什么是PE文件?
PE文件（可移植的可执行体）是Portable Executable的简称，常见的EXE、DLL、OCX、SYS、COM都是PE文件；PE文件是微软Windows操作系统上的程序文件（可能是被间接执行的，如DLL）。
怎么识别PE文件?
1、首先，PE文件的开头一定是MZ（0x4D5A）。
2、其次，偏移0x3C处存放的是一个文件偏移量（即如图所示的E8），该偏移量所指向位置的值应为PE（0x5045）。
代码如下:
#coding: UTF-8
import linecache,os,struct,sys
# Walk a directory tree and report the files whose DOS "MZ" and "PE" signatures check out
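def readFileChar(path):
    """Return the first two bytes of *path* as a little-endian signed short.

    For a PE file (and any DOS-stub file) these bytes are the "MZ" magic,
    which unpacks to 0x5A4D == 23117; callers compare against that constant.
    The byte order is pinned to little-endian ("<h") because the PE format
    defines it that way, regardless of the host's native order.

    Returns None (rather than a magic string) when the file cannot be opened
    or holds fewer than two bytes; the error is written to stderr so that a
    directory walk can continue past unreadable entries.
    """
    try:
        # "with" closes the handle even when read() raises; the original
        # placed close() after "return", so the handle was never closed.
        with open(path, "rb") as fileHandle:
            header = fileHandle.read(2)
    except (IOError, OSError) as e:
        sys.stderr.write("%s: %s\n" % (path, e))
        return None
    if len(header) < 2:
        # Empty or one-byte file: struct.unpack would raise struct.error.
        return None
    return struct.unpack("<h", header)[0]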
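def getShifting(path):
    """Return the 16-bit little-endian value stored at the offset that the
    DOS header's e_lfanew field (file offset 0x3C) points to.

    In a PE file that location holds the "PE\\0\\0" signature; its first two
    bytes unpack to 0x4550 == 17744, which is what callers compare against.

    e_lfanew is a 32-bit field, so it is read with "<I".  The original read
    it as a signed 16-bit value, which truncated any header offset above
    0xFFFF and turned offsets above 0x7FFF negative (seek() then failed and
    the file was silently reported as non-PE).

    Returns None when the file cannot be read, is too short to contain
    e_lfanew, or e_lfanew points outside the file (corrupt or truncated
    header).  I/O errors are written to stderr instead of being swallowed
    by a bare except.
    """
    try:
        # A single open serves both reads; the original re-opened the file.
        with open(path, "rb") as fileHandle:
            fileHandle.seek(0x3C, os.SEEK_SET)
            raw = fileHandle.read(4)
            if len(raw) < 4:
                return None
            e_lfanew = struct.unpack("<I", raw)[0]
            # Bound the offset against the file size before seeking, so a
            # corrupt header cannot send us past the end of the file.
            fileHandle.seek(0, os.SEEK_END)
            size = fileHandle.tell()
            if e_lfanew + 2 > size:
                return None
            fileHandle.seek(e_lfanew, os.SEEK_SET)
            sig = fileHandle.read(2)
    except (IOError, OSError) as e:
        sys.stderr.write("%s: %s\n" % (path, e))
        return None
    if len(sig) < 2:
        return None
    return struct.unpack("<h", sig)[0]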
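if __name__ == "__main__":
    # Usage: <script> <directory>
    # Walks the directory recursively and records every file whose first
    # two bytes are "MZ" and whose e_lfanew offset points at a "PE"
    # signature.  The report is written to c:\<dirname>_PEfile.txt.
    if len(sys.argv) < 2:
        sys.stderr.write("usage: %s <directory>\n" % sys.argv[0])
        sys.exit(1)
    insPath = sys.argv[1]
    # normpath strips a trailing separator so "C:\\foo\\" still names the
    # report "foo_PEfile.txt" rather than "_PEfile.txt".
    savefile = os.path.basename(os.path.normpath(insPath))
    cur_path = os.path.abspath(os.path.join("c:\\", "%s_PEfile.txt" % savefile))
    pePath = []  # names of files that passed both signature checks
    # "with" closes the report even if the walk raises part-way through.
    with open(cur_path, "w") as savefileHandle:
        for root, dirs, files in os.walk(insPath):
            for fname in files:
                # os.path.join instead of root + "\\" + fname, which produced
                # a doubled separator when root already ended with one.
                path = os.path.join(root, fname)
                # Cheap "MZ" check first; only then resolve e_lfanew.
                if readFileChar(path) != 23117:
                    continue
                if getShifting(path) == 17744:
                    pePath.append(fname)
                    print("%s is ----------------->pe file " % path)
                    savefileHandle.write(fname + "\n")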