; gIGch@sldZdZdZdZdkZdkZdkZdkZdkZdk Z dk Z dk Z e e e e f\Z ZZZy1dkZei Z eiZeiZeiZWnkej o_ydkZeiZ Wnej onXydkZeiZWqej oqXnXeZdZdZdZdZdZd Zd Zd Zd Zd Z ddfddfddfddfddfddfddfddfddfd d!fd"d#fd$d%fd&d'fd(d)fd*d+fd,d-fgZ!e"gi#Z$e!D]Z%e$e%de%dfq[$e!Z&d.dfd/dfd0dfd1dfd2d fd3d4fd5d6fd7d8fd9d:fd;d<fd=d>fd?d@fdAdBfdCdDfdEdFfdGdHfgZ'e"gi#Z$e'D]Z%e$e%de%dfq[$e'Z(dId4fdJd6fdKd8fdLd:fdMd<fdNd@fdOdBfdPdHfdQdRfdSdRfdTdUfdVdWfdXdYfdZd[fd\d]fd^d_fd`dafdbdcfdddefdfdgfdhdifdjdkfdldmfdndofdpdqfdrdsfdtdufdvdwfdxdyfdzd{fd|d}fd~dfddfddfdd fg#Z)e"gi#Z$e)D]Z%e$e%de%dfq[[$e)Z*ddfddfddfddfddfddfddfddfddfdd!fdd#fg Z+e"gi#Z$e+D]Z%e$e%de%dfq[$e+Z,ddfddfddfddfddfddfdd!fdd#fdd%fdd'fdd)fdd+fg Z-e"gi#Z$e-D]Z%e$e%de%dfq[$e-Z.ddfddfddfddfddfddfdd<fddfddfddfddfddfddfddfddfddfddfddfddfddfgZ/e"gi#Z$e/D]Z%e$e%de%dfq[$e/Z0ddfddfddfddfddfddfddfddfdd!fdd!fdd#fdd%fg Z1e"gi#Z$e1D]Z%e$e%de%dfq^[$e1Z2ddfddfddfddfdd6fdd8fdd:fdd<fdd>fdd@fddBfddDfddHfg Z3e"gi#Z$e3D]Z%e$e%de%dfq[$e3Z4ddfddfddfddfddfddfddfddfdd!fdd#fdd%fdd'fdd+fdd fddfddfddfddfddfddfddfgZ5e"gi#Z$e5D]Z%e$e%de%dfq [$e5Z6ddfddfddfddfddfddfddfddfddfddfd d fd dfd dfd dfddfddfddfddfddfdd!fddfddfddfdd%fdd'fddfd d!fd"dfd#dfd$d%fd&d)fd'd(fd)d+fd*d-fd+d,fd-d fd.dfd/d0fd1d2fd3d4fd5d6fd7d8fd9d6fd:d;fd<d=fd>d?fd@dAfdBdCfdDdEfdFdGfdHdIfdJdKfdLdfdMdNfdOdfdPdfdQdRfdSdfdTdUfdVdWfdXdfdYdZfd[d\fd]d^fd_d#fd`dafdbdcfdddefdfdgfdhdifdjdkfdldmfdndofdpdqfdrd4fdsdtfdudvfdwdxfdydzfd{d|fd}dfd~dfddfddfddfddfddfddfddfddfddfddfddfddfg^Z7e"e7gi#Z$e7D]Z%e$e%de%dfq [$Z8ddfddfddfddfddfddfddfddfddfddfddfdd!fdd#fdd%fdd'fdd)fdd+fdd-fdd fddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfdd!fdd#fdd%fdd'fdd)fddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfdd!fdd#fdd%fdd'fdd)fdd+fdd-fdd fddfdd8fddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfddfggZ9e"e9gi#Z$e9D]Z%e$e%de%dfq[$Z:dfdYZ;de<fdYZ=dfdYZ>dfdYZ?de?fdYZ@d fd YZAd eAfd YZBd eAfdYZCdeAfdYZDdeAfdYZEdeAfdYZFdeAfdYZGdeAfdYZHdeAfdYZIdeAfdYZJdeAfdYZKdeAfd YZLd!eAfd"YZMd#eAfd$YZNd%fd&YZOdS('spefile, Portable Executable reader module All the PE file basic structures are available with their default names as attributes of the instance returned. Processed elements such as the import table are made available with lowercase names, to differentiate them from the upper case basic structure names. pefile has been tested against the limits of valid PE headers, that is, malware. Lots of packed malware attempt to abuse the format way beyond its standard use. To the best of my knowledge most of the abuses are handled gracefully. Copyright (c) 2005, 2006, 2007 Ero Carrera All rights reserved. For detailed copyright information see the file COPYING in the root of the distribution archive. s Ero Carreras1.2.8s ero@dkbza.orgNiMZiNEiLEiPEilli i sIMAGE_DIRECTORY_ENTRY_EXPORTisIMAGE_DIRECTORY_ENTRY_IMPORTisIMAGE_DIRECTORY_ENTRY_RESOURCEisIMAGE_DIRECTORY_ENTRY_EXCEPTIONisIMAGE_DIRECTORY_ENTRY_SECURITYisIMAGE_DIRECTORY_ENTRY_BASERELOCisIMAGE_DIRECTORY_ENTRY_DEBUGisIMAGE_DIRECTORY_ENTRY_COPYRIGHTisIMAGE_DIRECTORY_ENTRY_GLOBALPTRisIMAGE_DIRECTORY_ENTRY_TLSi s!IMAGE_DIRECTORY_ENTRY_LOAD_CONFIGi s"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORTi sIMAGE_DIRECTORY_ENTRY_IATi s"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORTi s$IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTORisIMAGE_DIRECTORY_ENTRY_RESERVEDisIMAGE_FILE_RELOCS_STRIPPEDsIMAGE_FILE_EXECUTABLE_IMAGEsIMAGE_FILE_LINE_NUMS_STRIPPEDsIMAGE_FILE_LOCAL_SYMS_STRIPPEDsIMAGE_FILE_AGGRESIVE_WS_TRIMsIMAGE_FILE_LARGE_ADDRESS_AWAREi sIMAGE_FILE_16BIT_MACHINEi@sIMAGE_FILE_BYTES_REVERSED_LOisIMAGE_FILE_32BIT_MACHINEisIMAGE_FILE_DEBUG_STRIPPEDis"IMAGE_FILE_REMOVABLE_RUN_FROM_SWAPisIMAGE_FILE_NET_RUN_FROM_SWAPisIMAGE_FILE_SYSTEMisIMAGE_FILE_DLLi sIMAGE_FILE_UP_SYSTEM_ONLYi@sIMAGE_FILE_BYTES_REVERSED_HIisIMAGE_SCN_CNT_CODEsIMAGE_SCN_CNT_INITIALIZED_DATAs IMAGE_SCN_CNT_UNINITIALIZED_DATAsIMAGE_SCN_LNK_OTHERsIMAGE_SCN_LNK_INFOsIMAGE_SCN_LNK_REMOVEsIMAGE_SCN_LNK_COMDATsIMAGE_SCN_MEM_FARDATAsIMAGE_SCN_MEM_PURGEABLEisIMAGE_SCN_MEM_16BITsIMAGE_SCN_MEM_LOCKEDisIMAGE_SCN_MEM_PRELOADisIMAGE_SCN_ALIGN_1BYTESisIMAGE_SCN_ALIGN_2BYTESi sIMAGE_SCN_ALIGN_4BYTESi0sIMAGE_SCN_ALIGN_8BYTESi@sIMAGE_SCN_ALIGN_16BYTESiPsIMAGE_SCN_ALIGN_32BYTESi`sIMAGE_SCN_ALIGN_64BYTESipsIMAGE_SCN_ALIGN_128BYTESisIMAGE_SCN_ALIGN_256BYTESisIMAGE_SCN_ALIGN_512BYTESisIMAGE_SCN_ALIGN_1024BYTESisIMAGE_SCN_ALIGN_2048BYTESisIMAGE_SCN_ALIGN_4096BYTESisIMAGE_SCN_ALIGN_8192BYTESisIMAGE_SCN_ALIGN_MASKisIMAGE_SCN_LNK_NRELOC_OVFLisIMAGE_SCN_MEM_DISCARDABLEisIMAGE_SCN_MEM_NOT_CACHEDisIMAGE_SCN_MEM_NOT_PAGEDisIMAGE_SCN_MEM_SHAREDisIMAGE_SCN_MEM_EXECUTEi sIMAGE_SCN_MEM_READi@sIMAGE_SCN_MEM_WRITEsIMAGE_DEBUG_TYPE_UNKNOWNsIMAGE_DEBUG_TYPE_COFFsIMAGE_DEBUG_TYPE_CODEVIEWsIMAGE_DEBUG_TYPE_FPOsIMAGE_DEBUG_TYPE_MISCsIMAGE_DEBUG_TYPE_EXCEPTIONsIMAGE_DEBUG_TYPE_FIXUPsIMAGE_DEBUG_TYPE_OMAP_TO_SRCsIMAGE_DEBUG_TYPE_OMAP_FROM_SRCsIMAGE_DEBUG_TYPE_BORLANDsIMAGE_DEBUG_TYPE_RESERVED10sIMAGE_SUBSYSTEM_UNKNOWNsIMAGE_SUBSYSTEM_NATIVEsIMAGE_SUBSYSTEM_WINDOWS_GUIsIMAGE_SUBSYSTEM_WINDOWS_CUIsIMAGE_SUBSYSTEM_OS2_CUIsIMAGE_SUBSYSTEM_POSIX_CUIsIMAGE_SUBSYSTEM_WINDOWS_CE_GUIsIMAGE_SUBSYSTEM_EFI_APPLICATIONs(IMAGE_SUBSYSTEM_EFI_BOOT_ SERVICE_DRIVERs#IMAGE_SUBSYSTEM_EFI_RUNTIME_ DRIVERsIMAGE_SUBSYSTEM_EFI_ROMsIMAGE_SUBSYSTEM_XBOXsIMAGE_FILE_MACHINE_UNKNOWNsIMAGE_FILE_MACHINE_AM33isIMAGE_FILE_MACHINE_AMD64idsIMAGE_FILE_MACHINE_ARMisIMAGE_FILE_MACHINE_EBCisIMAGE_FILE_MACHINE_I386iLsIMAGE_FILE_MACHINE_IA64sIMAGE_FILE_MACHINE_MR32iAsIMAGE_FILE_MACHINE_MIPS16ifsIMAGE_FILE_MACHINE_MIPSFPUifsIMAGE_FILE_MACHINE_MIPSFPU16ifsIMAGE_FILE_MACHINE_POWERPCisIMAGE_FILE_MACHINE_POWERPCFPisIMAGE_FILE_MACHINE_R4000ifsIMAGE_FILE_MACHINE_SH3isIMAGE_FILE_MACHINE_SH3DSPisIMAGE_FILE_MACHINE_SH4isIMAGE_FILE_MACHINE_SH5isIMAGE_FILE_MACHINE_THUMBisIMAGE_FILE_MACHINE_WCEMIPSV2iisIMAGE_REL_BASED_ABSOLUTEsIMAGE_REL_BASED_HIGHsIMAGE_REL_BASED_LOWsIMAGE_REL_BASED_HIGHLOWsIMAGE_REL_BASED_HIGHADJsIMAGE_REL_BASED_MIPS_JMPADDRsIMAGE_REL_BASED_SECTIONsIMAGE_REL_BASED_RELsIMAGE_REL_BASED_MIPS_JMPADDR16sIMAGE_REL_BASED_IA64_IMM64sIMAGE_REL_BASED_DIR64sIMAGE_REL_BASED_HIGH3ADJs)IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0001s)IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0002s)IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0004s)IMAGE_DLL_CHARACTERISTICS_RESERVED_0x0008s&IMAGE_DLL_CHARACTERISTICS_DYNAMIC_BASEs)IMAGE_DLL_CHARACTERISTICS_FORCE_INTEGRITYs#IMAGE_DLL_CHARACTERISTICS_NX_COMPATs&IMAGE_DLL_CHARACTERISTICS_NO_ISOLATIONs IMAGE_DLL_CHARACTERISTICS_NO_SEHs!IMAGE_DLL_CHARACTERISTICS_NO_BINDs)IMAGE_DLL_CHARACTERISTICS_RESERVED_0x1000s$IMAGE_DLL_CHARACTERISTICS_WDM_DRIVERs/IMAGE_DLL_CHARACTERISTICS_TERMINAL_SERVER_AWAREs RT_CURSORs RT_BITMAPsRT_ICONsRT_MENUs RT_DIALOGs RT_STRINGs RT_FONTDIRsRT_FONTsRT_ACCELERATORs RT_RCDATAsRT_MESSAGETABLEsRT_GROUP_CURSORs RT_GROUP_ICONs RT_VERSIONs RT_DLGINCLUDEis RT_PLUGPLAYisRT_VXDis RT_ANICURSORis RT_ANIICONisRT_HTMLis RT_MANIFESTis LANG_NEUTRALsLANG_INVARIANTisLANG_AFRIKAANSi6s LANG_ALBANIANis LANG_ARABICs LANG_ARMENIANi+s LANG_ASSAMESEiMs LANG_AZERIi,s LANG_BASQUEi-sLANG_BELARUSIANi#s LANG_BENGALIiEsLANG_BULGARIANs LANG_CATALANs LANG_CHINESEs LANG_CROATIANis LANG_CZECHs LANG_DANISHs LANG_DIVEHIies LANG_DUTCHs LANG_ENGLISHs LANG_ESTONIANi%s LANG_FAEROESEi8s LANG_FARSIi)s LANG_FINNISHs LANG_FRENCHs LANG_GALICIANiVs LANG_GEORGIANi7s LANG_GERMANs LANG_GREEKs LANG_GUJARATIiGs LANG_HEBREWs LANG_HINDIi9sLANG_HUNGARIANsLANG_ICELANDICsLANG_INDONESIANi!s LANG_ITALIANs LANG_JAPANESEs LANG_KANNADAiKs LANG_KASHMIRIi`s LANG_KAZAKi?s LANG_KONKANIiWs LANG_KOREANis LANG_KYRGYZs LANG_LATVIANi&sLANG_LITHUANIANi'sLANG_MACEDONIANi/s LANG_MALAYi>sLANG_MALAYALAMiLs LANG_MANIPURIiXs LANG_MARATHIiNsLANG_MONGOLIANiPs LANG_NEPALIiasLANG_NORWEGIANs LANG_ORIYAiHs LANG_POLISHsLANG_PORTUGUESEs LANG_PUNJABIiFs LANG_ROMANIANs LANG_RUSSIANis LANG_SANSKRITiOs LANG_SERBIANs LANG_SINDHIiYs LANG_SLOVAKisLANG_SLOVENIANi$s LANG_SPANISHs LANG_SWAHILIiAs LANG_SWEDISHis LANG_SYRIACiZs LANG_TAMILiIs LANG_TATARiDs LANG_TELUGUiJs LANG_THAIis LANG_TURKISHisLANG_UKRAINIANi"s LANG_URDUs LANG_UZBEKiCsLANG_VIETNAMESEi*s LANG_GAELICi<s LANG_MALTESEi:s LANG_MAORIi(sLANG_RHAETO_ROMANCEs LANG_SAAMIi;s LANG_SORBIANi.s LANG_SUTUi0s LANG_TSONGAi1s LANG_TSWANAi2s LANG_VENDAi3s LANG_XHOSAi4s LANG_ZULUi5sLANG_ESPERANTOis LANG_WALONis LANG_CORNISHis LANG_WELSHis LANG_BRETONisSUBLANG_NEUTRALsSUBLANG_DEFAULTsSUBLANG_SYS_DEFAULTsSUBLANG_ARABIC_SAUDI_ARABIAsSUBLANG_ARABIC_IRAQsSUBLANG_ARABIC_EGYPTsSUBLANG_ARABIC_LIBYAsSUBLANG_ARABIC_ALGERIAsSUBLANG_ARABIC_MOROCCOsSUBLANG_ARABIC_TUNISIAsSUBLANG_ARABIC_OMANsSUBLANG_ARABIC_YEMENsSUBLANG_ARABIC_SYRIAsSUBLANG_ARABIC_JORDANsSUBLANG_ARABIC_LEBANONsSUBLANG_ARABIC_KUWAITsSUBLANG_ARABIC_UAEsSUBLANG_ARABIC_BAHRAINsSUBLANG_ARABIC_QATARsSUBLANG_AZERI_LATINsSUBLANG_AZERI_CYRILLICsSUBLANG_CHINESE_TRADITIONALsSUBLANG_CHINESE_SIMPLIFIEDsSUBLANG_CHINESE_HONGKONGsSUBLANG_CHINESE_SINGAPOREsSUBLANG_CHINESE_MACAUs