hiǚdZdZdZdZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlZddlmZddlmZmZmZmZddlmZddlZej4d ej6d eZdd Zed dZdZ d Z!dZ"dZ#dZ$dZ%dZ&d Z'dZ(dZ)dZ*dZ+dZ,dZ-dZ.dZ/dZ0dZ1dZ2dZ3dZ4d Z5d!Z6d"Z7gd#Z8e7e8Z9gd$Z:e7e:Z;gd%Z<e7e<Z=gd&Z>e7e>Z?gd'Z@e7e@ZAgd(ZBe7eBZCgd)ZDe7eDZEgd*ZFe7eFZGgd+ZHe7eHZIdZJdZKgd,ZLe7eLZMgd-ZNe7eNZOdZPd.ZQd/ZRd0ZSd1ZTd2ZUd3ZVd4ZWd5ZXd6ZYgd7ZZe7eZZ[gd8Z\e7e\Z]gd9Z^e7e^Z_e`e^Z_e^D]$\ZaZbebe_vre_ebjeaeage_eb<&d:Zdd;Zed<Zfd=Zgd>ZhGd?d@eiZjGdAdBZkGdCdDelZmGdEdFZnd.d.d.d.d/d/d1d1d1d1d1d4d4d4d.dGZoed dHZped dIJdKZqGdLdMZrGdNdOerZsed d JdPZtGdQdRerZuGdSdTZvGdUdVevZwGdWdXevZxGdYdZevZyGd[d\evZzGd]d^evZ{Gd_d`evZ|GdadbevZ}GdcddevZ~GdedfevZGdgdhevZGdidjevZGdkdlevZGdmdnevZGdodpevZGdqdrevZGdsdtevZGdudvevZGdwdxevZGdydzevZGd{d|euZGd}d~ZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddeZGddZe j.e j0ze j2zdzj5ZdZe j.e j0ze j2zj5Zed  ddeeeefdedefdZGddZdZedk(reyy)abpefile, Portable Executable reader module All the PE file basic structures are available with their default names as attributes of the instance returned. Processed elements such as the import table are made available with lowercase names, to differentiate them from the upper case basic structure names. pefile has been tested against many edge cases such as corrupted and malformed PEs as well as malware, which often attempts to abuse the format way beyond its standard use. To the best of my knowledge most of the abuse is handled gracefully. Copyright (c) 2005-2024 Ero Carrera z Ero Carreraz 2024.8.26zero.carrera@gmail.comN)Counter)md5sha1sha256sha512)Unionbackslashreplace_backslashreplaceFcF|stjSfd}|S)Nc|tj|tj|fd}|S)Nc:tj|i|SN)copymodcopy)argskwargs cached_funcs 2C:\des-py\Monitor\venv\Lib\site-packages\pefile.pywrapperz-lru_cache..decorator..wrapper9s<< T .decorator6s>9i))'59!<   >  >r)rr)rrrrs`` rrr2s& ""7E22 r)rcD|dkr|}|r||zr|t||z zS|SN)int)valsection_alignmentfile_alignments rcache_adjust_SectionAlignmentr&Cs86!*S#44 C.?(?$@AA Jrc$|jdSNr)count)datas r count_zeroesr+Ss ::a=r  iMZiZMiNEiLEiLXiVZiPEli i cTt|Dcgc] }|d|dfc}|zScc}w)Nr)dict)pairses r two_way_dictr8s, u-!!A$!-5 66-s%))IMAGE_DIRECTORY_ENTRY_EXPORTr)IMAGE_DIRECTORY_ENTRY_IMPORTr4)IMAGE_DIRECTORY_ENTRY_RESOURCE)IMAGE_DIRECTORY_ENTRY_EXCEPTION)IMAGE_DIRECTORY_ENTRY_SECURITY)IMAGE_DIRECTORY_ENTRY_BASERELOC)IMAGE_DIRECTORY_ENTRY_DEBUG)IMAGE_DIRECTORY_ENTRY_COPYRIGHT)IMAGE_DIRECTORY_ENTRY_GLOBALPTR)IMAGE_DIRECTORY_ENTRY_TLS )!IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG )"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT )IMAGE_DIRECTORY_ENTRY_IAT )"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT )$IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)IMAGE_DIRECTORY_ENTRY_RESERVED))IMAGE_FILE_RELOCS_STRIPPEDr4)IMAGE_FILE_EXECUTABLE_IMAGEr<)IMAGE_FILE_LINE_NUMS_STRIPPEDr@)IMAGE_FILE_LOCAL_SYMS_STRIPPEDrH)IMAGE_FILE_AGGRESIVE_WS_TRIMr1)IMAGE_FILE_LARGE_ADDRESS_AWAREr0)IMAGE_FILE_16BIT_MACHINE@)IMAGE_FILE_BYTES_REVERSED_LO)IMAGE_FILE_32BIT_MACHINE)IMAGE_FILE_DEBUG_STRIPPEDr.)"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP)IMAGE_FILE_NET_RUN_FROM_SWAPr)IMAGE_FILE_SYSTEMr!)IMAGE_FILE_DLLr-)IMAGE_FILE_UP_SYSTEM_ONLY@)IMAGE_FILE_BYTES_REVERSED_HIr/).)IMAGE_SCN_TYPE_REGr)IMAGE_SCN_TYPE_DSECTr4)IMAGE_SCN_TYPE_NOLOADr<)IMAGE_SCN_TYPE_GROUPr@)IMAGE_SCN_TYPE_NO_PADrH)IMAGE_SCN_TYPE_COPYr1)IMAGE_SCN_CNT_CODEr0)IMAGE_SCN_CNT_INITIALIZED_DATAr^) IMAGE_SCN_CNT_UNINITIALIZED_DATAr`)IMAGE_SCN_LNK_OTHERrb)IMAGE_SCN_LNK_INFOr.)IMAGE_SCN_LNK_OVERre)IMAGE_SCN_LNK_REMOVEr)IMAGE_SCN_LNK_COMDATr!)IMAGE_SCN_MEM_PROTECTEDrj)IMAGE_SCN_NO_DEFER_SPEC_EXCrj)IMAGE_SCN_GPRELr/)IMAGE_SCN_MEM_FARDATAr/)IMAGE_SCN_MEM_SYSHEAP)IMAGE_SCN_MEM_PURGEABLE)IMAGE_SCN_MEM_16BITr)IMAGE_SCN_MEM_LOCKEDi)IMAGE_SCN_MEM_PRELOADi)IMAGE_SCN_ALIGN_1BYTESr,)IMAGE_SCN_ALIGN_2BYTESi )IMAGE_SCN_ALIGN_4BYTESi0)IMAGE_SCN_ALIGN_8BYTESi@)IMAGE_SCN_ALIGN_16BYTESiP)IMAGE_SCN_ALIGN_32BYTESi`)IMAGE_SCN_ALIGN_64BYTESip)IMAGE_SCN_ALIGN_128BYTESi)IMAGE_SCN_ALIGN_256BYTESi)IMAGE_SCN_ALIGN_512BYTESi)IMAGE_SCN_ALIGN_1024BYTESi)IMAGE_SCN_ALIGN_2048BYTESi)IMAGE_SCN_ALIGN_4096BYTESi)IMAGE_SCN_ALIGN_8192BYTESi)IMAGE_SCN_ALIGN_MASKi)IMAGE_SCN_LNK_NRELOC_OVFLi)IMAGE_SCN_MEM_DISCARDABLEi)IMAGE_SCN_MEM_NOT_CACHEDi)IMAGE_SCN_MEM_NOT_PAGED)IMAGE_SCN_MEM_SHARED)IMAGE_SCN_MEM_EXECUTEi )IMAGE_SCN_MEM_READi@)IMAGE_SCN_MEM_WRITEr2))IMAGE_DEBUG_TYPE_UNKNOWNr)IMAGE_DEBUG_TYPE_COFFr4)IMAGE_DEBUG_TYPE_CODEVIEWr<)IMAGE_DEBUG_TYPE_FPOr>)IMAGE_DEBUG_TYPE_MISCr@)IMAGE_DEBUG_TYPE_EXCEPTIONrB)IMAGE_DEBUG_TYPE_FIXUPrD)IMAGE_DEBUG_TYPE_OMAP_TO_SRCrF)IMAGE_DEBUG_TYPE_OMAP_FROM_SRCrH)IMAGE_DEBUG_TYPE_BORLANDrJ)IMAGE_DEBUG_TYPE_RESERVED10rL)IMAGE_DEBUG_TYPE_CLSIDrN)IMAGE_DEBUG_TYPE_VC_FEATURErP)IMAGE_DEBUG_TYPE_POGOrR)IMAGE_DEBUG_TYPE_ILTCGrT)IMAGE_DEBUG_TYPE_MPXrV)IMAGE_DEBUG_TYPE_REPROr1)&IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS))IMAGE_SUBSYSTEM_UNKNOWNr)IMAGE_SUBSYSTEM_NATIVEr4)IMAGE_SUBSYSTEM_WINDOWS_GUIr<)IMAGE_SUBSYSTEM_WINDOWS_CUIr>)IMAGE_SUBSYSTEM_OS2_CUIrB)IMAGE_SUBSYSTEM_POSIX_CUIrF)IMAGE_SUBSYSTEM_NATIVE_WINDOWSrH)IMAGE_SUBSYSTEM_WINDOWS_CE_GUIrJ)IMAGE_SUBSYSTEM_EFI_APPLICATIONrL)'IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVERrN)"IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVERrP)IMAGE_SUBSYSTEM_EFI_ROMrR)IMAGE_SUBSYSTEM_XBOXrT)(IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATIONr1)$)IMAGE_FILE_MACHINE_UNKNOWNr)IMAGE_FILE_MACHINE_I386iL)IMAGE_FILE_MACHINE_R3000ib)IMAGE_FILE_MACHINE_R4000if)IMAGE_FILE_MACHINE_R10000ih)IMAGE_FILE_MACHINE_WCEMIPSV2ii)IMAGE_FILE_MACHINE_ALPHAi)IMAGE_FILE_MACHINE_SH3i)IMAGE_FILE_MACHINE_SH3DSPi)IMAGE_FILE_MACHINE_SH3Ei)IMAGE_FILE_MACHINE_SH4i)IMAGE_FILE_MACHINE_SH5i)IMAGE_FILE_MACHINE_ARMi)IMAGE_FILE_MACHINE_THUMBi)IMAGE_FILE_MACHINE_ARMNTi)IMAGE_FILE_MACHINE_AM33i)IMAGE_FILE_MACHINE_POWERPCi)IMAGE_FILE_MACHINE_POWERPCFPi)IMAGE_FILE_MACHINE_IA64r.)IMAGE_FILE_MACHINE_MIPS16if)IMAGE_FILE_MACHINE_ALPHA64)IMAGE_FILE_MACHINE_AXP64r)IMAGE_FILE_MACHINE_MIPSFPUif)IMAGE_FILE_MACHINE_MIPSFPU16if)IMAGE_FILE_MACHINE_TRICOREi )IMAGE_FILE_MACHINE_CEFi )IMAGE_FILE_MACHINE_EBCi)IMAGE_FILE_MACHINE_RISCV32i2P)IMAGE_FILE_MACHINE_RISCV64idP)IMAGE_FILE_MACHINE_RISCV128i(Q)IMAGE_FILE_MACHINE_LOONGARCH32i2b)IMAGE_FILE_MACHINE_LOONGARCH64idb)IMAGE_FILE_MACHINE_AMD64id)IMAGE_FILE_MACHINE_M32RiA)IMAGE_FILE_MACHINE_ARM64id)IMAGE_FILE_MACHINE_CEEi) )IMAGE_REL_BASED_ABSOLUTEr)IMAGE_REL_BASED_HIGHr4)IMAGE_REL_BASED_LOWr<)IMAGE_REL_BASED_HIGHLOWr>)IMAGE_REL_BASED_HIGHADJr@)IMAGE_REL_BASED_MIPS_JMPADDRrB)IMAGE_REL_BASED_SECTIONrD)IMAGE_REL_BASED_RELrF)IMAGE_REL_BASED_MIPS_JMPADDR16rJ)IMAGE_REL_BASED_IA64_IMM64rJ)IMAGE_REL_BASED_DIR64rL)IMAGE_REL_BASED_HIGH3ADJrN))IMAGE_LIBRARY_PROCESS_INITr4)IMAGE_LIBRARY_PROCESS_TERMr<)IMAGE_LIBRARY_THREAD_INITr@)IMAGE_LIBRARY_THREAD_TERMrH)(IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VAr0)%IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASEr^)(IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITYr`)"IMAGE_DLLCHARACTERISTICS_NX_COMPATrb)%IMAGE_DLLCHARACTERISTICS_NO_ISOLATIONr.)IMAGE_DLLCHARACTERISTICS_NO_SEHre) IMAGE_DLLCHARACTERISTICS_NO_BINDr)%IMAGE_DLLCHARACTERISTICS_APPCONTAINERr!)#IMAGE_DLLCHARACTERISTICS_WDM_DRIVERr-)!IMAGE_DLLCHARACTERISTICS_GUARD_CFrj).IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWAREr/))&IMAGE_DLLCHARACTERISTICS_EX_CET_COMPATr4)2IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT_STRICT_MODEr<)FIMAGE_DLLCHARACTERISTICS_EX_CET_SET_CONTEXT_IP_VALIDATION_RELAXED_MODEr@):IMAGE_DLLCHARACTERISTICS_EX_CET_DYNAMIC_APIS_ALLOW_IN_PROCrH)*IMAGE_DLLCHARACTERISTICS_EX_CET_RESERVED_1r1)*IMAGE_DLLCHARACTERISTICS_EX_CET_RESERVED_2r0))UNW_FLAG_EHANDLERr4)UNW_FLAG_UHANDLERr<)UNW_FLAG_CHAININFOr@))RAXr)RCXr4)RDXr<)RBXr>)RSPr@)RBPrB)RSIrD)RDIrF)R8rH)R9rJ)R10rL)R11rN)R12rP)R13rR)R14rT)R15rVr4r<r>r@rBrDrHrJrL)) RT_CURSORr4) RT_BITMAPr<)RT_ICONr>)RT_MENUr@) RT_DIALOGrB) RT_STRINGrD) RT_FONTDIRrF)RT_FONTrH)RT_ACCELERATORrJ) RT_RCDATArL)RT_MESSAGETABLErN)RT_GROUP_CURSORrP) RT_GROUP_ICONrT) RT_VERSIONr1) RT_DLGINCLUDE) RT_PLUGPLAY)RT_VXDr) RT_ANICURSOR) RT_ANIICON)RT_HTML) RT_MANIFEST)^) LANG_NEUTRALr)LANG_INVARIANT)LANG_AFRIKAANS6) LANG_ALBANIAN) LANG_ARABICr4) LANG_ARMENIAN+) LANG_ASSAMESEM) LANG_AZERI,) LANG_BASQUE-)LANG_BELARUSIAN#) LANG_BENGALIE)LANG_BULGARIANr<) LANG_CATALANr>) LANG_CHINESEr@) LANG_CROATIAN) LANG_CZECHrB) LANG_DANISHrD) LANG_DIVEHIe) LANG_DUTCHr)) LANG_ENGLISHrJ) LANG_ESTONIAN%) LANG_FAEROESE8) LANG_FARSI)) LANG_FINNISHrN) LANG_FRENCHrP) LANG_GALICIANV) LANG_GEORGIAN7) LANG_GERMANrF) LANG_GREEKrH) LANG_GUJARATIG) LANG_HEBREWrR) LANG_HINDI9)LANG_HUNGARIANrT)LANG_ICELANDICrV)LANG_INDONESIAN!) LANG_ITALIANr1) LANG_JAPANESEr') LANG_KANNADAK) LANG_KASHMIRI`) LANG_KAZAK?) LANG_KONKANIW) LANG_KOREAN) LANG_KYRGYZr^) LANG_LATVIAN&)LANG_LITHUANIAN')LANG_MACEDONIAN/) LANG_MALAY>)LANG_MALAYALAML) LANG_MANIPURIX) LANG_MARATHIN)LANG_MONGOLIANP) LANG_NEPALIa)LANG_NORWEGIANr) LANG_ORIYAH) LANG_POLISHr,)LANG_PORTUGUESEr.) LANG_PUNJABIF) LANG_ROMANIANr2) LANG_RUSSIAN) LANG_SANSKRITO) LANG_SERBIANrK) LANG_SINDHIY) LANG_SLOVAK)LANG_SLOVENIAN$) LANG_SPANISHrL) LANG_SWAHILIA) LANG_SWEDISH) LANG_SYRIACZ) LANG_TAMILI) LANG_TATARD) LANG_TELUGUJ) LANG_THAI) LANG_TURKISH)LANG_UKRAINIAN") LANG_URDUr0) LANG_UZBEKC)LANG_VIETNAMESE*) LANG_GAELIC<) LANG_MALTESE:) LANG_MAORI()LANG_RHAETO_ROMANCEr0) LANG_SAAMI;) LANG_SORBIAN.) LANG_SUTU0) LANG_TSONGA1) LANG_TSWANA2) LANG_VENDA3) LANG_XHOSA4) LANG_ZULU5)LANG_ESPERANTO) LANG_WALON) LANG_CORNISH) LANG_WELSH) LANG_BRETON)g)SUBLANG_NEUTRALr)SUBLANG_DEFAULTr4)SUBLANG_SYS_DEFAULTr<)SUBLANG_ARABIC_SAUDI_ARABIAr4)SUBLANG_ARABIC_IRAQr<)SUBLANG_ARABIC_EGYPTr>)SUBLANG_ARABIC_LIBYAr@)SUBLANG_ARABIC_ALGERIArB)SUBLANG_ARABIC_MOROCCOrD)SUBLANG_ARABIC_TUNISIArF)SUBLANG_ARABIC_OMANrH)SUBLANG_ARABIC_YEMENrJ)SUBLANG_ARABIC_SYRIArL)SUBLANG_ARABIC_JORDANrN)SUBLANG_ARABIC_LEBANONrP)SUBLANG_ARABIC_KUWAITrR)SUBLANG_ARABIC_UAErT)SUBLANG_ARABIC_BAHRAINrV)SUBLANG_ARABIC_QATARr1)SUBLANG_AZERI_LATINr4)SUBLANG_AZERI_CYRILLICr<)SUBLANG_CHINESE_TRADITIONALr4)SUBLANG_CHINESE_SIMPLIFIEDr<)SUBLANG_CHINESE_HONGKONGr>)SUBLANG_CHINESE_SINGAPOREr@)SUBLANG_CHINESE_MACAUrB) SUBLANG_DUTCHr4)SUBLANG_DUTCH_BELGIANr<)SUBLANG_ENGLISH_USr4)SUBLANG_ENGLISH_UKr<)SUBLANG_ENGLISH_AUSr>)SUBLANG_ENGLISH_CANr@)SUBLANG_ENGLISH_NZrB)SUBLANG_ENGLISH_EIRErD)SUBLANG_ENGLISH_SOUTH_AFRICArF)SUBLANG_ENGLISH_JAMAICArH)SUBLANG_ENGLISH_CARIBBEANrJ)SUBLANG_ENGLISH_BELIZErL)SUBLANG_ENGLISH_TRINIDADrN)SUBLANG_ENGLISH_ZIMBABWErP)SUBLANG_ENGLISH_PHILIPPINESrR)SUBLANG_FRENCHr4)SUBLANG_FRENCH_BELGIANr<)SUBLANG_FRENCH_CANADIANr>)SUBLANG_FRENCH_SWISSr@)SUBLANG_FRENCH_LUXEMBOURGrB)SUBLANG_FRENCH_MONACOrD)SUBLANG_GERMANr4)SUBLANG_GERMAN_SWISSr<)SUBLANG_GERMAN_AUSTRIANr>)SUBLANG_GERMAN_LUXEMBOURGr@)SUBLANG_GERMAN_LIECHTENSTEINrB)SUBLANG_ITALIANr4)SUBLANG_ITALIAN_SWISSr<)SUBLANG_KASHMIRI_SASIAr<)SUBLANG_KASHMIRI_INDIAr<)SUBLANG_KOREANr4)SUBLANG_LITHUANIANr4)SUBLANG_MALAY_MALAYSIAr4)SUBLANG_MALAY_BRUNEI_DARUSSALAMr<)SUBLANG_NEPALI_INDIAr<)SUBLANG_NORWEGIAN_BOKMALr4)SUBLANG_NORWEGIAN_NYNORSKr<)SUBLANG_PORTUGUESEr<)SUBLANG_PORTUGUESE_BRAZILIANr4)SUBLANG_SERBIAN_LATINr<)SUBLANG_SERBIAN_CYRILLICr>)SUBLANG_SPANISHr4)SUBLANG_SPANISH_MEXICANr<)SUBLANG_SPANISH_MODERNr>)SUBLANG_SPANISH_GUATEMALAr@)SUBLANG_SPANISH_COSTA_RICArB)SUBLANG_SPANISH_PANAMArD)"SUBLANG_SPANISH_DOMINICAN_REPUBLICrF)SUBLANG_SPANISH_VENEZUELArH)SUBLANG_SPANISH_COLOMBIArJ)SUBLANG_SPANISH_PERUrL)SUBLANG_SPANISH_ARGENTINArN)SUBLANG_SPANISH_ECUADORrP)SUBLANG_SPANISH_CHILErR)SUBLANG_SPANISH_URUGUAYrT)SUBLANG_SPANISH_PARAGUAYrV)SUBLANG_SPANISH_BOLIVIAr1)SUBLANG_SPANISH_EL_SALVADORr')SUBLANG_SPANISH_HONDURASrt)SUBLANG_SPANISH_NICARAGUAr))SUBLANG_SPANISH_PUERTO_RICOr)SUBLANG_SWEDISHr4)SUBLANG_SWEDISH_FINLANDr<)SUBLANG_URDU_PAKISTANr4)SUBLANG_URDU_INDIAr<)SUBLANG_UZBEK_LATINr4)SUBLANG_UZBEK_CYRILLICr<)SUBLANG_DUTCH_SURINAMr>)SUBLANG_ROMANIANr4)SUBLANG_ROMANIAN_MOLDAVIAr<)SUBLANG_RUSSIANr4)SUBLANG_RUSSIAN_MOLDAVIAr<)SUBLANG_CROATIANr4)SUBLANG_LITHUANIAN_CLASSICr<)SUBLANG_GAELICr4)SUBLANG_GAELIC_SCOTTISHr<)SUBLANG_GAELIC_MANXr>ctj|d}tj|gD] }||vs|cStj|dgdS)N *unknown*r)LANGgetSUBLANG) lang_value sublang_value lang_name sublang_names rget_sublang_name_for_langrDsV[1I M26   $   ;;}{m 4Q 77rczd}d}|t|kr|||dz}t|dkrytjd|d}|dz }|dk7rFd|dzcxkrt|kr/nn, ||||dzzjd||<|dk\ry||dzz }|dz }|t|kryy#t$r|dz }Y4wxYw)Nrr<z)lenstructunpackdecodeUnicodeDecodeError)r*counterli error_count data_slicelen_s r parse_stringsrRs AK c$i-!a!e_ z?Q  }}T:.q1 Q 19dQh3#d)3 !!!a$(l3:::F' a MA1  c$i-& !q  !s(B))B:9B:c|jDcgc]0}t|ttfr|j |r|||f2c}Scc}w)zRead the flags from a dictionary and return them in a usable form. Will return a list of (flag, value) for all flags in "flag_dict" matching the filter "flag_filter". )keys isinstancestrbytes startswith) flag_dict flag_filterflags rretrieve_flagsr\sMNN$   dS%L )dook.J y  s5A c`|D])\}}||zrd|j|<d|j|<+y)a Will process the flags and set attributes in the object accordingly. The object "obj" will gain attributes named after the flags provided in "flags" and valued True/False, matching the results of applying each flag value from "flags" to flag_field. TFN)__dict__)obj flag_fieldflagsr[values r set_flagsrcs;' e : !