pefile (version 1.2.6)

pefile, Portable Executable reader module
 
 
All the PE file basic structures are available with their default names
as attributes of the instance returned.
 
Processed elements such as the import table are made available with lowercase
names, to differentiate them from the upper case basic structure names.
 
pefile has been tested against the limits of valid PE headers, that is, malware.
Lots of packed malware attempts to abuse the format way beyond its standard use.
To the best of my knowledge most of the abuses are handled gracefully. Non-critical
problems found while parsing are appended to a list of warnings (see PE.get_warnings).
 
Copyright (c) 2005, 2006, 2007 Ero Carrera <ero@dkbza.org>
 
All rights reserved.
 
For detailed copyright information see the file COPYING in
the root of the distribution archive.

 
Modules
       
exceptions
math
os
re
struct
time

 
Classes
       
exceptions.Exception(exceptions.BaseException)
PEFormatError
DataContainer
BaseRelocationData
BoundImportDescData
BoundImportRefData
DebugData
ExportData
ExportDirData
ImportData
ImportDescData
RelocationData
ResourceDataEntryData
ResourceDirData
ResourceDirEntryData
TlsData
Dump
PE
Structure
SectionStructure

 
class BaseRelocationData(DataContainer)
    Holds base relocation information.
 
struct:     IMAGE_BASE_RELOCATION structure
entries:    list of relocation data (RelocationData instances)
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class BoundImportDescData(DataContainer)
    Holds bound import descriptor data.
 
This directory entry will provide information on the
DLLs this PE file has been bound to (if bound at all).
The structure will contain the name and timestamp of the
DLL at the time of binding so that the loader can know
whether it differs from the one currently present in the
system and must, therefore, re-bind the PE's imports.
 
struct:     IMAGE_BOUND_IMPORT_DESCRIPTOR structure
name:       DLL name
entries:    list of entries (BoundImportRefData instances)
            the entries will exist if this DLL has forwarded
            symbols. If so, the destination DLL will have an
            entry in this list.
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class BoundImportRefData(DataContainer)
    Holds bound import forwarder reference data.
 
Contains the same information as the bound descriptor but
for forwarded DLLs, if any.
 
struct:     IMAGE_BOUND_FORWARDER_REF structure
name:       dll name
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class DataContainer
    Generic data container.
 
  Methods defined here:
__init__(self, **args)

 
class DebugData(DataContainer)
    Holds debug information.
 
struct:     IMAGE_DEBUG_DIRECTORY structure
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class Dump
    Convenience class for dumping the PE information.
 
  Methods defined here:
__init__(self)
add(self, txt, indent=0)
Adds some text, no newline will be appended.
 
The text can be indented with the optional argument 'indent'.
add_header(self, txt)
Adds a header element.
add_line(self, txt, indent=0)
Adds a line.
 
The line can be indented with the optional argument 'indent'.
add_lines(self, txt, indent=0)
Adds a list of lines.
 
The list can be indented with the optional argument 'indent'.
add_newline(self)
Adds a newline.
get_text(self)
Get the text in its current state.

 
class ExportData(DataContainer)
    Holds exported symbols' information.
 
ordinal:    ordinal of the symbol
address:    address of the symbol
name:       name of the symbol (None if the symbol is
            exported by ordinal only)
forwarder:  if the symbol is forwarded it will
            contain the name of the target symbol,
            None otherwise.
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class ExportDirData(DataContainer)
    Holds export directory information.
                
struct:     IMAGE_EXPORT_DIRECTORY structure
symbols:    list of exported symbols (ExportData instances)
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class ImportData(DataContainer)
    Holds imported symbol's information.
 
ordinal:    Ordinal of the symbol
name:       Name of the symbol
bound:      If the symbol is bound, this contains
            the address.
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class ImportDescData(DataContainer)
    Holds import descriptor information.
 
dll:        name of the imported DLL
imports:    list of imported symbols (ImportData instances)
struct:     IMAGE_IMPORT_DESCRIPTOR structure
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class PE
    A Portable Executable representation.
 
This class provides access to most of the information in a PE file.
 
It expects to be supplied the name of the file to load or PE data
to process and an optional argument 'fast_load' (False by default)
which controls whether to load all the directories information,
which can be quite time consuming.
 
pe = pefile.PE('module.dll')
pe = pefile.PE(name='module.dll')
 
would load 'module.dll' and process it. If the data is already
available in a buffer, the same can be achieved with:
 
pe = pefile.PE(data=module_dll_data)
 
The default for "fast_load" can be set in the module itself by means
of, for instance, "pefile.fast_load = True".
That will make all subsequent instances skip loading the
whole PE structure. The "full_load" method can be used to parse
the missing data at a later stage.
 
Basic headers information will be available in the attributes:
 
DOS_HEADER
NT_HEADERS
FILE_HEADER
OPTIONAL_HEADER
 
All of them will contain among their attributes the members of the
corresponding structures as defined in WINNT.H
 
The raw data corresponding to the header (from the beginning of the
file up to the start of the first section) will be available in the
instance's attribute 'header' as a string.
 
The sections will be available as a list in the 'sections' attribute.
Each entry will contain as attributes all the structure's members.
 
