WIP: pe: Add decoder

Author: wader

format/all/all.go

@@ -40,6 +40,7 @@ import (
 	_ "github.com/wader/fq/format/ogg"
 	_ "github.com/wader/fq/format/opus"
 	_ "github.com/wader/fq/format/pcap"
+	_ "github.com/wader/fq/format/pe"
 	_ "github.com/wader/fq/format/png"
 	_ "github.com/wader/fq/format/postgres"
 	_ "github.com/wader/fq/format/prores"

format/format.go

@@ -145,6 +145,9 @@ var (
 	Opus_Packet         = &decode.Group{Name: "opus_packet"}
 	PCAP                = &decode.Group{Name: "pcap"}
 	PCAPNG              = &decode.Group{Name: "pcapng"}
+	PE                  = &decode.Group{Name: "pe"}
+	PE_COFF             = &decode.Group{Name: "pe_coff"}
+	PE_MSDOS_Stub       = &decode.Group{Name: "pe_msdos_stub"}
 	Pg_BTree            = &decode.Group{Name: "pg_btree"}
 	Pg_Control          = &decode.Group{Name: "pg_control"}
 	Pg_Heap             = &decode.Group{Name: "pg_heap"}

format/pe/pe.go

@@ -0,0 +1,37 @@
+package pe
+
+// https://osandamalith.com/2020/07/19/exploring-the-ms-dos-stub/
+
+import (
+	"github.com/wader/fq/format"
+	"github.com/wader/fq/pkg/decode"
+	"github.com/wader/fq/pkg/interp"
+)
+
+// TODO: probe?
+// TODO: not pe_ prefix for format names?
+
+var peMSDosStubGroup decode.Group
+var peCOFFGroup decode.Group
+
+func init() {
+	interp.RegisterFormat(
+		format.PE,
+		&decode.Format{
+			Description: "Portable Executable",
+			Groups:      []*decode.Group{format.Probe},
+			Dependencies: []decode.Dependency{
+				{Groups: []*decode.Group{format.PE_MSDOS_Stub}, Out: &peMSDosStubGroup},
+				{Groups: []*decode.Group{format.PE_COFF}, Out: &peCOFFGroup},
+			},
+			DecodeFn: peDecode,
+		})
+}
+
+func peDecode(d *decode.D) any {
+
+	d.FieldFormat("ms_dos_stub", &peMSDosStubGroup, nil)
+	d.FieldFormat("coff", &peCOFFGroup, nil)
+
+	return nil
+}