2
--------------------------------------------------------------------
3
pefile - Portable Executable reader module
4
--------------------------------------------------------------------
9
pefile will allow to access from any Python script all (or most) of the contents
12
The structures defined in the Windows header files will be accessible as the
13
PE instance attributes and will have the same names as defined there.
14
(The main structures will have the standard capitalized names and will be
15
attributes of the PE instance. Their members will be attributes.)
17
Other attributes and data, which require further processing but are very useful
18
will be available as lowercase attributes. Some of those are, the imported and
19
exported symbols and the sections, with direct access to their data (if any) and
20
convenient methods to retrieve data based on the address as if the file were
21
loaded, instead of needing to dig the offsets into the file.
25
Starting from pefile 1.2 it's possible to write back any changes done to the PE
26
file. One has to be careful with this functionality as it will not be very
27
intelligent reconstructing the PE file. That is, it will not handle displacing
28
structures if that would be needed because a new section has been added.
29
The rule of thumb is, if there's room for an additional header/structure to fit
30
then there'll be no problem and pefile will write it.
31
All other modifications, i.e. changing individual values in header/structure
32
members should work well.
33
One possible useful application of this could be to correct malformed headers
34
used by some malware in order to cause certain analysis tools to malfunction.
39
Last versions are available at:
41
http://dkbza.org/pefile.html
46
Just importing it should suffice. The module should be endianness independent and
47
it's known to work on OS X, Windows, and Linux.
52
There might be some obscure info which is not readily accessible, this may be
53
due to my ignorance or laziness. Patches or suggestions are, as usual, welcomed.
55
Thinks known to be missing so far:
57
-Reading and processing the exceptions directory entry. (Architecture dependent
62
Given the amount of information embedded in the PE file format it is difficult
63
to test all the data retrieved thoroughly. I did my best trying and verifying
64
the accuracy of all the parsing. Most of the basic data has been tested by using
65
this module, so no outrageously obvious problems should exist. Any feedback on
66
inconsistent or faulty behavior will be welcome.
68
-------------------------------------------------------------------------
69
Copyright (c) 2005-2013 Ero Carrera <ero@dkbza.org>. All rights reserved.
70
-------------------------------------------------------------------------