How do I modify the TimeDateStamp field in a PE file header?

Published 2024-09-28 22:56:34


I am writing a Python program to modify the compile time of a PE file. From my research, the compile time is stored in the file header under the TimeDateStamp field. However, I have only managed to find ways to read the TimeDateStamp value.

For example:

import pefile

filename = "C:/Users/User/Desktop/test.exe"
pe = pefile.PE(filename)
# TimeDateStamp lives in IMAGE_FILE_HEADER (pefile exposes it as FILE_HEADER)
print("TimeDateStamp: "+hex(pe.FILE_HEADER.TimeDateStamp))

How can I edit the TimeDateStamp field in the PE file header?


Tags: file, method, test, import, program, time, filename, exe

2 answers

I found a way to modify the TimeDateStamp field in the PE file header by slightly modifying the code in getPETimeStamp.py created by @geudrik.

Python 3

import pefile
from binascii import hexlify

# Reference: https://github.com/deptofdefense/SalSA/wiki/PE-File-Format
def getTimeDateStamp(filename):
    pe = pefile.PE(filename)
    print("TimeDateStamp: "+hex(pe.FILE_HEADER.TimeDateStamp))

# Reference: https://gist.github.com/geudrik/03152ba1a148d9475e81
def writeTimeDateStamp(filename, newTimeDateStamp):
    # newTimeDateStamp must be the 4-byte little-endian encoding of the DWORD
    if len(newTimeDateStamp) != 4:
        print("newTimeDateStamp must be exactly 4 bytes")
        return
    # Open file in read/write binary mode r+b
    try:
        filehandle = open(filename, 'r+b')
        # Check that the file starts with the DOS "MZ" magic
        if hexlify(filehandle.read(2)) != hexlify(bytes('MZ', encoding="utf8")):
            filehandle.close()
            print("File is not in PE format!")
            return
    except Exception as e:
        print(e)
        return

    # Find the offset of the TimeDateStamp and write into it
    try:
        # Get PE offset (e_lfanew, DWORD @60) from the DOS header
        #   It's little-endian so we have to flip it
        #   We also need the HEX representation which is an INT value
        filehandle.seek(60, 0)
        offset = filehandle.read(4)
        offset = hexlify(offset[::-1])

        # Guard against a short read (file truncated before offset 64).
        # hexlify returns bytes in Python 3, so comparing with the str '' would
        # never match; test for emptiness instead, otherwise int(offset, 16) raises
        #   ValueError: invalid literal for int() with base 16: ''
        #   https://stackoverflow.com/questions/11826054/valueerror-invalid-literal-for-int-with-base-16-x0e-xa3-python
        #   https://stackoverflow.com/questions/20375706/valueerror-invalid-literal-for-int-with-base-10-python
        if not offset:
            print("offset is empty")
            filehandle.close()
            return
        offset = int(offset, 16)

        # TimeDateStamp is the third DWORD of the NT headers:
        #   Signature (4) + Machine (2) + NumberOfSections (2) = +8
        filehandle.seek(offset+8, 0)
        filehandle.write(newTimeDateStamp)
        filehandle.close()
    except Exception as e:
        filehandle.close()
        print(e)
        return

getTimeDateStamp("test.exe")
# Changing TimeDateStamp field to 0x5c4570dd (written as little-endian bytes)
writeTimeDateStamp("test.exe", bytes.fromhex('dd70455c'))
getTimeDateStamp("test.exe")

With the code above, the TimeDateStamp field is changed to 5c4570dd.
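The answer above walks the DOS header to e_lfanew and writes four bytes at e_lfanew + 8. The following is an added example (not part of the answer or of geudrik's gist) that does the same thing with only the standard library, but bounds-checks each step so that a non-MZ file, a truncated file, or a bogus e_lfanew fails with a clear ValueError instead of the empty-offset problem the answer worked around. The PE image it operates on is constructed in memory by `build_sample_pe` for the purpose of this example; it is not a real executable, and the helper names are my own.

```python
import os
import struct
import tempfile

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C        # DWORD in IMAGE_DOS_HEADER pointing at "PE\0\0"
FILE_HEADER_SIZE = 20         # sizeof(IMAGE_FILE_HEADER)
TIMESTAMP_REL_OFFSET = 8      # Signature(4) + Machine(2) + NumberOfSections(2)


def build_sample_pe(timestamp):
    """Construct a minimal PE-shaped byte string (sample data for this example,
    not a real executable): 64-byte DOS header with e_lfanew = 0x80, zero-filled
    DOS stub, "PE\\0\\0", IMAGE_FILE_HEADER, zero-filled optional header."""
    e_lfanew = 0x80
    dos_header = DOS_MAGIC + b"\x00" * 58 + struct.pack("<I", e_lfanew)  # 64 bytes
    dos_stub = b"\x00" * (e_lfanew - len(dos_header))
    # Machine=AMD64, NumberOfSections=1, TimeDateStamp, PointerToSymbolTable=0,
    # NumberOfSymbols=0, SizeOfOptionalHeader=0xF0, Characteristics=0x0022
    file_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x0022)
    return dos_header + dos_stub + PE_SIGNATURE + file_header + b"\x00" * 0xF0


def timedatestamp_offset(data):
    """Return the file offset of IMAGE_FILE_HEADER.TimeDateStamp or raise ValueError.
    Every read is bounds-checked, so truncated or non-PE input cannot produce an
    empty e_lfanew or an out-of-range seek."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + len(PE_SIGNATURE) + FILE_HEADER_SIZE > len(data):
        raise ValueError("e_lfanew 0x%x points past end of file" % e_lfanew)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew 0x%x" % e_lfanew)
    return e_lfanew + TIMESTAMP_REL_OFFSET


def looks_like_pe(data):
    """True if the MZ/PE header chain validates, False otherwise."""
    try:
        timedatestamp_offset(data)
        return True
    except ValueError:
        return False


def read_timedatestamp(data):
    return struct.unpack_from("<I", data, timedatestamp_offset(data))[0]


def write_timedatestamp(data, new_ts):
    """Return a copy of data with TimeDateStamp replaced (little-endian DWORD)."""
    if not 0 <= new_ts <= 0xFFFFFFFF:
        raise ValueError("timestamp must fit in an unsigned 32-bit field")
    buf = bytearray(data)
    struct.pack_into("<I", buf, timedatestamp_offset(data), new_ts)
    return bytes(buf)


def patch_file_timedatestamp(path, new_ts):
    """Patch the field in place on disk; return (old, new) as read back from the file."""
    with open(path, "r+b") as fh:
        data = fh.read()
        off = timedatestamp_offset(data)
        old = struct.unpack_from("<I", data, off)[0]
        fh.seek(off)
        fh.write(struct.pack("<I", new_ts))
    with open(path, "rb") as fh:
        new = read_timedatestamp(fh.read())
    return old, new


def demo_roundtrip_on_disk(old_ts=0x5C4570DD, new_ts=1348054607):
    """Write the constructed sample to a temp file, patch it, return (old, new)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(build_sample_pe(old_ts))
        return patch_file_timedatestamp(path, new_ts)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("TimeDateStamp before/after: %08x -> %d" % demo_roundtrip_on_disk())
```

Two caveats a practitioner should keep in mind. First, this writes only IMAGE_FILE_HEADER.TimeDateStamp; a PE can carry further timestamps (for example in the debug directory), and patching just this field leaves them disagreeing, which is exactly what forensic tooling looks for. Second, if the file is Authenticode-signed, any byte change in the headers invalidates the signature.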

pefile supports writing the modified file back out, which avoids dealing with the NT header offset yourself:

import pefile

pe = pefile.PE("test.exe")
pe.FILE_HEADER.TimeDateStamp = 1348054607
pe.write("new.exe")

Also, your code didn't work for me either.
