Python¶

Parser¶

lief.PE.parse(*args) → lief.PE.Binary | None¶

lief.PE.parse(raw: list[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x796719c8d790>) → lief._lief.PE.Binary | None

lief.PE.parse(obj: Union[io.IOBase | os.PathLike], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x796719c8d7b0>) → lief._lief.PE.Binary | None

Overloaded function.

parse(filename: str, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x796719c8d770>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given file path and return a Binary object

parse(raw: list[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x796719c8d790>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given list of bytes and return a lief.PE.Binary object

parse(obj: Union[io.IOBase | os.PathLike], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x796719c8d7b0>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given parameter and return a lief.PE.Binary object

class lief.PE.ParserConfig(self)¶

Bases: object

This class is used to tweak the PE Parser (Parser)

all = <lief._lief.PE.ParserConfig object>¶

property parse_exports → bool¶: Parse PE Exports Directory

property parse_imports → bool¶: Parse PE Import Directory

property parse_reloc → bool¶: Parse PE relocations

property parse_rsrc → bool¶: Parse PE resources tree

property parse_signature → bool¶: Parse PE Authenticode signature

Binary¶

class lief.PE.Binary(self, type: lief._lief.PE.PE_TYPE)¶

Bases: Binary

Class which represents a PE binary which is the main interface to manage and modify a PE executable.

This object can be instantiated through lief.parse() or lief.PE.parse() while the constructor of this object can be used to craft a binary from scratch (see: 02 - Create a PE from scratch)

add_import_function(self, import_name: str, function_name: str) → lief.PE.ImportEntry¶: Add a function to the given Import name

add_library(self, import_name: str) → lief.PE.Import¶: Add an Import by name

add_relocation(self, relocation: lief.PE.Relocation) → lief.PE.Relocation¶: Add a Relocation to the binary

add_section(self, section: lief.PE.Section, type: lief.PE.SECTION_TYPES) → lief.PE.Section¶: Add a Section to the binary.

authentihash(self, algorithm: lief.PE.ALGORITHMS) → bytes¶: Compute the authentihash according to the ALGORITHMS given in the first parameter

property authentihash_md5 → bytes¶: Authentihash MD5 value

property authentihash_sha1 → bytes¶: Authentihash SHA1 value

property authentihash_sha256 → bytes¶: Authentihash SHA-256 value

property authentihash_sha512 → bytes¶: Authentihash SHA-512 value

property codeview_pdb → lief.PE.CodeViewPDB¶: Return the CodeViewPDB if present

compute_checksum(self) → int¶

Re-compute the value of checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF for the current binary object.

property data_directories → lief.PE.Binary.it_data_directories¶: Return an iterator over the DataDirectory

data_directory(self, type: lief.PE.DataDirectory.TYPES) → lief.PE.DataDirectory¶: Return the DataDirectory object from the given TYPES type

property debug → lief.PE.Binary.it_debug¶: Return the Debug

property delay_imports → lief.PE.Binary.it_delay_imports¶: Return an iterator over the DelayImport

property dos_header → lief.PE.DosHeader¶: Return the DosHeader

property dos_stub → memoryview¶: DOS stub content as a list of bytes

property exception_functions → list[lief.Function]¶: Function found in the Exception directory

property functions → list[lief.Function]¶: All Function found in the binary

get_delay_import(self, import_name: str) → lief.PE.DelayImport¶: Return the DelayImport from the given name or None if not not found

get_export(self) → lief.PE.Export¶: Return the Export object

get_import(self, import_name: str) → lief.PE.Import¶: Return the Import from the given name or None if not not found

get_section(self, section_name: str) → lief.PE.Section¶: Return the Section object from the given name or None if not not found

property has_configuration → bool¶: True if the current binary has LoadConfiguration

property has_debug → bool¶: True if the current binary has a Debug object

has_delay_import(self, import_name: str) → bool¶: True if the binary imports the given library name

property has_delay_imports → bool¶: True if the current binary has delay imports (DelayImport)

property has_exceptions → bool¶: True if the current binary uses Exceptions

property has_exports → bool¶: True if the current binary has a Export object

has_import(self, import_name: str) → bool¶: True if the binary imports the given library name

property has_imports → bool¶: True if the current binary has imports (Import)

property has_relocations → bool¶: True if the current binary uses Relocation

property has_resources → bool¶: True if the current binary has a Resources object

property has_rich_header → bool¶: True if the current binary has a RichHeader object

property has_signatures → bool¶: True if the binary is signed with the PE authenticode (Signature)

property has_tls → bool¶: True if the current binary has a TLS object

property header → lief.PE.Header¶: Return the Header

property imports → lief.PE.Binary.it_imports¶: Return an iterator over the Import libraries

property is_reproducible_build → bool¶: True if the binary was compiled with a reproducible build directive (Debug)

class it_const_signatures¶

Bases: object

Iterator over lief._lief.PE.Signature

class it_data_directories¶

Bases: object

Iterator over lief._lief.PE.DataDirectory

class it_debug¶

Bases: object

Iterator over lief._lief.PE.Debug

class it_delay_imports¶

Bases: object

Iterator over lief._lief.PE.DelayImport

class it_imports¶

Bases: object

Iterator over lief._lief.PE.Import

class it_relocations¶

Bases: object

Iterator over lief._lief.PE.Relocation

class it_section¶

Bases: object

Iterator over lief._lief.PE.Section

class it_symbols¶

Bases: object

Iterator over lief._lief.PE.Symbol

property load_configuration → lief.PE.LoadConfiguration¶: Return the LoadConfiguration object or None if not present

property optional_header → lief.PE.OptionalHeader¶: Header that follows the header. It is named optional from the COFF specifications but it is mandatory in a PE file.

property overlay → memoryview¶: Return the overlay content as a list of bytes

property overlay_offset → int¶: Return the original overlay offset

predict_function_rva(self, library: str, function: str) → int¶: Try to predict the RVA of the given function name in the given import library name

property relocations → lief.PE.Binary.it_relocations¶: Return an iterator over the Relocation

remove(self, section: lief.PE.Section, clear: bool) → None¶: Remove the Section given in first parameter

remove_all_libraries(self) → None¶: Remove all imported libraries

remove_all_relocations(self) → None¶

remove_library(self, import_name: str) → None¶: Remove the Import from the given name

property resources → lief.PE.ResourceNode¶: Return the ResourceNode tree or None if not not present

property resources_manager → lief.PE.ResourcesManager | lief.lief_errors¶: Return the ResourcesManager to manage resources

property rich_header → lief.PE.RichHeader¶: RichHeader object (if present)

rva_to_offset(self, rva_address: int) → int¶

Convert a relative virtual address to an offset

The conversion is performed by looking for the section that encompasses the provided RVA.

section_from_offset(self, offset: int) → lief.PE.Section¶: Return the Section which encompasses the provided offset. It returns None if a section can’t be found.

section_from_rva(self, rva: int) → lief.PE.Section¶: Return the Section which encompasses the provided relative virtual address. If a section can’t be found, it returns None.

property sections → lief.PE.Binary.it_section¶: Return binary’s an iterator over the PE’s Section

property signatures → lief.PE.Binary.it_const_signatures¶: Return an iterator over the Signature objects

property sizeof_headers → int¶: Size of all the PE headers

property symbols → list[lief.PE.Symbol]¶: Return binary’s Symbol

property tls → lief.PE.TLS¶: TLS object (if present)

va_to_offset(self, va_address: int) → int¶

Convert an absolute virtual address into an offset

See: rva_to_offset()

verify_signature(*args) → lief.PE.Signature.VERIFICATION_FLAGS¶

Overloaded function.

verify_signature(self, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = lief.PE.VERIFICATION_CHECKS.DEFAULT) -> lief._lief.PE.Signature.VERIFICATION_FLAGS

Verify the binary against the embedded signature(s) (if any)
First off, it checks that the embedded signatures are correct (c.f. lief.PE.Signature.check()) and then it checks that the authentihash matches lief.PE.ContentInfo.digest
One can tweak the verification process with the lief.PE.Signature.VERIFICATION_CHECKS flags
See also
lief.PE.Signature.check()
verify_signature(self, signature: lief._lief.PE.Signature, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = lief.PE.VERIFICATION_CHECKS.DEFAULT) -> lief._lief.PE.Signature.VERIFICATION_FLAGS
Verify the binary with the Signature object provided in the first parameter It can be used to verify a detached signature:
detached = lief.PE.Signature.parse("sig.pkcs7") binary.verify_signature(detached)

property virtual_size → int¶

Return the binary’s virtual size.

This value should match sizeof_image

write(self, output_path: str) → None¶: Build the binary and write the result to the given output file

Dos Header¶

class lief.PE.DosHeader¶

Bases: Object

Class which represents the DosHeader, the first structure presents at the beginning of a PE file.

Most of the attributes of this structures are not relevant, except addressof_new_exeheader

property addressof_new_exeheader → int¶

property addressof_relocation_table → int¶

property checksum → int¶

copy(self) → lief.PE.DosHeader¶: Duplicate the current instance of this object

create(arg: lief.PE.PE_TYPE) → lief.PE.DosHeader = <nanobind.nb_func object>¶

property file_size_in_pages → int¶

property header_size_in_paragraphs → int¶

property initial_ip → int¶

property initial_relative_cs → int¶

property initial_relative_ss → int¶

property initial_sp → int¶

property magic → int¶

property maximum_extra_paragraphs → int¶

property minimum_extra_paragraphs → int¶

property numberof_relocation → int¶

property oem_id → int¶

property oem_info → int¶

property overlay_number → int¶

property used_bytes_in_last_page → int¶

class lief.PE.Header¶

Bases: Object

Class that represents the PE header (which follows the lief.PE.DosHeader)

class CHARACTERISTICS¶

Bases: object

AGGRESSIVE_WS_TRIM = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.AGGRESSIVE_WS_TRIM: 16>¶

BYTES_REVERSED_HI = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.BYTES_REVERSED_HI: 32768>¶

BYTES_REVERSED_LO = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.BYTES_REVERSED_LO: 128>¶

DEBUG_STRIPPED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.DEBUG_STRIPPED: 512>¶

DLL = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.DLL: 8192>¶

EXECUTABLE_IMAGE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.EXECUTABLE_IMAGE: 2>¶

LARGE_ADDRESS_AWARE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LARGE_ADDRESS_AWARE: 32>¶

LINE_NUMS_STRIPPED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LINE_NUMS_STRIPPED: 4>¶

LOCAL_SYMS_STRIPPED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LOCAL_SYMS_STRIPPED: 8>¶

NEED_32BIT_MACHINE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.NEED_32BIT_MACHINE: 256>¶

NET_RUN_FROM_SWAP = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.NET_RUN_FROM_SWAP: 2048>¶

RELOCS_STRIPPED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.RELOCS_STRIPPED: 1>¶

REMOVABLE_RUN_FROM_SWAP = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.REMOVABLE_RUN_FROM_SWAP: 1024>¶

SYSTEM = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.SYSTEM: 4096>¶

UP_SYSTEM_ONLY = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.UP_SYSTEM_ONLY: 16384>¶

from_value(arg: int) → lief.PE.Header.CHARACTERISTICS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

class MACHINE_TYPES¶

Bases: object

AM33 = lief._lief.PE.MACHINE_TYPES.AM33¶

AMD64 = lief._lief.PE.MACHINE_TYPES.AMD64¶

ARM = lief._lief.PE.MACHINE_TYPES.ARM¶

ARM64 = lief._lief.PE.MACHINE_TYPES.ARM64¶

ARMNT = lief._lief.PE.MACHINE_TYPES.ARMNT¶

EBC = lief._lief.PE.MACHINE_TYPES.EBC¶

I386 = lief._lief.PE.MACHINE_TYPES.I386¶

IA64 = lief._lief.PE.MACHINE_TYPES.IA64¶

M32R = lief._lief.PE.MACHINE_TYPES.M32R¶

MIPS16 = lief._lief.PE.MACHINE_TYPES.MIPS16¶

MIPSFPU = lief._lief.PE.MACHINE_TYPES.MIPSFPU¶

MIPSFPU16 = lief._lief.PE.MACHINE_TYPES.MIPSFPU16¶

POWERPC = lief._lief.PE.MACHINE_TYPES.POWERPC¶

POWERPCBE = lief._lief.PE.MACHINE_TYPES.POWERPCBE¶

POWERPCFP = lief._lief.PE.MACHINE_TYPES.POWERPCFP¶

R4000 = lief._lief.PE.MACHINE_TYPES.R4000¶

SH3 = lief._lief.PE.MACHINE_TYPES.SH3¶

SH3DSP = lief._lief.PE.MACHINE_TYPES.SH3DSP¶

SH4 = lief._lief.PE.MACHINE_TYPES.SH4¶

SH5 = lief._lief.PE.MACHINE_TYPES.SH5¶

THUMB = lief._lief.PE.MACHINE_TYPES.THUMB¶

UNKNOWN = lief._lief.PE.MACHINE_TYPES.UNKNOWN¶

WCEMIPSV2 = lief._lief.PE.MACHINE_TYPES.WCEMIPSV2¶

from_value(arg: int) → lief.PE.Header.MACHINE_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

add_characteristic(self, characteristic: lief.PE.Header.CHARACTERISTICS) → None¶: Add the given CHARACTERISTICS to the header

property characteristics → int¶: The CHARACTERISTICS that indicate the attributes of the file.

property characteristics_list → list[lief.PE.Header.CHARACTERISTICS]¶: Return the CHARACTERISTICS as a list

copy(self) → lief.PE.Header¶: Duplicate the current instance of this object

create(type: lief.PE.PE_TYPE) → lief.PE.Header = <nanobind.nb_func object>¶

has_characteristic(self, characteristic: lief.PE.Header.CHARACTERISTICS) → bool¶: True if the header has the given CHARACTERISTICS

property machine → lief.PE.Header.MACHINE_TYPES¶: The target machine architecture (MACHINE_TYPES)

property numberof_sections → int¶: Number of sections in the binary

property numberof_symbols → int¶

The number of entries in the symbol table. This data can be used to locate the string table which immediately follows the symbol table.

This value should be zero for an image because COFF debugging information is deprecated.

property pointerto_symbol_table → int¶

The file offset of the COFF symbol table, or zero if no COFF symbol table is present.

This value should be zero for an image because COFF debugging information is deprecated.

remove_characteristic(self, characteristic: lief.PE.Header.CHARACTERISTICS) → None¶: Remove the given CHARACTERISTICS from the header

property signature → list[int]¶: Signature (or magic byte) of the header. It must be: PE\0\0

property sizeof_optional_header → int¶

Size of the OptionalHeader AND the data directories which follows this header.

This value is equivalent to: sizeof(pe_optional_header) + NB_DATA_DIR * sizeof(data_directory)

This size should be either:

0xE0 (224) for a PE32 (32 bits)
0xF0 (240) for a PE32+ (64 bits)

property time_date_stamps → int¶: The low 32 bits of the number of seconds since 00:00 January 1, 1970 that indicates when the file was created.

Optional Header¶

class lief.PE.OptionalHeader¶

Bases: Object

Class which represents the PE OptionalHeader structure.

class DLL_CHARACTERISTICS¶

Bases: object

APPCONTAINER = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.APPCONTAINER: 4096>¶

DYNAMIC_BASE = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE: 64>¶

FORCE_INTEGRITY = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.FORCE_INTEGRITY: 128>¶

GUARD_CF = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.GUARD_CF: 16384>¶

HIGH_ENTROPY_VA = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.HIGH_ENTROPY_VA: 32>¶

NO_BIND = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.NO_BIND: 2048>¶

NO_ISOLATION = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.NO_ISOLATION: 512>¶

NO_SEH = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.NO_SEH: 1024>¶

NX_COMPAT = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.NX_COMPAT: 256>¶

TERMINAL_SERVER_AWARE = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.TERMINAL_SERVER_AWARE: 32768>¶

WDM_DRIVER = <lief.PE.DLL_CHARACTERISTICS.lief.PE.DLL_CHARACTERISTICS.WDM_DRIVER: 8192>¶

from_value(arg: int) → lief.PE.OptionalHeader.DLL_CHARACTERISTICS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

class SUBSYSTEM¶

Bases: object

EFI_APPLICATION = lief._lief.PE.SUBSYSTEM.EFI_APPLICATION¶

EFI_BOOT_SERVICE_DRIVER = lief._lief.PE.SUBSYSTEM.EFI_BOOT_SERVICE_DRIVER¶

EFI_ROM = lief._lief.PE.SUBSYSTEM.EFI_ROM¶

EFI_RUNTIME_DRIVER = lief._lief.PE.SUBSYSTEM.EFI_RUNTIME_DRIVER¶

NATIVE = lief._lief.PE.SUBSYSTEM.NATIVE¶

NATIVE_WINDOWS = lief._lief.PE.SUBSYSTEM.NATIVE_WINDOWS¶

OS2_CUI = lief._lief.PE.SUBSYSTEM.OS2_CUI¶

POSIX_CUI = lief._lief.PE.SUBSYSTEM.POSIX_CUI¶

UNKNOWN = lief._lief.PE.SUBSYSTEM.UNKNOWN¶

WINDOWS_BOOT_APPLICATION = lief._lief.PE.SUBSYSTEM.WINDOWS_BOOT_APPLICATION¶

WINDOWS_CE_GUI = lief._lief.PE.SUBSYSTEM.WINDOWS_CE_GUI¶

WINDOWS_CUI = lief._lief.PE.SUBSYSTEM.WINDOWS_CUI¶

WINDOWS_GUI = lief._lief.PE.SUBSYSTEM.WINDOWS_GUI¶

XBOX = lief._lief.PE.SUBSYSTEM.XBOX¶

from_value(arg: int) → lief.PE.OptionalHeader.SUBSYSTEM = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

add(self, characteristic: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) → None¶: Add the given DLL_CHARACTERISTICS

property addressof_entrypoint → int¶

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

property baseof_code → int¶: Address relative to the imagebase where the binary’s code starts

property baseof_data → int¶: Address relative to the imagebase where the binary’s data starts.