Directory entries will be available as attributes (if they exist):
(no other entries are processed at this point)
 
DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances)
DIRECTORY_ENTRY_EXPORT (ExportDirData instance)
DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance)
DIRECTORY_ENTRY_DEBUG (list of DebugData instances)
DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances)
DIRECTORY_ENTRY_TLS 
DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances)
 
The following dictionary attributes provide ways of mapping different
constants. They will accept the numeric value and return the string
representation and the opposite, feed in the string and get the
numeric constant:
 
DIRECTORY_ENTRY
IMAGE_CHARACTERISTICS
SECTION_CHARACTERISTICS
DEBUG_TYPE
SUBSYSTEM_TYPE
MACHINE_TYPE
RELOCATION_TYPE
RESOURCE_TYPE
LANG
SUBLANG
 
  Methods defined here:
__init__(self, name=None, data=None, fast_load=None)
__parse__(self, fname, data, fast_load)
Parse a Portable Executable file.
 
Loads a PE file, parsing all its structures and making them available
through the instance's attributes.
__str__(self)
__unpack_data__(self, format, data, file_offset)
Apply structure format to raw data.
 
Returns an unpacked structure object if successful, None otherwise.
dump_info(self, dump=None)
Dump all the PE header information into human readable string.
dword_align(self, offset, base)
full_load(self)
Process the data directories.
 
This method will load the data directories which might not have
been loaded if the "fast_load" option was used.
get_data(self, rva, length=None)
Get data regardless of the section in which it lies.
 
Given a rva and the size of the chunk to retrieve, this method
will find the section where the data lies and return the data.
get_dword_from_data(self, data, offset)
get_import_table(self, rva)
get_memory_mapped_image(self, max_virtual_address=268435456)
Returns the data corresponding to the memory layout of the PE file.
 
The data includes the PE header and the sections loaded at offsets
corresponding to their relative virtual addresses. (the VirtualAddress
section header member).
Any offset in this data corresponds to the absolute memory address
ImageBase+offset.
 
The optional argument 'max_virtual_address' provides a means of limiting
which sections are processed.
Any section with its VirtualAddress beyond this value will be skipped.
Normally, sections with values beyond this range are just there to confuse
tools. It's a common trick seen in packed executables.
get_offset_from_rva(self, rva)
Get the file offset corresponding to this rva.
 
Given an rva, this method will find the section where the
data lies and return the offset within the file.
get_physical_by_rva(self, rva)
Gets the physical address in the PE file from an RVA value.
get_rva_from_offset(self, offset)
Get the rva corresponding to this file offset.
get_section_by_offset(self, offset)
Get the section containing the given file offset.
get_section_by_rva(self, rva)
Get the section containing the given address.
get_string_at_rva(self, rva)
Get an ASCII string located at the given address.
get_string_from_data(self, offset, data)
Get an ASCII string from within the data.
get_string_u_at_rva(self, rva, max_length=65536)
Get an Unicode string located at the given address.
get_warnings(self)
Return the list of warnings.
 
Non-critical problems found when parsing the PE file are
appended to a list of warnings. This method returns the
full list.
get_word_from_data(self, data, offset)
parse_data_directories(self)
Parse and process the PE file's data directories.
parse_debug_directory(self, rva, size)
parse_delay_import_directory(self, rva, size)
Walk and parse the delay import directory.
parse_directory_bound_imports(self, rva, size)
parse_directory_tls(self, rva, size)
parse_export_directory(self, rva, size)
Parse the export directory.
 
Given the rva of the export directory, it will process all
its entries.
 
The exports will be made available through a list "exports"
containing a tuple with the following elements:
 
    (ordinal, symbol_address, symbol_name)
    
And also through a dictionary "exports_by_ordinal" whose keys
will be the ordinals and the values tuples of the form:
 
    (symbol_address, symbol_name)
    
The symbol addresses are relative, not absolute.
parse_import_directory(self, rva, size)
Walk and parse the import directory.
parse_imports(self, original_first_thunk, first_thunk, forwarder_chain)
Parse the imported symbols.
 
It will fill a list, which will be available as the dictionary
attribute "imports". Its keys will be the DLL names and the values
all the symbols imported from that object.
parse_relocations(self, data_rva, rva, size)
parse_relocations_directory(self, rva, size)
parse_resource_data_entry(self, rva)
Parse a data entry from the resources directory.
parse_resource_entry(self, rva)
Parse a directory entry from the resources directory.
parse_resources_directory(self, rva, size=0, base_rva=None, level=0)
Parse the resources directory.
 
Given the rva of the resources directory, it will process all
its entries.
 
The root will have the corresponding member of its structure,
IMAGE_RESOURCE_DIRECTORY plus 'entries', a list of all the
entries in the directory.
 
Those entries will have, correspondingly, all the structure's
members (IMAGE_RESOURCE_DIRECTORY_ENTRY) and an additional one,
"directory", pointing to the IMAGE_RESOURCE_DIRECTORY structure
representing upper layers of the tree. This one will also have
an 'entries' attribute, pointing to the 3rd, and last, level.
Another directory with more entries. Those last entries will
have a new attribute (either 'leaf' or 'data_entry' can be used to
access it). This structure finally points to the resource data.
All the members of this structure, IMAGE_RESOURCE_DATA_ENTRY,
are available as its attributes.
parse_sections(self, offset)
Fetch the PE file sections.
 
