erocarrera / pefile

pefile is a Python module to read and work with PE (Portable Executable) files
MIT License

get_string_at_rva returns an int #106

Open pashashocky opened 8 years ago

pashashocky commented 8 years ago

Hello,

The function get_string_at_rva seems to return an int in some situations, when it should be a string.


```
  File "/var/cuckoo-live/utils/../modules/processing/static.py", line 338, in _get_exported_dll_name
    return convert_to_printable(self.pe.get_string_at_rva(self.pe.DIRECTORY_ENTRY_EXPORT.struct.Name))
  File "/var/cuckoo-live/utils/../lib/cuckoo/common/utils.py", line 137, in convert_to_printable
    if is_printable(s):
  File "/var/cuckoo-live/utils/../lib/cuckoo/common/utils.py", line 110, in is_printable
    if c not in PRINTABLE_CHARACTERS:
TypeError: 'in <string>' requires string as left operand, not int
```

This became an issue in version 2016.3.28; 1.2.9 worked fine.

codewarrior0 commented 8 years ago

get_string_at_rva actually returns a bytes type, which is an array of int. To use it as a string, you will have to call .decode('ASCII') on the result. (The PE spec mandates ASCII encoding for most if not all strings, the exception being the "Unicode" strings in the version info, which are UTF-16. Side note: pefile throws away any non-ASCII characters in these particular strings.)

@erocarrera Is it deliberate that get_string_at_rva returns a bytes type and not str?
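
An added example, not code from pefile, Cuckoo, or any participant in this thread: it reproduces the per-character check from the traceback failing on a bytes value under Python 3, next to a helper that normalizes bytes to str first. All function names and the sample bytes are constructed for illustration, PRINTABLE_CHARACTERS is assumed to be a str of allowed characters, and using `errors="backslashreplace"` goes beyond the plain `.decode('ASCII')` mentioned above so that non-ASCII bytes from an untrusted file are escaped instead of raising.

```python
import string

# Assumption: a str of allowed characters, like the name in the traceback.
PRINTABLE_CHARACTERS = (
    string.ascii_letters + string.digits + string.punctuation + " \t\r\n"
)

# Constructed sample: an export name carrying a control byte and a non-ASCII byte.
SAMPLE_EXPORT_NAME = b"sample\x01\xff.dll"


def naive_is_printable(s):
    """Per-character check as in the traceback; raises TypeError on bytes."""
    for c in s:  # iterating bytes in Python 3 yields int, not 1-char str
        if c not in PRINTABLE_CHARACTERS:
            return False
    return True


def to_text(value):
    """Normalize bytes or str to str; undecodable bytes become \\xNN escapes."""
    if value is None:  # defensive assumption: treat a missing name as empty
        return ""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).decode("ascii", errors="backslashreplace")
    if isinstance(value, str):
        return value
    raise TypeError("expected bytes or str, got %s" % type(value).__name__)


def printable_name(value):
    """Return value as str with every non-printable character escaped."""
    return "".join(
        c if c in PRINTABLE_CHARACTERS else "\\x%02x" % ord(c)
        for c in to_text(value)
    )


if __name__ == "__main__":
    try:
        naive_is_printable(SAMPLE_EXPORT_NAME)
    except TypeError as exc:
        print("naive check failed:", exc)
    print("normalized:", printable_name(SAMPLE_EXPORT_NAME))
```
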