检测PE文件是否有额外数据

tests/test_pe_size.py

@@ -0,0 +1,19 @@
+# coding:utf8
+
+from pathlib import Path
+from xanalyzer.file import FileAnalyzer
+from xanalyzer.file_process.pe import PeAnalyzer
+
+
+cur_dir_path = Path(__file__).parent
+
+
+def test_pe_size():
+    pe_path = cur_dir_path / 'test_data' / 'HelloCSharp.exe_append_data_'
+
+    pe_analyzer = PeAnalyzer(pe_path)
+    pe_size = pe_analyzer.get_pe_size()
+    assert pe_size == 0x1200
+
+    file_analyzer = FileAnalyzer(pe_path)
+    assert file_analyzer.file_size == 0x1205

xanalyzer/file_process/pe.py

@@ -1,9 +1,9 @@
 # coding:utf8
 
-from datetime import datetime
+import os
 import pefile
 import peutils
-
+from datetime import datetime
 from signify.authenticode.signed_pe import SignedPEFile
 
 from xanalyzer.config import Config
@@ -21,6 +21,14 @@ def __init__(self, file_path):
     def __del__(self):
         self.pe_file.close()
 
+    def get_pe_size(self):
+        """
+        计算真实PE大小
+        """
+        last_section = self.pe_file.sections[-1]
+        pe_size = last_section.PointerToRawData + last_section.SizeOfRawData
+        return pe_size
+
     def get_versioninfo(self):
         """Get version info.
         @return: info dict or None.
@@ -108,6 +116,15 @@ def verify_cert(self):
                 log.error('{}'.format(e))
         return cert_info_list
 
+    def pe_size_scan(self):
+        """
+        判断文件大小是否和纯PE匹配，是否有多余数据
+        """
+        file_size = os.path.getsize(self.file_path)
+        pe_size = self.get_pe_size()
+        if file_size != pe_size:
+            log.warning(f'weird size: file_size {file_size}, pe_size {pe_size}')
+
     def compile_time_scan(self):
         """
         查看编译时间
@@ -171,6 +188,7 @@ def cert_scan(self):
                     log.warning('   Verify result: {}'.format(verify_result))
 
     def run(self):
+        self.pe_size_scan()
         self.compile_time_scan()
         self.pdb_scan()
         self.versioninfo_scan()