a ,2a.@sdZdZdZdZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddlm Z ddl mZddl mZdd l mZdd l mZddlZddlZddlZed ed eZdddZeddddZeddddZddZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)d Z*d!Z+d"Z,d#Z-d$Z.d%Z/d&Z0d'Z1d(Z2d)Z3d*d+Z4gd,Z5e4e5Z6gd-Z7e4e7Z8gd.Z9e4e9Z:gd/Z;e4e;Zgd1Z?e4e?Z@gd2ZAe4eAZBgd3ZCe4eCZDdZEgd4ZFe4eFZGgd5ZHe4eHZIdZJd6ZKd7ZLd8ZMd9ZNd:ZOd;ZPdZSgd?ZTe4eTZUgd@ZVe4eVZWgdAZXe4eXZYeZeXZYeXD].\Z[Z\e\eYvrzeYe\]e[n e[geYe\<qXdBdCZ^dDdEZ_dFdGZ`dHdIZadJdKZbdLdMZcGdNdOdOZdGdPdQdQeeZfGdRdSdSZgd6d6d6d6d7d7d9d9d9d9d9d z Ero Carreraz2021.9.3zero.carrera@gmail.comN)Counter)sha1)sha256)sha512)md5backslashreplace_backslashreplaceFcs"|stSfdd}|S)Ncs*t|t|fdd}|S)Ncst|i|SN)copymodcopy)argskwargsZ cached_funcW/home/tom/ab/renpy-build/tmp/install.linux-x86_64/lib/python3.9/site-packages/pefile.pywrapper9sz-lru_cache..decorator..wrapper) functools lru_cachewraps)frmaxsizetypedrr decorator6szlru_cache..decorator)rr)rrr rrrrr2s  r)rcCs|tkr |St|ddS)N)FILE_ALIGNMENT_HARDCODED_VALUEint)valfile_alignmentrrrcache_adjust_FileAlignmentCsr!cCs,|dkr |}|r(||r(|t||S|S)N)r)rsection_alignmentr rrrcache_adjust_SectionAlignmentJs  r$cCs0z|d}Wnty*|d}Yn0|S)Nr)count TypeError)datar&rrr count_zeroesZs  r) r iMZiZMiNEiLEiLXiVZiPEli i cCstdd|D|S)NcSsg|]}|d|dfqS)rr).0errr z two_way_dict..)dict)pairsrrr two_way_dictsr7))IMAGE_DIRECTORY_ENTRY_EXPORTr)IMAGE_DIRECTORY_ENTRY_IMPORTr0)IMAGE_DIRECTORY_ENTRY_RESOURCE)IMAGE_DIRECTORY_ENTRY_EXCEPTION)IMAGE_DIRECTORY_ENTRY_SECURITY)IMAGE_DIRECTORY_ENTRY_BASERELOC)IMAGE_DIRECTORY_ENTRY_DEBUG)ZIMAGE_DIRECTORY_ENTRY_COPYRIGHT)ZIMAGE_DIRECTORY_ENTRY_GLOBALPTR)IMAGE_DIRECTORY_ENTRY_TLS )!IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG )"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT )ZIMAGE_DIRECTORY_ENTRY_IAT )"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT )Z$IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)ZIMAGE_DIRECTORY_ENTRY_RESERVED))ZIMAGE_FILE_RELOCS_STRIPPEDr0)IMAGE_FILE_EXECUTABLE_IMAGEr;)ZIMAGE_FILE_LINE_NUMS_STRIPPEDr?)ZIMAGE_FILE_LOCAL_SYMS_STRIPPEDrE)ZIMAGE_FILE_AGGRESIVE_WS_TRIMr.)ZIMAGE_FILE_LARGE_ADDRESS_AWAREr-)ZIMAGE_FILE_16BIT_MACHINE@)ZIMAGE_FILE_BYTES_REVERSED_LOr )ZIMAGE_FILE_32BIT_MACHINE)ZIMAGE_FILE_DEBUG_STRIPPEDr)Z"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP)ZIMAGE_FILE_NET_RUN_FROM_SWAPr)ZIMAGE_FILE_SYSTEMr")IMAGE_FILE_DLLr+)ZIMAGE_FILE_UP_SYSTEM_ONLY@)ZIMAGE_FILE_BYTES_REVERSED_HIr,).)ZIMAGE_SCN_TYPE_REGr)ZIMAGE_SCN_TYPE_DSECTr0)ZIMAGE_SCN_TYPE_NOLOADr;)ZIMAGE_SCN_TYPE_GROUPr?)ZIMAGE_SCN_TYPE_NO_PADrE)ZIMAGE_SCN_TYPE_COPYr.)ZIMAGE_SCN_CNT_CODEr-)ZIMAGE_SCN_CNT_INITIALIZED_DATArR)Z IMAGE_SCN_CNT_UNINITIALIZED_DATAr )ZIMAGE_SCN_LNK_OTHERrS)ZIMAGE_SCN_LNK_INFOr)ZIMAGE_SCN_LNK_OVERrT)ZIMAGE_SCN_LNK_REMOVEr)ZIMAGE_SCN_LNK_COMDATr")ZIMAGE_SCN_MEM_PROTECTEDrV)ZIMAGE_SCN_NO_DEFER_SPEC_EXCrV)ZIMAGE_SCN_GPRELr,)ZIMAGE_SCN_MEM_FARDATAr,)ZIMAGE_SCN_MEM_SYSHEAP)ZIMAGE_SCN_MEM_PURGEABLE)ZIMAGE_SCN_MEM_16BITrX)ZIMAGE_SCN_MEM_LOCKEDi)ZIMAGE_SCN_MEM_PRELOADi)ZIMAGE_SCN_ALIGN_1BYTESr*)ZIMAGE_SCN_ALIGN_2BYTESi )ZIMAGE_SCN_ALIGN_4BYTESi0)ZIMAGE_SCN_ALIGN_8BYTESi@)ZIMAGE_SCN_ALIGN_16BYTESiP)ZIMAGE_SCN_ALIGN_32BYTESi`)ZIMAGE_SCN_ALIGN_64BYTESip)ZIMAGE_SCN_ALIGN_128BYTESi)ZIMAGE_SCN_ALIGN_256BYTESi)ZIMAGE_SCN_ALIGN_512BYTESi)ZIMAGE_SCN_ALIGN_1024BYTESi)ZIMAGE_SCN_ALIGN_2048BYTESi)ZIMAGE_SCN_ALIGN_4096BYTESi)ZIMAGE_SCN_ALIGN_8192BYTESi)ZIMAGE_SCN_ALIGN_MASKi)ZIMAGE_SCN_LNK_NRELOC_OVFLi)ZIMAGE_SCN_MEM_DISCARDABLEi)ZIMAGE_SCN_MEM_NOT_CACHEDi)ZIMAGE_SCN_MEM_NOT_PAGED)ZIMAGE_SCN_MEM_SHARED)IMAGE_SCN_MEM_EXECUTEi )ZIMAGE_SCN_MEM_READi@)IMAGE_SCN_MEM_WRITEr/))ZIMAGE_DEBUG_TYPE_UNKNOWNr)ZIMAGE_DEBUG_TYPE_COFFr0)ZIMAGE_DEBUG_TYPE_CODEVIEWr;)ZIMAGE_DEBUG_TYPE_FPOr=)ZIMAGE_DEBUG_TYPE_MISCr?)ZIMAGE_DEBUG_TYPE_EXCEPTIONrA)ZIMAGE_DEBUG_TYPE_FIXUPrC)ZIMAGE_DEBUG_TYPE_OMAP_TO_SRCrD)ZIMAGE_DEBUG_TYPE_OMAP_FROM_SRCrE)ZIMAGE_DEBUG_TYPE_BORLANDrG)ZIMAGE_DEBUG_TYPE_RESERVED10rI)ZIMAGE_DEBUG_TYPE_CLSIDrK)ZIMAGE_DEBUG_TYPE_VC_FEATURErL)ZIMAGE_DEBUG_TYPE_POGOrN)ZIMAGE_DEBUG_TYPE_ILTCGrO)ZIMAGE_DEBUG_TYPE_MPXrP)ZIMAGE_DEBUG_TYPE_REPROr.)Z&IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS))ZIMAGE_SUBSYSTEM_UNKNOWNr)IMAGE_SUBSYSTEM_NATIVEr0)ZIMAGE_SUBSYSTEM_WINDOWS_GUIr;)ZIMAGE_SUBSYSTEM_WINDOWS_CUIr=)ZIMAGE_SUBSYSTEM_OS2_CUIrA)ZIMAGE_SUBSYSTEM_POSIX_CUIrD)IMAGE_SUBSYSTEM_NATIVE_WINDOWSrE)ZIMAGE_SUBSYSTEM_WINDOWS_CE_GUIrG)ZIMAGE_SUBSYSTEM_EFI_APPLICATIONrI)Z'IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVERrK)Z"IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVERrL)ZIMAGE_SUBSYSTEM_EFI_ROMrN)ZIMAGE_SUBSYSTEM_XBOXrO)Z(IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATIONr.))ZIMAGE_FILE_MACHINE_UNKNOWNr)IMAGE_FILE_MACHINE_I386iL)ZIMAGE_FILE_MACHINE_R3000ib)ZIMAGE_FILE_MACHINE_R4000if)ZIMAGE_FILE_MACHINE_R10000ih)ZIMAGE_FILE_MACHINE_WCEMIPSV2ii)ZIMAGE_FILE_MACHINE_ALPHAi)ZIMAGE_FILE_MACHINE_SH3i)ZIMAGE_FILE_MACHINE_SH3DSPi)ZIMAGE_FILE_MACHINE_SH3Ei)ZIMAGE_FILE_MACHINE_SH4i)ZIMAGE_FILE_MACHINE_SH5i)ZIMAGE_FILE_MACHINE_ARMi)ZIMAGE_FILE_MACHINE_THUMBi)ZIMAGE_FILE_MACHINE_ARMNTi)ZIMAGE_FILE_MACHINE_AM33i)ZIMAGE_FILE_MACHINE_POWERPCi)ZIMAGE_FILE_MACHINE_POWERPCFPi)IMAGE_FILE_MACHINE_IA64r)ZIMAGE_FILE_MACHINE_MIPS16if)ZIMAGE_FILE_MACHINE_ALPHA64)ZIMAGE_FILE_MACHINE_AXP64rb)ZIMAGE_FILE_MACHINE_MIPSFPUif)ZIMAGE_FILE_MACHINE_MIPSFPU16if)ZIMAGE_FILE_MACHINE_TRICOREi )ZIMAGE_FILE_MACHINE_CEFi )ZIMAGE_FILE_MACHINE_EBCi)IMAGE_FILE_MACHINE_AMD64id)ZIMAGE_FILE_MACHINE_M32RiA)ZIMAGE_FILE_MACHINE_ARM64id)ZIMAGE_FILE_MACHINE_CEEi) )IMAGE_REL_BASED_ABSOLUTEr)IMAGE_REL_BASED_HIGHr0)IMAGE_REL_BASED_LOWr;)IMAGE_REL_BASED_HIGHLOWr=)IMAGE_REL_BASED_HIGHADJr?)ZIMAGE_REL_BASED_MIPS_JMPADDRrA)ZIMAGE_REL_BASED_SECTIONrC)ZIMAGE_REL_BASED_RELrD)ZIMAGE_REL_BASED_MIPS_JMPADDR16rG)ZIMAGE_REL_BASED_IA64_IMM64rG)IMAGE_REL_BASED_DIR64rI)ZIMAGE_REL_BASED_HIGH3ADJrK))ZIMAGE_LIBRARY_PROCESS_INITr0)ZIMAGE_LIBRARY_PROCESS_TERMr;)ZIMAGE_LIBRARY_THREAD_INITr?)ZIMAGE_LIBRARY_THREAD_TERMrE)Z(IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VAr-)Z%IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASErR)Z(IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITYr )Z"IMAGE_DLLCHARACTERISTICS_NX_COMPATrS)Z%IMAGE_DLLCHARACTERISTICS_NO_ISOLATIONr)ZIMAGE_DLLCHARACTERISTICS_NO_SEHrT)Z IMAGE_DLLCHARACTERISTICS_NO_BINDr)Z%IMAGE_DLLCHARACTERISTICS_APPCONTAINERr")Z#IMAGE_DLLCHARACTERISTICS_WDM_DRIVERr+)Z!IMAGE_DLLCHARACTERISTICS_GUARD_CFrV)Z.IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWAREr,))UNW_FLAG_EHANDLERr0)UNW_FLAG_UHANDLERr;)UNW_FLAG_CHAININFOr?))ZRAXr)ZRCXr0)ZRDXr;)ZRBXr=)ZRSPr?)ZRBPrA)ZRSIrC)ZRDIrD)ZR8rE)ZR9rG)ZR10rI)ZR11rK)ZR12rL)ZR13rN)ZR14rO)ZR15rPr0r;r=r?rArCrErGrI))Z RT_CURSORr0)Z RT_BITMAPr;)ZRT_ICONr=)ZRT_MENUr?)Z RT_DIALOGrA) RT_STRINGrC)Z RT_FONTDIRrD)ZRT_FONTrE)ZRT_ACCELERATORrG)Z RT_RCDATArI)ZRT_MESSAGETABLErK)ZRT_GROUP_CURSORrL)Z RT_GROUP_ICONrO) RT_VERSIONr.)Z RT_DLGINCLUDE)Z RT_PLUGPLAY)ZRT_VXDr])Z RT_ANICURSOR)Z RT_ANIICON)ZRT_HTML)Z RT_MANIFEST)^)Z LANG_NEUTRALr)ZLANG_INVARIANT)ZLANG_AFRIKAANS6)Z LANG_ALBANIAN)Z LANG_ARABICr0)Z LANG_ARMENIAN+)Z LANG_ASSAMESEM)Z LANG_AZERI,)Z LANG_BASQUE-)ZLANG_BELARUSIAN#)Z LANG_BENGALIE)ZLANG_BULGARIANr;)Z LANG_CATALANr=)Z LANG_CHINESEr?)Z LANG_CROATIAN)Z LANG_CZECHrA)Z LANG_DANISHrC)Z LANG_DIVEHIe)Z LANG_DUTCHrp)Z LANG_ENGLISHrG)Z LANG_ESTONIAN%)Z LANG_FAEROESE8)Z LANG_FARSI))Z LANG_FINNISHrK)Z LANG_FRENCHrL)Z LANG_GALICIANV)Z LANG_GEORGIAN7)Z LANG_GERMANrD)Z LANG_GREEKrE)Z LANG_GUJARATIG)Z LANG_HEBREWrN)Z LANG_HINDI9)ZLANG_HUNGARIANrO)ZLANG_ICELANDICrP)ZLANG_INDONESIAN!)Z LANG_ITALIANr.)Z LANG_JAPANESEro)Z LANG_KANNADAK)Z LANG_KASHMIRI`)Z LANG_KAZAK?)Z LANG_KONKANIW)Z LANG_KOREAN)Z LANG_KYRGYZrR)Z LANG_LATVIAN&)ZLANG_LITHUANIAN')ZLANG_MACEDONIAN/)Z LANG_MALAY>)ZLANG_MALAYALAML)Z LANG_MANIPURIX)Z LANG_MARATHIN)ZLANG_MONGOLIANP)Z LANG_NEPALIa)ZLANG_NORWEGIANr])Z LANG_ORIYAH)Z LANG_POLISHrq)ZLANG_PORTUGUESErr)Z LANG_PUNJABIF)Z LANG_ROMANIANrt)Z LANG_RUSSIAN)Z LANG_SANSKRITO)Z LANG_SERBIANr~)Z LANG_SINDHIY)Z LANG_SLOVAK)ZLANG_SLOVENIAN$)Z LANG_SPANISHrI)Z LANG_SWAHILIA)Z LANG_SWEDISH)Z LANG_SYRIACZ)Z LANG_TAMILI)Z LANG_TATARD)Z LANG_TELUGUJ)Z LANG_THAI)Z LANG_TURKISH)ZLANG_UKRAINIAN")Z LANG_URDUr-)Z LANG_UZBEKC)ZLANG_VIETNAMESE*)Z LANG_GAELIC<)Z LANG_MALTESE:)Z LANG_MAORI()ZLANG_RHAETO_ROMANCErs)Z LANG_SAAMI;)Z LANG_SORBIAN.)Z LANG_SUTU0)Z LANG_TSONGA1)Z LANG_TSWANA2)Z LANG_VENDA3)Z LANG_XHOSA4)Z LANG_ZULU5)ZLANG_ESPERANTO)Z LANG_WALON)Z LANG_CORNISH)Z LANG_WELSH)Z LANG_BRETON)g)ZSUBLANG_NEUTRALr)ZSUBLANG_DEFAULTr0)ZSUBLANG_SYS_DEFAULTr;)ZSUBLANG_ARABIC_SAUDI_ARABIAr0)ZSUBLANG_ARABIC_IRAQr;)ZSUBLANG_ARABIC_EGYPTr=)ZSUBLANG_ARABIC_LIBYAr?)ZSUBLANG_ARABIC_ALGERIArA)ZSUBLANG_ARABIC_MOROCCOrC)ZSUBLANG_ARABIC_TUNISIArD)ZSUBLANG_ARABIC_OMANrE)ZSUBLANG_ARABIC_YEMENrG)ZSUBLANG_ARABIC_SYRIArI)ZSUBLANG_ARABIC_JORDANrK)ZSUBLANG_ARABIC_LEBANONrL)ZSUBLANG_ARABIC_KUWAITrN)ZSUBLANG_ARABIC_UAErO)ZSUBLANG_ARABIC_BAHRAINrP)ZSUBLANG_ARABIC_QATARr.)ZSUBLANG_AZERI_LATINr0)ZSUBLANG_AZERI_CYRILLICr;)ZSUBLANG_CHINESE_TRADITIONALr0)ZSUBLANG_CHINESE_SIMPLIFIEDr;)ZSUBLANG_CHINESE_HONGKONGr=)ZSUBLANG_CHINESE_SINGAPOREr?)ZSUBLANG_CHINESE_MACAUrA)Z