Created
April 9, 2025 08:09
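"""Recover a PE payload hidden in the pixels of an image and report its type.

Usage: python <script> <image>

The image is walked column by column (x outer, y inner). The red, green and
blue values of every pixel are appended, in that order, to a byte buffer; any
further channel (for example alpha) is ignored. The buffer is then identified
with libmagic and reported when the description starts with "PE32".

The input is normally an untrusted sample: Pillow and libmagic both parse
attacker-controlled data here, so run this inside an isolated analysis
environment. Nothing is written to disk; the decoded bytes stay in memory.
"""
import struct
import sys

import magic
from PIL import Image

if len(sys.argv) < 2:
    sys.exit(f"usage: {sys.argv[0]} <image>")

# bytearray instead of bytes: `bytes +=` copies the whole buffer for every
# pixel, which is quadratic in the image size.
img_data = bytearray()

# Context managers so the sample's file handle and the decoder are released
# even when decoding raises part-way through.
with open(sys.argv[1], "rb") as sample, Image.open(sample) as img:
    for x in range(img.width):
        # As soon as at least two bytes are decoded the DOS header magic can
        # be checked; stop early instead of decoding an image that carries no
        # executable.
        if len(img_data) >= 2 and not img_data.startswith(b"MZ"):
            print("Not a valid PE file")
            break
        for y in range(img.height):
            # NOTE(review): assumes a multi-band image (RGB/RGBA). For palette
            # or greyscale modes getpixel() returns a single int and this
            # unpacking raises TypeError — confirm the sample's mode.
            r, g, b, *_ = img.getpixel((x, y))
            img_data += struct.pack("<BBB", r, g, b)

# Hand libmagic an immutable bytes object rather than the bytearray.
if (file_type := magic.from_buffer(bytes(img_data))).startswith("PE32"):
    print("Extracted stage2:", file_type)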