Warning
This value is not present for PE64 files

property checksum → int¶: The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

copy(self) → lief.PE.OptionalHeader¶: Duplicate the current instance of this object

create(type: lief.PE.PE_TYPE) → lief.PE.OptionalHeader = <nanobind.nb_func object>¶

property dll_characteristics → int¶

Some characteristics (DLL_CHARACTERISTICS) of the underlying binary like the support of the PIE.

The prefix dll comes from the official PE specifications but these characteristics are also used for executables

property dll_characteristics_lists → list[lief.PE.OptionalHeader.DLL_CHARACTERISTICS]¶: dll_characteristics as a list of DLL_CHARACTERISTICS

property file_alignment → int¶: The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K, inclusive. The default value is 512. If the section_alignment is less than the architecture’s page size, then file_alignment must match section_alignment.

has(self, characteristics: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) → bool¶: True if the given DLL_CHARACTERISTICS is in the dll_characteristics

property imagebase → int¶: The preferred base address when mapping the binary in memory

property loader_flags → int¶: According to the PE specifications, this value is reserved and should be 0.

property magic → lief.PE.PE_TYPE¶: Magic value (PE_TYPE) that identifies a PE32 from a PE64

property major_image_version → int¶: The major version number of the image.

property major_linker_version → int¶: The linker major version number

property major_operating_system_version → int¶: The major version number of the required operating system.

property major_subsystem_version → int¶: The major version number of the subsystem.

property minor_image_version → int¶: The minor version number of the image.

property minor_linker_version → int¶: The linker minor version number

property minor_operating_system_version → int¶: The minor version number of the required operating system.

property minor_subsystem_version → int¶: The minor version number of the subsystem

property numberof_rva_and_size → int¶: The number of DataDirectory that follow this header

remove(self, characteristic: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) → None¶: Remove the given DLL_CHARACTERISTICS

property section_alignment → int¶: The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture.

property sizeof_code → int¶: The size of the code .text section or the sum of all the sections that contain code (ie. Section with the flag CNT_CODE)

property sizeof_headers → int¶: The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment.

property sizeof_heap_commit → int¶: The size of the local heap space to commit.

property sizeof_heap_reserve → int¶

The size of the local heap space to reserve.

Only sizeof_heap_commit is available one page at a time until the reserve size is reached.

property sizeof_image → int¶: The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of section_alignment and should match virtual_size.

property sizeof_initialized_data → int¶

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag CNT_INITIALIZED_DATA

property sizeof_stack_commit → int¶: The size of the stack to commit.

property sizeof_stack_reserve → int¶

The size of the stack to reserve.

Only sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

property sizeof_uninitialized_data → int¶

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag CNT_UNINITIALIZED_DATA

property subsystem → lief.PE.OptionalHeader.SUBSYSTEM¶: Target subsystem (SUBSYSTEM) like Driver, XBox, Windows GUI, ..

property win32_version_value → int¶: Reserved, must be zero.

Data Directory¶

class lief.PE.DataDirectory(self)¶

Bases: Object

Class that represents a PE data directory entry

class TYPES¶

Bases: object

ARCHITECTURE = lief._lief.PE.TYPES.ARCHITECTURE¶

BASE_RELOCATION_TABLE = lief._lief.PE.TYPES.BASE_RELOCATION_TABLE¶

BOUND_IMPORT = lief._lief.PE.TYPES.BOUND_IMPORT¶

CERTIFICATE_TABLE = lief._lief.PE.TYPES.CERTIFICATE_TABLE¶

CLR_RUNTIME_HEADER = lief._lief.PE.TYPES.CLR_RUNTIME_HEADER¶

DEBUG_DIR = lief._lief.PE.TYPES.DEBUG_DIR¶

DELAY_IMPORT_DESCRIPTOR = lief._lief.PE.TYPES.DELAY_IMPORT_DESCRIPTOR¶

EXCEPTION_TABLE = lief._lief.PE.TYPES.EXCEPTION_TABLE¶

EXPORT_TABLE = lief._lief.PE.TYPES.EXPORT_TABLE¶

GLOBAL_PTR = lief._lief.PE.TYPES.GLOBAL_PTR¶

IAT = lief._lief.PE.TYPES.IAT¶

IMPORT_TABLE = lief._lief.PE.TYPES.IMPORT_TABLE¶

LOAD_CONFIG_TABLE = lief._lief.PE.TYPES.LOAD_CONFIG_TABLE¶

RESERVED = lief._lief.PE.TYPES.RESERVED¶

RESOURCE_TABLE = lief._lief.PE.TYPES.RESOURCE_TABLE¶

TLS_TABLE = lief._lief.PE.TYPES.TLS_TABLE¶

UNKNOWN = lief._lief.PE.TYPES.UNKNOWN¶

from_value(arg: int) → lief.PE.DataDirectory.TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

copy(self) → lief.PE.DataDirectory¶: Duplicate the current instance of this object

property has_section → bool¶: True if the current data directory is tied to a Section

property rva → int¶: Relative virtual address of the content associated with the current data directory

property section → lief.PE.Section¶: Section associated with the current data directory or None if not linked

property size → int¶: Size in bytes of the content associated with the current data directory

property type → lief.PE.DataDirectory.TYPES¶: Type (TYPES) of the current data directory

Section¶

class lief.PE.Section(self)¶

class lief.PE.Section(self, content: list[int], name: str = '', characteristics: int = 0)

class lief.PE.Section(self, name: str)

Bases: Section

Class which represents a PE section.

It extends the base class lief.Section

Overloaded function.

__init__(self, content: list[int], name: str = '', characteristics: int = 0) -> None

Constructor from content, name and characteristics

__init__(self, name: str) -> None

Constructor from a name

class CHARACTERISTICS¶

Bases: object

ALIGN_1024BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_1024BYTES: 11534336>¶

ALIGN_128BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_128BYTES: 8388608>¶

ALIGN_16BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_16BYTES: 5242880>¶

ALIGN_1BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_1BYTES: 1048576>¶

ALIGN_2048BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_2048BYTES: 12582912>¶

ALIGN_256BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_256BYTES: 9437184>¶

ALIGN_2BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_2BYTES: 2097152>¶

ALIGN_32BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_32BYTES: 6291456>¶

ALIGN_4096BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_4096BYTES: 13631488>¶

ALIGN_4BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_4BYTES: 3145728>¶

ALIGN_512BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_512BYTES: 10485760>¶

ALIGN_64BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_64BYTES: 7340032>¶

ALIGN_8192BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_8192BYTES: 14680064>¶

ALIGN_8BYTES = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.ALIGN_8BYTES: 4194304>¶

CNT_CODE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.CNT_CODE: 32>¶

CNT_INITIALIZED_DATA = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.CNT_INITIALIZED_DATA: 64>¶

CNT_UNINITIALIZED_DATA = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.CNT_UNINITIALIZED_DATA: 128>¶

GPREL = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.GPREL: 32768>¶

LNK_COMDAT = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LNK_COMDAT: 4096>¶

LNK_INFO = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LNK_INFO: 512>¶

LNK_NRELOC_OVFL = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LNK_NRELOC_OVFL: 16777216>¶

LNK_OTHER = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LNK_OTHER: 256>¶

LNK_REMOVE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.LNK_REMOVE: 2048>¶

MEM_16BIT = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_16BIT: 131072>¶

MEM_DISCARDABLE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_DISCARDABLE: 33554432>¶

MEM_EXECUTE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_EXECUTE: 536870912>¶

MEM_LOCKED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_LOCKED: 262144>¶

MEM_NOT_CACHED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_NOT_CACHED: 67108864>¶

MEM_NOT_PAGED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_NOT_PAGED: 134217728>¶

MEM_PRELOAD = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_PRELOAD: 524288>¶

MEM_PURGEABLE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_PURGEABLE: 65536>¶

MEM_READ = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_READ: 1073741824>¶

MEM_SHARED = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_SHARED: 268435456>¶

MEM_WRITE = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.MEM_WRITE: 2147483648>¶

TYPE_NO_PAD = <lief.PE.CHARACTERISTICS.lief.PE.CHARACTERISTICS.TYPE_NO_PAD: 8>¶

from_value(arg: int) → lief.PE.Section.CHARACTERISTICS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property characteristics → int¶: The CHARACTERISTICS that describe the characteristics of the section

property characteristics_lists → list[lief.PE.Section.CHARACTERISTICS]¶: characteristics as a list

copy(self) → lief.PE.Section¶: Duplicate the current instance of this object

has_characteristic(self, characteristic: lief.PE.Section.CHARACTERISTICS) → bool¶: True if the section has the given CHARACTERISTICS

property numberof_line_numbers → int¶

The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated.

See: pointerto_line_numbers

property numberof_relocations → int¶

The number of relocation entries for the section.

See: pointerto_relocation

property padding → bytes¶: Section padding content as bytes

property pointerto_line_numbers → int¶: The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

property pointerto_raw_data → int¶: The offset of the section data in the PE file. Alias of offset

property pointerto_relocation → int¶

The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.

For modern PE binaries, this value is usually set to 0 as the relocations are managed by Relocation.

property sizeof_raw_data → int¶: Alias of size (size of the data in the section)

property virtual_size → int¶

The total size of the section when loaded into memory.

If this value is greater than sizeof_raw_data, the section is zero-padded.

Import¶

class lief.PE.Import(self)¶

class lief.PE.Import(self, library_name: str)

Bases: Object

Class that represents a PE import

Overloaded function.

__init__(self) -> None

Default constructor

__init__(self, library_name: str) -> None

Constructor from a library name

add_entry(*args) → lief.PE.ImportEntry¶

Overloaded function.

add_entry(self, entry: lief._lief.PE.ImportEntry) -> lief._lief.PE.ImportEntry

Add an ImportEntry (function) to the current import

add_entry(self, function_name: str) -> lief._lief.PE.ImportEntry

Add an ImportEntry (function) to the current import

property directory → lief.PE.DataDirectory¶

Return the DataDirectory associated with this import.

It should be the one at index lief.PE.DataDirectory.TYPES.IMPORT_TABLE. It can return None if the Import directory can’t be resolved.

property entries → lief.PE.Import.it_entries¶: Iterator over the ImportEntry (functions)

property forwarder_chain → int¶: The index of the first forwarder reference

get_entry(self, function_name: str) → lief.PE.ImportEntry¶: Return the ImportEntry with the given name or None if not found

get_function_rva_from_iat(self, function_name: str) → int | lief.lief_errors¶: Return the relative virtual address of the given function within the Import Address Table

property iat_directory → lief.PE.DataDirectory¶

Return the DataDirectory associated with the IAT table.

It should be the one at index lief.PE.DataDirectory.TYPES.IAT. It can return None if the IAT directory can’t be resolved.

property import_address_table_rva → int¶: The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.

Warning
This address could change when re-building the binary

property import_lookup_table_rva → int¶: The RVA of the import lookup table. This table contains the name or the ordinal for all the imports.

class it_entries¶

Bases: object

Iterator over lief._lief.PE.ImportEntry

property name → str | bytes¶: Library name (e.g. kernel32.dll)

property timedatestamp → int¶

The stamp that is set to zero until the image is bound.

After the image is bound, this field is set to the time/data stamp of the DLL

Import Entry¶

class lief.PE.ImportEntry(self)¶

class lief.PE.ImportEntry(self, import_name: str)

class lief.PE.ImportEntry(self, data: int, name: str = '')

class lief.PE.ImportEntry(self, data: int, type: lief._lief.PE.PE_TYPE, name: str = '')

class lief.PE.ImportEntry(self, name: str, type: lief._lief.PE.PE_TYPE)

Bases: Symbol

Class that represents an entry (i.e. an import) in the import table (Import).

It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value

Overloaded function.

__init__(self, import_name: str) -> None

Constructor from a name

__init__(self, data: int, name: str = '') -> None

Constructor from a data and an optionally name

__init__(self, data: int, type: lief._lief.PE.PE_TYPE, name: str = '') -> None

Constructor from a data, a type and an optional name

__init__(self, name: str, type: lief._lief.PE.PE_TYPE) -> None

Constructor from a name, and a type

copy(self) → lief.PE.ImportEntry¶: Duplicate the current instance of this object

property data → int¶: Raw value

property demangled_name → str¶: Demangled representation of the symbol or an empty string if it can’t be demangled.

property hint → int¶: Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution

property iat_address → int¶: Original address of the entry in the Import Address Table

property iat_value → int¶: Value of the current entry in the Import Address Table. It should match the lookup table value.

property is_ordinal → bool¶: True if it is an import by ordinal

property name → str | bytes¶: Import name if not ordinal

property ordinal → int¶: Ordinal value (if any). See: is_ordinal

Delay Import¶

class lief.PE.DelayImport(self, library_name: str)¶

Bases: Object

Class that represents a PE delay import

Constructor from a library name

property attribute → int¶: Reserved and should be zero according to the PE specifications

property biat → int¶: RVA of the bound delay-load import address table or 0 if the table does not exist.

copy(self) → lief.PE.DelayImport¶: Duplicate the current instance of this object

property entries → lief.PE.DelayImport.it_entries¶: Iterator over the DelayImportEntry (functions)

property handle → int¶: The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.

property iat → int¶: RVA of the delay-load import address table.

class it_entries¶

Bases: object

Iterator over lief._lief.PE.DelayImportEntry

property name → str | bytes¶: Library name (e.g. kernel32.dll)

property names_table → int¶: RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table

property timestamp → int¶: The timestamp of the DLL to which this image has been bound.

property uiat → int¶

RVA of the unload delay-load import address table or 0 if the table does not exist.

According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.

Delay Import Entry¶

class lief.PE.DelayImportEntry(self)¶

Bases: Symbol

Class that represents an entry (i.e. a delay import) in the delay import table (DelayImport).

It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value

The meaning of lief.Symbol.value for this PE object is the address (as an RVA) in the IAT where the resolution should take place

copy(self) → lief.PE.DelayImportEntry¶: Duplicate the current instance of this object

property data → int¶: Raw value

property demangled_name → str¶: Demangled representation of the symbol or an empty string if it can’t be demangled.

property hint → int¶: Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution

property iat_value → int¶: Value of the current entry in the delay-loaded import address table. See: iat

property is_ordinal → bool¶: True if it is an import by ordinal

property name → str | bytes¶: Delay import name if not ordinal

property ordinal → int¶: Ordinal value (if any). See: is_ordinal

TLS¶

class lief.PE.TLS(self)¶

Bases: Object

Class which represents the PE Thread Local Storage. This PE structure is also used to implement binary/library constructors.

Default constructor

property addressof_callbacks → int¶

Pointer to an array of TLS callback functions.

The array is null-terminated, so if there is no callback, this field points to 4 bytes set to zero.

See: callbacks

property addressof_index → int¶: The location to receive the TLS index assigned by the loader. This location should be located in a writable section like .data.

property addressof_raw_data → tuple[int, int]¶: Tuple (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.

Note
These addresses are not RVA. It is addresses for which there should be a base relocation in the .reloc section.

property callbacks → list[int]¶

List of the callback associated with the current TLS.

These functions are called before any other functions.

property characteristics → int¶: The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.

copy(self) → lief.PE.TLS¶: Duplicate the current instance of this object

property data_template → memoryview¶: The initial content used to initialize TLS data.

property directory → lief.PE.DataDirectory¶: DataDirectory associated with the TLS object (or None if not linked)

property has_data_directory → bool¶: True if there is a DataDirectory associated with the TLS object

property has_section → bool¶: True if there is a Section associated with the TLS object

property section → lief.PE.Section¶: Section associated with the TLS object (or None if not linked)

property sizeof_zero_fill → int¶: Size in bytes of the zeros to be padded after the data specified by data_template.

Symbol¶

class lief.PE.Symbol(self)¶

Bases: Symbol

property base_type → lief.PE.SYMBOL_BASE_TYPES¶

property complex_type → lief.PE.SYMBOL_COMPLEX_TYPES¶

property has_section → bool¶: True if symbols are located in a section

property name → str¶

property numberof_aux_symbols → int¶

property section → lief.PE.Section¶

property section_number → int¶

property storage_class → lief.PE.SYMBOL_STORAGE_CLASS¶

property type → int¶

Relocation¶

class lief.PE.Relocation(self)¶

Bases: Object

Class which represents the Base Relocation Block Usually, we find this structure in the .reloc section

add_entry(self, new_entry: lief.PE.RelocationEntry) → lief.PE.RelocationEntry¶: Add a new RelocationEntry

property block_size → int¶: The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)

copy(self) → lief.PE.Relocation¶: Duplicate the current instance of this object

property entries → lief.PE.Relocation.it_entries¶: Iterator over the RelocationEntry

class it_entries¶

Bases: object

Iterator over lief._lief.PE.RelocationEntry

property virtual_address → int¶: The RVA for which the offset of the relocation entries (RelocationEntry) is added

Relocation Entry¶

class lief.PE.RelocationEntry(self)¶

Bases: Relocation

Class which represents an entry of the PE relocation table.