%CLL !&CLL  'rc&|dk7xr ||dz zdk(S)Nrr4)r#s r power_of_tworfs !8 .aQ..rc.eZdZfdZfdZdZxZS) AddressSetc>t|d|_d|_yr)super__init__minmax)self __class__s rrkzAddressSet.__init__s rct|||j|nt|j||_|j||_yt|j||_yr)rjaddrlrm)rnrbros rrqzAddressSet.addsM  E HH,5#dhh2F HH,5#dhh2Frch|j |jdS|j|jz Sr()rlrmrns rdiffzAddressSet.diffs,HH$(8qQdhh>QQr)__name__ __module__ __qualname__rkrqrt __classcell__ros@rrhrhs G RrrhcLeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z y ) !UnicodeStringWrapperPostProcessorzThis class attempts to help the process of identifying strings that might be plain Unicode or Pascal. A list of strings will be wrapped on it with the hope the overlappings will help make the decision about their type.c.||_||_d|_yr)perva_ptrstring)rnr}r~s rrkz*UnicodeStringWrapperPostProcessor.__init__s  rc|jS)zGet the RVA of the string.)r~rss rget_rvaz)UnicodeStringWrapperPostProcessor.get_rvas ||rc&|jddS)z6Return the escaped UTF-8 representation of the string.utf-8r )rJrss r__str__z)UnicodeStringWrapperPostProcessor.__str__s{{7$788rcN|jsy|jj|S)N)rrJ)rnrs rrJz(UnicodeStringWrapperPostProcessor.decodes#{{!t{{!!4((rcd}y)z>Make this instance None, to express it's no known string type.Nrerss r invalidatez,UnicodeStringWrapperPostProcessor.invalidatesrc( |jj|jdz|j|_y#t $rH|jj jdj|jdzYywxYw)Nr< max_lengthzCFailed rendering pascal string, attempting to read from RVA 0x{0:x}) r}get_string_u_at_rvar~get_pascal_16_lengthr PEFormatError get_warningsappendformatrss rrender_pascal_16z2UnicodeStringWrapperPostProcessor.render_pascal_16s} ''55 q T-F-F-H6DK  GG " ) )66&5DKrc |jj|j|_y#t$rE|jj j dj|jYywxYw)NzDFailed rendering unicode string, attempting to read from RVA 0x{0:x})r}rr~rrrrrrss rrender_unicode_16z3UnicodeStringWrapperPostProcessor.render_unicode_16)s^ ''55dllCDK  GG " ) )66K|]}dj|yw){0}N)r).0bs r z Dump.get_text..cs:1u||A:s)joinrrss rget_textz Dump.get_textasww: :::rNr) rurvrwrrkrrrqrrrrerrrr=s(;(%=;;rr)xcrBhHrNIrMLrqQdsc :d}|}|dtjvrmtdj|Dcgc]}|tjvs|c}}dj|Dcgc]}|tjvs|c}}t||zScc}wcc}w)Nr4rr)rdigitsr"rSTRUCT_SIZEOF_TYPES)tr)_trs r sizeof_typerys E Btv}}BGG@1Q&---?Q@AB WW=Aav}}& r "U **A=sB B $B<BT)rrc d}g}i}g}d}d}|D]}d|vs|jdd\}} ||z }|jd| jd} g} | D]Z} | |vr>|D cgc]} | dt| } } | j| }dj | |} | j| ||| <\|t |z }|j| t j|}|||||fScc} w)N 'HCG}}S) !$,c>     g & '{{4..<<r)rrr)rnrs r__repr__zStructure.__repr__s> HH499;?achhqwwy)? @  ?s&A c >g}|jdj|jtjDcgc] }|tj vst |"}}|jD]}|D]{}t||}t|ttfrn|jdrdj|}ndj|}|dk(s|dk(r |dtjtj|zz }nt#|}|jd r>d j%|j'd Dcgc]}d j|c}}nLd j%|j'd Dcgc]"}||vr t)|nd j|$c}}|jd|j*||j,z|j*||dz|fz~|Scc}w#t $r|dz }Y_wxYwcc}wcc}w)z1Returns a string representation of the structure.z[{0}] Signature_z{:<8X}z0x{:<8X} TimeDateStamp dwTimeStampz [%s UTC]z [INVALID TIME] Signaturerz{:02X}z \x{0:02x}z0x%-8X 0x%-3X %-30s %s:)rrrr printable whitespaceordrrrUr"longrXtimeasctimegmtime ValueError bytearrayrrstripchrrr) rn indentationrrNprintable_bytesrTrr#val_strs rrzStructure.dumps  GNN499-.#,, 9J9J0JCF  MM% D$ dC(cC;/~~l3"*//#"6","3"3C"8o- 1E9#{T\\$++cBR5S'SSG(nG~~k2"$''9@9PQAX__Q/Q##%'' *1)@ %&%&$8!$A%1%8%8%;!<# ,..s3d6J6JJ..s3c  9$ % N [ " *9#'88G9 Rs)G< G<.HH 'H HHc "i}|j|d<|jD]}|D]}t||}t|tt fr9|dk(s|dk(rp d|t jt j|fz}nAdjd|Dcgc]}t|ts t|n|!c}D}|j||jz|j||d||<|S#t$rd|z}YFwxYwcc}w) z5Returns a dictionary representation of the structure.rrrz0x%-8X [%s UTC]z0x%-8X [INVALID TIME]rc3rK|]/}t|tjvr t|nd|z1yw)z\x%02xN)r"rr)rrs rrz&Structure.dump_dict..es6"#&a&F,<,<"<A)a-O"s57) FileOffsetOffsetValue)rrrrUr"rrrrrrrrr)rn dump_dictrTrr#rs rr+zStructure.dump_dictOs, !% +MM D dC(cC;/o- 1E@"3 # $ T[[-= >7#C''"SV!Wa 1c0B#a&"I!W"C #'"8"8"=@T@T"T"44S9 " ##  0 *@"9C"?C@ "Xs-C8$D 8D D NNr)rurvrwrrkrVrrrrrrrrr rrrr+rerrrrsV "8##I2$&# & (* =& 4l!rrc~eZdZdZfdZdZdZddZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZxZS)SectionStructurez#Convenience section handling class.cd|vr |d|_|d=d|_d|_d|_d|_t ||i|d|_d|_d|_ d|_ y)Nr}) r}PointerToRawDataVirtualAddress SizeOfRawDataMisc_VirtualSizerjrkPointerToRawData_adjVirtualAddress_adjsection_min_addrsection_max_addr)rnrrros rrkzSectionStructure.__init__vsn 6>TlDGt $"! $ $)&)$(!"& $ $rc2|j|jt|jj|j}|jjj dkr%|j|j k(r |j }||_|jSr )r4r0r}adjust_PointerToRawDataOPTIONAL_HEADERSectionAlignmentr1)rnptrds rget_PointerToRawData_adjz)SectionStructure.get_PointerToRawData_adjs  $ $ ,1F1F1R772243H3HID ww&&77&@((D,?,??..D(,D %(((rc|jt|jh|jj|j|jjj |jjj |_|jSr)r5r1r}adjust_SectionAlignmentr:r; FileAlignmentrss rget_VirtualAddress_adjz'SectionStructure.get_VirtualAddress_adjsn  " " *"".*.''*I*I''GG++<<GG++99+' &&&rc||j}n$||jz |jz}|||z}n|j||jz}n|}|r||t|||jz}|j A|j5||j |jzkDr|j |jz}|j j||S)aGet data chunk from a section. Allows to query data from the section by passing the addresses where the PE file would be loaded by default. It is then possible to retrieve code and data by their real addresses as they would be if loaded. Note that sections on disk can include padding that would not be loaded to memory. That is the case if `section.SizeOfRawData` is greater than `section.Misc_VirtualSize`, and that means that data past `section.Misc_VirtualSize` is padding. In case you are not interested in this padding, passing `ignore_padding=True` will truncate the result in order not to return the padding (if any). Returns bytes(). )r=rAr2rlr3r0r}__data__)rnstartrignore_paddingrends rrzSectionStructure.get_datas& =224F3355--/0F  6/C    +4---CC co&2Dc6D$9$99:C  ,1C1C1OT**T-?-???++d.@.@@wws++rc|dk(rttd}t|||nOd|vrKt||r?|r|jdxxt|zcc<n|jdxxt|zcc<||j|<y)NCharacteristics IMAGE_SCN_)r\SECTION_CHARACTERISTICSrchasattrr^)rnrr# section_flagss r __setattr__zSectionStructure.__setattr__s~ $ $*+BLQM dC / T !gdD&9 /04KD4QQ0 /04KD4QQ0! drcJ||jz |jzSr)r=rArs rget_rva_from_offsetz$SectionStructure.get_rva_from_offsets$5577$:U:U:WWWrcJ||jz |jzSr)rAr=rnrs rget_offset_from_rvaz$SectionStructure.get_offset_from_rvas$T0022T5R5R5TTTrcv|jy|j}||cxkxr||jzkScS)z F V-ADDVDV-V V V rcB|j0|j$|j|cxkxr|jkScS|j}t|jj |j z |jkr |j}n t|j|j}|j:|j|jkDr!||z|jkDr|j|z }||_||z|_||cxkxr||zkScS)z8Check whether the section contains the address provided.) r6r7rArGr}rCr=r2r3rmnext_section_virtual_addressr1)rnrr5sizes r contains_rvazSectionStructure.contains_rvas  ,1F1F1R((CG$2G2GG GG G!88: tww 4#@#@#B BTEWEW W((Dt))4+@+@AD  - - 911D4G4GG"T)D,M,MM447IID 2 2T 9!SD+=+DDDDDrc$|j|Sr)rXrQs rcontainszSectionStructure.containss  %%rc@|j|jS)z1Calculate and return the entropy for the section.) entropy_Hrrss r get_entropyzSectionStructure.get_entropys~~dmmo..rc^t't|jjSy)z/Get the SHA-1 hex-digest of the section's data.N)rr hexdigestrss r get_hash_sha1zSectionStructure.get_hash_sha1s)   (224 4 rc^t't|jjSy)z1Get the SHA-256 hex-digest of the section's data.N)rrr_rss rget_hash_sha256z SectionStructure.get_hash_sha256)  $--/*446 6 rc^t't|jjSy)z1Get the SHA-512 hex-digest of the section's data.N)rrr_rss rget_hash_sha512z SectionStructure.get_hash_sha512#rcrc^t't|jjSy)z-Get the MD5 hex-digest of the section's data.N)rrr_rss r get_hash_md5zSectionStructure.get_hash_md5)s( ?t}}'113 3 rc|sytt|}d}|jD]5}t|t |z }||t j |dzz}7|S)z)Calculate the entropy of a chunk of data.grr<)rr valuesfloatrGmathlog)rnr* occurencesentropyrp_xs rr\zSectionStructure.entropy_H/shYt_- ""$ .A(SY&C sTXXc1-- -G .r)NNF)rurvrwrrkr=rArrMrOrRrTrXrZr]r`rbrergr\rxrys@rr.r.ss[- % )'*,X "XU  $EL&/ 5 7 7 4 rr.c,Gdd}g}i}|||}|dD]}d|vr"|j|j|)|jdd\}}d|vr td|jdd\}}t |}||j k7s||j kDr!|j|j||j|||jtt|\} } } } } g}t| D]j\}}||vr|j|||\} }|Dcgc]}|tjg}}|j||D]}| |d| |d<l| | | | ||fScc}w)Nc6eZdZdZdZdZdZdZdZdZ y) )set_bitfields_format..AccumulatorcXg|_d|_d|_d|_||_||_y)N~r) _subfields_name_type _bits_left _comp_fields_format)rnfmt comp_fieldss rrkz2set_bitfields_format..Accumulator.__init__Bs/ DODJDJDO +D DLrc(|jy|jj|jdz|jz|j|jf|j t |jdz <d|_d|_g|_y)Nrr4rt)rwrzrrvruryrGrss rwrap_upz1set_bitfields_format..Accumulator.wrap_upLsszz! LL   S 04:: = >8< DOO7TD  c$,,/!3 4DJDJ DOrc4t|dz|_||_yNrH)rrxrw)rntps rnew_typez2set_bitfields_format..Accumulator.new_typeUs1"59DODJrc|xj|z c_|xj|zc_|jj||fyr)rvrxrur)rnrbitcnts r add_subfieldz6set_bitfields_format..Accumulator.add_subfieldYs4 JJ$ J OOv %O OO " "D&> 2rc|jSr)rwrss rget_typez2set_bitfields_format..Accumulator.get_type^ :: rc|jSr)rvrss rget_namez2set_bitfields_format..Accumulator.get_namearrc|jSr)rxrss r get_bits_leftz7set_bitfields_format..Accumulator.get_bits_leftds ?? "rN) rurvrwrkr~rrrrrrerr AccumulatorrrAs%  !  3    #rrr4rrz3Structures with bitfields do not support unions yetr)r~rrNotImplementedErrorr"rrrrrrrStructureWithBitfields BTF_NAME_IDXextend)rrold_fmtr|acrrrelm_bits format_str_ field_offsetsrT format_length extended_keysrr#sbfrbf_namesns rset_bitfields_formatr?s$#$#LGK Wk *Bay, c> JJL NN3   YYsA.( (?%E &^^C3(x= r{{} $23C3C3E(E JJL KK ! (+',(JJL8B5>8R5J=$ MdO8S k !   % S!3FIJQ-::;<JJX& 8A"/A"7M!A$  88  }dM; WW KsFcfeZdZdZdZdZdZdZd dZfdZ fdZ d fd Z fdZ d Z d ZxZS) raV Extends Structure's functionality with support for bitfields such as: ('B:4,LowerHalf', 'B:4,UpperHalf') To this end, two lists are maintained: * self.__keys__ that contains compound fields, for example ('B,~LowerHalfUpperHalf'), and is used during packing/unpaking * self.__keys_ext__ containing a separate key for each field (ex., LowerHalf, UpperHalf) to simplify implementation of dump() This way the implementation of unpacking/packing and dump() from Structure can be reused. In addition, we create a dictionary: --> (data type, [ (subfield name, length in bits)+ ] ) that facilitates bitfield paking and unpacking. With lru_cache() creating only once instance per format string, the memory overhead is negligible. rr4ct|\|_|_|_|_|_|_t|jDcgc]}dc}|_d|_ ||_ |dk7r||_ y|d|_ ycc}w)NFr) rrrrr __keys_ext____compound_fields__rangerrrr)rnrrrrNs rrkzStructureWithBitfields.__init__s ! (    "  " M    $6;4;Q;Q5R&St&S##* DLD fQi 'Ts A?cDt|||jyr)rjr_unpack_bitfield_attributesrnr*ros rrz!StructureWithBitfields.__unpack__s 4  ((*rc|j t| }|j|S#|jwxYwr)_pack_bitfield_attributesrjr rrs rr zStructureWithBitfields.__pack__sB &&( /7#%D  , , .   , , .s 3Ac|j}|j|_ t| |}||_|S#||_wxYwr)rrrjr)rnr#tkretros rrzStructureWithBitfields.dumpsC ]]))  ',{+CDM DMs 8 Ac|j}|j|_ t| }||_|S#||_wxYwr)rrrjr+)rnrrros rr+z StructureWithBitfields.dump_dictsB ]]))  '#%CDM DMs 7 Ac|jjD]}|j|d}t||}t ||d}|j|t j D]Z}d|t jzdz }||z}t||t j||z|z ||t jz }\y)zaReplace compound attributes corresponding to bitfields with separate sub-fields. rr4N) rrTrrdelattrr CF_SUBFLD_IDXBTF_BITCNT_IDXrr)rnrNcf_namecvaloffstsfmasks rrz2StructureWithBitfields._unpack_bitfield_attributess))..0 CAmmA&q)G4)D D' "E..q12H2V2VW CR 6 E EFF!K-::;D[U* 2AABB C Crc|jjD]}|j|d}d\}}|j|tjD]Y}d|tj zdz }t ||tj|z}|||zz}||tj z }[t|||y)z(Pack attributes into a compound bitfieldrrrr4N) rrTrrrrrrr)rnrNrracc_valrr field_vals rrz0StructureWithBitfields._pack_bitfield_attributess))..0 ,AmmA&q)G!NE7..q12H2V2VW CR 6 E EFF!KD"%;%H%H"IJTQ9--2AABB  C D'7 + ,rr,r)rurvrwrrr CF_TYPE_IDXrrkrr rr+rrrxrys@rrrsB(LNKM8 + C& ,rrc"eZdZdZfdZxZS) DataContainerzGeneric data container.c \t|}|jD]\}}|||yr)rjrMitems)rnr bare_setattrrrbros rrkzDataContainer.__init__s0w*  ,,. %JC e $ %r)rurvrwrrkrxrys@rrrs!%%rrceZdZdZy)ImportDescDatazHolds import descriptor information. dll: name of the imported DLL imports: list of imported symbols (ImportData instances) struct: IMAGE_IMPORT_DESCRIPTOR structure NrurvrwrrerrrrrrceZdZdZdZy) ImportDatazHolds imported symbol's information. ordinal: Ordinal of the symbol name: Name of the symbol bound: If the symbol is bound, this contains the address. ct|drt|drt|dr|dk(r|jjtk(rt}n#|jjt k(rt }|dzz|j_|jj|j_ |jj|j_ |jj|j_ n|dk(r|j||j_ |jj|j_ |jj|j_ |jj|j_ n7|dk(r||j_ |jj|j_|jj|j_ |jj|j_ n|dk(r|jr|jj|j}|jj|j d|zt#|t#|j$kDr t'd|jj)|j|||j*|<y)Nordinalboundraddressr9The export name provided is longer than the existing one.)rKr}PE_TYPEOPTIONAL_HEADER_MAGIC_PEIMAGE_ORDINAL_FLAGOPTIONAL_HEADER_MAGIC_PE_PLUSIMAGE_ORDINAL_FLAG64 struct_tableOrdinal AddressOfDataFunctionForwarderString struct_iat name_offsetrOset_dword_at_offsetordinal_offsetrGrrset_bytes_at_offsetr^)rnrr# ordinal_flagname_rvas rrMzImportData.__setattr__s D) $g&f%y 77??&>>#5LWW__(EE#7L-9C&L,I!!)262C2C2K2K!!/-1->->-F-F!!*484E4E4M4M!!1??.47DOO148OO4Q4QDOO1/3/L/LDOO,6:oo6S6SDOO3"25!!/,0,=,=,K,K!!)-1->->-L-L!!*484E4E4S4S!!1###ww::4;K;KLHGG//++g-A 3x#dii.0+WGG//0@0@#F! drNrurvrwrrMrerrrrs 2"rrceZdZdZy) ExportDirDatazHolds export directory information. struct: IMAGE_EXPORT_DIRECTORY structure symbols: list of exported symbols (ExportData instances)NrrerrrrMsCrrceZdZdZdZy) ExportDataadHolds exported symbols' information. ordinal: ordinal of the symbol address: address of the symbol name: name of the symbol (None if the symbol is exported by ordinal only) forwarder: if the symbol is forwarded it will contain the name of the target symbol, None otherwise. ct|dr.t|dr!t|drt|dr|dk(r'|jj|j|n|dk(r'|jj |j |n|dk(rSt |t |jkDr td|jj|j|nW|dk(rRt |t |jkDr td|jj|j|||j|<y)Nrr forwarderrrz+>D"++D,?,?Es8c$))n,'S++D,<,  t9t & <<1 !2;c$BVBV>WW W W^ && 1n OO & &tBdoo6L6L6N1N'O P*11$//BE}03t7K7Kb7P3QQQ ::4??DQL--/,>H   R"x-($$r)   (NB , &J    # #E *!1n$  ! !T%;%;#5D  " "#2D   4 ' $$ ${[;Ns;S-ST $( rc |jdk7rS|jtdz |j|j<|jj |jg t ||}|jdk7r|jj |j ddjtDcgc]}t||ds|dc}z|j ddj|jDcgc]}|jst| c}z|S#|jdk7r|jjwwxYwcc}wcc}w)NrFlags: , rzUnwind codes: z; )rrrrrrrjrpoprunwind_info_flagsrr&is_validrV)rnr#rrrros rrzUnwindInfo.dumpsF   4 '"5c"::  " "4#7#7 8    $ $d&:&:%; < (7< ,D##t+!!%%' ii'8P!GD!A$ "))**, ,J  -   4 ' D'$0D0D"EF "5c"::T__  rc|jSr)rrss rget_chained_function_entryz%UnwindInfo.get_chained_function_entryrrcF|jdk7r td||_y)Nz(Chained function entry cannot be changed)rr)rnentrys rset_chained_function_entryz%UnwindInfo.set_chained_function_entrys$   $ & JK K#rr)rurvrwrrkr2rr+rMrr rBrErxrys@rrr3s6 )0:x6 "$#$rrc(eZdZdZdZdZdZdZy)PrologEpilogOpzMeant as an abstract class representing a generic unwind code. There is a subclass of PrologEpilogOp for each member of UNWIND_OP_CODES enum. c|t|j|||_|jj|y)Nr)r _get_formatrHr)rnunw_coder*unw_infors rr*zPrologEpilogOp.initializes2,   X &K   t$rcy)zComputes how many UNWIND_CODE structures UNWIND_CODE occupies. May be called before initialize() and, for that reason, should not rely on the values of intance attributes. r4rernrJrKs rr)z(PrologEpilogOp.length_in_code_structuress rcy)NTrerss rr8zPrologEpilogOp.is_validsrcy)NrrernrJs rrIzPrologEpilogOp._get_formatsNrN)rurvrwrr*r)r8rIrerrrGrGs% OrrGceZdZdZdZdZy)PrologEpilogOpPushRegUWOP_PUSH_NONVOLcy)N)UNWIND_CODE_PUSH_NONVOL)rrB:4,RegrerPs rrIz!PrologEpilogOpPushReg._get_formatsWrcBdt|jjzS)Nz .PUSHREG ) REGISTERSrHRegrss rrzPrologEpilogOpPushReg.__str__sYt{{777rN)rurvrwrrIrrerrrRrRsX8rrRc(eZdZdZdZdZdZdZy)PrologEpilogOpAllocLargeUWOP_ALLOC_LARGEc8dddd|jdk(rdffSdffS)NUNWIND_CODE_ALLOC_LARGErrrrzH,AllocSizeInQwordsz I,AllocSizeOpInforPs rrIz$PrologEpilogOpAllocLarge._get_formatsB %)1A)=%    DQ    rc(|jdk(rdSdS)Nrr<r>r_rMs rr)z2PrologEpilogOpAllocLarge.length_in_code_structuressOOq(q/a/rc|jjdk(r|jjdzS|jjS)NrrH)rHr`AllocSizeInQwords AllocSizerss rget_alloc_sizez'PrologEpilogOpAllocLarge.get_alloc_sizesC{{!!Q& KK ) )A - && rc:dt|jzSNz .ALLOCSTACK r%rerss rrz PrologEpilogOpAllocLarge.__str__D$7$7$9 :::rN)rurvrwrrIr)rerrerrr[r[s  0 ;rr[c"eZdZdZdZdZdZy)PrologEpilogOpAllocSmallUWOP_ALLOC_SMALLcy)N)UNWIND_CODE_ALLOC_SMALL)rrzB:4,AllocSizeInQwordsMinus8rerPs rrIz$PrologEpilogOpAllocSmall._get_format rc:|jjdzdzSr)rHAllocSizeInQwordsMinus8rss rrez'PrologEpilogOpAllocSmall.get_alloc_size%s{{22Q6::rc:dt|jzSrgrhrss rrz PrologEpilogOpAllocSmall.__str__(rirN)rurvrwrrIrerrerrrkrks ;;rrkc(eZdZdZfdZdZxZS)PrologEpilogOpSetFPUWOP_SET_FPREGctt||||||j|_|jdz|_yNr1)rjr* FrameRegister_frame_register FrameOffset _frame_offsetrnrJr*rKrros rr*zPrologEpilogOpSetFP.initialize/s7 8T8[A'55%11B6rc`dt|jzdzt|jzS)Nz .SETFRAME r5)rXryr%r{rss rrzPrologEpilogOpSetFP.__str__4s: ,,- . $$$% & r)rurvrwrr*rrxrys@rrtrt,s7  rrtc(eZdZdZdZdZdZdZy)PrologEpilogOpSaveRegUWOP_SAVE_NONVOLcyNr<re)rnunwcoderKs rr)z/PrologEpilogOpSaveReg.length_in_code_structures@rc4|jjdzSr)rHOffsetInQwordsrss r get_offsetz PrologEpilogOpSaveReg.get_offsetCs{{))A--rcy)N)UNWIND_CODE_SAVE_NONVOL)rrrVzH,OffsetInQwordsrerPs rrIz!PrologEpilogOpSaveReg._get_formatFrorc|dt|jjzdzt|j zSNz .SAVEREG r5)rXrHrYr%rrss rrzPrologEpilogOpSaveReg.__str__Ls0Yt{{77$>T__EVAWWWrNrurvrwrr)rrIrrerrrr=s. Xrrc(eZdZdZdZdZdZdZy)PrologEpilogOpSaveRegFarUWOP_SAVE_NONVOL_FARcyNr>rerMs rr)z2PrologEpilogOpSaveRegFar.length_in_code_structuresSrrc.|jjSrrHr)rss rrz#PrologEpilogOpSaveRegFar.get_offsetV{{!!!rcy)N)UNWIND_CODE_SAVE_NONVOL_FARrrrVzI,OffsetrerPs rrIz$PrologEpilogOpSaveRegFar._get_formatYrorcdt|jjzdzt|jjzSr)rXrHrYr%r)rss rrz PrologEpilogOpSaveRegFar.__str___s3Yt{{77$>T[[EWEWAXXXrNrrerrrrPs" Yrrc(eZdZdZdZdZdZdZy)PrologEpilogOpSaveXMMUWOP_SAVE_XMM128cy)N)UNWIND_CODE_SAVE_XMM128)rrrVzH,OffsetIn2QwordsrerPs rrIz!PrologEpilogOpSaveXMM._get_formatfrorcyrrerMs rr)z/PrologEpilogOpSaveXMM.length_in_code_structureslrrc4|jjdzSrw)rHOffsetIn2Qwordsrss rrz PrologEpilogOpSaveXMM.get_offsetos{{**R//rcdt|jjzdzt|j zSNz.SAVEXMM128 XMMr5)rVrHrYr%rrss rrzPrologEpilogOpSaveXMM.__str__rs0 3t{{#77$>T__EVAWWWrNrurvrwrrIr)rrrerrrrcs 0Xrrc(eZdZdZdZdZdZdZy)PrologEpilogOpSaveXMMFarUWOP_SAVE_XMM128_FARcy)N)UNWIND_CODE_SAVE_XMM128_FARrrerPs rrIz$PrologEpilogOpSaveXMMFar._get_formatyrorcyrrerMs rr)z2PrologEpilogOpSaveXMMFar.length_in_code_structuresrrc.|jjSrrrss rrz#PrologEpilogOpSaveXMMFar.get_offsetrrcdt|jjzdzt|jjzSr)rVrHrYr%r)rss rrz PrologEpilogOpSaveXMMFar.__str__s3 3t{{#77$>T[[EWEWAXXXrNrrerrrrvs "YrrceZdZdZdZy)PrologEpilogOpPushFrameUWOP_PUSH_MACHFRAMEc@d|jjrdzSdzS)Nz .PUSHFRAMEz r)rHr`rss rrzPrologEpilogOpPushFrame.__str__s!DKK,>,>yGGBGGrN)rurvrwrrrerrrrs Hrrc@eZdZdZfdZdZdZdZdZdZ xZ S)PrologEpilogOpEpilogMarker UWOP_EPILOGcd|_t|d |_t||||||jr8t |d|j j|jdzdk(|_|j|_ y)NT SizeOfEpilogr4r) _long_offstrK_firstrjr*rrHSizer`r _epilog_sizer|s rr*z%PrologEpilogOpEpilogMarker.initializesp!(N;;  8T8[A ;; Hndkk.>.> ?'2a7D $11rcN|jrd|jdzdk(rdfSdfSy)NUNWIND_CODE_EPILOGr4)zB,OffsetLow,Sizer B:4,Flags)zB,Sizerr B,OffsetLowz B:4,UnusedB:4,OffsetHigh)r)rrr)rr`rPs rrIz&PrologEpilogOpEpilogMarker._get_formatsC ;;$??Q&!+B    rcFt|ds|jdzdk(rdSdS)Nrr4rr<)rKr`rMs rr)z4PrologEpilogOpEpilogMarker.length_in_code_structuress38^4(//A:MRS9S   rc|jj|jr|jjdzzSdzS)NrHr)rH OffsetLowr OffsetHighrss rrz%PrologEpilogOpEpilogMarker.get_offsets@{{$$+/+;+;DKK " "a '  AB  rc(|jdkDSr()rrss rr8z#PrologEpilogOpEpilogMarker.is_valids 1$$rc|jdkDr5dt|jzdzt|jzSdS)Nrz EPILOG: size=z, offset from the end=-r)rr%rrss rrz"PrologEpilogOpEpilogMarker.__str__sX 1$ $##$ %' ($//#$ %   r) rurvrwrr*rIr)rr8rrxrys@rrrs$2.  %  rrcLeZdZdZeeeeee e e e e eeeeeeeeeei ZedZy)r'zBA factory for creating unwind codes based on the value of UnwindOpcp|j}|tjvrtj|SdSr)UnwindOpr' _class_dict)rcodes rr(zPrologEpilogOpsFactory.creates@-999 # . .t 4 6  rN)rurvrwrrSrRr\r[rlrkrurtrrrrrrrrrrrrr staticmethodr(rerrr'r's^L /22+/6/64/ K  rr'z!#$%&'()-@^_`{}~+,.;=[]:c|t|tttfsytdzt fdt |DS)NFs\/c3&K|]}|v ywrre)rralloweds rrz(is_valid_dos_filename..s,qG|,s)rUrVrWr allowed_filenameallset)rrs @ris_valid_dos_filenamers:y 1sE9&=>'G ,SV, ,,rrrelax_allowed_charactersrcd|rd|duxr:t|tttfxrt fdt |DS)Ns ._?@$()<>s!"#$%&'()*+,-./:<>?[\]^_`{|}~@c3:K|]}|tvxs|vywr)allowed_function_name)rr allowed_extras rrz)is_valid_function_name.. s$Sq++AqM/AASs)rUrVrWr rr)rrrs @ris_valid_function_namer sN!M;    T q3y1 2 T SCPQFS SrceZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(Z*d)Z+d*Z,d+Z-d,Z.d-d-d-e/d.fd/Z0d0Z1d1Z2d2Z3d3Z4d4Z5d5Z6d6Z7d7Z8d8Z9d9Z:d:Z;dd;Zd>Z?d?Z@d@ZAdAZBdBZCdCZDdDZEddEZFdFZGdGZHdHZIddIZJdJZKdKZLdLZMddMZNdNZOdOZPdPZQddQZRdRZSdSZTddTZU ddUZVddVZWddWZXdXZYddYZZdZZ[d[Z\e]fd\Z^d]Z_d^Z`dd_Zad`ZbdaZcdbZddcZeddZfddeZgddfZhdgZidhZjdiZkdjZldkZmdlZndmZodnZpdoZqdpZrdqZsdrZtdsZudtZvduZwdvZxdwZydxZzdyZ{dzZ|d{Z}d|Z~d}ed~efdZdZdZdZdZdZdZdZdZdZdZdZdZy-)PEa A Portable Executable representation. This class provides access to most of the information in a PE file. It expects to be supplied the name of the file to load or PE data to process and an optional argument 'fast_load' (False by default) which controls whether to load all the directories information, which can be quite time consuming. pe = pefile.PE('module.dll') pe = pefile.PE(name='module.dll') would load 'module.dll' and process it. If the data is already available in a buffer the same can be achieved with: pe = pefile.PE(data=module_dll_data) The "fast_load" can be set to a default by setting its value in the module itself by means, for instance, of a "pefile.fast_load = True". That will make all the subsequent instances not to load the whole PE structure. The "full_load" method can be used to parse the missing data at a later stage. Basic headers information will be available in the attributes: DOS_HEADER NT_HEADERS FILE_HEADER OPTIONAL_HEADER All of them will contain among their attributes the members of the corresponding structures as defined in WINNT.H The raw data corresponding to the header (from the beginning of the file up to the start of the first section) will be available in the instance's attribute 'header' as a string. The sections will be available as a list in the 'sections' attribute. Each entry will contain as attributes all the structure's members. Directory entries will be available as attributes (if they exist): (no other entries are processed at this point) DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances) DIRECTORY_ENTRY_EXPORT (ExportDirData instance) DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance) DIRECTORY_ENTRY_DEBUG (list of DebugData instances) DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances) DIRECTORY_ENTRY_TLS DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances) The following dictionary attributes provide ways of mapping different constants. They will accept the numeric value and return the string representation and the opposite, feed in the string and get the numeric constant: DIRECTORY_ENTRY IMAGE_CHARACTERISTICS SECTION_CHARACTERISTICS DEBUG_TYPE SUBSYSTEM_TYPE MACHINE_TYPE RELOCATION_TYPE RESOURCE_TYPE LANG SUBLANG )IMAGE_DOS_HEADER)z H,e_magiczH,e_cblpzH,e_cpzH,e_crlcz H,e_cparhdrz H,e_minallocz H,e_maxalloczH,e_sszH,e_spzH,e_csumzH,e_ipzH,e_csz H,e_lfarlczH,e_ovnoz8s,e_resz H,e_oemidz H,e_oeminfoz 20s,e_res2z I,e_lfanew)IMAGE_FILE_HEADER)z H,MachinezH,NumberOfSectionsI,TimeDateStampzI,PointerToSymbolTablezI,NumberOfSymbolszH,SizeOfOptionalHeaderzH,Characteristics)IMAGE_DATA_DIRECTORY)I,VirtualAddressI,Size)IMAGE_OPTIONAL_HEADER)H,MagicB,MajorLinkerVersionB,MinorLinkerVersion I,SizeOfCodeI,SizeOfInitializedDataI,SizeOfUninitializedDataI,AddressOfEntryPoint I,BaseOfCodez I,BaseOfDataz I,ImageBaseI,SectionAlignmentI,FileAlignmentH,MajorOperatingSystemVersionH,MinorOperatingSystemVersionH,MajorImageVersionH,MinorImageVersionH,MajorSubsystemVersionH,MinorSubsystemVersion I,Reserved1 I,SizeOfImageI,SizeOfHeaders I,CheckSum H,SubsystemH,DllCharacteristicszI,SizeOfStackReservezI,SizeOfStackCommitzI,SizeOfHeapReservezI,SizeOfHeapCommit I,LoaderFlagsI,NumberOfRvaAndSizes)IMAGE_OPTIONAL_HEADER64)rrrrrrrrz Q,ImageBaserrrrrrrrrrrrrrzQ,SizeOfStackReservezQ,SizeOfStackCommitzQ,SizeOfHeapReservezQ,SizeOfHeapCommitrr)IMAGE_NT_HEADERS) I,Signature)IMAGE_SECTION_HEADER) z8s,Namez,I,Misc,Misc_PhysicalAddress,Misc_VirtualSizerzI,SizeOfRawDataI,PointerToRawDatazI,PointerToRelocationszI,PointerToLinenumberszH,NumberOfRelocationszH,NumberOfLinenumbersI,Characteristics)IMAGE_DELAY_IMPORT_DESCRIPTOR)z I,grAttrszI,szNamezI,phmodzI,pIATzI,pINTz I,pBoundIATz I,pUnloadIATz I,dwTimeStamp)IMAGE_IMPORT_DESCRIPTOR)z$I,OriginalFirstThunk,CharacteristicsrzI,ForwarderChainI,Namez I,FirstThunk)IMAGE_EXPORT_DIRECTORY) rrH,MajorVersionH,MinorVersionrzI,BasezI,NumberOfFunctionszI,NumberOfNameszI,AddressOfFunctionszI,AddressOfNameszI,AddressOfNameOrdinals)IMAGE_RESOURCE_DIRECTORY)rrrrzH,NumberOfNamedEntrieszH,NumberOfIdEntries)IMAGE_RESOURCE_DIRECTORY_ENTRY)rI,OffsetToData)IMAGE_RESOURCE_DATA_ENTRY)rrz