`pe`

Classes, exceptions, and methods to parse a PE.

class pyjectify.windows.core.pe.PE(raw: bytes, base_addr: int = 0, headers_only: bool = False)[source]

This class represents a PE and provides methods to parse it

raw: bytes: Raw bytes of the PE, mapped to memory

sections_header: list[IMAGE_SECTION_HEADER]: PE sections headers

sections: list: PE sections, list of (VirtualAddress, VirtualSize, PageProtection) tuple

exports: dict: PE exports, dict of function_name -> function_address ; addresses are relative to the module base address

imports: dict: PE imports, dict of library_name -> [(function_name, function_address)…]

dos_header: IMAGE_DOS_HEADER: DOS headers

x86: bool: Specify if the PE is a 32-bit PE

nt_header: IMAGE_NT_HEADERS32: NT headers

base_addr: int: Base address of the PE

forwarded_export(name: str) → str[source]

Resolve a forwarded export

Parameters:: name – the name of the forwarded export
Returns:: The name of the resolved forwarded export

change_base(base_addr: int) → None[source]

Change PE base address and perform base relocation

Parameters:: base_addr – new base address of the PE

patch_import(thunk_addr: int, address: int) → None[source]

Patch PE imports

Parameters:

thunk_addr – address of the thunk data of the import
address – new function address for the import

exception pyjectify.windows.core.pe.InvalidPEHeader[source]: Exception for PE parsing errors