SUBLANG_DUTCHsSUBLANG_DUTCH_BELGIANsSUBLANG_ENGLISH_USsSUBLANG_ENGLISH_UKsSUBLANG_ENGLISH_AUSsSUBLANG_ENGLISH_CANsSUBLANG_ENGLISH_NZsSUBLANG_ENGLISH_EIREsSUBLANG_ENGLISH_SOUTH_AFRICAsSUBLANG_ENGLISH_JAMAICAsSUBLANG_ENGLISH_CARIBBEANsSUBLANG_ENGLISH_BELIZEsSUBLANG_ENGLISH_TRINIDADsSUBLANG_ENGLISH_ZIMBABWEsSUBLANG_ENGLISH_PHILIPPINESsSUBLANG_FRENCHsSUBLANG_FRENCH_BELGIANsSUBLANG_FRENCH_CANADIANsSUBLANG_FRENCH_SWISSsSUBLANG_FRENCH_LUXEMBOURGsSUBLANG_FRENCH_MONACOsSUBLANG_GERMANsSUBLANG_GERMAN_SWISSsSUBLANG_GERMAN_AUSTRIANsSUBLANG_GERMAN_LUXEMBOURGsSUBLANG_GERMAN_LIECHTENSTEINsSUBLANG_ITALIANsSUBLANG_ITALIAN_SWISSsSUBLANG_KASHMIRI_SASIAsSUBLANG_KASHMIRI_INDIAsSUBLANG_KOREANsSUBLANG_LITHUANIANsSUBLANG_MALAY_MALAYSIAsSUBLANG_MALAY_BRUNEI_DARUSSALAMsSUBLANG_NEPALI_INDIAsSUBLANG_NORWEGIAN_BOKMALsSUBLANG_NORWEGIAN_NYNORSKsSUBLANG_PORTUGUESEsSUBLANG_PORTUGUESE_BRAZILIANsSUBLANG_SERBIAN_LATINsSUBLANG_SERBIAN_CYRILLICsSUBLANG_SPANISHsSUBLANG_SPANISH_MEXICANsSUBLANG_SPANISH_MODERNsSUBLANG_SPANISH_GUATEMALAsSUBLANG_SPANISH_COSTA_RICAsSUBLANG_SPANISH_PANAMAs"SUBLANG_SPANISH_DOMINICAN_REPUBLICsSUBLANG_SPANISH_VENEZUELAsSUBLANG_SPANISH_COLOMBIAsSUBLANG_SPANISH_PERUsSUBLANG_SPANISH_ARGENTINAsSUBLANG_SPANISH_ECUADORsSUBLANG_SPANISH_CHILEsSUBLANG_SPANISH_URUGUAYsSUBLANG_SPANISH_PARAGUAYsSUBLANG_SPANISH_BOLIVIAsSUBLANG_SPANISH_EL_SALVADORsSUBLANG_SPANISH_HONDURASsSUBLANG_SPANISH_NICARAGUAsSUBLANG_SPANISH_PUERTO_RICOsSUBLANG_SWEDISHsSUBLANG_SWEDISH_FINLANDsSUBLANG_URDU_PAKISTANsSUBLANG_URDU_INDIAsSUBLANG_UZBEK_LATINsSUBLANG_UZBEK_CYRILLICsSUBLANG_DUTCH_SURINAMsSUBLANG_ROMANIANsSUBLANG_ROMANIAN_MOLDAVIAsSUBLANG_RUSSIANsSUBLANG_RUSSIAN_MOLDAVIAsSUBLANG_CROATIANsSUBLANG_LITHUANIAN_CLASSICsSUBLANG_GAELICsSUBLANG_GAELIC_SCOTTISHsSUBLANG_GAELIC_MANXs!UnicodeStringWrapperPostProcessorcBshtZdZdZdZdZdZdZdZdZ dZ d Z d Z RS( sThis class attemps to help the process of identifying strings that might be plain Unicode or Pascal. A list of strings will be wrapped on it with the hope the overlappings will help make the decission about their type.cCs||_||_t|_dS(N(spesselfsrva_ptrsNonesstring(sselfspesrva_ptr((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__init__s  cCs |iSdS(sGet the RVA of the string.N(sselfsrva_ptr(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_rvascCsVd}|io;digi}|iD]}|||q*~SndSdS(s6Return the escaped ASCII representation of the string.cCs*|tijo|Sndt|SdS(Ns\x%02x(scharsstrings printablesord(schar((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys convert_charssN(s convert_charsselfsstringsjoinsappends_[1]sc(sselfs convert_chars_[1]sc((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__str__s   ;cCs t}dS(s>Make this instance None, to express it's no known string type.N(sNonesself(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys invalidatescCs,|ii|idd|i|_dS(Nis max_length(sselfspesget_string_u_at_rvasrva_ptrs8_UnicodeStringWrapperPostProcessor__get_pascal_16_lengthsstring(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysrender_pascal_16 scCsA|i}|||iddjo||_tSntSdS(sThe next RVA is taken to be the one immediately following this one. Such RVA could indicate the natural end of the string and will be checked with the possible length contained in the first word. iN(sselfs8_UnicodeStringWrapperPostProcessor__get_pascal_16_lengthslengths next_rva_ptrsrva_ptrsTruesFalse(sselfs next_rva_ptrslength((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys ask_pascal_16s   cCs|i|iSdS(N(sselfs9_UnicodeStringWrapperPostProcessor__get_word_value_at_rvasrva_ptr(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__get_pascal_16_length$scCsky|ii|id}Wntj o }tSnXt|djotSnt i d|dSdS(Nis/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__get_word_value_at_rva)s cCs:|i|ddjo||i|_tSntSdS(sThe next RVA is taken to be the one immediately following this one. Such RVA could indicate the natural end of the string and will be checked to see if there's a Unicode NULL character there. iiN(sselfs9_UnicodeStringWrapperPostProcessor__get_word_value_at_rvas next_rva_ptrsrva_ptrslengthsTruesFalse(sselfs next_rva_ptr((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysask_unicode_16:s cCs|ii|i|_dS(sN(sselfspesget_string_u_at_rvasrva_ptrsstring(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysrender_unicode_16Hs( s__name__s __module__s__doc__s__init__sget_rvas__str__s invalidatesrender_pascal_16s ask_pascal_16s8_UnicodeStringWrapperPostProcessor__get_pascal_16_lengths9_UnicodeStringWrapperPostProcessor__get_word_value_at_rvasask_unicode_16srender_unicode_16(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys!UnicodeStringWrapperPostProcessors          s PEFormatErrorcBs tZdZdZdZRS(s"Generic PE format error exception.cCs ||_dS(N(svaluesself(sselfsvalue((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__init__QscCst|iSdS(N(sreprsselfsvalue(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__str__Ts(s__name__s __module__s__doc__s__init__s__str__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys PEFormatErrorNs  sDumpcBsVtZdZdZddZddZddZdZdZdZ RS( s1Convenience class for dumping the PE information.cCs d|_dS(Ns(sselfstext(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__init__[sicCs%x|D]}|i||qWdS(smAdds a list of lines. The list can be indented with the optional argument 'indent'. N(stxtslinesselfsadd_linesindent(sselfstxtsindentsline((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys add_lines_scCs|i|d|dS(sdAdds a line. The line can be indented with the optional argument 'indent'. s N(sselfsaddstxtsindent(sselfstxtsindent((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysadd_linehscCst|tolg}xP|D]H}y|it|Wqtj o}|it |qXqWdi |}n|i d||7_ dS(sAdds some text, no newline will be appended. The text can be indented with the optional argument 'indent'. ss N(s isinstancestxtsunicodessscsappendsstrsUnicodeEncodeErrorsesreprsjoinsselfstextsindent(sselfstxtsindentscssse((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysaddqscCs%|idd|ddddS(sAdds a header element.s-i s N(sselfsadd_linestxt(sselfstxt((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys add_headerscCs|id7_dS(sAdds a newline.s N(sselfstext(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys add_newlinescCs |iSdS(s"Get the text in its current state.N(sselfstext(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_texts( s__name__s __module__s__doc__s__init__s add_linessadd_linesadds add_headers add_newlinesget_text(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysDumpXs     s StructurecBsqtZdZeedZdZdZdZdZdZ dZ dZ d Z d d Z RS( sPrepare structure object to extract members from data. Format is a list containing definitions for the elements of the structure. cCsld|_g|_d|_|i|dt|_t|_ ||_ |o ||_ n|d|_ dS(Ns/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__init__s       cCs |iSdS(N(sselfs __format__(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__get_format__scCs |iSdS(N(sselfs__file_offset__(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_file_offsetscCs ||_dS(N(soffsetsselfs__file_offset__(sselfsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_file_offsetscCs |iSdS(s0Returns true is the unpacked data is all zeroes.N(sselfs _all_zeroes(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys all_zeroessc Csx|D]}d|jo|idd\}}|i|7_|id}g}x|D]~}||i jo[gi }|i D]} || t | q~}|i|} |dt| }n|i |q]W|i i |qqWti|i|_dS(Ns,is_(sformatselmssplitselm_typeselm_namesselfs __format__s elm_namessnamess__keys__sappends_[1]sxslens search_listscounts occ_countsstrsstructscalcsizes__format_length__( sselfsformatselms elm_namess search_listselm_names_[1]selm_typesnamess occ_countsx((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__set_format__s  4cCs |iSdS(sReturn size of the structure.N(sselfs__format_length__(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pyssizeofscCst||ijo||i }n't||ijotdn|itdt|jo t|_nt i |i ||_ xLt t|i D]5}x,|i|D]}t|||i |qWqWdS(Ns-Data length less than expected header length.i(slensdatasselfs__format_length__s PEFormatErrorscountschrsTrues _all_zeroessstructsunpacks __format__s__unpacked_data_elms__sxrangesis__keys__skeyssetattr(sselfsdatasiskey((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys __unpack__s" cCsg}xptt|iD]Y}xC|i|D]4}t||}|i|}||joPq0q0W|i |qWt i |i|SdS(N(s new_valuessxrangeslensselfs__unpacked_data_elms__sis__keys__skeysgetattrsnew_valsold_valsappendsstructspacks __format__(sselfsold_valsnew_valsis new_valuesskey((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__pack__s   icCs'g}|id|ix|iD]}x|D]}t||}t |t p t |t oud|}|djp |djoMy$|dt it i|7}Wqtij o}|d7}qXqn"ditdt|}|id |d |fq1Wq$W|Sd S( s1Returns a string representation of the structure.s[%s]s0x%-8Xs TimeDateStamps dwTimeStamps [%s UTC]s [INVALID TIME]scCs |djS(Ns(sc(sc((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysss%-30s %ss:N(sdumpsappendsselfsnames__keys__skeysskeysgetattrsvals isinstancesintslongsval_strstimesasctimesgmtimes exceptionss ValueErrorsesjoinsfiltersstr(sselfs indentationsval_strsesdumpsvalskeysskey((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysdump s$   $!