I,CodePagez I,Reserved)VS_VERSIONINFOzH,Lengthz H,ValueLengthzH,Type)VS_FIXEDFILEINFO) rzI,StrucVersionzI,FileVersionMSzI,FileVersionLSzI,ProductVersionMSzI,ProductVersionLSzI,FileFlagsMaskz I,FileFlagszI,FileOSz I,FileTypez I,FileSubtypez I,FileDateMSz I,FileDateLS)StringFileInfor ) StringTabler )Stringr )Varr )IMAGE_THUNK_DATA)z0I,ForwarderString,Function,Ordinal,AddressOfData)r)z0Q,ForwarderString,Function,Ordinal,AddressOfData)IMAGE_DEBUG_DIRECTORY)rrrrzI,Typez I,SizeOfDatazI,AddressOfRawDatar)IMAGE_BASE_RELOCATION)rz I,SizeOfBlock)IMAGE_BASE_RELOCATION_ENTRY)zH,Data)0IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION)zI:12,PageRelativeOffsetzI:1,IndirectCallz I:19,IATIndex)/IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION)H:12,PageRelativeOffsetzH:1,IndirectCallzH:1,RexWPrefixz H:1,CfgCheckz H:1,Reserved)+IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION)rzH:4,RegisterNumber)IMAGE_FUNCTION_OVERRIDE_HEADER)zI,FuncOverrideSize)*IMAGE_FUNCTION_OVERRIDE_DYNAMIC_RELOCATION)z I,OriginalRvaz I,BDDOffsetz I,RvaSizeI,BaseRelocSize)IMAGE_BDD_INFO) I,Versionz I,BDDSize)IMAGE_BDD_DYNAMIC_RELOCATION)zH,LeftzH,RightzI,Value)IMAGE_TLS_DIRECTORY)zI,StartAddressOfRawDatazI,EndAddressOfRawDatazI,AddressOfIndexzI,AddressOfCallBacksI,SizeOfZeroFillr)r)zQ,StartAddressOfRawDatazQ,EndAddressOfRawDatazQ,AddressOfIndexzQ,AddressOfCallBacksrr)IMAGE_LOAD_CONFIG_DIRECTORY)4rrrrI,GlobalFlagsClearI,GlobalFlagsSetI,CriticalSectionDefaultTimeoutzI,DeCommitFreeBlockThresholdzI,DeCommitTotalFreeThresholdzI,LockPrefixTablezI,MaximumAllocationSizezI,VirtualMemoryThresholdI,ProcessHeapFlagszI,ProcessAffinityMask H,CSDVersionH,DependentLoadFlagsz I,EditListzI,SecurityCookiezI,SEHandlerTablezI,SEHandlerCountzI,GuardCFCheckFunctionPointerz I,GuardCFDispatchFunctionPointerzI,GuardCFFunctionTablezI,GuardCFFunctionCount I,GuardFlagsH,CodeIntegrityFlagsH,CodeIntegrityCatalogI,CodeIntegrityCatalogOffsetI,CodeIntegrityReservedz I,GuardAddressTakenIatEntryTablez I,GuardAddressTakenIatEntryCountzI,GuardLongJumpTargetTablezI,GuardLongJumpTargetCountzI,DynamicValueRelocTablezI,CHPEMetadataPointerzI,GuardRFFailureRoutinez&I,GuardRFFailureRoutineFunctionPointerI,DynamicValueRelocTableOffsetH,DynamicValueRelocTableSection H,Reserved2z*I,GuardRFVerifyStackPointerFunctionPointerI,HotPatchTableOffset I,Reserved3zI,EnclaveConfigurationPointerzI,VolatileMetadataPointerzI,GuardEHContinuationTablezI,GuardEHContinuationCountzI,GuardXFGCheckFunctionPointerz!I,GuardXFGDispatchFunctionPointerz&I,GuardXFGTableDispatchFunctionPointerz"I,CastGuardOsDeterminedFailureModezI,GuardMemcpyFunctionPointer)r)4rrrrr r!r"zQ,DeCommitFreeBlockThresholdzQ,DeCommitTotalFreeThresholdzQ,LockPrefixTablezQ,MaximumAllocationSizezQ,VirtualMemoryThresholdzQ,ProcessAffinityMaskr#r$r%z Q,EditListzQ,SecurityCookiezQ,SEHandlerTablezQ,SEHandlerCountzQ,GuardCFCheckFunctionPointerz Q,GuardCFDispatchFunctionPointerzQ,GuardCFFunctionTablezQ,GuardCFFunctionCountr&r'r(r)r*z Q,GuardAddressTakenIatEntryTablez Q,GuardAddressTakenIatEntryCountzQ,GuardLongJumpTargetTablezQ,GuardLongJumpTargetCountzQ,DynamicValueRelocTablezQ,CHPEMetadataPointerzQ,GuardRFFailureRoutinez&Q,GuardRFFailureRoutineFunctionPointerr+r,r-z*Q,GuardRFVerifyStackPointerFunctionPointerr.r/zQ,EnclaveConfigurationPointerzQ,VolatileMetadataPointerzQ,GuardEHContinuationTablezQ,GuardEHContinuationCountzQ,GuardXFGCheckFunctionPointerz!Q,GuardXFGDispatchFunctionPointerz&Q,GuardXFGTableDispatchFunctionPointerz"Q,CastGuardOsDeterminedFailureModezQ,GuardMemcpyFunctionPointer)IMAGE_DYNAMIC_RELOCATION_TABLE)rr)IMAGE_DYNAMIC_RELOCATION)I,Symbolr)IMAGE_DYNAMIC_RELOCATION64)Q,Symbolr)IMAGE_DYNAMIC_RELOCATION_V2) I,HeaderSizeI,FixupInfoSizer2 I,SymbolGroupI,Flags)IMAGE_DYNAMIC_RELOCATION64_V2)r6r7r4r8r9)IMAGE_BOUND_IMPORT_DESCRIPTOR)rH,OffsetModuleNamezH,NumberOfModuleForwarderRefs)IMAGE_BOUND_FORWARDER_REF)rr<z H,Reserved)RUNTIME_FUNCTION)zI,BeginAddressz I,EndAddressz I,UnwindDataNxc||_||_d|_g|_g|_d|_| | t dg|_d|_d|_ d|_ d|_ d|_ d|_ tjtj tj"d|_||n t'd} |j)|||y#|j+xYw)NzMust supply either name or dataFr)r>r@rB fast_load)max_symbol_exportsmax_repeated_symbol_get_section_by_rva_last_usedsections _PE__warningsrr__structures___PE__from_fileFileAlignment_WarningSectionAlignment_Warning!_PE__total_resource_entries_count_PE__total_resource_bytes_PE__total_import_symbolsr;__IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION_format__:__IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION_format__6__IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION_format__#dynamic_relocation_format_by_symbolglobals __parse__close)rnrr*rArBrCs rrkz PE.__init__M s#5#6 -1*  ? ? !&+"(-%/0+'(#&'#MMLLHH4 0 "+!6IGIk     & ""9-  OO " "IPP1I{C    = A?/A::A?ct||} |j||j j ||S#t$r9}|jj dj |d||Yd}~yd}~wwxYwra)rrrrFrrrGrbs r__unpack_data_with_bitfields__z!PE.__unpack_data_with_bitfields__ s +6{K     & ""9-  OO " "IPP1I{C    rfc .|tj|}|jdk(r tdd} t |d}|j |_t tdr5tj|j dtj|_ n5tj|j dtj|_ d|_ |!|jn|||_ d |_ t!|j|_d |_|st't)|jj+D]\}} |dk(r| t!|jz d kDs"|dk7s,| t!|jz d kDsH|j,j/dj|d| zt!|jz |jdd} t!| dk7r td|j1|j2| d|_|j4j6t8k(r td|j4r|j4j6t:k7r td|j4j<t!|jkDr td|j4j<} |j1|j>|j| | dz| |_ |j@r|j@jBs tdd|j@jBztDk(r tdd|j@jBztFk(r tdd|j@jBztHk(r tdd|j@jBztJk(r td|j@jBtLk7r td|j1|jN|j| dz| dzdz| dz|_(tStTd } |jPs td!tW|jP|jPjX| | dz|jPj[z} | |jPj\z}|j1|j^|j| | d"z| |_0d#}|j`[t!|j| | d$z|k\r=d%}|j| | d$zd&|zz}|j1|j^|| |_0|j`|j`jbtdk(r td|_3n|j`jbthk(rth|_3|j1|jj|j| | d$z| |_0d'}|j`[t!|j| | d$z|k\r=d%}|j| | d$zd&|zz}|j1|jj|| |_0|jPs td!|j` td(|jf>|j,j/d)j|j`jbtStld*}tW|j`|j`jn|g|j`_8| |j`j[z}|jP|j@_(|j`|j@_0|j`jr|j`jtkr|j,j/d+|j`jvd,kDr2|j,j/d-|j`jvzd"}tyt{d.|j`jvzD]}t!|j|z dk(rnt!|j|z dkr|j|dd/z}n|j|||z}|j1|j|||}|nn t~||_@||j[z }|j`jpj/||| |j`j[zd%zk\sn|j|}|jDcgc],}|jdkDr|j|j.}}t!|dkDr t|}nd}|r||kr|jd||_Hn|jd||_H|j|j`jr p|j|j`jr}|t!|jkDre|j,j/d0|j`jrzn2|j,j/d1|j`jrz|s|jyy#t$r:}dj|}|xrd |z}td j||d}~wwxYw#||jwwxYw#ttf$rYwxYwcc}w)2zParse a Portable Executable file. Loads a PE file, parsing all its structures and making them available through the instance's attributes. NrzThe file is emptyrb MAP_PRIVATE)accessTrz: %szUnable to access file '{0}'{1}Fg?g333333?zeByte 0x{0:02x} makes up {1:.4f}% of the file's contents. This may indicate truncation / malformation.gY@r^z9Unable to read the DOS Header, possibly a truncated file.rz)Probably a ZM Executable (not a PE file).zDOS Header magic not found.z.Invalid e_lfanew value, probably not a PE filerHzNT Headers not found.rz0Invalid NT Headers signature. Probably a NE filez0Invalid NT Headers signature. Probably a LE filez0Invalid NT Headers signature. Probably a LX filez0Invalid NT Headers signature. Probably a TE filezInvalid NT Headers signature.r@r0 IMAGE_FILE_zFile Header missingrbrFr.r`rrz5No Optional Header found, invalid PE32 or PE32+ file.z*Invalid type 0x{0:04x} in Optional Header.IMAGE_DLLCHARACTERISTICS_zXSizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.r1zsSuspicious NumberOfRvaAndSizes in the Optional Header. Normal values are never larger than 0x10, the value is: 0x%xsz[Possibly corrupt file. AddressOfEntryPoint lies outside the file. AddressOfEntryPoint: 0x%xzTAddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x%x)Losstatst_sizeropenfilenorKr[rkrC ACCESS_READrHIOErrorr ExceptionrTrG$_PE__resource_size_limit_upperbounds _PE__resource_size_limit_reachedrr rrFrre__IMAGE_DOS_HEADER_format__ DOS_HEADERe_magicIMAGE_DOSZM_SIGNATUREIMAGE_DOS_SIGNATUREe_lfanew__IMAGE_NT_HEADERS_format__ NT_HEADERSrIMAGE_NE_SIGNATUREIMAGE_LE_SIGNATUREIMAGE_LX_SIGNATUREIMAGE_TE_SIGNATUREIMAGE_NT_SIGNATURE__IMAGE_FILE_HEADER_format__ FILE_HEADERr\IMAGE_CHARACTERISTICSrcrHrSizeOfOptionalHeader __IMAGE_OPTIONAL_HEADER_format__r:Magicrrr"__IMAGE_OPTIONAL_HEADER64_format__DLL_CHARACTERISTICSDllCharacteristicsDATA_DIRECTORYAddressOfEntryPoint SizeOfHeadersNumberOfRvaAndSizesrr"__IMAGE_DATA_DIRECTORY_format__DIRECTORY_ENTRYrKeyErrorAttributeErrorparse_sectionsrEr0r9rlheaderget_section_by_rvarR full_load)rnfnamer*rArqfdexcp exception_msgbyte byte_countdos_header_datant_headers_offset image_flagsoptional_header_offsetsections_offset&MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZEpadding_length padded_datadll_characteristics_flagsr)MAX_ASSUMED_VALID_NUMBER_OF_RVA_AND_SIZESrN dir_entryrrawDataPointerslowest_section_offset ep_offsets rrSz PE.__parse__ s   775>D||q #$788B %& iik 4/$(IIdkk1d>N>N$ODM%)IIdkk1TEUEU$VDM#' >HHJ   DM$D 25T]]1C.-2*$+Idmm,D$E$K$K$M  j AI*s4==/A"AC"GAI*s4==/A"AD"HOO**L &uz'9C > ?? # #c$--&8 8 PQ Q OO44..  , , MM+.?!.C D)/ doo&?&? 78 8 T__.. .3E E RS S T__.. .3E E RS S T__.. .3E E RS S T__.. .3E E RS S ?? $ $(: : ?@ @//  - - MM+a/2Ca2G"2L M)A-0  %%:MJ  56 6 $""D$4$4$D$DkR!2Q!69I9I9P9P9R!R143C3C3X3XX#33  1 1 MM03IC3O P. 4  24.  ( 47MPU7UV66!N--&)?%)G')K$(#7#7552$8$D     +##))-EE7 %%++/LL< '+';';;;MM.1G%1O!7 (<($:@6((0 25Ke5S > >&)N"&--.1G%1O#/#1K,0+?+???#$:,@,D(  56 6    ' WX X <<  OO " "<CC((..  %3 !<% !    3 3 % /1+'$*>*>*E*E*GG&*&6&6#*.*>*>'  4 4""00 1 OO " ".     3 3d : OO " "O&&::;  5:1s:(<(<(P(PPQR) A4==!F*a/4==!F*Q.}}VW- 9}}V&OO,,44d-I  !0!3  i&&( (F  / / 6 6y A&)=)=)D)D)FFOS) V$$_5]] !!A%  ( ();); <   ! #$'$8 !$( !$(=(F--0DK--(>)>?DK  # #D$8$8$L$L M  00$$88I3t}}--&&7**>>? OO " ",.2.B.B.V.VW   NN M   % T 2 - J6M3I 4;;E=Q >HHJ"tn-  : s<B"j6k;1l k &5kk  k##k8;llc bd}d}|jjdd|jj}|dk(ry |jd|dz}|ddt |dzz}t t jd jt |dz|}||vry t jd ||j|d z}d |i}|d|jd}||d <d} t} t|D]4\} } | j| | | || t |zz 6t| |d<t j#|d} |d| z |k7s|d | k7s|d| k7s|d| k7r|j$jd| |d<g}||d<|dd}t't |dzD]U}|d|z|k(r,|d|zd z| k7r|j$jd|S||d|z| z |d|zd z| z gz }W|S#t$rYywxYw)a#Parses the rich header see https://www.ntcore.com/files/richsign.htm for more information Structure: 00 DanS ^ checksum, checksum, checksum, checksum 10 Symbol RVA ^ checksum, Symbol size ^ checksum... ... XX Rich, checksum, 0, 0,... iDanSiRichsRichr`NrHr@z<{0}Iz&PE.parse_rich_header..P sz!S'9Qqr clear_datalittlerr<r>z:Rich Header is not in Microsoft format, possibly malformedchecksumrizRich Header is malformed)rCfindr:rrGlistrHrIrrr indexr rrrWr" from_bytesrFr)rnDANSRICH rich_index rich_datar*rresultrord_rrr#r headervaluesrNs rparse_rich_headerzPE.parse_rich_header$ s]]'' T4//??A     dZ!^I gnnS^q5H&I9UVD4 kk$TZZ%5%9 :;6y~~g67%z@[ !(+ EHC   d3i$s3S>/B*CC D E$Z0|>>#x0 Gh $ &Aw("Aw("Aw(" OO " "L &z 'xABxs4yA~& QAAE{d"A ?h.OO**+EF   T!a%[83T!a%!)_x5OP PL Q c  sA$H"" H.-H.c|jS)zReturn the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method returns the full list. )rFrss rrzPE.get_warningsy src>|jD]}td|y)zPrint the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method prints the full list to standard output. >N)rFprint)rnwarnings r show_warningszPE.show_warnings s! G #w  rc|jGdd}|j}|r||_|jdd|j_|jdd|j_|jdd|j_|jdd|j_|jdd|j_yd|_y) zProcess the data directories. This method will load the data directories which might not have been loaded if the "fast_load" option was used. It also parses the rich header, which may or may not present. c eZdZy) PE.full_load..RichHeaderN)rurvrwrerr RichHeaderr s rrrNrirrr) parse_data_directoriesr RICH_HEADERr>rrirrr)rnr rich_headers rrz PE.full_load s ##%  ,,. )|D (3 D(ID   %&1ooh&ED   ##.??5$#?D   (3 D(ID   %*5//,*MD   '#D rc rt|j}|jD]<}t|j}|j }||||t |z>t |drt |dr|jD]}|D]}t |ds|jD]}t|jjD]\} }|j| } |j| } t || dkDr>|jdjd} | d| ddz|| d| d| ddzzs|jdjd} | || d| dt | z|}|s|St!|d 5}|j#|dddy#1swYyxYw) aWrite the PE file. This function will process all headers and components of the PE file and include all changes made (by just assigning to attributes in the PE objects) and write the changes back to a file whose name is provided as an argument. The filename is optional, if not provided the data will be returned as a 'str' object. rFileInfor r4rrFNr<zwb+)r rCrGr rrGrKrr rentriesrentries_offsetsentries_lengthsrJencoderswrite)rnfilename file_datarc struct_datarfinforDst_entryroffsetslengthsrM encoded_data new_file_datars rrzPE.write sdmm, ,, HI#I$6$6$89K..0F,1LL,A,H,H,T-..