0| 20 | | cnt_initialized_data: false 0x1f4.1-0x1f4.2 (0.1)
0x001f0| 20 | | cnt_code: true 0x1f4.2-0x1f4.3 (0.1)
0x001f0| 20 | | reserved: false 0x1f4.3-0x1f4.4 (0.1)
0x001f0| 20 | | type_no_pad: false 0x1f4.4-0x1f4.5 (0.1)
0x001f0| 20 | | reserved0: false 0x1f4.5-0x1f4.6 (0.1)
0x001f0| 20 | | reserved1: false 0x1f4.6-0x1f4.7 (0.1)
0x001f0| 20 | | reserved2: false 0x1f4.7-0x1f5 (0.1)
0x001f0| 00 | . | gprel: false 0x1f5-0x1f5.1 (0.1)
0x001f0| 00 | . | unknown0: false 0x1f5.1-0x1f5.2 (0.1)
0x001f0| 00 | . | unknown1: false 0x1f5.2-0x1f5.3 (0.1)
0x001f0| 00 | . | lnk_comdat: false 0x1f5.3-0x1f5.4 (0.1)
0x001f0| 00 | . | lnk_remove: false 0x1f5.4-0x1f5.5 (0.1)
0x001f0| 00 | . | reserved3: false 0x1f5.5-0x1f5.6 (0.1)
0x001f0| 00 | . | lnk_info: false 0x1f5.6-0x1f5.7 (0.1)
0x001f0| 00 | . | lnk_other: false 0x1f5.7-0x1f6 (0.1)
0x001f0| 00 | . | align_128bytes: false 0x1f6-0x1f6.1 (0.1)
0x001f0| 00 | . | align_8bytes: false 0x1f6.1-0x1f6.2 (0.1)
0x001f0| 00 | . | align_2bytes: false 0x1f6.2-0x1f6.3 (0.1)
0x001f0| 00 | . | align_1bytes: false 0x1f6.3-0x1f6.4 (0.1)
0x001f0| 00 | . | mem_preload: false 0x1f6.4-0x1f6.5 (0.1)
0x001f0| 00 | . | mem_locked: false 0x1f6.5-0x1f6.6 (0.1)
0x001f0| 00 | . | mem_16bit: false 0x1f6.6-0x1f6.7 (0.1)
0x001f0| 00 | . | mem_purgeable: false 0x1f6.7-0x1f7 (0.1)
0x001f0| 60 | ` | mem_write: false 0x1f7-0x1f7.1 (0.1)
0x001f0| 60 | ` | mem_read: true 0x1f7.1-0x1f7.2 (0.1)
0x001f0| 60 | ` | mem_execute: true 0x1f7.2-0x1f7.3 (0.1)
0x001f0| 60 | ` | mem_shared: false 0x1f7.3-0x1f7.4 (0.1)
0x001f0| 60 | ` | mem_not_paged: false 0x1f7.4-0x1f7.5 (0.1)
0x001f0| 60 | ` | mem_not_cached: false 0x1f7.5-0x1f7.6 (0.1)
0x001f0| 60 | ` | mem_discardable: false 0x1f7.6-0x1f7.7 (0.1)
0x001f0| 60 | ` | lnk_nreloc_ovfl: false 0x1f7.7-0x1f8 (0.1)
| | | [1]{}: section 0x1f8-0x220 (40)
0x001f0| 2e 64 61 74 61 00 00 00| .data...| name: ".data" 0x1f8-0x200 (8)
0x00200|28 c9 01 00 |(... | virtual_size: 117032 0x200-0x204 (4)
0x00200| 00 40 02 00 | .@.. | virtual_address: 0x24000 0x204-0x208 (4)
0x00200| 00 ca 01 00 | .... | size_of_raw_data: 117248 0x208-0x20c (4)
0x00200| 00 2e 02 00| ....| pointer_to_raw_data: 0x22e00 0x20c-0x210 (4)
0x00210|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x210-0x214 (4)
0x00210| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x214-0x218 (4)
0x00210| 00 00 | .. | number_of_relocations: 0 0x218-0x21a (2)
0x00210| 00 00 | .. | number_of_line_numbers: 0 0x21a-0x21c (2)
| | | characteristics{}: 0x21c-0x220 (4)
0x00210| 40 | @ | cnt_uninitialized_data: false 0x21c-0x21c.1 (0.1)
0x00210| 40 | @ | cnt_initialized_data: true 0x21c.1-0x21c.2 (0.1)
0x00210| 40 | @ | cnt_code: false 0x21c.2-0x21c.3 (0.1)
0x00210| 40 | @ | reserved: false 0x21c.3-0x21c.4 (0.1)
0x00210| 40 | @ | type_no_pad: false 0x21c.4-0x21c.5 (0.1)
0x00210| 40 | @ | reserved0: false 0x21c.5-0x21c.6 (0.1)
0x00210| 40 | @ | reserved1: false 0x21c.6-0x21c.7 (0.1)
0x00210| 40 | @ | reserved2: false 0x21c.7-0x21d (0.1)
0x00210| 00 | . | gprel: false 0x21d-0x21d.1 (0.1)
0x00210| 00 | . | unknown0: false 0x21d.1-0x21d.2 (0.1)
0x00210| 00 | . | unknown1: false 0x21d.2-0x21d.3 (0.1)
0x00210| 00 | . | lnk_comdat: false 0x21d.3-0x21d.4 (0.1)
0x00210| 00 | . | lnk_remove: false 0x21d.4-0x21d.5 (0.1)
0x00210| 00 | . | reserved3: false 0x21d.5-0x21d.6 (0.1)
0x00210| 00 | . | lnk_info: false 0x21d.6-0x21d.7 (0.1)
0x00210| 00 | . | lnk_other: false 0x21d.7-0x21e (0.1)
0x00210| 00 | . | align_128bytes: false 0x21e-0x21e.1 (0.1)
0x00210| 00 | . | align_8bytes: false 0x21e.1-0x21e.2 (0.1)
0x00210| 00 | . | align_2bytes: false 0x21e.2-0x21e.3 (0.1)
0x00210| 00 | . | align_1bytes: false 0x21e.3-0x21e.4 (0.1)
0x00210| 00 | . | mem_preload: false 0x21e.4-0x21e.5 (0.1)
0x00210| 00 | . | mem_locked: false 0x21e.5-0x21e.6 (0.1)
0x00210| 00 | . | mem_16bit: false 0x21e.6-0x21e.7 (0.1)
0x00210| 00 | . | mem_purgeable: false 0x21e.7-0x21f (0.1)
0x00210| c0| .| mem_write: true 0x21f-0x21f.1 (0.1)
0x00210| c0| .| mem_read: true 0x21f.1-0x21f.2 (0.1)
0x00210| c0| .| mem_execute: false 0x21f.2-0x21f.3 (0.1)
0x00210| c0| .| mem_shared: false 0x21f.3-0x21f.4 (0.1)
0x00210| c0| .| mem_not_paged: false 0x21f.4-0x21f.5 (0.1)
0x00210| c0| .| mem_not_cached: false 0x21f.5-0x21f.6 (0.1)
0x00210| c0| .| mem_discardable: false 0x21f.6-0x21f.7 (0.1)
0x00210| c0| .| lnk_nreloc_ovfl: false 0x21f.7-0x220 (0.1)
| | | [2]{}: section 0x220-0x248 (40)
0x00220|2e 72 73 72 63 00 00 00 |.rsrc... | name: ".rsrc" 0x220-0x228 (8)
0x00220| 48 84 00 00 | H... | virtual_size: 33864 0x228-0x22c (4)
0x00220| 00 10 04 00| ....| virtual_address: 0x41000 0x22c-0x230 (4)
0x00230|00 86 00 00 |.... | size_of_raw_data: 34304 0x230-0x234 (4)
0x00230| 00 f8 03 00 | .... | pointer_to_raw_data: 0x3f800 0x234-0x238 (4)
0x00230| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x238-0x23c (4)
0x00230| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x23c-0x240 (4)
0x00240|00 00 |.. | number_of_relocations: 0 0x240-0x242 (2)
0x00240| 00 00 | .. | number_of_line_numbers: 0 0x242-0x244 (2)
| | | characteristics{}: 0x244-0x248 (4)
0x00240| 40 | @ | cnt_uninitialized_data: false 0x244-0x244.1 (0.1)
0x00240| 40 | @ | cnt_initialized_data: true 0x244.1-0x244.2 (0.1)
0x00240| 40 | @ | cnt_code: false 0x244.2-0x244.3 (0.1)
0x00240| 40 | @ | reserved: false 0x244.3-0x244.4 (0.1)
0x00240| 40 | @ | type_no_pad: false 0x244.4-0x244.5 (0.1)
0x00240| 40 | @ | reserved0: false 0x244.5-0x244.6 (0.1)
0x00240| 40 | @ | reserved1: false 0x244.6-0x244.7 (0.1)
0x00240| 40 | @ | reserved2: false 0x244.7-0x245 (0.1)
0x00240| 00 | . | gprel: false 0x245-0x245.1 (0.1)
0x00240| 00 | . | unknown0: false 0x245.1-0x245.2 (0.1)
0x00240| 00 | . | unknown1: false 0x245.2-0x245.3 (0.1)
0x00240| 00 | . | lnk_comdat: false 0x245.3-0x245.4 (0.1)
0x00240| 00 | . | lnk_remove: false 0x245.4-0x245.5 (0.1)
0x00240| 00 | . | reserved3: false 0x245.5-0x245.6 (0.1)
0x00240| 00 | . | lnk_info: false 0x245.6-0x245.7 (0.1)
0x00240| 00 | . | lnk_other: false 0x245.7-0x246 (0.1)
0x00240| 00 | . | align_128bytes: false 0x246-0x246.1 (0.1)
0x00240| 00 | . | align_8bytes: false 0x246.1-0x246.2 (0.1)
0x00240| 00 | . | align_2bytes: false 0x246.2-0x246.3 (0.1)
0x00240| 00 | . | align_1bytes: false 0x246.3-0x246.4 (0.1)
0x00240| 00 | . | mem_preload: false 0x246.4-0x246.5 (0.1)
0x00240| 00 | . | mem_locked: false 0x246.5-0x246.6 (0.1)
0x00240| 00 | . | mem_16bit: false 0x246.6-0x246.7 (0.1)
0x00240| 00 | . | mem_purgeable: false 0x246.7-0x247 (0.1)
0x00240| 40 | @ | mem_write: false 0x247-0x247.1 (0.1)
0x00240| 40 | @ | mem_read: true 0x247.1-0x247.2 (0.1)
0x00240| 40 | @ | mem_execute: false 0x247.2-0x247.3 (0.1)
0x00240| 40 | @ | mem_shared: false 0x247.3-0x247.4 (0.1)
0x00240| 40 | @ | mem_not_paged: false 0x247.4-0x247.5 (0.1)
0x00240| 40 | @ | mem_not_cached: false 0x247.5-0x247.6 (0.1)
0x00240| 40 | @ | mem_discardable: false 0x247.6-0x247.7 (0.1)
0x00240| 40 | @ | lnk_nreloc_ovfl: false 0x247.7-0x248 (0.1)
| | | [3]{}: section 0x248-0x270 (40)
0x00240| 2e 72 65 6c 6f 63 00 00| .reloc..| name: ".reloc" 0x248-0x250 (8)
0x00250|1c 1b 00 00 |.... | virtual_size: 6940 0x250-0x254 (4)
0x00250| 00 a0 04 00 | .... | virtual_address: 0x4a000 0x254-0x258 (4)
0x00250| 00 1c 00 00 | .... | size_of_raw_data: 7168 0x258-0x25c (4)
0x00250| 00 7e 04 00| .~..| pointer_to_raw_data: 0x47e00 0x25c-0x260 (4)
0x00260|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x260-0x264 (4)
0x00260| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x264-0x268 (4)
0x00260| 00 00 | .. | number_of_relocations: 0 0x268-0x26a (2)
0x00260| 00 00 | .. | number_of_line_numbers: 0 0x26a-0x26c (2)
| | | characteristics{}: 0x26c-0x270 (4)
0x00260| 40 | @ | cnt_uninitialized_data: false 0x26c-0x26c.1 (0.1)
0x00260| 40 | @ | cnt_initialized_data: true 0x26c.1-0x26c.2 (0.1)
0x00260| 40 | @ | cnt_code: false 0x26c.2-0x26c.3 (0.1)
0x00260| 40 | @ | reserved: false 0x26c.3-0x26c.4 (0.1)
0x00260| 40 | @ | type_no_pad: false 0x26c.4-0x26c.5 (0.1)
0x00260| 40 | @ | reserved0: false 0x26c.5-0x26c.6 (0.1)
0x00260| 40 | @ | reserved1: false 0x26c.6-0x26c.7 (0.1)
0x00260| 40 | @ | reserved2: false 0x26c.7-0x26d (0.1)
0x00260| 00 | . | gprel: false 0x26d-0x26d.1 (0.1)
0x00260| 00 | . | unknown0: false 0x26d.1-0x26d.2 (0.1)
0x00260| 00 | . | unknown1: false 0x26d.2-0x26d.3 (0.1)
0x00260| 00 | . | lnk_comdat: false 0x26d.3-0x26d.4 (0.1)
0x00260| 00 | . | lnk_remove: false 0x26d.4-0x26d.5 (0.1)
0x00260| 00 | . | reserved3: false 0x26d.5-0x26d.6 (0.1)
0x00260| 00 | . | lnk_info: false 0x26d.6-0x26d.7 (0.1)
0x00260| 00 | . | lnk_other: false 0x26d.7-0x26e (0.1)
0x00260| 00 | . | align_128bytes: false 0x26e-0x26e.1 (0.1)
0x00260| 00 | . | align_8bytes: false 0x26e.1-0x26e.2 (0.1)
0x00260| 00 | . | align_2bytes: false 0x26e.2-0x26e.3 (0.1)
0x00260| 00 | . | align_1bytes: false 0x26e.3-0x26e.4 (0.1)
0x00260| 00 | . | mem_preload: false 0x26e.4-0x26e.5 (0.1)
0x00260| 00 | . | mem_locked: false 0x26e.5-0x26e.6 (0.1)
0x00260| 00 | . | mem_16bit: false 0x26e.6-0x26e.7 (0.1)
0x00260| 00 | . | mem_purgeable: false 0x26e.7-0x26f (0.1)
0x00260| 42| B| mem_write: false 0x26f-0x26f.1 (0.1)
0x00260| 42| B| mem_read: true 0x26f.1-0x26f.2 (0.1)
0x00260| 42| B| mem_execute: false 0x26f.2-0x26f.3 (0.1)
0x00260| 42| B| mem_shared: false 0x26f.3-0x26f.4 (0.1)
0x00260| 42| B| mem_not_paged: false 0x26f.4-0x26f.5 (0.1)
0x00260| 42| B| mem_not_cached: false 0x26f.5-0x26f.6 (0.1)
0x00260| 42| B| mem_discardable: true 0x26f.6-0x26f.7 (0.1)
0x00260| 42| B| lnk_nreloc_ovfl: false 0x26f.7-0x270 (0.1)
0x00270|6f da 5b 4a 38 00 00 00 db da 5b 4a 43 00 00 00|o.[J8.....[JC...| gap0: raw bits 0x270-0x49a00 (300944)
* |until 0x499ff.7 (end) (300944) | |

BIN
format/pe/testdata/pe-cygwin-ls.exe vendored Executable file
View File

Binary file not shown.