#(s__name__s __module__s__doc__sNones__init__s__get_format__sget_file_offsetsset_file_offsets all_zeroess__set_format__ssizeofs __unpack__s__pack__sdump(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys Structures         sSectionStructurecBstZdZedZdZdZdZdZdZ dZ dZ d Z d Z d Zd Zd ZRS(s#Convenience section handling class.cCsC||i}|o||}nt|i}|i||!SdS(sGet data chunk from a section. Allows to query data from the section by passing the addresses where the PE file would be loaded by default. It is then possible to retrieve code and data by its real addresses as it would be if loaded. N(sstartsselfsVirtualAddresssoffsetslengthsendslensdata(sselfsstartslengthsendsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_data)s  cCs||i|iSdS(N(soffsetsselfsPointerToRawDatasVirtualAddress(sselfsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_rva_from_offset<scCs||i|iSdS(N(srvasselfsVirtualAddresssPointerToRawData(sselfsrva((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_offset_from_rva@scCs?|i otSn|i|jo|i|ijnSdS(s<Check whether the section contains the file offset provided.N(sselfsPointerToRawDatasFalsesoffsetsVirtualAddresss SizeOfRawData(sselfsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pyscontains_offsetDs cCsdt|i|ijo |i}nt|i|i}|i|jo|i|jnSdS(s8Check whether the section contains the address provided.N( slensselfsdatas SizeOfRawDatasMisc_VirtualSizessizesmaxsVirtualAddresssrva(sselfsrvassize((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys contains_rvaNs  cCs|i|SdS(N(sselfs contains_rvasrva(sselfsrva((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pyscontains^scCs ||_dS(s&Set the data belonging to the section.N(sdatasself(sselfsdata((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_datacscCs|i|iSdS(s1Calculate and return the entropy for the section.N(sselfs entropy_Hsdata(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys get_entropyiscCs(ttj ot|iiSndS(s/Get the SHA-1 hex-digest of the section's data.N(ssha1sNonesselfsdatas hexdigest(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys get_hash_sha1os cCs(ttj ot|iiSndS(s1Get the SHA-256 hex-digest of the section's data.N(ssha256sNonesselfsdatas hexdigest(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_hash_sha256vs cCs(ttj ot|iiSndS(s1Get the SHA-512 hex-digest of the section's data.N(ssha512sNonesselfsdatas hexdigest(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_hash_sha512}s cCs(ttj ot|iiSndS(s-Get the MD5 hex-digest of the section's data.N(smd5sNonesselfsdatas hexdigest(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys get_hash_md5s cCst|djodSntiddgd}x$|D]}|t|cd7/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys entropy_Hs"(s__name__s __module__s__doc__sNonesget_datasget_rva_from_offsetsget_offset_from_rvascontains_offsets contains_rvascontainssset_datas get_entropys get_hash_sha1sget_hash_sha256sget_hash_sha512s get_hash_md5s entropy_H(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysSectionStructure&s            s DataContainercBstZdZdZRS(sGeneric data container.cKs1x*|iD]\}}t|||q WdS(N(sargssitemsskeysvaluessetattrsself(sselfsargssvalueskey((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__init__s (s__name__s __module__s__doc__s__init__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys DataContainers sImportDescDatacBstZdZRS(sHolds import descriptor information. dll: name of the imported DLL imports: list of imported symbols (ImportData instances) struct: IMAGE_IMPORT_DESCRIPTOR sctruture (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysImportDescDatas s ImportDatacBstZdZRS(sHolds imported symbol's information. ordinal: Ordinal of the symbol name: Name of the symbol bound: If the symbol is bound, this contains the address. (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys ImportDatas s ExportDirDatacBstZdZRS(sHolds export directory information. struct: IMAGE_EXPORT_DIRECTORY structure symbols: list of exported symbols (ExportData instances) (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys ExportDirDatas s ExportDatacBstZdZRS(shHolds exported symbols' information. ordinal: ordinal of the symbol address: address of the symbol name: name of the symbol (None if the symbol is exported by ordinal only) forwarder: if the symbol is forwarded it will contain the name of the target symbol, None otherwise. (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys ExportDatas sResourceDirDatacBstZdZRS(sHolds resource directory information. struct: IMAGE_RESOURCE_DIRECTORY structure entries: list of entries (ResourceDirEntryData instances) (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysResourceDirDatas sResourceDirEntryDatacBstZdZRS(sHHolds resource directory entry data. struct: IMAGE_RESOURCE_DIRECTORY_ENTRY structure name: If the resource is identified by name this attribute will contain the name string. None otherwise. If identified by id, the id is availabe at 'struct.Id' id: the id, also in struct.Id directory: If this entry has a lower level directory this attribute will point to the ResourceDirData instance representing it. data: If this entry has no futher lower directories and points to the actual resource data, this attribute will reference the corresponding ResourceDataEntryData instance. (Either of the 'directory' or 'data' attribute will exist, but not both.) (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysResourceDirEntryDatas sResourceDataEntryDatacBstZdZRS(sHolds resource data entry information. struct: IMAGE_RESOURCE_DATA_ENTRY structure lang: Primary language ID sublang: Sublanguage ID (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysResourceDataEntryDatas s DebugDatacBstZdZRS(sRHolds debug information. struct: IMAGE_DEBUG_DIRECTORY structure (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys DebugDatas sBaseRelocationDatacBstZdZRS(sHolds base relocation information. struct: IMAGE_BASE_RELOCATION structure entries: list of relocation data (RelocationData instances) (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysBaseRelocationDatas sRelocationDatacBstZdZRS(sHolds relocation information. type: Type of relocation The type string is can be obtained by RELOCATION_TYPE[type] rva: RVA of the relocation (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysRelocationDatas sTlsDatacBstZdZRS(sNHolds TLS information. struct: IMAGE_TLS_DIRECTORY structure (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysTlsDatas sBoundImportDescDatacBstZdZRS(sHolds bound import descriptor data. This directory entry will provide with information on the DLLs this PE files has been bound to (if bound at all). The structure will contain the name and timestamp of the DLL at the time of binding so that the loader can know whether it differs from the one currently present in the system and must, therefore, re-bind the PE's imports. struct: IMAGE_BOUND_IMPORT_DESCRIPTOR structure name: DLL name entries: list of entries (BoundImportRefData instances) the entries will exist if this DLL has forwarded symbols. If so, the destination DLL will have an entry in this list. (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysBoundImportDescData s sBoundImportRefDatacBstZdZRS(sHolds bound import forwader reference data. Contains the same information as the bound descriptor but for forwarded DLLs, if any. struct: IMAGE_BOUND_FORWARDER_REF structure name: dll name (s__name__s __module__s__doc__(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysBoundImportRefDatas sPEcBstZdZddddddddd d d d d dddddddffZddddddddffZdddffZd d!d"d#d$d%d&d'd(d)d*d+d,d-d.d/d0d1d2d3d4d5d6d7d8d9d:d;d<d=d>ffZd?d!d"d#d$d%d&d'd(d@d+d,d-d.d/d0d1d2d3d4d5d6d7d8dAdBdCdDd=d>ffZdEdFffZdGdHdIddJdKdLdMdNdOdPf fZ dQdRdSdTdUdVdWdXdYffZ dZd[dd\d]d^ffZ d_dPdd`dad]dbdcdddedfdgf fZ dhdPdd`dadidjffZ dkd]dlffZdmdlddndoffZdpdqdrdsffZdtdFdudvdwdxdydzd{d|d}d~ddf fZddqdrdsffZddqdrdsffZddqdrdsffZddqdrdsffZddffZddffZddPdd`daddddKffZdddffZdddddddPffZdddddddPffZddddffZddddffZeeedZdZ dZ!dZ"dZ#dZ$edZ%dZ&dZ'dZ(dZ)dZ*dZ+dZ,dZ-dZ.deddZ/dZ0dZ1dZ2dZ3dZ4dZ5dZ6dZ7dZ8dedZ9edZ:dZ;dZ<dZ=dZ>dddZ?dZ@dZAdZBdZCedZDdZEdZFdZGdZHdZIdZJdZKdZLdZMdZNdZOdZPdZQdZRdZSdZTdZUdZVdZWdZXdZYdZZRS(s A Portable Executable representation. This class provides access to most of the information in a PE file. It expects to be supplied the name of the file to load or PE data to process and an optional argument 'fast_load' (False by default) which controls whether to load all the directories information, which can be quite time consuming. pe = pefile.PE('module.dll') pe = pefile.PE(name='module.dll') would load 'module.dll' and process it. If the data would be already available in a buffer the same could be achieved with: pe = pefile.PE(data=module_dll_data) The "fast_load" can be set to a default by setting its value in the module itself by means,for instance, of a "pefile.fast_load = True". That will make all the subsequent instances not to load the whole PE structure. The "full_load" method can be used to parse the missing data at a later stage. Basic headers information will be available in the attributes: DOS_HEADER NT_HEADERS FILE_HEADER OPTIONAL_HEADER All of them will contain among their attrbitues the members of the corresponding structures as defined in WINNT.H The raw data corresponding to the header (from the beginning of the file up to the start of the first section) will be avaiable in the instance's attribute 'header' as a string. The sections will be available as a list in the 'sections' attribute. Each entry will contain as attributes all the structure's members. Directory entries will be available as attributes (if they exist): (no other entries are processed at this point) DIRECTORY_ENTRY_IMPORT (list of ImportDescData instances) DIRECTORY_ENTRY_EXPORT (ExportDirData instance) DIRECTORY_ENTRY_RESOURCE (ResourceDirData instance) DIRECTORY_ENTRY_DEBUG (list of DebugData instances) DIRECTORY_ENTRY_BASERELOC (list of BaseRelocationData instances) DIRECTORY_ENTRY_TLS DIRECTORY_ENTRY_BOUND_IMPORT (list of BoundImportData instances) The following dictionary attributes provide ways of mapping different constants. They will accept the numeric value and return the string representation and the opposite, feed in the string and get the numeric constant: DIRECTORY_ENTRY IMAGE_CHARACTERISTICS SECTION_CHARACTERISTICS DEBUG_TYPE SUBSYSTEM_TYPE MACHINE_TYPE RELOCATION_TYPE RESOURCE_TYPE LANG SUBLANG sIMAGE_DOS_HEADERs H,e_magicsH,e_cblpsH,e_cpsH,e_crlcs H,e_cparhdrs H,e_minallocs H,e_maxallocsH,e_sssH,e_spsH,e_csumsH,e_ipsH,e_css H,e_lfarlcsH,e_ovnos8s,e_ress H,e_oemids H,e_oeminfos 20s,e_res2s L,e_lfanewsIMAGE_FILE_HEADERs H,MachinesH,NumberOfSectionssL,TimeDateStampsL,PointerToSymbolTablesL,NumberOfSymbolssH,SizeOfOptionalHeadersH,CharacteristicssIMAGE_DATA_DIRECTORYsL,VirtualAddresssL,SizesIMAGE_OPTIONAL_HEADERsH,MagicsB,MajorLinkerVersionsB,MinorLinkerVersions L,SizeOfCodesL,SizeOfInitializedDatasL,SizeOfUninitializedDatasL,AddressOfEntryPoints L,BaseOfCodes L,BaseOfDatas L,ImageBasesL,SectionAlignmentsL,FileAlignmentsH,MajorOperatingSystemVersionsH,MinorOperatingSystemVersionsH,MajorImageVersionsH,MinorImageVersionsH,MajorSubsystemVersionsH,MinorSubsystemVersions L,Reserved1s L,SizeOfImagesL,SizeOfHeaderss L,CheckSums H,SubsystemsH,DllCharacteristicssL,SizeOfStackReservesL,SizeOfStackCommitsL,SizeOfHeapReservesL,SizeOfHeapCommits L,LoaderFlagssL,NumberOfRvaAndSizessIMAGE_OPTIONAL_HEADER64s Q,ImageBasesQ,SizeOfStackReservesQ,SizeOfStackCommitsQ,SizeOfHeapReservesQ,SizeOfHeapCommitsIMAGE_NT_HEADERSs L,SignaturesIMAGE_SECTION_HEADERs8s,Names,L,Misc,Misc_PhysicalAddress,Misc_VirtualSizesL,SizeOfRawDatasL,PointerToRawDatasL,PointerToRelocationssL,PointerToLinenumberssH,NumberOfRelocationssH,NumberOfLinenumberssL,CharacteristicssIMAGE_DELAY_IMPORT_DESCRIPTORs L,grAttrssL,szNamesL,phmodsL,pIATsL,pINTs L,pBoundIATs L,pUnloadIATs L,dwTimeStampsIMAGE_IMPORT_DESCRIPTORs$L,OriginalFirstThunk,CharacteristicssL,ForwarderChainsL,Names L,FirstThunksIMAGE_EXPORT_DIRECTORYsH,MajorVersionsH,MinorVersionsL,BasesL,NumberOfFunctionssL,NumberOfNamessL,AddressOfFunctionssL,AddressOfNamessL,AddressOfNameOrdinalssIMAGE_RESOURCE_DIRECTORYsH,NumberOfNamedEntriessH,NumberOfIdEntriessIMAGE_RESOURCE_DIRECTORY_ENTRYsL,OffsetToDatasIMAGE_RESOURCE_DATA_ENTRYs L,CodePages L,ReservedsVS_VERSIONINFOsH,Lengths H,ValueLengthsH,TypesVS_FIXEDFILEINFOsL,StrucVersionsL,FileVersionMSsL,FileVersionLSsL,ProductVersionMSsL,ProductVersionLSsL,FileFlagsMasks L,FileFlagssL,FileOSs L,FileTypes L,FileSubtypes L,FileDateMSs L,FileDateLSsStringFileInfos StringTablesStringsVarsIMAGE_THUNK_DATAs0L,ForwarderString,Function,Ordinal,AddressOfDatas0Q,ForwarderString,Function,Ordinal,AddressOfDatasIMAGE_DEBUG_DIRECTORYsL,Types L,SizeOfDatasL,AddressOfRawDatasIMAGE_BASE_RELOCATIONs L,SizeOfBlocksIMAGE_TLS_DIRECTORYsL,StartAddressOfRawDatasL,EndAddressOfRawDatasL,AddressOfIndexsL,AddressOfCallBackssL,SizeOfZeroFillsQ,StartAddressOfRawDatasQ,EndAddressOfRawDatasQ,AddressOfIndexsQ,AddressOfCallBackssIMAGE_BOUND_IMPORT_DESCRIPTORsH,OffsetModuleNamesH,NumberOfModuleForwarderRefssIMAGE_BOUND_FORWARDER_REFs H,ReservedcCslg|_g|_t|_| o| odSng|_| ot d}n|i |||dS(Ns fast_load( sselfssectionss _PE__warningssNonesPE_TYPEsnamesdatas__structures__s fast_loadsglobalss __parse__(sselfsnamesdatas fast_load((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__init__s    cCs~t|d|}y|i|Wn@tj o4}|i i d|d|t |ft SnX|i i ||SdS(sApply structure format to raw data. Returns and unpacked structure object if successful, None otherwise. s file_offsets4Corrupt header "%s" at file offset %d. Exception: %siN(s Structuresformats file_offsets structures __unpack__sdatas PEFormatErrorserrsselfs _PE__warningssappendsstrsNones__structures__(sselfsformatsdatas file_offsetserrs structure((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__unpack_data__s' cCs|o,t|d} | i|_| in|o ||_n|i|i |idd|_ |i p|i i t jot dn|i it|ijot dn|i i} |i|i|i| d| |_|i p |ii ot dn|iitjot dn|i|i|i| dd| d|_|itd }|i ot d n|i|i|ii|| d|ii}||ii} |i|i |i|d||_!d }|i!t#jot|i||jo=d }|i|d |}|i|i |d||_!n|i!t#j o|i!i&t'jo t'|_(qX|i!i&t)jot)|_(|i|i*|i|d||_!d d}|i!t#jot|i||jo=d }|i|d |}|i|i*|d||_!qTqXn|i ot d n|i(t#jp |i!t#jot dn|it+d}|i|i!|i!i-|g|i!_.||i!i} |i|i_|i!|i_!|i!i0djo"|i1i2dd|i!i0nx(t3t4d|i!i0@D] }t|i| djoPnt|i| djo|i| d d}n|i| }|i|i6|d| }|t#joPnyt8||_9Wnt:t;fj oPnX| |i7} |i!i.i2|| ||i!iddjoPq`q`W|i<| } gi2}|i>D]'}|i@djo||i@qq~}t|djotB|} nt#} | p | | jo|i| |_Dn|i| |_D|iE|i!iFt#j oQ|iG|i!iF}|t|ijo"|i1i2dd|i!iFqn|i1i2dd|i!iF| o|iJndS(sParse a Portable Executable file. Loads a PE file, parsing all its structures and making them available through the instance's attributes. srbs file_offsetisDOS Header magic not found.s.Invalid e_lfanew value, probably not a PE filesNT Headers not found.sInvalid NT Headers signature.is IMAGE_FILE_sFile Header missingiEiss4No Optional Header found, invalid PE32 or PE32+ filesIMAGE_DLL_CHARACTERISTICS_is7Suspicious NumberOfRvaAndSizes in the Optional Header. s<Normal values are never larger than 0x10, the value is: 0x%xlisBPossibly corrupt file. AddressOfEntryPoint lies outside the file. sAddressOfEntryPoint: 0x%xs;AddressOfEntryPoint lies outside the sections' boundaries. N(Ksfnamesfilesfdsreadsselfs__data__sclosesdatas__unpack_data__s__IMAGE_DOS_HEADER_format__s DOS_HEADERse_magicsIMAGE_DOS_SIGNATUREs PEFormatErrorse_lfanewslensnt_headers_offsets__IMAGE_NT_HEADERS_format__s NT_HEADERSs SignaturesIMAGE_NT_SIGNATUREs__IMAGE_FILE_HEADER_format__s FILE_HEADERsretrieve_flagssIMAGE_CHARACTERISTICSs image_flagss set_flagssCharacteristicsssizeofsoptional_header_offsetsSizeOfOptionalHeaderssections_offsets __IMAGE_OPTIONAL_HEADER_format__sOPTIONAL_HEADERs&MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZEsNonespadding_lengths padded_datasMagicsOPTIONAL_HEADER_MAGIC_PEsPE_TYPEsOPTIONAL_HEADER_MAGIC_PE_PLUSs"__IMAGE_OPTIONAL_HEADER64_format__sDLL_CHARACTERISTICSsdll_characteristics_flagssDllCharacteristicssDATA_DIRECTORYsoffsetsNumberOfRvaAndSizess _PE__warningssappendsxrangesintsis__IMAGE_DATA_DIRECTORY_format__s dir_entrysDIRECTORY_ENTRYsnamesKeyErrorsAttributeErrorsparse_sectionss_[1]ssectionssssPointerToRawDatasrawDataPointerssminslowest_section_offsetsheadersget_section_by_rvasAddressOfEntryPointsget_offset_from_rvas ep_offsets fast_loadsparse_data_directories(sselfsfnamesdatas fast_loadsdll_characteristics_flagss_[1]soptional_header_offsets ep_offsets padded_dataslowest_section_offsetssections_offsetsnt_headers_offsetsfdsoffsetspadding_lengthsis image_flagssssrawDataPointerss dir_entrys&MINIMUM_VALID_OPTIONAL_HEADER_RAW_SIZE((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys __parse__(s          *      *      "     "  A&cCs |iSdS(sReturn the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method returns the full list. N(sselfs _PE__warnings(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys get_warnings2scCs!x|iD]}dG|GHq WdS(sPrint the list of warnings. Non-critical problems found when parsing the PE file are appended to a list of warnings. This method prints the full list to standard output. s>N(sselfs _PE__warningsswarning(sselfswarning((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys show_warnings=s cCs|idS(sProcess the data directories. This mathod will load the data directories which might not have been loaded if the "fast_load" option was used. N(sselfsparse_data_directories(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys full_loadIscCst|i}xF|iD];}t|i}|i}||||t |+qWdi |}|o*t|d}|i||in|SdS(sWrite the PE file. This function will process all headers and components of the PE file and include all changes made (by just assigning to attributes in the PE objects) and write the changes back to a file whose name is provided as an argument. The filename is optional. The data to be written to the file will be returned as a 'str' object. sswb+N(slistsselfs__data__s file_datas__structures__sstructs__pack__s struct_datasget_file_offsetsoffsetslensjoins new_file_datasfilenamesfilesfswritesclose(sselfsfilenamesstructsfs file_datas struct_datasoffsets new_file_data((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pyswriteSs    c Csg|_x<t|iiD](}t|i}| oPn||i |}|i ||i |i||ii||it|ijo|iid|dn|it|ijo|iid|dn|idjo|iid|dn|idjo|iid|dn|ii}|i}|i|iidjo(|iid|d d d d n||i}|i|i||!|itd }|i ||i!||i"i#dt$o|i"i#dt$o |iid|ddn|ii|qW|iidjo|io#||idi |iiSn|SdS(s8Fetch the PE file sections. The sections will be readily available in the "sections" attribute. Its attributes will contain all the section information plus "data" a buffer containing the section's data. The "Characteristics" member will be processed and attributes representing the section characteristics (with the 'IMAGE_SCN_' string trimmed from the constant's names) will be added to the section instance. Refer to the SectionStructure class for additional info. sError parsing section %d. s"SizeOfRawData is larger than file.s3PointerToRawData points beyond the end of the file.is+Suspicious value found parsing section %d. s(VirtualSize is extremely large > 256MiB.s$VirtualAddress is beyond 0x10000000.is;Suspicious value for FileAlignment in the Optional Header. s@Normally the PointerToRawData entry of the sections' structures s:is a multiple of FileAlignment, this might imply the file s7is trying to confuse tools which parse this incorrectlys IMAGE_SCN_sIMAGE_SCN_MEM_WRITEsIMAGE_SCN_MEM_EXECUTEs%Suspicious flags set for section %d. s;Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set.s(This might indicate a packed executable.N(%sselfssectionssxranges FILE_HEADERsNumberOfSectionssisSectionStructures__IMAGE_SECTION_HEADER_format__ssectionsoffsetssizeofssection_offsetsset_file_offsets __unpack__s__data__s__structures__sappends SizeOfRawDataslens _PE__warningssPointerToRawDatasMisc_VirtualSizesVirtualAddresssOPTIONAL_HEADERs FileAlignments alignmentssection_data_startssection_data_endsset_datasretrieve_flagssSECTION_CHARACTERISTICSs section_flagss set_flagssCharacteristicss__dict__sgetsFalse( sselfsoffsetsissection_offsetssection_data_ends section_flagsssections alignmentssection_data_start((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_sectionsqsB     ( , #cCsigi}|iD]J}t|dto|di|o||d|dfqq~SdS(sRead the flags from a dictionary and return them in a usable form. Will return a list of (flag, value) for all flags in "flag_dict" matching the filter "flag_filter". iiN( sappends_[1]s flag_dictsitemssfs isinstancesstrs startswiths flag_filter(sselfs flag_dicts flag_filtersfs_[1]((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysretrieve_flagsscCsPxI|D]A}|d|@ot||dtqt||dtqWdS(s!Will process the flags and set attributes in the object accordingly. The object "obj" will gain attritutes named after the flags provided in "flags" and valued True/False, matching the results of applyin each flag value from "flags" to flag_field. iiN(sflagssflags flag_fieldssetattrsobjsTruesFalse(sselfsobjs flag_fieldsflagssflag((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys set_flagss c Csd|ifd|ifd|ifd|ifd|ifd|ifd|ifd|iff}x|D]}y|i i t |d }Wntj oPnX|io@|d |i|i}|ot||d d |qqmqmWd S( s1Parse and process the PE file's data directories.sIMAGE_DIRECTORY_ENTRY_IMPORTsIMAGE_DIRECTORY_ENTRY_EXPORTsIMAGE_DIRECTORY_ENTRY_RESOURCEsIMAGE_DIRECTORY_ENTRY_DEBUGsIMAGE_DIRECTORY_ENTRY_BASERELOCsIMAGE_DIRECTORY_ENTRY_TLSs"IMAGE_DIRECTORY_ENTRY_DELAY_IMPORTs"IMAGE_DIRECTORY_ENTRY_BOUND_IMPORTiiiN(sselfsparse_import_directorysparse_export_directorysparse_resources_directorysparse_debug_directorysparse_relocations_directorysparse_directory_tlssparse_delay_import_directorysparse_directory_bound_importssdirectory_parsingsentrysOPTIONAL_HEADERsDATA_DIRECTORYsDIRECTORY_ENTRYs dir_entrys IndexErrorsVirtualAddresssSizesvaluessetattr(sselfsvalues dir_entrysentrysdirectory_parsing((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_data_directoriessf  c Cst|i}|i}|}g} xWt oO|i |i|i |||!d|}|t jo|i iddSn|ioPn||i7}g}xt|iD]}|i |i|i |||!d|}| otdn||i7}|itd|d|i||i|i qW| itd|d|i||i|i d|q*W| SdS(ss file_offsets7The Bound Imports directory exists but can't be parsed.Ns(IMAGE_BOUND_FORWARDER_REF cannot be readsstructsnamesentries(s Structuresselfs(__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__s bnd_descrssizeofsbnd_descr_sizesrvasstarts bound_importssTrues__unpack_data__s__data__sNones _PE__warningssappends all_zeroessforwarder_refssxrangesNumberOfModuleForwarderRefssidxs$__IMAGE_BOUND_FORWARDER_REF_format__s bnd_frwd_refs PEFormatErrorsBoundImportRefDatasget_string_from_datasOffsetModuleNamesBoundImportDescData( sselfsrvassizes bnd_frwd_refsforwarder_refssidxsbnd_descr_sizesstarts bnd_descrs bound_imports((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_directory_bound_importss>       'cCs|itjo |i}n|itjo |i}n|i||i|d|i |}| ot Snt d|SdS(ss file_offsetsstructN(sselfsPE_TYPEsOPTIONAL_HEADER_MAGIC_PEs__IMAGE_TLS_DIRECTORY_format__sformatsOPTIONAL_HEADER_MAGIC_PE_PLUSs __IMAGE_TLS_DIRECTORY64_format__s__unpack_data__sget_datasrvasget_offset_from_rvas tls_structsNonesTlsData(sselfsrvassizesformats tls_struct((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_directory_tls<s    cCst|i}|i}||}g}x||joy4|i |i|i ||d|i |}Wn1t j o%|iidd|t}nX| oPn|i|||i|i|}|itd|d||i oPn||i7}q.W|SdS(ss file_offsets+Invalid relocation information. Can't read sdata at RVA: 0x%xsstructsentriesN(s Structuresselfs __IMAGE_BASE_RELOCATION_format__srlcssizeofsrlc_sizesrvassizesends relocationss__unpack_data__sget_datasget_offset_from_rvas PEFormatErrors _PE__warningssappendsNonesparse_relocationssVirtualAddresss SizeOfBlocks reloc_entriessBaseRelocationData(sselfsrvassizesendsrlcs reloc_entriessrlc_sizes relocations((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_relocations_directoryPs.     #  c Cs|i||} g}x{tt| dD]c}t i d| |d|dd!d}|d?}|d@}|itd|d||q/W|Sd S( sis/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_relocations{s)  c Cst|i}|i}g}xt||D]}y|i ||||}Wn1t j o%}|iidd|tSnX|i|i|d|i|||}| otSn|itd|q2W|SdS(ss&Invalid debug information. Can't read sdata at RVA: 0x%xs file_offsetsstructN(s Structuresselfs __IMAGE_DEBUG_DIRECTORY_format__sdbgssizeofsdbg_sizesdebugsxrangessizesidxsget_datasrvasdatas PEFormatErrorses _PE__warningssappendsNones__unpack_data__sget_offset_from_rvas DebugData( sselfsrvassizesesidxsdbgsdebugsdbg_sizesdata((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_debug_directorys"    ic Cs|}|tjo |}n|i|}y|i|}Wn1t j o%}|i i dd|tSnX|i |i|d|i|} | tjo |i i dd|tSng}|| i7}| i| i}t}x}t|D]o}|i|} | tjo#|i i dd||fPnt}t}|| ijo | i}nb|| i}y t!||}|i |Wn1t j o%}|i i ddd|nX| i#ox||| i$joPn'|i%|| i$d |d |d } | oPn|i t(d | d |d|d| nw|i)|| i$} | oYt+d | d| id@d| id?d@} |i t(d | d |d|d| n|| i7}|djo| i-t.djowt/|djo|d}nt}y$|i2i3di2i3dii*}WnnX|tj o|i4|qoqqWgi }|D]}||i7q~}|i9x$t:|D]\}}|i;qWt<d | d|SdS(sParse the resources directory. Given the rva of the resources directory, it will process all its entries. The root will have the corresponding member of its structure, IMAGE_RESOURCE_DIRECTORY plus 'entries', a list of all the entries in the directory. Those entries will have, correspondingly, all the structure's members (IMAGE_RESOURCE_DIRECTORY_ENTRY) and an additional one, "directory", pointing to the IMAGE_RESOURCE_DIRECTORY structure representing upper layers of the tree. This one will also have an 'entries' attribute, pointing to the 3rd, and last, level. Another directory with more entries. Those last entries will have a new atribute (both 'leaf' or 'data_entry' can be used to access it). This structure finally points to the resource data. All the members of this structure, IMAGE_RESOURCE_DATA_ENTRY, are available as its attributes. s(Invalid resources directory. Can't read sdirectory data at RVA: 0x%xs file_offsets)Invalid resources directory. Can't parse s'Error parsing the resources directory, s!Entry %d is invalid, RVA = 0x%x. sattempting to read entry name. s(Can't read unicode string at offset 0x%xsbase_rvaslevelisstructsnamesids directoryslangissublangisdatais RT_VERSIONisentriesN(=srvas original_rvasbase_rvasNonesselfsget_section_by_rvasresources_sectionsget_datasdatas PEFormatErrorses _PE__warningssappends__unpack_data__s#__IMAGE_RESOURCE_DIRECTORY_format__sget_offset_from_rvas resource_dirs dir_entriesssizeofsNumberOfNamedEntriessNumberOfIdEntriessnumber_of_entriesslistsstrings_to_postprocesssxrangesidxsparse_resource_entrysress entry_namesentry_idsNames NameOffsets ustr_offsets!UnicodeStringWrapperPostProcessorsexcpsDataIsDirectorysOffsetToDirectorysparse_resources_directoryslevelsentry_directorysResourceDirEntryDatasparse_resource_data_entrysstructsResourceDataEntryDatas entry_datasIds RESOURCE_TYPEslens last_entrysrt_version_structs directorysentriessparse_version_informations_[1]sssget_rvas string_rvasssorts enumeratesrender_pascal_16sResourceDirData(sselfsrvassizesbase_rvaslevels string_rvassrt_version_structs last_entrys entry_namesentry_directorys resource_dirsstructsress entry_datasresources_sections ustr_offsetsexcpsstrings_to_postprocesss original_rvasnumber_of_entriessdatas dir_entriessesidxs_[1]sssentry_id((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_resources_directorys         !   !$ -   cCssy|i|}Wn1tj o%}|iidd|tSnX|i |i |d|i |}|SdS(s0Parse a data entry from the resources directory.s/Error parsing a resource directory data entry, sthe RVA is invalid: 0x%xs file_offsetN( sselfsget_datasrvasdatas PEFormatErrorsexcps _PE__warningssappendsNones__unpack_data__s$__IMAGE_RESOURCE_DATA_ENTRY_format__sget_offset_from_rvas data_entry(sselfsrvasexcps data_entrysdata((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_resource_data_entry]s cCs|i|i|i|d|i|}|tjotSn|id@|_ |id@|_ |id@|_ |i d@d?|_ |i d@|_|SdS(s5Parse a directory entry from the resources directory.s file_offsetlllliN(sselfs__unpack_data__s)__IMAGE_RESOURCE_DIRECTORY_ENTRY_format__sget_datasrvasget_offset_from_rvasresourcesNonesNames NameOffsets_PE__padsIds OffsetToDatasDataIsDirectorysOffsetToDirectory(sselfsrvasresource((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_resource_entryqs c CsH|i|i}|i|||i!}|i|i |d|} | t jodSn|i| i }y|i|} Wn7tj o+}|iiddd|t } nX| djo|iiddSn| |_| |i_|i| i dt| d |i}|i|i||d||}| odSn||_|i||i |i}|}t|_xt o|i|i!