PE

Parser

class Parser : public LIEF::Parser

Main interface to parse PE binaries. In particular the static functions: Parser::parse should be used to get a LIEF::PE::Binary.

Public Functions

Parser &operator=(const Parser &copy) = delete
Parser(const Parser &copy) = delete

Public Static Functions

static bool is_valid_import_name(const std::string &name)

Check if the given name is a valid import.

This check verified that:

  1. The name is not too large or empty (cf. https://stackoverflow.com/a/23340781)

  2. All the characters are printable

static bool is_valid_dll_name(const std::string &name)

Check if the given name is a valid DLL name.

This check verifies that:

  1. The name of the DLL is at 4

  2. All the characters are printable

static std::unique_ptr<Binary> parse(const std::string &filename, const ParserConfig &conf = ParserConfig::all())

Parse a PE binary from the given filename.

static std::unique_ptr<Binary> parse(std::vector<uint8_t> data, const ParserConfig &conf = ParserConfig::all())

Parse a PE binary from a data buffer.

static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream, const ParserConfig &conf = ParserConfig::all())

Parse a PE binary from the given BinaryStream.

Public Static Attributes

static size_t MAX_DATA_SIZE = 3_GB

Maximum size of the data read.

static size_t MAX_TLS_CALLBACKS = 3000
static size_t MAX_DLL_NAME_SIZE = 255
static size_t MAX_PADDING_SIZE = 1_GB

Max size of the padding section.

struct ParserConfig

This structure is used to tweak the PE Parser (PE::Parser)

Public Members

bool parse_signature = true

Parse PE Authenticode signature.

bool parse_exports = true

Parse PE Exports Directory.

bool parse_imports = true

Parse PE Import Directory.

bool parse_rsrc = true

Parse PE resources tree.

bool parse_reloc = true

Parse PE relocations.

Public Static Functions

static inline ParserConfig all()

Binary

class Binary : public LIEF::Binary

Class which represents a PE binary This is the main interface to manage and modify a PE executable.

Public Types

using sections_t = std::vector<std::unique_ptr<Section>>

Internal container for storing PE’s Section.

using it_sections = ref_iterator<sections_t&, Section*>

Iterator that outputs Section& object.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>

Iterator that outputs const Section& object.

using data_directories_t = std::vector<std::unique_ptr<DataDirectory>>

Internal container for storing PE’s DataDirectory.

using it_data_directories = ref_iterator<data_directories_t&, DataDirectory*>

Iterator that outputs DataDirectory&.

using it_const_data_directories = const_ref_iterator<const data_directories_t&, const DataDirectory*>

Iterator that outputs const DataDirectory&.

using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing PE’s Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator that outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator that outputs const Relocation&.

using imports_t = std::vector<Import>

Internal container for storing PE’s Import.

using it_imports = ref_iterator<imports_t&>

Iterator that output Import&.

using it_const_imports = const_ref_iterator<const imports_t&>

Iterator that outputs const Import&.

using delay_imports_t = std::vector<DelayImport>

Internal container for storing PE’s DelayImport.

using it_delay_imports = ref_iterator<delay_imports_t&>

Iterator that output DelayImport&.

using it_const_delay_imports = const_ref_iterator<const delay_imports_t&>

Iterator that outputs const DelayImport&.

using debug_entries_t = std::vector<std::unique_ptr<Debug>>

Internal container for storing Debug information.

using it_debug_entries = ref_iterator<debug_entries_t&, Debug*>

Iterator that outputs Debug&.

using it_const_debug_entries = const_ref_iterator<const debug_entries_t&, const Debug*>

Iterator that outputs const Debug&.

using symbols_t = std::vector<Symbol>

Internal container for storing COFF Symbols.

using it_symbols = ref_iterator<symbols_t&>

Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&>

Iterator that outputs const Symbol&.

using strings_table_t = std::vector<std::string>

Internal container for storing strings.

using it_strings_table = ref_iterator<strings_table_t&>

Iterator that outputs std::string&.

using it_const_strings_table = const_ref_iterator<const strings_table_t&>

Iterator that outputs const std::string&.

using signatures_t = std::vector<Signature>

Internal container for storing PE’s authenticode Signature.

using it_signatures = ref_iterator<signatures_t&>

Iterator that outputs Signature&.

using it_const_signatures = const_ref_iterator<const signatures_t&>

Iterator that outputs const Signature&.

Public Functions

Binary(PE_TYPE type)
~Binary() override
inline PE_TYPE type() const

Return PE32 or PE32+

uint64_t rva_to_offset(uint64_t RVA) const

Convert a Relative Virtual Address into an offset.

The conversion is performed by looking for the section that encompasses the provided RVA.

uint64_t va_to_offset(uint64_t VA) const

Convert the absolute virtual address into an offset.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const override

Convert the given offset into a virtual address.

Parameters:
  • offset[in] The offset to convert.

  • slide[in] If not 0, it will replace the default base address (if any)

inline virtual uint64_t imagebase() const override

Return binary’s imagebase. 0 if not relevant.

The value is the same as those returned by OptionalHeader::imagebase

Section *section_from_offset(uint64_t offset)

Find the section associated that encompasses the given offset.

If no section can be found, return a nullptr

const Section *section_from_offset(uint64_t offset) const
Section *section_from_rva(uint64_t virtual_address)

Find the section associated that encompasses the given RVA.

If no section can be found, return a nullptr

const Section *section_from_rva(uint64_t virtual_address) const
inline it_sections sections()

Return an iterator over the PE’s Section.

inline it_const_sections sections() const
inline DosHeader &dos_header()

Return a reference to the PE::DosHeader object.

inline const DosHeader &dos_header() const
inline Header &header()

Return a reference to the PE::Header object.

inline const Header &header() const
inline OptionalHeader &optional_header()

Header that follows the header(). It is named optional from the COFF specfication but it is mandatory in a PE file.

inline const OptionalHeader &optional_header() const
uint32_t compute_checksum() const

Re-compute the value of OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF for the current binary object.

uint64_t virtual_size() const

Compute the binary’s virtual size. It should match OptionalHeader::sizeof_image.

uint32_t sizeof_headers() const

Compute the size of all the headers.

inline TLS *tls()

Return a reference to the TLS object.

inline const TLS *tls() const
void tls(const TLS &tls)

Set a TLS object in the current Binary.

inline bool has_tls() const

Check if the current binary has a TLS object.

inline bool has_imports() const

Check if the current binary contains imports.

See also

Import

inline bool has_signatures() const

Check if the current binary contains signatures.

See also

signatures

inline bool has_exports() const

Check if the current binary has exports.

See also

Export

inline bool has_resources() const

Check if the current binary has resources.

bool has_exceptions() const

Check if the current binary has exceptions.

inline bool has_relocations() const

Check if the current binary has relocations.

See also

Relocation

inline bool has_debug() const

Check if the current binary contains debug information.

inline bool has_configuration() const

Check if the current binary has a load configuration.

bool is_reproducible_build() const

Check if the current binary is reproducible build, replacing timestamps by a compile hash.

See also

Repro

inline it_const_signatures signatures() const

Return an iterator over the Signature object(s) if the binary is signed.

inline it_signatures signatures()
Signature::VERIFICATION_FLAGS verify_signature(Signature::VERIFICATION_CHECKS checks = Signature::VERIFICATION_CHECKS::DEFAULT) const

Verify the binary against the embedded signature(s) (if any) First, it checks that the embedded signatures are correct (c.f. Signature::check) and then, it checks that the authentihash matches ContentInfo::digest.

One can tweak the verification process with the Signature::VERIFICATION_CHECKS flags

Signature::VERIFICATION_FLAGS verify_signature(const Signature &sig, Signature::VERIFICATION_CHECKS checks = Signature::VERIFICATION_CHECKS::DEFAULT) const

Verify the binary with the Signature object provided in the first parameter. It can be used to verify a detached signature:

result<Signature> detached = LIEF::PE::SignatureParser::parse("sig.pkcs7")
if (detached) {
  binary->verify_signature(detached.value());
}
std::vector<uint8_t> authentihash(ALGORITHMS algo) const

Compute the authentihash according to the algorithm provided in the first parameter.

uint32_t predict_function_rva(const std::string &library, const std::string &function)

Try to predict the RVA of the function function in the import library library

Note

It should be used with: LIEF::PE::Builder::build_imports set to true

Warning

The value could be chang if imports change

Parameters:
  • library[in] Library name in which the function is located

  • function[in] Function name

Returns:

The address of the function (IAT) in the new import table

inline Export *get_export()

Return the Export object.

inline const Export *get_export() const
std::vector<Symbol> &symbols()

Return binary Symbols.

const std::vector<Symbol> &symbols() const
inline ResourceNode *resources()

Return resources as a tree or a nullptr if there is no resources.

inline const ResourceNode *resources() const
void set_resources(const ResourceDirectory &resource)

Set a new resource tree.

void set_resources(const ResourceData &resource)

Set a new resource tree.

result<ResourcesManager> resources_manager() const

Return the ResourcesManager (class to manage resources more easily than the tree one)

Section *get_section(const std::string &name)

Return binary’s section from its name. If the secion can’t be found, return a nullptr.

Parameters:

name[in] Name of the Section

const Section *get_section(const std::string &name) const
const Section *import_section() const

Return the section associated with import table or a nullptr if the binary does not have an import table.

Section *import_section()
virtual void remove_section(const std::string &name, bool clear = false) override

Delete the section with the given name.

Parameters:
  • name[in] Name of section to delete

  • clear[in] if true clear the section’s content with 0 before removing (default: false)

void remove(const Section &section, bool clear = false)

Remove the given section.

Section *add_section(const Section &section, PE_SECTION_TYPES type = PE_SECTION_TYPES::UNKNOWN)

Add a section to the binary and return the section added.

inline it_relocations relocations()

Return an iterator over the PE’s Relocation.

inline it_const_relocations relocations() const
Relocation &add_relocation(const Relocation &relocation)

Add a PE::Relocation.

void remove_all_relocations()

Remove all the relocations.

inline it_data_directories data_directories()

Return an iterator over the DataDirectory present in the Binary.

inline it_const_data_directories data_directories() const
DataDirectory *data_directory(DataDirectory::TYPES type)

Return the DataDirectory with the given type (or index)

const DataDirectory *data_directory(DataDirectory::TYPES type) const
inline bool has(DataDirectory::TYPES type) const

Check if the current binary has the given DataDirectory::TYPES.

inline it_debug_entries debug()

Return an iterator over the Debug entries.

inline it_const_debug_entries debug() const
const CodeViewPDB *codeview_pdb() const

Return the CodeViewPDB object if present.

inline const LoadConfiguration *load_configuration() const

Retrun the LoadConfiguration object or a nullptr if the binary does not use the LoadConfiguration.

inline LoadConfiguration *load_configuration()
inline span<const uint8_t> overlay() const

Return the overlay content.

inline span<uint8_t> overlay()
inline uint64_t overlay_offset() const

Return the original overlay offset.

inline span<const uint8_t> dos_stub() const

Return the DOS stub content.

inline span<uint8_t> dos_stub()
void dos_stub(const std::vector<uint8_t> &content)

Update the DOS stub content.

inline RichHeader *rich_header()

Return a reference to the RichHeader object.

inline const RichHeader *rich_header() const
void rich_header(const RichHeader &rich_header)

Set a RichHeader object in the current Binary.

inline bool has_rich_header() const

Check if the current binary has a RichHeader object.

inline it_imports imports()

Return an iterator over the binary imports.

inline it_const_imports imports() const
Import *get_import(const std::string &import_name)

Returns the PE::Import from the given name. If it can’t be found, return a nullptr.

Parameters:

import_name[in] Name of the import

const Import *get_import(const std::string &import_name) const
inline bool has_import(const std::string &import_name) const

True if the binary imports the given library name

Parameters:

import_name[in] Name of the import

inline bool has_delay_imports() const

Check if the current binary contains delay imports.

See also

DelayImport

See also

has_import

inline it_delay_imports delay_imports()

Return an iterator over the binary’s delay imports.

inline it_const_delay_imports delay_imports() const
DelayImport *get_delay_import(const std::string &import_name)

Returns the PE::DelayImport from the given name. If it can’t be found, return a nullptr.

Parameters:

import_name[in] Name of the delay import

const DelayImport *get_delay_import(const std::string &import_name) const
inline bool has_delay_import(const std::string &import_name) const

True if the binary delay-imports the given library name

Parameters:

import_name[in] Name of the delay import

ImportEntry *add_import_function(const std::string &library, const std::string &function)

Add the function function of the library library. If the function fails, it returns a nullptr.

Parameters:
  • library[in] Library name of the function

  • function[in] Function’s name from the library to import

Import &add_library(const std::string &name)

Add an imported library (i.e. DLL) to the binary.

void remove_library(const std::string &name)

Remove the library with the given name

void remove_all_libraries()

Remove all libraries in the binary.

virtual void write(const std::string &filename) override

Reconstruct the binary object and write the raw PE in filename

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

virtual void write(std::ostream &os) override

Reconstruct the binary object and write the raw PE in os stream.

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

virtual void accept(Visitor &visitor) const override

Method so that a visitor can visit us.

virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the content at virtual address address with patch_value.

Parameters:
  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the address with the given value.

Parameters:
  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • size[in] Size of the value in bytes (1, 2, … 8)

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual span<const uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, Binary::VA_TYPES addr_type = Binary::VA_TYPES::AUTO) const override

Return the content located at the provided virtual address.

Parameters:
  • virtual_address[in] Virtual address of the data to retrieve

  • size[in] Size in bytes of the data to retrieve

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual uint64_t entrypoint() const override

Return the binary’s entrypoint (It is the same value as OptionalHeader::addressof_entrypoint.

virtual bool is_pie() const override

Check if the binary is position independent.

virtual bool has_nx() const override

Check if the binary uses NX protection.

virtual LIEF::Binary::functions_t ctor_functions() const override

Return the list of the binary constructors.

In a PE file, we consider a constructors as a callback in the TLS object

LIEF::Binary::functions_t functions() const

All functions found in the binary

LIEF::Binary::functions_t exception_functions() const

Functions found in the Exception table directory.

virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LIEF::Binary *bin)

Dos Header

class DosHeader : public LIEF::Object

Class which represents the DosHeader, the first structure presents at the beginning of a PE file.

Most of the attributes of this structures are no longer relevant.

Public Types

using reserved_t = std::array<uint16_t, 4>
using reserved2_t = std::array<uint16_t, 10>

Public Functions

DosHeader(const details::pe_dos_header &header)
DosHeader(const DosHeader&) = default
DosHeader &operator=(const DosHeader&) = default
DosHeader(DosHeader&&) = default
DosHeader &operator=(DosHeader&&) = default
~DosHeader() override = default
inline uint16_t magic() const

Magic bytes identifying a DOS/PE binary.

inline uint16_t used_bytes_in_last_page() const
inline uint16_t file_size_in_pages() const
inline uint16_t numberof_relocation() const
inline uint16_t header_size_in_paragraphs() const
inline uint16_t minimum_extra_paragraphs() const
inline uint16_t maximum_extra_paragraphs() const
inline uint16_t initial_relative_ss() const
inline uint16_t initial_sp() const
inline uint16_t checksum() const
inline uint16_t initial_ip() const
inline uint16_t initial_relative_cs() const
inline uint16_t addressof_relocation_table() const
inline uint16_t overlay_number() const
inline const reserved_t &reserved() const
inline uint16_t oem_id() const
inline uint16_t oem_info() const
inline const reserved2_t &reserved2() const
inline uint32_t addressof_new_exeheader() const

Return the offset to the PE::Header structure.

inline void magic(uint16_t magic)
inline void used_bytes_in_last_page(uint16_t value)
inline void file_size_in_pages(uint16_t value)
inline void numberof_relocation(uint16_t value)
inline void header_size_in_paragraphs(uint16_t value)
inline void minimum_extra_paragraphs(uint16_t value)
inline void maximum_extra_paragraphs(uint16_t value)
inline void initial_relative_ss(uint16_t value)
inline void initial_sp(uint16_t value)
inline void checksum(uint16_t value)
inline void initial_ip(uint16_t value)
inline void initial_relative_cs(uint16_t value)
inline void addressof_relocation_table(uint16_t value)
inline void overlay_number(uint16_t value)
inline void reserved(const reserved_t &reserved)
inline void oem_id(uint16_t value)
inline void oem_info(uint16_t value)
inline void reserved2(const reserved2_t &reserved2)
inline void addressof_new_exeheader(uint32_t value)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static DosHeader create(PE_TYPE type)

Public Static Attributes

static uint16_t MAGIC = 0x5a4d

Friends

friend std::ostream &operator<<(std::ostream &os, const DosHeader &entry)


Optional Header

class OptionalHeader : public LIEF::Object

Class which represents the PE OptionalHeader structure.

Note that the term optional comes from the COFF specifications but this header is mandatory for a PE binary.

Public Types

enum class DLL_CHARACTERISTICS : size_t

Values:

enumerator HIGH_ENTROPY_VA = 0x0020

ASLR with 64 bit address space.

enumerator DYNAMIC_BASE = 0x0040

DLL can be relocated at load time.

enumerator FORCE_INTEGRITY = 0x0080

Code integrity checks are enforced.

enumerator NX_COMPAT = 0x0100

Image is NX compatible.

enumerator NO_ISOLATION = 0x0200

Isolation aware, but do not isolate the image.

enumerator NO_SEH = 0x0400

Does not use structured exception handling (SEH). No SEH handler may be called in this image.

enumerator NO_BIND = 0x0800

Do not bind the image.

enumerator APPCONTAINER = 0x1000

Image should execute in an AppContainer.

enumerator WDM_DRIVER = 0x2000

A WDM driver.

enumerator GUARD_CF = 0x4000

Image supports Control Flow Guard.

enumerator TERMINAL_SERVER_AWARE = 0x8000

Terminal Server aware.

enum class SUBSYSTEM : size_t

Values:

enumerator UNKNOWN = 0

An unknown subsystem.

enumerator NATIVE = 1

Device drivers and native Windows processes.

enumerator WINDOWS_GUI = 2

The Windows GUI subsystem.

enumerator WINDOWS_CUI = 3

The Windows character subsystem.

enumerator OS2_CUI = 5

The OS/2 character subsytem.

enumerator POSIX_CUI = 7

The POSIX character subsystem.

enumerator NATIVE_WINDOWS = 8

Native Windows 9x driver.

enumerator WINDOWS_CE_GUI = 9

Windows CE.

enumerator EFI_APPLICATION = 10

An EFI application.

enumerator EFI_BOOT_SERVICE_DRIVER = 11

An EFI driver with boot services.

enumerator EFI_RUNTIME_DRIVER = 12

An EFI driver with run-time services.

enumerator EFI_ROM = 13

An EFI ROM image.

enumerator XBOX = 14

XBOX.

enumerator WINDOWS_BOOT_APPLICATION = 16

A BCD application.

Public Functions

OptionalHeader(const details::pe32_optional_header &header)
OptionalHeader(const details::pe64_optional_header &header)
~OptionalHeader() override = default
OptionalHeader &operator=(const OptionalHeader&) = default
OptionalHeader(const OptionalHeader&) = default
inline PE_TYPE magic() const

Magic bytes: either PE32 or PE32+ for 64-bits PE files.

inline uint8_t major_linker_version() const

The linker major version.

inline uint8_t minor_linker_version() const

The linker minor version.

inline uint32_t sizeof_code() const

The size of the code .text section or the sum of all the sections that contain code (i.e. PE::Section with the flag Section::CHARACTERISTICS::CNT_CODE)

inline uint32_t sizeof_initialized_data() const

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_INITIALIZED_DATA

inline uint32_t sizeof_uninitialized_data() const

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_UNINITIALIZED_DATA

inline uint32_t addressof_entrypoint() const

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

inline uint32_t baseof_code() const

Address relative to the imagebase where the binary’s code starts.

inline uint32_t baseof_data() const

Address relative to the imagebase where the binary’s data starts.

Warning

This value is not present for PE64 files

inline uint64_t imagebase() const

The preferred base address when mapping the binary in memory.

inline uint32_t section_alignment() const

The alignment (in bytes) of sections when they are loaded into memory.

It must be greater than or equal to file_alignment and the default is the page size for the architecture.

inline uint32_t file_alignment() const

The section’s file alignment. This value must be a power of 2 between 512 and 64K. The default value is usually 512.

inline uint16_t major_operating_system_version() const

The major version number of the required operating system.

inline uint16_t minor_operating_system_version() const

The minor version number of the required operating system.

inline uint16_t major_image_version() const

The major version number of the image.

inline uint16_t minor_image_version() const

The minor version number of the image.

inline uint16_t major_subsystem_version() const

The major version number of the subsystem.

inline uint16_t minor_subsystem_version() const

The minor version number of the subsystem.

inline uint32_t win32_version_value() const

According to the official PE specifications, this value is reserved and should be 0.

inline uint32_t sizeof_image() const

The size (in bytes) of the image, including all headers, as the image is loaded in memory.

It must be a multiple of section_alignment and should match Binary::virtual_size

inline uint32_t sizeof_headers() const

Size of the DosHeader + PE Header + Section headers rounded up to a multiple of the file_alignment.

inline uint32_t checksum() const

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.

The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

inline SUBSYSTEM subsystem() const

Target subsystem like Driver, XBox, Windows GUI, …

inline uint32_t dll_characteristics() const

Some characteristics of the underlying binary like the support of the PIE. The prefix dll comes from the official PE specifications but these characteristics are also used for executables

inline uint64_t sizeof_stack_reserve() const

Size of the stack to reserve when loading the PE binary.

