Parsing PE file in memory #48
Comments
Hi @aelth, I'm not sure if I understand your use case correctly. There is the function Could you elaborate a bit more what you need? Regards,
Hi, I'm sorry, I asked a question in a hurry without thoroughly thinking about it :( What I'm trying to do is to traverse the list of active processes and obtain the PE structure of the mapped file (process image) or any loaded DLL without reading the file from the disk. But, I was actually trying to avoid reading/copying/mapping the entire PE structure and tried to just parse the structures that I'm interested in (for example NT headers and section headers). Sorry again for my misleading question. Cheers,
Very interesting use case. I didn't have that in mind when I wrote PeNet. So you solved your problem by using the NativeStructureParsers? If you have some changes that you would like to see in the official lib, just give me a pull request, or tell me what you need.
At the end I solved my problem by reading the structures directly, taking fixed lengths into account and parsing sizes when needed. It looks something like this:
It is a bit hacky and I'm using PeNet structures directly, but it works :) Regarding the pull request, I don't think I have one, I just used the structures as described... Thanks again for your help! aelth
Alright, good to hear that you found a solution. I'll close the issue. Whenever you have another question or idea feel free to create a new one.
Hi,
first of all thanks for PeNet, it is a great library!
I have one feature request - the ability to parse PE file directly from memory, without the need to copy the contents to another buffer.
I tried to implement this myself using Streams, but I got stuck since the byte array usage is used in every parser and it seems to me that switch to memory streams would be very consuming (although I might be wrong).
Thanks,
aelth
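
The approach described in the thread (reading only the fixed-length DOS, NT and section headers instead of copying the whole image) can be sketched as follows. This is an added example, not aelth's code and not part of PeNet; it uses no PeNet types, the `read` callback is a hypothetical stand-in for whatever fetches bytes from the target process, and the `e_lfanew` cap is an arbitrary sanity limit. Every length taken from the remote headers is checked before it drives a further read.

```csharp
using System;
using static System.Buffers.Binary.BinaryPrimitives;
using System.Collections.Generic;
using System.Text;

// Constructed sample: a 0x200-byte header region with one section, standing in for
// bytes fetched from a live process. The read callback (offset, length) is hypothetical.
byte[] img = new byte[0x200];
WriteUInt16LittleEndian(img, 0x5A4D);                    // e_magic "MZ"
WriteInt32LittleEndian(img.AsSpan(0x3C), 0x80);          // e_lfanew
WriteUInt32LittleEndian(img.AsSpan(0x80), 0x00004550);   // "PE\0\0"
WriteUInt16LittleEndian(img.AsSpan(0x86), 1);            // NumberOfSections
WriteUInt16LittleEndian(img.AsSpan(0x94), 0xF0);         // SizeOfOptionalHeader
Encoding.ASCII.GetBytes(".text").CopyTo(img, 0x188);     // first section name
foreach (var s in PeHeaders.ReadSections((off, len) => img.AsSpan((int)off, len).ToArray()))
    Console.WriteLine($"{s.Name} rva=0x{s.VirtualAddress:X} vsize=0x{s.VirtualSize:X}");

public record SectionInfo(string Name, uint VirtualSize, uint VirtualAddress, uint Characteristics);

public static class PeHeaders
{
    public static List<SectionInfo> ReadSections(Func<long, int, byte[]> read)
    {
        byte[] dos = Exact(read(0, 64), 64);                 // IMAGE_DOS_HEADER
        if (ReadUInt16LittleEndian(dos) != 0x5A4D) throw new InvalidOperationException("no MZ");
        int lfanew = ReadInt32LittleEndian(dos.AsSpan(0x3C));
        if (lfanew <= 0 || lfanew > 0x10000) throw new InvalidOperationException("bad e_lfanew");
        byte[] nt = Exact(read(lfanew, 24), 24);             // signature + IMAGE_FILE_HEADER
        if (ReadUInt32LittleEndian(nt) != 0x00004550) throw new InvalidOperationException("no PE");
        int count = ReadUInt16LittleEndian(nt.AsSpan(6));    // NumberOfSections
        int optSize = ReadUInt16LittleEndian(nt.AsSpan(20)); // SizeOfOptionalHeader
        if (count > 96) throw new InvalidOperationException("too many sections"); // loader limit
        // The section table follows the optional header; each entry is 40 bytes.
        byte[] table = Exact(read(lfanew + 24L + optSize, count * 40), count * 40);
        var sections = new List<SectionInfo>(count);
        for (int i = 0; i < count; i++)
        {
            ReadOnlySpan<byte> h = table.AsSpan(i * 40, 40);
            sections.Add(new SectionInfo(
                Encoding.ASCII.GetString(h.Slice(0, 8)).TrimEnd('\0'),
                ReadUInt32LittleEndian(h.Slice(8)),          // VirtualSize
                ReadUInt32LittleEndian(h.Slice(12)),         // VirtualAddress
                ReadUInt32LittleEndian(h.Slice(36))));       // Characteristics
        }
        return sections;
    }

    static byte[] Exact(byte[] data, int expected) =>       // reject null or short reads
        data != null && data.Length == expected ? data : throw new InvalidOperationException("short read");
}
```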