mirror of https://github.com/QuasarApp/pe-parse.git synced 2025-04-29 22:04:33 +00:00
Wesley Shields dae8606469 Bugfix to get_bytes and add section.data.
If get_bytes does not fill the list, get a slice of what was filled and
use that to convert to a bytearray. I still want to find a way to just
use a bytearray from the start. Luckily with the rest of this commit I
don't have a need to call get_bytes() on sections anymore.

Sections now have a data attribute which is a bytearray of the data that
makes up that section. This way you can just use section.data attribute
to get the entire contents and operate on it as you wish.

Make test.py use section.data to generate an MD5 of the section. It now
also prints the first 10 bytes of each section (if there are bytes).
2013-12-14 22:26:58 -05:00

pepy

pepy (pronounced p-pie) is a Python binding to the pe-parse parser.

Building

If you can build pe-parse and have a working Python environment (headers and libraries), you can build pepy.

  1. Build pepy:
  • python setup.py build
  2. Install pepy:
  • python setup.py install

Using

Parsed object

There are a number of objects involved in pepy. The main one is the parsed object. This object is returned by the parse method.

import pepy
p = pepy.parse("/path/to/exe")

The parsed object has a number of methods:

  • get_entry_point: Return the entry point address
  • get_bytes: Return the first N bytes at a given address
  • get_sections: Return a list of section objects
  • get_imports: Return a list of import objects
  • get_exports: Return a list of export objects
  • get_relocations: Return a list of relocation objects

The parsed object has a number of attributes:

  • signature
  • machine
  • numberofsections
  • timedatestamp
  • numberofsymbols
  • characteristics
  • magic
  • majorlinkerver
  • minorlinkerver
  • codesize
  • initdatasize
  • uninitdatasize
  • entrypointaddr
  • baseofcode
  • baseofdata
  • imagebase
  • sectionalignement
  • filealingment
  • majorosver
  • minorosver
  • win32ver
  • imagesize
  • headersize
  • checksum
  • subsystem
  • dllcharacteristics
  • stackreservesize
  • stackcommitsize
  • heapreservesize
  • heapcommitsize
  • loaderflags
  • rvasandsize

Example:

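import time
import pepy

p = pepy.parse("/path/to/exe")
# timedatestamp is the header timestamp in seconds since the Unix epoch
print("Timedatestamp: %s" % time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(p.timedatestamp)))
ep = p.get_entry_point()
# single-argument print() form works on both Python 2 and Python 3
print("Entry point: 0x%x" % ep)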

The get_sections, get_imports, get_exports and get_relocations methods each return a list of objects. The type of object depends upon the method called. get_sections returns a list of section objects, get_imports returns a list of import objects, etc.

Section Object

The section object has the following attributes:

  • base
  • length
  • virtaddr
  • virtsize
  • numrelocs
  • numlinenums
  • characteristics
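
A section triage pass built on the attributes listed above plus the data attribute described in the commit message at the top of this page (an added example, not part of pepy or its README). The flag constants come from the PE/COFF specification; FakeSection, SAMPLE, REPORT, the function names and the 7.2 entropy threshold are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter, namedtuple

# PE section characteristic flags (PE/COFF specification).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
WX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
ENTROPY_LIMIT = 7.2  # assumed heuristic: above this, data looks packed or encrypted

def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    total = float(len(data))
    counts = Counter(bytearray(data)).values()
    return -sum(c / total * math.log(c / total, 2) for c in counts)

def triage_section(sec):
    """Summarise one section using only attributes pepy exposes."""
    data = bytes(sec.data)
    notes = []
    if (sec.characteristics & WX) == WX:
        notes.append("writable+executable")
    if entropy(data) > ENTROPY_LIMIT:
        notes.append("high entropy")
    if not data and sec.virtsize:
        notes.append("virtual only, no raw data")
    return {"virtaddr": sec.virtaddr,
            "md5": hashlib.md5(data).hexdigest(),  # same digest test.py prints
            "entropy": entropy(data),
            "notes": notes}

def triage_file(path):
    """Parse a PE with pepy and triage each section (requires pepy)."""
    import pepy
    return [triage_section(s) for s in pepy.parse(path).get_sections()]

# Constructed stand-ins for pepy section objects so the logic runs offline.
FakeSection = namedtuple("FakeSection", "virtaddr virtsize characteristics data")
SAMPLE = [
    FakeSection(0x1000, 0x200, 0x60000020, bytearray(b"\x55\x8b\xec\x90" * 128)),
    FakeSection(0x2000, 0x400, 0xE0000020, bytearray(range(256)) * 4),
    FakeSection(0x3000, 0x1000, 0xC0000080, bytearray()),
]
REPORT = [triage_section(s) for s in SAMPLE]
```

With pepy installed, triage_file("/path/to/exe") returns the same rows for a real file.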

Import Object

The import object has the following attributes:

  • sym
  • name
  • addr

Export Object

The export object has the following attributes:

  • mod
  • func
  • addr

Relocation Object

The relocation object has the following attributes:

  • type
  • addr

Authors

pe-parse was designed and implemented by Andrew Ruef (andrew@trailofbits.com).
pepy was written by Wesley Shields (wxs@atarininja.org).