itbSrSrSrSrSSKrSSKrSSKrSSKrSSKrSSK r SSK r SSK r SSK r SSKJ r SSKJr SSKJr SS KJr SS KJr SS KJr SSKrSSKrSSKr\R2"S \R4"S 55 \rSSjr\"SS9S5r\"SS9S5rSr Sr!Sr"Sr#Sr$Sr%Sr&Sr'Sr(Sr)Sr*Sr+Sr,Sr-Sr.Sr/Sr0S r1S!r2S"r3S#r4S$r5S%r6S&r7/S'Qr8\7"\85r9/S(Qr:\7"\:5r;/S)Qr<\7"\<5r=/S*Qr>\7"\>5r?/S+Qr@\7"\@5rA/S,QrB\7"\B5rC/S-QrD\7"\D5rE/S.QrF\7"\F5rGSrH/S/QrI\7"\I5rJ/S0QrK\7"\K5rLSrMS1rNS2rOS3rPS4rQS5rRS6rSS7rTS8rUS9rV/S:QrW\7"\W5rX/S;QrY\7"\Y5rZ/SrbS?rcS@rdSAreSBrf"SCSD\g5rh"SESF5ri"SGSH\j5rk"SISJ5rlS1S1S1S1S2S2S4S4S4S4S4S7S7S7S1SK.rm\"SS9SL5rn\"SSMSN9SO5ro"SPSQ5rp"SRSS\p5rq\"SSSN9ST5rr"SUSV\p5rs"SWSX5rt"SYSZ\t5ru"S[S\\t5rv"S]S^\t5rw"S_S`\t5rx"SaSb\t5ry"ScSd\t5rz"SeSf\t5r{"SgSh\t5r|"SiSj\t5r}"SkSl\t5r~"SmSn\t5r"SoSp\t5r"SqSr\t5r"SsSt\t5r"SuSv\t5r"SwSx\t5r"SySz\s5r"S{S|5r"S}S~\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS\5r"SS5r\f"\ GR$\ GR&-\ GR(-S-5rSr\f"\ GR$\ GR&-\ GR(-5r\"SS9SS\\\\4S\S\4Sjj5r"SS5rSr\S:Xa\"5 gg)abpefile, Portable Executable reader module All the PE file basic structures are available with their default names as attributes of the instance returned. Processed elements such as the import table are made available with lowercase names, to differentiate them from the upper case basic structure names. pefile has been tested against many edge cases such as corrupted and malformed PEs as well as malware, which often attempts to abuse the format way beyond its standard use. To the best of my knowledge most of the abuse is handled gracefully. Copyright (c) 2005-2023 Ero Carrera z Ero Carreraz2023.2.7zero.carrera@gmail.comN)Counter)Union)sha1)sha256)sha512md5backslashreplace_backslashreplaceFcT^^U(d[R"TT5$UU4SjnU$)Nc>^[R"TT5"U5m[R"U5U4Sj5nU$)Nc<>[R"T"U0UD65$N)copymodcopy)argskwargs cached_funcs 3C:\des-py\RoboSAPF\venv\Lib\site-packages\pefile.pywrapper-lru_cache..decorator..wrapper;s<< T .decorator8s<))'59!<   >  >r)rr)rrrrs`` rrr4s& ""7E22 r)rc<U[:aU$[US- 5S-$)N)FILE_ALIGNMENT_HARDCODED_VALUEint)valfile_alignments rcache_adjust_FileAlignmentr(Es$66 e  %%rcVUS:aUnU(aX-(aU[X- 5-$U$)N)r%)r&section_alignmentr's rcache_adjust_SectionAlignmentr,Ls26!*S4 C(?$@AA Jrc$URS5$Nr)count)datas r count_zeroesr1\s ::a=r r# iMZiZMiNEiLEiLXiVZiPEli i cX[UVs/sH oSUS4PM snU-5$s snf)Nr)dict)pairses r two_way_dictr=s. u-u!A$!u-5 66-s'))IMAGE_DIRECTORY_ENTRY_EXPORTr)IMAGE_DIRECTORY_ENTRY_IMPORTr9)IMAGE_DIRECTORY_ENTRY_RESOURCE)IMAGE_DIRECTORY_ENTRY_EXCEPTION)IMAGE_DIRECTORY_ENTRY_SECURITY)IMAGE_DIRECTORY_ENTRY_BASERELOC)IMAGE_DIRECTORY_ENTRY_DEBUG)IMAGE_DIRECTORY_ENTRY_COPYRIGHT)IMAGE_DIRECTORY_ENTRY_GLOBALPTR)IMAGE_DIRECTORY_ENTRY_TLS )!IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG )"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT )IMAGE_DIRECTORY_ENTRY_IAT )"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT )$IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)IMAGE_DIRECTORY_ENTRY_RESERVED))IMAGE_FILE_RELOCS_STRIPPEDr9)IMAGE_FILE_EXECUTABLE_IMAGErA)IMAGE_FILE_LINE_NUMS_STRIPPEDrE)IMAGE_FILE_LOCAL_SYMS_STRIPPEDrM)IMAGE_FILE_AGGRESIVE_WS_TRIMr6)IMAGE_FILE_LARGE_ADDRESS_AWAREr5)IMAGE_FILE_16BIT_MACHINE@)IMAGE_FILE_BYTES_REVERSED_LO)IMAGE_FILE_32BIT_MACHINE)IMAGE_FILE_DEBUG_STRIPPEDr#)"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP)IMAGE_FILE_NET_RUN_FROM_SWAPr!)IMAGE_FILE_SYSTEMr*)IMAGE_FILE_DLLr3)IMAGE_FILE_UP_SYSTEM_ONLY@)IMAGE_FILE_BYTES_REVERSED_HIr4).)IMAGE_SCN_TYPE_REGr)IMAGE_SCN_TYPE_DSECTr9)IMAGE_SCN_TYPE_NOLOADrA)IMAGE_SCN_TYPE_GROUPrE)IMAGE_SCN_TYPE_NO_PADrM)IMAGE_SCN_TYPE_COPYr6)IMAGE_SCN_CNT_CODEr5)IMAGE_SCN_CNT_INITIALIZED_DATArc) IMAGE_SCN_CNT_UNINITIALIZED_DATAre)IMAGE_SCN_LNK_OTHERrg)IMAGE_SCN_LNK_INFOr#)IMAGE_SCN_LNK_OVERrj)IMAGE_SCN_LNK_REMOVEr!)IMAGE_SCN_LNK_COMDATr*)IMAGE_SCN_MEM_PROTECTEDro)IMAGE_SCN_NO_DEFER_SPEC_EXCro)IMAGE_SCN_GPRELr4)IMAGE_SCN_MEM_FARDATAr4)IMAGE_SCN_MEM_SYSHEAP)IMAGE_SCN_MEM_PURGEABLE)IMAGE_SCN_MEM_16BITr)IMAGE_SCN_MEM_LOCKEDi)IMAGE_SCN_MEM_PRELOADi)IMAGE_SCN_ALIGN_1BYTESr2)IMAGE_SCN_ALIGN_2BYTESi )IMAGE_SCN_ALIGN_4BYTESi0)IMAGE_SCN_ALIGN_8BYTESi@)IMAGE_SCN_ALIGN_16BYTESiP)IMAGE_SCN_ALIGN_32BYTESi`)IMAGE_SCN_ALIGN_64BYTESip)IMAGE_SCN_ALIGN_128BYTESi)IMAGE_SCN_ALIGN_256BYTESi)IMAGE_SCN_ALIGN_512BYTESi)IMAGE_SCN_ALIGN_1024BYTESi)IMAGE_SCN_ALIGN_2048BYTESi)IMAGE_SCN_ALIGN_4096BYTESi)IMAGE_SCN_ALIGN_8192BYTESi)IMAGE_SCN_ALIGN_MASKi)IMAGE_SCN_LNK_NRELOC_OVFLi)IMAGE_SCN_MEM_DISCARDABLEi)IMAGE_SCN_MEM_NOT_CACHEDi)IMAGE_SCN_MEM_NOT_PAGED)IMAGE_SCN_MEM_SHARED)IMAGE_SCN_MEM_EXECUTEi )IMAGE_SCN_MEM_READi@)IMAGE_SCN_MEM_WRITEr7))IMAGE_DEBUG_TYPE_UNKNOWNr)IMAGE_DEBUG_TYPE_COFFr9)IMAGE_DEBUG_TYPE_CODEVIEWrA)IMAGE_DEBUG_TYPE_FPOrC)IMAGE_DEBUG_TYPE_MISCrE)IMAGE_DEBUG_TYPE_EXCEPTIONrG)IMAGE_DEBUG_TYPE_FIXUPrI)IMAGE_DEBUG_TYPE_OMAP_TO_SRCrK)IMAGE_DEBUG_TYPE_OMAP_FROM_SRCrM)IMAGE_DEBUG_TYPE_BORLANDrO)IMAGE_DEBUG_TYPE_RESERVED10rQ)IMAGE_DEBUG_TYPE_CLSIDrS)IMAGE_DEBUG_TYPE_VC_FEATURErU)IMAGE_DEBUG_TYPE_POGOrW)IMAGE_DEBUG_TYPE_ILTCGrY)IMAGE_DEBUG_TYPE_MPXr[)IMAGE_DEBUG_TYPE_REPROr6)&IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS))IMAGE_SUBSYSTEM_UNKNOWNr)IMAGE_SUBSYSTEM_NATIVEr9)IMAGE_SUBSYSTEM_WINDOWS_GUIrA)IMAGE_SUBSYSTEM_WINDOWS_CUIrC)IMAGE_SUBSYSTEM_OS2_CUIrG)IMAGE_SUBSYSTEM_POSIX_CUIrK)IMAGE_SUBSYSTEM_NATIVE_WINDOWSrM)IMAGE_SUBSYSTEM_WINDOWS_CE_GUIrO)IMAGE_SUBSYSTEM_EFI_APPLICATIONrQ)'IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVERrS)"IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVERrU)IMAGE_SUBSYSTEM_EFI_ROMrW)IMAGE_SUBSYSTEM_XBOXrY)(IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATIONr6)$)IMAGE_FILE_MACHINE_UNKNOWNr)IMAGE_FILE_MACHINE_I386iL)IMAGE_FILE_MACHINE_R3000ib)IMAGE_FILE_MACHINE_R4000if)IMAGE_FILE_MACHINE_R10000ih)IMAGE_FILE_MACHINE_WCEMIPSV2ii)IMAGE_FILE_MACHINE_ALPHAi)IMAGE_FILE_MACHINE_SH3i)IMAGE_FILE_MACHINE_SH3DSPi)IMAGE_FILE_MACHINE_SH3Ei)IMAGE_FILE_MACHINE_SH4i)IMAGE_FILE_MACHINE_SH5i)IMAGE_FILE_MACHINE_ARMi)IMAGE_FILE_MACHINE_THUMBi)IMAGE_FILE_MACHINE_ARMNTi)IMAGE_FILE_MACHINE_AM33i)IMAGE_FILE_MACHINE_POWERPCi)IMAGE_FILE_MACHINE_POWERPCFPi)IMAGE_FILE_MACHINE_IA64r#)IMAGE_FILE_MACHINE_MIPS16if)IMAGE_FILE_MACHINE_ALPHA64)IMAGE_FILE_MACHINE_AXP64r)IMAGE_FILE_MACHINE_MIPSFPUif)IMAGE_FILE_MACHINE_MIPSFPU16if)IMAGE_FILE_MACHINE_TRICOREi )IMAGE_FILE_MACHINE_CEFi )IMAGE_FILE_MACHINE_EBCi)IMAGE_FILE_MACHINE_RISCV32i2P)IMAGE_FILE_MACHINE_RISCV64idP)IMAGE_FILE_MACHINE_RISCV128i(Q)IMAGE_FILE_MACHINE_LOONGARCH32i2b)IMAGE_FILE_MACHINE_LOONGARCH64idb)IMAGE_FILE_MACHINE_AMD64id)IMAGE_FILE_MACHINE_M32RiA)IMAGE_FILE_MACHINE_ARM64id)IMAGE_FILE_MACHINE_CEEi) )IMAGE_REL_BASED_ABSOLUTEr)IMAGE_REL_BASED_HIGHr9)IMAGE_REL_BASED_LOWrA)IMAGE_REL_BASED_HIGHLOWrC)IMAGE_REL_BASED_HIGHADJrE)IMAGE_REL_BASED_MIPS_JMPADDRrG)IMAGE_REL_BASED_SECTIONrI)IMAGE_REL_BASED_RELrK)IMAGE_REL_BASED_MIPS_JMPADDR16rO)IMAGE_REL_BASED_IA64_IMM64rO)IMAGE_REL_BASED_DIR64rQ)IMAGE_REL_BASED_HIGH3ADJrS))IMAGE_LIBRARY_PROCESS_INITr9)IMAGE_LIBRARY_PROCESS_TERMrA)IMAGE_LIBRARY_THREAD_INITrE)IMAGE_LIBRARY_THREAD_TERMrM)(IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VAr5)%IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASErc)(IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITYre)"IMAGE_DLLCHARACTERISTICS_NX_COMPATrg)%IMAGE_DLLCHARACTERISTICS_NO_ISOLATIONr#)IMAGE_DLLCHARACTERISTICS_NO_SEHrj) IMAGE_DLLCHARACTERISTICS_NO_BINDr!)%IMAGE_DLLCHARACTERISTICS_APPCONTAINERr*)#IMAGE_DLLCHARACTERISTICS_WDM_DRIVERr3)!IMAGE_DLLCHARACTERISTICS_GUARD_CFro).IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWAREr4))UNW_FLAG_EHANDLERr9)UNW_FLAG_UHANDLERrA)UNW_FLAG_CHAININFOrE))RAXr)RCXr9)RDXrA)RBXrC)RSPrE)RBPrG)RSIrI)RDIrK)R8rM)R9rO)R10rQ)R11rS)R12rU)R13rW)R14rY)R15r[r9rArCrErGrIrMrOrQ)) RT_CURSORr9) RT_BITMAPrA)RT_ICONrC)RT_MENUrE) RT_DIALOGrG) RT_STRINGrI) RT_FONTDIRrK)RT_FONTrM)RT_ACCELERATORrO) RT_RCDATArQ)RT_MESSAGETABLErS)RT_GROUP_CURSORrU) RT_GROUP_ICONrY) RT_VERSIONr6) RT_DLGINCLUDE) RT_PLUGPLAY)RT_VXDr) RT_ANICURSOR) RT_ANIICON)RT_HTML) RT_MANIFEST)^) LANG_NEUTRALr)LANG_INVARIANT)LANG_AFRIKAANS6) LANG_ALBANIAN) LANG_ARABICr9) LANG_ARMENIAN+) LANG_ASSAMESEM) LANG_AZERI,) LANG_BASQUE-)LANG_BELARUSIAN#) LANG_BENGALIE)LANG_BULGARIANrA) LANG_CATALANrC) LANG_CHINESErE) LANG_CROATIAN) LANG_CZECHrG) LANG_DANISHrI) LANG_DIVEHIe) LANG_DUTCHr() LANG_ENGLISHrO) LANG_ESTONIAN%) LANG_FAEROESE8) LANG_FARSI)) LANG_FINNISHrS) LANG_FRENCHrU) LANG_GALICIANV) LANG_GEORGIAN7) LANG_GERMANrK) LANG_GREEKrM) LANG_GUJARATIG) LANG_HEBREWrW) LANG_HINDI9)LANG_HUNGARIANrY)LANG_ICELANDICr[)LANG_INDONESIAN!) LANG_ITALIANr6) LANG_JAPANESEr&) LANG_KANNADAK) LANG_KASHMIRI`) LANG_KAZAK?) LANG_KONKANIW) LANG_KOREAN) LANG_KYRGYZrc) LANG_LATVIAN&)LANG_LITHUANIAN')LANG_MACEDONIAN/) LANG_MALAY>)LANG_MALAYALAML) LANG_MANIPURIX) LANG_MARATHIN)LANG_MONGOLIANP) LANG_NEPALIa)LANG_NORWEGIANr) LANG_ORIYAH) LANG_POLISHr+)LANG_PORTUGUESEr-) LANG_PUNJABIF) LANG_ROMANIANr1) LANG_RUSSIAN) LANG_SANSKRITO) LANG_SERBIANrJ) LANG_SINDHIY) LANG_SLOVAK)LANG_SLOVENIAN$) LANG_SPANISHrQ) LANG_SWAHILIA) LANG_SWEDISH) LANG_SYRIACZ) LANG_TAMILI) LANG_TATARD) LANG_TELUGUJ) LANG_THAI) LANG_TURKISH)LANG_UKRAINIAN") LANG_URDUr5) LANG_UZBEKC)LANG_VIETNAMESE*) LANG_GAELIC<) LANG_MALTESE:) LANG_MAORI()LANG_RHAETO_ROMANCEr/) LANG_SAAMI;) LANG_SORBIAN.) LANG_SUTU0) LANG_TSONGA1) LANG_TSWANA2) LANG_VENDA3) LANG_XHOSA4) LANG_ZULU5)LANG_ESPERANTO) LANG_WALON) LANG_CORNISH) LANG_WELSH) LANG_BRETON)g)SUBLANG_NEUTRALr)SUBLANG_DEFAULTr9)SUBLANG_SYS_DEFAULTrA)SUBLANG_ARABIC_SAUDI_ARABIAr9)SUBLANG_ARABIC_IRAQrA)SUBLANG_ARABIC_EGYPTrC)SUBLANG_ARABIC_LIBYArE)SUBLANG_ARABIC_ALGERIArG)SUBLANG_ARABIC_MOROCCOrI)SUBLANG_ARABIC_TUNISIArK)SUBLANG_ARABIC_OMANrM)SUBLANG_ARABIC_YEMENrO)SUBLANG_ARABIC_SYRIArQ)SUBLANG_ARABIC_JORDANrS)SUBLANG_ARABIC_LEBANONrU)SUBLANG_ARABIC_KUWAITrW)SUBLANG_ARABIC_UAErY)SUBLANG_ARABIC_BAHRAINr[)SUBLANG_ARABIC_QATARr6)SUBLANG_AZERI_LATINr9)SUBLANG_AZERI_CYRILLICrA)SUBLANG_CHINESE_TRADITIONALr9)SUBLANG_CHINESE_SIMPLIFIEDrA)SUBLANG_CHINESE_HONGKONGrC)SUBLANG_CHINESE_SINGAPORErE)SUBLANG_CHINESE_MACAUrG) SUBLANG_DUTCHr9)SUBLANG_DUTCH_BELGIANrA)SUBLANG_ENGLISH_USr9)SUBLANG_ENGLISH_UKrA)SUBLANG_ENGLISH_AUSrC)SUBLANG_ENGLISH_CANrE)SUBLANG_ENGLISH_NZrG)SUBLANG_ENGLISH_EIRErI)SUBLANG_ENGLISH_SOUTH_AFRICArK)SUBLANG_ENGLISH_JAMAICArM)SUBLANG_ENGLISH_CARIBBEANrO)SUBLANG_ENGLISH_BELIZErQ)SUBLANG_ENGLISH_TRINIDADrS)SUBLANG_ENGLISH_ZIMBABWErU)SUBLANG_ENGLISH_PHILIPPINESrW)SUBLANG_FRENCHr9)SUBLANG_FRENCH_BELGIANrA)SUBLANG_FRENCH_CANADIANrC)SUBLANG_FRENCH_SWISSrE)SUBLANG_FRENCH_LUXEMBOURGrG)SUBLANG_FRENCH_MONACOrI)SUBLANG_GERMANr9)SUBLANG_GERMAN_SWISSrA)SUBLANG_GERMAN_AUSTRIANrC)SUBLANG_GERMAN_LUXEMBOURGrE)SUBLANG_GERMAN_LIECHTENSTEINrG)SUBLANG_ITALIANr9)SUBLANG_ITALIAN_SWISSrA)SUBLANG_KASHMIRI_SASIArA)SUBLANG_KASHMIRI_INDIArA)SUBLANG_KOREANr9)SUBLANG_LITHUANIANr9)SUBLANG_MALAY_MALAYSIAr9)SUBLANG_MALAY_BRUNEI_DARUSSALAMrA)SUBLANG_NEPALI_INDIArA)SUBLANG_NORWEGIAN_BOKMALr9)SUBLANG_NORWEGIAN_NYNORSKrA)SUBLANG_PORTUGUESErA)SUBLANG_PORTUGUESE_BRAZILIANr9)SUBLANG_SERBIAN_LATINrA)SUBLANG_SERBIAN_CYRILLICrC)SUBLANG_SPANISHr9)SUBLANG_SPANISH_MEXICANrA)SUBLANG_SPANISH_MODERNrC)SUBLANG_SPANISH_GUATEMALArE)SUBLANG_SPANISH_COSTA_RICArG)SUBLANG_SPANISH_PANAMArI)"SUBLANG_SPANISH_DOMINICAN_REPUBLICrK)SUBLANG_SPANISH_VENEZUELArM)SUBLANG_SPANISH_COLOMBIArO)SUBLANG_SPANISH_PERUrQ)SUBLANG_SPANISH_ARGENTINArS)SUBLANG_SPANISH_ECUADORrU)SUBLANG_SPANISH_CHILErW)SUBLANG_SPANISH_URUGUAYrY)SUBLANG_SPANISH_PARAGUAYr[)SUBLANG_SPANISH_BOLIVIAr6)SUBLANG_SPANISH_EL_SALVADORr&)SUBLANG_SPANISH_HONDURASrs)SUBLANG_SPANISH_NICARAGUAr()SUBLANG_SPANISH_PUERTO_RICOr)SUBLANG_SWEDISHr9)SUBLANG_SWEDISH_FINLANDrA)SUBLANG_URDU_PAKISTANr9)SUBLANG_URDU_INDIArA)SUBLANG_UZBEK_LATINr9)SUBLANG_UZBEK_CYRILLICrA)SUBLANG_DUTCH_SURINAMrC)SUBLANG_ROMANIANr9)SUBLANG_ROMANIAN_MOLDAVIArA)SUBLANG_RUSSIANr9)SUBLANG_RUSSIAN_MOLDAVIArA)SUBLANG_CROATIANr9)SUBLANG_LITHUANIAN_CLASSICrA)SUBLANG_GAELICr9)SUBLANG_GAELIC_SCOTTISHrA)SUBLANG_GAELIC_MANXrCc[RUS5n[RU/5H nX#;dM Us $ [RUS/5S$)N *unknown*r)LANGgetSUBLANG) lang_value sublang_value lang_name sublang_names rget_sublang_name_for_langrCsO[1I M26   $  7 ;;}{m 4Q 77rcSnSnU[U5:aXUS-n[U5S:ag[R"SU5SnUS- nUS:waNSUS-s=::a[U5::a5O O2[XX6S--5R S5X!'US:agX6S-- nUS- nU[U5:aMgg![ a US- nN7f=f)NrrAzn[U[[45(dM UR U5(dM8X U4PM@ sn$s snf)zRead the flags from a dictionary and return them in a usable form. Will return a list of (flag, value) for all flags in "flag_dict" matching the filter "flag_filter". )keys isinstancestrbytes startswith) flag_dict flag_filterflags rretrieve_flagsr\sXNN$ $D dS%L ) .2ook.J $  sAA AclUH.up4XA-(aSURU'MSURU'M0 g)zWill process the flags and set attributes in the object accordingly. The object "obj" will gain attributes named after the flags provided in "flags" and valued True/False, matching the results of applying each flag value from "flags" to flag_field. TFN)__dict__)obj flag_fieldflagsr[values r set_flagsrcs2   !%CLL !&CLL  rc.US:g=(a XS- -S:H$)Nrr9)r&s r power_of_tworfs !8 .aQ..rc[U[5(aU$[U[5(a [U5$[R"US5$)Ncp1252)rUrW bytearraycodecsencode)xs rrIrIs;!U Ay ! !Qx}}Q))rc:^\rSrSrU4SjrU4SjrSrSrU=r$) AddressSetic>>[TU]5 SUlSUlgr)super__init__minmax)self __class__s rrqAddressSet.__init__s rc>[TU]U5 URcUO[URU5UlURcXlg[URU5Ulgr)rpaddrrrs)rtrbrus rrxAddressSet.addsK  E HH,5#dhh2F HH,5#dhh2FrclURb URcS$URUR- $r.)rrrsrts rdiffAddressSet.diffs,HH$(8qQdhh>QQr)rsrr) __name__ __module__ __qualname____firstlineno__rqrxr|__static_attributes__ __classcell__rus@rrnrns G RRrrncT\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rg)!UnicodeStringWrapperPostProcessorizThis class attempts to help the process of identifying strings that might be plain Unicode or Pascal. A list of strings will be wrapped on it with the hope the overlappings will help make the decision about their type.c*XlX lSUlgr)perva_ptrstring)rtrrs rrq*UnicodeStringWrapperPostProcessor.__init__s  rcUR$)zGet the RVA of the string.)rr{s rget_rva)UnicodeStringWrapperPostProcessor.get_rvas ||rc&URSS5$)z6Return the escaped UTF-8 representation of the string.utf-8r )rJr{s r__str__)UnicodeStringWrapperPostProcessor.__str__s{{7$788rcXUR(dgURR"U6$)N)rrJ)rtrs rrJ(UnicodeStringWrapperPostProcessor.decodes!{{{{!!4((rcSng)z>Make this instance None, to express it's no known string type.Nrer{s r invalidate,UnicodeStringWrapperPostProcessor.invalidatesrc$URRURS-UR5S9Ulg![ aH URR 5RSRURS-55 gf=f)NrA max_lengthzCFailed rendering pascal string, attempting to read from RVA 0x{0:x}) rget_string_u_at_rvarget_pascal_16_lengthr PEFormatError get_warningsappendformatr{s rrender_pascal_162UnicodeStringWrapperPostProcessor.render_pascal_16 s} ''55 q T-F-F-H6DK  GG " ) )66&5DKrcURRUR5Ulg![aE URR 5R SRUR55 gf=f)NzDFailed rendering unicode string, attempting to read from RVA 0x{0:x})rrrrrrrrr{s rrender_unicode_163UnicodeStringWrapperPostProcessor.render_unicode_160s^ ''55dllCDK  GG " ) )66 Dump.get_text..js: 1u||A s )joinrr{s rget_text Dump.get_texthsww: :::rrNr) r~rrrrrqrrrxrrrrrerrrrDs(;(%=;;rr)rlcrIBhHrNIrMLrqQdsc RSnUnUS[R;aw[SRUVs/sHo3[R;dMUPM sn55nSRUVs/sHo3[R;dMUPM sn5n[UU-$s snfs snf)Nr9rr)rdigitsr%rSTRUCT_SIZEOF_TYPES)tr/_trs r sizeof_typers E Btv}}BGG@1&---?Q@AB WW=Av}}& r "U **A=sB B +B$B$T)rrc Sn/n0n/nSnSnUHnSU;dM URSS5upX- nURS5 U RS5n /n U H\n X;a?UV s/sHoS[U 5PM n n U RU 5nSR X5n U RU 5 XcU 'M^ U[ U5- nURU 5 M [ R"U5nUUUUU4$s sn f)Nr)rr7r)rtrs r__repr__Structure.__repr__sB HH499;?;achhqwwy);? @  ?s)A c /nURSRUR55 [RVs/sH#o3[R ;dM[ U5PM% nnURGHnUGHn[X5n[U[[45(axURS5(aSRU5nOSRU5nUS:XdUS:Xa2US[R"[R"U55-- nOO[#U5nURS 5(aAS R%UR'S 5Vs/sHnS RU5PM sn5nOPS R%UR'S 5Vs/sH$nX4;a [)U5OS RU5PM& sn5nURSUR*UUR,-UR*UUS-U4-5 GM GM U$s snf![ a US- nNdf=fs snfs snf)z1Returns a string representation of the structure.z[{0}] Signature_z{:<8X}z0x{:<8X} TimeDateStamp dwTimeStampz [%s UTC]z [INVALID TIME] Signaturerz{:02X}z \x{0:02x}z0x%-8X 0x%-3X %-30s %s:)rrr r printable whitespaceordrr0rUr%longrXtimeasctimegmtime ValueErrorrirrstripchrrr ) rt indentationr7rNprintable_bytesrTr,r&val_strs rr7Structure.dump$s GNN499-.#,, ,q9J9J0JFCF,  MMDd(cC;//~~l33"*//#"6","3"3C"8o- 1E9#{T\\$++cBR5S'SSG2F (nG~~k22"$''9@9PQ9PAX__Q/9PQ##%'' *1)@ *AA%&$8!$A%1%8%8%;!<*A # ,..s3d6J6JJ..s3c  ;"P ] $ *9#'88G9 Rs)HH-0H$H9 +H> $H65H6c L0nURUS'URHnUHn[X5n[U[[ 45(a>US:XdUS:Xa1SU[ R"[ R"U554-nOJOISRSUVs/sH%n[U[5(d [U5OUPM' sn55nURUUR-URUUS.X'M M U$![a SU-nNJf=fs snf) z5Returns a dictionary representation of the structure.rr>r?z0x%-8X [%s UTC]z0x%-8X [INVALID TIME]rc3|# UH2n[U5[R;a [U5OSU-v M4 g7f)z\x%02xN)rLrrC)rrs rr&Structure.dump_dict..rs5"!WA#&a&F,<,<"<A)a-O!Ws:<) FileOffsetOffsetValue)r rr0rUr%rFrGrHrIrJrrErr )rt dump_dictrTr,r&rs rrWStructure.dump_dict[s0 !% +MMDd(cC;//o- 1E@"3 # $ T[[-= >7#C2F''"SV!WSVa 1c0B0B#a&"ISV!W"C #'"8"8"=@T@T"T"44S9 " %"2 *@"9C"?C@ "Xs/D ,D! DD)rrr rrrrr NNr)r~rrrrrqrVrrrrr r#r&r-r4rr:r7rWrrerrrrsV "8##I2$&# & (.= & 5n"rrc|\rSrSrSrSrSrSrSSjrSr S r S r S r S r S rSrSrSrSrSrSrSrg)SectionStructureiz#Convenience section handling class.cSU;a USUlUS SUlSUlSUlSUl[ R "U/UQ70UD6 SUlSUlSUl SUl g)Nr) rPointerToRawDataVirtualAddress SizeOfRawDataMisc_VirtualSizerrqPointerToRawData_adjVirtualAddress_adjsection_min_addrsection_max_addr)rtarglargds rrqSectionStructure.__init__ss 4<4jDGT $"! $4/$/$/$(!"& $ $rcURcVURbIURRURURRR 5UlUR$r)rar]radjust_FileAlignmentOPTIONAL_HEADER FileAlignmentr{s rget_PointerToRawData_adj)SectionStructure.get_PointerToRawData_adjsZ  $ $ ,$$0,0GG,H,H))477+B+B+P+P-)(((rcURcuURbhURRURURRR URRR 5UlUR$r)rbr^radjust_SectionAlignmentrjSectionAlignmentrkr{s rget_VirtualAddress_adj'SectionStructure.get_VirtualAddress_adjsn  " " *"".*.''*I*I''GG++<<GG++99+' &&&rNcUcUR5nO#XR5- UR5-nUbXB-nOURbX@R-nOUnU(aUbUb[XTUR-5nUR bBURb5XPR UR-:aUR UR-nUR RXE$)aGet data chunk from a section. Allows to query data from the section by passing the addresses where the PE file would be loaded by default. It is then possible to retrieve code and data by their real addresses as they would be if loaded. Note that sections on disk can include padding that would not be loaded to memory. That is the case if `section.SizeOfRawData` is greater than `section.Misc_VirtualSize`, and that means that data past `section.Misc_VirtualSize` is padding. In case you are not interested in this padding, passing `ignore_padding=True` will truncate the result in order not to return the padding (if any). Returns bytes() under Python 3.x and set() under Python 2.7 )rlrqr_rrr`r]r__data__)rtstartrignore_paddingrends rrSectionStructure.get_datas& =224F3355--/0F  /C    +---CC co&2DcD$9$99:C  ,1C1C1O**T-?-???++d.@.@@ww++rcUS:Xa[[S5n[XU5 OZSU;aT[X5(aDU(aURS==[U-ss'OURS==[U-ss'X RU'g)NCharacteristics IMAGE_SCN_)r\SECTION_CHARACTERISTICSrchasattrr^)rtr r& section_flagss r __setattr__SectionStructure.__setattr__s{ $ $*+BLQM d / T !gd&9&9 /04KD4QQ0 /04KD4QQ0! drcHXR5- UR5-$r)rlrqrs rget_rva_from_offset$SectionStructure.get_rva_from_offsets"5577$:U:U:WWWrcHXR5- UR5-$r)rqrlrtrs rget_offset_from_rva$SectionStructure.get_offset_from_rvas"0022T5R5R5TTTrc~URcgUR5nX!s=:*=(a X R-:$s $)z V V-ADVDV-V V V rcXURb6URb)URUs=:*=(a UR:$s $UR5n[URR 5UR 5- UR:a URnO [URUR5nURb;URUR:a!X#-UR:aURU- nX lX#-UlX!s=:*=(a X#-:$s $)z8Check whether the section contains the address provided.) rcrdrqrFrrtrlr_r`rsnext_section_virtual_addressr^)rtrrbsizes r contains_rvaSectionStructure.contains_rvas  ,1F1F1R((CGG$2G2GG GG G!88: tww 4#@#@#B BTEWEW W((Dt))4+@+@AD  - - 911D4G4GG")D,M,MM447IID 2 2 9!DD+=+DDDDDrc$URU5$r)rrs rcontainsSectionStructure.containss  %%rc@URUR55$)z1Calculate and return the entropy for the section.) entropy_Hrr{s r get_entropySectionStructure.get_entropys~~dmmo..rc`[b'[UR55R5$g)z/Get the SHA-1 hex-digest of the section's data.N)rr hexdigestr{s r get_hash_sha1SectionStructure.get_hash_sha1 s)   (224 4 rc`[b'[UR55R5$g)z1Get the SHA-256 hex-digest of the section's data.N)rrrr{s rget_hash_sha256 SectionStructure.get_hash_sha256&)  $--/*446 6 rc`[b'[UR55R5$g)z1Get the SHA-512 hex-digest of the section's data.N)rrrr{s rget_hash_sha512 SectionStructure.get_hash_sha512,rrc`[b'[UR55R5$g)z-Get the MD5 hex-digest of the section's data.N)r rrr{s r get_hash_md5SectionStructure.get_hash_md52s( ?t}}'113 3 rcU(dg[[U55nSnUR5H6n[U5[ U5- nX5[ R "US5--nM8 U$)z)Calculate the entropy of a chunk of data.grrA)rrivaluesfloatrFmathlog)rtr0 occurencesentropyrlp_xs rrSectionStructure.entropy_H8saYt_- ""$A(SY&C TXXc1-- -G%r) r`r]rar_r^rbrrdrc)NNF)r~rrrrrqrlrqrrrrrrrrrrrrrrrerrr[r[sZ- %)'*,X" XU  $EL&/ 5 7 7 4 rr[c8"SS5n/n0nU"X#5nUSHnSU;a#UR5 URU5 M,URSS5upgSU;a [S5eURSS5uph[ U5nXdR 5:wdXR 5:a!UR5 URU5 URXx5 M UR5 [[U55uppn /n[U 5HqunnX;aURU5 MX?un nUVs/sHnU[R/PM nnURU5 UHnU USU US'M Ms XXX4$s snf)Nc>\rSrSrSrSrSrSrSrSr Sr S r g ) )set_bitfields_format..AccumulatoriJcT/UlSUlSUlSUlX lXlg)N~r) _subfields_name_type _bits_left _comp_fields_format)rtfmt comp_fieldss rrq2set_bitfields_format..Accumulator.__init__Ks+ DODJDJDO + Lrc*URcgURRURS-UR-5 URUR4UR [ UR5S- 'SUlSUl/Ulg)Nrr9r)rrrrrrrFr{s rwrap_up1set_bitfields_format..Accumulator.wrap_upUsszz! LL   S 04:: = >8< DOO7TD  c$,,/!3 4DJDJ DOrc2[US-UlXlgNrM)rrr)rttps rnew_type2set_bitfields_format..Accumulator.new_type^s1"59DOJrcU=RU- slU=RU-slURRX45 gr)rrrr)rtr bitcnts r add_subfield6set_bitfields_format..Accumulator.add_subfieldbs2 JJ$ J OOv %O OO " "D> 2rcUR$r)rr{s rget_type2set_bitfields_format..Accumulator.get_typeg :: rcUR$r)rr{s rget_name2set_bitfields_format..Accumulator.get_namejrrcUR$r)rr{s r get_bits_left7set_bitfields_format..Accumulator.get_bits_leftms ?? "r)rrrrrrN) r~rrrrqrrrrrrrrerr AccumulatorrJs%  !  3    #rrr9rBrz3Structures with bitfields do not support unions yetr)rrrNotImplementedErrorr%rrrrrrr)StructureWithBitfields BTF_NAME_IDXextend)rrold_fmtracrrrelm_bits format_str_ field_offsetsrT format_length extended_keysr+r&sbfrbf_namesns rset_bitfields_formatrHs$#$#LGK W *Baycz JJL NN3   YYsA. (?%E &^^C3x= {{} $3C3C3E(E JJL KK ! +'(JJL8B5>8R5J= MdOS!   % !3FIJcQ-::; --> (data type, [ (subfield name, length in bits)+ ] ) that facilitates bitfield paking and unpacking. With lru_cache() creating only once instance per format string, the memory overhead is negligible. rr9c [U5uUlUlUlUlUlUl[UR5Vs/sHnSPM snUlSUl X0l US:waX l gUSUl gs snf)NFr) rrrrr __keys_ext____compound_fields__rangerrr r )rtrr r rNs rrqStructureWithBitfields.__init__s ! (    "  " M    $6;4;Q;Q5R&S5Rt5R&S##* DLD fQi 'Ts BcL>[[U] U5 UR5 gr)rprr-_unpack_bitfield_attributesrtr0rus rr-!StructureWithBitfields.__unpack__s! $d6t< ((*rc>UR5 [[U]5nUR 5 U$!UR 5 f=fr)_pack_bitfield_attributesrprr4rrs rr4StructureWithBitfields.__pack__sE &&( //?AD  , , .   , , .s 7A c>URnURUl[[U]U5nX lU$!X lf=fr)rrrprr7)rtrMtkretrus rr7StructureWithBitfields.dumpsC ]]))  .:;GCM Ms ;Ac>URnURUl[[U]5nXlU$!Xlf=fr)rrrprrW)rtrrrus rrW StructureWithBitfields.dump_dictsA ]]))  .?ACM Ms :AcURR5HnURUSn[X5n[ X5 SnURU[ R HXnSU[ R-S- nXd-n[UU[ RX6-U- 5 XE[ R- nMZ M g)zQReplace compound attributes corresponding to bitfields with separate sub-fields. rr9N) rrTrr0delattrr CF_SUBFLD_IDXBTF_BITCNT_IDXr*r)rtrNcf_namecvaloffstsfmasks rr2StructureWithBitfields._unpack_bitfield_attributess))..0AmmA&q)G4)D D "E..q12H2V2VWR 6 E EFF!K-::;[U* 2AABBX 1rcURR5HnURUSnSup4URU[RHWnSU[R -S- n[ X[R5U-nXGU--nX5[R - nMY [XU5 M g)z(Pack attributes into a compound bitfieldrrrr9N) rrTrrrrr0rr*)rtrNrracc_valrr field_vals rr0StructureWithBitfields._pack_bitfield_attributess))..0AmmA&q)G!NE..q12H2V2VWR 6 E EFF!KD%;%H%H"IJTQ--2AABB X D7 +1r) rrrr rrrrrr rYr)r~rrrrrr CF_TYPE_IDXrrqr-r4r7rWrrrrrs@rrrsG(LNKM8 + C& , ,rrc,^\rSrSrSrU4SjrSrU=r$) DataContainerizGeneric data container.c d>[[U] nUR5H up4U"X45 M gr)rprritems)rtr bare_setattrr,rbrus rrqDataContainer.__init__ s)]D= **,JC  $'rre)r~rrrrrqrrrs@rrrs!%%rrc\rSrSrSrSrg)ImportDescDataizHolds import descriptor information. dll: name of the imported DLL imports: list of imported symbols (ImportData instances) struct: IMAGE_IMPORT_DESCRIPTOR structure reNr~rrrrrrerrr r rr c\rSrSrSrSrSrg) ImportDataizHolds imported symbol's information. ordinal: Ordinal of the symbol name: Name of the symbol bound: If the symbol is bound, this contains the address. c[US5(Ga[US5(Ga[US5(GaUS:XaURR[:Xa[nO$URR[ :Xa[ nWUS--URlURRURl URRURl URRURl GOUS:XaURbX Rl URRURl URRURl URRURl GO>US:XaX Rl URRURlURRURl URRURl OUS:XaUR(aURRUR5nURRUR SU-5 [#U5[#UR$5:a ['S5eURR)URU5 X R*U'g)Nordinalboundr addressr9The export name provided is longer than the existing one.)r}rPE_TYPEOPTIONAL_HEADER_MAGIC_PEIMAGE_ORDINAL_FLAGOPTIONAL_HEADER_MAGIC_PE_PLUSIMAGE_ORDINAL_FLAG64 struct_tableOrdinal AddressOfDataFunctionForwarderString struct_iat name_offsetrset_dword_at_offsetordinal_offsetrFr rset_bytes_at_offsetr^)rtr r& ordinal_flagname_rvas rrImportData.__setattr__!s$ D) $ $g&&f%%y 77??&>>#5LWW__(EE#7L-9C&L,I!!)262C2C2K2K!!/-1->->-F-F!!*484E4E4M4M!!1??.47OO148OO4Q4QDOO1/3/L/LDOO,6:oo6S6SDOO3"25!!/,0,=,=,K,K!!)-1->->-L-L!!