@@ -3650,20 +3650,6 @@ def parse_sections(self, offset):
36503650 # Set the section's flags according to the Characteristics member
36513651 set_flags (section , section .Characteristics , section_flags )
36523652
3653- if section .__dict__ .get (
3654- "IMAGE_SCN_MEM_WRITE" , False
3655- ) and section .__dict__ .get ("IMAGE_SCN_MEM_EXECUTE" , False ):
3656- if section .Name .rstrip (b"\x00 " ) == b"PAGE" and self .is_driver ():
3657- # Drivers can have a PAGE section with those flags set without
3658- # implying that it is malicious
3659- pass
3660- else :
3661- self .__warnings .append (
3662- f"Suspicious flags set for section { i } . "
3663- "Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set. "
3664- "This might indicate a packed executable."
3665- )
3666-
36673653 self .sections .append (section )
36683654
36693655 # Sort the sections by their VirtualAddress and add a field to each of them
@@ -3678,6 +3664,21 @@ def parse_sections(self, offset):
36783664 idx + 1
36793665 ].VirtualAddress
36803666
3667+ for section in self .sections :
3668+ if section .__dict__ .get (
3669+ "IMAGE_SCN_MEM_WRITE" , False
3670+ ) and section .__dict__ .get ("IMAGE_SCN_MEM_EXECUTE" , False ):
3671+ if section .Name .rstrip (b"\x00 " ) == b"PAGE" and self .is_driver ():
3672+ # Drivers can have a PAGE section with those flags set without
3673+ # implying that it is malicious
3674+ pass
3675+ else :
3676+ self .__warnings .append (
3677+ f"Suspicious flags set for section { i } . "
3678+ "Both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE are set. "
3679+ "This might indicate a packed executable."
3680+ )
3681+
36813682 if self .FILE_HEADER .NumberOfSections > 0 and self .sections :
36823683 return (
36833684 offset + self .sections [0 ].sizeof () * self .FILE_HEADER .NumberOfSections
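Review bot: The warning f-string in the relocated loop (new lines 3676-3680) still interpolates `{i}`, but `for section in self.sections:` does not bind `i`. It presumably reuses whatever value the earlier parsing loop, outside this hunk, left behind, so every write+execute warning would name the same section number. The comment above the hunk suggests the list has been sorted by VirtualAddress by this point, so a positional index may no longer match section-header order either. Consider `for i, section in enumerate(self.sections):`, or identify the section by name with `f"Suspicious flags set for section {section.Name!r}. "`, so that an analyst triaging a possibly packed binary is pointed at the right section. parse_sections begins and ends outside the hunk, so the binding of `i` should be confirmed against the full function.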