The sections will be readily available in the "sections" attribute.
Its attributes will contain all the section information plus "data"
a buffer containing the section's data.
 
The "Characteristics" member will be processed and attributes 
representing the section characteristics (with the 'IMAGE_SCN_'
string trimmed from the constant's names) will be added to the
section instance.
 
Refer to the SectionStructure class for additional info.
parse_version_information(self, version_struct)
Parse version information structure.
 
The data will be made available in three attributes of the PE object.
 
VS_VERSIONINFO     will contain the first three fields of the main structure:
    'Length', 'ValueLength', and 'Type'
    
VS_FIXEDFILEINFO    will hold the rest of the fields, accessible as sub-attributes:
    'Signature', 'StrucVersion', 'FileVersionMS', 'FileVersionLS',
    'ProductVersionMS', 'ProductVersionLS', 'FileFlagsMask', 'FileFlags',
    'FileOS', 'FileType', 'FileSubtype', 'FileDateMS', 'FileDateLS'
    
FileInfo    is a list of all StringFileInfo and VarFileInfo structures.
 
StringFileInfo structures will have a list as an attribute named 'StringTable'
containing all the StringTable structures. Each of those structures contains a 
dictionary 'entries' with all the key/value version information string pairs.
 
VarFileInfo structures will have a list as an attribute named 'Var' containing
all Var structures. Each Var structure will have a dictionary as an attribute
named 'entry' which will contain the name and value of the Var.
print_info(self)
Print all the PE header information in a human readable form.
retrieve_flags(self, flag_dict, flag_filter)
Read the flags from a dictionary and return them in a usable form.
 
Will return a list of (flag, value) for all flags in "flag_dict"
matching the filter "flag_filter".
set_flags(self, obj, flag_field, flags)
Will process the flags and set attributes in the object accordingly.
 
The object "obj" will gain attributes named after the flags provided in
"flags" and valued True/False, matching the results of applying each
flag value from "flags" to flag_field.
show_warnings(self)
Print the list of warnings.
 
Non-critical problems found when parsing the PE file are
appended to a list of warnings. This method prints the
full list to standard output.
write(self, filename=None)
Write the PE file.
 
This function will process all headers and components
of the PE file and include all changes made (by just
assigning to attributes in the PE objects) and write
the changes back to a file whose name is provided as
an argument. The filename is optional.
The data to be written to the file will be returned
as a 'str' object.