Only OptionalHeader::sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

inline uint64_t sizeof_stack_commit() const

Size of the stack to commit.

inline uint64_t sizeof_heap_reserve() const

Size of the heap to reserve when loading the PE binary.

inline uint64_t sizeof_heap_commit() const

Size of the heap to commit.

inline uint32_t loader_flags() const

According to the PE specifications, this value is reserved and should be 0.

inline uint32_t numberof_rva_and_size() const

The number of DataDirectory that follow this header.

inline bool has(DLL_CHARACTERISTICS c) const

Check if the given DLL_CHARACTERISTICS is included in the dll_characteristics.

std::vector<DLL_CHARACTERISTICS> dll_characteristics_list() const

Return the list of the dll_characteristics as an std::set of DLL_CHARACTERISTICS.

inline void add(DLL_CHARACTERISTICS c)

Add a DLL_CHARACTERISTICS to the current characteristics.

inline void remove(DLL_CHARACTERISTICS c)

Remove a DLL_CHARACTERISTICS from the current characteristics.

inline void magic(PE_TYPE magic)
inline void major_linker_version(uint8_t value)
inline void minor_linker_version(uint8_t value)
inline void sizeof_code(uint32_t value)
inline void sizeof_initialized_data(uint32_t value)
inline void sizeof_uninitialized_data(uint32_t value)
inline void addressof_entrypoint(uint32_t value)
inline void baseof_code(uint32_t value)
inline void baseof_data(uint32_t value)
inline void imagebase(uint64_t value)
inline void section_alignment(uint32_t value)
inline void file_alignment(uint32_t value)
inline void major_operating_system_version(uint16_t value)
inline void minor_operating_system_version(uint16_t value)
inline void major_image_version(uint16_t value)
inline void minor_image_version(uint16_t value)
inline void major_subsystem_version(uint16_t value)
inline void minor_subsystem_version(uint16_t value)
inline void win32_version_value(uint32_t value)
inline void sizeof_image(uint32_t value)
inline void sizeof_headers(uint32_t value)
inline void checksum(uint32_t value)
inline void subsystem(SUBSYSTEM value)
inline void dll_characteristics(uint32_t value)
inline void sizeof_stack_reserve(uint64_t value)
inline void sizeof_stack_commit(uint64_t value)
inline void sizeof_heap_reserve(uint64_t value)
inline void sizeof_heap_commit(uint64_t value)
inline void loader_flags(uint32_t value)
inline void numberof_rva_and_size(uint32_t value)
virtual void accept(Visitor &visitor) const override
inline OptionalHeader &operator+=(DLL_CHARACTERISTICS c)
inline OptionalHeader &operator-=(DLL_CHARACTERISTICS c)

Public Static Functions

static OptionalHeader create(PE_TYPE type)

Friends

friend std::ostream &operator<<(std::ostream &os, const OptionalHeader &entry)

Data Directory

class DataDirectory : public LIEF::Object

Class that represents a PE data directory entry.

Public Types

enum class TYPES : uint32_t

Values:

enumerator EXPORT_TABLE = 0
enumerator IMPORT_TABLE
enumerator RESOURCE_TABLE
enumerator EXCEPTION_TABLE
enumerator CERTIFICATE_TABLE
enumerator BASE_RELOCATION_TABLE
enumerator DEBUG_DIR
enumerator ARCHITECTURE
enumerator GLOBAL_PTR
enumerator TLS_TABLE
enumerator LOAD_CONFIG_TABLE
enumerator BOUND_IMPORT
enumerator IAT
enumerator DELAY_IMPORT_DESCRIPTOR
enumerator CLR_RUNTIME_HEADER
enumerator RESERVED
enumerator UNKNOWN

Public Functions

DataDirectory() = default
inline DataDirectory(TYPES type)
DataDirectory(const details::pe_data_directory &header, TYPES type)
DataDirectory(const DataDirectory &other) = default
DataDirectory &operator=(const DataDirectory &other) = default
DataDirectory(DataDirectory &&other) noexcept = default
DataDirectory &operator=(DataDirectory &&other) noexcept = default
~DataDirectory() override = default
inline uint32_t RVA() const

The relative virtual address of the content of this data directory.

inline uint32_t size() const

The size of the content.

inline bool has_section() const

Check if the content of this data directory is associated with a PE Cection.

inline Section *section()

Section associated with the DataDirectory.

inline const Section *section() const
inline TYPES type() const

Type of the data directory.

inline void size(uint32_t size)
inline void RVA(uint32_t rva)
virtual void accept(Visitor &visitor) const override

Public Static Attributes

static size_t DEFAULT_NB = 16

Friends

friend std::ostream &operator<<(std::ostream &os, const DataDirectory &entry)

Section

class Section : public LIEF::Section

Class which represents a PE section.

Public Types

enum class CHARACTERISTICS : uint64_t

Values:

enumerator TYPE_NO_PAD = 0x00000008
enumerator CNT_CODE = 0x00000020
enumerator CNT_INITIALIZED_DATA = 0x00000040
enumerator CNT_UNINITIALIZED_DATA = 0x00000080
enumerator LNK_OTHER = 0x00000100
enumerator LNK_INFO = 0x00000200
enumerator LNK_REMOVE = 0x00000800
enumerator LNK_COMDAT = 0x00001000
enumerator GPREL = 0x00008000
enumerator MEM_PURGEABLE = 0x00010000
enumerator MEM_16BIT = 0x00020000
enumerator MEM_LOCKED = 0x00040000
enumerator MEM_PRELOAD = 0x00080000
enumerator ALIGN_1BYTES = 0x00100000
enumerator ALIGN_2BYTES = 0x00200000
enumerator ALIGN_4BYTES = 0x00300000
enumerator ALIGN_8BYTES = 0x00400000
enumerator ALIGN_16BYTES = 0x00500000
enumerator ALIGN_32BYTES = 0x00600000
enumerator ALIGN_64BYTES = 0x00700000
enumerator ALIGN_128BYTES = 0x00800000
enumerator ALIGN_256BYTES = 0x00900000
enumerator ALIGN_512BYTES = 0x00A00000
enumerator ALIGN_1024BYTES = 0x00B00000
enumerator ALIGN_2048BYTES = 0x00C00000
enumerator ALIGN_4096BYTES = 0x00D00000
enumerator ALIGN_8192BYTES = 0x00E00000
enumerator LNK_NRELOC_OVFL = 0x01000000
enumerator MEM_DISCARDABLE = 0x02000000
enumerator MEM_NOT_CACHED = 0x04000000
enumerator MEM_NOT_PAGED = 0x08000000
enumerator MEM_SHARED = 0x10000000
enumerator MEM_EXECUTE = 0x20000000
enumerator MEM_READ = 0x40000000
enumerator MEM_WRITE = 0x80000000

Public Functions

Section(const details::pe_section &header)
Section() = default
Section(const std::vector<uint8_t> &data, const std::string &name = "", uint32_t characteristics = 0)
Section(const std::string &name)
Section &operator=(const Section&) = default
Section(const Section&) = default
~Section() override = default
uint32_t sizeof_raw_data() const

Return the size of the data in the section.

inline uint32_t virtual_size() const

Return the size of the data when mapped in memory.

If this value is greater than sizeof_raw_data, the section is zero-padded.

inline virtual span<const uint8_t> content() const override

The actual content of the section.

inline span<const uint8_t> padding() const

Content of the section’s padding area.

uint32_t pointerto_raw_data() const

The offset of the section data in the PE file.

inline uint32_t pointerto_relocation() const

The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.