It extends the lief.Relocation object to provide an uniform API across the file formats.

class BASE_TYPES¶

Bases: object

ABS = lief._lief.PE.BASE_TYPES.ABS¶

ARM_MOV32 = lief._lief.PE.BASE_TYPES.ARM_MOV32¶

ARM_MOV32A = lief._lief.PE.BASE_TYPES.ARM_MOV32A¶

ARM_MOV32T = lief._lief.PE.BASE_TYPES.ARM_MOV32T¶

DIR64 = lief._lief.PE.BASE_TYPES.DIR64¶

HIGH = lief._lief.PE.BASE_TYPES.HIGH¶

HIGH3ADJ = lief._lief.PE.BASE_TYPES.HIGH3ADJ¶

HIGHADJ = lief._lief.PE.BASE_TYPES.HIGHADJ¶

HIGHLOW = lief._lief.PE.BASE_TYPES.HIGHLOW¶

IA64_IMM64 = lief._lief.PE.BASE_TYPES.IA64_IMM64¶

LOW = lief._lief.PE.BASE_TYPES.LOW¶

MIPS_JMPADDR = lief._lief.PE.BASE_TYPES.MIPS_JMPADDR¶

MIPS_JMPADDR16 = lief._lief.PE.BASE_TYPES.MIPS_JMPADDR16¶

REL = lief._lief.PE.BASE_TYPES.REL¶

RISCV_HI20 = lief._lief.PE.BASE_TYPES.RISCV_HI20¶

RISCV_LOW12I = lief._lief.PE.BASE_TYPES.RISCV_LOW12I¶

RISCV_LOW12S = lief._lief.PE.BASE_TYPES.RISCV_LOW12S¶

SECTION = lief._lief.PE.BASE_TYPES.SECTION¶

THUMB_MOV32 = lief._lief.PE.BASE_TYPES.THUMB_MOV32¶

UNKNOWN = lief._lief.PE.BASE_TYPES.UNKNOWN¶

from_value(arg: int) → lief.PE.RelocationEntry.BASE_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property data → int¶

Raw data of the relocation:

The high 4 bits store the relocation type
The low 12 bits store the relocation offset (position)

property position → int¶: Offset - relative to virtual_address - where the relocation occurs

property type → lief.PE.RelocationEntry.BASE_TYPES¶: Type of the relocation

Export¶

class lief.PE.Export(self)¶

Bases: Object

Class which represents a PE Export

copy(self) → lief.PE.Export¶: Duplicate the current instance of this object

property entries → lief.PE.Export.it_entries¶: Iterator over the ExportEntry

property export_flags → int¶: According to the PE specifications this value is reserved and should be set to 0

class it_entries¶

Bases: object

Iterator over lief._lief.PE.ExportEntry

property major_version → int¶: The major version number (can be user-defined)

property minor_version → int¶: The minor version number (can be user-defined)

property name → str | bytes¶: The name of the library exported (e.g. KERNEL32.dll)

property ordinal_base → int¶: The starting number for the exports. Usually this value is set to 1

property timestamp → int¶: The time and date that the export data was created

Export Entry¶

class lief.PE.ExportEntry(self)¶

Bases: Symbol

Class which represents a PE Export entry (cf. lief.PE.Export)

property address → int¶

property demangled_name → str¶: Demangled representation of the symbol or an empty string if it can’t be demangled.

property forward_information → lief.PE.ExportEntry.forward_information_t¶

class forward_information_t¶

Bases: object

property function → str¶

property library → str¶

property function_rva → int¶

property is_extern → bool¶

property is_forwarded → bool¶

property name → str | bytes¶

property ordinal → int¶

Signature¶

class lief.PE.Signature¶

Bases: Object

class VERIFICATION_CHECKS¶

Bases: object

DEFAULT = <lief.PE.VERIFICATION_CHECKS.lief.PE.VERIFICATION_CHECKS.DEFAULT: 1>¶

HASH_ONLY = <lief.PE.VERIFICATION_CHECKS.lief.PE.VERIFICATION_CHECKS.HASH_ONLY: 2>¶

LIFETIME_SIGNING = <lief.PE.VERIFICATION_CHECKS.lief.PE.VERIFICATION_CHECKS.LIFETIME_SIGNING: 4>¶

SKIP_CERT_TIME = <lief.PE.VERIFICATION_CHECKS.lief.PE.VERIFICATION_CHECKS.SKIP_CERT_TIME: 8>¶

from_value(arg: int) → lief.PE.Signature.VERIFICATION_CHECKS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

class VERIFICATION_FLAGS¶

Bases: object

BAD_DIGEST = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BAD_DIGEST: 128>¶

BAD_SIGNATURE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BAD_SIGNATURE: 256>¶

CERT_EXPIRED = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.CERT_EXPIRED: 1024>¶

CERT_FUTURE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.CERT_FUTURE: 2048>¶

CERT_NOT_FOUND = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.CERT_NOT_FOUND: 8>¶

CORRUPTED_AUTH_DATA = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.CORRUPTED_AUTH_DATA: 32>¶

CORRUPTED_CONTENT_INFO = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.CORRUPTED_CONTENT_INFO: 16>¶

INCONSISTENT_DIGEST_ALGORITHM = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.INCONSISTENT_DIGEST_ALGORITHM: 4>¶

INVALID_SIGNER = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.INVALID_SIGNER: 1>¶

MISSING_PKCS9_MESSAGE_DIGEST = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.MISSING_PKCS9_MESSAGE_DIGEST: 64>¶

NO_SIGNATURE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.NO_SIGNATURE: 512>¶

OK = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.OK: 0>¶

UNSUPPORTED_ALGORITHM = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.UNSUPPORTED_ALGORITHM: 2>¶

from_value(arg: int) → lief.PE.Signature.VERIFICATION_FLAGS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property certificates → lief.PE.Signature.it_const_crt¶: Return an iterator over x509 certificates

check(self, checks: lief.PE.Signature.VERIFICATION_CHECKS) → lief.PE.Signature.VERIFICATION_FLAGS¶

Check the integrity of the signature and return a lief.PE.Signature.VERIFICATION_FLAGS

By default, it performs the following verifications:

It must contain only one signer info (signers)
lief.PE.Signature.digest_algorithm must match:
- lief.PE.ContentInfo.digest_algorithm
- lief.PE.SignerInfo.digest_algorithm
The x509 certificate specified by lief.PE.SignerInfo.serial_number and lief.PE.SignerInfo.issuer must exist within lief.PE.Signature.certificates
Given the x509 certificate, compare lief.PE.SignerInfo.encrypted_digest against either:
- hash of authenticated attributes (authenticated_attributes) if present
- hash of ContentInfo
If they are Authenticated attributes, check that a PKCS9_MESSAGE_DIGEST (lief.PE.PKCS9MessageDigest) attribute exists and that its value matches hash of ContentInfo
Check the validity of the PKCS #9 counter signature if present
If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See lief.PE.Signature.VERIFICATION_CHECKS.LIFETIME_SIGNING and lief.pe.Signature.VERIFICATION_CHECKS.SKIP_CERT_TIME)

See: lief.PE.Signature.VERIFICATION_CHECKS to tweak the behavior

property content_info → lief.PE.ContentInfo¶: Return the ContentInfo

property digest_algorithm → lief.PE.ALGORITHMS¶: Return the algorithm (ALGORITHMS) used to sign the content of ContentInfo

find_crt(self, serialno: list[int]) → lief.PE.x509¶: Find the x509 certificate according to its serial number

find_crt_issuer(*args) → lief.PE.x509¶

Overloaded function.

find_crt_issuer(self, issuer: str) -> lief._lief.PE.x509

Find the x509 certificate according to its issuer

find_crt_issuer(self, issuer: str, serialno: list[int]) -> lief._lief.PE.x509

Find the x509 certificate according to its issuer AND its serial number

find_crt_subject(*args) → lief.PE.x509¶

Overloaded function.

find_crt_subject(self, subject: str) -> lief._lief.PE.x509

Find the x509 certificate according to its subject

find_crt_subject(self, subject: str, serialno: list[int]) -> lief._lief.PE.x509

Find the x509 certificate according to its subject AND its serial number

class it_const_crt¶

Bases: object

Iterator over lief._lief.PE.x509

class it_const_signers_t¶

Bases: object

Iterator over lief._lief.PE.SignerInfo

parse(*args) → lief.PE.Signature | None = <nanobind.nb_func object>¶

property raw_der → memoryview¶: Return the raw original signature as a byte object

property signers → lief.PE.Signature.it_const_signers_t¶: Return an iterator over the signers (SignerInfo)

property version → int¶: Version of the signature. It should be 1

Signature Attribute¶

Inheritance diagram of lief._lief.PE.SpcSpOpusInfo, lief._lief.PE.MsManifestBinaryID, lief._lief.PE.PKCS9MessageDigest, lief._lief.PE.MsCounterSign, lief._lief.PE.PKCS9SigningTime, lief._lief.PE.MsSpcNestedSignature, lief._lief.PE.Attribute, lief._lief.PE.MsSpcStatementType, lief._lief.PE.SpcRelaxedPeMarkerCheck, lief._lief.PE.GenericType, lief._lief.PE.SigningCertificateV2, lief._lief.PE.PKCS9AtSequenceNumber, lief._lief.PE.PKCS9CounterSignature, lief._lief.PE.ContentType

class lief.PE.Attribute¶

Bases: Object

Interface over PKCS #7 attribute

class TYPE¶

Bases: object

CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE¶

GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE¶

MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN¶

MS_PLATFORM_MANIFEST_BINARY_ID = lief._lief.PE.TYPE.MS_PLATFORM_MANIFEST_BINARY_ID¶

MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN¶

MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE¶

PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER¶

PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE¶

PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST¶

PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME¶

SIGNING_CERTIFICATE_V2 = lief._lief.PE.TYPE.SIGNING_CERTIFICATE_V2¶

SPC_RELAXED_PE_MARKER_CHECK = lief._lief.PE.TYPE.SPC_RELAXED_PE_MARKER_CHECK¶

SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO¶

UNKNOWN = lief._lief.PE.TYPE.UNKNOWN¶

from_value(arg: int) → lief.PE.Attribute.TYPE = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property type → lief.PE.Attribute.TYPE¶: Concrete type of the attribute

Signature ContentType¶

Inheritance diagram of lief._lief.PE.ContentType

class lief.PE.ContentType¶

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9) The internal structure is described in the: RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

ContentType ::= OBJECT IDENTIFIER

property oid → str¶: OID as described in RFC #2985 (string object)

Signature GenericType¶

Inheritance diagram of lief._lief.PE.GenericType

class lief.PE.GenericType¶

Bases: Attribute

Interface over an attribute for which the internal structure is not supported by LIEF

property oid → str¶: OID of the original attribute

property raw_content → memoryview¶: Original DER blob of the attribute

Signature MsSpcNestedSignature¶

Inheritance diagram of lief._lief.PE.MsSpcNestedSignature

class lief.PE.MsSpcNestedSignature¶

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1

The internal structure is not documented but we can infer the following structure:

MsSpcNestedSignature ::= SET OF SignedData

With SignedData, the structure described in PKCS #7 RFC (See: lief.PE.Signature)

property signature → lief.PE.Signature¶: Underlying Signature object

Signature MsSpcStatementType¶

Inheritance diagram of lief._lief.PE.MsSpcStatementType

class lief.PE.MsSpcStatementType¶

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER

property oid → str¶

According to the documentation:

The SpcStatementType MUST contain one Object Identifier with either
the value ``1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID)`` or
``1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID)``.

Signature PKCS9AtSequenceNumber¶

Inheritance diagram of lief._lief.PE.PKCS9AtSequenceNumber

class lief.PE.PKCS9AtSequenceNumber¶

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

sequenceNumber ATTRIBUTE ::= {
  WITH SYNTAX SequenceNumber
  EQUALITY MATCHING RULE integerMat
  SINGLE VALUE TRUE
  ID pkcs-9-at-sequenceNumber
}

SequenceNumber ::= INTEGER (1..MAX)

property number → int¶: Number as described in the RFC

Signature PKCS9CounterSignature¶

Inheritance diagram of lief._lief.PE.PKCS9CounterSignature

class lief.PE.PKCS9CounterSignature¶

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

counterSignature ATTRIBUTE ::= {
  WITH SYNTAX SignerInfo
  ID pkcs-9-at-counterSignature
}

property signer → lief.PE.SignerInfo¶: Return the SignerInfo as described in the RFC #2985

Signature PKCS9MessageDigest¶

Inheritance diagram of lief._lief.PE.PKCS9MessageDigest

class lief.PE.PKCS9MessageDigest¶

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

messageDigest ATTRIBUTE ::= {
  WITH SYNTAX MessageDigest
  EQUALITY MATCHING RULE octet
  SINGLE VALUE TRUE
  ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING

property digest → bytes¶: Message digeset as a blob of bytes as described in the RFC

Signature PKCS9SigningTime¶

Inheritance diagram of lief._lief.PE.PKCS9SigningTime

class lief.PE.PKCS9SigningTime¶

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

SigningTime ::= Time -- imported from ISO/IEC 9594-8

property time → list[int]¶: Time as a list [year, month, day, hour, min, sec]

Signature SpcSpOpusInfo¶

Inheritance diagram of lief._lief.PE.SpcSpOpusInfo

class lief.PE.SpcSpOpusInfo¶

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12 The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcSpOpusInfo ::= SEQUENCE {
    programName  [0] EXPLICIT SpcString OPTIONAL,
    moreInfo     [1] EXPLICIT SpcLink OPTIONAL
}

property more_info → str | bytes¶: Other information such as an URL

property program_name → str | bytes¶: Program description provided by the publisher

Signature SpcIndirectData¶

Inheritance diagram of lief._lief.PE.SpcIndirectData

class lief.PE.SpcIndirectData¶

Bases: Content

property digest → memoryview¶

property digest_algorithm → lief.PE.ALGORITHMS¶: Digest used to hash the file. This should match digest_algorithm

property file → str¶

GenericContent¶

class lief.PE.GenericContent¶: Bases: Content

RsaInfo¶

class lief.PE.RsaInfo¶

Bases: object

Object representing a RSA key

property D → bytes¶: RSA private exponent (in bytes)

property E → bytes¶: RSA public exponent (in bytes)

property N → bytes¶: RSA public modulus (in bytes)

property P → bytes¶: First prime factor (in bytes)

property Q → bytes¶: Second prime factor (in bytes)

property has_private_key → bool¶: True if it embeds a private key

property has_public_key → bool¶: True if it embeds a public key

property key_size → int¶: Size of the public modulus in bits

x509¶

class lief.PE.x509¶

Bases: Object

Interface over a x509 certificate

class KEY_TYPES¶

Bases: object

ECDSA = lief._lief.PE.KEY_TYPES.ECDSA¶

ECKEY = lief._lief.PE.KEY_TYPES.ECKEY¶

ECKEY_DH = lief._lief.PE.KEY_TYPES.ECKEY_DH¶

NONE = lief._lief.PE.KEY_TYPES.NONE¶

RSA = lief._lief.PE.KEY_TYPES.RSA¶

RSASSA_PSS = lief._lief.PE.KEY_TYPES.RSASSA_PSS¶

RSA_ALT = lief._lief.PE.KEY_TYPES.RSA_ALT¶

from_value(arg: int) → lief.PE.x509.KEY_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

class KEY_USAGE¶

Bases: object

CRL_SIGN = lief._lief.PE.KEY_USAGE.CRL_SIGN¶

DATA_ENCIPHERMENT = lief._lief.PE.KEY_USAGE.DATA_ENCIPHERMENT¶

DECIPHER_ONLY = lief._lief.PE.KEY_USAGE.DECIPHER_ONLY¶

DIGITAL_SIGNATURE = lief._lief.PE.KEY_USAGE.DIGITAL_SIGNATURE¶

ENCIPHER_ONLY = lief._lief.PE.KEY_USAGE.ENCIPHER_ONLY¶

KEY_AGREEMENT = lief._lief.PE.KEY_USAGE.KEY_AGREEMENT¶

KEY_CERT_SIGN = lief._lief.PE.KEY_USAGE.KEY_CERT_SIGN¶

KEY_ENCIPHERMENT = lief._lief.PE.KEY_USAGE.KEY_ENCIPHERMENT¶

NON_REPUDIATION = lief._lief.PE.KEY_USAGE.NON_REPUDIATION¶

from_value(arg: int) → lief.PE.x509.KEY_USAGE = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

class VERIFICATION_FLAGS¶

Bases: object

BADCERT_BAD_KEY = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_BAD_KEY: 65536>¶

BADCERT_BAD_MD = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_BAD_MD: 16384>¶