SUBLANG_DUTCHr0)ZSUBLANG_DUTCH_BELGIANr;)ZSUBLANG_ENGLISH_USr0)ZSUBLANG_ENGLISH_UKr;)ZSUBLANG_ENGLISH_AUSr=)ZSUBLANG_ENGLISH_CANr?)ZSUBLANG_ENGLISH_NZrA)ZSUBLANG_ENGLISH_EIRErC)ZSUBLANG_ENGLISH_SOUTH_AFRICArD)ZSUBLANG_ENGLISH_JAMAICArE)ZSUBLANG_ENGLISH_CARIBBEANrG)ZSUBLANG_ENGLISH_BELIZErI)ZSUBLANG_ENGLISH_TRINIDADrK)ZSUBLANG_ENGLISH_ZIMBABWErL)ZSUBLANG_ENGLISH_PHILIPPINESrN)ZSUBLANG_FRENCHr0)ZSUBLANG_FRENCH_BELGIANr;)ZSUBLANG_FRENCH_CANADIANr=)ZSUBLANG_FRENCH_SWISSr?)ZSUBLANG_FRENCH_LUXEMBOURGrA)ZSUBLANG_FRENCH_MONACOrC)ZSUBLANG_GERMANr0)ZSUBLANG_GERMAN_SWISSr;)ZSUBLANG_GERMAN_AUSTRIANr=)ZSUBLANG_GERMAN_LUXEMBOURGr?)ZSUBLANG_GERMAN_LIECHTENSTEINrA)ZSUBLANG_ITALIANr0)ZSUBLANG_ITALIAN_SWISSr;)ZSUBLANG_KASHMIRI_SASIAr;)ZSUBLANG_KASHMIRI_INDIAr;)ZSUBLANG_KOREANr0)ZSUBLANG_LITHUANIANr0)ZSUBLANG_MALAY_MALAYSIAr0)ZSUBLANG_MALAY_BRUNEI_DARUSSALAMr;)ZSUBLANG_NEPALI_INDIAr;)ZSUBLANG_NORWEGIAN_BOKMALr0)ZSUBLANG_NORWEGIAN_NYNORSKr;)ZSUBLANG_PORTUGUESEr;)ZSUBLANG_PORTUGUESE_BRAZILIANr0)ZSUBLANG_SERBIAN_LATINr;)ZSUBLANG_SERBIAN_CYRILLICr=)ZSUBLANG_SPANISHr0)ZSUBLANG_SPANISH_MEXICANr;)ZSUBLANG_SPANISH_MODERNr=)ZSUBLANG_SPANISH_GUATEMALAr?)ZSUBLANG_SPANISH_COSTA_RICArA)ZSUBLANG_SPANISH_PANAMArC)Z"SUBLANG_SPANISH_DOMINICAN_REPUBLICrD)ZSUBLANG_SPANISH_VENEZUELArE)ZSUBLANG_SPANISH_COLOMBIArG)ZSUBLANG_SPANISH_PERUrI)ZSUBLANG_SPANISH_ARGENTINArK)ZSUBLANG_SPANISH_ECUADORrL)ZSUBLANG_SPANISH_CHILErN)ZSUBLANG_SPANISH_URUGUAYrO)ZSUBLANG_SPANISH_PARAGUAYrP)ZSUBLANG_SPANISH_BOLIVIAr.)ZSUBLANG_SPANISH_EL_SALVADORro)ZSUBLANG_SPANISH_HONDURASr)ZSUBLANG_SPANISH_NICARAGUArp)ZSUBLANG_SPANISH_PUERTO_RICOr])ZSUBLANG_SWEDISHr0)ZSUBLANG_SWEDISH_FINLANDr;)ZSUBLANG_URDU_PAKISTANr0)ZSUBLANG_URDU_INDIAr;)ZSUBLANG_UZBEK_LATINr0)ZSUBLANG_UZBEK_CYRILLICr;)ZSUBLANG_DUTCH_SURINAMr=)ZSUBLANG_ROMANIANr0)ZSUBLANG_ROMANIAN_MOLDAVIAr;)ZSUBLANG_RUSSIANr0)ZSUBLANG_RUSSIAN_MOLDAVIAr;)ZSUBLANG_CROATIANr0)ZSUBLANG_LITHUANIAN_CLASSICr;)ZSUBLANG_GAELICr0)ZSUBLANG_GAELIC_SCOTTISHr;)ZSUBLANG_GAELIC_MANXr=cCs@t|d}t|gD]}||vr|Sqt|dgdS)N *unknown*r)LANGgetSUBLANG)Z lang_value sublang_valueZ lang_name sublang_namerrrget_sublang_name_for_langs   rcCsd}d}|t|kr|||d}t|dkr2qtd|d}|d7}|dkrd|dkrnt|krnnXz&t||||dd||<Wnty|d7}Yn0|dkrq||d7}|d7}qdS)Nrr;z.)keysrrrrretrieve_flagss rcCs0|D]&\}}||@r d|j|<qd|j|<qdS)a Will process the flags and set attributes in the object accordingly. The object "obj" will gain attributes named after the flags provided in "flags" and valued True/False, matching the results of applying each flag value from "flags" to flag_field. TFN)__dict__)objZ flag_fieldflagsrvaluerrr set_flagss  rcCs|dko||d@dkS)Nrr0r)rrrr power_of_twosrcCs"t|ttfrt|St|dS)Ncp1252)rr bytearraycodecsencode)xrrrrsrc@s`eZdZdZddZddZddZdd Zd d Zd d Z ddZ ddZ ddZ ddZ dS)!UnicodeStringWrapperPostProcessorzThis class attempts to help the process of identifying strings that might be plain Unicode or Pascal. A list of strings will be wrapped on it with the hope the overlappings will help make the decision about their type.cCs||_||_d|_dSr )perva_ptrstring)selfrrrrr__init__sz*UnicodeStringWrapperPostProcessor.__init__cCs|jS)zGet the RVA of the string.)rrrrrget_rvasz)UnicodeStringWrapperPostProcessor.get_rvacCs |ddS)z6Return the escaped UTF-8 representation of the string.utf-8r)rrrrr__str__sz)UnicodeStringWrapperPostProcessor.__str__cGs|js dS|jj|S)N)rr)rr rrrrsz(UnicodeStringWrapperPostProcessor.decodecCsd}dS)z>Make this instance None, to express it's no known string type.Nrrrrr invalidatesz,UnicodeStringWrapperPostProcessor.invalidatec CsTz |jj|jd|d|_Wn.tyN|jd|jdYn0dS)Nr; max_lengthzCFailed rendering pascal string, attempting to read from RVA 0x{0:x}) rget_string_u_at_rvarget_pascal_16_lengthr PEFormatError get_warningsappendformatrrrrrender_pascal_16s   z2UnicodeStringWrapperPostProcessor.render_pascal_16cCs ||jSr )9_UnicodeStringWrapperPostProcessor__get_word_value_at_rvarrrrrrsz6UnicodeStringWrapperPostProcessor.get_pascal_16_lengthcCsHz|j|d}Wnty&YdS0t|dkr8dStd|dS)Nr;F|jd|jYn0dS)NzDFailed rendering unicode string, attempting to read from RVA 0x{0:x})rrrrrrrrrrrrrender_unicode_16s  z3UnicodeStringWrapperPostProcessor.render_unicode_16N)__name__ __module__ __qualname____doc__rrrrrrrrrrrrrrrs   rc@s eZdZdZddZddZdS)rz"Generic PE format error exception.cCs ||_dSr )r)rrrrrr*szPEFormatError.__init__cCs t|jSr )reprrrrrrr-szPEFormatError.__str__N)rrrrrrrrrrr'src@sNeZdZdZddZdddZdddZdd d Zd d Zd dZ ddZ dS)Dumpz1Convenience class for dumping the PE information.cCs g|_dSr )textrrrrr4sz Dump.__init__rcCs|D]}|||qdS)zeAdds a list of lines. The list can be indented with the optional argument 'indent'. Nadd_line)rtxtindentlinerrr add_lines7szDump.add_linescCs||d|dS)z\Adds a line. The line can be indented with the optional argument 'indent'.  N)addrrrrrrr?sz Dump.add_linecCs|jdd||dS)z|Adds some text, no newline will be appended. The text can be indented with the optional argument 'indent'. z{0}{1} N)rrrr rrrrFszDump.addcCs|dd|dS)zAdds a header element.z {0}{1}{0} z ----------N)rr)rrrrr add_headerMszDump.add_headercCs|jddS)zAdds a newline.rN)rrrrrr add_newlineQszDump.add_newlinecCsddd|jDS)z"Get the text in its current state.rcss|]}d|VqdS){0}Nr)r1rrrr Wr4z Dump.get_text..)joinrrrrrget_textUsz Dump.get_textN)r)r)r) rrrrrrrrr r rrrrrr1s   r)rcrBhHrIrLrqQdscCsNd}|}|dtjvrBtddd|D}ddd|D}t||S)Nr0rrcSsg|]}|tjvr|qSrrdigitsr1rrrrr3sr4zsizeof_type..cSsg|]}|tjvr|qSrrrrrrr3tr4)rrrrSTRUCT_SIZEOF_TYPES)tr&Z_trrr sizeof_typems r!T)rr c sd}g}i}g}d}d}|D]}d|vr|dd\}||7}|dd} g} | D]F|vrfdd|D} | } d| | ||<q\|t|7}|| qt|}|||||fS)N.z {0}_{1:d})splitrr&rr!rcalcsize) r __format____unpacked_data_elms____field_offsets____keys____format_length__offsetelmelm_typeZ elm_namesnamesZ search_listZ occ_countrr$r set_formatxs:         r1c@seZdZdZd ddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZd!ddZddZdS)" StructurezPrepare structure object to extract members from data. Format is a list containing definitions for the elements of the structure. NcCsd|_g|_d|_i|_g|_|d}t|dts@t|d}t|\|_|_|_|_|_d|_||_ |rt||_ n |d|_ dS)Nr"rr0F) r(r+r,r*r)rtupler1__all_zeroes____file_offset__name)rrr6 file_offsetrrrrrs( zStructure.__init__cCs|jSr )r(rrrr__get_format__szStructure.__get_format__cCs|j|j|S)zLReturn the offset within the field for the requested field in the structure.)r5r*r field_namerrrget_field_absolute_offsetsz#Structure.get_field_absolute_offsetcCs |j|S)z?Return the offset within the structure for the requested field.)r*r9rrrget_field_relative_offsetsz#Structure.get_field_relative_offsetcCs|jSr r5rrrrget_file_offsetszStructure.get_file_offsetcCs ||_dSr r=rr-rrrset_file_offsetszStructure.set_file_offsetcCs|jS)z/Returns true is the unpacked data is all zeros.)r4rrrr all_zeroesszStructure.all_zeroescCs|jS)zReturn size of the structure.)r,rrrrsizeofszStructure.sizeofcCst|}t||jkr&|d|j}nt||jkrr cSsg|]}d|qS)r )rr&r1rrrrr3r4z&Structure.__repr__..rMrrrr__repr__szStructure.__repr__rc s<g}|d|jddtjD|jD]}|D]}t||}t|tt fr| drhd|}n d|}|dks|dkrz|d t t |7}Wnty|d 7}Yn0nLt|}| d rd d d|dD}nd fdd|dD}|d|j||j|j||d|fq6q,|S)z1Returns a string representation of the structure.z[{0}]cSsg|]}|tjvrt|qSr)r whitespaceordr1rrrrr3sz"Structure.dump..Z Signature_z{:<8X}z0x{:<8X} TimeDateStamp dwTimeStampz [%s UTC]z [INVALID TIME] SignaturercSsg|]}d|qS)z{:02X}rrSrrrr32r4cs&g|]}|vrt|nd|qS)z \x{0:02x})chrrrSZprintable_bytesrrr36s z0x%-8X 0x%-3X %-30s %s:)rrr6r printabler+rHrrlongrtimeasctimegmtime ValueErrorrrrstripr*r5)r indentationrNrrFrZval_strrrYrrNsJ          zStructure.dumpc Csi}|j|d<|jD]}|D]}t||}t|ttfr|dksH|dkrzd|tt|f}Wqt y~d|}Yq0nd ddd d |DD}|j ||j |j ||d ||<qq|S) z5Returns a dictionary representation of the structure.r2rTrUz0x%-8X [%s UTC]z0x%-8X [INVALID TIME]rcss,|]$}t|tjvrt|nd|VqdS)z\x%02xNrXrr[rrrrrasz&Structure.dump_dict..cSs"g|]}t|tst|n|qSrrrrRr1rrrrr3cr4z'Structure.dump_dict..)Z FileOffsetOffsetValue) r6r+rHrrr\r]r^r_r`rr*r5)r dump_dictrrFrrrrrhJs,       zStructure.dump_dict)NN)r)rrrrrr8r;r<r>r@rArBrGrLrrPrNrhrrrrr2s  7r2c@seZdZdZddZddZddZd#d d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"ZdS)$SectionStructurez#Convenience section handling class.cOs@d|vr|d|_|d=tj|g|Ri|d|_d|_dS)Nr)rr2rPointerToRawData_adjVirtualAddress_adj)rZarglZargdrrrrrs  zSectionStructure.__init__cCs2|jdur,|jdur,|j|j|jjj|_|jSr )rjPointerToRawDataradjust_FileAlignmentOPTIONAL_HEADER FileAlignmentrrrrget_PointerToRawData_adj{s    z)SectionStructure.get_PointerToRawData_adjcCs:|jdur4|jdur4|j|j|jjj|jjj|_|jSr )rkVirtualAddressradjust_SectionAlignmentrnSectionAlignmentrorrrrget_VirtualAddress_adjs  z'SectionStructure.get_VirtualAddress_adjNcCsn|dur|}n|||}|dur8||}n ||j}||j|jkr^|j|j}|jj||S)a\Get data chunk from a section. Allows to query data from the section by passing the addresses where the PE file would be loaded by default. It is then possible to retrieve code and data by their real addresses as they would be if loaded. Returns bytes() under Python 3.x and set() under Python 2.7 N)rprt SizeOfRawDatarlr__data__)rstartrr-endrrrrs      zSectionStructure.get_datacCsr|dkr ttd}t|||nDd|vrdt||rd|rN|jdt|O<n|jdt|N<||j|<dS)NCharacteristics IMAGE_SCN_)rSECTION_CHARACTERISTICSrhasattrr)rr6r section_flagsrrr __setattr__s zSectionStructure.__setattr__cCs|||Sr )rprtr?rrrget_rva_from_offsetsz$SectionStructure.get_rva_from_offsetcCs|||Sr )rtrprrrrrget_offset_from_rvasz$SectionStructure.get_offset_from_rvacCs4|jdurdS|}||ko.||jkSS)z.AccumulatorcSs(g|_d|_d|_d|_||_||_dS)N~r) _subfields_name_type _bits_left _comp_fields_format)rfmt comp_fieldsrrrrs z2set_bitfields_format..Accumulator.__init__cSsX|jdkrdS|j|jd|j|j|jf|jt|jd<d|_d|_g|_dS)Nr#r0r)rrrrrrrrrrrwrap_up)s z1set_bitfields_format..Accumulator.wrap_upcSst|d|_||_dSNrE)rrr)rtprrrnew_type2sz2set_bitfields_format..Accumulator.new_typecSs0|j|7_|j|8_|j||fdSr )rrrr)rr6Zbitcntrrr add_subfield6sz6set_bitfields_format..Accumulator.add_subfieldcSs|jSr )rrrrrget_type;sz2set_bitfields_format..Accumulator.get_typecSs|jSr )rrrrrget_name>sz2set_bitfields_format..Accumulator.get_namecSs|jSr )rrrrr get_bits_leftAsz7set_bitfields_format..Accumulator.get_bits_leftN) rrrrrrrrrrrrrr Accumulators  rr0rZr#z3Structures with bitfields do not support unions yetcSsg|]}|tjgqSr)StructureWithBitfields BTF_NAME_IDX)r1rrrrr3fr4z(set_bitfields_format..r) rrr&NotImplementedErrorrrrrrr1r3rCextend)rrZold_fmtrZacr.r/r%Zelm_bitsZ format_str_Z field_offsetsrZ format_lengthZ extended_keysrErZsbfZbf_namesnrrrset_bitfields_formatsB&       rcspeZdZdZdZdZdZdZdddZfddZ fd d Z dfd d Z fd dZ ddZ ddZZS)raV Extends Structure's functionality with support for bitfields such as: ('B:4,LowerHalf', 'B:4,UpperHalf') To this end, two lists are maintained: * self.