pe

Classes, exceptions, and methods to parse a PE.

class pyjectify.windows.core.pe.PE(raw: bytes, base_addr: int = 0, headers_only: bool = False)

This class represents a PE and provides methods to parse it.

Initialization: parse PE headers and sections

Parameters:
  • raw – raw bytes of the PE, from a file or already mapped to memory

  • base_addr – force PE base address (if null, get it from the PE headers)

  • headers_only – specify whether the raw bytes contain the entire PE or just its headers

property raw: bytes

Raw bytes of the PE, mapped to memory

property base_addr: int

Base address of the PE

property dos_header: IMAGE_DOS_HEADER

DOS header

property nt_header: IMAGE_NT_HEADERS32 | IMAGE_NT_HEADERS64

NT headers

property x86: bool

Whether the PE is a 32-bit PE

property sections_header: list[IMAGE_SECTION_HEADER]

PE section headers

property sections: list[tuple[int, int, int]]

PE sections, list of (VirtualAddress, VirtualSize, PageProtection) tuples

property exports: dict[str | int, int]

PE exports, dict of function_name | ordinal -> function_address

Note: addresses are relative to the module base address

property imports: dict[str, list[tuple[str | int, int]]]

PE imports, dict of library_name -> [(function_name | ordinal, function_address)…]

forwarded_export(name: str | int) → str

Resolve a forwarded export

Parameters:

name – the name (or the ordinal) of the forwarded export

Returns:

The name of the resolved forwarded export

change_base(base_addr: int) → None

Change PE base address and perform base relocation

Parameters:

base_addr – new base address of the PE

patch_import(dll_name: str, import_name: str | int, address: int) → None

Patch PE imports

Parameters:
  • dll_name – name of the imported dll

  • import_name – name or ordinal of the imported function

  • address – new function address for the import

exception pyjectify.windows.core.pe.InvalidPEHeader

Exception for PE parsing errors
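
The header checks behind the constructor's "parse PE headers and sections" step and the x86 and sections properties can be sketched with the standard library alone. This is an added example, not pyjectify's code: parse_headers, page_protection and build_sample are hypothetical names, the InvalidPEHeader class is a local stand-in, the characteristics-to-protection mapping is an assumption, and the input is a constructed header-only image.

```python
import struct

class InvalidPEHeader(Exception):
    """Parsing error (local stand-in named after the page's exception)."""

def page_protection(ch: int) -> int:
    """Map IMAGE_SCN_MEM_* flags to a PAGE_* constant (assumed mapping)."""
    x, r, w = ch & 0x20000000, ch & 0x40000000, ch & 0x80000000
    if w:
        return 0x40 if x else 0x04  # PAGE_EXECUTE_READWRITE / PAGE_READWRITE
    if r:
        return 0x20 if x else 0x02  # PAGE_EXECUTE_READ / PAGE_READONLY
    return 0x10 if x else 0x01      # PAGE_EXECUTE / PAGE_NOACCESS

def parse_headers(raw: bytes):
    """Return (x86, image_base, sections); raise InvalidPEHeader on bad input."""
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        raise InvalidPEHeader("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)
    if e_lfanew + 24 > len(raw) or raw[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise InvalidPEHeader("missing PE signature")
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    nsec, opt_size = struct.unpack_from("<2xH12xH", raw, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 32 or opt + opt_size + 40 * nsec > len(raw):
        raise InvalidPEHeader("truncated or undersized headers")
    (magic,) = struct.unpack_from("<H", raw, opt)
    if magic not in (0x10B, 0x20B):
        raise InvalidPEHeader(f"unknown optional header magic {magic:#x}")
    x86 = magic == 0x10B  # PE32; 0x20B is PE32+ (64-bit)
    (image_base,) = (struct.unpack_from("<I", raw, opt + 28) if x86
                     else struct.unpack_from("<Q", raw, opt + 24))
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsec, 40):
        # Section header: VirtualSize at +8, VirtualAddress at +12, Characteristics at +36
        vsize, vaddr, ch = struct.unpack_from("<8xII20xI", raw, off)
        sections.append((vaddr, vsize, page_protection(ch)))
    return x86, image_base, sections

def build_sample() -> bytes:
    """Constructed 64-bit header-only image with .text (RX) and .data (RW)."""
    def sec(name, vsize, vaddr, ch):
        return (name.ljust(8, b"\0") + struct.pack("<II", vsize, vaddr)
                + bytes(20) + struct.pack("<I", ch))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(22) + struct.pack("<Q", 0x140000000) + bytes(208)
    return (dos + coff + opt + sec(b".text", 0x1234, 0x1000, 0x60000020)
            + sec(b".data", 0x200, 0x3000, 0xC0000040))
```

Every offset is bounds-checked before it is read, so a truncated or malformed buffer raises InvalidPEHeader rather than struct.error.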