525
format/pe/testdata/pe-cygwin-ls.exe.fqtest vendored Normal file
View File

@ -0,0 +1,525 @@
$ fq dv pe-cygwin-ls.exe
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-cygwin-ls.exe (pe) 0x0-0x2101d (135197)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0x80 (128)
0x00000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x2 (2)
0x00000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x4 (2)
0x00000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x6 (2)
0x00000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x8 (2)
0x00000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0xa (2)
0x00000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xc (2)
0x00000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xe (2)
0x00000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0x10 (2)
0x00010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x12 (2)
0x00010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x14 (2)
0x00010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x16 (2)
0x00010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x18 (2)
0x00010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x1a (2)
0x00010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1c (2)
0x00010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x24 (8)
0x00020|00 00 00 00 |.... |
0x00020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x26 (2)
0x00020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x28 (2)
0x00020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3c (20)
0x00030|00 00 00 00 00 00 00 00 00 00 00 00 |............ |
0x00030| 80 00 00 00| ....| e_lfanew: 128 (File address of new exe header) 0x3c-0x40 (4)
0x00040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x80 (64)
* |until 0x7f.7 (64) | |
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0x80-0x2101d (135069)
0x00080|50 45 00 00 |PE.. | signature: raw bits (valid) 0x80-0x84 (4)
0x00080| 4c 01 | L. | machine: "i386" (0x14c) 0x84-0x86 (2)
0x00080| 09 00 | .. | number_of_sections: 9 0x86-0x88 (2)
0x00080| 00 00 11 00 | .... | time_date_stamp: 1114112 (1970-01-13T21:28:32Z) 0x88-0x8c (4)
0x00080| 00 10 02 00| ....| pointer_to_symbol_table: 0x21000 0x8c-0x90 (4)
0x00090|00 00 00 00 |.... | number_of_symbols: 0 0x90-0x94 (4)
0x00090| e0 00 | .. | size_of_optional_header: 224 0x94-0x96 (2)
| | | characteristics{}: 0x96-0x98 (2)
0x00090| 2f | / | bytes_reversed_lo: false 0x96-0x96.1 (0.1)
0x00090| 2f | / | reserved: false 0x96.1-0x96.2 (0.1)
0x00090| 2f | / | large_address_aware: true 0x96.2-0x96.3 (0.1)
0x00090| 2f | / | aggressive_ws_trim: false 0x96.3-0x96.4 (0.1)
0x00090| 2f | / | local_syms_stripped: true 0x96.4-0x96.5 (0.1)
0x00090| 2f | / | line_nums_stripped: true 0x96.5-0x96.6 (0.1)
0x00090| 2f | / | executable_image: true 0x96.6-0x96.7 (0.1)
0x00090| 2f | / | relocs_stripped: true 0x96.7-0x97 (0.1)
0x00090| 01 | . | bytes_reversed_hi: false 0x97-0x97.1 (0.1)
0x00090| 01 | . | up_system_only: false 0x97.1-0x97.2 (0.1)
0x00090| 01 | . | dll: false 0x97.2-0x97.3 (0.1)
0x00090| 01 | . | system: false 0x97.3-0x97.4 (0.1)
0x00090| 01 | . | net_run_from_swap: false 0x97.4-0x97.5 (0.1)
0x00090| 01 | . | removable_run_from_swap: false 0x97.5-0x97.6 (0.1)
0x00090| 01 | . | debug_stripped: false 0x97.6-0x97.7 (0.1)
0x00090| 01 | . | 32bit_machine: true 0x97.7-0x98 (0.1)
| | | optional_header{}: 0x98-0x178 (224)
0x00090| 0b 01 | .. | format: "pe32" (0x10b) 0x98-0x9a (2)
0x00090| 02 | . | major_linker_version: 2 0x9a-0x9b (1)
0x00090| 19 | . | minor_linker_version: 25 0x9b-0x9c (1)
0x00090| 00 4e 01 00| .N..| size_of_code: 85504 0x9c-0xa0 (4)
0x000a0|00 0a 02 00 |.... | size_of_initialized_data: 133632 0xa0-0xa4 (4)
0x000a0| 00 16 00 00 | .... | size_of_uninitialized_data: 5632 0xa4-0xa8 (4)
0x000a0| 00 10 00 00 | .... | address_of_entry_point: 0x1000 0xa8-0xac (4)
0x000a0| 00 10 00 00| ....| base_of_code: 0x1000 0xac-0xb0 (4)
0x000b0|00 60 01 00 |.`.. | base_of_data: 0x16000 0xb0-0xb4 (4)
0x000b0| 00 00 40 00 | ..@. | image_base: 0x400000 0xb4-0xb8 (4)
0x000b0| 00 10 00 00 | .... | section_alignment: 4096 0xb8-0xbc (4)
0x000b0| 00 02 00 00| ....| file_alignment: 512 0xbc-0xc0 (4)
0x000c0|04 00 |.. | major_os_version: 4 0xc0-0xc2 (2)
0x000c0| 00 00 | .. | minor_os_version: 0 0xc2-0xc4 (2)
0x000c0| 01 00 | .. | major_image_version: 1 0xc4-0xc6 (2)
0x000c0| 00 00 | .. | minor_image_version: 0 0xc6-0xc8 (2)
0x000c0| 04 00 | .. | major_subsystem_version: 4 0xc8-0xca (2)
0x000c0| 00 00 | .. | minor_subsystem_version: 0 0xca-0xcc (2)
0x000c0| 00 00 00 00| ....| win32_version: 0 0xcc-0xd0 (4)
0x000d0|00 80 02 00 |.... | size_of_image: 163840 0xd0-0xd4 (4)
0x000d0| 00 04 00 00 | .... | size_of_headers: 1024 0xd4-0xd8 (4)
0x000d0| 4c 89 02 00 | L... | chunk_sum: 0x2894c 0xd8-0xdc (4)
0x000d0| 03 00 | .. | subsystem: "windows_cui" (3) 0xdc-0xde (2)
| | | dll_characteristics{}: 0xde-0xe0 (2)
0x000d0| 00 | . | force_integrity: false 0xde-0xde.1 (0.1)
0x000d0| 00 | . | dynamic_base: false 0xde.1-0xde.2 (0.1)
0x000d0| 00 | . | high_entropy_va: false 0xde.2-0xde.3 (0.1)
0x000d0| 00 | . | reserved0: false 0xde.3-0xde.4 (0.1)
0x000d0| 00 | . | reserved1: false 0xde.4-0xde.5 (0.1)
0x000d0| 00 | . | reserved2: false 0xde.5-0xde.6 (0.1)
0x000d0| 00 | . | reserved3: false 0xde.6-0xde.7 (0.1)
0x000d0| 00 | . | reserved4: false 0xde.7-0xdf (0.1)
0x000d0| 80| .| terminal_server_aware: true 0xdf-0xdf.1 (0.1)
0x000d0| 80| .| guard_cf: false 0xdf.1-0xdf.2 (0.1)
0x000d0| 80| .| wdm_driver: false 0xdf.2-0xdf.3 (0.1)
0x000d0| 80| .| appcontainer: false 0xdf.3-0xdf.4 (0.1)
0x000d0| 80| .| no_bind: false 0xdf.4-0xdf.5 (0.1)
0x000d0| 80| .| no_seh: false 0xdf.5-0xdf.6 (0.1)
0x000d0| 80| .| no_isolation: false 0xdf.6-0xdf.7 (0.1)
0x000d0| 80| .| nx_compat: false 0xdf.7-0xe0 (0.1)
0x000e0|00 00 20 00 |.. . | size_of_track_reserve: 2097152 0xe0-0xe4 (4)
0x000e0| 00 10 00 00 | .... | size_of_stack_commit: 4096 0xe4-0xe8 (4)
0x000e0| 00 00 10 00 | .... | size_of_heap_reserve: 1048576 0xe8-0xec (4)
0x000e0| 00 10 00 00| ....| size_of_heap_commit: 4096 0xec-0xf0 (4)
0x000f0|00 00 00 00 |.... | loader_flags: 0 0xf0-0xf4 (4)
0x000f0| 10 00 00 00 | .... | number_of_rva_and_sizes: 16 0xf4-0xf8 (4)
0x000f0| 00 00 00 00 | .... | export_table_address: 0x0 0xf8-0xfc (4)
0x000f0| 00 00 00 00| ....| export_table_size: 0 0xfc-0x100 (4)
0x00100|00 50 02 00 |.P.. | import_table_address: 0x25000 0x100-0x104 (4)
0x00100| 30 0e 00 00 | 0... | import_table_size: 3632 0x104-0x108 (4)
0x00100| 00 60 02 00 | .`.. | resource_table_address: 0x26000 0x108-0x10c (4)
0x00100| e8 04 00 00| ....| resource_table_size: 1256 0x10c-0x110 (4)
0x00110|00 00 00 00 |.... | exception_table_address: 0x0 0x110-0x114 (4)
0x00110| 00 00 00 00 | .... | exception_table_size: 0 0x114-0x118 (4)
0x00110| 00 00 00 00 | .... | certificate_table_address: 0x0 0x118-0x11c (4)
0x00110| 00 00 00 00| ....| certificate_table_size: 0 0x11c-0x120 (4)
0x00120|00 00 00 00 |.... | base_relocation_table_address: 0x0 0x120-0x124 (4)
0x00120| 00 00 00 00 | .... | base_relocation_table_size: 0 0x124-0x128 (4)
0x00120| 00 e0 01 00 | .... | debug_address: 0x1e000 0x128-0x12c (4)
0x00120| 1c 00 00 00| ....| debug_size: 28 0x12c-0x130 (4)
0x00130|00 00 00 00 00 00 00 00 |........ | architecture: 0 0x130-0x138 (8)
0x00130| 00 00 00 00 00 00 00 00| ........| global_ptr: 0x0 0x138-0x140 (8)
0x00140|00 00 00 00 |.... | tls_table_address: 0x0 0x140-0x144 (4)
0x00140| 00 00 00 00 | .... | tls_table_size: 0 0x144-0x148 (4)
0x00140| 00 00 00 00 | .... | load_config_table_address: 0x0 0x148-0x14c (4)
0x00140| 00 00 00 00| ....| load_config_table_size: 0 0x14c-0x150 (4)
0x00150|00 00 00 00 |.... | bound_import_address: 0x0 0x150-0x154 (4)
0x00150| 00 00 00 00 | .... | bound_import_size: 0 0x154-0x158 (4)
0x00150| 8c 52 02 00 | .R.. | iat_address: 0x2528c 0x158-0x15c (4)
0x00150| 28 02 00 00| (...| iat_size: 552 0x15c-0x160 (4)
0x00160|00 00 00 00 |.... | delay_import_descriptor_address: 0x0 0x160-0x164 (4)
0x00160| 00 00 00 00 | .... | delay_import_descriptor_size: 0 0x164-0x168 (4)
0x00160| 00 00 00 00 | .... | clr_runtime_header_address: 0x0 0x168-0x16c (4)
0x00160| 00 00 00 00| ....| clr_runtime_header_size: 0 0x16c-0x170 (4)
0x00170|00 00 00 00 00 00 00 00 |........ | reserved: 0 0x170-0x178 (8)
| | | unknown: raw bits 0x178-0x178 (0)
| | | sections[0:9]: 0x178-0x2e0 (360)
| | | [0]{}: section 0x178-0x1a0 (40)
0x00170| 2e 74 65 78 74 00 00 00| .text...| name: ".text" 0x178-0x180 (8)
0x00180|04 4c 01 00 |.L.. | virtual_size: 84996 0x180-0x184 (4)
0x00180| 00 10 00 00 | .... | virtual_address: 0x1000 0x184-0x188 (4)
0x00180| 00 4e 01 00 | .N.. | size_of_raw_data: 85504 0x188-0x18c (4)
0x00180| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x18c-0x190 (4)
0x00190|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x190-0x194 (4)
0x00190| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x194-0x198 (4)
0x00190| 00 00 | .. | number_of_relocations: 0 0x198-0x19a (2)
0x00190| 00 00 | .. | number_of_line_numbers: 0 0x19a-0x19c (2)
| | | characteristics{}: 0x19c-0x1a0 (4)
0x00190| 60 | ` | cnt_uninitialized_data: false 0x19c-0x19c.1 (0.1)
0x00190| 60 | ` | cnt_initialized_data: true 0x19c.1-0x19c.2 (0.1)
0x00190| 60 | ` | cnt_code: true 0x19c.2-0x19c.3 (0.1)
0x00190| 60 | ` | reserved: false 0x19c.3-0x19c.4 (0.1)
0x00190| 60 | ` | type_no_pad: false 0x19c.4-0x19c.5 (0.1)
