pefile, originally written by Ero Carrera, is a multi-platform Python module to parse and work with Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible as well as all sections' details and their data.
The structures defined in the Windows header files will be accessible as attributes in the PE instance. The naming of fields/attributes will try to adhere to the naming scheme in those headers. Only shortcuts added for convenience will depart from that convention.
pefile requires some basic understanding of the layout of a PE file. Armed with it it's possible to explore nearly every single feature of the file format.
Some of the tasks that pefile makes possible are:
- Inspecting headers
- Analysis of sections' data
- Retrieving embedded data
- Reading strings from the resources
- Warnings for suspicious and malformed values
- Support to write to some of the fields and to other parts of the PE, so it's possible to do some basic butchering of PEs. The functionality won't rearrange structures to make room for new ones, so use it with care. Overwriting fields should mostly be safe.
- Packer detection with PEiD’s signatures
- PEiD signature generation
Please, refer to Usage Examples for some code snippets showing how to use pefile.
A few examples of what a dump produced with pefile look like can be found here for a packed file, here for one of kernel32.dll and here for one of TinyPE.
In order to work with authenticated binaries, including Authenticode signatures, please check the project verify-sigs
pefile runs in several pipelines scanning hundreds of thousands of new PE files every day and, while not perfect, it has grown to be pretty robust over time. That being said small glitches are found every now and then. If you bump into a PE that does not appear to be processed correctly, do report it please! it will help make pefile a tiny bit more tough.
pefile is self-contained. It has no dependecies and it is endianness independent, it works on OS X, Windows, and Linux.
Prompted by the move to GitHub, the need to support Python 3 in addition to resoling a slew of pending issues (some having to do with the old versioning scheme), pefile has changed its version number scheme and from now on it will be using the release date as its version.
- MAEC MAEC is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. MAEC converts pefile's output into their XML format.
- Qiew Qiew - Hex/File format viewer.
- VirusTotal
- bbfreeze
- pyemu: download, whitepaper
- Offensive Computing
- Immunity Debugger 1.1
- PyInstaller
- Cuckoo
PDFs of posters depicting the PE file format:
- Portable Executable Format shows the full view of the headers and structures defined by the Portable Executable format
- Portable Executable Format. A File Walkthrough Shows a walkthrough over the raw view of an executable file with the PE format fields laid out over the corresponding areas
The following links provide detailed information about the PE format and its structures.
- corkami's wiki page about the PE format has grown to be one of the most in-depth repositories of information about the PE format
- corkami's treasure trove of PE weirdness
- An In-Depth Look into the Win32 Portable Executable File Format
- An In-Depth Look into the Win32 Portable Executable File Format, Part 2
- The Portable Executable File Format
- Get icons from Exe or DLL the PE way
- Solar Eclipse's Tiny PE page at "http://www.phreedom.org/solar/code/tinype/" is no longer available, corkami has a copy of TinyPE here
macho_parser
originally written by Tzung-Bi Shih
(penvirus@gmail.com) is a simple macho parser.
Simple example:
def test_dump_info(fn, segs = True, secs = True):
with MachO(fn) as m:
if segs:
print()
print("Dumping segments:")
print("-----------------")
for x in m.get_segments():
print(m.as_string(x.segname))
if secs:
print()
print("Dumping sections:")
print("-----------------")
for x in m.get_sections():
print("Segment: %30s Section: %30s" % (
m.as_string(x.segname), m.as_string(x.sectname)))