pe

class pydecipher.artifact_types.pe.PortableExecutable(pe_path_or_bytes: str | PathLike | BinaryIO, output_dir: PathLike | None = None, **kwargs)

The artifact class representing a Portable Executable Windows binary.

Much of the functionality is an augmentation of the pefile library to aid in analysis of Python-packaged (frozen) artifacts.

file_path

If this artifact comes from a file on disk, this is the path to that file.

Type:

pathlib.Path, optional

file_contents

The contents of the file read into memory.

Type:

bytes

output_dir

Where any output extracted from this artifact should get dumped.

Type:

os.PathLike

python_version

The version of Python used to create this frozen artifact.

Type:

str

overlay

The overlay of the PE (the data that is appended to the binary).

Type:

bytes

pe

The pefile library PE object for this file.

Type:

pefile.PE

version_info

The version info resource of this executable stored as key:value pairs.

Type:

Dict[bytes, bytes]

certificates_dumped

Whether or not the certificates (if they exist in the PE) have been dumped to the output directory on disk.

Type:

bool

INTERESTING_RESOURCES

String-matching patterns for resources that should be dumped to disk if found within a PE.

Type:

List[str]

kwargs

Any keyword arguments needed for the parsing of this artifact, or for parsing nested artifacts.

Type:

Any

Raises:

TypeError – Raised if pe_path_or_bytes cannot be parsed as a PE.

dump_certificates(output_dir: Path | None = None) -> None

Dump Authenticode certificates from the PE's Attribute Certificate Table (the region referenced by the security data directory of the optional header).

Parameters:

output_dir (pathlib.Path, optional) – An optional alternative output directory to dump the certificates, besides the class’s output directory.

dump_overlay() -> Path

Check whether this binary has data appended after its last section, and if so, dump it for further analysis.

Python's pefile library treats the Attribute Certificate Table as part of the overlay, since it sits after the last section's raw data, even though it is not traditional overlay data: its file offset and size are recorded in the security data directory of the optional header, and the Authenticode hash skips it. For a signed binary the dumped overlay therefore contains the signature blob; compare the overlay's start against the security directory's file offset before treating the bytes as an appended payload. Because the table is excluded from the hash, bytes placed inside it do not invalidate the signature, which is why appended data can survive in a signed file.

Relevant links:
https://github.com/erocarrera/pefile/issues/104#issuecomment-429037686
https://www.cs.auckland.ac.nz/~pgut001/pubs/authenticode.txt
https://blog.barthe.ph/2009/02/22/change-signed-executable/

Returns:

The path to the dumped overlay on disk.

Return type:

pathlib.Path
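The separation described above, as an added example written for this page rather than code from pydecipher or pefile: it reads the section table to find where the overlay starts, reads the security data directory to find the Attribute Certificate Table, and splits appended data from the WIN_CERTIFICATE entries. build_sample_pe constructs a minimal, non-loadable PE32 purely as demonstration input; the overlay, certificate body and trailing bytes it embeds are made up.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: for this entry "VirtualAddress" is a raw file offset, not an RVA.
SECURITY_DIR_INDEX = 4
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def _align8(n):
    return (n + 7) & ~7


def parse_certificate_table(table: bytes) -> list:
    """Walk WIN_CERTIFICATE entries: dwLength, wRevision, wCertificateType, bCertificate."""
    entries, off = [], 0
    while off + 8 <= len(table):
        length = _u32(table, off)
        if length < 8 or off + length > len(table):
            raise ValueError("malformed WIN_CERTIFICATE at table offset %d" % off)
        entries.append({"revision": _u16(table, off + 4),
                        "type": _u16(table, off + 6),
                        "body": table[off + 8:off + length]})
        off += _align8(length)  # entries are padded to 8-byte boundaries
    return entries


def split_overlay(data: bytes) -> dict:
    """Separate genuinely appended data from the Attribute Certificate Table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE: missing MZ header")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE: missing PE signature")
    nsections = _u16(data, pe + 6)
    opt_size = _u16(data, pe + 20)
    opt = pe + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    magic = _u16(data, opt)
    if magic == 0x10B:    # PE32
        dd_base = opt + 96
    elif magic == 0x20B:  # PE32+
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_entry = dd_base + 8 * SECURITY_DIR_INDEX
    cert_off, cert_size = _u32(data, sec_entry), _u32(data, sec_entry + 4)
    # Where the last section's raw data ends is where pefile's get_overlay() begins.
    end = 0
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        end = max(end, _u32(data, hdr + 20) + _u32(data, hdr + 16))  # PointerToRawData + SizeOfRawData
    result = {"naive_overlay": data[end:], "overlay": data[end:],
              "certificate_table": b"", "certificates": [], "trailing": b""}
    if cert_off == 0 or cert_size == 0:
        return result  # unsigned: everything past the sections really is overlay
    if cert_off < end or cert_off + cert_size > len(data):
        raise ValueError("security directory overlaps section data or runs past EOF")
    table = data[cert_off:cert_off + cert_size]
    result.update({"overlay": data[end:cert_off], "certificate_table": table,
                   "certificates": parse_certificate_table(table),
                   "trailing": data[cert_off + cert_size:]})
    return result


def build_sample_pe(overlay: bytes, cert_body=None, trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32 (parseable, not loadable), demo input only; cert_body=None leaves it unsigned."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    section = struct.pack("<8sIIIIIIHHI", b".text", align, 0x1000, align, align, 0, 0, 0, 0, 0x60000020)
    image = bytearray((bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(align, b"\0"))
    image += b"\xC3" * align  # the single section's raw data
    image += overlay
    if cert_body is not None:
        image += b"\0" * (_align8(len(image)) - len(image))  # the table starts 8-byte aligned
        cert_off = len(image)
        entry = struct.pack("<IHH", 8 + len(cert_body), WIN_CERT_REVISION_2_0,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
        entry += b"\0" * (_align8(len(entry)) - len(entry))
        image += entry
        # Point the security data directory (file offset, size) at the table just written.
        struct.pack_into("<II", image, 64 + 24 + 96 + 8 * SECURITY_DIR_INDEX, cert_off, len(entry))
    image += trailing
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe(b"APPENDED-PAYLOAD", b"FAKE-PKCS7-SIGNEDDATA", b"TAIL")
    parts = split_overlay(sample)
    print("pefile-style overlay: %d bytes" % len(parts["naive_overlay"]))
    print("appended data before the table:", parts["overlay"])
    for cert in parts["certificates"]:
        print("WIN_CERTIFICATE rev=0x%x type=%d body=%r" % (cert["revision"], cert["type"], cert["body"]))
    print("bytes after the table (covered by the Authenticode hash):", parts["trailing"])
```

naive_overlay is what pefile's get_overlay() returns for the same file; overlay is where a frozen Python payload would actually live, and anything in trailing was appended after the certificate table, falls inside the Authenticode hash, and therefore invalidates the signature.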

dump_resource(resource_name: str) -> Path

Dump the specified resource to the output directory on disk.

Parameters:

resource_name – The name of the resource within the PE’s resources to extract.

Returns:

The path to the dumped resource.

Return type:

pathlib.Path

load_version_info(quiet: bool = False) -> None

Extract the VersionInfo dictionary from the pefile.PE object.

Unless pydecipher is running in 'quiet' mode, the version info is printed to the log. Additionally, the version info values are searched for Python version strings.

Parameters:

quiet (bool, optional) – Whether or not to print the version info dictionary to the log.
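One way to search version info for a Python version, as an added example for this page and not pydecipher's own logic: the two regexes are assumed shapes (a spelled-out "Python X.Y.Z" and an interpreter DLL name such as python38.dll), version_info follows the Dict[bytes, bytes] shape documented above, imported_dlls is an assumed optional extra source (for example DLL names taken from the PE's import directory), and the sample dictionary is constructed.

```python
import re
from typing import Iterable, Optional

# Assumed patterns, not pydecipher's: a spelled-out version in a Comments/FileDescription field,
# or the interpreter DLL name ("python38.dll", "python312.dll"), which only yields major.minor.
_SPELLED = re.compile(rb"\bPython\s+(\d)\.(\d{1,2})(?:\.(\d{1,3}))?", re.IGNORECASE)
_DLL = re.compile(rb"\bpython(\d)(\d{1,2})(?:\.dll)?\b", re.IGNORECASE)

# Constructed sample, shaped like the StringTable entries pefile exposes (keys and values are bytes).
SAMPLE_VERSION_INFO = {
    b"CompanyName": b"Example Corp",
    b"FileDescription": b"Example Tool",
    b"OriginalFilename": b"tool.exe",
    b"Comments": b"Built with PyInstaller; Python 3.8.5",
}


def _as_bytes(value) -> bytes:
    return value if isinstance(value, bytes) else str(value).encode("utf-8", "replace")


def python_version_candidates(version_info: dict, imported_dlls: Iterable = ()) -> list:
    """Return (major, minor, micro_or_None) tuples found in version-info values and import names."""
    found = []
    for raw in list(version_info.values()) + list(imported_dlls):
        text = _as_bytes(raw)
        for m in _SPELLED.finditer(text):
            micro = int(m.group(3)) if m.group(3) else None
            found.append((int(m.group(1)), int(m.group(2)), micro))
        for m in _DLL.finditer(text):
            found.append((int(m.group(1)), int(m.group(2)), None))
    return found


def find_python_version(version_info: dict, imported_dlls: Iterable = ()) -> Optional[str]:
    """Pick the most specific candidate: a full major.minor.micro beats a bare major.minor."""
    candidates = python_version_candidates(version_info, imported_dlls)
    if not candidates:
        return None
    best = max(candidates, key=lambda v: v[2] is not None)  # max keeps the first of equal candidates
    return ".".join(str(part) for part in best if part is not None)


if __name__ == "__main__":
    print(find_python_version(SAMPLE_VERSION_INFO))
    print(find_python_version({b"FileDescription": b"Python bootstrap"}, [b"python312.dll"]))
```

A DLL name gives only major.minor, so when both forms appear the spelled-out version is preferred; a binary whose strings mention no version at all yields None rather than a guess.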

unpack() -> None

Dump any interesting aspects of this PE for further investigation.

This will log the PE's version info resource for manual inspection, dump any Authenticode certificates, and look for frozen Python artifacts within the PE's resources and overlay.