-
|
Is there a more concise way to use the API to get to section header metadata than the following? I don't want to use anything but the API and Python's core modules. import struct
image_base = bv.start
dos_header = binaryninja.StructuredDataView(bv, 'DOS_Header', image_base)
(e_lfanew, ) = struct.unpack('I', dos_header.e_lfanew.value)
coff_header_offset = e_lfanew + image_base
coff_header = binaryninja.StructuredDataView(bv, 'COFF_Header', coff_header_offset)
coff_header_len = sum([len(coff_header[member].value) for member in list(coff_header._members.keys())])
(num_sections, ) = struct.unpack('H', coff_header.numberOfSections.value)
(opt_header_size, ) = struct.unpack('H', coff_header.sizeOfOptionalHeader.value)
section_header_offset = coff_header_offset + coff_header_len + opt_header_size
cursor = section_header_offset
sections_bn = dict()
for section_number in range(num_sections):
section_header = binaryninja.StructuredDataView(bv, 'Section_Header', cursor)
section_header_len = sum([len(section_header[member].value) for member in list(section_header._members.keys())])
section_name = section_header.name.value.strip(b'\x00').decode()
(virtual_address, ) = struct.unpack('I', section_header.virtualAddress.value)
(ptr2raw, ) = struct.unpack('I', section_header.pointerToRawData.value)
sections_bn[section_name] = {
'virtual_address': virtual_address,
'ptr2raw': ptr2raw
}
cursor += section_header_lenThe following performs the same task, but fewer lines of code (and pefile): pe = pefile.PE('sample.exe')
sections_pefile = dict()
for section in pe.sections:
name = section.Name.strip(b'\x00').decode()
sections_pefile[name] = {
'virtual_address': section.VirtualAddress,
'ptr2raw': section.PointerToRawData
} |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments
-
|
First improvement: use num_sections = sum([1 if s.semantics != 4 else 0 for s in bv.sections.values()])This excludes https://api.binary.ninja/binaryninja.enums-module.html#binaryninja.enums.SectionSemantics Second improvement: use The resulting code is: import struct
num_sections = sum([1 if s.semantics != 4 else 0 for s in bv.sections.values()])
cursor = bv.symbols['__section_headers'][0].address
sections = dict()
for section_number in range(num_sections):
section_header = binaryninja.StructuredDataView(bv, 'Section_Header', cursor)
section_header_len = sum([len(section_header[member].value) for member in list(section_header._members.keys())])
section_name = section_header.name.value.strip(b'\x00').decode()
(virtual_address, ) = struct.unpack('I', section_header.virtualAddress.value)
(ptr2raw, ) = struct.unpack('I', section_header.pointerToRawData.value)
sections[section_name] = {
'virtual_address': virtual_address,
'ptr2raw': ptr2raw
}
cursor += section_header_len |
Beta Was this translation helpful? Give feedback.
-
|
Got it! section_header_address = bv.symbols['__section_headers'][0].address
section_headers = bv.get_data_var_at(section_header_address).value
sections = dict()
for section_header in section_headers:
section_name = section_header['name'].strip(b'\x00').decode()
sections[section_name] = {
'virtual_address': section_header['virtualAddress'],
'ptr2raw': section_header['pointerToRawData']
} |
Beta Was this translation helpful? Give feedback.
-
|
The StructuredDataView api is deprecated and you should use the |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! I had just learned about the deprecation over here: I think I got most of it. The section_header_address = bv.get_symbol_by_raw_name('__section_headers').address
section_headers = bv.get_data_var_at(section_header_address).value
sections = dict()
for section_header in section_headers:
section_name = section_header['name'].strip(b'\x00').decode()
sections[section_name] = {
'virtual_address': section_header['virtualAddress'],
'ptr2raw': section_header['pointerToRawData']
} |
Beta Was this translation helpful? Give feedback.
The StructuredDataView api is deprecated and you should use the
TypedDataAccessorinstead. Its far more convenient.