0x00190| 60 | ` | reserved0: false 0x19c.5-0x19c.6 (0.1)
0x00190| 60 | ` | reserved1: false 0x19c.6-0x19c.7 (0.1)
0x00190| 60 | ` | reserved2: false 0x19c.7-0x19d (0.1)
0x00190| 00 | . | gprel: false 0x19d-0x19d.1 (0.1)
0x00190| 00 | . | unknown0: false 0x19d.1-0x19d.2 (0.1)
0x00190| 00 | . | unknown1: false 0x19d.2-0x19d.3 (0.1)
0x00190| 00 | . | lnk_comdat: false 0x19d.3-0x19d.4 (0.1)
0x00190| 00 | . | lnk_remove: false 0x19d.4-0x19d.5 (0.1)
0x00190| 00 | . | reserved3: false 0x19d.5-0x19d.6 (0.1)
0x00190| 00 | . | lnk_info: false 0x19d.6-0x19d.7 (0.1)
0x00190| 00 | . | lnk_other: false 0x19d.7-0x19e (0.1)
0x00190| 50 | P | align_128bytes: false 0x19e-0x19e.1 (0.1)
0x00190| 50 | P | align_8bytes: true 0x19e.1-0x19e.2 (0.1)
0x00190| 50 | P | align_2bytes: false 0x19e.2-0x19e.3 (0.1)
0x00190| 50 | P | align_1bytes: true 0x19e.3-0x19e.4 (0.1)
0x00190| 50 | P | mem_preload: false 0x19e.4-0x19e.5 (0.1)
0x00190| 50 | P | mem_locked: false 0x19e.5-0x19e.6 (0.1)
0x00190| 50 | P | mem_16bit: false 0x19e.6-0x19e.7 (0.1)
0x00190| 50 | P | mem_purgeable: false 0x19e.7-0x19f (0.1)
0x00190| 60| `| mem_write: false 0x19f-0x19f.1 (0.1)
0x00190| 60| `| mem_read: true 0x19f.1-0x19f.2 (0.1)
0x00190| 60| `| mem_execute: true 0x19f.2-0x19f.3 (0.1)
0x00190| 60| `| mem_shared: false 0x19f.3-0x19f.4 (0.1)
0x00190| 60| `| mem_not_paged: false 0x19f.4-0x19f.5 (0.1)
0x00190| 60| `| mem_not_cached: false 0x19f.5-0x19f.6 (0.1)
0x00190| 60| `| mem_discardable: false 0x19f.6-0x19f.7 (0.1)
0x00190| 60| `| lnk_nreloc_ovfl: false 0x19f.7-0x1a0 (0.1)
| | | [1]{}: section 0x1a0-0x1c8 (40)
0x001a0|2e 64 61 74 61 00 00 00 |.data... | name: ".data" 0x1a0-0x1a8 (8)
0x001a0| c4 01 00 00 | .... | virtual_size: 452 0x1a8-0x1ac (4)
0x001a0| 00 60 01 00| .`..| virtual_address: 0x16000 0x1ac-0x1b0 (4)
0x001b0|00 02 00 00 |.... | size_of_raw_data: 512 0x1b0-0x1b4 (4)
0x001b0| 00 52 01 00 | .R.. | pointer_to_raw_data: 0x15200 0x1b4-0x1b8 (4)
0x001b0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1b8-0x1bc (4)
0x001b0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1bc-0x1c0 (4)
0x001c0|00 00 |.. | number_of_relocations: 0 0x1c0-0x1c2 (2)
0x001c0| 00 00 | .. | number_of_line_numbers: 0 0x1c2-0x1c4 (2)
| | | characteristics{}: 0x1c4-0x1c8 (4)
0x001c0| 40 | @ | cnt_uninitialized_data: false 0x1c4-0x1c4.1 (0.1)
0x001c0| 40 | @ | cnt_initialized_data: true 0x1c4.1-0x1c4.2 (0.1)
0x001c0| 40 | @ | cnt_code: false 0x1c4.2-0x1c4.3 (0.1)
0x001c0| 40 | @ | reserved: false 0x1c4.3-0x1c4.4 (0.1)
0x001c0| 40 | @ | type_no_pad: false 0x1c4.4-0x1c4.5 (0.1)
0x001c0| 40 | @ | reserved0: false 0x1c4.5-0x1c4.6 (0.1)
0x001c0| 40 | @ | reserved1: false 0x1c4.6-0x1c4.7 (0.1)
0x001c0| 40 | @ | reserved2: false 0x1c4.7-0x1c5 (0.1)
0x001c0| 00 | . | gprel: false 0x1c5-0x1c5.1 (0.1)
0x001c0| 00 | . | unknown0: false 0x1c5.1-0x1c5.2 (0.1)
0x001c0| 00 | . | unknown1: false 0x1c5.2-0x1c5.3 (0.1)
0x001c0| 00 | . | lnk_comdat: false 0x1c5.3-0x1c5.4 (0.1)
0x001c0| 00 | . | lnk_remove: false 0x1c5.4-0x1c5.5 (0.1)
0x001c0| 00 | . | reserved3: false 0x1c5.5-0x1c5.6 (0.1)
0x001c0| 00 | . | lnk_info: false 0x1c5.6-0x1c5.7 (0.1)
0x001c0| 00 | . | lnk_other: false 0x1c5.7-0x1c6 (0.1)
0x001c0| 60 | ` | align_128bytes: false 0x1c6-0x1c6.1 (0.1)
0x001c0| 60 | ` | align_8bytes: true 0x1c6.1-0x1c6.2 (0.1)
0x001c0| 60 | ` | align_2bytes: true 0x1c6.2-0x1c6.3 (0.1)
0x001c0| 60 | ` | align_1bytes: false 0x1c6.3-0x1c6.4 (0.1)
0x001c0| 60 | ` | mem_preload: false 0x1c6.4-0x1c6.5 (0.1)
0x001c0| 60 | ` | mem_locked: false 0x1c6.5-0x1c6.6 (0.1)
0x001c0| 60 | ` | mem_16bit: false 0x1c6.6-0x1c6.7 (0.1)
0x001c0| 60 | ` | mem_purgeable: false 0x1c6.7-0x1c7 (0.1)
0x001c0| c0 | . | mem_write: true 0x1c7-0x1c7.1 (0.1)
0x001c0| c0 | . | mem_read: true 0x1c7.1-0x1c7.2 (0.1)
0x001c0| c0 | . | mem_execute: false 0x1c7.2-0x1c7.3 (0.1)
0x001c0| c0 | . | mem_shared: false 0x1c7.3-0x1c7.4 (0.1)
0x001c0| c0 | . | mem_not_paged: false 0x1c7.4-0x1c7.5 (0.1)
0x001c0| c0 | . | mem_not_cached: false 0x1c7.5-0x1c7.6 (0.1)
0x001c0| c0 | . | mem_discardable: false 0x1c7.6-0x1c7.7 (0.1)
0x001c0| c0 | . | lnk_nreloc_ovfl: false 0x1c7.7-0x1c8 (0.1)
| | | [2]{}: section 0x1c8-0x1f0 (40)
0x001c0| 2e 72 64 61 74 61 00 00| .rdata..| name: ".rdata" 0x1c8-0x1d0 (8)
0x001d0|70 65 00 00 |pe.. | virtual_size: 25968 0x1d0-0x1d4 (4)
0x001d0| 00 70 01 00 | .p.. | virtual_address: 0x17000 0x1d4-0x1d8 (4)
0x001d0| 00 66 00 00 | .f.. | size_of_raw_data: 26112 0x1d8-0x1dc (4)
0x001d0| 00 54 01 00| .T..| pointer_to_raw_data: 0x15400 0x1dc-0x1e0 (4)
0x001e0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x1e0-0x1e4 (4)
0x001e0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x1e4-0x1e8 (4)
0x001e0| 00 00 | .. | number_of_relocations: 0 0x1e8-0x1ea (2)
0x001e0| 00 00 | .. | number_of_line_numbers: 0 0x1ea-0x1ec (2)
| | | characteristics{}: 0x1ec-0x1f0 (4)
0x001e0| 40 | @ | cnt_uninitialized_data: false 0x1ec-0x1ec.1 (0.1)
0x001e0| 40 | @ | cnt_initialized_data: true 0x1ec.1-0x1ec.2 (0.1)
0x001e0| 40 | @ | cnt_code: false 0x1ec.2-0x1ec.3 (0.1)
0x001e0| 40 | @ | reserved: false 0x1ec.3-0x1ec.4 (0.1)
0x001e0| 40 | @ | type_no_pad: false 0x1ec.4-0x1ec.5 (0.1)
0x001e0| 40 | @ | reserved0: false 0x1ec.5-0x1ec.6 (0.1)
0x001e0| 40 | @ | reserved1: false 0x1ec.6-0x1ec.7 (0.1)
0x001e0| 40 | @ | reserved2: false 0x1ec.7-0x1ed (0.1)
0x001e0| 00 | . | gprel: false 0x1ed-0x1ed.1 (0.1)
0x001e0| 00 | . | unknown0: false 0x1ed.1-0x1ed.2 (0.1)
0x001e0| 00 | . | unknown1: false 0x1ed.2-0x1ed.3 (0.1)
0x001e0| 00 | . | lnk_comdat: false 0x1ed.3-0x1ed.4 (0.1)
0x001e0| 00 | . | lnk_remove: false 0x1ed.4-0x1ed.5 (0.1)
0x001e0| 00 | . | reserved3: false 0x1ed.5-0x1ed.6 (0.1)
0x001e0| 00 | . | lnk_info: false 0x1ed.6-0x1ed.7 (0.1)
0x001e0| 00 | . | lnk_other: false 0x1ed.7-0x1ee (0.1)
0x001e0| 60 | ` | align_128bytes: false 0x1ee-0x1ee.1 (0.1)
0x001e0| 60 | ` | align_8bytes: true 0x1ee.1-0x1ee.2 (0.1)
0x001e0| 60 | ` | align_2bytes: true 0x1ee.2-0x1ee.3 (0.1)
0x001e0| 60 | ` | align_1bytes: false 0x1ee.3-0x1ee.4 (0.1)
0x001e0| 60 | ` | mem_preload: false 0x1ee.4-0x1ee.5 (0.1)
0x001e0| 60 | ` | mem_locked: false 0x1ee.5-0x1ee.6 (0.1)
0x001e0| 60 | ` | mem_16bit: false 0x1ee.6-0x1ee.7 (0.1)
0x001e0| 60 | ` | mem_purgeable: false 0x1ee.7-0x1ef (0.1)
0x001e0| 40| @| mem_write: false 0x1ef-0x1ef.1 (0.1)
0x001e0| 40| @| mem_read: true 0x1ef.1-0x1ef.2 (0.1)
0x001e0| 40| @| mem_execute: false 0x1ef.2-0x1ef.3 (0.1)
0x001e0| 40| @| mem_shared: false 0x1ef.3-0x1ef.4 (0.1)
0x001e0| 40| @| mem_not_paged: false 0x1ef.4-0x1ef.5 (0.1)
0x001e0| 40| @| mem_not_cached: false 0x1ef.5-0x1ef.6 (0.1)
0x001e0| 40| @| mem_discardable: false 0x1ef.6-0x1ef.7 (0.1)
0x001e0| 40| @| lnk_nreloc_ovfl: false 0x1ef.7-0x1f0 (0.1)
| | | [3]{}: section 0x1f0-0x218 (40)
0x001f0|2e 62 75 69 6c 64 69 64 |.buildid | name: ".buildid" 0x1f0-0x1f8 (8)
0x001f0| 35 00 00 00 | 5... | virtual_size: 53 0x1f8-0x1fc (4)
0x001f0| 00 e0 01 00| ....| virtual_address: 0x1e000 0x1fc-0x200 (4)
0x00200|00 02 00 00 |.... | size_of_raw_data: 512 0x200-0x204 (4)
0x00200| 00 ba 01 00 | .... | pointer_to_raw_data: 0x1ba00 0x204-0x208 (4)
0x00200| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x208-0x20c (4)
0x00200| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x20c-0x210 (4)
0x00210|00 00 |.. | number_of_relocations: 0 0x210-0x212 (2)
0x00210| 00 00 | .. | number_of_line_numbers: 0 0x212-0x214 (2)
| | | characteristics{}: 0x214-0x218 (4)
0x00210| 40 | @ | cnt_uninitialized_data: false 0x214-0x214.1 (0.1)
0x00210| 40 | @ | cnt_initialized_data: true 0x214.1-0x214.2 (0.1)
0x00210| 40 | @ | cnt_code: false 0x214.2-0x214.3 (0.1)
0x00210| 40 | @ | reserved: false 0x214.3-0x214.4 (0.1)
0x00210| 40 | @ | type_no_pad: false 0x214.4-0x214.5 (0.1)
0x00210| 40 | @ | reserved0: false 0x214.5-0x214.6 (0.1)
0x00210| 40 | @ | reserved1: false 0x214.6-0x214.7 (0.1)
0x00210| 40 | @ | reserved2: false 0x214.7-0x215 (0.1)
0x00210| 00 | . | gprel: false 0x215-0x215.1 (0.1)
0x00210| 00 | . | unknown0: false 0x215.1-0x215.2 (0.1)
0x00210| 00 | . | unknown1: false 0x215.2-0x215.3 (0.1)
0x00210| 00 | . | lnk_comdat: false 0x215.3-0x215.4 (0.1)
0x00210| 00 | . | lnk_remove: false 0x215.4-0x215.5 (0.1)
0x00210| 00 | . | reserved3: false 0x215.5-0x215.6 (0.1)
0x00210| 00 | . | lnk_info: false 0x215.6-0x215.7 (0.1)
0x00210| 00 | . | lnk_other: false 0x215.7-0x216 (0.1)
0x00210| 30 | 0 | align_128bytes: false 0x216-0x216.1 (0.1)
0x00210| 30 | 0 | align_8bytes: false 0x216.1-0x216.2 (0.1)
0x00210| 30 | 0 | align_2bytes: true 0x216.2-0x216.3 (0.1)
0x00210| 30 | 0 | align_1bytes: true 0x216.3-0x216.4 (0.1)
0x00210| 30 | 0 | mem_preload: false 0x216.4-0x216.5 (0.1)
0x00210| 30 | 0 | mem_locked: false 0x216.5-0x216.6 (0.1)
0x00210| 30 | 0 | mem_16bit: false 0x216.6-0x216.7 (0.1)
0x00210| 30 | 0 | mem_purgeable: false 0x216.7-0x217 (0.1)
0x00210| 40 | @ | mem_write: false 0x217-0x217.1 (0.1)
0x00210| 40 | @ | mem_read: true 0x217.1-0x217.2 (0.1)
0x00210| 40 | @ | mem_execute: false 0x217.2-0x217.3 (0.1)
0x00210| 40 | @ | mem_shared: false 0x217.3-0x217.4 (0.1)
0x00210| 40 | @ | mem_not_paged: false 0x217.4-0x217.5 (0.1)
0x00210| 40 | @ | mem_not_cached: false 0x217.5-0x217.6 (0.1)
0x00210| 40 | @ | mem_discardable: false 0x217.6-0x217.7 (0.1)
0x00210| 40 | @ | lnk_nreloc_ovfl: false 0x217.7-0x218 (0.1)
| | | [4]{}: section 0x218-0x240 (40)
0x00210| 2f 34 00 00 00 00 00 00| /4......| name: ".eh_frame" ("/4") 0x218-0x220 (8)
