OSRE LAB2 - Python PE Analyzer


The objective of this lab is to write a Python program to analyze a Windows PE file. We are going to use the pefile module together with other PythonFU libraries.

The Setup

We will start by installing virtualenv and the pefile module

$ sudo apt update
$ sudo apt install python3-pip
$ pip3 install virtualenv
$ vim .bashrc or nano .bashrc

Add the directory where pip installed virtualenv to the PATH

PATH=$PATH:/home/kali/.local/bin
export PATH

Then finally

source .bashrc

Now create a virtual environment for your work using virtualenv

$ virtualenv pework

Now that the virtualenv is created, let us activate it and install the pefile module using pip

$ source pework/bin/activate
$ pip install pefile

The Program

Before going into writing the program it's good to recognize the module creator and the documentation: https://github.com/erocarrera/pefile and https://github.com/erocarrera/pefile/blob/wiki/UsageExamples.md

Now let's jump in:

The first thing to do is to import the pefile module:

import pefile

Now let's analyze a PE file, so we need to load it using pefile:

pe = pefile.PE('/where/tf/isthe/pe.exe')

Now suppose we want to know the address of the Image Base. We can use the following:

hex(pe.OPTIONAL_HEADER.ImageBase)

It's that easy lol....

Also if we want to know the number of sections in this PE file, we can do:

hex(pe.FILE_HEADER.NumberOfSections)

Now let's print all the sections found in the file. This could be done in a for loop like this:

for section in pe.sections:
    # Name is the raw 8-byte, null-padded section name; VirtualAddress and
    # Misc_VirtualSize describe the section in memory, SizeOfRawData on disk
    print(section.Name,
          hex(section.VirtualAddress),
          hex(section.Misc_VirtualSize),
          section.SizeOfRawData)
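As an added example (mine, not code from the post or from the pefile project), the following reads the same three things, ImageBase, NumberOfSections and the section table, with the standard struct module instead of pefile, so it runs with no dependency, and adds a small triage check on section flags. It parses a constructed in-memory PE32+ image; the header offsets and flag constants follow the PE format, while the sample image and the suspicious_sections heuristic (W+X sections, or in-memory size far above on-disk size) are assumptions for illustration.

```python
import struct

# Constructed minimal PE32+ image (not a real binary): DOS header, NT headers, two sections.
def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                  # e_lfanew -> NT headers at offset 64
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                                  # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                 # Magic = PE32+
    struct.pack_into("<Q", opt, 24, 0x140000000)          # ImageBase (8 bytes in PE32+)
    sec = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    text = struct.pack(sec, b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    stub = struct.pack(sec, b".stub", 0x2000, 0x2000, 0x200, 0x1400, 0, 0, 0, 0, 0xE0000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + stub

def parse_pe(data: bytes) -> dict:
    """Read the same fields the post pulls out with pefile, by hand."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                     # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):                          # section table follows the optional header
        fields = struct.unpack_from("<8sIIIIIIHHI", data, opt + size_opt + i * 40)
        sections.append({"Name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "Misc_VirtualSize": fields[1], "VirtualAddress": fields[2],
                         "SizeOfRawData": fields[3], "Characteristics": fields[9]})
    return {"ImageBase": image_base, "NumberOfSections": num_sections, "sections": sections}

def suspicious_sections(info: dict) -> list:
    """Triage check (assumed heuristic): sections that are writable and executable,
    or whose in-memory size is far larger than their on-disk size."""
    WRITE, EXEC = 0x80000000, 0x20000000
    return [s["Name"] for s in info["sections"]
            if (s["Characteristics"] & WRITE and s["Characteristics"] & EXEC)
            or s["Misc_VirtualSize"] > 4 * max(s["SizeOfRawData"], 1)]
```

Pointing parse_pe at the bytes of a real file gives the same ImageBase and section values that pe.OPTIONAL_HEADER.ImageBase and pe.sections return in the post.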

After beep booping with my keyboard, the whole code looks like this on my GitHub: PyPEA

That's it, thanks for reading. See you in the next lab.