Create a gist now

Instantly share code, notes, and snippets.

Script to discover interesting exports in DLLs.
#!/usr/bin/env python
# Script to discover interesting exports in DLLs.
# You can use this script in any way you want.
import os, pefile, re, collections
# Globals
dll_root_dir = 'c:/Windows'
interesting_copyright_re = re.compile('Microsoft')
cpp_fname_re = re.compile('[@_]')
min_interesting_func_len = 40
len_stats = collections.defaultdict(int)
max_func_name_len = 60
# Checks file extension for dll
def is_a_dll(file_name):
return os.path.splitext(file_name)[-1].lower() == '.dll'
# Returns LegalCopyright property (or the empty string)
def get_copyright(pe_obj):
copyrights = [t[1] for e in getattr(pe_obj, 'FileInfo', [])
for s in getattr(e, 'StringTable', [])
for t in s.entries.items() if t[0] == u'LegalCopyright']
if len(copyrights) == 0:
return ''
return copyrights[0].encode('iso-8859-15', 'replace')
# Checks if this is a "system" DLL (by groking the Copyright string)
def is_interesting_dll(file_name):
p = pefile.PE(file_name)
return != None
except pefile.PEFormatError:
return False
# Identifies suspected C++ish exports
def is_cpp_kinda_export(func_name):
return != None
# Checks for exports with long names
def is_interesting_export(func_name):
return len(func_name) >= min_interesting_func_len
def dump_exports(file_name):
p = pefile.PE(file_name)
for e in p.DIRECTORY_ENTRY_EXPORT.symbols:
if != None and not is_cpp_kinda_export(
len_stats[len(] += 1
if is_interesting_export(
print '%d, %s, %s' % (len(,, file_name)
except (AttributeError, pefile.PEFormatError):
def walk_dir_for_interesting_function_names(root):
pefile.fast_load = True
for (dirpath, dirnames, filenames) in os.walk(root):
for f in filenames:
f = os.path.join(dirpath, f)
if is_a_dll(f) and is_interesting_dll(f):
# Dump Stats
file('func_len_stats', 'w').writelines([("%d, %d\n" % (i, len_stats[i])) for i in range(max_func_name_len)])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment