malstruct.windows package¶

Submodules¶

malstruct.windows.constants module¶

malstruct.windows.enums module¶

A central location to store common windows enumerations.

malstruct.windows.enums.RegHive(subcon)¶

Converts an integer to registry hive enum.

>>> RegHive(Int32ul).build("HKCU")
b'\x01\x00\x00\x80'
>>> str(RegHive(Int32ul).parse(b'\x01\x00\x00\x80'))
'HKCU'

malstruct.windows.enums.LanguageIdentifier(subcon)¶

Converts an integer to language identifer enum

>>> LanguageIdentifier(Int32ul).build("English (United States)")
b'\t\x04\x00\x00'
>>> str(LanguageIdentifier(Int32ul).parse(b"\x04\x08\x00\x00"))
'Chinese (PRC)'

malstruct.windows.enums.KnownFolderID(subcon)¶

Converts an integer to a CSIDL (KNownFolderID) value

>>> KnownFolderID(Int32ul).build("CSIDL_SYSTEM")
b'%\x00\x00\x00'
>>> str(KnownFolderID(Int32ul).parse(b"\x18\x00\x00\x00"))
'CSIDL_COMMON_STARTUP'

malstruct.windows.enums.AlgorithmID(subcon)¶

Converts an integer to an AlgorithmID value

>>> str(AlgorithmID(Int16ul).parse(b"\x00\xa4"))
'CALG_RSA_KEYX'
>>> AlgorithmID(Int16ul).build("CALG_RC4")
b'\x01h'

malstruct.windows.structures module¶

A central location to store common windows enumerations.

malstruct.windows.structures.PEFILE_HEADER = <Struct>¶: WINSOCK STRUCTURES

malstruct.windows.structures.SOCKADDR_IN_L = <Struct>¶: CRYPTO STRUCTURES

malstruct.windows.structures.PRIVATEKEYBLOB = <Struct>¶: TIME STRUCTURES

class malstruct.windows.structures.SystemTimeAdapter(subcon, tzinfo=None)¶

Bases: Adapter

Adapter to convert SYSTEMTIME structured data to datetime.datetime ISO format.

>>> SystemTimeAdapter(SYSTEMTIME).parse(b'\xdd\x07\t\x00\x03\x00\x12\x00\t\x00.\x00\x15\x00\xf2\x02')
'2013-09-18T09:46:21.754000'
>>> SystemTimeAdapter(SYSTEMTIME, tzinfo=datetime.timezone.utc).parse(b'\xdd\x07\t\x00\x03\x00\x12\x00\t\x00.\x00\x15\x00\xf2\x02')
'2013-09-18T09:46:21.754000+00:00'

class malstruct.windows.structures.FileTimeAdapter(subcon, tz=None)¶