__keys__ that contains compound fields, for example ('B,~LowerHalfUpperHalf'), and is used during packing/unpaking * self.__keys_ext__ containing a separate key for each field (ex., LowerHalf, UpperHalf) to simplify implementation of dump() This way the implementation of unpacking/packing and dump() from Structure can be reused. In addition, we create a dictionary: --> (data type, [ (subfield name, length in bits)+ ] ) that facilitates bitfield paking and unpacking. With lru_cache() creating only once instance per format string, the memory overhead is negligible. rr0NcCs\t|\|_|_|_|_|_|_ddt|jD|_d|_ ||_ |dkrN|n|d|_ dS)NcSsg|]}dqSr rrSrrrr3r4z3StructureWithBitfields.__init__..Fr) rr(r,r*r+ __keys_ext____compound_fields__ranger)r4r5r6)rrr6r7rrrrszStructureWithBitfields.__init__cstt|||dSr )superrrG_unpack_bitfield_attributesrr( __class__rrrGsz!StructureWithBitfields.__unpack__cs2|ztt|}W|n |0|Sr )_pack_bitfield_attributesrrrLrrrrrrLs zStructureWithBitfields.__pack__cs6|j}|j|_ztt||}W||_n||_0|Sr )r+rrrrN)rrbtkretrrrrNs zStructureWithBitfields.dumpcs4|j}|j|_ztt|}W||_n||_0|Sr )r+rrrrh)rrrrrrrhs z StructureWithBitfields.dump_dictcCs|jD]}|j|d}t||}t||d}|j|tjD]F}d|tj>d}||K}t||tj ||@|?||tj7}qDq dS)zaReplace compound attributes corresponding to bitfields with separate sub-fields. rr0N) rrr+rHdelattrr CF_SUBFLD_IDXBTF_BITCNT_IDXrDr)rrcf_nameZcvaloffstsfmaskrrrrs   z2StructureWithBitfields._unpack_bitfield_attributescCs|jD]|}|j|d}d\}}|j|tjD]D}d|tj>d}t||tj|@}|||>O}||tj7}q4t|||q dS)z(Pack attributes into a compound bitfieldrrrr0N) rrr+rrrrHrrD)rrrrZacc_valrrZ field_valrrrrs z0StructureWithBitfields._pack_bitfield_attributes)NN)r)rrrrrrZ CF_TYPE_IDXrrrGrLrNrhrr __classcell__rrrrrns    rcs eZdZdZfddZZS) DataContainerzGeneric data container.c s0tt|j}t|D]\}}|||qdSr )rrr~listitems)rr Z bare_setattrrFrrrrrs zDataContainer.__init__)rrrrrrrrrrrsrc@seZdZdZdS)ImportDescDatazHolds import descriptor information. dll: name of the imported DLL imports: list of imported symbols (ImportData instances) struct: IMAGE_IMPORT_DESCRIPTOR structure Nrrrrrrrrrsrc@seZdZdZddZdS) ImportDatazHolds imported symbol's information. ordinal: Ordinal of the symbol name: Name of the symbol bound: If the symbol is bound, this contains the address. cCsht|drZt|drZt|drZ|dkr|jjtkr>t}n|jjtkrNt}||d@B|j_|jj|j_ |jj|j_ |jj|j_ n|dkr|j dur||j _ |j j |j _ |j j |j _ |j j |j _ n|dkr||j_ |jj |j_|jj |j_ |jj |j_ n`|dkrZ|j rZ|j|j }|j|jd|Bt|t|jkrJtd|j|j |||j|<dS)Nordinalboundr6addressr9The export name provided is longer than the existing one.)r|rPE_TYPEOPTIONAL_HEADER_MAGIC_PEIMAGE_ORDINAL_FLAGOPTIONAL_HEADER_MAGIC_PE_PLUSIMAGE_ORDINAL_FLAG64 struct_tableOrdinal AddressOfDataFunctionForwarderString struct_iat name_offsetrset_dword_at_offsetordinal_offsetrr6rset_bytes_at_offsetr)rr6r ordinal_flagZname_rvarrrr~sL           zImportData.__setattr__Nrrrrr~rrrrrsrc@seZdZdZdS) ExportDirDatazHolds export directory information. struct: IMAGE_EXPORT_DIRECTORY structure symbols: list of exported symbols (ExportData instances)Nrrrrrr.src@seZdZdZddZdS) ExportDataadHolds exported symbols' information. ordinal: ordinal of the symbol address: address of the symbol name: name of the symbol (None if the symbol is exported by ordinal only) forwarder: if the symbol is forwarded it will contain the name of the target symbol, None otherwise. cCst|drt|drt|drt|dr|dkrB|j|j|n|dkr\|j|j|nf|dkrt|t|jkr~td|j |j |n2|dkrt|t|j krtd|j |j |||j |<dS)Nrr forwarderr6rz|d@B}n(|dkrTt||jd}|d@|d@B}||j_||j|<dS)NrtyperLrri)r|rDatarbase_rvar)rr6rwordr-rrrr~s zRelocationData.__setattr__Nrrrrrrsrc@seZdZdZdS)TlsDatazJHolds TLS information. struct: IMAGE_TLS_DIRECTORY structure Nrrrrrrsrc@seZdZdZdS)BoundImportDescDataaHolds bound import descriptor data. This directory entry will provide information on the DLLs this PE file has been bound to (if bound at all). The structure will contain the name and timestamp of the DLL at the time of binding so that the loader can know whether it differs from the one currently present in the system and must, therefore, re-bind the PE's imports. struct: IMAGE_BOUND_IMPORT_DESCRIPTOR structure name: DLL name entries: list of entries (BoundImportRefData instances) the entries will exist if this DLL has forwarded symbols. If so, the destination DLL will have an entry in this list. Nrrrrrrsrc@seZdZdZdS)LoadConfigDatazlHolds Load Config data. struct: IMAGE_LOAD_CONFIG_DIRECTORY structure name: dll name Nrrrrrrsrc@seZdZdZdS)BoundImportRefDatazHolds bound import forwarder reference data. Contains the same information as the bound descriptor but for forwarded DLLs, if any. struct: IMAGE_BOUND_FORWARDER_REF structure name: dll name Nrrrrrrsrc@seZdZdZdS)ExceptionsDirEntryDatazHolds the data related to SEH (and stack unwinding, in particular) struct an instance of RUNTIME_FUNTION unwindinfo an instance of UNWIND_INFO NrrrrrrsrcsteZdZdZdfdd ZfddZdfdd Zfd d Zd d Zd dZ fddZ ddZ ddZ Z S) UnwindInfozHandles the complexities of UNWIND_INFO structure: * variable number of UWIND_CODEs * optional ExceptionHandler and FunctionEntry fields rcsHtt|jd|dtt||_d|_tddd|_d|_d|_ dS)N)Z UNWIND_INFO)z B:3,Versionz B:5,FlagszB,SizeOfPrologzB,CountOfCodeszB:4,FrameRegisterzB:4,FrameOffsetr7Z UNWIND_CODE) B,CodeOffset B:4,UnwindOp B:4,OpInforF) rrrrB _full_size_opt_field_namer _code_info_chained_entry_finished_unpacking)rr7rrrrs  zUnwindInfo.__init__c s|jr dStt|||jdd@}tt|||j}||jdkrTdntd|_ t ||j krrdS|j dkr|j dkrdt |j Sg|_tt|}|j}|dkrZ|j||||jt|j}|durdt |j |S||j|}|j|}||j||||||j |||7}||8}|j|q|jsj|jrpd |_|jr~d |_|jdkrt||jtd |||tddd |_dS) zUnpacks the UNWIND_INFO "in two calls", with the first call establishing a full size of the structure and the second, performing the actual unpacking. Nr0rrr;z&Unsupported version of UNWIND_INFO at zUnknown UNWIND_CODE at ZExceptionHandler FunctionEntry.zUnwind codes: z; cSsg|]}|rt|qSr)is_validrrerrrr3er4) rrrr*rrrrrNpoprunwind_info_flagsr)rrbrNrrrrNNs*     zUnwindInfo.dumpcsr|jdkr0|jtd|j|j<|j|jgz&tt|}W|jdkrn|j n|jdkrl|j 0|S)Nr) rrrr*rrrrrhr)rrrrrrhis     zUnwindInfo.dump_dictcCsh|dkrt||tnDd|vrZt||rZ|rD|jdt|O<n|jdt|N<||j|<dS)NrZ UNW_FLAG_)rrr|rUNWIND_INFO_FLAGSrrrrr~vszUnwindInfo.__setattr__cCs|jSr )rrrrrrBszUnwindInfo.sizeofcst|j}tt||dtt|<tt|}|jD]F}||j|jkrZq|j||||j<||j7}q>|jdkrt dt ||j||jt d|j<|S)Nrrr) rrrrrLrBrrrrIrHr)rr(Z cur_offsetZucrrrrLs    zUnwindInfo.__pack__cCs|jSr )rrrrrget_chained_function_entrysz%UnwindInfo.get_chained_function_entrycCs|jdkrtd||_dS)Nz(Chained function entry cannot be changed)rr)rentryrrrset_chained_function_entrys z%UnwindInfo.set_chained_function_entry)r)r)rrrrrr rNrhr~rBrLrrrrrrrrs >   rc@s0eZdZdZddZddZddZdd Zd S) PrologEpilogOpzMeant as an abstract class representing a generic unwind code. There is a subclass of PrologEpilogOp for each member of UNWIND_OP_CODES enum. cCs$t|||d|_|j|dS)Nr)r _get_formatrrGrunw_coder(unw_infor7rrrr s zPrologEpilogOp.initializecCsdS)zComputes how many UNWIND_CODE structures UNWIND_CODE occupies. May be called before initialize() and, for that reason, should not rely on the values of intance attributes. r0rrrrrrrrsz(PrologEpilogOp.length_in_code_structurescCsdS)NTrrrrrrszPrologEpilogOp.is_validcCsdS)NrrrrrrrrszPrologEpilogOp._get_formatN)rrrrr rrrrrrrrs rc@s eZdZdZddZddZdS)PrologEpilogOpPushRegUWOP_PUSH_NONVOLcCsdS)N)ZUNWIND_CODE_PUSH_NONVOL)rrB:4,Regrrrrrrsz!PrologEpilogOpPushReg._get_formatcCsdt|jjS)Nz .PUSHREG ) REGISTERSrRegrrrrrszPrologEpilogOpPushReg.__str__N)rrrrrrrrrrrsrc@s0eZdZdZddZddZddZdd Zd S) PrologEpilogOpAllocLargeUWOP_ALLOC_LARGEcCsdddd|jdkrdndffS)NZUNWIND_CODE_ALLOC_LARGErrrrzH,AllocSizeInQwordsz I,AllocSizeOpInforrrrrsz$PrologEpilogOpAllocLarge._get_formatcCs|jdkrdSdS)Nrr;r=r$rrrrrsz2PrologEpilogOpAllocLarge.length_in_code_structurescCs |jjdkr|jjdS|jjS)NrrE)rr%ZAllocSizeInQwordsZ AllocSizerrrrget_alloc_sizes z'PrologEpilogOpAllocLarge.get_alloc_sizecCsdt|SNz .ALLOCSTACK rr&rrrrrsz PrologEpilogOpAllocLarge.__str__N)rrrrrrr&rrrrrr"s  r"c@s(eZdZdZddZddZddZdS) PrologEpilogOpAllocSmallUWOP_ALLOC_SMALLcCsdS)N)ZUNWIND_CODE_ALLOC_SMALL)rrzB:4,AllocSizeInQwordsMinus8rrrrrrsz$PrologEpilogOpAllocSmall._get_formatcCs|jjddSr)rZAllocSizeInQwordsMinus8rrrrr&sz'PrologEpilogOpAllocSmall.get_alloc_sizecCsdt|Sr'r(rrrrrsz PrologEpilogOpAllocSmall.__str__N)rrrrrr&rrrrrr)sr)cs(eZdZdZfddZddZZS)PrologEpilogOpSetFPUWOP_SET_FPREGcs.tt||||||j|_|jd|_dSNr.)rr+r Z FrameRegister_frame_registerZ FrameOffset _frame_offsetrrrrr s  zPrologEpilogOpSetFP.initializecCsdt|jdt|jS)Nz .SETFRAME r )r r.rr/rrrrrszPrologEpilogOpSetFP.__str__)rrrrr rrrrrrr+s r+c@s0eZdZdZddZddZddZdd Zd S) PrologEpilogOpSaveRegUWOP_SAVE_NONVOLcCsdSNr;r)runwcoderrrrrsz/PrologEpilogOpSaveReg.length_in_code_structurescCs |jjdSr)rZOffsetInQwordsrrrr get_offsetsz PrologEpilogOpSaveReg.get_offsetcCsdS)N)ZUNWIND_CODE_SAVE_NONVOL)rrrzH,OffsetInQwordsrrrrrr sz!PrologEpilogOpSaveReg._get_formatcCs dt|jjdt|SNz .SAVEREG r )r rr!rr4rrrrrszPrologEpilogOpSaveReg.__str__Nrrrrrr4rrrrrrr0s r0c@s0eZdZdZddZddZddZdd Zd S) PrologEpilogOpSaveRegFarUWOP_SAVE_NONVOL_FARcCsdSNr=rrrrrrsz2PrologEpilogOpSaveRegFar.length_in_code_structurescCs|jjSr rrfrrrrr4sz#PrologEpilogOpSaveRegFar.get_offsetcCsdS)N)ZUNWIND_CODE_SAVE_NONVOL_FARrrrzI,Offsetrrrrrrsz$PrologEpilogOpSaveRegFar._get_formatcCs dt|jjdt|jjSr5)r rr!rrfrrrrr"sz PrologEpilogOpSaveRegFar.