get overlay data using pefile


作为风影,lz

Sep 1, 2009, 11:02:55 AM
to pefile
Usually, a virus or trojan reads overlay data at the end of the PE file.

Here's a sample:

import pefile

def get_overlay(filename):
    pe = pefile.PE(filename, fast_load=True)
    filebuffer = pe.write()
    # get the last section offset and length
    s = pe.sections[-1]
    # anything past the end of the last section's raw data is the overlay
    overlay_start = s.PointerToRawData + s.SizeOfRawData
    if len(filebuffer) > overlay_start:
        return filebuffer[overlay_start:]
    # no overlay present
    return None
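
An added example, not part of the original post: a dependency-free version of the same check that takes the highest raw-data end across all sections instead of the last section-table entry, since table order need not match file order. The function names and the image produced by `build_sample` are constructed for illustration.

```python
import struct

def overlay_offset(data):
    """Return the file offset where the overlay starts, or None if there is none."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        # Section header is 40 bytes: SizeOfRawData at +16, PointerToRawData at +20
        size, ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if size:  # skip sections with no data on disk (e.g. .bss)
            end = max(end, ptr + size)
    return end if 0 < end < len(data) else None

def get_overlay(data):
    """Return the overlay bytes of a PE image held in memory, or None."""
    off = overlay_offset(data)
    return data[off:] if off is not None else None

def build_sample(overlay=b""):
    """Constructed minimal PE-like image: two sections listed in reverse file order."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)  # no optional header
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", size, 0x1000, size, ptr, 0, 0, 0, 0, 0)
    headers = dos + b"PE\0\0" + coff + sec(b".b", 0x100, 0x300) + sec(b".a", 0x100, 0x200)
    return headers.ljust(0x200, b"\0") + b"A" * 0x100 + b"B" * 0x100 + overlay
```

On a signed file the Authenticode certificate table also sits past the last section, so a non-empty result is not by itself suspicious.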