Data and other attributes defined here:
__IMAGE_BASE_RELOCATION_format__ = ('IMAGE_BASE_RELOCATION', ('L,VirtualAddress', 'L,SizeOfBlock'))
__IMAGE_BOUND_FORWARDER_REF_format__ = ('IMAGE_BOUND_FORWARDER_REF', ('L,TimeDateStamp', 'H,OffsetModuleName', 'H,Reserved'))
__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__ = ('IMAGE_BOUND_IMPORT_DESCRIPTOR', ('L,TimeDateStamp', 'H,OffsetModuleName', 'H,NumberOfModuleForwarderRefs'))
__IMAGE_DATA_DIRECTORY_format__ = ('IMAGE_DATA_DIRECTORY', ('L,VirtualAddress', 'L,Size'))
__IMAGE_DEBUG_DIRECTORY_format__ = ('IMAGE_DEBUG_DIRECTORY', ('L,Characteristics', 'L,TimeDateStamp', 'H,MajorVersion', 'H,MinorVersion', 'L,Type', 'L,SizeOfData', 'L,AddressOfRawData', 'L,PointerToRawData'))
__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__ = ('IMAGE_DELAY_IMPORT_DESCRIPTOR', ('L,grAttrs', 'L,szName', 'L,phmod', 'L,pIAT', 'L,pINT', 'L,pBoundIAT', 'L,pUnloadIAT', 'L,dwTimeStamp'))
__IMAGE_DOS_HEADER_format__ = ('IMAGE_DOS_HEADER', ('H,e_magic', 'H,e_cblp', 'H,e_cp', 'H,e_crlc', 'H,e_cparhdr', 'H,e_minalloc', 'H,e_maxalloc', 'H,e_ss', 'H,e_sp', 'H,e_csum', 'H,e_ip', 'H,e_cs', 'H,e_lfarlc', 'H,e_ovno', '8s,e_res', 'H,e_oemid', 'H,e_oeminfo', '20s,e_res2', 'L,e_lfanew'))
__IMAGE_EXPORT_DIRECTORY_format__ = ('IMAGE_EXPORT_DIRECTORY', ('L,Characteristics', 'L,TimeDateStamp', 'H,MajorVersion', 'H,MinorVersion', 'L,Name', 'L,Base', 'L,NumberOfFunctions', 'L,NumberOfNames', 'L,AddressOfFunctions', 'L,AddressOfNames', 'L,AddressOfNameOrdinals'))
__IMAGE_FILE_HEADER_format__ = ('IMAGE_FILE_HEADER', ('H,Machine', 'H,NumberOfSections', 'L,TimeDateStamp', 'L,PointerToSymbolTable', 'L,NumberOfSymbols', 'H,SizeOfOptionalHeader', 'H,Characteristics'))
__IMAGE_IMPORT_DESCRIPTOR_format__ = ('IMAGE_IMPORT_DESCRIPTOR', ('L,OriginalFirstThunk,Characteristics', 'L,TimeDateStamp', 'L,ForwarderChain', 'L,Name', 'L,FirstThunk'))
__IMAGE_NT_HEADERS_format__ = ('IMAGE_NT_HEADERS', ('L,Signature',))
__IMAGE_OPTIONAL_HEADER64_format__ = ('IMAGE_OPTIONAL_HEADER64', ('H,Magic', 'B,MajorLinkerVersion', 'B,MinorLinkerVersion', 'L,SizeOfCode', 'L,SizeOfInitializedData', 'L,SizeOfUninitializedData', 'L,AddressOfEntryPoint', 'L,BaseOfCode', 'Q,ImageBase', 'L,SectionAlignment', 'L,FileAlignment', 'H,MajorOperatingSystemVersion', 'H,MinorOperatingSystemVersion', 'H,MajorImageVersion', 'H,MinorImageVersion', 'H,MajorSubsystemVersion', 'H,MinorSubsystemVersion', 'L,Reserved1', 'L,SizeOfImage', 'L,SizeOfHeaders', ...))
__IMAGE_OPTIONAL_HEADER_format__ = ('IMAGE_OPTIONAL_HEADER', ('H,Magic', 'B,MajorLinkerVersion', 'B,MinorLinkerVersion', 'L,SizeOfCode', 'L,SizeOfInitializedData', 'L,SizeOfUninitializedData', 'L,AddressOfEntryPoint', 'L,BaseOfCode', 'L,BaseOfData', 'L,ImageBase', 'L,SectionAlignment', 'L,FileAlignment', 'H,MajorOperatingSystemVersion', 'H,MinorOperatingSystemVersion', 'H,MajorImageVersion', 'H,MinorImageVersion', 'H,MajorSubsystemVersion', 'H,MinorSubsystemVersion', 'L,Reserved1', 'L,SizeOfImage', ...))
__IMAGE_RESOURCE_DATA_ENTRY_format__ = ('IMAGE_RESOURCE_DATA_ENTRY', ('L,OffsetToData', 'L,Size', 'L,CodePage', 'L,Reserved'))
__IMAGE_RESOURCE_DIRECTORY_ENTRY_format__ = ('IMAGE_RESOURCE_DIRECTORY_ENTRY', ('L,Name', 'L,OffsetToData'))
__IMAGE_RESOURCE_DIRECTORY_format__ = ('IMAGE_RESOURCE_DIRECTORY', ('L,Characteristics', 'L,TimeDateStamp', 'H,MajorVersion', 'H,MinorVersion', 'H,NumberOfNamedEntries', 'H,NumberOfIdEntries'))
__IMAGE_SECTION_HEADER_format__ = ('IMAGE_SECTION_HEADER', ('8s,Name', 'L,Misc,Misc_PhysicalAddress,Misc_VirtualSize', 'L,VirtualAddress', 'L,SizeOfRawData', 'L,PointerToRawData', 'L,PointerToRelocations', 'L,PointerToLinenumbers', 'H,NumberOfRelocations', 'H,NumberOfLinenumbers', 'L,Characteristics'))
__IMAGE_THUNK_DATA64_format__ = ('IMAGE_THUNK_DATA', ('Q,ForwarderString,Function,Ordinal,AddressOfData',))
__IMAGE_THUNK_DATA_format__ = ('IMAGE_THUNK_DATA', ('L,ForwarderString,Function,Ordinal,AddressOfData',))
__IMAGE_TLS_DIRECTORY64_format__ = ('IMAGE_TLS_DIRECTORY', ('Q,StartAddressOfRawData', 'Q,EndAddressOfRawData', 'Q,AddressOfIndex', 'Q,AddressOfCallBacks', 'L,SizeOfZeroFill', 'L,Characteristics'))
__IMAGE_TLS_DIRECTORY_format__ = ('IMAGE_TLS_DIRECTORY', ('L,StartAddressOfRawData', 'L,EndAddressOfRawData', 'L,AddressOfIndex', 'L,AddressOfCallBacks', 'L,SizeOfZeroFill', 'L,Characteristics'))
__StringFileInfo_format__ = ('StringFileInfo', ('H,Length', 'H,ValueLength', 'H,Type'))
__StringTable_format__ = ('StringTable', ('H,Length', 'H,ValueLength', 'H,Type'))
__String_format__ = ('String', ('H,Length', 'H,ValueLength', 'H,Type'))
__VS_FIXEDFILEINFO_format__ = ('VS_FIXEDFILEINFO', ('L,Signature', 'L,StrucVersion', 'L,FileVersionMS', 'L,FileVersionLS', 'L,ProductVersionMS', 'L,ProductVersionLS', 'L,FileFlagsMask', 'L,FileFlags', 'L,FileOS', 'L,FileType', 'L,FileSubtype', 'L,FileDateMS', 'L,FileDateLS'))
__VS_VERSIONINFO_format__ = ('VS_VERSIONINFO', ('H,Length', 'H,ValueLength', 'H,Type'))
__Var_format__ = ('Var', ('H,Length', 'H,ValueLength', 'H,Type'))

 
class PEFormatError(exceptions.Exception)
    Generic PE format error exception.
 
