How to use the pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS constant in pefile

To help you get started, we’ve selected a few pefile examples, based on popular ways it is used in public projects.


github pfalcon / pymsasid3 / input.py View on Github external
# Excerpt from a constructor body (the enclosing `def` line is not shown):
# parses `source` as a PE image and derives the disassembly mode from it.
BufferHook.__init__(self, source, base_address)
        # pefile is imported here, inside the body, rather than at module level.
        # NOTE(review): the bare `except` catches every error raised by the
        # import, not only a missing module, and reports all of them as
        # "not found"; exit() is then called without a status argument.
        try :
            import pefile
        except :
            print('pefile module not found. see http://code.google.com/p/pefile/')
            exit()
        # Parse `source` as in-memory PE data (data=..., not a file path).
        self.pe = pefile.PE(data = source)
        # From here on self.source holds the memory-mapped image, not the raw bytes.
        self.source = self.pe.get_memory_mapped_image()
        # self.base_address is assigned from the header's ImageBase, after the
        # base-class call above received the `base_address` argument.
        self.base_address = self.pe.OPTIONAL_HEADER.ImageBase
        # NOTE(review): ImageBase and AddressOfEntryPoint are read straight
        # from the file's optional header, so for an untrusted sample both are
        # file-controlled values. No bounds check against the mapped image is
        # visible in this excerpt before seek() - confirm seek() validates it.
        self.entry_point = (self.base_address 
                            + self.pe.OPTIONAL_HEADER.AddressOfEntryPoint)
        self.pos = 0
        self.seek(self.base_address + self.pe.OPTIONAL_HEADER.AddressOfEntryPoint)
        # Only the PE32 and PE32+ magics assign dis_mode; any other PE_TYPE
        # leaves it unassigned by the lines shown here.
        if self.pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE:
            self.dis_mode = 32
        elif self.pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS:
            self.dis_mode = 64
github CERT-Polska / malduck / malduck / pe.py View on Github external
def is64bit(self) -> Any:
    """
    Report whether the optional header carries the PE32+ (64-bit) magic.

    The result is the comparison of ``optional_header.Magic`` with
    ``pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS``. A false result only means the
    magic is something other than PE32+; it does not by itself establish
    that the file is a well-formed PE32 image.
    """
    header_magic = self.optional_header.Magic
    return header_magic == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS
github xantares / mingw-ldd / mingw-ldd.py View on Github external
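def get_arch(filename):
    """Return the architecture label for the PE file at *filename*.

    The parsed ``PE_TYPE`` is mapped to ``'i686'`` (PE32 magic) or
    ``'x86_64'`` (PE32+ magic). For any other ``PE_TYPE`` an error line is
    written to stderr and the process exits with status 1. Exceptions raised
    by ``pefile.PE`` itself (for example on a file that is not a valid PE)
    are not caught here and propagate to the caller.

    NOTE(review): the optional-header magic separates PE32 from PE32+, not
    one CPU from another; PE32+ is also used by other 64-bit targets such as
    arm64, so the 'x86_64' label is an assumption about the inputs.
    """
    type2arch = {
        pefile.OPTIONAL_HEADER_MAGIC_PE: 'i686',
        pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS: 'x86_64',
    }
    # Only PE_TYPE is needed and it comes from the headers, so skip parsing
    # the data directories: less work, and less parser surface exposed to a
    # possibly malformed file.
    pe = pefile.PE(filename, fast_load=True)
    try:
        pe_type = pe.PE_TYPE
    finally:
        # pefile memory-maps a file opened by path; release the mapping
        # instead of leaving it to garbage collection.
        pe.close()
    try:
        return type2arch[pe_type]
    except KeyError:
        # Terminate the message with a newline so it does not run into
        # whatever is written to the terminal next.
        sys.stderr.write('Error: unknown architecture\n')
        sys.exit(1)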
github o-lim / generate-ninja / build / win / reorder-imports.py View on Github external
# Excerpt (the enclosing definition is not shown and the code continues past
# the last line): open chrome.exe with pefile, check its PE type against the
# requested architecture, and look for the chrome_elf.dll import.
input_image = os.path.join(input_dir, 'chrome.exe')
  output_image = os.path.join(output_dir, 'chrome.exe')

  # pefile mmap()s the whole executable, and then parses parts of
  # it into python data structures for ease of processing.
  # To write the file again, only the mmap'd data is written back,
  # so modifying the parsed python objects generally has no effect.
  # However, parsed raw data ends up in pe.Structure instances,
  # and these all get serialized back when the file gets written.
  # So things that are in a Structure must have their data set
  # through the Structure, while other data must be set through
  # the set_bytes_*() methods.
  #
  # fast_load=True skips data-directory parsing at load time; the import
  # directory is parsed explicitly further down.
  pe = pefile.PE(input_image, fast_load=True)
  # Check that the optional-header magic matches the requested architecture:
  # PE32+ for 'x64', PE32 for anything else.
  # NOTE(review): `assert` statements are stripped when Python runs with -O,
  # so these checks disappear in that mode - confirm how the script is run.
  if architecture == 'x64':
    assert pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS
  else:
    assert pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE

  # Parse only the import directory; nothing else is needed here.
  pe.parse_data_directories(directories=[
      pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])

  # Find the chrome_elf.dll import; exactly one is expected.
  # NOTE(review): pefile on Python 3 exposes `dll` as bytes, in which case the
  # comparison with a str below never matches - confirm the interpreter used.
  found_elf = False
  for i, peimport in enumerate(pe.DIRECTORY_ENTRY_IMPORT):
    if peimport.dll.lower() == 'chrome_elf.dll':
      assert not found_elf, 'only one chrome_elf.dll import expected'
      found_elf = True
      # Nothing to move when chrome_elf.dll is already the first import.
      if i > 0:
        swap = pe.DIRECTORY_ENTRY_IMPORT[0]

        # Morally we want to swap peimport.struct and swap.struct here,
        # but the pe module doesn't expose a public method on Structure
github denoland / chromium_build / win / reorder-imports.py View on Github external
# Excerpt (the enclosing definition is not shown and the code continues past
# the last line): open chrome.exe with pefile, check its PE type against the
# requested architecture, and look for the chrome_elf.dll import.
input_image = os.path.join(input_dir, 'chrome.exe')
  output_image = os.path.join(output_dir, 'chrome.exe')

  # pefile mmap()s the whole executable, and then parses parts of
  # it into python data structures for ease of processing.
  # To write the file again, only the mmap'd data is written back,
  # so modifying the parsed python objects generally has no effect.
  # However, parsed raw data ends up in pe.Structure instances,
  # and these all get serialized back when the file gets written.
  # So things that are in a Structure must have their data set
  # through the Structure, while other data must be set through
  # the set_bytes_*() methods.
  #
  # fast_load=True skips data-directory parsing at load time; the import
  # directory is parsed explicitly further down.
  pe = pefile.PE(input_image, fast_load=True)
  # Check that the optional-header magic matches the requested architecture:
  # PE32+ for both 64-bit targets ('x64' and 'arm64'), PE32 for anything else.
  # The magic alone therefore does not tell x64 and arm64 images apart.
  # NOTE(review): `assert` statements are stripped when Python runs with -O,
  # so these checks disappear in that mode - confirm how the script is run.
  if architecture == 'x64' or architecture == 'arm64':
    assert pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS
  else:
    assert pe.PE_TYPE == pefile.OPTIONAL_HEADER_MAGIC_PE

  # Parse only the import directory; nothing else is needed here.
  pe.parse_data_directories(directories=[
      pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT']])

  # Find the chrome_elf.dll import; exactly one is expected.
  # NOTE(review): pefile on Python 3 exposes `dll` as bytes, in which case the
  # comparison with a str below never matches - confirm the interpreter used.
  found_elf = False
  for i, peimport in enumerate(pe.DIRECTORY_ENTRY_IMPORT):
    if peimport.dll.lower() == 'chrome_elf.dll':
      assert not found_elf, 'only one chrome_elf.dll import expected'
      found_elf = True
      # Nothing to move when chrome_elf.dll is already the first import.
      if i > 0:
        swap = pe.DIRECTORY_ENTRY_IMPORT[0]

        # Morally we want to swap peimport.struct and swap.struct here,
        # but the pe module doesn't expose a public method on Structure
github Nuitka / Nuitka / nuitka / utils / SharedLibraries.py View on Github external
# Do not forget to remove it again.
        del sys.path[-1]

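    # Parse the PE file and collect the two facts used from it: the names of
    # the imported DLLs and whether the image is PE32+ (64-bit).
    pe = pefile.PE(filename)

    # This is the information we use from the file.
    extracted = {}
    extracted["DLLs"] = []

    # The getattr() default covers a PE object that has no
    # DIRECTORY_ENTRY_IMPORT attribute; the loop then simply does not run.
    # NOTE(review): the DLL names are bytes taken from the file's import
    # table, and decode() with the default codec raises UnicodeDecodeError on
    # a name that is not valid UTF-8 - confirm inputs are trusted build
    # artifacts, or decode with an explicit error policy.
    for imported_module in getattr(pe, "DIRECTORY_ENTRY_IMPORT", ()):
        extracted["DLLs"].append(imported_module.dll.decode())

    # Maps the optional-header magic to "is this a 64-bit image".
    pe_type2arch = {
        pefile.OPTIONAL_HEADER_MAGIC_PE: False,
        pefile.OPTIONAL_HEADER_MAGIC_PE_PLUS: True,
    }

    if pe.PE_TYPE not in pe_type2arch:
        # Support your architecture, e.g. ARM if necessary.
        raise NuitkaAssumptionError(
            "Unknown PE file architecture", filename, pe.PE_TYPE, pe_type2arch
        )

    extracted["AMD64"] = pe_type2arch[pe.PE_TYPE]

    python_is_64bit = getArchitecture() == "x86_64"
    if extracted["AMD64"] is not python_is_64bit:
        # The format string has three %s placeholders, so it needs a
        # three-element tuple: the interpreter's bit width, the (differing)
        # bit width of the dependency, and the file name. The previous
        # parenthesised expression was a single string, which made the
        # formatting itself fail with TypeError on this warning path.
        warning(
            "Python %s bits with %s bits dependencies in '%s'"
            % (
                "64" if python_is_64bit else "32",
                "32" if python_is_64bit else "64",
                filename,
            )
        )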