# PE Analysis

Two Windows PE files, notepad.exe and notepad_upx.exe, are present in the current working directory. notepad_upx.exe is a packed version of notepad.exe.

**Note:** The pefile library is available on the system.


### Tasks


**Task 1.** Import the library and load notepad.exe binary.

In [2]:
import pefile

pe = pefile.PE('notepad.exe')

pe

<pefile.PE at 0x7f76dc3c0090>

**Task 2.** Print the structure of the file.

In [3]:
dir(pe)

['DIRECTORY_ENTRY_BASERELOC',
 'DIRECTORY_ENTRY_DEBUG',
 'DIRECTORY_ENTRY_IMPORT',
 'DIRECTORY_ENTRY_LOAD_CONFIG',
 'DIRECTORY_ENTRY_RESOURCE',
 'DOS_HEADER',
 'FILE_HEADER',
 'FileInfo',
 'NT_HEADERS',
 'OPTIONAL_HEADER',
 'PE_TYPE',
 'RICH_HEADER',
 'VS_FIXEDFILEINFO',
 'VS_VERSIONINFO',
 '_PE__from_file',
 '__IMAGE_BASE_RELOCATION_ENTRY_format__',
 '__IMAGE_BASE_RELOCATION_format__',
 '__IMAGE_BOUND_FORWARDER_REF_format__',
 '__IMAGE_BOUND_IMPORT_DESCRIPTOR_format__',
 '__IMAGE_DATA_DIRECTORY_format__',
 '__IMAGE_DEBUG_DIRECTORY_format__',
 '__IMAGE_DELAY_IMPORT_DESCRIPTOR_format__',
 '__IMAGE_DOS_HEADER_format__',
 '__IMAGE_EXPORT_DIRECTORY_format__',
 '__IMAGE_FILE_HEADER_format__',
 '__IMAGE_IMPORT_DESCRIPTOR_format__',
 '__IMAGE_LOAD_CONFIG_DIRECTORY64_format__',
 '__IMAGE_LOAD_CONFIG_DIRECTORY_format__',
 '__IMAGE_NT_HEADERS_format__',
 '__IMAGE_OPTIONAL_HEADER64_format__',
 '__IMAGE_OPTIONAL_HEADER_format__',
 '__IMAGE_RESOURCE_DATA_ENTRY_format__',
 '__IMAGE_RESOURCE_DIRECTOR

**Task 3.** Print the PE header

In [6]:
pe.DOS_HEADER

<Structure: [IMAGE_DOS_HEADER] 0x0 0x0 e_magic: 0x5A4D 0x2 0x2 e_cblp: 0x90 0x4 0x4 e_cp: 0x3 0x6 0x6 e_crlc: 0x0 0x8 0x8 e_cparhdr: 0x4 0xA 0xA e_minalloc: 0x0 0xC 0xC e_maxalloc: 0xFFFF 0xE 0xE e_ss: 0x0 0x10 0x10 e_sp: 0xB8 0x12 0x12 e_csum: 0x0 0x14 0x14 e_ip: 0x0 0x16 0x16 e_cs: 0x0 0x18 0x18 e_lfarlc: 0x40 0x1A 0x1A e_ovno: 0x0 0x1C 0x1C e_res: 0x24 0x24 e_oemid: 0x0 0x26 0x26 e_oeminfo: 0x0 0x28 0x28 e_res2: 0x3C 0x3C e_lfanew: 0xE8>

**Task 4.** Import pprint and print the PE header.

In [11]:
import pprint

pprint.pprint(dir(pe.DOS_HEADER))

['__all_zeroes__',
 '__class__',
 '__delattr__',
 '__dict__',
 '__doc__',
 '__field_offsets__',
 '__file_offset__',
 '__format__',
 '__format_length__',
 '__get_format__',
 '__getattribute__',
 '__hash__',
 '__init__',
 '__keys__',
 '__long__',
 '__module__',
 '__native__',
 '__new__',
 '__nonzero__',
 '__pack__',
 '__reduce__',
 '__reduce_ex__',
 '__repr__',
 '__set_format__',
 '__setattr__',
 '__sizeof__',
 '__str__',
 '__subclasshook__',
 '__unicode__',
 '__unpack__',
 '__unpacked_data_elms__',
 '__weakref__',
 'all_zeroes',
 'dump',
 'dump_dict',
 'e_cblp',
 'e_cp',
 'e_cparhdr',
 'e_crlc',
 'e_cs',
 'e_csum',
 'e_ip',
 'e_lfanew',
 'e_lfarlc',
 'e_magic',
 'e_maxalloc',
 'e_minalloc',
 'e_oemid',
 'e_oeminfo',
 'e_ovno',
 'e_res',
 'e_res2',
 'e_sp',
 'e_ss',
 'get_field_absolute_offset',
 'get_field_relative_offset',
 'get_file_offset',
 'name',
 'next',
 'set_file_offset',
 'sizeof',
 'sizeof_type']


**Task 5.** Print the magic number of the PE file in decimal, hex and ASCII

In [18]:
# Decimal
print pe.DOS_HEADER.e_magic

# Hex
print hex(pe.DOS_HEADER.e_magic)

# ASCII Char string
# e_magic is read as a little-endian integer, so the hex string "5a4d" has the
# bytes in reverse order and decodes to "ZM"; the file itself begins with "MZ".
a = hex(pe.DOS_HEADER.e_magic)
a =  a[2:]
print a.decode("hex")

23117
0x5a4d
ZM


**Task 6.** Print number of sections in the PE file

In [20]:
print pe.FILE_HEADER.NumberOfSections

6


**Task 7.** Print sections of the PE file

In [21]:
print pe.sections

[<Structure: [IMAGE_SECTION_HEADER] 0x1F0 0x0 Name: .text 0x1F8 0x8 Misc: 0x18D6E 0x1F8 0x8 Misc_PhysicalAddress: 0x18D6E 0x1F8 0x8 Misc_VirtualSize: 0x18D6E 0x1FC 0xC VirtualAddress: 0x1000 0x200 0x10 SizeOfRawData: 0x18E00 0x204 0x14 PointerToRawData: 0x400 0x208 0x18 PointerToRelocations: 0x0 0x20C 0x1C PointerToLinenumbers: 0x0 0x210 0x20 NumberOfRelocations: 0x0 0x212 0x22 NumberOfLinenumbers: 0x0 0x214 0x24 Characteristics: 0x60000020>, <Structure: [IMAGE_SECTION_HEADER] 0x218 0x0 Name: .rdata 0x220 0x8 Misc: 0x7560 0x220 0x8 Misc_PhysicalAddress: 0x7560 0x220 0x8 Misc_VirtualSize: 0x7560 0x224 0xC VirtualAddress: 0x1A000 0x228 0x10 SizeOfRawData: 0x7600 0x22C 0x14 PointerToRawData: 0x19200 0x230 0x18 PointerToRelocations: 0x0 0x234 0x1C PointerToLinenumbers: 0x0 0x238 0x20 NumberOfRelocations: 0x0 0x23A 0x22 NumberOfLinenumbers: 0x0 0x23C 0x24 Characteristics: 0x40000040>, <Structure: [IMAGE_SECTION_HEADER] 0x240 0x0 Name: .data 0x248 0x8 Misc: 0x2D14 0x248 0x8 Misc_PhysicalAddr

**Task 8.** Print the first section of the PE file

In [24]:
pprint.pprint(dir(pe.sections[0]))

['Characteristics',
 'IMAGE_SCN_ALIGN_1024BYTES',
 'IMAGE_SCN_ALIGN_128BYTES',
 'IMAGE_SCN_ALIGN_16BYTES',
 'IMAGE_SCN_ALIGN_1BYTES',
 'IMAGE_SCN_ALIGN_2048BYTES',
 'IMAGE_SCN_ALIGN_256BYTES',
 'IMAGE_SCN_ALIGN_2BYTES',
 'IMAGE_SCN_ALIGN_32BYTES',
 'IMAGE_SCN_ALIGN_4096BYTES',
 'IMAGE_SCN_ALIGN_4BYTES',
 'IMAGE_SCN_ALIGN_512BYTES',
 'IMAGE_SCN_ALIGN_64BYTES',
 'IMAGE_SCN_ALIGN_8192BYTES',
 'IMAGE_SCN_ALIGN_8BYTES',
 'IMAGE_SCN_ALIGN_MASK',
 'IMAGE_SCN_CNT_CODE',
 'IMAGE_SCN_CNT_INITIALIZED_DATA',
 'IMAGE_SCN_CNT_UNINITIALIZED_DATA',
 'IMAGE_SCN_GPREL',
 'IMAGE_SCN_LNK_COMDAT',
 'IMAGE_SCN_LNK_INFO',
 'IMAGE_SCN_LNK_NRELOC_OVFL',
 'IMAGE_SCN_LNK_OTHER',
 'IMAGE_SCN_LNK_OVER',
 'IMAGE_SCN_LNK_REMOVE',
 'IMAGE_SCN_MEM_16BIT',
 'IMAGE_SCN_MEM_DISCARDABLE',
 'IMAGE_SCN_MEM_EXECUTE',
 'IMAGE_SCN_MEM_FARDATA',
 'IMAGE_SCN_MEM_LOCKED',
 'IMAGE_SCN_MEM_NOT_CACHED',
 'IMAGE_SCN_MEM_NOT_PAGED',
 'IMAGE_SCN_MEM_PRELOAD',
 'IMAGE_SCN_MEM_PROTECTED',
 'IMAGE_SCN_MEM_PURGEABLE',
 'IMAGE_SCN_MEM_READ'

**Task 9.** Print the name and size of raw data for each section.

In [25]:
for section in pe.sections:
    print section.Name
    print section.SizeOfRawData
    print '\n'

.text   
101888


.rdata  
30208


.data   
3072


.pdata  
2560


.rsrc   
105984


.reloc  
1024




**Task 10.** Load notepad_upx.exe file and list the sections.

In [1]:
import pefile

pe = pefile.PE('notepad_upx.exe')

for section in pe.sections:
    print section.Name
    print section.SizeOfRawData
    print '\n'

UPX0    
0


UPX1    
71680


.rsrc   
108032



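The three views of e_magic from Task 5 and the section listing and packer check from Tasks 9 and 10, as an added Python 3 example that is not part of the original notebook. It does not use pefile: it reads the same header fields the notebook inspects (DOS_HEADER.e_magic, e_lfanew, FILE_HEADER.NumberOfSections, and each section's Name, SizeOfRawData and VirtualSize) directly with struct, so it runs even where the library is absent, and it exercises them on two constructed byte strings rather than on notepad.exe. The packer section-name list, the 7.0 entropy threshold and the build_image layout are assumptions chosen for illustration. Pass a file path on the command line to run the same checks on a real PE such as notepad_upx.exe.

```python
import math
import struct
import sys

# Layout constants from the PE/COFF spec (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_SECTION_HEADER).
IMAGE_DOS_SIGNATURE = 0x5A4D        # bytes 'MZ' read as a little-endian uint16
IMAGE_NT_SIGNATURE = 0x00004550     # bytes 'PE\0\0' read as a little-endian uint32
SECTION_FMT = '<8sIIIIIIHHI'        # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
KNOWN_PACKER_SECTIONS = {'UPX0', 'UPX1', 'UPX2'}   # assumption: short illustrative list

def magic_views(e_magic):
    # pefile exposes e_magic as a little-endian integer: hex() gives '0x5a4d' and decoding
    # that hex string yields 'ZM'. Packing with '<H' restores the file's real byte order, 'MZ'.
    return e_magic, hex(e_magic), struct.pack('<H', e_magic).decode('ascii')

def parse_sections(data):
    # DOS header -> e_lfanew -> 'PE\0\0' -> IMAGE_FILE_HEADER -> optional header -> section table
    if struct.unpack_from('<H', data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if struct.unpack_from('<I', data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('missing PE signature at e_lfanew')
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    number_of_sections = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    size_of_optional_header = struct.unpack_from('<H', data, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        off = table + i * SECTION_SIZE
        if off + SECTION_SIZE > len(data):
            raise ValueError('section table runs past end of file')
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({'Name': name.rstrip(b'\0').decode('ascii', 'replace'), 'VirtualSize': vsize,
                         'VirtualAddress': vaddr, 'SizeOfRawData': rsize, 'PointerToRawData': rptr,
                         'Characteristics': chars})
    return sections

def shannon_entropy(buf):
    # Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes.
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def packing_indicators(data, entropy_threshold=7.0):
    # Returns (section name, reason) pairs; an empty list means nothing looked packed.
    findings = []
    for s in parse_sections(data):
        name, rsize, rptr = s['Name'], s['SizeOfRawData'], s['PointerToRawData']
        if name in KNOWN_PACKER_SECTIONS:
            findings.append((name, 'packer-section-name'))
        if rsize == 0 and s['VirtualSize'] > 0:
            findings.append((name, 'virtual-only-section'))     # filled in at runtime by the stub
        if rsize and rptr + rsize > len(data):
            findings.append((name, 'raw-data-outside-file'))    # header does not match the file
        elif rsize and shannon_entropy(data[rptr:rptr + rsize]) > entropy_threshold:
            findings.append((name, 'high-entropy-raw-data'))    # compressed or encrypted body
    return findings

def build_image(sections, e_lfanew=0x80, opt_size=0xF0):
    # Constructed stand-in for a PE file (headers plus section bodies, NOT loadable);
    # sections is a list of (name, virtual_size, raw_bytes) with raw_bytes a multiple of 512.
    raw_start = (e_lfanew + 24 + opt_size + SECTION_SIZE * len(sections) + 0x1FF) & ~0x1FF
    img = bytearray(e_lfanew)
    struct.pack_into('<H', img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', img, 0x3C, e_lfanew)
    img += struct.pack('<I', IMAGE_NT_SIGNATURE)
    img += struct.pack('<HHIIIHH', 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    img += bytes(opt_size)                       # zeroed optional header placeholder
    body, vaddr, ptr = b'', 0x1000, raw_start
    for name, vsize, raw in sections:
        img += struct.pack(SECTION_FMT, name.encode().ljust(8, b'\0'), vsize, vaddr, len(raw),
                           ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body, ptr, vaddr = body + raw, ptr + len(raw), vaddr + ((max(vsize, len(raw)) + 0xFFF) & ~0xFFF)
    return bytes(img.ljust(raw_start, b'\0') + body)

# Constructed samples: a plain image and one shaped like the UPX section list in Task 10.
LOW_ENTROPY_CODE = b'\x55\x48\x89\xe5\xc3' * 200 + b'\x90' * 24      # 1024 repetitive bytes
HIGH_ENTROPY_BLOB = bytes((i * 37 + 11) % 256 for i in range(1024))  # every byte value 4 times
NORMAL_IMAGE = build_image([('.text', 0x18D6E, LOW_ENTROPY_CODE), ('.rdata', 0x7560, b'A' * 512)])
PACKED_IMAGE = build_image([('UPX0', 0x1A000, b''), ('UPX1', 0x11000, HIGH_ENTROPY_BLOB),
                            ('.rsrc', 0x1000, b'\0' * 512)])

if __name__ == '__main__':
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else PACKED_IMAGE
    print(magic_views(struct.unpack_from('<H', data, 0)[0]))
    for s in parse_sections(data):
        print(f"{s['Name']:<8} SizeOfRawData={s['SizeOfRawData']:<7} VirtualSize={s['VirtualSize']}")
    print('indicators:', packing_indicators(data) or 'none')
```

The three indicators map directly onto what Task 10 shows: UPX0 has SizeOfRawData 0 but a large VirtualSize because the stub decompresses the original image into it at run time, UPX1 holds the compressed payload and so looks close to random, and only .rsrc survives unchanged (which is why its size is almost the same in both files). This is why static string or import inspection of a packed sample tells you little; treat the indicators as a triage signal that the file needs unpacking before the rest of the analysis, not as a verdict on its behaviour.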