pefile is a multi-platform Python module to parse and work with Portable Executable (PE) files. Most of the information contained in the PE file headers is accessible, as well as all the sections' details and data.
The structures defined in the Windows header files will be accessible as attributes in the PE instance. The naming of fields/attributes will try to adhere to the naming scheme in those headers. Only shortcuts added for convenience will depart from that convention.
pefile requires some basic understanding of the layout of a PE file — with it, it's possible to explore nearly every single feature of the PE file format.
To install pefile through pip:
pip3 install pefile
Some of the tasks that pefile makes possible are:
Please, refer to Usage Examples for some code snippets that demonstrate how to use pefile.
Here are a few examples of what a dump produced with pefile looks like for different types of files:
To work with authenticated binaries, including Authenticode signatures, please check the project verify-sigs.
pefile runs in several pipelines scanning hundreds of thousands of new PE files every day, and, while not perfect, it has grown to be pretty robust over time. That being said, small glitches are found now and then. If you bump into a PE that does not appear to be processed correctly, do report it, please! It will help make pefile a tiny bit more powerful.
pefile is self-contained. The module has no dependencies; it is endianness independent; and it works on OS X, Windows, and Linux.
Prompted by the move to GitHub, the need to support Python 3 in addition to resolving a slew of pending issues (some having to do with the old versioning scheme), pefile has changed its version number scheme and from now on it will be using the release date as its version.
PDFs of posters depicting the PE file format:
The following links provide detailed information about the PE format and its structures.