python—pefile
pefile可以解析、读取或修改PE文件。
github地址: https://github.com/erocarrera/pefile/
一些示例地址: https://github.com/erocarrera/pefile/blob/wiki/UsageExamples.md
安装: pip3 install pefile
简单使用
修改PE:
# coding:utf8
import pefile
exe_sample = pefile.PE('test.exe')
# 输出基址,如: 0x400000
print(exe_sample.NT_HEADERS.OPTIONAL_HEADER.ImageBase)
# 输出一个导入表项的函数名
print(exe_sample.DIRECTORY_ENTRY_IMPORT[1].imports[0].name)
# 修改一个导入表项的函数名
exe_sample.DIRECTORY_ENTRY_IMPORT[1].imports[0].name = 'GoodEvening\x00' # 使用\x00截断
# 将修改的PE写入到新文件
exe_sample.write(filename='new_test.exe')
# 关闭文件句柄 原来的文件不会被修改
exe_sample.close()
获取.data数据:
# coding:utf8
from pefile import PE
def get_data(the_path):
the_pe = PE(the_path)
for section in the_pe.sections:
if section.Name.startswith(b'.data\x00'):
data = section.get_data()
the_pe.close()
return data
the_pe.close()
return None
获取特定资源数据:
import pefile
def get_resource_data(the_path):
the_pe = pefile.PE(the_path)
if hasattr(the_pe, 'DIRECTORY_ENTRY_RESOURCE'):
rt_rcdata_resource_type_id = pefile.RESOURCE_TYPE['RT_RCDATA']
for resource_entry in the_pe.DIRECTORY_ENTRY_RESOURCE.entries:
if resource_entry.id != rt_rcdata_resource_type_id:
continue
for rt_rcdata_entry in resource_entry.directory.entries:
if rt_rcdata_entry.name.string != b'SETTINGS':
continue
settings_entry = rt_rcdata_entry.directory.entries[0]
data_rva = settings_entry.data.struct.OffsetToData
size = settings_entry.data.struct.Size
data = the_pe.get_memory_mapped_image()[data_rva:data_rva+size]
the_pe.close()
return data
the_pe.close()
return
2019/10/30
慢慢适应: https://www.cnblogs.com/-rvy-/p/16746716.html
2012
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
