Python: module PyPeLoader

PyPeLoader (version 1.0.0)

This package implements a basic PE loader in python to load executables in memory.

Classes



builtins.object

ImportFunction

class ImportFunction(builtins.object)

    ImportFunction(name: Union[int, str], module_name: str, module: int, address: int, import_address: int, module_container: str, hook: Callable = None, count_call: int = 0) -> None This dataclass store informations about a import function.

Methods defined here:

__eq__(self, other)
Return self==value.

__init__(self, name: Union[int, str], module_name: str, module: int, address: int, import_address: int, module_container: str, hook: Callable = None, count_call: int = 0) -> None
Initialize self.  See help(type(self)) for accurate signature.

__repr__(self)
Return repr(self).

Data descriptors defined here:

__dict__

dictionary for instance variables (if defined)

__weakref__

list of weak references to the object (if defined)

Data and other attributes defined here:

__annotations__ = {'address': <class 'int'>, 'count_call': <class 'int'>, 'hook': typing.Callable, 'import_address': <class 'int'>, 'module': <class 'int'>, 'module_container': <class 'str'>, 'module_name': <class 'str'>, 'name': typing.Union[int, str]}

__dataclass_fields__ = {'address': Field(name='address',type=<class 'int'>,default=...appingproxy({}),kw_only=False,_field_type=_FIELD), 'count_call': Field(name='count_call',type=<class 'int'>,defau...appingproxy({}),kw_only=False,_field_type=_FIELD), 'hook': Field(name='hook',type=typing.Callable,default=N...appingproxy({}),kw_only=False,_field_type=_FIELD), 'import_address': Field(name='import_address',type=<class 'int'>,d...appingproxy({}),kw_only=False,_field_type=_FIELD), 'module': Field(name='module',type=<class 'int'>,default=<...appingproxy({}),kw_only=False,_field_type=_FIELD), 'module_container': Field(name='module_container',type=<class 'str'>...appingproxy({}),kw_only=False,_field_type=_FIELD), 'module_name': Field(name='module_name',type=<class 'str'>,defa...appingproxy({}),kw_only=False,_field_type=_FIELD), 'name': Field(name='name',type=typing.Union[int, str],de...appingproxy({}),kw_only=False,_field_type=_FIELD)}

__dataclass_params__ = _DataclassParams(init=True,repr=True,eq=True,order=False,unsafe_hash=False,frozen=False)

__hash__ = None

__match_args__ = ('name', 'module_name', 'module', 'address', 'import_address', 'module_container', 'hook', 'count_call')

count_call = 0

hook = None

Functions

get_imports(pe_headers: PyPeLoader.PeHeaders, ImageBase: int, module_container: str) -> List[PyPeLoader.ImportFunction]
This function returns imports for a in memory module, this function loads modules (DLL) when is not loaded to get the module address and functions addresses required in the ImportFunction.

get_peb() -> PyPeLoader.PEB
This function gets PEB from NtQueryInformationProcess.

load(file: _io._BufferedIOBase) -> None
This function does all steps to load and execute the PE program in memory.

load_headers(file: _io._BufferedIOBase) -> PyPeLoader.PeHeaders
This function returns all PE headers structure from file.

load_imports(functions: List[PyPeLoader.ImportFunction]) -> None
This function loads imports (DLL, libraries), finds the functions addresses and write them in the IAT (Import Address Table).

load_in_memory(file: _io._BufferedIOBase, pe_headers: PyPeLoader.PeHeaders) -> int
This function loads the PE program in memory using the file and all PE headers.

load_relocations(pe_headers: PyPeLoader.PeHeaders, ImageBase: int) -> None
This function overwrites the relocations with the difference between image base in memory and image base in PE headers.

main() -> int
This is the main function to start the program from command line.

modify_executable_path_name(peb: PyPeLoader.PEB, module_name: str, fullpath: str) -> None
This function modify the executable module path and name.

modify_process_informations(peb: PyPeLoader.PEB, executable_path: str, command_line: str) -> None
This function modify the unicode strings for command line and executable full path.

set_command_lines(command_line: str) -> None
This function modify ANSI and Unicode command lines in Win32 API.

Data

__all__ = ['main', 'load', 'load_headers', 'load_in_memory', 'load_imports', 'get_imports', 'load_relocations', 'ImportFunction', 'get_peb', 'modify_process_informations', 'modify_executable_path_name', 'set_command_lines']
__author_email__ = 'mauricelambert434@gmail.com'
__copyright__ = '\nPyPeLoader Copyright (C) 2025 Maurice Lambert...ome to redistribute it\nunder certain conditions.\n'
__description__ = '\nThis package implements a basic PE loader in python to\nload executables in memory.\n'
__license__ = 'GPL-3.0 License'
__maintainer__ = 'Maurice Lambert'
__maintainer_email__ = 'mauricelambert434@gmail.com'
__url__ = 'https://github.com/mauricelambert/PyPeLoader'

Author

Maurice Lambert

Data
		__all__ = ['main', 'load', 'load_headers', 'load_in_memory', 'load_imports', 'get_imports', 'load_relocations', 'ImportFunction', 'get_peb', 'modify_process_informations', 'modify_executable_path_name', 'set_command_lines'] __author_email__ = 'mauricelambert434@gmail.com' __copyright__ = '\nPyPeLoader Copyright (C) 2025 Maurice Lambert...ome to redistribute it\nunder certain conditions.\n' __description__ = '\nThis package implements a basic PE loader in python to\nload executables in memory.\n' __license__ = 'GPL-3.0 License' __maintainer__ = 'Maurice Lambert' __maintainer_email__ = 'mauricelambert434@gmail.com' __url__ = 'https://github.com/mauricelambert/PyPeLoader'