dissect.executable.pe.directory
Submodules
- dissect.executable.pe.directory.base
- dissect.executable.pe.directory.basereloc
- dissect.executable.pe.directory.bound_import
- dissect.executable.pe.directory.com_descriptor
- dissect.executable.pe.directory.debug
- dissect.executable.pe.directory.delay_import
- dissect.executable.pe.directory.exception
- dissect.executable.pe.directory.export
- dissect.executable.pe.directory.iat
- dissect.executable.pe.directory.imports
- dissect.executable.pe.directory.load_config
- dissect.executable.pe.directory.resource
- dissect.executable.pe.directory.security
- dissect.executable.pe.directory.tls
Package Contents
Classes
DataDirectory | Base class for PE data directories.
BaseRelocationDirectory | The base relocation directory of a PE file.
BoundImportDirectory | The bound import directory of a PE file.
ComDescriptorDirectory | The COM descriptor directory of a PE file.
DebugDirectory | The debug directory of a PE file.
DelayImportDirectory | The delay import directory of a PE file.
ExceptionDirectory | The exception directory of a PE file.
ExportDirectory | The export directory of a PE file.
IatDirectory | The import address table (IAT) directory of a PE file.
ImportDirectory | The import directory of a PE file.
ImportFunction | A function imported from a module.
ImportModule | A module imported by a PE file, containing its functions.
LoadConfigDirectory | The load configuration directory of a PE file.
ResourceDataEntry | A resource data entry in a PE file.
ResourceDirectory | The resource directory of a PE file.
ResourceDirectoryEntry | A resource directory entry in a PE file.
ResourceEntry | Base class for resource entries in a PE file.
SecurityDirectory | The security directory of a PE file.
TlsDirectory | The TLS (Thread Local Storage) directory of a PE file.
- class dissect.executable.pe.directory.DataDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Base class for PE data directories.
  - pe
  - address
  - size
  - __repr__() -> str
- class dissect.executable.pe.directory.BaseRelocationDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The base relocation directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __iter__() -> collections.abc.Iterator[BaseRelocation]
  - __getitem__(idx: int) -> BaseRelocation
  - property entries: list[BaseRelocation]
    List of base relocation entries.
- class dissect.executable.pe.directory.BoundImportDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The bound import directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __getitem__(idx: str | int) -> BoundImportModule
  - __contains__(name: str) -> bool
  - property modules: list[BoundImportModule]
    List of bound imported modules.
- class dissect.executable.pe.directory.ComDescriptorDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The COM descriptor directory of a PE file.
  - property descriptor: dissect.executable.pe.c_pe.c_pe.IMAGE_COR20_HEADER
    The CLR 2.0 header descriptor.
  - property metadata: ComMetadata
    The COM metadata directory.
- class dissect.executable.pe.directory.DebugDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The debug directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __iter__() -> collections.abc.Iterator[DebugEntry]
  - __getitem__(idx: int) -> DebugEntry
  - property entries: list[DebugEntry]
    List of debug entries in the debug directory.
- class dissect.executable.pe.directory.DelayImportDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The delay import directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __getitem__(idx: str | int) -> DelayImportModule
  - __contains__(name: str) -> bool
  - property modules: list[DelayImportModule]
    List of delay imported modules.
- class dissect.executable.pe.directory.ExceptionDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The exception directory of a PE file.
  Currently only shows the raw exception entries.
  - __repr__() -> str
  - __len__() -> int
  - __iter__() -> collections.abc.Iterator[dissect.executable.pe.c_pe.c_pe.IMAGE_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM64_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_CE_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_MIPS_RUNTIME_FUNCTION_ENTRY]
  - __getitem__(idx: int) -> dissect.executable.pe.c_pe.c_pe.IMAGE_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM64_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_CE_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_MIPS_RUNTIME_FUNCTION_ENTRY
  - property entries: list[dissect.executable.pe.c_pe.c_pe.IMAGE_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM64_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ALPHA_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_ALPHA64_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_CE_RUNTIME_FUNCTION_ENTRY | dissect.executable.pe.c_pe.c_pe.IMAGE_MIPS_RUNTIME_FUNCTION_ENTRY]
    List of exception entries.
- class dissect.executable.pe.directory.ExportDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The export directory of a PE file.
  - __repr__() -> str
  - __iter__() -> collections.abc.Iterator[ExportFunction]
  - __getitem__(idx: str | int) -> ExportFunction
  - __contains__(idx: str | int) -> bool
  - property header: dissect.executable.pe.c_pe.c_pe.IMAGE_EXPORT_DIRECTORY
    The export directory header.
