I've noticed that many people often do PE-format-related development, such as parsing the PE file format and extracting its contents.
Typical uses include building static heuristic virus-detection models, classifying malware samples, packer identification and unpacking, and so on.
I searched and found that the forum has nothing on what I want to talk about, so I'd like to recommend the pefile Python library here.
It is an open-source project under the MIT license, so you can build further development on top of it.
Download address for the package: http://code.google.com/p/pefile/
I think there are a few points worth noting:
Without further ado, let me show you how to use it directly; once you've read this, you'll see how powerful pefile is.
1. Naturally, first install Python itself.
2. Download pefile, unpack it, and create a new file petest.py:
import os, string, shutil, re
import pefile  # remember to import pefile

PEfile_Path = r"C:\temp\test.exe"
pe = pefile.PE(PEfile_Path)   # parses the whole file: headers, sections, directories
print(PEfile_Path)
print(pe)                     # pefile's own textual dump of every parsed structure

Result of experiment 1
C:\temp\test.exe
----------DOS_HEADER----------
[IMAGE_DOS_HEADER]
e_magic: 0x5A4D
e_cblp: 0x90
e_cp: 0x3
e_crlc: 0x0
e_cparhdr: 0x4
e_minalloc: 0x0
e_maxalloc: 0xFFFF
e_ss: 0x0
e_sp: 0xB8
e_csum: 0x0
e_ip: 0x0
e_cs: 0x0
e_lfarlc: 0x40
e_ovno: 0x0
e_res:
e_oemid: 0x0
e_oeminfo: 0x0
e_res2:
e_lfanew: 0xD0
----------NT_HEADERS----------
[IMAGE_NT_HEADERS]
Signature: 0x4550
----------FILE_HEADER----------
[IMAGE_FILE_HEADER]
Machine: 0x14C
NumberOfSections: 0x2
TimeDateStamp: 0x46A8C07C [Thu Jul 26 15:40:44 2007 UTC]
PointerToSymbolTable: 0x0
NumberOfSymbols: 0x0
SizeOfOptionalHeader: 0xE0
Characteristics: 0x10F
Flags: IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED
----------OPTIONAL_HEADER----------
[IMAGE_OPTIONAL_HEADER]
Magic: 0x10B
MajorLinkerVersion: 0x6
MinorLinkerVersion: 0x0
SizeOfCode: 0x420
SizeOfInitializedData: 0x130
SizeOfUninitializedData: 0x0
AddressOfEntryPoint: 0x522
BaseOfCode: 0x220
BaseOfData: 0x640
ImageBase: 0x400000
SectionAlignment: 0x10
FileAlignment: 0x10
MajorOperatingSystemVersion: 0x4
MinorOperatingSystemVersion: 0x0
MajorImageVersion: 0x0
MinorImageVersion: 0x0
MajorSubsystemVersion: 0x4
MinorSubsystemVersion: 0x0
Reserved1: 0x0
SizeOfImage: 0x768
SizeOfHeaders: 0x420
CheckSum: 0x0
Subsystem: 0x2
DllCharacteristics: 0x0
SizeOfStackReserve: 0x100000
SizeOfStackCommit: 0x1000
SizeOfHeapReserve: 0x100000
SizeOfHeapCommit: 0x1000
LoaderFlags: 0x0
NumberOfRvaAndSizes: 0x10
DllCharacteristics:
----------PE Sections----------
[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0x418
Misc_PhysicalAddress: 0x418
Misc_VirtualSize: 0x418
VirtualAddress: 0x220
SizeOfRawData: 0x420
PointerToRawData: 0x420
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
Flags: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Entropy: 6.385628 (Min=0.0, Max=8.0)
MD5 hash: 37ae973124ba5655ce156536f4018759
SHA-1 hash: 6354d772105b66ac33fb8950b76a289edafa230f
SHA-256 hash: f6dfe337c6c6278e60a687552d8fc3be2a2ed41a4278713cfd0dc631296befdc
SHA-512 hash: 9d22cdd011d7276f47e3b1844804d58be2e73eef826ad285769d449f03dbfcde743303b31a9172e513be571432b7b2080afe571e5819ec7968acd76c0d82207a
[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0x128
Misc_PhysicalAddress: 0x128
Misc_VirtualSize: 0x128
VirtualAddress: 0x640
SizeOfRawData: 0x130
PointerToRawData: 0x840
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
Flags: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Entropy: 2.905524 (Min=0.0, Max=8.0)
MD5 hash: cfd4f1a98445485c616ea2ff9390278e
SHA-1 hash: 7480ffe5427a540e17353df9c490dbba86fd0c3b
SHA-256 hash: 93f9ad56e464614b6aa9521f2b80f3f7f2fd5e2b6d8d6fd6489a0b1cdb1f948e
SHA-512 hash: b054ba77825a4bb92d9beecb606d04f7a4bf4d16529d909e03e6b882175e23fb495c1c3dc9d921c3124210a6567bf68e70879d3163ece1a1cbb786f3ec94af43
----------Directories----------
[IMAGE_DIRECTORY_ENTRY_EXPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IMPORT]
VirtualAddress: 0x574
Size: 0x3C
[IMAGE_DIRECTORY_ENTRY_RESOURCE]
VirtualAddress: 0x640
Size: 0x128
[IMAGE_DIRECTORY_ENTRY_EXCEPTION]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_SECURITY]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BASERELOC]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_DEBUG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COPYRIGHT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_GLOBALPTR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_TLS]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_IAT]
VirtualAddress: 0x220
Size: 0x1C
[IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
VirtualAddress: 0x0
Size: 0x0
[IMAGE_DIRECTORY_ENTRY_RESERVED]
VirtualAddress: 0x0
Size: 0x0
----------Imported symbols----------
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x5B0
Characteristics: 0x5B0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x5E0
FirstThunk: 0x220
KERNEL32.dll.GetModuleHandleA Hint[294]
[IMAGE_IMPORT_DESCRIPTOR]
OriginalFirstThunk: 0x5B8
Characteristics: 0x5B8
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
ForwarderChain: 0x0
Name: 0x62C
FirstThunk: 0x228
USER32.dll.EndDialog Hint[185]
USER32.dll.GetDlgItemTextA Hint[260]
USER32.dll.DialogBoxParamA Hint[147]
USER32.dll.MessageBoxA Hint[446]
----------Resource directory----------
[IMAGE_RESOURCE_DIRECTORY]
Characteristics: 0x0
TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
MajorVersion: 0x0
MinorVersion: 0x0
NumberOfNamedEntries: 0x0
NumberOfIdEntries: 0x1
Id: [0x5] (RT_DIALOG)
[IMAGE_RESOURCE_DIRECTORY_ENTRY]
Name: 0x5
OffsetToData: 0x80000018
  [IMAGE_RESOURCE_DIRECTORY]
  Characteristics: 0x0
  TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
  MajorVersion: 0x0
  MinorVersion: 0x0
  NumberOfNamedEntries: 0x0
  NumberOfIdEntries: 0x1
  Id: [0x65]
  [IMAGE_RESOURCE_DIRECTORY_ENTRY]
  Name: 0x65
  OffsetToData: 0x80000030
    [IMAGE_RESOURCE_DIRECTORY]
    Characteristics: 0x0
    TimeDateStamp: 0x0 [Thu Jan 01 00:00:00 1970 UTC]
    MajorVersion: 0x0
    MinorVersion: 0x0
    NumberOfNamedEntries: 0x0
    NumberOfIdEntries: 0x1
    [IMAGE_RESOURCE_DIRECTORY_ENTRY]
    Name: 0x804
    OffsetToData: 0x48
    [IMAGE_RESOURCE_DATA_ENTRY]
    OffsetToData: 0x6A0
    Size: 0xC8
    CodePage: 0x0
    Reserved: 0x0
Experiment 1 only did a plain print, but you can see that pefile parses test.exe completely, from the DOS_HEADER through the OPTIONAL_HEADER to the PE sections. Every structure can be retrieved in full. Careful readers will also notice that it even computes hashes over each section (MD5, SHA-1, SHA-256 and SHA-512) and enumerates the imported and exported functions.
Of course you will ask: surely we don't just print everything and then parse and pattern-match the string to get the information we want? pefile is certainly not that naive; it provides many more interfaces. For example, to get the entry point:
Code:
print(hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint))
Experiment 2 code:
import os, string, shutil, re
import pefile  # remember to import pefile

PEfile_Path = r"C:\temp\test.exe"
pe = pefile.PE(PEfile_Path)
print(PEfile_Path)
for section in pe.sections:   # one SectionStructure per IMAGE_SECTION_HEADER
    print(section)

Result of experiment 2
C:\temp\test.exe
[IMAGE_SECTION_HEADER]
Name: .text
Misc: 0x418
Misc_PhysicalAddress: 0x418
Misc_VirtualSize: 0x418
VirtualAddress: 0x220
SizeOfRawData: 0x420
PointerToRawData: 0x420
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x60000020
[IMAGE_SECTION_HEADER]
Name: .rsrc
Misc: 0x128
Misc_PhysicalAddress: 0x128
Misc_VirtualSize: 0x128
VirtualAddress: 0x640
SizeOfRawData: 0x130
PointerToRawData: 0x840
PointerToRelocations: 0x0
PointerToLinenumbers: 0x0
NumberOfRelocations: 0x0
NumberOfLinenumbers: 0x0
Characteristics: 0x40000040
We can see that this file has 2 sections, .text and .rsrc, and the relevant section information is given. If you need one specific field of a particular section, such as Characteristics, you can use
print(hex(pe.sections[i].Characteristics))   # i is the zero-based section index
Experiment 3 code:
import os, string, shutil, re
import pefile  # remember to import pefile

PEfile_Path = r"C:\temp\test.exe"
pe = pefile.PE(PEfile_Path)
print(PEfile_Path)
# DIRECTORY_ENTRY_IMPORT only exists when the file actually has an import table
for importeddll in pe.DIRECTORY_ENTRY_IMPORT:
    print(importeddll.dll)          # or: print(pe.DIRECTORY_ENTRY_IMPORT[0].dll)
    for importedapi in importeddll.imports:
        print(importedapi.name)     # or: print(pe.DIRECTORY_ENTRY_IMPORT[0].imports[0].name)

Result of experiment 3
C:\temp\test.exe
KERNEL32.dll
GetModuleHandleA
USER32.dll
EndDialog
GetDlgItemTextA
DialogBoxParamA
MessageBoxA
Experiment 3 shows that test.exe imports kernel32.dll and user32.dll, pulling in 1 and 4 API functions from them respectively.
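To make clear what pefile is doing behind experiments 1 to 3, here is an added example written for this post (it is not pefile's own code and does not need pefile installed): a small standard-library parser that walks the same structures, the DOS header, IMAGE_FILE_HEADER, the PE32 optional header, the section table and the import directory, and computes per-section entropy and hashes the way pefile's dump shows them. The input is a constructed minimal PE image built in memory, not a real binary, and the function names (build_sample_pe, parse_pe, parse_imports, rva_to_offset, entropy) are this example's own. Field offsets follow the winnt.h structure layouts; unlike pefile, it handles only PE32 and only RVAs that fall inside a section.

```python
import hashlib
import math
import struct


def build_sample_pe():
    """Constructed sample input: a minimal PE32 with a .text section holding an
    import table (KERNEL32.dll, USER32.dll) and an all-zero .rsrc section."""
    TEXT_RVA, RSRC_RVA = 0x1000, 0x2000
    text = bytearray(0x200)
    # IMAGE_IMPORT_DESCRIPTOR x2 (OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk) + null terminator
    text[0x00:0x14] = struct.pack("<5I", TEXT_RVA + 0x40, 0, 0, TEXT_RVA + 0x80, TEXT_RVA + 0x60)
    text[0x14:0x28] = struct.pack("<5I", TEXT_RVA + 0x48, 0, 0, TEXT_RVA + 0x90, TEXT_RVA + 0x68)
    # import name tables (INT) at 0x40 / 0x48: null-terminated RVAs of hint/name entries
    text[0x40:0x48] = struct.pack("<2I", TEXT_RVA + 0xA0, 0)
    text[0x48:0x54] = struct.pack("<3I", TEXT_RVA + 0xB4, TEXT_RVA + 0xC4, 0)
    text[0x60:0x74] = text[0x40:0x54]            # IAT starts out as a copy of the INT
    text[0x80:0x8D] = b"KERNEL32.dll\0"
    text[0x90:0x9B] = b"USER32.dll\0"
    text[0xA0:0xB3] = struct.pack("<H", 294) + b"GetModuleHandleA\0"   # hint + name
    text[0xB4:0xC2] = struct.pack("<H", 446) + b"MessageBoxA\0"
    text[0xC4:0xD0] = struct.pack("<H", 185) + b"EndDialog\0"

    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)      # e_lfanew -> NT headers right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x46A8C07C, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    # Magic, linker ver, SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<HBB9I", opt, 0, 0x10B, 6, 0, 0x200, 0x100, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    struct.pack_into("<IIIHH", opt, 56, 0x3000, 0x200, 0, 2, 0)   # SizeOfImage, SizeOfHeaders, CheckSum, Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, TEXT_RVA, 0x3C)       # IMAGE_DIRECTORY_ENTRY_IMPORT (index 1)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, TEXT_RVA, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x100, RSRC_RVA, 0x100, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(0x200, b"\0") + bytes(text) + bytes(0x100)


def entropy(buf):
    """Shannon entropy in bits per byte (0.0 .. 8.0), as in pefile's section dump."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return sum(-(c / n) * math.log2(c / n) for c in counts if c)


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode()


def parse_imports(data, sections, import_rva):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries until the all-zero terminator."""
    imports = {}
    if import_rva == 0:
        return imports
    off = rva_to_offset(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:
            break
        dll = cstring(data, rva_to_offset(name_rva, sections))
        thunk = rva_to_offset(oft or ft, sections)   # prefer the INT; fall back to the IAT
        names = []
        while True:
            entry, = struct.unpack_from("<I", data, thunk)
            if entry == 0:
                break
            if entry & 0x80000000:                    # import by ordinal
                names.append("ordinal %d" % (entry & 0xFFFF))
            else:                                     # skip the 2-byte hint before the name
                names.append(cstring(data, rva_to_offset(entry, sections) + 2))
            thunk += 4
        imports[dll] = names
        off += 20
    return imports


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    import_rva, _ = struct.unpack_from("<II", data, opt + 96 + 8 * 1)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": flags,
                         "entropy": entropy(raw), "md5": hashlib.md5(raw).hexdigest(),
                         "sha256": hashlib.sha256(raw).hexdigest()})
        off += 40
    return {"machine": machine, "entry_point": entry, "image_base": image_base,
            "sections": sections, "imports": parse_imports(data, sections, import_rva)}


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("entry point: %#x" % info["entry_point"])
    for s in info["sections"]:
        print(s["name"], "%#x" % s["characteristics"], "entropy %.3f" % s["entropy"], s["md5"])
    for dll, names in info["imports"].items():
        print(dll, names)
```

The entropy figure is the one worth keeping an eye on for the packer-detection use case mentioned at the start: a code section whose entropy sits near 8.0 is compressed or encrypted rather than plain machine code, whereas the all-zero .rsrc here comes out at exactly 0.0.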
關(guān)于pefile的使用和他的強(qiáng)大功能想必大家也是有所體會(huì),他還有很多的其他功能,比如修改PE結(jié)構(gòu),另外導(dǎo)入PEiD的特征庫(kù)就可以支持查殼等等。大家可以試著用一下。
希望這個(gè)pefile和強(qiáng)大功能和python的簡(jiǎn)單易用能幫助到大家。