Esempio n. 1
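 def _pesize(self, pe: PE) -> int:
     """
     Estimate the size of a PE file from its headers.

     The result is the largest of four file offsets: the overlay start
     reported by pefile, the end of the raw data of any section, the end of
     any RVA-addressed data directory, and the end of the certificate table.

     NOTE(review): every operand is read from header fields of the parsed
     file and nothing here compares the result with the real buffer length.
     Callers working on untrusted samples should clamp the value themselves;
     confirm against the call sites.
     """
     security_index = DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']
     directories = pe.OPTIONAL_HEADER.DATA_DIRECTORY
     overlay = pe.get_overlay_data_start_offset() or 0
     # default=0 keeps a file without any sections from raising ValueError.
     maxaddr = max(
         (s.PointerToRawData + s.SizeOfRawData for s in pe.sections),
         default=0)
     # The security directory stores a file offset, not an RVA, so it must
     # not go through RVA translation; it is accounted for by certend below.
     maxdata = max(
         (pe.get_offset_from_rva(d.VirtualAddress) + d.Size
          for index, d in enumerate(directories)
          if index != security_index),
         default=0)
     # The certificate overlay is given as a file offset
     # rather than a virtual address.
     if security_index < len(directories):
         cert = directories[security_index]
         certend = cert.VirtualAddress + cert.Size
     else:
         # A truncated directory table has no certificate entry at all.
         certend = 0
     self.log_debug(F'overlay at 0x{overlay:08X}')
     self.log_debug(F'maxaddr at 0x{maxaddr:08X}')
     self.log_debug(F'maxdata at 0x{maxdata:08X}')
     self.log_debug(F'certend at 0x{certend:08X}')
     return max(overlay, maxaddr, maxdata, certend)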
Esempio n. 2
    def get_overlay(self, pe: pefile.PE) -> dict:
        """Describe the overlay of a parsed PE file.

        The overlay start is whatever pefile reports; the size is the number
        of bytes from that offset to the end of the raw file buffer. Both
        values are rendered as zero-padded lowercase hex strings.

        @return: dict with "offset" and "size", or None when there is no PE
                 object, the offset lookup raised, or pefile reports no overlay.
        """
        if pe:
            try:
                start = pe.get_overlay_data_start_offset()
            except Exception:
                # Every exception lands here, not only a missing method on an
                # old pefile, so this message may also hide a parsing failure
                # on a malformed sample.
                log.error(
                    "Your version of pefile is out of date.  "
                    "Please update to the latest version on https://github.com/erocarrera/pefile"
                )
                return None

            if start is not None:
                remaining = len(pe.__data__) - start
                return {"offset": f"0x{start:08x}", "size": f"0x{remaining:08x}"}

        return None