erocarrera / pefile

pefile is a Python module to read and work with PE (Portable Executable) files
MIT License

Did pefile support PE32+? #138

Open after1990s opened 8 years ago

nyx0 commented 8 years ago

Seems to work:

$ file ntdll.dll
ntdll.dll: PE32+ executable for MS Windows (DLL) (console)

$ python -c 'import pefile; print pefile.PE("ntdll.dll").dump_info()'
[...]
----------FILE_HEADER----------

[IMAGE_FILE_HEADER]
0xE4       0x0   Machine:                       0x8664    
0xE6       0x2   NumberOfSections:              0x9       
0xE8       0x4   TimeDateStamp:                 0x56540C3B [Tue Nov 24 07:05:31 2015 UTC]
0xEC       0x8   PointerToSymbolTable:          0x0       
0xF0       0xC   NumberOfSymbols:               0x0       
0xF4       0x10  SizeOfOptionalHeader:          0xF0      
0xF6       0x12  Characteristics:               0x2022    
Flags: IMAGE_FILE_DLL, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LARGE_ADDRESS_AWARE

----------OPTIONAL_HEADER----------

[IMAGE_OPTIONAL_HEADER64]
0xF8       0x0   Magic:                         0x20B     
0xFA       0x2   MajorLinkerVersion:            0xC       
0xFB       0x3   MinorLinkerVersion:            0xA       
0xFC       0x4   SizeOfCode:                    0xFA600   
0x100      0x8   SizeOfInitializedData:         0xBF600   
0x104      0xC   SizeOfUninitializedData:       0x0       
0x108      0x10  AddressOfEntryPoint:           0x0       
0x10C      0x14  BaseOfCode:                    0x1000    
0x110      0x18  ImageBase:                     0x180000000
0x118      0x20  SectionAlignment:              0x1000    
0x11C      0x24  FileAlignment:                 0x200     
0x120      0x28  MajorOperatingSystemVersion:   0xA       
0x122      0x2A  MinorOperatingSystemVersion:   0x0       
0x124      0x2C  MajorImageVersion:             0xA       
0x126      0x2E  MinorImageVersion:             0x0       
0x128      0x30  MajorSubsystemVersion:         0xA       
0x12A      0x32  MinorSubsystemVersion:         0x0       
0x12C      0x34  Reserved1:                     0x0       
0x130      0x38  SizeOfImage:                   0x1C1000  
0x134      0x3C  SizeOfHeaders:                 0x400     
0x138      0x40  CheckSum:                      0x1C03AA  
0x13C      0x44  Subsystem:                     0x3       
0x13E      0x46  DllCharacteristics:            0x4160    
0x140      0x48  SizeOfStackReserve:            0x40000   
0x148      0x50  SizeOfStackCommit:             0x1000    
0x150      0x58  SizeOfHeapReserve:             0x100000  
0x158      0x60  SizeOfHeapCommit:              0x1000    
0x160      0x68  LoaderFlags:                   0x0       
0x164      0x6C  NumberOfRvaAndSizes:           0x10 
[...]
demberto commented 2 years ago

@nyx0 How the hell can ntdll.dll be a PE32+ DLL? Does PE32+ not mean .NET 64-bit?
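
As an added example (not part of the thread and not pefile's own code): the Magic value 0x20B in the dump above is what marks an image as PE32+, while whether an image is managed (.NET) is recorded separately, in data directory entry 14 (the CLR/COM descriptor). The code below reads both fields from raw header bytes using only the standard library; `classify_pe`, `build_headers` and the sample CLR directory values are hypothetical names and constructed data.

```python
import struct

PE32, PE32_PLUS = 0x10B, 0x20B   # IMAGE_OPTIONAL_HEADER Magic values
CLR_DIR = 14                     # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET header)

def classify_pe(data):
    """Return (format, machine, is_managed) parsed from raw PE header bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    fh = e_lfanew + 4                        # IMAGE_FILE_HEADER follows "PE\0\0"
    if data[e_lfanew:fh] != b"PE\0\0" or fh + 20 > len(data):
        raise ValueError("missing or truncated PE header")
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if opt_size < 2 or opt + opt_size > len(data):
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # PE32+ widens ImageBase and the stack/heap sizes to 8 bytes and drops
    # BaseOfData, so NumberOfRvaAndSizes sits at 0x6C instead of 0x5C.
    nrva = 0x6C if magic == PE32_PLUS else 0x5C
    clr_entry = nrva + 4 + CLR_DIR * 8       # offset of directory entry 14
    managed = False
    if clr_entry + 8 <= opt_size:
        (count,) = struct.unpack_from("<I", data, opt + nrva)
        rva, size = struct.unpack_from("<II", data, opt + clr_entry)
        managed = count > CLR_DIR and rva != 0 and size != 0
    return ("PE32+" if magic == PE32_PLUS else "PE32"), machine, managed

def build_headers(magic, machine, clr=(0, 0), e_lfanew=0xE0):
    """Constructed sample: headers only (no sections), 16 data directories."""
    nrva = 0x6C if magic == PE32_PLUS else 0x5C
    opt_size = nrva + 4 + 16 * 8             # 0xF0 for PE32+, 0xE0 for PE32
    buf = bytearray(e_lfanew + 24 + opt_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, machine, 9, 0, 0, 0, opt_size, 0x2022)
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, magic)
    struct.pack_into("<I", buf, opt + nrva, 16)
    struct.pack_into("<II", buf, opt + nrva + 4 + CLR_DIR * 8, *clr)
    return bytes(buf)

if __name__ == "__main__":
    print(classify_pe(build_headers(PE32_PLUS, 0x8664)))                      # native x64
    print(classify_pe(build_headers(PE32_PLUS, 0x8664, clr=(0x2000, 0x48))))  # managed x64
```

To classify a real file, pass its leading bytes, for example `classify_pe(open(path, "rb").read(4096))`.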