> Q,?)2,3AJgajSTn9T)*8=||G7L7S7S,68* -9)2,3AJc,FW9W)*#!99992"  (E " #a GGM " # # #s F--F6c g|_d}t|jjD]}|tk\rF|j j dj|jjtnd}t|j|}|snl||j|zz}|j||j|||jz}t||jk(r"|j j d|dn|s"|j j d|dn|j||jj ||j |j"zt%|jkDr$|dz }|j j d |d |j'|j"t%|jkDr$|dz }|j j d |d |j(d kDr$|dz }|j j d |d|j+|j,|j.j0|j.j2d kDr$|dz }|j j d |d|j.j2dk7rJ|j"|j.j2zdk7r$|dz }|j j d |d||k\r|j j dnt5t6d}t9||j:||j<j?ddrj|j<j?ddrN|j@jCddk(r|jErn|j j d|d|jj ||jjGdtI|jD]I\} }| t%|jdz k(rd|_%)|j| dzj,|_%K|jjdkDrC|jr7||jdj|jjzzS|S)aFetch the PE file sections. The sections will be readily available in the "sections" attribute. Its attributes will contain all the section information plus "data" a buffer containing the section's data. The "Characteristics" member will be processed and attributes representing the section characteristics (with the 'IMAGE_SCN_' string trimmed from the constant's names) will be added to the section instance. Refer to the SectionStructure class for additional info. r>zToo many sections {0} (>={1})r)r}zInvalid section z. Contents are null-bytes.z8. No data in the file (is this corkami's virtsectblXP?).r4zError parsing section z$. SizeOfRawData is larger than file.z5. PointerToRawData points beyond the end of the file.rz'Suspicious value found parsing section z*. VirtualSize is extremely large > 256MiB.z&. VirtualAddress is beyond 0x10000000.z. PointerToRawData should normally be a multiple of FileAlignment, this might imply the file is trying to confuse tools which parse this incorrectly.z,Too many warnings parsing section. Aborting.rIrFrrsPAGEz!Suspicious flags set for section zf. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set. This might indicate a packed executable.c|jSr)r1)as rrz#PE.parse_sections..Xs )9)9r)rN)&rErrNumberOfSections MAX_SECTIONSrFrrr.__IMAGE_SECTION_HEADER_format__rrrCr+rrGr2r0rGr9r3r?r1r:r;r@r\rJrcrHr^r>Namer! is_driversortrrV) rnrMAX_SIMULTANEOUS_ERRORSrNsimultaneous_errorssectionsection_offset section_datarLrs rrzPE.parse_sections s "#t''889g *AL &&3::((99< "# &t'K'KPTUG#gnn&6&::N  # #N 3=='..2B!BLL)W^^-==&&)9!F<<&&w/7:t~~?OOO**;A3?CC MM  )Og *X 9:%dmm4 !LCc$--(1,,7;47;}}!G8 .4  !    , ,q 0T]]q)002T5E5E5V5VVV Mrc d|jfd|jfd|jfd|jfd|jfd|j fd|j fd|jfd |jfd |jff }|t|ttfs|g}|D]} t|d }|jj|}|||vrd }|j"r|r+|d dk(r#|d |j"|j$d}nN|r+|d dk(r#|d |j"|j$d}n! |d |j"|j$}|rt-||d dd ||t|ts|d |vs|j/|y #t $rYy wxYw#t&$r.} |j(j+d|d d| Yd } ~ d } ~ wwxYw)aSParse and process the PE file's data directories. If the optional argument 'directories' is given, only the directories at the specified indexes will be parsed. Such functionality allows parsing of areas of interest without the burden of having to parse all others. The directories can then be specified as: For export / import only: directories = [ 0, 1 ] or (more verbosely): directories = [ DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'], DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT'] ] If 'directories' is a list, the ones that are processed will be removed, leaving only the ones that are not present in the image. If `forwarded_exports_only` is True, the IMAGE_DIRECTORY_ENTRY_EXPORT attribute will only contain exports that are forwarded to another DLL. If `import_dllnames_only` is True, symbols will not be parsed from the import table and the entries in the IMAGE_DIRECTORY_ENTRY_IMPORT attribute will not have a `symbols` attribute. r:r9r;rCrArIrKrQrMr=Nrr4T)forwarded_only) dllnames_onlyzFailed to process directory "z": rD)parse_import_directoryparse_export_directoryparse_resources_directoryparse_debug_directoryparse_relocations_directoryparse_directory_tlsparse_directory_load_configparse_delay_import_directoryparse_directory_bound_importsparse_exceptions_directoryrUrrrr:r IndexErrorr1rrrFrrremove) rn directoriesforwarded_exports_onlyimport_dllnames_onlydirectory_parsingrDdirectory_indexrrbrs rrzPE.parse_data_directorieshs+@,T-H-H I +T-H-H I -t/M/M N *D,F,F G .0P0P Q ($*B*B C 0$2R2R S 143T3T U 143U3U V .0O0O P    "kE4=9*m &- 4E "1%("; 00??P "o&D++.!!H(FF (a%44%NN+/! -!!H(FF (a%44innTX! $,E!HY-E-Ey~~$VE eAhqrlE:({D11X,""?3[- 4  : - OO22"?azTF Ss*&%F: F/ F,+F,/ G&8$G!!G&c^|jjtdk7r!|jjtdk7ryt|j}|j }i}g}i}t ||zD]}|j|j|j|||j|}|nmd} |jdzdk(r#|j|vr||j} n4t|j|j} | ||j<| j|j|j| j } | dk7r|jj| n| j|j|j| j } | dk7r|jj| nP|jj| t!|| } |j| | ||j"<||z }|D]}|j$t'|j$ds'|j$j(|vr9|jjd |j*j-d d x |j$j/||j$j(|S#t0$rD} |jjd |j*j-d d | Yd} ~ d} ~ wwxYw)zParses exception directory All the code related to handling exception directories is documented in https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details rrNrr4r)rH unwindinfor z FunctionEntry of UNWIND_INFO at rz' points to an entry that does not existz/Failed parsing FunctionEntry of UNWIND_INFO at z: )rMachine MACHINE_TYPEr__RUNTIME_FUNCTION_format__rrrerrR UnwindDatarr2rFrrGr  BeginAddressrrKr rHrrEr) rnrrWrfrf_sizerva2rtrt_funcs rva2infosruiwsrDrs rrzPE.parse_exceptions_directorys    $ $ 5O(P P  ((L9R,SS t77 8))+ tw'( A%%00 c7+ 44S9&B zB #) MMY."2==1B#0H0H0WXB/1Ibmm,((r}}biik)RS:OO**2.((r}}biik)RS:OO**2.##**2.*"DE OOE "&+F2?? # 7NCQ( V B}}$ 2==/:}}**&8&&6ryy7P7P7RST6U=>  882==667! 4! &&Eyy00215Rv?  s)2K L,(:L''L,c t|j}|j}|}g} |j|j|j|||z|}||j j dy|jr |S||jz }|j|}|j|}|zt|j|z } |jD cgc]} | j|kDr | j} } | rWt| } |j| }|9|j|z } n)|jt|jz|z } |s+|j j dj|yg} t!t|j"t%| dz D]}|j|j&|j|||z|}|s t)d||jz }||j*z}|j-d|j||t.z}|rFt1|Dcgc] }t3|t4j6vs|"}}t|dkDs|rn| j t9|| ||j*z}|j-d|j||t.z}|rGt1|Dcgc] }t3|t4j6vs|"}}t|dkDs|r |S|s |S|j t;||| !cc} wcc}wcc}w) rrNz7The Bound Imports directory exists but can't be parsed.zHRVA of IMAGE_BOUND_IMPORT_DESCRIPTOR points to an invalid address: {0:x}rHz(IMAGE_BOUND_FORWARDER_REF cannot be readrrb)rHr)rHrr)r(__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__rrerCrFrrget_section_by_offsetrRrGrEr0rlrrrNumberOfModuleForwarderRefsr"$__IMAGE_BOUND_FORWARDER_REF_format__rOffsetModuleNameget_string_from_dataMAX_STRING_LENGTHr r"rrr r)rnrrW bnd_descrbnd_descr_sizerD bound_importsrrsafety_boundaryrsections_after_offsetfirst_section_after_offsetforwarder_refsr bnd_frwd_refrname_strr invalid_charss rrz PE.parse_directory_bound_imports!sdKKL "))+ ,,== cC.$89-I  &&M##%vs 9##% %C005G2237K"%dmm"4{"B"]])))K7&&)%) )255J1K."889STG**1*B*B[*P,,s73C3C3E/FFT &&7fSk  NI993QR?R;ST"  $33==MM#n(<= # 4  $'(RSS|**,,!>!>>44t}}Vf7H.HI#,X#6%#a&HXHX:X%M%8}s*m%%&lJA" HY777F004==&3D*DEH(2!c!fFDTDT6TA! !x=3&-  #$8^ O4)j% !s'"M  M4M. MMc j|j}|jtk(r |j} |j ||j |t |j|j|}|syt|S#t$r#|jjd|zd}Y:wxYw)rrz5Invalid TLS information. Can't read data at RVA: 0x%xNrH) __IMAGE_TLS_DIRECTORY_format__rr __IMAGE_TLS_DIRECTORY64_format__rerrrrRrrFrr)rnrrWr tls_structs rrzPE.parse_directory_tlss 44 <<8 8::F -- c9V#4#;#;#=> 44S9.Jj))  OO " "JSP J  sA B)B21B2c |jtk(r|j|}|j}nM|jtk(r|j|}|j }n|j jdyd}d}|dD],}|dz }|t|jddz }||k(s,n|d|dd|f}d} |j||j|t|j|j|}|syd} |dkDr&|j!|j"|j$} t'|| S#t$r!|j jd|zYfwxYw) rzGDon't know how to parse LOAD_CONFIG information for non-PE32/PE32+ fileNrr4rrz=Invalid LOAD_CONFIG information. Can't read data at RVA: 0x%xrD)rHdynamic_relocations)rrget_dword_at_rva&__IMAGE_LOAD_CONFIG_DIRECTORY_format__r(__IMAGE_LOAD_CONFIG_DIRECTORY64_format__rFrrrrerrrrRrparse_dynamic_relocationsDynamicValueRelocTableOffsetDynamicValueRelocTableSectionr ) rnrrWload_config_dir_szrfields_counter cumulative_szfieldload_config_structr*s rrzPE.parse_directory_load_configs <<3 3!%!6!6s!; @@F \\: :!%!6!6s!; BBF OO " "  AY E a N 0S1A!1DE EM 22   )VAY78! !%!5!5 c9V#4#;#;#=> 44S9"6" "" B "&"@"@"??"@@#  %;N    OO " "RUXX  sA E'E87E8cj|sy|sy|t|jkDry|j|dz }|j|z}d}t|jj } |j |j|j|||j|}|jdk7r)|jjd|jzy||z }||jz}g}||kr^|j} |jt k(r |j"} t| j } |j | |j|| |j|} | s |S|| z }| j$} | j&} d| cxkrdkrAnn>|j)|| |j*| }|jt-| | |nl| d k(r3|j/|\}}|jt1| | || n4| dkDr/|j)|| }|jt-| | ||| z }||kr^|S#t$r!|jjd|zYywxYw#t$r$|jjd|zd} YAwxYw) Nr4rzPInvalid IMAGE_DYNAMIC_RELOCATION_TABLE information. Can't read data at RVA: 0x%xzDNo parsing available for IMAGE_DYNAMIC_RELOCATION_TABLE.Version = %drB)rHsymbol relocationsrF)rHr8 bdd_relocs func_relocs)rGrEr1r)__IMAGE_DYNAMIC_RELOCATION_TABLE_format__rrerrRrrFrr$r#__IMAGE_DYNAMIC_RELOCATION_format__rr%__IMAGE_DYNAMIC_RELOCATION64_format__Symbol BaseRelocSize parse_image_base_relocation_listrQrparse_function_override_datar)rn dynamic_value_reloc_table_offset!dynamic_value_reloc_table_sectionrr image_dynamic_reloc_table_structreloc_table_sizerFr*rrlc_size dynamic_rlcr8rWr9r;r:s rr.zPE.parse_dynamic_relocationss00 ,s4==/A A-- AA EF$$'GG+/($  : : &(  /3/C/C>> c#34 44S90D0 , , 3 3q 8 OO " "V2::;  4999 Ci==F||<<CC (//1H #"22MM#x0 $ 8 8 =3 J#"G 8OC ''F,,DFa"CCtGGO $**)*6{ 1*.*K*KC*P' Z#**(*%#-$/ !"CCCN #**)*6{ 4KCsCiv#"[  OO " "$&)*   @! #&&(*-.#  #s$'=I=3J'JJ)J21J2c g}g}|j}|j||j|t|j |j |}|s"|j jd|z||fS|t|j z }||jz}||krK|j}|j||j|t|j |j |}|s"|j jd|z||fS|t|j z }g}t|jdzD]?} |jtjd|j|dd|dz }A|j||j} ||jz }|jt!||j"|| ||krK|j$}|j||j|t|j |j |} | s"|j jd|z||fS|t|j z }t| j&dzD]} |j(}|j||j|t|j |j |} | s$|j jd |z||fcS|t|j z }|jt+| ||fS) rz>Invalid function override header. Can't read data at RVA: 0x%xz((-I &&(*-.#J.. 9V$++- -CM9,,12 $$V]]4sA9N%OPQ%RSq ??Y,,K 9** *C   5$&22"/ +  3HnD//''  MM#y0779 :  $ $S )   OO " "CcI  * * y ''))x''1,- JAAAF,, c9V#4#;#;#=>((-I &&(*-.#J.. 9V$++- -C   6iH I J"J&&rc&|j||S)r)rA)rnrrWs rrzPE.parse_relocations_directorys44S$??rct|jj}||z}g}||kr~ |j|j|j |||j |}|s |S|j|jjkDr+|jjd|jz |S|j|jjkDr+|jjd|jz |S|.|j||z|j|j|z }n.|j||z|j|j|z |}|jt|||js |S||jz }||kr~|S#t $r$|jjd|zd}YnwxYw)Nrr7zEInvalid relocation information. VirtualAddress outside of Image: 0x%xz9Invalid relocation information. SizeOfBlock too large: %drHr)r __IMAGE_BASE_RELOCATION_format__rrerrRrrFrr1r: SizeOfImage SizeOfBlockparse_relocationsparse_relocations_with_formatr) rnrrWr{rGrFr9rlc reloc_entriess rrAz#PE.parse_image_base_relocation_listsTBBCJJLDj Ci **99MM#x0 $ 8 8 =+D?!!D$8$8$D$DD&&&(+(:(:;4-!5!5!A!AA&& __-"{ $ 6 6(NC$6$6(8R! !% B B(NC$6$6(8RTW!    1mT U?? 3?? "CeCihU! &&(*-.  s=F11)GGc j |j||}|j|}g}t }t t|dzD]}|j|j||dz|dzdz|} | s|S| j} | dz } | dz} | | f|vr$|jj d| |zz|S|j| | f|j t| | || |z || jz }|S#t$r$|jj d|dgcYSwxYw) rBad RVA in relocation data: 0xrr<r4rrPr3Overlapping offsets in relocation data at RVA: 0x%x)rHrrr)rrRrrFrrrrGre&__IMAGE_BASE_RELOCATION_ENTRY_format__rrqrr) rndata_rvarrWr*rroffsets_and_typerrDr reloc_type reloc_offsets rr_zPE.parse_relocationssw ==40D228 )K7 *:G  OO " "%CHQ<#P QI s#D*D21D2c N |j||}|j|}t |j }g}t} tt||zD]} |j||| |z| dz|z|} | s|S| j} | | vr$|jj d| |zz|S| j| |j t| || |z||z }|S#t$r$|jj d|dgcYSwxYw)rrdrr4rre)rHrr)rrRrrFrrrrrrGrhPageRelativeOffsetrqr) rnrgrrWrr*r entry_sizerrrrDrjs rr`z PE.parse_relocations_with_formats\ ==40D228?'8E  !33Lw&&&#&2S&8: KK % NNec|c?QR  : %K- &0?  OO " "%CHQ<#P QI s#C77*D$#D$c t|jj}g}tt ||z D]} |j |||zz|}|j|j||j|||zz}|syd}|jdk(rn|jdk(r|j} |j} |j| | | z} | dddk(r dgd g} | t| jz } | d kDr#| djd j| |j| | | }|Zt!j"d d |j$zd |_t)t+j,|j.|j0|j2|j4|j6|j&fj9ddj;|j<dz|_n| dddk(rdgdg}| t|jz } | d kDr#|djd j| |j|| | }n2|jdk(r|j} |j} |j| | | z} dgdg}|j|| | }|r|j@dvr| t|jz }|d kDr#|djdj||j|| | }nx|jdk(ri|j} |j} |j| | | z} ddgg}|j|| | }tCtDd}tG||jH||jtK|||S#t $r"|jjd|zYywxYw)rz7Invalid debug information. Can't read data at RVA: 0x%xNrr4r<r@sRSDS CV_INFO_PDB70)z4s,CvSignaturezI,Signature_Data1zH,Signature_Data2zH,Signature_Data3zB,Signature_Data4zB,Signature_Data5z6s,Signature_Data6I,Agerz{0}s,PdbFileNamez>Q)fields-XsNB10 CV_INFO_PDB20)zI,CvHeaderSignaturezI,CvHeaderOffsetrrpIMAGE_DEBUG_MISC)z I,DataTypezI,Lengthz B,Unicodez B,Reserved1r-rr4z {0}s,Datar!IMAGE_DEBUG_EX_DLLCHARACTERISTICSzI,ExDllCharacteristicsIMAGE_DLLCHARACTERISTICS_EX_)rHrD)&r __IMAGE_DEBUG_DIRECTORY_format__rrr"rrrFrrerRTyper0 SizeOfDatarCrrHrISignature_Data6Signature_Data6_valuerVuuidUUIDSignature_Data1Signature_Data2Signature_Data3Signature_Data4Signature_Data5replaceupperAgeSignature_StringUnicoder\EX_DLL_CHARACTERISTICSrcExDllCharacteristicsr)rnrrWdbg_sizedebugrr*dbgdbg_typedbg_type_offset dbg_type_size dbg_type_data__CV_INFO_PDB70_format__pdbFileName_size__CV_INFO_PDB20_format_____IMAGE_DEBUG_MISC_format__dbg_type_partial data_size-___IMAGE_DEBUG_EX_DLLCHARACTERISTICS_format__ex_dll_characteristics_flagss rrzPE.parse_debug_directory8slTBBCJJLTH_-. @C }}S8c>%98D&&55 44S8c>5IJ'C  Hxx1}Q"%"6"6 # $ #o &E! !!$/(  0,& 2J(K(R(R(TT%(!+03::.556FG $330- H +9? 'H,D,D"D::6 $ (0(@(@(0(@(@(0(@(@(0(@(@(0(@(@(0(F(F ,& !" %WS"-"UW!)a 02!1$#2A&'1(0,& 2J(K(R(R(TT% (!+03::.556FG $330- HQ"%"6"6 # $ #o &E! ' 0,$(#7#70-$ $'//69)'(DELLNO"%q=8;BB + 2 29 =$(#7#78-$R"%"6"6 # $ #o &E! 80A=  //A!# 0>*,J0,110 LL#X> ? @B }! &&PSVV  sO'O-,O-c R ||g}||}|tkDr%|jjd|tfzy |j|t |j j }|j|j ||j|}||jjd|zyg}||j z }|j|jz} d} | | kDr!