BADCERT_BAD_PK = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_BAD_PK: 32768>¶

BADCERT_CN_MISMATCH = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_CN_MISMATCH: 4>¶

BADCERT_EXPIRED = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_EXPIRED: 1>¶

BADCERT_EXT_KEY_USAGE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_EXT_KEY_USAGE: 4096>¶

BADCERT_FUTURE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_FUTURE: 512>¶

BADCERT_KEY_USAGE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_KEY_USAGE: 2048>¶

BADCERT_MISSING = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_MISSING: 64>¶

BADCERT_NOT_TRUSTED = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_NOT_TRUSTED: 8>¶

BADCERT_NS_CERT_TYPE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_NS_CERT_TYPE: 8192>¶

BADCERT_OTHERNATURE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_OTHERNATURE: 256>¶

BADCERT_REVOKED = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_REVOKED: 2>¶

BADCERT_SKIP_VERIFY = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCERT_SKIP_VERIFY: 128>¶

BADCRL_BAD_KEY = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCRL_BAD_KEY: 524288>¶

BADCRL_BAD_MD = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCRL_BAD_MD: 131072>¶

BADCRL_BAD_PK = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCRL_BAD_PK: 262144>¶

BADCRL_EXPIRED = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCRL_EXPIRED: 32>¶

BADCRL_FUTURE = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCRL_FUTURE: 1024>¶

BADCRL_NOT_TRUSTED = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.BADCRL_NOT_TRUSTED: 16>¶

OK = <lief.PE.VERIFICATION_FLAGS.lief.PE.VERIFICATION_FLAGS.OK: 0>¶

from_value(arg: int) → lief.PE.x509.VERIFICATION_FLAGS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property certificate_policies → list[str]¶: Policy information terms as list of OID (see RFC #5280)

property ext_key_usage → list[str]¶: Indicates one or more purposes for which the certified public key may be used (list of OID)

property is_ca → bool¶

is_trusted_by(self, ca_list: list[lief.PE.x509]) → lief.PE.x509.VERIFICATION_FLAGS¶

Verify this certificate against a list of root CA (list of x509 objects) It returns a set of flags defined by VERIFICATION_FLAGS

Example:

signer = binary.signatures[0].signers[0]
microsoft_ca_bundle = lief.PE.x509.parse("bundle.pem")
print(signer.cert.is_trusted_by(microsoft_ca_bundle))

property issuer → str | bytes¶: Issuer of the certificate

property key_type → lief.PE.x509.KEY_TYPES¶: Return the underlying public-key scheme (KEY_TYPES)

property key_usage → list[lief.PE.x509.KEY_USAGE]¶: Purpose of the key contained in the certificate (see KEY_USAGE)

parse(*args) → list[lief.PE.x509] = <nanobind.nb_func object>¶

property raw → bytes¶: The raw bytes associated with this x509 cert (DER encoded)

property rsa_info → lief.PE.RsaInfo | None¶: If the underlying public-key scheme is RSA, return the RsaInfo associated with this certificate. Otherwise, return None

property serial_number → bytes¶: Unique id for certificate issued by a specific CA.

property signature → bytes¶: The signature of the certificate

property signature_algorithm → str¶: Signature algorithm (OID)

property subject → str | bytes¶: Subject of the certificate

property valid_from → list[int]¶: Start time of certificate validity

property valid_to → list[int]¶: End time of certificate validity

verify(self, ca: lief.PE.x509) → lief.PE.x509.VERIFICATION_FLAGS¶

Verify that this certificate has been used to trust the given x509 certificate

It returns a set of flags defined by VERIFICATION_FLAGS

Example:

ca     = lief.PE.x509.parse("ca.crt")[0]
signer = lief.PE.x509.parse("signer.crt")[0]
print(ca.verify(signer))  # lief.PE.x509.VERIFICATION_FLAGS.OK

property version → int¶: X.509 version. (1=v1, 2=v2, 3=v3)

ContentInfo¶

Inheritance diagram of lief._lief.PE.GenericContent, lief._lief.PE.SpcIndirectData, lief._lief.PE.PKCS9TSTInfo

class lief.PE.ContentInfo¶

Bases: Object

ContentInfo as described in the RFC 2315

ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent

SpcIndirectDataContent ::= SEQUENCE {
 data          SpcAttributeTypeAndOptionalValue,
 messageDigest DigestInfo
}

SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
 type  ObjectID,
 value [0] EXPLICIT ANY OPTIONAL
}

For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData

DigestInfo ::= SEQUENCE {
 digestAlgorithm  AlgorithmIdentifier,
 digest           OCTETSTRING
}

AlgorithmIdentifier ::= SEQUENCE {
 algorithm  ObjectID,
 parameters [0] EXPLICIT ANY OPTIONAL
}

class Content¶

Bases: Object

property content_type → str¶: OID of the content type. This value should match SPC_INDIRECT_DATA_OBJID

copy(self) → lief.PE.ContentInfo.Content | None¶: Duplicate the current instance of this object

property content_type → str¶: An alias for content_type

copy(self) → lief.PE.ContentInfo¶: Duplicate the current instance of this object

property digest → bytes¶: Return the digest (authentihash) if the underlying content type is SPC_INDIRECT_DATA_OBJID. Return empty bytes otherwise.

property digest_algorithm → lief.PE.ALGORITHMS¶: Return the hash algorithm used to generate the digest

property value → lief.PE.ContentInfo.Content¶

SignerInfo¶

class lief.PE.SignerInfo¶

Bases: Object

SignerInfo as described in the RFC 2315 #Section 9.2

SignerInfo ::= SEQUENCE {
 version                   Version,
 issuerAndSerialNumber     IssuerAndSerialNumber,
 digestAlgorithm           DigestAlgorithmIdentifier,
 authenticatedAttributes   [0] IMPLICIT Attributes OPTIONAL,
 digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
 encryptedDigest           EncryptedDigest,
 unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}

EncryptedDigest ::= OCTET STRING

property authenticated_attributes → lief.PE.SignerInfo.it_const_attributes_t¶: Return an iterator over the authenticated attributes (Attribute)

property cert → lief.PE.x509¶: x509 certificate used by this signer. If it can’t be found, it returns None

property digest_algorithm → lief.PE.ALGORITHMS¶: Algorithm (ALGORITHMS) used to hash the file. This value should match ContentInfo.digest_algorithm and Signature.digest_algorithm

property encrypted_digest → bytes¶: Return the signature created by the signing certificate’s private key

property encryption_algorithm → lief.PE.ALGORITHMS¶: Return algorithm (ALGORITHMS) used to encrypt the digest

get_attribute(self, type: lief.PE.Attribute.TYPE) → lief.PE.Attribute¶: Return the authenticated or un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None

get_auth_attribute(self, type: lief.PE.Attribute.TYPE) → lief.PE.Attribute¶: Return the authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None

get_unauth_attribute(self, type: lief.PE.Attribute.TYPE) → lief.PE.Attribute¶: Return the un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr

property issuer → str | bytes¶: The X509 issuer used to sign the signed-data (see: lief.PE.x509.issuer)

class it_const_attributes_t¶

Bases: object

Iterator over lief._lief.PE.Attribute

property serial_number → bytes¶: The X509 serial number used to sign the signed-data (see: lief.PE.x509.serial_number)

property unauthenticated_attributes → lief.PE.SignerInfo.it_const_attributes_t¶: Return an iterator over the unauthenticated attributes (Attribute)

property version → int¶: Should be 1

MsCounterSign¶

class lief.PE.MsCounterSign¶

Bases: Attribute

This class exposes the ms-counter-signature.

property certificates → lief.PE.MsCounterSign.it_const_crt¶: Return an iterator over x509 certificates

property content_info → lief.PE.ContentInfo¶

property digest_algorithm → lief.PE.ALGORITHMS¶

class it_const_crt¶

Bases: object

Iterator over lief._lief.PE.x509

class it_const_signers_t¶

Bases: object

Iterator over lief._lief.PE.SignerInfo

property signers → lief.PE.MsCounterSign.it_const_signers_t¶: Return an iterator over the signers (SignerInfo)

property version → int¶

PKCS9TSTInfo¶

class lief.PE.PKCS9TSTInfo¶

Bases: Content

Interface over the structure described by the OID 1.2.840.113549.1.9.16.1.4 (PKCS #9)

The internal structure is described in the RFC #3161

TSTInfo ::= SEQUENCE  {
 version        INTEGER  { v1(1) },
 policy         TSAPolicyId,
 messageImprint MessageImprint,
 serialNumber   INTEGER,
 genTime        GeneralizedTime,
 accuracy       Accuracy                OPTIONAL,
 ordering       BOOLEAN                 DEFAULT FALSE,
 nonce          INTEGER                 OPTIONAL,
 tsa            [0] GeneralName         OPTIONAL,
 extensions     [1] IMPLICIT Extensions OPTIONAL
}

TSAPolicyId    ::= OBJECT IDENTIFIER
MessageImprint ::= SEQUENCE {
  hashAlgorithm  AlgorithmIdentifier,
  hashedMessage  OCTET STRING
}

Accuracy ::= SEQUENCE {
  seconds        INTEGER           OPTIONAL,
  millis     [0] INTEGER  (1..999) OPTIONAL,
  micros     [1] INTEGER  (1..999) OPTIONAL
}

MsManifestBinaryID¶

class lief.PE.MsManifestBinaryID¶

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.10.3.28 (szOID_PLATFORM_MANIFEST_BINARY_ID)

The internal structure is not documented but we can infer the following structure:

szOID_PLATFORM_MANIFEST_BINARY_ID ::= SET OF BinaryID

BinaryID ::= UTF8STRING

property manifest_id → str¶: The manifest id

SpcRelaxedPeMarkerCheck¶

class lief.PE.SpcRelaxedPeMarkerCheck¶

Bases: Attribute

property value → int¶

SigningCertificateV2¶

class lief.PE.SigningCertificateV2¶

Bases: Attribute

SigningCertificateV2 ::= SEQUENCE {
  certs    SEQUENCE OF ESSCertIDv2,
  policies SEQUENCE OF PolicyInformation OPTIONAL
}

ESSCertIDv2 ::= SEQUENCE {
  hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256},
  certHash      OCTET STRING,
  issuerSerial  IssuerSerial OPTIONAL
}

IssuerSerial ::= SEQUENCE {
  issuer       GeneralNames,
  serialNumber CertificateSerialNumber
}

PolicyInformation ::= SEQUENCE {
  policyIdentifier   OBJECT IDENTIFIER,
  policyQualifiers   SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}

Builder¶

class lief.PE.Builder(self, pe_binary: lief._lief.PE.Binary)¶

Bases: object

Class that is used to rebuild a raw PE binary from a PE::Binary object

Constructor that takes a Binary

build(self) → lief.ok_t | lief.lief_errors¶: Perform the build process

build_dos_stub(self, enable: bool) → lief.PE.Builder¶: Rebuild the DOS stub

build_imports(self, enable: bool) → lief.PE.Builder¶: Rebuild the import table into another section

build_overlay(self, enable: bool) → lief.PE.Builder¶: Rebuild the binary’s overlay

build_relocations(self, enable: bool) → lief.PE.Builder¶: Rebuild the relocation table in another section

build_resources(self, enable: bool) → lief.PE.Builder¶: Rebuid the resources in another section

build_tls(self, enable: bool) → lief.PE.Builder¶: Rebuild TLS object in another section

get_build(self) → list[int]¶: Return the build result as a list of bytes

patch_imports(self, enable: bool) → lief.PE.Builder¶

Patch the original import table in order to redirect functions to the new import table.

This setting should be used with build_imports set to True

write(self, output: str) → None¶: Write the build result into the output file

Resource Node¶

class lief.PE.ResourceNode¶

Bases: Object

Class which represents a Node in the resource tree. It is extended by lief.PE.ResourceData and lief.PE.ResourceNode

add_data_node(self, resource_data: lief.PE.ResourceData) → lief.PE.ResourceNode¶: Add a ResourceData to the current node

add_directory_node(self, resource_directory: lief.PE.ResourceDirectory) → lief.PE.ResourceNode¶: Add a ResourceDirectory to the current node

property childs → lief.PE.ResourceNode.it_childs¶: Node’s childs

copy(self) → lief.PE.ResourceNode | None¶: Duplicate the current instance of this object

delete_child(*args) → None¶

Overloaded function.

delete_child(self, node: lief._lief.PE.ResourceNode) -> None

Delete the given ResourceNode from childs

delete_child(self, id: int) -> None

Delete the ResourceNode with the given id from childs

property depth → int¶: Current depth of the entry in the resource tree

property has_name → bool¶: True if the current resource uses a name

property id → int¶: Integer that identifies the Type, Name, or Language ID entry.

property is_data → bool¶: True if the current resource is a ResourceData

property is_directory → bool¶: True if the current resource is a ResourceDirectory

class it_childs¶

Bases: object

Iterator over lief._lief.PE.ResourceNode

property name → str | bytes¶: Resource’s name

Resource Directory¶

class lief.PE.ResourceDirectory(self)¶

Bases: ResourceNode

Default constructor

property characteristics → int¶: Resource characteristics. This field is reserved for future use. It is currently set to zero.

property major_version → int¶: The major version number, set by the user.

property minor_version → int¶: The minor version number, set by the user.

property numberof_id_entries → int¶: The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

property numberof_name_entries → int¶: The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table

property time_date_stamp → int¶: The time that the resource data was created by the resource compiler.

Resource Data¶

class lief.PE.ResourceData(self)¶

class lief.PE.ResourceData(self, content: list[int], code_page: int)

Bases: ResourceNode

Class which represents a Data Node in the PE resources tree

Default constructor

property code_page → int¶: Return the code page that is used to decode code point values within the resource data. Typically, the code page is the Unicode code page.

property content → memoryview¶: Resource content

property offset → int¶: Offset of the content within the resource

Warning
This value can change when re-building the resource table

property reserved → int¶: Reserved value. Should be 0

Resources Manager¶

class lief.PE.ResourcesManager(self, arg: lief._lief.PE.ResourceNode, /)¶

Bases: Object

The Resource Manager provides an enhanced API to manipulate the resource tree

class TYPE¶

Bases: object

ACCELERATOR = lief._lief.PE.TYPE.ACCELERATOR¶

ANICURSOR = lief._lief.PE.TYPE.ANICURSOR¶

ANIICON = lief._lief.PE.TYPE.ANIICON¶

BITMAP = lief._lief.PE.TYPE.BITMAP¶

CURSOR = lief._lief.PE.TYPE.CURSOR¶

DIALOG = lief._lief.PE.TYPE.DIALOG¶

DLGINCLUDE = lief._lief.PE.TYPE.DLGINCLUDE¶

FONT = lief._lief.PE.TYPE.FONT¶

FONTDIR = lief._lief.PE.TYPE.FONTDIR¶

GROUP_CURSOR = lief._lief.PE.TYPE.GROUP_CURSOR¶

GROUP_ICON = lief._lief.PE.TYPE.GROUP_ICON¶

HTML = lief._lief.PE.TYPE.HTML¶

ICON = lief._lief.PE.TYPE.ICON¶

MANIFEST = lief._lief.PE.TYPE.MANIFEST¶

MENU = lief._lief.PE.TYPE.MENU¶

MESSAGETABLE = lief._lief.PE.TYPE.MESSAGETABLE¶

PLUGPLAY = lief._lief.PE.TYPE.PLUGPLAY¶

RCDATA = lief._lief.PE.TYPE.RCDATA¶

STRING = lief._lief.PE.TYPE.STRING¶

VERSION = lief._lief.PE.TYPE.VERSION¶

VXD = lief._lief.PE.TYPE.VXD¶

from_value(arg: int) → lief.PE.ResourcesManager.TYPE = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property accelerator → lief.PE.ResourcesManager.it_const_accelerators¶: Return list of ResourceAccelerator present in the resource

add_icon(self, icon: lief.PE.ResourceIcon) → None¶: Add an icon to the resources

change_icon(self, old_one: lief.PE.ResourceIcon, new_one: lief.PE.ResourceIcon) → None¶: Switch the given icons

property dialogs → lief.PE.ResourcesManager.it_const_dialogs¶: Return the list of the ResourceDialog present in the resource

get_node_type(self, type: lief.PE.ResourcesManager.TYPE) → lief.PE.ResourceNode¶: Return ResourceNode with the given TYPE or None if not found.

property has_accelerator → bool¶: True if resources contain ResourceAccelerator

property has_dialogs → bool¶: true if the resources contain ResourceDialog

property has_html → bool¶: True if resources contain HTML resource

property has_icons → bool¶: true if the resources contain ResourceIcon

property has_manifest → bool¶: True if the resources contain a Manifest element

property has_string_table → bool¶: True if resources contain ResourceStringTable

has_type(self, type: lief.PE.ResourcesManager.TYPE) → bool¶: True if the resource has the given TYPE

property has_version → bool¶: true if the resources contain a ResourceVersion

property html → list[str]¶: HTML resource as the list of string

property icons → lief.PE.ResourcesManager.it_const_icons¶: Return the list of the ResourceIcon present in the resource

class it_const_accelerators¶

Bases: object

Iterator over lief._lief.PE.ResourceAccelerator

class it_const_dialogs¶

Bases: object

Iterator over lief._lief.PE.ResourceDialog

class it_const_icons¶

Bases: object

Iterator over lief._lief.PE.ResourceIcon

class it_const_strings_table¶

Bases: object

Iterator over lief._lief.PE.ResourceStringTable

property manifest → str | bytes¶: Manifest as a string

property string_table → lief.PE.ResourcesManager.it_const_strings_table¶: Return list of ResourceStringTable present in the resource

property types → list[lief.PE.ResourcesManager.TYPE]¶: Return list of TYPE present in the resources

property version → lief.PE.ResourceVersion | lief.lief_errors¶: Return the ResourceVersion

Resource Icon¶

class lief.PE.ResourceIcon¶

Bases: Object

property bit_count → int¶: Bits per pixel

property color_count → int¶: Number of colors in image (0 if >=8bpp)

property height → int¶: Height in pixels of the image

property id → int¶: Id associated with the icon

property lang → int¶: Language associated with the icon

property pixels → memoryview¶

property planes → int¶: Color Planes

property reserved → int¶: Reserved (must be 0)

save(self, filepath: str) → None¶: Save the icon to the given filepath

property sublang → int¶: Sublanguage associated with the icon

property width → int¶: Width in pixels of the image

Resource Dialog¶

class lief.PE.ResourceDialog¶

Bases: Object

Representation of a dialog box.

