Main interface to parse PE binaries. In particular the static functions: Parser::parse should be used to get a LIEF::PE::Binary.
Public Functions
Public Static Functions
Check if the given name is a valid import.
This check verified that:
The name is not too large or empty (cf. https://stackoverflow.com/a/23340781)
All the characters are printable
Check if the given name is a valid DLL name.
This check verifies that:
The name of the DLL is at 4
All the characters are printable
Parse a PE binary from the given filename.
Parse a PE binary from a data buffer.
Parse a PE binary from the given BinaryStream.
This structure is used to tweak the PE Parser (PE::Parser)
Public Functions
Public Members
Parse PE Authenticode signature.
Parse PE Exports Directory.
Parse PE resources tree.
Parse PE relocations.
Whether it should parse in-depth exceptions metadata.
This option is set to off by default since it can introduce a certain overhead.
Whether it should parse nested ARM64X binary.
This option is set to off by default since it can introduce a certain overhead.
Public Static Functions
Friends
Class which represents a PE binary This is the main interface to manage and modify a PE executable.
Public Types
Internal container for storing PE’s Section.
Iterator that outputs Section& object.
Iterator that outputs const Section& object.
Internal container for storing PE’s DataDirectory.
Iterator that outputs DataDirectory&.
Iterator that outputs const DataDirectory&.
Internal container for storing PE’s Relocation.
Iterator that outputs Relocation&.
Iterator that outputs const Relocation&.
Iterator that output Import&.
Iterator that outputs const Import&.
Internal container for storing PE’s DelayImport.
Iterator that output DelayImport&.
Iterator that outputs const DelayImport&.
Internal container for storing Debug information.
Iterator that outputs Debug&.
Iterator that outputs const Debug&.
Internal container for storing COFF Symbols.
Iterator that outputs Symbol&.
Iterator that outputs const Symbol&.
Internal container for storing strings.
Iterator that outputs std::string&.
Iterator that outputs const std::string&.
Internal container for storing PE’s authenticode Signature.
Iterator that outputs Signature&.
Iterator that outputs const Signature&.
Internal container for storing runtime function associated with exceptions.
Iterator that outputs ExceptionInfo&.
Iterator that outputs const ExceptionInfo&.
Public Functions
Convert a Relative Virtual Address into an offset.
The conversion is performed by looking for the section that encompasses the provided RVA.
Convert the absolute virtual address into an offset.
See also
Convert the given offset into a virtual address.
offset – [in] The offset to convert.
slide – [in] If not 0, it will replace the default base address (if any)
Return binary’s imagebase. 0 if not relevant.
The value is the same as those returned by OptionalHeader::imagebase
Find the section associated that encompasses the given offset.
If no section can be found, return a nullptr
Find the section associated that encompasses the given RVA.
If no section can be found, return a nullptr
Return an iterator over the PE’s Section.
Return a reference to the PE::DosHeader object.
Return a reference to the PE::Header object.
Header that follows the header(). It is named optional from the COFF specfication but it is mandatory in a PE file.
Re-compute the value of OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.
This value is computed by LIEF for the current binary object.
Compute the binary’s virtual size. It should match OptionalHeader::sizeof_image.
Compute the size of all the headers.
Check if the current binary contains signatures.
See also
Check if the current binary has resources.
Check if the current binary has exceptions.
Check if the current binary has relocations.
See also
Check if the current binary contains debug information.
Check if the current binary has a load configuration.
Check if the current binary is reproducible build, replacing timestamps by a compile hash.
See also
Return an iterator over the Signature object(s) if the binary is signed.
Verify the binary against the embedded signature(s) (if any) First, it checks that the embedded signatures are correct (c.f. Signature::check) and then, it checks that the authentihash matches ContentInfo::digest.
One can tweak the verification process with the Signature::VERIFICATION_CHECKS flags
See also
Verify the binary with the Signature object provided in the first parameter. It can be used to verify a detached signature:
result<Signature> detached = LIEF::PE::SignatureParser::parse("sig.pkcs7")
if (detached) {
binary->verify_signature(detached.value());
}
Compute the authentihash according to the algorithm provided in the first parameter.
Return binary Symbols.
Iterator over the strings located in the COFF string table.
Try to find the COFF string at the given offset in the COFF string table.
Warning
This offset must include the first 4 bytes holding the size of the table. Hence, the first string starts a the offset 4.
Return resources as a tree or a nullptr if there is no resources.
Change or set the current resource tree with the new one provided in parameter.
Return the ResourcesManager (class to manage resources more easily than the tree one)
Return binary’s section from its name. If the secion can’t be found, return a nullptr.
name – [in] Name of the Section
Return the section associated with import table or a nullptr if the binary does not have an import table.
Delete the section with the given name.
name – [in] Name of section to delete
clear – [in] if true clear the section’s content with 0 before removing (default: false)
Add a section to the binary and return the section added.
Return an iterator over the PE’s Relocation.
Add a new PE Relocation.
Remove all the relocations.
Return an iterator over the DataDirectory present in the Binary.
Return the DataDirectory with the given type (or index)
Check if the current binary has the given DataDirectory::TYPES.
Return an iterator over the Debug entries.
Remove all debug info from the binary.
Return the CodeViewPDB object if present.
Retrun the LoadConfiguration object or a nullptr if the binary does not use the LoadConfiguration.
Return the overlay content.
Return the original overlay offset.
Return the DOS stub content.
Update the DOS stub content.
Return a reference to the RichHeader object.
Set a RichHeader object in the current Binary.
Check if the current binary has a RichHeader object.
Return an iterator over the binary imports.
Return the Import matching the provided name (case sensitive)
If the import can’t be found, it returns a nullptr
True if the binary imports the given library name
Check if the current binary contains delay imports.
Return an iterator over the binary’s delay imports.
Returns the DelayImport matching the given name. If it can’t be found, it returns a nullptr.
True if the binary delay-imports the given library name
Add an imported library (i.e. DLL) to the binary.
Remove the imported library with the given name
Return true if the deletion succeed, false otherwise.
Remove all libraries in the binary.
Reconstruct the binary object and write the raw PE in filename
Reconstruct the binary object with the given configuration and write it in filename
Reconstruct the binary object and write the raw PE in os stream.
Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.
Method so that a visitor can visit us.
Patch the content at virtual address address with patch_value.
address – [in] Address to patch
patch_value – [in] Patch to apply
addr_type – [in] Type of the Virtual address: VA or RVA. Default: Auto
Patch the address with the given value.
address – [in] Address to patch
patch_value – [in] Patch to apply
size – [in] Size of the value in bytes (1, 2, … 8)
addr_type – [in] Type of the Virtual address: VA or RVA. Default: Auto
Fill the content at the provided with a fixed value.
Return the content located at the provided virtual address.
virtual_address – [in] Virtual address of the data to retrieve
size – [in] Size in bytes of the data to retrieve
addr_type – [in] Type of the Virtual address: VA or RVA. Default: Auto
Return the binary’s entrypoint (It is the same value as OptionalHeader::addressof_entrypoint.
Check if the binary is position independent.
Check if the binary uses NX protection.
Return the data directory associated with the export table.
Return the data directory associated with the import table.
Return the data directory associated with the resources tree.
Return the data directory associated with the exceptions.
Return the data directory associated with the certificate table (authenticode)
Return the data directory associated with the relocation table.
Return the data directory associated with the debug table.
Return the data directory associated with TLS.
Return the data directory associated with the load config.
Return the data directory associated with the IAT.
Return the data directory associated with delayed imports.
Return the list of the binary constructors.
In a PE file, we consider a constructors as a callback in the TLS object
All functions found in the binary
Functions found in the Exception table directory.
Iterator over the exception (_RUNTIME_FUNCTION) functions.
Warning
This function requires that the option LIEF::PE::ParserConfig::parse_exceptions was turned on (default is false) when parsing the binary
Try to find the exception info at the given RVA.
Warning
This function requires that the option LIEF::PE::ParserConfig::parse_exceptions was turned on (default is false) when parsing the binary
True if this binary is compiled in ARM64EC mode (emulation compatible)
True if this binary is compiled in ARM64X mode (contains both ARM64 and ARM64EC code)
If the current binary contains dynamic relocations (e.g. LIEF::PE::DynamicFixupARM64X), this function returns the relocated view of the current PE.
This can be used to get the alternative PE binary, targeting a different architectures.
Warning
This function requires that the option LIEF::PE::ParserConfig::parse_arm64x_binary was turned on (default is false) when parsing the binary
Class which represents the DosHeader, the first structure presents at the beginning of a PE file.
Most of the attributes of this structures are no longer relevant.
Public Types
Public Functions
Magic bytes identifying a DOS/PE binary.
Return the offset to the PE::Header structure.
Public Static Attributes
Class that represents the PE header (which follows the DosHeader)
Public Types
Values:
Alpha AXP, 32-bit address space
Alpha AXP, 64-bit address space
Matsushita AM33
AMD x64
ARM little endian
ARMv7 Thumb mode only
ARMv8 in 64-bits mode
EFI byte code
Intel 386 or later
Intel Itanium processor family
LoongArch 32-bit processor family
LoongArch 64-bit processor family
Mitsubishi M32R little endian
MIPS16
MIPS with FPU
MIPS16 with FPU
Power PC little endian
Power PC with floating point
Power PC big endian
MIPS with little endian
RISC-V 32-bit address space
RISC-V 64-bit address space
RISC-V 128-bit address space
Hitachi SH3
Hitachi SH3 DSP
Hitachi SH4
Hitachi SH5
ARM or Thumb
MIPS little-endian WCE v2
Values:
The file does not contain base relocations and must be loaded at its preferred base. If this cannot be done, the loader will error.
File is executable (i.e. no unresolved externel references).
COFF line numbers have been stripped. This is deprecated and should be 0
COFF symbol table entries for local symbols have been removed. This is deprecated and should be 0.
Aggressively trim working set. This is deprecated and must be 0.
Image can handle > 2GiB addresses.
Little endian: the LSB precedes the MSB in memory. This is deprecated and should be 0.
Machine is based on a 32bit word architecture.
Debugging info has been removed.
If the image is on removable media, fully load it and copy it to swap.
If the image is on network media, fully load it and copy it to swap.
The image file is a system file, not a user program.
The image file is a DLL.
This file should only be run on a uniprocessor machine.
Big endian: the MSB precedes the LSB in memory. This is deprecated
Public Functions
Signature (or magic byte) of the header. It must be: PE\0\0
The targeted machine architecture like ARM, x86, AMD64, …
The number of sections in the binary.
The low 32 bits of the number of seconds since January 1, 1970. It indicates when the file was created.
The offset of the COFF symbol table.
This value should be zero for an image because COFF debugging information is deprecated.
The number of entries in the symbol table. This data can be used to locate the string table which immediately follows the symbol table.
This value should be zero for an image because COFF debugging information is deprecated.
