PE module

The PE module allows you to create more fine-grained rules for PE files by using attributes and features of the PE file format. This module exposes most of the fields present in a PE header and provides functions which can be used to write more expressive and targeted rules. Let's see some examples:

import "pe"

rule single_section
{
    condition:
        pe.number_of_sections == 1
}

rule control_panel_applet
{
    condition:
        pe.exports("CPlApplet")
}

rule is_dll
{
    condition:
        pe.characteristics & pe.DLL
}

rule is_pe
{
    condition:
        pe.is_pe
}

Reference

type machine

Changed in version 3.3.0.

Integer with one of the following values:

type MACHINE_UNKNOWN
type MACHINE_AM33
type MACHINE_AMD64
type MACHINE_ARM
type MACHINE_ARMNT
type MACHINE_ARM64
type MACHINE_EBC
type MACHINE_I386
type MACHINE_IA64
type MACHINE_M32R
type MACHINE_MIPS16
type MACHINE_MIPSFPU
type MACHINE_MIPSFPU16
type MACHINE_POWERPC
type MACHINE_POWERPCFP
type MACHINE_R4000
type MACHINE_SH3
type MACHINE_SH3DSP
type MACHINE_SH4
type MACHINE_SH5
type MACHINE_THUMB
type MACHINE_WCEMIPSV2
type MACHINE_TARGET_HOST
type MACHINE_R3000
type MACHINE_R10000
type MACHINE_ALPHA
type MACHINE_SH3E
type MACHINE_ALPHA64
type MACHINE_AXP64
type MACHINE_TRICORE
type MACHINE_CEF
type MACHINE_CEE

Example: pe.machine == pe.MACHINE_AMD64

type checksum

New in version 3.6.0.

Integer with the "PE checksum" as stored in the OptionalHeader.

type calculate_checksum

New in version 3.6.0.

Function that calculates the "PE checksum" over the scanned data.

Example: pe.checksum == pe.calculate_checksum()
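As an added illustration of what pe.calculate_checksum() computes (example code, not YARA's implementation), the PE checksum algorithm in Python, run over a constructed 200-byte header stand-in. Offsets assume the standard layout, in which CheckSum sits 0x40 bytes into the optional header.

```python
import struct


def _checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER::CheckSum: e_lfanew + "PE\\0\\0" + file header + 0x40."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 + 20 + 0x40


def calculate_checksum(data):
    """PE checksum as Windows computes it: a 16-bit folded sum of every dword in the file,
    with the CheckSum field itself excluded, plus the file length."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)           # work in whole dwords, zero-padding the tail
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                                     # the stored value must not influence the sum
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def stored_checksum(data):
    """The value currently in the header, i.e. what pe.checksum exposes."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def checksum_matches(data):
    """Equivalent of the rule condition pe.checksum == pe.calculate_checksum()."""
    return stored_checksum(data) == calculate_checksum(data)


def with_checksum(data, value):
    """Copy of data with the CheckSum field set to value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(buf), value)
    return bytes(buf)


def build_sample():
    """Constructed 200-byte stand-in for a PE header (not a loadable image)."""
    buf = bytearray(200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x8664, 1)        # Machine = AMD64, NumberOfSections = 1
    struct.pack_into("<HH", buf, 0x54, 0xF0, 0x2022)     # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HBB", buf, 0x58, 0x20B, 14, 0)    # PE32+ magic, linker version 14.0
    return bytes(buf)                                    # CheckSum (offset 0x98) left at zero
```

A stored checksum of 0 is common for binaries the linker never checksummed, so a mismatch is most informative when pe.checksum is non-zero.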

type subsystem

Integer with one of the following values:

type SUBSYSTEM_UNKNOWN
type SUBSYSTEM_NATIVE
type SUBSYSTEM_WINDOWS_GUI
type SUBSYSTEM_WINDOWS_CUI
type SUBSYSTEM_OS2_CUI
type SUBSYSTEM_POSIX_CUI
type SUBSYSTEM_NATIVE_WINDOWS
type SUBSYSTEM_WINDOWS_CE_GUI
type SUBSYSTEM_EFI_APPLICATION
type SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER
type SUBSYSTEM_EFI_RUNTIME_DRIVER
type SUBSYSTEM_EFI_ROM_IMAGE
type SUBSYSTEM_XBOX
type SUBSYSTEM_WINDOWS_BOOT_APPLICATION

Example: pe.subsystem == pe.SUBSYSTEM_NATIVE

type timestamp

PE timestamp, as an epoch integer.

Example: pe.timestamp >= 1424563200

type pointer_to_symbol_table

New in version 3.8.0.

Value of IMAGE_FILE_HEADER::PointerToSymbolTable. Used when the PE image has COFF debug info.

type number_of_symbols

New in version 3.8.0.

Value of IMAGE_FILE_HEADER::NumberOfSymbols. Used when the PE image has COFF debug info.

type size_of_optional_header

New in version 3.8.0.

Value of IMAGE_FILE_HEADER::SizeOfOptionalHeader. This is the real size of the optional header; it reflects the difference between the 32-bit and 64-bit optional header layouts and the number of data directories.

type opthdr_magic

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::Magic.

Integer with one of the following values:

type IMAGE_NT_OPTIONAL_HDR32_MAGIC
type IMAGE_NT_OPTIONAL_HDR64_MAGIC
type IMAGE_ROM_OPTIONAL_HDR_MAGIC

type size_of_code

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfCode. This is the sum of raw data sizes in code sections.

type size_of_initialized_data

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfInitializedData.

type size_of_uninitialized_data

Value of IMAGE_OPTIONAL_HEADER::SizeOfUninitializedData.

type entry_point

Entry point as a file offset when YARA is scanning a file, or as a virtual address when it is scanning process memory. This is equivalent to the deprecated entrypoint keyword.

type entry_point_raw

New in version 4.1.0.

Entry point raw value from the optional header of the PE. This value is not converted to a file offset or an RVA.

type base_of_code

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::BaseOfCode.

type base_of_data

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::BaseOfData. This field only exists in 32-bit PE files.

type image_base

Image base relative virtual address.

type section_alignment

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SectionAlignment. When Windows maps a PE image to memory, all raw sizes (including size of header) are aligned up to this value.

type file_alignment

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::FileAlignment. All raw data sizes of sections in the PE image are aligned to this value.

type win32_version_value

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::Win32VersionValue.

type size_of_image

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfImage. This is the total virtual size of header and all sections.

type size_of_headers

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfHeaders. This is the raw data size of the PE headers, including the DOS header, file header, optional header and all section headers. When the PE is mapped to memory, this value is subject to aligning up to SectionAlignment.

type characteristics

Bitmap with PE FileHeader characteristics. Individual characteristics can be inspected by performing a bitwise AND operation with the following constants:

type RELOCS_STRIPPED

Relocation info stripped from file.

type EXECUTABLE_IMAGE

File is executable (i.e. no unresolved external references).

type LINE_NUMS_STRIPPED

Line numbers stripped from file.

type LOCAL_SYMS_STRIPPED

Local symbols stripped from file.

type AGGRESIVE_WS_TRIM

Aggressively trim working set

type LARGE_ADDRESS_AWARE

App can handle >2GB addresses.

type BYTES_REVERSED_LO

Bytes of machine word are reversed.

type MACHINE_32BIT

32 bit word machine.

type DEBUG_STRIPPED

Debugging info stripped from file into a .DBG file.

type REMOVABLE_RUN_FROM_SWAP

If Image is on removable media, copy and run from the swap file.

type NET_RUN_FROM_SWAP

If Image is on Net, copy and run from the swap file.

type SYSTEM

System File.

type DLL

File is a DLL.

type UP_SYSTEM_ONLY

File should only be run on a UP (uniprocessor) machine.

type BYTES_REVERSED_HI

Bytes of machine word are reversed.

Example: pe.characteristics & pe.DLL

type linker_version

An object with two integer attributes, one for each major and minor linker version.

major

Major linker version.

minor

Minor linker version.

type os_version

An object with two integer attributes, one for each major and minor OS version.

major

Major OS version.

minor

Minor OS version.

type image_version

An object with two integer attributes, one for each major and minor image version.

major

Major image version.

minor

Minor image version.

type subsystem_version

An object with two integer attributes, one for each major and minor subsystem version.

major

Major subsystem version.

minor

Minor subsystem version.

type dll_characteristics

Bitmap with PE OptionalHeader DllCharacteristics. Do not confuse these flags with the PE FileHeader Characteristics. Individual characteristics can be inspected by performing a bitwise AND operation with the following constants:

type HIGH_ENTROPY_VA

ASLR with 64 bit address space.

type DYNAMIC_BASE

File can be relocated; this also marks the file as ASLR compatible.

type FORCE_INTEGRITY
type NX_COMPAT

Marks the file as DEP compatible

type NO_ISOLATION
type NO_SEH

The file does not contain structured exception handlers; this must be set to use SafeSEH.

type NO_BIND
type APPCONTAINER

Image should execute in an AppContainer

type WDM_DRIVER

Marks the file as a Windows Driver Model (WDM) device driver.

type GUARD_CF

Image supports Control Flow Guard.

type TERMINAL_SERVER_AWARE

Marks the file as terminal server compatible

type size_of_stack_reserve

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfStackReserve. This is the default amount of virtual memory that will be reserved for the stack.

type size_of_stack_commit

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfStackCommit. This is the default amount of virtual memory that will be committed for the stack.

type size_of_heap_reserve

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfHeapReserve. This is the default amount of virtual memory that will be reserved for the main process heap.

type size_of_heap_commit

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::SizeOfHeapCommit. This is the default amount of virtual memory that will be committed for the main process heap.

type loader_flags

New in version 3.8.0.

Value of IMAGE_OPTIONAL_HEADER::LoaderFlags.

type number_of_rva_and_sizes

Value of IMAGE_OPTIONAL_HEADER::NumberOfRvaAndSizes. This is the number of items in the IMAGE_OPTIONAL_HEADER::DataDirectory array.

type data_directories

New in version 3.8.0.

A zero-based array of data directories. Each entry holds the virtual address and size of the corresponding data directory and has the following members:

virtual_address

Relative virtual address (RVA) of the PE data directory. If this is zero, the data directory is missing. Note that for the digital signature directory this is a file offset, not an RVA.

size

Size of the PE data directory, in bytes.

The index for the data directory entry can be one of the following values:

type IMAGE_DIRECTORY_ENTRY_EXPORT

Data directory for exported functions.

type IMAGE_DIRECTORY_ENTRY_IMPORT

Data directory for import directory.

type IMAGE_DIRECTORY_ENTRY_RESOURCE

Data directory for resource section.

type IMAGE_DIRECTORY_ENTRY_EXCEPTION

Data directory for exception information.

type IMAGE_DIRECTORY_ENTRY_SECURITY

This is the raw file offset and length of the image digital signature. If the image has no embedded digital signature, this directory will contain zeros.

type IMAGE_DIRECTORY_ENTRY_BASERELOC

Data directory for image relocation table.

type IMAGE_DIRECTORY_ENTRY_DEBUG

Data directory for debug information.

IMAGE_DEBUG_DIRECTORY::Type values:

type IMAGE_DEBUG_TYPE_UNKNOWN
type IMAGE_DEBUG_TYPE_COFF
type IMAGE_DEBUG_TYPE_CODEVIEW
type IMAGE_DEBUG_TYPE_FPO
type IMAGE_DEBUG_TYPE_MISC
type IMAGE_DEBUG_TYPE_EXCEPTION
type IMAGE_DEBUG_TYPE_FIXUP
type IMAGE_DEBUG_TYPE_OMAP_TO_SRC
type IMAGE_DEBUG_TYPE_OMAP_FROM_SRC
type IMAGE_DEBUG_TYPE_BORLAND
type IMAGE_DEBUG_TYPE_RESERVED10
type IMAGE_DEBUG_TYPE_CLSID
type IMAGE_DEBUG_TYPE_VC_FEATURE
type IMAGE_DEBUG_TYPE_POGO
type IMAGE_DEBUG_TYPE_ILTCG
type IMAGE_DEBUG_TYPE_MPX
type IMAGE_DEBUG_TYPE_REPRO

type IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
type IMAGE_DIRECTORY_ENTRY_COPYRIGHT
type IMAGE_DIRECTORY_ENTRY_TLS

Data directory for image thread local storage.

type IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

Data directory for image load configuration.

type IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT

Data directory for image bound import table.

type IMAGE_DIRECTORY_ENTRY_IAT

Data directory for image Import Address Table.

type IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT

Data directory for the Delayed Import Table. The structure of the delayed import table is linker-dependent. The Microsoft version of delayed imports is described in the sources "delayimp.h" and "delayimp.cpp", which can be found in the MS Visual Studio 2008 CRT sources.

type IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Data directory for .NET headers.

Example: pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address != 0

type number_of_sections

Number of sections in the PE.

type sections

New in version 3.3.0.

A zero-based array of section objects, one for each section the PE has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

name

Section name.

full_name

If the name in the section table contains a slash (/) followed by a decimal number in ASCII, then this field contains the string at that offset in the string table. Otherwise, this field contains the same value as the name field.

Even though it is not standard, the MinGW and Cygwin compilers use this feature to store section names longer than 8 characters.

characteristics

Section characteristics.

virtual_address

Section virtual address.

virtual_size

Section virtual size.

raw_data_offset

Section raw offset.

raw_data_size

Section raw size.

pointer_to_relocations

New in version 3.8.0.

Value of IMAGE_SECTION_HEADER::PointerToRelocations.

pointer_to_line_numbers

New in version 3.8.0.

Value of IMAGE_SECTION_HEADER::PointerToLinenumbers.

number_of_relocations

New in version 3.8.0.

Value of IMAGE_SECTION_HEADER::NumberOfRelocations.

number_of_line_numbers

New in version 3.8.0.

Value of IMAGE_SECTION_HEADER::NumberOfLineNumbers.

Example: pe.sections[0].name == ".text"

Individual section characteristics can be inspected using a bitwise AND operation with the following constants:

type SECTION_NO_PAD
type SECTION_CNT_CODE
type SECTION_CNT_INITIALIZED_DATA
type SECTION_CNT_UNINITIALIZED_DATA
type SECTION_LNK_OTHER
type SECTION_LNK_INFO
type SECTION_LNK_REMOVE
type SECTION_LNK_COMDAT
type SECTION_NO_DEFER_SPEC_EXC
type SECTION_GPREL
type SECTION_MEM_FARDATA
type SECTION_MEM_PURGEABLE
type SECTION_MEM_16BIT
type SECTION_LNK_NRELOC_OVFL
type SECTION_MEM_LOCKED
type SECTION_MEM_PRELOAD
type SECTION_ALIGN_1BYTES
type SECTION_ALIGN_2BYTES
type SECTION_ALIGN_4BYTES
type SECTION_ALIGN_8BYTES
type SECTION_ALIGN_16BYTES
type SECTION_ALIGN_32BYTES
type SECTION_ALIGN_64BYTES
type SECTION_ALIGN_128BYTES
type SECTION_ALIGN_256BYTES
type SECTION_ALIGN_512BYTES
type SECTION_ALIGN_1024BYTES
type SECTION_ALIGN_2048BYTES
type SECTION_ALIGN_4096BYTES
type SECTION_ALIGN_8192BYTES
type SECTION_ALIGN_MASK
type SECTION_MEM_DISCARDABLE
type SECTION_MEM_NOT_CACHED
type SECTION_MEM_NOT_PAGED
type SECTION_MEM_SHARED
type SECTION_MEM_EXECUTE
type SECTION_MEM_READ
type SECTION_MEM_WRITE
type SECTION_SCALE_INDEX

Example: pe.sections[1].characteristics & pe.SECTION_CNT_CODE

type overlay

New in version 3.6.0.

A structure containing the following integer members:

offset

Overlay section offset. This is 0 for PE files that don't have overlaid data and undefined for non-PE files.

size

Overlay section size. This is 0 for PE files that don't have overlaid data and undefined for non-PE files.

Example: uint8(pe.overlay.offset) == 0x0d and pe.overlay.size > 1024

type number_of_resources

Number of resources in the PE.

type resource_timestamp

Resource timestamp. This is stored as an integer.

type resource_version

An object with two integer attributes, major and minor versions.

major

Major resource version.

minor

Minor resource version.

type resources

Changed in version 3.3.0.

A zero-based array of resource objects, one for each resource the PE has. Individual resources can be accessed by using the [] operator. Each resource object has the following attributes:

rva

The RVA of the resource data.

offset

Offset for the resource data. This can be undefined if the RVA is invalid.

length

Length of the resource data.

type

Type of the resource (integer).

id

ID of the resource (integer).

language

Language of the resource (integer).

type_string

Type of the resource as a string, if specified.

name_string

Name of the resource as a string, if specified.

language_string

Language of the resource as a string, if specified.

All resources must have a type, id (name), and language specified. They can be either an integer or string, but never both, for any given level.

Example: pe.resources[0].type == pe.RESOURCE_TYPE_RCDATA

Example: pe.resources[0].name_string == "F\x00I\x00L\x00E\x00"

Resource types can be inspected using the following constants:

type RESOURCE_TYPE_CURSOR
type RESOURCE_TYPE_BITMAP
type RESOURCE_TYPE_ICON
type RESOURCE_TYPE_MENU
type RESOURCE_TYPE_DIALOG
type RESOURCE_TYPE_STRING
type RESOURCE_TYPE_FONTDIR
type RESOURCE_TYPE_FONT
type RESOURCE_TYPE_ACCELERATOR
type RESOURCE_TYPE_RCDATA
type RESOURCE_TYPE_MESSAGETABLE
type RESOURCE_TYPE_GROUP_CURSOR
type RESOURCE_TYPE_GROUP_ICON
type RESOURCE_TYPE_VERSION
type RESOURCE_TYPE_DLGINCLUDE
type RESOURCE_TYPE_PLUGPLAY
type RESOURCE_TYPE_VXD
type RESOURCE_TYPE_ANICURSOR
type RESOURCE_TYPE_ANIICON
type RESOURCE_TYPE_HTML
type RESOURCE_TYPE_MANIFEST

For more information refer to:

http://msdn.microsoft.com/en-us/library/ms648009(v=vs.85).aspx

type version_info

New in version 3.2.0.

Dictionary containing the PE's version information. Typical keys are:

Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion

For more information refer to:

http://msdn.microsoft.com/en-us/library/windows/desktop/ms646987(v=vs.85).aspx

Example: pe.version_info["CompanyName"] contains "Microsoft"

type version_info_list

Array of structures containing information about the PE's version information.

key

Key of version information.

value

Value of version information.

Example: pe.version_info_list[0].value contains "Microsoft"

type number_of_signatures

Number of authenticode signatures in the PE.

type is_signed

True if any of the PE signatures is verified. Verified here means that the signature is formally correct: digests match, the signer's public key correctly verifies the encrypted digest, etc. It does not mean that the signer (and thus the signature) can be trusted, as no trust anchors are involved in the verification.

type signatures

A zero-based array of signature objects, one for each authenticode signature in the PE file. Usually PE files have a single signature.

thumbprint

New in version 3.8.0.

A string containing the thumbprint of the signature.

issuer

A string containing information about the issuer. These are some examples:

"/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Code Signing PCA"

"/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Code Signing 2010 CA"

"/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Code Signing CA 2"

subject

A string containing information about the subject.

version

Version number.

algorithm

String representation of the algorithm used for this signature. Usually "sha1WithRSAEncryption". It depends on the X.509 and PKCS#7 implementations and possibly their versions; consider using algorithm_oid instead.

algorithm_oid

Object ID of the algorithm used for this signature, expressed in numeric ASN.1 dot notation. The name contained in algorithm is derived from this value. The object id is expected to be stable across X.509 and PKCS#7 implementations and their versions.

For example, when using the current OpenSSL-based implementation:

algorithm_oid == "1.2.840.113549.1.1.11"

is functionally equivalent to:

algorithm == "sha1WithRSAEncryption"

serial

A string containing the serial number. This is an example:

"52:00:e5:aa:25:56:fc:1a:86:ed:96:c9:d4:4b:33:c7"

not_before

Unix timestamp on which the validity period for this signature begins.

not_after

Unix timestamp on which the validity period for this signature ends.

valid_on (timestamp)

Function returning true if the signature was valid on the date indicated by timestamp. The following sentence:

pe.signatures[n].valid_on(timestamp)

Is equivalent to:

timestamp >= pe.signatures[n].not_before and timestamp <= pe.signatures[n].not_after

verified

Boolean, true if the signature was successfully verified. More details about what verified means are given under the attribute pe.is_signed.

digest_alg

Name of the algorithm used for the file digest. Usually "sha1" or "sha256".

digest

Digest of the file signed in the signature.

file_digest

Calculated digest using digest_alg of the analysed file.

number_of_certificates

Number of the certificates stored in the signature, including the ones in countersignatures.

type certificates

A zero-based array of certificates stored in the signature, including the ones in countersignatures. The members of the certificates are identical to those already explained before, with the same name.

thumbprint
issuer
subject
version
algorithm
serial
not_before
not_after

type signer_info

Information about the signature signer.

program_name

Optional program name stored in the signature.

digest

Signed digest of the signature.

digest_alg

Algorithm used for the digest of the signature. Usually "sha1" or "sha256".

length_of_chain

Number of certificates in the signer's chain.

type chain

A zero-based array of certificates in the signer's chain. The members of the certificates are identical to those already explained before, with the same name.

thumbprint
issuer
subject
version
algorithm
serial
not_before
not_after

number_of_countersignatures

Number of the countersignatures of the signature.

type countersignatures

A zero-based array of the countersignatures of the signature. Almost always there is just a single one, the timestamp countersignature.

verified

Boolean, true if the countersignature was successfully verified. More details about what verified means are given under the attribute pe.is_signed.

sign_time

Integer: Unix time of the countersignature's signing time.

digest

Signed digest of the countersignature.

digest_alg

Algorithm used for the digest of the countersignature. Usually "sha1" or "sha256".

length_of_chain

Number of certificates in the countersigner's chain.

type chain

A zero-based array of certificates in the countersigner's chain. The members of the certificates are identical to those already explained before, with the same name.

thumbprint
issuer
subject
version
algorithm
serial
not_before
not_after

type rich_signature

Structure containing information about the PE's rich signature as documented here.

offset

Offset where the rich signature starts. It will be undefined if the file doesn't have a rich signature.

length

Length of the rich signature, not including the final "Rich" marker.

key

Key used to encrypt the data with XOR.

raw_data

Raw data as it appears in the file.

clear_data

Data after being decrypted by XORing it with the key.

version_data

New in version 4.3.0.

Version fields after being decrypted by XORing it with the key.

version(version, [toolid])

New in version 3.5.0.

Function returning the sum of the count values of all records whose version matches. Provide the optional toolid argument to count only records where both the version and the toolid match. More information can be found here:

http://www.ntcore.com/files/richsign.htm

Note: Prior to version 3.11.0, this function returned only a boolean value (0 or 1) indicating whether the given version (and optional toolid) was present in some record.

Example: pe.rich_signature.version(24215, 261) == 61

toolid(toolid, [version])

New in version 3.5.0.

Function returning the sum of the count values of all records whose toolid matches. Provide the optional version argument to count only records where both the toolid and the version match. More information can be found here:

http://www.ntcore.com/files/richsign.htm

Note: Prior to version 3.11.0, this function returned only a boolean value (0 or 1) indicating whether the given toolid (and optional version) was present in some record.

Example: pe.rich_signature.toolid(170, 40219) >= 99
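An added example (not YARA's code) of how the rich_signature fields fit together: a Rich header is built with a made-up key, decoded by walking back from the "Rich" marker to "DanS", and the version()/toolid() sums are computed from the decoded (toolid, version, count) records. The key and the records below are constructed values, not taken from any real binary.

```python
import struct

RICH = b"Rich"
DANS = b"DanS"


def build_rich_stub(key, entries):
    """Constructed Rich header laid out as a linker emits it in the DOS stub.
    entries: (toolid, version, count) triples. Everything before the "Rich" marker is
    XORed with key; the marker and the key that follows it are stored in clear."""
    words = [struct.unpack("<I", DANS)[0], 0, 0, 0]          # "DanS" plus three padding dwords
    for toolid_value, version_value, count in entries:
        words += [(toolid_value << 16) | version_value, count]  # compid = toolid:version, then use count
    body = b"".join(struct.pack("<I", w ^ key) for w in words)
    return body + RICH + struct.pack("<I", key)


def parse_rich(data):
    """Return offset, length, key, clear_data and the decoded records, or None if absent."""
    rich_at = data.find(RICH)
    if rich_at < 0 or rich_at + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_at + 4)[0]
    start = rich_at - 4
    while start >= 0:                                        # walk back until a dword decodes to "DanS"
        word = struct.unpack_from("<I", data, start)[0] ^ key
        if struct.pack("<I", word) == DANS:
            break
        start -= 4
    else:
        return None
    raw = data[start:rich_at]                                # raw_data: up to, not including, "Rich"
    key_stream = struct.pack("<I", key) * (len(raw) // 4)
    clear = bytes(b ^ k for b, k in zip(raw, key_stream))    # clear_data: XOR-decoded
    entries = []
    for off in range(16, len(clear), 8):                     # skip "DanS" and the three padding dwords
        compid, count = struct.unpack_from("<II", clear, off)
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return {"offset": start, "length": len(raw), "key": key,
            "clear_data": clear, "entries": entries}


def version(rich, version_value, toolid_value=None):
    """Sum of counts for records with this version (and toolid, if given), like version()."""
    return sum(c for t, v, c in rich["entries"]
               if v == version_value and (toolid_value is None or t == toolid_value))


def toolid(rich, toolid_value, version_value=None):
    """Sum of counts for records with this toolid (and version, if given), like toolid()."""
    return sum(c for t, v, c in rich["entries"]
               if t == toolid_value and (version_value is None or v == version_value))


KEY = 0x8A3F11C0                                             # constructed key
SAMPLE = (b"MZ" + b"\0" * 62                                 # 64-byte DOS header
          + build_rich_stub(KEY, [(261, 24215, 61), (170, 40219, 99), (170, 30729, 7)])
          + b"PE\0\0")
```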

type pdb_path

New in version 4.0.0.

Path of the PDB file for this PE if present.

Example: pe.pdb_path == "D:\workspace\2018_R9_RelBld\target\checkout\custprof\Release\custprof.pdb"

exports(function_name)

Function returning true if the PE exports function_name or false otherwise.

Example: pe.exports("CPlApplet")

exports(ordinal)

New in version 3.6.0.

Function returning true if the PE exports ordinal or false otherwise.

Example: pe.exports(72)

exports(/regular_expression/)

New in version 3.7.1.

Function returning true if the PE exports a function whose name matches regular_expression, or false otherwise.

Example: pe.exports(/^AXS@@/)

exports_index(function_name)

New in version 4.0.0.

Function returning the index into the export_details array of the named function, or undefined if it is not exported.

Example: pe.exports_index("CPlApplet")

exports_index(ordinal)

New in version 4.0.0.

Function returning the index into the export_details array of the exported ordinal, or undefined if it is not exported.

Example: pe.exports_index(72)

exports_index(/regular_expression/)

New in version 4.0.0.

Function returning the first index into the export_details array where the regular expression matches the exported name, undefined otherwise.

Example: pe.exports_index(/^ERS@@/)

type number_of_exports

New in version 3.6.0.

Number of exports in the PE.

type export_details

New in version 4.0.0.

Array of structures containing information about the PE's exports.

offset

Offset where the exported function starts.

name

Name of the exported function. It will be undefined if the function has no name.

forward_name

The name of the function where this export forwards to. It will be undefined if the export is not a forwarding export.

ordinal

The ordinal of the exported function, after the ordinal base has been applied to it.

type dll_name

New in version 4.0.0.

The name of the DLL, if it exists in the export directory.

type export_timestamp

New in version 4.0.0.

The timestamp at which the export data was created.

type number_of_imports

New in version 3.6.0.

Number of imported DLLs in the PE.

type number_of_imported_functions

New in version 4.1.0.

Number of imported functions in the PE.

type number_of_delayed_imports

New in version 4.2.0.

Number of delayed imported DLLs in the PE. (Number of IMAGE_DELAYLOAD_DESCRIPTOR parsed from file)

type number_of_delay_imported_functions

New in version 4.2.0.

Number of delayed imported functions in the PE.

imports(dll_name, function_name)

Function returning true if the PE imports function_name from dll_name, or false otherwise. dll_name is case insensitive.

Example: pe.imports("kernel32.dll", "WriteProcessMemory")

imports(dll_name)

New in version 3.5.0.

Changed in version 4.0.0.

Function returning the number of functions imported from dll_name. dll_name is case insensitive.

Note: Prior to version 4.0.0, this function returned only a boolean value indicating if the given DLL name was found in the PE imports. This change is backward compatible, as any number larger than 0 also evaluates as true.

Examples: pe.imports("kernel32.dll"), pe.imports("kernel32.dll") == 10

imports(dll_name, ordinal)

New in version 3.5.0.

Function returning true if the PE imports ordinal from dll_name, or false otherwise. dll_name is case insensitive.

Example: pe.imports("WS2_32.DLL", 3)

imports(dll_regexp, function_regexp)

New in version 3.8.0.

Changed in version 4.0.0.

Function returning the number of functions from the PE imports where a function name matches function_regexp and a DLL name matches dll_regexp. Both dll_regexp and function_regexp are case sensitive unless you use the "/i" modifier in the regexp, as shown in the example below.

Note: Prior to version 4.0.0, this function returned only a boolean value indicating if matching import was found or not. This change is backward compatible, as any number larger than 0 also evaluates as true.

Example: pe.imports(/kernel32.dll/i, /(Read|Write)ProcessMemory/) == 2

imports(import_flag, dll_name, function_name)

New in version 4.2.0.

Function returning true if the PE imports function_name from dll_name, or false otherwise. dll_name is case insensitive.

import_flag specifies which kind of imports YARA should search. It can be composed by bitwise ORing the following values:

pe.IMPORT_STANDARD

Search in standard imports

pe.IMPORT_DELAYED

Search in delayed imports

pe.IMPORT_ANY

Search in all imports

Example: pe.imports(pe.IMPORT_DELAYED | pe.IMPORT_STANDARD, "kernel32.dll", "WriteProcessMemory")

imports(import_flag, dll_name)

New in version 4.2.0.

Function returning the number of functions imported from dll_name in the selected import tables. dll_name is case insensitive.

Examples: pe.imports(pe.IMPORT_DELAYED, "kernel32.dll"), pe.imports("kernel32.dll") == 10

imports(import_flag, dll_name, ordinal)

New in version 4.2.0.

Function returning true if the PE imports ordinal from dll_name, or false otherwise. dll_name is case insensitive.

Example: pe.imports(pe.IMPORT_DELAYED, "WS2_32.DLL", 3)

imports(import_flag, dll_regexp, function_regexp)

New in version 4.2.0.

Function returning the number of functions from the PE imports where a function name matches function_regexp and a DLL name matches dll_regexp. Both dll_regexp and function_regexp are case sensitive unless you use the "/i" modifier in the regexp, as shown in the example below.

Example: pe.imports(pe.IMPORT_DELAYED, /kernel32.dll/i, /(Read|Write)ProcessMemory/) == 2

type import_details

New in version 4.2.0.

Array of structures containing information about the PE's import libraries.

library_name

Library name.

number_of_functions

Number of imported functions.

functions

Array of structures containing information about the PE's imported functions.

name

Name of the imported function.

ordinal

Ordinal of the imported function. If there is no ordinal, this value is YR_UNDEFINED.

rva

New in version 4.3.0.

Relative virtual address (RVA) of the imported function. If the RVA cannot be determined, this value is YR_UNDEFINED.

Example: pe.import_details[1].library_name == "library_name"

type delayed_import_details

New in version 4.2.0.

Array of structures containing information about the PE's delayed import libraries.

library_name

Library name.

number_of_functions

Number of imported functions.

functions

Array of structures containing information about the PE's delay-imported functions.

name

Name of the imported function.

ordinal

Ordinal of the imported function. If there is no ordinal, this value is YR_UNDEFINED.

rva

New in version 4.3.0.

Relative virtual address (RVA) of the imported function. If the RVA cannot be determined, this value is YR_UNDEFINED.

Example: pe.delayed_import_details[1].name == "library_name"

import_rva(dll, function)

New in version 4.3.0.

Function returning the RVA of an import that matches the DLL name and function name.

Example: pe.import_rva("PtImageRW.dll", "ord4") == 254924

import_rva(dll, ordinal)

New in version 4.3.0.

Function returning the RVA of an import that matches the DLL name and ordinal number.

Example: pe.import_rva("PtPDF417Decode.dll", 4) == 254924

delayed_import_rva(dll, function)

New in version 4.3.0.

Function returning the RVA of a delayed import that matches the DLL name and function name.

Example: pe.delayed_import_rva("QDB.dll", "ord116") == 6110705

delayed_import_rva(dll, ordinal)

New in version 4.3.0.

Function returning the RVA of a delayed import that matches the DLL name and ordinal number.

Example: pe.delayed_import_rva("QDB.dll", 116) == 6110705

locale(locale_identifier)

New in version 3.2.0.

Function returning true if the PE has a resource with the specified locale identifier. Locale identifiers are 16-bit integers and can be found here:

http://msdn.microsoft.com/en-us/library/windows/desktop/dd318693(v=vs.85).aspx

Example: pe.locale(0x0419) // Russian (RU)

language(language_identifier)

New in version 3.2.0.

Function returning true if the PE has a resource with the specified language identifier. Language identifiers are 8-bit integers and can be found here:

http://msdn.microsoft.com/en-us/library/windows/desktop/dd318693(v=vs.85).aspx

Example: pe.language(0x0A) // Spanish

imphash()

New in version 3.2.0.

Function returning the import hash, or imphash, for the PE. The imphash is an MD5 hash of the PE's import table after some normalization. The imphash for a PE can also be computed with pefile, and you can find more information in Mandiant's blog. The returned hash string is always in lowercase.

Example: pe.imphash() == "b8bb385806b89680e13fc0cf24f4431e"
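Added example (not the pe module's implementation) of the normalization behind the imphash, following the pefile algorithm the page refers to: DLL names lowercased with a .dll/.ocx/.sys extension stripped, ordinals resolved to names where a lookup table exists (otherwise "ordN"), the dll.func tokens joined with commas in import-table order, then MD5. The ordinal table here is a constructed, partial one; pefile ships the full ones.

```python
import hashlib

# Partial ws2_32.dll ordinal table, constructed for this example from the well-known export
# ordinals; pefile carries complete tables for ws2_32.dll and oleaut32.dll.
WS2_32_ORDINALS = {3: "closesocket", 23: "socket", 115: "WSAStartup"}
ORDINAL_TABLES = {"ws2_32.dll": WS2_32_ORDINALS, "wsock32.dll": WS2_32_ORDINALS}
STRIPPED_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_import(dll, func):
    """One 'dll.func' token. func is an export name (str) or an ordinal (int)."""
    dll = dll.lower()
    if isinstance(func, int):
        # Ordinal imports are mapped back to a name where a table exists, so a binary
        # importing closesocket by name and one importing ws2_32!3 hash identically.
        func = ORDINAL_TABLES.get(dll, {}).get(func, "ord%d" % func)
    base = dll
    for ext in STRIPPED_EXTENSIONS:
        if base.endswith(ext):
            base = base[: -len(ext)]
            break
    return "%s.%s" % (base, func.lower())


def import_string(imports):
    """The normalized, comma-joined string that is actually hashed."""
    return ",".join(normalize_import(dll, func) for dll, func in imports)


def imphash(imports):
    """imports: iterable of (dll_name, name_or_ordinal) in import-table order.
    Order matters: the same imports in a different order give a different hash."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


# Constructed import table (not from a real sample): a name, a ws2_32 ordinal, an unknown ordinal.
SAMPLE_IMPORTS = [("KERNEL32.DLL", "WriteProcessMemory"), ("WS2_32.DLL", 3), ("user32.dll", 500)]
```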

section_index(name)

Function returning the index into the sections array of the section called name. name is case sensitive.

Example: pe.section_index(".TEXT")

section_index(addr)

New in version 3.3.0.

Function returning the index into the sections array of the section containing addr. addr can be an offset into the file or a memory address.

Example: pe.section_index(pe.entry_point)

type is_pe

New in version 3.8.0.

True if the file is a PE.

Example: pe.is_pe

is_dll()

New in version 3.5.0.

Function returning true if the PE is a DLL.

Example: pe.is_dll()

is_32bit()

New in version 3.5.0.

Function returning true if the PE is 32-bit.

Example: pe.is_32bit()

is_64bit()

New in version 3.5.0.

Function returning true if the PE is 64-bit.

Example: pe.is_64bit()

rva_to_offset(addr)

New in version 3.6.0.

Function returning the file offset for RVA addr. Be careful to pass relative addresses here and not absolute addresses, like pe.entry_point when scanning a process.

Example: pe.rva_to_offset(pe.sections[0].virtual_address) == pe.sections[0].raw_data_offset

This example will make sure the offset for the virtual address in the first section equals the file offset for that section.
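A single added example (not the pe module's code) covering the characteristics and dll_characteristics bitmaps, the sections array, overlay and rva_to_offset(): a constructed PE32+ header is parsed using the standard layout and the corresponding checks are implemented over it. The overlay is defined here as the bytes past the end of the last section's raw data, which is an assumption about how YARA derives pe.overlay; the flag values are the PE/COFF ones.

```python
import struct

# Flag values from the PE/COFF specification, named as the pe module names them.
RELOCS_STRIPPED = 0x0001
DLL = 0x2000
DYNAMIC_BASE = 0x0040
NX_COMPAT = 0x0100
GUARD_CF = 0x4000
SECTION_MEM_EXECUTE = 0x20000000
SECTION_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Read the header fields and section table this example needs (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size, characteristics = struct.unpack_from("<HH", data, fh + 16)
    opt = fh + 20                                          # IMAGE_OPTIONAL_HEADER
    dll_characteristics = struct.unpack_from("<H", data, opt + 0x46)[0]  # same offset in PE32/PE32+
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va,
            "raw_data_size": rsize, "raw_data_offset": roff,
            "characteristics": struct.unpack_from("<I", data, hdr + 36)[0],
        })
    return {"characteristics": characteristics,
            "dll_characteristics": dll_characteristics, "sections": sections}


def rva_to_offset(pe, rva):
    """File offset backing an RVA, or None when the RVA maps to nothing on disk."""
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_data_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            if delta >= s["raw_data_size"]:
                return None   # zero-filled tail (e.g. .bss): mapped in memory, absent from the file
            return s["raw_data_offset"] + delta
    return None


def overlay(pe, data):
    """(offset, size) of bytes appended after the last section's raw data; (0, 0) if none."""
    end = max((s["raw_data_offset"] + s["raw_data_size"] for s in pe["sections"]), default=0)
    if end == 0 or end >= len(data):
        return 0, 0
    return end, len(data) - end


def mitigations(pe):
    """Mitigation flags as a rule would test them with pe.characteristics / pe.dll_characteristics."""
    c, d = pe["characteristics"], pe["dll_characteristics"]
    return {
        # DYNAMIC_BASE alone is not enough: an image whose relocations were stripped cannot be rebased.
        "aslr": bool(d & DYNAMIC_BASE) and not (c & RELOCS_STRIPPED),
        "dep": bool(d & NX_COMPAT),
        "cfg": bool(d & GUARD_CF),
        "is_dll": bool(c & DLL),
    }


def wx_sections(pe):
    """Names of sections that are both writable and executable, a common packer tell."""
    wx = SECTION_MEM_WRITE | SECTION_MEM_EXECUTE
    return [s["name"] for s in pe["sections"] if s["characteristics"] & wx == wx]


def build_sample():
    """Constructed PE32+ image with two sections and 64 bytes of overlay; not a runnable binary."""
    opt_size = 0xF0
    buf = bytearray(0x200 + 0x400 + 0x200 + 64)            # headers, .text raw, .data raw, overlay
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # Machine AMD64, 2 sections, no symbols, SizeOfOptionalHeader, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x8664, 2, 0, 0, 0, opt_size, 0x0022)
    opt = 0x98
    struct.pack_into("<H", buf, opt, 0x20B)                # IMAGE_NT_OPTIONAL_HDR64_MAGIC
    struct.pack_into("<I", buf, opt + 16, 0x1010)          # AddressOfEntryPoint: 0x10 into .text
    struct.pack_into("<H", buf, opt + 0x46, DYNAMIC_BASE | NX_COMPAT | GUARD_CF)
    sec = opt + opt_size
    struct.pack_into("<8sIIIIIIHHI", buf, sec, b".text", 0x3F0, 0x1000, 0x400, 0x200,
                     0, 0, 0, 0, 0x60000020)               # CNT_CODE | MEM_EXECUTE | MEM_READ
    struct.pack_into("<8sIIIIIIHHI", buf, sec + 40, b".data", 0x800, 0x2000, 0x200, 0x600,
                     0, 0, 0, 0, 0xE0000040)               # INITIALIZED_DATA | EXECUTE | READ | WRITE (W+X on purpose)
    return bytes(buf)
```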