Windows allows two kinds of dialog box:

Simple one
Extended one

is_extended can be used to determine which one is implemented

property charset → int¶: The character set to be used

property cx → int¶: The width, in dialog box units, of the dialog box.

property cy → int¶: The height, in dialog box units, of the dialog box.

property dialogbox_style_list → set[lief.PE.DIALOG_BOX_STYLES]¶: Return list of DIALOG_BOX_STYLES associated with the style member

property extended_style → int¶: The extended windows styles (EXTENDED_WINDOW_STYLES)

property extended_style_list → set[lief.PE.DIALOG_BOX_STYLES]¶: Return list of EXTENDED_WINDOW_STYLES associated with the extended_style member

has_dialogbox_style(self, style: lief.PE.DIALOG_BOX_STYLES) → bool¶: Check if the style member has the given DIALOG_BOX_STYLES

has_extended_style(self, style: lief.PE.EXTENDED_WINDOW_STYLES) → bool¶: Check if the extended_style member has the given EXTENDED_WINDOW_STYLES

has_style(self, style: lief.PE.WINDOW_STYLES) → bool¶: Check if the style member has the given WINDOW_STYLES

property help_id → int¶: The help context identifier for the dialog box window

property is_extended → bool¶: True if the dialog is an extended one

class it_const_items¶

Bases: object

Iterator over lief._lief.PE.ResourceDialogItem

property items → lief.PE.ResourceDialog.it_const_items¶: Iterator over the controls (ResourceDialogItem) that defines the Dialog (Button, Label…)

property lang → int¶: Primary language associated with the dialog

property point_size → int¶: The point size of the font to use for the text in the dialog box and its controls.

property signature → int¶

Indicate whether a template is an extended dialog box template:

0xFFFF: Extended dialog box template
Other value: Standard dialog box template

property style → int¶: The style of the dialog box. This member can be a combination of WINDOW_STYLES and DIALOG_BOX_STYLES

property style_list → set[lief.PE.WINDOW_STYLES]¶: Return list of WINDOW_STYLES associated with the style member

property sub_lang → int¶: Secondary language associated with the dialog

property title → str¶: The title of the dialog box

property typeface → str¶: The name of the typeface for the font

property version → int¶: The version number of the extended dialog box template. This member must be set to 1.

property weight → int¶: The weight of the font

property x → int¶: The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.

property y → int¶: The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.

Resource Dialog Item¶

class lief.PE.ResourceDialogItem¶

Bases: Object

This class represents an item in the lief.PE.ResourceDialog

property cx → int¶: The width, in dialog box units, of the control

property cy → int¶: The height, in dialog box units, of the control

property extended_style → int¶: The extended styles for the window

property help_id → int¶: The help context identifier for the control

property id → int¶: The control identifier

property is_extended → bool¶: True if the control is an extended one

property style → int¶: The style of the control. This member can be a combination of WINDOW_STYLES values and one or more of the control style values.

property title → str¶: Initial text of the control

property x → int¶: The x-coordinate, in dialog box units, of the upper-left corner of the control

property y → int¶: The y-coordinate, in dialog box units, of the upper-left corner of the control

Resource Version¶

class lief.PE.ResourceVersion¶

Bases: Object

Class that represents the data associated with the RT_VERSION entry

See: VS_VERSIONINFO

property fixed_file_info → lief.PE.ResourceFixedFileInfo¶

ResourceFixedFileInfo associated with the version (if any). This object describes various information about the application’s version.

If not present, this property is set to None

property has_fixed_file_info → bool¶: True if the version contains a ResourceFixedFileInfo

property has_string_file_info → bool¶: True if the version contains a ResourceStringFileInfo

property has_var_file_info → bool¶: True if the version contains a ResourceVarFileInfo

property key → str¶: Signature of the structure. Must be VS_VERSION_INFO

remove_fixed_file_info(self) → None¶: Remove the ResourceFixedFileInfo from the version

remove_string_file_info(self) → None¶: Remove the ResourceStringFileInfo from the version

remove_var_file_info(self) → None¶: Remove the ResourceVarFileInfo from the version

property string_file_info → lief.PE.ResourceStringFileInfo¶

ResourceStringFileInfo associated with the version (if any) This object describes various information about the application’s version. The underlying structure is basically a dictionary (key/value)

If the current ResourceVersion does not use ResourceStringFileInfo, it returns None.

property type → int¶: The type of data in the version resource * 1 if it contains text data * 0 if it contains binary data

property var_file_info → lief.PE.ResourceVarFileInfo¶

ResourceVarFileInfo associated with the version (if any) This object describes information about languages supported by the application.

If the current ResourceVersion does not use ResourceVarFileInfo, it returns None.

Resource Fixed File Info¶

class lief.PE.ResourceFixedFileInfo¶

Bases: Object

Representation of the VS_FIXEDFILEINFO structure

property file_date_LS → int¶: The least significant 32 bits of the file’s 64-bit binary creation date and time stamp

property file_date_MS → int¶: The most significant 32 bits of the file’s 64-bit binary creation date and time stamp

property file_flags → int¶: Contains a bitmask that specifies the Boolean attributes of the file (FIXED_VERSION_FILE_FLAGS)

property file_flags_mask → int¶: Contains a bitmask that specifies the valid bits in file_flags. A bit is valid only if it was defined when the file was created.

property file_os → lief.PE.FIXED_VERSION_OS¶: The operating system for which this file was designed (FIXED_VERSION_OS)

property file_subtype → lief.PE.FIXED_VERSION_FILE_SUB_TYPES¶: The function of the file (FIXED_VERSION_FILE_SUB_TYPES)

property file_type → lief.PE.FIXED_VERSION_FILE_TYPES¶: The general type of file (FIXED_VERSION_FILE_TYPES)

property file_version_LS → int¶

The least significant 32 bits of the file’s binary version number

This member is used with file_version_MS to form a 64-bits value used for numeric comparisons.

property file_version_MS → int¶

The most significant 32 bits of the file’s binary version number

This member is used with file_version_LS to form a 64-bits value used for numeric comparisons.

property product_version_LS → int¶

The least significant 32 bits of the product with which this file was distributed

This member is used with product_version_MS to form a 64-bits value used for numeric comparisons.

property product_version_MS → int¶

The most significant 32 bits of the product with which this file was distributed

This member is used with product_version_LS to form a 64-bits value used for numeric comparisons.

property signature → int¶: Must be set to 0xFEEF04BD

property struct_version → int¶

The binary version number of this structure.

The high-order word of this member contains the major version number.
The low-order word contains the minor version number

Resource Var File Info¶

class lief.PE.ResourceVarFileInfo¶

Bases: Object

This object describes information about languages supported by the application

property key → str¶: Signature of the structure. Must be VarFileInfo

property translations → list[int]¶

List of languages that the application supports

The least significant 16-bits must contain a Microsoft language identifier, and the most significant 16-bits must contain the CODE_PAGES Either most or least 16-bits can be zero, indicating that the file is language or code page independent.

property type → int¶

The type of data in the version resource

1 if it contains text data
0 if it contains binary data

Resource String File Info¶

class lief.PE.ResourceStringFileInfo¶

Bases: Object

Representation of the StringFileInfo structure

See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringfileinfo

property key → str¶: Signature of the structure. Must be StringFileInfo

property langcode_items → list[lief.PE.LangCodeItem]¶

List of the LangCodeItem items

Each key indicates the appropriate language and code page for displaying the key: value of items

property type → int¶

The type of data in the version resource:

1 if it contains text data
0 if it contains binary data

Lang code item¶

class lief.PE.LangCodeItem¶

Bases: Object

Class which represents the childs of the ResourceStringFileInfo

See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringtable

property code_page → lief.PE.CODE_PAGES¶

CODE_PAGES for which items are defined.

See: https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers

property items → dict¶

property key → str¶

A 8-digit hexadecimal number stored as an Unicode string

The four most significant digits represent the language identifier.
The four least significant digits represent the code page for which the data is formatted.

See:

code_page
lang
sublang

property lang → int¶: Language for which items are defined

property sublang → int¶: Sublanguage for which items are defined

property type → int¶

The type of data in the version resource

1 if it contains text data
0 if it contains binary data

Resource String Table¶

class lief.PE.ResourceStringTable¶

Bases: Object

property length → int¶: The size of the string, not including length field itself.

property name → str¶: The variable-length Unicode string data, word-aligned.

Rich Header¶

class lief.PE.RichHeader(self)¶

Bases: Object

Class which represents the not-so-documented rich header

This structure is usually located at the end of the dos_stub and contains information about the build environment.

It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.

add_entry(*args) → None¶

Overloaded function.

add_entry(self, entry: lief._lief.PE.RichEntry) -> None

Add a new RichEntry

add_entry(self, id: int, build_id: int, count: int) -> None

Add a new RichEntry given its id, build_id, count

copy(self) → lief.PE.RichHeader¶: Duplicate the current instance of this object

property entries → lief.PE.RichHeader.it_entries¶: Return an iterator over the RichEntry within the header

hash(*args) → list[int]¶

Overloaded function.

hash(self, algo: lief._lief.PE.ALGORITHMS) -> list[int]

Compute the hash of the decoded rich header structure with the given hash ALGORITHMS
hash(self, algo: lief._lief.PE.ALGORITHMS, xor_key: int) -> list[int]

Compute the hash of the rich header structure encoded with the provided key and the given hash ALGORITHMS

class it_entries¶

Bases: object

Iterator over lief._lief.PE.RichEntry

property key → int¶: Key used to encode the header (xor operation)

raw(*args) → list[int]¶

Overloaded function.

raw(self) -> list[int]

The raw structure of the Rich header without xor-encoding.
This function is equivalent as calling the other raw function with a xor_key set to 0
raw(self, xor_key: int) -> list[int]

Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.
You can access the decoded data’s structure with the xor_key set to 0

Rich Entry¶

class lief.PE.RichEntry(self)¶

class lief.PE.RichEntry(self, id: int, build_id: int, count: int)

Bases: Object

Class which represents an entry associated to the RichHeader

Contructor from id, build_id and count

property build_id → int¶: Builder number of the tool (if any)

copy(self) → lief.PE.RichEntry¶: Duplicate the current instance of this object

property count → int¶: Occurrence count

property id → int¶: Type of the entry

Debug¶

class lief.PE.Debug(self)¶

Bases: Object

This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: ! CodeCodeView)

class TYPES¶

Bases: object

BORLAND = lief._lief.PE.TYPES.BORLAND¶

CLSID = lief._lief.PE.TYPES.CLSID¶

CODEVIEW = lief._lief.PE.TYPES.CODEVIEW¶

COFF = lief._lief.PE.TYPES.COFF¶

EXCEPTION = lief._lief.PE.TYPES.EXCEPTION¶

EX_DLLCHARACTERISTICS = lief._lief.PE.TYPES.EX_DLLCHARACTERISTICS¶

FIXUP = lief._lief.PE.TYPES.FIXUP¶

FPO = lief._lief.PE.TYPES.FPO¶

ILTCG = lief._lief.PE.TYPES.ILTCG¶

MISC = lief._lief.PE.TYPES.MISC¶

MPX = lief._lief.PE.TYPES.MPX¶

OMAP_FROM_SRC = lief._lief.PE.TYPES.OMAP_FROM_SRC¶

OMAP_TO_SRC = lief._lief.PE.TYPES.OMAP_TO_SRC¶

POGO = lief._lief.PE.TYPES.POGO¶

REPRO = lief._lief.PE.TYPES.REPRO¶

RESERVED = lief._lief.PE.TYPES.RESERVED¶

UNKNOWN = lief._lief.PE.TYPES.UNKNOWN¶

VC_FEATURE = lief._lief.PE.TYPES.VC_FEATURE¶

from_value(arg: int) → lief.PE.Debug.TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property addressof_rawdata → int¶: Address of the debug data relative to the image base

property characteristics → int¶: Reserved should be 0

copy(self) → lief.PE.Debug | None¶: Duplicate the current instance of this object

property major_version → int¶: The major version number of the debug data format.

property minor_version → int¶: The minor version number of the debug data format.

property pointerto_rawdata → int¶: File offset of the debug data

property sizeof_data → int¶: Size of the debug data

property timestamp → int¶: The time and date when the debug data was created.

property type → lief.PE.Debug.TYPES¶: The format (TYPES) of the debugging information

Code View¶

class lief.PE.CodeView(self)¶

class lief.PE.CodeView(self, arg: lief._lief.PE.CodeView.SIGNATURES, /)

Bases: Debug

class SIGNATURES¶

Bases: object

CV_41 = lief._lief.PE.SIGNATURES.CV_41¶

CV_50 = lief._lief.PE.SIGNATURES.CV_50¶

PDB_20 = lief._lief.PE.SIGNATURES.PDB_20¶

PDB_70 = lief._lief.PE.SIGNATURES.PDB_70¶

UNKNOWN = lief._lief.PE.SIGNATURES.UNKNOWN¶

from_value(arg: int) → lief.PE.CodeView.SIGNATURES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property cv_signature → lief.PE.CodeView.SIGNATURES¶: Type of the code view (SIGNATURES)

Code View PDB¶

class lief.PE.CodeViewPDB(self)¶

Bases: CodeView

CodeView PDB specialization

property age → int¶: Age value to verify. The age does not necessarily correspond to any known time value, it is used to determine if a .pdb file is out of sync with a corresponding .exe file.

property filename → str | bytes¶: The path to the .pdb file

property guid → str¶

The GUID signature to verify against the .pdb file signature.

This attribute might be used to lookup remote PDB file on a symbol server

property parent → lief.PE.CodeView¶: Return a reference to the parent lief.PE.CodeView

property signature → list[int]¶: The 32-bit signature to verify against the .pdb file signature.

Code Integrity¶

class lief.PE.CodeIntegrity(self)¶

Bases: Object

property catalog → int¶: 0xFFFF means not available

property catalog_offset → int¶

property flags → int¶: Flags to indicate if CI information is available, etc.

property reserved → int¶: Additional bitmask to be defined later

Pogo¶

class lief.PE.Pogo(self)¶

Bases: Debug

class SIGNATURES¶

Bases: object

LCTG = lief._lief.PE.SIGNATURES.LCTG¶

PGI = lief._lief.PE.SIGNATURES.PGI¶

UNKNOWN = lief._lief.PE.SIGNATURES.UNKNOWN¶

ZERO = lief._lief.PE.SIGNATURES.ZERO¶

from_value(arg: int) → lief.PE.Pogo.SIGNATURES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property entries → lief.PE.Pogo.it_entries¶

class it_entries¶

Bases: object

Iterator over lief._lief.PE.PogoEntry

property signature → lief.PE.Pogo.SIGNATURES¶: Type of the pogo (SIGNATURES)

Pogo Entry¶

class lief.PE.PogoEntry(self)¶

Bases: Object

copy(self) → lief.PE.PogoEntry¶: Duplicate the current instance of this object

property name → str | bytes¶

property size → int¶

property start_rva → int¶

Repro¶

class lief.PE.Repro¶

Bases: Debug

This class represents a reproducible build entry from the debug directory. (IMAGE_DEBUG_TYPE_REPRO). This entry is usually generated with the undocumented /Brepro linker flag.

