Main interface to parse PE binaries. In particular the static functions: Parser::parse should be used to get a LIEF::PE::Binary.
Public Static Functions
Check if the given name is a valid import.
This check verified that:
The name is not too large or empty (cf. https://stackoverflow.com/a/23340781)
All the characters are printable
Check if the given name is a valid DLL name.
This check verifies that:
The name of the DLL is at 4
All the characters are printable
Parse a PE binary from the given filename.
Parse a PE binary from a data buffer.
Parse a PE binary from the given BinaryStream.
This structure is used to tweak the PE Parser (PE::Parser)
Public Members
Parse PE Authenticode signature.
Parse PE Exports Directory.
Parse PE resources tree.
Parse PE relocations.
Public Static Functions
Class which represents a PE binary This is the main interface to manage and modify a PE executable.
Public Types
Internal container for storing PE’s Section.
Iterator that outputs Section& object.
Iterator that outputs const Section& object.
Internal container for storing PE’s DataDirectory.
Iterator that outputs DataDirectory&.
Iterator that outputs const DataDirectory&.
Internal container for storing PE’s Relocation.
Iterator that outputs Relocation&.
Iterator that outputs const Relocation&.
Iterator that output Import&.
Iterator that outputs const Import&.
Internal container for storing PE’s DelayImport.
Iterator that output DelayImport&.
Iterator that outputs const DelayImport&.
Internal container for storing Debug information.
Iterator that outputs Debug&.
Iterator that outputs const Debug&.
Iterator that outputs Symbol&.
Iterator that outputs const Symbol&.
Internal container for storing strings.
Iterator that outputs std::string&.
Iterator that outputs const std::string&.
Internal container for storing PE’s authenticode Signature.
Iterator that outputs Signature&.
Iterator that outputs const Signature&.
Public Functions
Return PE32 or PE32+
Convert a Relative Virtual Address into an offset.
The conversion is performed by looking for the section that encompasses the provided RVA.
Convert the absolute virtual address into an offset.
See also
Convert the given offset into a virtual address.
offset – [in] The offset to convert.
slide – [in] If not 0, it will replace the default base address (if any)
Return binary’s imagebase. 0 if not relevant.
The value is the same as those returned by OptionalHeader::imagebase
Find the section associated that encompasses the given offset.
If no section can be found, return a nullptr
Find the section associated that encompasses the given RVA.
If no section can be found, return a nullptr
Return an iterator over the PE’s Section.
Return a reference to the PE::DosHeader object.
Return a reference to the PE::Header object.
Header that follows the header(). It is named optional from the COFF specfication but it is mandatory in a PE file.
Re-compute the value of OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.
This value is computed by LIEF for the current binary object.
Compute the binary’s virtual size. It should match OptionalHeader::sizeof_image.
Compute the size of all the headers.
Check if the current binary contains signatures.
See also
Check if the current binary has resources.
Check if the current binary has exceptions.
Check if the current binary has relocations.
See also
Check if the current binary contains debug information.
Check if the current binary has a load configuration.
Check if the current binary is reproducible build, replacing timestamps by a compile hash.
See also
Return an iterator over the Signature object(s) if the binary is signed.
Verify the binary against the embedded signature(s) (if any) First, it checks that the embedded signatures are correct (c.f. Signature::check) and then, it checks that the authentihash matches ContentInfo::digest.
One can tweak the verification process with the Signature::VERIFICATION_CHECKS flags
See also
Verify the binary with the Signature object provided in the first parameter. It can be used to verify a detached signature:
result<Signature> detached = LIEF::PE::SignatureParser::parse("sig.pkcs7")
if (detached) {
binary->verify_signature(detached.value());
}
Compute the authentihash according to the algorithm provided in the first parameter.
Try to predict the RVA of the function function in the import library library
Note
It should be used with: LIEF::PE::Builder::build_imports set to true
Warning
The value could be chang if imports change
library – [in] Library name in which the function is located
function – [in] Function name
The address of the function (IAT) in the new import table
Return resources as a tree or a nullptr if there is no resources.
Set a new resource tree.
Set a new resource tree.
Return the ResourcesManager (class to manage resources more easily than the tree one)
Return binary’s section from its name. If the secion can’t be found, return a nullptr.
name – [in] Name of the Section
Return the section associated with import table or a nullptr if the binary does not have an import table.
Delete the section with the given name.
name – [in] Name of section to delete
clear – [in] if true clear the section’s content with 0 before removing (default: false)
Add a section to the binary and return the section added.
Return an iterator over the PE’s Relocation.
Add a PE::Relocation.
Remove all the relocations.
Return an iterator over the DataDirectory present in the Binary.
Return the DataDirectory with the given type (or index)
Check if the current binary has the given DataDirectory::TYPES.
Return an iterator over the Debug entries.
Return the CodeViewPDB object if present.
Retrun the LoadConfiguration object or a nullptr if the binary does not use the LoadConfiguration.
Return the overlay content.
Return the original overlay offset.
Return the DOS stub content.
Update the DOS stub content.
Return a reference to the RichHeader object.
Set a RichHeader object in the current Binary.
Check if the current binary has a RichHeader object.
Return an iterator over the binary imports.
Returns the PE::Import from the given name. If it can’t be found, return a nullptr.
import_name – [in] Name of the import
True if the binary imports the given library name
import_name – [in] Name of the import
Check if the current binary contains delay imports.
See also
See also
Return an iterator over the binary’s delay imports.
Returns the PE::DelayImport from the given name. If it can’t be found, return a nullptr.
import_name – [in] Name of the delay import
True if the binary delay-imports the given library name
import_name – [in] Name of the delay import
Add the function function of the library library. If the function fails, it returns a nullptr.
library – [in] Library name of the function
function – [in] Function’s name from the library to import
Add an imported library (i.e. DLL) to the binary.
Remove the library with the given name
Remove all libraries in the binary.
Reconstruct the binary object and write the raw PE in filename
Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.
Reconstruct the binary object and write the raw PE in os stream.
Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.
Method so that a visitor can visit us.
Patch the content at virtual address address with patch_value.
address – [in] Address to patch
patch_value – [in] Patch to apply
addr_type – [in] Type of the Virtual address: VA or RVA. Default: Auto
Patch the address with the given value.
address – [in] Address to patch
patch_value – [in] Patch to apply
size – [in] Size of the value in bytes (1, 2, … 8)
addr_type – [in] Type of the Virtual address: VA or RVA. Default: Auto
Return the content located at the provided virtual address.
virtual_address – [in] Virtual address of the data to retrieve
size – [in] Size in bytes of the data to retrieve
addr_type – [in] Type of the Virtual address: VA or RVA. Default: Auto
Return the binary’s entrypoint (It is the same value as OptionalHeader::addressof_entrypoint.
Check if the binary is position independent.
Check if the binary uses NX protection.
Return the list of the binary constructors.
In a PE file, we consider a constructors as a callback in the TLS object
All functions found in the binary
Functions found in the Exception table directory.
Class which represents the DosHeader, the first structure presents at the beginning of a PE file.
Most of the attributes of this structures are no longer relevant.
