问题
Can someone suggest how using python i can get Import address table and Export address table form PE? I currently using pefile module, but not sure i can get IAT and EAT using it. Many thanks for help.
回答1:
The documentation describes how to do it:
Listing the imported symbols
Each directory, if it exists in the PE file being processed, has an entry as DIRECTORY_ENTRY_directoryname in the PE instance. The imported symbols can be listed as follows:
# If the PE file was loaded using the fast_load=True argument, we will need to parse the data directories:
pe.parse_data_directories()
for entry in pe.DIRECTORY_ENTRY_IMPORT:
print entry.dll
for imp in entry.imports:
print '\t', hex(imp.address), imp.name
Output
comdlg32.dll
0x10012A0L PageSetupDlgW
0x10012A4L FindTextW
0x10012A8L PrintDlgExW
[snip]
SHELL32.dll
0x1001154L DragFinish
0x1001158L DragQueryFileW
Listing the exported symbols
Similarly, the exported symbols can be listed as follows:
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
print hex(pe.OPTIONAL_HEADER.ImageBase + exp.address), exp.name, exp.ordinal
Output
0x7ca0ab4f SHUpdateRecycleBinIcon 336 0x7cab44c0 SHValidateUNC 173 0x7ca7b0aa SheChangeDirA 337 0x7ca7b665 SheChangeDirExA 338 0x7ca7b3e1 SheChangeDirExW 339 0x7ca7aec6 SheChangeDirW 340 0x7ca8baae SheConvertPathW 341
来源:https://stackoverflow.com/questions/19325402/getting-iat-and-eat-from-pe