__str__Nr6rrrrr7s r7c@s0eZdZdZddZddZddZdd Zd S) PrologEpilogOpSaveXMMUWOP_SAVE_XMM128cCsdS)N)ZUNWIND_CODE_SAVE_XMM128)rrrzH,OffsetIn2Qwordsrrrrrr)sz!PrologEpilogOpSaveXMM._get_formatcCsdSr2rrrrrr/sz/PrologEpilogOpSaveXMM.length_in_code_structurescCs |jjdSr-)rZOffsetIn2Qwordsrrrrr42sz PrologEpilogOpSaveXMM.get_offsetcCs dt|jjdt|SNz.SAVEXMM128 XMMr )rrr!rr4rrrrr5szPrologEpilogOpSaveXMM.__str__Nrrrrrrr4rrrrrr<&s r<c@s0eZdZdZddZddZddZdd Zd S) PrologEpilogOpSaveXMMFarUWOP_SAVE_XMM128_FARcCsdS)N)ZUNWIND_CODE_SAVE_XMM128_FARr;rrrrrr<sz$PrologEpilogOpSaveXMMFar._get_formatcCsdSr9rrrrrrBsz2PrologEpilogOpSaveXMMFar.length_in_code_structurescCs|jjSr r:rrrrr4Esz#PrologEpilogOpSaveXMMFar.get_offsetcCs dt|jjdt|jjSr>)rrr!rrfrrrrrHsz PrologEpilogOpSaveXMMFar.__str__Nr?rrrrr@9s r@c@seZdZdZddZdS)PrologEpilogOpPushFrameUWOP_PUSH_MACHFRAMEcCsd|jjrdndS)Nz .PUSHFRAMEz r)rr%rrrrrOszPrologEpilogOpPushFrame.__str__N)rrrrrrrrrrBLsrBcsHeZdZdZfddZddZddZdd Zd d Zd d Z Z S)PrologEpilogOpEpilogMarker UWOP_EPILOGcs\d|_t|d |_tt||||||jrPt|d|jj|j d@dk|_|j |_ dS)NT SizeOfEpilogr0r) _long_offstr|_firstrrDr rDrSizer%rF _epilog_sizerrrrr Vs z%PrologEpilogOpEpilogMarker.initializecCs(|jr d|jd@dkrdndfSdSdS)NUNWIND_CODE_EPILOGr0)zB,OffsetLow,Sizer B:4,Flags)zB,SizerrL B,OffsetLowz B:4,UnusedB:4,OffsetHigh)rK)rMrrN)rHr%rrrrras z&PrologEpilogOpEpilogMarker._get_formatcCs t|ds|jd@dkrdSdS)NrFr0rr;)r|r%rrrrrxs  z4PrologEpilogOpEpilogMarker.length_in_code_structurescCs|jj|jr|jjd>ndBS)NrEr)rZ OffsetLowrGZ OffsetHighrrrrr4sz%PrologEpilogOpEpilogMarker.get_offsetcCs |dkS)Nr)r4rrrrrsz#PrologEpilogOpEpilogMarker.is_validcCs.|dkr*dt|jdt|SdS)Nrz EPILOG: size=z, offset from the end=-r)r4rrJrrrrrs  z"PrologEpilogOpEpilogMarker.__str__) rrrrr rrr4rrrrrrrrDSs rDc@sHeZdZdZeeeeee e e e e eeeeeeeeeei ZeddZdS)rzBA factory for creating unwind codes based on the value of UnwindOpcCs |j}|tjvrtj|SdSr )ZUnwindOpr _class_dict)r3coderrrrs zPrologEpilogOpsFactory.createN)rrrrrrr#r"r*r)r,r+r1r0r8r7r=r<rAr@rCrBrErDrO staticmethodrrrrrrs rz!#$%&'()-@^_`{}~+,.;=[]cs>|dust|tttfsdStdtfddt|DS)NFs\/c3s|]}|vVqdSr rreallowedrrrr4z(is_valid_dos_filename..)rrrrallowed_filenameallsetrrrRris_valid_dos_filenamesrXz_?@$()<>cCs.|duo,t|tttfo,tddt|DS)Ncss|]}|tvVqdSr )allowed_function_namererrrrr4z)is_valid_function_name..)rrrrrUrVrWrrris_valid_function_names rZc@s6eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!d!d!e#d"fd#d$Z$d%d&Z%d'd(Z&d)d*Z'd+d,Z(d-d.Z)d/d0Z*d1d2Z+dd3d4Z,d5d6Z-dd8d9Z.d:d;Z/dd?Z1d@dAZ2dBdCZ3dDdEZ4dFdGZ5ddIdJZ6dKdLZ7dMdNZ8dOdPZ9ddQdRZ:dSdTZ;dUdVZd\d]Z?dd^d_Z@dd`daZAddbdcZBddedfZCdgdhZDddidjZEdkdlZFdmdnZGeHfdodpZIdqdrZJdsdtZKddvdwZLdxdyZMdzd{ZNd|d}ZOd~dZPdddZQdddZRddZSddZTddZUddZVddZWddZXddZYddZZddZ[ddZ\ddZ]ddZ^ddZ_ddZ`ddZaddZbddZcddZdddZeddZfddZgddZhddZiddZjddZkddZlddZmddZnddZoddZpddÄZqddńZrddDŽZsddɄZtd!S)PEa A Portable Executable representation. This class provides access to most of the information in a PE file. It expects to be supplied the name of the file to load or PE data to process and an optional argument 'fast_load' (False by default) which controls whether to load all the directories information, which can be quite time consuming. pe = pefile.PE('module.dll') pe = pefile.PE(name='module.dll') would load 'module.dll' and process it. If the data is already available in a buffer the same can be achieved with: pe = pefile.PE(data=module_dll_data) The "fast_load" can be set to a default by setting its value in the module itself by means, for instance, of a "pefile.fast_load = True". That will make all the subsequent instances not to load the whole PE structure. The "full_load" method can be used to parse the missing data at a later stage. Basic headers information will be available in the attributes: DOS_HEADER NT_HEADERS FILE_HEADER OPTIONAL_HEADER All of them will contain among their attributes the members of the corresponding structures as defined in WINNT.H The raw data corresponding to the header (from the beginning of the file up to the start of the first section) will be available in the instance's attribute 'header' as a string. The sections will be available as a list in the 'sections' attribute. Each entry will contain as attributes all the structure's members. Directory entries will be available as attributes (if they exist): (no other entries are processed at this point) DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances) DIRECTORY_ENTRY_EXPORT (ExportDirData instance) DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance) DIRECTORY_ENTRY_DEBUG (list of DebugData instances) DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances) DIRECTORY_ENTRY_TLS DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances) The following dictionary attributes provide ways of mapping different constants. They will accept the numeric value and return the string representation and the opposite, feed in the string and get the numeric constant: DIRECTORY_ENTRY IMAGE_CHARACTERISTICS SECTION_CHARACTERISTICS DEBUG_TYPE SUBSYSTEM_TYPE MACHINE_TYPE RELOCATION_TYPE RESOURCE_TYPE LANG SUBLANG )ZIMAGE_DOS_HEADER)z H,e_magiczH,e_cblpzH,e_cpzH,e_crlcz H,e_cparhdrz H,e_minallocz H,e_maxalloczH,e_sszH,e_spzH,e_csumzH,e_ipzH,e_csz H,e_lfarlczH,e_ovnoz8s,e_resz H,e_oemidz H,e_oeminfoz 20s,e_res2z I,e_lfanew)ZIMAGE_FILE_HEADER)z H,MachinezH,NumberOfSectionsI,TimeDateStampzI,PointerToSymbolTablezI,NumberOfSymbolszH,SizeOfOptionalHeaderzH,Characteristics)ZIMAGE_DATA_DIRECTORY)I,VirtualAddressI,Size)ZIMAGE_OPTIONAL_HEADER)H,MagicB,MajorLinkerVersionB,MinorLinkerVersion I,SizeOfCodeI,SizeOfInitializedDataI,SizeOfUninitializedDataI,AddressOfEntryPoint I,BaseOfCodez I,BaseOfDataz I,ImageBaseI,SectionAlignmentI,FileAlignmentH,MajorOperatingSystemVersionH,MinorOperatingSystemVersionH,MajorImageVersionH,MinorImageVersionH,MajorSubsystemVersionH,MinorSubsystemVersion I,Reserved1 I,SizeOfImageI,SizeOfHeaders I,CheckSum H,SubsystemH,DllCharacteristicszI,SizeOfStackReservezI,SizeOfStackCommitzI,SizeOfHeapReservezI,SizeOfHeapCommit I,LoaderFlagsI,NumberOfRvaAndSizes)ZIMAGE_OPTIONAL_HEADER64)r_r`rarbrcrdrerfz Q,ImageBasergrhrirjrkrlrmrnrorprqrrrsrtzQ,SizeOfStackReservezQ,SizeOfStackCommitzQ,SizeOfHeapReservezQ,SizeOfHeapCommitrurv)ZIMAGE_NT_HEADERS) I,Signature)ZIMAGE_SECTION_HEADER) z8s,Namez,I,Misc,Misc_PhysicalAddress,Misc_VirtualSizer]zI,SizeOfRawDataI,PointerToRawDatazI,PointerToRelocationszI,PointerToLinenumberszH,NumberOfRelocationszH,NumberOfLinenumbersI,Characteristics)ZIMAGE_DELAY_IMPORT_DESCRIPTOR)z I,grAttrszI,szNamezI,phmodzI,pIATzI,pINTz I,pBoundIATz I,pUnloadIATz I,dwTimeStamp)ZIMAGE_IMPORT_DESCRIPTOR)z$I,OriginalFirstThunk,Characteristicsr\zI,ForwarderChainI,Namez I,FirstThunk)ZIMAGE_EXPORT_DIRECTORY) ryr\H,MajorVersionH,MinorVersionrzzI,BasezI,NumberOfFunctionszI,NumberOfNameszI,AddressOfFunctionszI,AddressOfNameszI,AddressOfNameOrdinals)ZIMAGE_RESOURCE_DIRECTORY)ryr\r{r|zH,NumberOfNamedEntrieszH,NumberOfIdEntries)ZIMAGE_RESOURCE_DIRECTORY_ENTRY)rzI,OffsetToData)ZIMAGE_RESOURCE_DATA_ENTRY)r}r^z I,CodePagez I,Reserved)VS_VERSIONINFOzH,Lengthz H,ValueLengthzH,Type)VS_FIXEDFILEINFO) rwzI,StrucVersionzI,FileVersionMSzI,FileVersionLSzI,ProductVersionMSzI,ProductVersionLSzI,FileFlagsMaskz I,FileFlagszI,FileOSz I,FileTypez I,FileSubtypez I,FileDateMSz I,FileDateLS)ZStringFileInfor) StringTabler)Stringr)Varr)IMAGE_THUNK_DATA)z0I,ForwarderString,Function,Ordinal,AddressOfData)r)z0Q,ForwarderString,Function,Ordinal,AddressOfData)ZIMAGE_DEBUG_DIRECTORY)ryr\r{r|zI,Typez I,SizeOfDatazI,AddressOfRawDatarx)ZIMAGE_BASE_RELOCATION)r]z I,SizeOfBlock)ZIMAGE_BASE_RELOCATION_ENTRY)zH,Data)IMAGE_TLS_DIRECTORY)zI,StartAddressOfRawDatazI,EndAddressOfRawDatazI,AddressOfIndexzI,AddressOfCallBacksI,SizeOfZeroFillry)r)zQ,StartAddressOfRawDatazQ,EndAddressOfRawDatazQ,AddressOfIndexzQ,AddressOfCallBacksrry)IMAGE_LOAD_CONFIG_DIRECTORY)r^r\r{r|I,GlobalFlagsClearI,GlobalFlagsSetI,CriticalSectionDefaultTimeoutzI,DeCommitFreeBlockThresholdzI,DeCommitTotalFreeThresholdzI,LockPrefixTablezI,MaximumAllocationSizezI,VirtualMemoryThresholdI,ProcessHeapFlagszI,ProcessAffinityMask H,CSDVersion H,Reserved1z I,EditListzI,SecurityCookiezI,SEHandlerTablezI,SEHandlerCountzI,GuardCFCheckFunctionPointerz I,Reserved2zI,GuardCFFunctionTablezI,GuardCFFunctionCount I,GuardFlags)r)r^r\r{r|rrrzQ,DeCommitFreeBlockThresholdzQ,DeCommitTotalFreeThresholdzQ,LockPrefixTablezQ,MaximumAllocationSizezQ,VirtualMemoryThresholdzQ,ProcessAffinityMaskrrrz Q,EditListzQ,SecurityCookiezQ,SEHandlerTablezQ,SEHandlerCountzQ,GuardCFCheckFunctionPointerz Q,Reserved2zQ,GuardCFFunctionTablezQ,GuardCFFunctionCountr)ZIMAGE_BOUND_IMPORT_DESCRIPTOR)r\H,OffsetModuleNamezH,NumberOfModuleForwarderRefs)ZIMAGE_BOUND_FORWARDER_REF)r\rz H,Reserved)ZRUNTIME_FUNCTION)zI,BeginAddressz I,EndAddressz I,UnwindDataNxcCs||_||_g|_g|_d|_|dur6|dur6tdg|_d|_d|_d|_ d|_ d|_ d|_ |plt d}z||||Wn|Yn0dS)NzMust supply either name or dataFr fast_load)max_symbol_exportsmax_repeated_symbolsections _PE__warningsrr`__structures___PE__from_fileFileAlignment_WarningSectionAlignment_Warning!_PE__total_resource_entries_count_PE__total_resource_bytes_PE__total_import_symbolsglobals __parse__close)rr6r(rrrrrrr s( z PE.__init__cCsR|jdurNt|drNttjtr.t|jtjs@dtt|jvrN|j|`dS)NTrvz mmap.mmap)rr|rmmaprrvrrrrrrr s   zPE.closec Cslt||d}z||Wn@tyZ}z(|jd|d||WYd}~dSd}~00|j||S)zyApply structure format to raw data. Returns an unpacked structure object if successful, None otherwise. rz7Corrupt header "{0}" at file offset {1}. Exception: {2}rN)r2rGrrrrr)rrr(r7 structureerrrrr__unpack_data__ s   zPE.__unpack_data__c s@|durt|}|jdkr$tdd}zzTt|d}|_ttdr`tjdtj_ ntjjdtj d_ d_ WnJt y}z2d |}|od |}td ||WYd}~n d}~00W|dur|n|dur|0n|dur|_ d _ tj _d _|sttj D]p\}} |dkr\d | tj d ks~|dkr2d | tj dkr2jd |d| tj q2j dd} t| dkrtdjj| dd_jjtkrtdjrjjtkrtdjjtj kr,tdjj} jjj | | d| d_ j rhj j!sptddj j!@t"krtddj j!@t#krtddj j!@t$krtddj j!@t%krtdj j!t&krtdjj'j | d| dd | dd_(t)t*d!} j(s6td"t+j(j(j,| | dj(-} | j(j.}jj/j | | d#| d_0d$}j0durtj | | d%|krd&}j | | d%d'|}jj/|| d_0j0durj0j1t2krt2_3nj0j1t4krt4_3jj5j | | d%| d_0d(}j0durtj | | d%|krd&}j | | d%d'|}jj5|| d_0j(std"j0durtd)j3durjd* j0j1t)t6d+}t+j0j0j7|gj0_8| j0-}j(j _(j0j _0j0j9j0j:krFjd,j0j;d-krhjd.j0j;d#}t||d}|durqfzt?||_@Wn tAtBfy(YqfYn0||-7}j0j8||| j0-d&krqfqC|}fd1d2jDD}t|dkrtE|}nd}|r||krˆj d|_Fnj d|_FGj0j9durHj0j9}|tj kr.jd3j0j9njd4j0j9|s<IdS)5zParse a Portable Executable file. Loads a PE file, parsing all its structures and making them available through the instance's attributes. NrzThe file is emptyrb MAP_PRIVATE)accessTr z: %szUnable to access file '{0}'{1}Fg?g?g333333?zeByte 0x{0:02x} makes up {1:.4f}% of the file's contents. This may indicate truncation / malformation.gY@rRz9Unable to read the DOS Header, possibly a truncated file.rz)Probably a ZM Executable (not a PE file).zDOS Header magic not found.z.Invalid e_lfanew value, probably not a PE filerEzNT Headers not found.rz0Invalid NT Headers signature. Probably a NE filez0Invalid NT Headers signature. Probably a LE filez0Invalid NT Headers signature. Probably a LX filez0Invalid NT Headers signature. Probably a TE filezInvalid NT Headers signature.r?r- IMAGE_FILE_zFile Header missingrSr}rr rWrz5No Optional Header found, invalid PE32 or PE32+ file.z*Invalid type 0x{0:04x} in Optional Header.IMAGE_DLLCHARACTERISTICS_zXSizeOfHeaders is smaller than AddressOfEntryPoint: this file cannot run under Windows 8.r.zsSuspicious NumberOfRvaAndSizes in the Optional Header. Normal values are never larger than 0x10, the value is: 0x%xscs(g|] }|jdkr|jjjqSr)rlrmrnrorOrrrr3 s   z PE.__parse__..z[Possibly corrupt file. AddressOfEntryPoint lies outside the file. AddressOfEntryPoint: 0x%xzTAddressOfEntryPoint lies outside the sections' boundaries. AddressOfEntryPoint: 0x%x)Josstatst_sizeropenfilenor|rrrvZ ACCESS_READrIOErrorr Exceptionrr$_PE__resource_size_limit_upperbounds _PE__resource_size_limit_reachedrrrrrr__IMAGE_DOS_HEADER_format__ DOS_HEADERZe_magicIMAGE_DOSZM_SIGNATUREIMAGE_DOS_SIGNATUREZe_lfanew__IMAGE_NT_HEADERS_format__ NT_HEADERSrVIMAGE_NE_SIGNATUREIMAGE_LE_SIGNATUREIMAGE_LX_SIGNATUREIMAGE_TE_SIGNATUREIMAGE_NT_SIGNATURE__IMAGE_FILE_HEADER_format__ FILE_HEADERrIMAGE_CHARACTERISTICSrryrBSizeOfOptionalHeader __IMAGE_OPTIONAL_HEADER_format__rnZMagicrrr"__IMAGE_OPTIONAL_HEADER64_format__DLL_CHARACTERISTICSDllCharacteristicsDATA_DIRECTORYZAddressOfEntryPointZ SizeOfHeadersZNumberOfRvaAndSizesrr__IMAGE_DATA_DIRECTORY_format__DIRECTORY_ENTRYr6KeyErrorAttributeErrorparse_sectionsrminheaderget_section_by_rvar full_load)rfnamer(rrfdexcpZ exception_msgZbyteZ byte_countZdos_header_dataZnt_headers_offset image_flagsZoptional_header_offsetZsections_offsetZ&MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZEpadding_lengthZ padded_datadll_characteristics_flagsr-Z)MAX_ASSUMED_VALID_NUMBER_OF_RVA_AND_SIZESr dir_entryZrawDataPointersZlowest_section_offsetZ ep_offsetrrrr s             "                       z PE.__parse__c Csd}d}|jdd|j}|dkr*dSzb|jd|d}|ddtt|d}ttd tt|d|}||vrWdSWnt yYdS0t d || |d }d |i}|d|d}||d <dd} t } t|D]*\} } | | | | || t|Aqt| |d<|d } |d| A|ksb|d| ksb|d| krfdS| |d<g}||d<|dd}ttt|dD]h}|d||kr|d|d | kr|jdq||d|| A|d|d | Ag7}q|S)a"Parses the rich header see http://www.ntcore.com/files/richsign.htm for more information Structure: 00 DanS ^ checksum, checksum, checksum, checksum 10 Symbol RVA ^ checksum, Symbol size ^ checksum... ... XX Rich, checksum, 0, 0,... iDanSiRichsRichr NrEr?z<{0}I| r4z&PE.parse_rich_header.. clear_datarr;r=checksumrzRich Header is malformed)rvfindrnr>rrrrrrrrIindexrrCrrrr)rZDANSZRICHZ rich_indexZ rich_datar(rFresultrZord_rrErrZ headervaluesrrrrparse_rich_headerN sP    $ .  ,zPE.parse_rich_headercCs|jS)zReturn the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method returns the full list. )rrrrrr szPE.get_warningscCs|jD]}td|qdS)zPrint the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method prints the full list to standard output. >N)rprint)rwarningrrr show_warnings s zPE.show_warningscCs|Gddd}|}|r|||_|dd|j_|dd|j_|dd|j_|dd|j_|dd|j_nd|_dS) zProcess the data directories. This method will load the data directories which might not have been loaded if the "fast_load" option was used. c@s eZdZdS)z PE.full_load..RichHeaderN)rrrrrrr RichHeader srrNrrFrr) parse_data_directoriesr RICH_HEADERrrrrFrr)rrZ rich_headerrrrr sz PE.full_loadc CsZt|j}|jD],}t|}|}||||t|<qt|dr,t|dr,|jD]}|D]}t|drd|jD]}t |j D]\} }|j | } |j | } t|| dkr|dd} | d| dd|| d| d| dd<q|dd} | || d| dt| <qqxqdq\|}|s:|St|d }|||dS) aWrite the PE file. This function will process all headers and components of the PE file and include all changes made (by just assigning to attributes in the PE objects) and write the changes back to a file whose name is provided as an argument. The filename is optional, if not provided the data will be returned as a 'str' object. r~FileInforr0rrNr;zwb+)rrvrrLr>rr|rrrentriesrentries_offsetsentries_lengthsrrrwriter)rfilenameZ file_datarZ struct_datar-finforst_entryrFoffsetsZlengthsrZ encoded_dataZ new_file_datarrrrr sD              zPE.writec Csg|_d}t|jjD]t}|tkrB|jd|jjtqd}t|j |d}|s^q|| |}| ||j ||| }t || kr|jd|dq|s|jd|dq|||j||j|jt|j kr |d7}|jd |d ||j|jjt|j krZ|d7}|jd |d |jd kr|d7}|jd |d||j|jj|jjd kr|d7}|jd |d|jjdkr|j|jjdkr|d7}|jd |d||kr|jdqttd}t||j||jddr|jddr|j !ddkrl|"rln|jd|d|j|q|jj#dddt$|jD]8\} }| t|jdkrd|_%n|j| dj|_%q|jjdkr|jr||jd |jjS|SdS)aFetch the PE file sections. The sections will be readily available in the "sections" attribute. Its attributes will contain all the section information plus "data" a buffer containing the section's data. The "Characteristics" member will be processed and attributes representing the section characteristics (with the 'IMAGE_SCN_' string trimmed from the constant's names) will be added to the section instance. Refer to the SectionStructure class for additional info. r=zToo many sections {0} (>={1})r)rzInvalid section z. Contents are null-bytes.z8. No data in the file (is this corkami's virtsectblXP?).r0zError parsing section z$. SizeOfRawData is larger than file.z5. PointerToRawData points beyond the end of the file.rZz'Suspicious value found parsing section z*. VirtualSize is extremely large > 256MiB.z&. VirtualAddress is beyond 0x10000000.z. PointerToRawData should normally be a multiple of FileAlignment, this might imply the file is trying to confuse tools which parse this incorrectly.z,Too many warnings parsing section. Aborting.rzr\Fr[rWsPAGEz!Suspicious flags set for section zf. Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set. This might indicate a packed executable.cSs|jSr )rq)arrrr r4z#PE.parse_sections..)rFN)&rrrZNumberOfSections MAX_SECTIONSrrrri__IMAGE_SECTION_HEADER_format__rBr@rvr)rGrrurlrrmrnrorrrrqrsrr{rryrrNamera is_driversortrCr) rr-ZMAX_SIMULTANEOUS_ERRORSrZsimultaneous_errorssectionZsection_offset section_datar}rErrrr s                  zPE.parse_sectionsFc Csd|jfd|jfd|jfd|jfd|jfd|jfd|jfd|jfd |jfd |j ff }|d urpt |t t fsp|g}|D]J}zt |d }|jj|}WntyYqYn0|d us||vr|jr|r|d dkr|d |j|jdd}n|r |d dkr |d |j|jdd}nZz|d |j|j}WnBtyx} z(|jd|d d| WYd } ~ n d } ~ 00|rt||d dd ||d urtt |t rt|d |vrt||qtd S)aSParse and process the PE file's data directories. If the optional argument 'directories' is given, only the directories at the specified indexes will be parsed. Such functionality allows parsing of areas of interest without the burden of having to parse all others. The directories can then be specified as: For export / import only: directories = [ 0, 1 ] or (more verbosely): directories = [ DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_IMPORT'], DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT'] ] If 'directories' is a list, the ones that are processed will be removed, leaving only the ones that are not present in the image. If `forwarded_exports_only` is True, the IMAGE_DIRECTORY_ENTRY_EXPORT attribute will only contain exports that are forwarded to another DLL. If `import_dllnames_only` is True, symbols will not be parsed from the import table and the entries in the IMAGE_DIRECTORY_ENTRY_IMPORT attribute will not have a `symbols` attribute. r9r8r:rBr@rFrHrMrJr<Nrr0T)forwarded_only) dllnames_onlyzFailed to process directoty "z": rC)parse_import_directoryparse_export_directoryparse_resources_directoryparse_debug_directoryparse_relocations_directoryparse_directory_tlsparse_directory_load_configparse_delay_import_directoryparse_directory_bound_importsparse_exceptions_directoryrr3rrrnr IndexErrorrqrIrrrrDremove) r directoriesZforwarded_exports_onlyZimport_dllnames_onlyZdirectory_parsingrZdirectory_indexrrrrrrr sj         zPE.parse_data_directoriesc Cs2|jjtdkr$|jjtdkr$dSt|j}|}i}g}i}t||D]}|j|j|||| |d}|durqdd} |j d@dkr:|j |vr||j } nt | |j d} | ||j <| ||j | } | dkr|j | qd| ||j | } | dkr.