{"id":2187,"library":"pefile","title":"pefile: Python PE Parsing Library","description":"pefile is a Python module for parsing and working with Portable Executable (PE) files, commonly found on Windows systems. It allows security analysts and developers to inspect various aspects of PE files, such as sections, imports, exports, resources, and header information. The library is actively maintained, with a recent release (2024.8.26) and frequent updates addressing bugs and adding features, primarily focusing on Python 3.","status":"active","version":"2024.8.26","language":"en","source_language":"en","source_url":"https://github.com/erocarrera/pefile","tags":["security","malware-analysis","pe-parser","windows","executable","forensics"],"install":[{"cmd":"pip install pefile","lang":"bash","label":"Install pefile"}],"dependencies":[],"imports":[{"symbol":"PE","correct":"import pefile\npe = pefile.PE('path/to/executable.exe')"},{"note":"Useful for catching errors when parsing non-PE or malformed files.","symbol":"PEFormatError","correct":"from pefile import PEFormatError"}],"quickstart":{"code":"import pefile\nimport os\n\n# Create a dummy executable for demonstration if one doesn't exist\ndummy_exe_path = 'dummy_app.exe'\nif not os.path.exists(dummy_exe_path):\n    # This is not a real PE file, just a placeholder\n    with open(dummy_exe_path, 'wb') as f:\n        f.write(b'MZ\\x90\\x00\\x03\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\xff\\xff\\x00\\x00\\xb8\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x0e\\x1f\\xba\\x0e\\x00\\xb4\\x09\\xcd\\x21\\xb8\\x01\\x4c\\xcd\\x21This is a dummy executable file.')\n\n\ntry:\n    pe = pefile.PE(dummy_exe_path)\n    print(f\"[*] Successfully parsed: {dummy_exe_path}\")\n    print(f\"    Image Base: 0x{pe.OPTIONAL_HEADER.ImageBase:X}\")\n    print(f\"    Number of Sections: {pe.FILE_HEADER.NumberOfSections}\")\n\n    print(\"\\n[*] Sections:\")\n    for section in pe.sections:\n        print(f\"    Name: {section.Name.decode().strip(chr(0))}, Virtual Address: 0x{section.VirtualAddress:X}, Virtual Size: 0x{section.Misc_VirtualSize:X}\")\n\n    # Attempt to print imports if any (unlikely for a dummy file)\n    if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):\n        print(\"\\n[*] Imports:\")\n        for entry in pe.DIRECTORY_ENTRY_IMPORT:\n            print(f\"    DLL: {entry.dll.decode().strip(chr(0))}\")\n            for imp in entry.imports:\n                if imp.name:\n                    print(f\"        Function: {imp.name.decode().strip(chr(0))}\")\n                else:\n                    print(f\"        Ordinal: {imp.ordinal}\")\n\nexcept pefile.PEFormatError as e:\n    print(f\"[!] PEFormatError: {e}\")\nexcept Exception as e:\n    print(f\"[!] An unexpected error occurred: {e}\")\nfinally:\n    # Clean up the dummy file\n    if os.path.exists(dummy_exe_path):\n        os.remove(dummy_exe_path)\n\n","lang":"python","description":"This quickstart demonstrates how to initialize a `pefile.PE` object from a file, access its headers and sections, and iterate through basic structures like imports. It includes error handling for non-PE files."},"warnings":[{"fix":"Migrate your codebase to Python 3. `pefile` is now Python 3-only, with `future` dependency also removed in v2023.2.7.","message":"Python 2.x support was officially dropped starting with versions 2021.5.13 and 2021.9.2. Code written for Python 2 will require migration.","severity":"breaking","affected_versions":"<=2021.5.13"},{"fix":"Upgrade to `pefile` version 2024.8.26 or newer to ensure correct `PE.get_data()` behavior. If you relied on older behavior, review changes.","message":"A bug in `PE.get_data()` (fixed in v2024.8.26) could have led to incorrect data retrieval, especially when dealing with specific PE file structures or data overlays.","severity":"gotcha","affected_versions":"<2024.8.26"},{"fix":"Prefer using `pefile`'s public API methods (e.g., `get_data()`) rather than directly manipulating internal attributes like `__data__`. Upgrade to v2024.8.26 to benefit from internal stability fixes.","message":"The internal `__data__` attribute, which holds the raw file content, had issues with closing and reassignment fixed in v2024.8.26. While an internal detail, it might affect scenarios where `PE` objects are extensively modified or reused in memory.","severity":"gotcha","affected_versions":"<2024.8.26"},{"fix":"Always wrap `pefile.PE()` instantiation in a `try...except pefile.PEFormatError` block, and consider a broader `Exception` catch for unexpected issues, as shown in the quickstart.","message":"Due to the nature of PE files (which can be malformed, packed, or protected), `pefile` might raise `PEFormatError` or other exceptions for certain files. Robust error handling is crucial.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}