*484E4E4S4S!!1###ww::4;K;KLHGG//++g-A 3x#dii.0+WGG//0@0@#F! drreNr~rrrrrrrerrrrs 6"rrc\rSrSrSrSrg) ExportDirDataiZzHolds export directory information. struct: IMAGE_EXPORT_DIRECTORY structure symbols: list of exported symbols (ExportData instances)reNrrerrr,r,ZsCrr,c\rSrSrSrSrSrg) ExportDataiaaDHolds exported symbols' information. ordinal: ordinal of the symbol address: address of the symbol name: name of the symbol (None if the symbol is exported by ordinal only) forwarder: if the symbol is forwarded it will contain the name of the target symbol, None otherwise. c[US5(GaC[US5(Ga1[US5(Ga[US5(Ga US:Xa'URRURU5 OUS:Xa'URR UR U5 OUS:XaT[ U5[ UR5:a [S5eURRURU5 OYUS:XaS[ U5[ UR5:a [S5eURRURU5 X RU'g)Nrr forwarderr rz+>D"++D,?,?Es8c$))n,'S++D,<,r>r8rr>c\rSrSrSrSrg)DynamicRelocationDataizHolds dynamic relocation information. struct: IMAGE_DYNAMIC_RELOCATION structure symbol: Symbol to which dynamic relocations must be applied relocations: List of dynamic relocations for this symbol (BaseRelocationData instances) reNrrerrr@r@rrr@c\rSrSrSrSrg)BaseRelocationDataizHolds base relocation information. struct: IMAGE_BASE_RELOCATION structure entries: list of relocation data (RelocationData instances) reNrrerrrBrBr8rrBc\rSrSrSrSrSrg)RelocationDataizHolds relocation information. type: Type of relocation The type string can be obtained by RELOCATION_TYPE[type] rva: RVA of the relocation c[US5(aaURRnUS:Xa US-US--nO)US:Xa#[X R- S5nUS-US--nX0RlX R U'g)NrGtyperUrri)r}rGDatarsbase_rvar^)rtr r&wordrs rrRelocationData.__setattr__s 4 " ";;##Dv~r dUl3S==0!4v &5.9 $KK ! drreNr*rerrrDrDs "rrDc\rSrSrSrSrg)TlsDataizBHolds TLS information. struct: IMAGE_TLS_DIRECTORY structure reNrrerrrMrMsrrMc\rSrSrSrSrg)BoundImportDescDataiaHolds bound import descriptor data. This directory entry will provide information on the DLLs this PE file has been bound to (if bound at all). The structure will contain the name and timestamp of the DLL at the time of binding so that the loader can know whether it differs from the one currently present in the system and must, therefore, re-bind the PE's imports. struct: IMAGE_BOUND_IMPORT_DESCRIPTOR structure name: DLL name entries: list of entries (BoundImportRefData instances) the entries will exist if this DLL has forwarded symbols. If so, the destination DLL will have an entry in this list. reNrrerrrOrOsrrOc\rSrSrSrSrg)LoadConfigDatai zHolds Load Config data. struct: IMAGE_LOAD_CONFIG_DIRECTORY structure name: dll name dynamic_relocations: dynamic relocation information, if present reNrrerrrQrQ rrrQc\rSrSrSrSrg)BoundImportRefDataizHolds bound import forwarder reference data. Contains the same information as the bound descriptor but for forwarded DLLs, if any. struct: IMAGE_BOUND_FORWARDER_REF structure name: dll name reNrrerrrSrSsrrSc\rSrSrSrSrg)ExceptionsDirEntryDatai zHolds the data related to SEH (and stack unwinding, in particular) struct an instance of RUNTIME_FUNTION unwindinfo an instance of UNWIND_INFO reNrrerrrUrU r8rrUc|^\rSrSrSrS U4SjjrU4SjrS U4SjjrU4SjrSr Sr U4S jr S r S r S rU=r$) UnwindInfoi(zHandles the complexities of UNWIND_INFO structure: * variable number of UWIND_CODEs * optional ExceptionHandler and FunctionEntry fields c>[[U] SUS9 [[U]5UlSUl[ SSS9UlSUlSUl g)N) UNWIND_INFO)z B:3,Versionz B:5,FlagszB,SizeOfPrologzB,CountOfCodeszB:4,FrameRegisterzB:4,FrameOffsetr  UNWIND_CODE) B,CodeOffset B:4,UnwindOp B:4,OpInforF) rprWrqr& _full_size_opt_field_namer _code_info_chained_entry_finished_unpacking)rtr rus rrqUnwindInfo.__init__.s` j$( $ )  D8:#0 K ##( rc J>UR(ag[[U]U5 URS-S-n[[U]5X R R 5--nUURS:XaSO[S-Ul [U5UR:agURS:wa(URS:waS[UR5-$/Ul[[U]5nURnUS:GaUR RXX@R R 5-5 [R!UR 5nUcS[URU-5-$UR#UR U5nUR R 5U-nUR%UR XXH-UURU-5 XH- nXW-nURR'U5 US:aGMUR((dUR*(aS UlUR.(aS UlUR,S:wa;[1UUR,[2R4"S XU[S-5S5 S Ulg) zUnpacks the UNWIND_INFO "in two calls", with the first call establishing a full size of the structure and the second, performing the actual unpacking. Nr9rrrAz&Unsupported version of UNWIND_INFO at zUnknown UNWIND_CODE at ExceptionHandler FunctionEntry  t9t & <<1 !2;c$BVBV>WW W :t + -&& 1n OO & &too6L6L6N1N'O P*11$//BE}03t7K7Kb7P3QQQ ::4??DQL--/,>H   "-($$r)   NB  &J    # #E *!1n$  ! !T%;%;#5D  " "#2D   4 ' $$ $[;Ns;S-ST $( rc >URS:waSUR[S- URUR'URR UR/5 [ [U]#U5nURS:waURR5 UR SSR[Vs/sHn[XS5(dMUSPM sn5-5 UR SSRURVs/sH$oDR5(dM[U5PM& sn5-5 U$!URS:waURR5 ff=fs snfs snf)NrFlags: , rzUnwind codes: z; )rar`rrrrrprWr7poprunwind_info_flagsr0rois_validrV)rtrMr7rrrus rr7UnwindInfo.dumpsU   4 '"5c"::  " "4#7#7 8    $ $d&:&:%; < (T/ URS:waSUR[S- URUR'URR UR/5 [ [U]#5nURS:waURR5 U$!URS:waURR5 ff=f)Nr) rar`rrrrrprWrWr)rtrrus rrWUnwindInfo.dump_dicts   4 '"5c"::  " "4#7#7 8    $ $d&:&:%; < ( D35C##t+!!%%' ##t+!!%%',s &B$$-CcUS:Xa[X[5 OZSU;aT[X5(aDU(aURS==[U-ss'OURS==[U-ss'X RU'g)Nrl UNW_FLAG_)rcrr}r^UNWIND_INFO_FLAGSr4s rrUnwindInfo.__setattr__si 7? d!2 3 D WT%8%8 g&*;D*AA& g&*;D*AA&! drcUR$r)r`r{s rr&UnwindInfo.sizeofs rcx>[UR5n[[U]5US[[U]5&[[U]5nUR HnX#RR 5-UR:a OVURR 5XX#RR 5-&X#RR 5- nM URS:waK[R"S[XR55UUR[S- UR&U$)Nrrjr) rir`rprWr4r&rorGrar1r0r)rtr0 cur_offsetucrus rr4UnwindInfo.__pack__s)5::t5U5WQz4/12:t35 ""BII,,..@ACASASAUDj99+;+;+== > ))**, ,J #   4 ' D'$0D0D"EF "5c"::T__  rcUR$r)rcr{s rget_chained_function_entry%UnwindInfo.get_chained_function_entryrrcFURS:wa [S5eXlg)Nz(Chained function entry cannot be changed)rcr)rtentrys rset_chained_function_entry%UnwindInfo.set_chained_function_entrys"   $ & JK K#r)rorcrbrdr`rar)r~rrrrrqr{r7rWrr&r4rrrrrs@rrWrW(s; )0<|6 "$#$$rrWc0\rSrSrSrSrSrSrSrSr g) PrologEpilogOpizMeant as an abstract class representing a generic unwind code. There is a subclass of PrologEpilogOp for each member of UNWIND_OP_CODES enum. cv[URU5US9UlURRU5 g)NrZ)r _get_formatrGr-)rtunw_coder0unw_infor s rrsPrologEpilogOp.initializes2,   X &K   t$rcg)zComputes how many UNWIND_CODE structures UNWIND_CODE occupies. May be called before initialize() and, for that reason, should not rely on the values of intance attributes. r9rertrrs rrr(PrologEpilogOp.length_in_code_structuress rcg)NTrer{s rrPrologEpilogOp.is_validsrcg)Nr[rertrs rrPrologEpilogOp._get_formatsNrrGN) r~rrrrrsrrrrrrerrrrs% Orrc$\rSrSrSrSrSrSrg)PrologEpilogOpPushRegiUWOP_PUSH_NONVOLcg)N)UNWIND_CODE_PUSH_NONVOL)r]r^B:4,Regrers rr!PrologEpilogOpPushReg._get_formatsWrcBS[URR-$)Nz .PUSHREG ) REGISTERSrGRegr{s rrPrologEpilogOpPushReg.__str__sYt{{777rreN)r~rrrrrrrrerrrrsX8rrc0\rSrSrSrSrSrSrSrSr g) PrologEpilogOpAllocLargeiUWOP_ALLOC_LARGEc:SSSSURS:XaS44$S44$)NUNWIND_CODE_ALLOC_LARGEr]r^r_rzH,AllocSizeInQwordsz I,AllocSizeOpInfors rr$PrologEpilogOpAllocLarge._get_formatsB %)1A)=%    DQ    rc*URS:XaS$S$)NrrArCrrs rrr2PrologEpilogOpAllocLarge.length_in_code_structuressOOq(q/a/rcURRS:XaURRS-$URR$)NrrM)rGrAllocSizeInQwords AllocSizer{s rget_alloc_size'PrologEpilogOpAllocLarge.get_alloc_sizesC{{!!Q& KK ) )A - && rc:S[UR55-$Nz .ALLOCSTACK rnrr{s rr PrologEpilogOpAllocLarge.__str__D$7$7$9 :::rreN) r~rrrrrrrrrrrerrrrs  0 ;rrc*\rSrSrSrSrSrSrSrg)PrologEpilogOpAllocSmalliUWOP_ALLOC_SMALLcg)N)UNWIND_CODE_ALLOC_SMALL)r]r^zB:4,AllocSizeInQwordsMinus8rers rr$PrologEpilogOpAllocSmall._get_format rc:URRS-S-$r)rGAllocSizeInQwordsMinus8r{s rr'PrologEpilogOpAllocSmall.get_alloc_sizes{{22Q6::rc:S[UR55-$rrr{s rr PrologEpilogOpAllocSmall.__str__rrreN) r~rrrrrrrrrerrrrs ;;rrc2^\rSrSrSrU4SjrSrSrU=r$)PrologEpilogOpSetFPi#UWOP_SET_FPREGcx>[[U] XX45 URUlUR S-UlgNr6)rprrs FrameRegister_frame_register FrameOffset _frame_offsetrtrr0rr rus rrsPrologEpilogOpSetFP.initialize&s; !43 H  (55%11B6rc`S[UR-S-[UR5-$)Nz .SETFRAME r)rrrnrr{s rrPrologEpilogOpSetFP.__str__-s: ,,- . $$$% & r)rr) r~rrrrrsrrrrs@rrr#s7  rrc0\rSrSrSrSrSrSrSrSr g) PrologEpilogOpSaveRegi6UWOP_SAVE_NONVOLcgNrAre)rtunwcoders rrr/PrologEpilogOpSaveReg.length_in_code_structures9rc4URRS-$r)rGOffsetInQwordsr{s r get_offset PrologEpilogOpSaveReg.get_offset<s{{))A--rcg)N)UNWIND_CODE_SAVE_NONVOL)r]r^rzH,OffsetInQwordsrers rr!PrologEpilogOpSaveReg._get_format?rrc|S[URR-S-[UR 55-$Nz .SAVEREG r)rrGrrnrr{s rrPrologEpilogOpSaveReg.__str__Es0Yt{{77$>T__EVAWWWrreN r~rrrrrrrrrrrerrrr6s. Xrrc0\rSrSrSrSrSrSrSrSr g) PrologEpilogOpSaveRegFariIUWOP_SAVE_NONVOL_FARcgNrCrers rrr2PrologEpilogOpSaveRegFar.length_in_code_structuresLrrc.URR$rrGrUr{s rr#PrologEpilogOpSaveRegFar.get_offsetO{{!!!rcg)N)UNWIND_CODE_SAVE_NONVOL_FARr]r^rzI,Offsetrers rr$PrologEpilogOpSaveRegFar._get_formatRrrcS[URR-S-[URR5-$r)rrGrrnrUr{s rr PrologEpilogOpSaveRegFar.__str__Xs3Yt{{77$>T[[EWEWAXXXrreNrrerrrrIs" Yrrc0\rSrSrSrSrSrSrSrSr g) PrologEpilogOpSaveXMMi\UWOP_SAVE_XMM128cg)N)UNWIND_CODE_SAVE_XMM128)r]r^rzH,OffsetIn2Qwordsrers rr!PrologEpilogOpSaveXMM._get_format_rrcgrrers rrr/PrologEpilogOpSaveXMM.length_in_code_structureserrc4URRS-$r)rGOffsetIn2Qwordsr{s rr PrologEpilogOpSaveXMM.get_offseths{{**R//rcS[URR5-S-[UR 55-$Nz.SAVEXMM128 XMMr)rVrGrrnrr{s rrPrologEpilogOpSaveXMM.__str__ks0 3t{{#77$>T__EVAWWWrreN r~rrrrrrrrrrrerrrr\s 0Xrrc0\rSrSrSrSrSrSrSrSr g) PrologEpilogOpSaveXMMFarioUWOP_SAVE_XMM128_FARcg)N)UNWIND_CODE_SAVE_XMM128_FARrrers rr$PrologEpilogOpSaveXMMFar._get_formatrrrcgrrers rrr2PrologEpilogOpSaveXMMFar.length_in_code_structuresxrrc.URR$rrr{s rr#PrologEpilogOpSaveXMMFar.get_offset{rrcS[URR5-S-[URR5-$r)rVrGrrnrUr{s rr PrologEpilogOpSaveXMMFar.__str__~s3 3t{{#77$>T[[EWEWAXXXrreNrrerrrros "Yrrc\rSrSrSrSrSrg)PrologEpilogOpPushFrameiUWOP_PUSH_MACHFRAMEcJSURR(aS-$S-$)Nz .PUSHFRAMEz r)rGrr{s rrPrologEpilogOpPushFrame.__str__s!DKK,>,>yGGBGGrreN)r~rrrrrrrerrrrs HrrcJ^\rSrSrSrU4SjrSrSrSrSr Sr S r U=r $) PrologEpilogOpEpilogMarkeri UWOP_EPILOGc>SUl[US5(+Ul[[U]XX45 UR(a8[ USURR5 URS-S:HUlURUl g)NT SizeOfEpilogr9r) _long_offstr}_firstrpr#rsr*rGSizerr& _epilog_sizers rrs%PrologEpilogOpEpilogMarker.initializest!(N;;  ($: H  ;; Hndkk.>.> ?'2a7D $11rcZUR(aSURS-S:XaS4$S4$g)NUNWIND_CODE_EPILOGr9)zB,OffsetLow,Sizer^ B:4,Flags)zB,Sizer^r. B,OffsetLowz B:4,UnusedB:4,OffsetHigh)r-)r/r^r0)r(rrs rr&PrologEpilogOpEpilogMarker._get_formatsC ;;$??Q&!+B    rcR[US5(dURS-S:XaS$S$)Nr&r9rrA)r}rrs rrr4PrologEpilogOpEpilogMarker.length_in_code_structuress68^44(//A:MRS9S   rcURRUR(aURRS--$S-$)NrMr)rG OffsetLowr' OffsetHighr{s rr%PrologEpilogOpEpilogMarker.get_offsets@{{$$+/+;+;DKK " "a '  AB  rc(UR5S:$r.)rr{s rr#PrologEpilogOpEpilogMarker.is_valids 1$$rcUR5S:a5S[UR5-S-[UR55-$S$)Nrz EPILOG: size=z, offset from the end=-r)rrnr*r{s rr"PrologEpilogOpEpilogMarker.__str__sX 1$ $##$ %' ($//#$ %   r)r*r(r') r~rrrrrsrrrrrrrrrs@rr#r#s) 2.  %   rr#cT\rSrSrSr\\\\\ \ \ \ \ \\\\\\\\\\\0 r\S5rSrg)rpizBA factory for creating unwind codes based on the value of UnwindOpcvURnU[R;a[RU"5$S$r)UnwindOprp _class_dict)rcodes rrqPrologEpilogOpsFactory.creates@-999 # . .t 4 6  rreN)r~rrrrrrrrrrrrrrrrrrrrrrr$r#r? staticmethodrqrrerrrprps^L /22+/6/64/ K  rrpz!#$%&'()-@^_`{}~+,.;=[]c^Ub [U[[[45(dg[S-m[ U4Sj[ U555$)NFs\/c3,># UH oT;v M g7frre)rralloweds rr(is_valid_dos_filename..s,VG|Vs)rUrVrWriallowed_filenameallset)rrEs @ris_valid_dos_filenamerJs=y 1sE9&=>>'G ,SV, ,,rrrelax_allowed_charactersr c^SmU(aSmUSL=(a@ [U[[[45=(a [ U4Sj[ U555$)Ns ._?@$()<>s!"#$%&'()*+,-./:<>?[\]^_`{|}~@c3L># UHo[;=(d UT;v M g7fr)allowed_function_name)rr allowed_extras rr)is_valid_function_name.. s"SFq++AqM/AAFs!