|j | qd|j| t|| d} || | ||j<||7}qN|D]}|jdkr|qht|jdsqh|jj|vr|j d |jd d qhz|j||jjWnTty(} z:|j d |jd d | WYd} ~ qhWYd} ~ n d} ~ 00qh|S)zParses exception directory All the code related to handling exception directories is documented in https://auscitte.github.io/systems%20blog/Exception-Directory-pefile#implementation-details rcraNrr0r)r unwindinforz FunctionEntry of UNWIND_INFO at rz' points to an entry that does not existz/Failed parsing FunctionEntry of UNWIND_INFO at z: )rMachine MACHINE_TYPEr2__RUNTIME_FUNCTION_format__rBrrrrZ UnwindDatarr rrrrZ BeginAddressrr|rrr>rr) rrrrfZrf_sizeZrva2rtZrt_funcsZ rva2infosrZuiwsrrrrrr s|                (zPE.parse_exceptions_directorycsBt|j}|}|}g}|j|j|j||||d}|durR|jddS|r^q>||7}||}| ||durt |j}fdd|j D} | rt | } || }|dur|j }n|j t |}|s|jd|dSg} tt |jt|dD]} |j|j|j||||d} | sRtd|| 7}|| j}|d |j||t}|rd dt|D}t |d ks|rq| t| |d q ||j}|d |j||t}|rd dt|D}t |d ks>|rq>|s(q>|t||| dq|S)rrNz7The Bound Imports directory exists but can't be parsed.csg|]}|jkr|jqSr)rlrOrrrr3ms z4PE.parse_directory_bound_imports..zHRVA of IMAGE_BOUND_IMPORT_DESCRIPTOR points to an invalid address: {0:x}rEz(IMAGE_BOUND_FORWARDER_REF cannot be readrcSsg|]}t|tjvr|qSrrcrerrrr3srS)rr6cSsg|]}t|tjvr|qSrrcrerrrr3s)rr6r)r2(__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__rBrrvrrrAget_section_by_offsetrrrrrlrrrZNumberOfModuleForwarderRefsr$__IMAGE_BOUND_FORWARDER_REF_format__rZOffsetModuleNameget_string_from_dataMAX_STRING_LENGTHrrr)rrrZ bnd_descrZbnd_descr_sizerwZ bound_importsrsafety_boundaryZsections_after_offsetZfirst_section_after_offsetZforwarder_refsrZ bnd_frwd_refr-Zname_strZ invalid_charsrrrrKs            z PE.parse_directory_bound_importscCsz|j}|jtkr|j}z*|j|||t|||d}Wn&t yf|j d|d}Yn0|spdSt |dS)rrz5Invalid TLS information. Can't read data at RVA: 0x%xNr) __IMAGE_TLS_DIRECTORY_format__rr __IMAGE_TLS_DIRECTORY64_format__rrr2rBrrrrr)rrrrZ tls_structrrrrs"    zPE.parse_directory_tlscCs|jtkr|j}n"|jtkr$|j}n|jddSd}z*|j|||t | | |d}Wn"t y|jd|Yn0|sdSt |dS)rzGDon't know how to parse LOAD_CONFIG information for non-PE32/PE32+ fileNrz=Invalid LOAD_CONFIG information. Can't read data at RVA: 0x%xr)rr&__IMAGE_LOAD_CONFIG_DIRECTORY_format__r(__IMAGE_LOAD_CONFIG_DIRECTORY64_format__rrrrr2rBrrr)rrrrZload_config_structrrrrs,     zPE.parse_directory_load_configcCst|j}||}g}||krz$|j|j|||||d}Wn&tyl|jd|d}Yn0|stq|j |j j kr|jd|j q|j |j j kr|jd|j q| |||j |j |}|t||d|j sq||j 7}q|S)rrz%s)zCInvalid resources directory. Can't read directory data at RVA: 0x%xrzDInvalid resources directory. Can't parse directory data at RVA: 0x%xr"zNError parsing the resources directory. The directory contains %d entries (>%s)zRError parsing the resources directory. The file contains at least %d entries (>%d)TzGResource size 0x%x exceeds file size 0x%x, overlapping resources found.zHError parsing the resources directory, Entry %d is invalid, RVA = 0x%x. r/rrr0z^Error parsing the resources directory, attempting to read entry name. Entry names overlap 0x%xznError parsing the resources directory, attempting to read entry name. Can't read unicode string at offset 0x%x)rleveldirsrm directoryr(z2Error parsing resource of type RT_STRING at RVA 0xrz with size r.)rr6idr)irI)rlangsublang)rr6r*r(rnrcSsg|] }|qSr)rrOrrrr3%r4z0PE.parse_resources_directory..r)1MAX_RESOURCE_DEPTHrrrr2#__IMAGE_RESOURCE_DIRECTORY_format__rBrrrZNumberOfNamedEntriesZNumberOfIdEntriesrMAX_RESOURCE_ENTRIESrrrrparse_resource_entryr NameOffsetrrrDataIsDirectoryOffsetToDirectoryr RESOURCE_TYPErr|r)r(rrIr* OffsetToDatarrupdatestringsrparse_resource_data_entryrIdparse_version_informationrrCrr)%rrrrr'r(r( resource_dirZ dir_entriesZnumber_of_entriesZMAX_ALLOWED_ENTRIESZstrings_to_postprocessZlast_name_begin_endrEresZ entry_nameZentry_idZname_is_string ustr_offsetZentry_directoryr7 resource_idZresource_strings resource_langZstring_entry_rvaZstring_entry_sizeZstring_entry_idZstring_entry_datarZ entry_dataZ last_entryZversion_entriesZ version_entryZrt_version_structZ string_rvasrZresource_directory_datarrrrs                          zPE.parse_resources_directorycCs\z||t|j}Wn$ty>|jd|YdS0|j|j|||d}|S)z0Parse a data entry from the resources directory.zGError parsing a resource directory data entry, the RVA is invalid: 0x%xNr) rr2$__IMAGE_RESOURCE_DATA_ENTRY_format__rBrrrrr)rrr(Z data_entryrrrr81s" zPE.parse_resource_data_entrycCsz||t|j}Wnty.YdS0|j|j|||d}|durTdS|jd@|_|jd@|_ |jd@|_ |j d@d?|_ |j d@|_ |S)z5Parse a directory entry from the resources directory.Nrrrr/r)rr2)__IMAGE_RESOURCE_DIRECTORY_ENTRY_format__rBrrrrr1Z_PE__padr9r5r2r3)rrr(resourcerrrr0Is&     zPE.parse_resource_entryc#Csz||j}Wn(ty8|jd|jYdS0|j|||j}|j|j ||d}|durldS|j| }| |}d}|r|j t |j|j}d}z4|dur|j|dd}n|j|||d?dd}Wn"ty|jd|Yn0|dkr|jd|dS|dur|d krt|d krv|dd d} | d| d } td | t|}|jd|dd ddSt|dsg|_|} || _|j| |durd}|| dt|d|j} |j|j|| d|| d} | sdSt|ds,g|_|j| || | |j} t|ds`g|_g}|j|j|| d|| d}|dur|jddS|j| | }z||}Wn,ty|jd|YqYn0||_|||r|dr|jdvrz|j dkrz|| | dt|d|j}g|_!|j|j"||d||d}|sxqz|j|| }z||}Wn,ty|jd|YqzYn0||_#i|_$i|_%i|_&|j!|||| dt|d|j}|||j'kr||j|j(||d||d}|sHq||j|| }z||}||}Wn,ty|jd|Yq|Yn0|dt|d|| |j}|j|}z|j||j d}||}Wn.ty|jd|dYq|Yn0|j'dkr6||j'}n||j'||j}||j$|<||f|j%|<t|t|f|j&|<q||j'||j}||krqz|}||j'krPqzqPn|rz|drz|}d|_)|jdvrz|j dkrz|| | dt|d|j}g|_*|j|j+||d||d}|sBqz|j|| }z||}Wn,ty|jd |YqzYn0|durqz|j*||dt|d|| |j}|} || |j krN|,|||dd}!|,||d|d!d}"|d!7}t-|!t.rt-|"t.r|d"|!|"fi|_/q|||j'|j}|||j'krqzq||j'| |j} |j'dks| |j'krdqqd|j|dS)#aParse version information structure. The date will be made available in three attributes of the PE object. VS_VERSIONINFO will contain the first three fields of the main structure: 'Length', 'ValueLength', and 'Type' VS_FIXEDFILEINFO will hold the rest of the fields, accessible as sub-attributes: 'Signature', 'StrucVersion', 'FileVersionMS', 'FileVersionLS', 'ProductVersionMS', 'ProductVersionLS', 'FileFlagsMask', 'FileFlags', 'FileOS', 'FileType', 'FileSubtype', 'FileDateMS', 'FileDateLS' FileInfo is a list of all StringFileInfo and VarFileInfo structures. StringFileInfo structures will have a list as an attribute named 'StringTable' containing all the StringTable structures. Each of those structures contains a dictionary 'entries' with all the key / value version information string pairs. VarFileInfo structures will have a list as an attribute named 'Var' containing all Var structures. Each Var structure will have a dictionary as an attribute named 'entry' which will contain the name and value of the Var. zWError parsing the version information, attempting to read OffsetToData with RVA: 0x{:x}Nrasciiencodingr0zzError parsing the version information, attempting to read VS_VERSION_INFO string. Can't read unicode string at offset 0x%xz"Invalid VS_VERSION_INFO block: {0}sVS_VERSION_INFOr z\uz({0} ... ({1} bytes, too long to display)r%z\00r~rr;rrz/Error parsing StringFileInfo/VarFileInfo structz|Error parsing the version information, attempting to read StringFileInfo string. Can't read unicode string at offset 0x{0:x}sStringFileInfor!rzyError parsing the version information, attempting to read StringTable string. Can't read unicode string at offset 0x{0:x}z}Error parsing the version information, attempting to read StringTable Key string. Can't read unicode string at offset 0x{0:x}rzzError parsing the version information, attempting to read StringTable Value string. Can't read unicode string at offset 0xrs VarFileInfoZ VarFileInfoz}Error parsing the version information, attempting to read VarFileInfo Var string. Can't read unicode string at offset 0x{0:x}r?z 0x%04x 0x%04x)0rr5rrrrrvrIr__VS_VERSIONINFO_format__rBrrqrrurrrrrfindrreplacer|r~ZKey dword_align__VS_FIXEDFILEINFO_format__rr__StringFileInfo_format__rr#Z ValueLengthr__StringTable_format__LangIDrrrZLength__String_format__r6r__Var_format__get_word_from_datarrr)#rZversion_structZ start_offsetrZversioninfo_structr=rZ section_endZversioninfo_stringZexcerptZvinfoZfixedfileinfo_offsetZfixedfileinfo_structZstringfileinfo_offsetrZstringfileinfo_structZstringfileinfo_stringZstringtable_offsetZstringtable_structZstringtable_stringZ entry_offsetZ string_structrF key_offsetZ value_offsetrZnew_stringtable_offsetZvarfileinfo_structZ var_offsetZ var_structZ var_stringZvarword_offsetZorig_varword_offsetZword1Zword2rrrr:hsv                                         zPE.parse_version_informationcsz.jj|tj|d}Wn$tyRjd|YdS0|s\dSfdd}zd|j t ||j |j d}|j t ||j |j d}|j t ||j |jd}Wn$tyjd|YdS0g} d} |j } tj} | r.| jt| |j } tt} d}tt |j t| dD]T}||}|dur|dt|kr||}ndS|dusT|d krqT||kr|||kr|}z|}WntyYqTYn0n|rqTd}d}||}|dur@| d 8} | d kr@d }q|t}t|s`d }qz|}Wn~ty| d 8} | d krd }Yqz|}Wn<ty| d 8} | d krd }YYqYYqTYn0Yn0| ||fd 7<| ||fdkr8jd |d |ddqn*t| jkrbjdjq| t|j||j d|||j d|||||d qT|sȈjd|j ddd| D}d} |j } tj} | r| jt| |j } tt} d}tt |jt| dD],}||j|vr4z||}Wntyrd}Yn0|dur| d 8} | d krd }qd|d krq4|dur||kr|||krֈ|}nd}| |d 7<| |j krjdj |qdn,t| jkrDjdjdqd| t|j||d|dq4|sjd|j ddS| s|!rdSt"|| |j#dS)aParse the export directory. Given the RVA of the export directory, it will process all its entries. The exports will be made available as a list of ExportData instances in the 'IMAGE_DIRECTORY_ENTRY_EXPORT' PE attribute. rz+Error parsing export directory at RVA: 0x%xNcstj|Sr )rrvr)rrrrlength_until_eof;sz3PE.parse_export_directory..length_until_eofr?rITrr0Fz9Export directory contains more than 10 repeated entries (r z#02xz). Assuming corrupt.zHExport directory contains more than {} symbol entries. Assuming corrupt.r;) rrrrrr6rrrzIRVA AddressOfNames in the export directory points to an invalid address: rcSsh|] }|jqSr)r)r1exprrr r4z,PE.parse_export_directory..z[Export directory contains more than {} repeated ordinal entries (0x{:x}). Assuming corrupt.z$Export directory contains more than z# ordinal entries. Assuming corrupt.)rrr6rzMRVA AddressOfFunctions in the export directory points to an invalid address: )rsymbolsr6)$r!