Public Types
Public Functions
Magic bytes identifying a DOS/PE binary.
Return the offset to the PE::Header structure.
Public Static Attributes
Class that represents the PE header (which follows the DosHeader)
Public Types
Values:
Matsushita AM33
AMD x64
ARM little endian
ARMv7 Thumb mode only
ARMv8 in 64-bits mode
EFI byte code
Intel 386 or later
Intel Itanium processor family
Mitsubishi M32R little endian
MIPS16
MIPS with FPU
MIPS16 with FPU
Power PC little endian
Power PC with floating point
Power PC big endian
MIPS with little endian
RISC-V 32-bit address space
RISC-V 64-bit address space
RISC-V 128-bit address space
Hitachi SH3
Hitachi SH3 DSP
Hitachi SH4
Hitachi SH5
ARM or Thumb
MIPS little-endian WCE v2
Values:
The file does not contain base relocations and must be loaded at its preferred base. If this cannot be done, the loader will error.
File is executable (i.e. no unresolved externel references).
COFF line numbers have been stripped. This is deprecated and should be 0
COFF symbol table entries for local symbols have been removed. This is deprecated and should be 0.
Aggressively trim working set. This is deprecated and must be 0.
Image can handle > 2GiB addresses.
Little endian: the LSB precedes the MSB in memory. This is deprecated and should be 0.
Machine is based on a 32bit word architecture.
Debugging info has been removed.
If the image is on removable media, fully load it and copy it to swap.
If the image is on network media, fully load it and copy it to swap.
The image file is a system file, not a user program.
The image file is a DLL.
This file should only be run on a uniprocessor machine.
Big endian: the MSB precedes the LSB in memory. This is deprecated
Public Functions
Signature (or magic byte) of the header. It must be: PE\0\0
The targeted machine architecture like ARM, x86, AMD64, …
The number of sections in the binary.
The low 32 bits of the number of seconds since January 1, 1970. It indicates when the file was created.
The offset of the COFF symbol table.
This value should be zero for an image because COFF debugging information is deprecated.
The number of entries in the symbol table. This data can be used to locate the string table which immediately follows the symbol table.
This value should be zero for an image because COFF debugging information is deprecated.
Size of the OptionalHeader AND the data directories which follows this header.
This value is equivalent to: sizeof(pe_optional_header) + NB_DATA_DIR * sizeof(data_directory)
This size should be either:
0xE0 (224) for a PE32 (32 bits)
0xF0 (240) for a PE32+ (64 bits)
Characteristics of the binary like whether it is a DLL or an executable.
Check if the given CHARACTERISTICS is present.
The list of the CHARACTERISTICS.
Class which represents the PE OptionalHeader structure.
Note that the term optional comes from the COFF specifications but this header is mandatory for a PE binary.
Public Types
Values:
ASLR with 64 bit address space.
DLL can be relocated at load time.
Code integrity checks are enforced.
Image is NX compatible.
Isolation aware, but do not isolate the image.
Does not use structured exception handling (SEH). No SEH handler may be called in this image.
Do not bind the image.
Image should execute in an AppContainer.
A WDM driver.
Image supports Control Flow Guard.
Terminal Server aware.
Values:
An unknown subsystem.
Device drivers and native Windows processes.
The Windows GUI subsystem.
The Windows character subsystem.
The OS/2 character subsytem.
The POSIX character subsystem.
Native Windows 9x driver.
Windows CE.
An EFI application.
An EFI driver with boot services.
An EFI driver with run-time services.
An EFI ROM image.
XBOX.
A BCD application.
Public Functions
Magic bytes: either PE32 or PE32+ for 64-bits PE files.
The linker major version.
The linker minor version.
The size of the code .text section or the sum of all the sections that contain code (i.e. PE::Section with the flag Section::CHARACTERISTICS::CNT_CODE)
The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.
The sections associated with the initialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_INITIALIZED_DATA
The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.
The sections associated with the uninitialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_UNINITIALIZED_DATA
The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.
An entry point is optional for DLLs. When no entry point is present, this field must be zero.
Address relative to the imagebase where the binary’s code starts.
Address relative to the imagebase where the binary’s data starts.
Warning
This value is not present for PE64 files
The preferred base address when mapping the binary in memory.
The alignment (in bytes) of sections when they are loaded into memory.
It must be greater than or equal to file_alignment and the default is the page size for the architecture.
The section’s file alignment. This value must be a power of 2 between 512 and 64K. The default value is usually 512.
The major version number of the required operating system.
The minor version number of the required operating system.
The major version number of the image.
The minor version number of the image.
The major version number of the subsystem.
The minor version number of the subsystem.
According to the official PE specifications, this value is reserved and should be 0.
The size (in bytes) of the image, including all headers, as the image is loaded in memory.
It must be a multiple of section_alignment and should match Binary::virtual_size
Size of the DosHeader + PE Header + Section headers rounded up to a multiple of the file_alignment.
The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.
The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.
Some characteristics of the underlying binary like the support of the PIE. The prefix dll comes from the official PE specifications but these characteristics are also used for executables
Size of the stack to reserve when loading the PE binary.
Only OptionalHeader::sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.
Size of the stack to commit.
Size of the heap to reserve when loading the PE binary.
Size of the heap to commit.
According to the PE specifications, this value is reserved and should be 0.
The number of DataDirectory that follow this header.
Check if the given DLL_CHARACTERISTICS is included in the dll_characteristics.
Return the list of the dll_characteristics as an std::set of DLL_CHARACTERISTICS.
Add a DLL_CHARACTERISTICS to the current characteristics.
Remove a DLL_CHARACTERISTICS from the current characteristics.
Public Static Functions
Friends
Class that represents a PE data directory entry.
Public Types
Values:
Public Functions
The relative virtual address of the content of this data directory.
The size of the content.
Check if the content of this data directory is associated with a PE Cection.
Section associated with the DataDirectory.
Public Static Attributes
Friends
Class which represents a PE section.
Public Types
Values:
Public Functions
Return the size of the data in the section.
Return the size of the data when mapped in memory.
If this value is greater than sizeof_raw_data, the section is zero-padded.
The actual content of the section.
Content of the section’s padding area.
The offset of the section data in the PE file.
The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.
For modern PE binaries, this value is usually set to 0 as the relocations are managed by PE::Relocation.
The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.
No longer used in recent PE binaries produced by Visual Studio.
No longer used in recent PE binaries produced by Visual Studio.
Characteristics of the section: it provides information about the permissions of the section when mapped. It can also provide information about the purpose of the section (contain code, BSS-like, …)
Deprecated do not use. It will likely change in a future release of LIEF.
Deprecated do not use. It will likely change in a future release of LIEF.
Check if the section has the given CHARACTERISTICS.
List of the section characteristics as a std::set.
Fill the content of the section with the given char
Change section content.
Change the section’s name.
section’s name
Public Static Attributes
Class that represents a PE import.
Public Types
Public Functions
The index of the first forwarder reference.
The stamp that is set to zero until the image is bound. After the image is bound, this field is set to the time/data stamp of the DLL.
Iterator over the PE::ImportEntry.
The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.
Warning
This address could change when re-building the binary
Return the relative virtual address of the import lookup table.