|jjd| | fzy|xj| z c_ |jtkDr/|jjd|jtfzyg} d} t| D].} |jsT|j |j"kDr;d |_|jjd |j |j"fz|j%|}|#|jjd | |fznd}d}|j&d zd z }|s |j&}n||j(z} t+||}|xj |j-z c_| rA| d|kr9| d|k\r1| j/|jjd|zn|||j-zf} | j||j0r||j2z|vrn|j5||j2z|||z z ||dz|||j2zgz}|snhd}|t6dk(ri}|j8D]}t;|dsi}|j<j8D]}|8t;|dr,|j>j@jB |jD>|j>j@jF}|j>j@jB}|jD} |j||}tI|tK|dz dz||jM|||j<_'|jtQ||||n|jS||j2z}|rf|xj |jBz c_tU||j&dz|j&dz }|jtQ||||nn|dk(r|jVt6dk(rj|r|d } j<j8dj<j8}|D]/} d}! | j>j@}!|!|jY|!1 ||j z }1| D"cgc]}"|"j[}#}"|#j]t_| D]\} }"|"jatc||!}$|$S#t$r!|jjd|zYywxYw#t$r"|jjd|zYwxYw#t$r&|jjd|dd|Y wxYw#YxYw#YxYwcc}"w)"aParse the resources directory. Given the RVA of the resources directory, it will process all its entries. The root will have the corresponding member of its structure, IMAGE_RESOURCE_DIRECTORY plus 'entries', a list of all the entries in the directory. Those entries will have, correspondingly, all the structure's members (IMAGE_RESOURCE_DIRECTORY_ENTRY) and an additional one, "directory", pointing to the IMAGE_RESOURCE_DIRECTORY structure representing upper layers of the tree. This one will also have an 'entries' attribute, pointing to the 3rd, and last, level. Another directory with more entries. Those last entries will have a new attribute (both 'leaf' or 'data_entry' can be used to access it). This structure finally points to the resource data. All the members of this structure, IMAGE_RESOURCE_DATA_ENTRY, are available as its attributes. NzNError parsing the resources directory. Excessively nested table depth %d (>%s)zCInvalid resources directory. Can't read directory data at RVA: 0x%xrzDInvalid resources directory. Can't parse directory data at RVA: 0x%xr!zNError parsing the resources directory. The directory contains %d entries (>%s)zRError parsing the resources directory. The file contains at least %d entries (>%d)TzGResource size 0x%x exceeds file size 0x%x, overlapping resources found.zHError parsing the resources directory, Entry %d is invalid, RVA = 0x%x. r2rrr4z^Error parsing the resources directory, attempting to read entry name. Entry names overlap 0x%xznError parsing the resources directory, attempting to read entry name. Can't read unicode string at offset 0x%x)rleveldirsr directoryr*z2Error parsing resource of type RT_STRING at RVA 0xrz with size r1)rHridrirL)rHlangsublang)rHrrr*r%rr[)2MAX_RESOURCE_DEPTHrFrrr#__IMAGE_RESOURCE_DIRECTORY_format__rrrerRNumberOfNamedEntriesNumberOfIdEntriesrKMAX_RESOURCE_ENTRIESrryrLrxparse_resource_entryr NameOffsetr{rr6DataIsDirectoryOffsetToDirectoryr RESOURCE_TYPErrKrr*rHrr OffsetToDatarRr"updatestringsrparse_resource_data_entryrIdparse_version_informationrrrrr)%rnrrWrrrr* resource_dir dir_entriesnumber_of_entriesMAX_ALLOWED_ENTRIESstrings_to_postprocesslast_name_begin_endrres entry_nameentry_idname_is_string ustr_offsetentry_directoryr resource_idresource_strings resource_langstring_entry_rvastring_entry_sizestring_entry_idstring_entry_datarH entry_data last_entryversion_entries version_entryrt_version_structr string_rvasresource_directory_datas% rrzPE.parse_resources_directorysm, <5D  H % % OO " ":=BDV668LMN  !# #*+} C66//$2X2XX592&&'33>>++C0C{&&8;>*EJH!hh3:N!88&7  !B4!UJ//:3R3R3TT/++A.</2kA/224..7:EG $#j&E&E&GG+' +11*=""c333t;"&"@"@s444C(N+%!)C,A,A!A BB #A#'}[99 G'6'>'>'M "; /!6%CHHu,dvr |j@dk(r|j3| |jzdt#|dzzz|j}g|_! |j|jD||d||z}|sn|j|z|jz} |j!|}||_#i|_$i|_%i|_&|jBj ||j3||jzdt#|dzzz|j}|||jNzkr|j|jP||d||z}|sn_|j|z|jz} |j!|}|j|}|j3dt#|dzz|z|jz|j}|j|z} |j!||j@}|j|}|jNdk(r||jNz}n)|j3|jN|z|j}||jH|<||f|jJ|<t#|t#|f|jL|<|||jNzkr|j3|jN|z|j}||k(rn|}||jNk\rn |r|j=dr|}d|_)|j>dvr|j@dk(r|j3| |jzdt#|dzzz|j}g|_* |j|jV||d||z}|sn[|j|z|jz} |j!|}|n%|jTj ||j3dt#|dzz|z|jz|j}|} || |j@zkry|jY|||dzd}!|jY||dz|d!zd}"|d!z }t[|!t\rt[|"t\r|d"|!|"fzi|_/|| |j@zkry|j3||jNz|j}|||jNzkrn|j3|jN| z|j} |jNdk(s| |jNk\rn|j8j |y#t$r7|jj dj |jYywxYw#t$r"|jj d|zY|wxYw#t$r-|jj dj |YwxYw#t$r.|jj dj |YFwxYw#t$r.|jj dj |YwxYw#t$r#|jj d|dYwxYw#t$r.|jj d j |YwxYw)#aParse version information structure. The date will be made available in three attributes of the PE object. VS_VERSIONINFO will contain the first three fields of the main structure: 'Length', 'ValueLength', and 'Type' VS_FIXEDFILEINFO will hold the rest of the fields, accessible as sub-attributes: 'Signature', 'StrucVersion', 'FileVersionMS', 'FileVersionLS', 'ProductVersionMS', 'ProductVersionLS', 'FileFlagsMask', 'FileFlags', 'FileOS', 'FileType', 'FileSubtype', 'FileDateMS', 'FileDateLS' FileInfo is a list of all StringFileInfo and VarFileInfo structures. StringFileInfo structures will have a list as an attribute named 'StringTable' containing all the StringTable structures. Each of those structures contains a dictionary 'entries' with all the key / value version information string pairs. VarFileInfo structures will have a list as an attribute named 'Var' containing all Var structures. Each Var structure will have a dictionary as an attribute named 'entry' which will contain the name and value of the Var. zWError parsing the version information, attempting to read OffsetToData with RVA: 0x{:x}Nrasciiencodingr4zzError parsing the version information, attempting to read VS_VERSION_INFO string. Can't read unicode string at offset 0x%xz"Invalid VS_VERSION_INFO block: {0}sVS_VERSION_INFOr`z\uz({0} ... ({1} bytes, too long to display)z\00rrr<r rz/Error parsing StringFileInfo/VarFileInfo structz|Error parsing the version information, attempting to read StringFileInfo string. Can't read unicode string at offset 0x{0:x}sStringFileInforwrzyError parsing the version information, attempting to read StringTable string. Can't read unicode string at offset 0x{0:x}z}Error parsing the version information, attempting to read StringTable Key string. Can't read unicode string at offset 0x{0:x}rzzError parsing the version information, attempting to read StringTable Value string. Can't read unicode string at offset 0xrs VarFileInfo VarFileInfoz}Error parsing the version information, attempting to read VarFileInfo Var string. Can't read unicode string at offset 0x{0:x}r@z 0x%04x 0x%04x)0rRrrrFrrrCrre__VS_VERSIONINFO_format__rrr1rmr2r3rrGrJrfindrrrKrKey dword_align__VS_FIXEDFILEINFO_format__r r__StringFileInfo_format__rXr{ ValueLengthr __StringTable_format__LangIDrrrLength__String_format__rr__Var_format__get_word_from_datarUr"rD)#rnversion_struct start_offsetrversioninfo_structrr section_endversioninfo_stringexcerptvinfofixedfileinfo_offsetfixedfileinfo_structstringfileinfo_offsetrstringfileinfo_structstringfileinfo_stringstringtable_offsetstringtable_structstringtable_string entry_offset string_structr key_offset value_offsetrbnew_stringtable_offsetvarfileinfo_struct var_offset var_struct var_stringvarword_offsetorig_varword_offsetword1word2s# rrzPE.parse_version_informationis' 4 33N4O4OPL== ~?R?R0RS"11  * *H,2   % $114F4M4M4OO ))+6 !003%%w'?'?4K"  "%)%=%='&>&"&*%=%=+ ";!AG&>&"  % OO " "4;;>ufM  t-."$D #'  ""5)  %!# #//  % % '!s3E/F/J*K K  ' '  $33  , , )* +$';; 4  $ t/0$&D ! $$%9: !% 0 0 #7#>#>#@ @  ' '!  tZ(DM$($8$8.../0(+@@%9% ! %,&&E++'($++-.   (,(@(@(M%)> ! % LL. /%)>)I)I!**..&8-99Q>)-)9)9-/6689s#89A=>?'33 *&9;)5-1-A-A 77$%7%89(47I(I.B.* 2!+77010779:$ "151I1I+1V.5G*157*2=?*:=?*:-99@@AST'+'7'7.0779:3'9#:Q#>?@+77 ( )03E3L3LLM-1,@,@ $ 6 6 ( 7,8<,G-A-M $1 %!/ ; ;".!/"/"6"6"8!9( &&*&>&>{&K-1-E-Ek-R ,0+;+; !SX\ 2".!/"/"6"6"8!9!/ ; ; ,L+9*E*E *TK &(,(@(@$/M>sC !$C #E G.>>sCE)03E3L3LLMN261A1A.558JJ*772.25GG!-C*-1F1M1MM!}B'+@+K+K,&;"*7"''++v5*66!;!%!1!1-,3356s#89A=>?'33 "J.0&*%)%9%9 //$Z[1(4z(A&:& *!+77()(//12$ ")-)A)A+)NJ&-!*..55jA)-)9)9Z1!45()(//12+77 * /=++1J4J4JJK%)$;$; (.1:L Mq%E%)$;$; (!);nq>P QST%E+a/N)%5*UC:P$.5%.0P4" 0+1J4J4JJK &*%5%5&):)::N,E,EEor U#]   OO " "CCI6"//D   R  OO " "58CE  D! &&<;e,(f% "g<.hi;=d;:d;>'e)(e),3f"!f"%3gg3hh(ii3i?>i?c  jjj|tjj j |}|syfd} j|jt||j|jdz}j|jt||j|jdz}j|jt||j|jdz}g} d} j|j} t!j"} | r3| j$t!| jz|jz } t'j(t*} d}t-t|jt+| dz D]}j/||}|$|dzt!|krj1||}ny||dk(rF||k\r,|||zkr$j3|} j |}n|rzd}d}j1||}|| d z} | dkrd }n7j3|t4}t7|d sd }n j |}| ||fxxd z cc<| ||fdkDr%jjd |d |ddnt!| j8kDr6jjdj;j8nq| jt=|j>|zj |jd|zz|j |jd|zz|||| |s)jjd|jd| Dchc]}|j@}}d} j|j} t!j"} | r3| j$t!| jz|jz } t'j(t*} d}t-t|jt+| dz D]%}||j>z|vs j1||}|| d z} | dkrd }n|dk(r?|||k\r|||zkrj3|}nd}| |xxd z cc<| |jBkDr7jjdj;jB|nqt!| j8kDr+jjdj8dn.| jt=|j>|z|d|(|s*jjd|jdy| s|jErytG|| j3|jHS#t $r!jjd|zYywxYw#t $r!jjd|zYywxYw#t $rYwxYw#t $rI| d z} | dkrd }Y j |}n"#t $r| d z} | dkrd }YY0YY wxYwY8wxYwcc}w#t $rd}Y8wxYw)aParse the export directory. Given the RVA of the export directory, it will process all its entries. The exports will be made available as a list of ExportData instances in the 'IMAGE_DIRECTORY_ENTRY_EXPORT' PE attribute. rz+Error parsing export directory at RVA: 0x%xNcRtjj|z Sr)rGrCrR)rrns rlength_until_eofz3PE.parse_export_directory..length_until_eof3s"t}}%(@(@(EE Err@rLTrr4F)rz9Export directory contains more than 10 repeated entries (r5z#02xz). Assuming corrupt.zHExport directory contains more than {} symbol entries. Assuming corrupt.r<) r}rrrrrrrrzIRVA AddressOfNames in the export directory points to an invalid address: rz[Export directory contains more than {} repeated ordinal entries (0x{:x}). Assuming corrupt.z$Export directory contains more than z# ordinal entries. Assuming corrupt.)rrrrzMRVA AddressOfFunctions in the export directory points to an invalid address: )rHsymbolsr)%re!__IMAGE_EXPORT_DIRECTORY_format__rrrrRrrFrAddressOfNamesrl NumberOfNamesAddressOfNameOrdinalsAddressOfFunctionsNumberOfFunctionsrrGrCr1 collections defaultdictr"rrget_dword_from_dataget_string_at_rvaMAX_SYMBOL_NAME_LENGTHrrBrrBaserrCrrr)rnrrWr export_dirraddress_of_namesaddress_of_name_ordinalsaddress_of_functionsexports#max_failed_entries_before_giving_uprr symbol_counts&export_parsing_loop_completed_normallyrNsymbol_ordinalsymbol_address forwarder_strrsymbol_name_address symbol_namesymbol_name_offsetexpordinalsrs` rrzPE.parse_export_directorys --66 4#I#IJQQS!44S9 .J   F #}}))$Z%>%>?,,q0  (,}}00$Z%E%EF,,q0( $$(==--$Z%B%BC0014$ .0+))**C*CDdmm, &&g&&()*++,  $//4 15.s:33S19L5MNO] A!445MqQN)nq.@3$D/"&!9!9(." %1)< $#*)D $ 6 6~ F '+'?'?'O$" $ #' "&":":;KQ"O "*3q836!;=B:00#%;K*+PTU9>6 %)%=%=>Q%R"$ ;7 8A = 8k>:;b@&&#}B~d&;;OQ]#d&=&==&&((.t/F/F(G NN&OOn<#'#;#;"881q5@$+#'#;#;"55N8JJ$% 2+%5 [] ~6 OO " "&55a8:  ,33CCKK33.0+))**G*GHdmm, &&g&&()*//0  $//4 15.Z993QR?R;STU5 CZ__$H4*%)%=%=>RTW%XN")71<7:a?AF>!Q&#.&#-&t3$($:$:>$JM$(M n-2- 043K3KKOO**FFLf 44nG '$*A*AAOO**>2233VX *# 5 .!"/ ]5 n6 OO " "&99!<>  :002'' 8  a  OO " "=E    J  OO " "=E    Z%.! 3q836!;=B:)-)A)ABU)V&$71<7:a?AF> ' n4(%*%)N*sAX:*C Y'Z,Z$)[9[>:'Y$#Y$''ZZ Z! Z!$[6>[[6[/%[6*[6.[//[65[6> \  \ c$||zdzdz|dzz S)Nr>lre)rnrbases rrzPE.dword_aligns $"j0TJ5FGGrc|jj}|jj|jjz}||cxkr|kr n|S||z}|Sr)r: ImageBaser])rnvabegin_of_image end_of_images rnormalize_import_vazPE.normalize_import_va sZ--77++558L8L8X8XX  R ., .  . B rc>g}d} |j|t|jj}|j|}|j|j||}|r|jr |Sd}|jdk(r|jjtdk(r|j|j|_|j|j |_|j|j"|_|j|j$|_|j|j$|_|j|j(|_d}||jz }t+|j,|z } ||j"kDs||j kDr&t/||j"z ||j z } g} |j1|j"|j d| |} |d kDr-|j j d j3| |S| s|d z }B|j6t8kDr1|j j d |j6t8fz |S|j;|j(t<} t?| sd } | ri| D]G} | j@tCjD| jG| jH}|sA|| _ I|j tK|| | #t$r"|j j d|zY|SwxYw#t$r@} |j j dj3|| j4Yd} ~ d} ~ wwxYw)z*Walk and parse the delay import directory.rTz5Error parsing the Delay import directory at RVA: 0x%xrFrNzSError parsing the Delay import directory. Invalid import data at RVA: 0x{0:x} ({1})rBzWToo many errors parsing the Delay import directory. Invalid import data at RVA: 0x{0:x}r4z)Error, too many imported symbols %d (>%s) *invalid*rHimportsdll)&rr(__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__rrrFrrRrergrAttrsrrrr+ pBoundIATpIATpINT pUnloadIATphmodszNamerGrCrm parse_importsrrbrMMAX_IMPORT_SYMBOLSrMAX_DLL_LENGTHrr ordlookup ordLookuplowerrr)rnrrW import_descsrOr*r import_desccontains_addressesmax_len import_datarr0r8funcnames rrzPE.parse_delay_import_directory+s   }}dKKLSSU2237K..=='/K+"8"8":^]"' ##q($$,, =V0WW(,(@(@AVAV(W %#'#;#;KP>P%Q "%)" ;%%' 'C $--(;6G[%%%{/?/?)