0x00220|0c 3a 00 00 |.:.. | virtual_size: 14860 0x220-0x224 (4)
0x00220| 00 f0 01 00 | .... | virtual_address: 0x1f000 0x224-0x228 (4)
0x00220| 00 3c 00 00 | .<.. | size_of_raw_data: 15360 0x228-0x22c (4)
0x00220| 00 bc 01 00| ....| pointer_to_raw_data: 0x1bc00 0x22c-0x230 (4)
0x00230|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x230-0x234 (4)
0x00230| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x234-0x238 (4)
0x00230| 00 00 | .. | number_of_relocations: 0 0x238-0x23a (2)
0x00230| 00 00 | .. | number_of_line_numbers: 0 0x23a-0x23c (2)
| | | characteristics{}: 0x23c-0x240 (4)
0x00230| 40 | @ | cnt_uninitialized_data: false 0x23c-0x23c.1 (0.1)
0x00230| 40 | @ | cnt_initialized_data: true 0x23c.1-0x23c.2 (0.1)
0x00230| 40 | @ | cnt_code: false 0x23c.2-0x23c.3 (0.1)
0x00230| 40 | @ | reserved: false 0x23c.3-0x23c.4 (0.1)
0x00230| 40 | @ | type_no_pad: false 0x23c.4-0x23c.5 (0.1)
0x00230| 40 | @ | reserved0: false 0x23c.5-0x23c.6 (0.1)
0x00230| 40 | @ | reserved1: false 0x23c.6-0x23c.7 (0.1)
0x00230| 40 | @ | reserved2: false 0x23c.7-0x23d (0.1)
0x00230| 00 | . | gprel: false 0x23d-0x23d.1 (0.1)
0x00230| 00 | . | unknown0: false 0x23d.1-0x23d.2 (0.1)
0x00230| 00 | . | unknown1: false 0x23d.2-0x23d.3 (0.1)
0x00230| 00 | . | lnk_comdat: false 0x23d.3-0x23d.4 (0.1)
0x00230| 00 | . | lnk_remove: false 0x23d.4-0x23d.5 (0.1)
0x00230| 00 | . | reserved3: false 0x23d.5-0x23d.6 (0.1)
0x00230| 00 | . | lnk_info: false 0x23d.6-0x23d.7 (0.1)
0x00230| 00 | . | lnk_other: false 0x23d.7-0x23e (0.1)
0x00230| 30 | 0 | align_128bytes: false 0x23e-0x23e.1 (0.1)
0x00230| 30 | 0 | align_8bytes: false 0x23e.1-0x23e.2 (0.1)
0x00230| 30 | 0 | align_2bytes: true 0x23e.2-0x23e.3 (0.1)
0x00230| 30 | 0 | align_1bytes: true 0x23e.3-0x23e.4 (0.1)
0x00230| 30 | 0 | mem_preload: false 0x23e.4-0x23e.5 (0.1)
0x00230| 30 | 0 | mem_locked: false 0x23e.5-0x23e.6 (0.1)
0x00230| 30 | 0 | mem_16bit: false 0x23e.6-0x23e.7 (0.1)
0x00230| 30 | 0 | mem_purgeable: false 0x23e.7-0x23f (0.1)
0x00230| 40| @| mem_write: false 0x23f-0x23f.1 (0.1)
0x00230| 40| @| mem_read: true 0x23f.1-0x23f.2 (0.1)
0x00230| 40| @| mem_execute: false 0x23f.2-0x23f.3 (0.1)
0x00230| 40| @| mem_shared: false 0x23f.3-0x23f.4 (0.1)
0x00230| 40| @| mem_not_paged: false 0x23f.4-0x23f.5 (0.1)
0x00230| 40| @| mem_not_cached: false 0x23f.5-0x23f.6 (0.1)
0x00230| 40| @| mem_discardable: false 0x23f.6-0x23f.7 (0.1)
0x00230| 40| @| lnk_nreloc_ovfl: false 0x23f.7-0x240 (0.1)
| | | [5]{}: section 0x240-0x268 (40)
0x00240|2e 62 73 73 00 00 00 00 |.bss.... | name: ".bss" 0x240-0x248 (8)
0x00240| 74 15 00 00 | t... | virtual_size: 5492 0x248-0x24c (4)
0x00240| 00 30 02 00| .0..| virtual_address: 0x23000 0x24c-0x250 (4)
0x00250|00 00 00 00 |.... | size_of_raw_data: 0 0x250-0x254 (4)
0x00250| 00 00 00 00 | .... | pointer_to_raw_data: 0x0 0x254-0x258 (4)
0x00250| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x258-0x25c (4)
0x00250| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x25c-0x260 (4)
0x00260|00 00 |.. | number_of_relocations: 0 0x260-0x262 (2)
0x00260| 00 00 | .. | number_of_line_numbers: 0 0x262-0x264 (2)
| | | characteristics{}: 0x264-0x268 (4)
0x00260| 80 | . | cnt_uninitialized_data: true 0x264-0x264.1 (0.1)
0x00260| 80 | . | cnt_initialized_data: false 0x264.1-0x264.2 (0.1)
0x00260| 80 | . | cnt_code: false 0x264.2-0x264.3 (0.1)
0x00260| 80 | . | reserved: false 0x264.3-0x264.4 (0.1)
0x00260| 80 | . | type_no_pad: false 0x264.4-0x264.5 (0.1)
0x00260| 80 | . | reserved0: false 0x264.5-0x264.6 (0.1)
0x00260| 80 | . | reserved1: false 0x264.6-0x264.7 (0.1)
0x00260| 80 | . | reserved2: false 0x264.7-0x265 (0.1)
0x00260| 00 | . | gprel: false 0x265-0x265.1 (0.1)
0x00260| 00 | . | unknown0: false 0x265.1-0x265.2 (0.1)
0x00260| 00 | . | unknown1: false 0x265.2-0x265.3 (0.1)
0x00260| 00 | . | lnk_comdat: false 0x265.3-0x265.4 (0.1)
0x00260| 00 | . | lnk_remove: false 0x265.4-0x265.5 (0.1)
0x00260| 00 | . | reserved3: false 0x265.5-0x265.6 (0.1)
0x00260| 00 | . | lnk_info: false 0x265.6-0x265.7 (0.1)
0x00260| 00 | . | lnk_other: false 0x265.7-0x266 (0.1)
0x00260| 60 | ` | align_128bytes: false 0x266-0x266.1 (0.1)
0x00260| 60 | ` | align_8bytes: true 0x266.1-0x266.2 (0.1)
0x00260| 60 | ` | align_2bytes: true 0x266.2-0x266.3 (0.1)
0x00260| 60 | ` | align_1bytes: false 0x266.3-0x266.4 (0.1)
0x00260| 60 | ` | mem_preload: false 0x266.4-0x266.5 (0.1)
0x00260| 60 | ` | mem_locked: false 0x266.5-0x266.6 (0.1)
0x00260| 60 | ` | mem_16bit: false 0x266.6-0x266.7 (0.1)
0x00260| 60 | ` | mem_purgeable: false 0x266.7-0x267 (0.1)
0x00260| c0 | . | mem_write: true 0x267-0x267.1 (0.1)
0x00260| c0 | . | mem_read: true 0x267.1-0x267.2 (0.1)
0x00260| c0 | . | mem_execute: false 0x267.2-0x267.3 (0.1)
0x00260| c0 | . | mem_shared: false 0x267.3-0x267.4 (0.1)
0x00260| c0 | . | mem_not_paged: false 0x267.4-0x267.5 (0.1)
0x00260| c0 | . | mem_not_cached: false 0x267.5-0x267.6 (0.1)
0x00260| c0 | . | mem_discardable: false 0x267.6-0x267.7 (0.1)
0x00260| c0 | . | lnk_nreloc_ovfl: false 0x267.7-0x268 (0.1)
| | | [6]{}: section 0x268-0x290 (40)
0x00260| 2e 69 64 61 74 61 00 00| .idata..| name: ".idata" 0x268-0x270 (8)
0x00270|30 0e 00 00 |0... | virtual_size: 3632 0x270-0x274 (4)
0x00270| 00 50 02 00 | .P.. | virtual_address: 0x25000 0x274-0x278 (4)
0x00270| 00 10 00 00 | .... | size_of_raw_data: 4096 0x278-0x27c (4)
0x00270| 00 f8 01 00| ....| pointer_to_raw_data: 0x1f800 0x27c-0x280 (4)
0x00280|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x280-0x284 (4)
0x00280| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x284-0x288 (4)
0x00280| 00 00 | .. | number_of_relocations: 0 0x288-0x28a (2)
0x00280| 00 00 | .. | number_of_line_numbers: 0 0x28a-0x28c (2)
| | | characteristics{}: 0x28c-0x290 (4)
0x00280| 40 | @ | cnt_uninitialized_data: false 0x28c-0x28c.1 (0.1)
0x00280| 40 | @ | cnt_initialized_data: true 0x28c.1-0x28c.2 (0.1)
0x00280| 40 | @ | cnt_code: false 0x28c.2-0x28c.3 (0.1)
0x00280| 40 | @ | reserved: false 0x28c.3-0x28c.4 (0.1)
0x00280| 40 | @ | type_no_pad: false 0x28c.4-0x28c.5 (0.1)
0x00280| 40 | @ | reserved0: false 0x28c.5-0x28c.6 (0.1)
0x00280| 40 | @ | reserved1: false 0x28c.6-0x28c.7 (0.1)
0x00280| 40 | @ | reserved2: false 0x28c.7-0x28d (0.1)
0x00280| 00 | . | gprel: false 0x28d-0x28d.1 (0.1)
0x00280| 00 | . | unknown0: false 0x28d.1-0x28d.2 (0.1)
0x00280| 00 | . | unknown1: false 0x28d.2-0x28d.3 (0.1)
0x00280| 00 | . | lnk_comdat: false 0x28d.3-0x28d.4 (0.1)
0x00280| 00 | . | lnk_remove: false 0x28d.4-0x28d.5 (0.1)
0x00280| 00 | . | reserved3: false 0x28d.5-0x28d.6 (0.1)
0x00280| 00 | . | lnk_info: false 0x28d.6-0x28d.7 (0.1)
0x00280| 00 | . | lnk_other: false 0x28d.7-0x28e (0.1)
0x00280| 30 | 0 | align_128bytes: false 0x28e-0x28e.1 (0.1)
0x00280| 30 | 0 | align_8bytes: false 0x28e.1-0x28e.2 (0.1)
0x00280| 30 | 0 | align_2bytes: true 0x28e.2-0x28e.3 (0.1)
0x00280| 30 | 0 | align_1bytes: true 0x28e.3-0x28e.4 (0.1)
0x00280| 30 | 0 | mem_preload: false 0x28e.4-0x28e.5 (0.1)
0x00280| 30 | 0 | mem_locked: false 0x28e.5-0x28e.6 (0.1)
0x00280| 30 | 0 | mem_16bit: false 0x28e.6-0x28e.7 (0.1)
0x00280| 30 | 0 | mem_purgeable: false 0x28e.7-0x28f (0.1)
0x00280| c0| .| mem_write: true 0x28f-0x28f.1 (0.1)
0x00280| c0| .| mem_read: true 0x28f.1-0x28f.2 (0.1)
0x00280| c0| .| mem_execute: false 0x28f.2-0x28f.3 (0.1)
0x00280| c0| .| mem_shared: false 0x28f.3-0x28f.4 (0.1)
0x00280| c0| .| mem_not_paged: false 0x28f.4-0x28f.5 (0.1)
0x00280| c0| .| mem_not_cached: false 0x28f.5-0x28f.6 (0.1)
0x00280| c0| .| mem_discardable: false 0x28f.6-0x28f.7 (0.1)
0x00280| c0| .| lnk_nreloc_ovfl: false 0x28f.7-0x290 (0.1)
| | | [7]{}: section 0x290-0x2b8 (40)
0x00290|2e 72 73 72 63 00 00 00 |.rsrc... | name: ".rsrc" 0x290-0x298 (8)
0x00290| e8 04 00 00 | .... | virtual_size: 1256 0x298-0x29c (4)
0x00290| 00 60 02 00| .`..| virtual_address: 0x26000 0x29c-0x2a0 (4)
0x002a0|00 06 00 00 |.... | size_of_raw_data: 1536 0x2a0-0x2a4 (4)
0x002a0| 00 08 02 00 | .... | pointer_to_raw_data: 0x20800 0x2a4-0x2a8 (4)
0x002a0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2a8-0x2ac (4)
0x002a0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2ac-0x2b0 (4)
0x002b0|00 00 |.. | number_of_relocations: 0 0x2b0-0x2b2 (2)
0x002b0| 00 00 | .. | number_of_line_numbers: 0 0x2b2-0x2b4 (2)
| | | characteristics{}: 0x2b4-0x2b8 (4)
0x002b0| 40 | @ | cnt_uninitialized_data: false 0x2b4-0x2b4.1 (0.1)
0x002b0| 40 | @ | cnt_initialized_data: true 0x2b4.1-0x2b4.2 (0.1)
0x002b0| 40 | @ | cnt_code: false 0x2b4.2-0x2b4.3 (0.1)
0x002b0| 40 | @ | reserved: false 0x2b4.3-0x2b4.4 (0.1)
0x002b0| 40 | @ | type_no_pad: false 0x2b4.4-0x2b4.5 (0.1)
0x002b0| 40 | @ | reserved0: false 0x2b4.5-0x2b4.6 (0.1)
0x002b0| 40 | @ | reserved1: false 0x2b4.6-0x2b4.7 (0.1)
0x002b0| 40 | @ | reserved2: false 0x2b4.7-0x2b5 (0.1)
0x002b0| 00 | . | gprel: false 0x2b5-0x2b5.1 (0.1)
0x002b0| 00 | . | unknown0: false 0x2b5.1-0x2b5.2 (0.1)
0x002b0| 00 | . | unknown1: false 0x2b5.2-0x2b5.3 (0.1)
0x002b0| 00 | . | lnk_comdat: false 0x2b5.3-0x2b5.4 (0.1)
0x002b0| 00 | . | lnk_remove: false 0x2b5.4-0x2b5.5 (0.1)
0x002b0| 00 | . | reserved3: false 0x2b5.5-0x2b5.6 (0.1)
0x002b0| 00 | . | lnk_info: false 0x2b5.6-0x2b5.7 (0.1)
0x002b0| 00 | . | lnk_other: false 0x2b5.7-0x2b6 (0.1)
0x002b0| 30 | 0 | align_128bytes: false 0x2b6-0x2b6.1 (0.1)
0x002b0| 30 | 0 | align_8bytes: false 0x2b6.1-0x2b6.2 (0.1)
0x002b0| 30 | 0 | align_2bytes: true 0x2b6.2-0x2b6.3 (0.1)
