1. Advisor
  2. pefile
  3. functions
  4. pefile.SUBSYSTEM_TYPE.get
View all pefile analysis

How to use the pefile.SUBSYSTEM_TYPE.get function in pefile

To help you get started, we’ve selected a few pefile examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github lmco / laikaboss / laikaboss / modules / meta_pe.py View on Github external
}
            scanObject.addMetadata(
                self.module_name, 'Machine Type', machineData)

            # Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339%28v=vs.85%29.aspx
            scanObject.addMetadata(
                self.module_name,
                'Image Magic',
                IMAGE_MAGIC_LOOKUP.get(pe.OPTIONAL_HEADER.Magic, 'Unknown'))

            dllChars = dump_dict.get('DllCharacteristics', [])
            scanObject.addMetadata(
                self.module_name, 'DLL Characteristics', dllChars)

            subsystem = pe.OPTIONAL_HEADER.Subsystem
            subName = pefile.SUBSYSTEM_TYPE.get(subsystem)
            scanObject.addMetadata(self.module_name, 'Subsystem', subName)

            # Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms648009%28v=vs.85%29.aspx

            scanObject.addMetadata(
                self.module_name,
                'Stack Reserve Size',
                pe.OPTIONAL_HEADER.SizeOfStackReserve)
            scanObject.addMetadata(
                self.module_name,
                'Stack Commit Size',
                pe.OPTIONAL_HEADER.SizeOfStackCommit)
            scanObject.addMetadata(
                self.module_name,
                'Heap Reserve Size',
                pe.OPTIONAL_HEADER.SizeOfHeapReserve)
github target / strelka / src / python / strelka / scanners / scan_pe.py View on Github external
'data': {
                    'initialized': pe.OPTIONAL_HEADER.SizeOfInitializedData,
                    'uninitialized': pe.OPTIONAL_HEADER.SizeOfUninitializedData,
                },
                'headers': pe.OPTIONAL_HEADER.SizeOfHeaders,
                'heap': {
                    'reserve': pe.OPTIONAL_HEADER.SizeOfHeapReserve,
                    'commit': pe.OPTIONAL_HEADER.SizeOfHeapCommit,
                },
                'image': pe.OPTIONAL_HEADER.SizeOfImage,
                'stack': {
                    'commit': pe.OPTIONAL_HEADER.SizeOfStackCommit,
                    'reserve': pe.OPTIONAL_HEADER.SizeOfStackReserve,
                },
            },
            'subsystem': pefile.SUBSYSTEM_TYPE.get(pe.OPTIONAL_HEADER.Subsystem).replace('IMAGE_SUBSYSTEM_', ''),
            'timestamp': pe.FILE_HEADER.TimeDateStamp,
            'version': {
                'image': float(f'{pe.OPTIONAL_HEADER.MajorImageVersion}.{pe.OPTIONAL_HEADER.MinorImageVersion}'),
                'linker': float(f'{pe.OPTIONAL_HEADER.MajorLinkerVersion}.{pe.OPTIONAL_HEADER.MinorLinkerVersion}'),
                'operating_system': float(f'{pe.OPTIONAL_HEADER.MajorOperatingSystemVersion}.{pe.OPTIONAL_HEADER.MinorOperatingSystemVersion}'),
                'subsystem': float(f'{pe.OPTIONAL_HEADER.MajorSubsystemVersion}.{pe.OPTIONAL_HEADER.MinorSubsystemVersion}'),
            },
        }

        if hasattr(pe.OPTIONAL_HEADER, 'BaseOfData'):
            self.event['header']['address']['data'] = pe.OPTIONAL_HEADER.BaseOfData

        for o in CHARACTERISTICS_DLL:
            if pe.OPTIONAL_HEADER.DllCharacteristics & o:
                self.event['header']['characteristics']['dll'].append(CHARACTERISTICS_DLL[o])
github target / strelka / server / scanners / scan_pe.py View on Github external
def scan(self, file_object, options):
        self.metadata["total"] = {"sections": 0}

        try:
            pe = pefile.PE(data=file_object.data)
            pe_dictionary = pe.dump_dict()

            self.metadata["total"]["sections"] = pe.FILE_HEADER.NumberOfSections
            self.metadata["warnings"] = pe.get_warnings()
            self.metadata["timestamp"] = datetime.utcfromtimestamp(pe.FILE_HEADER.TimeDateStamp).isoformat(timespec="seconds")
            machine = pe.FILE_HEADER.Machine
            self.metadata["machine"] = {"id": machine, "type": pefile.MACHINE_TYPE.get(machine)}
            # Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms680339%28v=vs.85%29.aspx
            self.metadata["imageMagic"] = IMAGE_MAGIC_LOOKUP.get(pe.OPTIONAL_HEADER.Magic, "Unknown")
            subsystem = pe.OPTIONAL_HEADER.Subsystem
            self.metadata["subsystem"] = pefile.SUBSYSTEM_TYPE.get(subsystem)
            self.metadata["stackReserveSize"] = pe.OPTIONAL_HEADER.SizeOfStackReserve
            self.metadata["stackCommitSize"] = pe.OPTIONAL_HEADER.SizeOfStackCommit
            self.metadata["heapReserveSize"] = pe.OPTIONAL_HEADER.SizeOfHeapReserve
            self.metadata["heapCommitSize"] = pe.OPTIONAL_HEADER.SizeOfHeapCommit
            self.metadata["entryPoint"] = pe.OPTIONAL_HEADER.AddressOfEntryPoint
            self.metadata["imageBase"] = pe.OPTIONAL_HEADER.ImageBase
            self.metadata["entryPoint"] = pe.OPTIONAL_HEADER.AddressOfEntryPoint
            self.metadata["entryPoint"] = pe.OPTIONAL_HEADER.AddressOfEntryPoint

            image_characteristics = pe_dictionary.get("Flags")
            if image_characteristics is not None:
                self.metadata["imageCharacteristics"] = image_characteristics
            dll_characteristics = pe_dictionary.get("DllCharacteristics")
            if dll_characteristics is not None:
                self.metadata["dllCharacteristics"] = dll_characteristics

pefile

Python PE parsing module

GitHub
MIT
Latest version published 2 months ago

Package Health Score

83 / 100
Full package analysis

Popular pefile functions

Similar packages