Created January 26, 2017 22:04
Use pefile to see if a section in an EXE (PE32) file is executable or not. Convenient, since a lot of EXEs don't have the standard .text section, or have more than one executable section.
```python
#!/usr/bin/env python3
import pefile
import sys

'''
Test the section characteristics to see if the section is executable. Check for flags:
* 0x00000020 = Section contains code
* 0x20000000 = Section is executable
Not all executable sections are conveniently named .text. And pefile doesn't expose this information directly.
Source: https://msdn.microsoft.com/en-us/library/ms809762.aspx?f=255&MSPPError=-2147217396
'''
def isSectionExecutable(section):
    characteristics = getattr(section, 'Characteristics')
    # True if either the "contains code" or the "executable" flag is set
    if characteristics & 0x00000020 > 0 or characteristics & 0x20000000 > 0:
        return True
    return False

def checkSections(pe):
    for section in pe.sections:
        # Section names are 8 bytes, NUL-padded; strip the padding before printing
        name = section.Name.rstrip(b'\x00').decode('utf-8', 'replace')
        if isSectionExecutable(section):
            print("%s is executable!" % name)
        else:
            print("%s is not executable" % name)

if __name__ == '__main__':
    if len(sys.argv) == 1:
        print("Provide an EXE file!")
        sys.exit(1)
    for arg in sys.argv[1:]:
        pe = pefile.PE(arg)
        print("\n%s..." % arg)
        checkSections(pe)
```
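An added example, not part of the original gist: the same two flags read straight from the section table with `struct`, so it runs without pefile and reports 0x00000020 and 0x20000000 separately instead of OR-ing them. The names `section_flags` and `build_sample`, and the header bytes and section names in the sample, are constructed for illustration.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020     # section contains code (describes content)
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section is executable (memory permission)

def section_flags(data):
    """Return [(name, contains_code, executable)] for every section header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        # COFF header follows the 4-byte signature: NumberOfSections at +6,
        # SizeOfOptionalHeader at +20; the section table starts after both headers.
        (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
        table = e_lfanew + 24 + opt_size
        rows = []
        for i in range(count):
            # 40-byte section header: 8-byte name, 28 bytes skipped, Characteristics
            name, chars = struct.unpack_from("<8s28xI", data, table + 40 * i)
            rows.append((name.rstrip(b"\0").decode("latin-1"),
                         bool(chars & IMAGE_SCN_CNT_CODE),
                         bool(chars & IMAGE_SCN_MEM_EXECUTE)))
        return rows
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc

def build_sample():
    """Constructed header-only image (no optional header, no section data)."""
    sections = [(b".text", 0x60000020),   # code + execute + read
                (b"CODE", 0x60000020),    # executable, but not named .text
                (b"pack0", 0xE0000040),   # executable without the code flag
                (b".data", 0xC0000040)]   # plain read/write data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8s28xI", n, c) for n, c in sections)
    return dos + coff + table

if __name__ == "__main__":
    for name, code, execute in section_flags(build_sample()):
        print("%-8s contains_code=%-5s executable=%s" % (name, code, execute))
```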
useful !