PE wrapper
- class malduck.pe.PE(data: ProcessMemory | bytes, fast_load: bool = False)
Wrapper around pefile.PE, accepts either bytes (raw file contents) or ProcessMemory instance.
- directory(name: str) -> Any
Get pefile directory entry by identifier
- Parameters:
name – shortened pefile directory entry identifier (e.g. "IMPORT" for "IMAGE_DIRECTORY_ENTRY_IMPORT")
- Return type:
pefile.Structure
- property dos_header: Any
DOS header
- property file_header: Any
File header
- property headers_size: int
Estimated size of PE headers (first section offset). If there are no sections, returns 0x1000, or the size of the input if the provided data is shorter than a single page.
- property is32bit: Any
Is it a 32-bit file (PE)?
- property is64bit: Any
Is it a 64-bit file (PE+)?
- property nt_headers: Any
NT headers
- property optional_header: Any
Optional header
- resource(name: int | str | bytes) -> bytes | None
Retrieves single resource by specified name or type
- Parameters:
name (int or str or bytes) – String name (e2) or type (e1), numeric identifier name (e2) or RT_* type (e1)
- Return type:
bytes or None
- resources(name: int | str | bytes) -> Iterator[bytes]
Finds resource objects by specified name or type
- Parameters:
name (int or str or bytes) – String name (e2) or type (e1), numeric identifier name (e2) or RT_* type (e1)
- Return type:
Iterator[bytes]
- section(name: str | bytes) -> Any
Get section by name
- Parameters:
name (str or bytes) – Section name
- property sections: list
Sections
- structure(rva: int, format: Any) -> Any
Get internal pefile Structure from specified rva
- Parameters:
rva – Relative virtual address of structure
format – pefile.Structure format (e.g. pefile.PE.__IMAGE_LOAD_CONFIG_DIRECTORY64_format__)
- Return type:
pefile.Structure
- validate_import_names() -> bool
Returns True if the first 8 imported library entries have valid library names
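
What is32bit, is64bit and headers_size read from the raw headers, shown as an added standard-library illustration (not malduck's or pefile's own code). parse_headers and build_sample are hypothetical names, the sample bytes are constructed, and "first section" is assumed to mean the first section-table entry.

```python
import struct

PAGE, MAGIC_PE32, MAGIC_PE32_PLUS = 0x1000, 0x10B, 0x20B

def parse_headers(data: bytes) -> dict:
    """Bitness and estimated header size of a PE image (file or memory dump)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    # Section table follows the optional header: 40-byte entries,
    # PointerToRawData at offset 20 of each entry.
    raw_ptrs = []
    for i in range(nsections):
        entry = opt_off + opt_size + i * 40
        if entry + 40 > len(data):
            break  # truncated table, as seen in partial dumps
        raw_ptrs.append(struct.unpack_from("<I", data, entry + 20)[0])
    # Assumption: "first section" is the first table entry.
    size = raw_ptrs[0] if raw_ptrs else min(len(data), PAGE)
    return {"is32bit": magic == MAGIC_PE32, "is64bit": magic == MAGIC_PE32_PLUS,
            "headers_size": size}

def build_sample(magic: int, sections: list) -> bytes:
    """Constructed header-only blob for the demo; not a loadable executable."""
    is32 = magic == MAGIC_PE32
    opt_size = 0xE0 if is32 else 0xF0
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C if is32 else 0x8664,
                           len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", magic).ljust(opt_size, b"\0")
    table = b"".join(
        struct.pack("<8sIIII16x", name, 0x1000, 0x1000 * (i + 1), 0x200, raw)
        for i, (name, raw) in enumerate(sections))
    return dos + b"PE\0\0" + file_hdr + opt + table

if __name__ == "__main__":
    print(parse_headers(build_sample(MAGIC_PE32, [(b".text", 0x400), (b".data", 0x600)])))
    print(parse_headers(build_sample(MAGIC_PE32_PLUS, [])))
```

The second call exercises the no-sections fallback: the constructed blob is shorter than one page, so the estimate is the input length rather than 0x1000.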