 
Method resolution order:
PEFormatError
exceptions.Exception
exceptions.BaseException
__builtin__.object

Methods defined here:
__init__(self, value)
__str__(self)

Data descriptors defined here:
__weakref__
list of weak references to the object (if defined)

Data and other attributes inherited from exceptions.Exception:
__new__ = <built-in method __new__ of type object at 0x2fba40>
T.__new__(S, ...) -> a new object with type S, a subtype of T

Methods inherited from exceptions.BaseException:
__delattr__(...)
x.__delattr__('name') <==> del x.name
__getattribute__(...)
x.__getattribute__('name') <==> x.name
__getitem__(...)
x.__getitem__(y) <==> x[y]
__reduce__(...)
__repr__(...)
x.__repr__() <==> repr(x)
__setattr__(...)
x.__setattr__('name', value) <==> x.name = value
__setstate__(...)

Data descriptors inherited from exceptions.BaseException:
__dict__
args
message
exception message

 
class RelocationData(DataContainer)
    Holds relocation information.
 
type:       Type of relocation
            The type string can be obtained by
            RELOCATION_TYPE[type]
rva:        RVA of the relocation
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class ResourceDataEntryData(DataContainer)
    Holds resource data entry information.
 
struct:     IMAGE_RESOURCE_DATA_ENTRY structure
lang:       Primary language ID
sublang:    Sublanguage ID
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class ResourceDirData(DataContainer)
    Holds resource directory information.
 
struct:     IMAGE_RESOURCE_DIRECTORY structure
entries:    list of entries (ResourceDirEntryData instances)
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class ResourceDirEntryData(DataContainer)
    Holds resource directory entry data.
 
struct:     IMAGE_RESOURCE_DIRECTORY_ENTRY structure
name:       If the resource is identified by name this
            attribute will contain the name string. None
            otherwise. If identified by id, the id is
            available at 'struct.Id'
id:         the id, also in struct.Id
directory:  If this entry has a lower level directory
            this attribute will point to the
            ResourceDirData instance representing it.
data:       If this entry has no further lower directories
            and points to the actual resource data, this
            attribute will reference the corresponding
            ResourceDataEntryData instance.
(Either of the 'directory' or 'data' attribute will exist,
but not both.)
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
class SectionStructure(Structure)
    Convenience section handling class.
 
  Methods defined here:
contains(self, rva)
contains_offset(self, offset)
Check whether the section contains the file offset provided.
contains_rva(self, rva)
Check whether the section contains the address provided.
entropy_H(self, data)
Calculate the entropy of a chunk of data.
get_data(self, start, length=None)
Get data chunk from a section.
 
Allows querying data from the section by passing the
addresses where the PE file would be loaded by default.
It is then possible to retrieve code and data by their real
addresses as they would be if loaded.
get_offset_from_rva(self, rva)
get_rva_from_offset(self, offset)

Methods inherited from Structure:
__get_format__(self)
__init__(self, format, name=None, file_offset=None)
__pack__(self)
__set_format__(self, format)
__unpack__(self, data)
all_zeroes(self)
Returns true if the unpacked data is all zeroes.
dump(self, indentation=0)
Returns a string representation of the structure.
get_file_offset(self)
set_file_offset(self, offset)
sizeof(self)
Return size of the structure.

 
class Structure
    Prepare structure object to extract members from data.
 
Format is a list containing definitions for the elements
of the structure.
 
  Methods defined here:
__get_format__(self)
__init__(self, format, name=None, file_offset=None)
__pack__(self)
__set_format__(self, format)
__unpack__(self, data)
all_zeroes(self)
Returns true if the unpacked data is all zeroes.
dump(self, indentation=0)
Returns a string representation of the structure.
get_file_offset(self)
set_file_offset(self, offset)
sizeof(self)
Return size of the structure.

 
class TlsData(DataContainer)
    Holds TLS information.
 
struct:     IMAGE_TLS_DIRECTORY structure
 
  Methods inherited from DataContainer:
__init__(self, **args)