?cK$4$44cK>@ @ ( "$**556@@B B ( "$**556@@B B=>>rc g}gd}t|dsy|jD]p}t|jtr)|jj j }n|jj }|jdd}t|dkDr |d|vr|d}|jj }|jD]}d}|jsJtj||jd }|s2td |jd |jd |j}|sjt|tr|j }|j|j d|j st!d j#|j%j'S)a?Return the imphash of the PE file. Creates a hash based on imported symbol names and their specific order within the executable: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing Returns: the hexdigest of the MD5 hash of the exported symbols. )ocxsysr0DIRECTORY_ENTRY_IMPORTr.r4rNT) make_namezUnable to look up ordinal r04xr)rKrKrUr0rWrJr>rsplitrGr/rr<r=rrrrrrr_) rnimpstrsextsrDlibnamepartsentry_dll_lowerimprDs r get_imphashzPE.get_imphashs$t5600 NE%))U+))**,224))//+NN3*E5zA~%(d"2(#iioo/O}} Nxx(22' H$+8 1S[[QTDUV #xxHh.'0H'--/8>>;KLM% N N>388G$++-.88::rct|dsyt|jdsy|jjDcgc]8}|r4|j(|jj j :}}t |dk(rytdj|jjScc}w)zReturn the exphash of the PE file. Similar to imphash, but based on exported symbol names and their specific order. Returns: the hexdigest of the SHA256 hash of the exported symbols. DIRECTORY_ENTRY_EXPORTrrrr) rKrXrrrJr>rGrrrr_)rnr7 export_lists r get_exphashzPE.get_exphashst56t22I>0088 QVV' FFMMO ! ! #  { q 388K(//12<<>> s=CcPg}d}t|jj} |j||}|j|}|j|j||} | r| jrno|| jz }t|j|z } || jkDs|| jkDr&t|| jz || jz } g} |sb |j| j| j| j | } |d kDr |j j d |dn| s|d z },|j%| j&t(} t+| sd } | ri| D]G}|j,t/j0| j3|j4}|sA||_I|j t7| | | |sddh}d}d}|D]}|j8D]x}|D]l}|r |j,s|j,}t;|j,t<k(r|j,j?d}|jA|sg|d z }n|d z }z|t|k(r |dkr|j j d|S#t$r"|j j d|dYwxYw#t$r8} |j j d|dd| j"dYd } ~ d } ~ wwxYw)z$Walk and parse the import directory.rz-Error parsing the import directory at RVA: 0xrrrzBError parsing the import directory. Invalid Import data at RVA: 0xz ()NrBzLToo many errors parsing the import directory. Invalid import data at RVA: 0xr4r-r. LoadLibraryGetProcAddressrrz?Imported symbols contain entries typical of packed executables.)!r"__IMAGE_IMPORT_DESCRIPTOR_format__rrrrFrrRrerrGrCOriginalFirstThunk FirstThunkrmr9ForwarderChainrbrrr;rrr<r=r>rrr/rrWrJrX)rnrrWrr?rOimage_import_descriptor_sizer*rr@rBrCr7r0r8rDsuspicious_importssuspicious_imports_count total_symbolsimp_dllsuspicious_symbolrs rrzPE.parse_import_directorysf  '0  3 3( &( % }}S*FG2237K..77;/K +"8"8": ;%%' 'C $--(;6G[333s[=S=S7S+888# @V@V:VK  "&"4"4#66#..#22#* #5#K?OO**99JC(-")3F{{*#,#6#6syy{FNN#S#*2FK 3 ##"+{PSTIP"/1A!B '( $M' '%oo 'F-?")%V[[$%{{ ,5#);;#5#5g#>D??+<=494!""Q&M ' ')C0B,CC!B&&&Uw! &&CC7K  F%OO**99G#H"&K(-%.7.E.E .T+#}}-@!D#'#:#:4#C#'#9#9%33a79O$ 6h?'3H&*&>&>%33a7'  )88:  44\B d22<<%s)r4FTz9Error parsing the import table. Invalid data at RVA: 0x%xrz\Error parsing the import table. AddressOfData overlaps with THUNK_DATA for THUNK at RVA 0x%xror)rrr__IMAGE_THUNK_DATA_format__rr__IMAGE_THUNK_DATA64_format__rrrhrFrrMr:rtrrrGrerRr+rrrrrqr)rnrrrArwrr expected_sizeMAX_ADDRESS_SPREADADDR_4GBMAX_REPEATED_ADDRESSESrepeated_addressaddresses_of_data_set_64addresses_of_data_set_32 start_rvafailedr* thunk_data addr_of_datathe_sets rrozPE.get_import_tables] <<3 3-L55F \\: :/L77F .L55F!&)002 (!##-< #-<  %#Z1G*G&&OB **-??&&:224FGHt q  ' '1 , ' #99 (,,.1CC ',,.1CC F }}S-8Tm3&&RUXX--$*B*B3*G.J "+/+C+C,,, (.2-E-E... *'+&>&>z?R?R&S #%)%=%=j>P>P%Q ",, 9,,3&&(+.0 > ;j66)77 ,.$j069! $x/":":#w.(A-(KK -!6!6!8  :$$& &C LL $IL M!  sL LLc||j}|j||j}|jD]}|jdk(r|j dk(r#|j }|j |j}|j|j|jj|jj}|t|jkDs8|t|jkDs ||zt|jkDs||k\r|t|z } | dkDr |d| zz }n | dkr|d| }||jz }||_|S)aReturns the data corresponding to the memory layout of the PE file. The data includes the PE header and the sections loaded at offsets corresponding to their relative virtual addresses. (the VirtualAddress section header member). Any offset in this data corresponds to the absolute memory address ImageBase+offset. The optional argument 'max_virtual_address' provides with means of limiting which sections are processed. Any section with their VirtualAddress beyond this value will be skipped. Normally, sections with values beyond this range are just there to confuse tools. It's a common trick to see in packed executables. If the 'ImageBase' optional argument is supplied, the file's relocations will be applied to the image by calling the 'relocate_image()' method. Beware that the relocation information is applied permanently. Nrr)rCrelocate_imagerrEr3r2r9r0r?r1r:r;r@rGr) rnmax_virtual_addressr' original_data mapped_datarsrdprdr5rs rget_memory_mapped_imagezPE.get_memory_mapped_image{sb,  !MMM    *kk }} .G''1,1F1F!1K''C..w/G/GHC!%!=!=&&$$55$$22" c$--((T]]++9s4==11%)<</#k2BBN!u~55 !#)/>: 7++- -K; .B  )DMrcg}t|dr|jjD]}t|ds|jjD]}t|dst|jds'|jjs>t |jjj D]}|j||S)aReturns a list of all the strings found within the resources (if any). This method will scan all entries in the resources directory of the PE, if there is one, and will return a [] with the strings. An empty list will be returned otherwise. DIRECTORY_ENTRY_RESOURCErr)rKrrrrrrir)rnresources_stringsres_typer res_strings rget_resources_stringszPE.get_resources_stringss 43 4 99AA I8[1'/'9'9'A'A I "; < ' (=(=y I$/$9$9$A$A26$/$9$9$A$A$H$H$J3"!IJ%6$<$C,CS%%{{3s++S''}}S-- OP Pzz#v&&rc L|j|}|s||jrnt|jDcgc]G}|j|j|j j |j jIc}}||kr|Sy|S|j|Scc}w)z.Get the RVA corresponding to this file offset.N) rrErlr?r1r:r;r@rO)rnrr lowest_rvas rrOzPE.get_rva_from_offsets  & &v .}} "&   44,, 00AA 00>>  J&"M $$V,,-sA B!c|j|}|s*|t|jkr|Std|dd|j |S)zGet the file offset corresponding to this RVA. Given a RVA , this method will find the section where the data lies and return the offset within the file. zdata at RVA 0xrz can't be fetched)rrGrCrrR)rnrrs rrRzPE.get_offset_from_rvasW  # #C ( S'' .Q7H IJ J$$S))rc|y|j|}|s"|jd|j|||zS|jd|j||S)z1Get an ASCII string located at the given address.Nr)r)rrrCr)rnrrrs rrzPE.get_string_at_rva0sb ;  # #C (,,Q cC*DT0UV V((AJJs:J,NOOrcd|t|kDry||d}t|tr t|S|S)rLrN)rGrUr rW)rnrr*rs rget_bytes_from_datazPE.get_bytes_from_data;s4 CI  M a #8Orc`|j||}|jd}|dk\r|d|}|S)zGet an ASCII string from data.rrN)rr)rnrr*rrFs rrzPE.get_string_from_dataDs8  $ $VT 2ffUm !8$3Arc>|dk(ry|j|d}|dz}t|d}|j||}d} |jd|dz}|dk(rGt|}||ks||k(rt|dz }n2||j||z||z z }|dz }|}n|dzdk(r|dz}npt j dj ||d |dz}d jtt|} |r| j|d S| jd d S) z3Get an Unicode string located at the given address.rrr<r4rbrrqz<{:d}HNrr r) rrlrrGrHrIrrmapr"r) rnrrrr* requested null_index data_lengthuchrsrs rrzPE.get_string_u_at_rvaLsC ?}}S!$ q  C( }}S), ; Q?JR!$i *kZ.G!$TaJ cK&7k9QRR&] & a1$q $ hooj94@P*q.;QR GGCUO $ 88H&9: :xx!455rcP|jD]}|j|s|cSy)z1Get the section containing the given file offset.N)rErT)rnrrs rrzPE.get_section_by_offsetws/}} G&&v. rc|j'|jj|r |jS|jD]}|j|s||_|cSy)z-Get the section containing the given address.N)rDrXrE)rnrrs rrzPE.get_section_by_rvasc  - - 911>>sC999}} G##C(5<2  rc"|jSr) dump_inforss rrz PE.__str__s~~rct|dS)z.Checks if the PE file has relocation directoryDIRECTORY_ENTRY_BASERELOC)rKrss r has_relocsz PE.has_relocsst899rcJt|dr|jjryy)NDIRECTORY_ENTRY_LOAD_CONFIGTF)rKrr*rss rhas_dynamic_relocszPE.has_dynamic_relocss" 46 7//CCrc:t|j|y)z=Print all the PE header information in a human readable from.rN)rr)rnrs r print_infoz PE.print_infos dnnhn/0rc &/| t}|j}|r9|jd|D]#}|j||j %|jd|j |j j|j |jd|j |jj|j |jd|j |jjttd}|jdg}t|D]0}t|j|ds|j|d2|jd j!||j t#|d rF|j$:|jd |j |j$jtt&d }|jd g}t|D]0}t|j$|ds|j|d2|jd j!|tt(d } | rg}t#|dr||j*p|j*D]a} | j,j.t0dk(s$t| D]0}t| j2|ds|j|d2c|r1|jd|jd j!||j |jdtt4d} |j6D]s} |j | j|jdg}t| D]&}t| |ds|j|d(|jd j!||jdj9| j;t<.|jdj9| j?t@"|jd| jCztD"|jd| jGztH"|jd| jKz|j vt#|d rtt#|j$dr^|jd|j$jLD]$} | |j | j&|j t#|drKtO|jPD]2\}}tS|jPdkDr|jd|dzn|jd||j |j|j t#|dr<|j |jT|j|j t#|dstS|jV|kDs|jV|D]9}|j |j|j t#|d r|jXD]}|jDcgc]}|jd!|zc}|jd"j9|jZj]|d#|j tt_|j`jcD]I}|jd$j9|dj]|d#|dj]|d#K|j Ut#|d%sc|jdD]}t#|d&s|jDcgc]}|jd!|zc}|jd$j9t_|j2jgdj]d'd#t_|j2jid|j <5t#|d(rK|jd)|j |jjj,j|j |jd*d+z|jjjlD]}|jnd,}|jpr |jp}|jd-|jr|jn|j]|fz|jtr;|jd.j9|jtj]|d#|j |j t#|d/rU|jd0|jvD]4}|j |j,j|jxsc|jd1j9|j{|j,j|j]|d#|j |j |jxD]i}|j~d2ur|jp_|jd3j9|jj]d'|jpj]d'|jrn|jd4j9|jj]d'|jrn`|jd5j9|jj]|d#|jpj]|d#|j|jr,|jd6j9|jZ|j l|j 7t#|d7r|jd8|jD]}|j |j,j|jd9j9|jpj]|d#|j |j`D]w}|j |j,jd:|jd9j9|jpj]|d#d:|j yt#|d;ry|jd<|jD]X}|j |j,j|j |jxD]}|j~d2urF|jd=j9|jj]|d#|jrn`|jd>j9|jj]|d#|jpj]|d#|j|jr+|jd6j9|j|j |j [t#|d?rY|jd@|j |jj,j|jj`D]}|jp3|jpj]|d#}|jdA|dBdCnXtj|j,jdD}|jdE|j,jdFdG|dHdC|j |j,jdCt#|dIr |j |jj,jd:|jj`D]}|jp3|jpj]d'd#}|jdA|dBdJn+|jdE|j,jdFdBdJ|j |j,jdJt#|dIs|j |jj,jdK|jj`D] }t#|dLs|jdM|jj|jjtj|jjdNt|jj|jjfzdK|j |j,jdO|j |jj,jdP t#|jdQs|jjs,|jdRdOt_t|jjjcD]F\}}|jdSj9||jdTdUj]dVdPH|j |j t#|dWrv|jrj|jj,rT|jdX|j |jj,j|j t#|dYrv|jrj|jj,rT|jdZ|j |jj,j|j t#|dr|jd[|j*D]} |j | j,j |jd\t0| j,j.z|j | j2sy|j | j2jd:|j |jr|jd^|jD]}!|j |!j,j|!j`D]8}" |jd_|"jt|"jd`dfzd::|j t#|dbrtS|jdkDr|jdc|jD]o}#|j |#j,jt#|#dds9|#jF|j |#jjd:q|jScc}wcc}w#t$r8|jd]j9| j,j.YwxYw#t$r/|jda|"j|"jfzd:YwxYw)ez>Dump all the PE header information into human readable string.NParsing Warningsr{rrrmr4rr5r:rnzDllCharacteristics: ryDIRECTORY_ENTRY_DEBUGrzExDllCharacteristics: PE SectionsrIz!Entropy: {0:f} (Min=0.0, Max=8.0)zMD5 hash: {0}zSHA-1 hash: %szSHA-256 hash: %szSHA-512 hash: %sr Directoriesrr4zVersion Information Version Informationr rr z z LangID: {0}r z {0}: {1}rrDrrXExported symbolsz%-10s %-10s %srRVArsNonez%-10d 0x%08X %sz forwarder: {0}rKImported symbolsz Name -> {0}Tz*{0}.{1} Ordinal[{2}] (Imported by Ordinal)z&{0} Ordinal[{1}] (Imported by Ordinal)z{0}.{1} Hint[{2:d}]z Bound: 0x{0:08X}DIRECTORY_ENTRY_BOUND_IMPORT Bound importszDLL: {0}r@DIRECTORY_ENTRY_DELAY_IMPORTDelay Imported symbolsz({0} Ordinal[{1:d}] (Imported by Ordinal)z{0}.{1} Hint[{2}]rResource directoryzName: []r<rszId: [0xrtz] (r\rrDrHr*z\--- LANG [%d,%d][%s,%s]r<rLrPrz [STRINGS]z {0:6d}: {1}unicode-escaper rDIRECTORY_ENTRY_TLSTLSr LOAD_CONFIGDebug informationzType: zType: 0x{0:x}(Unknown)Base relocationsz%08Xh %sr1z0x%08X 0x%x(Unknown)DIRECTORY_ENTRY_EXCEPTIONz"Unwind data for exception handlingr)\rrrrrrr{rrrr\rrqsortedrrrrKr:rrrrHr{ DEBUG_TYPErDrJrErr]rrgrr`rrbrrerrrrGr rr rrJrrrrrTrirXrrrrrrKr/rrrjr0rkrrrrrr>rrr*rrr=rDrrrrrrrrRELOCATION_TYPErrrr)$rnrrwarningsrrrar[rr debug_entryrLrrr vinfo_entryrDrr str_entry var_entryexportrmoduler8bound_imp_desc bound_imp_refr res_type_idrrrr base_relocrelocr s$ rrz PE.dump_infosZ <6D$$&  OO. /# # g&  " #  % t++-.   % t++-.   & t'',,./$%:MJ  ;' &Dt''a1 T!W% & dii&'  4* +0D0D0P OO- . NN4//446 7$2 !<% ! '(45 &Dt++T!W5 T!W% & dii&''5 "$B( $ (E56..:#'#=#=6K#**//%&NOP%++G$H6D&{'8'8$q'B % T!W 56 612 dii./   &&'> M }} G NN7<<> * HHY E}- *7DG,LLa) * MM$))E* + MM3::7;N;N;PQ  1889M9M9OPQ 073H3H3JJK! 073J3J3LLM! 073J3J3LLM    ' * 4* +  "21  OOM *!11@@ 5 (NN9>>#34 5     4) *$-d.A.A$B< / [t**+a/OO&:37)$DEOO$9:*NN;#3#3#56  "4!34NN4#8#8#=#B#B#DE$$&4,T]]1Cc1I!%s!3./uzz|4((*"5-8,1,=,=&HP  Xtd{!; X $ $3$:$:(0(>(>,46I)*%&!"!% 0 0 217X=M=M=S=S=U8V1W !&I$(MM(6(=(=,5aL,?,?08:M-.-6aL,?,?08:M-. )* %& !&&.!,,.$UE2-2YY & #*9g#>5>NN4D%&,0)- dTk(B%&%)MM(6(=(=,01E1E1G,H,K,R,R079L-.-11G1G1I,J1,M )*%& &!,,.]./< /| 41 2 OO. / NN466==BBD E     MM-0JJ K55== +>>-"D{{%{{HH,!>>6>>4;;x;PQR'' -44 & 0 0 7 7BU V ((*! +$     41 2 OO. /55* #v}}1134~~HH'.. 226==3E3EFMM (*=$$&  "$nn+F//47!;;2 HH L S S$*JJ$5$5g$>$*KK$6$6w$?$*NN!"!HH H O O$*JJ$5$5g$>!" 188 & 1 1(BMM")))..55h@ST  $$&' '& 47 8 OO4 5;; #v}}1134  "$nn+F//47FMM & 1 1('>'@!D"; < NN;+@+@+G+G+L+L+NPQR1<1F1F1N1NY #*=&#A$(MM(C,9,>,>,C,C,9,>,>,F,F,0HH0=0B0B0G0G-.-F0=0B0B0G0G0=0B0B0J0J-. +* )*)*%&%)NN=3G3G3L3L3NPR$S$(NN=3E3E3L3L3Q3Q3SUW$X%Y(!( (=(=y I$/$9$9$A$A $ k2 >7;$*;+@+@+H+H+N+N+P$Q8" !&OC%)MM(5(<(<,/,6,=,=0@BT-..4fWo )* )+%& !&O2&h  "OG #R     D/ 0((((// OOE " NN433::??A B     D7 8000077 OOM * NN4;;BBGGI J     40 1 OO/ 011 'szz01TMM(Z -H"HI  "99NN399>>#3Q7$$& ' ??  OO. /"<< # z005578'// E &%))_UZZ5PQSQT5U)VV   " # D5 6D223a7 OO@ A44 <ryy~~/02|,1JNN2==#5#5#7; < }}Y !Y6%&` TMM":"A"A#**//"RST"$ 2eii5LLas>A\ 6A\ T /A\W>5A]\=A]]A]]4A^^A^c i}|j}|r||d<|jj|d<|jj|d<|jj|d<t t d}g|d<|D]3}t|j|ds|dj|d5t|dr)|j|jj|d<t td }g|d <|D]3}t|j|ds|d j|d5g|d <t td }|jD]}|j}|d j|g|d<|D])}t||ds|dj|d+|j|d<t|j!|d<t"|j%|d<t&|j)|d<t*|j-|d<t|drgt|jdrQg|d<t/|jj0D]*\} } |  |dj| j,t|dr;g|d<t/|j2D]\} } g} | j| jt|dr,| j|j4| jt|drt7|j8| kDrg} | j| |j8| D]^}| j|jt|dri}|j:D]c}| j=|j|j>|d<tA|jBjED] }|d||d<e| j|t|ds|jFD]}i}t|ds| j=|jtA|jHjKd|tA|jHjMd<| j|a|dj|  t|drg|d<|dj|jNjPj|jNjRD]r}i}|jTN|jW|jX|jT|jZd |j\r|j\|d!<|dj|tt|d"rg|d#<|j^D]}g}|d#j||j|jPj|j`D]}i}|jbd$ur|jd|d%<|jX|d&<n-|jd|d%<|jZ|d'<|jf|d(<|jhr|jh|d)<|j|t|d*rg|d+<|jjD]}i}|d+j||jW|jPj|jZ|d%<|jBD]<}i}|jW|jPj|jZ|d%<>t|d,rg|d-<|jlD]}g}|d-j||j|jPj|j`D]}i}|jbd$ur|jd|d%<|jX|d&<n-|jd|d%<|jZ|d'<|jf|d(<|jhr|jh|d)<|j|t|d.rg|d/<|d/j|jnjPj|jnjBD]}i} |jZ|jZ| d'<nC|jPjptrju|jPjpd0f| d1<| jW|jPj|d/j| t|d2sg}!|!j|jvjPj|d/j|!