$)rUrVrWrirHrI)rrKrOs @ris_valid_function_namerQ sN!M;    T q3y1 2 T SCPQFS Src(\rSrSrSrSrSrSrSrSr Sr S r S r S r S rS rSrSrSrSrSrSrSrSrSrSrSrSrSrSrSrSrSr Sr!S r"S!r#S"r$S#r%S$r&S%r'S&r(S'r)S(r*S)r+S*S*S*\,S+4S,jr-S-r.S.r/S/r0S0r1S1r2S2r3S3r4S4r5S5r6S6r7SS7jr8S8r9SS9jr:S:r;S;rS>r?S?r@SS@jrASArBSBrCSCrDSSDjrESErFSFrGSGrHSSHjrISIrJSJrKSKrLSSLjrMSMrNSNrOSSOjrPSSPjrQSSQjrRSSRjrSSSrTSSTjrUSUrVSVrW\X4SWjrYSXrZSYr[SSZjr\S[r]S\r^S]r_S^r`S_raSS`jrbSSajrcSbrdScreSdrfSergSfrhSgriShrjSirkSjrlSkrmSlrnSmroSnrpSorqSprrSqrsSrrtSsruStrvSurwSvrxSwrySx\zSy\{4Szjr|S{r}S|r~S}rS~rSrSrSrSrSrSrSrSrSrg*)PEi aA Portable Executable representation. This class provides access to most of the information in a PE file. It expects to be supplied the name of the file to load or PE data to process and an optional argument 'fast_load' (False by default) which controls whether to load all the directories information, which can be quite time consuming. pe = pefile.PE('module.dll') pe = pefile.PE(name='module.dll') would load 'module.dll' and process it. If the data is already available in a buffer the same can be achieved with: pe = pefile.PE(data=module_dll_data) The "fast_load" can be set to a default by setting its value in the module itself by means, for instance, of a "pefile.fast_load = True". That will make all the subsequent instances not to load the whole PE structure. The "full_load" method can be used to parse the missing data at a later stage. Basic headers information will be available in the attributes: DOS_HEADER NT_HEADERS FILE_HEADER OPTIONAL_HEADER All of them will contain among their attributes the members of the corresponding structures as defined in WINNT.H The raw data corresponding to the header (from the beginning of the file up to the start of the first section) will be available in the instance's attribute 'header' as a string. The sections will be available as a list in the 'sections' attribute. Each entry will contain as attributes all the structure's members. Directory entries will be available as attributes (if they exist): (no other entries are processed at this point) DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances) DIRECTORY_ENTRY_EXPORT (ExportDirData instance) DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance) DIRECTORY_ENTRY_DEBUG (list of DebugData instances) DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances) DIRECTORY_ENTRY_TLS DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances) The following dictionary attributes provide ways of mapping different constants. They will accept the numeric value and return the string representation and the opposite, feed in the string and get the numeric constant: DIRECTORY_ENTRY IMAGE_CHARACTERISTICS SECTION_CHARACTERISTICS DEBUG_TYPE SUBSYSTEM_TYPE MACHINE_TYPE RELOCATION_TYPE RESOURCE_TYPE LANG SUBLANG )IMAGE_DOS_HEADER)z H,e_magiczH,e_cblpzH,e_cpzH,e_crlcz H,e_cparhdrz H,e_minallocz H,e_maxalloczH,e_sszH,e_spzH,e_csumzH,e_ipzH,e_csz H,e_lfarlczH,e_ovnoz8s,e_resz H,e_oemidz H,e_oeminfoz 20s,e_res2z I,e_lfanew)IMAGE_FILE_HEADER)z H,MachinezH,NumberOfSectionsI,TimeDateStampzI,PointerToSymbolTablezI,NumberOfSymbolszH,SizeOfOptionalHeaderzH,Characteristics)IMAGE_DATA_DIRECTORY)I,VirtualAddressI,Size)IMAGE_OPTIONAL_HEADER)H,MagicB,MajorLinkerVersionB,MinorLinkerVersion I,SizeOfCodeI,SizeOfInitializedDataI,SizeOfUninitializedDataI,AddressOfEntryPoint I,BaseOfCodez I,BaseOfDataz I,ImageBaseI,SectionAlignmentI,FileAlignmentH,MajorOperatingSystemVersionH,MinorOperatingSystemVersionH,MajorImageVersionH,MinorImageVersionH,MajorSubsystemVersionH,MinorSubsystemVersion I,Reserved1 I,SizeOfImageI,SizeOfHeaders I,CheckSum H,SubsystemH,DllCharacteristicszI,SizeOfStackReservezI,SizeOfStackCommitzI,SizeOfHeapReservezI,SizeOfHeapCommit I,LoaderFlagsI,NumberOfRvaAndSizes)IMAGE_OPTIONAL_HEADER64)r[r\r]r^r_r`rarbz Q,ImageBasercrdrerfrgrhrirjrkrlrmrnrorpzQ,SizeOfStackReservezQ,SizeOfStackCommitzQ,SizeOfHeapReservezQ,SizeOfHeapCommitrqrr)IMAGE_NT_HEADERS) I,Signature)IMAGE_SECTION_HEADER) z8s,Namez,I,Misc,Misc_PhysicalAddress,Misc_VirtualSizerXzI,SizeOfRawDataI,PointerToRawDatazI,PointerToRelocationszI,PointerToLinenumberszH,NumberOfRelocationszH,NumberOfLinenumbersI,Characteristics)IMAGE_DELAY_IMPORT_DESCRIPTOR)z I,grAttrszI,szNamezI,phmodzI,pIATzI,pINTz I,pBoundIATz I,pUnloadIATz I,dwTimeStamp)IMAGE_IMPORT_DESCRIPTOR)z$I,OriginalFirstThunk,CharacteristicsrVzI,ForwarderChainI,Namez I,FirstThunk)IMAGE_EXPORT_DIRECTORY) rxrVH,MajorVersionH,MinorVersionr{zI,BasezI,NumberOfFunctionszI,NumberOfNameszI,AddressOfFunctionszI,AddressOfNameszI,AddressOfNameOrdinals)IMAGE_RESOURCE_DIRECTORY)rxrVr}r~zH,NumberOfNamedEntrieszH,NumberOfIdEntries)IMAGE_RESOURCE_DIRECTORY_ENTRY)r{I,OffsetToData)IMAGE_RESOURCE_DATA_ENTRY)rrYz I,CodePagez I,Reserved)VS_VERSIONINFOzH,Lengthz H,ValueLengthzH,Type)VS_FIXEDFILEINFO) ruzI,StrucVersionzI,FileVersionMSzI,FileVersionLSzI,ProductVersionMSzI,ProductVersionLSzI,FileFlagsMaskz I,FileFlagszI,FileOSz I,FileTypez I,FileSubtypez I,FileDateMSz I,FileDateLS)StringFileInfor) StringTabler)Stringr)Varr)IMAGE_THUNK_DATA)z0I,ForwarderString,Function,Ordinal,AddressOfData)r)z0Q,ForwarderString,Function,Ordinal,AddressOfData)IMAGE_DEBUG_DIRECTORY)rxrVr}r~zI,Typez I,SizeOfDatazI,AddressOfRawDatarw)IMAGE_BASE_RELOCATION)rXz I,SizeOfBlock)IMAGE_BASE_RELOCATION_ENTRY)zH,Data)0IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION)I:12,PageRelativeOffsetI:1,IndirectCallz I:19,IATIndex)/IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION)rrzI:1,RexWPrefixz I:1,CfgCheckz I:1,Reserved)+IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION)rzI:4,RegisterNumber)IMAGE_TLS_DIRECTORY)zI,StartAddressOfRawDatazI,EndAddressOfRawDatazI,AddressOfIndexzI,AddressOfCallBacksI,SizeOfZeroFillrx)r)zQ,StartAddressOfRawDatazQ,EndAddressOfRawDatazQ,AddressOfIndexzQ,AddressOfCallBacksrrx)IMAGE_LOAD_CONFIG_DIRECTORY)+rYrVr}r~I,GlobalFlagsClearI,GlobalFlagsSetI,CriticalSectionDefaultTimeoutzI,DeCommitFreeBlockThresholdzI,DeCommitTotalFreeThresholdzI,LockPrefixTablezI,MaximumAllocationSizezI,VirtualMemoryThresholdI,ProcessHeapFlagszI,ProcessAffinityMask H,CSDVersion H,Reserved1z I,EditListzI,SecurityCookiezI,SEHandlerTablezI,SEHandlerCountzI,GuardCFCheckFunctionPointerz I,GuardCFDispatchFunctionPointerzI,GuardCFFunctionTablezI,GuardCFFunctionCount I,GuardFlagsH,CodeIntegrityFlagsH,CodeIntegrityCatalogI,CodeIntegrityCatalogOffsetI,CodeIntegrityReservedz I,GuardAddressTakenIatEntryTablez I,GuardAddressTakenIatEntryCountzI,GuardLongJumpTargetTablezI,GuardLongJumpTargetCountzI,DynamicValueRelocTablezI,CHPEMetadataPointerzI,GuardRFFailureRoutinez&I,GuardRFFailureRoutineFunctionPointerI,DynamicValueRelocTableOffsetH,DynamicValueRelocTableSection H,Reserved2z?I,GuardRFVerifyStackPointerFunctionPointerI,HotPatchTableOffset I,Reserved3zI,EnclaveConfigurationPointer)r),rYrVr}r~rrrzQ,DeCommitFreeBlockThresholdzQ,DeCommitTotalFreeThresholdzQ,LockPrefixTablezQ,MaximumAllocationSizezQ,VirtualMemoryThresholdzQ,ProcessAffinityMaskrrrz Q,EditListzQ,SecurityCookiezQ,SEHandlerTablezQ,SEHandlerCountzQ,GuardCFCheckFunctionPointerz Q,GuardCFDispatchFunctionPointerzQ,GuardCFFunctionTablezQ,GuardCFFunctionCountrrrrrz Q,GuardAddressTakenIatEntryTablez Q,GuardAddressTakenIatEntryCountzQ,GuardLongJumpTargetTablezQ,GuardLongJumpTargetCountzQ,DynamicValueRelocTablezQ,CHPEMetadataPointerzQ,GuardRFFailureRoutinez&Q,GuardRFFailureRoutineFunctionPointerrrrz*Q,GuardRFVerifyStackPointerFunctionPointerzI,HotPatchTableOffsetrzQ,EnclaveConfigurationPointer)IMAGE_DYNAMIC_RELOCATION_TABLE)z I,VersionrY)IMAGE_DYNAMIC_RELOCATION)I,SymbolI,BaseRelocSize)IMAGE_DYNAMIC_RELOCATION64)Q,Symbolr)IMAGE_DYNAMIC_RELOCATION_V2) I,HeaderSizeI,FixupInfoSizer I,SymbolGroupI,Flags)IMAGE_DYNAMIC_RELOCATION64_V2)rrrrr)IMAGE_BOUND_IMPORT_DESCRIPTOR)rVH,OffsetModuleNamezH,NumberOfModuleForwarderRefs)IMAGE_BOUND_FORWARDER_REF)rVrz H,Reserved)RUNTIME_FUNCTION)zI,BeginAddressz I,EndAddressz I,UnwindDataNxcX@lXPlSUl/Ul/UlSUlUcUc [ S5e/UlSUlSUl SUl SUl SUl SUl [R[R [R"S.UlUbUO ['5SnUR)XU5 g! UR+5 e=f)NzMust supply either name or dataFr)rCrErG fast_load)max_symbol_exportsmax_repeated_symbol_get_section_by_rva_last_usedsections _PE__warningsrrJ__structures___PE__from_fileFileAlignment_WarningSectionAlignment_Warning!_PE__total_resource_entries_count_PE__total_resource_bytes_PE__total_import_symbolsrS;__IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION_format__:__IMAGE_INDIR_CONTROL_TRANSFER_DYNAMIC_RELOCATION_format__6__IMAGE_SWITCHTABLE_BRANCH_DYNAMIC_RELOCATION_format__#dynamic_relocation_format_by_symbolglobals __parse__close)rtr r0rrrs rrq PE.__init__ s#5#6 -1*  ? ? !&+"(-%/0+'(#&'#MMLLHH4 0 "+!6IGIk     & ""9-  OO " "IPP1I{    9 A;.A66A;c[XS9nURU5 UR R U5 U$![a8nURR SR USX555 SnAgSnAff=fr)rr-rrrrrrs r__unpack_data_with_bitfields__!PE.__unpack_data_with_bitfields__| s} +6K     & ""9-  OO " "IPP1I{    rc Ub[R"U5nURS:Xa [S5eSn[ US5nUR 5Ul[ [S5(a6[R"UR S[R5Ul O3[R"UR S[RS9Ul SUl UbUR5 OUb X l S Ul [!UR5UlS UlU(d['[)UR55R+5HupUS:XaU [!UR5- S :d&US:wdM/U [!UR5- S :dMMUR,R/SRUSU -[!UR5- 55 M URSSn [!U 5S:wa [S5eUR1UR2U SS9UlUR4R6[8:Xa [S5eUR4(aUR4R6[::wa [S5eUR4R<[!UR5:a [S5eUR4R<n UR1UR>URXS-U S9Ul UR@(aUR@RB(d [S5eSUR@RB-[D:Xa [S5eSUR@RB-[F:Xa [S5eSUR@RB-[H:Xa [S5eSUR@RB-[J:Xa [S5eUR@RB[L:wa [S5eUR1URNURU S-U S-S-U S-S9Ul([S[TS 5n URP(d [S!5e[WURPURPRXU 5 U S-URPR[5-n XRPR\-nUR1UR^URXS"-U S9Ul0S#nUR`cW[!URXS$-5U:a9S%nURXS$-S&U--nUR1UR^UU S9Ul0UR`bUR`Rb[d:Xa [dUl3OUR`Rb[h:Xa[hUl3UR1URjURXS$-U S9Ul0S'nUR`cW[!URXS$-5U:a9S%nURXS$-S&U--nUR1URjUU S9Ul0URP(d [S!5eUR`c [S(5eURfc>UR,R/S)RUR`Rb55 [S[lS*5n[WUR`UR`RnU5 /UR`l8XR`R[5-nURPUR@l(UR`UR@l0UR`RrUR`Rt:aUR,R/S+5 UR`RvS,:a2UR,R/S-UR`Rv-5 S"n[y[{S.UR`Rv-55Hn[!UR5U- S:Xa O[!UR5U- S:aURUSS/-nOURUUU-nUR1UR|UUS9nUc Op[~UUl@UUR[5- nUR`RpR/U5 UXR`R[5-S%-:dM O URU5nURVs/sHEnURS:dMURURUR`R5PMG nn[!U5S:a [U5nOSnU(aUU:aURSUUlIOURSUUlIURUR`Rr5bqURUR`Rr5nU[!UR5:a2UR,R/S0UR`Rr-5 O2UR,R/S1UR`Rr-5 U(dUR5 gg![a>nSRU5nU=(a S U-n[S RX55eSnAff=f!UbUR5 ff=f![[4a  GMf=fs snf)2zParse a Portable Executable file. Loads a PE file, parsing all its structures and making them available through the instance's attributes. NrzThe file is emptyrb MAP_PRIVATE)accessTrz: %szUnable to access file '{0}'{1}Fg?g333333?zeByte 0x{0:02x} makes up {1:.4f}% of the file's contents. This may indicate truncation / malformation.gY@rcz9Unable to read the DOS Header, possibly a truncated file.rZz)Probably a ZM Executable (not a PE file).zDOS Header magic not found.z.Invalid e_lfanew value, probably not a PE filerMzNT Headers not found.rz0Invalid NT Headers signature. Probably a NE filez0Invalid NT Headers signature. Probably a LE filez0Invalid NT Headers signature. Probably a LX filez0Invalid NT Headers signature. Probably a TE filezInvalid NT Headers signature.rEr5 IMAGE_FILE_zFile Header missingrgrEr#rerArz5No Optional Header found, invalid PE32 or PE32+ file.z*Invalid type 0x{0:04x} in Optional Header.IMAGE_DLLCHARACTERISTICS_zXSizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.r6zsSuspicious NumberOfRvaAndSizes in the Optional Header. Normal values are never larger than 0x10, the value is: 0x%xsz[Possibly corrupt file. AddressOfEntryPoint lies outside the file. AddressOfEntryPoint: 0x%xzTAddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x%x)Mosstatst_sizeropenfilenor}rrrt ACCESS_READrIOErrorr ExceptionrrF$_PE__resource_size_limit_upperbounds _PE__resource_size_limit_reachedrrir rrr__IMAGE_DOS_HEADER_format__ DOS_HEADERe_magicIMAGE_DOSZM_SIGNATUREIMAGE_DOS_SIGNATUREe_lfanew__IMAGE_NT_HEADERS_format__ NT_HEADERSr@IMAGE_NE_SIGNATUREIMAGE_LE_SIGNATUREIMAGE_LX_SIGNATUREIMAGE_TE_SIGNATUREIMAGE_NT_SIGNATURE__IMAGE_FILE_HEADER_format__ FILE_HEADERr\IMAGE_CHARACTERISTICSrcrzr&SizeOfOptionalHeader __IMAGE_OPTIONAL_HEADER_format__rjMagicrrr"__IMAGE_OPTIONAL_HEADER64_format__DLL_CHARACTERISTICSDllCharacteristicsDATA_DIRECTORYAddressOfEntryPoint SizeOfHeadersNumberOfRvaAndSizesrr%__IMAGE_DATA_DIRECTORY_format__DIRECTORY_ENTRYr KeyErrorAttributeErrorparse_sectionsrr]rirkrrheaderget_section_by_rvar full_load)rtfnamer0rrfdexcp exception_msgbyte byte_countdos_header_datant_headers_offset image_flagsoptional_header_offsetsections_offset&MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZEpadding_length padded_datadll_characteristics_flagsr)MAX_ASSUMED_VALID_NUMBER_OF_RVA_AND_SIZESrN dir_entryrrawDataPointerslowest_section_offset ep_offsets rr PE.__parse__ s   775>D||q #$788B %& iik 4//$(IIdkk1d>N>N$ODM%)IIdkk1TEUEU$VDM#' >HHJ   M$D 25T]]1C.-2*$+Idmm,D$E$K$K$M  AI*s4==/A"AC"GAI*s4==/A"AD"HOO**L &uz'9C > ?? # #c$--&8 8 PQ Q OO44..  , , MM+!.C D)/ doo&?&? 78 8 T__.. .3E E RS S T__.. .3E E RS S T__.. .3E E RS S T__.. .3E E RS S ?? $ $(: : ?@ @//  - - MM+a/2Ca2G"2L M)A-0  %%:MJ  56 6 $""D$4$4$D$DkR!2Q!69I9I9P9P9R!R13C3C3X3XX#33  1 1 MM0C3O P. 4  24.  ( 4PU7UV66!N--&%)G')K$(#7#7552$8$D     +##))-EE7 %%++/LL< '+';';;;MM.%1O!7 (<($:@6((0 2e5S > >&)N"&--.%1O#/#1K,0+?+???#$:,@,D(  56 6    ' WX X <<  OO " "<CC((..  %3 !<% !    3 3 % /1+'*>*>*E*E*GG&*&6&6#*.*>*>'  4 4""00 1 OO " ".     3 3d : OO " "O&&::;  5:1s:(<(<(P(PPQRA4==!F*a/4==!F*Q.}}VW- 9}}V&OO,,44d-I  !0!3  i&&( (F  / / 6 6y A&)=)=)D)D)FFOWSZ$$_5]]  #!!A%  D % %""D$8$8$F$F #    ! #$'$8 !$( !$(=(F--0DK--(>)>?DK  # #D$8$8$L$L M  00$$88I3t}}--&&7**>>? OO " ",.2.B.B.V.VW   NN o   % T 2 - J6M3I 4;;EQ >HHJ"Hn-  > sBB&k+m'm(?4m(+ l359l..l33l66m m%$m%c @SnSnURRSSURR55nUS:XagURSUS-nUSS[ [ U5S- 5-n[ [R"S R[ [ U5S- 55U55nX%;ag[R"S XURU5S -5nS U0nUSURS5nXS 'Sn [5n [U5H3upU RU "U 5U "Xk[ U5-5- 5 M5 [!U 5US'US n USU - U:wdUSU :wd USU :wagXS'/nXS'USSn[#[ [ U5S- 55HWnUSU-U:Xa-USU-S -U :waUR$RS5 U$XSU-U - USU-S -U - /- nMY U$![a gf=f)zParses the rich header see http://www.ntcore.com/files/richsign.htm for more information Structure: 00 DanS ^ checksum, checksum, checksum, checksum 10 Symbol RVA ^ checksum, Symbol size ^ checksum... ... XX Rich, checksum, 0, 0,... iDanSiRichsRichreNrMrEz<{0}I&PE.parse_rich_header..0 sz!S'9'9Q@q@r clear_datarrArCchecksumrzRich Header is malformed)rtfindrjrr%rFlistrGrHrrr1indexrir)rrWrr)rtDANSRICH rich_index rich_datar0r,resultr,ord_r0r+r&r1 headervaluesrNs rparse_rich_headerPE.parse_rich_header s]]]'' T4//??A     dZ!