PE: add overlay detection #344
Conversation
|
Final offset computation is not very expensive, but tell me if you want it not to be computed until the user actually calls |
There was a problem hiding this comment.
Don't calculate this in PeFile::parse. We try to make things lazily calculated as much as possible, for two reasons:
- it avoids unnecessary work and code bloat for users that don't need it
- it avoids potential parsing errors for parts of the file that users may not care about
Don't add methods to the unified API unless they are needed for its implementation. Instead, add things like this to the lower level API.
I'm not keen on adding concepts like "overlay" data that are not officially defined. This would better belong in a malware analysis crate built on top of this crate. And only looking at the end of the file seems wrong to me. That may be the easiest place to add "overlay" data, but it's not the only place.
So instead, I would like to see a method such as SectionTable::maximum_file_offset that returns the maximum section end file offset, and then you can do whatever you want with that (such as comparing it with the file size or data directories).
|
Thanks for your review. I've made changes to implement only a |
This change adds supports for overlay detection in
object.A data overlay is defined as the part of a PE file that is not declared in its headers, i.e. the part of the file past all declared sections.
That's a place where e.g. authenticode certificates are embedded (and where some binaries may also use to conceal data)