I'm writing a Python program to modify the compile time of a PE file. According to my research, the compile time is stored in the file header under the TimeDateStamp field. However, I have only managed to find a way to read the TimeDateStamp value.
For example:
import pefile
filename = "C:/Users/User/Desktop/test.exe"
pe = pefile.PE(filename)
print("TimeDateStamp: " + hex(pe.FILE_HEADER.TimeDateStamp))
How can I instead edit the "timestamp" field in the PE file header?
I found a way to modify the timestamp field in the PE file header by slightly modifying the getPETimeStamp.py code created by @geudrik.
Python 3
import pefile
from binascii import hexlify

# Reference: https://github.com/deptofdefense/SalSA/wiki/PE-File-Format
def getTimeDateStamp(filename):
    pe = pefile.PE(filename)
    print("TimeDateStamp: " + hex(pe.FILE_HEADER.TimeDateStamp))

# Reference: https://gist.github.com/geudrik/03152ba1a148d9475e81
def writeTimeDateStamp(filename, newTimeDateStamp):
    # Open the file in read/write binary mode (r+b)
    try:
        filehandle = open(filename, 'r+b')
        # Check that the opened file is a Portable Executable (DOS "MZ" magic)
        if hexlify(filehandle.read(2)) != hexlify(bytes('MZ', encoding="utf8")):
            filehandle.close()
            print("File is not in PE format!")
            return
    except Exception as e:
        print(e)
        return

    # Find the offset of the TimeDateStamp and write into it
    try:
        # Get the PE header offset (e_lfanew, DWORD @ 60) from the DOS header
        # It's little-endian so we have to flip it
        # We also need the HEX representation, which is an INT value
        filehandle.seek(60, 0)
        offset = filehandle.read(4)
        offset = hexlify(offset[::-1])
        # This was added due to an issue with offset being set to '' on rare occasions (see comments below)
        # hexlify() returns bytes in Python 3, so the empty value to compare against is b'', not ''
        if offset == b'':
            print("offset is empty")
            filehandle.close()
            return
        # ValueError: invalid literal for int() with base 16: ''
        # https://stackoverflow.com/questions/11826054/valueerror-invalid-literal-for-int-with-base-16-x0e-xa3-python
        # https://stackoverflow.com/questions/20375706/valueerror-invalid-literal-for-int-with-base-10-python
        # This indicates that for some reason, 'offset' from above is being set as '' and thus can't be converted to a base 16 int
        offset = int(offset, 16)
        # Seek to the PE header and write the second DWORD after the signature:
        # Signature (4) + Machine (2) + NumberOfSections (2) = 8 bytes in
        filehandle.seek(offset + 8, 0)
        filehandle.write(newTimeDateStamp)
        filehandle.close()
    except Exception as e:
        print(e)
        filehandle.close()
        return

getTimeDateStamp("test.exe")
# Change the TimeDateStamp field to 0x5c4570dd (written as little-endian bytes)
writeTimeDateStamp("test.exe", bytes.fromhex('dd70455c'))
getTimeDateStamp("test.exe")
Using the code above, the TimeDateStamp field is changed to 5c4570dd.
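The same header walk as an added, self-contained example (not part of the answer above, and not from pefile or @geudrik's gist): it checks both the DOS "MZ" magic and the "PE\0\0" signature before reading or patching the field, which the snippet above skips, and runs offline against a constructed header-only image. The function names and the sample image are my own.

```python
import struct

PE_SIGNATURE = b"PE\0\0"

def _pe_header_offset(data: bytes) -> int:
    """Return e_lfanew after validating the DOS header and the PE signature."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ magic)")
    # e_lfanew: little-endian DWORD at offset 60 of the DOS header
    (e_lfanew,) = struct.unpack_from("<I", data, 60)
    # Need Signature (4) + Machine (2) + NumberOfSections (2) + TimeDateStamp (4)
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("e_lfanew does not point at a PE\\0\\0 signature")
    return e_lfanew

def read_timestamp(data: bytes) -> int:
    """TimeDateStamp is the DWORD at e_lfanew + 8 (after Signature, Machine, NumberOfSections)."""
    off = _pe_header_offset(data)
    (ts,) = struct.unpack_from("<I", data, off + 8)
    return ts

def write_timestamp(data: bytes, new_ts: int) -> bytes:
    """Return a copy of the image with TimeDateStamp replaced (stored little-endian)."""
    off = _pe_header_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off + 8, new_ts)
    return bytes(buf)

def make_sample_image(ts: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed header-only test image (assumption: not a real executable)."""
    buf = bytearray(e_lfanew + 24)  # signature + 20-byte COFF file header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 60, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    # Machine=0x8664 (x64), NumberOfSections=3, TimeDateStamp=ts
    struct.pack_into("<HHI", buf, e_lfanew + 4, 0x8664, 3, ts)
    return bytes(buf)

if __name__ == "__main__":
    img = make_sample_image(0x5C4570DD)
    print("before:", hex(read_timestamp(img)))
    patched = write_timestamp(img, 1348054607)
    print("after:", read_timestamp(patched))
```

Because the field is read back through the same validated offset, a wrong e_lfanew (for example one pointing into a non-PE file) raises instead of silently writing four bytes somewhere else.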
pefile supports writing the modified image back out, and this doesn't require handling the NT header offset:
import pefile
pe = pefile.PE("test.exe")
pe.FILE_HEADER.TimeDateStamp = 1348054607
pe.write("new.exe")
Also, your code doesn't work for me.
Have you tried using a hex editor? You can easily modify any value of any field, provided you know the field's offset.
I believe the TimeDateStamp field is 2 bytes from the NumberOfSections field, which is 2 bytes from the Machine field.
It's simple.