erocarrera / pefile

pefile is a Python module to read and work with PE (Portable Executable) files
MIT License

get_memory_mapped_image leaves trash data in alignment regions #392

Open heck-gd opened 8 months ago

heck-gd commented 8 months ago

In a memory mapped image, regions that exist due to section/page alignment requirements should contain zeroes. Currently, pefile bleeds section data into such regions.

Reproduction: Take any Windows binary that has file-aligned sections (so not a memory dump) and check what's at offset 0x400 (which in most common binaries is where the PE header ends).

>>> import pefile
>>> pe = pefile.PE(name="C:\\Windows\\explorer.exe")
>>> image = pe.get_memory_mapped_image()
>>> assert image[0x400:0x1000] != image[0x1000:0x1C00]
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AssertionError

This can cause considerable confusion if you're doing a regex search over the mapped image and RIP-relative data references get screwed up.
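An added illustration, not part of the original issue and not pefile's code: a minimal mapper that starts from a zero-filled buffer so alignment regions stay zero, plus a check that reports any gap holding non-zero bytes. The `Section` tuple, function names and sample bytes are constructed for this example, and copying only `min(SizeOfRawData, VirtualSize)` bytes per section is a simplifying assumption.

```python
from typing import NamedTuple

class Section(NamedTuple):          # fields mirror the PE section header
    virtual_address: int            # RVA where the section is mapped
    virtual_size: int
    raw_offset: int                 # PointerToRawData
    raw_size: int                   # SizeOfRawData

def extent(s: Section) -> int:
    # Assumption: bytes past VirtualSize are file padding and are not copied.
    return min(s.raw_size, s.virtual_size) if s.virtual_size else s.raw_size

def map_image(data: bytes, size_of_headers: int, sections, size_of_image: int) -> bytes:
    image = bytearray(size_of_image)                 # every gap starts as zeroes
    headers = data[:min(size_of_headers, size_of_image)]
    image[:len(headers)] = headers
    for s in sections:
        chunk = data[s.raw_offset:s.raw_offset + extent(s)]
        chunk = chunk[:max(0, size_of_image - s.virtual_address)]  # stay in bounds
        image[s.virtual_address:s.virtual_address + len(chunk)] = chunk
    return bytes(image)

def dirty_gaps(image: bytes, size_of_headers: int, sections):
    """Return (start, end) ranges outside headers/sections that hold non-zero bytes."""
    used = sorted([(0, size_of_headers)] +
                  [(s.virtual_address, s.virtual_address + extent(s)) for s in sections])
    gaps, cursor = [], 0
    for start, end in used:
        if start > cursor and any(image[cursor:start]):
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < len(image) and any(image[cursor:]):
        gaps.append((cursor, len(image)))
    return gaps

# Constructed sample: 0x400 bytes of headers, two file-aligned sections.
FILE_DATA = b"H" * 0x400 + b"\xcc" * 0x200 + b"D" * 0x200
SECTIONS = [Section(0x1000, 0x1F0, 0x400, 0x200), Section(0x2000, 0x200, 0x600, 0x200)]
CLEAN = map_image(FILE_DATA, 0x400, SECTIONS, 0x3000)
# Constructed imitation of the reported symptom: file bytes left after the headers.
_leaky = bytearray(CLEAN)
_leaky[0x400:0x800] = FILE_DATA[0x400:0x800]
LEAKY = bytes(_leaky)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, [(hex(a), hex(b)) for a, b in dirty_gaps(img, 0x400, SECTIONS)])
```

To run the check against a real file, the same fields are available in pefile as `VirtualAddress`, `Misc_VirtualSize`, `PointerToRawData` and `SizeOfRawData` on each entry of `pe.sections`, with `SizeOfHeaders` and `SizeOfImage` on `pe.OPTIONAL_HEADER`.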