For modern PE binaries, this value is usually set to 0 as the relocations are managed by PE::Relocation.

inline uint32_t pointerto_line_numbers() const

The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

inline uint16_t numberof_relocations() const

No longer used in recent PE binaries produced by Visual Studio.

inline uint16_t numberof_line_numbers() const

No longer used in recent PE binaries produced by Visual Studio.

inline uint32_t characteristics() const

Characteristics of the section: it provides information about the permissions of the section when mapped. It can also provide information about the purpose of the section (contain code, BSS-like, …)

bool is_type(PE_SECTION_TYPES type) const

Deprecated do not use. It will likely change in a future release of LIEF.

const std::set<PE_SECTION_TYPES> &types() const

Deprecated do not use. It will likely change in a future release of LIEF.

inline bool has_characteristic(CHARACTERISTICS c) const

Check if the section has the given CHARACTERISTICS.

std::vector<CHARACTERISTICS> characteristics_list() const

List of the section characteristics as a std::set.

void clear(uint8_t c)

Fill the content of the section with the given char

virtual void content(const std::vector<uint8_t> &data) override

Change section content.

virtual void name(std::string name) override

Change the section’s name.

inline void virtual_size(uint32_t virtual_sz)
void pointerto_raw_data(uint32_t ptr)
inline void pointerto_relocation(uint32_t ptr)
inline void pointerto_line_numbers(uint32_t ptr)
inline void numberof_relocations(uint16_t nb)
inline void numberof_line_numbers(uint16_t nb)
void sizeof_raw_data(uint32_t sizeOfRawData)
inline void characteristics(uint32_t characteristics)
void type(PE_SECTION_TYPES type)
void add_type(PE_SECTION_TYPES type)
void remove_type(PE_SECTION_TYPES type)
inline void remove_characteristic(Section::CHARACTERISTICS characteristic)
inline void add_characteristic(Section::CHARACTERISTICS characteristic)
virtual void accept(Visitor &visitor) const override

Public Static Attributes

static size_t MAX_SECTION_NAME = 8

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)

Import

class Import : public LIEF::Object

Class that represents a PE import.

Public Types

using entries_t = std::vector<ImportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Import(const details::pe_import &import)
inline Import(std::string name)
Import() = default
~Import() override = default
Import(const Import &other) = default
Import(Import &&other) noexcept = default
Import &operator=(Import &&other) noexcept = default
Import &operator=(const Import &other) = default
inline uint32_t forwarder_chain() const

The index of the first forwarder reference.

inline uint32_t timedatestamp() const

The stamp that is set to zero until the image is bound. After the image is bound, this field is set to the time/data stamp of the DLL.

inline it_const_entries entries() const

Iterator over the PE::ImportEntry.

inline it_entries entries()
inline uint32_t import_address_table_rva() const

The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.

Warning

This address could change when re-building the binary

inline uint32_t import_lookup_table_rva() const

Return the relative virtual address of the import lookup table.

Warning

This address could change when re-building the binary

result<uint32_t> get_function_rva_from_iat(const std::string &function) const

Return the Function’s RVA from the import address table (IAT)

Warning

This address could change when re-building the binary

inline ImportEntry *get_entry(const std::string &name)

Return the imported function with the given name.

const ImportEntry *get_entry(const std::string &name) const
inline const std::string &name() const

Return the library’s name (e.g. kernel32.dll)

inline void name(std::string name)

Change the current import name.

inline DataDirectory *directory()

Return the PE::DataDirectory associated with this import. It should be the one at index PE::DataDirectory::TYPES::IMPORT_TABLE.

If the data directory can’t be found, return a nullptr

inline const DataDirectory *directory() const
inline DataDirectory *iat_directory()

Return the PE::DataDirectory associated associated with the IAT. It should be the one at index PE::DataDirectory::TYPES::IAT.

If the data directory can’t be found, return a nullptr

inline const DataDirectory *iat_directory() const
inline ImportEntry &add_entry(ImportEntry entry)

Add a new import entry (i.e. an imported function)

inline ImportEntry &add_entry(const std::string &name)

Add a new import entry with the given name (i.e. an imported function)

inline void import_lookup_table_rva(uint32_t rva)
inline void import_address_table_rva(uint32_t rva)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Import &entry)

Import Entry

class ImportEntry : public LIEF::Symbol

Class that represents an entry (i.e. an import) in the import table (Import).

It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API

Public Functions

ImportEntry() = default
ImportEntry(uint64_t data, const std::string &name = "")
ImportEntry(uint64_t data, PE_TYPE type, const std::string &name)
ImportEntry(const std::string &name)
ImportEntry(const std::string &name, PE_TYPE type)
ImportEntry(const ImportEntry&) = default
ImportEntry &operator=(const ImportEntry&) = default
~ImportEntry() override = default
bool is_ordinal() const

True if it is an import by ordinal

inline uint16_t ordinal() const

The ordinal value.

inline uint64_t hint_name_rva() const

inline uint16_t hint() const

Index into the Export::entries that is used to speed-up the symbol resolution.

inline uint64_t iat_value() const

Value of the current entry in the Import Address Table. It should match the lookup table value.

inline uint64_t data() const

Raw value.

inline uint64_t iat_address() const

Original address of the entry in the Import Address Table

inline void data(uint64_t data)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ImportEntry &entry)

Delay Import

class DelayImport : public LIEF::Object

Class that represents a PE delayed import.

Public Types

using entries_t = std::vector<DelayImportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

DelayImport() = default
DelayImport(const details::delay_imports &import, PE_TYPE type)
inline DelayImport(std::string name)
~DelayImport() override = default
DelayImport(const DelayImport&) = default
DelayImport &operator=(const DelayImport&) = default
DelayImport(DelayImport&&) noexcept = default
DelayImport &operator=(DelayImport&&) noexcept = default
void swap(DelayImport &other)
inline uint32_t attribute() const

According to the official PE specifications, this value is reserved and should be set to 0.

inline void attribute(uint32_t hdl)
inline const std::string &name() const

Return the library’s name (e.g. kernel32.dll)

inline void name(std::string name)
inline uint32_t handle() const

The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.

inline void handle(uint32_t hdl)
inline uint32_t iat() const

RVA of the delay-load import address table.

inline void iat(uint32_t iat)
inline uint32_t names_table() const

RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table.

inline void names_table(uint32_t value)
inline uint32_t biat() const

RVA of the bound delay-load import address table or 0 if the table does not exist.

inline void biat(uint32_t value)
inline uint32_t uiat() const

RVA of the unload delay-load import address table or 0 if the table does not exist.

According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.

inline void uiat(uint32_t value)
inline uint32_t timestamp() const

The timestamp of the DLL to which this image has been bound.

inline void timestamp(uint32_t value)
inline it_entries entries()

Iterator over the DelayImport’s entries (DelayImportEntry)

inline it_const_entries entries() const

Iterator over the DelayImport’s entries (DelayImportEntry)

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const DelayImport &entry)

Delay Import Entry

class DelayImportEntry : public LIEF::Symbol

Class that represents an entry (i.e. an import) in the delay import table (DelayImport).

It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API.

The meaning of LIEF::Symbol::value for this PE object is the address (as an RVA) in the IAT where the resolution should take place.

Public Functions

DelayImportEntry() = default
inline DelayImportEntry(uint64_t data, PE_TYPE type)
DelayImportEntry(const DelayImportEntry&) = default
DelayImportEntry &operator=(const DelayImportEntry&) = default
DelayImportEntry(DelayImportEntry&&) noexcept = default
DelayImportEntry &operator=(DelayImportEntry&&) noexcept = default
~DelayImportEntry() override = default
bool is_ordinal() const

True if it is an import by ordinal

inline uint16_t ordinal() const

The ordinal value.

inline uint64_t hint_name_rva() const

inline uint16_t hint() const

Index into the Export::entries that is used to speed-up the symbol resolution.

inline uint64_t iat_value() const

Value of the current entry in the Import Address Table.

inline uint64_t data() const

Raw value.

inline void data(uint64_t data)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const DelayImportEntry &entry)

TLS

class TLS : public LIEF::Object

Class which represents the PE Thread Local Storage.

This PE structure is also used to implement binary/library constructors.

Public Functions

TLS() = default
TLS(const details::pe32_tls &header)
TLS(const details::pe64_tls &header)
~TLS() override = default
TLS(const TLS &copy) = default
TLS &operator=(const TLS &copy) = default
TLS(TLS &&other) noexcept = default
TLS &operator=(TLS &&other) noexcept = default
inline const std::vector<uint64_t> &callbacks() const

List of the callback associated with the current TLS.

These functions are called before any other functions .

inline const std::pair<uint64_t, uint64_t> &addressof_raw_data() const

Pair (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.

Note

These addresses are not RVA. It is addresses for which there should be a rebase relocation in the .reloc section.

inline uint64_t addressof_index() const

The location to receive the TLS index assigned by the loader. This location should be located in a writable section like .data

inline uint64_t addressof_callbacks() const

Pointer to an array of TLS callback functions.

The array is null-terminated, so if there is no callback function this field points to 4 bytes set to zero.

inline uint32_t sizeof_zero_fill() const

Size in bytes of the zero to be padded after the data specified by data_template.

inline uint32_t characteristics() const

The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.

inline span<const uint8_t> data_template() const

The initial content used to initialize TLS data.

inline bool has_data_directory() const

True if there is a data directory associated with this entry.

inline DataDirectory *directory()

Return the DataDirectory associated with this object or a nullptr If it exists, its type should be DataDirectory::TYPES::TLS_TABLE.

inline const DataDirectory *directory() const
inline bool has_section() const

Check if there is a section associated with this entry.

inline Section *section()

The section associated with the entry (or a nullptr)

inline const Section *section() const
inline void callbacks(std::vector<uint64_t> callbacks)
inline void addressof_raw_data(std::pair<uint64_t, uint64_t> addresses)
inline void addressof_index(uint64_t addr_idx)
inline void addressof_callbacks(uint64_t addr)
inline void sizeof_zero_fill(uint32_t size)
inline void characteristics(uint32_t characteristics)
inline void data_template(std::vector<uint8_t> data_template)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const TLS &entry)

Debug

class Debug : public LIEF::Object

This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: ! CodeCodeView)

Subclassed by LIEF::PE::CodeView, LIEF::PE::Pogo, LIEF::PE::Repro

Public Types

enum class TYPES

The entry types.

Values:

enumerator UNKNOWN = 0
enumerator COFF = 1

COFF debug information.

enumerator CODEVIEW = 2

CodeView debug information (pdb & cie)

enumerator FPO = 3

Frame pointer omission information.

enumerator MISC = 4

CodeView Debug Information.

enumerator EXCEPTION = 5

A copy of .pdata section.

enumerator FIXUP = 6

Reserved.

enumerator OMAP_TO_SRC = 7

The mapping from an RVA in image to an RVA in source image.

enumerator OMAP_FROM_SRC = 8

The mapping from an RVA in source image to an RVA in image.

enumerator BORLAND = 9

Reserved for Borland.

enumerator RESERVED10 = 10

Reserved.

enumerator CLSID = 11

Reserved.

enumerator VC_FEATURE = 12
enumerator POGO = 13

Profile Guided Optimization metadata.

enumerator ILTCG = 14
enumerator MPX = 15
enumerator REPRO = 16

PE determinism or reproducibility.

enumerator EX_DLLCHARACTERISTICS = 20

Public Functions

Debug() = default
inline Debug(TYPES type)
Debug(const details::pe_debug &debug_s)
Debug(const Debug &other) = default
Debug &operator=(const Debug &other) = default
~Debug() override = default
inline virtual std::unique_ptr<Debug> clone() const
inline uint32_t characteristics() const

Reserved should be 0.

inline uint32_t timestamp() const

The time and date when the debug data was created.

inline uint16_t major_version() const

The major version number of the debug data format.

inline uint16_t minor_version() const

The minor version number of the debug data format.

inline TYPES type() const

The format DEBUG_TYPES of the debugging information.

inline uint32_t sizeof_data() const

Size of the debug data.

inline uint32_t addressof_rawdata() const

Address of the debug data relative to the image base.

inline uint32_t pointerto_rawdata() const

File offset of the debug data.

inline void characteristics(uint32_t characteristics)
inline void timestamp(uint32_t timestamp)
inline void major_version(uint16_t major_version)
inline void minor_version(uint16_t minor_version)
inline void sizeof_data(uint32_t sizeof_data)
inline void addressof_rawdata(uint32_t addressof_rawdata)
inline void pointerto_rawdata(uint32_t pointerto_rawdata)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Debug &entry)

Code View

class CodeView : public LIEF::PE::Debug

Interface for the (generic) Debug CodeView (IMAGE_DEBUG_TYPE_CODEVIEW)

Subclassed by LIEF::PE::CodeViewPDB

Public Types

enum class SIGNATURES

Code view signatures.

Values:

enumerator UNKNOWN = 0
enumerator PDB_70 = 0x53445352
enumerator PDB_20 = 0x3031424e
enumerator CV_50 = 0x3131424e
enumerator CV_41 = 0x3930424e

Public Functions

inline CodeView()
inline CodeView(SIGNATURES sig)
CodeView(const details::pe_debug &debug, SIGNATURES sig)
CodeView(const CodeView &other) = default
CodeView &operator=(const CodeView &other) = default
~CodeView() override = default
inline SIGNATURES signature() const

The signature that defines the underlying type of the payload.

inline virtual std::unique_ptr<Debug> clone() const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const Debug *debug)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeView &entry)

Code View PDB

class CodeViewPDB : public LIEF::PE::CodeView

CodeView PDB specialization.

Public Types

using signature_t = std::array<uint8_t, 16>

Public Functions

CodeViewPDB() = default
CodeViewPDB(const details::pe_debug &debug_info, const details::pe_pdb_70 &pdb_70)
CodeViewPDB(const CodeViewPDB &other) = default
CodeViewPDB &operator=(const CodeViewPDB &other) = default
std::string guid() const

The GUID signature to verify against the .pdb file signature. This attribute might be used to lookup remote PDB file on a symbol server.

inline uint32_t age() const

Age value to verify. The age does not necessarily correspond to any known time value, it is used to determine if a .pdb file is out of sync with a corresponding .exe file.

inline const signature_t &signature() const

The 32-bit signature to verify against the .pdb file signature.

inline const std::string &filename() const

The path to the .pdb file.

inline void age(uint32_t age)
inline void signature(const signature_t &sig)
inline void filename(std::string filename)
inline virtual std::unique_ptr<Debug> clone() const override
virtual void accept(Visitor &visitor) const override
~CodeViewPDB() override = default

Public Static Functions

static inline bool classof(const Debug *debug)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeViewPDB &entry)

Symbol

class Symbol : public LIEF::Symbol

Class that represents a PE symbol.

Public Functions

Symbol(const details::pe_symbol &header)
Symbol()
~Symbol() override
Symbol &operator=(Symbol other)
Symbol(const Symbol &other)
void swap(Symbol &other)
int16_t section_number() const
uint16_t type() const
SYMBOL_BASE_TYPES base_type() const
SYMBOL_COMPLEX_TYPES complex_type() const
SYMBOL_STORAGE_CLASS storage_class() const
uint8_t numberof_aux_symbols() const
std::wstring wname() const
Section *section()
const Section *section() const
bool has_section() const

True if symbols are located in a section

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &entry)

Relocation

class Relocation : public LIEF::Object

Class which represents the Base Relocation Block We usually find this structure in the .reloc section.

Public Types

using entries_t = std::vector<std::unique_ptr<RelocationEntry>>
using it_entries = ref_iterator<entries_t&, RelocationEntry*>
using it_const_entries = const_ref_iterator<const entries_t&, RelocationEntry*>

Public Functions

Relocation() = default
Relocation(const Relocation &other)
Relocation &operator=(Relocation other)
Relocation(const details::pe_base_relocation_block &header)
~Relocation() override = default
void swap(Relocation &other)
inline uint32_t virtual_address() const

The RVA for which the offset of the relocation entries (RelocationEntry) is added.

inline uint32_t block_size() const

The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)

inline it_const_entries entries() const

Iterator over the RelocationEntry.

inline it_entries entries()
inline void virtual_address(uint32_t virtual_address)
inline void block_size(uint32_t block_size)
RelocationEntry &add_entry(const RelocationEntry &entry)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)

Relocation Entry

class RelocationEntry : public LIEF::Relocation

Class which represents an entry of the PE relocation table.

It extends the LIEF::Relocation object to provide an uniform API across the file formats

Public Types

enum class BASE_TYPES

Values:

enumerator UNKNOWN = -1
enumerator ABS = 0
enumerator HIGH = 1
enumerator LOW = 2
enumerator HIGHLOW = 3
enumerator HIGHADJ = 4
enumerator MIPS_JMPADDR = 5
enumerator ARM_MOV32A = 5 + 0x101
enumerator ARM_MOV32 = 5 + 0x102
enumerator RISCV_HI20 = 5 + 0x103
enumerator SECTION = 6
enumerator REL = 7
enumerator ARM_MOV32T = 7 + 0x201
enumerator THUMB_MOV32 = 7 + 0x202
enumerator RISCV_LOW12I = 7 + 0x203
enumerator RISCV_LOW12S = 8
enumerator IA64_IMM64 = 9
enumerator MIPS_JMPADDR16 = 9 + 0x300
enumerator DIR64 = 10
enumerator HIGH3ADJ = 11

Public Functions

RelocationEntry() = default
RelocationEntry(const RelocationEntry &other)
RelocationEntry &operator=(RelocationEntry other)
RelocationEntry(uint16_t position, BASE_TYPES type)
~RelocationEntry() override = default
void swap(RelocationEntry &other)
virtual uint64_t address() const override

The address of the relocation.

virtual void address(uint64_t address) override
virtual size_t size() const override

The size of the relocatable pointer.

virtual void size(size_t size) override
uint16_t data() const

Raw data of the relocation:

  • The high 4 bits store the relocation type

  • The low 12 bits store the relocation offset

inline uint16_t position() const

Offset relative to Relocation::virtual_address where the relocation occurs.

inline BASE_TYPES type() const

Type of the relocation.

void data(uint16_t data)
inline void position(uint16_t position)
inline void type(BASE_TYPES type)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

Public Static Functions

static inline RelocationEntry from_raw(Header::MACHINE_TYPES arch, uint16_t raw)

Friends

friend class PE::Relocation
friend std::ostream &operator<<(std::ostream &os, const RelocationEntry &entry)

Export

class Export : public LIEF::Object

Class which represents a PE Export.

Public Types

using entries_t = std::vector<ExportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Export() = default
Export(const details::pe_export_directory_table &header)
Export(const Export&) = default
Export &operator=(const Export&) = default
~Export() override = default
inline uint32_t export_flags() const

According to the PE specifications this value is reserved and should be set to 0.

inline uint32_t timestamp() const

The time and date that the export data was created.

inline uint16_t major_version() const

The major version number (can be user-defined)

inline uint16_t minor_version() const

The minor version number (can be user-defined)

inline uint32_t ordinal_base() const

The starting number for the exports. Usually this value is set to 1.

inline const std::string &name() const

The name of the library exported (e.g. KERNEL32.dll)

inline it_entries entries()

Iterator over the ExportEntry.

inline it_const_entries entries() const
inline void export_flags(uint32_t flags)
inline void timestamp(uint32_t timestamp)
inline void major_version(uint16_t major_version)
inline void minor_version(uint16_t minor_version)
inline void ordinal_base(uint32_t ordinal_base)
inline void name(std::string name)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Export &exp)

Export Entry

class ExportEntry : public LIEF::Symbol

Class which represents a PE Export entry (cf. PE::Export)

Public Functions

ExportEntry() = default
ExportEntry(uint32_t address, bool is_extern, uint16_t ordinal, uint32_t function_rva)
ExportEntry(const ExportEntry&) = default
ExportEntry &operator=(const ExportEntry&) = default
~ExportEntry() override = default
inline uint16_t ordinal() const
inline uint32_t address() const
inline bool is_extern() const
inline bool is_forwarded() const
inline forward_information_t forward_information() const
inline uint32_t function_rva() const
inline void ordinal(uint16_t ordinal)
inline void address(uint32_t address)
inline void is_extern(bool is_extern)
inline virtual uint64_t value() const override
inline virtual void value(uint64_t value) override
inline void set_forward_info(std::string lib, std::string function)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ExportEntry &exportEntry)
struct forward_information_t

Public Functions

inline operator bool() const

Public Members

std::string library
std::string function

Friends

friend std::ostream &operator<<(std::ostream &os, const forward_information_t &info)

Signature

class Signature : public LIEF::Object

Main interface for the PKCS #7 signature scheme.

Public Types

enum class VERIFICATION_FLAGS : uint32_t

Flags returned by the verification functions.

Values:

enumerator OK = 0
enumerator INVALID_SIGNER = 1 << 0
enumerator UNSUPPORTED_ALGORITHM = 1 << 1
enumerator INCONSISTENT_DIGEST_ALGORITHM = 1 << 2
enumerator CERT_NOT_FOUND = 1 << 3
enumerator CORRUPTED_CONTENT_INFO = 1 << 4
enumerator CORRUPTED_AUTH_DATA = 1 << 5
enumerator MISSING_PKCS9_MESSAGE_DIGEST = 1 << 6
enumerator BAD_DIGEST = 1 << 7
enumerator BAD_SIGNATURE = 1 << 8
enumerator NO_SIGNATURE = 1 << 9
enumerator CERT_EXPIRED = 1 << 10
enumerator CERT_FUTURE = 1 << 11
enum class VERIFICATION_CHECKS : uint32_t

Flags to tweak the verification process of the signature.

See Signature::check and LIEF::PE::Binary::verify_signature

Values:

enumerator DEFAULT = 1 << 0

Default behavior that tries to follow the Microsoft verification process as close as possible

enumerator HASH_ONLY = 1 << 1

Only check that Binary::authentihash matches ContentInfo::digest regardless of the signature’s validity

enumerator LIFETIME_SIGNING = 1 << 2

Same semantic as WTD_LIFETIME_SIGNING_FLAG

enumerator SKIP_CERT_TIME = 1 << 3

Skip the verification of the certificates time validities so that even though a certificate expired, it returns VERIFICATION_FLAGS::OK

using it_const_crt = const_ref_iterator<const std::vector<x509>&>

Iterator which outputs const x509& certificates.

using it_crt = ref_iterator<std::vector<x509>&>

Iterator which outputs x509& certificates.

using it_const_signers_t = const_ref_iterator<const std::vector<SignerInfo>&>

Iterator which outputs const SignerInfo&.

using it_signers_t = ref_iterator<std::vector<SignerInfo>&>

Iterator which outputs SignerInfo&.

Public Functions

Signature()
Signature(const Signature&)
Signature &operator=(const Signature&)
Signature(Signature&&)
Signature &operator=(Signature&&)
inline uint32_t version() const

Should be 1.

inline ALGORITHMS digest_algorithm() const

Algorithm used to digest the file.

It should match SignerInfo::digest_algorithm

inline const ContentInfo &content_info() const

Return the ContentInfo.

inline it_const_crt certificates() const

Return an iterator over x509 certificates.

inline it_crt certificates()
inline it_const_signers_t signers() const

Return an iterator over the signers (SignerInfo) defined in the PKCS #7 signature.

inline it_signers_t signers()
inline span<const uint8_t> raw_der() const

Return the raw original PKCS7 signature.

const x509 *find_crt(const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its serial number.

const x509 *find_crt_subject(const std::string &subject) const

Find x509 certificate according to its subject.

const x509 *find_crt_subject(const std::string &subject, const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its subject AND serial number.

const x509 *find_crt_issuer(const std::string &issuer) const

Find x509 certificate according to its issuer.

const x509 *find_crt_issuer(const std::string &issuer, const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its issuer AND serial number.

VERIFICATION_FLAGS check(VERIFICATION_CHECKS checks = VERIFICATION_CHECKS::DEFAULT) const

Check if this signature is valid according to the Authenticode/PKCS #7 verification scheme.

By default, it performs the following verifications:

  1. It must contain only one signer info

  2. Signature::digest_algorithm must match:

  3. The x509 certificate specified by SignerInfo::serial_number and SignerInfo::issuer must exist within Signature::certificates

  4. Given the x509 certificate, compare SignerInfo::encrypted_digest against either:

    • hash of authenticated attributes if present

    • hash of ContentInfo

  5. If authenticated attributes are present, check that a PKCS9_MESSAGE_DIGEST attribute exists and that its value matches hash of ContentInfo

  6. Check the validity of the PKCS #9 counter signature if present

  7. If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See LIEF::PE::Signature::VERIFICATION_CHECKS::LIFETIME_SIGNING and LIEF::PE::Signature::VERIFICATION_CHECKS::SKIP_CERT_TIME)

See: LIEF::PE::Signature::VERIFICATION_CHECKS to tweak the behavior

virtual void accept(Visitor &visitor) const override
~Signature() override

Public Static Functions

static inline std::vector<uint8_t> hash(const std::vector<uint8_t> &input, ALGORITHMS algo)

Hash the input given the algorithm.

static std::vector<uint8_t> hash(const uint8_t *buffer, size_t size, ALGORITHMS algo)
static std::string flag_to_string(VERIFICATION_FLAGS flag)

Convert a verification flag into a humman representation. e.g VERIFICATION_FLAGS.BAD_DIGEST | VERIFICATION_FLAGS.BAD_SIGNATURE | VERIFICATION_FLAGS.CERT_EXPIRED.

Friends

friend std::ostream &operator<<(std::ostream &os, const Signature &signature)

Signature Attribute

class Attribute : public LIEF::Object

Interface over PKCS #7 attribute.

Subclassed by LIEF::PE::ContentType, LIEF::PE::GenericType, LIEF::PE::MsSpcNestedSignature, LIEF::PE::MsSpcStatementType, LIEF::PE::PKCS9AtSequenceNumber, LIEF::PE::PKCS9CounterSignature, LIEF::PE::PKCS9MessageDigest, LIEF::PE::PKCS9SigningTime, LIEF::PE::SpcSpOpusInfo

Public Types

enum class TYPE

Values:

enumerator UNKNOWN = 0
enumerator CONTENT_TYPE
enumerator GENERIC_TYPE
enumerator SPC_SP_OPUS_INFO
enumerator MS_COUNTER_SIGN
enumerator MS_SPC_NESTED_SIGN
enumerator MS_SPC_STATEMENT_TYPE
enumerator PKCS9_AT_SEQUENCE_NUMBER
enumerator PKCS9_COUNTER_SIGNATURE
enumerator PKCS9_MESSAGE_DIGEST
enumerator PKCS9_SIGNING_TIME

Public Functions

Attribute() = delete
Attribute(const Attribute&) = default
Attribute &operator=(const Attribute&) = default
virtual std::unique_ptr<Attribute> clone() const = 0
inline virtual TYPE type() const

Concrete type of the attribute.

virtual std::string print() const = 0

Print information about the underlying attribute.

virtual void accept(Visitor &visitor) const override
~Attribute() override = default

Friends

friend std::ostream &operator<<(std::ostream &os, const Attribute &Attribute)

Signature ContentType

class ContentType : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

ContentType ::= OBJECT IDENTIFIER

Public Functions

inline ContentType()
inline ContentType(oid_t oid)
ContentType(const ContentType&) = default
ContentType &operator=(const ContentType&) = default
inline const oid_t &oid() const

OID as described in RFC #2985.

virtual std::string print() const override

Print information about the attribute.

inline virtual std::unique_ptr<Attribute> clone() const override
virtual void accept(Visitor &visitor) const override
~ContentType() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature GenericType

class GenericType : public LIEF::PE::Attribute

Interface over an attribute for which the internal structure is not supported by LIEF.

Public Functions

inline GenericType()
inline GenericType(oid_t oid, std::vector<uint8_t> raw)
GenericType(const GenericType&) = default
GenericType &operator=(const GenericType&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const oid_t &oid() const

OID of the original attribute.

inline span<const uint8_t> raw_content() const

Original DER blob of the attribute.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~GenericType() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature MsSpcNestedSignature

class MsSpcNestedSignature : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1

The internal structure is not documented but we can infer the following structure:

MsSpcNestedSignature ::= SET OF SignedData

SignedData is the structure described in PKCS #7 RFC (LIEF::PE::Signature)

Public Functions

MsSpcNestedSignature() = delete
inline MsSpcNestedSignature(Signature sig)
MsSpcNestedSignature(const MsSpcNestedSignature&) = default
MsSpcNestedSignature &operator=(const MsSpcNestedSignature&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const Signature &sig() const

Underlying Signature object.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~MsSpcNestedSignature() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature MsSpcStatementType

class MsSpcStatementType : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER

Public Functions

MsSpcStatementType() = delete
inline MsSpcStatementType(oid_t oid)
MsSpcStatementType(const MsSpcStatementType&) = default