__IMAGE_EXPORT_DIRECTORY_format__rr2rBrrrrZAddressOfNamesrZ NumberOfNamesZAddressOfNameOrdinalsZAddressOfFunctionsZNumberOfFunctionsrrrvrq collections defaultdictrrrQget_dword_from_dataget_string_at_rvaMAX_SYMBOL_NAME_LENGTHrZrrrZBaserrArr)rrrrZ export_dirrSZaddress_of_namesZaddress_of_name_ordinalsZaddress_of_functionsexportsZ#max_failed_entries_before_giving_uprrZ symbol_countsZ&export_parsing_loop_completed_normallyrZsymbol_ordinalZsymbol_addressZ forwarder_strrZsymbol_name_addressZ symbol_nameZsymbol_name_offsetZordinalsrErrrrs                                zPE.parse_export_directorycCs||dd@|d@S)Nr=lr)rr-baserrrrJ&szPE.dword_aligncCs4|jj}|jj|jj}||kr0||kr0||8}|Sr )rn ImageBaser)rvaZbegin_of_imageZ end_of_imagerrrnormalize_import_va)s zPE.normalize_import_vac Cs\g}d}z||t|j}Wn(tyJ|jd|YqXYn0||}|j|j||d}|rt| rxqXd}|j dkr|j j t dkr||j|_||j|_||j|_||j|_||j|_||j|_d}||7}t|j|} ||jks ||jkr6t||j||j} g} z||j|jd| |} Wn<ty} z"|jd|| jWYd} ~ n d} ~ 00|d kr|jd |qX| s|d 7}q|jtkr|jd |jtfqX||jt} t| st d } | r| D]0} | j!durt"#| $| j%}|r|| _!q|t&|| | dq|S)z*Walk and parse the delay import directory.rz5Error parsing the Delay import directory at RVA: 0x%xrFr`TNzSError parsing the Delay import directory. Invalid import data at RVA: 0x{0:x} ({1})rAzWToo many errors parsing the Delay import directory. Invalid import data at RVA: 0x{0:x}r0z)Error, too many imported symbols %d (>%s) *invalid*rimportsdll)'rr2(__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__rBrrrrrrAZgrAttrsrr r raZ pBoundIATZpIATZpINTZ pUnloadIATZphmodZszNamerrvr parse_importsrrrMAX_IMPORT_SYMBOLSr[MAX_DLL_LENGTHrXrr6 ordlookup ordLookuplowerrr)rrr import_descsrr(r7 import_desccontains_addressesmax_len import_datarresymbolfuncnamerrrr5s             zPE.parse_delay_import_directoryrcCst|dr|jdurdS|dkr0t|jjS|dkrHt|jjS|dkr`t|jjS|dkrxt|jjStddS)Nrrrrrrz#Invalid hashing algorithm specified) r|rrrrrrrr)r algorithmrrrget_rich_header_hashszPE.get_rich_header_hashcCsg}gd}t|dsdS|jD]}t|jtr@|j}n |j}|dd}t|dkrv|d|vrv|d}|j D]~}d}|j st j |j|j dd}|std |jd |j d n|j }|sq|t|tr|}|d ||fq|q td |S)N)ZocxsysreDIRECTORY_ENTRY_IMPORTr.r0rT)Z make_namezUnable to look up ordinal rZZ04xz%s.%sr#)r|rwrrerrrlrsplitrrdr6rjrkrrrrrrr)rZimpstrsZextsrlibnamepartsimprsrrr get_imphashs8       zPE.get_imphashc Csg}d}z||t|j}Wn,tyN|jd|dYqYn0||}|j|j||d}|rx| r|q||7}t |j |} ||j ks||j krt||j ||j } g} |s^z|j|j |j |j| d} WnDty*} z*|jd|dd| jdWYd } ~ n d } ~ 00|d krN|jd |dq| s^|d 7}q||jt} t| s~td } | r| D]0} | jd urt| | j}|r|| _q|t|| | dq|stddg}d}d}|D]v}|jD]h} |D]T}| r| jsq| j}t| jt kr6| j!d}|"|r|d 7}qTq|d 7}qq|t |kr|dkr|jd|S)z$Walk and parse the import directory.rz-Error parsing the import directory at RVA: 0xrrrzBError parsing the import directory. Invalid Import data at RVA: 0xz ()NrAzLToo many errors parsing the import directory. Invalid import data at RVA: 0xr0rbrc LoadLibraryZGetProcAddressrr]z?Imported symbols contain entries typical of packed executables.)#rr2"__IMAGE_IMPORT_DESCRIPTOR_format__rBrrrrrrArrvZOriginalFirstThunkZ FirstThunkrrgZForwarderChainrr[rrirXrr6rjrkrlrrrVrdrrrr)rrrrrmrr(r7rnrprqr2rerrrsZsuspicious_importsZsuspicious_imports_countZ total_symbolsZimp_dllZsuspicious_symbolr6rrrrs                  zPE.parse_import_directorycCsg}||||}||||}|r0t|dkr`|r@t|dkr`|jd|dd|dgSd} |rn|} n|rx|} ndSd} d} |jtkrt} n|jtkrt} d} d } nt} d} t | D]\}}d}d}d}d}d}|j r|j | @rd }|j d @}d}d}ntd }zZ|j | @}| |d }| |d}| |j d t}t|sRtd}||j d }WntyxYn0|}||}||jj|| }d}z>|r|r||j ||j kr||j }||}nd}Wntyd}Yn0|dkr|dkrtd|tdkrL| dkrB| |krBtd| d7} q|sV|r|t||||||||||||||dq|S)zParse the imported symbols. It will fill a list, which will be available as the dictionary attribute "imports". Its keys will be the DLL names and the values of all the symbols imported from that object. rz\Damaged Import Table information. ILT and/or IAT appear to be broken. OriginalFirstThunk: 0xrz FirstThunk: 0xNr?rrElTrFr;rbz"Invalid entries, aborting parsing.rz)Too many invalid names, aborting parsing.r0)rrrimport_by_ordinalrrhintr6rrrhint_name_table_rva thunk_offset thunk_rva)get_import_tablerrrrrrrrrCrrrQr[MAX_IMPORT_NAME_LENGTHrZrrrr>rrnr_rr)rZoriginal_first_thunkZ first_thunkZforwarder_chainrroZimported_symbolsZiltZiattableZ imp_offsetZ address_maskrZ num_invalidrEZ tbl_entryZimp_ordZimp_hintZimp_namerrrr(rrZ imp_addressrZ imp_boundrrrrg?s           "    zPE.parse_importscCsg}|jtkrt}|j}n |jtkr0t}|j}n t}|j}d}d}d} t} t} |} |r|dur|| |kr|j dq|j t kr|j d|j t fq|j d7_ | |krgS| rt | t | |krgS| rt | t | |krgSd} z||t|}Wnty*d} Yn0| sHt|t|kr\|j d |dS|j||||d }|r||j|_||j|_||j|_||j|_|r|j| kr|j|kr|j d |q|rX|jrX|j|@r|jd @d krXgSnF|j| vs*|j| vr2| d7} |jdkrL| |jn | |j|r|rlq||7}| |qV|S)NrYrPrz9Error parsing the import table. Entries go beyond bounds.z$Excessive number of imports %d (>%s)r0FTz9Error parsing the import table. Invalid data at RVA: 0x%xrz\Error parsing the import table. AddressOfData overlaps with THUNK_DATA for THUNK at RVA 0x%xrr)rrr__IMAGE_THUNK_DATA_format__rr__IMAGE_THUNK_DATA64_format__rVrrrrhrrrr2rBrrrrrarrrrrrA)rrrrorrrZMAX_ADDRESS_SPREADZMAX_REPEATED_ADDRESSESZrepeated_addressZaddresses_of_data_set_64Zaddresses_of_data_set_32Z start_rvafailedr(Z thunk_datarrrrs          zPE.get_import_tablerZc Cs|dur|j}|||jdd}|jD]}|jdkrF|jdkrFq,|j}||j|jj}| |j |jj |jj}|t |jks,|t |jks,||t |jks,||krq,|t |} | dkr|d| 7}n| dkr|d| }|| 7}q,|dur||_|S)aReturns the data corresponding to the memory layout of the PE file. The data includes the PE header and the sections loaded at offsets corresponding to their relative virtual addresses. (the VirtualAddress section header member). Any offset in this data corresponds to the absolute memory address ImageBase+offset. The optional argument 'max_virtual_address' provides with means of limiting which sections are processed. Any section with their VirtualAddress beyond this value will be skipped. Normally, sections with values beyond this range are just there to confuse tools. It's a common trick to see in packed executables. If the 'ImageBase' optional argument is supplied, the file's relocations will be applied to the image by calling the 'relocate_image()' method. Beware that the relocation information is applied permanently. NrrW)rvrelocate_imagerrrurmrlrnrorrrqrsrr) rZmax_virtual_addressr_Z original_dataZ mapped_datarZsrdZprdrkrrrrget_memory_mapped_imagegsD        zPE.get_memory_mapped_imagecCsvg}t|drr|jjD]Z}t|dr|jjD]B}t|dr,t|jdr,|jjr,t|jjD]}||q^q,q|S)aReturns a list of all the strings found withing the resources (if any). This method will scan all entries in the resources directory of the PE, if there is one, and will return a [] with the strings. An empty list will be returned otherwise. DIRECTORY_ENTRY_RESOURCEr)r7)r|rrr)r7rrr)rZresources_stringsres_typer> res_stringrrrget_resources_stringss        zPE.get_resources_stringscCsl||}|r||}nd}|s`|t|jkr<|j||S|t|jkrX|j||Std|||S)zGet data regardless of the section where it lies on. Given a RVA and the size of the chunk to retrieve, this method will find the section where the data lies and return the data. Nz-data at RVA can't be fetched. Corrupt header?)rrrrvrr)rrrrrxrrrrs   z PE.get_datacsJ|}|s@jr.N)rrrr)rr-rZ lowest_rvarrrrs    zPE.get_rva_from_offsetcCs<||}|s2|t|jkr |Std|dd||S)zGet the file offset corresponding to this RVA. Given a RVA , this method will find the section where the data lies and return the offset within the file. zdata at RVA 0xrz can't be fetched)rrrvrr)rrrrrrr s  zPE.get_offset_from_rvacCsJ|dur dS||}|s4|d|j|||S|d|j||dS)z1Get an ASCII string located at the given address.Nr)r)rrrvr)rrrrrrrr["s  zPE.get_string_at_rvacCs2|t|krdS||d}t|tr.t|S|S)rxr4N)rrrr)rr-r(rrrrget_bytes_from_data-s    zPE.get_bytes_from_datacCs.|||}|d}|dkr*|d|}|S)zGet an ASCII string from data.rWrN)rr)rr-r(rrxrrrr6s    zPE.get_string_from_datarWc Cs|dkr dS||d}|dK}t|d}|||}d}|d|d}|dkrt|}||ksj||krxt|d?}q||||||7}|d}|}q:|ddkr:|dL}qq:td||d |d}d tt |} |rt | |d St | d d S) z3Get an Unicode string located at the given address.rr4r;r0rSrsz<{:d}HNrrr) rrrrrrrrmaprXrr) rrrrFr(Z requestedZ null_indexZ data_lengthZuchrsrrrrr>s0     zPE.get_string_u_at_rvacCs"|jD]}||r|SqdS)z1Get the section containing the given file offset.N)rr)rr-rrrrris   zPE.get_section_by_offsetcCs"|jD]}||r|SqdS)z-Get the section containing the given address.N)rr)rrrrrrrrs   zPE.get_section_by_rvacCs|Sr ) dump_inforrrrr{sz PE.__str__cCs t|dS)z.Checks if the PE file has relocation directoryDIRECTORY_ENTRY_BASERELOC)r|rrrr has_relocs~sz PE.has_relocsrcCst|j|ddS)z=Print all the PE header information in a human readable from.rEN)rr)rrFrrr print_infosz PE.print_inforDc! s durt|}|r@d|D]}|q(d|jd|jd|j t t d} dg}t |D]"}t|j |dr||dqd |t|d r,|jdur,d |jt td } d g}t |D]&}t|j|drL||dqLd |d t td} |jD]} |  dg}t | D]$}t| |dr||dqΈd |d| tdur6d| tdurRd| tdurnd| tdurd| qt|d rt|jdrd|jj D]} | durˆ| qˆt|drt!|j"D]\} } t#|j"dkr0d| dn d| durR| t|dr|j$| t|drt#|j%| kr|j%| D]6}|t|drd|j&D]}fdd|Dd|j'(|d t t)|j*+D]0}d!|d(|d |d(|d q$qֈnzt|d"r|j,D]^}t|d#rvfd$d|Dd!t)|j-.d(d%d t)|j-/dqvqqt|d&rd'|j0j1d(d)|j0j2D]r}|j3dur,t4d*}|j5rR|j5} d+|j6|j3|(|f|j7rd,|j7(|d nq,t|d-rڈd.|j8D]}|j1|j9s d/|:|j1j;(|d |j9D]}|j|j?rˆd4|j?nqqt|d5rtd6|j@D]|}|j1d7|j5(|d |j*D]<}|j1d8d7|j5(|d d8q2qt|d9r@d:|jAD]}|j1|j9D]}|j|j?r(d4|j?nqqt|d= rd>|jBj1|jBj*D]}|j5dur|j5(|d }d?|d@dAn0tCD|j1jEdB}dC|j1jEdDdE|dFdA|j1dAt|dG rx|jFj1d8|jFj*D]d}|j5du rF|j5(d%d }d?|d@dHndC|j1jEdDd@dH|j1dHt|dG r|jFj1dI|jFj*D]r}t|dJ rdK|jGjH|jGjItJD|jGjHdLtK|jGjH|jGjIfdI|j1dM|jGj1dN qt|jFdO r|jFjL rdPdMt)t |jFjL+D],\} }dQ| |MdRdS(dTdN qF qqpt|dU r|jN r|jNj1 rΈdV|jNj1t|dW r|jO r|jOj1 rdX|jOj1t|dY rdZ|jPD]}|j1zd[tQ|j1jRWn(tS yd\|j1jRYn0|j- r,|j-d8 q,|T rPd]|jUD]}|j1|j*D]\}z(d^|jVtW|jXd_dfd8Wn,tS y>d`|jV|jXfd8Yn0 q qt|da rt#|jYdk rdb|jYD]@} | j1t| dc r|| jZdu r|| jZd8 q|[S)dz>Dump all the PE header information into human readable string.NParsing Warningsrrrrr rr rnrzDllCharacteristics: PE Sectionsrzz!Entropy: {0:f} (Min=0.0, Max=8.0)zMD5 hash: {0}zSHA-1 hash: %szSHA-256 hash: %szSHA-512 hash: %sr Directoriesr~r0zVersion Information Version Informationrrrcsg|]}d|qSz rr1rrNrrr3r4z PE.dump_info..z LangID: {0}rz {0}: {1}rrcsg|]}d|qSrrrrrrr3 srDIRECTORY_ENTRY_EXPORTExported symbolsz%-10s %-10s %srRVArNonez%-10d 0x%08X %sz forwarder: {0}rwImported symbolsz Name -> {0}Tz*{0}.{1} Ordinal[{2}] (Imported by Ordinal)z&{0} Ordinal[{1}] (Imported by Ordinal)z{0}.