Script to extract Windows PE files (EXE, DLL, SYS, unknown) from a given PE, byte blob, memory dump or a similar data structure.
It addresses some of the drawbacks of other tools:
- Extraction support for signed PE files
- Multi file scan support (e.g. for automatically created memory dumps)
- Skip (likely) incomplete page sized PEs from automatically created memory dumps
- Proper extraction of PE files where the last section's SizeOfRawData value doesn't account for the overall file size
- Support for XORed PE files
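The sizing logic behind the signed-PE, incomplete-page and last-section points above, as an added Python example (not pe_extract.py's own code): each candidate image is measured by the larger of its last section's raw-data end and the end of the Authenticode certificate table (whose data-directory entry is a file offset, not an RVA), and an image whose declared size runs past the blob is flagged incomplete. The build_test_pe helper and its layout are constructed here purely for testing.

```python
import struct

def _pe_extent(blob, base):
    """Declared on-disk size of the PE at blob[base:], or 0 if not a PE."""
    try:
        pe = base + struct.unpack_from("<I", blob, base + 0x3C)[0]   # e_lfanew
        if blob[pe:pe + 4] != b"PE\0\0":
            return 0
        nsec = struct.unpack_from("<H", blob, pe + 6)[0]
        opt = pe + 24
        magic = struct.unpack_from("<H", blob, opt)[0]
        if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
            return 0
        dirs = opt + (96 if magic == 0x10B else 112)         # data directories
        ndirs = struct.unpack_from("<I", blob, dirs - 4)[0]
        sec_hdr = opt + struct.unpack_from("<H", blob, pe + 20)[0]
        end = sec_hdr + nsec * 40 - base                     # headers at least
        for i in range(nsec):                                # last section end
            raw, ptr = struct.unpack_from("<II", blob, sec_hdr + i * 40 + 16)
            end = max(end, ptr + raw)
        if ndirs > 4:               # security dir: file offset of Authenticode blob
            off, size = struct.unpack_from("<II", blob, dirs + 4 * 8)
            end = max(end, off + size)
        return end
    except struct.error:                                     # header past blob end
        return 0

def carve_pe(blob):
    """(offset, carved_size, complete) per PE in blob; complete=False means truncated."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        end, avail = _pe_extent(blob, pos), len(blob) - pos
        if end:
            found.append((pos, min(end, avail), end <= avail))
        pos = blob.find(b"MZ", pos + (min(end, avail) or 1))
    return found

def build_test_pe(signed=True):
    """Constructed PE32: one section at 0x200..0x400, optional 0x100-byte cert table."""
    img = bytearray(0x500 if signed else 0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)             # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x54, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x148, 0x200, 0x200)        # SizeOfRawData, PointerToRawData
    if signed:                                               # IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", img, 0x58 + 96 + 32, 0x400, 0x100)
    return bytes(img)
```

Carving a blob made of a signed image, some junk, an unsigned image and a page-truncated copy returns three hits, the last flagged incomplete.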
The script has the following options:
    usage: pe_extract.py [-h] [-s] [-o] [-a] [-v] input

    Extract EXE, DLL, SYS and unknown PE(s) from byte blob(s).

    positional arguments:
      input                 Input file/folder (absolute path).

    options:
      -h, --help            show this help message and exit
      -s, --skip-xor-extraction
                            Skip extraction of simple XORed PE files.
      -o, --extract-pe-overlays
                            Extract also possible PE overlay data (unreliable).
      -a, --extract-all     Extract also (likely) incomplete PEs from memory page size dumps.
      -v, --verbose-output  Show detailed output.
For example, to extract all PE files from the memory dump memory_dump.bin:

    python pe_extract.py C:\memory_dump.bin

The script will create a folder in the same directory as the input file containing the extracted PE files.