In this article, I am sharing with you a small Python script that lets you detect if a file is an executable file and what platform the executable is targeting.

The following formats for 32 bits and 64bits processors are supported:

Mach-O files: both regular and universal formats
Windows PE files
Linux ELF files

The script

#---------------------------------------------------------------------

EXEFLAG_NONE = 0x0000

EXEFLAG_LINUX = 0x0001

EXEFLAG_WINDOWS = 0x0002

EXEFLAG_MACOS = 0x0004

EXEFLAG_MACOS_FAT = 0x0008

EXEFLAG_32BITS = 0x0010

EXEFLAG_64BITS = 0x0020

# Keep signatures sorted by size

_EXE_SIGNATURES = (

("\x4D\x5A", EXEFLAG_WINDOWS),

("\xCE\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_32BITS),

("\xCF\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_64BITS),

("\xBE\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_32BITS | EXEFLAG_MACOS_FAT),

("\xBF\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_64BITS | EXEFLAG_MACOS_FAT),

("\x7F\x45\x4C\x46\x01", EXEFLAG_LINUX | EXEFLAG_32BITS),

("\x7F\x45\x4C\x46\x02", EXEFLAG_LINUX | EXEFLAG_64BITS)

)

def get_exeflags(filepath):

try:

with open(filepath, "rb") as f:

buf = ""

buf_len = 0

for sig, flags in _EXE_SIGNATURES:

sig_len = len(sig)

if buf_len < sig_len:

buf += f.read(sig_len - buf_len)

buf_len = sig_len

if buf == sig:

return flags

except:

pass

return EXEFLAG_NONE

#--------------------------------------------------------------------- EXEFLAG_NONE = 0x0000 EXEFLAG_LINUX = 0x0001 EXEFLAG_WINDOWS = 0x0002 EXEFLAG_MACOS = 0x0004 EXEFLAG_MACOS_FAT = 0x0008 EXEFLAG_32BITS = 0x0010 EXEFLAG_64BITS = 0x0020 # Keep signatures sorted by size _EXE_SIGNATURES = ( ("\x4D\x5A", EXEFLAG_WINDOWS), ("\xCE\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_32BITS), ("\xCF\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_64BITS), ("\xBE\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_32BITS | EXEFLAG_MACOS_FAT), ("\xBF\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_64BITS | EXEFLAG_MACOS_FAT), ("\x7F\x45\x4C\x46\x01", EXEFLAG_LINUX | EXEFLAG_32BITS), ("\x7F\x45\x4C\x46\x02", EXEFLAG_LINUX | EXEFLAG_64BITS) ) def get_exeflags(filepath): try: with open(filepath, "rb") as f: buf = "" buf_len = 0 for sig, flags in _EXE_SIGNATURES: sig_len = len(sig) if buf_len < sig_len: buf += f.read(sig_len - buf_len) buf_len = sig_len if buf == sig: return flags except: pass return EXEFLAG_NONE

#---------------------------------------------------------------------
EXEFLAG_NONE        = 0x0000
EXEFLAG_LINUX       = 0x0001
EXEFLAG_WINDOWS     = 0x0002
EXEFLAG_MACOS       = 0x0004
EXEFLAG_MACOS_FAT   = 0x0008
EXEFLAG_32BITS      = 0x0010
EXEFLAG_64BITS      = 0x0020

# Keep signatures sorted by size
_EXE_SIGNATURES = (
    ("\x4D\x5A", EXEFLAG_WINDOWS),
    ("\xCE\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_32BITS),
    ("\xCF\xFA\xED\xFE", EXEFLAG_MACOS | EXEFLAG_64BITS),
    ("\xBE\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_32BITS | EXEFLAG_MACOS_FAT),
    ("\xBF\xBA\xFE\xCA", EXEFLAG_MACOS | EXEFLAG_64BITS | EXEFLAG_MACOS_FAT),
    ("\x7F\x45\x4C\x46\x01", EXEFLAG_LINUX | EXEFLAG_32BITS),
    ("\x7F\x45\x4C\x46\x02", EXEFLAG_LINUX | EXEFLAG_64BITS)
)

def get_exeflags(filepath):
    try:
        with open(filepath, "rb") as f:
            buf = ""
            buf_len = 0
            for sig, flags in _EXE_SIGNATURES:
                sig_len = len(sig)
                if buf_len < sig_len:
                    buf += f.read(sig_len - buf_len)
                    buf_len = sig_len

                if buf == sig:
                    return flags
    except:
        pass

    return EXEFLAG_NONE

Continue reading “Detect executable format using Python”

Tag: example

Detect executable format using Python

The script

Like this:

Introduction to writing x64 assembly in Visual Studio

Like this:

Introducing COMPEL: A command based interpreter and programming language

Like this:

The script

Share this:

Like this:

Share this:

Like this:

Share this:

Like this: