C++¶

Parser¶

class Parser¶

Public Types

using SymSecMap = std::vector<SymSec>¶: <=> std::unordered_multimap<section index, Symbol*>

Public Functions

~Parser()¶

Public Static Functions

static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream, const ParserConfig &config = ParserConfig::default_conf())¶: Parse the COFF binary referenced by the stream argument with the given config.

static inline std::unique_ptr<Binary> parse(const std::string &file, const ParserConfig &config = ParserConfig::default_conf())¶: Parse the COFF binary pointed by the file argument with the given config.

class ParserConfig¶

Class used to configure the COFF parser.

Public Static Functions

static inline const ParserConfig &default_conf()¶

Binary¶

class Binary¶

Class that represents a COFF Binary.

Public Types

using sections_t = std::vector<std::unique_ptr<Section>>¶: Internal container used to store COFF’s section.

using it_sections = ref_iterator<sections_t&, Section*>¶: Iterator that outputs Section& object.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>¶: Iterator that outputs const Section& object.

using relocations_t = std::vector<std::unique_ptr<Relocation>>¶: Internal container used to store COFF’s relocations.

using it_relocations = ref_iterator<relocations_t&, Relocation*>¶: Iterator that outputs Relocation& object.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>¶: Iterator that outputs const Relocation& object.

using strings_table_t = std::vector<String>¶: Internal container used to store COFF’s strings.

using it_strings_table = ref_iterator<strings_table_t&>¶: Iterator that outputs String& object.

using it_const_strings_table = const_ref_iterator<const strings_table_t&>¶: Iterator that outputs const String& object.

using symbols_t = std::vector<std::unique_ptr<Symbol>>¶: Internal container used to store COFF’s symbols.

using it_symbols = ref_iterator<symbols_t&, Symbol*>¶: Iterator that outputs Symbol& object.

using it_const_symbols = const_ref_iterator<const symbols_t&, const Symbol*>¶: Iterator that outputs Symbol& object.

using instructions_it = iterator_range<assembly::Instruction::Iterator>¶: Instruction iterator.

using it_functions = filter_iterator<symbols_t&, Symbol*>¶: Iterator which outputs COFF symbols representing functions.

using it_const_function = const_filter_iterator<const symbols_t&, const Symbol*>¶: Iterator which outputs COFF symbols representing functions.

Public Functions

inline const Header &header() const¶: The COFF header.

inline Header &header()¶

inline it_sections sections()¶: Iterator over the different sections located in this COFF binary.

inline it_const_sections sections() const¶

inline it_relocations relocations()¶: Iterator over all the relocations used by this COFF binary.

inline it_const_relocations relocations() const¶

inline it_symbols symbols()¶: Iterator over the COFF’s symbols.

inline it_const_symbols symbols() const¶

inline it_const_strings_table string_table() const¶: Iterator over the COFF’s strings.

inline it_strings_table string_table()¶

inline String *find_string(uint32_t offset)¶: Try to find the COFF string at the given offset in the COFF string table.

Warning

This offset must include the first 4 bytes holding the size of the table. Hence, the first string starts a the offset 4.

inline const String *find_string(uint32_t offset) const¶

it_const_function functions() const¶: Iterator over the functions implemented in this COFF.

it_functions functions()¶

const Symbol *find_function(const std::string &name) const¶: Try to find the function (symbol) with the given name.

inline Symbol *find_function(const std::string &name)¶

const Symbol *find_demangled_function(const std::string &name) const¶: Try to find the function (symbol) with the given demangled name.

inline Symbol *find_demangled_function(const std::string &name)¶

instructions_it disassemble(const Symbol &symbol) const¶

Disassemble code for the given symbol.

const Symbol* func = binary->find_demangled_function("int __cdecl my_function(int, int)");
auto insts = binary->disassemble(*func);
for (std::unique_ptr<assembly::Instruction> inst : insts) {
  std::cout << inst->to_string() << '\n';
}

See also

LIEF::assembly::Instruction

instructions_it disassemble(const std::string &symbol) const¶

Disassemble code for the given symbol name.

auto insts = binary->disassemble("main");
for (std::unique_ptr<assembly::Instruction> inst : insts) {
  std::cout << inst->to_string() << '\n';
}

See also

LIEF::assembly::Instruction

instructions_it disassemble(const uint8_t *buffer, size_t size, uint64_t address = 0) const¶

Disassemble code provided by the given buffer at the specified address parameter.

See also

LIEF::assembly::Instruction

inline instructions_it disassemble(const std::vector<uint8_t> &buffer, uint64_t address = 0) const¶

Disassemble code provided by the given vector of bytes at the specified address parameter.

See also

LIEF::assembly::Instruction

inline instructions_it disassemble(LIEF::span<const uint8_t> buffer, uint64_t address = 0) const¶

inline instructions_it disassemble(LIEF::span<uint8_t> buffer, uint64_t address = 0) const¶

std::string to_string() const¶

~Binary()¶

Friends

friend class Parser

inline friend std::ostream &operator<<(std::ostream &os, const Binary &bin)¶

class Header¶

Class that represents the COFF header. It is subclassed by LIEF::COFF::RegularHeader and LIEF::COFF::BigObjHeader for normal vs /bigobj files.

