Copyright 2019-2021 Philippe Paquet
pe2json is a Python based command line utility that reads Portable Executables (PE) files and output JSON.
JSON output include all the PE internal structures such as:
- IMAGE_BASE_RELOCATION
- IMAGE_DEBUG_DIRECTORY
- IMAGE_DOS_HEADER
- IMAGE_EXPORT_DIRECTORY
- IMAGE_FILE_HEADER
- IMAGE_IMPORT_DESCRIPTOR
- IMAGE_LOAD_CONFIG_DIRECTORY
- IMAGE_NT_HEADERS
- IMAGE_OPTIONAL_HEADER
- IMAGE_RESOURCE_DATA_ENTRY
- IMAGE_RESOURCE_DIRECTORY
- IMAGE_RESOURCE_DIRECTORY_ENTRY
- IMAGE_SECTION_HEADER
- etc...
JSON output also include additional information such as:
- File Name
- File Size
- Imphash
- MD5
- SHA-1
- SHA-256
- SHA-512
For the specifications of the PE format, check Microsoft PE Format documentation.
pe2json requires the pefile python package created by Ero Carrera. You can find pefile on github or pypi.
You can use the following command line to install pefile using pip.
pip install pefilepython3 -m pip install pefileIf you want to keep everything within one directory, you install pefile in a packages subdirectory.
pip install --target=packages pefilepython3 -m pip install --target=packages pefilepe2json will recognize the packages subdirectory and will automatically import packages from that location first.
Using pe2json is extremely simple.
python3 pe2json.py <input>input can be either a file name or a directory name.
If input is a file name, the JSON output will be optimized for readability.
If input is a directory name, the JSON output will be one line per file (LDJSON or line delimited JSON).
Only files with the following extensions will be considered for analysis for directories:
- dll
- drv
- exe
- sys
In the example directory, you will find an example JSON output from analyzing kernel32.dll named kernel32.dll.json.
Bug reports and suggestions for improvements are most welcome.
If you have any questions, comments or suggestions, do not hesitate to contact me at philippe@paquet.email