PE wrapper

class malduck.pe.PE(data: Union[ProcessMemory, bytes], fast_load: bool = False)
Wrapper around pefile.PE, accepts either bytes (raw file contents) or ProcessMemory instance.

directory(name: str) → Any
Get pefile directory entry by identifier
- Parameters
name – shortened pefile directory entry identifier (e.g. ‘IMPORT’ for ‘IMAGE_DIRECTORY_ENTRY_IMPORT’)
- Return type
pefile.Structure

property dos_header
DOS header

property file_header
File header

property headers_size
Estimated size of PE headers (first section offset). If there are no sections, returns 0x1000, or the size of the input if the provided data is shorter than a single page.

property is32bit
Is it a 32-bit file (PE)?

property is64bit
Is it a 64-bit file (PE+)?

property nt_headers
NT headers

property optional_header
Optional header

resource(name: Union[int, str, bytes]) → Optional[bytes]
Retrieves a single resource by the specified name or type
- Parameters
name (int or str or bytes) – String name (e2) or type (e1), numeric identifier name (e2) or RT_* type (e1)
- Return type
bytes or None

resources(name: Union[int, str, bytes]) → Iterator[bytes]
Finds resource objects by the specified name or type
- Parameters
name (int or str or bytes) – String name (e2) or type (e1), numeric identifier name (e2) or RT_* type (e1)
- Return type
Iterator[bytes]

section(name: Union[str, bytes]) → Any
Get section by name
- Parameters
name (str or bytes) – Section name

property sections
Sections

structure(rva: int, format: Any) → Any
Get internal pefile Structure from the specified RVA
- Parameters
rva – Relative virtual address of structure
format – pefile.Structure format (e.g. pefile.PE.__IMAGE_LOAD_CONFIG_DIRECTORY64_format__)
- Return type
pefile.Structure

validate_import_names() → bool
Returns True if the first 8 imported library entries have valid library names
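
The headers_size estimate described above, worked through with only the Python standard library as an added example (this is not malduck's own code). The function names, the treatment of a zero PointerToRawData as "no offset", and the constructed header blob are assumptions made for illustration.

```python
import struct

PAGE = 0x1000  # fallback size named in the headers_size description


def estimate_headers_size(data: bytes) -> int:
    """First section's raw file offset, else min(0x1000, len(data))."""
    fallback = min(PAGE, len(data))
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER starts right after the 4-byte signature.
    (nsections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    if nsections == 0 or table + 40 > len(data):
        return fallback
    # PointerToRawData sits at offset 20 of each 40-byte IMAGE_SECTION_HEADER.
    (raw_ptr,) = struct.unpack_from("<I", data, table + 20)
    return raw_ptr or fallback  # assumption: a zero offset falls back as well


def build_pe(section_raw_ptrs, total=0x400) -> bytes:
    """Constructed header-only blob for the demo (not a loadable executable)."""
    e_lfanew, opt_size = 0x40, 0xE0
    buf = bytearray(total)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, e_lfanew + 4, 0x14C, len(section_raw_ptrs))
    struct.pack_into("<H", buf, e_lfanew + 20, opt_size)
    table = e_lfanew + 24 + opt_size
    for i, ptr in enumerate(section_raw_ptrs):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<8s4I", buf, table + 40 * i,
                         b".sec", 0x1000, 0x1000 * (i + 1), 0x200, ptr)
    return bytes(buf)


if __name__ == "__main__":
    for label, blob in [("two sections", build_pe([0x400, 0x600], total=0x2000)),
                        ("no sections, large input", build_pe([], total=0x2000)),
                        ("no sections, short input", build_pe([], total=0x200))]:
        print(f"{label}: {estimate_headers_size(blob):#x}")
```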