How can I extract raw bytes of DOS stub using python's pefile library?


I want to extract the raw bytes of the DOS stub using the pefile library. Does pefile have a feature for this?

If it doesn't, then I have to do it manually. I guess the DOS stub always starts at offset 0x40, but where does it end?

It can't be assumed that the DOS stub continues until reaching the "PE" signature pointed to by e_lfanew, because a Rich header may be present between the DOS stub and the "PE" signature. pefile provides a parse_rich_header method, but that apparently doesn't return the offset of the Rich header; it only returns the content of the Rich header.

Besides, programs can determine their own DOS stub, so the size of the DOS stub can vary. Is there a maximum size for the DOS stub?

The values of the e_cp and e_cblp fields of the DOS header cannot be trusted; they can be easily forged (see this). I have files that have wrong values for these fields. 2, 3, and 20050 are the three most common values for e_cp in my files. Clearly 1 should be the most common value for e_cp.


There are 0 answers