0x002b0| 30 | 0 | align_1bytes: true 0x2b6.3-0x2b6.4 (0.1)
0x002b0| 30 | 0 | mem_preload: false 0x2b6.4-0x2b6.5 (0.1)
0x002b0| 30 | 0 | mem_locked: false 0x2b6.5-0x2b6.6 (0.1)
0x002b0| 30 | 0 | mem_16bit: false 0x2b6.6-0x2b6.7 (0.1)
0x002b0| 30 | 0 | mem_purgeable: false 0x2b6.7-0x2b7 (0.1)
0x002b0| c0 | . | mem_write: true 0x2b7-0x2b7.1 (0.1)
0x002b0| c0 | . | mem_read: true 0x2b7.1-0x2b7.2 (0.1)
0x002b0| c0 | . | mem_execute: false 0x2b7.2-0x2b7.3 (0.1)
0x002b0| c0 | . | mem_shared: false 0x2b7.3-0x2b7.4 (0.1)
0x002b0| c0 | . | mem_not_paged: false 0x2b7.4-0x2b7.5 (0.1)
0x002b0| c0 | . | mem_not_cached: false 0x2b7.5-0x2b7.6 (0.1)
0x002b0| c0 | . | mem_discardable: false 0x2b7.6-0x2b7.7 (0.1)
0x002b0| c0 | . | lnk_nreloc_ovfl: false 0x2b7.7-0x2b8 (0.1)
| | | [8]{}: section 0x2b8-0x2e0 (40)
0x002b0| 2f 31 34 00 00 00 00 00| /14.....| name: ".gnu_debuglink" ("/14") 0x2b8-0x2c0 (8)
0x002c0|10 00 00 00 |.... | virtual_size: 16 0x2c0-0x2c4 (4)
0x002c0| 00 70 02 00 | .p.. | virtual_address: 0x27000 0x2c4-0x2c8 (4)
0x002c0| 00 02 00 00 | .... | size_of_raw_data: 512 0x2c8-0x2cc (4)
0x002c0| 00 0e 02 00| ....| pointer_to_raw_data: 0x20e00 0x2cc-0x2d0 (4)
0x002d0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x2d0-0x2d4 (4)
0x002d0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x2d4-0x2d8 (4)
0x002d0| 00 00 | .. | number_of_relocations: 0 0x2d8-0x2da (2)
0x002d0| 00 00 | .. | number_of_line_numbers: 0 0x2da-0x2dc (2)
| | | characteristics{}: 0x2dc-0x2e0 (4)
0x002d0| 40 | @ | cnt_uninitialized_data: false 0x2dc-0x2dc.1 (0.1)
0x002d0| 40 | @ | cnt_initialized_data: true 0x2dc.1-0x2dc.2 (0.1)
0x002d0| 40 | @ | cnt_code: false 0x2dc.2-0x2dc.3 (0.1)
0x002d0| 40 | @ | reserved: false 0x2dc.3-0x2dc.4 (0.1)
0x002d0| 40 | @ | type_no_pad: false 0x2dc.4-0x2dc.5 (0.1)
0x002d0| 40 | @ | reserved0: false 0x2dc.5-0x2dc.6 (0.1)
0x002d0| 40 | @ | reserved1: false 0x2dc.6-0x2dc.7 (0.1)
0x002d0| 40 | @ | reserved2: false 0x2dc.7-0x2dd (0.1)
0x002d0| 00 | . | gprel: false 0x2dd-0x2dd.1 (0.1)
0x002d0| 00 | . | unknown0: false 0x2dd.1-0x2dd.2 (0.1)
0x002d0| 00 | . | unknown1: false 0x2dd.2-0x2dd.3 (0.1)
0x002d0| 00 | . | lnk_comdat: false 0x2dd.3-0x2dd.4 (0.1)
0x002d0| 00 | . | lnk_remove: false 0x2dd.4-0x2dd.5 (0.1)
0x002d0| 00 | . | reserved3: false 0x2dd.5-0x2dd.6 (0.1)
0x002d0| 00 | . | lnk_info: false 0x2dd.6-0x2dd.7 (0.1)
0x002d0| 00 | . | lnk_other: false 0x2dd.7-0x2de (0.1)
0x002d0| 30 | 0 | align_128bytes: false 0x2de-0x2de.1 (0.1)
0x002d0| 30 | 0 | align_8bytes: false 0x2de.1-0x2de.2 (0.1)
0x002d0| 30 | 0 | align_2bytes: true 0x2de.2-0x2de.3 (0.1)
0x002d0| 30 | 0 | align_1bytes: true 0x2de.3-0x2de.4 (0.1)
0x002d0| 30 | 0 | mem_preload: false 0x2de.4-0x2de.5 (0.1)
0x002d0| 30 | 0 | mem_locked: false 0x2de.5-0x2de.6 (0.1)
0x002d0| 30 | 0 | mem_16bit: false 0x2de.6-0x2de.7 (0.1)
0x002d0| 30 | 0 | mem_purgeable: false 0x2de.7-0x2df (0.1)
0x002d0| 42| B| mem_write: false 0x2df-0x2df.1 (0.1)
0x002d0| 42| B| mem_read: true 0x2df.1-0x2df.2 (0.1)
0x002d0| 42| B| mem_execute: false 0x2df.2-0x2df.3 (0.1)
0x002d0| 42| B| mem_shared: false 0x2df.3-0x2df.4 (0.1)
0x002d0| 42| B| mem_not_paged: false 0x2df.4-0x2df.5 (0.1)
0x002d0| 42| B| mem_not_cached: false 0x2df.5-0x2df.6 (0.1)
0x002d0| 42| B| mem_discardable: true 0x2df.6-0x2df.7 (0.1)
0x002d0| 42| B| lnk_nreloc_ovfl: false 0x2df.7-0x2e0 (0.1)
| | | symbol_table[0:0]: 0x2e0-0x2e0 (0)
| | | string_table{}: 0x21000-0x2101d (29)
0x21000|1d 00 00 00 |.... | size: 29 0x21000-0x21004 (4)
| | | entries[0:2]: 0x21004-0x2101d (25)
0x21000| 2e 65 68 5f 66 72 61 6d 65 00 | .eh_frame. | [0]: ".eh_frame" entry 0x21004-0x2100e (10)
0x21000| 2e 67| .g| [1]: ".gnu_debuglink" entry 0x2100e-0x2101d (15)
0x21010|6e 75 5f 64 65 62 75 67 6c 69 6e 6b 00| |nu_debuglink.| |
0x002e0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................| gap0: raw bits 0x2e0-0x21000 (134432)
* |until 0x20fff.7 (134432) | |

BIN
format/pe/testdata/pe-mingw32-strip.exe vendored Executable file
View File

Binary file not shown.

481
format/pe/testdata/pe-mingw32-strip.exe.fqtest vendored Normal file
View File

@ -0,0 +1,481 @@
$ fq dv pe-mingw32-strip.exe
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: pe-mingw32-strip.exe (pe) 0x0-0x11b60e (1160718)
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| ms_dos_stub{}: (msdos_stub) 0x0-0x80 (128)
0x000000|4d 5a |MZ | e_magic: 0x5a4d (valid) 0x0-0x2 (2)
0x000000| 90 00 | .. | e_cblp: 144 (Bytes on last page of file) 0x2-0x4 (2)
0x000000| 03 00 | .. | e_cp: 3 (Pages in file) 0x4-0x6 (2)
0x000000| 00 00 | .. | e_crlc: 0 (Relocations) 0x6-0x8 (2)
0x000000| 04 00 | .. | e_cparhdr: 4 (Size of header in paragraphs) 0x8-0xa (2)
0x000000| 00 00 | .. | e_minalloc: 0 (Minimum extra paragraphs needed) 0xa-0xc (2)
0x000000| ff ff | .. | e_maxalloc: 65535 (Maximum extra paragraphs needed) 0xc-0xe (2)
0x000000| 00 00| ..| e_ss: 0 (Initial (relative) SS value) 0xe-0x10 (2)
0x000010|b8 00 |.. | e_sp: 184 (Initial SP value) 0x10-0x12 (2)
0x000010| 00 00 | .. | e_csum: 0 (Checksum) 0x12-0x14 (2)
0x000010| 00 00 | .. | e_ip: 0 (Initial IP value) 0x14-0x16 (2)
0x000010| 00 00 | .. | e_cs: 0 (Initial (relative) CS value) 0x16-0x18 (2)
0x000010| 40 00 | @. | e_lfarlc: 64 (File address of relocation table) 0x18-0x1a (2)
0x000010| 00 00 | .. | e_ovno: 0 (Overlay number) 0x1a-0x1c (2)
0x000010| 00 00 00 00| ....| e_res: raw bits (Reserved words) 0x1c-0x24 (8)
0x000020|00 00 00 00 |.... |
0x000020| 00 00 | .. | e_oemid: 0 (OEM identifier (for e_oeminfo)) 0x24-0x26 (2)
0x000020| 00 00 | .. | e_oeminfo: 0 (OEM information; e_oemid specific) 0x26-0x28 (2)
0x000020| 00 00 00 00 00 00 00 00| ........| e_res2: raw bits (Reserved words) 0x28-0x3c (20)
0x000030|00 00 00 00 00 00 00 00 00 00 00 00 |............ |
0x000030| 80 00 00 00| ....| e_lfanew: 128 (File address of new exe header) 0x3c-0x40 (4)
0x000040|0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68|........!..L.!Th| stub: raw bits (Sub program) 0x40-0x80 (64)
* |until 0x7f.7 (64) | |
|00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef| coff{}: (coff) 0x80-0x11b60e (1160590)
0x000080|50 45 00 00 |PE.. | signature: raw bits (valid) 0x80-0x84 (4)
0x000080| 4c 01 | L. | machine: "i386" (0x14c) 0x84-0x86 (2)
0x000080| 08 00 | .. | number_of_sections: 8 0x86-0x88 (2)
0x000080| 00 00 00 00 | .... | time_date_stamp: 0 (1970-01-01T00:00:00Z) 0x88-0x8c (4)
0x000080| 00 b6 11 00| ....| pointer_to_symbol_table: 0x11b600 0x8c-0x90 (4)
0x000090|00 00 00 00 |.... | number_of_symbols: 0 0x90-0x94 (4)
0x000090| e0 00 | .. | size_of_optional_header: 224 0x94-0x96 (2)
| | | characteristics{}: 0x96-0x98 (2)
0x000090| 0f | . | bytes_reversed_lo: false 0x96-0x96.1 (0.1)
0x000090| 0f | . | reserved: false 0x96.1-0x96.2 (0.1)
0x000090| 0f | . | large_address_aware: false 0x96.2-0x96.3 (0.1)
0x000090| 0f | . | aggressive_ws_trim: false 0x96.3-0x96.4 (0.1)
0x000090| 0f | . | local_syms_stripped: true 0x96.4-0x96.5 (0.1)
0x000090| 0f | . | line_nums_stripped: true 0x96.5-0x96.6 (0.1)
0x000090| 0f | . | executable_image: true 0x96.6-0x96.7 (0.1)
0x000090| 0f | . | relocs_stripped: true 0x96.7-0x97 (0.1)
0x000090| 03 | . | bytes_reversed_hi: false 0x97-0x97.1 (0.1)
0x000090| 03 | . | up_system_only: false 0x97.1-0x97.2 (0.1)
0x000090| 03 | . | dll: false 0x97.2-0x97.3 (0.1)
0x000090| 03 | . | system: false 0x97.3-0x97.4 (0.1)
0x000090| 03 | . | net_run_from_swap: false 0x97.4-0x97.5 (0.1)
0x000090| 03 | . | removable_run_from_swap: false 0x97.5-0x97.6 (0.1)
0x000090| 03 | . | debug_stripped: true 0x97.6-0x97.7 (0.1)
0x000090| 03 | . | 32bit_machine: true 0x97.7-0x98 (0.1)
| | | optional_header{}: 0x98-0x178 (224)
0x000090| 0b 01 | .. | format: "pe32" (0x10b) 0x98-0x9a (2)
0x000090| 02 | . | major_linker_version: 2 0x9a-0x9b (1)
0x000090| 1c | . | minor_linker_version: 28 0x9b-0x9c (1)
0x000090| 00 b6 0c 00| ....| size_of_code: 833024 0x9c-0xa0 (4)
0x0000a0|00 b2 11 00 |.... | size_of_initialized_data: 1159680 0xa0-0xa4 (4)
0x0000a0| 00 58 00 00 | .X.. | size_of_uninitialized_data: 22528 0xa4-0xa8 (4)
0x0000a0| e0 12 00 00 | .... | address_of_entry_point: 0x12e0 0xa8-0xac (4)
0x0000a0| 00 10 00 00| ....| base_of_code: 0x1000 0xac-0xb0 (4)
0x0000b0|00 d0 0c 00 |.... | base_of_data: 0xcd000 0xb0-0xb4 (4)
0x0000b0| 00 00 40 00 | ..@. | image_base: 0x400000 0xb4-0xb8 (4)
0x0000b0| 00 10 00 00 | .... | section_alignment: 4096 0xb8-0xbc (4)
0x0000b0| 00 02 00 00| ....| file_alignment: 512 0xbc-0xc0 (4)
0x0000c0|04 00 |.. | major_os_version: 4 0xc0-0xc2 (2)
0x0000c0| 00 00 | .. | minor_os_version: 0 0xc2-0xc4 (2)
0x0000c0| 01 00 | .. | major_image_version: 1 0xc4-0xc6 (2)
0x0000c0| 00 00 | .. | minor_image_version: 0 0xc6-0xc8 (2)
0x0000c0| 04 00 | .. | major_subsystem_version: 4 0xc8-0xca (2)
0x0000c0| 00 00 | .. | minor_subsystem_version: 0 0xca-0xcc (2)
0x0000c0| 00 00 00 00| ....| win32_version: 0 0xcc-0xd0 (4)
0x0000d0|00 70 12 00 |.p.. | size_of_image: 1208320 0xd0-0xd4 (4)
0x0000d0| 00 04 00 00 | .... | size_of_headers: 1024 0xd4-0xd8 (4)
0x0000d0| 95 80 12 00 | .... | chunk_sum: 0x128095 0xd8-0xdc (4)
0x0000d0| 03 00 | .. | subsystem: "windows_cui" (3) 0xdc-0xde (2)
| | | dll_characteristics{}: 0xde-0xe0 (2)
0x0000d0| 00 | . | force_integrity: false 0xde-0xde.1 (0.1)
0x0000d0| 00 | . | dynamic_base: false 0xde.1-0xde.2 (0.1)
0x0000d0| 00 | . | high_entropy_va: false 0xde.2-0xde.3 (0.1)