|jvjBD]}"i}#|"jZ|"jZ|#d'<n|"jPjp|#d1<|#jW|"jPj|!j|#t|"d2sg}$|$j|"jvjPj|!j|$|"jvjBD]}%t|%d3si}&|%jxjz|&d4<|%jxj||&d5<t~ju|%jxjzd6|&d7<t|%jxjz|%jxj||&d8<|&jW|%jPj|&jW|%jxjPj|$j|&t|"jvd9s|"jvjs'tA|"jvjjED]5\} }'|$j|'jd:d;jd<7t|d=rI|jr=|jjPr'|jjPj|d><t|d?rI|jr=|jjPr'|jjPj|d@<t|dArg|dB<|jD]}(i})|dBj|)|)jW|(jPjtju|(jPj|(jPj|)dC<|jrg|dD<|jD]}*g}+|dDj|+|+j|*jPj|*jBD]>},i}-|+j|-|,j|-dE< t|,jdFd |-dC<@|S#t$r|,j|-dC<Y_wxYw)Gz5Dump all the PE header information into a dictionary.rr{rrrmr#rr:NrnrrrIEntropyMD5SHA1SHA256SHA512rrrrr rr rr4rrDrXrrrrKrTDLLrrHintBoundrrrrrrrsrrr*r=r?r< LANG_NAME SUBLANG_NAMErrr rrrrrrrr{rrr1)Orr{r+rrr\rrrrKr:rrJrEr]rrgrr`rrbrrerrrr rGrr rrrrrrrDrirTrXrHrrrrrrrKr/rjr0rkrrrrrrr>rr*rrr=rDrrrJrrrrr{rrrrrr).rnr+rrr[rrLr section_dictrrvs_vinfoversion_info_list fileinfo_listrDstringtable_dictrrrvar_dictr export_dictr import_listr8 symbol_dictrbound_imp_desc_dictrbound_imp_ref_dict module_listrresource_type_dictdirectory_listrresource_id_dictresource_id_listrresource_lang_dictrrdbg_dictrbase_reloc_listr reloc_dicts. rr+z PE.dump_dictNs  $$& ,4I( )"&//";";"= ,"&//";";"= ,#'#3#3#=#=#? - $%:MJ  ' 3Dt''a1'"))$q'2 3 4* +0D0D0P+/+?+?+I+I+KI' ($2 !<% !+- &'- @Dt++T!W5./66tAw? @$& - &'> M }} CG",,.L m $ + +L 9$&L !% :7DG, )00a9 :'.&9&9&;L #&-&:&:&< U#'.'<'<'> V$!)0)@)@)B X&!)0)@)@)B X&! C$ 4* +  "21 (*Im $"+D,@,@,O,O"P KY(m,33I4G4G4IJ K 4) */1I+ ,!*4+>+>!? K X$&!!((););)=>4!34%,,T-B-B3-G-Q-Q-ST4,T]]1Cc1I$&M%,,];!%s!3C%,,U__->?"5-8/1,,1,=,=R - 4 4X5G5G5I J=E__ 0 :15h6F6F6L6L6N1O!RIENq\$4Yq\$B!RR *001AB$UE2-2YYC +-#*9g#>$1$8$89L9L9N$OPT(1(>(>(@Q&&'Q)HT)//2F2F2H-I!-L$M%2$8$8$BCC,/0778IJA KD 41 2,.I( ) ( ) 0 0++22<<> 55== B >>-&&'-~~#)>>$*KK''393C3C K0,-44[A B 41 2,.I( )55 4 ,-44[A""6==#:#:#<=$nn 4F"$K//47-3ZZ E*17 I.-3ZZ E*.4kk F+.4kk F+||/5|| G,&&{3 4  4$ 47 8)+Io &"&"C"C C&(#/*112EF#**>+@+@+J+J+LM-;-@-@#E*%3%;%;CM)+&&--m.B.B.L.L.NO0=0B0B&u-C C 47 824I. /;; 4 23::;G""6==#:#:#<=$nn 4F"$K//47-3ZZ E*17 I.-3ZZ E*.4kk F+.4kk F+||/5|| G,&&{3 4  4& 43 4.0I* + * + 2 2--44>>@ !99AAG &%'"==,19&v.!**%))(//*<*J'/'9'9'A'A4& +-(&++77B7G7G,V45@5G5G5J5J,T2(// 0B0B0L0L0NO&--.>?"; )6(:(:(B(B%7(1%&GKhh(5(:(:(?(?G&$6{$C )B(5(:(:(?(?(5(:(:(B(B)&%7(6%& %7$=$=(5(<(<(F(F(H%&%7$=$=(5(:(:(A(A(K(K(M%&%5$;$;P)**0&/%&!&[4&'G &T D/ 0((((//#77>>HHJIe  D7 80000770077AAC   40 1-/I) *11 T-.55h? 4 4 67#->>#**//3::??#S  T ?? ,.I( )"<< 8 "$,-44_E&&z'8'8'B'B'DE'//8E!#J#**:6(- Ju%8- A:DMM* *'' fvz(JANNrcD|j||j|S)zLSet the double word value at the file offset corresponding to the given RVA.)set_bytes_at_rvar)rnrrs rset_dword_at_rvazPE.set_dword_at_rva $$S$*B*B5*IJJrcD|j||j|S)z3Set the double word value at the given file offset.)rr)rnrrs rrzPE.set_dword_at_offset ''0H0H0OPPrc.tjd|S)zFReturn a two byte string representing the word value. (little endian).rrrnrs rget_data_from_wordzPE.get_data_from_word{{4&&rcv|dzdzt|kDrytjd||dz|dzdzdS)a Convert two bytes of data to a word (little endian) 'offset' is assumed to index into a word array. So setting it to N will return a dword out of the data starting at offset N*2. Returns None if the data can't be turned into a word. r4r<Nrrrrs rrzPE.get_word_from_datarrcj |j|j|dddS#t$rYywxYw)zReturn the word value at the given RVA. Returns None if the value can't be read, i.e. the RVA can't be mapped to a file offset. Nr<r)rrrrQs rget_word_at_rvazPE.get_word_at_rvas< **4==+=bq+A1E E   #& 22c~|dzt|jkDry|j|j||dzdS)z?Return the word value at the given file offset. (little endian)r<Nr)rGrCrrs rget_word_from_offsetzPE.get_word_from_offsets> A:DMM* *&&t}}Vfqj'I1MMrcD|j||j|S)zESet the word value at the file offset corresponding to the given RVA.)rr)rnrrs rset_word_at_rvazPE.set_word_at_rvas $$S$*A*A$*GHHrcD|j||j|S)z,Set the word value at the given file offset.)rr)rnrrs rrzPE.set_word_at_offsets ''0G0G0MNNrc.tjd|S)zMReturn an eight byte string representing the quad-word value (little endian).r,BAF F  rc~|dzt|jkDry|j|j||dzdS)zDReturn the quad-word value at the given file offset. (little endian)rHNr)rGrCr$rs rget_qword_from_offsetzPE.get_qword_from_offsetr rcD|j||j|S)zJSet the quad-word value at the file offset corresponding to the given RVA.)rr")rnrqwords rset_qword_at_rvazPE.set_qword_at_rvarrcD|j||j|S)z1Set the quad-word value at the given file offset.)rr")rnrr*s rset_qword_at_offsetzPE.set_qword_at_offset rrct|ts td|j|}|sy|j ||S)zOverwrite, with the given string, the bytes at the file offset corresponding to the given RVA. Return True if successful, False otherwise. It can fail if the offset is outside the file's boundaries. data should be of type: bytesF)rUrW TypeErrorrr)rnrr*rs rrzPE.set_bytes_at_rvasC$&;< <))#.''55rct|ts tdd|cxkrt|jkrny|j ||yy)zOverwrite the bytes at the given file offset with the given string. Return True if successful, False otherwise. It can fail if the offset is outside the file's boundaries. r/rFT)rUrWr0rGrCset_data_bytes)rnrr*s rrzPE.set_bytes_at_offset$sQ$&;< <  +T]]+ +    -rrr*ct|jts,t|j}|j||_||j||t |zyr)rUrCr r^rG)rnrr*new_datas rr2zPE.set_data_bytes5sJ$--3 /H    $DM59 fvD 12rc|jD]~}|j|j}||jz}|t |j ksF|t |j ks_|j ||jy)zeUpdate the PE image content with any individual section data that has been modified. N)rEr9r0r2rGrCr2r)rnrsection_data_startsection_data_ends rmerge_modified_section_datazPE.merge_modified_section_data=s }} LG!%!=!=g>V>V!W 1G4I4II !C $66;Kc O<##$68H8H8JK  Lrc6||jjz }t|jjdk\r|jjdjrt |ds|j tdgt |ds|jjdnM|jD]=}d}|t|jks|j|}|dz }|jtd k(rn|jtd k(r@|j|j|j!|j|zd z d zn|jtd k(r=|j|j|j!|j|zd zn0|jtdk(r9|j#|j|j%|j|zn|jtdk(r}|t|jk(rs|j|}|dz }|j|j|j!|jd z|jz|zdzd z nN|jtdk(r8|j'|j|j)|j|z|t|jkr@||j_t |dr7|j*D](}|j,D]}|xj.|z c_*t |dr|j0j2xj4|z c_|j0j2xj6|z c_|j0j2xj8|z c_|j0j2xj:|z c_t |dr |j<j2} t | dr!| j>r| xj>|z c_t | dr!| j@r| xj@|z c_ t | dr!| jBr| xjB|z c_!t | dr!| jDr| xjD|z c_"t | dr!| jFr| xjF|z c_#t | dr!| jHr| xjH|z c_$t | dr!| jJr| xjJ|z c_%t | dr!| jLr| xjL|z c_&t | dr!| jNr| xjN|z c_'t | dr!| jPr| xjP|z c_(|jRtTk(r-t | dr!| jVr| xjV|z c_+t | d r!| jXr| xjX|z c_,t | d!r!| jZr| xj\|z c_.t | d"r!| j\r| xj\|z c_.t | d#r!| j^r| xj^|z c_/t | d$r!| j`r| xj`|z c_0t | d%r!| jbr| xjb|z c_1t | d&r!| jdr| xjd|z c_2t | d'r!| jfr| xjf|z c_3t | d(r!| jhr| xjh|z c_4t | d)r!| jjr| xjj|z c_5t | d*r#| jlr| xjl|z c_6y+y+y+y+y+y+),a2Apply the relocation information to the image using the provided image base. This method will apply the relocation information to the image. Given the new base, all the relocations will be processed and both the raw data and the section's data will be fixed accordingly. The resulting image can be retrieved as well through the method: get_memory_mapped_image() In order to get something that would more closely match what could be found in memory once the Windows loader finished its work. rDrBrrArzZRelocating image but PE does not have (or pefile cannot parse) a DIRECTORY_ENTRY_BASERELOCrr4rrr1rrrrrrrKrrLockPrefixTableEditListSecurityCookieSEHandlerTableGuardCFCheckFunctionPointerGuardCFDispatchFunctionPointerGuardCFFunctionTableGuardAddressTakenIatEntryTableGuardLongJumpTargetTableDynamicValueRelocTableCHPEMetadataPointerGuardRFFailureRoutine$GuardRFFailureRoutineFunctionPointer(GuardRFVerifyStackPointerFunctionPointerEnclaveConfigurationPointerVolatileMetadataPointerGuardEHContinuationTableGuardXFGCheckFunctionPointerGuardXFGDispatchFunctionPointer$GuardXFGTableDispatchFunctionPointer CastGuardOsDeterminedFailureModeGuardMemcpyFunctionPointerN)7r:r'rGrrrKrrrFrrrrrrrrrr+r+r&rKr/rrrHStartAddressOfRawDataEndAddressOfRawDataAddressOfIndexAddressOfCallBacksrr;r<r=r>r?r@rArBrCrDrrrErFrGrHrIrJrKrLrMrNrOrP) rn new_ImageBaserelocation_differencer entry_idxrD next_entryr0func load_configs rrzPE.relocate_imageJsO!.0D0D0N0N N $$33 4 9$$33A6;;4!<=++!01R!S T,4!<=&&9 ";;ZE !"I#c%--&88 % i 8!Q  ::9S)TT "ZZ?;Q+RR !00 % $($8$8$C&;%<')%*#) !)#ZZ?;P+QQ !00 % $($8$8$C&;%<#) !)#ZZ?;T+UU !11 % $ 5 5eii @"7!8 #ZZ?;T+UU )C ,>> %).y)AJ%NI 00 % %)%9%9%))%D%J&0nn%5&;%<'1%1 $& !& #ZZ?;R+SS!11 % $ 5 5eii @"7!8a$c%--&88 Zx.;D *t5666>C # > (== >>t23((//EE)E((//CC)C((//>>BWW>((//BB)Bt:;">>EE K):;#33//3HH/; 3 8L8L((,AA(K)9:#22..2GG.K)9:#22..2GG.K)FG#??;;?TT;K)IJ#BB>>BWW>K)?@#88448MM4K)IJ#BB>>BWW>K)CD#<<88>::>SS:?Ge>@4G &* t}}%!i-IN)KLx1}% FAOq((1uQ'I q1uw/5A M3JK c4==QQ+KLQO  H5 $z1h"nE Fv%(b.9R0f$#dmm,,,rctd}|js-|js||jjz|k(ryy)zCheck whether the file is a standard executable. This will return true only if the file has the IMAGE_FILE_EXECUTABLE_IMAGE flag set and the IMAGE_FILE_DLL not set and the file does not appear to be a driver either. rXTF)ris_dllrrrH)rnEXE_flags ris_exez PE.is_exesC))FG^^%D,,<<<IrcPtd}||jjz|k(ryy)zCheck whether the file is a standard DLL. This will return true only if the image has the IMAGE_FILE_DLL flag set. rhTF)rrrH)rnDLL_flags rrdz PE.is_dlls. ))9: t''77 7H Drct|ds|jtdgt|dsyhd}|j|jDchc]}|j j c}ryddh}|j|jDchc]+}|jj jd -c}r)|jjtd td fvryycc}wcc}w) zCheck whether the file is a Windows driver. This will return true only if there are reliable indicators of the image being a driver. rKr:r:F>hal.dllndis.sys kdcom.dll bootvid.dll ntoskrnl.exeTspagespagedrrr) rKrr intersectionrKr0r>rErr!r: SubsystemSUBSYSTEM_TYPE)rn system_DLLsrUdriver_like_section_namesrs rrz PE.is_drivers,t56  ' ',-KLM (  t56    # #(,(C(C DSWW]]_ D %,h$7! $ 1 1AE OgW\\   ! ( ( 1 O   * *78?@  ! E Ps !C80C=c^dt|jffd }t|dr6||jj |j j f|jD] }||j|jf"tdg}t|jjD]8\}}||vr ||j|j|jf:t|jt#kDr t#Sy#t $rYswxYw)zoGet the offset of data appended to the file and not contained within the area described in the headers.rcLtt|cxkr|kr|SSSr)sum)offset_and_size file_sizelargest_offset_and_sizes r'update_if_sum_is_larger_and_within_filezQPE.get_overlay_data_start_offset..update_if_sum_is_larger_and_within_files5*+c/.BOiO&&P* ** *rr:r?N)rGrCrKr:rrrrEr0r2rrrrRr1rrrv)rnrzrskip_directoriesrrrys @rget_overlay_data_start_offsetz PE.get_overlay_data_start_offsets:#)(+4=='9 + 4* +&M((88:$$99' #}} G&M))7+@+@A' #  ,,LMN'(<(<(K(KL NC&& *Q--i.F.FGX+'  t}} $; < <./ / !  s-D  D,+D,cF|j}||j|dSy)zeGet the data appended to the file and not contained within the area described in the headers.Nr|rCrnoverlay_data_offsets r get_overlayzPE.get_overlay s/#@@B  *==!4!56 6rcb|j}||jd|S|jddS)zKReturn the just data defined by the PE headers, removing any overlaid data.Nr~rs rtrimzPE.trims;#@@B  *==!5"56 6}}Qrc|jjtk\rf|jdurXt |jjs9|j j d|jjzd|_|dzS)NFz=If FileAlignment > 0x200 it should be a power of 2. Value: %xTi)r:r@MIN_VALID_FILE_ALIGNMENTrIrfrFr)rnr#s rr9zPE.adjust_PointerToRawData&s|    - -1I I))U2<$$22<&&S++99;.2*V|rc|dkr>||k7r9|jdur+|jjd|dd|ddd|_t|||S)Nr!FzIf SectionAlignment(0xrz+) < 0x1000 it should equal FileAlignment(0xr\T)rJrFrr&)rnr#r$r%s rr?zPE.adjust_SectionAlignment;sp v %"3311U:&&,->q,AB--;A,>aA15-,S2C^TTrr)NFF)rNrNF)r)NF)rN)rN)rN)r)Nr)rurvrwrrzrrrrrrr1r_rrrrrrrrrrrrrzr\rfrNrOrPrLrNrQrSr&r'r,r-r<r=r>&__IMAGE_DYNAMIC_RELOCATION_V2_format__(__IMAGE_DYNAMIC_RELOCATION64_V2_format__rrrMAX_SYMBOL_EXPORT_COUNTrkrVrYr^rTrerhrSrrrrrrrrrrrr.rBrrAr_r`rrrrrrrr+rrGrVrZrr9rorrrrOrRrrrrrrrrrrrrr+rrrr+r rrrrrrrrr"r$r&r(r+r-rrr"rWr2r8rr^r]rfrdrr|rrr9r?rerrrr sBP#2 $ '# "($H!*&F#I'# 0, *&)%" +'1- ,( ! #&! VKEN# %! ($($ .* C? B>>: 1- =9! /+ &" ($8.*t80,t1- +' -) .* 0, 0, ,( # 2 3j ,,]~ Sj  $22#hK\TY]4~Xtun*83 jd#LU'n@ 9v)V%NGRo'b 0>j$X F PH kZ ?.;`?2h^ \ |AFCJ!6 'D->*(1B P)6V  :1jX bH 5 K OKQ' K NIO' K OKQ6"":S:: LATFI0-d& ;z*X  *Urrcddl}d}|jdds t|y|jddk(r|jdds|jdt |jd}|j j D]M}tt|jj|jz|j|jOytt |jdjy)Nrz1pefile.py pefile.py exports r4rr<zerror: required)rJargvrexitrrXrr%r:r'rrrr)rJusager}r"s rmainrLs E 88AB< e ! !xx| HH1 2  _,,44 C B&&003;;>?3;;   b!o'')*r__main__)r`FFr)r __author__ __version__ __contact__codecsrrrrr\rkr[rprrHrrrhashlibrrrrtypingrr<register_error lookup_errorr"rrr&r+rArr:rpr;rrrrrr~r}rrrrr IMAGE_NUMBEROF_DIRECTORY_ENTRIESrrrrr8directory_entry_typesrimage_characteristicsrsection_characteristicsrJ debug_typesrsubsystem_typesrq machine_typesrrelocation_typesrdll_characteristicsrex_dll_characteristicsrr SECTOR_SIZEr7r< registersrXrSr\rlrurrrrrr resource_typerrr=rr?r5rCrArrDrRr\rcrfrrhr{rwrrrrrrr.rrrrrrrrrrrrrrrrrrrr r r rrGrRr[rkrtrrrrrrr'ascii_lowercaseascii_uppercaserrrrrrVrWr boolrrrrurerrrsU   %  --)+>6+>+>?Q+RS " 4     !#% )  %7(45&%%:;/b''>? *+ & "o.% NM*  /0$##67&&<=   !!23  &  #   0]+ _BDh T w  w-#*0L- %%l3".  08*  '/ R RHHV I &;&;T & 4++ 4d#'$'TAAHIyIX 4e$NX%NXbi,Yi,X%%];";"|CMC,","^m=*M M=M}"]"@m-&]]g$'g$TOO28N8;~;8 ;~ ;  . "XNX&Y~Y&XNX&Y~Y&HnH; ; |  F   mm!! &( - V333fmmC&(  4FK  S% "# ?C    pXUpXUfq+* zFr