首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. 软件逆向
    3. 发新帖
7
[原创]利用python+pefile库做PE格式文件的快速开发
发表于: 2009-5-25 16:26 43211

[原创]利用python+pefile库做PE格式文件的快速开发

jmpjerryy 活跃值
2
2009-5-25 16:26
43211

发现很多的朋友经常用到PE格式相关的开发,如解析PE文件的格式,获取相关的内容。比如常常用到的静态的病毒启发式检测模型的建立、病毒样本分类、查壳脱壳等。
搜索了一下发现论坛里面没有我要讲的这个东西,于是我在这里向大家推荐pefile这个python库。

这个是基于MIT licence的一个开源项目,你可以在上面做更多的开发。
开发包的下载地址
http://code.google.com/p/pefile/

我觉得有以下几点大家可以注意:
1. 这个需要使用python语言开发,优点是敏捷开发,方便快捷,而且源代码可读,易懂,当然肯定不会用于商业的,作为学习研究非常方便。
2. 由于基于PE的结构pefile已经做了非常充分的解析,所以对于我们做二次开发非常方便。各种关键的数据结构能够非常容易的获得。
3. 由于python的编写的快速、低门槛。另外pefile已经做了很多的功能,这个pefile模块非常适合需要快速达到目的和一些需要入门的朋友。
4. 免费的开源项目

话不多说,直接教大家使用,看完后,方可知道pefile的强大。

1
2
1. 当然是要安装python开发包。
2. 下载pefile到本地,解压,新建一个文件petest.py
1
2
3
4
5
6
7
8
9
实验一
import os, string, shutil,re
import pefile ##记得import pefile
 
PEfile_Path = r"C:\temp\test.exe"
 
pe = pefile.PE(PEfile_Path)
print PEfile_Path
print pe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
实验一结果
C:\temp\test.exe
----------DOS_HEADER----------
 
[IMAGE_DOS_HEADER]
e_magic:                       0x5A4D    
e_cblp:                        0x90      
e_cp:                          0x3       
e_crlc:                        0x0       
e_cparhdr:                     0x4       
e_minalloc:                    0x0       
e_maxalloc:                    0xFFFF    
e_ss:                          0x0       
e_sp:                          0xB8      
e_csum:                        0x0       
e_ip:                          0x0       
e_cs:                          0x0       
e_lfarlc:                      0x40      
e_ovno:                        0x0       
e_res:                         
e_oemid:                       0x0       
e_oeminfo:                     0x0       
e_res2:                        
e_lfanew:                      0xD0      
 
----------NT_HEADERS----------
 
[IMAGE_NT_HEADERS]
Signature:                     0x4550    
 
----------FILE_HEADER----------
 
[IMAGE_FILE_HEADER]
Machine:                       0x14C     
NumberOfSections:              0x2       
TimeDateStamp:                 0x46A8C07C [Thu Jul 26 15:40:44 2007 UTC]
PointerToSymbolTable:          0x0       
NumberOfSymbols:               0x0       
SizeOfOptionalHeader:          0xE0      
Characteristics:               0x10F     
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
 
----------OPTIONAL_HEADER----------
 
[IMAGE_OPTIONAL_HEADER]
Magic:                         0x10B     
MajorLinkerVersion:            0x6       
MinorLinkerVersion:            0x0       
SizeOfCode:                    0x420     
SizeOfInitializedData:         0x130     
SizeOfUninitializedData:       0x0       
AddressOfEntryPoint:           0x522     
BaseOfCode:                    0x220     
BaseOfData:                    0x640     
ImageBase:                     0x400000  
SectionAlignment:              0x10      
FileAlignment:                 0x10      
MajorOperatingSystemVersion:   0x4       
MinorOperatingSystemVersion:   0x0       
MajorImageVersion:             0x0       
MinorImageVersion:             0x0       
MajorSubsystemVersion:         0x4       
MinorSubsystemVersion:         0x0       
Reserved1:                     0x0       
SizeOfImage:                   0x768     
SizeOfHeaders:                 0x420     
CheckSum:                      0x0       
Subsystem:                     0x2       
DllCharacteristics:            0x0       
SizeOfStackReserve:            0x100000  
SizeOfStackCommit:             0x1000    
SizeOfHeapReserve:             0x100000  
SizeOfHeapCommit:              0x1000    
LoaderFlags:                   0x0       
NumberOfRvaAndSizes:           0x10      
DllCharacteristics: 
 