^(?$?@I gnnSY!1C-DEyQD kk$ZZ%5%9 :;6y~~g67%z@[ !(+HC   tCy4#c(N0C+DD F,$Z0|7 7X  %aH)<Q8@S%z 'xABxs3t9q=)*AAE{d"A ?h.OO**+EF   !a%[83T!a%!)_x5OP PL+ W  sA8H HHcUR$)zReturn the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method returns the full list. )rr{s rrPE.get_warningsS srcBURHn[SU5 M g)zPrint the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method prints the full list to standard output. >N)rprint)rtwarnings r show_warningsPE.show_warnings] sG #w 'rcUR5 "SS5nUR5nU(aU"5UlURSS5URlURSS5URlURSS5URlURSS5URlURSS5URlgSUlg) zProcess the data directories. This method will load the data directories which might not have been loaded if the "fast_load" option was used. c\rSrSrSrg) PE.full_load..RichHeaderiq reN)r~rrrrrerr RichHeaderrHq s rrIr1Nrr,r,r0) parse_data_directoriesr< RICH_HEADERr=r1rr,r,r0)rtrI rich_headers rr PE.full_loadh s ##%  ,,. )|D (3 D(ID   %&1ooh&ED   ##.??5$#?D   (3 D(ID   %*5//,*MD   '#D rc [UR5nURH;n[UR55nUR 5nXBXU[ U5-&M= [ US5(Ga([ US5(GaURGHnUHn[ US5(dMURHn[URR55HupURU n URU n [ U5U S:a?URS5RS5n U SU SS-UU SU SU SS--&MtURS5RS5n U UU SU S[ U 5-&M M M GM UnU(dU$[!US 5nUR#U5 UR%5 g) aMWrite the PE file. This function will process all headers and components of the PE file and include all changes made (by just assigning to attributes in the PE objects) and write the changes back to a file whose name is provided as an argument. The filename is optional, if not provided the data will be returned as a 'str' object. rFileInforr9rrENrAzwb+)rirtrr4rrFr}rOrr3entriesr entries_offsetsentries_lengthsrJrkrwriter)rtfilename file_datar struct_datarfinforst_entryr,offsetslengthsrM encoded_data new_file_datars rrSPE.write sdmm, ,,I#I$6$6$89K..0F,1LL,A,H,H,T-..> Q,?)2,3AJgajSTn9T)*8=||G7L7S7S,68* -9)2,3AJc,FW9W)*%3Q->"'+4"  5 !    rc4 /UlSn[URR5GH nU[:aFUR R SRURR[55 GOSn[URUS9nU(d GOXR5U--nURU5 URXfUR5-n[U5UR5:Xa"UR R SUS35 GOU(d"UR R SUS35 GOURU5 URR U5 UR UR"-[%UR5:a$US- nUR R S US 35 UR'UR"UR(R*5[%UR5:a$US- nUR R S US 35 UR,S :a$US- nUR R S US35 UR/UR0UR(R2UR(R*5S :a$US- nUR R S US35 UR(R*S:waKUR"UR(R*-S:wa$US- nUR R S US35 XB:aUR R S5 O[5[6S5n[9XUR:U5 UR<R?SS5(auUR<R?SS5(aTUR@RCS5S:XaURE5(aOUR R SUS35 URR U5 GM URRGSS9 [IUR5HKupU [%UR5S- :Xa SUl%M*URU S-R0Ul%MM URRS:aGUR(a6XRSR5URR--$U$)aFetch the PE file sections. The sections will be readily available in the "sections" attribute. Its attributes will contain all the section information plus "data" a buffer containing the section's data. The "Characteristics" member will be processed and attributes representing the section characteristics (with the 'IMAGE_SCN_' string trimmed from the constant's names) will be added to the section instance. Refer to the SectionStructure class for additional info. rCzToo many sections {0} (>={1})r)rzInvalid section z. Contents are null-bytes.z8. No data in the file (is this corkami's virtsectblXP?).r9zError parsing section z$. SizeOfRawData is larger than file.z5. PointerToRawData points beyond the end of the file.rz'Suspicious value found parsing section z*. VirtualSize is extremely large > 256MiB.z&. VirtualAddress is beyond 0x10000000.z. PointerToRawData should normally be a multiple of FileAlignment, this might imply the file is trying to confuse tools which parse this incorrectly.z,Too many warnings parsing section. Aborting.r{rFrrAsPAGEz!Suspicious flags set for section zf. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set. This might indicate a packed executable.cUR$r)r^)as rr.#PE.parse_sections..4s )9)9r)r,N)&rrrNumberOfSections MAX_SECTIONSrrrr[__IMAGE_SECTION_HEADER_format__r&r rtr1r-rr_r]rFrirjrkr`ror^rpr\r|rcrzr^r=NamerK is_driversortr)r) rtrMAX_SIMULTANEOUS_ERRORSrNsimultaneous_errorssectionsection_offset section_datar~r+s rrPE.parse_sections s "#t''889AL &&3::((99< "# &t'K'KPTUG#nn&6&::N  # #N 3=='..2B!BLL)W^^-==&&)9!*>*L*LDMM"#$q(#&&,QC0++ ''*4#q(#&&=aSA00 ,,**((99((66  $q(#&&=aSA)) $$22a7--0D0D0R0RRWXX#q(#&&04SS#=&&'UV*+BLQM g66 F##%u""&&'>FF<<&&w/7:t~~?O?OOO**;A3?CC MM  )Q:Z 9:%dmm4LCc$--(1,,7;47;}}!G8 .4 5    , ,q 0T]]q)002T5E5E5V5VVV Mrc $SUR4SUR4SUR4SUR4SUR4SUR 4SUR 4SUR4S UR4S UR44 nUb[U[[45(dU/nUGHn[US nURRUnUbXa;aS nUR"(aU(a)US S:Xa US "UR"UR$SS9nOQU(a)US S:Xa US "UR"UR$SS9nO!US "UR"UR$5nU(a[-XS SS U5 UcM[U[5(dMUS U;dGMUR/U5 GM g ![ a  g f=f![&a.n UR(R+SUS SU 35 S n A NS n A ff=f)aParse and process the PE file's data directories. If the optional argument 'directories' is given, only the directories at the specified indexes will be parsed. Such functionality allows parsing of areas of interest without the burden of having to parse all others. The directories can then be specified as: For export / import only: directories = [ 0, 1 ] or (more verbosely): directories = [ DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'], DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT'] ] If 'directories' is a list, the ones that are processed will be removed, leaving only the ones that are not present in the image. If `forwarded_exports_only` is True, the IMAGE_DIRECTORY_ENTRY_EXPORT attribute will only contain exports that are forwarded to another DLL. If `import_dllnames_only` is True, symbols will not be parsed from the import table and the entries in the IMAGE_DIRECTORY_ENTRY_IMPORT attribute will not have a `symbols` attribute. r?r>r@rHrFrNrPrVrRrBNrr9T)forwarded_only) dllnames_onlyzFailed to process directoty "z": rI)parse_import_directoryparse_export_directoryparse_resources_directoryparse_debug_directoryparse_relocations_directoryparse_directory_tlsparse_directory_load_configparse_delay_import_directoryparse_directory_bound_importsparse_exceptions_directoryrUrr3r rjr IndexErrorr^r)rrrr*remove) rt directoriesforwarded_exports_onlyimport_dllnames_onlydirectory_parsingrdirectory_indexr$rbrs rrJPE.parse_data_directoriesDs"@,T-H-H I +T-H-H I -t/M/M N *D,F,F G .0P0P Q ($*B*B C 0$2R2R S 143T3T U 143U3U V .0O0O P    "kE4=99*m &E "1%("; 00??P "o&D++.!!H(FF %a%44%NN+/! -!!H(FF %a%44innTX! $)!HY-E-Ey~~$VE AhqrlE:({D111X,""?3a'   < - OO22"?azTF Ss*-%G G GG H!$H  HcpURR[S:wa"URR[S:wag[UR5nUR 5n0n/n0n[ X$-5GHnURURURX5URU5S9nUc GOiSn URS-S:XGa"URU;aXsRn O0[URUR5S9n XUR'U RURURU R 555n U S:waURRU 5 OU RURURU R 555n U S:waURRU 5 OLURRU 5 [!X9S9n URU 5 XUR"'X- nGM UHnUR$cM['UR$S5(dM/UR$R(U;a:URRS UR*R-5S S 35 MUR$R/XSR$R(5 M U$![0aFn URRS UR*R-5S S U 35 Sn A GMSn A ff=f)zParses exception directory All the code related to handling exception directories is documented in https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details rrNrZr9r)rG unwindinforiz FunctionEntry of UNWIND_INFO at rlz' points to an entry that does not existz/Failed parsing FunctionEntry of UNWIND_INFO at z: )rMachine MACHINE_TYPEr__RUNTIME_FUNCTION_format__r&rrrr UnwindDatarWr{rrrrU BeginAddressrr}rirGrrr) rtrrrfrf_sizerva2rtrt_funcs rva2infosruiwsrrs rrzPE.parse_exceptions_directorys    $ $ 5O(P P  ((L9R,SS t77 8))+ t'A%%00 c+ 44S9&B zB #) MMY."==1B#0H0H0WXB/1bmm,((r}}biik)RS:OO**2.((r}}biik)RS:OO**2.##**2.*"DE OOE "&+2?? # NCQ(VB}}$ 2==/::==..&8&&6ryy7P7P7RST6U=>  88==667!4! &&Eyy00215Rv?  s.1K%% L5/:L00L5c  [UR5nUR5nUn/nURURURXU-US9nUcUR R S5 gUR5(aU$XR5- nURU5nURU5nUc[UR5U- n URV s/sH!n U RU:dMU RPM# n n U (a.[U 5n URU 5nUbURU- n O)UR[UR55-U- n U(d+UR R SRU55 g/n [![UR"[%U S- 555HnURUR&URXU-US9nU(d [)S5eXR5- nX_R*-nUR-SURUU[.-5nU(aR[1U5Vs/sH$n[3U5[4R6;dM"UPM& nn[U5S:dU(a OU R [9UUS 95 M XSR*-nUR-SURUU[.-5nU(aS[1U5Vs/sH$n[3U5[4R6;dM"UPM& nn[U5S:dU(aU$U(dU$UR [;UUU S 95 GMVs sn fs snfs snf) rrZNz7The Bound Imports directory exists but can't be parsed.zHRVA of IMAGE_BOUND_IMPORT_DESCRIPTOR points to an invalid address: {0:x}rMz(IMAGE_BOUND_FORWARDER_REF cannot be readrrg)rGr )rGr rP)r(__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__r&rrtrrr#get_section_by_offsetrrFrr]rrrrrNumberOfModuleForwarderRefsr%$__IMAGE_BOUND_FORWARDER_REF_format__rOffsetModuleNameget_string_from_dataMAX_STRING_LENGTHrirLrrCrSrO)rtrr bnd_descrbnd_descr_sizeru bound_importsrjr safety_boundaryrsections_after_offsetfirst_section_after_offsetforwarder_refsr bnd_frwd_refrname_strr invalid_charss rry PE.parse_directory_bound_importssdKKL "))+ ,,== c.$89-I  &&M##%%vs ##% %C005G2237K"%dmm"4{"B"]])*))K7'A&&*&) )255J1K."889STG**1*B*B[*P,,s73C3C3E/FFT &&7fSk  NI993QR?R;ST $33==MM#n(<= # 4  $'(RSS**,,!>!>>44t}}Vf7H.HI#,X#6%#6a#a&HXHX:X#6"%8}s*m%%&lJAH777F004==&3D*DEH(2!2!c!fFDTDT6TA2!x=3&-  #$8^ O4)j% !s$)NN*!NN!N 9N c lURnUR[:Xa URnUR UUR U[ U5R55URU5S9nU(dg[US9$![a# URRSU-5 SnN=f=f)rrZz5Invalid TLS information. Can't read data at RVA: 0x%xNr) __IMAGE_TLS_DIRECTORY_format__rr __IMAGE_TLS_DIRECTORY64_format__rrrr&rrrrrM)rtrrr tls_structs rrvPE.parse_directory_tlsws 44 <<8 8::F -- c9V#4#;#;#=> 44S9.Jj))  OO " "JSP J  sAB*B32B3c UR[:XaURU5nURnONUR[:XaURU5nUR nOUR RS5 gSnSnUSH-nUS- nU[URS5S- nXc:XdM- O USUSSU4nSnURUURU[U5R55URU5S9nU(dgSn US:a&UR!UR"UR$5n ['XS 9$![a! UR RSU-5 Nif=f) rzGDon't know how to parse LOAD_CONFIG information for non-PE32/PE32+ fileNrr9rrZz=Invalid LOAD_CONFIG information. Can't read data at RVA: 0x%xrC)rGdynamic_relocations)rrget_dword_at_rva&__IMAGE_LOAD_CONFIG_DIRECTORY_format__r(__IMAGE_LOAD_CONFIG_DIRECTORY64_format__rrrrrrrr&rrparse_dynamic_relocationsDynamicValueRelocTableOffsetDynamicValueRelocTableSectionrQ) rtrrload_config_dir_szrfields_counter cumulative_szfieldload_config_structrs rrwPE.parse_directory_load_configs <<3 3!%!6!6s!; @@F \\: :!%!6!6s!; BBF OO " "  AYE a N 0S1A!1DE EM2  )VAY78! !%!5!5 c9V#4#;#;#=> 44S9"6" "" B "&"@"@"??"@@#  %    OO " "RUXX  s AE(E<;E<cU(dgU(dgU[UR5:agURUS- nURU-nSn[UR5R 5nUR URURXF5URU5S9nURS:wa'URRSUR5 gXF- nXER-n/nXG:GaURn UR[ :Xa UR"n [U 5R 5n UR U URXJ5URU5S9n U (dU$XJ- nU R$n U R&n SU s=::aS::a;O O8UR)XMUR*U 5nUR[-XUS95 U S:a*UR)XM5nUR[-XUS95 XM- nXG:aGMU$![a" URRSU-5 GNf=f![a$ URRSU-5 Sn GNf=f) Nr9rZzPInvalid IMAGE_DYNAMIC_RELOCATION_TABLE information. Can't read data at RVA: 0x%xzDNo pasring available for IMAGE_DYNAMIC_RELOCATION_TABLE.Version = %d> c4 44S90D0 , , 3 3q 8 OO " "V088  999 i==F||<<CC (//1H #"22MM#0 $ 8 8 =3 4#"1 OC ''F,,DFa"CCtGGO $**)*{ z"CCCN #**)*{ KC]i`#"C  OO " "$&)*  >! #&&(*-.#  #s$29H/I (I I  *I:9I:c$URX5$)r)r)rtrrs rruPE.parse_relocations_directory"s44S??rc[UR5R5nX-n/nX:GaURURUR X5UR U5S9nU(dU$URURR:a+URRSUR-5 U$URURR:a+URRSUR-5 U$Uc-URX-URURU- 5nO-URX-URURU- U5nUR[XxS95 UR(dU$XR- nX:aGMU$![ a$ URRSU-5 SnGNvf=f)NrZrzEInvalid relocation information. VirtualAddress outside of Image: 0x%xz9Invalid relocation information. SizeOfBlock too large: %drGrP)r __IMAGE_BASE_RELOCATION_format__r&rrrrrrr^rj SizeOfImage SizeOfBlockparse_relocationsparse_relocations_with_formatrB) rtrrrrrwrrlc reloc_entriess rr#PE.parse_image_base_relocation_list'sTBBCJJLj i **99MM#0 $ 8 8 =+D?!!D$8$8$D$DD&&&(+(:(:;4-!5!5!A!AA&& __-"{ $ 6 6NC$6$6(8R! !% B BNC$6$6(8RTW!    1T U?? ?? "CiilU! &&(*-.  s9F33*G! G!c tURX5nURU5n/n[ 5n[ [[U5S- 55HnURURXHS-US-S-US9n U (d U$U Rn U S- n U S-n X4U;a#URR SX--5 U$URX45 UR [XX,U-S 95 XYR5- nM U$![a$ URR SUS35 /s$f=f) rBad RVA in relocation data: 0xrlrAr9rZrUrG3Overlapping offsets in relocation data at RVA: 0x%x)rGrFrIr)rrrrrrIrr%rFr&__IMAGE_BASE_RELOCATION_ENTRY_format__rHrxrDr&) rtdata_rvarrr0r rPoffsets_and_typer+rrJ reloc_type reloc_offsets rrPE.parse_relocationsdsg ==0D228 )K9-<I  OO " "%CHQ<#P QI s"D +D76D7c ZURX5nURU5n[ U5R 5n/n[5n [[[U5U- 55Hn URUXZU-U S-U-US9n U (d U$U Rn X;a#URR SX--5 U$U RU 5 UR [XX-S95 Xg- nM U$![a$ URR SUS35 /s$f=f)rrrlr9rZr)rGrIr)rrrrrrr&rIrr%rFrPageRelativeOffsetrxrD) rtrrrrr0r  entry_sizerPrYr+rrs rr PE.parse_relocations_with_formatsO ==0D228?'8E  !33L&&&#&2&8: KK % NNe|?QR   %K/62A  OO " "%CHQ<#P QI s"C<<+D*)D*c [UR5R5n/n[[ X#- 55GH nUR XU--U5nURURUURXU--5S9nU(d gSnURS:XaGOURS:XGaURn URn URXU -n U SSS:XGaS/S Q/n U [U 5R5- n U S :a#U SRS RU 55 URXU 5nUb[ R""S S UR$-5S Ul[)[*R,"UR.UR0UR2UR4UR6UR&4S95R9SS5R;5UR<S-UlGO&U SSS:Xa]S/SQ/nU [U5R5- n U S :a#USRS RU 55 URXU 5nOURS:XaURn URn URXU -n S/SQ/nURXU 5nU(agUR@S;aWU [U5R5- nUS :a#USRSRU55 URXU 5nUR[CXxS95 GM U$![ a" URRSU-5  gf=f)rz7Invalid debug information. Can't read data at RVA: 0x%xNrZr9rArEsRSDS CV_INFO_PDB70)z4s,CvSignaturezI,Signature_Data1zH,Signature_Data2zH,Signature_Data3zB,Signature_Data4zB,Signature_Data5z6s,Signature_Data6I,Agerz{0}s,PdbFileNamez>Q)fields-XsNB10 CV_INFO_PDB20)zI,CvHeaderSignaturezI,CvHeaderOffsetrurIMAGE_DEBUG_MISC)z I,DataTypezI,Lengthz B,Unicodez B,Reserved1rrr9z {0}s,Data)rGr)"r __IMAGE_DEBUG_DIRECTORY_format__r&rr%rrrrrrTyper] SizeOfDatartrrGrHSignature_Data6Signature_Data6_valuerVuuidUUIDSignature_Data1Signature_Data2Signature_Data3Signature_Data4Signature_Data5replaceupperAgeSignature_StringUnicoder>)rtrrdbg_sizedebugr+r0dbgdbg_typedbg_type_offset dbg_type_size dbg_type_data__CV_INFO_PDB70_format__pdbFileName_size__CV_INFO_PDB20_format_____IMAGE_DEBUG_MISC_format__dbg_type_partial data_sizes rrtPE.parse_debug_directorysTBBCJJLT_-.C }}Sc>%98D&&55 44Sc>5IJ'C  Hxx1}Q"%"6"6 # $ # &E! !!$/(  0,& 2J(K(R(R(TT%(!+03::.556FG $330 H +9? 'H,D,D"D::6 $ (0(@(@(0(@(@(0(@(@(0(@(@(0(@(@(0(F(F ,& !" %WS"-"UW!)a 02!1$#2A&'1(0,& 2J(K(R(R(TT% (!+03::.556FG $330 HQ"%"6"6 # $ # &E! ' 0,$(#7#70$ $'//69)'(DELLNO"%q=8;BB + 2 29 =$(#7#78$ LL#> ?C/F A! &&PSVV  sM  (M87M8c  UcU/nUcUnU[:a%URRSU[4-5 gURU[ UR 5R 55nURUR UURU5S9nUcURRSU-5 g/nXR 5- nURUR-n Sn X:a URRSX4-5 gU=RU - sl UR[:a/URRSUR[4-5 g/n Sn [U 5GH\n UR(dUUR UR":a;S UlURRS UR UR"4-5 UR%U5nUc"URRS X4-5 GOSnSnUR&S -S - nU(d UR&nOX>R(-n[+UU5nU=R UR-5- slU (aCU SU:a:U SU:a1U R/5 URRSU-5 GOUUUR-5-4n U RU5 UR0(GaX>R2-U;a GOUR5X>R2-X!U- - UUS-XSUR2-/-S9nU(d GOSnU[6S:XGa*0nUR8GHn[;US5(dM0nUR<R8HnUb?[;US5(a.UR>R@RBb URDcMGUR>R@RFnUR>R@RBnURDnURUU5nUU5S- S-U5 URMU5 M UUR<l'GM UR[QUUUUS95 OURSX>R2-5nU(a_U=R URB- sl[UUUR&S-UR&S- S9nUR[QXUUS95 O OUS:XaURV[6S:XarU(aUS nWR<R8SR<R8nUH2n Sn!U R>R@n!U!cM!URYU!5 M4 XR 5- nGM_ U V"s/sHn"U"R[5PM n#n"U#R]5 [_U 5Hun n"U"Ra5 M [cXxS!9n$U$$![a! URRSU-5 gf=f![a" URRSU-5 GNf=f![a' URRSUSSU35 GM!f=f! GN'=f! GN=fs sn"f)"aXParse the resources directory. Given the RVA of the resources directory, it will process all its entries. The root will have the corresponding member of its structure, IMAGE_RESOURCE_DIRECTORY plus 'entries', a list of all the entries in the directory. Those entries will have, correspondingly, all the structure's members (IMAGE_RESOURCE_DIRECTORY_ENTRY) and an additional one, "directory", pointing to the IMAGE_RESOURCE_DIRECTORY structure representing upper layers of the tree. This one will also have an 'entries' attribute, pointing to the 3rd, and last, level. Another directory with more entries. Those last entries will have a new attribute (both 'leaf' or 'data_entry' can be used to access it). This structure finally points to the resource data. All the members of this structure, IMAGE_RESOURCE_DATA_ENTRY, are available as its attributes. NzNError parsing the resources directory. Excessively nested table depth %d (>%s)zCInvalid resources directory. Can't read directory data at RVA: 0x%xrZzDInvalid resources directory. Can't parse directory data at RVA: 0x%xr*zNError parsing the resources directory. The directory contains %d entries (>%s)zRError parsing the resources directory. The file contains at least %d entries (>%d)TzGResource size 0x%x exceeds file size 0x%x, overlapping resources found.zHError parsing the resources directory, Entry %d is invalid, RVA = 0x%x. r7rrr9z^Error parsing the resources directory, attempting to read entry name. Entry names overlap 0x%xznError parsing the resources directory, attempting to read entry name. Can't read unicode string at offset 0x%x)rIleveldirsr directoryr0z2Error parsing resource of type RT_STRING at RVA 0xrlz with size r6)rGr idrirQ)rGlangsublang)rGr rr0r$r*r)2MAX_RESOURCE_DEPTHrrrr#__IMAGE_RESOURCE_DIRECTORY_format__r&rrrNumberOfNamedEntriesNumberOfIdEntriesrMAX_RESOURCE_ENTRIESrrrrparse_resource_entryre NameOffsetrrrDataIsDirectoryOffsetToDirectoryrs RESOURCE_TYPErPr}rr0rGr)r OffsetToDatarRr%updatestringsr:parse_resource_data_entryr<Idparse_version_informationrrgr)rr7)%rtrrrIr r r0 resource_dir dir_entriesnumber_of_entriesMAX_ALLOWED_ENTRIESstrings_to_postprocesslast_name_begin_endr+res entry_nameentry_idname_is_string ustr_offsetentry_directoryr resource_idresource_strings resource_langstring_entry_rvastring_entry_sizestring_entry_idstring_entry_datarG entry_data last_entryversion_entries version_entryrt_version_structr string_rvasresource_directory_datas% rrsPE.parse_resources_directorycsA. <5D  H % % OO " ":=BDV668LMN  !# #*+C66//$2X2XX6:2&&'33>>++C0C{&&8;>*EJH!hh3:N!88&7  !B4!UJ//:3R3R3TT/++A.</2kA/224..7:EG $#j&E&E&GG+' +11*="""333t;"&"@"@444(N+%!)C,A,A!A BB #A#'}[99 G'6'>'> "; </!6%CHHu,S;GaUR@S:XGaUR3U UR5-S[#U5S---UR5n/Ul!URURDUUSUU-S9nU(dGOURU-UR5-nUR!U5nUUl#0Ul$0Ul%0Ul&URBR U5 UR3UUR5-S[#U5S---UR5nUUURN-:GaURURPUUSUU-S9nU(dGO_URU-UR5-nUR!U5nURU5nUR3S[#U5S--U-UR5-UR5nURU-nUR!UUR@S9nURU5nURNS:XaUURN-nO)UR3URNU-UR5nUURHU'UU4URJU'[#U5[#U54URLU'UUURN-:aGMUR3URNU-UR5nUU:XaGO?UnUURN:aGO+GMGO&U(GaUR=S5(GaUnSUl)UR>S;GaUR@S:XGaUR3U UR5-S[#U5S---UR5n/Ul*URURVUUSUU-S9nU(dGOkURU-UR5-nUR!U5nUcGO4URTR U5 UR3S[#U5S--U-UR5-UR5nUn UU UR@-:aURYUUUS-S5n!URYUUS-US!-S5n"US!- n[[U![\5(a#[[U"[\5(aUS"U!U"4-0Ul/UU UR@-:aMUR3UURN-UR5nUUURN-::aOGMUR3URNU -UR5n URNS:XdXRN:aOGM;UR8R U5 g![a7 URR SR UR55 gf=f![a" URR SU-5 GNf=f![a. URR SR U55 Mf=f![a/ URR SR U55 GMNf=f![a/ URR SR U55 GMf=f![a$ URR SUS35 GM+f=f![a/ URR S R U55 GMf=f)#aParse version information structure. The date will be made available in three attributes of the PE object. VS_VERSIONINFO will contain the first three fields of the main structure: 'Length', 'ValueLength', and 'Type' VS_FIXEDFILEINFO will hold the rest of the fields, accessible as sub-attributes: 'Signature', 'StrucVersion', 'FileVersionMS', 'FileVersionLS', 'ProductVersionMS', 'ProductVersionLS', 'FileFlagsMask', 'FileFlags', 'FileOS', 'FileType', 'FileSubtype', 'FileDateMS', 'FileDateLS' FileInfo is a list of all StringFileInfo and VarFileInfo structures. StringFileInfo structures will have a list as an attribute named 'StringTable' containing all the StringTable structures. Each of those structures contains a dictionary 'entries' with all the key / value version information string pairs. VarFileInfo structures will have a list as an attribute named 'Var' containing all Var structures. Each Var structure will have a dictionary as an attribute named 'entry' which will contain the name and value of the Var. zWError parsing the version information, attempting to read OffsetToData with RVA: 0x{:x}NrZasciiencodingr9zzError parsing the version information, attempting to read VS_VERSION_INFO string. Can't read unicode string at offset 0x%xz"Invalid VS_VERSION_INFO block: {0}sVS_VERSION_INFOrez\uz({0} ... ({1} bytes, too long to display)z\00rrrArrOz/Error parsing StringFileInfo/VarFileInfo structz|Error parsing the version information, attempting to read StringFileInfo string. Can't read unicode string at offset 0x{0:x}sStringFileInforrzyError parsing the version information, attempting to read StringTable string. Can't read unicode string at offset 0x{0:x}z}Error parsing the version information, attempting to read StringTable Key string. Can't read unicode string at offset 0x{0:x}rzzError parsing the version information, attempting to read StringTable Value string. Can't read unicode string at offset 0xrls VarFileInfo VarFileInfoz}Error parsing the version information, attempting to read VarFileInfo Var string. Can't read unicode string at offset 0x{0:x}rEz 0x%04x 0x%04x)0rrrrrrrtr)r__VS_VERSIONINFO_format__r&rr^rsr_r`rrFrJrfindrIrr}rKey dword_align__VS_FIXEDFILEINFO_format__rrO__StringFileInfo_format__rXr ValueLengthr__StringTable_format__LangIDrPrQrRLength__String_format__r r__Var_format__get_word_from_datarUr%r)#rtversion_struct start_offsetr,versioninfo_structr,rj section_endversioninfo_stringexcerptvinfofixedfileinfo_offsetfixedfileinfo_structstringfileinfo_offsetrWstringfileinfo_structstringfileinfo_stringstringtable_offsetstringtable_structstringtable_string entry_offset string_structr, key_offset value_offsetrbnew_stringtable_offsetvarfileinfo_struct var_offset var_struct var_stringvarword_offsetorig_varword_offsetword1word2s# rr!PE.parse_version_informations, 4 33N4O4OPL==~?R?R0RS"11  * *H2   % $114F4M4M4OO ))+6 !003%%w'?'?4K"  "%)%=%='&>&"&*%=%= ";!AG&>&"  % OO " "4;;EE%7!8&" OO " "4;;&--g6>>ufM  t-.."$D #'  ""5)  %!# #//  % % '!s3E/F/J*K K  ' '  $33  , , * +$; 4  $ t/00$&D ! $$%9: !% 0 0 #>#>#@ @  ' '!  tZ((DM%)$8$8../0(@%9% ! %,&&E++'($++-.   (,(@(@(M%)> ! % LL. /%)>)I)I!** *..&8-99Q>*.)9)9-/6689s#89A=>?'33 *&9;)5-1-A-A 77$%7%89(47I(I.B.* 2!+77010779:$ "151I1I+1V.5G*157*2=?*:=?*:-99@@AST'+'7'7.0779:3'9#:Q#>?@+77 ( )03E3L3LLM-1,@,@ $ 6 6 ( 7,8<,G-A-M $1 %!/ ; ;".!/"/"6"6"8!9( &&*&>&>{&K-1-E-Ek-R ,0+;+; !SX\ 2".!/"/"6"6"8!9!/ ; ; ,L+9*E*E *TK &(,(@(@$/M>sC !$C #E G.>>sCG)03E3L3LLMP261A1A.558JJ*772.25GG!-C*-1F1M1MM!AF'+@+K+K,,&;"*7"''++v5*66!;"&!1!1-,3356s#89A=>?'33 "J.0&*%)%9%9 //$Z[1(4z(A&:& *!+77()(//12$ ")-)A)A+)NJ&-!*..55jA)-)9)9Z1!45()(//12+77 * /=++1J4J4JJK%)$;$; (.1:L Mq%E%)$;$; (!);nq>P QST%E+a/N)%55*UC:P:P$.5%.0P4" 0+1J4J4JJK &*%5%5&):)::Ne98e9<(f('f(+4g#"g#&4hh"4ii)j  j 4kkc^TRTRTRU[TR5R 55TR U5S9nU(dgU4SjnTRUR[U"UR5URS-55nTRUR[U"UR5URS-55nTRUR[U"UR5URS-55n/n Sn TRUR5n [!TR"5n U (a3U R$[!U R55-UR- n [&R("[*5n Sn[-[UR[+U S- 555GHnTR/X5nUb%US-[!U5:aTR1UU5nO gUbUS:XaMJUU:a,UX-:a$TR3U5nTR U5nO U(aMSnSnTR1Xo5nUcU S -n U S::aS n GO:TR3U[45n[7USS 9(dS n GOTR U5nU UU4==S - ss'U UU4S:a%TRRS US USS35 O[!U 5TR8:a6TRRSR;TR855 OpU R[=TUR>U-TR URSU--5UTR URSU--5UUUUS9 5 GM U(d)TRRSURS35 U Vs1sHnUR@iM nnSn TRUR5n [!TR"5n U (a3U R$[!U R55-UR- n [&R("[*5n Sn[-[UR[+U S- 555GH.nUUR>-U;dMTR1UU5nUcU S -n U S::aS n OUS:XaMFUb UU:aUX-:aTR3U5nOSnU U==S - ss'U UTRB:a7TRRSR;TRBU55 Oq[!U 5TR8:a+TRRSTR8S35 O-U R[=UR>U-USUS95 GM1 U(d*TRRSURS35 gU (dURE5(ag[GUU TR3URH5S9$![ a! TRRSU-5 gf=f![ a! TRRSU-5 gf=f![ a GMf=f![ aN U S -n U S::aS n GM.TR U5nGNA![ a U S -n U S::aS n GM`GMLf=ff=fs snf![ a SnGNVf=f)zParse the export directory. Given the RVA of the export directory, it will process all its entries. The exports will be made available as a list of ExportData instances in the 'IMAGE_DIRECTORY_ENTRY_EXPORT' PE attribute. rZz+Error parsing export directory at RVA: 0x%xNcR>[TR5TRU5- $r)rFrtr)rrts rlength_until_eof3PE.parse_export_directory..length_until_eofs"t}}%(@(@(EE ErrErQTrr9F)rKz9Export directory contains more than 10 repeated entries (rz#02xz). Assuming corrupt.zHExport directory contains more than {} symbol entries. Assuming corrupt.rA) rrr%rr2r r#r0r3zIRVA AddressOfNames in the export directory points to an invalid address: rlz[Export directory contains more than {} repeated ordinal entries (0x{:x}). Assuming corrupt.z$Export directory contains more than z# ordinal entries. Assuming corrupt.)rrr r0zMRVA AddressOfFunctions in the export directory points to an invalid address: )rGsymbolsr )%r!__IMAGE_EXPORT_DIRECTORY_format__rrr&rrrrAddressOfNamesrr NumberOfNamesAddressOfNameOrdinalsAddressOfFunctionsNumberOfFunctionsrrFrtr^ collections defaultdictr%rrYget_dword_from_dataget_string_at_rvaMAX_SYMBOL_NAME_LENGTHrQrrr.Baserrr#r,re)rtrrro export_dirryaddress_of_namesaddress_of_name_ordinalsaddress_of_functionsexports#max_failed_entries_before_giving_uprjr symbol_counts&export_parsing_loop_completed_normallyrNsymbol_ordinalsymbol_address forwarder_strr3symbol_name_address symbol_namesymbol_name_offsetexpordinalsr+s` rrrPE.parse_export_directorys --66 4#I#IJQQS!44S9 .J   F #}}))$Z%>%>?,,q0  (,}}00$Z%E%EF,,q0( $$(==--$Z%B%BC0014$ .0+))**C*CDdmm, &&g&&()*++,  $//4 15.s:33S19L5MNOA!445MQN)nq.@3$D/"&!9!9(." %1)< $#*)D $ 6 6~ F '+'?'?'O$" $ #' "&":":;K"O "*3q836!;=B:00#%;K*+PTU9>6 %)%=%=>Q%R"$ ;7 8A = 8k>:;b@&&#}B~d&;;OQ]#d&=&==&&((.t/F/F(G NN&OOn<#'#;#;"881q5@$+#'#;#;"55N8JJ$% 2+%5 [P~6 OO " "&55a8:  ,337CCKK73.0+))**G*GHdmm, &&g&&()*//0  $//4 15.Z993QR?R;STUC(H4*%)%=%=>RTW%XN")71<7:a?AF>!Q&#.&#-&3$($:$:>$JM$(M n-2- 043K3KKOO**FFLf 44nG '$*A*AAOO**>2233VX *# 5 .!"/ _Vp6 OO " "&99!<>  :0022'' 8  c  OO " "=E    J  OO " "=E    Z%.! 3q836!;=B:)-)A)ABU)V&$71<7:a?AF>  n4*%*%)N*sAY6-C Z$[[$\?+]6(Z! Z!$([[ [! [!$\<\\8,\<2\<7\88\< ]]c"X-S-S-US-- $)NrClre)rtrbases rrPPE.dword_aligns"j0TJ5FGGrcURRnURRURR-nX!::a X:aX-nU$r)rj ImageBaser)rtvabegin_of_image end_of_images rnormalize_import_vaPE.normalize_import_vasQ--77++558L8L8X8XX   B$5  B rc/nSnURU[UR5R55nURU5nURURUUS9nU(aUR5(aU$SnURS:XaURR[S:XaURUR5UlURUR 5UlURUR"5UlURUR$5UlURUR$5UlURUR(5UlSnXR5- n[+UR,5U- n XR":dXR :a$[/XR"- XR - 5n /n UR1UR"UR SU U5n US :a-UR R S R3U55 U$U (dUS - nGMOUR6[8:a1UR R S UR6[84-5 U$UR;UR([<5n [?U 5(d [AS 5n U (aoU HPn U RBbM[DRF"U RI5U RJ5nU(dMJXl!MR UR [MXzU S95 GMG![a" UR R SU-5 U$f=f![a?n UR R SR3XR455 Sn A GNSn A ff=f)z*Walk and parse the delay import directory.rTz5Error parsing the Delay import directory at RVA: 0x%xrZFrNzSError parsing the Delay import directory. Invalid import data at RVA: 0x{0:x} ({1})rGzWToo many errors parsing the Delay import directory. Invalid import data at RVA: 0x{0:x}r9z)Error, too many imported symbols %d (>%s) *invalid*rGimportsdll)'rr(__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__r&rrrrrr#grAttrsrrrr pBoundIATpIATpINT pUnloadIATphmodszNamerFrtrs parse_importsrrbrMAX_IMPORT_SYMBOLSrMAX_DLL_LENGTHrJrIr  ordlookup ordLookuplowerrr )rtrr import_descsrOr0r  import_desccontains_addressesmax_len import_datarrrfuncnames rrxPE.parse_delay_import_directorys   }}dKKLSSU2237K..