A Python library for converting output from Ero Carrera's pefile utility to Malware Attribute Enumeration and Characterization (MAEC™) XML content. It is currently in the BETA phase.
pefile-to-maec uses the pefile package: "pefile is a multi-platform Python module to read and work with Portable Executable (aka PE) files. Most of the information in the PE Header is accessible, as well as all the sections, section's information and data."
This package consists of a module that captures the pefile output for binary files in MAEC format (
/pefile_to_maec), and a script that uses that module (
The pefile-to-maec script depends on the presence of certain packages/libraries to function. Please refer to their installation documentation for installation instructions.
The script can be called with:
python pefile_to_maec.py infile outfile
infile refers to the input PE binary file and
outfile the name of
the MAEC XML file to which the output will be written.
The module exposes the following functions:
generate_package_from_binary_filepath- given an filepath, return a python-maec Package object with the PEFile output.
To use these module functions, the module must first be installed with setuptools:
python setup.py install
At which point it can be used as a library:
The pefile-to-maec library is tested and written against python
2.7.x. Compatibility with other python versions is neither guaranteed nor implied.
The following features are mapped from the PEFile output and captured in MAEC:
- File name (on disk)
- File path
- File size (in bytes)
- Hashes (MD5, SHA1)
- DOS header
- File header
- Optional header
- Resource directories
Bug reports and feature requests are welcome and encouraged. Pull requests are especially appreciated. Feel free to use the issue tracker on GitHub, join the MAEC Community Email Discussion List, or send an email directly to email@example.com.