This page collects typical usage examples of the Python method PE.peFromBytes (from the vivisect PE parser). If you are wondering how PE.peFromBytes is used in practice, the selected method code example below may help. You can also look further into the usage examples of the class PE that this method belongs to.
One code example of PE.peFromBytes is shown below; examples are sorted by popularity by default. You can upvote examples you find useful; your ratings help the site recommend better Python code examples.
Example 1: is_legit_pe
# Required module: import PE [as an alias]
# or: from PE import peFromBytes [as an alias]
import PE  # vivisect's PE parser


def is_legit_pe(bytes):
    """
    Load the memory region into a vivisect memory object and try loading the memory region as a PE "from memory".
    If it succeeds and contains valid sections, it's considered a valid PE.
    Parameters:
        bytes : byte string to test
    Returns: bool - True if legit pe, False if not
    """
    try:
        new_pe = PE.peFromBytes(bytes)
        # ImageBase will not be zero and will be page aligned
        if (
            new_pe.IMAGE_NT_HEADERS.OptionalHeader.ImageBase == 0
            or new_pe.IMAGE_NT_HEADERS.OptionalHeader.ImageBase & 0xFFF != 0
        ):
            return False
        if new_pe.IMAGE_NT_HEADERS.OptionalHeader.AddressOfEntryPoint > len(bytes):
            return False
        if new_pe.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders < 0x80:
            return False
        if new_pe.IMAGE_NT_HEADERS.OptionalHeader.SizeOfHeaders > len(bytes):
            return False
        # Section check
        # Start at 0x80, never seen a PE that has a VirtualAddress for the
        # first section below 0x80, usually > 0x400
        prva = 0x80
        for sect in new_pe.getSections():
            if prva > sect.VirtualAddress:
                return False
            elif sect.VirtualAddress & 0xFF != 0:
                return False
            prva = sect.VirtualAddress
        # Assuming that more than 20 sections in a PE is likely bogus; a
        # section count of zero is rejected as well. (A chained comparison of
        # the form `0 >= n > 20` can never be true, so the count must be
        # range-checked explicitly.)
        nsects = new_pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections
        if not 0 < nsects <= 20:
            return False
        # Could do more checks, but leaving at these, hopefully it'll be enough to rule
        # out garbage, but still catch missing MZ or DOS text stubs
    except Exception:
        # Any parse failure (truncated headers, bad offsets) means "not a PE"
        return False
    return True
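The example above depends on vivisect, which makes the heuristic hard to exercise in isolation. The following is an added example, not code from the page or from the project the snippet was taken from: it re-implements the same header checks with only the standard library (header offsets come from the PE/COFF format, not from the page), and pairs them with a constructed minimal PE32 builder so each rejection path can be tested offline. The names `_parse_headers` and `build_sample_pe` are my own. Two choices are mine as well: a wiped "MZ" stamp is tolerated, in the spirit of the original comment about catching PEs with missing DOS stubs, but the "PE\0\0" signature is required, and a section count of zero is treated as invalid.

```python
import struct

# Layout constants from the PE/COFF format (not page-specific values).
_DOS_E_LFANEW_OFF = 0x3C          # DWORD offset of the NT headers
_PE_SIGNATURE = b"PE\0\0"
_FILE_HEADER_LEN = 20
_SECTION_HEADER_LEN = 40
_PE32_MAGIC = 0x10B
_PE32PLUS_MAGIC = 0x20B


def _parse_headers(data):
    """Return (num_sections, image_base, entry_point, size_of_headers, section_rvas).

    Raises ValueError/struct.error on malformed input. A wiped 'MZ' stamp is
    tolerated on purpose; only e_lfanew and the PE signature are required.
    """
    if len(data) < _DOS_E_LFANEW_OFF + 4:
        raise ValueError("too short for a DOS header")
    e_lfanew = struct.unpack_from("<I", data, _DOS_E_LFANEW_OFF)[0]
    if data[e_lfanew:e_lfanew + 4] != _PE_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr = struct.unpack_from("<HHIIIHH", data, fh)
    num_sections, size_of_opt = hdr[1], hdr[5]
    opt = fh + _FILE_HEADER_LEN
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == _PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == _PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    sect_table = opt + size_of_opt
    rvas = []
    for i in range(num_sections):
        off = sect_table + i * _SECTION_HEADER_LEN
        rvas.append(struct.unpack_from("<I", data, off + 12)[0])  # VirtualAddress
    return num_sections, image_base, entry, size_of_headers, rvas


def is_legit_pe(data):
    """Same heuristic as the vivisect-based version, standard library only."""
    try:
        nsect, image_base, entry, size_of_headers, rvas = _parse_headers(data)
    except (ValueError, struct.error):
        return False
    if image_base == 0 or image_base & 0xFFF != 0:      # non-zero, page aligned
        return False
    if entry > len(data):
        return False
    if not 0x80 <= size_of_headers <= len(data):
        return False
    if not 0 < nsect <= 20:                              # 0 or >20 sections: bogus
        return False
    prva = 0x80                                          # first RVA never below 0x80
    for rva in rvas:
        if rva < prva or rva & 0xFF != 0:                # monotonic and aligned
            return False
        prva = rva
    return True


def build_sample_pe(image_base=0x400000, entry=0x1000, section_rvas=(0x1000, 0x2000),
                    size_of_headers=0x200, total_len=0x3000, wipe_mz=False):
    """Constructed minimal PE32 image for testing (not a real binary): DOS stub,
    PE signature, file header, 0xE0-byte optional header, section table, padding."""
    e_lfanew, opt_len = 0x40, 0xE0
    buf = bytearray(total_len)
    buf[0:2] = b"\0\0" if wipe_mz else b"MZ"
    struct.pack_into("<I", buf, _DOS_E_LFANEW_OFF, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = _PE_SIGNATURE
    fh = e_lfanew + 4
    # Machine=i386, NumberOfSections, timestamp, symtab, nsyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, fh, 0x14C, len(section_rvas), 0, 0, 0, opt_len, 0x0102)
    opt = fh + _FILE_HEADER_LEN
    struct.pack_into("<H", buf, opt, _PE32_MAGIC)
    struct.pack_into("<I", buf, opt + 16, entry)
    struct.pack_into("<I", buf, opt + 28, image_base)
    struct.pack_into("<I", buf, opt + 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", buf, opt + 36, 0x200)       # FileAlignment
    struct.pack_into("<I", buf, opt + 60, size_of_headers)
    sect = opt + opt_len
    for i, rva in enumerate(section_rvas):
        off = sect + i * _SECTION_HEADER_LEN
        buf[off:off + 8] = (b".sect" + str(i).encode()).ljust(8, b"\0")
        struct.pack_into("<II", buf, off + 8, 0x100, rva)  # VirtualSize, VirtualAddress
    return bytes(buf)


if __name__ == "__main__":
    print("well-formed:", is_legit_pe(build_sample_pe()))
    print("ImageBase 0:", is_legit_pe(build_sample_pe(image_base=0)))
    print("unaligned section RVA:", is_legit_pe(build_sample_pe(section_rvas=(0x1000, 0x2080))))
```

Running the module prints True for the well-formed sample and False for the two malformed variants. Keeping the parsing separate from the policy checks makes it easy to see which heuristic rejected a blob when tuning thresholds against real memory dumps.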