enable parsing from loaded image

[shuffle2]

Most image formats handled by goblin are stored on disk in a different layout than they'd actually appear in memory if mapped for execution.

At least for PE, pointing goblin at an image that has been loaded into memory results in it erroring out (during processing imports, but i didn't look closer). It would be nice if it Just Worked.

btw, looking at the ImageBase field in the header and comparing to the address of the base of the PE is a reliable way to detect if you're parsing an on-disk image or one which has been loaded.

[m4b]

I believe we have the infra necessary to do this, it’s the pe config you pass to parser to eg resolve rvas I believe. It would be neat to perhaps use the heuristic you suggested to enter into an in-memory parsing mode (by setting the flag perhaps ?)

would you be interested in investigating the issue ?

[shuffle2]

My use case was pretty small so I just rewrote my code (which needed to follow some pointers in the PE) to do the VA translations using the PE headers. It's slower than reading from a mapped image, but it's OK for me for now...so I'm not planning on investing time into this.