Size of the OptionalHeader AND the data directories which follows this header.
This value is equivalent to: sizeof(pe_optional_header) + NB_DATA_DIR * sizeof(data_directory)
This size should be either:
0xE0 (224) for a PE32 (32 bits)
0xF0 (240) for a PE32+ (64 bits)
Characteristics of the binary like whether it is a DLL or an executable.
Check if the given CHARACTERISTICS is present.
The list of the CHARACTERISTICS.
Public Static Functions
Class which represents the PE OptionalHeader structure.
Note that the term optional comes from the COFF specifications but this header is mandatory for a PE binary.
Public Types
Values:
ASLR with 64 bit address space.
DLL can be relocated at load time.
Code integrity checks are enforced.
Image is NX compatible.
Isolation aware, but do not isolate the image.
Does not use structured exception handling (SEH). No SEH handler may be called in this image.
Do not bind the image.
Image should execute in an AppContainer.
A WDM driver.
Image supports Control Flow Guard.
Terminal Server aware.
Values:
An unknown subsystem.
Device drivers and native Windows processes.
The Windows GUI subsystem.
The Windows character subsystem.
The OS/2 character subsytem.
The POSIX character subsystem.
Native Windows 9x driver.
Windows CE.
An EFI application.
An EFI driver with boot services.
An EFI driver with run-time services.
An EFI ROM image.
XBOX.
A BCD application.
Public Functions
The linker major version.
The linker minor version.
The size of the code .text section or the sum of all the sections that contain code (i.e. PE::Section with the flag Section::CHARACTERISTICS::CNT_CODE)
The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.
The sections associated with the initialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_INITIALIZED_DATA
The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.
The sections associated with the uninitialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_UNINITIALIZED_DATA
The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.
An entry point is optional for DLLs. When no entry point is present, this field must be zero.
Address relative to the imagebase where the binary’s code starts.
Address relative to the imagebase where the binary’s data starts.
Warning
This value is not present for PE64 files
The preferred base address when mapping the binary in memory.
The alignment (in bytes) of sections when they are loaded into memory.
It must be greater than or equal to file_alignment and the default is the page size for the architecture.
The section’s file alignment. This value must be a power of 2 between 512 and 64K. The default value is usually 512.
The major version number of the required operating system.
The minor version number of the required operating system.
The major version number of the image.
The minor version number of the image.
The major version number of the subsystem.
The minor version number of the subsystem.
According to the official PE specifications, this value is reserved and should be 0.
The size (in bytes) of the image, including all headers, as the image is loaded in memory.
It must be a multiple of section_alignment and should match Binary::virtual_size
Size of the DosHeader + PE Header + Section headers rounded up to a multiple of the file_alignment.
The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.
The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.
Some characteristics of the underlying binary like the support of the PIE. The prefix dll comes from the official PE specifications but these characteristics are also used for executables
Size of the stack to reserve when loading the PE binary.
Only OptionalHeader::sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.
Size of the stack to commit.
Size of the heap to reserve when loading the PE binary.
Size of the heap to commit.
According to the PE specifications, this value is reserved and should be 0.
The number of DataDirectory that follow this header.
Check if the given DLL_CHARACTERISTICS is included in the dll_characteristics.
Return the list of the dll_characteristics as an std::set of DLL_CHARACTERISTICS.
Add a DLL_CHARACTERISTICS to the current characteristics.
Remove a DLL_CHARACTERISTICS from the current characteristics.
Public Static Functions
Friends
Class that represents a PE data directory entry.
Public Types
Values:
Public Functions
The relative virtual address of the content of this data directory.
The size of the content.
Check if the content of this data directory is associated with a PE Section.
Raw content (bytes) referenced by this data directory.
Section associated with the DataDirectory.
Public Static Attributes
Friends
Class which represents a PE section.
Public Types
Values:
Public Functions
Return the size of the data in the section.
Return the size of the data when mapped in memory.
If this value is greater than sizeof_raw_data, the section is zero-padded.
The actual content of the section.
Content of the section’s padding area.
The offset of the section data in the PE file.
The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.
For modern PE binaries, this value is usually set to 0 as the relocations are managed by PE::Relocation.
The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.
No longer used in recent PE binaries produced by Visual Studio.
No longer used in recent PE binaries produced by Visual Studio.
Characteristics of the section: it provides information about the permissions of the section when mapped. It can also provide information about the purpose of the section (contain code, BSS-like, …)
Check if the section has the given CHARACTERISTICS.
List of the section characteristics.
True if the section can be discarded as needed.
This is typically the case for debug-related sections
Fill the content of the section with the given char
Change section content.
Change the section’s name.
Return the COFF string associated with the section’s name (or a nullptr)
This coff string is usually present for long section names whose length does not fit in the 8 bytes allocated by the PE format.
section’s name
Public Static Attributes
Class that represents a PE import.
Public Types
Public Functions
The index of the first forwarder reference.
The stamp that is set to zero until the image is bound. After the image is bound, this field is set to the time/data stamp of the DLL.
Iterator over the PE::ImportEntry.
The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.
Warning
This address could change when re-building the binary
Return the relative virtual address of the import lookup table.
Warning
This address could change when re-building the binary
Return the Function’s RVA from the import address table (IAT)
Warning
This address could change when re-building the binary
Return the imported function with the given name.
Return the library’s name (e.g. kernel32.dll)
Change the current import name.
The original name rva.
Return the PE::DataDirectory associated with this import. It should be the one at index PE::DataDirectory::TYPES::IMPORT_TABLE.
If the data directory can’t be found, return a nullptr
Return the PE::DataDirectory associated associated with the IAT. It should be the one at index PE::DataDirectory::TYPES::IAT.
If the data directory can’t be found, return a nullptr
Add a new import entry (i.e. an imported function)
Add a new import entry with the given name (i.e. an imported function)
Remove the import entry with the given name.
Return true if the deletion succeed, false otherwise
Remove the import entry with the given ordinal number.
Return true if the deletion succeed, false otherwise
Class that represents an entry (i.e. an import) in the import table (Import).
It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API
Public Functions
Demangled representation of the symbol or an empty string if it can’t be demangled.
True if it is an import by ordinal
The ordinal value.
See also
Index into the Export::entries that is used to speed-up the symbol resolution.
Value of the current entry in the Import Address Table. It should match the lookup table value.
Original value in the import lookup table. This value should match the iat_value().
Raw value.
Friends
Class that represents a PE delayed import.
Public Types
Public Functions
According to the official PE specifications, this value is reserved and should be set to 0.
Return the library’s name (e.g. kernel32.dll)
The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.
RVA of the delay-load import address table.
RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table.
RVA of the bound delay-load import address table or 0 if the table does not exist.
RVA of the unload delay-load import address table or 0 if the table does not exist.
According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.
The timestamp of the DLL to which this image has been bound.
Iterator over the DelayImport’s entries (DelayImportEntry)
Iterator over the DelayImport’s entries (DelayImportEntry)
Friends
Class that represents an entry (i.e. an import) in the delay import table (DelayImport).
It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API.
The meaning of LIEF::Symbol::value for this PE object is the address (as an RVA) in the IAT where the resolution should take place.
Public Functions
Demangled representation of the symbol or an empty string if it can’t be demangled.
True if it is an import by ordinal
The ordinal value.
See also
Index into the Export::entries that is used to speed-up the symbol resolution.
Raw value.
Friends
Class which represents the PE Thread Local Storage.
This PE structure is also used to implement binary/library constructors.
Public Functions
List of the callback associated with the current TLS.
These functions are called before any other functions.
Pair (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.
Note
These addresses are not RVA. It is addresses for which there should be a rebase relocation in the .reloc section.
The location to receive the TLS index assigned by the loader. This location should be located in a writable section like .data
Pointer to an array of TLS callback functions.
The array is null-terminated, so if there is no callback function this field points to 4 bytes set to zero.
Size in bytes of the zero to be padded after the data specified by data_template.
The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.
True if there is a data directory associated with this entry.
Return the DataDirectory associated with this object or a nullptr If it exists, its type should be DataDirectory::TYPES::TLS_TABLE.
Check if there is a section associated with this entry.
This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: CodeCodeView)
Subclassed by LIEF::PE::CodeView, LIEF::PE::ExDllCharacteristics, LIEF::PE::FPO, LIEF::PE::PDBChecksum, LIEF::PE::Pogo, LIEF::PE::Repro, LIEF::PE::VCFeature
Public Types
The entry types.
Values:
Frame pointer omission information.
Miscellaneous debug information.
The mapping from an RVA in image to an RVA in source image.
The mapping from an RVA in source image to an RVA in image.
Reserved for Borland.
Reserved.
Reserved.
Visual C++ feature information.
Profile Guided Optimization metadata.
Incremental Link Time Code Generation metadata.
PE determinism or reproducibility information.
Checksum of the PDB file.
Extended DLL characteristics.
Public Functions
Reserved should be 0.
The time and date when the debug data was created.
The major version number of the debug data format.
The minor version number of the debug data format.
Size of the debug data.
Address of the debug data relative to the image base.
File offset of the debug data.
Public Static Functions
Interface for the (generic) Debug CodeView (IMAGE_DEBUG_TYPE_CODEVIEW)
Subclassed by LIEF::PE::CodeViewPDB
Public Types
Public Functions
The signature that defines the underlying type of the payload.
CodeView PDB specialization.
Public Types
Public Functions
The GUID signature to verify against the .pdb file signature. This attribute might be used to lookup remote PDB file on a symbol server.
Age value to verify. The age does not necessarily correspond to any known time value, it is used to determine if a .pdb file is out of sync with a corresponding .exe file.
The 32-bit signature to verify against the .pdb file signature.
The path to the .pdb file.
Class that represents a PE-COFF symbol.
Usually PE debug information (including symbols) are wrapped in a PDB file referenced by the CodeViewPDB object.
The PE format allows to define (by COFF inheritance) a symbol table that is different from the regular PDB symbols. This table contains COFF(16) symbols which can reference auxiliary symbols.
Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-symbol-table
Warning
The LIEF::Symbol::value() should be interpreted in perspective of the Symbol::storage_class().
Public Types
Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#storage-class.
Values:
Physical end of function.
No symbol.
Stack variable.
External symbol.
Static.
Register variable.
External definition.
Label.
Undefined label.
Member of structure.
Structure tag.
Member of union.
Union tag.
Type definition.
Undefined static.
Enumeration tag.
Member of enumeration.
Register parameter.
Bit field.
End of structure.
File name.
Duplicate tag.
Values:
No type information or unknown base type.
Used with void pointers and functions.
A character (signed byte).
A 2-byte signed integer.
A natural integer type on the target.
A 4-byte signed integer.
A 4-byte floating-point number.
An 8-byte floating-point number.
A structure.
An union.
An enumerated type.
A member of enumeration (a specific value).
A byte; unsigned 1-byte integer.
A word; unsigned 2-byte integer.
An unsigned integer of natural size.
An unsigned 4-byte integer.
Values:
No complex type; simple scalar variable.
A pointer to base type.
A function that returns a base type.
An array of base type.
Public Functions
The symbol type. The first byte represents the base type (see: base_type()) while the upper byte represents the complex type, if any (see: complex_type()).
Storage class of the symbol which indicates what kind of definition a symbol represents.
The complex type (if any)
The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning:
0: The symbol record is not yet assigned a section. A value of zero indicates that a reference to an external symbol is defined elsewhere. A value of non-zero is a common symbol with a size that is specified by the value.
-1: The symbol has an absolute (non-relocatable) value and is not an address.
-2: The symbol provides general type or debugging information but does not correspond to a section. Microsoft tools use this setting along with .file records
Auxiliary symbols associated with this symbol.
Name of the symbol. If the symbol does not use a short name, it returns the string pointed by the COFF string offset.
COFF string used to represents the (long) symbol name.
Add a new auxiliary record.
Public Static Functions
Check if the given section index is a reserved value.
Public Static Attributes
The symbol provides general type or debugging information but does not correspond to a section. Microsoft tools use this setting along with .file records.
The symbol has an absolute (non-relocatable) value and is not an address.
The symbol record is not yet assigned a section. A value of zero indicates that a reference to an external symbol is defined elsewhere. A value of non-zero is a common symbol with a size that is specified by the value.
Class that represents an auxiliary symbol.
An auxiliary symbol has the same size as a regular LIEF::PE::Symbol (18 bytes) but its content depends on the the parent symbol.
Subclassed by LIEF::PE::AuxiliaryCLRToken, LIEF::PE::AuxiliaryFile, LIEF::PE::AuxiliaryFunctionDefinition, LIEF::PE::AuxiliarySectionDefinition, LIEF::PE::AuxiliaryWeakExternal, LIEF::PE::AuxiliarybfAndefSymbol
Public Types
Type discriminator for the subclasses.
Values:
Auxiliary Format 1 from the PE-COFF documentation.
Auxiliary Format 2: .bf and .ef Symbols from the PE-COFF documentation.
Auxiliary Format 3: Weak Externals from the PE-COFF documentation.
Auxiliary Format 4: Files from the PE-COFF documentation.
Public Functions
For unknown type only, return the raw representation of this symbol.
Helper to downcast a AuxiliarySymbol into a concrete implementation.
Public Static Functions
Friends
Public Functions
Public Static Functions
This auxiliary symbols marks the beginning of a function definition.
Public Functions
The symbol-table index of the corresponding .bf (begin function) symbol record.
The size of the executable code for the function itself.
If the function is in its own section, the SizeOfRawData in the section header is greater or equal to this field, depending on alignment considerations.
The file offset of the first COFF line-number entry for the function, or zero if none exists (deprecated)
The symbol-table index of the record for the next function. If the function is the last in the symbol table, this field is set to zero.
Padding value (should be 0)
Public Static Functions
“Weak externals” are a mechanism for object files that allows flexibility at link time. A module can contain an unresolved external symbol (sym1), but it can also include an auxiliary record that indicates that if sym1 is not present at link time, another external symbol (sym2) is used to resolve references instead.
If a definition of sym1 is linked, then an external reference to the symbol is resolved normally. If a definition of sym1 is not linked, then all references to the weak external for sym1 refer to sym2 instead. The external symbol, sym2, must always be linked; typically, it is defined in the module that contains the weak reference to sym1.
Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-3-weak-externals
Public Types
Public Functions
The symbol-table index of sym2, the symbol to be linked if sym1 is not found.
Public Static Functions
Public Functions
Public Static Functions
This auxiliary symbol exposes information about the associated section.
It duplicates some information that are provided in the section header
Public Functions
The size of section data. The same as SizeOfRawData in the section header.
The number of relocation entries for the section.
The number of line-number entries for the section.
The checksum for communal data. It is applicable if the IMAGE_SCN_LNK_COMDAT flag is set in the section header.
One-based index into the section table for the associated section. This is used when the COMDAT selection setting is 5.
The COMDAT selection number. This is applicable if the section is a COMDAT section.
Public Static Functions
This auxiliary symbol represents a filename (auxiliary format 4)
The Symbol::name itself should start with .file, and this auxiliary record gives the name of a source-code file.
Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-4-files
Public Functions
The associated filename.
Public Static Functions
Class which represents the Base Relocation Block We usually find this structure in the .reloc section.
Public Types
Public Functions
The RVA for which the offset of the relocation entries (RelocationEntry) is added.
The total number of bytes in the base relocation block.
block_size = sizeof(BaseRelocationBlock) +
nb_of_relocs * sizeof(uint16_t = RelocationEntry)
Iterator over the RelocationEntry.
Public Static Functions
Friends
Class which represents an entry of the PE relocation table.
It extends the LIEF::Relocation object to provide an uniform API across the file formats
Public Types
Relocation type as described in https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#base-relocation-types.
Values:
This value matches: IMAGE_REL_BASED_ABSOLUTE The base relocation is skipped. This type can be used to pad a block.
This value matches: IMAGE_REL_BASED_HIGH The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word.
Operation:
write<int16_t>(ADDR, ((read<int16_t>(ADDR) << 16) + DELTA) >> 16)
The base relocation adds the low 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the low half of a 32-bit word.
Operation:
write<int16_t>(ADDR, ((int32_t_t)read<int16_t>(ADDR) + DELTA))
This value matches IMAGE_REL_BASED_HIGHLOW
The base relocation applies all 32 bits of the difference to the 32-bit field at offset.
Operation:
write<int32_t_t>(ADDR, read<int32_t_t>(ADDR) + DELTA)
This value matches IMAGE_REL_BASED_HIGHADJ
The base relocation adds the high 16 bits of the difference to the 16-bit field at offset. The 16-bit field represents the high value of a 32-bit word. The low 16 bits of the 32-bit value are stored in the 16-bit word that follows this base relocation. This means that this base relocation occupies two slots.
This value matches IMAGE_REL_BASED_DIR64
The base relocation applies the difference to the 64-bit field at offset.
Operation:
write<int64_t_t>(ADDR, read<int64_t_t>(ADDR) + DELTA)
Public Functions
The address of the relocation.
The size of the relocatable pointer.
Raw data of the relocation:
The high 4 bits store the relocation type
The low 12 bits store the relocation offset
Offset relative to Relocation::virtual_address where the relocation occurs.
Type of the relocation.
Method so that the visitor can visit us.
Public Static Functions
Public Static Attributes
Friends
Class which represents a PE Export.
Public Types
Public Functions
According to the PE specifications this value is reserved and should be set to 0.
The time and date that the export data was created.
The major version number (can be user-defined)
The minor version number (can be user-defined)
The starting number for the exports. Usually this value is set to 1.
The name of the library exported (e.g. KERNEL32.dll)
Iterator over the ExportEntry.
Address of the ASCII DLL’s name (RVA)
RVA of the export address table.
Number of entries in the export address table.
RVA to the list of exported names.
Number of exports by name.
RVA to the list of exported ordinals.
Find the export entry with the given name.
Find the export entry with the given ordinal number.
Find the export entry at the provided RVA.
Add the given export and return the newly created and added export.
Remove the given export entry.
Remove the export entry with the given name.
Remove the export entry with the given RVA.
Class which represents a PE Export entry (cf. PE::Export)
Public Functions
Demangled representation of the symbol or an empty string if it can’t be demangled.
Ordinal value associated with this exported entry.
This value is computed as the index of this entry in the address table plus the ordinal base (Export::ordinal_base)
Address of the current exported function in the DLL.
Warning
If this entry is external to the DLL then it returns 0 and the external address is returned by function_rva()
Friends
Friends
Main interface for the PKCS #7 signature scheme.
Public Types
Flags returned by the verification functions.
Values:
Flags to tweak the verification process of the signature.
See Signature::check and LIEF::PE::Binary::verify_signature
Values:
Default behavior that tries to follow the Microsoft verification process as close as possible
Only check that Binary::authentihash matches ContentInfo::digest regardless of the signature’s validity
Same semantic as WTD_LIFETIME_SIGNING_FLAG
Skip the verification of the certificates time validities so that even though a certificate expired, it returns VERIFICATION_FLAGS::OK
Iterator which outputs const x509& certificates.
Iterator which outputs x509& certificates.
Iterator which outputs const SignerInfo&.
Iterator which outputs SignerInfo&.
Public Functions
Should be 1.
Algorithm used to digest the file.
It should match SignerInfo::digest_algorithm
Return the ContentInfo.
Return an iterator over x509 certificates.
Return an iterator over the signers (SignerInfo) defined in the PKCS #7 signature.
Return the raw original PKCS7 signature.
Find x509 certificate according to its serial number.
Find x509 certificate according to its subject.
Find x509 certificate according to its subject AND serial number.
Find x509 certificate according to its issuer.
Find x509 certificate according to its issuer AND serial number.
Check if this signature is valid according to the Authenticode/PKCS #7 verification scheme.
By default, it performs the following verifications:
It must contain only one signer info
Signature::digest_algorithm must match:
The x509 certificate specified by SignerInfo::serial_number and SignerInfo::issuer must exist within Signature::certificates
Given the x509 certificate, compare SignerInfo::encrypted_digest against either:
hash of authenticated attributes if present
hash of ContentInfo
If authenticated attributes are present, check that a PKCS9_MESSAGE_DIGEST attribute exists and that its value matches hash of ContentInfo
Check the validity of the PKCS #9 counter signature if present
If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See LIEF::PE::Signature::VERIFICATION_CHECKS::LIFETIME_SIGNING and LIEF::PE::Signature::VERIFICATION_CHECKS::SKIP_CERT_TIME)
See: LIEF::PE::Signature::VERIFICATION_CHECKS to tweak the behavior
Public Static Functions
Hash the input given the algorithm.
Convert a verification flag into a humman representation. e.g VERIFICATION_FLAGS.BAD_DIGEST | VERIFICATION_FLAGS.BAD_SIGNATURE | VERIFICATION_FLAGS.CERT_EXPIRED.
Interface over PKCS #7 attribute.
Subclassed by LIEF::PE::ContentType, LIEF::PE::GenericType, LIEF::PE::MsCounterSign, LIEF::PE::MsManifestBinaryID, LIEF::PE::MsSpcNestedSignature, LIEF::PE::MsSpcStatementType, LIEF::PE::PKCS9AtSequenceNumber, LIEF::PE::PKCS9CounterSignature, LIEF::PE::PKCS9MessageDigest, LIEF::PE::PKCS9SigningTime, LIEF::PE::SigningCertificateV2, LIEF::PE::SpcRelaxedPeMarkerCheck, LIEF::PE::SpcSpOpusInfo
Public Types
Values:
Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
ContentType ::= OBJECT IDENTIFIER
Public Functions
OID as described in RFC #2985.
Print information about the attribute.
Interface over an attribute for which the internal structure is not supported by LIEF.
Public Functions
OID of the original attribute.
Original DER blob of the attribute.
Print information about the attribute.
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1
The internal structure is not documented but we can infer the following structure:
MsSpcNestedSignature ::= SET OF SignedData
SignedData is the structure described in PKCS #7 RFC (LIEF::PE::Signature)
Public Functions
Print information about the attribute.
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11
The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format
SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER
Public Functions
According to the documentation:
The SpcStatementType MUST contain one Object Identifier with either the value
1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID)or1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID).
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
sequenceNumber ATTRIBUTE ::= {
WITH SYNTAX SequenceNumber
EQUALITY MATCHING RULE integerMatch
SINGLE VALUE TRUE
ID pkcs-9-at-sequenceNumber
}
SequenceNumber ::= INTEGER (1..MAX)
Public Functions
Number as described in the RFC.
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
counterSignature ATTRIBUTE ::= {
WITH SYNTAX SignerInfo
ID pkcs-9-at-counterSignature
}
Public Functions
SignerInfo as described in the RFC #2985.
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
messageDigest ATTRIBUTE ::= {
WITH SYNTAX MessageDigest
EQUALITY MATCHING RULE octetStringMatch
SINGLE VALUE TRUE
ID pkcs-9-at-messageDigest
}
MessageDigest ::= OCTET STRING
Public Functions
Message digeset as a blob of bytes as described in the RFC.
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
signingTime ATTRIBUTE ::= {
WITH SYNTAX SigningTime
EQUALITY MATCHING RULE signingTimeMatch
SINGLE VALUE TRUE
ID pkcs-9-at-signingTime
}
SigningTime ::= Time -- imported from ISO/IEC 9594-8
Public Types
Time as an array [year, month, day, hour, min, sec].
Public Functions
Print information about the attribute.
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12
The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format
SpcSpOpusInfo ::= SEQUENCE {
programName [0] EXPLICIT SpcString OPTIONAL,
moreInfo [1] EXPLICIT SpcLink OPTIONAL
}
Public Functions
Program description provided by the publisher.
Other information such as an url.
Print information about the attribute.
Public Functions
Digest used to hash the file.
It should match LIEF::PE::SignerInfo::digest_algorithm
PE’s authentihash.
See also
Public Static Functions
Public Static Attributes
Friends
Public Functions
Public Static Functions
Friends
Object that wraps a RSA key.
Public Types
Container for BigInt.
Public Functions
True if it embeds a public key.
True if it embeds a private key.
RSA public modulus.
RSA public exponent.
RSA private exponent.
First prime factor.
Second prime factor.
Size of the public modulus (in bits)
Interface over a x509 certificate.
Public Types
Public key scheme.
Values:
Unknown scheme.
RSA Scheme.
Elliptic-curve scheme.
Elliptic-curve Diffie-Hellman.
RSA scheme with an alternative implementation for signing and decrypting.
RSA Probabilistic signature scheme.
Mirror of mbedtls’s X509 Verify codes: MBEDTLS_X509_XX.
It must be sync with include/mbedtls/x509.h
Values:
The verification succeed
The certificate validity has expired.
The certificate has been revoked (is on a CRL).
The certificate Common Name (CN) does not match with the expected CN.
The certificate is not correctly signed by the trusted CA.
The CRL is not correctly signed by the trusted CA.
The CRL is expired.
Certificate was missing.
Certificate verification was skipped.
Other reason (can be used by verify callback)
The certificate validity starts in the future.
The CRL is from the future
Usage does not match the keyUsage extension.
Usage does not match the extendedKeyUsage extension.
Usage does not match the nsCertType extension.
The certificate is signed with an unacceptable hash.
The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).
The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
The CRL is signed with an unacceptable hash.
The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).
The CRL is signed with an unacceptable key (eg bad curve, RSA too short).
Key usage as defined in RFC #5280 - section-4.2.1.3
Values:
The key is used for digital signature
The key is used for digital signature AND to protects against falsely denying some action
The key is used for enciphering private or secret keys
The key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher
The Key is used for key agreement. (e.g. with Diffie-Hellman)
The key is used for verifying signatures on public key certificates
The key is used for verifying signatures on certificate revocation lists
In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for enciphering data while performing key agreement
In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for deciphering data while performing key agreement
Tuple (Year, Month, Day, Hour, Minute, Second)
Public Functions
X.509 version. (1=v1, 2=v2, 3=v3)
Unique id for certificate issued by a specific CA.
Issuer informations.
Subject informations.
Try to decrypt the given signature and check if it matches the given hash according to the hash algorithm provided.
If the underlying public-key scheme is RSA, return the RSA information. Otherwise, return a nullptr
Verify that this certificate has been used to trust the given certificate.
Verify that this certificate is trusted by the given CA list.
Policy information terms as OID (see RFC #5280)
Indicates one or more purposes for which the certified public key may be used (OID types)
The signature of the certificate.
Public Static Functions
Parse x509 certificate(s) from file path.
Parse x509 certificate(s) from raw blob.
Return True if before is before than after. False otherwise.
ContentInfo as described in the RFC2315 (https://tools.ietf.org/html/rfc2315#section-7)
ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
ContentType ::= OBJECT IDENTIFIER
In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent
SpcIndirectDataContent ::= SEQUENCE {
data SpcAttributeTypeAndOptionalValue,
messageDigest DigestInfo
}
SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
type ObjectID,
value [0] EXPLICIT ANY OPTIONAL
}
For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTETSTRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm ObjectID,
parameters [0] EXPLICIT ANY OPTIONAL
}
Public Functions
Return the OID that describes the content wrapped by this object. It should match SPC_INDIRECT_DATA_OBJID (1.3.6.1.4.1.311.2.1.4)
Return the digest (authentihash) if the underlying content type is SPC_INDIRECT_DATA_OBJID Otherwise, return an empty vector.
Return the digest used to hash the file.
Friends
Subclassed by LIEF::PE::GenericContent, LIEF::PE::PKCS9TSTInfo, LIEF::PE::SpcIndirectData
SignerInfo as described in the RFC 2315
SignerInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}
EncryptedDigest ::= OCTET STRING
Public Types
Internal container used to store both authenticated and unauthenticated attributes.
Iterator which outputs const Attribute&.
Public Functions
Should be 1.
Return the serial number associated with the x509 certificate used by this signer.
Return the x509::issuer used by this signer.
Algorithm (OID) used to hash the file.
This value should match LIEF::PE::ContentInfo::digest_algorithm and LIEF::PE::Signature::digest_algorithm
Return the (public-key) algorithm used to encrypt the signature.
Return the signature created by the signing certificate’s private key.
Iterator over LIEF::PE::Attribute for authenticated attributes.
Iterator over LIEF::PE::Attribute for unauthenticated attributes.
Return the authenticated or un-authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.
It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.
Return the authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.
It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.
Return the un-authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.
It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.
x509 certificate used by this signer. If it can’t be found, it returns a nullptr
x509 certificate used by this signer. If it can’t be found, it returns a nullptr
Raw blob that is signed by the signer certificate.
Friends
This class exposes the MS Counter Signature attribute.
Public Types
Public Functions
Iterator over the LIEF::PE::x509 certificates of this counter signature.
Signer iterator (same as LIEF::PE::SignerInfo)
Print information about the underlying attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.16.1.4 (PKCS #9)
The internal structure is described in the RFC #3161
TSTInfo ::= SEQUENCE {
version INTEGER { v1(1) },
policy TSAPolicyId,
messageImprint MessageImprint,
serialNumber INTEGER,
genTime GeneralizedTime,
accuracy Accuracy OPTIONAL,
ordering BOOLEAN DEFAULT FALSE,
nonce INTEGER OPTIONAL,
tsa [0] GeneralName OPTIONAL,
extensions [1] IMPLICIT Extensions OPTIONAL
}
TSAPolicyId ::= OBJECT IDENTIFIER
MessageImprint ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
hashedMessage OCTET STRING
}
Accuracy ::= SEQUENCE {
seconds INTEGER OPTIONAL,
millis [0] INTEGER (1..999) OPTIONAL,
micros [1] INTEGER (1..999) OPTIONAL
}
Public Functions
Public Static Functions
Public Static Attributes
Interface over the structure described by the OID 1.3.6.1.4.1.311.10.3.28 (szOID_PLATFORM_MANIFEST_BINARY_ID)
The internal structure is not documented but we can infer the following structure:
szOID_PLATFORM_MANIFEST_BINARY_ID ::= SET OF BinaryID
BinaryID being an alias of UTF8STRING
Public Functions
Print information about the attribute.
The manifest id as a string.
Public Functions
Print information about the underlying attribute.
SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2, policies SEQUENCE OF PolicyInformation OPTIONAL }.
ESSCertIDv2 ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256}, certHash OCTET STRING, issuerSerial IssuerSerial OPTIONAL }
IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber }
PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
Public Functions
Print information about the underlying attribute.
Class that is used to rebuild a raw PE binary from a PE::Binary object.
Public Functions
Perform the build process.
Return the build result.
Write the build result into the output file.
Write the build result into the os stream.
This structure is used to configure the build operation.
The default value of these attributes is set to false if the operation modifies the binary layout even though nothing changed. For instance, building the import table always requires relocating the table to another place. Thus, the default value is false and must be explicitly set to true.
Public Types
Public Members
Whether the builder should reconstruct the imports table. This option should be turned on if you modify imports.
Please check LIEF website for more details
Whether the builder should reconstruct the export table This option should be turned on if you modify exports.
Please check LIEF website for more details
Whether the builder should regenerate the resources tree.
Whether the builder should regenerate relocations.
Whether the builder should regenerate the load config.
Whether the builder should write back any overlay data.
Whether the builder should regenerate debug entries.
Whether the builder should write back dos stub (including the rich header)
If the resources tree needs to be relocated, this defines the name of the new section that contains the relocated tree.
The Resource Manager provides an enhanced API to manipulate the resource tree.
Public Types
The different types of resources From https://learn.microsoft.com/en-us/windows/win32/menurc/resource-types.
Values:
Public Functions
Return the ResourceNode associated with the given TYPE or a nullptr if not found;.
true if resources contain the Manifest element
Return the manifest as a std::string or an empty string if not found or corrupted.
Change or set the manifest. If the manifest node path does not exist, all required nodes are created.
true if resources a LIEF::PE::ResourceVersion
Return a list of verison info (VS_VERSIONINFO).
true if resources contain a LIEF::PE::ResourceIcon
Return the list of the icons present in the resources.
Add an icon to the resources.
true if resources contain dialogs
Return the list of the dialogs present in the resource.
true if the resources contain a string table
Return the list of the strings embedded in the string table (RT_STRING)
true if the resources contain html
Return the list of the html resources.
true if the resources contain accelerator info
Return the list of the accelerator in the resource.
Print the resource tree to the given depth.
Friends
Class which represents a Node in the resource tree.
Subclassed by LIEF::PE::ResourceData, LIEF::PE::ResourceDirectory
Public Types
Enum that identifies the type of a node in the resource tree.
Values:
Public Functions
Integer that identifies the Type, Name, or Language ID of the entry depending on its depth in the tree.
Name of the entry (if any)
True if the entry uses a name as ID
Current depth of the Node in the resource tree.
True if the current entry is a ResourceDirectory.
It can be safely casted with:
const auto* dir_node = node.cast<ResourceDirectory>();
True if the current entry is a ResourceData.
It can be safely casted with:
const auto* data_node = node.cast<ResourceData>();
Add a new child to the current node, taking the ownership of the provided unique_ptr
Add a new child to the current node.
Delete the node with the given id
Delete the given node from the node’s children.
Public Static Functions
Parse the resource tree from the provided BinaryStream stream and with the original RVA provided in the second parameter.
The RVA value should be come from the DataDirectory::RVA associated with the resource tree.
Parse the resource tree from the provided buffer referenced by a pointer and the size. The second parameter is the RVA where the resource is (or was) located.
See doc from other parse functions.
See doc from other parse functions.
Friends
Public Functions
Resource characteristics. This field is reserved for future use. It is currently set to zero.
The time that the resource data was created by the resource compiler.
The major version number, set by the user.
The minor version number, set by the user.
The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).
The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.
Public Static Functions
Class which represents a Data Node in the PE resources tree.
Public Functions
Return the code page that is used to decode code point values within the resource data. Typically, the code page is the unicode code page.
Resource content.
Reserved value. Should be 0
Offset of the content within the resource.
Warning
This value may change when rebuilding resource table
Public Static Functions
Public Functions
Id associated with the icon.
Language associated with the icon.
Sub language associated with the icon.
Width in pixels of the image.
Height in pixels of the image.
Number of colors in image (0 if >=8bpp)
Reserved (must be 0)
Color Planes.
Bits per pixel.
Size in bytes of the image.
Pixels of the image (as bytes)
Save the icon to the given filename.
filename – [in] Path to file in which the icon will be saved
Public Static Functions
Friends
This class is the base class for either a regular (legacy) Dialog or an extended Dialog. These different kinds of Dialogs are documented by MS at the following addresses:
https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-dlgtemplate
https://learn.microsoft.com/fr-fr/windows/win32/dlgbox/dlgitemtemplateex
Subclassed by LIEF::PE::ResourceDialogExtended, LIEF::PE::ResourceDialogRegular
Public Types
Enum for discriminating the kind of the Dialog (regular vs extended)
Values:
From: https://learn.microsoft.com/en-us/windows/win32/dlgbox/dialog-box-styles.
Values:
From: https://docs.microsoft.com/en-us/windows/win32/winmsg/window-styles.
Values:
From https://docs.microsoft.com/en-us/windows/win32/winmsg/extended-window-styles.
Values:
From: https://learn.microsoft.com/en-us/windows/win32/controls/common-control-styles.
Values:
Public Functions
The style of the dialog box. This member can be a combination of window style values (such as WINDOW_STYLES::CAPTION and WINDOW_STYLES::SYSMENU) and dialog box style values (such as DIALOG_STYLES::CENTER).
The extended styles for a window. This member is not used to create dialog boxes, but applications that use dialog box templates can use it to create other types of windows. For a list of values, see WINDOW_EXTENDED_STYLES.
The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.
The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.
The width, in dialog box units, of the dialog box.
The height, in dialog box units, of the dialog box.
Check if the dialog used to given dialog style.
Check if the dialog used to given window style.
Check if the dialog used to given extended window style.
List of DIALOG_STYLES used by this dialog.
List of WINDOW_STYLES used by this dialog.
List of WINDOW_EXTENDED_STYLES used by this dialog.
title of the dialog box
title of the dialog box
ordinal or name value of a menu resource.
ordinal of a predefined system window class or name of a registered window class
Helper to downcast a ResourceDialog into a ResourceDialogRegular or a ResourceDialogExtended.
Public Static Functions
Parse dialogs from the given resource data node.
Friends
This class represents an element of the dialog. It can be for instance, a button, or a caption.
This class is inherited by the regular or extended dialog’s item:
Subclassed by LIEF::PE::ResourceDialogExtended::Item, LIEF::PE::ResourceDialogRegular::Item
Public Types
Public Functions
The style of the control. This can be a combination of WINDOW_STYLES or CONTROL_STYLES.
The extended styles for a window. This member is not used to create controls in dialog boxes, but applications that use dialog box templates can use it to create other types of windows.
It can take a combination of WINDOW_EXTENDED_STYLES
The control identifier.
Check if this item has the given WINDOW_STYLES.
Check if this item has the given CONTROL_STYLES.
List of WINDOW_STYLES used by this item.
List of CONTROL_STYLES used by this item.
The x-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.
The y-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.
The width, in dialog box units, of the control.
The height, in dialog box units, of the control.
Window class of the control. This can be either: a string that specifies the name of a registered window class or an ordinal value of a predefined system class.
Title of the item which can be either: a string that specifies the initial text or an ordinal value of a resource, such as an icon, in an executable file.
Creation data that is passed to the control’s window procedure.
This structure wraps either an ordinal value (uint16_t) or a string. The ordinal value should refer to an existing resource id in the resource tree.
Public Functions
Public Members
Implementation for a regular/legacy dialog box.
See: https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-dlgtemplate
Public Types
Public Functions
Number of control items.
Public Static Functions
This structure represents additional font information that might be embedded at the end of the DLGTEMPLATE stream.
This class represents a DLGTEMPLATE item: DLGITEMTEMPLATE
See: https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-dlgitemtemplate
Public Functions
Public Static Functions
Implementation for the new extended dialogbox format.
See: https://learn.microsoft.com/en-us/windows/win32/dlgbox/dlgtemplateex
Public Types
Public Functions
The version number of the extended dialog box template. This member must be set to 1.
Indicates whether a template is an extended dialog box template. If signature is 0xFFFF, this is an extended dialog box template. In this case, the dlgVer member specifies the template version number.
The help context identifier for the dialog box window. When the system sends a WM_HELP message, it passes the helpID value in the dwContextId member of the HELPINFO structure.
Public Static Functions
Font information for the font to use for the text in the dialog box and its controls.
Public Functions
This class represents a DLGTEMPLATEEX item (DLGITEMTEMPLATEEX).
See: https://learn.microsoft.com/en-us/windows/win32/dlgbox/dlgitemtemplateex
Public Functions
The help context identifier for the control. When the system sends a WM_HELP message, it passes the helpID value in the dwContextId member of the HELPINFO structure.
Public Static Functions
Representation of the data associated with the RT_VERSION entry.
See: VS_VERSIONINFO at https://learn.microsoft.com/en-us/windows/win32/menurc/vs-versioninfo
Public Functions
Return the fixed file info (VS_FIXEDFILEINFO)
Return the StringFileInfo element.
Return the VarFileInfo element.
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
The Unicode string L"VS_VERSION_INFO".
The key as an utf8 string.
Public Static Functions
Friends
This structure represents the VS_FIXEDFILEINFO structure defined in verrsrc.h.
Public Types
Values:
The operating system for which the file was designed is unknown to the system.
The file was designed for MS-DOS.
The file was designed for 16-bit OS/2.
The file was designed for 32-bit OS/2.
The file was designed for Windows NT.
The file was designed for Windows CE (Windows Embedded Compact).
The file was designed for 16-bit Windows.
The file was designed for 16-bit Presentation Manager.
The file was designed for 32-bit Presentation Manager.
The file was designed for 32-bit Windows.
The file was designed for 16-bit Windows running on MS-DOS.
The file was designed for 32-bit Windows running on MS-DOS.
The file was designed for 16-bit Presentation Manager running on 16-bit OS/2.
Values:
The file type is unknown to the system.
The file contains an application.
The file contains a DLL.
The file contains a device driver. If dwFileType is VFT_DRV, dwFileSubtype contains a more specific description of the driver.
The file contains a font. If dwFileType is VFT_FONT, dwFileSubtype contains a more specific description of the font file.
The file contains a virtual device.
The file contains a static-link library.
Values:
The type is unknown by the system.
The file contains a versioned printer driver.
Values:
The file contains debugging information or is compiled with debugging features enabled.
The file’s version structure was created dynamically; therefore, some of the members in this structure may be empty or incorrect. This flag should never be set in a file’s VS_VERSIONINFO data.
The file has been modified and is not identical to the original shipping file of the same version number.
The file is a development version, not a commercially released product.
The file was not built using standard release procedures. If this flag is set, the StringFileInfo structure should contain a PrivateBuild entry.
The file was built by the original company using standard release procedures but is a variation of the normal file of the same version number. If this flag is set, the StringFileInfo structure should contain a SpecialBuild entry.
Public Functions
Check if the given FILE_FLAGS is present.
List of FILE_FLAGS.
Public Members
Contains the value 0xFEEF04BD. This is used with the szKey member of the VS_VERSIONINFO structure when searching a file for the VS_FIXEDFILEINFO structure.
The binary version number of this structure. The high-order word of this member contains the major version number, and the low-order word contains the minor version number.
The most significant 32 bits of the file’s binary version number. This member is used with file_version_ls to form a 64-bit value used for numeric comparisons.
The least significant 32 bits of the file’s binary version number. This member is used with file_version_ms to form a 64-bit value used for numeric comparisons.
The most significant 32 bits of the binary version number of the product with which this file was distributed. This member is used with product_version_ls to form a 64-bit value used for numeric comparisons.
The least significant 32 bits of the binary version number of the product with which this file was distributed. This member is used with product_version_ms to form a 64-bit value used for numeric comparisons.
Contains a bitmask that specifies the valid bits in file_flags. A bit is valid only if it was defined when the file was created.
Contains a bitmask that specifies the Boolean attributes of the file. This member can include one or more of the values specified in FILE_FLAGS.
The operating system for which this file was designed. This member can be one of the values specified in VERSION_OS.
The general type of file. This member can be one of the values specified in FILE_TYPE. All other values are reserved.
The function of the file. The possible values depend on the value of file_type.
The most significant 32 bits of the file’s 64-bit binary creation date and time stamp.
The least significant 32 bits of the file’s 64-bit binary creation date and time stamp.
Public Static Attributes
Friends
Representation of the VarFileInfo structure.
This structure represents the organization of data in a file-version resource. It contains version information not dependent on a particular language and code page combination.
See: https://learn.microsoft.com/en-us/windows/win32/menurc/varfileinfo
Public Types
Public Functions
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
Signature of the structure. Must be the unicode string “VarFileInfo”.
Key as an utf8 string.
Public Static Functions
Friends
This class represents an element of the ResourceVarFileInfo structure It typically contains a list of language and code page identifier pairs that the version of the application or DLL supports.
See: https://learn.microsoft.com/en-us/windows/win32/menurc/var-str
Public Types
Translation values as a vector of uint32_t.
Public Functions
The Unicode string L"Translation"
The type of data in the version resource:
1 if it contains text data
0 if it contains binary
The key as an utf8 string.
Return the translation values.
The low-order word of each uint32_t must contain a Microsoft language identifier, and the high-order word must contain the IBM code page number. Either high-order or low-order word can be zero, indicating that the file is language or code page independent
Public Static Functions
Friends
Representation of the StringFileInfo structure.
It contains version information that can be displayed for a particular language and code page.
See: https://learn.microsoft.com/en-us/windows/win32/menurc/stringfileinfo
Public Types
Public Functions
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
Signature of the structure. Must be the unicode string “StringFileInfo”.
Iterator over the children values.
The key as an utf8 string.
Public Static Functions
Friends
This class represents the StringTable structure. This structure can be seen as a dictionary of key, values with key and values defined a utf-16 string.
Public Types
Public Functions
An 8-digit hexadecimal number stored as a Unicode string. The four most significant digits represent the language identifier. The four least significant digits represent the code page for which the data is formatted. Each Microsoft Standard Language identifier contains two parts: the low-order 10 bits specify the major language, and the high-order 6 bits specify the sublanguage.
The type of data in the version resource:
1 if it contains text data
0 if it contains binary
The key as an utf8 string.
Iterator over the different entry_t element of this table.
Public Static Functions
Friends
An entry in this table which is composed of an UTF-16 key and an UTF-16 value.
Public Types
From: https://docs.microsoft.com/en-us/windows/win32/menurc/acceltableentry.
Values:
The accelerator key is a virtual-key code. If this flag is not specified, the accelerator key is assumed to specify an ASCII character code.
A menu item on the menu bar is not highlighted when an accelerator is used. This attribute is obsolete and retained only for backward compatibility with resource files designed for 16-bit Windows.
The accelerator is activated only if the user presses the SHIFT key. This flag applies only to virtual keys.
The accelerator is activated only if the user presses the CTRL key. This flag applies only to virtual keys.
The accelerator is activated only if the user presses the ALT key. This flag applies only to virtual keys.
The entry is last in an accelerator table.
Public Functions
Describe the keyboard accelerator characteristics.
An ANSI character value or a virtual-key code that identifies the accelerator key.
An identifier for the keyboard accelerator.
The number of bytes inserted to ensure that the structure is aligned on a DWORD boundary.
Friends
Class which represents the not-so-documented rich header.
This structure is usually located at the end of the Binary::dos_stub and contains information about the build environment. It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.
Public Types
Public Functions
Key used to encode the header (xor operation)
Return an iterator over the PE::RichEntry within the header.
Add a new PE::RichEntry.
Add a new entry given the id, build_id and count.
The raw structure of the Rich header without xor-encoding.
This function is equivalent as calling RichHeader::raw(uint32_t) with a xor_key set to 0
Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.
You can access the decoded data’s structure with the xor_key set to 0
xor_key – [in] The key to use for the xor-encoding (can be 0)
Compute the hash of the decoded rich header structure with the given hash algorithm.
Compute the hash of the rich header structure encoded with the provided key.
Public Static Attributes
Friends
Class which represents an entry associated to the RichHeader.
Public Functions
Entry type.
Build number of the tool (if any)
Occurrence count.
Public Functions
Flags to indicate if CI information is available, etc.
0xFFFF means not available
Additional bitmask to be defined later.
Public Static Functions
Friends
This class represents a Profile Guided Optimization entry from the debug directory (IMAGE_DEBUG_TYPE_POGO).
Public Types
Values:
Public Functions
An iterator over the different POGO elements.
Public Functions
This class represents a reproducible build entry from the debug directory. (IMAGE_DEBUG_TYPE_REPRO). This entry is usually generated with the undocumented /Brepro linker flag.
See: https://nikhilism.com/post/2020/windows-deterministic-builds/
Public Functions
The hash associated with the reproducible build.
This class represents the PDB Checksum debug entry which is essentially an array of bytes representing the checksum of the PDB content.
Public Functions
Hash of the PDB content.
Public Static Functions
This class represents the IMAGE_DEBUG_TYPE_VC_FEATURE debug entry.
Public Functions
Count for Pre-VC++ 11.00
Count for C/C++
Count for /GS (number of guard stack)
Whether /sdl was enabled for this binary.
sdl stands for Security Development Lifecycle and provides enhanced security features like changing security-relevant warnings into errors or enforcing guard stack.
Count for /guardN
This class represents the IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS debug entry.
Public Types
Extended DLL Characteristics.
Values:
Public Functions
Return the characteristics.
Characteristics as a vector.
Check if the given CHARACTERISTICS is used.
Public Static Functions
This class represents the IMAGE_DEBUG_TYPE_FPO debug entry.
Public Types
Values:
Public Functions
Iterator over the FPO entries.
Public Static Functions
Represents the stack frame layout for a x86 function when frame pointer omission (FPO) optimization is used.
Public Functions
Public Members
The function RVA.
The number of bytes in the function.
The number of local variables.
The size of the parameters.
The number of bytes in the function prolog code.
Number of registers saved.
Whether the function uses structured exception handling.
Whether the EBP register has been allocated.
Reserved for future use.
Variable that indicates the frame type.
This class represents a string located in the COFF string table.
Some of these strings can be used for section names that are greater than 8 bytes. See: Section::coff_string()
Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-string-table
Public Functions
The actual string.
The offset of this string the in the COFF string table. This offset includes the first 4-bytes that holds the table size.
Friends
This class is the base class for any exception or runtime function entry.
Subclassed by LIEF::PE::RuntimeFunctionAArch64, LIEF::PE::RuntimeFunctionX64
Public Types
Public Functions
Helper to downcast an ExceptionInfo into a concrete implementation.
Public Static Functions
Friends
This class represents an entry in the exception table (.pdata section) for the x86-64 architecture.
Reference: https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64
Public Types
Values:
The function has an exception handler that should be called when looking for functions that need to examine exceptions.
The function has a termination handler that should be called when unwinding an exception.
The chained info payload references a previous RUNTIME_FUNCTION
Values:
Push a nonvolatile integer register, decrementing RSP by 8. The operation info is the number of the register. Because of the constraints on epilogs, PUSH_NONVOL unwind codes must appear first in the prolog and correspondingly, last in the unwind code array. This relative ordering applies to all other unwind codes except UNWIND_OPCODES::PUSH_MACHFRAME.
Allocate a large-sized area on the stack. There are two forms. If the operation info equals 0, then the size of the allocation divided by 8 is recorded in the next slot, allowing an allocation up to 512K - 8. If the operation info equals 1, then the unscaled size of the allocation is recorded in the next two slots in little-endian format, allowing allocations up to 4GB - 8.
Allocate a small-sized area on the stack. The size of the allocation is the operation info field * 8 + 8, allowing allocations from 8 to 128 bytes.
Establish the frame pointer register by setting the register to some offset of the current RSP. The offset is equal to the Frame Register offset (scaled) field in the UNWIND_INFO * 16, allowing offsets from 0 to 240. The use of an offset permits establishing a frame pointer that points to the middle of the fixed stack allocation, helping code density by allowing more accesses to use short instruction forms. The operation info field is reserved and shouldn’t be used.
Save a nonvolatile integer register on the stack using a MOV instead of a PUSH. This code is primarily used for shrink-wrapping, where a nonvolatile register is saved to the stack in a position that was previously allocated. The operation info is the number of the register. The scaled-by-8 stack offset is recorded in the next unwind operation code slot, as described in the note above.
Save a nonvolatile integer register on the stack with a long offset, using a MOV instead of a PUSH. This code is primarily used for shrink-wrapping, where a nonvolatile register is saved to the stack in a position that was previously allocated. The operation info is the number of the register. The unscaled stack offset is recorded in the next two unwind operation code slots, as described in the note above.
This entry is only revelant for version 2. It describes the function epilog.
Reserved Originally SAVE_XMM128_FAR in version 1, but deprecated and removed.
Save all 128 bits of a nonvolatile XMM register on the stack. The operation info is the number of the register. The scaled-by-16 stack offset is recorded in the next slot.
Save all 128 bits of a nonvolatile XMM register on the stack with a long offset. The operation info is the number of the register. The unscaled stack offset is recorded in the next two slots.
Push a machine frame. This unwind code is used to record the effect of a hardware interrupt or exception.
Public Functions
Unwind info address.
Size of the function (in bytes)
Detailed unwind information.
Public Static Functions
This structure represents the UNWIND_INFO which records the effects a function has on the stack pointer, and where the nonvolatile registers are saved on the stack.
Public Functions
Check if the given flag is used.
Pretty representation of this structure as a string.
Public Members
Version number of the unwind data, currently 1 or 2.
See: UNWIND_FLAGS.
Length of the function prolog in bytes.
The number of slots in the unwind codes array. Some unwind codes, for example, UNWIND_OPCODES::SAVE_NONVOL, require more than one slot in the array.
If nonzero, then the function uses a frame pointer (FP), and this field is the number of the nonvolatile register used as the frame pointer, using the same encoding for the operation info field of UNWIND_OPCODES nodes.
If the frame register field is nonzero, this field is the scaled offset from RSP that is applied to the FP register when it’s established.
An array of items that explains the effect of the prolog on the nonvolatile registers and RSP.
An image-relative pointer to either the function’s language-specific exception or termination handler. This value is set if one of these flags is set: UNWIND_FLAGS::EXCEPTION_HANDLER, UNWIND_FLAGS::TERMINATE_HANDLER.
If UNWIND_FLAGS::CHAIN_INFO is set, this attributes references the chained runtime function.
Friends
Base class for all unwind operations.
Subclassed by LIEF::PE::unwind_x64::Alloc, LIEF::PE::unwind_x64::Epilog, LIEF::PE::unwind_x64::PushMachFrame, LIEF::PE::unwind_x64::PushNonVol, LIEF::PE::unwind_x64::SaveNonVolatile, LIEF::PE::unwind_x64::SaveXMM128, LIEF::PE::unwind_x64::SetFPReg, LIEF::PE::unwind_x64::Spare
Public Types
This class represents an entry in the exception table (.pdata section) for the AArch64 architecture.
Since the ARM64 unwinding info can be encoded in a packed and unpacked format, this class is inherited by LIEF::PE::unwind_aarch64::PackedFunction and LIEF::PE::unwind_aarch64::UnpackedFunction
Subclassed by LIEF::PE::unwind_aarch64::PackedFunction, LIEF::PE::unwind_aarch64::UnpackedFunction
Public Types
Public Functions
Length of the function in bytes.
Flag describing the format the unwind data.
Public Static Functions
This class represents a packed AArch64 exception entry.
An excepted entry can be packed if the unwind data fit in 30 bits
Public Functions
Size of the allocated stack.
Number of non-volatile INT registers (x19-x28) saved in the canonical stack location.
Number of non-volatile FP registers (d8-d15) saved in the canonical stack location.
1-bit flag indicating whether the function homes the integer parameter registers (x0-x7) by storing them at the very start of the function. (0 = doesn’t home registers, 1 = homes registers).
Flag indicating whether the function includes extra instructions to set up a frame chain and return link.
Public Static Functions
This class represents an unpacked AArch64 exception entry.
Reference: https://learn.microsoft.com/en-us/cpp/build/arm64-exception-handling?view=msvc-170#xdata-records
Public Types
Public Functions
RVA where this unpacked data is located (usually pointing in .xdata)
Describes the version of the remaining .xdata.
Currently (2025-01-04), only version 0 is defined, so values of 1-3 aren’t permitted.
1-bit field that indicates the presence (1) or absence (0) of exception data.
1-bit field that indicates that information describing a single epilog is packed into the header (1) rather than requiring more scope words later (0).
If E() == 0, specifies the count of the total number of epilog scopes. Otherwise, return 0
If E() == 1, index of the first unwind code that describes the one and only epilog.
Number of 32-bit words needed to contain all of the unwind codes.
Exception handler RVA (if any)
Bytes that contain the unwind codes.
Iterator over the epilog scopes.
Public Static Functions
This strucure describes an epilog scope.
Public Members
Offset of the epilog relatives to the start of the function.
Byte index of the first unwind code that describes this epilog.
Reserved for future expansion. Should be 0.
Public Static Functions
This class represents the load configuration data associated with the IMAGE_LOAD_CONFIG_DIRECTORY.
This structure is frequently updated by Microsoft to add new metadata.
Public Types
Values:
Module performs control flow integrity checks using system-supplied support.
Module performs control flow and write integrity checks.
Module contains valid control flow target metadata.
Module does not make use of the /GS security cookie.
Module supports read only delay load IAT.
Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected.
Module contains suppressed export information. This also infers that the address taken IAT table is also present in the load config.
Module enables suppression of exports.
Module contains longjmp target information.
Module contains EH continuation target information.
Public Functions
Characteristics of the structure which is defined by its size.
Size of the current structure.
The date and time stamp value.
Major version.
Minor version.
The global flags that control system behavior. For more information, see Gflags.exe.
The global flags that control system behavior. For more information, see Gflags.exe.
The critical section default time-out value.
The size of the minimum block that must be freed before it is freed (de-committed), in bytes. This value is advisory.
The size of the minimum total memory that must be freed in the process heap before it is freed (de-committed), in bytes. This value is advisory.
The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This member is available only for x86.
The maximum allocation size, in bytes. This member is obsolete and is used only for debugging purposes.
The maximum block size that can be allocated from heap segments, in bytes.
The process affinity mask. For more information, see GetProcessAffinityMask. This member is available only for .exe files.
The process heap flags. For more information, see HeapCreate.
The service pack version.
Alias for reserved1().
The default load flags used when the operating system resolves the statically linked imports of a module. For more information, see LoadLibraryEx.
Reserved for use by the system.
A pointer to a cookie that is used by Visual C++ or GS implementation.
The VA of the sorted table of RVAs of each valid, unique handler in the image. This member is available only for x86.
The count of unique handlers in the table. This member is available only for x86.
Return the list of the function RVA in the SEH table (if any)
The VA where Control Flow Guard check-function pointer is stored.
The VA where Control Flow Guard dispatch-function pointer is stored.
The VA of the sorted table of RVAs of each Control Flow Guard function in the image.
The count of unique RVAs in the guard_cf_function_table() table.
Iterator over the Control Flow Guard functions referenced by guard_cf_function_table()
Control Flow Guard related flags.
Check if the given flag is present.
List of flags.
Code integrity information.
The VA where Control Flow Guard address taken IAT table is stored.
The count of unique RVAs in the table pointed by guard_address_taken_iat_entry_table().
List of RVA pointed by guard_address_taken_iat_entry_table()
The VA where Control Flow Guard long jump target table is stored.
The count of unique RVAs in the table pointed by guard_long_jump_target_table.
List of RVA pointed by guard_address_taken_iat_entry_table()
VA pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE
Return an iterator over the Dynamic relocations (DVRT)
Alias for chpe_metadata_pointer()
VA to the extra Compiled Hybrid Portable Executable (CHPE) metadata.
Compiled Hybrid Portable Executable (CHPE) metadata (if any)
VA of the failure routine.
VA of the failure routine fptr.
Offset of dynamic relocation table relative to the relocation table.
The section index of the dynamic value relocation table.
Must be zero.
VA of the Function verifying the stack pointer.
Offset to the hotpatch table.
Public Static Functions
Friends
Base class for any Compiled Hybrid Portable Executable (CHPE) metadata.
This class is inherited by architecture-specific implementation.
Subclassed by LIEF::PE::CHPEMetadataARM64, LIEF::PE::CHPEMetadataX86
Public Types
Public Functions
Version of the structure.
Public Static Functions
Friends
This class represents hybrid metadata for ARM64EC or ARM64X.
Public Types
Public Functions
RVA to the array that describes architecture-specific ranges.
Number of entries in the code map.
RVA to this architecture-specific exception table.
architecture-specific exception table size
Public Static Functions
Structure that describes architecture-specific ranges.
Public Types
Public Functions
Start of the range (RVA)
End of the range (RVA)
Public Members
Raw data (include start RVA and type)
Range’s length.
Public Static Attributes
Structure that describes a redirection.
This class represents hybrid metadata for X86.
Public Functions
Public Static Functions
This is the base class for any IMAGE_DYNAMIC_RELOCATION32, IMAGE_DYNAMIC_RELOCATION32_V2, IMAGE_DYNAMIC_RELOCATION64, IMAGE_DYNAMIC_RELOCATION64_V2 dynamic relocations.
Subclassed by LIEF::PE::DynamicRelocationV1, LIEF::PE::DynamicRelocationV2
Public Types
Special symbol values as defined in link.exe - GetDVRTSpecialSymbolName
Values:
Mirror IMAGE_DYNAMIC_RELOCATION_GUARD_RF_PROLOGUE
Mirror IMAGE_DYNAMIC_RELOCATION_GUARD_RF_EPILOGUE
Mirror IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER
Mirror IMAGE_DYNAMIC_RELOCATION_GUARD_INDIR_CONTROL_TRANSFER
Mirror IMAGE_DYNAMIC_RELOCATION_GUARD_SWITCHTABLE_BRANCH
Mirror IMAGE_DYNAMIC_RELOCATION_ARM64X
Mirror IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE
Mirror IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER
Public Functions
Version of the structure.
Symbol address. Some values have a special meaning (c.f. IMAGE_DYNAMIC_RELOCATION) and define how fixups are encoded.
Return fixups information, where the interpretation may depend on the symbol’s value.
Friends
This class represents a dynamic relocation (IMAGE_DYNAMIC_RELOCATION32 or IMAGE_DYNAMIC_RELOCATION64)
Public Functions
Public Static Functions
This class represents a dynamic relocation (IMAGE_DYNAMIC_RELOCATION64_V2 or IMAGE_DYNAMIC_RELOCATION32_V2)
Public Functions
Public Static Functions
This is the base class for any fixups located in DynamicRelocation.
Subclassed by LIEF::PE::DynamicFixupARM64Kernel, LIEF::PE::DynamicFixupARM64X, LIEF::PE::DynamicFixupControlTransfer, LIEF::PE::DynamicFixupGeneric, LIEF::PE::DynamicFixupUnknown, LIEF::PE::FunctionOverride
Public Types
Values:
If DynamicRelocation::symbol is a special value that is not supported by LIEF.
If DynamicRelocation::symbol is not a special value.
If DynamicRelocation::symbol is set to IMAGE_DYNAMIC_RELOCATION_ARM64X
If DynamicRelocation::symbol is set to IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE
If DynamicRelocation::symbol is set to IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER
If DynamicRelocation::symbol is set to IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER
Public Functions
Friends
This class wraps fixups associated with the (special) symbol value: IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER (3).
Public Types
Public Functions
Iterator over the relocations.
Public Static Functions
Public Static Attributes
Mirror IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION
Public Functions
Public Members
RVA to the call instruction.
True if target instruction is a call, false otherwise.
IAT index of the corresponding import. 0x7FFF is a special value indicating no index.
Friends
This class wraps fixups associated with the (special) symbol value: IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER (8).
Public Types
Public Functions
Iterator over the relocations.
Public Static Functions
Public Static Attributes
Mirror IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION
Public Functions
Public Members
RVA to the call instruction.
True if target instruction is a blr, false if it’s a br.
Register index used for the indirect call/jump. For instance, if the instruction is br x3, this index is set to 3
See IMPORT_TYPE.
IAT index of the corresponding import. 0x7FFF is a special value indicating no index.
Friends
This class represents IMAGE_DYNAMIC_RELOCATION_ARM64X
Public Types
Public Functions
Iterator over the different fixup entries.
Public Static Functions
Public Functions
Public Members
RVA where the fixup takes place.
Fixup’s kind.
Size of the value to patch.
If the type is FIXUP_TYPE::VALUE, the bytes associated to the fixup entry.
If the type is FIXUP_TYPE::DELTA, the (signed) value.
Friends
This class represents a generic entry where fixups are regular relocations (LIEF::PE::Relocation)
Public Types
Public Functions
Iterator over the relocations.
Public Static Functions
This class represents an special dynamic relocation where the format of the fixups is not supported by LIEF.
Public Functions
Raw fixups.
Public Static Functions
This class represents IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE
Public Types
Public Functions
Iterator over the overriding info.
Iterator over the BDD info.
Find the IMAGE_BDD_INFO at the given offset.
Find the IMAGE_BDD_INFO associated with the given info.
Public Static Functions
Mirror IMAGE_BDD_DYNAMIC_RELOCATION
Mirror IMAGE_BDD_INFO
Public Types
Public Functions
RVA of the original function.
Offset into the BDD region.
Size in bytes taken by RVAs.
Size in bytes taken by BaseRelocs.
Friends
This class represents the enclave configuration.
Public Types
Public Functions
The size of the IMAGE_ENCLAVE_CONFIG64/IMAGE_ENCLAVE_CONFIG32 structure, in bytes.
The minimum size of the IMAGE_ENCLAVE_CONFIG(32,64) structure that the image loader must be able to process in order for the enclave to be usable.
This member allows an enclave to inform an earlier version of the image loader that the image loader can safely load the enclave and ignore optional members added to IMAGE_ENCLAVE_CONFIG(32,64) for later versions of the enclave. If the size of IMAGE_ENCLAVE_CONFIG(32,64) that the image loader can process is less than MinimumRequiredConfigSize, the enclave cannot be run securely.
If MinimumRequiredConfigSize is zero, the minimum size of the IMAGE_ENCLAVE_CONFIG(32,64) structure that the image loader must be able to process in order for the enclave to be usable is assumed to be the size of the structure through and including the MinimumRequiredConfigSize member.
A flag that indicates whether the enclave permits debugging.
Whether this enclave can be debugged.
The RVA of the array of images that the enclave image may import, with identity information for each image.
The size of each image in the array of images that the import_list_rva() member points to.
The number of images in the array of images that the import_list_rva() member points to.
Return an iterator over the enclave’s imports.
The family identifier that the author of the enclave assigned to the enclave.
The image identifier that the author of the enclave assigned to the enclave.
The version number that the author of the enclave assigned to the enclave.
The security version number that the author of the enclave assigned to the enclave.
The expected virtual size of the private address range for the enclave, in bytes.
The maximum number of threads that can be created within the enclave.
A flag that indicates whether the image is suitable for use as the primary image in the enclave.
Friends
Defines an entry in the array of images that an enclave can import.
Public Types
Values:
None of the identifiers of the image need to match the value in the import record.
The value of the enclave unique identifier of the image must match the value in the import record. Otherwise, loading of the image fails.
The value of the enclave author identifier of the image must match the value in the import record. Otherwise, loading of the image fails. If this flag is set and the import record indicates an author identifier of all zeros, the imported image must be part of the Windows installation.
The value of the enclave family identifier of the image must match the value in the import record. Otherwise, loading of the image fails.
The value of the enclave image identifier of the image must match the value in the import record. Otherwise, loading of the image fails.
Public Functions
The type of identifier of the image that must match the value in the import record.
The minimum enclave security version that each image must have for the image to be imported successfully. The image is rejected unless its enclave security version is equal to or greater than the minimum value in the import record. Set the value in the import record to zero to turn off the security version check.
The unique identifier of the primary module for the enclave, if the type() is TYPE::UNIQUE_ID. Otherwise, the author identifier of the primary module for the enclave.
The family identifier of the primary module for the enclave.
The image identifier of the primary module for the enclave.
The relative virtual address of a NULL-terminated string that contains the same value found in the import directory for the image.
Resolved import name.
Reserved. Should be 0.
Friends
This class represents volatile metadata which can be enabled at link time with /volatileMetadata.
This metadata aims to improve performances when running x64 code on ARM64.
Public Types
Public Functions
Size (in bytes) of the current raw structure.
Friends
if the input file is a PE one, return PE32 or PE32+
check if the file is a PE file
check if the raw data is a PE file
Compute the hash of imported functions.
By default, it generates an hash with the following properties:
Order agnostic
Casse agnostic
Ordinal (in some extent) agnostic
If one needs the same output as Virus Total (i.e. pefile), you can pass IMPHASH_MODE::PEFILE as second parameter.
Warning
The default algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation
Enum to define the behavior of LIEF::PE::get_imphash.
Values:
Default implementation
Same as IMPHASH_MODE::DEFAULT
Use pefile algorithm
Same as IMPHASH_MODE::PEFILE since Virus Total is using pefile
Take a PE::Import as entry and try to resolve imports by ordinal.
The strict boolean parameter enables to throw an LIEF::not_found exception if the ordinal can’t be resolved. Otherwise it skips the entry.
The PE::import resolved with PE::ImportEntry::name set
Convert an OID to a human-readable string.
Values:
32bits
64 bits
Code page from https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers.
Values:
IBM EBCDIC US-Canada
OEM United States
IBM EBCDIC International
Arabic (ASMO 708)
Arabic (Transparent ASMO); Arabic (DOS)
OEM Greek (formerly 437G); Greek (DOS)
OEM Baltic; Baltic (DOS)
OEM Multilingual Latin 1; Western European (DOS)
OEM Latin 2; Central European (DOS)
OEM Cyrillic (primarily Russian)
OEM Turkish; Turkish (DOS)
OEM Multilingual Latin 1 + Euro symbol
OEM Portuguese; Portuguese (DOS)
OEM Icelandic; Icelandic (DOS)
OEM Hebrew; Hebrew (DOS)
OEM French Canadian; French Canadian (DOS)
OEM Arabic; Arabic (864)
OEM Nordic; Nordic (DOS)
OEM Russian; Cyrillic (DOS)
OEM Modern Greek; Greek, Modern (DOS)
IBM EBCDIC Multilingual/ROECE (Latin 2); IBM EBCDIC Multilingual Latin 2
ANSI/OEM Thai (same as 28605, ISO 8859-15); Thai (Windows)
IBM EBCDIC Greek Modern
ANSI/OEM Japanese; Japanese (Shift-JIS)
ANSI/OEM Simplified Chinese (PRC, Singapore); Chinese Simplified (GB2312)
ANSI/OEM Korean (Unified Hangul Code)
ANSI/OEM Traditional Chinese (Taiwan; Hong Kong SAR, PRC); Chinese Traditional (Big5)
IBM EBCDIC Turkish (Latin 5)
IBM EBCDIC Latin 1/Open System
IBM EBCDIC US-Canada (037 + Euro symbol); IBM EBCDIC (US-Canada-Euro)
IBM EBCDIC Germany (20273 + Euro symbol); IBM EBCDIC (Germany-Euro)
IBM EBCDIC Denmark-Norway (20277 + Euro symbol); IBM EBCDIC (Denmark-Norway-Euro)
IBM EBCDIC Finland-Sweden (20278 + Euro symbol); IBM EBCDIC (Finland-Sweden-Euro)
IBM EBCDIC Italy (20280 + Euro symbol); IBM EBCDIC (Italy-Euro)
IBM EBCDIC Latin America-Spain (20284 + Euro symbol); IBM EBCDIC (Spain-Euro)
IBM EBCDIC United Kingdom (20285 + Euro symbol); IBM EBCDIC (UK-Euro)
IBM EBCDIC France (20297 + Euro symbol); IBM EBCDIC (France-Euro)
IBM EBCDIC International (500 + Euro symbol); IBM EBCDIC (International-Euro)
IBM EBCDIC Icelandic (20871 + Euro symbol); IBM EBCDIC (Icelandic-Euro)
Unicode UTF-16, little endian byte order (BMP of ISO 10646); available only to managed applications
Unicode UTF-16, big endian byte order; available only to managed applications
ANSI Central European; Central European (Windows)
ANSI Cyrillic; Cyrillic (Windows)
ANSI Latin 1; Western European (Windows)
ANSI Greek; Greek (Windows)
ANSI Turkish; Turkish (Windows)
ANSI Hebrew; Hebrew (Windows)
ANSI Arabic; Arabic (Windows)
ANSI Baltic; Baltic (Windows)
ANSI/OEM Vietnamese; Vietnamese (Windows)
Korean (Johab)
MAC Roman; Western European (Mac)
Japanese (Mac)
MAC Traditional Chinese (Big5); Chinese Traditional (Mac)
Korean (Mac)
Arabic (Mac)
Hebrew (Mac)
Greek (Mac)
Cyrillic (Mac)
MAC Simplified Chinese (GB 2312); Chinese Simplified (Mac)
Romanian (Mac)
Ukrainian (Mac)
Thai (Mac)
MAC Latin 2; Central European (Mac)
Icelandic (Mac)
Turkish (Mac)
Croatian (Mac)
Unicode UTF-32, little endian byte order; available only to managed applications
Unicode UTF-32, big endian byte order; available only to managed applications
CNS Taiwan; Chinese Traditional (CNS)
TCA Taiwan
Eten Taiwan; Chinese Traditional (Eten)
IBM5550 Taiwan
TeleText Taiwan
Wang Taiwan
IA5 (IRV International Alphabet No. 5, 7-bit); Western European (IA5)
IA5 German (7-bit)
IA5 Swedish (7-bit)
IA5 Norwegian (7-bit)
US-ASCII (7-bit)
T.61
ISO 6937 Non-Spacing Accent
IBM EBCDIC Germany
IBM EBCDIC Denmark-Norway
IBM EBCDIC Finland-Sweden
IBM EBCDIC Italy
IBM EBCDIC Latin America-Spain
IBM EBCDIC United Kingdom
IBM EBCDIC Japanese Katakana Extended
IBM EBCDIC France
IBM EBCDIC Arabic
IBM EBCDIC Greek
IBM EBCDIC Hebrew
IBM EBCDIC Korean Extended
IBM EBCDIC Thai
Russian (KOI8-R); Cyrillic (KOI8-R)
IBM EBCDIC Icelandic
IBM EBCDIC Cyrillic Russian
IBM EBCDIC Turkish
IBM EBCDIC Latin 1/Open System (1047 + Euro symbol)
Japanese (JIS 0208-1990 and 0121-1990)
Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)
Korean Wansung
IBM EBCDIC Cyrillic Serbian-Bulgarian
Ukrainian (KOI8-U); Cyrillic (KOI8-U)
ISO 8859-1 Latin 1; Western European (ISO)
ISO 8859-2 Central European; Central European (ISO)
ISO 8859-3 Latin 3
ISO 8859-4 Baltic
ISO 8859-5 Cyrillic
ISO 8859-6 Arabic
ISO 8859-7 Greek
ISO 8859-8 Hebrew; Hebrew (ISO-Visual)
ISO 8859-9 Turkish
ISO 8859-13 Estonian
ISO 8859-15 Latin 9
Europa 3
ISO 8859-8 Hebrew; Hebrew (ISO-Logical)
ISO 2022 Japanese with no halfwidth Katakana; Japanese (JIS)
ISO 2022 Japanese with halfwidth Katakana; Japanese (JIS-Allow 1 byte Kana)
ISO 2022 Japanese JIS X 0201-1989; Japanese (JIS-Allow 1 byte Kana - SO/SI)
ISO 2022 Korean
ISO 2022 Simplified Chinese; Chinese Simplified (ISO 2022)
EUC Japanese
EUC Simplified Chinese; Chinese Simplified (EUC)
EUC Korean
HZ-GB2312 Simplified Chinese; Chinese Simplified (HZ)
Windows XP and later: GB18030 Simplified Chinese (4 byte); Chinese Simplified (GB18030)
ISCII Devanagari
ISCII Bengali
ISCII Tamil
ISCII Telugu
ISCII Assamese
ISCII Oriya
ISCII Kannada
ISCII Malayalam
ISCII Gujarati
ISCII Punjabi
Unicode (UTF-7)
Unicode (UTF-8)
Cryptography algorithms.
Values:
From https://docs.microsoft.com/en-us/windows/win32/inputdev/virtual-key-codes.
Values: