crackinglandia / pype32
Yet another Python library to read and write PE/PE+ files.
License: BSD 3-Clause "New" or "Revised" License
There are some malware samples that use #- instead of #~ and still operate correctly.
pype32 can not handle these files.
>>> pe = pype32.PE('Lum_1.exe')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 126, in __init__
    self._internalParse(rd)
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 493, in _internalParse
    self._parseDirectories(self.ntHeaders.optionalHeader.dataDirectory, self.PE_TYPE)
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 938, in _parseDirectories
    dataDirectoryInstance[directory[0]].info = directory[1](dir.rva.value, dir.size.value, magic)
  File "C:\Python27\lib\site-packages\pype32\pype32.py", line 1429, in _parseNetDirectory
    for i in netDirectoryClass.netMetaDataStreams["#~"].info.tables["ManifestResource"]:
KeyError: '#~'
>>>
WARNING LIVE MALWARE
Have provided a sample for Testing FileName 'Lum_1.exe'
http://repo.doesntexist.com/public.php?service=files&t=1bf02f3de6eae2762f9c8304fc0af29f
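The failure above comes from looking up the metadata tables stream by one hard-coded name. ECMA-335 allows the tables stream to be called either "#~" (compressed) or "#-" (uncompressed), and both are valid; a parser that only knows "#~" raises KeyError on the second form. The following is an added example, not pype32 code, of reading the CLR metadata root and locating the tables stream under either name. The metadata layout (BSJB signature, version string, stream headers) follows ECMA-335 II.24.2; build_metadata_root is a constructed test fixture that emits a minimal root with empty streams, and all names here are this example's own.

```python
import struct

METADATA_SIGNATURE = 0x424A5342        # "BSJB", ECMA-335 II.24.2.1
TABLES_STREAM_NAMES = ("#~", "#-")     # compressed and uncompressed tables streams


def parse_metadata_streams(blob):
    """Parse a CLR metadata root; return {stream_name: (offset, size)} with offsets relative to the root."""
    if len(blob) < 16:
        raise ValueError("metadata root truncated")
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", blob, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("bad metadata signature 0x%08X" % sig)
    pos = (16 + ver_len + 3) & ~3      # version string, padded to a 4-byte boundary
    if pos + 4 > len(blob):
        raise ValueError("metadata root truncated before stream count")
    _flags, nstreams = struct.unpack_from("<HH", blob, pos)
    pos += 4
    streams = {}
    for _ in range(nstreams):
        if pos + 8 > len(blob):
            raise ValueError("stream header truncated")
        off, size = struct.unpack_from("<II", blob, pos)
        pos += 8
        end = blob.find(b"\x00", pos)
        if end == -1:
            raise ValueError("unterminated stream name")
        name = blob[pos:end].decode("ascii")
        pos = (end + 1 + 3) & ~3       # name is NUL-terminated and padded to 4 bytes
        if off + size > len(blob):
            raise ValueError("stream %s lies outside the metadata root" % name)
        streams[name] = (off, size)
    return streams


def find_tables_stream(streams):
    """Return (name, (offset, size)) of the tables stream, accepting both #~ and #-."""
    for name in TABLES_STREAM_NAMES:
        if name in streams:
            return name, streams[name]
    raise KeyError("no metadata tables stream (#~ or #-) present")


def build_metadata_root(stream_names, version=b"v4.0.30319"):
    """Constructed fixture: a minimal metadata root whose streams are 16 zero bytes each."""
    ver = version + b"\x00"
    ver += b"\x00" * ((-len(ver)) % 4)
    header = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    header += struct.pack("<HH", 0, len(stream_names))
    names = []
    for name in stream_names:
        n = name.encode("ascii") + b"\x00"
        names.append(n + b"\x00" * ((-len(n)) % 4))
    headers_len = len(header) + sum(8 + len(n) for n in names)
    out, body = header, b""
    for n in names:
        data = b"\x00" * 16
        out += struct.pack("<II", headers_len + len(body), len(data)) + n
        body += data
    return out + body


if __name__ == "__main__":
    root = build_metadata_root(["#-", "#Strings", "#US", "#GUID", "#Blob"])
    print(find_tables_stream(parse_metadata_streams(root)))
```

A parser written this way treats the stream name as data to be read from the header rather than a constant to be assumed, so a sample that uses "#-" parses the same as one that uses "#~".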
There are no tests. I'd recommend looking into a corpus of PE files and using Travis CI, Shippable, or Circle Ci to ensure that all of the files parse correctly. In particular, it's probably worth getting some really old (16-bit) and really new (Windows 10), and relatively uncommon (Windows on ARM) files to make sure that everything parses.
Currently, pype32 only supports the Python 2.x branch. It would be useful to support the branch 3.x as well.
When parsing these files, pype32 adds extra data to the #strings structure.
At least, _parseExportDirectory, needs some refactoring. When loading certain files, the loading process is too slow.
This issue happens with a PE file dumped from memory that will not run because the import directory (and probably other fields) is invalid.
The import directory contains an RVA that is outside the file. When pype32 tries to read the string at that RVA, it enters an infinite loop in the function readStringAtRva:
    d = self.getDataAtRva(rva, 1)
    resultStr = datatypes.String("")
    while d != "\x00":
        resultStr.value += d
        rva += 1
        d = self.getDataAtRva(rva, 1)  # highlighted in the report: returns "" once rva is outside the file
    return resultStr
The variable 'rva' is increased infinitely, and self.getDataAtRva seems to return an empty string because it can't read from the given RVA, so execution never leaves the while loop.
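The loop above has only one exit condition, a NUL byte, so an RVA that maps to nothing (where the read returns an empty string) never terminates it. An added example, not pype32 code, of the same string reader with the exits a defender wants against a corrupt or memory-dumped file: an RVA that maps to no section raw data is rejected up front, a read that runs past the end of the section or the file stops instead of spinning, and a length cap bounds the worst case. rva_to_offset, get_data_at_rva, read_string_at_rva and build_sample_image are this example's own names; the section table and the byte buffer are constructed test data, not a real binary.

```python
MAX_STRING_LEN = 4096   # assumed upper bound for an import/export name


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via a (va, vsize, raw_ptr, raw_size) section table; None if unmapped."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            # The part of a section beyond its raw data exists only in memory, not in the file.
            return raw + delta if delta < rawsize else None
    return None


def get_data_at_rva(data, sections, rva, size):
    """Read up to `size` bytes at an RVA; returns b"" when the RVA is not backed by file data."""
    off = rva_to_offset(sections, rva)
    if off is None:
        return b""
    return data[off:off + size]      # also b"" when off is past the end of data


def read_string_at_rva(data, sections, rva, max_len=MAX_STRING_LEN):
    """Read a NUL-terminated string at an RVA, stopping at end of data or max_len."""
    if rva_to_offset(sections, rva) is None:
        raise ValueError("RVA 0x%X is not backed by file data" % rva)
    result = bytearray()
    while len(result) < max_len:
        d = get_data_at_rva(data, sections, rva, 1)
        if d == b"" or d == b"\x00":
            break                    # unmapped/out-of-file (the original's missing exit) or terminator
        result += d
        rva += 1
    return bytes(result)


def build_sample_image():
    """Constructed stand-in for a PE image: a raw byte buffer plus a two-entry section table."""
    data = bytearray(0x500)
    data[0x200:0x400] = b"B" * 0x200             # .text raw data (RVA 0x1000..0x1FFF)
    data[0x400:0x40D] = b"KERNEL32.dll\x00"      # terminated import name at RVA 0x2000
    data[0x4F2:0x500] = b"GetProcAddress"        # runs to end of file, no terminator (RVA 0x20F2)
    sections = [
        # (virtual_address, virtual_size, pointer_to_raw_data, size_of_raw_data)
        (0x1000, 0x1000, 0x200, 0x200),
        (0x2000, 0x1000, 0x400, 0x100),
    ]
    return bytes(data), sections


if __name__ == "__main__":
    data, sections = build_sample_image()
    print(read_string_at_rva(data, sections, 0x2000))
    print(read_string_at_rva(data, sections, 0x20F2))
```

Raising on an unmapped starting RVA lets the caller mark the import directory as invalid and continue with the rest of the file, while the in-loop checks keep a truncated name from becoming an unbounded allocation.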
Ran into this executable which ended up consuming 32GB of RAM. Not actually sure what the cause is, so including the hash so you can download.
~/bug$ cat bug.py
import pype32
data = open("test.exe", "rb").read()
pe = pype32.PE(data=data)
~/bug$ md5sum test.exe
ca25e1bf52a1848512cac8a07c9c0d30 test.exe
~/bug$ pip list | grep pype
pype32 (0.1-alpha4)
Hello,
I want to package your software for Arch Linux. Could you please change your version format? Don't use -alphaX
as a suffix. In nearly all Linux distributions the character -
is forbidden in the version number. It would make packaging easier. thx
Since the changes to the net parser the old version of pype32 is not compatible with my scripts.
The new version is not on pip so anyone installing from there can not use my code base.
When trying to install pype32 with pip (Python 2.7.9 (default, Dec 10 2014, 12:24:55) [MSC v.1500 32 bit (Intel)] on win32) an error occurs and the package cannot be installed.
The command was:
D:\Python27>pip search pype32
pype32 - Yet another Python library to read and write
PE/PE+ files.
D:\Python27>pip install pype32
Downloading/unpacking pype32
Could not find a version that satisfies the requirement pype32 (from versions:
0.1-alpha4)
Cleaning up...
No distributions matching the version for pype32
Storing debug log for failure in C:\Users\XXXX\pip\pip.log
The pip.log file contents:
Downloading/unpacking pype32
Getting page https://pypi.python.org/simple/pype32/
URLs to search for versions for pype32:
Read the data from each .NET Resource
And then parse each resource from a .resources file. - https://msdn.microsoft.com/en-us/library/system.resources.resourcereader(v=vs.110).aspx
WARNING LIVE MALWARE
Have provided some samples for testing
http://repo.doesntexist.com/public.php?service=files&t=1bf02f3de6eae2762f9c8304fc0af29f