`dissect.executable`¶

Subpackages¶

Submodules¶

dissect.executable.exception

Package Contents¶

Classes¶

`ELF`
`PE`	PE file parser.

class dissect.executable.ELF(fh: BinaryIO)¶

fh¶

e_ident¶

c_elf¶

header¶

segments¶

sections¶

symbol_tables: list[SymbolTable]¶

__repr__() → str¶

dump() → bytes¶

property dynamic: bool¶

class dissect.executable.PE(fh: BinaryIO, virtual: bool = False)¶

PE file parser.

Parameters:

fh – A file-like object of an executable.
virtual – Indicate whether to use virtual addressing instead of physical. Use this when the file has already been mapped into memory.

fh¶

virtual = False¶

mz_header¶

os2_header = None¶

file_header = None¶

optional_header = None¶

sections: list[Section] = []¶

vfh = None¶

dos_stub¶

property machine: dissect.executable.pe.c_pe.c_pe.IMAGE_FILE_MACHINE¶: Return the machine type of the PE file.

property image_base: int¶: Return the image base address of the PE file.

property timestamp: datetime.datetime | None¶: The compilation timestamp of the PE file, or None if the PE file is compiled as reproducible.

is_pe() → bool¶: Return if the file is a valid PE file.

is_nt() → bool¶: Return if the file is a valid NT executable.

is_os2() → bool¶: Return if the file is an OS/2 executable.

is_64bit() → bool¶: Return if the PE file is 64-bit (PE32+).

is_reproducible() → bool¶: Return if the PE file is reproducible (i.e. has a REPRO debug entry).

pdb_path() → str | None¶: Return the PDB path, if available.

data_directories() → dict[dissect.executable.pe.c_pe.c_pe.IMAGE_DIRECTORY_ENTRY, dissect.executable.pe.directory.DataDirectory]¶: Return all data directories.

property exports: dissect.executable.pe.directory.ExportDirectory | None¶: Return the export directory, if available.

property imports: dissect.executable.pe.directory.ImportDirectory | None¶: Return the import directory, if available.

property resources: dissect.executable.pe.directory.ResourceDirectory | None¶: Return the resource directory, if available.

property exceptions: dissect.executable.pe.directory.ExceptionDirectory | None¶: Return the exception directory, if available.

property security: dissect.executable.pe.directory.SecurityDirectory | None¶: Return the security directory, if available.

property base_relocations: dissect.executable.pe.directory.BaseRelocationDirectory | None¶: Return the base relocation directory, if available.

property debug: dissect.executable.pe.directory.DebugDirectory | None¶: Return the debug directory, if available.

property global_pointer: int¶: Return the global pointer address, if available.

property tls: dissect.executable.pe.directory.TlsDirectory | None¶: Return the TLS (Thread Local Storage) directory, if available.

property load_config: dissect.executable.pe.directory.LoadConfigDirectory | None¶: Return the load config directory, if available.

property bound_import: dissect.executable.pe.directory.BoundImportDirectory | None¶: Return the bound import directory, if available.

property iat: dissect.executable.pe.directory.IatDirectory | None¶: Return the import address table (IAT) directory, if available.

property delay_import: dissect.executable.pe.directory.DelayImportDirectory | None¶: Return the delay import directory, if available.

property com_descriptor: dissect.executable.pe.directory.ComDescriptorDirectory | None¶: Return the COM descriptor directory, if available.

va_to_rva(va: int) → int¶: Return the relative virtual address (RVA) of the given virtual address (VA).

open() → VirtualStream¶: Return a stream of the virtual address space of the PE file.