PEKit

Library for parsing Portable Executable (PE), COFF object, BigObj, and COFF import object files to obtain various information.

Features

• parse PE headers
• parse DOS headers
• parse COFF headers
• parse section tables
• parse symbol tables and string tables
• parse COFF relocations and line numbers
• parse PE data directories
  • export
  • import
  • exception
  • resource
  • base relocation
  • debug
  • TLS
  • load config
  • bound import
  • import address table
  • delay import
  • security
• parse COFF import objects
• parse /bigobj object files
• extract PE, COFF, BigObj, and import object members from archive files

Usage

Load PE file

For reading a PE file, use the PEFile class.

import Foundation
import PEKit

let path = "Path to PE file"
let url = URL(fileURLWithPath: path)
let pe = try PEFile(url: url)

print(pe.header)
print(pe.sections)

COFF object file

For reading a pure COFF object file, use the COFFFile class.

import Foundation
import PEKit

let path = "Path to COFF object file"
let url = URL(fileURLWithPath: path)
let coff = try COFFFile(url: url)

for section in coff.sections {
    print(section.name)
}

for symbol in coff.symbols {
    print(symbol.name(in: coff) ?? "nil")
}

BigObj file

For reading a COFF object file compiled with /bigobj, use the BigObjFile class.

import Foundation
import PEKit

let path = "Path to BigObj file"
let url = URL(fileURLWithPath: path)
let bigObj = try BigObjFile(url: url)

print(bigObj.header)
print(bigObj.sections)
print(bigObj.symbols)

Import object file

For reading a short import object used in COFF import libraries, use the ImportObjectFile class.

import Foundation
import PEKit

let path = "Path to import object file"
let url = URL(fileURLWithPath: path)
let importObject = try ImportObjectFile(url: url)

print(importObject.symbolName ?? "nil")
print(importObject.dllName ?? "nil")
print(importObject.exportName ?? "nil")

Data directories

PEFile provides accessors for PE data directories.

if let exports = pe.exportDirectory {
    print(exports.dllName(in: pe) ?? "nil")
    print(exports.symbols(in: pe) ?? [])
}

if let imports = pe.importDirectory,
   let descriptors = imports.descriptors(in: pe) {
    for descriptor in descriptors {
        print(descriptor.dllName(in: pe) ?? "nil")
    }
}

if let resources = pe.resourceDirectory {
    for child in resources.children(in: pe) {
        print(child)
    }
}

Address conversion

PEFile can convert VA and RVA values to file offsets.

let rva = pe.relativeVirtualAddress(fromVA: 0x180001000)
let fileOffset = pe.fileOffset(fromRVA: 0x1000)

Archive files

PEArchiveKit extends ObjectArchiveKit.ArchiveFile and can extract supported COFF-family members from archive files.

import Foundation
import ObjectArchiveKit
import PEArchiveKit

let path = "Path to archive library"
let url = URL(fileURLWithPath: path)
let archive = try ArchiveFile(url: url)

let peFiles = try archive.peFiles()
let coffFiles = try archive.coffFiles()
let bigObjFiles = try archive.bigObjFiles()
let importObjects = try archive.importObjectFiles()

print(peFiles)
print(coffFiles)
print(bigObjFiles)
print(importObjects)

Example Codes

The test target contains sample code that prints parsed information.

PE file

The following file contains sample code.

PEKitTests

COFF object file

The following file contains sample code.

COFFFileTests

BigObj file

The following file contains sample code.

BigObjFileTests

Import object file

The following file contains sample code.

ImportObjectFileTests

Related Projects

• MachOKit Mach-O parser written in Swift
• ELFKit ELF format parser written in Swift

License

PEKit is released under the MIT License. See LICENSE