{1} Hint[{2:d}]z Bound: 0x{0:08X}DIRECTORY_ENTRY_BOUND_IMPORT Bound importszDLL: {0}r?DIRECTORY_ENTRY_DELAY_IMPORTDelay Imported symbolsz({0} Ordinal[{1:d}] (Imported by Ordinal)z{0}.{1} Hint[{2}]rResource directoryzName: []r;-zId: [0xXz] (r~r)rCrEr(z\--- LANG [%d,%d][%s,%s]rrIrLr7z [STRINGS]z {0:6d}: {1}unicode-escaperrDDIRECTORY_ENTRY_TLSTLSDIRECTORY_ENTRY_LOAD_CONFIG LOAD_CONFIGDIRECTORY_ENTRY_DEBUGDebug informationzType: zType: 0x{0:x}(Unknown)Base relocationsz%08Xh %sr.z0x%08X 0x%x(Unknown)DIRECTORY_ENTRY_EXCEPTIONz"Unwind data for exception handlingr)\rrr rr rrrNrrrrrsortedrHrrr|rnrr{rrrrrrrrrrrrrCr~rrrrrNrrrrrrrrrrrVrrr6rrrwrdr[rrrerrrrrr4rr9r)r(r+r,rrr7rrrr DEBUG_TYPEr#rrrrRELOCATION_TYPErrrr)!rrNrFwarningsrrrrrr}rr)rEZ vinfo_entryrr str_entry var_entryexportr6modulerrbound_imp_desc bound_imp_refrZ res_type_idr>r?rr% base_relocrelocr rrrrs                                                                                                     z PE.dump_infoc. Cs` i}|}|r||d<|j|d<|j|d<|j|d<ttd}g|d<|D]&}t|j|drX|d|dqXt |dr|j d ur|j |d<tt d }g|d <|D]&}t|j |dr|d |dqg|d <tt d }|j D]}|}|d |g|d<|D](}t||dr|d|dq||d<td urj||d<td ur||d<td ur||d<td ur||d<qt |drt |j drg|d<t|j jD]&\} } | d ur|d| qt |drg|d<t|jD]b\} } g} | | t |dr\| |j| t |drtt|j| krtg} | | |j| D]}| |t |dr i}|jD]D}| ||j|d<t |j!"D]}|d||d<qq| |nft |dr|j#D]R}i}t |dr| |t |j$%d|t |j$&d<| |qq|d| q t |drg|d<|d|j'j(|j'j)D]N}i}|j*d ur|+|j,|j*|j-d |j.r|j.|d!<|d|qt |d"rg|d#<|j/D]}g}|d#|||j(|j0D]f}i}|j1d$urx|j2|d%<|j,|d&<n|j2|d%<|j-|d'<|j3|d(<|j4r|j4|d)<||qNq"t |d*r4g|d+<|j5D]^}i}|d+||+|j(|j-|d%<|j!D]$}i}|+|j(|j-|d%<q qt |d,rg|d-<|j6D]}g}|d-|||j(|j0D]f}i}|j1d$ur|j2|d%<|j,|d&<n|j2|d%<|j-|d'<|j3|d(<|j4r|j4|d)<||qzqNt |d.rg|d/<|d/|j7j(|j7j!D]}i} |j-d ur:|j-| d'<n|j(j8t9:|j(j8d0f| d1<| +|j(|d/| t |d2rg}!|!|j;j(|d/|!|j;j!D]N}"i}#|"j-d ur|"j-|#d'<n |"j(j8|#d1<|#+|"j(|!|#t |"d2rg}$|$|"j;j(|!|$|"j;j!D]}%t |%d3r(i}&|%j|&d5<t?:|%j|&d8<|&+|%j(|&+|%j<t |d?r^|jEr^|jEj(r^|jEj(|d@<t |dArg|dB<|jFD]@}(i})|dB|)|)+|(j(tG:|(j(jH|(j(jH|)dC<qx|I r\g|dD<|jJD]}*g}+|dD|+|+|*j(|*j!D]X},i}-|+|-|,jK|-dE<ztL|,jMdFd |-dC<WntN yR|,jM|-dC<Yn0qq|S)Gz5Dump all the PE header information into a dictionary.rrrrrrrrnNrrrrzZEntropyZMD5ZSHA1ZSHA256ZSHA512rrr~rrrrrNr0rrrrrrrwrTZDLLrrZHintZBoundrrrrrrrr9r)r(rrrZ LANG_NAMEZ SUBLANG_NAMEr7rrrDrrrrrrr#rrr.)OrrrhrrrrrHrr|rnrr{rrrrrrrrrrrCrr~rrrrrrNrrrrrrrrrrVrr6rr6rrwrdrrerrrrrr9r4rr)r(r+r,rrr7rrrrrrr#rrrrrr).rrhrrrrr}rZ section_dictrEr)Zvs_vinfoZversion_info_listZ fileinfo_listrZstringtable_dictrrrZvar_dictrZ export_dictrZ import_listrrZ symbol_dictrZbound_imp_desc_dictrZbound_imp_ref_dictZ module_listrZresource_type_dictZdirectory_listr>Zresource_id_dictZresource_id_listr?Zresource_lang_dictrr%Zdbg_dictrZbase_reloc_listrZ reloc_dictrrrrh%s                                                                            z PE.dump_dictcCs&z ||WSty YdS0dS)z;Gets the physical address in the PE file from an RVA value.N)rrrrrrget_physical_by_rvaKs  zPE.get_physical_by_rvacCstd|d@S)zMReturn a four byte string representing the double word value (little endian).rrrI)rdwordrrrget_data_from_dwordVszPE.get_data_from_dwordcCs<|ddt|krdStd||d|dddS)aConvert four bytes of data to a double word (little endian) 'offset' is assumed to index into a dword array. So setting it to N will return a dword out of the data starting at offset N*4. Returns None if the data can't be turned into a double word. r0r?Nrrrrrrr(r-rrrrZZs zPE.get_dword_from_datacCs0z|||ddWSty*YdS0dS)zReturn the double word value at the given RVA. Returns None if the value can't be read, i.e. the RVA can't be mapped to a file offset. r?rN)rZrrrrrrget_dword_at_rvahs zPE.get_dword_at_rvacCs0|dt|jkrdS||j||ddS)zFReturn the double word value at the given file offset. (little endian)r?Nr)rrvrZr?rrrget_dword_from_offsettszPE.get_dword_from_offsetcCs||||S)zLSet the double word value at the file offset corresponding to the given RVA.)set_bytes_at_rvar)rrrrrrset_dword_at_rva|szPE.set_dword_at_rvacCs||||S)z3Set the double word value at the given file offset.)rr)rr-rrrrrszPE.set_dword_at_offsetcCs td|S)zFReturn a two byte string representing the word value. (little endian).rrrrrrrget_data_from_wordszPE.get_data_from_wordcCs<|ddt|krdStd||d|dddS)a Convert two bytes of data to a word (little endian) 'offset' is assumed to index into a word array. So setting it to N will return a dword out of the data starting at offset N*2. Returns None if the data can't be turned into a word. r0r;NrrrrrrrrQs zPE.get_word_from_datacCs6z|||dddWSty0YdS0dS)zReturn the word value at the given RVA. Returns None if the value can't be read, i.e. the RVA can't be mapped to a file offset. Nr;r)rQrrrrrrget_word_at_rvas zPE.get_word_at_rvacCs0|dt|jkrdS||j||ddS)z?Return the word value at the given file offset. (little endian)r;Nr)rrvrQr?rrrget_word_from_offsetszPE.get_word_from_offsetcCs||||S)zESet the word value at the file offset corresponding to the given RVA.)rr)rrrrrrset_word_at_rvaszPE.set_word_at_rvacCs||||S)z,Set the word value at the given file offset.)rr)rr-rrrrrszPE.set_word_at_offsetcCs td|S)zMReturn an eight byte string representing the quad-word value (little endian).|j|d@d ?qt|j t dkrt||j||j|qtqj||j_t|dr|jD]"}|jD]}|j|7_qqt|drR|jjj|7_|jjj|7_|jjj|7_|jjj|7_t|dr|jjjr||jjj|7_|jjj r|jjj |7_ |jjj!r|jjj!|7_!|jjj"r|jjj"|7_"|jjj#r|jjj#|7_#|jjj$r|jjj$|7_$dS)a2Apply the relocation information to the image using the provided image base. This method will apply the relocation information to the image. Given the new base, all the relocations will be processed and both the raw data and the section's data will be fixed accordingly. The resulting image can be retrieved as well through the method: get_memory_mapped_image() In order to get something that would more closely match what could be found in memory once the Windows loader finished its work. rCrArr@rzZRelocating image but PE does not have (or pefile cannot parse) a DIRECTORY_ENTRY_BASERELOCrr0rdrer.rrfrgrhrArirwrrN)%rnr_rrrIr|rrrrrrrrrrrrrrrrwrdrrrZStartAddressOfRawDataZEndAddressOfRawDataZAddressOfIndexZAddressOfCallBacksrZLockPrefixTableZEditListZSecurityCookieZSEHandlerTableZGuardCFCheckFunctionPointerZGuardCFFunctionTable) rZ new_ImageBaseZrelocation_differencerZ entry_idxrZ next_entryrefuncrrrr#s                                   zPE.relocate_imagecCs|jj|kSr )rnZCheckSumgenerate_checksumrrrrverify_checksumszPE.verify_checksumcCs(||_|jd}d}t|jd}t|jd||dk}tt|dD]}|t|dkrjqT|dt|dkr|rtd|j|dddd|d}n&td|j|d|ddd}||7}|dkrT|d@|d ?}qT|d @|d ?}||d ?}|d @}|t|jS) NrRrr?r0rrWrrr-rr.) rrvrnr>rrrrr)rZchecksum_offsetr remainderZdata_lenrrrrrrs, & zPE.generate_checksumcCs0td}|s,|s,||jj@|kr,dSdS)zCheck whether the file is a standard executable. This will return true only if the file has the IMAGE_FILE_EXECUTABLE_IMAGE flag set and the IMAGE_FILE_DLL not set and the file does not appear to be a driver either. rQTF)ris_dllrrry)rZEXE_flagrrris_exesz PE.is_execCs td}||jj@|krdSdS)zCheck whether the file is a standard DLL. This will return true only if the image has the IMAGE_FILE_DLL flag set. rUTF)rrry)rZDLL_flagrrrrsz PE.is_dllcCst|ds|jtdgdt|ds*dStd}|dd|jDrLdStd }|d d|jDr|jjt d t d fvrdSdS) zCheck whether the file is a Windows driver. This will return true only if there are reliable indicators of the image being a driver. rwr9rF)s ntoskrnl.exeshal.dllsndis.syss bootvid.dlls kdcom.dllcSsg|]}|jqSr)rerl)r1r|rrrr3Gr4z PE.is_driver..T)spagespagedcSsg|]}|jdqS)rW)rrlra)r1rrrrr3Mr4r^r_) r|rrrV intersectionrwrrnZ SubsystemSUBSYSTEM_TYPE)rZ system_DLLsZdriver_like_section_namesrrrrs2   z PE.is_driverc sdt|jffdd }t|dr:||j|jjf|jD]}||j|j fq@t dg}t |jj D]D\}}||vr~qlz|| |j|jfWqltyYqlYql0qlt|jtkrtSdS)zoGet the offset of data appended to the file and not contained within the area described in the headers.rcs$t||kr t|tkr |SSr )sum)Zoffset_and_size file_sizeZlargest_offset_and_sizerr'update_if_sum_is_larger_and_within_file_s zQPE.get_overlay_data_start_offset..update_if_sum_is_larger_and_within_filernr>N)rrvr|rnr>rrrrlrurrCrrrqrIrr)rrrZskip_directoriesrEr)rrrget_overlay_data_start_offsetYs4      z PE.get_overlay_data_start_offsetcCs"|}|dur|j|dSdS)zeGet the data appended to the file and not contained within the area described in the headers.NrrvrZoverlay_data_offsetrrr get_overlayszPE.get_overlaycCs,|}|dur|jd|S|jddS)zKReturn the just data defined by the PE headers, removing any overlaid data.NrrrrrtrimszPE.trimcCs:|tkr0|jdur0t|s0|jd|d|_t||S)NFz=If FileAlignment > 0x200 it should be a power of 2. Value: %xT)rrrrrr!)rrr rrrrmszPE.adjust_FileAlignmentcCs@|tkr4||kr4|jdur4|jd||fd|_t|||S)NFzAIf FileAlignment(%x) < 0x200 it should equal SectionAlignment(%x)T)rrrrr$)rrr#r rrrrrszPE.adjust_SectionAlignment)N)NFF)rNrN)F)r)F)NF)NF)rZN)rN)rWN)r)NrD)urrrrrrrrrrrrfrrWr.rBr@rGrKrLrMrOrPrrr"rrrrrrrrr MAX_SYMBOL_EXPORT_COUNTrrrrrrrrrrrrrrrrrrrr8r0r:rrJrarrur}rrgrrrrrrrr[rrrrrrrrrrhrrrZrrrrrrQrrrrrrrrrrrrrrrrrrrrrrrmrrrrrrr[sH $#     . rQ   7 aZw:- 98   m % n   I "   +    "(    )0 :. r[cCsddl}d}|jdds$t|nx|jddkr|jddsJ|dt|jd}|jjD]"}tt|jj |j |j |j q`ntt|jd dS)Nrz1pefile.py pefile.py exports r0r]r;zerror: required)rvargvrexitr[rrVrrnr_rr6rr)rvusagerrTrrrmains   r__main__)r FF)r __author__ __version__ __contact__rXrrrr]rrrrZhashlibrrrrrr r rjregister_error lookup_errorrr\rr!r$r)rrrhrrir\rr/r-rrrrrrrrZ IMAGE_NUMBEROF_DIRECTORY_ENTRIESrrrrr7Zdirectory_entry_typesrZimage_characteristicsrZsection_characteristicsr{Z debug_typesrZsubsystem_typesrZ machine_typesr Zrelocation_typesrZdll_characteristicsrrrrZ registersr rr#r*r,r1r8rEr=rArCZ resource_typer4r+rr,rr5rrrrrrrrrrrrrrr!r1r2rirrrrrrrrrrrrrrrrrrrrrr"r)r+r0r7r<r@rBrDrascii_lowercaseascii_uppercaserrTrXrYrZr[rrrrrrs         1"aj   K *  +L.  Ql  B1 ! - @"