中的时间戳

Python读取PE文件(exe/dll)中的时间戳,

代码原文地址:

 

直接上代码吧,引用过来以防链接失效:

 1 #! /usr/bin/env python2.7
 2 #
 3 # Author: Pat Litke (C) 2014
 4 #
 5 # This code is free software: you can redistribute it and/or modify
 6 # it under the terms of the GNU Affero General Public License as
 7 # published by the Free Software Foundation, either version 3 of the
 8 # License, or (at your option) any later version.
 9 #
10 # This code is distributed in the hope that it will be useful,
11 # but WITHOUT ANY WARRANTY; without even the implied warranty of
12 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13 # GNU General Public License for more details.
14 #
15 # You should have received a copy of the GNU Affero General Public License
16 # along with Baku.  If not, see <http://www.gnu.org/licenses/>.
17 #
18 # Description:
19 # Quick and dirty module to read a binary file, look at the DOS header for the PE offset
20 #   Seek to the PE offset, read the third DWORD in, unpack it, and return either EPOCH or GMTIMEs
21 #
22 # Returns 1 if the file doesn't havea a DOS header
23 # Returns 2 if file couldn't be read
24 # Returns the data in epoch or formatted otherwise
25 
26 from struct import unpack
27 from binascii import hexlify
28 from time import gmtime, strftime
29 
30 def getEpoch(filePath, epoch = True):
31     
32     # Open the file in Binary mode
33     try:
34         handle = open(filePath, 'rb')
35         if hexlify(handle.read(2)) != hexlify(u'MZ'):
36             handle.close()
37             return 1
38     except:
39         return 2
40 
41     # Get PE offset (@60, DWORD) from DOS header
42     #    It's little-endian so we have to flip it
43     #    We also need the HEX representation which is an INT value
44     handle.seek(60, 0)
45     offset = handle.read(4)
46     offset = hexlify(offset[::-1])
47     offset = int(offset, 16)
48 
49     # Seek to PE header and read second DWORD
50     handle.seek(offset+8, 0)
51     dword = handle.read(4)
52     handle.close()
53     t = unpack(">L", dword[::-1])[0]
54 
55     if epoch:
56         return t
57     else:
58         return strftime('%Y-%m-%d %H:%M:%S', gmtime(float(t)))
59 
60 
61 
62 def getUTC(filePath):
63     return getEpoch(filepath, False)
64 
65 def getBoth(filePath):
66     return [getEpoch(filepath), getEpoch(filepath, False)]

 

 

如果想修改这个时间戳,按照上述规则,pack后写入即可,另外其中53行那句有些麻烦,其实这么写就可以了:t
= unpack(“<L”, dword)[0] ,即按照小端直接解码即可。

代码原文地址:

标签:

相关文章

发表评论

电子邮件地址不会被公开。 必填项已用*标注

网站地图xml地图