  - property timestamp: datetime.datetime | None
    The timestamp of the export directory, or None if the PE file is compiled as reproducible.
  - property name: str | None
    The name of the export directory, if available.
  - property base: int
    The base ordinal of the exported functions.
  - property functions: list[ExportFunction]
    List of exported functions.
- class dissect.executable.pe.directory.IatDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The import address table (IAT) directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __iter__() -> collections.abc.Iterator[int]
  - __getitem__(idx: int) -> int
  - property entries: list[int]
    List of addresses in the import address table.
- class dissect.executable.pe.directory.ImportDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The import directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __getitem__(idx: str | int) -> ImportModule
  - __contains__(name: str) -> bool
  - property modules: list[ImportModule]
    List of imported modules.
- class dissect.executable.pe.directory.ImportFunction(module: ImportModule, lookup_thunk: dissect.executable.pe.c_pe.c_pe.IMAGE_THUNK_DATA32 | dissect.executable.pe.c_pe.c_pe.IMAGE_THUNK_DATA64, address_thunk: dissect.executable.pe.c_pe.c_pe.IMAGE_THUNK_DATA32 | dissect.executable.pe.c_pe.c_pe.IMAGE_THUNK_DATA64)
  A function imported from a module.
  - module
  - lookup_thunk
  - address_thunk
  - address
  - __repr__() -> str
- class dissect.executable.pe.directory.ImportModule(pe: dissect.executable.pe.pe.PE, descriptor: dissect.executable.pe.c_pe.c_pe.IMAGE_IMPORT_DESCRIPTOR)
  A module imported by a PE file, containing its functions.
  - pe
  - descriptor
  - __repr__() -> str
  - __iter__() -> collections.abc.Iterator[ImportFunction]
  - __getitem__(idx: str | int) -> ImportFunction
  - __contains__(idx: str | int) -> bool
  - property timestamp: datetime.datetime | None
    The timestamp of this import module, or None if the PE file is compiled as reproducible.
  - property name: str
    The name of the imported module.
  - property functions: list[ImportFunction]
    List of functions imported from this module.
- class dissect.executable.pe.directory.LoadConfigDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The load configuration directory of a PE file.
  - property config: dissect.executable.pe.c_pe.c_pe.IMAGE_LOAD_CONFIG_DIRECTORY32 | dissect.executable.pe.c_pe.c_pe.IMAGE_LOAD_CONFIG_DIRECTORY64
    The load configuration directory header.
  - property timestamp: datetime.datetime | None
    The timestamp of the load configuration directory, or None if the PE file is compiled as reproducible.
  - property security_cookie: int
    The security cookie address.
  - property guard_flags: dissect.executable.pe.c_pe.c_pe.IMAGE_GUARD
    The guard flags.
  - property chpe: dissect.executable.pe.c_pe.c_pe.IMAGE_ARM64EC_METADATA | dissect.executable.pe.c_pe.c_pe.IMAGE_ARM64EC_METADATA_V2 | dissect.executable.pe.c_pe.c_pe.IMAGE_CHPE_METADATA_X86 | None
    The CHPE (Compiled Hybrid Portable Executable) metadata.
- class dissect.executable.pe.directory.ResourceDataEntry(rsrc: ResourceDirectory, address: int)
  Bases: ResourceEntry
  A resource data entry in a PE file.
  - __repr__() -> str
  - property entry: dissect.executable.pe.c_pe.c_pe.IMAGE_RESOURCE_DATA_ENTRY
    The resource data entry structure.
  - property offset_to_data: int
    The offset to the resource data in the file.
  - property size: int
    The size of the resource data.
  - property code_page: int
    The code page of the resource data.
  - open() -> dissect.util.stream.RangeStream
    Open the resource data as a stream.
- class dissect.executable.pe.directory.ResourceDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The resource directory of a PE file.
  This class provides a higher-level interface to access resources in a PE file. If you wish to access the raw resource directory structure, you can traverse it with the tree attribute.
  - tree
  - __repr__() -> str
  - __len__() -> int
  - __getitem__(idx: int | str | dissect.executable.pe.c_pe.c_pe.RT) -> list[Resource] | None
    Get a resource by index or type.
    - Parameters:
      idx – The index of the resource to get, which can be an integer, a string (resource type name), or a member of the c_pe.RT enum. Integers refer to the index in the resources list, while strings and enum members refer to the resource type.
