PEFramework Explanation

This library offers a minimalistic but complete interface to the PE image data. Most of the documentation can be taken from the PECOFF standard document.

Nevertheless, let's take a look at the general concepts. The main include file is peframework.h.

PEFile struct

Container for any PE image. It can be serialized using the methods LoadFromDisk and WriteToStream. PE image variables should be directly read out of the structs, while modification has to be done carefully (prefer methods over direct access).

PE images are designed to store executable code that is tied to a specific machine type. They can be loaded into a specific memory range. After loading they need to be initialized by the given subsystem (win32, EFI, POSIX, etc). Then the image entry point can be called.

Apart from executable code, PE images offer a resource tree. On Windows it is used to store locale-oriented icons and GUI messages, but the file format allows for more generic usage.

Custom debug information can be stored in the debug data directory. The most popular debug information format is currently the PDB debug database.

If data directories have been changed, the corresponding data directory allocations have to be invalidated so that the data is updated on the next write.

PEFile::PESection struct

A section is a memory-resident data segment. It is created by compilers or other PE image generators and should not be touched after PE image finalization unless you know what you are doing.

New sections are added with the PlaceSection or AddSection methods, to either put the section at a specific offset or allocate it somewhere random.

PEStream class

Virtual stream interface for serialization of PE images. It supports origin-based seek operations as well as reading and writing. Implement this interface to provide custom locations to load PE images from, such as compressed storage.

An STL wrapper implementation is available: PEStreamSTL. It can be constructed from a std::iostream instance.

peframework_exception class

The main exception type of this library. Some of the cases when it is thrown:

  • improper use of API, according to desired behavior
  • serialization errors

PEFramework is designed to be exception-safe.