Python pefile.MACHINE_TYPE Examples

def get_info(filename):
	pe = pefile.PE(filename)
	fn = os.path.basename(filename) 		# file name
	fs = os.path.getsize(filename)			# file size (in byte)
	ts = pe.FILE_HEADER.TimeDateStamp 		# timestamp
	dl = pe.FILE_HEADER.IMAGE_FILE_DLL		# dll
	sc = pe.FILE_HEADER.NumberOfSections	# sections

	#print "Optional Header:\t\t", hex(pe.OPTIONAL_HEADER.ImageBase)
	#print "Address Of Entry Point:\t\t", hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)
	#print "Subsystem:\t\t\t", pefile.SUBSYSTEM_TYPE[pe.OPTIONAL_HEADER.Subsystem]
	#machine = 0
	#machine = pe.FILE_HEADER.Machine
	#print "Required CPU type:\t\t", pefile.MACHINE_TYPE[machine]
	#print "Number of RVA and Sizes:\t", pe.OPTIONAL_HEADER.NumberOfRvaAndSizes

	return fn, fs, ts, dl, sc

# Check for version info & metadata 

def set_arch_name(self):
        # TODO ARM

        # TODO Should we check these flags ?
        # pefile.OPTIONAL_HEADER_MAGIC_PE
        # pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS

        # return pefile.MACHINE_TYPE[self.pe.FILE_HEADER.Machine]

        if self.pe.FILE_HEADER.Machine == 0x014c:
            self.arch = "x86"

        if self.pe.FILE_HEADER.Machine == 0x8664:
            self.arch = "x64" 

def hintDisasm(self):

        if self.PE.FILE_HEADER.Machine & pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_AMD64'] == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_AMD64']:
            return DisasmViewMode.Disasm_x86_64bit

        if self.PE.FILE_HEADER.Machine & pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386'] == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386']:
            return DisasmViewMode.Disasm_x86_32bit

        return DisasmViewMode.Disasm_x86_32bit 

def _get_machine_type(self, path):
        try:
            pe = pefile.PE(path)
            format_ = 'PE'
            if pefile.MACHINE_TYPE[pe.FILE_HEADER.Machine].find('I386') != -1:
                arch = '32-bit'
            else:
                arch = '64-bit'
        except pefile.PEFormatError, detail:
            try:
                self._dprint(detail)
                m = MachO(path)
                format_ = 'Mach-O'
                for header in m.headers:
                    if CPU_TYPE_NAMES.get(header.header.cputype,header.header.cputype) == 'x86_64':
                    #if header.MH_MAGIC == MH_MAGIC_64:
                        arch = '64-bit'
                    else:
                        arch = '32-bit'
            except:
                try:
                    elffile = ELFFile(open(path, 'rb'))
                    format_ = 'ELF'
                    e_ident = elffile.header['e_ident']
                    if e_ident['EI_CLASS'] == 'ELFCLASS64':
                        arch = '64-bit'
                    else:
                        arch = '32-bit'
                except:                    
                    return None, None
                    #format_ = 'shellcode'
                    #arch = '32-bit' # 32-bit fixed 

def _get_arch_pe(self, pe_file):
        # get arch
        if pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386']:
            return arch.ARCH_X86
        elif pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_AMD64']:
            return arch.ARCH_X86
        elif pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_ARM']:
            return arch.ARCH_ARM
        elif pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_THUMB']:
            return arch.ARCH_ARM
        else:
            raise Exception("Machine not supported.") 

def _get_arch_mode_pe(self, pe_file):
        # get arch mode
        if pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_I386']:
            return arch.ARCH_X86_MODE_32
        elif pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_AMD64']:
            return arch.ARCH_X86_MODE_64
        elif pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_ARM']:
            return arch.ARCH_ARM_MODE_ARM
        elif pe_file.FILE_HEADER.Machine == pefile.MACHINE_TYPE['IMAGE_FILE_MACHINE_THUMB']:
            return arch.ARCH_ARM_MODE_THUMB
        else:
            raise Exception("Machine not supported.") 

def check_compatibility(cls, spec, obj):
        if hasattr(spec, 'read') and hasattr(spec, 'seek'):
            pe = pefile.PE(data=spec.read(), fast_load=True)
        else:
            pe = pefile.PE(spec, fast_load=True)

        arch = archinfo.arch_from_id(pefile.MACHINE_TYPE[pe.FILE_HEADER.Machine])
        return arch == obj.arch

    #
    # Public methods
    # 

def _identify_arch(self):
        machine = pefile.MACHINE_TYPE[self.helper.FILE_HEADER.Machine]
        if machine == 'IMAGE_FILE_MACHINE_I386':
            return ARCHITECTURE.X86
        elif machine == 'IMAGE_FILE_MACHINE_AMD64':
            return ARCHITECTURE.X86_64
        elif machine == 'IMAGE_FILE_MACHINE_ARM':
            return ARCHITECTURE.ARM
        else:
            return None 

def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.segments = self.sections # in a PE, sections and segments have the same meaning
        self.os = 'windows'
        if self.binary is None:
            self._pe = pefile.PE(data=self._binary_stream.read(), fast_load=True)
            self._parse_pe_non_reloc_data_directories()
        elif self.binary in self._pefile_cache: # these objects are not mutated, so they are reusable within a process
            self._pe = self._pefile_cache[self.binary]
        else:
            self._pe = pefile.PE(self.binary, fast_load=True)
            self._parse_pe_non_reloc_data_directories()
            if not self.is_main_bin:
                # only cache shared libraries, the main binary will not be reused
                self._pefile_cache[self.binary] = self._pe

        if self.arch is None:
            self.set_arch(archinfo.arch_from_id(pefile.MACHINE_TYPE[self._pe.FILE_HEADER.Machine]))

        self.mapped_base = self.linked_base = self._pe.OPTIONAL_HEADER.ImageBase

        self._entry = AT.from_rva(self._pe.OPTIONAL_HEADER.AddressOfEntryPoint, self).to_lva()

        if hasattr(self._pe, 'DIRECTORY_ENTRY_IMPORT'):
            self.deps = [entry.dll.decode().lower() for entry in self._pe.DIRECTORY_ENTRY_IMPORT]
        else:
            self.deps = []

        if self.binary is not None and not self.is_main_bin:
            self.provides = os.path.basename(self.binary).lower()
        else:
            self.provides = None

        self.tls_index_address = None
        self.tls_callbacks = None

        self.supports_nx = self._pe.OPTIONAL_HEADER.DllCharacteristics & 0x100 != 0
        self.pic = self.pic or self._pe.OPTIONAL_HEADER.DllCharacteristics & 0x40 != 0
        if hasattr(self._pe, 'DIRECTORY_ENTRY_LOAD_CONFIG'):
            self.load_config = {name: value['Value'] for name, value in self._pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.dump_dict().items() if name != 'Structure'}
        else:
            self.load_config = {}

        self._exports = {}
        self._ordinal_exports = {}
        self._symbol_cache = self._exports # same thing
        self._handle_imports()
        self._handle_exports()
        if self.loader._perform_relocations:
            # parse base relocs
            self._pe.parse_data_directories(directories=(pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_BASERELOC'],))
            self.__register_relocs()
        # parse TLS
        self._register_tls()
        # parse sections
        self._register_sections()

        self.linking = 'dynamic' if self.deps else 'static'
        self.jmprel = self._get_jmprel()
        self.memory.add_backer(0, self._pe.get_memory_mapped_image())