

Python pefile.PE屬性代碼示例

本文整理匯總了Python中pefile.PE屬性的典型用法代碼示例。如果您正苦於以下問題:Python pefile.PE屬性的具體用法?Python pefile.PE怎麽用?Python pefile.PE使用的例子?那麽, 這裏精選的屬性代碼示例或許可以為您提供幫助。您也可以進一步了解該屬性所在pefile的用法示例。


在下文中一共展示了pefile.PE屬性的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。

示例1: listimports

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
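def listimports(fname):
    """Return the import table of the PE at *fname* as (hex address, name) tuples.

    The file is loaded with ``fast_load=True`` and only the import directory is
    parsed, so no other data directory is touched.  An import that carries no
    name is reported with the literal name "None", and one without an address
    with address 0, so the output shape is stable for callers.

    :param fname: path to the PE file
    :return: list of (hex-string address, name) tuples; empty when the PE has
        no import table
    :raises pefile.PEFormatError: if *fname* is not a valid PE file
    """
    imports = []
    pe = pefile.PE(fname, fast_load=True)
    try:
        import_idx = pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']
        if pe.OPTIONAL_HEADER.DATA_DIRECTORY[import_idx].VirtualAddress != 0:
            pe.parse_data_directories(directories=[import_idx])
            # pefile leaves DIRECTORY_ENTRY_IMPORT unset when the directory
            # does not parse, so a plain `is not None` test can raise
            # AttributeError; getattr with a default covers both cases.
            for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', None) or []:
                for imp in entry.imports:
                    # Read into locals instead of writing back into pefile's
                    # objects; the caller may still be using the PE instance.
                    name = "None" if imp.name is None else imp.name
                    address = 0 if imp.address is None else int(imp.address)
                    imports.append((hex(address), name))
    finally:
        # Release the file handle/mapping pefile holds for a path-based load.
        pe.close()
    return imports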
開發者ID:alexandreborges,項目名稱:malwoverview,代碼行數:18,代碼來源:malwoverview.py

示例2: listsections

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
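def listsections(fname):
    """Print every section name of the PE at *fname* with its entropy.

    Output is a two-column table.  The only platform difference is the number
    of tabs before the entropy column: one when the global ``windows`` flag is
    1, two otherwise.

    :param fname: path to the PE file
    :raises pefile.PEFormatError: if *fname* is not a valid PE file
    """
    pe = pefile.PE(fname)
    try:
        # The two platform branches differed only in this separator.
        entropy_fmt = "\t%5.2f" if windows == 1 else "\t\t%5.2f"
        print("Sections: ", end='')
        print("\t\tEntropy\n")
        for sect in pe.sections:
            # Section names are raw 8-byte fields and are not guaranteed to be
            # valid UTF-8 (packed or malformed samples often use arbitrary
            # bytes); replace undecodable bytes instead of aborting the listing.
            print("%17s" % sect.Name.decode('utf-8', errors='replace'), end='')
            print(entropy_fmt % sect.get_entropy())
    finally:
        pe.close()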
開發者ID:alexandreborges,項目名稱:malwoverview,代碼行數:18,代碼來源:malwoverview.py

示例3: pe_resource_by_name

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
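def pe_resource_by_name(self, resource_name):
        """
        Extract a PE Resource from a binary by name
        :param resource_name: str
        :return: byte array; empty when the PE has no resource directory or no
            entry with that name (when several entries share the name, the
            last one found is returned)
        """
        offset = 0x00
        size = 0x00

        pe = pefile.PE(data=self.file_data)
        # A PE without a resource directory has no DIRECTORY_ENTRY_RESOURCE
        # attribute at all, so guard instead of letting AttributeError escape.
        resource_dir = getattr(pe, 'DIRECTORY_ENTRY_RESOURCE', None)
        if resource_dir is None:
            return b''

        for rsrc in resource_dir.entries:
            for entry in rsrc.directory.entries:
                # ID-only entries have name None; only named ones can match.
                if entry.name is not None and str(entry.name) == resource_name:
                    offset = entry.directory.entries[0].data.struct.OffsetToData
                    size = entry.directory.entries[0].data.struct.Size

        # OffsetToData is an RVA, hence the slice of the memory-mapped image
        # rather than of the raw file bytes.
        return pe.get_memory_mapped_image()[offset:offset + size]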
開發者ID:kevthehermit,項目名稱:RATDecoders,代碼行數:20,代碼來源:fileparser.py

示例4: check_verinfo

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
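def check_verinfo(self, pe):
        """ Determine the version info in a PE file

        Walks ``pe.FileInfo`` and emits one ``key: value`` line per StringTable
        pair and per Var entry.  Returns an empty string when the PE carries no
        VS_VERSIONINFO.

        :param pe: a parsed ``pefile.PE`` object
        :return: newline-joined ``key: value`` lines
        """
        ret = []

        if hasattr(pe, 'VS_VERSIONINFO') and hasattr(pe, 'FileInfo'):
            for entry in pe.FileInfo:
                if hasattr(entry, 'StringTable'):
                    for st_entry in entry.StringTable:
                        for key, value in st_entry.entries.items():
                            ret.append(convert_to_printable(key) + ': ' + convert_to_printable(value))
                elif hasattr(entry, 'Var'):
                    for var_entry in entry.Var:
                        # dict views are not indexable on Python 3, so
                        # keys()[0] raised TypeError; take the first item by
                        # iteration and skip empty entries instead of indexing.
                        if hasattr(var_entry, 'entry') and var_entry.entry:
                            key, value = next(iter(var_entry.entry.items()))
                            ret.append(convert_to_printable(key) + ': ' + value)
        return '\n'.join(ret)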
開發者ID:omriher,項目名稱:CapTipper,代碼行數:18,代碼來源:pescanner.py

示例5: disasmSymbol

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
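def disasmSymbol(self, va):
        """Return the ``dll:symbol`` label of the import whose IAT slot is at *va*.

        Scans the parsed import directory for an import whose address equals
        *va*.  Imports by name yield the cp437-decoded name; imports by ordinal
        yield the ordinal as decimal text (an ordinal takes precedence when both
        are present).

        :param va: virtual address of an import slot
        :return: ``'<dll>:<name>'``, or None when the PE has no import directory
            or no import lives at *va*
        """
        if not hasattr(self.PE, 'DIRECTORY_ENTRY_IMPORT'):
            return None

        # TODO: should implement with a lookup table
        for entry in self.PE.DIRECTORY_ENTRY_IMPORT:
            for imp in entry.imports:
                if imp.address != va:
                    continue

                name = ''
                if imp.name:
                    name = imp.name.decode('cp437')

                # bytes(ordinal) on Python 3 builds <ordinal> NUL bytes rather
                # than the digits, so render the number as text explicitly.
                if imp.ordinal:
                    name = str(imp.ordinal)

                return '{0}:{1}'.format(entry.dll.decode('cp437'), name)

        return None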
開發者ID:mtivadar,項目名稱:qiew,代碼行數:21,代碼來源:pe.py

示例6: kEND

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
def kEND(self, k):
        """Return the end-of-file position expressed in the currently selected
        address type.

        The combo box decides the unit: 'FileAddress' gives the raw data size,
        'RVA' converts that offset to an RVA, and 'VirtualAddress' additionally
        adds the image base.  Any other selection yields None.

        :param k: key argument, unused
        :return: int position in the selected address type, or None
        """
        mode = str(self.ui.comboBox.currentText())
        if mode not in ('FileAddress', 'VirtualAddress', 'RVA'):
            return None

        end_offset = self.plugin.dataModel.getDataSize()
        if mode == 'FileAddress':
            return end_offset

        rva = self.plugin.PE.get_rva_from_offset(end_offset)
        if mode == 'RVA':
            return rva
        return rva + self.plugin.PE.OPTIONAL_HEADER.ImageBase

    # goto address type fa/va/rva 
開發者ID:mtivadar,項目名稱:qiew,代碼行數:18,代碼來源:pe.py

示例7: eventFilter

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
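def eventFilter(self, watched, event):
        """Jump the view to the RVA of the selected tree row when Return is pressed.

        Column 1 of the current item is parsed as an address literal
        (``0x``-prefixed hex or plain decimal) and converted to a file offset
        before the view is moved.  Always returns False so Qt keeps propagating
        the event.

        :param watched: the watched QObject (unused)
        :param event: the QEvent being filtered
        :return: False; the event is never consumed
        """
        if event.type() == QtCore.QEvent.KeyPress and event.key() == QtCore.Qt.Key_Return:
            # get RVA column from treeView
            item = self.widget.currentItem()
            rva = self.widget.indexFromItem(item, 1).data()
            if rva:
                try:
                    # base 0 lets int() honour a "0x" prefix itself
                    rva = int(str(rva), 0)
                except ValueError:
                    # Cell text that is not an address literal: ignore the key
                    # press rather than raise inside the Qt event loop.
                    return False

                offset = self.plugin.PE.get_offset_from_rva(rva)

                self.plugin._viewMode.goTo(offset)

        return False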
開發者ID:mtivadar,項目名稱:qiew,代碼行數:19,代碼來源:pe.py

示例8: run

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
def run(self):
        """Run analysis.
        @return: analysis results dict; empty when the file is missing or is
            not a valid PE.
        """
        if not os.path.exists(self.file_path):
            return {}

        try:
            self.pe = pefile.PE(self.file_path)
        except pefile.PEFormatError:
            return {}

        # Result key -> collector method, invoked in this order once self.pe
        # is available.
        collectors = (
            ("peid_signatures", "_get_peid_signatures"),
            ("pe_imports", "_get_imported_symbols"),
            ("pe_exports", "_get_exported_symbols"),
            ("pe_sections", "_get_sections"),
            ("pe_resources", "_get_resources"),
            ("pe_versioninfo", "_get_versioninfo"),
            ("pe_imphash", "_get_imphash"),
            ("pe_timestamp", "_get_timestamp"),
            ("pdb_path", "_get_pdb_path"),
            ("signature", "_get_signature"),
        )
        results = {}
        for key, method_name in collectors:
            results[key] = getattr(self, method_name)()

        # Count only import entries that name a DLL.
        dll_imports = [imp for imp in results["pe_imports"] if imp.get("dll")]
        results["imported_dll_count"] = len(dll_imports)
        return results
開發者ID:phdphuc,項目名稱:mac-a-mal-cuckoo,代碼行數:27,代碼來源:static.py

示例9: _GetSectionNames

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
def _GetSectionNames(self, pefile_object):
    """Retrieves all PE section names.

    Section names are raw byte fields; each is decoded with the
    'unicode_escape' codec and falls back to its repr() when that fails.

    Args:
      pefile_object (pefile.PE): pefile object.

    Returns:
      list[str]: names of the sections.
    """
    def _decode(raw_name):
      # Fall back to the escaped repr when the bytes cannot be decoded.
      try:
        return raw_name.decode('unicode_escape')
      except UnicodeDecodeError:
        return repr(raw_name)

    return [
        _decode(getattr(section, 'Name', b''))
        for section in pefile_object.sections]
開發者ID:log2timeline,項目名稱:plaso,代碼行數:22,代碼來源:pe.py

示例10: _GetImportTimestamps

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
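def _GetImportTimestamps(self, pefile_object):
    """Retrieves timestamps from the import directory, if available.

    Args:
      pefile_object (pefile.PE): pefile object.

    Returns:
      list[list]: [DLL name, timestamp] pairs, one per import descriptor whose
          TimeDateStamp is non-zero; empty when the PE has no import directory.
    """
    import_timestamps = []
    if not hasattr(pefile_object, 'DIRECTORY_ENTRY_IMPORT'):
      return import_timestamps
    for importdata in pefile_object.DIRECTORY_ENTRY_IMPORT:
      # Default to bytes (not str) so decode() works when the name is missing
      # or pefile stored None for an unreadable name.
      dll_name = getattr(importdata, 'dll', None) or b''
      # A strict ASCII decode succeeds with the same result under
      # errors='replace', so one call replaces the try/except pair.
      dll_name = dll_name.decode('ascii', errors='replace')
      if not dll_name:
        dll_name = '<NO DLL NAME>'

      timestamp = getattr(importdata.struct, 'TimeDateStamp', 0)
      if timestamp:
        import_timestamps.append([dll_name, timestamp])
    return import_timestamps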
開發者ID:log2timeline,項目名稱:plaso,代碼行數:27,代碼來源:pe.py

示例11: _GetResourceTimestamps

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
def _GetResourceTimestamps(self, pefile_object):
    """Retrieves timestamps from resource directory entries, if available.

    Only the top-level resource directory entries are inspected; entries whose
    TimeDateStamp is zero or absent are skipped.

    Args:
      pefile_object (pefile.PE): pefile object.

    Returns:
      list[int]: resource timestamps.
    """
    if not hasattr(pefile_object, 'DIRECTORY_ENTRY_RESOURCE'):
      return []

    timestamps = []
    for resource_entry in pefile_object.DIRECTORY_ENTRY_RESOURCE.entries:
      stamp = getattr(resource_entry.directory, 'TimeDateStamp', 0)
      if not stamp:
        continue
      timestamps.append(stamp)
    return timestamps
開發者ID:log2timeline,項目名稱:plaso,代碼行數:20,代碼來源:pe.py

示例12: _GetDelayImportTimestamps

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
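def _GetDelayImportTimestamps(self, pefile_object):
    """Retrieves timestamps from delay import entries, if available.

    Args:
      pefile_object (pefile.PE): pefile object.

    Returns:
      list[list]: [DLL name, timestamp] pairs, one per delay-import descriptor
          (a zero dwTimeStamp is kept); empty when the PE has no delay import
          directory.
    """
    delay_import_timestamps = []
    if not hasattr(pefile_object, 'DIRECTORY_ENTRY_DELAY_IMPORT'):
      return delay_import_timestamps
    for importdata in pefile_object.DIRECTORY_ENTRY_DELAY_IMPORT:
      # Same guard as the regular import walker: a missing or None name must
      # not raise on decode().
      dll_name = getattr(importdata, 'dll', None) or b''
      # A strict ASCII decode succeeds with the same result under
      # errors='replace', so one call replaces the try/except pair.
      dll_name = dll_name.decode('ascii', errors='replace')
      if not dll_name:
        dll_name = '<NO DLL NAME>'

      timestamp = getattr(importdata.struct, 'dwTimeStamp', 0)
      delay_import_timestamps.append([dll_name, timestamp])
    return delay_import_timestamps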
開發者ID:log2timeline,項目名稱:plaso,代碼行數:25,代碼來源:pe.py

示例13: decrypt_strings

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
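def decrypt_strings(algo, str_tuple, bin_path):
    """Decrypt every encrypted string of the PE at *bin_path*.

    Each (size, addr) pair in *str_tuple* is a virtual address inside the
    loaded image; it is turned into an RVA with the image base so that
    ``pe.get_data`` can read the ciphertext, which is then passed to
    ``decrypt_str`` together with *algo*.

    :param algo: algorithm selector forwarded to ``decrypt_str``
    :param str_tuple: iterable of (size, virtual address) pairs
    :param bin_path: path to the PE file
    :return: list of decrypted strings; pairs that decrypt to None are skipped
    """
    try:
        # Context manager so the handle is released even if pefile rejects it.
        with open(bin_path, "rb") as handle:
            data = handle.read()
        pe = pefile.PE(data=data)
        base_addr = pe.OPTIONAL_HEADER.ImageBase
    except (OSError, pefile.PEFormatError):
        # Narrower than the bare except it replaces, so KeyboardInterrupt and
        # SystemExit propagate; the report-and-exit contract is unchanged.
        print("error: pefile")
        sys.exit(1)

    decrypted = []
    for size, addr in str_tuple:
        # Addresses are VAs; pefile wants RVAs.
        ciphertext = pe.get_data(addr - base_addr, size)
        decrypted_str = decrypt_str(ciphertext, algo)
        if decrypted_str is not None:
            decrypted.append(decrypted_str)

    return decrypted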
開發者ID:AirbusCyber,項目名稱:grap,代碼行數:19,代碼來源:analyze_backspace.py

示例14: dis

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
def dis(self, data, offset, iat_api, bin_instance, verbose=False):
        '''
            Disassemble the PE held in <data>, starting at <offset>.

            data: raw binary of full PE
            offset: offset of the instruction located at <data[offset]>
            iat_api: dict of imported API like {VA_IN_IAT: API_NAME}
            bin_instance: parsed binary object handed through to every helper
            verbose: forwarded to every helper

            Returns the dict of discovered instructions after four passes:
            linear sweep, the _dis pass from <offset>, the exported functions,
            and finally prologue-based discovery of unrecognized functions.
        '''
        # Helpers are called with keyword arguments throughout: their
        # positional order is not part of this method's contract.
        found = self.linear_sweep_cache(
            data=data, offset=offset, insts=dict(), bin_instance=bin_instance,
            verbose=verbose)
        found = self._dis(
            data=data, offset=offset, iat_api=iat_api, bin_instance=bin_instance,
            insts=found, verbose=verbose)

        # Exploration of the exported functions; its return value is not used.
        self._dis_exported_funcs(
            bin_instance=bin_instance, insts=found, data=data, verbose=verbose,
            iat_api=iat_api)

        # Search for unrecognized functions from their prolog function
        return self.dis_prologues(
            data=data, bin_instance=bin_instance, iat_api=iat_api, insts=found,
            verbose=verbose)
開發者ID:AirbusCyber,項目名稱:grap,代碼行數:20,代碼來源:disassembler.py

示例15: open_executable

# 需要導入模塊: import pefile [as 別名]
# 或者: from pefile import PE [as 別名]
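def open_executable(self):
        """Validate ``self.file_path`` and open it for binary reading.

        The path must exist and parse as a PE that is an EXE or a DLL.  On
        success ``self.fPtr`` holds the open handle and ``self.fileSize`` the
        size in bytes.  Every failure prints a message and exits the process
        with status 1.
        """
        try:
            if not os.path.exists(self.file_path):
                raise FileNotFoundException

            # The pefile object is only needed for the is_dll/is_exe check;
            # close it so its handle on the file is not leaked next to fPtr.
            pe_file = pefile.PE(self.file_path)
            try:
                if not (pe_file.is_dll() or pe_file.is_exe()):
                    raise FileFormatException
            finally:
                pe_file.close()

            self.fPtr = open(self.file_path, 'rb')
            self.fileSize = os.stat(self.file_path).st_size
        except FileFormatException:
            print("[-] Not an executable")
            sys.exit(1)
        except FileNotFoundException:
            print("[-] No such file")
            sys.exit(1)
        except Exception:
            # Narrower than the bare except it replaces: KeyboardInterrupt and
            # SystemExit now propagate instead of being reported as an open
            # failure.
            print("[-] Error: Could not open {0}".format(self.file_path))
            sys.exit(1)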
開發者ID:countercept,項目名稱:python-exe-unpacker,代碼行數:22,代碼來源:python_exe_unpack.py


注:本文中的pefile.PE屬性示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。