Warning
The documentation for PE isn’t quite finished yet! If you want to contribute (or have ideas for better documentation), feel free to send me a pull request or email me.
Bases: object
The PE object is what gets returned after asking for a PE from any of the ways possible
PE.peFromBytes, PE.peFromFileName, or PE.peFromMemoryObject
| Parameters: |
|
|---|---|
| Returns: | an instance of itself. Duh. |
| Return type: |
Make sure an RVA falls inside the valid mapped range for the file. (also make sure it’s not 0...)
Return the “dll name” from the Name field of the IMAGE_EXPORT_DIRECTORY if one is present. If not, return None.
| Returns: | dll name |
|---|---|
| Return type: | str |
Return the name of this file acording to it’s export entry. (if there are no exports, return None)
Return the list of exports in this PE. The list contains tuples in the format; (rva, ord, name).
| Returns: | List of export tuples |
|---|---|
| Return type: | list |
Return the list of forwarders in this PE. The list contains tuples in the format; (rva, name, forwardname).
| Returns: | List of forwarders |
|---|---|
| Return type: | list |
Return the list of import tuples for this PE. The tuples are in the format (rva, libname, funcname).
| Returns: | List of import tuples |
|---|---|
| Return type: | list |
Parse out the PE’s .pdata section bytes.
No parameters, just uses PE.getSectionByName to get and parse .pdata entries.
If the section doesn’t exist, returns an empty tuple.
| Returns: | list of items found |
|---|
Get the (rva, size, codepage) tuple for the specified resource type/id combination. Returns None if not found.
Get the (rtype, nameid, (rva, size, codepage)) tuples for each resource in the PE.
Find the structure based off it’s name.
| Parameters: | name (string) – A file descriptor open with ‘rb’ (read binary) |
|---|---|
| Returns: | a vstruct header section |
| Return type: | vstruct.defs.pe.IMAGE_SECTION_HEADER |
Return the list of sections in this PE in VStruct format.
| Returns: | List of sections |
|---|---|
| Return type: | list |
Get a VS_VERSIONINFO object for this PE. (returns None if version resource is not found)
Returns a PE class for a string of bytes. Basically just passes your bytes into a StringIO() and hands that off to PE.PE
| Parameters: | fbytes (str.) – The bytestring for our PE. |
|---|---|
| Returns: | PE.PE instance of the specified PE. |
| Return type: | PE.PE |
Returns a PE class for a specified file path. Makes sure to open the file in “rb” mode to read binary.
| Parameters: | fname (str.) – The filename of our PE. |
|---|---|
| Returns: | PE.PE instance of the specified PE. |
| Return type: | PE.PE |
Returns a PE class for a string of bytes. Basically just passes your bytes into a StringIO() and hands that off to PE.PE
Example:
>>> # Import vtrace and PE
>>> import vtrace, PE
>>> # Initilize our vtrace.Trace object
>>> trace = vtrace.getTrace()
>>> trace.execute('C:\Path\To\Program\blah.exe')
>>> # Get our library bases
>>> libBase = trace.getMeta("LibraryBases")
>>> # Get the first address of our first entry (not realistic)
>>> base = libBase.items()[0][1]
>>> # Create our PE.PE()
>>> p = PE.peFromMemoryObject(trace, base)
| Parameters: |
|
|---|---|
| Returns: | PE.PE instance of the specified PE (with inmem=True). |
| Return type: |
A helper class to act as a file object, mainly used by PE.peFromMemoryObject. The seek() function sets the current virtual address.
Implements seek(),read() and write() functions for PE.PE to read
| Parameters: |
|
|---|
Resources are sorted into a hierarchy which begins with “type” and then “name/id” which still points to another directory entry which has 1 child (id 1033) with data.
A simple (read-only) VS_VERSIONINFO parser
Return dictionary style key,val tuples for the version keys in this VS_VERSIONINFO structure.
Example: for vskey,vsdata in vs.getVersionItems(): print vskey,vsdata
Some utilities for dealing with COFF .LIB files
Bases: vstruct.VStruct
Bases: vstruct.VStruct
Bases: vstruct.VStruct
Bases: vstruct.VStruct