PE wrapper

class malduck.pe.PE(data, fast_load=False)

Wrapper around pefile.PE; accepts either bytes (raw file contents) or a ProcessMemory instance.

directory(name)

Get a pefile directory entry by identifier

Parameters

name – shortened pefile directory entry identifier (e.g. ‘IMPORT’ for ‘IMAGE_DIRECTORY_ENTRY_IMPORT’)

Return type

pefile.Structure

property dos_header

Dos header

property file_header

File header

property headers_size

Estimated size of the PE headers (offset of the first section). If there are no sections, returns 0x1000, or the size of the input if the provided data is shorter than a single page.

property is32bit

Is it a 32-bit file (PE)?

property is64bit

Is it a 64-bit file (PE+)?

property nt_headers

NT headers

property optional_header

Optional header

resource(name)

Retrieves a single resource by the specified name or type

Parameters

name (int or str or bytes) – string name (second-level entry, e2) or type name (first-level entry, e1); numeric identifier name (e2) or RT_* type constant (e1)

Return type

bytes or None

resources(name)

Finds resource objects by the specified name or type

Parameters

name (int or str or bytes) – string name (second-level entry, e2) or type name (first-level entry, e1); numeric identifier name (e2) or RT_* type constant (e1)

Return type

Iterator[bytes]

section(name)

Get a section by name

Parameters

name (str or bytes) – Section name

property sections

Sections

structure(rva, format)

Get an internal pefile Structure from the specified RVA

Parameters

rva – relative virtual address of the structure

format – pefile.Structure format (e.g. pefile.PE.__IMAGE_LOAD_CONFIG_DIRECTORY64_format__)

Return type

pefile.Structure

validate_import_names()

Returns True if the first 8 imported library entries have valid library names

validate_padding()

Returns True if the area between the first non-bss section and the first 4 kB boundary does not consist only of null bytes

validate_resources()

Returns True if the first level of the resource tree looks consistent
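The header accessors documented above, as an added example: this is an editor-written, pure-stdlib re-implementation, not malduck's or pefile's code. It builds a constructed minimal PE32 image, then parses it to show what headers_size, is32bit/is64bit, section() and directory() compute, the RVA-to-file-offset translation that structure(rva, format) depends on, and one reading of the validate_padding heuristic. The names MiniPE, build_sample_pe and rva_to_offset are chosen here; the validate_padding rule is an assumption derived from the docstring above, not taken from malduck's source.

```python
import struct

# Indices into the optional header's IMAGE_DATA_DIRECTORY array, keyed by the
# shortened names the wrapper's directory() accepts (e.g. "IMPORT").
DIRECTORY_INDEX = {
    "EXPORT": 0, "IMPORT": 1, "RESOURCE": 2, "EXCEPTION": 3, "SECURITY": 4,
    "BASERELOC": 5, "DEBUG": 6, "ARCHITECTURE": 7, "GLOBALPTR": 8, "TLS": 9,
    "LOAD_CONFIG": 10, "BOUND_IMPORT": 11, "IAT": 12, "DELAY_IMPORT": 13,
    "COM_DESCRIPTOR": 14,
}
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x80
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(text_bytes=b"\x55\x8b\xec\xc3", import_rva=0x1100):
    """Constructed 0x400-byte PE32 image (not a real binary): DOS header, NT headers,
    a .text section backed by file data at offset 0x200 and an uninitialised .bss."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_header = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)                    # Magic: PE32
    struct.pack_into("<I", optional, 16, 0x1000)                  # AddressOfEntryPoint
    struct.pack_into("<I", optional, 28, 0x400000)                # ImageBase
    struct.pack_into("<II", optional, 32, 0x1000, 0x200)          # Section/FileAlignment
    struct.pack_into("<I", optional, 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, 96 + 8 * DIRECTORY_INDEX["IMPORT"], import_rva, 0x28)
    sections = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_FMT, b".bss", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    headers = bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + sections
    image = bytearray(0x400)
    image[:len(headers)] = headers
    image[0x200:0x200 + len(text_bytes)] = text_bytes
    return bytes(image)


class MiniPE:
    """Hypothetical stand-in for the wrapper: parses only what the accessors need."""

    def __init__(self, data):
        self.data = data
        if data[:2] != b"MZ":
            raise ValueError("not a PE image: missing MZ signature")
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("not a PE image: missing PE signature")
        self.machine, nsec, _, _, _, opt_size, self.characteristics = \
            struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
        self._opt_off = e_lfanew + 24
        self.magic = struct.unpack_from("<H", data, self._opt_off)[0]
        sec_off = self._opt_off + opt_size
        self.sections = []
        for i in range(nsec):
            f = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
            self.sections.append({"Name": f[0].rstrip(b"\0"), "VirtualSize": f[1],
                                  "VirtualAddress": f[2], "SizeOfRawData": f[3],
                                  "PointerToRawData": f[4], "Characteristics": f[9]})

    @property
    def is32bit(self):
        return self.magic == 0x10B

    @property
    def is64bit(self):
        return self.magic == 0x20B

    @property
    def headers_size(self):
        # Documented rule: raw offset of the first section; with no sections, one
        # page, or the whole input when it is shorter than a page.
        if self.sections:
            return self.sections[0]["PointerToRawData"]
        return min(0x1000, len(self.data))

    def section(self, name):
        name = name.encode() if isinstance(name, str) else name
        return next((s for s in self.sections if s["Name"] == name), None)

    def directory(self, name):
        # Data directories start at optional header offset 96 (PE32) or 112 (PE32+);
        # NumberOfRvaAndSizes sits just before them at 92 / 108.
        base = self._opt_off + (96 if self.is32bit else 112)
        count = struct.unpack_from("<I", self.data, base - 4)[0]
        idx = DIRECTORY_INDEX[name]
        if idx >= count:
            return None
        va, size = struct.unpack_from("<II", self.data, base + 8 * idx)
        return {"VirtualAddress": va, "Size": size}

    def rva_to_offset(self, rva):
        # What structure(rva, format) needs first: an RVA inside the headers maps
        # 1:1; otherwise translate through the section that contains it.
        if rva < self.headers_size:
            return rva
        for s in self.sections:
            span = max(s["VirtualSize"], s["SizeOfRawData"])
            if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
                if s["SizeOfRawData"] == 0:
                    return None  # .bss-style section: no bytes backing it in the file
                return rva - s["VirtualAddress"] + s["PointerToRawData"]
        return None

    def validate_padding(self):
        # Assumed reading of the documented heuristic: take the first section that is
        # not uninitialised data and require that the bytes from its raw offset up to
        # the 4 kB boundary are not all zero. No such section: report False (assumption).
        for s in self.sections:
            if not s["Characteristics"] & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
                return any(self.data[s["PointerToRawData"]:0x1000])
        return False
```

A dumped or truncated image whose first code section is entirely zero fails validate_padding here, which is the kind of inconsistency the validate_* helpers are meant to surface before the rest of the parse is trusted.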