dissect.executable.pe.pe
Module Contents
Classes
PE | PE file parser.
Section | A section in a PE file.
VirtualStream | Read from a PE file as if it's been mapped into the virtual address space.
SectionStream | A stream that reads the section data from a PE file.
- class dissect.executable.pe.pe.PE(fh: BinaryIO, virtual: bool = False)
PE file parser.
- Parameters:
fh – A file-like object of an executable.
virtual – Indicate whether to use virtual addressing instead of physical. Use this when the file has already been mapped into memory.
- fh
- virtual = False
- mz_header
- os2_header = None
- file_header = None
- optional_header = None
- vfh = None
- dos_stub
- property machine: dissect.executable.pe.c_pe.c_pe.IMAGE_FILE_MACHINE
Return the machine type of the PE file.
- property image_base: int
Return the image base address of the PE file.
- property timestamp: datetime.datetime | None
The compilation timestamp of the PE file, or None if the PE file is compiled as reproducible.
- is_pe() -> bool
Return if the file is a valid PE file.
- is_nt() -> bool
Return if the file is a valid NT executable.
- is_os2() -> bool
Return if the file is an OS/2 executable.
- is_64bit() -> bool
Return if the PE file is 64-bit (PE32+).
- is_reproducible() -> bool
Return if the PE file is reproducible (i.e. has a REPRO debug entry).
- pdb_path() -> str | None
Return the PDB path, if available.
- data_directories() -> dict[dissect.executable.pe.c_pe.c_pe.IMAGE_DIRECTORY_ENTRY, dissect.executable.pe.directory.DataDirectory]
Return all data directories.
- property exports: dissect.executable.pe.directory.ExportDirectory | None
Return the export directory, if available.
- property imports: dissect.executable.pe.directory.ImportDirectory | None
Return the import directory, if available.
- property resources: dissect.executable.pe.directory.ResourceDirectory | None
Return the resource directory, if available.
- property exceptions: dissect.executable.pe.directory.ExceptionDirectory | None
Return the exception directory, if available.
- property security: dissect.executable.pe.directory.SecurityDirectory | None
Return the security directory, if available.
- property base_relocations: dissect.executable.pe.directory.BaseRelocationDirectory | None
Return the base relocation directory, if available.
- property debug: dissect.executable.pe.directory.DebugDirectory | None
Return the debug directory, if available.
- property global_pointer: int
Return the global pointer address, if available.
- property tls: dissect.executable.pe.directory.TlsDirectory | None
Return the TLS (Thread Local Storage) directory, if available.
- property load_config: dissect.executable.pe.directory.LoadConfigDirectory | None
Return the load config directory, if available.
- property bound_import: dissect.executable.pe.directory.BoundImportDirectory | None
Return the bound import directory, if available.
- property iat: dissect.executable.pe.directory.IatDirectory | None
Return the import address table (IAT) directory, if available.
- property delay_import: dissect.executable.pe.directory.DelayImportDirectory | None
Return the delay import directory, if available.
- property com_descriptor: dissect.executable.pe.directory.ComDescriptorDirectory | None
Return the COM descriptor directory, if available.
- va_to_rva(va: int) -> int
Return the relative virtual address (RVA) of the given virtual address (VA).
- open() -> VirtualStream
Return a stream of the virtual address space of the PE file.
- class dissect.executable.pe.pe.Section(pe: PE, header: dissect.executable.pe.c_pe.c_pe.IMAGE_SECTION_HEADER)
A section in a PE file.
- pe
- header
- __repr__() -> str
- classmethod from_fh(pe: PE, fh: BinaryIO) -> None
Read a section header from the file-like object.
- Parameters:
pe – The PE object to which this section belongs.
fh – The file-like object from which to read the section header.
- open() -> dissect.util.stream.RangeStream
Return a stream for the section data.
- property name: str
Return the name of the section.
- property virtual_size: int
Return the virtual size of the section.
- Returns:
The virtual size of the section as an int.
- property virtual_address: int
Return the virtual address of the section.
- Returns:
The virtual address of the section as an int.
- property raw_size: int
Return the raw size of the section.
- Returns:
The raw size of the section as an int.
- property pointer_to_raw_data: int
Return the pointer to raw data of the section.
- Returns:
The pointer to raw data of the section as an int.
- class dissect.executable.pe.pe.VirtualStream(pe: PE)
Bases: dissect.util.stream.AlignedStream
Read from a PE file as if it's been mapped into the virtual address space.
- pe
- class dissect.executable.pe.pe.SectionStream(section: Section)
Bases: dissect.util.stream.AlignedStream
A stream that reads the section data from a PE file.
- section