Python pefile.DIRECTORY_ENTRY Examples

The following are 17 code examples of pefile.DIRECTORY_ENTRY(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module pefile , or try the search function .
Example #1
Source File: malwoverview.py    From malwoverview with GNU General Public License v3.0 6 votes vote down vote up
def listimports(fname):

    I = []
    mype2=pefile.PE(fname,fast_load=True)
    if mype2.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress != 0:
        mype2.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])
        if mype2.DIRECTORY_ENTRY_IMPORT is not None:
            for entry in mype2.DIRECTORY_ENTRY_IMPORT:
                for imptab in entry.imports:
                    if imptab.name is None:
                        imptab.name = "None"
                    if imptab.address is None :
                        imptab.address = int(0) 
                    x = hex(int(imptab.address)), imptab.name
                    I.append(x)
    return I 
Example #2
Source File: META_PE_SIGNATURE.py    From fsf with Apache License 2.0 6 votes vote down vote up
def META_PE_SIGNATURE(s, buff):

   sig_buff = []

   pe = pefile.PE(data=buff)

   address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress
   size = pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].Size

   # Eight bytes in due to the struct spec
   # typedef struct _WIN_CERTIFICATE
   # {
   #     DWORD       dwLength;
   #     WORD        wRevision;
   #     WORD        wCertificateType;   
   #     BYTE        bCertificate[ANYSIZE_ARRAY];
   # } WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
   sig_buff = buff[address + 8 : address + 8 + size]
   # Remove sequence and objid structures, 19 bytes
   signed_data, rest = decode(sig_buff[19:], asn1Spec=rfc2315.SignedData())

   return get_cert_info(signed_data) 
Example #3
Source File: PEFileModule.py    From codex-backend with MIT License 6 votes vote down vote up
def initialize(self, sample):
        if(self.already_initialized):
            return self.library
        self.already_initialized = True
        try:
            self.library = pefile.PE(data=sample.getBinary(), fast_load=True)
            # see if this initializations can be done on plugins.
            self.library.parse_data_directories(directories=[
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'],
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT'],
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_TLS'],
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY'],
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']])

        except pefile.PEFormatError:
            # print("parse fail")
            self.library = None
            # print(traceback.format_exc())
            logging.error("Error parsing pefileModule with sample:%s",
                          sample.getID(), exc_info=True) 
Example #4
Source File: PEHeaderReader.py    From codex-backend with MIT License 6 votes vote down vote up
def getImports(self):
        if (self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress == 0):
            return None

        d = {}
        # print(self.pe.DIRECTORY_ENTRY_IMPORT)
        for entry in self.pe.DIRECTORY_ENTRY_IMPORT:
            aux = []
            for i in range(len(entry.dll)):
                if(ord(entry.dll[i]) >= 128):
                    aux.append('.')
                else:
                    aux.append(entry.dll[i])

            dll_name = "".join(aux)

            # print entry.dll
            # print entry.imports
            l = []
            for imp in entry.imports:
                l.append(str(imp.name))
                # print '\t', hex(imp.address), imp.name
            d[unicode(str(dll_name), "utf-8")] = l

        return d 
Example #5
Source File: PEHeaderReader.py    From codex-backend with MIT License 6 votes vote down vote up
def get_import_size_stats(self):
        # self.pe.parse_data_directories() # si if has fast load.
        total = 0
        if (self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress == 0):
            return 0, 0, 0
        for entry in self.pe.DIRECTORY_ENTRY_IMPORT:
            total = total + len(entry.imports)
            # print entry.dll
            # for imp in entry.imports:
            # print '\t', hex(imp.address), imp.name

        cant_librerias = (len(self.pe.DIRECTORY_ENTRY_IMPORT))
        total_imports = total
        promedio = total / cant_librerias

        return total_imports, cant_librerias, promedio 
Example #6
Source File: pe.py    From cle with BSD 2-Clause "Simplified" License 6 votes vote down vote up
def _parse_pe_non_reloc_data_directories(self):
        """
        Parse data directories that is not DIRECTORY_ENTRY_BASERELOC since parsing relocations can take a long time in
        many PE binaries.
        """