=='/K+"8"8":":^]"' ##q($$,, =V0WW(,(@(@AVAV(W %#'#;#;KP>P%Q "%)" %%' 'C $--(;6G%%%/?/?)?c$4$44c>@ @ ( "$**556@@B B ( "$**556@@B B=>>rc /n/SQn[US5(dgURGHn[UR[5(a)URR 5R 5nOURR 5nURSS5n[U5S:aUSU;aUSnURR 5nURHnSnUR(dM[R"XgRSS 9nU(d&[S URS URS 35eO URnU(dMx[U[5(aUR 5nURUR 5<SUR 5<35 M GM [!S R#U5R%55R'5$)aReturn the imphash of the PE file. Creates a hash based on imported symbol names and their specific order within the executable: https://www.mandiant.com/resources/blog/tracking-malware-import-hashing Returns: the hexdigest of the MD5 hash of the exported symbols. )ocxsysrDIRECTORY_ENTRY_IMPORTr.r9rNT) make_namezUnable to look up ordinal rB04xr)r}rrUrrWrJrrsplitrFrr rrrrrr rrkr) rtimpstrsextsrlibnamepartsentry_dll_lowerimprs r get_imphashPE.get_imphashs$t56600E%))U++))**,224))//+NN3*E5zA~%(d"2(#iioo/O}}xx(22' H$+8 1S[[QTDUV$ #xxHh..'0H'--/8>>;KLM%%1>388G$++-.88::rc[US5(dg[URS5(dgURRVs/sHCnU(dM URcMURR 5R 5PME nn[ U5S:Xag[SRU5R55R5$s snf)zReturn the exphash of the PE file. Similar to imphash, but based on exported symbol names and their specific order. Returns: the hexdigest of the SHA256 hash of the exported symbols. DIRECTORY_ENTRY_EXPORTrr{rr) r}rr{r rJrrFrrrkr)rtr< export_lists r get_exphashPE.get_exphashJst566t22I>>0088 8 $VV $AFFMMO ! ! #8  { q chh{+2245??AA s C C%,Cc/nSn[UR5R5nURX5nURU5nURURXxS9n U (aU R5(aGOXR5- n[UR5U- n XR:dXR:a$[XR- XR- 5n /n U(dfURU RU RU R U S9n US :a UR R S US35 OU (dUS - nGM7UR%U R&[(5n [+U 5(d [-S 5n U (aoU HPnUR.bM[0R2"U R55UR65nU(dMJXlMR UR [9XU S95 GMU(d[;SS/5nSnSnUHnUR<HnUH~nU(aUR.(dMUR.n[?UR.5[@:XaUR.RCS5nUREU5(dMyUS - n O US - nM M U[U5:Xa!US:aUR R S5 U$![a$ UR R SUS35 GMf=f![a8n UR R SUSSU R"S35 S n A GNFS n A ff=f)z$Walk and parse the import directory.rz-Error parsing the import directory at RVA: 0xrlrZrzBError parsing the import directory. Invalid Import data at RVA: 0xz ()NrGzLToo many errors parsing the import directory. Invalid import data at RVA: 0xr9rr LoadLibraryGetProcAddressrrz?Imported symbols contain entries typical of packed executables.)#r"__IMAGE_IMPORT_DESCRIPTOR_format__r&rrrrrrr#rFrtOriginalFirstThunk FirstThunkrsrForwarderChainrbrrerrJrIr rrrrr rIrrFrWrJrX)rtrrrprrOimage_import_descriptor_sizer0r rrrr<rrrsuspicious_importssuspicious_imports_count total_symbolsimp_dllsuspicious_symbolr s rrqPE.parse_import_directorycsT  '0  3 3( &( % }}SG2237K..77/K +"8"8":": %%' 'C $--(;6G333s=S=S7S888#@V@V:VK  "&"4"4#66#..#22#* #5#K?OO**99JC(-- n)F{{*#,#6#6syy{FNN#S#8*2K * ##"+PSTIP!$m5E%F!G '( $M'%ooF-?)%V[[$%{{ ,5#);;#5#5g#>D??+<==494!.@"Q&M.()C0B,CC!B&&&Uw! &&CC7K  F%OO**99G#H"&K(-%.7.E.E .T+#}}-@!D#'#:#:4#C#'#9#9%33a79O$ 6h??'(~H&*&>&>%33a7'  )88:  44\B 22<<)%+*<'(STTq (( ''%.#-*; ''0'@'@'B%%$/' +,?%1"+[/@ A)$ !  !s+0BK >K?K KK K+*K+c/nUR[:Xa[nURnO9UR[:Xa[ nUR nO[nURn[U5R5nSnSn Sn Sn [5n [5n UnU(GaUb&XU-:aURRS5 U$UR[:a1URRSUR[4-5 U$U=RS- sl X:a/$U R5U:a/$U R5U:a/$SnURX5nU(d[#W5U:waURRS U-5 gUR%UUUR'U5S 9nU(aUR)UR*5UlUR)UR,5UlUR)UR.5UlUR)UR05UlU(aAUR*U:a1UR*U::a!URRS U-5 U$U(aZUR*(aIUR*nUU-(a US -S:a/$O'UU :aU nOU nUU;aU S- n UR3U5 U(aUR55(aU$UUR5- nURU5 U(aGMU$![ a S nGNf=f)Nrr[rz9Error parsing the import table. Entries go beyond bounds.z$Excessive number of imports %d (>%s)r9FTz9Error parsing the import table. Invalid data at RVA: 0x%xrZz\Error parsing the import table. AddressOfData overlaps with THUNK_DATA for THUNK at RVA 0x%xrr)rrr__IMAGE_THUNK_DATA_format__rr__IMAGE_THUNK_DATA64_format__rr&rnrrrrr|rrrFrrrrr!r rrxr#)rtrrrrr'r expected_sizeMAX_ADDRESS_SPREADADDR_4GBMAX_REPEATED_ADDRESSESrepeated_addressaddresses_of_data_set_64addresses_of_data_set_32 start_rvafailedr0 thunk_data addr_of_datathe_sets rrPE.get_import_tablels` <<3 3-L55F \\: :/L77F .L55F!&)002 (!##-< #-<  %#Z1G*G&&OB **-??&&:224FGHt q  ' '1 , ' 9 (,,.1CC ',,.1CC F }}S8Tm3&&RUXX--$*B*B3*G.J "+/+C+C,,, (.2-E-E... *'+&>&>z?R?R&S #%)%=%=j>P>P%Q ",, 9,,3&&(+.0 > ;j66)77 ,.$j069! :$x/":":#w.(A-(KK -!6!6!8!8  :$$& &C LL $IcL M!  sM MMcUbURnURU5 URSSnURGH5nURS:XaURS:XaM&URnUR UR URR5nURURURRURR5nU[UR5:d9U[UR5:d Xg-[UR5:dX:aMU[U5- n U S:a USU -- nO U S:aUSU nXER5- nGM8 UbWUlU$)aDReturns the data corresponding to the memory layout of the PE file. The data includes the PE header and the sections loaded at offsets corresponding to their relative virtual addresses. (the VirtualAddress section header member). Any offset in this data corresponds to the absolute memory address ImageBase+offset. The optional argument 'max_virtual_address' provides with means of limiting which sections are processed. Any section with their VirtualAddress beyond this value will be skipped. Normally, sections with values beyond this range are just there to confuse tools. It's a common trick to see in packed executables. If the 'ImageBase' optional argument is supplied, the file's relocations will be applied to the image by calling the 'relocate_image()' method. Beware that the relocation information is applied permanently. NrrA)rtrelocate_imagerr`r_rir]rjrkror^rprFr) rtmax_virtual_addressr original_data mapped_datarjsrdprdrbr s rget_memory_mapped_imagePE.get_memory_mapped_imageso,  !MMM    *mmA& }}G''1,1F1F!1K''C++(($*>*>*L*LC"&!=!=&&$$55$$22" c$--((T]]++9s4==11%</#k2BBN!u~55 !#)/>: ++- -KA%H  )DMrc/n[US5(aURRHn[US5(dMURRHn[US5(dM[URS5(dM3URR(dMP[ URRR 55HnURU5 M M M U$)zReturns a list of all the strings found withing the resources (if any). This method will scan all entries in the resources directory of the PE, if there is one, and will return a [] with the strings. An empty list will be returned otherwise. DIRECTORY_ENTRY_RESOURCErr)r}rrPrrr3rr)rtresources_stringsres_typer. res_strings rget_resources_stringsPE.get_resources_strings9s 43 4 4 99AA8[11'/'9'9'A'A "; << ' (=(=y I I$/$9$9$A$A$A26$/$9$9$A$A$H$H$J3"J%6$<$> "/   &"M $$V,,-sAB.cURU5nU(d+U[UR5:aU$[SUSS35eUR U5$)zGet the file offset corresponding to this RVA. Given a RVA , this method will find the section where the data lies and return the offset within the file. zdata at RVA 0xrlz can't be fetched)rrFrtrr)rtrrs rrPE.get_offset_from_rvasW  # #C ( S'' .Q7H IJ J$$S))rcUcgURU5nU(d!URSURXU-5$URSURXS95$)z1Get an ASCII string located at the given address.Nr)r)rrrtr)rtrrrs rrPE.get_string_at_rvas^ ;  # #C (,,Q c*DT0UV V((AJJsJ,NOOrcnU[U5:agX!Sn[U[5(a [U5$U$)rrN)rFrUrirW)rtrr0rs rget_bytes_from_dataPE.get_bytes_from_datas5 CI  M a # #8Orc`URX5nURS5nUS:aUSUnU$)zGet an ASCII string from data.rArN)r)r2)rtrr0rrws rrPE.get_string_from_datas6  $ $V 2ffUm !8$3ArcnUS:XagURUS5nUS-n[US5nURX5nSnURSUS-5nUS:XaD[U5nXu:dXr:Xa[U5S- nO1X@RX-X'- 5- nUS- nUnOUS-S:XaUS-nOMp[R "SR U5US US-5nS R[[U55n U(a[U RUS 55$[U RS S 55$) z3Get an Unicode string located at the given address.rrrAr9rgr*rz<{:d}HNrr r) rrrr2rFrGrHrrmaprLrIrk) rtrrrJr0 requested null_index data_lengthuchrsrs rrPE.get_string_u_at_rvasA ?}}S!$ q  C( }}S, ; Q?JR!$i *k.G!$TaJ c&79QRR&] & a1$q $ hooj94@P*q.;QR GGCUO $ QXXh(;<= ='#6788rc^URHnURU5(dMUs $ g)z1Get the section containing the given file offset.N)rr)rtrrjs rrPE.get_section_by_offsets-}}G&&v..%rcURb,URRU5(a UR$URH#nURU5(dMX lUs $ g)z-Get the section containing the given address.N)rrr)rtrrjs rrPE.get_section_by_rvasb  - - 911>>sCC999}}G##C((5<2% rc"UR5$r) dump_infor{s rr PE.__str__ s~~rc[US5$)z.Checks if the PE file has relocation directoryDIRECTORY_ENTRY_BASERELOC)r}r{s r has_relocs PE.has_relocsst899rc^[US5(aURR(agg)NDIRECTORY_ENTRY_LOAD_CONFIGTF)r}r@rr{s rhas_dynamic_relocsPE.has_dynamic_relocss% 46 7 7//CCrc4[URUS95 g)z=Print all the PE header information in a human readable from.rIN)rBr9)rtrJs r print_info PE.print_infos dnnhn/0rc /Uc [5nUR5nU(a;URS5 UH$nURU5 UR 5 M& URS5 UR UR R55 UR 5 URS5 UR URR55 UR 5 URS5 UR URR55 [[S5nURS5 /n[U5H7n[URUS5(dM#URUS5 M9 URS R!U55 UR 5 [#US 5(aGUR$b:URS 5 UR UR$R55 [[&S 5nURS 5 /n[U5H7n[UR$US5(dM#URUS5 M9 URS R!U55 UR 5 URS 5 [[(S5n UR*GHn UR U R55 URS5 /n[U 5H,n[XS5(dMURUS5 M. URS R!U55 URSR-U R/555 [0b.URSR-U R3555 [4b"URSU R75-5 [8b"URSU R;5-5 [<b"URSU R?5-5 UR 5 GM [#US 5(a}[#UR$S5(abURS5 UR$R@H'n U cMUR U R55 M) UR 5 [#US5(Gay[CURD5GH_up[GURD5S:aURSU S-35 OURS5 U bUR U R55 UR 5 [#US5(a<UR URHU R55 UR 5 [#US5(dM[GURJ5U :dMURJU GHVnUR UR55 UR 5 [#US5(GaURLHnUR5Vs/sHnURSU-5PM nURSR-URNRQUS555 UR 5 [URTRW555HJnURS R-USRQUS5USRQUS555 ML M UR 5 GMa[#US!5(dGMuURXHn[#US"5(dMUR5Vs/sHnURSU-5PM nURS R-[SURZR]55SRQS#S5[SURZR_55S55 M UR 5 GMY GMb [#US$5(GacURS%5 UR UR`RbR55 UR 5 URS&S'-5 UR`RdHnURfcM[iS(5nURj(a URjnURS)URlURfURQU54-5 URn(a<URS*R-URnRQUS555 MUR 5 M UR 5 [#US+5(GafURS,5 URpGHDnUR URbR55 URr(dcURS-R-URuURbRv5RQUS555 UR 5 UR 5 URrGHrnURxS.LaURjb_URS/R-URzRQS#5URjRQS#5URl55 OURS0R-URzRQS#5URl55 O`URS1R-URzRQUS5URjRQUS5UR|55 UR~(a-URS2R-UR~55 GMbUR 5 GMu UR 5 GMG [#US35(Ga URS45 URHnUR URbR55 URS5R-URjRQUS555 UR 5 URTHxnUR URbR5S65 URS5R-URjRQUS55S65 UR 5 Mz GM [#US75(GaURS85 URGHdnUR URbR55 UR 5 URrGHnURxS.LaFURS9R-URzRQUS5URl55 O`URS:R-URzRQUS5URjRQUS5UR|55 UR~(a,URS2R-UR~55 MUR 5 GM UR 5 GMg [#US;5(GaURS<5 UR URRbR55 URRTGHnURjb3URjRQUS5nURS=US>3S?5 OX[RURbRS@5nURSAURbRSBSCUSD3S?5 UR URbR5S?5 [#USE5(Ga)UR URRbR5S65 URRTGHnURjb3URjRQS#S5nURS=US>3SF5 O+URSAURbRSBS>3SF5 UR URbR5SF5 [#USE5(dMUR URRbR5SG5 URRTGHn[#USH5(dMURSIURRURR[RURRSJ5[URRURR54-SG5 UR URbR5SK5 UR URRbR5SL5 GM [#URSM5(dGM)URR(dGMGURSNSK5 [S[URRRW555HGun nURSOR-U URSPSQ5RQSR55SL5 MI GM UR 5 GM UR 5 [#USS5(aUR(aoURRb(aTURST5 UR URRbR55 UR 5 [#USU5(aUR(aoURRb(aTURSV5 UR URRbR55 UR 5 [#USW5(aURSX5 URHnUR URbR55 URSY[URbR-5 UR 5 URZ(dMUR URZR5S65 UR 5 M UR5(aURS[5 URHnUR URbR55 URTH9n URS\U R[U RS]S4-S65 M; UR 5 M [#US_5(a[GUR5S:aURS`5 URHxn!UR U!RbR55 [#U!Sa5(dM?U!RcMNUR U!RR5S65 Mz UR5$s snfs snf![a8 URSZR-URbR55 GN:f=f![a0 URS^U RU R4-S65 GMf=f)bz>Dump all the PE header information into human readable string.NParsing Warningsrrrrr~rrrjrzDllCharacteristics: PE Sectionsr{z!Entropy: {0:f} (Min=0.0, Max=8.0)zMD5 hash: {0}zSHA-1 hash: %szSHA-256 hash: %szSHA-512 hash: %sr Directoriesrr9zVersion Information Version InformationrrOrz z LangID: {0}r z {0}: {1}rrrrExported symbolsz%-10s %-10s %srRVAreNonez%-10d 0x%08X %sz forwarder: {0}rImported symbolsz Name -> {0}Tz*{0}.{1} Ordinal[{2}] (Imported by Ordinal)z&{0} Ordinal[{1}] (Imported by Ordinal)z{0}.{1} Hint[{2:d}]z Bound: 0x{0:08X}DIRECTORY_ENTRY_BOUND_IMPORT Bound importszDLL: {0}rEDIRECTORY_ENTRY_DELAY_IMPORTDelay Imported symbolsz({0} Ordinal[{1:d}] (Imported by Ordinal)z{0}.{1} Hint[{2}]rResource directoryzName: []rArzId: [0xrz] (rrrIrMr0z\--- LANG [%d,%d][%s,%s]r;rQrUrz [STRINGS]z {0:6d}: {1}unicode-escaper rHDIRECTORY_ENTRY_TLSTLSr@ LOAD_CONFIGDIRECTORY_ENTRY_DEBUGDebug informationzType: zType: 0x{0:x}(Unknown)Base relocationsz%08Xh %sr6z0x%08X 0x%x(Unknown)DIRECTORY_ENTRY_EXCEPTIONz"Unwind data for exception handlingr)\rrrrrrrr7rrr\rrxsortedr0rrr}rjrr|rrrr rrrrrrrrr)rrFrrOrrUrJr3rPr rrrTrrrGr{rrIr rr0rrrrerrrrrPrRrrr=r rr0rrr<rCrrkrWr@rZ DEBUG_TYPErrr=r<rRELOCATION_TYPErFr]rr)"rtr7rJwarningsrCrrar[r"r~rjrr+ vinfo_entryrrXr str_entry var_entryexportr modulerbound_imp_desc bound_imp_refr res_type_idr.r0rr base_relocrelocrs" rr9 PE.dump_infos~ <6D$$&  OO. /# g&  "$  % t++-.   % t++-.   & t'',,./$%:MJ  ;'Dt''a11 T!W%( dii&'  4* + +0D0D0P OO- . NN4//446 7$2 !<% ! '(45Dt++T!W55 T!W%6 dii&'   &&'> M }}G NN7<<> * HHY E}-7G,,LLa). MM$))E* + MM3::7;N;N;PQ  1889M9M9OPQ 073H3H3JJK! 073J3J3LLM! 073J3J3LLM    '%* 4* + +  "21 1  OOM *!11@@ (NN9>>#34A     4) * *$-d.A.A$B t**+a/OO&:37)$DEOO$9:*NN;#3#3#56  "4!344NN4#8#8#=#B#B#DE$$&4,,T]]1Cc1I!%s!3uzz|4((*"5-88,1,=,=HP  Xtd{!; X $ $3$:$:(0(>(>,46I)*%&!"!% 0 0 217X=M=M=S=S=U8V1WI$(MM(6(=(=,5aL,?,?08:M-.-6aL,?,?08:M-. )* %&2X->.!,,.$UE22-2YY #*9g#>#>5>NN4D%&4DD)- dTk(B4D%&%)MM(6(=(=,01E1E1G,H,K,R,R079L-.-11G1G1I,J1,M )*%& .7!,,.]"4%C| 41 2 2 OO. / NN466==BBD E     MM-0JJ K55==>>-V9D{{%{{HH,!>>6>>4;;x;PQR'' -44 & 0 0 7 7BU V ((*!>$     41 2 2 OO. /55v}}1134~~HH'.. 226==3E3EFMM (*=$$&  "$nnF//47!;;2 HH L S S$*JJ$5$5g$>$*KK$6$6w$?$*NN!"!HH H O O$*JJ$5$5g$>!" 