See: https://nikhilism.com/post/2020/windows-deterministic-builds/

property hash → memoryview¶: The hash associated with the reproducible build

Load Configuration¶

class lief.PE.LoadConfiguration(self)¶

Bases: Object

Class that represents the default PE’s LoadConfiguration It’s the base class for any future versions of the structure

class VERSION¶

Bases: object

SEH = lief._lief.PE.VERSION.SEH¶

UNKNOWN = lief._lief.PE.VERSION.UNKNOWN¶

WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286¶

WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383¶

WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901¶

WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002¶

WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237¶

WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362¶

WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534¶

WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879¶

WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019¶

WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16¶

WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1¶

from_value(arg: int) → lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

property characteristics → int¶: Characteristics of the structure.

copy(self) → lief.PE.LoadConfiguration¶: Duplicate the current instance of this object

property critical_section_default_timeout → int¶: The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version → int¶: The service pack version identifier.

property decommit_free_block_threshold → int¶: Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold → int¶: Total amount of free memory, in bytes

property dependent_load_flags → int¶: On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property editlist → int¶: Reserved for use by the system.

property global_flags_clear → int¶: The global loader flags to clear for this process as the loader start the process.

property global_flags_set → int¶: The global loader flags to set for this process as the loader starts the process.

property lock_prefix_table → int¶: The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version → int¶: Major Version

property maximum_allocation_size → int¶: Maximum allocation size, in bytes.

property minor_version → int¶: Minor version

property process_affinity_mask → int¶: Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags → int¶: Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 → int¶: Must be zero.

property security_cookie → int¶: A pointer to a cookie that is used by Visual C++ or GS implementation.

property size → int¶: Size of the structure which is an alias for characteristics

property timedatestamp → int¶: Date and time stamp value

property version → lief.PE.LoadConfiguration.VERSION¶: (SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold → int¶: Maximum virtual memory size, in bytes.

Load Configuration V0¶

class lief.PE.LoadConfigurationV0(self)¶

Bases: LoadConfiguration

LoadConfiguration enhanced with SEH. It is associated with the WIN_VERSION: SEH

copy(self) → lief.PE.LoadConfigurationV0¶: Duplicate the current instance of this object

property se_handler_count → int¶: The count of unique handlers in the table.

property se_handler_table → int¶: The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

Load Configuration V1¶

class lief.PE.LoadConfigurationV1(self)¶

Bases: LoadConfigurationV0

LoadConfigurationV0 enhanced with Control Flow Guard. It is associated with the WIN_VERSION set to WIN_8_1

class IMAGE_GUARD¶

Bases: object

CFW_INSTRUMENTED = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.CFW_INSTRUMENTED: 512>¶

CF_ENABLE_EXPORT_SUPPRESSION = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.CF_ENABLE_EXPORT_SUPPRESSION: 32768>¶

CF_EXPORT_SUPPRESSION_INFO_PRESENT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.CF_EXPORT_SUPPRESSION_INFO_PRESENT: 16384>¶

CF_FUNCTION_TABLE_PRESENT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.CF_FUNCTION_TABLE_PRESENT: 1024>¶

CF_INSTRUMENTED = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.CF_INSTRUMENTED: 256>¶

CF_LONGJUMP_TABLE_PRESENT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.CF_LONGJUMP_TABLE_PRESENT: 65536>¶

DELAYLOAD_IAT_IN_ITS_OWN_SECTION = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.DELAYLOAD_IAT_IN_ITS_OWN_SECTION: 8192>¶

EH_CONTINUATION_TABLE_PRESENT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.EH_CONTINUATION_TABLE_PRESENT: 2097152>¶

NONE = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.NONE: 0>¶

PROTECT_DELAYLOAD_IAT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.PROTECT_DELAYLOAD_IAT: 4096>¶

RETPOLINE_PRESENT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.RETPOLINE_PRESENT: 1048576>¶

RF_ENABLE = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.RF_ENABLE: 262144>¶

RF_INSTRUMENTED = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.RF_INSTRUMENTED: 131072>¶

RF_STRICT = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.RF_STRICT: 524288>¶

SECURITY_COOKIE_UNUSED = <lief.PE.IMAGE_GUARD.lief.PE.IMAGE_GUARD.SECURITY_COOKIE_UNUSED: 2048>¶

from_value(arg: int) → lief.PE.LoadConfigurationV1.IMAGE_GUARD = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

copy(self) → lief.PE.LoadConfigurationV1¶: Duplicate the current instance of this object

property guard_cf_check_function_pointer → int¶: The VA where Control Flow Guard check-function pointer is stored.

property guard_cf_dispatch_function_pointer → int¶: The VA where Control Flow Guard dispatch-function pointer is stored.

property guard_cf_flags_list → list[lief.PE.LoadConfigurationV1.IMAGE_GUARD]¶: Return list of GUARD_CF_FLAGS present in guard_flags

property guard_cf_function_count → int¶: The count of unique RVAs in the guard_cf_function_table

property guard_cf_function_table → int¶: The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

property guard_flags → lief.PE.LoadConfigurationV1.IMAGE_GUARD¶: Control Flow Guard related flags.

has(self, flag: lief.PE.LoadConfigurationV1.IMAGE_GUARD) → bool¶: Check if the given GUARD_CF_FLAGS is present in guard_flags

Load Configuration V2¶

class lief.PE.LoadConfigurationV2(self)¶

Bases: LoadConfigurationV1

LoadConfigurationV1 enhanced with code integrity. It is associated with the WIN_VERSION set to WIN10_0_9879

property code_integrity → lief.PE.CodeIntegrity¶: CodeIntegrity object

copy(self) → lief.PE.LoadConfigurationV2¶: Duplicate the current instance of this object

Load Configuration V3¶

class lief.PE.LoadConfigurationV3(self)¶

Bases: LoadConfigurationV2

LoadConfigurationV2 with Control Flow Guard improved.

It is associated with the WIN_VERSION set to WIN10_0_14286

copy(self) → lief.PE.LoadConfigurationV3¶: Duplicate the current instance of this object

property guard_address_taken_iat_entry_count → int¶: Number of entries in the guard_address_taken_iat_entry_table

property guard_address_taken_iat_entry_table → int¶: VA of a table associated with CFG’s IAT checks

property guard_long_jump_target_count → int¶: Number of entries in the guard_address_taken_iat_entry_table

property guard_long_jump_target_table → int¶: VA of a table associated with CFG’s long jump

Load Configuration V4¶

class lief.PE.LoadConfigurationV4(self)¶

Bases: LoadConfigurationV3

LoadConfigurationV3 enhanced with:

Kind of dynamic relocations
Hybrid Metadata Pointer

It is associated with the WIN_VERSION set to WIN10_0_14383

copy(self) → lief.PE.LoadConfigurationV4¶: Duplicate the current instance of this object

property dynamic_value_reloc_table → int¶: VA of pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE

property hybrid_metadata_pointer → int¶

Load Configuration V5¶

class lief.PE.LoadConfigurationV5(self)¶

Bases: LoadConfigurationV4

LoadConfigurationV4 enhanced nhanced with Return Flow Guard.

It is associated with the WIN_VERSION set to WIN10_0_14901

copy(self) → lief.PE.LoadConfigurationV5¶: Duplicate the current instance of this object

property dynamic_value_reloctable_offset → int¶: Offset of dynamic relocation table relative to the relocation table

property dynamic_value_reloctable_section → int¶: The section index of the dynamic value relocation table

property guard_rf_failure_routine → int¶: VA of the failure routine

property guard_rf_failure_routine_function_pointer → int¶: VA of the failure routine fptr

property reserved2 → int¶: Must be zero

Load Configuration V6¶

class lief.PE.LoadConfigurationV6(self)¶

Bases: LoadConfigurationV5

LoadConfigurationV5 enhanced with Hotpatch and improved RFG.

It is associated with the WIN_VERSION set to WIN10_0_15002

copy(self) → lief.PE.LoadConfigurationV6¶: Duplicate the current instance of this object

property guard_rf_verify_stackpointer_function_pointer → int¶: VA of the Function verifying the stack pointer

property hotpatch_table_offset → int¶: Offset to the hotpatch table

Load Configuration V7¶

class lief.PE.LoadConfigurationV7(self)¶

Bases: LoadConfigurationV6

property addressof_unicode_string → int¶

copy(self) → lief.PE.LoadConfigurationV7¶: Duplicate the current instance of this object

property reserved3 → int¶

Load Configuration V8¶

class lief.PE.LoadConfigurationV8(self)¶

Bases: LoadConfigurationV7

copy(self) → lief.PE.LoadConfigurationV8¶: Duplicate the current instance of this object

property volatile_metadata_pointer → int¶

Load Configuration V9¶

class lief.PE.LoadConfigurationV9(self)¶

Bases: LoadConfigurationV8

copy(self) → lief.PE.LoadConfigurationV9¶: Duplicate the current instance of this object

property guard_eh_continuation_count → int¶

property guard_eh_continuation_table → int¶

Load Configuration V10¶

class lief.PE.LoadConfigurationV10(self)¶

Bases: LoadConfigurationV9

copy(self) → lief.PE.LoadConfigurationV10¶: Duplicate the current instance of this object

property guard_xfg_check_function_pointer → int¶

property guard_xfg_dispatch_function_pointer → int¶

property guard_xfg_table_dispatch_function_pointer → int¶

Load Configuration V11¶

class lief.PE.LoadConfigurationV11(self)¶

Bases: LoadConfigurationV10

property cast_guard_os_determined_failure_mode → int¶

copy(self) → lief.PE.LoadConfigurationV11¶: Duplicate the current instance of this object

Utilities¶

lief.is_pe(*args) → bool¶

lief.is_pe(raw: list[int]) → bool

Overloaded function.

is_pe(file: str) -> bool

Check if the given file is a PE

is_pe(raw: list[int]) -> bool

Check if the given raw data is a PE

lief.PE.get_type(*args) → lief.PE.PE_TYPE | lief.lief_errors¶
lief.PE.get_type(raw: list[int]) → lief._lief.PE.PE_TYPE | lief._lief.lief_errors: If the input file is a a valid PE, return the PE_TYPE. Otherwise, return a lief.lief_errors.

lief.PE.get_imphash(binary: lief.PE.Binary, mode: lief.PE.IMPHASH_MODE) → str¶

Compute the hash of imported functions

Properties of the hash generated:

Order agnostic
Casse agnostic
Ordinal (in some extent) agnostic

If one needs the same output as Virus Total (i.e. pefile), you can use PEFILE as second parameter.

Warning

The algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation

Enums¶

PE_TYPE¶

class lief.PE.PE_TYPE¶

Bases: object

PE32 = lief._lief.PE.PE_TYPE.PE32¶

PE32_PLUS = lief._lief.PE.PE_TYPE.PE32_PLUS¶

from_value(arg: int) → lief.PE.PE_TYPE = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

SECTION_TYPES¶

class lief.PE.SECTION_TYPES¶

Bases: object

BSS = lief._lief.PE.SECTION_TYPES.BSS¶

DATA = lief._lief.PE.SECTION_TYPES.DATA¶

EXPORT = lief._lief.PE.SECTION_TYPES.EXPORT¶

IDATA = lief._lief.PE.SECTION_TYPES.IDATA¶

RELOCATION = lief._lief.PE.SECTION_TYPES.RELOCATION¶

RESOURCE = lief._lief.PE.SECTION_TYPES.RESOURCE¶

TEXT = lief._lief.PE.SECTION_TYPES.TEXT¶

TLS_ = lief._lief.PE.SECTION_TYPES.TLS_¶

UNKNOWN = lief._lief.PE.SECTION_TYPES.UNKNOWN¶

from_value(arg: int) → lief.PE.SECTION_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

SYMBOL_BASE_TYPES¶

class lief.PE.SYMBOL_BASE_TYPES¶

Bases: object

BYTE = lief._lief.PE.SYMBOL_BASE_TYPES.BYTE¶

CHAR = lief._lief.PE.SYMBOL_BASE_TYPES.CHAR¶

DOUBLE = lief._lief.PE.SYMBOL_BASE_TYPES.DOUBLE¶

DWORD = lief._lief.PE.SYMBOL_BASE_TYPES.DWORD¶

ENUM = lief._lief.PE.SYMBOL_BASE_TYPES.ENUM¶

FLOAT = lief._lief.PE.SYMBOL_BASE_TYPES.FLOAT¶

INT = lief._lief.PE.SYMBOL_BASE_TYPES.INT¶

LONG = lief._lief.PE.SYMBOL_BASE_TYPES.LONG¶

MOE = lief._lief.PE.SYMBOL_BASE_TYPES.MOE¶

NULL = lief._lief.PE.SYMBOL_BASE_TYPES.NULL¶

SHORT = lief._lief.PE.SYMBOL_BASE_TYPES.SHORT¶

STRUCT = lief._lief.PE.SYMBOL_BASE_TYPES.STRUCT¶

UINT = lief._lief.PE.SYMBOL_BASE_TYPES.UINT¶

UNION = lief._lief.PE.SYMBOL_BASE_TYPES.UNION¶

VOID = lief._lief.PE.SYMBOL_BASE_TYPES.VOID¶

WORD = lief._lief.PE.SYMBOL_BASE_TYPES.WORD¶

from_value(arg: int) → lief.PE.SYMBOL_BASE_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

SYMBOL_COMPLEX_TYPES¶

class lief.PE.SYMBOL_COMPLEX_TYPES¶

Bases: object

ARRAY = lief._lief.PE.SYMBOL_COMPLEX_TYPES.ARRAY¶

COMPLEX_TYPE_SHIFT = lief._lief.PE.SYMBOL_COMPLEX_TYPES.COMPLEX_TYPE_SHIFT¶

FUNCTION = lief._lief.PE.SYMBOL_COMPLEX_TYPES.FUNCTION¶

NULL = lief._lief.PE.SYMBOL_COMPLEX_TYPES.NULL¶

POINTER = lief._lief.PE.SYMBOL_COMPLEX_TYPES.POINTER¶

from_value(arg: int) → lief.PE.SYMBOL_COMPLEX_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

SYMBOL_SECTION_NUMBER¶

class lief.PE.SYMBOL_SECTION_NUMBER¶

Bases: object

ABSOLUTE = lief._lief.PE.SYMBOL_SECTION_NUMBER.ABSOLUTE¶

DEBUG = lief._lief.PE.SYMBOL_SECTION_NUMBER.DEBUG¶

UNDEFINED = lief._lief.PE.SYMBOL_SECTION_NUMBER.UNDEFINED¶

from_value(arg: int) → lief.PE.SYMBOL_SECTION_NUMBER = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

SYMBOL_STORAGE_CLASS¶

class lief.PE.SYMBOL_STORAGE_CLASS¶

Bases: object

AUTOMATIC = lief._lief.PE.SYMBOL_STORAGE_CLASS.AUTOMATIC¶

BIT_FIELD = lief._lief.PE.SYMBOL_STORAGE_CLASS.BIT_FIELD¶

BLOCK = lief._lief.PE.SYMBOL_STORAGE_CLASS.BLOCK¶

CLR_TOKEN = lief._lief.PE.SYMBOL_STORAGE_CLASS.CLR_TOKEN¶

END_OF_FUNCTION = lief._lief.PE.SYMBOL_STORAGE_CLASS.END_OF_FUNCTION¶

END_OF_STRUCT = lief._lief.PE.SYMBOL_STORAGE_CLASS.END_OF_STRUCT¶

ENUM_TAG = lief._lief.PE.SYMBOL_STORAGE_CLASS.ENUM_TAG¶

EXTERNAL = lief._lief.PE.SYMBOL_STORAGE_CLASS.EXTERNAL¶

EXTERNAL_DEF = lief._lief.PE.SYMBOL_STORAGE_CLASS.EXTERNAL_DEF¶

FILE = lief._lief.PE.SYMBOL_STORAGE_CLASS.FILE¶

FUNCTION = lief._lief.PE.SYMBOL_STORAGE_CLASS.FUNCTION¶

LABEL = lief._lief.PE.SYMBOL_STORAGE_CLASS.LABEL¶

MEMBER_OF_ENUM = lief._lief.PE.SYMBOL_STORAGE_CLASS.MEMBER_OF_ENUM¶

MEMBER_OF_STRUCT = lief._lief.PE.SYMBOL_STORAGE_CLASS.MEMBER_OF_STRUCT¶

NULL = lief._lief.PE.SYMBOL_STORAGE_CLASS.NULL¶

REGISTER = lief._lief.PE.SYMBOL_STORAGE_CLASS.REGISTER¶

REGISTER_PARAM = lief._lief.PE.SYMBOL_STORAGE_CLASS.REGISTER_PARAM¶

SECTION = lief._lief.PE.SYMBOL_STORAGE_CLASS.SECTION¶

STATIC = lief._lief.PE.SYMBOL_STORAGE_CLASS.STATIC¶

TYPE_DEFINITION = lief._lief.PE.SYMBOL_STORAGE_CLASS.TYPE_DEFINITION¶

UDEFINED_STATIC = lief._lief.PE.SYMBOL_STORAGE_CLASS.UDEFINED_STATIC¶

UNDEFINED_LABEL = lief._lief.PE.SYMBOL_STORAGE_CLASS.UNDEFINED_LABEL¶

UNION_TAG = lief._lief.PE.SYMBOL_STORAGE_CLASS.UNION_TAG¶

WEAK_EXTERNAL = lief._lief.PE.SYMBOL_STORAGE_CLASS.WEAK_EXTERNAL¶

from_value(arg: int) → lief.PE.SYMBOL_STORAGE_CLASS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

FIXED_VERSION_FILE_SUB_TYPES¶

class lief.PE.CODE_PAGES¶

Bases: object

ASMO_708 = lief._lief.PE.CODE_PAGES.ASMO_708¶

BIG5 = lief._lief.PE.CODE_PAGES.BIG5¶

CP1025 = lief._lief.PE.CODE_PAGES.CP1025¶

CP866 = lief._lief.PE.CODE_PAGES.CP866¶

CP875 = lief._lief.PE.CODE_PAGES.CP875¶

CSISO2022JP = lief._lief.PE.CODE_PAGES.CSISO2022JP¶

DOS_720 = lief._lief.PE.CODE_PAGES.DOS_720¶

DOS_862 = lief._lief.PE.CODE_PAGES.DOS_862¶

EUC_CN = lief._lief.PE.CODE_PAGES.EUC_CN¶

EUC_JP = lief._lief.PE.CODE_PAGES.EUC_JP¶

EUC_JP_JIS = lief._lief.PE.CODE_PAGES.EUC_JP_JIS¶

EUC_KR = lief._lief.PE.CODE_PAGES.EUC_KR¶

GB18030 = lief._lief.PE.CODE_PAGES.GB18030¶

GB2312 = lief._lief.PE.CODE_PAGES.GB2312¶

HZ_GB_2312 = lief._lief.PE.CODE_PAGES.HZ_GB_2312¶

IBM00858 = lief._lief.PE.CODE_PAGES.IBM00858¶

IBM00924 = lief._lief.PE.CODE_PAGES.IBM00924¶

IBM01047 = lief._lief.PE.CODE_PAGES.IBM01047¶

IBM01140 = lief._lief.PE.CODE_PAGES.IBM01140¶

IBM01141 = lief._lief.PE.CODE_PAGES.IBM01141¶

IBM01142 = lief._lief.PE.CODE_PAGES.IBM01142¶

IBM01143 = lief._lief.PE.CODE_PAGES.IBM01143¶

IBM01144 = lief._lief.PE.CODE_PAGES.IBM01144¶

IBM01145 = lief._lief.PE.CODE_PAGES.IBM01145¶

IBM01146 = lief._lief.PE.CODE_PAGES.IBM01146¶

IBM01147 = lief._lief.PE.CODE_PAGES.IBM01147¶

IBM01148 = lief._lief.PE.CODE_PAGES.IBM01148¶

IBM01149 = lief._lief.PE.CODE_PAGES.IBM01149¶

IBM037 = lief._lief.PE.CODE_PAGES.IBM037¶

IBM1026 = lief._lief.PE.CODE_PAGES.IBM1026¶

IBM273 = lief._lief.PE.CODE_PAGES.IBM273¶

IBM277 = lief._lief.PE.CODE_PAGES.IBM277¶

IBM278 = lief._lief.PE.CODE_PAGES.IBM278¶

IBM280 = lief._lief.PE.CODE_PAGES.IBM280¶

IBM284 = lief._lief.PE.CODE_PAGES.IBM284¶

IBM285 = lief._lief.PE.CODE_PAGES.IBM285¶

IBM290 = lief._lief.PE.CODE_PAGES.IBM290¶

IBM297 = lief._lief.PE.CODE_PAGES.IBM297¶

IBM420 = lief._lief.PE.CODE_PAGES.IBM420¶

IBM423 = lief._lief.PE.CODE_PAGES.IBM423¶

IBM424 = lief._lief.PE.CODE_PAGES.IBM424¶

IBM437 = lief._lief.PE.CODE_PAGES.IBM437¶

IBM500 = lief._lief.PE.CODE_PAGES.IBM500¶

IBM737 = lief._lief.PE.CODE_PAGES.IBM737¶

IBM775 = lief._lief.PE.CODE_PAGES.IBM775¶

IBM850 = lief._lief.PE.CODE_PAGES.IBM850¶

IBM852 = lief._lief.PE.CODE_PAGES.IBM852¶

IBM855 = lief._lief.PE.CODE_PAGES.IBM855¶

IBM857 = lief._lief.PE.CODE_PAGES.IBM857¶

IBM860 = lief._lief.PE.CODE_PAGES.IBM860¶

IBM861 = lief._lief.PE.CODE_PAGES.IBM861¶

IBM863 = lief._lief.PE.CODE_PAGES.IBM863¶

IBM864 = lief._lief.PE.CODE_PAGES.IBM864¶

IBM865 = lief._lief.PE.CODE_PAGES.IBM865¶

IBM869 = lief._lief.PE.CODE_PAGES.IBM869¶

IBM870 = lief._lief.PE.CODE_PAGES.IBM870¶

IBM871 = lief._lief.PE.CODE_PAGES.IBM871¶

IBM880 = lief._lief.PE.CODE_PAGES.IBM880¶

IBM905 = lief._lief.PE.CODE_PAGES.IBM905¶

IBM_THAI = lief._lief.PE.CODE_PAGES.IBM_THAI¶

ISO_2022_JP = lief._lief.PE.CODE_PAGES.ISO_2022_JP¶

ISO_2022_JP_JIS = lief._lief.PE.CODE_PAGES.ISO_2022_JP_JIS¶

ISO_2022_KR = lief._lief.PE.CODE_PAGES.ISO_2022_KR¶

ISO_8859_1 = lief._lief.PE.CODE_PAGES.ISO_8859_1¶

ISO_8859_13 = lief._lief.PE.CODE_PAGES.ISO_8859_13¶

ISO_8859_15 = lief._lief.PE.CODE_PAGES.ISO_8859_15¶

ISO_8859_2 = lief._lief.PE.CODE_PAGES.ISO_8859_2¶

ISO_8859_3 = lief._lief.PE.CODE_PAGES.ISO_8859_3¶

ISO_8859_4 = lief._lief.PE.CODE_PAGES.ISO_8859_4¶

ISO_8859_5 = lief._lief.PE.CODE_PAGES.ISO_8859_5¶

ISO_8859_6 = lief._lief.PE.CODE_PAGES.ISO_8859_6¶

ISO_8859_7 = lief._lief.PE.CODE_PAGES.ISO_8859_7¶

ISO_8859_8 = lief._lief.PE.CODE_PAGES.ISO_8859_8¶

ISO_8859_8_I = lief._lief.PE.CODE_PAGES.ISO_8859_8_I¶

ISO_8859_9 = lief._lief.PE.CODE_PAGES.ISO_8859_9¶

JOHAB = lief._lief.PE.CODE_PAGES.JOHAB¶

KOI8_R = lief._lief.PE.CODE_PAGES.KOI8_R¶

KOI8_U = lief._lief.PE.CODE_PAGES.KOI8_U¶

KS_C_5601_1987 = lief._lief.PE.CODE_PAGES.KS_C_5601_1987¶

MACINTOSH = lief._lief.PE.CODE_PAGES.MACINTOSH¶

SHIFT_JIS = lief._lief.PE.CODE_PAGES.SHIFT_JIS¶

UNICODEFFFE = lief._lief.PE.CODE_PAGES.UNICODEFFFE¶

US_ASCII = lief._lief.PE.CODE_PAGES.US_ASCII¶

UTF_16 = lief._lief.PE.CODE_PAGES.UTF_16¶

UTF_32 = lief._lief.PE.CODE_PAGES.UTF_32¶

UTF_32BE = lief._lief.PE.CODE_PAGES.UTF_32BE¶

UTF_7 = lief._lief.PE.CODE_PAGES.UTF_7¶

UTF_8 = lief._lief.PE.CODE_PAGES.UTF_8¶

WINDOWS_1250 = lief._lief.PE.CODE_PAGES.WINDOWS_1250¶

WINDOWS_1251 = lief._lief.PE.CODE_PAGES.WINDOWS_1251¶

WINDOWS_1252 = lief._lief.PE.CODE_PAGES.WINDOWS_1252¶

WINDOWS_1253 = lief._lief.PE.CODE_PAGES.WINDOWS_1253¶

WINDOWS_1254 = lief._lief.PE.CODE_PAGES.WINDOWS_1254¶

WINDOWS_1255 = lief._lief.PE.CODE_PAGES.WINDOWS_1255¶

WINDOWS_1256 = lief._lief.PE.CODE_PAGES.WINDOWS_1256¶

WINDOWS_1257 = lief._lief.PE.CODE_PAGES.WINDOWS_1257¶

WINDOWS_1258 = lief._lief.PE.CODE_PAGES.WINDOWS_1258¶

WINDOWS_874 = lief._lief.PE.CODE_PAGES.WINDOWS_874¶

X_CHINESE_CNS = lief._lief.PE.CODE_PAGES.X_CHINESE_CNS¶

X_CHINESE_ETEN = lief._lief.PE.CODE_PAGES.X_CHINESE_ETEN¶

X_CP20001 = lief._lief.PE.CODE_PAGES.X_CP20001¶

X_CP20003 = lief._lief.PE.CODE_PAGES.X_CP20003¶

X_CP20004 = lief._lief.PE.CODE_PAGES.X_CP20004¶

X_CP20005 = lief._lief.PE.CODE_PAGES.X_CP20005¶

X_CP20261 = lief._lief.PE.CODE_PAGES.X_CP20261¶

X_CP20269 = lief._lief.PE.CODE_PAGES.X_CP20269¶

X_CP20936 = lief._lief.PE.CODE_PAGES.X_CP20936¶

X_CP20949 = lief._lief.PE.CODE_PAGES.X_CP20949¶

X_CP50227 = lief._lief.PE.CODE_PAGES.X_CP50227¶

X_EBCDIC_KOREANEXTENDED = lief._lief.PE.CODE_PAGES.X_EBCDIC_KOREANEXTENDED¶

X_EUROPA = lief._lief.PE.CODE_PAGES.X_EUROPA¶

X_IA5 = lief._lief.PE.CODE_PAGES.X_IA5¶

X_IA5_GERMAN = lief._lief.PE.CODE_PAGES.X_IA5_GERMAN¶

X_IA5_NORWEGIAN = lief._lief.PE.CODE_PAGES.X_IA5_NORWEGIAN¶

X_IA5_SWEDISH = lief._lief.PE.CODE_PAGES.X_IA5_SWEDISH¶

X_ISCII_AS = lief._lief.PE.CODE_PAGES.X_ISCII_AS¶

X_ISCII_BE = lief._lief.PE.CODE_PAGES.X_ISCII_BE¶

X_ISCII_DE = lief._lief.PE.CODE_PAGES.X_ISCII_DE¶

X_ISCII_GU = lief._lief.PE.CODE_PAGES.X_ISCII_GU¶

X_ISCII_KA = lief._lief.PE.CODE_PAGES.X_ISCII_KA¶

X_ISCII_MA = lief._lief.PE.CODE_PAGES.X_ISCII_MA¶

X_ISCII_OR = lief._lief.PE.CODE_PAGES.X_ISCII_OR¶

X_ISCII_PA = lief._lief.PE.CODE_PAGES.X_ISCII_PA¶

X_ISCII_TA = lief._lief.PE.CODE_PAGES.X_ISCII_TA¶

X_ISCII_TE = lief._lief.PE.CODE_PAGES.X_ISCII_TE¶

X_MAC_ARABIC = lief._lief.PE.CODE_PAGES.X_MAC_ARABIC¶

X_MAC_CE = lief._lief.PE.CODE_PAGES.X_MAC_CE¶

X_MAC_CHINESESIMP = lief._lief.PE.CODE_PAGES.X_MAC_CHINESESIMP¶

X_MAC_CHINESETRAD = lief._lief.PE.CODE_PAGES.X_MAC_CHINESETRAD¶

X_MAC_CROATIAN = lief._lief.PE.CODE_PAGES.X_MAC_CROATIAN¶

X_MAC_CYRILLIC = lief._lief.PE.CODE_PAGES.X_MAC_CYRILLIC¶

X_MAC_GREEK = lief._lief.PE.CODE_PAGES.X_MAC_GREEK¶

X_MAC_HEBREW = lief._lief.PE.CODE_PAGES.X_MAC_HEBREW¶

X_MAC_ICELANDIC = lief._lief.PE.CODE_PAGES.X_MAC_ICELANDIC¶

X_MAC_JAPANESE = lief._lief.PE.CODE_PAGES.X_MAC_JAPANESE¶

X_MAC_KOREAN = lief._lief.PE.CODE_PAGES.X_MAC_KOREAN¶

X_MAC_ROMANIAN = lief._lief.PE.CODE_PAGES.X_MAC_ROMANIAN¶

X_MAC_THAI = lief._lief.PE.CODE_PAGES.X_MAC_THAI¶

X_MAC_TURKISH = lief._lief.PE.CODE_PAGES.X_MAC_TURKISH¶

X_MAC_UKRAINIAN = lief._lief.PE.CODE_PAGES.X_MAC_UKRAINIAN¶

from_value(arg: int) → lief.PE.CODE_PAGES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

WINDOW_STYLES¶

class lief.PE.WINDOW_STYLES¶

Bases: object

BORDER = lief._lief.PE.WINDOW_STYLES.BORDER¶

CAPTION = lief._lief.PE.WINDOW_STYLES.CAPTION¶

CHILD = lief._lief.PE.WINDOW_STYLES.CHILD¶

CLIPCHILDREN = lief._lief.PE.WINDOW_STYLES.CLIPCHILDREN¶

CLIPSIBLINGS = lief._lief.PE.WINDOW_STYLES.CLIPSIBLINGS¶

DISABLED = lief._lief.PE.WINDOW_STYLES.DISABLED¶

DLGFRAME = lief._lief.PE.WINDOW_STYLES.DLGFRAME¶

GROUP = lief._lief.PE.WINDOW_STYLES.MINIMIZEBOX¶

HSCROLL = lief._lief.PE.WINDOW_STYLES.HSCROLL¶

MAXIMIZE = lief._lief.PE.WINDOW_STYLES.MAXIMIZE¶

MAXIMIZEBOX = lief._lief.PE.WINDOW_STYLES.MAXIMIZEBOX¶

MINIMIZE = lief._lief.PE.WINDOW_STYLES.MINIMIZE¶

MINIMIZEBOX = lief._lief.PE.WINDOW_STYLES.MINIMIZEBOX¶

OVERLAPPED = lief._lief.PE.WINDOW_STYLES.OVERLAPPED¶

POPUP = lief._lief.PE.WINDOW_STYLES.POPUP¶

SYSMENU = lief._lief.PE.WINDOW_STYLES.SYSMENU¶

TABSTOP = lief._lief.PE.WINDOW_STYLES.MAXIMIZEBOX¶

THICKFRAME = lief._lief.PE.WINDOW_STYLES.THICKFRAME¶

VISIBLE = lief._lief.PE.WINDOW_STYLES.VISIBLE¶

VSCROLL = lief._lief.PE.WINDOW_STYLES.VSCROLL¶

from_value(arg: int) → lief.PE.WINDOW_STYLES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

EXTENDED_WINDOW_STYLES¶

class lief.PE.EXTENDED_WINDOW_STYLES¶

Bases: object

ACCEPTFILES = lief._lief.PE.EXTENDED_WINDOW_STYLES.ACCEPTFILES¶

APPWINDOW = lief._lief.PE.EXTENDED_WINDOW_STYLES.APPWINDOW¶

CLIENTEDGE = lief._lief.PE.EXTENDED_WINDOW_STYLES.CLIENTEDGE¶

CONTEXTHELP = lief._lief.PE.EXTENDED_WINDOW_STYLES.CONTEXTHELP¶

CONTROLPARENT = lief._lief.PE.EXTENDED_WINDOW_STYLES.CONTROLPARENT¶

DLGMODALFRAME = lief._lief.PE.EXTENDED_WINDOW_STYLES.DLGMODALFRAME¶

LEFT = lief._lief.PE.EXTENDED_WINDOW_STYLES.RIGHTSCROLLBAR¶

LEFTSCROLLBAR = lief._lief.PE.EXTENDED_WINDOW_STYLES.LEFTSCROLLBAR¶

LTRREADING = lief._lief.PE.EXTENDED_WINDOW_STYLES.RIGHTSCROLLBAR¶

MDICHILD = lief._lief.PE.EXTENDED_WINDOW_STYLES.MDICHILD¶

NOPARENTNOTIFY = lief._lief.PE.EXTENDED_WINDOW_STYLES.NOPARENTNOTIFY¶

RIGHT = lief._lief.PE.EXTENDED_WINDOW_STYLES.RIGHT¶

RIGHTSCROLLBAR = lief._lief.PE.EXTENDED_WINDOW_STYLES.RIGHTSCROLLBAR¶

RTLREADING = lief._lief.PE.EXTENDED_WINDOW_STYLES.RTLREADING¶

STATICEDGE = lief._lief.PE.EXTENDED_WINDOW_STYLES.STATICEDGE¶

TOOLWINDOW = lief._lief.PE.EXTENDED_WINDOW_STYLES.TOOLWINDOW¶

TOPMOST = lief._lief.PE.EXTENDED_WINDOW_STYLES.TOPMOST¶

TRANSPARENT = lief._lief.PE.EXTENDED_WINDOW_STYLES.TRANSPARENT¶

WINDOWEDGE = lief._lief.PE.EXTENDED_WINDOW_STYLES.WINDOWEDGE¶

from_value(arg: int) → lief.PE.EXTENDED_WINDOW_STYLES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