  - __contains__(idx: str | dissect.executable.pe.c_pe.c_pe.RT) -> bool
  - get(type: int | str | dissect.executable.pe.c_pe.c_pe.RT) -> list[Resource] | None
    Get all resources of a specific type.
    - Parameters:
      type – The type of the resource (e.g. c_pe.RT.ICON). Integers can also be used to refer to resource types by their numeric value, or strings to refer to resource types by their name.
  - find(type: int | str | dissect.executable.pe.c_pe.c_pe.RT, name: str | int) -> Resource | None
    Find a specific resource by type and name.
    - Parameters:
      type – The type of the resource (e.g. c_pe.RT.ICON). Integers can also be used to refer to resource types by their numeric value, or strings to refer to resource types by their name.
      name – The name of the resource, which can be a string or an integer ID.
  - property cursor: list[Resource] | None
    Return a list of hardware-dependent cursor resources, if available.
  - property icon: list[Resource] | None
    Return a list of hardware-dependent icon resources, if available.
    Return a list of menu resources, if available.
  - string_table(language: str | int | None = None) -> dict[int, str]
    Return the parsed string table for a specific language.
    - Parameters:
      language – The language of the string table to return. If None, the first available language is used.
  - property accelerator: list[Resource] | None
    Return a list of accelerator table resources, if available.
  - accelerator_table(language: str | int | None = None) -> dict[int, str]
    Return the parsed accelerator table for a specific language.
    - Parameters:
      language – The language of the version information to return. If None, the first available language is used.
  - property rcdata: list[Resource] | None
    Return a list of application-defined (raw data) resources, if available.
  - property message_table: list[Resource] | None
    Return a list of message table resources, if available.
  - property group_cursor: list[Resource] | None
    Return a list of hardware-independent group cursor resources, if available.
  - property group_icon: list[Resource] | None
    Return a list of hardware-independent group icon resources, if available.
  - vs_version_info(language: str | int | None = None) -> dict | None
    Return the parsed version information for a specific language.
    - Parameters:
      language – The language of the version information to return. If None, the first available language is used.
  - property dialog_include: list[Resource] | None
    Return a list of dialog include resources, if available.
  - property plug_and_play: list[Resource] | None
    Return a list of plug and play resources, if available.
  - property animated_cursor: list[Resource] | None
    Return a list of animated cursor resources, if available.
- class dissect.executable.pe.directory.ResourceDirectoryEntry(rsrc: ResourceDirectory, address: int)
  Bases: ResourceEntry
  A resource directory entry in a PE file.
  - __repr__() -> str
  - property entry: dissect.executable.pe.c_pe.c_pe.IMAGE_RESOURCE_DIRECTORY
    The resource directory entry structure.
  - property timestamp: datetime.datetime | None
    The timestamp of this resource directory, or None if the PE file is compiled as reproducible.
  - get(name: int | str | dissect.executable.pe.c_pe.c_pe.RT) -> ResourceDataEntry | ResourceDirectoryEntry | None
    Get a resource entry by name.
  - listdir() -> dict[int | str, ResourceEntry]
    Return a dictionary of the entries in this resource directory.
  - iterdir() -> collections.abc.Iterator[tuple[int | str, ResourceDataEntry | ResourceDirectoryEntry]]
    Iterate over the entries in this resource directory.
- class dissect.executable.pe.directory.ResourceEntry(rsrc: ResourceDirectory, address: int)
  Base class for resource entries in a PE file.
  - rsrc
  - address
  - abstract property entry: dissect.executable.pe.c_pe.c_pe.IMAGE_RESOURCE_DATA_ENTRY
- class dissect.executable.pe.directory.SecurityDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The security directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __iter__() -> collections.abc.Iterator[Certificate]
  - __getitem__(idx: int) -> Certificate
  - property entries: list[Certificate]
    List of certificates in the security directory.
- class dissect.executable.pe.directory.TlsDirectory(pe: dissect.executable.pe.pe.PE, address: int, size: int)
  Bases: dissect.executable.pe.directory.base.DataDirectory
  The TLS (Thread Local Storage) directory of a PE file.
  - __repr__() -> str
  - __len__() -> int
  - __iter__() -> collections.abc.Iterator[int]
  - __getitem__(idx: int) -> int
  - property header: dissect.executable.pe.c_pe.c_pe.IMAGE_TLS_DIRECTORY32 | dissect.executable.pe.c_pe.c_pe.IMAGE_TLS_DIRECTORY64
    The TLS directory header.
  - property callbacks: list[int]
    List of callback addresses.