5.3 PE Info Lookup

Request

Value

Method

GET

URL

https://api.metadefender.com/v3/hash/:hash/peinfo

Summary

Looks up PE info for a hash (MD5, SHA1 or SHA256). PE info (Portable Executable file format information) lets you view and analyze details of an executable file such as executable headers, section headers, import and export tables, application resources and others. MetaDefender Cloud has this information for most of its executables, but it is not guaranteed that every executable will have such data associated. The amount and complexity of the displayed information depends on the file analysed.

When doing a hash lookup, if the body of the response contains `pe_info: true`, this particular hash has PE info associated with it, and that information can be retrieved using this endpoint.

Request

HTTP URL parameters

 

Description

Example

:hash

The hash value for which you need PE info (MD5/SHA1/SHA256)

8952089536C5489C5B38EE426450ADFC

HTTP Header Parameters

 

Description

Allowed Values

Required

Authorization

Grants the right to use the endpoint (see API Authentication Mechanisms)

apikey

YES

Response

HTTP Status Codes

Please refer to Status Codes for more information.

Body

Example of a successful PE info response:

{
"success": true,
"data": {
"section_headers": [
{
"name": ".text",
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_MEM_EXECUTE",
"IMAGE_SCN_CNT_CODE",
"IMAGE_SCN_MEM_READ"
],
"virtual_address": "0x1000",
"pointer_to_linenumbers": "0x0",
"pointer_to_raw_data": "0x400",
"entropy": 6.38492393996,
"raw_size": 34304,
"pointer_to_relocations": "0x0",
"virtual_size": 34096,
"number_of_linenumbers": 0,
"md5": "933dd465f2fadc12cd8b040d979642d1"
},
{
"name": ".rdata",
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"virtual_address": "0xa000",
"pointer_to_linenumbers": "0x0",
"pointer_to_raw_data": "0x8a00",
"entropy": 4.9756962316,
"raw_size": 11776,
"pointer_to_relocations": "0x0",
"virtual_size": 11715,
"number_of_linenumbers": 0,
"md5": "2a2e17b209d2117e4c56b3f95549660b"
},
{
"name": ".data",
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_WRITE",
"IMAGE_SCN_MEM_READ"
],
"virtual_address": "0xd000",
"pointer_to_linenumbers": "0x0",
"pointer_to_raw_data": "0xb800",
"entropy": 2.47812653937,
"raw_size": 3584,
"pointer_to_relocations": "0x0",
"virtual_size": 7232,
"number_of_linenumbers": 0,
"md5": "21173c2b9e70400a8ccfa1d648a2eb10"
},
{
"name": ".rsrc",
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_READ"
],
"virtual_address": "0xf000",
"pointer_to_linenumbers": "0x0",
"pointer_to_raw_data": "0xc600",
"entropy": 4.52644656901,
"raw_size": 1536,
"pointer_to_relocations": "0x0",
"virtual_size": 1256,
"number_of_linenumbers": 0,
"md5": "f4b3e23e28dad0f9b00f84931b248021"
},
{
"name": ".reloc",
"number_of_relocations": 0,
"characteristics": [
"IMAGE_SCN_CNT_INITIALIZED_DATA",
"IMAGE_SCN_MEM_DISCARDABLE",
"IMAGE_SCN_MEM_READ"
],
"virtual_address": "0x10000",
"pointer_to_linenumbers": "0x0",
"pointer_to_raw_data": "0xcc00",
"entropy": 4.84729024547,
"raw_size": 6656,
"pointer_to_relocations": "0x0",
"virtual_size": 6478,
"number_of_linenumbers": 0,
"md5": "618125446dae749f610f707a6e854e45"
}
],
"imported_dlls": [
{
"functions": [
"EnterCriticalSection",
"ResetEvent",
"CreateEventW",
"DeleteCriticalSection",
"CloseHandle",
"Sleep",
"FreeLibrary",
"GetCurrentProcess",
"GetLastError",
"LoadLibraryW",
"GetProcAddress",
"WaitForMultipleObjects",
"LeaveCriticalSection",
"GetOverlappedResult",
"CreateFileW",
"GetVersionExW",
"InterlockedCompareExchange",
"InterlockedExchange",
"CreateSemaphoreW",
"ReleaseSemaphore",
"CreateThread",
"SetEvent",
"WaitForSingleObject",
"SetThreadPriority",
"GetSystemInfo",
"InitializeCriticalSection",
"InterlockedDecrement",
"CancelIo",
"InterlockedIncrement",
"HeapAlloc",
"HeapFree",
"EncodePointer",
"DecodePointer",
"GetCurrentThreadId",
"GetCommandLineA",
"TerminateProcess",
"UnhandledExceptionFilter",
"SetUnhandledExceptionFilter",
"IsDebuggerPresent",
"RaiseException",
"GetModuleHandleW",
"ExitProcess",
"WriteFile",
"GetStdHandle",
"GetModuleFileNameW",
"HeapCreate",
"HeapDestroy",
"HeapSize",
"TlsAlloc",
"TlsGetValue",
"TlsSetValue",
"TlsFree",
"SetLastError",
"SetHandleCount",
"InitializeCriticalSectionAndSpinCount",
"GetFileType",
"GetStartupInfoW",
"GetModuleFileNameA",
"FreeEnvironmentStringsW",
"WideCharToMultiByte",
"GetEnvironmentStringsW",
"QueryPerformanceCounter",
"GetTickCount",
"GetCurrentProcessId",
"GetSystemTimeAsFileTime",
"HeapReAlloc",
"RtlUnwind",
"GetCPInfo",
"GetACP",
"GetOEMCP",
"IsValidCodePage",
"LCMapStringW",
"MultiByteToWideChar",
"GetStringTypeW",
"IsProcessorFeaturePresent"
],
"name": "KERNEL32.dll"
},
{
"functions": [
"LookupPrivilegeValueW",
"OpenProcessToken",
"AdjustTokenPrivileges"
],
"name": "ADVAPI32.dll"
}
],
"vs_version_info": {
"original_filename": "gzfltum.dll",
"comments": "",
"product_version": "1.0.0.1",
"legal_copyright": "Copyright © 1997-2011 BitDefender",
"company_name": "BitDefender",
"internal_name": "gzfltum.dll",
"product_name": "BitDefender",
"file_description": "gzflt user mode library"
},
"imphash": "1a617e36732cae691794fa6880f714a0",
"optional_headers": {
"subsystem": "IMAGE_SUBSYSTEM_WINDOWS_GUI",
"subsystem_version": "5.1",
"linker_version": "10.0",
"image_version": "0.0",
"checksum": "122196",
"os_version": "5.1",
"entry_point": "0x4e3e",
"image_size": 73728,
"initialized_data_size": 23552,
"uninitialized_data_size": 0,
"code_size": 34304,
"pe_type": "0x10b"
},
"headers": {
"characteristics": [
"IMAGE_FILE_32BIT_MACHINE",
"IMAGE_FILE_EXECUTABLE_IMAGE",
"IMAGE_FILE_DLL"
],
"number_of_sections": 5,
"pointer_to_symbol_table": "0",
"machine_type": "IMAGE_FILE_MACHINE_I386",
"compilation_time": "2015-02-24T14:52:25.000Z",
"number_of_symbols": 0
},
"pehash": "12007627c7051d8e450fa63d41acba7cdaa518c3",
"exported_functions": [
"module_cleanup",
"module_init"
],
"resource_info": [
{
"resource_ids": [
{
"resource_langs": [
"LANG_ENGLISH"
],
"name": "0x1"
}
],
"name": "RT_VERSION"
},
{
"resource_ids": [
{
"resource_langs": [
"LANG_ENGLISH"
],
"name": "0x2"
}
],
"name": "RT_MANIFEST"
}
]
}
}

Example of the response when the hash parameter is invalid:

{
"success": false,
"error": {
"code": 400064,
"messages": [
"The hash value is not valid"
]
}
}

Descriptions of response:

data

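Object containing the extracted PE info. The fields are read from the file itself (for example `vs_version_info` and `compilation_time`), so they describe what the file claims, not a verified publisher or build date.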

Errors

Please refer to Errors for more information.

Sample code (Node.js)

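// Query the MetaDefender Cloud PE info endpoint for one hash and print the
// raw response body to stdout.
var https = require("https");

// The API key comes from the environment so it is never written into the script.
// Stop early when it is missing rather than sending "apikey undefined".
var apiKey = process.env.APIKEY;
if (!apiKey) {
  console.error("APIKEY environment variable is not set");
  process.exit(1);
}

var options = {
  "method": "GET",
  // https.request expects hostname and path as strings, not arrays of segments.
  "hostname": "api.metadefender.com",
  "path": "/v3/hash/8952089536C5489C5B38EE426450ADFC/peinfo",
  "headers": {
    "Authorization": "apikey " + apiKey
  }
};

var req = https.request(options, function (res) {
  var chunks = [];

  // Collect the body as it streams in.
  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  // Print the full body once the response is complete; error responses
  // (for example an invalid hash) are JSON bodies too and are printed as-is.
  res.on("end", function () {
    var body = Buffer.concat(chunks);
    console.log(body.toString());
  });
});

// Report connection-level failures (DNS, TLS, reset) instead of letting an
// unhandled 'error' event crash the process.
req.on("error", function (err) {
  console.error("Request failed: " + err.message);
});

req.end();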

Sample code (cURL)

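# Look up PE info for one hash. APIKEY must be set in the environment.
# The header is in double quotes so the shell expands ${APIKEY}; inside single
# quotes the literal text "${APIKEY}" would be sent instead of the key.
# ${APIKEY:?...} makes the command fail with a message when the variable is unset.
# Note: the header is part of curl's command line, so the key is visible in the
# local process list while the request runs.
curl -X GET \
  "https://api.metadefender.com/v3/hash/8952089536C5489C5B38EE426450ADFC/peinfo" \
  -H "Authorization: apikey ${APIKEY:?APIKEY is not set}"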