        directory_names = (
            'IMAGE_DIRECTORY_ENTRY_EXPORT',
            'IMAGE_DIRECTORY_ENTRY_IMPORT',
            'IMAGE_DIRECTORY_ENTRY_RESOURCE',
            'IMAGE_DIRECTORY_ENTRY_EXCEPTION',
            'IMAGE_DIRECTORY_ENTRY_SECURITY',
            'IMAGE_DIRECTORY_ENTRY_DEBUG',
            'IMAGE_DIRECTORY_ENTRY_COPYRIGHT',
            'IMAGE_DIRECTORY_ENTRY_GLOBALPTR',
            'IMAGE_DIRECTORY_ENTRY_TLS',
            'IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG',
            'IMAGE_DIRECTORY_ENTRY_IAT',
            'IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT',
            'IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR',
            'IMAGE_DIRECTORY_ENTRY_RESERVED',
        )
        directories = tuple(pefile.DIRECTORY_ENTRY[n] for n in directory_names)
        self._pe.parse_data_directories(directories=directories) 
Example #7
Source File: check_file.py    From SSMA with GNU General Public License v3.0 5 votes vote down vote up
def checkTSL(self):
        _tls = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[
            pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_TLS']].VirtualAddress
        if _tls:
            return _tls
        else:
            return None 
Example #8
Source File: ImportsPlug.py    From codex-backend with MIT License 5 votes vote down vote up
def process(self):
        pelib = self._getLibrary(PEFileModule().getName())
        if(pelib is None):
            return ""

        try:
            if (pelib.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']].VirtualAddress == 0):
                return ""
        except Exception, e:
            print str(e)
            return "" 
Example #9
Source File: pe.py    From plasma with GNU General Public License v3.0 5 votes vote down vote up
def load_dyn_sym(self):
        try:
            self.pe.parse_data_directories(
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'])
        except Exception as e:
            raise ExcPEFail(e)

        if hasattr(self.pe, 'DIRECTORY_ENTRY_IMPORT'):
            for entry in self.pe.DIRECTORY_ENTRY_IMPORT:
                for imp in entry.imports:
                    if imp.name is None:
                        continue

                    name = imp.name

                    # erocarrera/pefile returns a bytes but mlaferrera/prefile
                    # returns a string.
                    if isinstance(name, bytes):
                        name = name.decode()

                    n = name

                    if name in self.symbols:
                        name = self.rename_sym(name)

                    self.reverse_symbols[imp.address] = name
                    self.symbols[name] = imp.address

                    # TODO: always a function ?
                    # set the index, but the object is currently None
                    self.func_add_flag(imp.address, n)
                    self.db.functions[imp.address] = None 
Example #10
Source File: peinfo.py    From ida_pdb_loader with MIT License 5 votes vote down vote up
def get_debug_data(pe, type=DEBUG_TYPE[u'IMAGE_DEBUG_TYPE_CODEVIEW']):
    retval = None
    if not hasattr(pe, u'DIRECTORY_ENTRY_DEBUG'):
        # fast loaded - load directory
        pe.parse_data_directories(DIRECTORY_ENTRY[u'IMAGE_DIRECTORY_ENTRY_DEBUG'])
    if not hasattr(pe, u'DIRECTORY_ENTRY_DEBUG'):
        raise PENoDebugDirectoryEntriesError()
    else:
        for entry in pe.DIRECTORY_ENTRY_DEBUG:
            off = entry.struct.PointerToRawData
            size = entry.struct.SizeOfData
            if entry.struct.Type == type:
                retval = pe.__data__[off:off+size]
                break
    return retval 
Example #11
Source File: pefile_test.py    From pefile with MIT License 5 votes vote down vote up
def test_write_header_fields(self):
        """Verify correct field data modification."""

