PE wrapper

class malduck.pe.PE(data: ProcessMemory | bytes, fast_load: bool = False)

Wrapper around pefile.PE. Accepts either bytes (raw file contents) or a ProcessMemory instance; fast_load is forwarded to pefile.PE so that parsing of the data directories can be deferred.

directory(name: str) → Any

Get a pefile data directory entry by identifier.

Parameters:

name – shortened pefile directory entry identifier (e.g. 'IMPORT' for 'IMAGE_DIRECTORY_ENTRY_IMPORT')

Return type:

pefile.Structure

property dos_header: Any

DOS header

property file_header: Any

File header

property headers_size: int

Estimated size of the PE headers (offset of the first section). If there are no sections, returns 0x1000, or the size of the input if the provided data is shorter than a single page.

property is32bit: Any

True if the file is 32-bit (PE32).

property is64bit: Any

True if the file is 64-bit (PE32+).

property nt_headers: Any

NT headers

property optional_header: Any

Optional header

resource(name: int | str | bytes) → bytes | None

Retrieves a single resource by the specified name or type; returns None if nothing matches.

Parameters:

name (int or str or bytes) – Resource type (first level of the resource tree) or resource name (second level). A str or bytes value matches a string type or name; an int matches a numeric name identifier or an RT_* type identifier.

Return type:

bytes or None

resources(name: int | str | bytes) → Iterator[bytes]

Finds all resources matching the specified name or type and yields their raw contents.

Parameters:

name (int or str or bytes) – Resource type (first level of the resource tree) or resource name (second level). A str or bytes value matches a string type or name; an int matches a numeric name identifier or an RT_* type identifier.

Return type:

Iterator[bytes]

section(name: str | bytes) → Any

Get the pefile section object by section name.

Parameters:

name (str or bytes) – Section name

property sections: list

Sections

structure(rva: int, format: Any) → Any

Parse an internal pefile Structure from data at the specified RVA.

Parameters:
  • rva – Relative virtual address of the structure

  • format – pefile.Structure format description (e.g. pefile.PE.__IMAGE_LOAD_CONFIG_DIRECTORY64_format__)

Return type:

pefile.Structure

validate_import_names() → bool

Returns True if the first 8 imported library (DLL) entries have valid library names. A cheap sanity check that the import table has not been corrupted or overwritten.

validate_padding() → bool

Returns True if the area between the first non-BSS section's raw data and the first 4 kB of the input is not made up solely of null bytes. A memory image re-read as a raw file typically fails this check, because its PointerToRawData values then point into zero padding.

validate_resources() → bool

Returns True if the first level of the resource tree looks consistent.
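The following is an added, stand-alone example; it is not malduck's or pefile's own code. It constructs a minimal PE32 in memory (the sample bytes are constructed, not taken from any real binary), re-implements the documented semantics of headers_size, is32bit and validate_padding in plain Python so that what those checks actually look at is visible, and asks the same questions through the malduck.pe.PE methods documented above when malduck happens to be installed. Two assumptions are labelled in the code: BSS-like sections (no raw data) are skipped when computing the first section offset, and an empty region between the first section and the 4 kB mark is treated as passing validate_padding.

```python
"""Stand-alone illustration of the checks malduck.pe.PE exposes (headers_size,
is32bit/is64bit, section, validate_padding) against a PE32 built in memory.
The parsers below re-implement the documented semantics for teaching purposes;
they are NOT malduck's or pefile's own code."""
import struct

PAGE = 0x1000          # the "single page" used by headers_size / validate_padding
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def build_pe32(text_bytes: bytes, raw_ptr: int = 0x400, size: int = PAGE) -> bytes:
    """Constructed sample: minimal PE32 with one .text section whose raw data
    sits at raw_ptr. Every other byte below the 4 kB mark is zero."""
    raw_size = -(-len(text_bytes) // FILE_ALIGN) * FILE_ALIGN     # FileAlignment-rounded
    image = bytearray(size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)                     # e_lfanew
    image[0x40:0x44] = b"PE\x00\x00"
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # I386, 1 section, PE32 opt hdr
    opt_hdr = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 14, 0,                                  # Magic PE32, linker version
        len(text_bytes), 0, 0,                         # SizeOfCode/InitializedData/UninitializedData
        SECTION_ALIGN, SECTION_ALIGN, SECTION_ALIGN,   # EntryPoint, BaseOfCode, BaseOfData
        0x00400000, SECTION_ALIGN, FILE_ALIGN,         # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                              # OS / image / subsystem versions
        0, 2 * SECTION_ALIGN, FILE_ALIGN, 0,           # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                          # Subsystem WINDOWS_GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,            # stack/heap reserve+commit
        0, 16,                                         # LoaderFlags, NumberOfRvaAndSizes
    ) + bytes(16 * 8)                                  # 16 empty data directories
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), SECTION_ALIGN,
                           raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)  # CODE|EXECUTE|READ
    hdrs = file_hdr + opt_hdr + sect_hdr
    image[0x44:0x44 + len(hdrs)] = hdrs
    image[raw_ptr:raw_ptr + len(text_bytes)] = text_bytes
    return bytes(image)


def parse_headers(data: bytes) -> dict:
    """Just enough header parsing for the checks below (what pefile would hand back)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\x00"), "vsize": vsize, "va": va,
                         "rsize": rsize, "rptr": rptr})
        off += 40
    return {"magic": magic, "sections": sections}


def is32bit(data: bytes) -> bool:
    """Optional header Magic: 0x10B is PE32 (is32bit), 0x20B is PE32+ (is64bit)."""
    return parse_headers(data)["magic"] == 0x10B


def headers_size(data: bytes) -> int:
    """Documented headers_size semantics: offset of the first section's raw data;
    with no sections, one page or the whole input if it is shorter than a page.
    Assumption: BSS-like sections (no raw data) are skipped so they don't yield 0."""
    with_data = [s["rptr"] for s in parse_headers(data)["sections"] if s["rsize"] and s["rptr"]]
    return min(with_data) if with_data else min(PAGE, len(data))


def validate_padding(data: bytes) -> bool:
    """Documented validate_padding semantics: True if the bytes from the first
    non-BSS section's raw pointer up to the 4 kB mark are not all zero. A memory
    image dumped and re-read as a file typically fails this, because its
    PointerToRawData then points into the zero padding before the first page."""
    for s in parse_headers(data)["sections"]:
        if not s["rsize"] or not s["rptr"]:     # BSS / virtual section: nothing on disk
            continue
        region = data[s["rptr"]:PAGE]
        return not region or any(region)         # assumption: empty region counts as passing
    return False


def triage_with_malduck(data: bytes):
    """The same questions through the documented malduck.pe.PE API; returns None
    when malduck is not installed so the rest of this example stays offline."""
    try:
        from malduck.pe import PE
    except ImportError:
        return None
    pe = PE(data)
    return {"is32bit": bool(pe.is32bit), "is64bit": bool(pe.is64bit),
            "headers_size": pe.headers_size,
            "text_section": pe.section(".text") is not None,
            "validate_padding": pe.validate_padding()}


if __name__ == "__main__":
    file_layout = build_pe32(b"\x55\x8b\xec\x90\xc3" + b"\xcc" * 27)  # real code at PointerToRawData
    dumped_image = build_pe32(bytes(32))                              # only zeros there
    print(hex(headers_size(file_layout)), is32bit(file_layout))
    print(validate_padding(file_layout), validate_padding(dumped_image))
    print(triage_with_malduck(file_layout))
```

The two constructed inputs differ only in what lies at PointerToRawData: the first carries code there and passes validate_padding, the second has nothing but zeros there, which is what a dumped image looks like when read as a raw file, and fails it. That is the distinction the validators exist to make before the wrapper's other accessors are trusted.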