In [2]:
# Cell 1: Import and load PE file
import pefile

# Path of the PE image to inspect; point this at the file you want to analyse.
pe_file = 'notepad.exe'

# Parse the image with pefile. The cells below read headers, sections and
# imports from this `pe` object.
pe = pefile.PE(name=pe_file)
print("Loaded PE file: {}".format(pe_file))


Loaded PE file: notepad.exe


In [5]:
# Dump every attribute stored on the parsed DOS header object.
# vars() returns the instance __dict__, so the listing mixes pefile's own
# bookkeeping entries (format string, key list, field offsets, ...) with the
# actual IMAGE_DOS_HEADER fields such as e_magic and e_lfanew.
print("=== DOS HEADER ===")
for attr_pair in vars(pe.DOS_HEADER).items():
    # attr_pair is a (attribute_name, value) tuple and is printed as-is.
    print(f" {attr_pair}")


=== DOS HEADER ===
 ('__format_str__', '<HHHHHHHHHHHHHH8sHH20sI')
 ('__keys__', [['e_magic'], ['e_cblp'], ['e_cp'], ['e_crlc'], ['e_cparhdr'], ['e_minalloc'], ['e_maxalloc'], ['e_ss'], ['e_sp'], ['e_csum'], ['e_ip'], ['e_cs'], ['e_lfarlc'], ['e_ovno'], ['e_res'], ['e_oemid'], ['e_oeminfo'], ['e_res2'], ['e_lfanew']])
 ('__format_length__', 64)
 ('__field_offsets__', {'e_magic': 0, 'e_cblp': 2, 'e_cp': 4, 'e_crlc': 6, 'e_cparhdr': 8, 'e_minalloc': 10, 'e_maxalloc': 12, 'e_ss': 14, 'e_sp': 16, 'e_csum': 18, 'e_ip': 20, 'e_cs': 22, 'e_lfarlc': 24, 'e_ovno': 26, 'e_res': 28, 'e_oemid': 36, 'e_oeminfo': 38, 'e_res2': 40, 'e_lfanew': 60})
 ('__unpacked_data_elms__', (23117, 144, 3, 0, 4, 0, 65535, 0, 184, 0, 0, 0, 64, 0, b'\x00\x00\x00\x00\x00\x00\x00\x00', 0, 0, b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00', 256))
 ('__all_zeroes__', False)
 ('__file_offset__', 0)
 ('name', 'IMAGE_DOS_HEADER')
 ('e_magic', 23117)
 ('e_cblp', 144)
 ('e_cp', 3)
 ('e_crlc'

In [4]:


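# --- DOS Header ---
# Both values come from the IMAGE_DOS_HEADER that pefile already parsed.
print("=== DOS HEADER ===")
print(f"e_magic (DOS signature): {hex(pe.DOS_HEADER.e_magic)}")  # 0x5a4d is "MZ" read as a little-endian 16-bit value
print(f"e_lfanew (PE header offset): {pe.DOS_HEADER.e_lfanew} bytes")

# --- PE Header ---
# e_lfanew is a file-controlled value: it says where the PE header begins.
pe_offset = pe.DOS_HEADER.e_lfanew
print(f"\nPE header starts at offset: {pe_offset} bytes (from e_lfanew)")

# Read the PE signature directly from disk, independently of pefile.
# Open the same path that was handed to pefile (pe_file) rather than a
# hard-coded name, so the raw bytes and the parsed header always describe
# the same file when pe_file is changed.
with open(pe_file, "rb") as f:
    f.seek(pe_offset)
    pe_signature = f.read(4)  # first 4 bytes of PE header; shorter if the offset is at/after EOF
print(f"PE signature (should be 'PE\\0\\0'): {pe_signature} -> {pe_signature.decode(errors='ignore')}")

# Check the expectation instead of only printing it. A short read or any
# other byte sequence means the on-disk bytes at e_lfanew are not a PE header.
if pe_signature != b"PE\x00\x00":
    print(f"WARNING: unexpected PE signature at offset {pe_offset}: {pe_signature!r}")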


=== DOS HEADER ===
e_magic (DOS signature): 0x5a4d
e_lfanew (PE header offset): 256 bytes

PE header starts at offset: 256 bytes (from e_lfanew)
PE signature (should be 'PE\0\0'): b'PE\x00\x00' -> PE  


In [3]:
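# Cell 3: List sections (name, virtual size, raw size)
# Section names are NUL-padded byte strings taken straight from the file.
# Nothing guarantees they are valid UTF-8, so decode with errors='replace':
# a strict decode() would raise UnicodeDecodeError on the first odd name and
# hide every remaining section.
# Misc_VirtualSize is the section's size once mapped in memory and
# SizeOfRawData its size on disk; the two are printed side by side so that
# sections whose in-memory size differs from their on-disk size stand out.
print("Sections:")
for section in pe.sections:
    section_name = section.Name.decode(errors='replace').rstrip('\x00')
    print(section_name,
          section.Misc_VirtualSize,
          section.SizeOfRawData)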


Sections:
.text 148623 148992
.rdata 37512 37888
.data 10008 3584
.pdata 4332 4608
.didat 376 512
.rsrc 3032 3072
.reloc 728 1024


In [4]:
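# Cell 4: List imported DLLs and functions
# The hasattr() guard covers images for which pefile exposes no
# DIRECTORY_ENTRY_IMPORT attribute.
# DLL and function names are bytes read from the file itself, so they are
# decoded with errors='replace': a strict decode() would abort the whole
# listing on the first name that is not valid UTF-8.
# Read the result as triage context only. System binaries also import
# debugger-check and dynamic-resolution APIs, so one name is not a verdict.
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    print("Imports:")
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        print(" ", entry.dll.decode(errors='replace'))
        for imp in entry.imports:
            # Imports without a name are shown by their ordinal number instead.
            name = imp.name.decode(errors='replace') if imp.name else f"Ordinal_{imp.ordinal}"
            print("   ", name)
else:
    print("No import table found.")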


Imports:
  KERNEL32.dll
    GetProcAddress
    CreateMutexExW
    AcquireSRWLockShared
    DeleteCriticalSection
    GetCurrentProcessId
    GetProcessHeap
    GetModuleHandleW
    DebugBreak
    IsDebuggerPresent
    GlobalFree
    GetLocaleInfoW
    CreateFileW
    ReadFile
    GetACP
    MulDiv
    GetCurrentProcess
    GetCommandLineW
    HeapSetInformation
    FreeLibrary
    LocalFree
    LocalAlloc
    FindFirstFileW
    FindClose
    FoldStringW
    GetModuleFileNameW
    GetUserDefaultUILanguage
    HeapFree
    HeapAlloc
    GetTimeFormatW
    WideCharToMultiByte
    WriteFile
    GetFileAttributesW
    LocalLock
    LocalUnlock
    DeleteFileW
    SetEndOfFile
    GetFileAttributesExW
    GetFileInformationByHandle
    CreateFileMappingW
    MapViewOfFile
    MultiByteToWideChar
    LocalReAlloc
    UnmapViewOfFile
    GetFullPathNameW
    LocalSize
    GetStartupInfoW
    lstrcmpiW
    FindNLSString
    GlobalLock
    GlobalUnlock
    GlobalAlloc
    GetDiskFreeSpaceExW
   