----------PE Sections----------
 
[IMAGE_SECTION_HEADER]
Name:                          .text
Misc:                          0x418     
Misc_PhysicalAddress:          0x418     
Misc_VirtualSize:              0x418     
VirtualAddress:                0x220     
SizeOfRawData:                 0x420     
PointerToRawData:              0x420     
PointerToRelocations:          0x0       
PointerToLinenumbers:          0x0       
NumberOfRelocations:           0x0       
NumberOfLinenumbers:           0x0       
Characteristics:               0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 6.385628 (Min=0.0, Max=8.0)
MD5     hash: 37ae973124ba5655ce156536f4018759
SHA-1   hash: 6354d772105b66ac33fb8950b76a289edafa230f
SHA-256 hash: f6dfe337c6c6278e60a687552d8fc3be2a2ed41a4278713cfd0dc631296befdc
SHA-512 hash: 9d22cdd011d7276f47e3b1844804d58be2e73eef826ad285769d449f03dbfcde743303b31a9172e513be571432b7b2080afe571e5819ec7968acd76c0d82207a
 
[IMAGE_SECTION_HEADER]
Name:                          .rsrc
Misc:                          0x128     
Misc_PhysicalAddress:          0x128     
Misc_VirtualSize:              0x128     
VirtualAddress:                0x640     
SizeOfRawData:                 0x130     
PointerToRawData:              0x840     
PointerToRelocations:          0x0       
PointerToLinenumbers:          0x0       
NumberOfRelocations:           0x0       
NumberOfLinenumbers:           0x0       
Characteristics:               0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 2.905524 (Min=0.0, Max=8.0)
MD5     hash: cfd4f1a98445485c616ea2ff9390278e
SHA-1   hash: 7480ffe5427a540e17353df9c490dbba86fd0c3b
SHA-256 hash: 93f9ad56e464614b6aa9521f2b80f3f7f2fd5e2b6d8d6fd6489a0b1cdb1f948e
SHA-512 hash: b054ba77825a4bb92d9beecb606d04f7a4bf4d16529d909e03e6b882175e23fb495c1c3dc9d921c3124210a6567bf68e70879d3163ece1a1cbb786f3ec94af43
 
----------Directories----------
 
[IMAGE_DIRECTORY_ENTRY_EXPORT]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress:                0x574     
Size:                          0x3C      
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
VirtualAddress:                0x640     
Size:                          0x128     
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_SECURITY]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_DEBUG]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_TLS]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_IAT]
VirtualAddress:                0x220     
Size:                          0x1C      
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
VirtualAddress:                0x0       
Size:                          0x0       
[IMAGE_DIRECTORY_ENTRY_RESERVED]
VirtualAddress:                0x0       
Size:                          0x0       
 
----------Imported symbols----------
 
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk:            0x5B0     
Characteristics:               0x5B0     
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain:                0x0       
Name:                          0x5E0     
FirstThunk:                    0x220     
 
KERNEL32.dll.GetModuleHandleA Hint[294]
 
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk:            0x5B8     
Characteristics:               0x5B8     
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain:                0x0       
Name:                          0x62C     
FirstThunk:                    0x228     
 
USER32.dll.EndDialog Hint[185]
USER32.dll.GetDlgItemTextA Hint[260]
USER32.dll.DialogBoxParamA Hint[147]
USER32.dll.MessageBoxA Hint[446]
 