||d||}|t jo|iid t Sn|i|| i }y|i|}Wn2tj o&}|iidd d|PnX||_|ii||d jo|i$d jo |i%d jo[|i||i dt|d |i}t|_'xt o|i|i(||d||}| oPn|i||i }y|i|}Wn2tj o&}|iiddd|PnX||_+t,|_-|i'i||i||i dt|d |i} x| ||i/jo|i|i0|| d|| } | oPn|i| | i }y|i|}Wn2tj o&}|iiddd|PnX|idt|d | | i |i}|i|}y|i|d| i%}Wn2tj o&}|iiddd|PnX| i/d jo||i/} n|i| i/| |i} g}xI|D]A}t7|djo|idt7|q/|i|q/Wdi8|}t9|||||i-|||d||}| oPn|i||i }y|i|}Wn2tj o&}|iiddd|PnX| i=i||idt|d ||i |i}|}x}|||i%joh|iC|||d!d }|iC||d|d!d }|d7}h|d||f<|_Fq?W|i||i/|i}|||i/joPq_q_Wqn|i|i/||i}|i/d jp || i/joPqqWdS(sParse version information structure. The date will be made available in three attributes of the PE object. VS_VERSIONINFO will contain the first three fields of the main structure: 'Length', 'ValueLength', and 'Type' VS_FIXEDFILEINFO will hold the rest of the fields, accessible as sub-attributes: 'Signature', 'StrucVersion', 'FileVersionMS', 'FileVersionLS', 'ProductVersionMS', 'ProductVersionLS', 'FileFlagsMask', 'FileFlags', 'FileOS', 'FileType', 'FileSubtype', 'FileDateMS', 'FileDateLS' FileInfo is a list of all StringFileInfo and VarFileInfo structures. StringFileInfo structures will have a list as an attribute named 'StringTable' containing all the StringTable structures. Each of those structures contains a dictionary 'entries' with all the key/value version information string pairs. VarFileInfo structures will have a list as an attribute named 'Var' containing all Var structures. Each Var structure will have a dictionary as an attribute named 'entry' which will contain the name and value of the Var. s file_offsetNs'Error parsing the version information, s1attempting to read VS_VERSION_INFO string. Can't s"read unicode string at offset 0x%xuVS_VERSION_INFOsInvalid VS_VERSION_INFO blockiis/Error parsing StringFileInfo/VarFileInfo structs0attempting to read StringFileInfo string. Can't uStringFileInfois-attempting to read StringTable string. Can't s1attempting to read StringTable Key string. Can't s max_lengths-attempting to read StringTable Value string. s(Can't read unicode string at offset 0x%xis\x%02xsu VarFileInfos VarFileInfos+attempting to read VarFileInfo Var string. is 0x%04x 0x%04x(Gsselfsget_offset_from_rvasversion_structs OffsetToDatas start_offsets__data__sSizesraw_datas__unpack_data__s__VS_VERSIONINFO_format__sversioninfo_structsNonessizeofs ustr_offsetsget_string_u_at_rvasversioninfo_strings PEFormatErrorsexcps _PE__warningssappendsVS_VERSIONINFOsKeys dword_alignslensfixedfileinfo_offsets__VS_FIXEDFILEINFO_format__sfixedfileinfo_structsVS_FIXEDFILEINFOsstringfileinfo_offsetsoriginal_stringfileinfo_offsetslistsFileInfosTrues__StringFileInfo_format__sstringfileinfo_structsstringfileinfo_stringsTypes ValueLengthsstringtable_offsets StringTables__StringTable_format__sstringtable_structsstringtable_stringsLangIDsdictsentriess entry_offsetsLengths__String_format__s string_structskeys value_offsetsvalues key_as_charscsordsjoinssetattrsvarfileinfo_structsnames var_offsetsVars__Var_format__s var_structs var_stringsvarword_offsetsorig_varword_offsetsget_word_from_datasword1sword2sentry( sselfsversion_structsoriginal_stringfileinfo_offsets var_offsetsstringfileinfo_stringsword1sword2sorig_varword_offsetsstringtable_offsets string_structsversioninfo_strings entry_offsetsversioninfo_structsvarfileinfo_structs ustr_offsetsexcpsstringfileinfo_offsetsstringfileinfo_structs key_as_chars start_offsetskeys var_structscsraw_datas var_stringsvaluesvarword_offsetsfixedfileinfo_offsets value_offsetsstringtable_stringsfixedfileinfo_structsstringtable_struct((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_version_informations      !          %     % %       %   % ! !  c Csy1|i|i|i|d|i|}Wn+tj o|ii d|dSnX| odSnyX|i|i |i d} |i|i |i d}|i|i|id}Wn+tj o|ii d|dSnXg}xt|i D]} |i|i| | } |i|| } | dt|jo|i|| }ntS||jo|||jo|i|}nt}|i td|i | d|d| d|q Wgi }|D]}||i#q~}xt|iD]} | |i |j o||i|| }||jo|||jo|i|}nt}|i td|i | d|dtd|qqWt&d |d |SdS( sQParse the export directory. Given the rva of the export directory, it will process all its entries. The exports will be made available through a list "exports" containing a tuple with the following elements: (ordinal, symbol_address, symbol_name) And also through a dicionary "exports_by_ordinal" whose keys will be the ordinals and the values tuples of the from: (symbol_address, symbol_name) The symbol addresses are relative, not absolute. s file_offsets+Error parsing export directory at RVA: 0x%xNisordinalsaddresssnames forwardersstructssymbols('sselfs__unpack_data__s!__IMAGE_EXPORT_DIRECTORY_format__sget_datasrvasget_offset_from_rvas export_dirs PEFormatErrors _PE__warningssappendsAddressOfNamess NumberOfNamessaddress_of_namessAddressOfNameOrdinalssaddress_of_name_ordinalssAddressOfFunctionssNumberOfFunctionssaddress_of_functionssexportssxrangesisget_string_at_rvasget_dword_from_datas symbol_namesget_word_from_datassymbol_ordinalslenssymbol_addresssNonessizes forwarder_strs ExportDatasBases_[1]sexpsordinalsordinalssidxs ExportDirData(sselfsrvassizes forwarder_strssymbol_addresss export_dirsexportssaddress_of_name_ordinalssexpssymbol_ordinalsaddress_of_namess symbol_namesidxsisordinalss_[1]saddress_of_functions((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_export_directory s\   *   cCs&||7}|d|dd|SdS(Nii(soffsetsbase(sselfsoffsetsbase((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys dword_align: s c CsIg}x8to0y|i|}Wn*tj o}|ii d|PnX|i |i |d|i |}| p |ioPn||i7}y|i|i|it}Wn.tj o"}|ii dd|PnX| oq n|i|i}|o&|i td|d|d|q q W|SdS( s*Walk and parse the delay import directory.s5Error parsing the Delay import directory at RVA: 0x%xs file_offsets*Error parsing the Delay import directory. s Invalid import data at RVA: 0x%xsstructsimportssdllN(s import_descssTruesselfsget_datasrvasdatas PEFormatErrorses _PE__warningssappends__unpack_data__s(__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__sget_offset_from_rvas import_descs all_zeroesssizeofs parse_importsspINTspIATsNones import_datasget_string_at_rvasszNamesdllsImportDescData( sselfsrvassizeses import_descsdlls import_datas import_descssdata((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_delay_import_directory@ s:   c CsLg}x;to3y|i|} Wn*tj o}|ii d|PnX|i |i | d|i |}| p |ioPn||i7}y"|i|i|i|i}Wn.tj o"}|ii dd|PnX| oq n|i|i}|o&|i td|d|d|q q W|SdS( s$Walk and parse the import directory.s/Error parsing the Import directory at RVA: 0x%xs file_offsets$Error parsing the Import directory. s Invalid Import data at RVA: 0x%xsstructsimportssdllN(s import_descssTruesselfsget_datasrvasdatas PEFormatErrorses _PE__warningssappends__unpack_data__s"__IMAGE_IMPORT_DESCRIPTOR_format__sget_offset_from_rvas import_descs all_zeroesssizeofs parse_importssOriginalFirstThunks FirstThunksForwarderChains import_datasexcpsget_string_at_rvasNamesdllsImportDescData( sselfsrvassizesesexcps import_descsdlls import_datas import_descssdata((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysparse_import_directoryu s:  c Csg}|i|}| o tdn|i|}|i|} | o| otddn| o|o |}n| o| o | }n|o6t |ot | djpt |t | jo |}n=|o t |djo| o t | o | }nt Sxt t |D]} t }t } || io|itjo t}n|itjo t}n|| i|@o|| id@}t } qyI|i|| id} |i| d}|i|| id} Wqtj o } qXn||ii| d}| o|o|| i| | ijo| | i}nt }| djo |p| o,|i!t"d |d | d |d |q7q7W|Sd S(sParse the imported symbols. It will fill a list, which will be avalable as the dictionary attribute "imports". Its keys will be the DLL names and the values all the symbols imported from that object. sInvalid/corrupt imports.s"Invalid Import Table information. s%Both ILT and IAT appear to be broken.iiiissordinalsnamesboundsaddressN(#simported_symbolssselfsget_section_by_rvas first_thunksimports_sections PEFormatErrorsget_import_tablesoriginal_first_thunksiltsiatstableslensNonesxrangesidxsimp_ordsimp_names AddressOfDatasPE_TYPEsOPTIONAL_HEADER_MAGIC_PEsIMAGE_ORDINAL_FLAGs ordinal_flagsOPTIONAL_HEADER_MAGIC_PE_PLUSsIMAGE_ORDINAL_FLAG64sget_datasdatasget_word_from_datasget_string_at_rvasesOPTIONAL_HEADERs ImageBases imp_addresss imp_boundsappends ImportData(sselfsoriginal_first_thunks first_thunksforwarder_chains imp_addressstables imp_bounds ordinal_flagsimports_sectionsiatsdatasesidxsimp_namesimp_ordsiltsimported_symbols((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys parse_imports s\   @ .     )cCsg}xto|oy|i|}Wn1tj o%}|ii dd|t SnX|i t jo |i }n|i tjo |i}n|i||d|i|}| p |ioPn||i7}|i |q W|SdS(Ns Error parsing the import table. sInvalid data at RVA: 0x%xs file_offset(stablesTruesrvasselfsget_datasdatas PEFormatErrorses _PE__warningssappendsNonesPE_TYPEsOPTIONAL_HEADER_MAGIC_PEs__IMAGE_THUNK_DATA_format__sformatsOPTIONAL_HEADER_MAGIC_PE_PLUSs__IMAGE_THUNK_DATA64_format__s__unpack_data__sget_offset_from_rvas thunk_datas all_zeroesssizeof(sselfsrvasesdatasformats thunk_datastable((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_import_table s$   !icCs|i}x|iD]}|idjp |idjoqn|it|ijoqn|i t|ijoqn|i |joqn|i t|}|djo|d|7}n|djo|| }n||i7}qW|SdS(sReturns the data corresponding to the memory layout of the PE file. The data includes the PE header and the sections loaded at offsets corresponding to their relative virtual addresses. (the VirtualAddress section header member). Any offset in this data corresponds to the absolute memory address ImageBase+offset. The optional argument 'max_virtual_address' provides with means of limiting which section are processed. Any section with their VirtualAddress beyond this value will be skipped. Normally, sections with values beyond this range are just there to confuse tools. It's a common trick to see in packed executables. If the 'ImageBase' optional argument is supplied, the file's relocations will be applied to the image by calling the 'relocate_image()' method. isN( sselfsheadersdatassectionsssectionsMisc_VirtualSizes SizeOfRawDataslens__data__sPointerToRawDatasVirtualAddresssmax_virtual_addressspadding_length(sselfsmax_virtual_addresss ImageBasespadding_lengthsdatassection((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_memory_mapped_image s&     cCs{|i|}| oP|t|ijo-|o||}nt}|i||!Snt dn|i ||SdS(sGet data regardless of the section where it lies on. Given a rva and the size of the chunk to retrieve, this method will find the section where the data lies and return the data. s-data at RVA can't be fetched. Corrupt header?N( sselfsget_section_by_rvasrvassslensheaderslengthsendsNones PEFormatErrorsget_data(sselfsrvaslengthsendss((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_dataM s cCs<|i|}| otd|n|i|SdS(s/Get the rva corresponding to this file offset. s6specified offset (0x%x) doesn't belong to any section.N(sselfsget_section_by_offsetsoffsetsss PEFormatErrorsget_rva_from_offset(sselfsoffsetss((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_rva_from_offsetc s cCs5|i|}| o tdn|i|SdS(sGet the file offset corresponding to this rva. Given a rva , this method will find the section where the data lies and return the offset within the file. s-data at RVA can't be fetched. Corrupt header?N(sselfsget_section_by_rvasrvasss PEFormatErrorsget_offset_from_rva(sselfsrvass((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_offset_from_rvak s  cCsj|i|}| o5|t|ijo|i||iSntSn|i||i|i SdS(s1Get an ASCII string located at the given address.N( sselfsget_section_by_rvasrvassslensheadersget_string_from_datasNonesVirtualAddresssdata(sselfsrvass((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_string_at_rvaz scCst}y||}Wntj o dSnXd}xKt|o=||7}|d7}y||}Wq7tj oPq7Xq7W|SdS(s)Get an ASCII string from within the data.siN(sNonesbsdatasoffsets IndexErrorsssord(sselfsoffsetsdatasbss((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_string_from_data s      iicCsy|i|d}Wntj o }tSnXd}xt|D]v}y.t i d|i|d|dd}Wnt ij oPnXt|djoPn|t|7}qEW|SdS(s3Get an Unicode string located at the given address.ius/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_string_u_at_rva s   .cCsYgi}|iD]$}|i|o||qq~}|o |dSntSdS(s1Get the section containing the given file offset.iN(sappends_[1]sselfssectionsssscontains_offsetsoffsetsNone(sselfsoffsets_[1]ssssections((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_section_by_offset s > cCsYgi}|iD]$}|i|o||qq~}|o |dSntSdS(s-Get the section containing the given address.iN(sappends_[1]sselfssectionssss contains_rvasrvasNone(sselfsrvas_[1]ssssections((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_section_by_rva s > cCs|iSdS(N(sselfs dump_info(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys__str__ scCs|iGHdS(s=Print all the PE header information in a human readable from.N(sselfs dump_info(sself((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys print_info scCs |tjo t}n|i} | o9|idx)| D]}|i||i qAWn|id|i |i i|i |id|i |i i|i |id|i |i i|itd}|idg}x:|D]2}t|i |do|i|dqqW|idi||i t|d o |itj o'|id |i |iin|itd } |id g}x:| D]2}t|i|do|i|dqqW|idi||i |id |itd }xH|iD]=}|i |i|idg}x7|D]/}t||do|i|dqqW|idi||id|it tj o|id|i!nt"tj o|id|i#nt$tj o|id|i%nt&tj o|id|i'n|i qWWt|d ot|idoa|idxCt(t)|ii*D])}|ii*|}|i |iqW|i nt|do |id|i |i-i|i t|do$|i |i.i|i nt|dox|i/D]}|i |i|i t|dox|i1D]}gi}|iD]}||id|q~|id|i5|i x8|i6i7D]'} |id| dd| dqPWqW|i qt|dox||i9D]q}gi}|iD]}||id|q~|id|i0i;dd|i0i<dqW|i qqWq6nt|d o|id!|i |i=i>i|i |id"d#d$d%fxc|i=i?D]U}|id&|iA|iB|iCf|iDo|id'|iDq|i qW|i nt|d(o|id)x|iED]}|i |i>i|i xf|iGD][}|id*|iI|iCtJ|iAf|iKo|id+|iKq[|i q[W|i q+Wnt|d,o|id-x|iLD]}|i |i>i|id.|iC|i xK|i6D]@}|i |i>id/|id.|iCd/|i q7WqWnt|d0o|id1x|iOD]}|i |i>i|i xf|iGD][}|id*|iI|iCtJ|iAf|iKo|id+|iKq|i qW|i qWnt|d2o|id3|i |iPi>ix|iPi6D]}|iCtj o|id4|iCd5n3|id6|i>iRtSiT|i>iRd7fd5|i |i>id5t|d8o|i |i,i>id/x|i,i6D]}|iCtj o|id4|iCd9n|id:|i>iRd9|i |i>id9|i |i,i>id;xI|i,i6D];} |i | i>id<|i | iWi>id=q WqC Wn|i q W|i nt|d>o|iXo |iXi>o4|id?|i |iXi>i|i nt|d@o|idAx|iYD]r}|i |i>iy|idBt[|i>i\Wn*t]j o|idC|i>i\nX|i q Wnt|dDo|idEx|i^D]}|i |i>ixs|i6D]h} y,|idF| iatb| icdGfd/Wq| t]j o'|idH| ia| icfd/q| Xq| W|i qV Wn|idSdIS(Js>Dump all the PE header information into human readable string.sParsing Warningss DOS_HEADERs NT_HEADERSs FILE_HEADERs IMAGE_FILE_sFlags: is, sOPTIONAL_HEADERsIMAGE_DLL_CHARACTERISTICS_sDllCharacteristics: s PE Sectionss IMAGE_SCN_sEntropy: %f (Min=0.0, Max=8.0)sMD5 hash: %ssSHA-1 hash: %ssSHA-256 hash: %ssSHA-512 hash: %ssDATA_DIRECTORYs DirectoriessVS_VERSIONINFOsVersion InformationsVS_FIXEDFILEINFOsFileInfos StringTables s LangID: s s: isVarsDIRECTORY_ENTRY_EXPORTsExported symbolss%-10s %-10s %ssOrdinalsRVAsNames%-10d 0x%08Xh %ss forwarder: %ssDIRECTORY_ENTRY_IMPORTsImported symbolss %s.%s Ord[%s]s Bound: 0x%08XsDIRECTORY_ENTRY_BOUND_IMPORTs Bound importssDLL: %sisDIRECTORY_ENTRY_DELAY_IMPORTsDelay Imported symbolssDIRECTORY_ENTRY_RESOURCEsResource directorys Name: [%s]isId: [0x%X] (%s)s-s directoryis Id: [0x%X]ii i sDIRECTORY_ENTRY_TLSsTLSsDIRECTORY_ENTRY_DEBUGsDebug informationsType: sType: 0x%x(Unknown)sDIRECTORY_ENTRY_BASERELOCsBase relocationss%08Xh %sis0x%08X 0x%x(Unknown)N(esdumpsNonesDumpsselfs get_warningsswarningss add_headerswarningsadd_lines add_newlines add_liness DOS_HEADERs NT_HEADERSs FILE_HEADERsretrieve_flagssIMAGE_CHARACTERISTICSs image_flagssaddsflagssflagsgetattrsappendsjoinshasattrsOPTIONAL_HEADERsDLL_CHARACTERISTICSsdll_characteristics_flagssSECTION_CHARACTERISTICSs section_flagsssectionsssections get_entropysmd5s get_hash_md5ssha1s get_hash_sha1ssha256sget_hash_sha256ssha512sget_hash_sha512sxrangeslensDATA_DIRECTORYsidxs directorysVS_VERSIONINFOsVS_FIXEDFILEINFOsFileInfosentrys StringTablesst_entrys_[1]slinesLangIDsentriessitemss str_entrysVars var_entryskeyssvaluessDIRECTORY_ENTRY_EXPORTsstructssymbolssexportsordinalsaddresssnames forwardersDIRECTORY_ENTRY_IMPORTsmodulesimportsssymbolsdllsstrsboundsDIRECTORY_ENTRY_BOUND_IMPORTsbound_imp_descs bound_imp_refsDIRECTORY_ENTRY_DELAY_IMPORTsDIRECTORY_ENTRY_RESOURCEs resource_typesIds RESOURCE_TYPEsgets resource_ids resource_langsdatasDIRECTORY_ENTRY_TLSsDIRECTORY_ENTRY_DEBUGsdbgs DEBUG_TYPEsTypesKeyErrorsDIRECTORY_ENTRY_BASERELOCs base_relocsrelocsrvasRELOCATION_TYPEstypesget_text(sselfsdumps resource_idsmoduleswarningsexportsbound_imp_descs var_entrys_[1]sdll_characteristics_flagss resource_langs str_entrysrelocswarningsssymbols bound_imp_refsflagsdbgslines section_flagssidxsst_entrys image_flagssflagss directorysentryssections resource_types base_reloc((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys dump_info s                       #      8 ) 87   #     )         )   +  ('      ! cCs/y|i|SWntj o tSnXdS(s;Gets the physical address in the PE file from an RVA value.N(sselfsget_offset_from_rvasrvas ExceptionsNone(sselfsrva((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_physical_by_rva s cCstid|SdS(sNReturn a four byte string representing the double word value. (little endian).s/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_data_from_dword scCsN|ddt|jotSntid||d|dd!dSdS(s*Convert four bytes of data to a double word (little endian) 'offset' is assumed to index into a dword array. So setting it to N will return a dword out of the data sarting at offset N*4. Returns None if the data can't be turned into a double word. iis/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_dword_from_data scCs?y!|i|i|d dSWntj o tSnXdS(sReturn the double word value at the given RVA. Returns None if the value can't be read, i.e. the RVA can't be mapped to a file offset. iiN(sselfsget_dword_from_datasget_datasrvas PEFormatErrorsNone(sselfsrva((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_dword_at_rva s !cCsD|dt|ijotSn|i|i||d!dSdS(sFReturn the double word value at the given file offset. (little endian)iiN(soffsetslensselfs__data__sNonesget_dword_from_data(sselfsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_dword_from_offset scCs|i||i|SdS(sLSet the double word value at the file offset corresponding to the given RVA.N(sselfsset_bytes_at_rvasrvasget_data_from_dwordsdword(sselfsrvasdword((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_dword_at_rva scCs|i||i|SdS(s3Set the double word value at the given file offset.N(sselfsset_bytes_at_offsetsoffsetsget_data_from_dwordsdword(sselfsoffsetsdword((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_dword_at_offset scCstid|SdS(sFReturn a two byte string representing the word value. (little endian).s/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_data_from_word scCsN|ddt|jotSntid||d|dd!dSdS(sConvert two bytes of data to a word (little endian) 'offset' is assumed to index into a word array. So setting it to N will return a dword out of the data sarting at offset N*2. Returns None if the data can't be turned into a word. iis/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_word_from_data# scCs?y!