 
Data
        DEBUG_TYPE = {0: 'IMAGE_DEBUG_TYPE_UNKNOWN', 1: 'IMAGE_DEBUG_TYPE_COFF', 2: 'IMAGE_DEBUG_TYPE_CODEVIEW', 3: 'IMAGE_DEBUG_TYPE_FPO', 4: 'IMAGE_DEBUG_TYPE_MISC', 5: 'IMAGE_DEBUG_TYPE_EXCEPTION', 6: 'IMAGE_DEBUG_TYPE_FIXUP', 7: 'IMAGE_DEBUG_TYPE_OMAP_TO_SRC', 8: 'IMAGE_DEBUG_TYPE_OMAP_FROM_SRC', 9: 'IMAGE_DEBUG_TYPE_BORLAND', ...}
DIRECTORY_ENTRY = {0: 'IMAGE_DIRECTORY_ENTRY_EXPORT', 1: 'IMAGE_DIRECTORY_ENTRY_IMPORT', 2: 'IMAGE_DIRECTORY_ENTRY_RESOURCE', 3: 'IMAGE_DIRECTORY_ENTRY_EXCEPTION', 4: 'IMAGE_DIRECTORY_ENTRY_SECURITY', 5: 'IMAGE_DIRECTORY_ENTRY_BASERELOC', 6: 'IMAGE_DIRECTORY_ENTRY_DEBUG', 7: 'IMAGE_DIRECTORY_ENTRY_COPYRIGHT', 8: 'IMAGE_DIRECTORY_ENTRY_GLOBALPTR', 9: 'IMAGE_DIRECTORY_ENTRY_TLS', ...}
IMAGE_CHARACTERISTICS = {1: 'IMAGE_FILE_RELOCS_STRIPPED', 2: 'IMAGE_FILE_EXECUTABLE_IMAGE', 4: 'IMAGE_FILE_LINE_NUMS_STRIPPED', 8: 'IMAGE_FILE_LOCAL_SYMS_STRIPPED', 16: 'IMAGE_FILE_AGGRESIVE_WS_TRIM', 32: 'IMAGE_FILE_LARGE_ADDRESS_AWARE', 64: 'IMAGE_FILE_16BIT_MACHINE', 128: 'IMAGE_FILE_BYTES_REVERSED_LO', 256: 'IMAGE_FILE_32BIT_MACHINE', 512: 'IMAGE_FILE_DEBUG_STRIPPED', ...}
IMAGE_DOS_SIGNATURE = 23117
IMAGE_NT_SIGNATURE = 17744
IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
IMAGE_ORDINAL_FLAG = 2147483648L
IMAGE_ORDINAL_FLAG64 = 9223372036854775808L
IMAGE_OS2_SIGNATURE = 17742
IMAGE_OS2_SIGNATURE_LE = 17740
IMAGE_VXD_SIGNATURE = 17740
LANG = {0: 'LANG_NEUTRAL', 1: 'LANG_ARABIC', 2: 'LANG_BULGARIAN', 3: 'LANG_CATALAN', 4: 'LANG_CHINESE', 5: 'LANG_CZECH', 6: 'LANG_DANISH', 7: 'LANG_GERMAN', 8: 'LANG_GREEK', 9: 'LANG_ENGLISH', ...}
MACHINE_TYPE = {0: 'IMAGE_FILE_MACHINE_UNKNOWN', 332: 'IMAGE_FILE_MACHINE_I386', 358: 'IMAGE_FILE_MACHINE_R4000', 361: 'IMAGE_FILE_MACHINE_WCEMIPSV2', 418: 'IMAGE_FILE_MACHINE_SH3', 419: 'IMAGE_FILE_MACHINE_SH3DSP', 422: 'IMAGE_FILE_MACHINE_SH4', 424: 'IMAGE_FILE_MACHINE_SH5', 448: 'IMAGE_FILE_MACHINE_ARM', 450: 'IMAGE_FILE_MACHINE_THUMB', ...}
OPTIONAL_HEADER_MAGIC_PE = 267
OPTIONAL_HEADER_MAGIC_PE_PLUS = 523
RELOCATION_TYPE = {0: 'IMAGE_REL_BASED_ABSOLUTE', 1: 'IMAGE_REL_BASED_HIGH', 2: 'IMAGE_REL_BASED_LOW', 3: 'IMAGE_REL_BASED_HIGHLOW', 4: 'IMAGE_REL_BASED_HIGHADJ', 5: 'IMAGE_REL_BASED_MIPS_JMPADDR', 6: 'IMAGE_REL_BASED_SECTION', 7: 'IMAGE_REL_BASED_REL', 9: 'IMAGE_REL_BASED_IA64_IMM64', 10: 'IMAGE_REL_BASED_DIR64', ...}
RESOURCE_TYPE = {1: 'RT_CURSOR', 2: 'RT_BITMAP', 3: 'RT_ICON', 4: 'RT_MENU', 5: 'RT_DIALOG', 6: 'RT_STRING', 7: 'RT_FONTDIR', 8: 'RT_FONT', 9: 'RT_ACCELERATOR', 10: 'RT_RCDATA', ...}
SECTION_CHARACTERISTICS = {32: 'IMAGE_SCN_CNT_CODE', 64: 'IMAGE_SCN_CNT_INITIALIZED_DATA', 128: 'IMAGE_SCN_CNT_UNINITIALIZED_DATA', 256: 'IMAGE_SCN_LNK_OTHER', 512: 'IMAGE_SCN_LNK_INFO', 2048: 'IMAGE_SCN_LNK_REMOVE', 4096: 'IMAGE_SCN_LNK_COMDAT', 32768: 'IMAGE_SCN_MEM_FARDATA', 131072: 'IMAGE_SCN_MEM_16BIT', 262144: 'IMAGE_SCN_MEM_LOCKED', ...}
