def _pesize(self, pe: PE) -> int: overlay = pe.get_overlay_data_start_offset() or 0 maxaddr = max(s.PointerToRawData + s.SizeOfRawData for s in pe.sections) maxdata = max( pe.get_offset_from_rva(d.VirtualAddress) + d.Size for d in pe.OPTIONAL_HEADER.DATA_DIRECTORY) # The certificate overlay is given as a file offset # rather than a virtual address. cert = pe.OPTIONAL_HEADER.DATA_DIRECTORY[ DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_SECURITY']] certend = cert.VirtualAddress + cert.Size self.log_debug(F'overlay at 0x{overlay:08X}') self.log_debug(F'maxaddr at 0x{maxaddr:08X}') self.log_debug(F'maxdata at 0x{maxdata:08X}') self.log_debug(F'certend at 0x{certend:08X}') return max(overlay, maxaddr, maxdata, certend)
def get_overlay(self, pe: pefile.PE) -> dict: """Get information on the PE overlay @return: overlay dict or None. """ if not pe: return None try: off = pe.get_overlay_data_start_offset() except Exception: log.error( "Your version of pefile is out of date. " "Please update to the latest version on https://github.com/erocarrera/pefile" ) return None if off is None: return None return { "offset": f"0x{off:08x}", "size": f"0x{len(pe.__data__) - off:08x}" }