Subclassed by LIEF::COFF::BigObjHeader, LIEF::COFF::RegularHeader

Public Types

enum class KIND¶

Values:

enumerator UNKNOWN = 0¶

enumerator REGULAR¶

enumerator BIGOBJ¶

using MACHINE_TYPES = LIEF::PE::Header::MACHINE_TYPES ¶: The different architectures (mirrored from PE)

Public Functions

Header() = default¶

inline Header(KIND kind)¶

Header &operator=(const Header&) = default¶

Header(const Header&) = default¶

Header &operator=(Header&&) = default¶

Header(Header&&) = default¶

virtual std::unique_ptr<Header> clone() const = 0¶

inline KIND kind() const¶: The type of this header: whether it is regular or using the /bigobj format.

inline MACHINE_TYPES machine() const¶: The machine type targeted by this COFF.

inline uint32_t nb_sections() const¶: The number of sections.

inline uint32_t pointerto_symbol_table() const¶: Offset of the symbols table.

inline uint32_t nb_symbols() const¶: Number of symbols (including auxiliary symbols)

inline uint32_t timedatestamp() const¶: Timestamp when the COFF has been generated.

inline void machine(MACHINE_TYPES machine)¶

inline void nb_sections(uint32_t value)¶

inline void pointerto_symbol_table(uint32_t value)¶

inline void nb_symbols(uint32_t value)¶

inline void timedatestamp(uint32_t value)¶

virtual std::string to_string() const¶

template<class T> inline const T *as() const¶

virtual ~Header() = default¶

Public Static Functions

static std::unique_ptr<Header> create(BinaryStream &stream)¶: Create a header from the given stream.

static std::unique_ptr<Header> create(BinaryStream &stream, KIND kind)¶

Friends

inline friend std::ostream &operator<<(std::ostream &os, const Header &hdr)¶

Regular Header¶

class RegularHeader : public LIEF::COFF::Header ¶

This class represents the COFF header for non-bigobj.

Public Functions

inline RegularHeader()¶

RegularHeader &operator=(const RegularHeader&) = default¶

RegularHeader(const RegularHeader&) = default¶

RegularHeader &operator=(RegularHeader&&) = default¶

RegularHeader(RegularHeader&&) = default¶

inline virtual std::unique_ptr<Header> clone() const override¶

inline uint16_t sizeof_optionalheader() const¶: The size of the optional header that follows this header (should be 0)

inline uint16_t characteristics() const¶: Characteristics.

inline void sizeof_optionalheader(uint16_t value)¶

inline void characteristics(uint16_t value)¶

~RegularHeader() override = default¶

virtual std::string to_string() const override¶

Public Static Functions

static std::unique_ptr<RegularHeader> create(BinaryStream &stream)¶: Create a RegularHeader from the given stream.

static inline bool classof(const Header *header)¶

BigOject Header¶

class BigObjHeader : public LIEF::COFF::Header ¶

This class represents the header for a COFF object compiled with /bigobj support (i.e. the number of sections can exceed 65536).

The raw definition of the bigobj header is located in winnt.h and named ANON_OBJECT_HEADER_BIGOBJ

Public Functions

inline BigObjHeader()¶

BigObjHeader &operator=(const BigObjHeader&) = default¶

BigObjHeader(const BigObjHeader&) = default¶

BigObjHeader &operator=(BigObjHeader&&) = default¶

BigObjHeader(BigObjHeader&&) = default¶

inline virtual std::unique_ptr<Header> clone() const override¶

inline uint16_t version() const¶: The version of this header which must be >= 2.

inline span<const uint8_t> uuid() const¶: Originally named ClassID, this uuid should match: {D1BAA1C7-BAEE-4ba9-AF20-FAF66AA4DCB8}

inline uint32_t sizeof_data() const¶: Size of data that follows the header.

inline uint32_t flags() const¶: 1 means that it contains metadata

inline uint32_t metadata_size() const¶: Size of CLR metadata.

inline uint32_t metadata_offset() const¶: Offset of CLR metadata.

inline void version(uint16_t value)¶

inline void sizeof_data(uint32_t value)¶

inline void flags(uint32_t value)¶

inline void metadata_size(uint32_t value)¶

inline void metadata_offset(uint32_t value)¶

~BigObjHeader() override = default¶

virtual std::string to_string() const override¶

Public Static Functions

static std::unique_ptr<BigObjHeader> create(BinaryStream &stream)¶

static inline bool classof(const Header *header)¶

Public Static Attributes

static auto UUID_SZ = 16¶

Section¶

class Section : public LIEF::Section ¶

This class represents a COFF section.

Public Types

using COMDAT_SELECTION = AuxiliarySectionDefinition::COMDAT_SELECTION ¶

using CHARACTERISTICS = LIEF::PE::Section::CHARACTERISTICS ¶: Mirror Characteristics from PE.

using relocations_t = std::vector<Relocation*>¶: Container for the relocations in this section (owned by the Binary object)

using it_relocations = ref_iterator<relocations_t&, Relocation*>¶: Iterator that outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>¶: Iterator that outputs const Relocation&.

using symbols_t = std::vector<Symbol*>¶: Container for the symbols associated with this section (owned by the Binary object)

using it_symbols = ref_iterator<symbols_t&, Symbol*>¶: Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&, const Symbol*>¶: Iterator that outputs const Symbol&.

Public Functions

inline uint32_t sizeof_raw_data() const¶: Return the size of the data in the section.

inline uint32_t virtual_size() const¶: Virtual size of the section (should be 0)

inline virtual span<const uint8_t> content() const override¶: Content wrapped by this section.

inline uint32_t pointerto_raw_data() const¶: Offset to the section’s content.

inline uint32_t pointerto_relocation() const¶: Offset to the relocation table.

inline uint32_t pointerto_line_numbers() const¶

The file pointer to the beginning of line-number entries for the section.

This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

inline uint16_t numberof_relocations() const¶: Number of relocations.

Warning

If the number of relocations is greater than 0xFFFF (maximum value for 16-bits integer), then the number of relocations is stored in the virtual address of the first relocation.

inline uint16_t numberof_line_numbers() const¶: Number of line number entries (if any).

inline uint32_t characteristics() const¶: Characteristics of the section: it provides information about the permissions of the section when mapped. It can also provide information about the purpose of the section (contain code, BSS-like, …)

inline bool has_characteristic(CHARACTERISTICS c) const¶: Check if the section has the given CHARACTERISTICS.

inline std::vector<CHARACTERISTICS> characteristics_list() const¶: List of the section characteristics.

inline bool is_discardable() const¶

True if the section can be discarded as needed.

This is typically the case for debug-related sections

inline void clear(uint8_t c)¶

inline it_relocations relocations()¶: Iterator over the relocations associated with this section.

inline it_const_relocations relocations() const¶

inline it_symbols symbols()¶: Iterator over the symbols associated with this section.

inline it_const_symbols symbols() const¶

optional<ComdatInfo> comdat_info() const¶: Return comdat infomration (only if the section has the CHARACTERISTICS::LNK_COMDAT characteristic)

inline bool has_extended_relocations() const¶: Whether there is a large number of relocations whose number need to be stored in the virtual address attribute.

inline virtual void content(const std::vector<uint8_t> &data) override¶: Change section content.

virtual void name(std::string name) override¶: Change the section’s name.

inline void virtual_size(uint32_t virtual_sz)¶

inline void pointerto_raw_data(uint32_t ptr)¶

inline void pointerto_relocation(uint32_t ptr)¶

inline void pointerto_line_numbers(uint32_t ptr)¶

inline void numberof_relocations(uint16_t nb)¶

inline void numberof_line_numbers(uint16_t nb)¶

inline void sizeof_raw_data(uint32_t size)¶

inline void characteristics(uint32_t characteristics)¶

std::string to_string() const¶

~Section() override = default¶

inline virtual std::string name() const¶: section’s name

Public Static Functions

static std::unique_ptr<Section> parse(BinaryStream &stream)¶: Parse a section from the given stream.

Friends

friend class Parser

inline friend std::ostream &operator<<(std::ostream &os, const Section &sec)¶

struct ComdatInfo¶

This structure wraps comdat information which is composed of the symbol associated with the comdat section and its selection flag.

Public Members

Symbol *symbol = nullptr¶

COMDAT_SELECTION kind = COMDAT_SELECTION::NONE¶

Relocation¶

class Relocation : public LIEF::Relocation ¶

This class represents a COFF relocation.

Public Types

enum class TYPE : uint32_t¶

The different relocation types.

Please note that the original type is encoded on 16 bits but we encode the type on 32-bits by adding a discriminator from the 17th bit

Values:

enumerator UNKNOWN = uint32_t(-1)¶

enumerator I386_ABSOLUTE = I386 + 0x0000¶

enumerator I386_DIR16 = I386 + 0x0001¶

enumerator I386_REL16 = I386 + 0x0002¶

enumerator I386_DIR32 = I386 + 0x0006¶

enumerator I386_DIR32NB = I386 + 0x0007¶

enumerator I386_SEG12 = I386 + 0x0009¶

enumerator I386_SECTION = I386 + 0x000A¶

enumerator I386_SECREL = I386 + 0x000B¶

enumerator I386_TOKEN = I386 + 0x000C¶

enumerator I386_SECREL7 = I386 + 0x000D¶

enumerator I386_REL32 = I386 + 0x0014¶

enumerator AMD64_ABSOLUTE = X64 + 0x0000¶

enumerator AMD64_ADDR64 = X64 + 0x0001¶

enumerator AMD64_ADDR32 = X64 + 0x0002¶

enumerator AMD64_ADDR32NB = X64 + 0x0003¶

enumerator AMD64_REL32 = X64 + 0x0004¶

enumerator AMD64_REL32_1 = X64 + 0x0005¶

enumerator AMD64_REL32_2 = X64 + 0x0006¶

enumerator AMD64_REL32_3 = X64 + 0x0007¶

enumerator AMD64_REL32_4 = X64 + 0x0008¶

enumerator AMD64_REL32_5 = X64 + 0x0009¶

enumerator AMD64_SECTION = X64 + 0x000A¶

enumerator AMD64_SECREL = X64 + 0x000B¶

enumerator AMD64_SECREL7 = X64 + 0x000C¶

enumerator AMD64_TOKEN = X64 + 0x000D¶

enumerator AMD64_SREL32 = X64 + 0x000E¶

enumerator AMD64_PAIR = X64 + 0x000F¶

enumerator AMD64_SSPAN32 = X64 + 0x0010¶

enumerator ARM_ABSOLUTE = ARM + 0x0000¶

enumerator ARM_ADDR32 = ARM + 0x0001¶

enumerator ARM_ADDR32NB = ARM + 0x0002¶

enumerator ARM_BRANCH24 = ARM + 0x0003¶

enumerator ARM_BRANCH11 = ARM + 0x0004¶

enumerator ARM_TOKEN = ARM + 0x0005¶

enumerator ARM_BLX24 = ARM + 0x0008¶

enumerator ARM_BLX11 = ARM + 0x0009¶

enumerator ARM_REL32 = ARM + 0x000A¶

enumerator ARM_SECTION = ARM + 0x000E¶

enumerator ARM_SECREL = ARM + 0x000F¶

enumerator ARM_MOV32A = ARM + 0x0010¶

enumerator ARM_MOV32T = ARM + 0x0011¶

enumerator ARM_BRANCH20T = ARM + 0x0012¶

enumerator ARM_BRANCH24T = ARM + 0x0014¶

enumerator ARM_BLX23T = ARM + 0x0015¶

enumerator ARM_PAIR = ARM + 0x0016¶

enumerator ARM64_ABSOLUTE = ARM64 + 0x0000¶

enumerator ARM64_ADDR32 = ARM64 + 0x0001¶

enumerator ARM64_ADDR32NB = ARM64 + 0x0002¶

enumerator ARM64_BRANCH26 = ARM64 + 0x0003¶

enumerator ARM64_PAGEBASE_REL21 = ARM64 + 0x0004¶

enumerator ARM64_REL21 = ARM64 + 0x0005¶

enumerator ARM64_PAGEOFFSET_12A = ARM64 + 0x0006¶

enumerator ARM64_PAGEOFFSET_12L = ARM64 + 0x0007¶

enumerator ARM64_SECREL = ARM64 + 0x0008¶

enumerator ARM64_SECREL_LOW12A = ARM64 + 0x0009¶

enumerator ARM64_SECREL_HIGH12A = ARM64 + 0x000A¶

enumerator ARM64_SECREL_LOW12L = ARM64 + 0x000B¶

enumerator ARM64_TOKEN = ARM64 + 0x000C¶

enumerator ARM64_SECTION = ARM64 + 0x000D¶

enumerator ARM64_ADDR64 = ARM64 + 0x000E¶

enumerator ARM64_BRANCH19 = ARM64 + 0x000F¶

enumerator ARM64_BRANCH14 = ARM64 + 0x0010¶

enumerator ARM64_REL32 = ARM64 + 0x0011¶

enumerator MIPS_ABSOLUTE = MIPS + 0x0000¶

enumerator MIPS_REFHALF = MIPS + 0x0001¶

enumerator MIPS_REFWORD = MIPS + 0x0002¶

enumerator MIPS_JMPADDR = MIPS + 0x0003¶

enumerator MIPS_REFHI = MIPS + 0x0004¶

enumerator MIPS_REFLO = MIPS + 0x0005¶

enumerator MIPS_GPREL = MIPS + 0x0006¶

enumerator MIPS_LITERAL = MIPS + 0x0007¶

enumerator MIPS_SECTION = MIPS + 0x000A¶

enumerator MIPS_SECREL = MIPS + 0x000B¶

enumerator MIPS_SECRELLO = MIPS + 0x000C¶

enumerator MIPS_SECRELHI = MIPS + 0x000D¶

enumerator MIPS_JMPADDR16 = MIPS + 0x0010¶

enumerator MIPS_REFWORDNB = MIPS + 0x0022¶

enumerator MIPS_PAIR = MIPS + 0x0025¶

Public Functions

inline uint32_t symbol_idx() const¶: Symbol index associated with this relocation.

inline Symbol *symbol()¶: Symbol associated with the relocation (if any)

inline const Symbol *symbol() const¶

inline TYPE type() const¶: Type of the relocation.

inline Section *section()¶: Section in which the relocation takes place.

inline const Section *section() const¶

std::string to_string() const¶

~Relocation() override = default¶

Public Static Functions

static inline uint16_t to_value(TYPE rtype)¶: Convert a relocation enum type into a 16-bits value.

static inline TYPE from_value(uint16_t value, Header::MACHINE_TYPES arch)¶: Create a relocation type from its raw value and the architecture.

static std::unique_ptr<Relocation> parse(BinaryStream &stream, Header::MACHINE_TYPES arch)¶: Create a relocation from the given stream.

Public Static Attributes

static uint32_t I386 = 1 << 17¶

static uint32_t X64 = 1 << 18¶

static uint32_t ARM = 1 << 19¶

static uint32_t ARM64 = 1 << 20¶

static uint32_t MIPS = 1 << 21¶

Friends

friend class Parser

inline friend std::ostream &operator<<(std::ostream &os, const Relocation &R)¶

String¶

class String¶

This class represents a string located in the COFF string table.

Some of these strings can be used for section names that are greater than 8 bytes. See: LIEF::PE::Section::coff_string()

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-string-table

Public Functions

String() = default¶

inline String(uint32_t offset, std::string str)¶

String(const String&) = default¶

String &operator=(const String&) = default¶

String(String&&) = default¶

String &operator=(String&&) = default¶

~String() = default¶

inline const std::string &str() const¶: The actual string.

inline uint32_t offset() const¶: The offset of this string the in the COFF string table. This offset includes the first 4-bytes that holds the table size.

inline String &str(std::string str)¶

inline String &offset(uint32_t value)¶

Friends

inline friend std::ostream &operator<<(std::ostream &os, const String &str)¶

Symbol¶

class Symbol : public LIEF::Symbol ¶

This class represents a COFF symbol.

Public Types

enum class STORAGE_CLASS : int32_t¶

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#storage-class.

Values:

enumerator INVALID = 0xFF¶

enumerator END_OF_FUNCTION = -1¶: Physical end of function.

enumerator NONE = 0¶: No symbol.

enumerator AUTOMATIC = 1¶: Stack variable.

enumerator EXTERNAL = 2¶: External symbol.

enumerator STATIC = 3¶: Static.

enumerator REGISTER = 4¶: Register variable.

enumerator EXTERNAL_DEF = 5¶: External definition.

enumerator LABEL = 6¶: Label.

enumerator UNDEFINED_LABEL = 7¶: Undefined label.

enumerator MEMBER_OF_STRUCT = 8¶: Member of structure.

enumerator ARGUMENT = 9¶: Function argument.

enumerator STRUCT_TAG = 10¶: Structure tag.

enumerator MEMBER_OF_UNION = 11¶: Member of union.

enumerator UNION_TAG = 12¶: Union tag.

enumerator TYPE_DEFINITION = 13¶: Type definition.

enumerator UNDEFINED_STATIC = 14¶: Undefined static.

enumerator ENUM_TAG = 15¶: Enumeration tag.

enumerator MEMBER_OF_ENUM = 16¶: Member of enumeration.

enumerator REGISTER_PARAM = 17¶: Register parameter.

enumerator BIT_FIELD = 18¶: Bit field.

enumerator BLOCK = 100¶

enumerator FUNCTION = 101¶

enumerator END_OF_STRUCT = 102¶: End of structure.

enumerator FILE = 103¶: File name.

enumerator SECTION = 104¶

enumerator WEAK_EXTERNAL = 105¶: Duplicate tag.

enumerator CLR_TOKEN = 107¶

enum class BASE_TYPE : uint32_t¶

Values:

enumerator TY_NULL = 0¶: No type information or unknown base type.

enumerator TY_VOID = 1¶: Used with void pointers and functions.

enumerator TY_CHAR = 2¶: A character (signed byte).

enumerator TY_SHORT = 3¶: A 2-byte signed integer.

enumerator TY_INT = 4¶: A natural integer type on the target.

enumerator TY_LONG = 5¶: A 4-byte signed integer.

enumerator TY_FLOAT = 6¶: A 4-byte floating-point number.

enumerator TY_DOUBLE = 7¶: An 8-byte floating-point number.

enumerator TY_STRUCT = 8¶: A structure.

enumerator TY_UNION = 9¶: An union.

enumerator TY_ENUM = 10¶: An enumerated type.

enumerator TY_MOE = 11¶: A member of enumeration (a specific value).

enumerator TY_BYTE = 12¶: A byte; unsigned 1-byte integer.

enumerator TY_WORD = 13¶: A word; unsigned 2-byte integer.

enumerator TY_UINT = 14¶: An unsigned integer of natural size.

enumerator TY_DWORD = 15¶: An unsigned 4-byte integer.

enum class COMPLEX_TYPE : uint32_t¶

Values:

enumerator TY_NULL = 0¶: No complex type; simple scalar variable.

enumerator TY_POINTER = 1¶: A pointer to base type.

enumerator TY_FUNCTION = 2¶: A function that returns a base type.

enumerator TY_ARRAY = 3¶: An array of base type.

using auxiliary_symbols_t = std::vector<std::unique_ptr<AuxiliarySymbol>>¶

using it_auxiliary_symbols_t = ref_iterator<auxiliary_symbols_t&, AuxiliarySymbol*>¶

using it_const_auxiliary_symbols_t = const_ref_iterator<const auxiliary_symbols_t&, AuxiliarySymbol*>¶

Public Functions

Symbol()¶

Symbol(const Symbol&)¶

Symbol &operator=(const Symbol&)¶

Symbol(Symbol&&)¶

Symbol &operator=(Symbol&&)¶

inline uint16_t type() const¶: The symbol type. The first byte represents the base type (see: base_type()) while the upper byte represents the complex type, if any (see: complex_type()).

inline STORAGE_CLASS storage_class() const¶: Storage class of the symbol which indicates what kind of definition a symbol represents.

inline BASE_TYPE base_type() const¶: The simple (base) data type.

inline COMPLEX_TYPE complex_type() const¶: The complex type (if any)

inline int16_t section_idx() const¶

The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning:

0: The symbol record is not yet assigned a section. A value of zero indicates that a reference to an external symbol is defined elsewhere. A value of non-zero is a common symbol with a size that is specified by the value.
-1: The symbol has an absolute (non-relocatable) value and is not an address.
-2: The symbol provides general type or debugging information but does not correspond to a section. Microsoft tools use this setting along with .file records

inline Section *section()¶: Section associated with this symbol (if any)

inline const Section *section() const¶

inline bool is_external() const¶

inline bool is_weak_external() const¶

inline bool is_absolute() const¶

inline bool is_undefined() const¶

inline bool is_function_line_info() const¶

inline bool is_function() const¶

inline bool is_file_record() const¶

inline it_auxiliary_symbols_t auxiliary_symbols()¶: Auxiliary symbols associated with this symbol.

inline it_const_auxiliary_symbols_t auxiliary_symbols() const¶

virtual const std::string &name() const override¶: Name of the symbol. If the symbol does not use a short name, it returns the string pointed by the COFF string offset.

virtual std::string &name() override¶

inline const String *coff_name() const¶: COFF string used to represents the (long) symbol name.

inline String *coff_name()¶

std::string demangled_name() const¶: Demangled representation of the symbol or an empty string if it can’t be demangled.

inline Symbol &type(uint16_t ty)¶

inline Symbol &storage_class(uint8_t value)¶

inline Symbol &section_idx(int16_t idx)¶

AuxiliarySymbol &add_aux(std::unique_ptr<AuxiliarySymbol> sym)¶: Add a new auxiliary record.

std::string to_string() const¶

~Symbol() override¶

Public Static Functions

static std::unique_ptr<Symbol> parse(parsing_context_t &ctx, BinaryStream &stream, size_t *idx)¶

static inline bool is_reversed_sec_idx(int16_t idx)¶: Check if the given section index is a reserved value.

Public Static Attributes

static auto SYM_SEC_IDX_DEBUG = -2¶: The symbol provides general type or debugging information but does not correspond to a section. Microsoft tools use this setting along with .file records.

static auto SYM_SEC_IDX_ABS = -1¶: The symbol has an absolute (non-relocatable) value and is not an address.

static auto SYM_SEC_IDX_UNDEF = 0¶: The symbol record is not yet assigned a section. A value of zero indicates that a reference to an external symbol is defined elsewhere. A value of non-zero is a common symbol with a size that is specified by the value.

static auto SYM_COMPLEX_TYPE_SHIFT = 4¶

Friends

friend class Parser

inline friend std::ostream &operator<<(std::ostream &os, const Symbol &entry)¶

struct parsing_context_t¶

Public Members

std::function<String*(uint32_t)> find_string¶

bool is_bigobj¶

AuxiliarySymbol¶

class AuxiliarySymbol¶

Class that represents an auxiliary symbol.

An auxiliary symbol has the same size as a regular LIEF::PE::Symbol (18 bytes) but its content depends on the the parent symbol.

Subclassed by LIEF::COFF::AuxiliaryCLRToken, LIEF::COFF::AuxiliaryFile, LIEF::COFF::AuxiliaryFunctionDefinition, LIEF::COFF::AuxiliarySectionDefinition, LIEF::COFF::AuxiliaryWeakExternal, LIEF::COFF::AuxiliarybfAndefSymbol

Public Types

enum class TYPE¶

Type discriminator for the subclasses.

Values:

enumerator UNKNOWN = 0¶

enumerator CLR_TOKEN¶

enumerator FUNC_DEF¶: Auxiliary Format 1 from the PE-COFF documentation.

enumerator BF_AND_EF¶: Auxiliary Format 2: .bf and .ef Symbols from the PE-COFF documentation.

enumerator WEAK_EXTERNAL¶: Auxiliary Format 3: Weak Externals from the PE-COFF documentation.

enumerator FILE¶: Auxiliary Format 4: Files from the PE-COFF documentation.

enumerator SEC_DEF¶: Auxiliary Format 5: Section Definitions from the PE-COFF documentation.

Public Functions

AuxiliarySymbol() = default¶

inline AuxiliarySymbol(std::vector<uint8_t> payload)¶

AuxiliarySymbol(const AuxiliarySymbol&) = default¶

AuxiliarySymbol &operator=(const AuxiliarySymbol&) = default¶

AuxiliarySymbol(AuxiliarySymbol&&) = default¶

AuxiliarySymbol &operator=(AuxiliarySymbol&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const¶

inline AuxiliarySymbol(TYPE ty)¶

inline TYPE type() const¶

inline span<const uint8_t> payload() const¶: For unknown type only, return the raw representation of this symbol.

inline span<uint8_t> payload()¶

virtual std::string to_string() const¶

virtual ~AuxiliarySymbol() = default¶

template<class T> inline const T *as() const¶: Helper to downcast a AuxiliarySymbol into a concrete implementation.

template<class T> inline T *as()¶

Public Static Functions

static std::unique_ptr<AuxiliarySymbol> parse(Symbol &sym, std::vector<uint8_t> payload)¶

static TYPE get_aux_type(const Symbol &sym)¶

Friends

inline friend std::ostream &operator<<(std::ostream &os, const AuxiliarySymbol &aux)¶

AuxiliaryCLRToken¶

class AuxiliaryCLRToken : public LIEF::COFF::AuxiliarySymbol ¶

Auxiliary symbol associated with the CLR_TOKEN storage class.

Public Functions

inline AuxiliaryCLRToken()¶

inline AuxiliaryCLRToken(uint8_t aux_type, uint8_t reserved, uint32_t symbol_idx, std::vector<uint8_t> rgb_reserved)¶

AuxiliaryCLRToken(const AuxiliaryCLRToken&) = default¶

AuxiliaryCLRToken &operator=(const AuxiliaryCLRToken&) = default¶

AuxiliaryCLRToken(AuxiliaryCLRToken&&) = default¶

AuxiliaryCLRToken &operator=(AuxiliaryCLRToken&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const override¶

inline uint8_t aux_type() const¶: IMAGE_AUX_SYMBOL_TYPE which should be IMAGE_AUX_SYMBOL_TYPE_TOKEN_DEF (1)

inline uint8_t reserved() const¶: Reserved value (should be 0)

inline uint32_t symbol_idx() const¶: Index in the symbol table.

inline const Symbol *symbol() const¶: Symbol referenced by symbol_idx() (if resolved)

inline Symbol *symbol()¶

inline span<const uint8_t> rgb_reserved() const¶: Reserved (padding) values. Should be 0.

virtual std::string to_string() const override¶

~AuxiliaryCLRToken() override = default¶

Public Static Functions

static std::unique_ptr<AuxiliaryCLRToken> parse(const std::vector<uint8_t> &payload)¶

static inline bool classof(const AuxiliarySymbol *sym)¶

Friends

friend class Parser

AuxiliaryFunctionDefinition¶

class AuxiliaryFunctionDefinition : public LIEF::COFF::AuxiliarySymbol ¶

This auxiliary symbols marks the beginning of a function definition.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-1-function-definitions

Public Functions

inline AuxiliaryFunctionDefinition()¶

inline AuxiliaryFunctionDefinition(uint32_t tagidx, uint32_t totalsz, uint32_t ptr_line, uint32_t ptr_next_func, uint16_t padding)¶

AuxiliaryFunctionDefinition(const AuxiliaryFunctionDefinition&) = default¶

AuxiliaryFunctionDefinition &operator=(const AuxiliaryFunctionDefinition&) = default¶

AuxiliaryFunctionDefinition(AuxiliaryFunctionDefinition&&) = default¶

AuxiliaryFunctionDefinition &operator=(AuxiliaryFunctionDefinition&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const override¶

inline uint32_t tag_index() const¶: The symbol-table index of the corresponding .bf (begin function) symbol record.

inline uint32_t total_size() const¶

The size of the executable code for the function itself.

If the function is in its own section, the SizeOfRawData in the section header is greater or equal to this field, depending on alignment considerations.

inline uint32_t ptr_to_line_number() const¶: The file offset of the first COFF line-number entry for the function, or zero if none exists (deprecated)

inline uint32_t ptr_to_next_func() const¶: The symbol-table index of the record for the next function. If the function is the last in the symbol table, this field is set to zero.

inline uint16_t padding() const¶: Padding value (should be 0)

virtual std::string to_string() const override¶

~AuxiliaryFunctionDefinition() override = default¶

Public Static Functions

static std::unique_ptr<AuxiliaryFunctionDefinition> parse(const std::vector<uint8_t> &payload)¶

static inline bool classof(const AuxiliarySymbol *sym)¶

AuxiliaryWeakExternal¶

class AuxiliaryWeakExternal : public LIEF::COFF::AuxiliarySymbol ¶

“Weak externals” are a mechanism for object files that allows flexibility at link time. A module can contain an unresolved external symbol (sym1), but it can also include an auxiliary record that indicates that if sym1 is not present at link time, another external symbol (sym2) is used to resolve references instead.

If a definition of sym1 is linked, then an external reference to the symbol is resolved normally. If a definition of sym1 is not linked, then all references to the weak external for sym1 refer to sym2 instead. The external symbol, sym2, must always be linked; typically, it is defined in the module that contains the weak reference to sym1.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-3-weak-externals

Public Types

enum class CHARACTERISTICS : uint32_t¶

Values:

enumerator SEARCH_NOLIBRARY = 1¶: No library search for sym1 should be performed.

enumerator SEARCH_LIBRARY = 2¶: A library search for sym1 should be performed.

enumerator SEARCH_ALIAS = 3¶: sym1 is an alias for sym2

enumerator ANTI_DEPENDENCY = 4¶

Public Functions

inline AuxiliaryWeakExternal()¶

inline AuxiliaryWeakExternal(uint32_t sym_idx, uint32_t characteristics, std::vector<uint8_t> padding)¶

AuxiliaryWeakExternal(const AuxiliaryWeakExternal&) = default¶

AuxiliaryWeakExternal &operator=(const AuxiliaryWeakExternal&) = default¶

AuxiliaryWeakExternal(AuxiliaryWeakExternal&&) = default¶

AuxiliaryWeakExternal &operator=(AuxiliaryWeakExternal&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const override¶

inline uint32_t sym_idx() const¶: The symbol-table index of sym2, the symbol to be linked if sym1 is not found.

inline CHARACTERISTICS characteristics() const¶

inline span<const uint8_t> padding() const¶

virtual std::string to_string() const override¶

~AuxiliaryWeakExternal() override = default¶

Public Static Functions

static std::unique_ptr<AuxiliaryWeakExternal> parse(const std::vector<uint8_t> &payload)¶

static inline bool classof(const AuxiliarySymbol *sym)¶

AuxiliarybfAndefSymbol¶

class AuxiliarybfAndefSymbol : public LIEF::COFF::AuxiliarySymbol ¶

Public Functions

inline AuxiliarybfAndefSymbol()¶

AuxiliarybfAndefSymbol(const AuxiliarybfAndefSymbol&) = default¶

AuxiliarybfAndefSymbol &operator=(const AuxiliarybfAndefSymbol&) = default¶

AuxiliarybfAndefSymbol(AuxiliarybfAndefSymbol&&) = default¶

AuxiliarybfAndefSymbol &operator=(AuxiliarybfAndefSymbol&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const override¶

inline virtual std::string to_string() const override¶

~AuxiliarybfAndefSymbol() override = default¶

Public Static Functions

static std::unique_ptr<AuxiliarybfAndefSymbol> parse(Symbol &sym, const std::vector<uint8_t> &payload)¶

static inline bool classof(const AuxiliarySymbol *sym)¶

AuxiliarySectionDefinition¶

class AuxiliarySectionDefinition : public LIEF::COFF::AuxiliarySymbol ¶

This auxiliary symbol exposes information about the associated section.

It duplicates some information that are provided in the section header

Public Types

enum class COMDAT_SELECTION : uint8_t¶

Values for the AuxiliarySectionDefinition::selection attribute.

See: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#comdat-sections-object-only

Values:

enumerator NONE = 0¶

enumerator NODUPLICATES = 1¶: If this symbol is already defined, the linker issues a multiply defined symbol error.

enumerator ANY¶: Any section that defines the same COMDAT symbol can be linked; the rest are removed.

enumerator SAME_SIZE¶: The linker chooses an arbitrary section among the definitions for this symbol. If all definitions are not the same size, a multiply defined symbol error is issued.

enumerator EXACT_MATCH¶: The linker chooses an arbitrary section among the definitions for this symbol. If all definitions do not match exactly, a multiply defined symbol error is issued.

enumerator ASSOCIATIVE¶: The section is linked if a certain other COMDAT section is linked. This other section is indicated by the Number field of the auxiliary symbol record for the section definition. This setting is useful for definitions that have components in multiple sections (for example, code in one and data in another), but where all must be linked or discarded as a set. The other section this section is associated with must be a COMDAT section, which can be another associative COMDAT section. An associative COMDAT section’s section association chain can’t form a loop. The section association chain must eventually come to a COMDAT section that doesn’t have COMDAT_SELECTION::ASSOCIATIVE set.

enumerator LARGEST¶: The linker chooses the largest definition from among all of the definitions for this symbol. If multiple definitions have this size, the choice between them is arbitrary.

Public Functions

inline AuxiliarySectionDefinition()¶

inline AuxiliarySectionDefinition(uint32_t length, uint16_t nb_relocs, uint16_t nb_lines, uint32_t checksum, uint32_t sec_idx, uint8_t selection, uint8_t reserved)¶

AuxiliarySectionDefinition(const AuxiliarySectionDefinition&) = default¶

AuxiliarySectionDefinition &operator=(const AuxiliarySectionDefinition&) = default¶

AuxiliarySectionDefinition(AuxiliarySectionDefinition&&) = default¶

AuxiliarySectionDefinition &operator=(AuxiliarySectionDefinition&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const override¶

inline uint32_t length() const¶: The size of section data. The same as SizeOfRawData in the section header.

inline uint16_t nb_relocs() const¶: The number of relocation entries for the section.

inline uint16_t nb_line_numbers() const¶: The number of line-number entries for the section.

inline uint32_t checksum() const¶: The checksum for communal data. It is applicable if the IMAGE_SCN_LNK_COMDAT flag is set in the section header.

inline uint32_t section_idx() const¶: One-based index into the section table for the associated section. This is used when the COMDAT selection setting is 5.

inline COMDAT_SELECTION selection() const¶: The COMDAT selection number. This is applicable if the section is a COMDAT section.

inline uint8_t reserved() const¶: Reserved value (should be 0)

virtual std::string to_string() const override¶

~AuxiliarySectionDefinition() override = default¶

Public Static Functions

static std::unique_ptr<AuxiliarySectionDefinition> parse(const std::vector<uint8_t> &payload)¶

static inline bool classof(const AuxiliarySymbol *sym)¶

AuxiliaryFile¶

class AuxiliaryFile : public LIEF::COFF::AuxiliarySymbol ¶

This auxiliary symbol represents a filename (auxiliary format 4)

The Symbol::name itself should start with .file, and this auxiliary record gives the name of a source-code file.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-4-files

Public Functions

inline AuxiliaryFile()¶

inline AuxiliaryFile(std::string file)¶

AuxiliaryFile(const AuxiliaryFile&) = default¶

AuxiliaryFile &operator=(const AuxiliaryFile&) = default¶

AuxiliaryFile(AuxiliaryFile&&) = default¶

AuxiliaryFile &operator=(AuxiliaryFile&&) = default¶

inline virtual std::unique_ptr<AuxiliarySymbol> clone() const override¶

inline const std::string &filename() const¶: The associated filename.

inline AuxiliaryFile &filename(std::string file)¶

inline virtual std::string to_string() const override¶

~AuxiliaryFile() override = default¶

Public Static Functions

static std::unique_ptr<AuxiliaryFile> parse(const std::vector<uint8_t> &payload)¶

static inline bool classof(const AuxiliarySymbol *sym)¶

Utilities¶

Header::KIND LIEF::COFF::get_kind(BinaryStream &stream)¶: This function determines if the given stream wraps a COFF binary and if so, whether it’s a regular or bigobj COFF.

inline bool LIEF::COFF::is_coff(BinaryStream &stream)¶: Check if the given stream wraps a COFF file.

inline bool LIEF::COFF::is_coff(const std::string &file)¶: Check if the file is a COFF.

inline bool LIEF::COFF::is_coff(const std::vector<uint8_t> &buffer)¶: Check if the given buffer points to a COFF file.

inline bool LIEF::COFF::is_coff(const uint8_t *buffer, size_t size)¶: Check if the given buffer points to a COFF file.

inline bool LIEF::COFF::is_bigobj(BinaryStream &stream)¶: Check if the COFF file wrapped by the given stream is a bigobj

inline bool LIEF::COFF::is_regular(BinaryStream &stream)¶: Check if the COFF file wrapped by the given stream is regular (i.e. not a bigobj)