1 #! /usr/bin/env python2.7
2 #3 #Author: Pat Litke (C) 2014
4 #5 #This code is free software: you can redistribute it and/or modify
6 #it under the terms of the GNU Affero General Public License as
7 #published by the Free Software Foundation, either version 3 of the
8 #License, or (at your option) any later version.
9 #10 #This code is distributed in the hope that it will be useful,
11 #but WITHOUT ANY WARRANTY; without even the implied warranty of
12 #MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 #GNU General Public License for more details.
14 #15 #You should have received a copy of the GNU Affero General Public License
16 #along with Baku. If not, see .
17 #18 #Description:
19 #Quick and dirty module to read a binary file, look at the DOS header for the PE offset
20 #Seek to the PE offset, read the third DWORD in, unpack it, and return either EPOCH or GMTIMEs
21 #22 #Returns 1 if the file doesn't have a DOS header
23 #Returns 2 if file couldn't be read
24 #Returns the data in epoch or formatted otherwise
25
26 from struct importunpack27 from binascii importhexlify28 from time importgmtime, strftime29
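def getEpoch(filePath, epoch=True):
    """Return the PE header TimeDateStamp of *filePath*.

    The DOS header is checked for the ``MZ`` magic, the PE header offset
    (``e_lfanew``, the little-endian DWORD at offset 60) is read, the
    ``PE\\0\\0`` signature at that offset is verified, and the third DWORD
    of the PE header (TimeDateStamp, at offset + 8) is unpacked as an
    unsigned 32-bit little-endian value.

    Args:
        filePath: path of the file to inspect.
        epoch: when True return the raw stamp as an int; otherwise return
            it formatted in UTC as ``YYYY-mm-dd HH:MM:SS``.

    Returns:
        1 if the file is not a PE (no ``MZ`` magic, no ``PE\\0\\0`` signature
        at e_lfanew, or truncated before the timestamp); 2 if the file
        could not be opened or read; otherwise the timestamp (int or str).

    Note:
        The status codes share the int range with real timestamps, so a
        caller cannot tell a genuine TimeDateStamp of 1 or 2 from a status
        code; compare against the file another way if that matters.
    """
    try:
        with open(filePath, 'rb') as handle:
            # Without the DOS magic there is no e_lfanew to trust.
            if handle.read(2) != b'MZ':
                return 1

            # e_lfanew lives at offset 60; a short read means the file is
            # truncated inside the DOS header.
            handle.seek(60, 0)
            raw_offset = handle.read(4)
            if len(raw_offset) != 4:
                return 1
            offset = unpack('<L', raw_offset)[0]

            # PE header: 4-byte signature, then the COFF header whose
            # TimeDateStamp is the second DWORD, i.e. offset + 8. Reading
            # all 12 bytes at once lets one length check cover an
            # e_lfanew that points past EOF in a malformed file.
            handle.seek(offset, 0)
            header = handle.read(12)
    except (IOError, OSError):
        return 2

    # Reject a bogus e_lfanew instead of returning whatever bytes sit there.
    if len(header) != 12 or header[:4] != b'PE\x00\x00':
        return 1
    t = unpack('<L', header[8:12])[0]

    if epoch:
        return t
    return strftime('%Y-%m-%d %H:%M:%S', gmtime(float(t)))

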
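def getUTC(filePath):
    """Return the PE timestamp of *filePath* as a UTC ``YYYY-mm-dd HH:MM:SS`` string.

    Thin wrapper around :func:`getEpoch` with ``epoch=False``; the int
    status codes 1 (not a PE) and 2 (unreadable) are passed through as-is.
    """
    # Forward the parameter under its declared name (a lowercase
    # ``filepath`` would be an unbound name here).
    return getEpoch(filePath, False)
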
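def getBoth(filePath):
    """Return ``[epoch_int, utc_string]`` for the PE timestamp of *filePath*.

    Each element is the corresponding :func:`getEpoch` result, so a file
    that is not a PE yields ``[1, 1]`` and an unreadable one ``[2, 2]``.
    The file is opened and parsed twice, once per representation.
    """
    # Forward the parameter under its declared name (a lowercase
    # ``filepath`` would be an unbound name here).
    return [getEpoch(filePath), getEpoch(filePath, False)]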