From de77a930cbefcb697b0f3054ea3f464a9b046050 Mon Sep 17 00:00:00 2001
From: Ero Carrera
Date: Mon, 24 May 2021 15:36:56 +0200
Subject: [PATCH] Fixes for issue #322, #321, and #318
* Fixed is_driver(), I was comparing bytes to decoded strings.
* Add test for is_driver() check
* Fixed some types in warning messages
* Made Python >=3.6 a requirement
---
 pefile.py | 8 ++++----
 setup.py | 1 +
 tests/pefile_test.py | 6 ++++++
 3 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/pefile.py b/pefile.py
index 8763ab3..456bc8c 100644
--- a/pefile.py
+++ b/pefile.py
@@ -3967,7 +3967,7 @@ def parse_delay_import_directory(self, rva, size):
 if error_count > 5:
 self.__warnings.append(
- 'Too may errors parsing the Delay import directory. '
+ 'Too many errors parsing the Delay import directory. '
 'Invalid import data at RVA: 0x{0:x}'.format(rva)
 )
 break
@@ -4084,7 +4084,7 @@ def parse_import_directory(self, rva, size, dllnames_only=False):
 if error_count > 5:
 self.__warnings.append(
- 'Too may errors parsing the import directory. '
+ 'Too many errors parsing the import directory. '
 'Invalid import data at RVA: 0x{0:x}'.format(rva)
 )
 break
@@ -5743,11 +5743,11 @@ def is_driver(self):
 system_DLLs = set((b'ntoskrnl.exe', b'hal.dll', b'ndis.sys', b'bootvid.dll', b'kdcom.dll'))
 if system_DLLs.intersection(
- [imp.dll.decode('utf-8', 'ignore').lower() for imp in self.DIRECTORY_ENTRY_IMPORT]):
+ [imp.dll.lower() for imp in self.DIRECTORY_ENTRY_IMPORT]):
 return True
 driver_like_section_names = set(
- ('page', 'paged'))
+ (b'page', b'paged'))
 if driver_like_section_names.intersection(
 [section.Name.lower().rstrip(b'\x00') for section in self.sections]) and (
 self.OPTIONAL_HEADER.Subsystem in (
diff --git a/setup.py b/setup.py
index 7fc8f8a..81c48bf 100755
--- a/setup.py
+++ b/setup.py
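Review bot: Nothing in the new `is_driver()` lines records that both sides of each `intersection()` must be `bytes`, which is the invariant this fix restores: a `str`/`bytes` mismatch does not raise, it yields an empty set and the heuristic quietly reports a false negative. I would add a comment above `system_DLLs`, for example `# imp.dll and section.Name are bytes: keep every literal here as bytes, a str entry never matches and fails silently`. Because the names are read from the parsed file, which may be malformed, it is also worth confirming that `imp.dll` can never be `None` at this point, since `.lower()` would raise on it. The body of `is_driver()` starts and ends outside this hunk.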
@@ -86,6 +86,7 @@ def run(self):
 long_description = "\n".join(_read_doc().split('\n')),
 cmdclass={"test": TestCommand},
 py_modules = ['pefile', 'peutils'],
+ python_requires=">=3.6.0",
 packages = ['ordlookup'],
 install_requires=[
 'future',
diff --git a/tests/pefile_test.py b/tests/pefile_test.py
index 2b43114..c37b832 100644
--- a/tests/pefile_test.py
+++ b/tests/pefile_test.py
@@ -477,6 +477,12 @@ def test_driver_check(self):
 # Ensure the rebased image is the same as the pre-generated one.
 self.assertEqual(pe_fast.is_driver(), pe_full.is_driver())
+ control_file_pe = os.path.join(
+ REGRESSION_TESTS_DIR, 'issue_322_plaso_test_driver.sys')
+
+ pe = pefile.PE(control_file_pe, fast_load=False)
+ self.assertEqual(pe.is_driver(), True)
+
 def test_rebased_image(self):
 """Test correctness of rebased images"""
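Review bot: `install_requires` still lists `'future'` directly below the new `python_requires=">=3.6.0"` line in the setup.py hunk. That package exists to bridge Python 2 and 3, so once Python 2 is excluded it is probably dead weight, and every install-time dependency is one more package to trust. Whether `pefile.py` still imports from it is not visible here; if it does not, drop the `'future',` entry in the same change. The `setup()` call starts and ends outside the hunk.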
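Review bot: The assertion added to `test_driver_check` covers only a positive result, and the hunk does not show which branch of `is_driver()` the sample reaches, so the second fix in this commit (the `b'page'`, `b'paged'` section-name set) may still be untested. A negative control would pin the other direction, for example `self.assertFalse(pefile.PE(<non-driver sample>).is_driver())` using a sample already in the regression directory. The diffstat lists three files and none of them is `issue_322_plaso_test_driver.sys`, so unless the fixture is shipped through another channel this test errors when opening the file rather than failing on the assertion. `test_driver_check` starts above the hunk.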