----------Resource directory----------
 
[IMAGE_RESOURCE_DIRECTORY]
Characteristics:               0x0       
TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
MajorVersion:                  0x0       
MinorVersion:                  0x0       
NumberOfNamedEntries:          0x0       
NumberOfIdEntries:             0x1       
  Id: [0x5] (RT_DIALOG)
  [IMAGE_RESOURCE_DIRECTORY_ENTRY]
  Name:                          0x5       
  OffsetToData:                  0x80000018
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics:               0x0       
    TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion:                  0x0       
    MinorVersion:                  0x0       
    NumberOfNamedEntries:          0x0       
    NumberOfIdEntries:             0x1       
      Id: [0x65]
      [IMAGE_RESOURCE_DIRECTORY_ENTRY]
      Name:                          0x65      
      OffsetToData:                  0x80000030
        [IMAGE_RESOURCE_DIRECTORY]
        Characteristics:               0x0       
        TimeDateStamp:                 0x0        [Thu Jan 01 00:00:00 1970 UTC]
        MajorVersion:                  0x0       
        MinorVersion:                  0x0       
        NumberOfNamedEntries:          0x0       
        NumberOfIdEntries:             0x1       
          [IMAGE_RESOURCE_DIRECTORY_ENTRY]
          Name:                          0x804     
          OffsetToData:                  0x48      
            [IMAGE_RESOURCE_DATA_ENTRY]
            OffsetToData:                  0x6A0     
            Size:                          0xC8      
            CodePage:                      0x0       
            Reserved:                      0x0       
1
print hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 7
支持
分享
赞赏记录
参与人
雪币
留言
时间
Youlor
为你点赞~
2024-2-11 00:04
伟叔叔
为你点赞~
2024-1-4 01:45
QinBeast
为你点赞~
2023-11-10 05:01
PLEBFE
为你点赞~
2023-9-28 00:10
shinratensei
为你点赞~
2023-9-25 02:57
心游尘世外
为你点赞~
2023-9-12 03:41
飘零丶
为你点赞~
2023-9-3 00:54
最新回复 (21)
jmpjerryy
雪    币: 339
活跃值: (29)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
2
占楼,希望能在斑竹那混个现金啥的。
2009-5-25 16:46
0
linhanshi
雪    币: 102604
活跃值: (201759)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
私信
3
Support.
2009-5-25 16:48
0
笨笨雄
雪    币: 846
活跃值: (221)
能力值: (RANK:570 )
在线值:
发帖
回帖
粉丝
私信
4
python搞得我很崩溃,虽说开源代码支持多,可是版本变换太XXX,向下兼容太XXX
2009-5-25 22:53
0
linhanshi
雪    币: 102604
活跃值: (201759)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
私信
5
开源代码 是发展的方向.
2009-5-25 23:02
0
logkiller
雪    币: 8690
活跃值: (3806)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
6
收藏,以后能看懂再说
2009-5-26 08:06
0
arries
雪    币: 220
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
7
修正楼主一个小错误,pefile不是MIT的开源项目,而是代码许可基于MIT License,它是Ero Carrera搞的。
pefile是个好东西。
2009-7-19 17:18
0
riusksk
雪    币: 433
活跃值: (1885)
能力值: ( LV17,RANK:1820 )
在线值:
发帖
回帖
粉丝
私信
8
打坐学习了…
2009-7-19 20:13
0
yybruce
雪    币: 204
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
9
论坛中源于python 的还是较少的
2009-7-21 11:38
0
LAOWZ
雪    币: 262
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
10
关注一下。
2009-7-21 23:14
0
hawkish
雪    币: 258
活跃值: (40)
能力值: ( LV4,RANK:50 )
在线值:
发帖
回帖
粉丝
私信
11
python写的程序就是简单易懂。。
2009-8-24 15:34
0
dINO
雪    币: 239
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
12
好东西! 啊有python+elfFILE库?
2009-8-24 22:26
0
ichina
雪    币: 29
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
13
谢谢,相当不错。
2009-9-1 15:09
0
imbadyc
雪    币: 181
活跃值: (32)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
14
很好的东西~
2010-9-25 10:44
0
hawkfeilee
雪    币: 26
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
15
想搞 没时间 可以用用
2011-4-3 09:10
0
末日星魂
雪    币: 180
活跃值: (10)
能力值: ( LV3,RANK:30 )
在线值:
发帖
回帖
粉丝
私信
16
谢谢楼主分享
2011-6-16 13:48
0
我是sld
雪    币: 261
活跃值: (55)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
17
支持下...
2011-6-16 14:40
0
hmugua
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
18
这个太强大了。
搞个学习一下。
2011-9-23 14:34
0
仙果
雪    币: 1491
活跃值: (985)
能力值: (RANK:860 )
在线值:
发帖
回帖
粉丝
私信
19
1
2
3
4
5
6
7
8
9
10
mype = pefile.PE(pefilepath)
# print pe # parse_version_information('MajorLinkerVersion')
if hasattr(mype, 'VS_VERSIONINFO'):
  if hasattr(mype, 'FileInfo'):
    for entry in mype.FileInfo:
      if hasattr(entry, 'StringTable'):
        for st in entry.StringTable:
          for k, v in st.entries.items():
              print k
              print v
2015-12-14 23:54
0
jerryroxet
雪    币: 986
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
20
nice work!!
2015-12-24 17:20
0
yber
雪    币: 9
活跃值: (230)
能力值: ( LV6,RANK:90 )
在线值:
发帖
回帖
粉丝
私信
21
强大
2017-5-14 09:29
0
ytfrdfiw
雪    币: 200
活跃值: (223)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
私信
22
if hasattr(mype, 'VS_VERSIONINFO'):
  if hasattr(mype, 'FileInfo'):
    for entry in mype.FileInfo:
      if hasattr(entry, 'StringTable'):
        for st in entry.StringTable:
          for k, v in st.entries.items():
              print k
              print v
这个有个小BUG,应该如下:
 if hasattr(peInfo, 'VS_VERSIONINFO'):
        if hasattr(peInfo, 'FileInfo'):
            print('count %d' %peInfo.FileInfo.__len__());
            for entry in peInfo.FileInfo:
                    for list1 in entry:
                        if hasattr(list1, 'StringTable'):
                            for st in list1.StringTable:
                                for k, v in st.entries.items():
                                    print(str(k),':',str(v.decode('utf-8)')))
2020-2-12 13:21
1
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回

账号登录
验证码登录

忘记密码?
没有账号?立即免费注册
我已同意 《看雪服务条款》 《看雪课程免责声明》 《看雪隐私政策》