|i|i|d dSWntj o tSnXdS(sReturn the word value at the given RVA. Returns None if the value can't be read, i.e. the RVA can't be mapped to a file offset. iiN(sselfsget_word_from_datasget_datasrvas PEFormatErrorsNone(sselfsrva((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_word_at_rva2 s !cCsD|dt|ijotSn|i|i||d!dSdS(s?Return the word value at the given file offset. (little endian)iiN(soffsetslensselfs__data__sNonesget_word_from_data(sselfsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_word_from_offset? scCs|i||i|SdS(sESet the word value at the file offset corresponding to the given RVA.N(sselfsset_bytes_at_rvasrvasget_data_from_wordsword(sselfsrvasword((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_word_at_rvaH scCs|i||i|SdS(s,Set the word value at the given file offset.N(sselfsset_bytes_at_offsetsoffsetsget_data_from_wordsword(sselfsoffsetsword((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_word_at_offsetM scCstid|SdS(sMReturn a eight byte string representing the quad-word value. (little endian).s/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_data_from_qwordV scCsN|ddt|jotSntid||d|dd!dSdS(sConvert eight bytes of data to a word (little endian) 'offset' is assumed to index into a word array. So setting it to N will return a dword out of the data sarting at offset N*8. Returns None if the data can't be turned into a quad word. iis/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_qword_from_data[ scCs?y!|i|i|d dSWntj o tSnXdS(sReturn the quad-word value at the given RVA. Returns None if the value can't be read, i.e. the RVA can't be mapped to a file offset. iiN(sselfsget_qword_from_datasget_datasrvas PEFormatErrorsNone(sselfsrva((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_qword_at_rvaj s !cCsD|dt|ijotSn|i|i||d!dSdS(sDReturn the quad-word value at the given file offset. (little endian)iiN(soffsetslensselfs__data__sNonesget_qword_from_data(sselfsoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysget_qword_from_offsetw scCs|i||i|SdS(sJSet the quad-word value at the file offset corresponding to the given RVA.N(sselfsset_bytes_at_rvasrvasget_data_from_qwordsqword(sselfsrvasqword((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_qword_at_rva scCs|i||i|SdS(s1Set the quad-word value at the given file offset.N(sselfsset_bytes_at_offsetsoffsetsget_data_from_qwordsqword(sselfsoffsetsqword((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_qword_at_offset scCs5|i|}| o tn|i||SdS(sOverwrite, with the given string, the bytes at the file offset corresponding to the given RVA. Return True if successful, False otherwise. It can fail if the offset is outside the file's boundaries. N(sselfsget_physical_by_rvasrvasoffsetsFalsesset_bytes_at_offsetsdata(sselfsrvasdatasoffset((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_bytes_at_rva s  cCst|t otdn|djo|t|ijo-|i| ||i|t||_ntSx:|i D]/}|i }||i }|i||!|_qWtSdS(sOverwrite the bytes at the given file offset with the given string. Return True if successful, False otherwise. It can fail if the offset is outside the file's boundaries. sdata should be of type: striN(s isinstancesdatasstrs TypeErrorsoffsetslensselfs__data__sFalsessectionsssectionsPointerToRawDatassection_data_starts SizeOfRawDatassection_data_endsTrue(sselfsoffsetsdatassection_data_endssectionssection_data_start((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysset_bytes_at_offset s#-   c Cs ||ii}x|iD]}|ii}|ii }d}x|t |ijo|i|}|d7}|itdjoqA|itdjo/|i|i|i|i|d?d@qA|itdjo+|i|i|i|i|d@qA|itdjo'|i|i|i|i|qA|itd jol|t |ijoPn|i|}|d7}|i|i|i|id>|i|d @d?qA|itd jo'|i|i|i|i|qAqAWqWd S( sRApply the relocation information to the image using the provided new image base. This method will apply the relocation information to the image. Given the new base, all the relocations will be processed and both the raw data and the section's data will be fixed accordingly. The resulting image can be retrieved as well through the method: get_memory_mapped_image() In order to get something that would more closely match what could be found in memory once the Windows loader finished its work. iisIMAGE_REL_BASED_ABSOLUTEsIMAGE_REL_BASED_HIGHiisIMAGE_REL_BASED_LOWsIMAGE_REL_BASED_HIGHLOWsIMAGE_REL_BASED_HIGHADJisIMAGE_REL_BASED_DIR64N(s new_ImageBasesselfsOPTIONAL_HEADERs ImageBasesrelocation_differencesDIRECTORY_ENTRY_BASERELOCsrelocsstructsVirtualAddresssvirtual_addresss SizeOfBlocks size_of_blocks entry_idxslensentriessentrystypesRELOCATION_TYPEsset_word_at_rvasrvasget_word_at_rvasset_dword_at_rvasget_dword_at_rvas next_entrysset_qword_at_rvasget_qword_at_rva( sselfs new_ImageBases entry_idxs next_entrysvirtual_addresssrelocsentrys size_of_blocksrelocation_difference((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysrelocate_image s@       #      . ([s__name__s __module__s__doc__s__IMAGE_DOS_HEADER_format__s__IMAGE_FILE_HEADER_format__s__IMAGE_DATA_DIRECTORY_format__s __IMAGE_OPTIONAL_HEADER_format__s"__IMAGE_OPTIONAL_HEADER64_format__s__IMAGE_NT_HEADERS_format__s__IMAGE_SECTION_HEADER_format__s(__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__s"__IMAGE_IMPORT_DESCRIPTOR_format__s!__IMAGE_EXPORT_DIRECTORY_format__s#__IMAGE_RESOURCE_DIRECTORY_format__s)__IMAGE_RESOURCE_DIRECTORY_ENTRY_format__s$__IMAGE_RESOURCE_DATA_ENTRY_format__s__VS_VERSIONINFO_format__s__VS_FIXEDFILEINFO_format__s__StringFileInfo_format__s__StringTable_format__s__String_format__s__Var_format__s__IMAGE_THUNK_DATA_format__s__IMAGE_THUNK_DATA64_format__s __IMAGE_DEBUG_DIRECTORY_format__s __IMAGE_BASE_RELOCATION_format__s__IMAGE_TLS_DIRECTORY_format__s __IMAGE_TLS_DIRECTORY64_format__s(__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__s$__IMAGE_BOUND_FORWARDER_REF_format__sNones__init__s__unpack_data__s __parse__s get_warningss show_warningss full_loadswritesparse_sectionssretrieve_flagss set_flagssparse_data_directoriessparse_directory_bound_importssparse_directory_tlssparse_relocations_directorysparse_relocationssparse_debug_directorysparse_resources_directorysparse_resource_data_entrysparse_resource_entrysparse_version_informationsparse_export_directorys dword_alignsparse_delay_import_directorysparse_import_directorys parse_importssget_import_tablesget_memory_mapped_imagesget_datasget_rva_from_offsetsget_offset_from_rvasget_string_at_rvasget_string_from_datasget_string_u_at_rvasget_section_by_offsetsget_section_by_rvas__str__s print_infos dump_infosget_physical_by_rvasget_data_from_dwordsget_dword_from_datasget_dword_at_rvasget_dword_from_offsetsset_dword_at_rvasset_dword_at_offsetsget_data_from_wordsget_word_from_datasget_word_at_rvasget_word_from_offsetsset_word_at_rvasset_word_at_offsetsget_data_from_qwordsget_qword_from_datasget_qword_at_rvasget_qword_from_offsetsset_qword_at_rvasset_qword_at_offsetsset_bytes_at_rvasset_bytes_at_offsetsrelocate_image(((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pysPE*s CE!fc*$-3$   [   :  +     G m  5 3 S 3                  (Ps__doc__s __author__s __version__s __contact__sossstructstimesmathsres exceptionssstringsarraysNonessha1ssha256ssha512smd5shashlibs ImportErrorsshasnewsFalses fast_loadsIMAGE_DOS_SIGNATUREsIMAGE_OS2_SIGNATUREsIMAGE_OS2_SIGNATURE_LEsIMAGE_VXD_SIGNATUREsIMAGE_NT_SIGNATUREs IMAGE_NUMBEROF_DIRECTORY_ENTRIESsIMAGE_ORDINAL_FLAGsIMAGE_ORDINAL_FLAG64sOPTIONAL_HEADER_MAGIC_PEsOPTIONAL_HEADER_MAGIC_PE_PLUSsdirectory_entry_typessdictsappends_[1]sesDIRECTORY_ENTRYsimage_characteristicssIMAGE_CHARACTERISTICSssection_characteristicssSECTION_CHARACTERISTICSs debug_typess DEBUG_TYPEssubsystem_typessSUBSYSTEM_TYPEs machine_typess MACHINE_TYPEsrelocation_typessRELOCATION_TYPEsdll_characteristicssDLL_CHARACTERISTICSs resource_types RESOURCE_TYPEslangsLANGssublangsSUBLANGs!UnicodeStringWrapperPostProcessors Exceptions PEFormatErrorsDumps StructuresSectionStructures DataContainersImportDescDatas ImportDatas ExportDirDatas ExportDatasResourceDirDatasResourceDirEntryDatasResourceDataEntryDatas DebugDatasBaseRelocationDatasRelocationDatasTlsDatasBoundImportDescDatasBoundImportRefDatasPE(HsIMAGE_VXD_SIGNATUREsIMAGE_ORDINAL_FLAG64sPEs ExportDatasSUBSYSTEM_TYPEsIMAGE_OS2_SIGNATUREsOPTIONAL_HEADER_MAGIC_PE_PLUSsIMAGE_NT_SIGNATUREsOPTIONAL_HEADER_MAGIC_PEsTlsDatasIMAGE_CHARACTERISTICSsResourceDataEntryDatasarrays StructuresLANGs machine_typessstructs DebugDatassection_characteristicssImportDescDatasSUBLANGsDLL_CHARACTERISTICSsresResourceDirEntryDatasDIRECTORY_ENTRYs DataContainerssha256ssha512smaths ImportDataslangsBoundImportDescDatasSectionStructuresstrings PEFormatErrors debug_typessBoundImportRefDatasDumps ExportDirDatasResourceDirDatas __author__ssubsystem_typessimage_characteristicss fast_loadsesRELOCATION_TYPEsrelocation_typess __version__smd5sIMAGE_ORDINAL_FLAGsdll_characteristicsshashlibssha1s!UnicodeStringWrapperPostProcessors RESOURCE_TYPEs IMAGE_NUMBEROF_DIRECTORY_ENTRIESsossdirectory_entry_typessRelocationDatasIMAGE_OS2_SIGNATURE_LEs_[1]sshasBaseRelocationDatasSECTION_CHARACTERISTICSs MACHINE_TYPEstimes exceptionss DEBUG_TYPEsIMAGE_DOS_SIGNATUREssublangs resource_types __contact__((s>/mnt/gmirror/ports/devel/py-pefile/work/pefile-1.2.8/pefile.pys?s                  ??B%?i ?r??r?{??W`?i?i ?z