pefile is a multi-platform Python module to parse and work with Portable Executable (PE) files. Most of the information contained in the PE file headers is accessible, as well as all the sections' details and data.
The structures defined in the Windows header files will be accessible as attributes in the PE instance. The naming of fields/attributes will try to adhere to the naming scheme in those headers. Only shortcuts added for convenience will depart from that convention.
pefile requires some basic understanding of the layout of a PE file — with it, it's possible to explore nearly every single feature of the PE file format.
To install pefile through pip:
pip3 install pefile
Some of the tasks that pefile makes possible are:
- Inspecting headers
- Analyzing of sections' data
- Retrieving embedded data
- Reading strings from the resources
- Warnings for suspicious and malformed values
- Basic butchering of PEs, like writing to some fields and other parts of the PE
- This functionality won't rearrange PE file structures to make room for new fields, so use it with care.
- Overwriting fields should mostly be safe.
- Packer detection with PEiD’s signatures
- PEiD signature generation
Please, refer to Usage Examples for some code snippets that demonstrate how to use pefile.
Here are a few examples of what a dump produced with pefile looks like for different types of files:
To work with authenticated binaries, including Authenticode signatures, please check the project verify-sigs.
pefile runs in several pipelines scanning hundreds of thousands of new PE files every day, and, while not perfect, it has grown to be pretty robust over time. That being said, small glitches are found now and then. If you bump into a PE that does not appear to be processed correctly, do report it, please! It will help make pefile a tiny bit more powerful.
pefile is self-contained. The module has no dependencies; it is endianness independent; and it works on OS X, Windows, and Linux.
Prompted by the move to GitHub, the need to support Python 3 in addition to resolving a slew of pending issues (some having to do with the old versioning scheme), pefile has changed its version number scheme and from now on it will be using the release date as its version.
- Didier Stevens' pecheck, a tool for displaying PE file info, handles PEiD files better then pefile does.
- MAEC, a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. MAEC converts pefile's output into their XML format.
- Qiew, a Hex/File format viewer.
- VirusTotal
- bbfreeze
- pyemu: download, whitepaper
- Immunity Debugger 1.1
- Cuckoo
- MultiScanner
PDFs of posters depicting the PE file format:
- Portable Executable Format Layout shows the full view of the headers and structures defined by the PE format.
- Portable Executable Header Walkthrough shows the raw view of an executable file with the PE format fields laid out over the corresponding areas.
The following links provide detailed information about the PE format and its structures.
- corkami's wiki page about the PE format has grown to be one of the most in-depth repositories of information about the PE format.
- corkami's treasure trove of PE weirdness
- An In-Depth Look into the Win32 Portable Executable File Format
- An In-Depth Look into the Win32 Portable Executable File Format, Part 2
- The Portable Executable File Format
- Get icons from Exe or DLL the PE way
- Solar Eclipse's Tiny PE page at "http://www.phreedom.org/solar/code/tinype/" is no longer available (html-only archive), corkami's TinyPE is available here (Code only)