0x0000d0| 00 | . | reserved0: false 0xde.3-0xde.4 (0.1)
0x0000d0| 00 | . | reserved1: false 0xde.4-0xde.5 (0.1)
0x0000d0| 00 | . | reserved2: false 0xde.5-0xde.6 (0.1)
0x0000d0| 00 | . | reserved3: false 0xde.6-0xde.7 (0.1)
0x0000d0| 00 | . | reserved4: false 0xde.7-0xdf (0.1)
0x0000d0| 00| .| terminal_server_aware: false 0xdf-0xdf.1 (0.1)
0x0000d0| 00| .| guard_cf: false 0xdf.1-0xdf.2 (0.1)
0x0000d0| 00| .| wdm_driver: false 0xdf.2-0xdf.3 (0.1)
0x0000d0| 00| .| appcontainer: false 0xdf.3-0xdf.4 (0.1)
0x0000d0| 00| .| no_bind: false 0xdf.4-0xdf.5 (0.1)
0x0000d0| 00| .| no_seh: false 0xdf.5-0xdf.6 (0.1)
0x0000d0| 00| .| no_isolation: false 0xdf.6-0xdf.7 (0.1)
0x0000d0| 00| .| nx_compat: false 0xdf.7-0xe0 (0.1)
0x0000e0|00 00 c0 00 |.... | size_of_track_reserve: 12582912 0xe0-0xe4 (4)
0x0000e0| 00 10 00 00 | .... | size_of_stack_commit: 4096 0xe4-0xe8 (4)
0x0000e0| 00 00 10 00 | .... | size_of_heap_reserve: 1048576 0xe8-0xec (4)
0x0000e0| 00 10 00 00| ....| size_of_heap_commit: 4096 0xec-0xf0 (4)
0x0000f0|00 00 00 00 |.... | loader_flags: 0 0xf0-0xf4 (4)
0x0000f0| 10 00 00 00 | .... | number_of_rva_and_sizes: 16 0xf4-0xf8 (4)
0x0000f0| 00 00 00 00 | .... | export_table_address: 0x0 0xf8-0xfc (4)
0x0000f0| 00 00 00 00| ....| export_table_size: 0 0xfc-0x100 (4)
0x000100|00 30 12 00 |.0.. | import_table_address: 0x123000 0x100-0x104 (4)
0x000100| d4 10 00 00 | .... | import_table_size: 4308 0x104-0x108 (4)
0x000100| 00 00 00 00 | .... | resource_table_address: 0x0 0x108-0x10c (4)
0x000100| 00 00 00 00| ....| resource_table_size: 0 0x10c-0x110 (4)
0x000110|00 00 00 00 |.... | exception_table_address: 0x0 0x110-0x114 (4)
0x000110| 00 00 00 00 | .... | exception_table_size: 0 0x114-0x118 (4)
0x000110| 00 00 00 00 | .... | certificate_table_address: 0x0 0x118-0x11c (4)
0x000110| 00 00 00 00| ....| certificate_table_size: 0 0x11c-0x120 (4)
0x000120|00 00 00 00 |.... | base_relocation_table_address: 0x0 0x120-0x124 (4)
0x000120| 00 00 00 00 | .... | base_relocation_table_size: 0 0x124-0x128 (4)
0x000120| 00 00 00 00 | .... | debug_address: 0x0 0x128-0x12c (4)
0x000120| 00 00 00 00| ....| debug_size: 0 0x12c-0x130 (4)
0x000130|00 00 00 00 00 00 00 00 |........ | architecture: 0 0x130-0x138 (8)
0x000130| 00 00 00 00 00 00 00 00| ........| global_ptr: 0x0 0x138-0x140 (8)
0x000140|04 60 12 00 |.`.. | tls_table_address: 0x126004 0x140-0x144 (4)
0x000140| 18 00 00 00 | .... | tls_table_size: 24 0x144-0x148 (4)
0x000140| 00 00 00 00 | .... | load_config_table_address: 0x0 0x148-0x14c (4)
0x000140| 00 00 00 00| ....| load_config_table_size: 0 0x14c-0x150 (4)
0x000150|00 00 00 00 |.... | bound_import_address: 0x0 0x150-0x154 (4)
0x000150| 00 00 00 00 | .... | bound_import_size: 0 0x154-0x158 (4)
0x000150| 24 33 12 00 | $3.. | iat_address: 0x123324 0x158-0x15c (4)
0x000150| 98 02 00 00| ....| iat_size: 664 0x15c-0x160 (4)
0x000160|00 00 00 00 |.... | delay_import_descriptor_address: 0x0 0x160-0x164 (4)
0x000160| 00 00 00 00 | .... | delay_import_descriptor_size: 0 0x164-0x168 (4)
0x000160| 00 00 00 00 | .... | clr_runtime_header_address: 0x0 0x168-0x16c (4)
0x000160| 00 00 00 00| ....| clr_runtime_header_size: 0 0x16c-0x170 (4)
0x000170|00 00 00 00 00 00 00 00 |........ | reserved: 0 0x170-0x178 (8)
| | | unknown: raw bits 0x178-0x178 (0)
| | | sections[0:8]: 0x178-0x2b8 (320)
| | | [0]{}: section 0x178-0x1a0 (40)
0x000170| 2e 74 65 78 74 00 00 00| .text...| name: ".text" 0x178-0x180 (8)
0x000180|d4 b5 0c 00 |.... | virtual_size: 832980 0x180-0x184 (4)
0x000180| 00 10 00 00 | .... | virtual_address: 0x1000 0x184-0x188 (4)
0x000180| 00 b6 0c 00 | .... | size_of_raw_data: 833024 0x188-0x18c (4)
0x000180| 00 04 00 00| ....| pointer_to_raw_data: 0x400 0x18c-0x190 (4)
0x000190|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x190-0x194 (4)
0x000190| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x194-0x198 (4)
0x000190| 00 00 | .. | number_of_relocations: 0 0x198-0x19a (2)
0x000190| 00 00 | .. | number_of_line_numbers: 0 0x19a-0x19c (2)
| | | characteristics{}: 0x19c-0x1a0 (4)
0x000190| 60 | ` | cnt_uninitialized_data: false 0x19c-0x19c.1 (0.1)
0x000190| 60 | ` | cnt_initialized_data: true 0x19c.1-0x19c.2 (0.1)
0x000190| 60 | ` | cnt_code: true 0x19c.2-0x19c.3 (0.1)
0x000190| 60 | ` | reserved: false 0x19c.3-0x19c.4 (0.1)
0x000190| 60 | ` | type_no_pad: false 0x19c.4-0x19c.5 (0.1)
0x000190| 60 | ` | reserved0: false 0x19c.5-0x19c.6 (0.1)
0x000190| 60 | ` | reserved1: false 0x19c.6-0x19c.7 (0.1)
0x000190| 60 | ` | reserved2: false 0x19c.7-0x19d (0.1)
0x000190| 00 | . | gprel: false 0x19d-0x19d.1 (0.1)
0x000190| 00 | . | unknown0: false 0x19d.1-0x19d.2 (0.1)
0x000190| 00 | . | unknown1: false 0x19d.2-0x19d.3 (0.1)
0x000190| 00 | . | lnk_comdat: false 0x19d.3-0x19d.4 (0.1)
0x000190| 00 | . | lnk_remove: false 0x19d.4-0x19d.5 (0.1)
0x000190| 00 | . | reserved3: false 0x19d.5-0x19d.6 (0.1)
0x000190| 00 | . | lnk_info: false 0x19d.6-0x19d.7 (0.1)
0x000190| 00 | . | lnk_other: false 0x19d.7-0x19e (0.1)
0x000190| 50 | P | align_128bytes: false 0x19e-0x19e.1 (0.1)
0x000190| 50 | P | align_8bytes: true 0x19e.1-0x19e.2 (0.1)
0x000190| 50 | P | align_2bytes: false 0x19e.2-0x19e.3 (0.1)
0x000190| 50 | P | align_1bytes: true 0x19e.3-0x19e.4 (0.1)
0x000190| 50 | P | mem_preload: false 0x19e.4-0x19e.5 (0.1)
0x000190| 50 | P | mem_locked: false 0x19e.5-0x19e.6 (0.1)
0x000190| 50 | P | mem_16bit: false 0x19e.6-0x19e.7 (0.1)
0x000190| 50 | P | mem_purgeable: false 0x19e.7-0x19f (0.1)
0x000190| 60| `| mem_write: false 0x19f-0x19f.1 (0.1)
0x000190| 60| `| mem_read: true 0x19f.1-0x19f.2 (0.1)
0x000190| 60| `| mem_execute: true 0x19f.2-0x19f.3 (0.1)
0x000190| 60| `| mem_shared: false 0x19f.3-0x19f.4 (0.1)
0x000190| 60| `| mem_not_paged: false 0x19f.4-0x19f.5 (0.1)
0x000190| 60| `| mem_not_cached: false 0x19f.5-0x19f.6 (0.1)
0x000190| 60| `| mem_discardable: false 0x19f.6-0x19f.7 (0.1)
0x000190| 60| `| lnk_nreloc_ovfl: false 0x19f.7-0x1a0 (0.1)
| | | [1]{}: section 0x1a0-0x1c8 (40)
0x0001a0|2e 64 61 74 61 00 00 00 |.data... | name: ".data" 0x1a0-0x1a8 (8)
0x0001a0| e8 1e 00 00 | .... | virtual_size: 7912 0x1a8-0x1ac (4)
0x0001a0| 00 d0 0c 00| ....| virtual_address: 0xcd000 0x1ac-0x1b0 (4)
0x0001b0|00 20 00 00 |. .. | size_of_raw_data: 8192 0x1b0-0x1b4 (4)
0x0001b0| 00 ba 0c 00 | .... | pointer_to_raw_data: 0xcba00 0x1b4-0x1b8 (4)
0x0001b0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x1b8-0x1bc (4)
0x0001b0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x1bc-0x1c0 (4)
0x0001c0|00 00 |.. | number_of_relocations: 0 0x1c0-0x1c2 (2)
0x0001c0| 00 00 | .. | number_of_line_numbers: 0 0x1c2-0x1c4 (2)
| | | characteristics{}: 0x1c4-0x1c8 (4)
0x0001c0| 40 | @ | cnt_uninitialized_data: false 0x1c4-0x1c4.1 (0.1)
0x0001c0| 40 | @ | cnt_initialized_data: true 0x1c4.1-0x1c4.2 (0.1)
0x0001c0| 40 | @ | cnt_code: false 0x1c4.2-0x1c4.3 (0.1)
0x0001c0| 40 | @ | reserved: false 0x1c4.3-0x1c4.4 (0.1)
0x0001c0| 40 | @ | type_no_pad: false 0x1c4.4-0x1c4.5 (0.1)
0x0001c0| 40 | @ | reserved0: false 0x1c4.5-0x1c4.6 (0.1)
0x0001c0| 40 | @ | reserved1: false 0x1c4.6-0x1c4.7 (0.1)
0x0001c0| 40 | @ | reserved2: false 0x1c4.7-0x1c5 (0.1)
0x0001c0| 00 | . | gprel: false 0x1c5-0x1c5.1 (0.1)
0x0001c0| 00 | . | unknown0: false 0x1c5.1-0x1c5.2 (0.1)
0x0001c0| 00 | . | unknown1: false 0x1c5.2-0x1c5.3 (0.1)
0x0001c0| 00 | . | lnk_comdat: false 0x1c5.3-0x1c5.4 (0.1)
0x0001c0| 00 | . | lnk_remove: false 0x1c5.4-0x1c5.5 (0.1)
0x0001c0| 00 | . | reserved3: false 0x1c5.5-0x1c5.6 (0.1)
0x0001c0| 00 | . | lnk_info: false 0x1c5.6-0x1c5.7 (0.1)
0x0001c0| 00 | . | lnk_other: false 0x1c5.7-0x1c6 (0.1)
0x0001c0| 60 | ` | align_128bytes: false 0x1c6-0x1c6.1 (0.1)
0x0001c0| 60 | ` | align_8bytes: true 0x1c6.1-0x1c6.2 (0.1)
0x0001c0| 60 | ` | align_2bytes: true 0x1c6.2-0x1c6.3 (0.1)
0x0001c0| 60 | ` | align_1bytes: false 0x1c6.3-0x1c6.4 (0.1)
0x0001c0| 60 | ` | mem_preload: false 0x1c6.4-0x1c6.5 (0.1)
0x0001c0| 60 | ` | mem_locked: false 0x1c6.5-0x1c6.6 (0.1)
0x0001c0| 60 | ` | mem_16bit: false 0x1c6.6-0x1c6.7 (0.1)
0x0001c0| 60 | ` | mem_purgeable: false 0x1c6.7-0x1c7 (0.1)
0x0001c0| c0 | . | mem_write: true 0x1c7-0x1c7.1 (0.1)
0x0001c0| c0 | . | mem_read: true 0x1c7.1-0x1c7.2 (0.1)
0x0001c0| c0 | . | mem_execute: false 0x1c7.2-0x1c7.3 (0.1)
0x0001c0| c0 | . | mem_shared: false 0x1c7.3-0x1c7.4 (0.1)
0x0001c0| c0 | . | mem_not_paged: false 0x1c7.4-0x1c7.5 (0.1)
0x0001c0| c0 | . | mem_not_cached: false 0x1c7.5-0x1c7.6 (0.1)
0x0001c0| c0 | . | mem_discardable: false 0x1c7.6-0x1c7.7 (0.1)
0x0001c0| c0 | . | lnk_nreloc_ovfl: false 0x1c7.7-0x1c8 (0.1)
| | | [2]{}: section 0x1c8-0x1f0 (40)
0x0001c0| 2e 72 64 61 74 61 00 00| .rdata..| name: ".rdata" 0x1c8-0x1d0 (8)
0x0001d0|a8 21 03 00 |.!.. | virtual_size: 205224 0x1d0-0x1d4 (4)
0x0001d0| 00 f0 0c 00 | .... | virtual_address: 0xcf000 0x1d4-0x1d8 (4)
0x0001d0| 00 22 03 00 | .".. | size_of_raw_data: 205312 0x1d8-0x1dc (4)
0x0001d0| 00 da 0c 00| ....| pointer_to_raw_data: 0xcda00 0x1dc-0x1e0 (4)
0x0001e0|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x1e0-0x1e4 (4)
0x0001e0| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x1e4-0x1e8 (4)
0x0001e0| 00 00 | .. | number_of_relocations: 0 0x1e8-0x1ea (2)
0x0001e0| 00 00 | .. | number_of_line_numbers: 0 0x1ea-0x1ec (2)
| | | characteristics{}: 0x1ec-0x1f0 (4)
0x0001e0| 40 | @ | cnt_uninitialized_data: false 0x1ec-0x1ec.1 (0.1)
0x0001e0| 40 | @ | cnt_initialized_data: true 0x1ec.1-0x1ec.2 (0.1)
