newbie questions


mike

Mar 24, 2009, 2:54:27 PM
to pefile
Thanks for reading this. I am new to forums, so if I am in the wrong
place, please forgive me. I have been working with
pefile.py (version 1.2.4) for a few weeks and have just happened upon
the site today. As I have been working with pefile.py in Ubuntu and
Windows XP SP2, I noticed that the section SHA-1 values do not always
match. Below are two portions of the output I get when I run filepe
against adprop.dll. The first is from Ubuntu, the second is from
Windows XP. Notice that the SHA-1 values in section 0x1000 differ. I
looked for a version update at http://packages.ubuntu.com/intrepid/python/python-pefile
but the latest version is not as current as what is on the site. I
then downloaded and installed this site's latest version. (I do not see
the method that will list the section hash values.) My questions....

1. Please provide me an example of how to view the SHA-1 value for
each section in pefile.py.
2. Will the hash value for each section differ in Ubuntu when compared
to Windows?

Thanks
Mike

P.S. Sorry if this note is the wrong forum.

from ubuntu...
adprop.dll$ df4368c9ddf6783f6d9d18534da5945292a5aa27$ 659968$
998085161$ 667648$ 5.1.2600.0 (xpclient.010817-1148)$ Windows Active
Directory Admin Property Pages$ 327681$ 170393600$ 3B7D84191$ ( (.text
0x1000, 0x47c27, a1c6dadb2557e5f5e016b15bb0e93adcb35d19a0), )$
( ( 0x1000* 0x1000* .text 2f89d5c04a9b3d963127a058c9145bb016cc6111*
2091d19d71c3b4d63d4506d5a58b6f66e415c1e1* [(1444L, 4), (1448L, 4),
(1452L, 4), (1456L, 4), (1460L, 4), (1464L, 4), (1468L, 4), (1472L,
4), (1476L, 4), (1480L, 4), (1484L, 4), (1488L, 4), (1492L, 4),
(1496L, 4), (1500L, 4), (1504L, 4), (1508L, 4), (1512L, 4), (1516L,
4), (1520L, 4), (1524L, 4), (1528L, 4), (1628L, 4), (2228L, 4),
(2232L, 4), (2472L, 4), (2476L, 4), (2480L, 4), (2932L, 4), (2936L,
4), (2940L, 4), (2944L, 4), (2948L, 4), (2952L, 4), (2956L, 4),
(2960L, 4), (0L, 1440L), (1552L, 28L)] )% ( 0x2000* 0x1000*
f96205522b1ea8c750b1929b5313db6841a06cef*
02fc3abae4103aa4e29f644babc3afaceae7e50b* [(176L, 4), (180L, 4),
(184L, 4), (188L, 4), (192L, 4), (196L, 4), (200L, 4), (204L, 4),
(208L, 4), (212L, 4), (216L, 4), (220L, 4), (340L, 4), (344L, 4),
(348L, 4), (352L, 4), (356L, 4), (360L, 4), (364L, 4), (368L, 4),
(372L, 4), (376L, 4), (628L, 4), (632L, 4), (636L, 4), (640L, 4),
(644L, 4), (648L, 4), (652L, 4), (656L, 4), (660L, 4), (664L, 4),
(768L, 4), (772L, 4), (776L, 4), (780L, 4), (784L, 4), (788L, 4),
(792L, 4), (796L, 4), (800L, 4), (804L, 4), (808L, 4), (812L, 4),
(816L, 4), (820L, 4), (824L, 4), (828L, 4), (832L, 4), (836L, 4),
(840L, 4), (844L, 4), (848L, 4), (852L, 4), (856L, 4), (860L, 4),
(864L, 4), (868L, 4), (872L, 4), (876L, 4), (880L, 4), (884L, 4),
(888L, 4), (892L, 4), (896L, 4), (900L, 4), (904L, 4), (908L, 4),
(1008L, 4), (1076L, 4), (1080L, 4), (1084L, 4), (1088L, 4), (1092L,
4), (1096L, 4), (1100L, 4), (1104L, 4), (1108L, 4), (1112L, 4),
(1116L, 4), (1120L, 4)] )% ( 0x19000* 0x1000* .text


from Windows XP
adprop.dll$ df4368c9ddf6783f6d9d18534da5945292a5aa27$ 659968$
998085161$ 667648$ 5.1.2600.0 (xpclient.010817-1148)$ Windows Active
Directory Admin Property Pages$ 327681$ 170393600$ 3B7D84191$
( (.text 0x1000, 0x47c27, a1c6dadb2557e5f5e016b15bb0e93adcb35d19a0), )
$ ( ( 0x1000* 0x1000* .textf96205522b1ea8c750b1929b5313db6841a06cef*
02fc3abae4103aa4e29f644babc3afaceae7e50b* [(176, 4), (180, 4), (184,
4), (188, 4), (192, 4), (196, 4), (200, 4), (204, 4), (208, 4), (212,
4), (216, 4), (220, 4), (340, 4), (344, 4), (348, 4), (352, 4), (356,
4), (360, 4), (364, 4), (368, 4), (372, 4), (376, 4), (628, 4), (632,
4), (636, 4), (640, 4), (644, 4), (648, 4), (652, 4), (656, 4), (660,
4), (664, 4), (768, 4), (772, 4), (776, 4), (780, 4), (784, 4), (788,
4), (792, 4), (796, 4), (800, 4), (804, 4), (808, 4), (812, 4), (816,
4), (820, 4), (824, 4), (828, 4), (832, 4), (836, 4), (840, 4), (844,
4), (848, 4), (852, 4), (856, 4), (860, 4), (864, 4), (868, 4), (872,
4), (876, 4), (880, 4), (884, 4), (888, 4), (892, 4), (896, 4), (900,
4), (904, 4), (908, 4), (1008, 4), (1076, 4), (1080, 4), (1084, 4),
(1088, 4), (1092, 4), (1096, 4), (1100, 4), (1104, 4), (1108, 4),
(1112, 4), (1116, 4), (1120, 4)] )%

Ero Carrera

Mar 24, 2009, 5:47:50 PM
to pefile

Hi,

I've just tried under Ubuntu, OSX and Windows XP and all hashes
matched for all systems, at least when doing a "print pe.dump_info()".
This was with 1.2.10-63.

Can you describe the steps you took to get to the data? Are you
opening the files yourself or letting pefile do it? Beware of opening
files in text vs binary mode in Windows.

cheers,
--
Ero

On Mar 24, 11:54 am, mike <mikek94n...@yahoo.com> wrote:
> Thanks for reading this. I am new to forums, so if I am in the wrong
> place, please forgive me. I have been working with
> pefile.py (version 1.2.4) for a few weeks and have just happened upon
> the site today. As I have been working with pefile.py in Ubuntu and
> Windows XP SP2, I noticed that the section SHA-1 values do not always
> match. Below are two portions of the output I get when I run filepe
> against adprop.dll. The first is from Ubuntu, the second is from
> Windows XP. Notice that the SHA-1 values in section 0x1000 differ. I
> looked for a version update at http://packages.ubuntu.com/intrepid/python/python-pefile
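
The text-versus-binary point raised in the reply above, as an added example that is not part of either post and is not pefile's own code: a standard-library-only sketch that hashes each section's raw bytes and shows how the hashes change when the same file is read through a text-mode translation. The sample image is constructed, all function names are hypothetical, and `windows_text_mode` is an assumed approximation of the Windows C runtime's text-mode read (CRLF becomes LF, Ctrl-Z ends the file).

```python
import hashlib
import struct

def section_sha1s(image):
    """Return [(name, virtual_address, sha1_hex)] for each section of a PE image (bytes)."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", image, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", image, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first section header
    result = []
    for i in range(count):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]                 # bytes as stored on disk
        result.append((name.rstrip(b"\0").decode("latin-1"), vaddr,
                       hashlib.sha1(raw).hexdigest()))
    return result

def windows_text_mode(image):
    """Assumed approximation of a text-mode read on Windows: stop at Ctrl-Z, CRLF -> LF."""
    return image.split(b"\x1a", 1)[0].replace(b"\r\n", b"\n")

def build_sample():
    """Constructed two-section image for the demo, not a real DLL."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    table = b""
    for name, vaddr, ptr in ((b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)):
        table += struct.pack("<8sIIII", name, 0x200, vaddr, 0x200, ptr) + b"\0" * 16
    headers = (dos + coff + table).ljust(0x200, b"\0")
    # .text contains CRLF byte pairs, which a text-mode read silently rewrites
    return headers + b"\x90\r\n\xc3" * 0x80 + b"A" * 0x200

def mismatched_sections(image):
    """Names of sections whose SHA-1 changes when the file is read in text mode."""
    good = section_sha1s(image)
    bad = section_sha1s(windows_text_mode(image))
    return [g[0] for g, b in zip(good, bad) if g[2] != b[2]]

if __name__ == "__main__":
    sample = build_sample()
    for name, vaddr, digest in section_sha1s(sample):
        print("%-8s 0x%x %s" % (name, vaddr, digest))
    print("differ in text mode:", mismatched_sections(sample))
```

Every section after the first rewritten byte pair shifts in the file, so one translated sequence in `.text` also changes the hash of `.data`; reading the file with `open(path, "rb")` avoids this.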