Warning
This address could change when re-building the binary
Return the Function’s RVA from the import address table (IAT)
Warning
This address could change when re-building the binary
Return the imported function with the given name.
Return the library’s name (e.g. kernel32.dll)
Change the current import name.
Return the PE::DataDirectory associated with this import. It should be the one at index PE::DataDirectory::TYPES::IMPORT_TABLE.
If the data directory can’t be found, return a nullptr
Return the PE::DataDirectory associated associated with the IAT. It should be the one at index PE::DataDirectory::TYPES::IAT.
If the data directory can’t be found, return a nullptr
Add a new import entry (i.e. an imported function)
Add a new import entry with the given name (i.e. an imported function)
Class that represents an entry (i.e. an import) in the import table (Import).
It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API
Public Functions
Demangled representation of the symbol or an empty string if it can’t be demangled.
True if it is an import by ordinal
The ordinal value.
See also
Index into the Export::entries that is used to speed-up the symbol resolution.
Value of the current entry in the Import Address Table. It should match the lookup table value.
Raw value.
Friends
Class that represents a PE delayed import.
Public Types
Public Functions
According to the official PE specifications, this value is reserved and should be set to 0.
Return the library’s name (e.g. kernel32.dll)
The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.
RVA of the delay-load import address table.
RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table.
RVA of the bound delay-load import address table or 0 if the table does not exist.
RVA of the unload delay-load import address table or 0 if the table does not exist.
According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.
The timestamp of the DLL to which this image has been bound.
Iterator over the DelayImport’s entries (DelayImportEntry)
Iterator over the DelayImport’s entries (DelayImportEntry)
Friends
Class that represents an entry (i.e. an import) in the delay import table (DelayImport).
It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API.
The meaning of LIEF::Symbol::value for this PE object is the address (as an RVA) in the IAT where the resolution should take place.
Public Functions
Demangled representation of the symbol or an empty string if it can’t be demangled.
True if it is an import by ordinal
The ordinal value.
See also
Index into the Export::entries that is used to speed-up the symbol resolution.
Raw value.
Friends
Class which represents the PE Thread Local Storage.
This PE structure is also used to implement binary/library constructors.
Public Functions
List of the callback associated with the current TLS.
These functions are called before any other functions .
Pair (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.
Note
These addresses are not RVA. It is addresses for which there should be a rebase relocation in the .reloc section.
The location to receive the TLS index assigned by the loader. This location should be located in a writable section like .data
Pointer to an array of TLS callback functions.
The array is null-terminated, so if there is no callback function this field points to 4 bytes set to zero.
Size in bytes of the zero to be padded after the data specified by data_template.
The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.
True if there is a data directory associated with this entry.
Return the DataDirectory associated with this object or a nullptr If it exists, its type should be DataDirectory::TYPES::TLS_TABLE.
Check if there is a section associated with this entry.
This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: ! CodeCodeView)
Subclassed by LIEF::PE::CodeView, LIEF::PE::Pogo, LIEF::PE::Repro
Public Types
The entry types.
Values:
COFF debug information.
Frame pointer omission information.
A copy of .pdata section.
Reserved.
The mapping from an RVA in image to an RVA in source image.
The mapping from an RVA in source image to an RVA in image.
Reserved for Borland.
Reserved.
Reserved.
Profile Guided Optimization metadata.
PE determinism or reproducibility.
Public Functions
Reserved should be 0.
The time and date when the debug data was created.
The major version number of the debug data format.
The minor version number of the debug data format.
Size of the debug data.
Address of the debug data relative to the image base.
File offset of the debug data.
Interface for the (generic) Debug CodeView (IMAGE_DEBUG_TYPE_CODEVIEW)
Subclassed by LIEF::PE::CodeViewPDB
Public Types
Public Functions
The signature that defines the underlying type of the payload.
CodeView PDB specialization.
Public Types
Public Functions
The GUID signature to verify against the .pdb file signature. This attribute might be used to lookup remote PDB file on a symbol server.
Age value to verify. The age does not necessarily correspond to any known time value, it is used to determine if a .pdb file is out of sync with a corresponding .exe file.
The 32-bit signature to verify against the .pdb file signature.
The path to the .pdb file.
Friends
Class that represents a PE symbol.
Public Functions
True if symbols are located in a section
Class which represents the Base Relocation Block We usually find this structure in the .reloc section.
Public Types
Public Functions
The RVA for which the offset of the relocation entries (RelocationEntry) is added.
The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)
Iterator over the RelocationEntry.
Friends
Class which represents an entry of the PE relocation table.
It extends the LIEF::Relocation object to provide an uniform API across the file formats
Public Types
Values:
Public Functions
The address of the relocation.
The size of the relocatable pointer.
Raw data of the relocation:
The high 4 bits store the relocation type
The low 12 bits store the relocation offset
Offset relative to Relocation::virtual_address where the relocation occurs.
Type of the relocation.
Method so that the visitor can visit us.
Public Static Functions
Friends
Class which represents a PE Export.
Public Types
Public Functions
According to the PE specifications this value is reserved and should be set to 0.
The time and date that the export data was created.
The major version number (can be user-defined)
The minor version number (can be user-defined)
The starting number for the exports. Usually this value is set to 1.
The name of the library exported (e.g. KERNEL32.dll)
Iterator over the ExportEntry.
Class which represents a PE Export entry (cf. PE::Export)
Public Functions
Demangled representation of the symbol or an empty string if it can’t be demangled.
Friends
Public Functions
Friends
Main interface for the PKCS #7 signature scheme.
Public Types
Flags returned by the verification functions.
Values:
Flags to tweak the verification process of the signature.
See Signature::check and LIEF::PE::Binary::verify_signature
Values:
Default behavior that tries to follow the Microsoft verification process as close as possible
Only check that Binary::authentihash matches ContentInfo::digest regardless of the signature’s validity
Same semantic as WTD_LIFETIME_SIGNING_FLAG
Skip the verification of the certificates time validities so that even though a certificate expired, it returns VERIFICATION_FLAGS::OK
Iterator which outputs const x509& certificates.
Iterator which outputs x509& certificates.
Iterator which outputs const SignerInfo&.
Iterator which outputs SignerInfo&.
Public Functions
Should be 1.
Algorithm used to digest the file.
It should match SignerInfo::digest_algorithm
Return the ContentInfo.
Return an iterator over x509 certificates.
Return an iterator over the signers (SignerInfo) defined in the PKCS #7 signature.
Return the raw original PKCS7 signature.
Find x509 certificate according to its serial number.
Find x509 certificate according to its subject.
Find x509 certificate according to its subject AND serial number.
Find x509 certificate according to its issuer.
Find x509 certificate according to its issuer AND serial number.
Check if this signature is valid according to the Authenticode/PKCS #7 verification scheme.
