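This article collects typical usage examples of the PE.peFromBytes method in Python. If you are wondering how PE.peFromBytes is used in Python, or are looking for examples of PE.peFromBytes in practice, the selected code example here may help. You can also look further into usage examples of PE, the class this method belongs to.
One code example of the PE.peFromBytes method is shown below; examples are sorted by popularity by default.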
Example 1: is_legit_pe
# Required module import: import PE [as alias]
# Or: from PE import peFromBytes [as alias]
import PE


def is_legit_pe(bytes):
    """
    Load the memory region into a vivisect memory object and try loading the memory region as a PE "from memory".
    If it succeeds and contains valid sections, it's considered a valid PE.

    Parameters:
        bytes : byte string to test
    Returns: bool - True if legit pe, False if not
    """
    try:
        new_pe = PE.peFromBytes(bytes)
        opt_hdr = new_pe.IMAGE_NT_HEADERS.OptionalHeader

        # ImageBase will not be zero and will be page aligned
        if opt_hdr.ImageBase == 0 or opt_hdr.ImageBase & 0xFFF != 0:
            return False
        # The entry point and the headers must fit inside the buffer
        if opt_hdr.AddressOfEntryPoint > len(bytes):
            return False
        if opt_hdr.SizeOfHeaders < 0x80:
            return False
        if opt_hdr.SizeOfHeaders > len(bytes):
            return False

        # Section check
        # Start at 0x80, never seen a PE that has a VirtualAddress for the
        # first section below 0x80, usually > 0x400
        prva = 0x80
        for sect in new_pe.getSections():
            # Section addresses must not decrease and must be 0x100 aligned
            if prva > sect.VirtualAddress:
                return False
            elif sect.VirtualAddress & 0xFF != 0:
                return False
            prva = sect.VirtualAddress

        # Assuming that more than 20 sections in a PE is likely bogus;
        # a PE with no sections at all is rejected as well
        if not 0 < new_pe.IMAGE_NT_HEADERS.FileHeader.NumberOfSections <= 20:
            return False

        # Could do more checks, but leaving at these, hopefully it'll be enough to rule
        # out garbage, but still catch missing MZ or DOS text stubs
    except Exception:
        # Any parsing failure means the buffer is not a usable PE
        return False
    return True