Module pychrysalide.format.pe
Documentation
This module provides support for the Portable Executable file format defined by Microsoft.
The specification for this format can be found at:
Classes
Class PeExportedRoutine
The PeExportedRoutine is a definition of a binary routine exported for other PE file.
The object can be compared using rich methods (like <= or !=) and produce an "informal" string representation of itself with a call to str().
Hierarchy
builtins.object ╰── gi._gi.GObject ╰── pychrysalide.format.BinSymbol ╰── pychrysalide.analysis.BinRoutine ╰── pychrysalide.format.pe.PeExportedRoutine
Implements:
Known subclass: pychrysalide.format.pe.PeImportedRoutine
Attributes
ordinal
Ordinal number linked to the symbol.
The returned integer value is valid only if the HAS_ORDINAL bit is set in the symbol flags.
This bit is automatically set when the value is defined.
Constants
OrdinalValue
Extra value for exported PE routine ordinals.
| 65535 | = 0xffff |
PeSymbolFlag
Extra indications for exported PE routine symbols.
| 4 | = 0x4 |
| 8 | = 0x8 |
Class PeFormat
The PeFormat class handles executables with a Portable Executable structure.
Instances can be created using the following constructor:
PeFormat(content)
Where content points to data as a BinContent instance.
Hierarchy
builtins.object ╰── gi._gi.GObject ╰── pychrysalide.format.KnownFormat ╰── pychrysalide.format.BinFormat ╰── pychrysalide.format.ExeFormat ╰── pychrysalide.format.pe.PeFormat
Implements: pychrysalide.analysis.storage.SerializableObject
Attributes
comp_ids
Compiler identifiers carried by the Rich header of the file format.
This property is a tuple of StructObject items or an empty tuple if no information is found.
Each item contains the the following properties :
- minor_cv;
- prod_id;
- count.
directories
Shortcut to the PE format directories.
This property is a StructObject instance and can also be access trough the self.nt_headers.data_directory attribute.
Each returned item is composed of the following properties :
- virtual_address;
- size.
dos_header
MS-DOS header of the file format.
This property is a StructObject instance.
The provided information is composed of the following properties :
- e_magic;
- e_cblp;
- e_cp;
- e_crlc;
- e_cparhdr;
- e_minalloc;
- e_maxalloc;
- e_ss;
- e_sp;
- e_csum;
- e_ip;
- e_cs;
- e_lfarlc;
- e_ovno;
- e_res;
- e_oemid;
- e_oeminfo;
- e_res2;
- e_lfanew.
rich_header
Raw values from the Rich header of the file format.
This property is a tuple of 64-bit values or an empty tuple if no Rich header exists in the PE file.
rich_header_checksum
Checksum used as XOR value for the Rich header of the file format.
This property is a 32-bit integer value.
Constants
ImageDirectoryEntry
Index number for a kind of data directory entry.
| 0 | = 0 |
| 1 | = 1 |
| 2 | = 2 |
| 3 | = 3 |
| 4 | = 4 |
| 5 | = 5 |
| 6 | = 6 |
| 7 | = 7 |
| 8 | = 8 |
| 9 | = 9 |
| 10 | = 10 |
| 11 | = 11 |
| 12 | = 12 |
| 13 | = 13 |
| 14 | = 14 |
Class PeImportedRoutine
The PeImportedRoutine is a definition of a binary routine imported from other PE file symbol.
The object can be compared using rich methods (like <= or !=) and produce an "informal" string representation of itself with a call to str().
Hierarchy
builtins.object ╰── gi._gi.GObject ╰── pychrysalide.format.BinSymbol ╰── pychrysalide.analysis.BinRoutine ╰── pychrysalide.format.pe.PeExportedRoutine ╰── pychrysalide.format.pe.PeImportedRoutine
Implements:
Attributes
index
Position of the symbol inside the importations table.
The returned value is an integer.
library
Imported DLL's name for the symbol.
The returned value is a string.