def doExtractPE(deccontent, pos, n):
if pos>0x100: pos-=0x100
else: pos=0
pe = None
if pos+n>len(deccontent):n=len(deccontent)-pos
for i in range(pos, pos+n-2):
if deccontent[i]=='M' and deccontent[i+1]=='Z':
try:
pe = pefile.PE(data = deccontent[i:])
pe = deccontent[i:i+pe.sections[-1].PointerToRawData+pe.sections[-1].SizeOfRawData]
break
except:
pass
return pe
####################################################################
python类PE的实例源码
def get_exported_functions(self):
"""Get the exported function names of this PE file."""
filetype = self.get_type()
if "MS-DOS" not in filetype and "PE32" not in self.get_type():
return
if not HAVE_PEFILE:
if not File.notified_pefile:
File.notified_pefile = True
log.warning("Unable to import pefile (`pip install pefile`)")
return
try:
pe = pefile.PE(self.file_path)
if not hasattr(pe, "DIRECTORY_ENTRY_EXPORT"):
return
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if export.name:
yield export.name
except Exception as e:
log.warning("Error enumerating exported functions: %s", e)
def extract_config(raw_data, key):
config = BASE_CONFIG
pe = pefile.PE(data=raw_data)
rt_string_idx = [
entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries
].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
for entry in rt_string_directory.directory.entries:
if str(entry.name) == 'DCDATA':
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
config = v51_data(data, key)
elif str(entry.name) in config.keys():
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
dec = rc4crypt(unhexlify(data), key)
config[str(entry.name)] = filter(lambda x: x in string.printable, dec)
return config
def get_long_line(data):
try:
raw_config = None
pe = pefile.PE(data=data)
for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries:
if str(entry.name) == "RT_RCDATA":
new_dirs = entry.directory
for entry in new_dirs.entries:
if str(entry.name) == '0':
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
raw_config = data
except:
raw_config = None
if raw_config != None:
return raw_config, 'V1'
try:
m = re.search('\x69\x00\x6F\x00\x6E\x00\x00\x59(.*)\x6F\x43\x00\x61\x00\x6E', data)
raw_config = m.group(0)[4:-12]
return raw_config, 'V2'
except:
return None, None
def get_config(data):
try:
pe = pefile.PE(data=data)
rt_string_idx = [
entry.id for entry in
pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
for entry in rt_string_directory.directory.entries:
if str(entry.name) == "CFG":
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
cleaned = data.replace('\x00', '')
raw_config = cleaned.split('##')
return raw_config
except:
return
def extract_config(raw_data):
pe = pefile.PE(data=raw_data)
try:
rt_string_idx = [
entry.id for entry in
pe.DIRECTORY_ENTRY_RESOURCE.entries
].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
except:
return None
rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
for entry in rt_string_directory.directory.entries:
if str(entry.name) == 'CFG':
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
return data
def extract_config(rawData):
try:
pe = pefile.PE(data=rawData)
try:
rt_string_idx = [
entry.id for entry in
pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
except ValueError:
return None
except AttributeError:
return None
rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
for entry in rt_string_directory.directory.entries:
if str(entry.name) == 'XTREME':
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
return data
except:
return None
def get_config(data):
try:
pe = pefile.PE(data=data)
rt_string_idx = [
entry.id for entry in
pe.DIRECTORY_ENTRY_RESOURCE.entries].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
for entry in rt_string_directory.directory.entries:
if str(entry.name) == "GREAME":
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
raw_config = data.split('####@####')
return raw_config
except:
return None
def extract_config(raw_data):
try:
pe = pefile.PE(data=raw_data)
try:
rt_string_idx = [
entry.id for entry in pe.DIRECTORY_ENTRY_RESOURCE.entries
].index(pefile.RESOURCE_TYPE['RT_RCDATA'])
except:
return None
rt_string_directory = pe.DIRECTORY_ENTRY_RESOURCE.entries[rt_string_idx]
for entry in rt_string_directory.directory.entries:
if str(entry.name) == 'XX-XX-XX-XX' or str(entry.name) == 'CG-CG-CG-CG':
data_rva = entry.directory.entries[0].data.struct.OffsetToData
size = entry.directory.entries[0].data.struct.Size
data = pe.get_memory_mapped_image()[data_rva:data_rva+size]
config = data.split('####@####')
return config
except:
return None
def get_exports(self):
"""
Get a list of exported symbols from the PE file.