SUBLANG = {0: 'SUBLANG_NEUTRAL', 1: 'SUBLANG_GAELIC', 2: 'SUBLANG_GAELIC_SCOTTISH', 3: 'SUBLANG_GAELIC_MANX', 4: 'SUBLANG_SPANISH_GUATEMALA', 5: 'SUBLANG_SPANISH_COSTA_RICA', 6: 'SUBLANG_SPANISH_PANAMA', 7: 'SUBLANG_SPANISH_DOMINICAN_REPUBLIC', 8: 'SUBLANG_SPANISH_VENEZUELA', 9: 'SUBLANG_SPANISH_COLOMBIA', ...}
SUBSYSTEM_TYPE = {0: 'IMAGE_SUBSYSTEM_UNKNOWN', 1: 'IMAGE_SUBSYSTEM_NATIVE', 2: 'IMAGE_SUBSYSTEM_WINDOWS_GUI', 3: 'IMAGE_SUBSYSTEM_WINDOWS_CUI', 5: 'IMAGE_SUBSYSTEM_OS2_CUI', 7: 'IMAGE_SUBSYSTEM_POSIX_CUI', 14: 'IMAGE_SUBSYSTEM_XBOX', 'IMAGE_SUBSYSTEM_NATIVE': 1, 'IMAGE_SUBSYSTEM_OS2_CUI': 5, 'IMAGE_SUBSYSTEM_POSIX_CUI': 7, ...}
__author__ = 'Ero Carrera'
__contact__ = 'ero@dkbza.org'
__version__ = '1.2.6'
debug_types = [('IMAGE_DEBUG_TYPE_UNKNOWN', 0), ('IMAGE_DEBUG_TYPE_COFF', 1), ('IMAGE_DEBUG_TYPE_CODEVIEW', 2), ('IMAGE_DEBUG_TYPE_FPO', 3), ('IMAGE_DEBUG_TYPE_MISC', 4), ('IMAGE_DEBUG_TYPE_EXCEPTION', 5), ('IMAGE_DEBUG_TYPE_FIXUP', 6), ('IMAGE_DEBUG_TYPE_OMAP_TO_SRC', 7), ('IMAGE_DEBUG_TYPE_OMAP_FROM_SRC', 8), ('IMAGE_DEBUG_TYPE_BORLAND', 9), ('IMAGE_DEBUG_TYPE_RESERVED10', 10)]
directory_entry_types = [('IMAGE_DIRECTORY_ENTRY_EXPORT', 0), ('IMAGE_DIRECTORY_ENTRY_IMPORT', 1), ('IMAGE_DIRECTORY_ENTRY_RESOURCE', 2), ('IMAGE_DIRECTORY_ENTRY_EXCEPTION', 3), ('IMAGE_DIRECTORY_ENTRY_SECURITY', 4), ('IMAGE_DIRECTORY_ENTRY_BASERELOC', 5), ('IMAGE_DIRECTORY_ENTRY_DEBUG', 6), ('IMAGE_DIRECTORY_ENTRY_COPYRIGHT', 7), ('IMAGE_DIRECTORY_ENTRY_GLOBALPTR', 8), ('IMAGE_DIRECTORY_ENTRY_TLS', 9), ('IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG', 10), ('IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT', 11), ('IMAGE_DIRECTORY_ENTRY_IAT', 12), ('IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT', 13), ('IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR', 14), ('IMAGE_DIRECTORY_ENTRY_RESERVED', 15)]
e = ('SUBLANG_GAELIC_MANX', 3)
fast_load = False
image_characteristics = [('IMAGE_FILE_RELOCS_STRIPPED', 1), ('IMAGE_FILE_EXECUTABLE_IMAGE', 2), ('IMAGE_FILE_LINE_NUMS_STRIPPED', 4), ('IMAGE_FILE_LOCAL_SYMS_STRIPPED', 8), ('IMAGE_FILE_AGGRESIVE_WS_TRIM', 16), ('IMAGE_FILE_LARGE_ADDRESS_AWARE', 32), ('IMAGE_FILE_16BIT_MACHINE', 64), ('IMAGE_FILE_BYTES_REVERSED_LO', 128), ('IMAGE_FILE_32BIT_MACHINE', 256), ('IMAGE_FILE_DEBUG_STRIPPED', 512), ('IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP', 1024), ('IMAGE_FILE_NET_RUN_FROM_SWAP', 2048), ('IMAGE_FILE_SYSTEM', 4096), ('IMAGE_FILE_DLL', 8192), ('IMAGE_FILE_UP_SYSTEM_ONLY', 16384), ('IMAGE_FILE_BYTES_REVERSED_HI', 32768)]
lang = [('LANG_NEUTRAL', 0), ('LANG_INVARIANT', 127), ('LANG_AFRIKAANS', 54), ('LANG_ALBANIAN', 28), ('LANG_ARABIC', 1), ('LANG_ARMENIAN', 43), ('LANG_ASSAMESE', 77), ('LANG_AZERI', 44), ('LANG_BASQUE', 45), ('LANG_BELARUSIAN', 35), ('LANG_BENGALI', 69), ('LANG_BULGARIAN', 2), ('LANG_CATALAN', 3), ('LANG_CHINESE', 4), ('LANG_CROATIAN', 26), ('LANG_CZECH', 5), ('LANG_DANISH', 6), ('LANG_DIVEHI', 101), ('LANG_DUTCH', 19), ('LANG_ENGLISH', 9), ...]