188 & 1 1(BMM")))..55h@ST  $$&&<#D( 47 8 8 OO4 5;;v}}1134  "$nnF//47FMM & 1 1('>'@!D"; << NN;+@+@+G+G+L+L+NPQR1<1F1F1N1N #*=&#A#A$(MM(C,9,>,>,C,C,9,>,>,F,F,0HH0=0B0B0G0G-.-F0=0B0B0G0G0=0B0B0J0J-. +* )*)*%&%)NN=3G3G3L3L3NPR$S$(NN=3E3E3L3L3Q3Q3SUW$X%2O(!( (=(=y I I$/$9$9$A$A$A $ k2 >7;$*;+@+@+H+H+N+N+P$Q8"OC%)MM(5(<(<,/,6,=,=0@BT-..4fWo )* )+%&8"Q(Bj  "UBX     D/ 0 0((((// OOE " NN433::??A B     D7 8 8000077 OOM * NN4;;BBGGI J     40 1 1 OO/ 011szz01TMM(Z -H"HI  "999NN399>>#3Q7$$&2 ??   OO. /"<< z005578'//E &%))_UZZ5PQSQT5U)VV0  "= D5 6 6D223a7 OO@ A44ryy~~/02|,,1JNN2==#5#5#7;5 }}g !Y6%&n TMM":"A"A#**//"RST"$ 2eii5LLas>A]& A]+ U/A]0Y5A^5]0>A^2^1A^2^55A_/_.A_/c 0nUR5nU(aX!S'URR5US'URR5US'URR5US'[ [ S5n/US'UH:n[URUS5(dM#USRUS5 M< [US5(a*URbURR5US'[ [S 5n/US 'UH:n[URUS5(dM#US RUS5 M< /US '[ [S 5nURHnUR5nUS RU5 /US'UH/n[XtS5(dMUSRUS5 M1 UR5US'[bUR!5US'["bUR%5US'[&bUR)5US'[*cMUR-5US'M [US5(ao[URS5(aT/US'[/URR05H,upU cM USRU R55 M. [US5(Gaa/US'[/UR25GHBup/n U RU R55 [US5(a,U RUR4U R55 [US5(Ga[7UR85U :Ga/n U RU 5 UR8U GHwnU RUR55 [US5(a0nUR:HfnU R=UR55 UR>US'[AURBRE55HnUSUUS'M Mh U RU5 M[US5(dMURFHn0n[US5(dMU R=UR55 [AURHRK55SU[AURHRM55S'U RU5 M GMz USRU 5 GME [US5(a/US'USRURNRPR55 URNRRHyn0nURTbSURWURXURTURZS .5 UR\(aUR\US!'USRU5 M{ [US"5(a/US#'UR^Hn/nUS#RU5 URURPR55 UR`Hn0nURbS$LaURdUS%'URXUS&'O-URdUS%'URZUS''URfUS('URh(aURhUS)'URU5 M M [US*5(a/US+'URjHn0nUS+RU5 URWURPR55 URZUS%'URBH=n0nURWURPR55 URZUS%'M? M [US,5(a/US-'URlHn/nUS-RU5 URURPR55 UR`Hn0nURbS$LaURdUS%'URXUS&'O-URdUS%'URZUS''URfUS('URh(aURhUS)'URU5 M M [US.5(Ga/US/'US/RURnRPR55 URnRBGHn0n URZbURZU S''OCURPRp[rRuURPRpS054U S1'U RWURPR55 US/RU 5 [US25(dM/n!U!RURvRPR55 US/RU!5 URvRBGHn"0n#U"RZbU"RZU#S''OU"RPRpU#S1'U#RWU"RPR55 U!RU#5 [U"S25(dM/n$U$RU"RvRPR55 U!RU$5 U"RvRBGHn%[U%S35(dM0n&U%RxRzU&S4'U%RxR|U&S5'[~RuU%RxRzS65U&S7'[U%RxRzU%RxR|5U&S8'U&RWU%RPR55 U&RWU%RxRPR55 U$RU&5 GM [U"RvS95(dGM$U"RvR(dGMB[AU"RvRRE55H6un n'U$RU'RS:S;5RS<55 M8 GM GM [US=5(aSUR(aBURRP(a'URRPR5US>'[US?5(aSUR(aBURRP(a'URRPR5US@'[USA5(a/USB'URHn(0n)USBRU)5 U)RWU(RPR55 [RuU(RPRU(RPR5U)SC'M UR5(a/USD'URHn*/n+USDRU+5 U+RU*RPR55 U*RBH?n,0n-U+RU-5 U,RU-SE'[U,RSFS U-SC'MA M U$![a U,RU-SC'Mef=f)Gz5Dump all the PE header information into a dictionary.rGrrrrrlrrjNrrrHr{EntropyMD5SHA1SHA256SHA512rrIrrJrrOrrUr9rrrrKrLr0rrOTDLLrreHintBoundrPrQrRrSrrTrr rr0r<r>r; LANG_NAME SUBLANG_NAMErrVr rHrWrXr@rYrZr[rr\rMr6)OrrrWrrr\rr0rr}rjrr|rrr rrrrrrrr)rrrrFrOrrrUr3rPr rrrrTrrGr{rrrr r0rrrrrrrPrRrr rr=rr0rrr<rCrrkrJrWr@rZr_rr=r<rr`rFr).rtrWrarr[r"r~rj section_dictr+rvs_vinfoversion_info_list fileinfo_listrstringtable_dictrXrcrdvar_dictre export_dictrf import_listr symbol_dictrgbound_imp_desc_dictrhbound_imp_ref_dict module_listrresource_type_dictdirectory_listr.resource_id_dictresource_id_listr0resource_lang_dictrrdbg_dictrjbase_reloc_listrk reloc_dicts. rrW PE.dump_dicts  $$& ,4( )"&//";";"= ,"&//";";"= ,#'#3#3#=#=#? - $%:MJ  'Dt''a11'"))$q'2  4* + +0D0D0P+/+?+?+I+I+KI' ($2 !<% !+- &'-Dt++T!W55./66tAw?.$& - &'> M }}G",,.L m $ + +L 9$&L !%7G,, )00a9&'.&9&9&;L #&-&:&:&< U#'.'<'<'> V$!)0)@)@)B X&!)0)@)@)B X&!%$ 4* + +  "21 1 (*Im $"+D,@,@,O,O"P(m,33I4G4G4IJ#Q 4) * */1I+ ,!*4+>+>!? $&!!((););)=>4!344%,,T-B-B3-G-Q-Q-ST4,,T]]1Cc1I$&M%,,];!%s!3%,,U__->?"5-88/1,,1,=,= - 4 4X5G5G5I J=E__ 0 :15h6F6F6L6L6N1OIENq\$4Yq\$B2P-> *001AB$UE22-2YY +-#*9g#>#>$1$8$89L9L9N$OPT(1(>(>(@Q&&'Q)HT)//2F2F2H-I!-L$M%2$8$8$B.7"4,/0778IJA"@D 41 2 2,.I( ) ( ) 0 0++22<<> 55== >>-&&'-~~#)>>$*KK''393C3C K0,-44[A> 41 2 2,.I( )55 ,-44[A""6==#:#:#<=$nnF"$K//47-3ZZ E*17 I.-3ZZ E*.4kk F+.4kk F+||/5|| G,&&{3- 6$ 47 8 8)+Io &"&"C"C&(#/*112EF#**>+@+@+J+J+LM-;-@-@#E*%3%;%;M)+&&--m.B.B.L.L.NO0=0B0B&u-&<#D 47 8 824I. /;; 23::;G""6==#:#:#<=$nnF"$K//47-3ZZ E*17 I.-3ZZ E*.4kk F+.4kk F+||/5|| G,&&{3- <& 43 4 4.0I* + * + 2 2--44>>@ !99AA%'"==,19&v.!**%))(//*<*J'/'9'9'A'A +-(&++77B7G7G,V45@5G5G5J5J,T2(// 0B0B0L0L0NO&--.>?"; <)6(:(:(B(B%7(1%&GKhh(5(:(:(?(?G&$6{$C )B(5(:(:(?(?(5(:(:(B(B)&%7(6%& %7$=$=(5(<(<(F(F(H%&%7$=$=(5(:(:(A(A(K(K(M%&%5$;$;P)**0&/%&8"[(B'BT D/ 0 0((((//#77>>HHJIe  D7 8 80000770077AAC   40 1 1-/I) *11-.55h? 4 4 67#->>#**//3::??#S 2 ??  ,.I( )"<< "$,-44_E&&z'8'8'B'B'DE'//E!#J#**:6(- Ju%8-r,BAF F  rc~US-[UR5:agURURXS-S5$)zDReturn the quad-word value at the given file offset. (little endian)rMNr)rFrtrrs rget_qword_from_offsetPE.get_qword_from_offsetorrcBURXRU55$)zJSet the quad-word value at the file offset corresponding to the given RVA.)rr)rtrqwords rset_qword_at_rvaPE.set_qword_at_rvawrrcBURXRU55$)z1Set the quad-word value at the given file offset.)r&r)rtrrs rset_qword_at_offsetPE.set_qword_at_offset{rrc[U[5(d [S5eURU5nU(dgUR X25$)zOverwrite, with the given string, the bytes at the file offset corresponding to the given RVA. Return True if successful, False otherwise. It can fail if the offset is outside the file's boundaries. data should be of type: bytesF)rUrW TypeErrorrr&)rtrr0rs rrPE.set_bytes_at_rvasD$&&;< <))#.''55rc[U[5(d [S5eSUs=::a[UR5:aO gUR X5 gg)zOverwrite the bytes at the given file offset with the given string. Return True if successful, False otherwise. It can fail if the offset is outside the file's boundaries. rrFT)rUrWrrFrtset_data_bytesrtrr0s rr&PE.set_bytes_at_offsetsR$&&;< <  +T]]+ +    -rrr0c[UR[5(d[UR5UlX RX[U5-&gr)rUrtrirFrs rrPE.set_data_bytess8$--33%dmm4DM59 fD 12rcPURHnURURURR5nX!R -nU[ UR5:dM\U[ UR5:dMwURX!R55 M g)zUUpdate the PE image content with any individual section data that has been modified. N) rrir]rjrkr_rFrtrr)rtrjsection_data_startsection_data_ends rmerge_modified_section_dataPE.merge_modified_section_datas }}G!%!:!:(($*>*>*L*L"  24I4II !C $66;Kc O<##$68H8H8JK%rcFXRR- n[URR5S:GaeURRSR(Ga;[ US5(dUR [S/S9 [ US5(dURRS5 GO[URGHJnSnU[UR5:dM!URUnUS- nUR[S :XaGOUR[S :Xa@URURUR!UR5U-S - S -5 GOUR[S :Xa=URURUR!UR5U-S -5 GO5UR[S:Xa9UR#URUR%UR5U-5 OUR[S:XaU[UR5:XaGM|URUnUS- nURURUR!UR5S -UR-U-S-S - 5 OOUR[S:Xa8UR'URUR)UR5U-5 U[UR5:aGM)GMM XRl[ US5(a;UR*H+nUR,HnU=R.U- slM M- [ US5(aUR0R2=R4U- slUR0R2=R6U- slUR0R2=R8U- slUR0R2=R:U- sl[ US5(GafUR<R2n [ U S5(a&U R>(aU =R>U- sl[ U S5(a&U R@(aU =R@U- sl [ U S5(a&U RB(aU =RBU- sl![ U S5(a&U RD(aU =RDU- sl"[ U S5(a&U RF(aU =RFU- sl#[ U S5(a&U RH(aU =RHU- sl$[ U S5(a&U RJ(aU =RJU- sl%[ U S5(a&U RL(aU =RLU- sl&[ U S5(a&U RN(aU =RNU- sl'[ U S5(a&U RP(aU =RPU- sl(URR[T:Xa7[ U S5(a&U RV(aU =RVU- sl+[ U S 5(a&U RX(aU =RXU- sl,[ U S!5(a&U RZ(aU =R\U- sl.[ U S"5(a&U R\(aU =R\U- sl.[ U S#5(a(U R^(aU =R^U- sl/g$g$g$g$g$g$)%aApply the relocation information to the image using the provided image base. This method will apply the relocation information to the image. Given the new base, all the relocations will be processed and both the raw data and the section's data will be fixed accordingly. The resulting image can be retrieved as well through the method: get_memory_mapped_image() In order to get something that would more closely match what could be found in memory once the Windows loader finished its work. rIrGr<rFr}zZRelocating image but PE does not have (or pefile cannot parse) a DIRECTORY_ENTRY_BASERELOCrr9rrr6rrrrrBrrrWr@LockPrefixTableEditListSecurityCookieSEHandlerTableGuardCFCheckFunctionPointerGuardCFDispatchFunctionPointerGuardCFFunctionTableGuardAddressTakenIatEntryTableGuardLongJumpTargetTableDynamicValueRelocTableCHPEMetadataPointerGuardRFFailureRoutine$GuardRFFailureRoutineFunctionPointer(GuardRFVerifyStackPointerFunctionPointerEnclaveConfigurationPointerN)0rjrrFrr)r}rJr rrr<rPrFr`rrrrrrrrrrrWrGStartAddressOfRawDataEndAddressOfRawDataAddressOfIndexAddressOfCallBacksr@rrrrrrrrrrrrrrrrr) rt new_ImageBaserelocation_differencerk entry_idxr next_entryrfunc load_configs rrPE.relocate_imagesk!.0D0D0N0N N $$33 4 9$$33A6;;;4!<==++!01R!S T,4!<==&&9 ";;E !"I#c%--&88 % i 8!Q  ::9S)TT "ZZ?;Q+RR !00 % $($8$8$C&;%<')%*#) !)#ZZ?;P+QQ !00 % $($8$8$C&;%<#) !)#ZZ?;T+UU !11 % $ 5 5eii @"7!8 #ZZ?;T+UU )C ,>> %).y)AJ%NI 00 % %)%9%9%))%D%J&0nn%5&;%<'1%1 $& !& #ZZ?;R+SS!11 % $ 5 5eii @"7!8c$c%--&888<|.; *t56666C #  (== !,7t233((//EE)E((//CC)C((//>>BWW>((//BB)Bt:;;">>EE K):;;#33//3HH/; 33 8L8L((,AA(K)9::#22..2GG.K)9::#22..2GG.K)FGG#??;;?TT;K)IJJ#BB>>BWW>K)?@@#88448MM4K)IJJ#BB>>BWW>K)CDD#<<88>@4G &* t}}%!i-IN)KLs8a<()AC!+,,1uX\*+  q1uw/5A M3JK c4==QQ+KLQO  H5 $z1h"nE*v%(b.9R0f$#dmm,,,rc[SnUR5(d2UR5(dXRR-U:Xagg)zCheck whether the file is a standard executable. This will return true only if the file has the IMAGE_FILE_EXECUTABLE_IMAGE flag set and the IMAGE_FILE_DLL not set and the file does not appear to be a driver either. r]TF)ris_dllrfrrz)rtEXE_flags ris_exe PE.is_exesF))FG^^%%,,<<<IrcP[SnXRR-U:Xagg)ztCheck whether the file is a standard DLL. This will return true only if the image has the IMAGE_FILE_DLL flag set. rmTF)rrrz)rtDLL_flags rr PE.is_dlls, ))9: ''77 7H DrcN[US5(dUR[S/S9 [US5(dg[S5nUR UR Vs/sHo"R R5PM sn5(ag[S5nUR URVs/sH+oDRR5RS5PM- sn5(a+URR[S [S 4;aggs snfs snf) zCheck whether the file is a Windows driver. This will return true only if there are reliable indicators of the image being a driver. rr?rF)s ntoskrnl.exeshal.dllsndis.syss bootvid.dlls kdcom.dllT)spagespagedrArr)r}rJr rI intersectionrrrrrerKrj SubsystemSUBSYSTEM_TYPE)rt system_DLLsrdriver_like_section_namesrjs rrf PE.is_drivers,t566  ' ',-KLM (  t566  T   # #(,(C(C D(CWW]]_(C D  $'(;$<! $ 1 1AE Og\\   ! ( ( 1 O    * *78?@  ! E Ps #D32D"c|^Sm[UR54U4Sjjn[US5(a6U"URR 5UR R 45mURH!nU"URUR45mM# [S/n[URR5H:upEXC;aM U"URUR5UR45mM< [UR5[#T5:a [#T5$g![ a Myf=f)zgGet the offset of data appended to the file and not contained within the area described in the headers.rcZ>[U5U::a[U5[T5:aU$T$r)sum)offset_and_size file_sizelargest_offset_and_sizes r'update_if_sum_is_larger_and_within_fileQPE.get_overlay_data_start_offset..update_if_sum_is_larger_and_within_file,s7?#y0S5IC'M6'&* *rrjrDN)rFrtr}rjrrrrr]r_r r)rrr^r)rr )rtr rjskip_directoriesr+rr s @rget_overlay_data_start_offset PE.get_overlay_data_start_offset&s/#)(+4=='9 + 4* + +&M((88:$$99' #}}G&M))7+@+@A' #% ,,LMN'(<(<(K(KLNC& *Q--i.F.FGX+' M t}} $; < <./ / !  s-D-- D;:D;cHUR5nUbURUS$g)z]Get the data appended to the file and not contained within the area described in the headers.Nr rtrtoverlay_data_offsets r get_overlayPE.get_overlayTs/#@@B  *==!4!56 6rcdUR5nUbURSU$URSS$)zKReturn the just data defined by the PE headers, removing any overlaid data.Nr r! s rtrimPE.trim_s;#@@B  *==!5"56 6}}QrcU[:aDURSLa5[U5(d%URR SU-5 SUl[ X5$)NFz=If FileAlignment > 0x200 it should be a power of 2. Value: %xT)r$rrfrrr()rtr&r's rriPE.adjust_FileAlignmentvsU : :))U2<;W;W&&S%'.2*)#>>rcU[:a:X2:wa5URSLa&URRSX24-5 SUl[ XU5$)NFzAIf FileAlignment(%x) < 0x200 it should equal SectionAlignment(%x)T)r$rrrr,)rtr&r+r's rroPE.adjust_SectionAlignmentsV : :311U:&&W%9:15-,S^TTr)rrrrOrrjrrKrrrrt __from_file__resource_size_limit_reached!__resource_size_limit_upperboundsr__total_import_symbols__total_resource_bytes__total_resource_entries_count __warningsrrrrrrrr)NFF)rNrNFr)NF)rN)rN)rN)r)NrH)r~rrrrrrr rrrrdrrr|rrCr>rMrQrRrTrWrXrrrrrrrrrrrrrrr&__IMAGE_DYNAMIC_RELOCATION_V2_format__(__IMAGE_DYNAMIC_RELOCATION64_V2_format__rrrMAX_SYMBOL_EXPORT_COUNTrqrrrrrrr<rrDrrSrrJrzryrvrwrrurrrrtrsrrr!rrrPrrxrrrrqrrrrrrrrrr)rrrrrr=rArDr9rWrrrrrrr$rrYrrrr1rrrrrrrr&r%rWrrrrrr r rfr r# r& rirorrerrrSrS s{BP#2 $ '# "($H!*&F#I'# 0, *&)%" +'1- ,( ! #&! VKEN# %! ($($ .* C? B>>: &" ($/.*b00,d1- +' -) .* 0, 0, ,( # 2 4l ,,n` Ob  $.5nL^TY`4DXtun*83 jX#t@ ;z*X&PiVu'n 0>s$j G RH kZ ?.;`B2h^ ] ~BHGR!8 'D->**1B P)9V  :1]~ cL 5 K OKQ' K NIO' K OKQ6"":S:: L\U|I.-`& 8t,\  . ?$ UrrSc SSKnSnURSS(d [U5 gURSS:XaURSS(dURS5 [ URS5nUR R HNn[[URRUR-5URUR5 MP g[[ URS5R55 g)Nrz1pefile.py pefile.py exports r9rrAzerror: required)rargvrBexitrSrr{rnrjrrr rr9)rusagerrs rmainr; s E 88AB< e ! !xx| HH1 2  _,,44C B&&003;;>?3;; 5 b!o'')*r__main__)reFFr3 )r __author__ __version__ __contact__rrrGrjrGrrrrrtypingrhashlibrrrr rrrrregister_error lookup_errorr%rFrr(r,r1rrrrrrrcrrr6 rrrrrrr IMAGE_NUMBEROF_DIRECTORY_ENTRIESrrrrr=directory_entry_typesr image_characteristicsrsection_characteristicsr| debug_typesr_subsystem_typesr machine_typesrrelocation_typesr`dll_characteristicsrr$rr registersrrrrrrrr$rrr resource_typerrr<rr>r:rBr@rrCrRr\rcrfrIrIrnrrrrrrrrr[rrrr rr,r.r7r:r<r>r@rBrDrMrOrQrSrUrWrrrrrrrrrrr#rpascii_lowercaseascii_uppercaserrGrJrNrVrWriboolrQrSr; r~rerrrR s)   %  )6+>+>?Q+RS  " 4&&  4     !#% )  %7(45&%%:;/b''>? *+ & "o.% NM*  /0$##67!&  !!23  &  #   0]+ _BDh T w  w-#*L- %%l3".  $+8.  '/* R RHHV I &;&;T & 4++ 4d#($(VFFREyEP 4e$NX%NXbi,Yi,X%%]?"?"DCMC."."bm=*M M"]"Bm-&]]i$'i$XOO28N8;~;8 ;~ ;  . &XNX&Y~Y&XNX&Y~Y&HnH= = @  D   mm  - V333fmmC  4FK  S% "# ?C    @VU@VUFl+* zFr