Returns:
A list of exported symbol names. If a symbol name is not available,
the ordinal number is used instead.
"""
exports = []
for export in self._pe.DIRECTORY_ENTRY_EXPORT.symbols:
if export.name:
exports.append(export.name)
else:
export.append('%d' % export.ordinal)
return exports
def __setArch(self,filePath):
if not self.__archFlag:
self.__archFlag = True
else:
return
pe = pefile.PE(filePath,fast_load = True)
if pe.OPTIONAL_HEADER.Magic == 0x20b: #PE+ (x64)
self.__IDA_PATH = Config.IDA_PATH.replace("idaq.exe","idaq64.exe")
self.__BINDIFF_PLUGIN = Config.BINDIFF_PLUGIN.replace("zynamics_bindiff_4_0.plw","zynamics_bindiff_4_0.p64")
self.__IDBEXT = ".i64"
else:
#PE (x86)
self.__IDA_PATH = Config.IDA_PATH
self.__BINDIFF_PLUGIN = Config.BINDIFF_PLUGIN
self.__IDBEXT = ".idb"
def __init__(self, enabled=True, imports=False, file_info=False):
"""Creates an instace of the image meta registry.
Arguments
---------
enabled: bool
determines if image meta information should be added to the registry
imports: bool
it instructs the PE module to parse the directory entry import structure
file_info: bool
determines if file information meta data should be extracted from the PE
"""
self.image_metas = {}
self.imports = imports
self.file_info = file_info
self.enabled = enabled
self.full_loaded = False
def unpy2exe(filename, python_version=None, output_dir=None):
"""Process input params and produce output pyc files."""
if python_version is None:
version = __current_magic()
else:
version = versions.get(python_version, __current_magic())
if output_dir is None:
output_dir = '.'
elif not os.path.exists(output_dir):
os.makedirs(output_dir)
pe = pefile.PE(filename)
script_res = get_scripts_resource(pe)
dump = resource_dump(pe, script_res)
code_objects = get_co_from_dump(dump)
for co in code_objects:
save_co_to_pyc(co, version, output_dir)
def __init__(self, filepath):
self.path = filepath
self.filename = os.path.basename(filepath)
self.stream = open(filepath, 'r').read()
if magic.Magic(mime=True).from_file(filepath) == 'application/x-dosexec':
try:
self.pe = pefile.PE(filepath)
self.pedict = self.pe.dump_dict()
except Exception as excp:
print('Failed processing %s') % filepath
# Magic
def ssdeep(self):
return pydeep.hash_file(self.path)
# PE: impash #
def imphash(self):
return self.pe.get_imphash()
# PE: pehash #
def filesize(self):
return os.path.getsize(self.path)
##########
# PE #
##########
# PE : info #
def PE_info(self):
table=[]
try:
for fileinfo in self.pe.FileInfo:
if fileinfo.Key == 'StringFileInfo':
for stringtable in fileinfo.StringTable:
for entry in stringtable.entries.items():
table.append({'Info':entry[0], 'Value':entry[1]})
return table
except Exception as excp:
return 'None'
# PE: type #
def PE_OperatingSystem(self):
if self.pe:
return str(self.pedict['OPTIONAL_HEADER']['MajorOperatingSystemVersion']['Value']) + "." \
+ str(self.pedict['OPTIONAL_HEADER']['MinorOperatingSystemVersion']['Value'])
# PE:Machine type #
def PE_Machine(self):
if self.pe:
machinetype = self.pedict['FILE_HEADER']['Machine']['Value']
mt = {'0x14c': 'x86', '0x0200': 'Itanium', '0x8664': 'x64'}
if type(machinetype) is int:
return mt[str(hex(machinetype))]
else:
return str(machinetype) + ' => Not x86/64 or Itanium'
# PE:Entry Point #