0x0001e0| 40 | @ | cnt_code: false 0x1ec.2-0x1ec.3 (0.1)
0x0001e0| 40 | @ | reserved: false 0x1ec.3-0x1ec.4 (0.1)
0x0001e0| 40 | @ | type_no_pad: false 0x1ec.4-0x1ec.5 (0.1)
0x0001e0| 40 | @ | reserved0: false 0x1ec.5-0x1ec.6 (0.1)
0x0001e0| 40 | @ | reserved1: false 0x1ec.6-0x1ec.7 (0.1)
0x0001e0| 40 | @ | reserved2: false 0x1ec.7-0x1ed (0.1)
0x0001e0| 00 | . | gprel: false 0x1ed-0x1ed.1 (0.1)
0x0001e0| 00 | . | unknown0: false 0x1ed.1-0x1ed.2 (0.1)
0x0001e0| 00 | . | unknown1: false 0x1ed.2-0x1ed.3 (0.1)
0x0001e0| 00 | . | lnk_comdat: false 0x1ed.3-0x1ed.4 (0.1)
0x0001e0| 00 | . | lnk_remove: false 0x1ed.4-0x1ed.5 (0.1)
0x0001e0| 00 | . | reserved3: false 0x1ed.5-0x1ed.6 (0.1)
0x0001e0| 00 | . | lnk_info: false 0x1ed.6-0x1ed.7 (0.1)
0x0001e0| 00 | . | lnk_other: false 0x1ed.7-0x1ee (0.1)
0x0001e0| 60 | ` | align_128bytes: false 0x1ee-0x1ee.1 (0.1)
0x0001e0| 60 | ` | align_8bytes: true 0x1ee.1-0x1ee.2 (0.1)
0x0001e0| 60 | ` | align_2bytes: true 0x1ee.2-0x1ee.3 (0.1)
0x0001e0| 60 | ` | align_1bytes: false 0x1ee.3-0x1ee.4 (0.1)
0x0001e0| 60 | ` | mem_preload: false 0x1ee.4-0x1ee.5 (0.1)
0x0001e0| 60 | ` | mem_locked: false 0x1ee.5-0x1ee.6 (0.1)
0x0001e0| 60 | ` | mem_16bit: false 0x1ee.6-0x1ee.7 (0.1)
0x0001e0| 60 | ` | mem_purgeable: false 0x1ee.7-0x1ef (0.1)
0x0001e0| 40| @| mem_write: false 0x1ef-0x1ef.1 (0.1)
0x0001e0| 40| @| mem_read: true 0x1ef.1-0x1ef.2 (0.1)
0x0001e0| 40| @| mem_execute: false 0x1ef.2-0x1ef.3 (0.1)
0x0001e0| 40| @| mem_shared: false 0x1ef.3-0x1ef.4 (0.1)
0x0001e0| 40| @| mem_not_paged: false 0x1ef.4-0x1ef.5 (0.1)
0x0001e0| 40| @| mem_not_cached: false 0x1ef.5-0x1ef.6 (0.1)
0x0001e0| 40| @| mem_discardable: false 0x1ef.6-0x1ef.7 (0.1)
0x0001e0| 40| @| lnk_nreloc_ovfl: false 0x1ef.7-0x1f0 (0.1)
| | | [3]{}: section 0x1f0-0x218 (40)
0x0001f0|2f 34 00 00 00 00 00 00 |/4...... | name: ".eh_frame" ("/4") 0x1f0-0x1f8 (8)
0x0001f0| 64 a2 01 00 | d... | virtual_size: 107108 0x1f8-0x1fc (4)
0x0001f0| 00 20 10 00| . ..| virtual_address: 0x102000 0x1fc-0x200 (4)
0x000200|00 a4 01 00 |.... | size_of_raw_data: 107520 0x200-0x204 (4)
0x000200| 00 fc 0f 00 | .... | pointer_to_raw_data: 0xffc00 0x204-0x208 (4)
0x000200| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x208-0x20c (4)
0x000200| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x20c-0x210 (4)
0x000210|00 00 |.. | number_of_relocations: 0 0x210-0x212 (2)
0x000210| 00 00 | .. | number_of_line_numbers: 0 0x212-0x214 (2)
| | | characteristics{}: 0x214-0x218 (4)
0x000210| 40 | @ | cnt_uninitialized_data: false 0x214-0x214.1 (0.1)
0x000210| 40 | @ | cnt_initialized_data: true 0x214.1-0x214.2 (0.1)
0x000210| 40 | @ | cnt_code: false 0x214.2-0x214.3 (0.1)
0x000210| 40 | @ | reserved: false 0x214.3-0x214.4 (0.1)
0x000210| 40 | @ | type_no_pad: false 0x214.4-0x214.5 (0.1)
0x000210| 40 | @ | reserved0: false 0x214.5-0x214.6 (0.1)
0x000210| 40 | @ | reserved1: false 0x214.6-0x214.7 (0.1)
0x000210| 40 | @ | reserved2: false 0x214.7-0x215 (0.1)
0x000210| 00 | . | gprel: false 0x215-0x215.1 (0.1)
0x000210| 00 | . | unknown0: false 0x215.1-0x215.2 (0.1)
0x000210| 00 | . | unknown1: false 0x215.2-0x215.3 (0.1)
0x000210| 00 | . | lnk_comdat: false 0x215.3-0x215.4 (0.1)
0x000210| 00 | . | lnk_remove: false 0x215.4-0x215.5 (0.1)
0x000210| 00 | . | reserved3: false 0x215.5-0x215.6 (0.1)
0x000210| 00 | . | lnk_info: false 0x215.6-0x215.7 (0.1)
0x000210| 00 | . | lnk_other: false 0x215.7-0x216 (0.1)
0x000210| 30 | 0 | align_128bytes: false 0x216-0x216.1 (0.1)
0x000210| 30 | 0 | align_8bytes: false 0x216.1-0x216.2 (0.1)
0x000210| 30 | 0 | align_2bytes: true 0x216.2-0x216.3 (0.1)
0x000210| 30 | 0 | align_1bytes: true 0x216.3-0x216.4 (0.1)
0x000210| 30 | 0 | mem_preload: false 0x216.4-0x216.5 (0.1)
0x000210| 30 | 0 | mem_locked: false 0x216.5-0x216.6 (0.1)
0x000210| 30 | 0 | mem_16bit: false 0x216.6-0x216.7 (0.1)
0x000210| 30 | 0 | mem_purgeable: false 0x216.7-0x217 (0.1)
0x000210| 40 | @ | mem_write: false 0x217-0x217.1 (0.1)
0x000210| 40 | @ | mem_read: true 0x217.1-0x217.2 (0.1)
0x000210| 40 | @ | mem_execute: false 0x217.2-0x217.3 (0.1)
0x000210| 40 | @ | mem_shared: false 0x217.3-0x217.4 (0.1)
0x000210| 40 | @ | mem_not_paged: false 0x217.4-0x217.5 (0.1)
0x000210| 40 | @ | mem_not_cached: false 0x217.5-0x217.6 (0.1)
0x000210| 40 | @ | mem_discardable: false 0x217.6-0x217.7 (0.1)
0x000210| 40 | @ | lnk_nreloc_ovfl: false 0x217.7-0x218 (0.1)
| | | [4]{}: section 0x218-0x240 (40)
0x000210| 2e 62 73 73 00 00 00 00| .bss....| name: ".bss" 0x218-0x220 (8)
0x000220|60 56 00 00 |`V.. | virtual_size: 22112 0x220-0x224 (4)
0x000220| 00 d0 11 00 | .... | virtual_address: 0x11d000 0x224-0x228 (4)
0x000220| 00 00 00 00 | .... | size_of_raw_data: 0 0x228-0x22c (4)
0x000220| 00 00 00 00| ....| pointer_to_raw_data: 0x0 0x22c-0x230 (4)
0x000230|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x230-0x234 (4)
0x000230| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x234-0x238 (4)
0x000230| 00 00 | .. | number_of_relocations: 0 0x238-0x23a (2)
0x000230| 00 00 | .. | number_of_line_numbers: 0 0x23a-0x23c (2)
| | | characteristics{}: 0x23c-0x240 (4)
0x000230| 80 | . | cnt_uninitialized_data: true 0x23c-0x23c.1 (0.1)
0x000230| 80 | . | cnt_initialized_data: false 0x23c.1-0x23c.2 (0.1)
0x000230| 80 | . | cnt_code: false 0x23c.2-0x23c.3 (0.1)
0x000230| 80 | . | reserved: false 0x23c.3-0x23c.4 (0.1)
0x000230| 80 | . | type_no_pad: false 0x23c.4-0x23c.5 (0.1)
0x000230| 80 | . | reserved0: false 0x23c.5-0x23c.6 (0.1)
0x000230| 80 | . | reserved1: false 0x23c.6-0x23c.7 (0.1)
0x000230| 80 | . | reserved2: false 0x23c.7-0x23d (0.1)
0x000230| 00 | . | gprel: false 0x23d-0x23d.1 (0.1)
0x000230| 00 | . | unknown0: false 0x23d.1-0x23d.2 (0.1)
0x000230| 00 | . | unknown1: false 0x23d.2-0x23d.3 (0.1)
0x000230| 00 | . | lnk_comdat: false 0x23d.3-0x23d.4 (0.1)
0x000230| 00 | . | lnk_remove: false 0x23d.4-0x23d.5 (0.1)
0x000230| 00 | . | reserved3: false 0x23d.5-0x23d.6 (0.1)
0x000230| 00 | . | lnk_info: false 0x23d.6-0x23d.7 (0.1)
0x000230| 00 | . | lnk_other: false 0x23d.7-0x23e (0.1)
0x000230| 60 | ` | align_128bytes: false 0x23e-0x23e.1 (0.1)
0x000230| 60 | ` | align_8bytes: true 0x23e.1-0x23e.2 (0.1)
0x000230| 60 | ` | align_2bytes: true 0x23e.2-0x23e.3 (0.1)
0x000230| 60 | ` | align_1bytes: false 0x23e.3-0x23e.4 (0.1)
0x000230| 60 | ` | mem_preload: false 0x23e.4-0x23e.5 (0.1)
0x000230| 60 | ` | mem_locked: false 0x23e.5-0x23e.6 (0.1)
0x000230| 60 | ` | mem_16bit: false 0x23e.6-0x23e.7 (0.1)
0x000230| 60 | ` | mem_purgeable: false 0x23e.7-0x23f (0.1)
0x000230| c0| .| mem_write: true 0x23f-0x23f.1 (0.1)
0x000230| c0| .| mem_read: true 0x23f.1-0x23f.2 (0.1)
0x000230| c0| .| mem_execute: false 0x23f.2-0x23f.3 (0.1)
0x000230| c0| .| mem_shared: false 0x23f.3-0x23f.4 (0.1)
0x000230| c0| .| mem_not_paged: false 0x23f.4-0x23f.5 (0.1)
0x000230| c0| .| mem_not_cached: false 0x23f.5-0x23f.6 (0.1)
0x000230| c0| .| mem_discardable: false 0x23f.6-0x23f.7 (0.1)
0x000230| c0| .| lnk_nreloc_ovfl: false 0x23f.7-0x240 (0.1)
| | | [5]{}: section 0x240-0x268 (40)
0x000240|2e 69 64 61 74 61 00 00 |.idata.. | name: ".idata" 0x240-0x248 (8)
0x000240| d4 10 00 00 | .... | virtual_size: 4308 0x248-0x24c (4)
0x000240| 00 30 12 00| .0..| virtual_address: 0x123000 0x24c-0x250 (4)
0x000250|00 12 00 00 |.... | size_of_raw_data: 4608 0x250-0x254 (4)
0x000250| 00 a0 11 00 | .... | pointer_to_raw_data: 0x11a000 0x254-0x258 (4)
0x000250| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x258-0x25c (4)
0x000250| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x25c-0x260 (4)
0x000260|00 00 |.. | number_of_relocations: 0 0x260-0x262 (2)
0x000260| 00 00 | .. | number_of_line_numbers: 0 0x262-0x264 (2)
| | | characteristics{}: 0x264-0x268 (4)
0x000260| 40 | @ | cnt_uninitialized_data: false 0x264-0x264.1 (0.1)
0x000260| 40 | @ | cnt_initialized_data: true 0x264.1-0x264.2 (0.1)
0x000260| 40 | @ | cnt_code: false 0x264.2-0x264.3 (0.1)
0x000260| 40 | @ | reserved: false 0x264.3-0x264.4 (0.1)
0x000260| 40 | @ | type_no_pad: false 0x264.4-0x264.5 (0.1)
0x000260| 40 | @ | reserved0: false 0x264.5-0x264.6 (0.1)
0x000260| 40 | @ | reserved1: false 0x264.6-0x264.7 (0.1)
0x000260| 40 | @ | reserved2: false 0x264.7-0x265 (0.1)
0x000260| 00 | . | gprel: false 0x265-0x265.1 (0.1)
0x000260| 00 | . | unknown0: false 0x265.1-0x265.2 (0.1)
0x000260| 00 | . | unknown1: false 0x265.2-0x265.3 (0.1)
0x000260| 00 | . | lnk_comdat: false 0x265.3-0x265.4 (0.1)
0x000260| 00 | . | lnk_remove: false 0x265.4-0x265.5 (0.1)
0x000260| 00 | . | reserved3: false 0x265.5-0x265.6 (0.1)
0x000260| 00 | . | lnk_info: false 0x265.6-0x265.7 (0.1)
0x000260| 00 | . | lnk_other: false 0x265.7-0x266 (0.1)
0x000260| 30 | 0 | align_128bytes: false 0x266-0x266.1 (0.1)
0x000260| 30 | 0 | align_8bytes: false 0x266.1-0x266.2 (0.1)
0x000260| 30 | 0 | align_2bytes: true 0x266.2-0x266.3 (0.1)
0x000260| 30 | 0 | align_1bytes: true 0x266.3-0x266.4 (0.1)
0x000260| 30 | 0 | mem_preload: false 0x266.4-0x266.5 (0.1)
0x000260| 30 | 0 | mem_locked: false 0x266.5-0x266.6 (0.1)
0x000260| 30 | 0 | mem_16bit: false 0x266.6-0x266.7 (0.1)
0x000260| 30 | 0 | mem_purgeable: false 0x266.7-0x267 (0.1)
0x000260| c0 | . | mem_write: true 0x267-0x267.1 (0.1)
0x000260| c0 | . | mem_read: true 0x267.1-0x267.2 (0.1)
0x000260| c0 | . | mem_execute: false 0x267.2-0x267.3 (0.1)
0x000260| c0 | . | mem_shared: false 0x267.3-0x267.4 (0.1)