machine_types = [('IMAGE_FILE_MACHINE_UNKNOWN', 0), ('IMAGE_FILE_MACHINE_AM33', 467), ('IMAGE_FILE_MACHINE_AMD64', 34404), ('IMAGE_FILE_MACHINE_ARM', 448), ('IMAGE_FILE_MACHINE_EBC', 3772), ('IMAGE_FILE_MACHINE_I386', 332), ('IMAGE_FILE_MACHINE_IA64', 512), ('IMAGE_FILE_MACHINE_MR32', 36929), ('IMAGE_FILE_MACHINE_MIPS16', 614), ('IMAGE_FILE_MACHINE_MIPSFPU', 870), ('IMAGE_FILE_MACHINE_MIPSFPU16', 1126), ('IMAGE_FILE_MACHINE_POWERPC', 496), ('IMAGE_FILE_MACHINE_POWERPCFP', 497), ('IMAGE_FILE_MACHINE_R4000', 358), ('IMAGE_FILE_MACHINE_SH3', 418), ('IMAGE_FILE_MACHINE_SH3DSP', 419), ('IMAGE_FILE_MACHINE_SH4', 422), ('IMAGE_FILE_MACHINE_SH5', 424), ('IMAGE_FILE_MACHINE_THUMB', 450), ('IMAGE_FILE_MACHINE_WCEMIPSV2', 361)]
relocation_types = [('IMAGE_REL_BASED_ABSOLUTE', 0), ('IMAGE_REL_BASED_HIGH', 1), ('IMAGE_REL_BASED_LOW', 2), ('IMAGE_REL_BASED_HIGHLOW', 3), ('IMAGE_REL_BASED_HIGHADJ', 4), ('IMAGE_REL_BASED_MIPS_JMPADDR', 5), ('IMAGE_REL_BASED_SECTION', 6), ('IMAGE_REL_BASED_REL', 7), ('IMAGE_REL_BASED_MIPS_JMPADDR16', 9), ('IMAGE_REL_BASED_IA64_IMM64', 9), ('IMAGE_REL_BASED_DIR64', 10), ('IMAGE_REL_BASED_HIGH3ADJ', 11)]
resource_type = [('RT_CURSOR', 1), ('RT_BITMAP', 2), ('RT_ICON', 3), ('RT_MENU', 4), ('RT_DIALOG', 5), ('RT_STRING', 6), ('RT_FONTDIR', 7), ('RT_FONT', 8), ('RT_ACCELERATOR', 9), ('RT_RCDATA', 10), ('RT_MESSAGETABLE', 11), ('RT_GROUP_CURSOR', 12), ('RT_GROUP_ICON', 14), ('RT_VERSION', 16), ('RT_DLGINCLUDE', 17), ('RT_PLUGPLAY', 19), ('RT_VXD', 20), ('RT_ANICURSOR', 21), ('RT_ANIICON', 22), ('RT_HTML', 23), ...]
section_characteristics = [('IMAGE_SCN_CNT_CODE', 32), ('IMAGE_SCN_CNT_INITIALIZED_DATA', 64), ('IMAGE_SCN_CNT_UNINITIALIZED_DATA', 128), ('IMAGE_SCN_LNK_OTHER', 256), ('IMAGE_SCN_LNK_INFO', 512), ('IMAGE_SCN_LNK_REMOVE', 2048), ('IMAGE_SCN_LNK_COMDAT', 4096), ('IMAGE_SCN_MEM_FARDATA', 32768), ('IMAGE_SCN_MEM_PURGEABLE', 131072), ('IMAGE_SCN_MEM_16BIT', 131072), ('IMAGE_SCN_MEM_LOCKED', 262144), ('IMAGE_SCN_MEM_PRELOAD', 524288), ('IMAGE_SCN_ALIGN_1BYTES', 1048576), ('IMAGE_SCN_ALIGN_2BYTES', 2097152), ('IMAGE_SCN_ALIGN_4BYTES', 3145728), ('IMAGE_SCN_ALIGN_8BYTES', 4194304), ('IMAGE_SCN_ALIGN_16BYTES', 5242880), ('IMAGE_SCN_ALIGN_32BYTES', 6291456), ('IMAGE_SCN_ALIGN_64BYTES', 7340032), ('IMAGE_SCN_ALIGN_128BYTES', 8388608), ...]
sublang = [('SUBLANG_NEUTRAL', 0), ('SUBLANG_DEFAULT', 1), ('SUBLANG_SYS_DEFAULT', 2), ('SUBLANG_ARABIC_SAUDI_ARABIA', 1), ('SUBLANG_ARABIC_IRAQ', 2), ('SUBLANG_ARABIC_EGYPT', 3), ('SUBLANG_ARABIC_LIBYA', 4), ('SUBLANG_ARABIC_ALGERIA', 5), ('SUBLANG_ARABIC_MOROCCO', 6), ('SUBLANG_ARABIC_TUNISIA', 7), ('SUBLANG_ARABIC_OMAN', 8), ('SUBLANG_ARABIC_YEMEN', 9), ('SUBLANG_ARABIC_SYRIA', 10), ('SUBLANG_ARABIC_JORDAN', 11), ('SUBLANG_ARABIC_LEBANON', 12), ('SUBLANG_ARABIC_KUWAIT', 13), ('SUBLANG_ARABIC_UAE', 14), ('SUBLANG_ARABIC_BAHRAIN', 15), ('SUBLANG_ARABIC_QATAR', 16), ('SUBLANG_AZERI_LATIN', 1), ...]
subsystem_types = [('IMAGE_SUBSYSTEM_UNKNOWN', 0), ('IMAGE_SUBSYSTEM_NATIVE', 1), ('IMAGE_SUBSYSTEM_WINDOWS_GUI', 2), ('IMAGE_SUBSYSTEM_WINDOWS_CUI', 3), ('IMAGE_SUBSYSTEM_OS2_CUI', 5), ('IMAGE_SUBSYSTEM_POSIX_CUI', 7), ('IMAGE_SUBSYSTEM_XBOX', 14)]

 
Author
        Ero Carrera