src/engine/include/pe.h

/* pe.h - PE/COFF image parsing (engine-private, Windows-specific).
 *
 * Locating a section by name inside a mapped PE image is a Windows-image
 * concern, not a property of the source-agnostic matcher: it lives in the
 * engine, alongside the rest of the Windows bring-up. Handlers never see this
 * header - they consume only the generic memory model (memmodel.h) and the pure
 * matcher (sigscan.h). The engine uses these to build mem_view_t windows out of
 * a guest image and feed them to the matcher.
 */
#ifndef VMIE_PE_H
#define VMIE_PE_H
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include "memmodel.h"   /* mem_view_t, vmie_mem */

/* One enumerated PE section header, decoded by pe_sections. Mirrors the public
 * win32 section_desc, but stays engine-private (this header is engine-only).
 *   name  - section name, NUL-terminated (PE names are <= 8 bytes; name[8] NUL)
 *   rva   - section RVA (relative to module_base)
 *   vsize - virtual size in bytes
 *   prot  - VR_R/VR_W/VR_X from the section Characteristics (VR_U never set) */
typedef struct { char name[9]; uint32_t rva; uint32_t vsize; uint32_t prot; } pe_secrec;

/* Enumerate the section headers of the PE image based at `module_base` inside a
 * view holding at least the image headers (the first page is enough).
 *   out, max - caller array receiving up to `max` pe_secrec; out may be NULL to
 *              count only. Headers truncated by the view end are not reported.
 * Returns the TOTAL section count (may exceed `max`), or -1 if `v` does not hold
 * a parseable PE at `module_base`. Shares the section-table walk with
 * pe_find_section (one header parser, no duplication). */
int pe_sections(mem_view_t v, uint64_t module_base, pe_secrec* out, int max);

/* Locate a PE section by name within a view that contains at least the image
 * headers at `module_base` (the first page is enough).
 *   module_base - image base VA, must be >= v.base_va and inside `v`
 *   name        - section name, e.g. ".text" (compared up to 8 bytes)
 *   rva_out     - receives the section RVA (relative to module_base); may be NULL
 *   vsize_out   - receives the section virtual size; may be NULL
 * Returns true if found. Only the headers need to be present in `v`; the section
 * body does not. */
bool pe_find_section(mem_view_t v, uint64_t module_base, const char* name,
                     uint64_t* rva_out, uint32_t* vsize_out);

/* Locate a PE section AND return a sub-view spanning it. Requires the whole
 * section body to be present in `v` (true for an in-memory image dump). Prefer
 * scanning ".text" over a whole image: faster, and avoids false hits in data.
 * Returns true and fills *out on success. For guest memory, where the body is
 * usually not co-resident with the headers, use vmie_pe_section. */
bool pe_section(mem_view_t v, uint64_t module_base, const char* name,
                mem_view_t* out);

/* Read a PE section out of guest memory under `cr3` into `buf`.
 *   module_base - image base VA (headers read from the first page)
 *   name        - section name, e.g. ".text"
 *   buf, bufcap - destination buffer and its capacity (section is truncated to fit)
 *   out         - on success, a view spanning the bytes read into `buf`
 * Returns 0 on success, -1 if the headers/section are unreadable or absent. The
 * guest image body need not be co-resident with the headers (unlike pe_section).*/
int vmie_pe_section(vmie_mem* m, uintptr_t cr3, uint64_t module_base,
                    const char* name, uint8_t* buf, size_t bufcap, mem_view_t* out);

#endif /* VMIE_PE_H */
Split the library into CORE / ENGINE / HANDLERS layers 2026-06-15 02:57:46 +03:00			`/* pe.h - PE/COFF image parsing (engine-private, Windows-specific).`
			`*`
			`* Locating a section by name inside a mapped PE image is a Windows-image`
			`* concern, not a property of the source-agnostic matcher: it lives in the`
			`* engine, alongside the rest of the Windows bring-up. Handlers never see this`
			`* header - they consume only the generic memory model (memmodel.h) and the pure`
			`* matcher (sigscan.h). The engine uses these to build mem_view_t windows out of`
			`* a guest image and feed them to the matcher.`
			`*/`
			`#ifndef VMIE_PE_H`
			`#define VMIE_PE_H`
			`#include <stdint.h>`
			`#include <stddef.h>`
			`#include <stdbool.h>`
			`#include "memmodel.h" /* mem_view_t, vmie_mem */`

Add PE section enumeration and section views (section-local / RVA / absolute) 2026-06-16 19:06:59 +03:00			`/* One enumerated PE section header, decoded by pe_sections. Mirrors the public`
			`* win32 section_desc, but stays engine-private (this header is engine-only).`
			`* name - section name, NUL-terminated (PE names are <= 8 bytes; name[8] NUL)`
			`* rva - section RVA (relative to module_base)`
			`* vsize - virtual size in bytes`
			`* prot - VR_R/VR_W/VR_X from the section Characteristics (VR_U never set) */`
			`typedef struct { char name[9]; uint32_t rva; uint32_t vsize; uint32_t prot; } pe_secrec;`

			/* Enumerate the section headers of the PE image based at `module_base` inside a
			`* view holding at least the image headers (the first page is enough).`
			* out, max - caller array receiving up to `max` pe_secrec; out may be NULL to
			`* count only. Headers truncated by the view end are not reported.`
			* Returns the TOTAL section count (may exceed `max`), or -1 if `v` does not hold
			* a parseable PE at `module_base`. Shares the section-table walk with
			`* pe_find_section (one header parser, no duplication). */`
			`int pe_sections(mem_view_t v, uint64_t module_base, pe_secrec* out, int max);`

Split the library into CORE / ENGINE / HANDLERS layers 2026-06-15 02:57:46 +03:00			`/* Locate a PE section by name within a view that contains at least the image`
			* headers at `module_base` (the first page is enough).
			* module_base - image base VA, must be >= v.base_va and inside `v`
			`* name - section name, e.g. ".text" (compared up to 8 bytes)`
			`* rva_out - receives the section RVA (relative to module_base); may be NULL`
			`* vsize_out - receives the section virtual size; may be NULL`
			* Returns true if found. Only the headers need to be present in `v`; the section
			`* body does not. */`
			`bool pe_find_section(mem_view_t v, uint64_t module_base, const char* name,`
			`uint64_t* rva_out, uint32_t* vsize_out);`

			`/* Locate a PE section AND return a sub-view spanning it. Requires the whole`
			* section body to be present in `v` (true for an in-memory image dump). Prefer
			`* scanning ".text" over a whole image: faster, and avoids false hits in data.`
			`* Returns true and fills *out on success. For guest memory, where the body is`
			`* usually not co-resident with the headers, use vmie_pe_section. */`
			`bool pe_section(mem_view_t v, uint64_t module_base, const char* name,`
			`mem_view_t* out);`

			/* Read a PE section out of guest memory under `cr3` into `buf`.
			`* module_base - image base VA (headers read from the first page)`
			`* name - section name, e.g. ".text"`
			`* buf, bufcap - destination buffer and its capacity (section is truncated to fit)`
			* out - on success, a view spanning the bytes read into `buf`
			`* Returns 0 on success, -1 if the headers/section are unreadable or absent. The`
			`* guest image body need not be co-resident with the headers (unlike pe_section).*/`
			`int vmie_pe_section(vmie_mem* m, uintptr_t cr3, uint64_t module_base,`
			`const char* name, uint8_t* buf, size_t bufcap, mem_view_t* out);`

			`#endif /* VMIE_PE_H */`