0x000260| c0 | . | mem_not_paged: false 0x267.4-0x267.5 (0.1)
0x000260| c0 | . | mem_not_cached: false 0x267.5-0x267.6 (0.1)
0x000260| c0 | . | mem_discardable: false 0x267.6-0x267.7 (0.1)
0x000260| c0 | . | lnk_nreloc_ovfl: false 0x267.7-0x268 (0.1)
| | | [6]{}: section 0x268-0x290 (40)
0x000260| 2e 43 52 54 00 00 00 00| .CRT....| name: ".CRT" 0x268-0x270 (8)
0x000270|18 00 00 00 |.... | virtual_size: 24 0x270-0x274 (4)
0x000270| 00 50 12 00 | .P.. | virtual_address: 0x125000 0x274-0x278 (4)
0x000270| 00 02 00 00 | .... | size_of_raw_data: 512 0x278-0x27c (4)
0x000270| 00 b2 11 00| ....| pointer_to_raw_data: 0x11b200 0x27c-0x280 (4)
0x000280|00 00 00 00 |.... | pointer_to_relocations: 0x0 0x280-0x284 (4)
0x000280| 00 00 00 00 | .... | pointer_to_line_numbers: 0x0 0x284-0x288 (4)
0x000280| 00 00 | .. | number_of_relocations: 0 0x288-0x28a (2)
0x000280| 00 00 | .. | number_of_line_numbers: 0 0x28a-0x28c (2)
| | | characteristics{}: 0x28c-0x290 (4)
0x000280| 40 | @ | cnt_uninitialized_data: false 0x28c-0x28c.1 (0.1)
0x000280| 40 | @ | cnt_initialized_data: true 0x28c.1-0x28c.2 (0.1)
0x000280| 40 | @ | cnt_code: false 0x28c.2-0x28c.3 (0.1)
0x000280| 40 | @ | reserved: false 0x28c.3-0x28c.4 (0.1)
0x000280| 40 | @ | type_no_pad: false 0x28c.4-0x28c.5 (0.1)
0x000280| 40 | @ | reserved0: false 0x28c.5-0x28c.6 (0.1)
0x000280| 40 | @ | reserved1: false 0x28c.6-0x28c.7 (0.1)
0x000280| 40 | @ | reserved2: false 0x28c.7-0x28d (0.1)
0x000280| 00 | . | gprel: false 0x28d-0x28d.1 (0.1)
0x000280| 00 | . | unknown0: false 0x28d.1-0x28d.2 (0.1)
0x000280| 00 | . | unknown1: false 0x28d.2-0x28d.3 (0.1)
0x000280| 00 | . | lnk_comdat: false 0x28d.3-0x28d.4 (0.1)
0x000280| 00 | . | lnk_remove: false 0x28d.4-0x28d.5 (0.1)
0x000280| 00 | . | reserved3: false 0x28d.5-0x28d.6 (0.1)
0x000280| 00 | . | lnk_info: false 0x28d.6-0x28d.7 (0.1)
0x000280| 00 | . | lnk_other: false 0x28d.7-0x28e (0.1)
0x000280| 30 | 0 | align_128bytes: false 0x28e-0x28e.1 (0.1)
0x000280| 30 | 0 | align_8bytes: false 0x28e.1-0x28e.2 (0.1)
0x000280| 30 | 0 | align_2bytes: true 0x28e.2-0x28e.3 (0.1)
0x000280| 30 | 0 | align_1bytes: true 0x28e.3-0x28e.4 (0.1)
0x000280| 30 | 0 | mem_preload: false 0x28e.4-0x28e.5 (0.1)
0x000280| 30 | 0 | mem_locked: false 0x28e.5-0x28e.6 (0.1)
0x000280| 30 | 0 | mem_16bit: false 0x28e.6-0x28e.7 (0.1)
0x000280| 30 | 0 | mem_purgeable: false 0x28e.7-0x28f (0.1)
0x000280| c0| .| mem_write: true 0x28f-0x28f.1 (0.1)
0x000280| c0| .| mem_read: true 0x28f.1-0x28f.2 (0.1)
0x000280| c0| .| mem_execute: false 0x28f.2-0x28f.3 (0.1)
0x000280| c0| .| mem_shared: false 0x28f.3-0x28f.4 (0.1)
0x000280| c0| .| mem_not_paged: false 0x28f.4-0x28f.5 (0.1)
0x000280| c0| .| mem_not_cached: false 0x28f.5-0x28f.6 (0.1)
0x000280| c0| .| mem_discardable: false 0x28f.6-0x28f.7 (0.1)
0x000280| c0| .| lnk_nreloc_ovfl: false 0x28f.7-0x290 (0.1)
| | | [7]{}: section 0x290-0x2b8 (40)
0x000290|2e 74 6c 73 00 00 00 00 |.tls.... | name: ".tls" 0x290-0x298 (8)
0x000290| 20 00 00 00 | ... | virtual_size: 32 0x298-0x29c (4)
0x000290| 00 60 12 00| .`..| virtual_address: 0x126000 0x29c-0x2a0 (4)
0x0002a0|00 02 00 00 |.... | size_of_raw_data: 512 0x2a0-0x2a4 (4)
0x0002a0| 00 b4 11 00 | .... | pointer_to_raw_data: 0x11b400 0x2a4-0x2a8 (4)
0x0002a0| 00 00 00 00 | .... | pointer_to_relocations: 0x0 0x2a8-0x2ac (4)
0x0002a0| 00 00 00 00| ....| pointer_to_line_numbers: 0x0 0x2ac-0x2b0 (4)
0x0002b0|00 00 |.. | number_of_relocations: 0 0x2b0-0x2b2 (2)
0x0002b0| 00 00 | .. | number_of_line_numbers: 0 0x2b2-0x2b4 (2)
| | | characteristics{}: 0x2b4-0x2b8 (4)
0x0002b0| 40 | @ | cnt_uninitialized_data: false 0x2b4-0x2b4.1 (0.1)
0x0002b0| 40 | @ | cnt_initialized_data: true 0x2b4.1-0x2b4.2 (0.1)
0x0002b0| 40 | @ | cnt_code: false 0x2b4.2-0x2b4.3 (0.1)
0x0002b0| 40 | @ | reserved: false 0x2b4.3-0x2b4.4 (0.1)
0x0002b0| 40 | @ | type_no_pad: false 0x2b4.4-0x2b4.5 (0.1)
0x0002b0| 40 | @ | reserved0: false 0x2b4.5-0x2b4.6 (0.1)
0x0002b0| 40 | @ | reserved1: false 0x2b4.6-0x2b4.7 (0.1)
0x0002b0| 40 | @ | reserved2: false 0x2b4.7-0x2b5 (0.1)
0x0002b0| 00 | . | gprel: false 0x2b5-0x2b5.1 (0.1)
0x0002b0| 00 | . | unknown0: false 0x2b5.1-0x2b5.2 (0.1)
0x0002b0| 00 | . | unknown1: false 0x2b5.2-0x2b5.3 (0.1)
0x0002b0| 00 | . | lnk_comdat: false 0x2b5.3-0x2b5.4 (0.1)
0x0002b0| 00 | . | lnk_remove: false 0x2b5.4-0x2b5.5 (0.1)
0x0002b0| 00 | . | reserved3: false 0x2b5.5-0x2b5.6 (0.1)
0x0002b0| 00 | . | lnk_info: false 0x2b5.6-0x2b5.7 (0.1)
0x0002b0| 00 | . | lnk_other: false 0x2b5.7-0x2b6 (0.1)
0x0002b0| 30 | 0 | align_128bytes: false 0x2b6-0x2b6.1 (0.1)
0x0002b0| 30 | 0 | align_8bytes: false 0x2b6.1-0x2b6.2 (0.1)
0x0002b0| 30 | 0 | align_2bytes: true 0x2b6.2-0x2b6.3 (0.1)
0x0002b0| 30 | 0 | align_1bytes: true 0x2b6.3-0x2b6.4 (0.1)
0x0002b0| 30 | 0 | mem_preload: false 0x2b6.4-0x2b6.5 (0.1)
0x0002b0| 30 | 0 | mem_locked: false 0x2b6.5-0x2b6.6 (0.1)
0x0002b0| 30 | 0 | mem_16bit: false 0x2b6.6-0x2b6.7 (0.1)
0x0002b0| 30 | 0 | mem_purgeable: false 0x2b6.7-0x2b7 (0.1)
0x0002b0| c0 | . | mem_write: true 0x2b7-0x2b7.1 (0.1)
0x0002b0| c0 | . | mem_read: true 0x2b7.1-0x2b7.2 (0.1)
0x0002b0| c0 | . | mem_execute: false 0x2b7.2-0x2b7.3 (0.1)
0x0002b0| c0 | . | mem_shared: false 0x2b7.3-0x2b7.4 (0.1)
0x0002b0| c0 | . | mem_not_paged: false 0x2b7.4-0x2b7.5 (0.1)
0x0002b0| c0 | . | mem_not_cached: false 0x2b7.5-0x2b7.6 (0.1)
0x0002b0| c0 | . | mem_discardable: false 0x2b7.6-0x2b7.7 (0.1)
0x0002b0| c0 | . | lnk_nreloc_ovfl: false 0x2b7.7-0x2b8 (0.1)
| | | symbol_table[0:0]: 0x2b8-0x2b8 (0)
| | | string_table{}: 0x11b600-0x11b60e (14)
0x11b600|0e 00 00 00 |.... | size: 14 0x11b600-0x11b604 (4)
| | | entries[0:1]: 0x11b604-0x11b60e (10)
0x11b600| 2e 65 68 5f 66 72 61 6d 65 00| | .eh_frame.| | [0]: ".eh_frame" entry 0x11b604-0x11b60e (10)
0x0002b0| 00 00 00 00 00 00 00 00| ........| gap0: raw bits 0x2b8-0x11b600 (1160008)
0x0002c0|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|................|
* |until 0x11b5ff.7 (1160008) | |

12
go.mod
View File

@ -9,7 +9,7 @@ require (
// bump: gomod-BurntSushi/toml /github\.com\/BurntSushi\/toml v(.*)/ https://github.com/BurntSushi/toml.git|^1
// bump: gomod-BurntSushi/toml command go get -d github.com/BurntSushi/toml@v$LATEST && go mod tidy
// bump: gomod-BurntSushi/toml link "Source diff $CURRENT..$LATEST" https://github.com/BurntSushi/toml/compare/v$CURRENT..v$LATEST
github.com/BurntSushi/toml v1.3.2
github.com/BurntSushi/toml v1.4.0
// bump: gomod-creasty-defaults /github\.com\/creasty\/defaults v(.*)/ https://github.com/creasty/defaults.git|^1
// bump: gomod-creasty-defaults command go get -d github.com/creasty/defaults@v$LATEST && go mod tidy
@ -48,7 +48,7 @@ require (
// bump: gomod-golang-x-crypto /golang\.org\/x\/crypto v(.*)/ https://github.com/golang/crypto.git|^0
// bump: gomod-golang-x-crypto command go get -d golang.org/x/crypto@v$LATEST && go mod tidy
// bump: gomod-golang-x-crypto link "Tags" https://github.com/golang/crypto/tags
golang.org/x/crypto v0.23.0
golang.org/x/crypto v0.24.0
// has no tags
// go get -d golang.org/x/exp@master && go mod tidy
@ -57,17 +57,17 @@ require (
// bump: gomod-golang-x-net /golang\.org\/x\/net v(.*)/ https://github.com/golang/net.git|^0
// bump: gomod-golang-x-net command go get -d golang.org/x/net@v$LATEST && go mod tidy
// bump: gomod-golang-x-net link "Tags" https://github.com/golang/net/tags
golang.org/x/net v0.25.0
golang.org/x/net v0.26.0
// bump: gomod-golang-x-term /golang\.org\/x\/term v(.*)/ https://github.com/golang/term.git|^0
// bump: gomod-golang-x-term command go get -d golang.org/x/term@v$LATEST && go mod tidy
// bump: gomod-golang-x-term link "Tags" https://github.com/golang/term/tags
golang.org/x/term v0.20.0
golang.org/x/term v0.21.0
// bump: gomod-golang/text /golang\.org\/x\/text v(.*)/ https://github.com/golang/text.git|^0
// bump: gomod-golang/text command go get -d golang.org/x/text@v$LATEST && go mod tidy
// bump: gomod-golang/text link "Source diff $CURRENT..$LATEST" https://github.com/golang/text/compare/v$CURRENT..v$LATEST
golang.org/x/text v0.15.0
golang.org/x/text v0.16.0
// bump: gomod-gopkg.in/yaml.v3 /gopkg\.in\/yaml\.v3 v(.*)/ https://github.com/go-yaml/yaml.git|^3
// bump: gomod-gopkg.in/yaml.v3 command go get -d gopkg.in/yaml.v3@v$LATEST && go mod tidy
@ -79,6 +79,6 @@ require (
github.com/itchyny/timefmt-go v0.1.5 // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
golang.org/x/sys v0.20.0 // indirect
golang.org/x/sys v0.21.0 // indirect
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
)

24
go.sum
View File

@ -1,5 +1,5 @@
github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
github.com/creasty/defaults v1.7.0 h1:eNdqZvc5B509z18lD8yc212CAqJNvfT1Jq6L8WowdBA=
github.com/creasty/defaults v1.7.0/go.mod h1:iGzKe6pbEHnpMPtfDXZEr0NVxWnPTjb1bbDy08fPzYM=
github.com/ergochat/readline v0.1.1 h1:C8Uuo3ybB23GWOt0uxmHbGzKM9owmtXary6Clrj84s0=
@ -25,18 +25,18 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWb
github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
github.com/wader/gojq v0.12.1-0.20240401131232-6c6bc364201a h1:P881Oecjt9FEXrwkGJ6UObJksxejJaF/fKq1ZfXpiVE=
github.com/wader/gojq v0.12.1-0.20240401131232-6c6bc364201a/go.mod h1:qVrzkUdnBtJvM4twyRQ6xdziPSnSp35dLm4s/DN2iP4=
golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 h1:aAcj0Da7eBAtrTp03QXWvm88pSyOt+UgdZw2BFZ+lEw=
golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=