Last active
February 28, 2022 20:25
-
-
Save wizche/d1741a4fd14cc1b0bc2f6a8abbc553fe to your computer and use it in GitHub Desktop.
Generate summary of UNWIND_INFO versions on all DLLs in System32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import pefile | |
| import os | |
| search_path = "C:\Windows\System32" | |
| files = 0 | |
| totals = {} | |
| for file in os.listdir(search_path): | |
| if file.endswith(('.exe', '.dll')): | |
| pe = pefile.PE(os.path.join(search_path, file)) | |
| pe.parse_data_directories( directories=[ | |
| pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXCEPTION'] ]) | |
| versions = {} | |
| if not hasattr(pe, 'DIRECTORY_ENTRY_EXCEPTION'): | |
| continue | |
| for ex in pe.DIRECTORY_ENTRY_EXCEPTION: | |
| if ex.unwindinfo.Version not in versions: | |
| versions[ex.unwindinfo.Version] = 0 | |
| versions[ex.unwindinfo.Version] += 1 | |
| print(f"{file}: {', '.join([f'{key}: {value}' for key, value in versions.items()])}") | |
| for key, value in versions.items(): | |
| if not key in totals: | |
| totals[key] = 0 | |
| totals[key] += value | |
| files+=1 | |
| print(totals) | |
| print(f"{files}: {', '.join([f'{key}: {value}' for key, value in totals.items()])}") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Results
Windows 11 Enterprise
Version 21H2, build 22000.438
3584: 1: 3868549, 2: 56237
Windows 10 Pro
Version 10.0.19044 Build 19044
3678: 1: 4290453, 2: 92231