# Copyright (c) 2013 Geir Skjotskift
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Read PE files and check for properties. The result is reported through the exit code, for easy scripting.
pefile - https://code.google.com/p/pefile/
argparse - (included in Python >= 2.7)
Both can be installed via easy_install:
# easy_install pefile
# easy_install argparse
usage: pecantrip.py [-h] [-v] [-i | -e | -w] FILE
positional arguments:
FILE Name of the file to check
optional arguments:
-h, --help show this help message and exit
-v, --verbose Verbose output to stderr
-i, --imports exit code 1 if no import table, or 2 if this is not a PE
file
-e, --exports exit code 1 if no export table, or 2 if this is not a PE
file
-w, --warnings exit code 1 if there are PE parsing warnings, or 2 if this is
not a PE file
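#!/usr/bin/env bash
#
# EXAMPLE USAGE : pecantrip.py
#
# Sort files based on missing import table.
#
# Every regular file below the current directory is handed to
# `pecantrip.py -i`, and its exit status decides where the file goes:
#   0 -> good/     (import table present)
#   1 -> bad/      (no import table)
#   2 -> unknown/  (not a PE file)
# Any other status (for example 127 when pecantrip.py is not on PATH)
# leaves the file where it is and is reported on stderr instead of being
# silently ignored.
#
# The three destination directories must not exist yet; the script exits
# with status 1 if one of them does, so an earlier run's output is never
# mixed with this one. Files found in subdirectories are flattened into
# the destination directory and a later file with the same basename
# overwrites an earlier one, exactly as the original loop did.
set -euo pipefail

#######################################
# Create one destination directory, refusing to reuse an existing one.
# Arguments: $1 - directory name
# Outputs:   diagnostic on stderr when the directory cannot be created
# Returns:   0 on success; exits 1 on failure
#######################################
make_bucket() {
  local dir=$1
  # mkdir's own error text is suppressed as in the original; the only
  # expected failure here is that the directory is already present.
  if ! mkdir -- "$dir" 2>/dev/null; then
    printf "Directory '%s' already exists. Exiting\n" "$dir" >&2
    exit 1
  fi
}

#######################################
# Classify a single file with pecantrip.py and move it to its bucket.
# Arguments: $1 - path of the file as produced by `find .`; it always
#                 starts with "./", so it can never be parsed as an option
# Outputs:   warning on stderr for an unexpected pecantrip.py status
# Returns:   0, or aborts the script (set -e) if mv itself fails
#######################################
sort_file() {
  local f=$1
  local rv=0
  # Capture the status explicitly so a non-zero result (the normal case
  # for "bad"/"unknown" files) does not trip set -e.
  pecantrip.py -i "$f" || rv=$?
  case "$rv" in
    0) mv -- "$f" good/ ;;
    1) mv -- "$f" bad/ ;;
    2) mv -- "$f" unknown/ ;;
    *) printf 'pecantrip.py exited %d for %s; file left in place\n' "$rv" "$f" >&2 ;;
  esac
}

main() {
  make_bucket good
  make_bucket bad
  make_bucket unknown
  # NUL-delimited traversal keeps names with spaces or newlines intact.
  # The three buckets are pruned so that a file moved a moment ago is not
  # rediscovered and classified a second time while find is still running.
  while IFS= read -r -d '' f; do
    sort_file "$f"
  done < <(find . \( -path ./good -o -path ./bad -o -path ./unknown \) -prune \
    -o -type f -print0)
}

main "$@"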