By default, it performs the following verifications:
It must contain only one signer info
Signature::digest_algorithm must match:
The x509 certificate specified by SignerInfo::serial_number and SignerInfo::issuer must exist within Signature::certificates
Given the x509 certificate, compare SignerInfo::encrypted_digest against either:
hash of authenticated attributes if present
hash of ContentInfo
If authenticated attributes are present, check that a PKCS9_MESSAGE_DIGEST attribute exists and that its value matches hash of ContentInfo
Check the validity of the PKCS #9 counter signature if present
If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See LIEF::PE::Signature::VERIFICATION_CHECKS::LIFETIME_SIGNING and LIEF::PE::Signature::VERIFICATION_CHECKS::SKIP_CERT_TIME)
See: LIEF::PE::Signature::VERIFICATION_CHECKS to tweak the behavior
Public Static Functions
Hash the input given the algorithm.
Convert a verification flag into a humman representation. e.g VERIFICATION_FLAGS.BAD_DIGEST | VERIFICATION_FLAGS.BAD_SIGNATURE | VERIFICATION_FLAGS.CERT_EXPIRED.
Interface over PKCS #7 attribute.
Subclassed by LIEF::PE::ContentType, LIEF::PE::GenericType, LIEF::PE::MsCounterSign, LIEF::PE::MsManifestBinaryID, LIEF::PE::MsSpcNestedSignature, LIEF::PE::MsSpcStatementType, LIEF::PE::PKCS9AtSequenceNumber, LIEF::PE::PKCS9CounterSignature, LIEF::PE::PKCS9MessageDigest, LIEF::PE::PKCS9SigningTime, LIEF::PE::SigningCertificateV2, LIEF::PE::SpcRelaxedPeMarkerCheck, LIEF::PE::SpcSpOpusInfo
Public Types
Values:
Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
ContentType ::= OBJECT IDENTIFIER
Public Functions
OID as described in RFC #2985.
Print information about the attribute.
Interface over an attribute for which the internal structure is not supported by LIEF.
Public Functions
OID of the original attribute.
Original DER blob of the attribute.
Print information about the attribute.
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1
The internal structure is not documented but we can infer the following structure:
MsSpcNestedSignature ::= SET OF SignedData
SignedData is the structure described in PKCS #7 RFC (LIEF::PE::Signature)
Public Functions
Print information about the attribute.
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11
The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format
SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER
Public Functions
According to the documentation:
The SpcStatementType MUST contain one Object Identifier with either the value
1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID)or1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID).
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
sequenceNumber ATTRIBUTE ::= {
WITH SYNTAX SequenceNumber
EQUALITY MATCHING RULE integerMatch
SINGLE VALUE TRUE
ID pkcs-9-at-sequenceNumber
}
SequenceNumber ::= INTEGER (1..MAX)
Public Functions
Number as described in the RFC.
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
counterSignature ATTRIBUTE ::= {
WITH SYNTAX SignerInfo
ID pkcs-9-at-counterSignature
}
Public Functions
SignerInfo as described in the RFC #2985.
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
messageDigest ATTRIBUTE ::= {
WITH SYNTAX MessageDigest
EQUALITY MATCHING RULE octetStringMatch
SINGLE VALUE TRUE
ID pkcs-9-at-messageDigest
}
MessageDigest ::= OCTET STRING
Public Functions
Message digeset as a blob of bytes as described in the RFC.
Print information about the attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
signingTime ATTRIBUTE ::= {
WITH SYNTAX SigningTime
EQUALITY MATCHING RULE signingTimeMatch
SINGLE VALUE TRUE
ID pkcs-9-at-signingTime
}
SigningTime ::= Time -- imported from ISO/IEC 9594-8
Public Types
Time as an array [year, month, day, hour, min, sec].
Public Functions
Print information about the attribute.
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12
The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format
SpcSpOpusInfo ::= SEQUENCE {
programName [0] EXPLICIT SpcString OPTIONAL,
moreInfo [1] EXPLICIT SpcLink OPTIONAL
}
Public Functions
Program description provided by the publisher.
Other information such as an url.
Print information about the attribute.
Public Functions
Digest used to hash the file.
It should match LIEF::PE::SignerInfo::digest_algorithm
PE’s authentihash.
See also
Public Static Functions
Public Static Attributes
Friends
Public Functions
Public Static Functions
Friends
Object that wraps a RSA key.
Public Types
Container for BigInt.
Public Functions
True if it embeds a public key.
True if it embeds a private key.
RSA public modulus.
RSA public exponent.
RSA private exponent.
First prime factor.
Second prime factor.
Size of the public modulus (in bits)
Interface over a x509 certificate.
Public Types
Public key scheme.
Values:
Unknown scheme.
RSA Scheme.
Elliptic-curve scheme.
Elliptic-curve Diffie-Hellman.
RSA scheme with an alternative implementation for signing and decrypting.
RSA Probabilistic signature scheme.
Mirror of mbedtls’s X509 Verify codes: MBEDTLS_X509_XX.
It must be sync with include/mbedtls/x509.h
Values:
The verification succeed
The certificate validity has expired.
The certificate has been revoked (is on a CRL).
The certificate Common Name (CN) does not match with the expected CN.
The certificate is not correctly signed by the trusted CA.
The CRL is not correctly signed by the trusted CA.
The CRL is expired.
Certificate was missing.
Certificate verification was skipped.
Other reason (can be used by verify callback)
The certificate validity starts in the future.
The CRL is from the future
Usage does not match the keyUsage extension.
Usage does not match the extendedKeyUsage extension.
Usage does not match the nsCertType extension.
The certificate is signed with an unacceptable hash.
The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).
The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
The CRL is signed with an unacceptable hash.
The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).
The CRL is signed with an unacceptable key (eg bad curve, RSA too short).
Key usage as defined in RFC #5280 - section-4.2.1.3
Values:
The key is used for digital signature
The key is used for digital signature AND to protects against falsely denying some action
The key is used for enciphering private or secret keys
The key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher
The Key is used for key agreement. (e.g. with Diffie-Hellman)
The key is used for verifying signatures on public key certificates
The key is used for verifying signatures on certificate revocation lists
In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for enciphering data while performing key agreement
In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for deciphering data while performing key agreement
Tuple (Year, Month, Day, Hour, Minute, Second)
Public Functions
X.509 version. (1=v1, 2=v2, 3=v3)
Unique id for certificate issued by a specific CA.
Issuer informations.
Subject informations.
Try to decrypt the given signature and check if it matches the given hash according to the hash algorithm provided.
If the underlying public-key scheme is RSA, return the RSA information. Otherwise, return a nullptr
Verify that this certificate has been used to trust the given certificate.
Verify that this certificate is trusted by the given CA list.
Policy information terms as OID (see RFC #5280)
Indicates one or more purposes for which the certified public key may be used (OID types)
The signature of the certificate.
Public Static Functions
Parse x509 certificate(s) from file path.
Parse x509 certificate(s) from raw blob.
Return True if before is before than after. False otherwise.
ContentInfo as described in the RFC2315 (https://tools.ietf.org/html/rfc2315#section-7)
ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
ContentType ::= OBJECT IDENTIFIER
In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent
SpcIndirectDataContent ::= SEQUENCE {
data SpcAttributeTypeAndOptionalValue,
messageDigest DigestInfo
}
SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
type ObjectID,
value [0] EXPLICIT ANY OPTIONAL
}
For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTETSTRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm ObjectID,
parameters [0] EXPLICIT ANY OPTIONAL
}
Public Functions
Return the OID that describes the content wrapped by this object. It should match SPC_INDIRECT_DATA_OBJID (1.3.6.1.4.1.311.2.1.4)
Return the digest (authentihash) if the underlying content type is SPC_INDIRECT_DATA_OBJID Otherwise, return an empty vector.
Return the digest used to hash the file.
Friends
Subclassed by LIEF::PE::GenericContent, LIEF::PE::PKCS9TSTInfo, LIEF::PE::SpcIndirectData
SignerInfo as described in the RFC 2315
SignerInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}
EncryptedDigest ::= OCTET STRING
Public Types
Internal container used to store both authenticated and unauthenticated attributes.
Iterator which outputs const Attribute&.
Public Functions
Should be 1.
Return the serial number associated with the x509 certificate used by this signer.
Return the x509::issuer used by this signer.
Algorithm (OID) used to hash the file.
This value should match LIEF::PE::ContentInfo::digest_algorithm and LIEF::PE::Signature::digest_algorithm
Return the (public-key) algorithm used to encrypt the signature.
Return the signature created by the signing certificate’s private key.
Iterator over LIEF::PE::Attribute for authenticated attributes.
Iterator over LIEF::PE::Attribute for unauthenticated attributes.
Return the authenticated or un-authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.
It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.
Return the authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.
It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.
Return the un-authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.
It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.
x509 certificate used by this signer. If it can’t be found, it returns a nullptr
x509 certificate used by this signer. If it can’t be found, it returns a nullptr
Raw blob that is signed by the signer certificate.
Friends
This class exposes the MS Counter Signature attribute.
Public Types
Public Functions
Iterator over the LIEF::PE::x509 certificates of this counter signature.
Signer iterator (same as LIEF::PE::SignerInfo)
Print information about the underlying attribute.
Interface over the structure described by the OID 1.2.840.113549.1.9.16.1.4 (PKCS #9)
The internal structure is described in the RFC #3161
TSTInfo ::= SEQUENCE {
version INTEGER { v1(1) },
policy TSAPolicyId,
messageImprint MessageImprint,
serialNumber INTEGER,
genTime GeneralizedTime,
accuracy Accuracy OPTIONAL,
ordering BOOLEAN DEFAULT FALSE,
nonce INTEGER OPTIONAL,
tsa [0] GeneralName OPTIONAL,
extensions [1] IMPLICIT Extensions OPTIONAL
}
TSAPolicyId ::= OBJECT IDENTIFIER
MessageImprint ::= SEQUENCE {
hashAlgorithm AlgorithmIdentifier,
hashedMessage OCTET STRING
}
Accuracy ::= SEQUENCE {
seconds INTEGER OPTIONAL,
millis [0] INTEGER (1..999) OPTIONAL,
micros [1] INTEGER (1..999) OPTIONAL
}
Public Functions
Public Static Functions
Public Static Attributes
Interface over the structure described by the OID 1.3.6.1.4.1.311.10.3.28 (szOID_PLATFORM_MANIFEST_BINARY_ID)
The internal structure is not documented but we can infer the following structure:
szOID_PLATFORM_MANIFEST_BINARY_ID ::= SET OF BinaryID
BinaryID being an alias of UTF8STRING
Public Functions
Print information about the attribute.
The manifest id as a string.
Public Functions
Print information about the underlying attribute.
SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2, policies SEQUENCE OF PolicyInformation OPTIONAL }.
ESSCertIDv2 ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256}, certHash OCTET STRING, issuerSerial IssuerSerial OPTIONAL }
IssuerSerial ::= SEQUENCE { issuer GeneralNames, serialNumber CertificateSerialNumber }
PolicyInformation ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER, policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL }
Public Functions
Print information about the underlying attribute.
Class that is used to rebuild a raw PE binary from a PE::Binary object.
Public Functions
Perform the build process.
Patch the original import table in order to redirect functions to the new import table.
This setting should be used with LIEF::PE::Builder::build_imports set to true
Return the build result.
Write the build result into the output file.
Write the build result into the os stream.
Public Static Functions
Construct a jmp [address] @ from.
It is used when patching import table
Construct a jmp far address @ from.
It is used for hooking
The Resource Manager provides an enhanced API to manipulate the resource tree.
Public Types
The different types of resources Ref: From https://docs.microsoft.com/en-us/windows/win32/menurc/resource-types.
Values:
Public Functions
Return the ResourceNode associated with the given KIND or a nullptr if not found;.
true if resources contain the Manifest element
Return the manifest as a std::string or an empty string if not found or corrupted.
Update the manifest with the given string.
true if resources contain a LIEF::PE::ResourceVersion
Return the ResourceVersion if any.
true if resources contain a LIEF::PE::ResourceIcon
Return the list of the icons present in the resources.
Add an icon to the resources.
Return the list of the dialogs present in the resource.
true if the resources contain a LIEF::PE::ResourceStringTable
Return the list of the string table in the resource.
true if the resources contain html
Return the list of the html resources.
true if the resources contain LIEF::PE::ResourceAccelerator
Return the list of the accelerator in the resource.
Print the resource tree to the given depth.
Public Static Functions
Friends
Class which represents a Node in the resource tree.
Subclassed by LIEF::PE::ResourceData, LIEF::PE::ResourceDirectory
Public Types
Enum that identifies the type of a node in the resource tree.
Values:
Public Functions
Integer that identifies the Type, Name, or Language ID of the entry depending on its depth in the tree.
Name of the entry.
True if the entry uses a name as ID
Current depth of the Node in the resource tree.
True if the current entry is a ResourceDirectory.
It can be safely casted with:
const auto& dir_node = static_cast<const ResourceDirectory&>(node);
True if the current entry is a ResourceData.
It can be safely casted with:
const auto& data_node = static_cast<const ResourceData&>(node);
Add a ResourceDirectory to the current node.
Add a ResourceData to the current node.
Delete the node with the given id
Delete the given node from the node’s children.
Friends
Public Functions
Resource characteristics. This field is reserved for future use. It is currently set to zero.
The time that the resource data was created by the resource compiler.
The major version number, set by the user.
The minor version number, set by the user.
The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).
The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.
Public Static Functions
Friends
Class which represents a Data Node in the PE resources tree.
Public Functions
Return the code page that is used to decode code point values within the resource data. Typically, the code page is the unicode code page.
Resource content.
Reserved value. Should be 0
Offset of the content within the resource.
Warning
This value may change when rebuilding resource table
Public Static Functions
Friends
Public Functions
Id associated with the icon.
Language associated with the icon.
Sub language associated with the icon.
Width in pixels of the image.
Height in pixels of the image.
Number of colors in image (0 if >=8bpp)
Reserved (must be 0)
Color Planes.
Bits per pixel.
Size in bytes of the image.
Pixels of the image (as bytes)
Save the icon to the given filename.
filename – [in] Path to file in which the icon will be saved
Friends
Representation of a dialog box.
Windows allows two kinds of dialog box:
Simple one
Extended one
ResourceDialog::is_extended determine the type of the Dialog
Public Types
Public Functions
true if the dialog is an extended one
The extended windows styles.
Return list of LIEF::PE::EXTENDED_WINDOW_STYLES associated with the ResourceDialog::extended_style value.
The style of the dialog box. This member can be a combination of LIEF::PE::WINDOW_STYLES values and LIEF::PE::DIALOG_BOX_STYLES values.
Return list of LIEF::PE::WINDOW_STYLES associated with the ResourceDialog::style value.
Return list of LIEF::PE::DIALOG_BOX_STYLES associated with the ResourceDialog::style value.
The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.
The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.
The width, in dialog box units, of the dialog box.
The height, in dialog box units, of the dialog box.
Iterator on the controls (ResourceDialogItem) that defines the Dialog (Button, Label…)
RESOURCE_LANGS associated with the Dialog.
RESOURCE_SUBLANGS associated with the Dialog.
The version number of the extended dialog box template. This member must be set to 1.
Indicates whether a template is an extended dialog box template:
0xFFFF: Extended dialog box template
Other value: Standard dialog box template
See also
The help context identifier for the dialog box window.
The weight of the font.
The point size of the font to use for the text in the dialog box and its controls.
Indicates whether the font is italic. If this value is true, the font is italic.
The character to be used.
The title of the dialog box.
The name of the typeface for the font.
Friends
This class represents an item in the ResourceDialog.
Public Functions
True if the control is an extended one
The extended styles for a window.
List of PE::EXTENDED_WINDOW_STYLES associated with the ResourceDialogItem::extended_style value.
Check if the DialogItem has the given PE::EXTENDED_WINDOW_STYLES.
The style of the control.
The x-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.
The y-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.
The width, in dialog box units, of the control.
The height, in dialog box units, of the control.
The control identifier.
The help context identifier for the control.
Initial text of the control.
Friends
Representation of the data associated with the RT_VERSION entry.
See: VS_VERSIONINFO - https://docs.microsoft.com/en-us/windows/win32/menurc/vs-versioninfo
Public Functions
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
Signature of the structure: Must be the unicode string “VS_VERSION_INFO”.
true if the version contains a ResourceFixedFileInfo
true if the version contains a ResourceStringFileInfo
true if the version contains a ResourceVarFileInfo
Object that describes various information about the application’s version. This is an optional information and if it is not present, it returns a nullptr.
Object that describes various information about the application’s version. The underlying structure is basically a dictionary (key/value)
This structure is not always present and if not, it returns a nullptr
Object that describes information about languages supported by the application This structure is not always present and if not, it returns a nullptr.
Friends
Representation of VS_FIXEDFILEINFO Structure.
Public Functions
Must be set to 0xFEEF04BD
The binary version number of this structure.
The high-order word of this member contains the major version number, and the low-order word contains the minor version number.
The most significant 32 bits of the file’s binary version number.
This member is used with ResourceFixedFileInfo::file_version_LS to form a 64-bits value used for numeric comparisons.
The least significant 32 bits of the file’s binary version number.
This member is used with ResourceFixedFileInfo::file_version_MS to form a 64-bits value used for numeric comparisons.
The most significant 32 bits of the product with which this file was distributed.
This member is used with ResourceFixedFileInfo::product_version_LS to form a 64-bits value used for numeric comparisons.
The least significant 32 bits of the product with which this file was distributed.
This member is used with ResourceFixedFileInfo::product_version_MS to form a 64-bits value used for numeric comparisons.
Contains a bitmask that specifies the valid bits in ResourceFixedFileInfo::file_flags.
A bit is valid only if it was defined when the file was created.
Contains a bitmask that specifies the Boolean attributes of the file (PE::FIXED_VERSION_FILE_FLAGS)
The operating system for which this file was designed (PE::FIXED_VERSION_OS).
The general type of file (PE::FIXED_VERSION_FILE_TYPES)
The function of the file (PE::FIXED_VERSION_FILE_SUB_TYPES)
The most significant 32 bits of the file’s 64-bit binary creation date and time stamp.
The least significant 32 bits of the file’s 64-bit binary creation date and time stamp.
Friends
This object describes information about languages supported by the application.
See also
Public Functions
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
Signature of the structure: Must be the unicode string “VarFileInfo”.
List of languages that the application supports.
The least significant 16-bits must contain a Microsoft language identifier, and the most significant 16-bits must contain the PE::CODE_PAGES Either most or least 16-bits can be zero, indicating that the file is language or code page independent.
Friends
Representation of the StringFileInfo structure.
It contains version information that can be displayed for a particular language and code page.
See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringfileinfo
Public Functions
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
Signature of the structure: Must be the unicode string “StringFileInfo”.
List of the LangCodeItem items.
Each LangCodeItem::key indicates the appropriate language and code page for displaying the key: value of LangCodeItem::items
Friends
Class which represents the childs of the ResourceStringFileInfo.
See also
Public Types
Public Functions
The type of data in the version resource.
1 if it contains text data
0 if it contains binary data
A 8-digit hexadecimal number stored as an Unicode string.
The four most significant digits represent the language identifier.
The four least significant digits represent the code page for which the data is formatted.
Code page for which LangCodeItem::items are defined
Lang for which LangCodeItem::items are defined.
Sublang for which LangCodeItem::items are defined.
Friends
Public Functions
The size of the string, not including length field itself.
The variable-length Unicode string data, word-aligned.
Friends
Class which represents the not-so-documented rich header.
This structure is usually located at the end of the Binary::dos_stub and contains information about the build environment. It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.
Public Types
Public Functions
Key used to encode the header (xor operation)
Return an iterator over the PE::RichEntry within the header.
Add a new PE::RichEntry.
Add a new entry given the id, build_id and count.
The raw structure of the Rich header without xor-encoding.
This function is equivalent as calling RichHeader::raw(uint32_t) with a xor_key set to 0
Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.
You can access the decoded data’s structure with the xor_key set to 0
xor_key – [in] The key to use for the xor-encoding (can be 0)
Compute the hash of the decoded rich header structure with the given hash algorithm.
Compute the hash of the rich header structure encoded with the provided key.
Public Static Attributes
Friends
Class which represents an entry associated to the RichHeader.
Public Functions
Entry type.
Build number of the tool (if any)
Occurrence count.
Public Functions
Flags to indicate if CI information is available, etc.
0xFFFF means not available
Additional bitmask to be defined later.
Friends
This class represents a Profile Guided Optimization entry from the debug directory (IMAGE_DEBUG_TYPE_POGO).
Public Types
Values:
Public Functions
An iterator over the different POGO elements.
Public Functions
This class represents a reproducible build entry from the debug directory. (IMAGE_DEBUG_TYPE_REPRO). This entry is usually generated with the undocumented /Brepro linker flag.
See: https://nikhilism.com/post/2020/windows-deterministic-builds/
Public Functions
The hash associated with the reproducible build.
Class that represents the default PE’s LoadConfiguration
It’s the base class for any future versions of the structure
Subclassed by LIEF::PE::LoadConfigurationV0
Public Types
Values:
Public Functions
Characteristics of the structure It usually holds its size.
See also
Size of the current structure which is an alias for characteristics.
Date and time stamp value.
Major Version.
Minor version.
The global loader flags to clear for this process as the loader start the process.
The global loader flags to set for this process as the loader starts the process.
The default timeout value to use for this process’s critical sections that are abandoned.
Memory that must be freed before it is returned to the system, in bytes.
Total amount of free memory, in bytes.
The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.
Warning
For x86 only
Maximum allocation size, in bytes.
Maximum virtual memory size, in bytes.
Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)
Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.
The service pack version identifier.
Must be zero.
Alias for reserved1.
On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags
Reserved for use by the system.
A pointer to a cookie that is used by Visual C++ or GS implementation.
Public Static Functions
Friends
LoadConfiguration enhanced with SEH.
Subclassed by LIEF::PE::LoadConfigurationV1
Public Functions
(SDK) Version of the structure
The VA of the sorted table of RVAs of each valid, unique SE handler in the image.
The count of unique handlers in the table.
Public Static Functions
Public Static Attributes
LoadConfiguration enhanced with Control Flow Guard.
This structure is available from Windows 8.1
Subclassed by LIEF::PE::LoadConfigurationV2
Public Types
Values:
Module performs control flow integrity checks using system-supplied support
Module performs control flow and write integrity checks
Module contains valid control flow target metadata
Module does not make use of the /GS security cookie
Module supports read only delay load IAT
Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected
Module contains suppressed export information. This also infers that the address taken taken IAT table is also present in the load config.
Module enables suppression of exports
Module contains longjmp target information
Module contains return flow instrumentation and metadata
Module requests that the OS enable return flow protection
Module requests that the OS enable return flow protection in strict mode
Module was built with retpoline support
Module contains EH continuation target information
Public Functions
(SDK) Version of the structure
The VA where Control Flow Guard check-function pointer is stored.
The VA where Control Flow Guard dispatch-function pointer is stored.
The VA of the sorted table of RVAs of each Control Flow Guard function in the image.
The count of unique RVAs in the LoadConfigurationV1::guard_cf_function_table.
Control Flow Guard related flags.
Check if the given flag is present in LoadConfigurationV1::guard_flags.
LoadConfigurationV1::guard_flags as a list of LIEF::PE::GUARD_CF_FLAGS.
Public Static Functions
Public Static Attributes
LoadConfiguration enhanced with code integrity.
Subclassed by LIEF::PE::LoadConfigurationV3
Public Functions
(SDK) Version of the structure
CodeIntegrity associated with.
Public Static Functions
Public Static Attributes
LoadConfiguration with Control Flow Guard improved.
Subclassed by LIEF::PE::LoadConfigurationV4
Public Functions
(SDK) Version of the structure
VA of a table associated with CFG’s IAT checks.
Number of entries in the LoadConfigurationV3::guard_address_taken_iat_entry_table.
VA of a table associated with CFG’s long jump
Number of entries in the LoadConfigurationV3::guard_long_jump_target_table.
Public Static Functions
Public Static Attributes
Load Configuration enhanced with.
Kind of dynamic relocations
Hybrid Metadata Pointer
Subclassed by LIEF::PE::LoadConfigurationV5
Public Functions
(SDK) Version of the structure
VA of pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE
Public Static Functions
Public Static Attributes
Load Configuration enhanced with Return Flow Guard.
Subclassed by LIEF::PE::LoadConfigurationV6
Public Functions
(SDK) Version of the structure
VA of the failure routine.
VA of the failure routine fptr.
Offset of dynamic relocation table relative to the relocation table.
The section index of the dynamic value relocation table.
Must be zero.
Public Static Functions
Public Static Attributes
Load Configuration enhanced with Hotpatch and improved RFG.
Subclassed by LIEF::PE::LoadConfigurationV7
Public Functions
(SDK) Version of the structure
VA of the Function verifying the stack pointer.
Offset to the hotpatch table.
Public Static Functions
Public Static Attributes
Subclassed by LIEF::PE::LoadConfigurationV8
Public Functions
(SDK) Version of the structure
Public Static Functions
Public Static Attributes
Subclassed by LIEF::PE::LoadConfigurationV9
Public Functions
(SDK) Version of the structure
Public Static Functions
Public Static Attributes
Subclassed by LIEF::PE::LoadConfigurationV10
Public Functions
(SDK) Version of the structure
Public Static Functions
Public Static Attributes
Subclassed by LIEF::PE::LoadConfigurationV11
Public Functions
(SDK) Version of the structure
Public Static Functions
Public Static Attributes
Public Functions
(SDK) Version of the structure
Public Static Functions
Public Static Attributes
if the input file is a PE one, return PE32 or PE32+
check if the file is a PE file
check if the raw data is a PE file
Compute the hash of imported functions.
By default, it generates an hash with the following properties:
Order agnostic
Casse agnostic
Ordinal (in some extent) agnostic
If one needs the same output as Virus Total (i.e. pefile), you can pass IMPHASH_MODE::PEFILE as second parameter.
Warning
The default algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation
Enum to define the behavior of LIEF::PE::get_imphash.
Values:
Default implementation
Same as IMPHASH_MODE::DEFAULT
Use pefile algorithm
Same as IMPHASH_MODE::PEFILE since Virus Total is using pefile
Take a PE::Import as entry and try to resolve imports by ordinal.
The strict boolean parameter enables to throw an LIEF::not_found exception if the ordinal can’t be resolved. Otherwise it skips the entry.
The PE::import resolved with PE::ImportEntry::name set
Convert an OID to a human-readable string.
Storage class tells where and what the symbol represents.
Values:
Physical end of function.
No symbol.
Stack variable.
External symbol.
Static.
Register variable.
External definition.
Label.
Undefined label.
Member of structure.
Structure tag.
Member of union.
Union tag.
Type definition.
Undefined static.
Enumeration tag.
Member of enumeration.
Register parameter.
Bit field “.bb” or “.eb” - beginning or end of block.
“.bf” or “.ef” - beginning or end of function
End of structure.
File name line number, reformatted as symbol.
Duplicate tag external symbol in dmert public lib.
Values:
No type information or unknown base type.
Used with void pointers and functions.
A character (signed byte).
A 2-byte signed integer.
A natural integer type on the target.
A 4-byte signed integer.
A 4-byte floating-point number.
An 8-byte floating-point number.
A structure.
An union.
An enumerated type.
A member of enumeration (a specific value).
A byte; unsigned 1-byte integer.
A word; unsigned 2-byte integer.
An unsigned integer of natural size.
An unsigned 4-byte integer.
Values:
No complex type; simple scalar variable.
A pointer to base type.
A function that returns a base type.
An array of base type.
Type is formed as (base + (derived << SCT_COMPLEX_TYPE_SHIFT))
Values:
Values:
Values:
Code page from https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers.
