Using Python to determine whether a file is a "PE file"

Source: Internet  Editor: 程序博客网  Time: 2024/06/06 09:27

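What is a PE file?

PE stands for Portable Executable. The common EXE, DLL, OCX, SYS and COM files are all PE files. PE files are the program files of the Microsoft Windows operating system (some are executed indirectly, such as DLLs).

How do you recognize a PE file?

1. First, a PE file always starts with MZ (0x4D5A).

2. Second, the value stored at offset 0x3C (E8 in the figure) points to a location whose value is PE (0x5045).

The code is as follows: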

```python
# coding: UTF-8
# Get all PE files of a directory (Python 3).
import os
import struct
import sys


def readFileChar(path):
    """Return the first two bytes as a little-endian integer, or None on error."""
    try:
        with open(path, "rb") as fileHandle:
            return struct.unpack("<H", fileHandle.read(2))[0]
    except (OSError, struct.error) as e:
        print(e)
        return None


def getShifting(path):
    """Return the two bytes that the value at 0x3C points to, or None on error."""
    try:
        with open(path, "rb") as fileHandle:
            # Get the value at address 0x3C (a 4-byte little-endian file offset).
            fileHandle.seek(60, 0)
            data_id = struct.unpack("<I", fileHandle.read(4))[0]
            # For a PE file the bytes at that offset are 0x50 0x45 ("PE").
            fileHandle.seek(data_id, 0)
            return struct.unpack("<H", fileHandle.read(2))[0]
    except (OSError, struct.error):
        return None


if __name__ == "__main__":
    paths = []   # paths: all files' paths
    pePath = []  # names of the files recognized as PE
    insPath = sys.argv[1]
    savefile = os.path.basename(os.path.normpath(insPath))
    # The result list is written to c:\<directory name>_PEfile.txt
    cur_path = os.path.abspath(os.path.join("c:\\", "%s_PEfile.txt" % savefile))
    with open(cur_path, "w") as savefileHandle:
        for root, dirs, files in os.walk(insPath):
            for file in files:
                path = os.path.join(root, file)
                paths.append(path)
                # 23117 == 0x5A4D ("MZ") and 17744 == 0x4550 ("PE"), read little-endian
                if readFileChar(path) == 23117 and getShifting(path) == 17744:
                    pePath.append(file)
                    print(path, "is ----------------->pe file ")
                    savefileHandle.write(file + "\n")
```
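The two checks above can be tightened for triage of untrusted files. The following is an added example, not code from the original post: it goes beyond the page's two checks by bounds-checking the offset stored at 0x3C, comparing the full 4-byte `PE\0\0` signature, and reading the COFF header that follows it. The names `classify_pe` and `build_sample` are hypothetical, and the sample inputs are constructed in the script.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def classify_pe(data):
    """Return (verdict, detail) for bytes read from the start of a file."""
    if len(data) < 0x40:
        return ("not-pe", "shorter than the 64-byte DOS header")
    if data[:2] != b"MZ":
        return ("not-pe", "no MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The 4-byte signature plus the 20-byte COFF header must fit in the data.
    if e_lfanew + 24 > len(data):
        return ("not-pe", "offset at 0x3C points outside the data")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return ("not-pe", "MZ header but no PE signature")
    machine, _, _, _, _, _, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    kind = "dll" if flags & IMAGE_FILE_DLL else "exe"
    return ("pe", "%s/%s" % (MACHINES.get(machine, hex(machine)), kind))


def build_sample(e_lfanew=0x80, sig=b"PE\x00\x00", machine=0x8664, flags=0x0022):
    """Constructed input: DOS header stub, 4-byte signature, COFF header."""
    buf = bytearray(e_lfanew + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = sig
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, machine, 0, 0, 0, 0, 0, flags)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "x64 exe": build_sample(),
        "x86 dll": build_sample(machine=0x014C, flags=0x2102),
        "16-bit NE": build_sample(sig=b"NE\x00\x00"),
        "truncated": build_sample()[:0x50],
        "text file": b"hello world\n" * 8,
    }
    for name, data in samples.items():
        print(name, "->", classify_pe(data))
```

A "pe" verdict only means the headers carry the PE signature; it does not validate the optional header or the section table.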