        # Test version information writing
        control_file = os.path.join(REGRESSION_TESTS_DIR, 'MSVBVM60.DLL')
        pe = pefile.PE(control_file, fast_load=True)
        pe.parse_data_directories(
            directories=[
                pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']])

        original_data = pe.write()

        str1 = b'string1'
        str2 = b'str2'
        str3 = b'string3'

        pe.FileInfo[0][0].StringTable[0].entries[b'FileDescription'] = str1
        pe.FileInfo[0][0].StringTable[0].entries[b'FileVersion'] = str2
        pe.FileInfo[0][0].StringTable[0].entries[b'InternalName'] = str3

        new_data = pe.write()

        diff, differences = 0, list()
        for idx in range(len(original_data)):
            if original_data[idx] != new_data[idx]:

                diff += 1
                # Skip the zeroes that pefile automatically adds to pad a new,
                # shorter string, into the space occupied by a longer one.
                if new_data[idx] != 0:
                    differences.append(chr(new_data[idx]))

        # Verify all modifications in the file were the ones we just made
        #
        self.assertEqual(''.join(differences).encode('utf-8', 'backslashreplace'),  str1+str2+str3)

        pe.close() 
Example #12
Source File: malwoverview.py    From malwoverview with GNU General Public License v3.0 5 votes vote down vote up
def listexports(fname):

    E = []
    mype2=pefile.PE(fname,fast_load=True)
    if mype2.OPTIONAL_HEADER.DATA_DIRECTORY[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']].VirtualAddress != 0:
        mype2.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']])
        for exptab in mype2.DIRECTORY_ENTRY_EXPORT.symbols:
            x = hex(mype2.OPTIONAL_HEADER.ImageBase + exptab.address), exptab.name
            E.append(x)
    return E 
Example #13
Source File: windows_memory_patches.py    From MemoryPatchDetector with MIT License 5 votes vote down vote up
def get_relocations(pe, proc, module_base_address):
    try:
        relocations = []
        relocation_table = pe.NT_HEADERS.OPTIONAL_HEADER.DATA_DIRECTORY[
            pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_BASERELOC']]
        rva = relocation_table.VirtualAddress
        size = relocation_table.Size

        if size == 0:
            return []

        rlc_size = pefile.Structure(pe.__IMAGE_BASE_RELOCATION_format__).sizeof()
        end = rva + size
        while rva < end:
            try:
                rlc = pe.__unpack_data__(
                    pe.__IMAGE_BASE_RELOCATION_format__,
                    proc.read(module_base_address + rva, rlc_size),
                    file_offset=pe.get_offset_from_rva(rva))
            except pefile.PEFormatError:
                rlc = None

            if not rlc:
                break
            relocation_entries = parse_relocations(proc, module_base_address, pe, rva + rlc_size, rlc.VirtualAddress,
                                                   rlc.SizeOfBlock - rlc_size)

            relocations.append(
                pefile.BaseRelocationData(
                    struct=rlc,
                    entries=relocation_entries))

            if not rlc.SizeOfBlock:
                break
            rva += rlc.SizeOfBlock

        return relocations
    except Exception as ex:
        print(str(ex)) 
Example #14
Source File: pe.py    From cle with BSD 2-Clause "Simplified" License 4 votes vote down vote up
def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.segments = self.sections # in a PE, sections and segments have the same meaning
        self.os = 'windows'
        if self.binary is None:
            self._pe = pefile.PE(data=self._binary_stream.read(), fast_load=True)
            self._parse_pe_non_reloc_data_directories()
        elif self.binary in self._pefile_cache: # these objects are not mutated, so they are reusable within a process
            self._pe = self._pefile_cache[self.binary]
        else:
            self._pe = pefile.PE(self.binary, fast_load=True)
            self._parse_pe_non_reloc_data_directories()
            if not self.is_main_bin:
                # only cache shared libraries, the main binary will not be reused
                self._pefile_cache[self.binary] = self._pe

        if self.arch is None:
            self.set_arch(archinfo.arch_from_id(pefile.MACHINE_TYPE[self._pe.FILE_HEADER.Machine]))

        self.mapped_base = self.linked_base = self._pe.OPTIONAL_HEADER.ImageBase

        self._entry = AT.from_rva(self._pe.OPTIONAL_HEADER.AddressOfEntryPoint, self).to_lva()

        if hasattr(self._pe, 'DIRECTORY_ENTRY_IMPORT'):
            self.deps = [entry.dll.decode().lower() for entry in self._pe.DIRECTORY_ENTRY_IMPORT]
        else:
            self.deps = []

        if self.binary is not None and not self.is_main_bin:
            self.provides = os.path.basename(self.binary).lower()
        else:
            self.provides = None

        self.tls_index_address = None
        self.tls_callbacks = None

        self.supports_nx = self._pe.OPTIONAL_HEADER.DllCharacteristics & 0x100 != 0
        self.pic = self.pic or self._pe.OPTIONAL_HEADER.DllCharacteristics & 0x40 != 0
        if hasattr(self._pe, 'DIRECTORY_ENTRY_LOAD_CONFIG'):
            self.load_config = {name: value['Value'] for name, value in self._pe.DIRECTORY_ENTRY_LOAD_CONFIG.struct.dump_dict().items() if name != 'Structure'}
        else:
            self.load_config = {}

        self._exports = {}
        self._ordinal_exports = {}
        self._symbol_cache = self._exports # same thing
        self._handle_imports()
        self._handle_exports()
        if self.loader._perform_relocations:
            # parse base relocs
            self._pe.parse_data_directories(directories=(pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_BASERELOC'],))
            self.__register_relocs()
        # parse TLS
        self._register_tls()
        # parse sections
        self._register_sections()

        self.linking = 'dynamic' if self.deps else 'static'
        self.jmprel = self._get_jmprel()
        self.memory.add_backer(0, self._pe.get_memory_mapped_image()) 
Example #15
Source File: static.py    From mac-a-mal-cuckoo with MIT License 4 votes vote down vote up
def _get_signature(self):
        """If this executable is signed, get its signature(s)."""
        dir_index = pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_SECURITY"]
        if len(self.pe.OPTIONAL_HEADER.DATA_DIRECTORY) < dir_index:
            return []

        dir_entry = self.pe.OPTIONAL_HEADER.DATA_DIRECTORY[dir_index]
        if not dir_entry or not dir_entry.VirtualAddress or not dir_entry.Size:
            return []

        if not HAVE_MCRYPTO:
            log.critical("You do not have the m2crypto library installed "
                         "preventing certificate extraction: "
                         "pip install m2crypto")
            return []

        signatures = self.pe.write()[dir_entry.VirtualAddress+8:]
        bio = M2Crypto.BIO.MemoryBuffer(signatures)
        if not bio:
            return []

        pkcs7_obj = M2Crypto.m2.pkcs7_read_bio_der(bio.bio_ptr())
        if not pkcs7_obj:
            return []

        ret = []
        p7 = M2Crypto.SMIME.PKCS7(pkcs7_obj)
        for cert in p7.get0_signers(M2Crypto.X509.X509_Stack()) or []:
            subject = cert.get_subject()
            ret.append({
                "serial_number": "%032x" % cert.get_serial_number(),
                "common_name": subject.CN,
                "country": subject.C,
                "locality": subject.L,
                "organization": subject.O,
                "email": subject.Email,
                "sha1": "%040x" % int(cert.get_fingerprint("sha1"), 16),
                "md5": "%032x" % int(cert.get_fingerprint("md5"), 16),
            })

            if subject.GN and subject.SN:
                ret[-1]["full_name"] = "%s %s" % (subject.GN, subject.SN)
            elif subject.GN:
                ret[-1]["full_name"] = subject.GN
            elif subject.SN:
                ret[-1]["full_name"] = subject.SN

        return ret 
Example #16
Source File: CertficatePlug.py    From codex-backend with MIT License 4 votes vote down vote up
def process2(self):
        pe = self._getLibrary(PEFileModule().getName())
        if(pe is None):
            return ""
        #  get the security directory entry
        address = pe.OPTIONAL_HEADER.DATA_DIRECTORY[
            pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']].VirtualAddress

        if address > 0:
            # Always in DER format AFAIK
            derData = pe.write()[address + 8:]
        else:
            logging.debug("address 0")
            return

        (contentInfo, rest) = decoder.decode(
            derData, asn1Spec=rfc2315.ContentInfo())

        contentType = contentInfo.getComponentByName('contentType')

        if contentType == rfc2315.signedData:
            signedData = decode(contentInfo.getComponentByName(
                'content'), asn1Spec=rfc2315.SignedData())

        for sd in signedData:
            if sd == '':
                continue

            signerInfos = sd.getComponentByName('signerInfos')
            for si in signerInfos:
                issuerAndSerial = si.getComponentByName(
                    'issuerAndSerialNumber')
                issuer = issuerAndSerial.getComponentByName(
                    'issuer').getComponent()
                for i in issuer:
                    for r in i:
                        at = r.getComponentByName('type')
                        if rfc2459.id_at_countryName == at:
                            cn = decode(r.getComponentByName(
                                'value'), asn1Spec=rfc2459.X520countryName())
                            print(cn[0])
                        elif rfc2459.id_at_organizationName == at:
                            on = decode(r.getComponentByName(
                                'value'), asn1Spec=rfc2459.X520OrganizationName())
                            print(on[0].getComponent())
                        elif rfc2459.id_at_organizationalUnitName == at:
                            ou = decode(r.getComponentByName(
                                'value'), asn1Spec=rfc2459.X520OrganizationalUnitName())
                            print(ou[0].getComponent())
                        elif rfc2459.id_at_commonName == at:
                            cn = decode(r.getComponentByName(
                                'value'), asn1Spec=rfc2459.X520CommonName())
                            print(cn[0].getComponent())
                        else:
                            print at 
Example #17
Source File: invisimole_decrypt.py    From malware-research with BSD 2-Clause "Simplified" License 4 votes vote down vote up
def main():

    if len(sys.argv) < 2:
        print('Usage: {0:s} input_dll'.format(sys.argv[0]))
        return

    filename = sys.argv[1]
    pe = pefile.PE(filename)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_RESOURCE']])
    
    RC2CL_offset, RC2CL_size = 0, 0
    RC2FM_offset, RC2FM_size = 0, 0

    if hasattr(pe, 'DIRECTORY_ENTRY_RESOURCE'):
        for resource_type in pe.DIRECTORY_ENTRY_RESOURCE.entries:

            if pefile.RESOURCE_TYPE.get(resource_type.struct.Id, '-') == 'RT_RCDATA':

                if hasattr(resource_type, 'directory'):
                    for resource_id in resource_type.directory.entries:

                        if hasattr(resource_id, 'directory'):
                            for resource_lang in resource_id.directory.entries:

                                if hasattr(resource_lang, 'data'):

                                    if str(resource_id.name) == 'RC2CL':
                                        RC2CL_offset = resource_lang.data.struct.OffsetToData
                                        RC2CL_size = resource_lang.data.struct.Size
                                    elif str(resource_id.name) == 'RC2FM':
                                        RC2FM_offset = resource_lang.data.struct.OffsetToData
                                        RC2FM_size = resource_lang.data.struct.Size

    if RC2CL_offset != 0 and RC2CL_size != 0:
        print('RC2CL resource {0:08X} - {1:08X}'.format(RC2CL_offset, RC2CL_size))

        save_payload(filename, 'RC2CL', pe.get_data(RC2CL_offset, RC2CL_size), RC2CL_size)
    else:
        print('RC2CL resource not found')

    if RC2FM_offset != 0 and RC2FM_size != 0:
        print('RC2FM resource {0:08X} - {1:08X}'.format(RC2FM_offset, RC2FM_size))

        save_payload(filename, 'RC2FM', pe.get_data(RC2FM_offset, RC2FM_size), RC2FM_size)
    else:
        print('RC2FM resource not found')