Values:
IBM EBCDIC US-Canada
OEM United States
IBM EBCDIC International
Arabic (ASMO 708)
Arabic (Transparent ASMO); Arabic (DOS)
OEM Greek (formerly 437G); Greek (DOS)
OEM Baltic; Baltic (DOS)
OEM Multilingual Latin 1; Western European (DOS)
OEM Latin 2; Central European (DOS)
OEM Cyrillic (primarily Russian)
OEM Turkish; Turkish (DOS)
OEM Multilingual Latin 1 + Euro symbol
OEM Portuguese; Portuguese (DOS)
OEM Icelandic; Icelandic (DOS)
OEM Hebrew; Hebrew (DOS)
OEM French Canadian; French Canadian (DOS)
OEM Arabic; Arabic (864)
OEM Nordic; Nordic (DOS)
OEM Russian; Cyrillic (DOS)
OEM Modern Greek; Greek, Modern (DOS)
IBM EBCDIC Multilingual/ROECE (Latin 2); IBM EBCDIC Multilingual Latin 2
ANSI/OEM Thai (same as 28605, ISO 8859-15); Thai (Windows)
IBM EBCDIC Greek Modern
ANSI/OEM Japanese; Japanese (Shift-JIS)
ANSI/OEM Simplified Chinese (PRC, Singapore); Chinese Simplified (GB2312)
ANSI/OEM Korean (Unified Hangul Code)
ANSI/OEM Traditional Chinese (Taiwan; Hong Kong SAR, PRC); Chinese Traditional (Big5)
IBM EBCDIC Turkish (Latin 5)
IBM EBCDIC Latin 1/Open System
IBM EBCDIC US-Canada (037 + Euro symbol); IBM EBCDIC (US-Canada-Euro)
IBM EBCDIC Germany (20273 + Euro symbol); IBM EBCDIC (Germany-Euro)
IBM EBCDIC Denmark-Norway (20277 + Euro symbol); IBM EBCDIC (Denmark-Norway-Euro)
IBM EBCDIC Finland-Sweden (20278 + Euro symbol); IBM EBCDIC (Finland-Sweden-Euro)
IBM EBCDIC Italy (20280 + Euro symbol); IBM EBCDIC (Italy-Euro)
IBM EBCDIC Latin America-Spain (20284 + Euro symbol); IBM EBCDIC (Spain-Euro)
IBM EBCDIC United Kingdom (20285 + Euro symbol); IBM EBCDIC (UK-Euro)
IBM EBCDIC France (20297 + Euro symbol); IBM EBCDIC (France-Euro)
IBM EBCDIC International (500 + Euro symbol); IBM EBCDIC (International-Euro)
IBM EBCDIC Icelandic (20871 + Euro symbol); IBM EBCDIC (Icelandic-Euro)
Unicode UTF-16, little endian byte order (BMP of ISO 10646); available only to managed applications
Unicode UTF-16, big endian byte order; available only to managed applications
ANSI Central European; Central European (Windows)
ANSI Cyrillic; Cyrillic (Windows)
ANSI Latin 1; Western European (Windows)
ANSI Greek; Greek (Windows)
ANSI Turkish; Turkish (Windows)
ANSI Hebrew; Hebrew (Windows)
ANSI Arabic; Arabic (Windows)
ANSI Baltic; Baltic (Windows)
ANSI/OEM Vietnamese; Vietnamese (Windows)
Korean (Johab)
MAC Roman; Western European (Mac)
Japanese (Mac)
MAC Traditional Chinese (Big5); Chinese Traditional (Mac)
Korean (Mac)
Arabic (Mac)
Hebrew (Mac)
Greek (Mac)
Cyrillic (Mac)
MAC Simplified Chinese (GB 2312); Chinese Simplified (Mac)
Romanian (Mac)
Ukrainian (Mac)
Thai (Mac)
MAC Latin 2; Central European (Mac)
Icelandic (Mac)
Turkish (Mac)
Croatian (Mac)
Unicode UTF-32, little endian byte order; available only to managed applications
Unicode UTF-32, big endian byte order; available only to managed applications
CNS Taiwan; Chinese Traditional (CNS)
TCA Taiwan
Eten Taiwan; Chinese Traditional (Eten)
IBM5550 Taiwan
TeleText Taiwan
Wang Taiwan
IA5 (IRV International Alphabet No. 5, 7-bit); Western European (IA5)
IA5 German (7-bit)
IA5 Swedish (7-bit)
IA5 Norwegian (7-bit)
US-ASCII (7-bit)
T.61
ISO 6937 Non-Spacing Accent
IBM EBCDIC Germany
IBM EBCDIC Denmark-Norway
IBM EBCDIC Finland-Sweden
IBM EBCDIC Italy
IBM EBCDIC Latin America-Spain
IBM EBCDIC United Kingdom
IBM EBCDIC Japanese Katakana Extended
IBM EBCDIC France
IBM EBCDIC Arabic
IBM EBCDIC Greek
IBM EBCDIC Hebrew
IBM EBCDIC Korean Extended
IBM EBCDIC Thai
Russian (KOI8-R); Cyrillic (KOI8-R)
IBM EBCDIC Icelandic
IBM EBCDIC Cyrillic Russian
IBM EBCDIC Turkish
IBM EBCDIC Latin 1/Open System (1047 + Euro symbol)
Japanese (JIS 0208-1990 and 0121-1990)
Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)
Korean Wansung
IBM EBCDIC Cyrillic Serbian-Bulgarian
Ukrainian (KOI8-U); Cyrillic (KOI8-U)
ISO 8859-1 Latin 1; Western European (ISO)
ISO 8859-2 Central European; Central European (ISO)
ISO 8859-3 Latin 3
ISO 8859-4 Baltic
ISO 8859-5 Cyrillic
ISO 8859-6 Arabic
ISO 8859-7 Greek
ISO 8859-8 Hebrew; Hebrew (ISO-Visual)
ISO 8859-9 Turkish
ISO 8859-13 Estonian
ISO 8859-15 Latin 9
Europa 3
ISO 8859-8 Hebrew; Hebrew (ISO-Logical)
ISO 2022 Japanese with no halfwidth Katakana; Japanese (JIS)
ISO 2022 Japanese with halfwidth Katakana; Japanese (JIS-Allow 1 byte Kana)
ISO 2022 Japanese JIS X 0201-1989; Japanese (JIS-Allow 1 byte Kana - SO/SI)
ISO 2022 Korean
ISO 2022 Simplified Chinese; Chinese Simplified (ISO 2022)
EUC Japanese
EUC Simplified Chinese; Chinese Simplified (EUC)
EUC Korean
HZ-GB2312 Simplified Chinese; Chinese Simplified (HZ)
Windows XP and later: GB18030 Simplified Chinese (4 byte); Chinese Simplified (GB18030)
ISCII Devanagari
ISCII Bengali
ISCII Tamil
ISCII Telugu
ISCII Assamese
ISCII Oriya
ISCII Kannada
ISCII Malayalam
ISCII Gujarati
ISCII Punjabi
Unicode (UTF-7)
Unicode (UTF-8)
From: https://docs.microsoft.com/en-us/windows/win32/winmsg/window-styles.
Values:
From https://docs.microsoft.com/en-us/windows/win32/winmsg/extended-window-styles.
Values:
From https://docs.microsoft.com/en-us/windows/win32/dlgbox/dialog-box-styles.
Values:
Values:
Values:
Values:
Values:
Cryptography algorithms.
Values: