【Question Title】: How to modify the TimeDateStamp field in PE file header?
【Posted】: 2019-06-14 15:36:18
【Question】:

I am writing a Python program to modify the compile time of a PE file. According to my research, the compile time is stored in the file header under the TimeDateStamp field. However, I have only managed to find ways to read the TimeDateStamp value.

For example,

import pefile  # the module is named pefile; "import pe" would fail with ModuleNotFoundError

filename = "C:/Users/User/Desktop/test.exe"
pe = pefile.PE(filename)
print("TimeDateStamp: "+hex(pe.FILE_HEADER.TimeDateStamp))

How do I edit the TimeDateStamp field in the PE file header instead?

【Question Discussion】:

    Tags: python portable-executable compilation-time


    【Solution 1】:

    pefile supports writing the modified file back out, so there is no need to deal with the NT header offset yourself:

    import pefile
    
    pe = pefile.PE("test.exe")
    # FILE_HEADER.TimeDateStamp is a 32-bit value of seconds since the Unix epoch
    pe.FILE_HEADER.TimeDateStamp = 1348054607
    # write() serialises the patched headers to a new file
    pe.write("new.exe")
    

    Also, your code does not work for me.

    【Discussion】:

      【Solution 2】:

      I found a way to modify the TimeDateStamp field in the PE file header by slightly modifying the code in getPETimeStamp.py created by @geudrik.

      Python 3

      import pefile
      from binascii import hexlify
      
      # Reference: https://github.com/deptofdefense/SalSA/wiki/PE-File-Format
      def getTimeDateStamp(filename):
          pe = pefile.PE(filename)
          print("TimeDateStamp: "+hex(pe.FILE_HEADER.TimeDateStamp))
      
      # Reference: https://gist.github.com/geudrik/03152ba1a148d9475e81
      def writeTimeDateStamp(filename, newTimeDateStamp):
          # Open file in read or write binary mode r+b
          try:
              filehandle = open(filename, 'r+b')
              # Check that file opened is Portable Executable file
              if hexlify(filehandle.read(2)) != hexlify(bytes('MZ', encoding="utf8")):
                  filehandle.close()
                  print("File is not in PE format!")
                  return
          except Exception as e:
              print(e)
              return
      
          # Find the offset of the timeDateStamp and write into it
          try:
              # Get PE offset (@60, DWORD) from DOS header
              #   It's little-endian so we have to flip it
              #   We also need the HEX representation which is an INT value
              filehandle.seek(60, 0)
              offset = filehandle.read(4)
              offset = hexlify(offset[::-1])
      
          # This was added in due to an issue with offset being set to '' on rare occasions (see comments below)
          # hexlify() returns bytes in Python 3, so compare against b'' (a str '' would never match)
          if offset == b'':
              print("offset is empty")
              filehandle.close()
              return
      
              #   ValueError: invalid literal for int() with base 16: ''
              #   https://stackoverflow.com/questions/11826054/valueerror-invalid-literal-for-int-with-base-16-x0e-xa3-python
              #   https://stackoverflow.com/questions/20375706/valueerror-invalid-literal-for-int-with-base-10-python
              #       This indicates that for some reason, 'offset' from above is being set as '' and thus can't be converted to a base 16 int
              offset = int(offset, 16)
      
          # TimeDateStamp sits 8 bytes into the NT headers: Signature (4) + Machine (2) + NumberOfSections (2)
          # newTimeDateStamp must already be 4 little-endian bytes
          filehandle.seek(offset+8, 0)
          filehandle.write(newTimeDateStamp)
              filehandle.close()
          except Exception as e:
              print(e)
              return
      
      getTimeDateStamp("test.exe")
      # Changing timeDateStamp field to 5c4570dd
      writeTimeDateStamp("test.exe", bytes.fromhex('dd70455c'))
      getTimeDateStamp("test.exe")
      

      With the code above, the timeDateStamp field is changed to 5c4570dd.

      【Discussion】:
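The manual approach in Solution 2 (follow e_lfanew at offset 0x3C, then patch the DWORD 8 bytes into the NT headers) can be done with struct alone and with both signatures checked before anything is written. The following is an added example, not code from the question or either answer; SAMPLE_PE is a constructed header fragment, not a real executable, and the function names are my own.

```python
import struct
from datetime import datetime, timezone

# Constructed sample: a 64-byte DOS header with e_lfanew = 0x40, followed by a
# minimal IMAGE_FILE_HEADER (PE\0\0, Machine=0x14c, NumberOfSections=1,
# TimeDateStamp=0x5c4570dd, remaining fields zero). Not a runnable executable.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    + b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 1, 0x5C4570DD) + b"\x00" * 12
)

def _timestamp_offset(data):
    """Return the file offset of IMAGE_FILE_HEADER.TimeDateStamp after validating MZ and PE signatures."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + Machine (2) + NumberOfSections (2) precede TimeDateStamp
    ts_off = e_lfanew + 8
    if ts_off + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("e_lfanew does not point at a PE signature")
    return ts_off

def read_timestamp(data):
    """Return TimeDateStamp as an int (seconds since the Unix epoch, little-endian on disk)."""
    (ts,) = struct.unpack_from("<I", data, _timestamp_offset(data))
    return ts

def set_timestamp(data, new_ts):
    """Return a copy of data with TimeDateStamp replaced; new_ts is an int or an aware datetime."""
    if isinstance(new_ts, datetime):
        new_ts = int(new_ts.astimezone(timezone.utc).timestamp())
    if not 0 <= new_ts <= 0xFFFFFFFF:
        raise ValueError("TimeDateStamp must fit in an unsigned 32-bit field")
    patched = bytearray(data)
    struct.pack_into("<I", patched, _timestamp_offset(data), new_ts)
    return bytes(patched)

def timestamp_to_utc(ts):
    """Decode a TimeDateStamp into a UTC datetime for comparison with other header timestamps."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def patch_file(path, new_ts):
    """Rewrite the file at path with a new TimeDateStamp and return the value that was there before."""
    with open(path, "rb") as fh:
        data = fh.read()
    old = read_timestamp(data)
    with open(path, "wb") as fh:
        fh.write(set_timestamp(data, new_ts))
    return old
```

Only the four bytes of the field change; every other byte of the input is preserved, which is easy to check by comparing the slices before and after the patched offset.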