DIALOG_BOX_STYLES¶

class lief.PE.DIALOG_BOX_STYLES¶

Bases: object

ABSALIGN = lief._lief.PE.DIALOG_BOX_STYLES.ABSALIGN¶

CENTER = lief._lief.PE.DIALOG_BOX_STYLES.CENTER¶

CENTERMOUSE = lief._lief.PE.DIALOG_BOX_STYLES.CENTERMOUSE¶

CONTEXTHELP = lief._lief.PE.DIALOG_BOX_STYLES.CONTEXTHELP¶

CONTROL = lief._lief.PE.DIALOG_BOX_STYLES.CONTROL¶

D3DLOOK = lief._lief.PE.DIALOG_BOX_STYLES.D3DLOOK¶

FIXEDSYS = lief._lief.PE.DIALOG_BOX_STYLES.FIXEDSYS¶

LOCALEDIT = lief._lief.PE.DIALOG_BOX_STYLES.LOCALEDIT¶

MODALFRAME = lief._lief.PE.DIALOG_BOX_STYLES.MODALFRAME¶

NOFAILCREATE = lief._lief.PE.DIALOG_BOX_STYLES.NOFAILCREATE¶

NOIDLEMSG = lief._lief.PE.DIALOG_BOX_STYLES.NOIDLEMSG¶

SETFONT = lief._lief.PE.DIALOG_BOX_STYLES.SETFONT¶

SETFOREGROUND = lief._lief.PE.DIALOG_BOX_STYLES.SETFOREGROUND¶

SHELLFONT = lief._lief.PE.DIALOG_BOX_STYLES.SHELLFONT¶

SYSMODAL = lief._lief.PE.DIALOG_BOX_STYLES.SYSMODAL¶

from_value(arg: int) → lief.PE.DIALOG_BOX_STYLES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

FIXED_VERSION_OS¶

class lief.PE.FIXED_VERSION_OS¶

Bases: object

DOS = lief._lief.PE.FIXED_VERSION_OS.DOS¶

DOS_WINDOWS16 = lief._lief.PE.FIXED_VERSION_OS.DOS_WINDOWS16¶

DOS_WINDOWS32 = lief._lief.PE.FIXED_VERSION_OS.DOS_WINDOWS32¶

NT = lief._lief.PE.FIXED_VERSION_OS.NT¶

NT_WINDOWS32 = lief._lief.PE.FIXED_VERSION_OS.NT_WINDOWS32¶

OS216 = lief._lief.PE.FIXED_VERSION_OS.OS216¶

OS216_PM16 = lief._lief.PE.FIXED_VERSION_OS.OS216_PM16¶

OS232 = lief._lief.PE.FIXED_VERSION_OS.OS232¶

OS232_PM32 = lief._lief.PE.FIXED_VERSION_OS.OS232_PM32¶

PM16 = lief._lief.PE.FIXED_VERSION_OS.PM16¶

PM32 = lief._lief.PE.FIXED_VERSION_OS.PM32¶

UNKNOWN = lief._lief.PE.FIXED_VERSION_OS.UNKNOWN¶

WINDOWS16 = lief._lief.PE.FIXED_VERSION_OS.WINDOWS16¶

WINDOWS32 = lief._lief.PE.FIXED_VERSION_OS.WINDOWS32¶

from_value(arg: int) → lief.PE.FIXED_VERSION_OS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

FIXED_VERSION_FILE_FLAGS¶

class lief.PE.FIXED_VERSION_FILE_FLAGS¶

Bases: object

DEBUG = lief._lief.PE.FIXED_VERSION_FILE_FLAGS.DEBUG¶

INFOINFERRED = lief._lief.PE.FIXED_VERSION_FILE_FLAGS.INFOINFERRED¶

PATCHED = lief._lief.PE.FIXED_VERSION_FILE_FLAGS.PATCHED¶

PRERELEASE = lief._lief.PE.FIXED_VERSION_FILE_FLAGS.PRERELEASE¶

PRIVATEBUILD = lief._lief.PE.FIXED_VERSION_FILE_FLAGS.PRIVATEBUILD¶

SPECIALBUILD = lief._lief.PE.FIXED_VERSION_FILE_FLAGS.SPECIALBUILD¶

from_value(arg: int) → lief.PE.FIXED_VERSION_FILE_FLAGS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

FIXED_VERSION_FILE_TYPES¶

class lief.PE.FIXED_VERSION_FILE_TYPES¶

Bases: object

APP = lief._lief.PE.FIXED_VERSION_FILE_TYPES.APP¶

DLL = lief._lief.PE.FIXED_VERSION_FILE_TYPES.DLL¶

DRV = lief._lief.PE.FIXED_VERSION_FILE_TYPES.DRV¶

FONT = lief._lief.PE.FIXED_VERSION_FILE_TYPES.FONT¶

STATIC_LIB = lief._lief.PE.FIXED_VERSION_FILE_TYPES.STATIC_LIB¶

UNKNOWN = lief._lief.PE.FIXED_VERSION_FILE_TYPES.UNKNOWN¶

VXD = lief._lief.PE.FIXED_VERSION_FILE_TYPES.VXD¶

from_value(arg: int) → lief.PE.FIXED_VERSION_FILE_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

RESOURCE_LANGS¶

class lief.PE.RESOURCE_LANGS¶

Bases: object

AFRIKAANS = lief._lief.PE.RESOURCE_LANGS.AFRIKAANS¶

ALBANIAN = lief._lief.PE.RESOURCE_LANGS.ALBANIAN¶

ARABIC = lief._lief.PE.RESOURCE_LANGS.ARABIC¶

ARMENIAN = lief._lief.PE.RESOURCE_LANGS.ARMENIAN¶

ASSAMESE = lief._lief.PE.RESOURCE_LANGS.ASSAMESE¶

AZERI = lief._lief.PE.RESOURCE_LANGS.AZERI¶

BANGLA = lief._lief.PE.RESOURCE_LANGS.BANGLA¶

BASQUE = lief._lief.PE.RESOURCE_LANGS.BASQUE¶

BELARUSIAN = lief._lief.PE.RESOURCE_LANGS.BELARUSIAN¶

BOSNIAN = lief._lief.PE.RESOURCE_LANGS.SERBIAN¶

BRETON = lief._lief.PE.RESOURCE_LANGS.BRETON¶

BULGARIAN = lief._lief.PE.RESOURCE_LANGS.BULGARIAN¶

CATALAN = lief._lief.PE.RESOURCE_LANGS.VALENCIAN¶

CHINESE = lief._lief.PE.RESOURCE_LANGS.CHINESE¶

CORNISH = lief._lief.PE.RESOURCE_LANGS.CORNISH¶

CROATIAN = lief._lief.PE.RESOURCE_LANGS.SERBIAN¶

CZECH = lief._lief.PE.RESOURCE_LANGS.CZECH¶

DANISH = lief._lief.PE.RESOURCE_LANGS.DANISH¶

DIVEHI = lief._lief.PE.RESOURCE_LANGS.DIVEHI¶

DUTCH = lief._lief.PE.RESOURCE_LANGS.DUTCH¶

ENGLISH = lief._lief.PE.RESOURCE_LANGS.ENGLISH¶

ESPERANTO = lief._lief.PE.RESOURCE_LANGS.ESPERANTO¶

ESTONIAN = lief._lief.PE.RESOURCE_LANGS.ESTONIAN¶

FAEROESE = lief._lief.PE.RESOURCE_LANGS.FAEROESE¶

FARSI = lief._lief.PE.RESOURCE_LANGS.FARSI¶

FINNISH = lief._lief.PE.RESOURCE_LANGS.FINNISH¶

FRENCH = lief._lief.PE.RESOURCE_LANGS.FRENCH¶

GAELIC = lief._lief.PE.RESOURCE_LANGS.IRISH¶

GALICIAN = lief._lief.PE.RESOURCE_LANGS.GALICIAN¶

GEORGIAN = lief._lief.PE.RESOURCE_LANGS.GEORGIAN¶

GERMAN = lief._lief.PE.RESOURCE_LANGS.GERMAN¶

GREEK = lief._lief.PE.RESOURCE_LANGS.GREEK¶

GUJARATI = lief._lief.PE.RESOURCE_LANGS.GUJARATI¶

HEBREW = lief._lief.PE.RESOURCE_LANGS.HEBREW¶

HINDI = lief._lief.PE.RESOURCE_LANGS.HINDI¶

HUNGARIAN = lief._lief.PE.RESOURCE_LANGS.HUNGARIAN¶

ICELANDIC = lief._lief.PE.RESOURCE_LANGS.ICELANDIC¶

INDONESIAN = lief._lief.PE.RESOURCE_LANGS.INDONESIAN¶

INUKTITUT = lief._lief.PE.RESOURCE_LANGS.INUKTITUT¶

INVARIANT = lief._lief.PE.RESOURCE_LANGS.INVARIANT¶

IRISH = lief._lief.PE.RESOURCE_LANGS.IRISH¶

ITALIAN = lief._lief.PE.RESOURCE_LANGS.ITALIAN¶

JAPANESE = lief._lief.PE.RESOURCE_LANGS.JAPANESE¶

KANNADA = lief._lief.PE.RESOURCE_LANGS.KANNADA¶

KASHMIRI = lief._lief.PE.RESOURCE_LANGS.KASHMIRI¶

KAZAK = lief._lief.PE.RESOURCE_LANGS.KAZAK¶

KONKANI = lief._lief.PE.RESOURCE_LANGS.KONKANI¶

KOREAN = lief._lief.PE.RESOURCE_LANGS.KOREAN¶

KYRGYZ = lief._lief.PE.RESOURCE_LANGS.KYRGYZ¶

LATVIAN = lief._lief.PE.RESOURCE_LANGS.LATVIAN¶

LITHUANIAN = lief._lief.PE.RESOURCE_LANGS.LITHUANIAN¶

LOWER_SORBIAN = lief._lief.PE.RESOURCE_LANGS.LOWER_SORBIAN¶

MACEDONIAN = lief._lief.PE.RESOURCE_LANGS.MACEDONIAN¶

MALAY = lief._lief.PE.RESOURCE_LANGS.MALAY¶

MALAYALAM = lief._lief.PE.RESOURCE_LANGS.MALAYALAM¶

MALTESE = lief._lief.PE.RESOURCE_LANGS.MALTESE¶

MANIPURI = lief._lief.PE.RESOURCE_LANGS.MANIPURI¶

MAORI = lief._lief.PE.RESOURCE_LANGS.MAORI¶

MARATHI = lief._lief.PE.RESOURCE_LANGS.MARATHI¶

MONGOLIAN = lief._lief.PE.RESOURCE_LANGS.MONGOLIAN¶

NEPALI = lief._lief.PE.RESOURCE_LANGS.NEPALI¶

NEUTRAL = lief._lief.PE.RESOURCE_LANGS.NEUTRAL¶

NORWEGIAN = lief._lief.PE.RESOURCE_LANGS.NORWEGIAN¶

ORIYA = lief._lief.PE.RESOURCE_LANGS.ORIYA¶

POLISH = lief._lief.PE.RESOURCE_LANGS.POLISH¶

PORTUGUESE = lief._lief.PE.RESOURCE_LANGS.PORTUGUESE¶

PULAR = lief._lief.PE.RESOURCE_LANGS.PULAR¶

PUNJABI = lief._lief.PE.RESOURCE_LANGS.PUNJABI¶

QUECHUA = lief._lief.PE.RESOURCE_LANGS.QUECHUA¶

RHAETO_ROMANCE = lief._lief.PE.RESOURCE_LANGS.RHAETO_ROMANCE¶

ROMANIAN = lief._lief.PE.RESOURCE_LANGS.ROMANIAN¶

RUSSIAN = lief._lief.PE.RESOURCE_LANGS.RUSSIAN¶

SAMI = lief._lief.PE.RESOURCE_LANGS.SAMI¶

SANSKRIT = lief._lief.PE.RESOURCE_LANGS.SANSKRIT¶

SERBIAN = lief._lief.PE.RESOURCE_LANGS.SERBIAN¶

SINDHI = lief._lief.PE.RESOURCE_LANGS.SINDHI¶

SLOVAK = lief._lief.PE.RESOURCE_LANGS.SLOVAK¶

SLOVENIAN = lief._lief.PE.RESOURCE_LANGS.SLOVENIAN¶

SORBIAN = lief._lief.PE.RESOURCE_LANGS.LOWER_SORBIAN¶

SPANISH = lief._lief.PE.RESOURCE_LANGS.SPANISH¶

SUTU = lief._lief.PE.RESOURCE_LANGS.SUTU¶

SWAHILI = lief._lief.PE.RESOURCE_LANGS.SWAHILI¶

SWEDISH = lief._lief.PE.RESOURCE_LANGS.SWEDISH¶

SYRIAC = lief._lief.PE.RESOURCE_LANGS.SYRIAC¶

TAMAZIGHT = lief._lief.PE.RESOURCE_LANGS.TAMAZIGHT¶

TAMIL = lief._lief.PE.RESOURCE_LANGS.TAMIL¶

TATAR = lief._lief.PE.RESOURCE_LANGS.TATAR¶

TELUGU = lief._lief.PE.RESOURCE_LANGS.TELUGU¶

THAI = lief._lief.PE.RESOURCE_LANGS.THAI¶

TIGRINYA = lief._lief.PE.RESOURCE_LANGS.TIGRINYA¶

TSONGA = lief._lief.PE.RESOURCE_LANGS.TSONGA¶

TSWANA = lief._lief.PE.RESOURCE_LANGS.TSWANA¶

TURKISH = lief._lief.PE.RESOURCE_LANGS.TURKISH¶

UKRAINIAN = lief._lief.PE.RESOURCE_LANGS.UKRAINIAN¶

URDU = lief._lief.PE.RESOURCE_LANGS.URDU¶

UZBEK = lief._lief.PE.RESOURCE_LANGS.UZBEK¶

VALENCIAN = lief._lief.PE.RESOURCE_LANGS.VALENCIAN¶

VENDA = lief._lief.PE.RESOURCE_LANGS.VENDA¶

VIETNAMESE = lief._lief.PE.RESOURCE_LANGS.VIETNAMESE¶

WALON = lief._lief.PE.RESOURCE_LANGS.WALON¶

WELSH = lief._lief.PE.RESOURCE_LANGS.WELSH¶

XHOSA = lief._lief.PE.RESOURCE_LANGS.XHOSA¶

ZULU = lief._lief.PE.RESOURCE_LANGS.ZULU¶

from_value(arg: int) → lief.PE.RESOURCE_LANGS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

FIXED_VERSION_FILE_SUB_TYPES¶

class lief.PE.FIXED_VERSION_FILE_SUB_TYPES¶

Bases: object

DRV_COMM = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_COMM¶

DRV_DISPLAY = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_DISPLAY¶

DRV_INSTALLABLE = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_INSTALLABLE¶

DRV_KEYBOARD = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.FONT_VECTOR¶

DRV_LANGUAGE = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.FONT_TRUETYPE¶

DRV_MOUSE = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_MOUSE¶

DRV_NETWORK = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_NETWORK¶

DRV_PRINTER = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.FONT_RASTER¶

DRV_SOUND = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_SOUND¶

DRV_SYSTEM = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_SYSTEM¶

DRV_VERSIONED_PRINTER = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.DRV_VERSIONED_PRINTER¶

FONT_RASTER = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.FONT_RASTER¶

FONT_TRUETYPE = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.FONT_TRUETYPE¶

FONT_VECTOR = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.FONT_VECTOR¶

UNKNOWN = lief._lief.PE.FIXED_VERSION_FILE_SUB_TYPES.UNKNOWN¶

from_value(arg: int) → lief.PE.FIXED_VERSION_FILE_SUB_TYPES = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value

ALGORITHMS¶

class lief.PE.ALGORITHMS¶

Bases: object

EC = lief._lief.PE.ALGORITHMS.EC¶

MD2 = lief._lief.PE.ALGORITHMS.MD2¶

MD4 = lief._lief.PE.ALGORITHMS.MD4¶

MD5 = lief._lief.PE.ALGORITHMS.MD5¶

MD5_RSA = lief._lief.PE.ALGORITHMS.MD5_RSA¶

RSA = lief._lief.PE.ALGORITHMS.RSA¶

SHA1_DSA = lief._lief.PE.ALGORITHMS.SHA1_DSA¶

SHA1_ECDSA = lief._lief.PE.ALGORITHMS.SHA1_ECDSA¶

SHA1_RSA = lief._lief.PE.ALGORITHMS.SHA1_RSA¶

SHA_1 = lief._lief.PE.ALGORITHMS.SHA_1¶

SHA_256 = lief._lief.PE.ALGORITHMS.SHA_256¶

SHA_256_ECDSA = lief._lief.PE.ALGORITHMS.SHA_256_ECDSA¶

SHA_256_RSA = lief._lief.PE.ALGORITHMS.SHA_256_RSA¶

SHA_384 = lief._lief.PE.ALGORITHMS.SHA_384¶

SHA_384_ECDSA = lief._lief.PE.ALGORITHMS.SHA_384_ECDSA¶

SHA_384_RSA = lief._lief.PE.ALGORITHMS.SHA_384_RSA¶

SHA_512 = lief._lief.PE.ALGORITHMS.SHA_512¶

SHA_512_ECDSA = lief._lief.PE.ALGORITHMS.SHA_512_ECDSA¶

SHA_512_RSA = lief._lief.PE.ALGORITHMS.SHA_512_RSA¶

UNKNOWN = lief._lief.PE.ALGORITHMS.UNKNOWN¶

from_value(arg: int) → lief.PE.ALGORITHMS = <nanobind.nb_func object>¶

property value → int¶: The underlying integer value