ionicons-v5-d 0.17.0 (dd291ae1)
Updated on 23/02/2025, 12:10:07.

Python

Parser

lief.PE.parse(*args) lief.PE.Binary | None
lief.PE.parse(filename: str, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d7b0>) lief._lief.PE.Binary | None
lief.PE.parse(raw: collections.abc.Sequence[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d7d0>) lief._lief.PE.Binary | None
lief.PE.parse(obj: Union[io.IOBase | os.PathLike], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d7f0>) lief._lief.PE.Binary | None

Overloaded function.

  1. parse(buffer: bytes, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d790>) -> Optional[lief._lief.PE.Binary]

    Parse the PE binary from the given bytes and return a lief.PE.Binary object.

    The second argument is an optional configuration (ParserConfig) that can be used to define which part(s) of the PE should be parsed or skipped.

  2. parse(filename: str, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d7b0>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given file path and return a Binary object

  1. parse(raw: collections.abc.Sequence[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d7d0>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given list of bytes and return a lief.PE.Binary object

  1. parse(obj: Union[io.IOBase | os.PathLike], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x72bae767d7f0>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given parameter and return a lief.PE.Binary object

class lief.PE.ParserConfig(self)

Bases: object

This class is used to tweak the PE Parser (lief.PE.parse())

all = <lief._lief.PE.ParserConfig object>
default_conf = <lief._lief.PE.ParserConfig object>
property parse_arm64x_binary bool

Whether it should parse nested ARM64X binary

This option is set to off by default since it can introduce a certain overhead.

property parse_exceptions bool

Whether it should parse in-depth exceptions metadata.

This option is set to off by default since it can introduce a certain overhead.

property parse_exports bool

Parse PE Exports Directory

property parse_imports bool

Parse PE Import Directory

property parse_reloc bool

Parse PE relocations

property parse_rsrc bool

Parse PE resources tree

property parse_signature bool

Parse PE Authenticode signature

Binary

class lief.PE.Binary

Bases: Binary

Class which represents a PE binary which is the main interface to manage and modify a PE executable.

This object can be instantiated through lief.parse() or lief.PE.parse() while the constructor of this object can be used to craft a binary from scratch (see: 02 - Create a PE from scratch (Deprecated))

add_debug_info(self, entry: lief.PE.Debug) lief.PE.Debug

Add a new debug entry

add_import(self, import_name: str) lief.PE.Import

Add an imported library (i.e. DLL) to the binary

add_relocation(self, relocation: lief.PE.Relocation) lief.PE.Relocation

Add a Relocation to the binary

add_section(self, section: lief.PE.Section) lief.PE.Section

Add a Section to the binary.

authentihash(self, algorithm: lief.PE.ALGORITHMS) bytes

Compute the authentihash according to the ALGORITHMS given in the first parameter

property authentihash_md5 bytes

Authentihash MD5 value

property authentihash_sha1 bytes

Authentihash SHA1 value

property authentihash_sha256 bytes

Authentihash SHA-256 value

property authentihash_sha512 bytes

Authentihash SHA-512 value

property cert_dir lief.PE.DataDirectory

Return the data directory associated with the certificate table (authenticode).

clear_debug(self) bool

Remove all debug info from the binary

property codeview_pdb lief.PE.CodeViewPDB

Return the CodeViewPDB if present

property coff_string_table lief.PE.Binary.it_strings_table

Iterator over the strings located in the COFF string table

compute_checksum(self) int

Re-compute the value of checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF for the current binary object.

property data_directories lief.PE.Binary.it_data_directories

Return an iterator over the DataDirectory

data_directory(self, type: lief.PE.DataDirectory.TYPES) lief.PE.DataDirectory

Return the DataDirectory object from the given TYPES type

property debug lief.PE.Binary.it_debug

Return the Debug

property debug_dir lief.PE.DataDirectory

Return the data directory associated with the debug table

property delay_dir lief.PE.DataDirectory

Return the data directory associated with delayed imports

property delay_imports lief.PE.Binary.it_delay_imports

Return an iterator over the DelayImport

property dos_header lief.PE.DosHeader

Return the DosHeader

property dos_stub memoryview

DOS stub content as a list of bytes

property exception_functions list[lief.Function]

Function found in the Exception directory

property exceptions lief.PE.Binary.it_exceptions

Iterator over the exception (_RUNTIME_FUNCTION) functions.

Warning

This property requires that the option lief.PE.ParserConfig.parse_exceptions was turned on (default is False) when parsing the binary.

property exceptions_dir lief.PE.DataDirectory

Return the data directory associated with the exceptions

property export_dir lief.PE.DataDirectory

Return the data directory associated with the export table

fill_address(self, address: int, size: int, value: int, addr_type: lief.Binary.VA_TYPES) None

Fill the content at the provided with a fixed value

find_coff_string(self, offset: int) lief.PE.COFFString

Try to find the COFF string at the given offset in the COFF string table.

Warning

This offset must include the first 4 bytes holding the size of the table. Hence, the first string starts a the offset 4.

find_exception_at(self, rva: int) lief.PE.ExceptionInfo

Try to find the exception info at the given RVA.

Warning

This property requires that the option lief.PE.ParserConfig.parse_exceptions was turned on (default is False) when parsing the binary.

property functions list[lief.Function]

All Function found in the binary

get_delay_import(self, import_name: str) lief.PE.DelayImport

Return the DelayImport from the given name or None if not not found

get_export(self) lief.PE.Export

Return the Export object

get_import(self, import_name: str) lief.PE.Import

Return the Import from the given name or None if it can’t be found

get_section(self, section_name: str) lief.PE.Section

Return the Section object from the given name or None if not not found

property has_configuration bool

True if the current binary has LoadConfiguration

property has_debug bool

True if the current binary has a Debug object

has_delay_import(self, import_name: str) bool

True if the binary imports the given library name

property has_delay_imports bool

True if the current binary has delay imports (DelayImport)

property has_exceptions bool

True if the current binary uses Exceptions

property has_exports bool

True if the current binary has a Export object

has_import(self, import_name: str) bool

True if the binary imports the given library name

property has_imports bool

True if the current binary has imports (Import)

property has_relocations bool

True if the current binary uses Relocation

property has_resources bool

True if the current binary has a Resources object

property has_rich_header bool

True if the current binary has a RichHeader object

property has_signatures bool

True if the binary is signed with the PE authenticode (Signature)

property has_tls bool

True if the current binary has a TLS object

property header lief.PE.Header

Return the Header

property iat_dir lief.PE.DataDirectory

Return the data directory associated with the IAT

property import_dir lief.PE.DataDirectory

Return the data directory associated with the import table

property imports lief.PE.Binary.it_imports

Return an iterator over the Import libraries

property is_arm64ec bool

True if this binary is compiled in ARM64EC mode (emulation compatible)

property is_arm64x bool

True if this binary is compiled in ARM64X mode (contains both ARM64 and ARM64EC

property is_reproducible_build bool

True if the binary was compiled with a reproducible build directive (Debug)

class it_const_signatures

Bases: object

Iterator over lief._lief.PE.Signature

class it_data_directories

Bases: object

Iterator over lief._lief.PE.DataDirectory

class it_debug

Bases: object

Iterator over lief._lief.PE.Debug

class it_delay_imports

Bases: object

Iterator over lief._lief.PE.DelayImport

class it_exceptions

Bases: object

Iterator over lief._lief.PE.ExceptionInfo

class it_imports

Bases: object

Iterator over lief._lief.PE.Import

class it_relocations

Bases: object

Iterator over lief._lief.PE.Relocation

class it_section

Bases: object

Iterator over lief._lief.PE.Section

class it_strings_table

Bases: object

Iterator over lief._lief.PE.COFFString

class it_symbols

Bases: object

Iterator over lief._lief.PE.Symbol

property load_config_dir lief.PE.DataDirectory

Return the data directory associated with the load config

property load_configuration lief.PE.LoadConfiguration

Return the LoadConfiguration object or None if not present

property nested_pe_binary lief.PE.Binary

If the current binary contains dynamic relocations (e.g. lief.PE.DynamicFixupARM64X), this function returns the relocated view of the current PE.

This can be used to get the alternative PE binary, targeting a different architecture.

Warning

This property requires that the option lief.PE.ParserConfig.parse_arm64x_binary was turned on (default is False) when parsing the binary.

property optional_header lief.PE.OptionalHeader

Header that follows the header. It is named optional from the COFF specifications but it is mandatory in a PE file.

property overlay memoryview

Return the overlay content as a list of bytes

property overlay_offset int

Return the original overlay offset

property relocation_dir lief.PE.DataDirectory

Return the data directory associated with the relocation table

property relocations lief.PE.DynamicFixupGeneric.it_relocations

Return an iterator over the Relocation

remove(self, section: lief.PE.Section, clear: bool) None

Remove the Section given in first parameter

remove_all_imports(self) None

Remove all imported libraries

remove_all_relocations(self) None
remove_debug(self, entry: lief.PE.Debug) bool

Remove a specific debug entry

remove_import(self, name: str) bool

Remove the imported library with the given name

remove_tls(self) None

Remove the TLS from the binary

property resources lief.PE.ResourceNode

Return the ResourceNode tree or None if not not present

property resources_manager lief.PE.ResourcesManager | lief.lief_errors

Return the ResourcesManager to manage resources

property rich_header lief.PE.RichHeader

RichHeader object (if present)

property rsrc_dir lief.PE.DataDirectory

Return the data directory associated with the resources tree

rva_to_offset(self, rva_address: int) int

Convert a relative virtual address to an offset

The conversion is performed by looking for the section that encompasses the provided RVA.

section_from_offset(self, offset: int) lief.PE.Section

Return the Section which encompasses the provided offset. It returns None if a section can’t be found.

section_from_rva(self, rva: int) lief.PE.Section

Return the Section which encompasses the provided relative virtual address. If a section can’t be found, it returns None.

property sections lief.PE.Binary.it_section

Return binary’s an iterator over the PE’s Section

set_export(self, arg: lief.PE.Export) lief.PE.Export

Add or replace the export table

set_resources(self, new_tree: lief.PE.ResourceNode) lief.PE.ResourceNode

Change or set the current resource tree with the new one provided in parameter.

property signatures lief.PE.Binary.it_const_signatures

Return an iterator over the Signature objects

property sizeof_headers int

Size of all the PE headers

property symbols lief.PE.Binary.it_symbols

Return binary’s Symbol

property tls lief.PE.TLS

TLS object (if present)

property tls_dir lief.PE.DataDirectory

Return the data directory associated with TLS

va_to_offset(self, va_address: int) int

Convert an absolute virtual address into an offset

See: rva_to_offset()

verify_signature(*args) lief.PE.Signature.VERIFICATION_FLAGS

Overloaded function.

  1. verify_signature(self, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = VERIFICATION_CHECKS.DEFAULT) -> lief._lief.PE.Signature.VERIFICATION_FLAGS

    Verify the binary against the embedded signature(s) (if any)

    First off, it checks that the embedded signatures are correct (c.f. lief.PE.Signature.check()) and then it checks that the authentihash matches lief.PE.ContentInfo.digest

    One can tweak the verification process with the lief.PE.Signature.VERIFICATION_CHECKS flags

    See also

    lief.PE.Signature.check()

  2. verify_signature(self, signature: lief._lief.PE.Signature, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = VERIFICATION_CHECKS.DEFAULT) -> lief._lief.PE.Signature.VERIFICATION_FLAGS

    Verify the binary with the Signature object provided in the first parameter It can be used to verify a detached signature:

    detached = lief.PE.Signature.parse("sig.pkcs7")
binary.verify_signature(detached)
property virtual_size int

Return the binary’s virtual size.

This value should match sizeof_image

write(*args) lief.PE.Builder | None

Overloaded function.

  1. write(self, output_path: str) -> Optional[lief._lief.PE.Builder]

Build the binary and write the result in the given output file

  1. write(self, output_path: str, config: lief._lief.PE.Builder.config_t) -> Optional[lief._lief.PE.Builder]

Build the binary with the given config and write the result in the given output file

write_to_bytes(self) bytes

Dos Header

class lief.PE.DosHeader

Bases: Object

Class which represents the DosHeader, the first structure presents at the beginning of a PE file.

Most of the attributes of this structures are not relevant, except addressof_new_exeheader

property addressof_new_exeheader int
property addressof_relocation_table int
property checksum int
copy(self) lief.PE.DosHeader

Duplicate the current instance of this object

create(arg: lief.PE.PE_TYPE) lief.PE.DosHeader = <nanobind.nb_func object>
property file_size_in_pages int
property header_size_in_paragraphs int
property initial_ip int
property initial_relative_cs int
property initial_relative_ss int
property initial_sp int
property magic int
property maximum_extra_paragraphs int
property minimum_extra_paragraphs int
property numberof_relocation int
property oem_id int
property oem_info int
property overlay_number int
property used_bytes_in_last_page int

Optional Header

class lief.PE.OptionalHeader

Bases: Object

Class which represents the PE OptionalHeader structure.

class DLL_CHARACTERISTICS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: IntFlag

APPCONTAINER = 4096
DYNAMIC_BASE = 64
FORCE_INTEGRITY = 128
GUARD_CF = 16384
HIGH_ENTROPY_VA = 32
NO_BIND = 2048
NO_ISOLATION = 512
NO_SEH = 1024
NX_COMPAT = 256
TERMINAL_SERVER_AWARE = 32768
WDM_DRIVER = 8192
from_value(arg: int) lief.PE.OptionalHeader.DLL_CHARACTERISTICS = <nanobind.nb_func object>
class SUBSYSTEM(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

EFI_APPLICATION = 10
EFI_BOOT_SERVICE_DRIVER = 11
EFI_ROM = 13
EFI_RUNTIME_DRIVER = 12
NATIVE = 1
NATIVE_WINDOWS = 8
OS2_CUI = 5
POSIX_CUI = 7
UNKNOWN = 0
WINDOWS_BOOT_APPLICATION = 16
WINDOWS_CE_GUI = 9
WINDOWS_CUI = 3
WINDOWS_GUI = 2
XBOX = 14
from_value(arg: int) lief.PE.OptionalHeader.SUBSYSTEM = <nanobind.nb_func object>
add(self, characteristic: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) None

Add the given DLL_CHARACTERISTICS

property addressof_entrypoint int

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

property baseof_code int

Address relative to the imagebase where the binary’s code starts

property baseof_data int

Address relative to the imagebase where the binary’s data starts.

Warning

This value is not present for PE64 files

property checksum int

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

copy(self) lief.PE.OptionalHeader

Duplicate the current instance of this object

create(type: lief.PE.PE_TYPE) lief.PE.OptionalHeader = <nanobind.nb_func object>
property dll_characteristics int

Some characteristics (DLL_CHARACTERISTICS) of the underlying binary like the support of the PIE.

The prefix dll comes from the official PE specifications but these characteristics are also used for executables

property dll_characteristics_lists list[lief.PE.OptionalHeader.DLL_CHARACTERISTICS]

dll_characteristics as a list of DLL_CHARACTERISTICS

property file_alignment int

The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K, inclusive. The default value is 512. If the section_alignment is less than the architecture’s page size, then file_alignment must match section_alignment.

has(self, characteristics: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) bool

True if the given DLL_CHARACTERISTICS is in the dll_characteristics

property imagebase int

The preferred base address when mapping the binary in memory

property loader_flags int

According to the PE specifications, this value is reserved and should be 0.

property magic lief.PE.PE_TYPE

Magic value (PE_TYPE) that identifies a PE32 from a PE64

property major_image_version int

The major version number of the image.

property major_linker_version int

The linker major version number

property major_operating_system_version int

The major version number of the required operating system.

property major_subsystem_version int

The major version number of the subsystem.

property minor_image_version int

The minor version number of the image.

property minor_linker_version int

The linker minor version number

property minor_operating_system_version int

The minor version number of the required operating system.

property minor_subsystem_version int

The minor version number of the subsystem

property numberof_rva_and_size int

The number of DataDirectory that follow this header

remove(self, characteristic: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) None

Remove the given DLL_CHARACTERISTICS

property section_alignment int

The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture.

property sizeof_code int

The size of the code .text section or the sum of all the sections that contain code (ie. Section with the flag CNT_CODE)

property sizeof_headers int

The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment.

property sizeof_heap_commit int

The size of the local heap space to commit.

property sizeof_heap_reserve int

The size of the local heap space to reserve.

Only sizeof_heap_commit is available one page at a time until the reserve size is reached.

property sizeof_image int

The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of section_alignment and should match virtual_size.

property sizeof_initialized_data int

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag CNT_INITIALIZED_DATA

property sizeof_stack_commit int

The size of the stack to commit.

property sizeof_stack_reserve int

The size of the stack to reserve.

Only sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

property sizeof_uninitialized_data int

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag CNT_UNINITIALIZED_DATA

property subsystem lief.PE.OptionalHeader.SUBSYSTEM

Target subsystem (SUBSYSTEM) like Driver, XBox, Windows GUI, ..

property win32_version_value int

Reserved, must be zero.

Data Directory

class lief.PE.DataDirectory(self)

Bases: Object

Class that represents a PE data directory entry

class TYPES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ARCHITECTURE = 7
BASE_RELOCATION_TABLE = 5
BOUND_IMPORT = 11
CERTIFICATE_TABLE = 4
CLR_RUNTIME_HEADER = 14
DEBUG_DIR = 6
DELAY_IMPORT_DESCRIPTOR = 13
EXCEPTION_TABLE = 3
EXPORT_TABLE = 0
GLOBAL_PTR = 8
IAT = 12
IMPORT_TABLE = 1
LOAD_CONFIG_TABLE = 10
RESERVED = 15
RESOURCE_TABLE = 2
TLS_TABLE = 9
UNKNOWN = 16
from_value(arg: int) lief.PE.DataDirectory.TYPES = <nanobind.nb_func object>
property content memoryview

Raw content (bytes) referenced by this data directory

copy(self) lief.PE.DataDirectory

Duplicate the current instance of this object

property has_section bool

True if the current data directory is tied to a Section

property rva int

Relative virtual address of the content associated with the current data directory

property section lief.PE.Section

Section associated with the current data directory or None if not linked

property size int

Size in bytes of the content associated with the current data directory

property type lief.PE.DataDirectory.TYPES

Type (TYPES) of the current data directory

Section

Inheritance diagram of lief._lief.PE.Section
class lief.PE.Section(self)
class lief.PE.Section(self, name: str, content: collections.abc.Sequence[int])
class lief.PE.Section(self, name: str)

Bases: Section

Class which represents a PE section.

It extends the base class lief.Section

class CHARACTERISTICS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

ALIGN_1024BYTES = 11534336
ALIGN_128BYTES = 8388608
ALIGN_16BYTES = 5242880
ALIGN_1BYTES = 1048576
ALIGN_2048BYTES = 12582912
ALIGN_256BYTES = 9437184
ALIGN_2BYTES = 2097152
ALIGN_32BYTES = 6291456
ALIGN_4096BYTES = 13631488
ALIGN_4BYTES = 3145728
ALIGN_512BYTES = 10485760
ALIGN_64BYTES = 7340032
ALIGN_8192BYTES = 14680064
ALIGN_8BYTES = 4194304
CNT_CODE = 32
CNT_INITIALIZED_DATA = 64
CNT_UNINITIALIZED_DATA = 128
GPREL = 32768
LNK_COMDAT = 4096
LNK_INFO = 512
LNK_NRELOC_OVFL = 16777216
LNK_OTHER = 256
LNK_REMOVE = 2048
MEM_16BIT = 131072
MEM_DISCARDABLE = 33554432
MEM_EXECUTE = 536870912
MEM_LOCKED = 262144
MEM_NOT_CACHED = 67108864
MEM_NOT_PAGED = 134217728
MEM_PRELOAD = 524288
MEM_PURGEABLE = 65536
MEM_READ = 1073741824
MEM_SHARED = 268435456
MEM_WRITE = 2147483648
TYPE_NO_PAD = 8
from_value(arg: int) lief.PE.Section.CHARACTERISTICS = <nanobind.nb_func object>
property characteristics int

The CHARACTERISTICS that describe the characteristics of the section

property characteristics_lists list[lief.PE.Section.CHARACTERISTICS]

characteristics as a list

property coff_string lief.PE.COFFString

Return the COFF string associated with the section’s name (or None)

This coff string is usually present for long section names whose length does not fit in the 8 bytes allocated by the PE format.

copy(self) lief.PE.Section

Duplicate the current instance of this object

has_characteristic(self, characteristic: lief.PE.Section.CHARACTERISTICS) bool

True if the section has the given CHARACTERISTICS

property is_discardable bool

True if the section can be discarded as needed.

This is typically the case for debug-related sections.

property numberof_line_numbers int

The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated.

See: pointerto_line_numbers

property numberof_relocations int

The number of relocation entries for the section.

See: pointerto_relocation

property padding bytes

Section padding content as bytes

property pointerto_line_numbers int

The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

property pointerto_raw_data int

The offset of the section data in the PE file. Alias of offset

property pointerto_relocation int

The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.

For modern PE binaries, this value is usually set to 0 as the relocations are managed by Relocation.

property sizeof_raw_data int

Alias of size (size of the data in the section)

property virtual_size int

The total size of the section when loaded into memory.

If this value is greater than sizeof_raw_data, the section is zero-padded.

Import

class lief.PE.Import(self)
class lief.PE.Import(self, library_name: str)

Bases: Object

Class that represents a PE import

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, library_name: str) -> None

Constructor from a library name

add_entry(*args) lief.PE.ImportEntry

Add an ImportEntry (function) to the current import

property directory lief.PE.DataDirectory

Return the DataDirectory associated with this import.

It should be the one at index lief.PE.DataDirectory.TYPES.IMPORT_TABLE. It can return None if the Import directory can’t be resolved.

property entries lief.PE.Import.it_entries

Iterator over the ImportEntry (functions)

property forwarder_chain int

The index of the first forwarder reference

get_entry(self, function_name: str) lief.PE.ImportEntry

Return the ImportEntry with the given name or None if not found

get_function_rva_from_iat(self, function_name: str) int | lief.lief_errors

Return the relative virtual address of the given function within the Import Address Table

property iat_directory lief.PE.DataDirectory

Return the DataDirectory associated with the IAT table.

It should be the one at index lief.PE.DataDirectory.TYPES.IAT. It can return None if the IAT directory can’t be resolved.

property import_address_table_rva int

The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.

Warning

This address could change when re-building the binary

property import_lookup_table_rva int

The RVA of the import lookup table. This table contains the name or the ordinal for all the imports.

class it_entries

Bases: object

Iterator over lief._lief.PE.ImportEntry

property name str | bytes

Library name (e.g. kernel32.dll)

property name_rva int

The original name rva

remove_entry(*args) bool

Overloaded function.

  1. remove_entry(self, name: str) -> bool

    Remove the import entry with the given name.

    Return true if the deletion succeed, false otherwise

  2. remove_entry(self, ord: int) -> bool

    Remove the import entry with the given ordinal number

    Return True if the deletion succeed, false otherwise

property timedatestamp int

The stamp that is set to zero until the image is bound.

After the image is bound, this field is set to the time/data stamp of the DLL

Import Entry

Inheritance diagram of lief._lief.PE.ImportEntry
class lief.PE.ImportEntry(self)
class lief.PE.ImportEntry(self, import_name: str)
class lief.PE.ImportEntry(self, data: int, type: lief._lief.PE.PE_TYPE)

Bases: Symbol

Class that represents an entry (i.e. an import) in the import table (Import).

It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value

Overloaded function.

  1. __init__(self) -> None

  2. __init__(self, import_name: str) -> None

Constructor from a name

  1. __init__(self, data: int, type: lief._lief.PE.PE_TYPE) -> None

copy(self) lief.PE.ImportEntry

Duplicate the current instance of this object

property data int

Raw value

property demangled_name str

Demangled representation of the symbol or an empty string if it can’t be demangled.

property hint int

Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution

property iat_address int

Original address of the entry in the Import Address Table

property iat_value int

Value of the current entry in the Import Address Table. It should match the lookup table value.

property ilt_value int

Original value in the import lookup table.

This value should match the iat_value

property is_ordinal bool

True if it is an import by ordinal

property name str | bytes

Import name if not ordinal

property ordinal int

Ordinal value (if any). See: is_ordinal

Delay Import

class lief.PE.DelayImport(self, library_name: str)

Bases: Object

Class that represents a PE delay import

Constructor from a library name

property attribute int

Reserved and should be zero according to the PE specifications

property biat int

RVA of the bound delay-load import address table or 0 if the table does not exist.

copy(self) lief.PE.DelayImport

Duplicate the current instance of this object

property entries lief.PE.DelayImport.it_entries

Iterator over the DelayImportEntry (functions)

property handle int

The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.

property iat int

RVA of the delay-load import address table.

class it_entries

Bases: object

Iterator over lief._lief.PE.DelayImportEntry

property name str | bytes

Library name (e.g. kernel32.dll)

property names_table int

RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table

property timestamp int

The timestamp of the DLL to which this image has been bound.

property uiat int

RVA of the unload delay-load import address table or 0 if the table does not exist.

According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.

Delay Import Entry

Inheritance diagram of lief._lief.PE.DelayImportEntry
class lief.PE.DelayImportEntry(self)

Bases: Symbol

Class that represents an entry (i.e. a delay import) in the delay import table (DelayImport).

It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value

The meaning of lief.Symbol.value for this PE object is the address (as an RVA) in the IAT where the resolution should take place

copy(self) lief.PE.DelayImportEntry

Duplicate the current instance of this object

property data int

Raw value

property demangled_name str

Demangled representation of the symbol or an empty string if it can’t be demangled.

property hint int

Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution

property iat_value int

Value of the current entry in the delay-loaded import address table. See: iat

property is_ordinal bool

True if it is an import by ordinal

property name str | bytes

Delay import name if not ordinal

property ordinal int

Ordinal value (if any). See: is_ordinal

TLS

class lief.PE.TLS(self)

Bases: Object

Class which represents the PE Thread Local Storage. This PE structure is also used to implement binary/library constructors.

Default constructor

add_callback(self, addr: int) lief.PE.TLS

Add a new TLS callback

property addressof_callbacks int

Pointer to an array of TLS callback functions.

The array is null-terminated, so if there is no callback, this field points to 4 bytes set to zero.

See: callbacks

property addressof_index int

The location to receive the TLS index assigned by the loader. This location should be located in a writable section like .data.

property addressof_raw_data tuple[int, int]

Tuple (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.

Note

These addresses are not RVA. It is addresses for which there should be a base relocation in the .reloc section.

property callbacks list[int]

List of the callbacks associated with the current TLS.

These functions are called before any other functions.

property characteristics int

The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.

copy(self) lief.PE.TLS

Duplicate the current instance of this object

property data_template memoryview

The initial content used to initialize TLS data.

property directory lief.PE.DataDirectory

DataDirectory associated with the TLS object (or None if not linked)

property has_data_directory bool

True if there is a DataDirectory associated with the TLS object

property has_section bool

True if there is a Section associated with the TLS object

property section lief.PE.Section

Section associated with the TLS object (or None if not linked)

property sizeof_zero_fill int

Size in bytes of the zeros to be padded after the data specified by data_template.

Symbol

Inheritance diagram of lief._lief.PE.Symbol
class lief.PE.Symbol

Bases: Symbol

Class that represents a PE-COFF symbol.

Usually PE debug information (including symbols) are wrapped in a PDB file referenced by the lief.PE.CodeViewPDB object.

The PE format allows to define (by COFF inheritance) a symbol table that is different from the regular PDB symbols. This table contains COFF(16) symbols which can reference auxiliary symbols.

Warning

The lief.Symbol.value should be interpreted in perspective of the storage_class

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-symbol-table

class BASE_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

BYTE = 12
CHAR = 2
DOUBLE = 7
DWORD = 15
ENUM = 10
FLOAT = 6
INT = 4
LONG = 5
MOE = 11
NULL = 0
SHORT = 3
STRUCT = 8
UINT = 14
UNION = 9
VOID = 1
WORD = 13
from_value(arg: int) lief.PE.Symbol.BASE_TYPE = <nanobind.nb_func object>
class COMPLEX_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ARRAY = 3
FUNCTION = 2
NULL = 0
POINTER = 1
from_value(arg: int) lief.PE.Symbol.COMPLEX_TYPE = <nanobind.nb_func object>
class STORAGE_CLASS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#storage-class

ARGUMENT = 9
AUTOMATIC = 1
BIT_FIELD = 18
BLOCK = 100
CLR_TOKEN = 107
END_OF_FUNCTION = -1
END_OF_STRUCT = 102
ENUM_TAG = 15
EXTERNAL = 2
EXTERNAL_DEF = 5
FILE = 103
FUNCTION = 101
LABEL = 6
MEMBER_OF_ENUM = 16
MEMBER_OF_STRUCT = 8
MEMBER_OF_UNION = 11
NONE = 0
REGISTER = 4
REGISTER_PARAM = 17
SECTION = 104
STATIC = 3
STRUCT_TAG = 10
TYPE_DEFINITION = 13
UNDEFINED_LABEL = 7
UNDEFINED_STATIC = 14
UNION_TAG = 12
WEAK_EXTERNAL = 105
from_value(arg: int) lief.PE.Symbol.STORAGE_CLASS = <nanobind.nb_func object>
property auxiliary_symbols lief.PE.Symbol.it_auxiliary_symbols_t

Auxiliary symbols associated with this symbol.

property base_type lief.PE.Symbol.BASE_TYPE

The simple (base) data type

property coff_name lief.PE.COFFString

COFF string used to represents the (long) symbol name

property complex_type lief.PE.Symbol.COMPLEX_TYPE

The complex type (if any)

property is_external bool
property is_file_record bool
property is_function_line_info bool
property is_undefined bool
property is_weak_external bool
class it_auxiliary_symbols_t

Bases: object

Iterator over lief._lief.PE.AuxiliarySymbol

property section_idx int

The signed integer that identifies the section, using a one-based index into the section table. Some values have special meaning:

  • 0: The symbol record is not yet assigned a section. A value of zero

    indicates that a reference to an external symbol is defined elsewhere. A value of non-zero is a common symbol with a size that is specified by the value.

  • -1: The symbol has an absolute (non-relocatable) value and is not an

    address.

  • -2: The symbol provides general type or debugging information but does

    not correspond to a section. Microsoft tools use this setting along with .file records

property storage_class lief.PE.Symbol.STORAGE_CLASS

Storage class of the symbol which indicates what kind of definition a symbol represents.

property type int

The symbol type. The first byte represents the base type (see: base_type) while the upper byte represents the complex type, if any (see: complex_type).

AuxiliarySymbol

Inheritance diagram of lief._lief.PE.AuxiliarySectionDefinition, lief._lief.PE.AuxiliaryFile, lief._lief.PE.AuxiliaryCLRToken, lief._lief.PE.AuxiliaryWeakExternal, lief._lief.PE.AuxiliarybfAndefSymbol, lief._lief.PE.AuxiliaryFunctionDefinition, lief._lief.PE.AuxiliarySymbol
class lief.PE.AuxiliarySymbol

Bases: object

Class that represents an auxiliary symbol.

An auxiliary symbol has the same size as a regular lief.PE.Symbol (18 bytes) but its content depends on the the parent symbol.

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Type discriminator for the subclasses

BF_AND_EF = 3
CLR_TOKEN = 1
FILE = 5
FUNC_DEF = 2
SEC_DEF = 6
UNKNOWN = 0
WEAK_EXTERNAL = 4
from_value(arg: int) lief.PE.AuxiliarySymbol.TYPE = <nanobind.nb_func object>
copy(self) lief.PE.AuxiliarySymbol | None

Duplicate the current instance of this object

property payload memoryview

For unknown type only, return the raw representation of this symbol

property type lief.PE.AuxiliarySymbol.TYPE

AuxiliaryCLRToken

Inheritance diagram of lief._lief.PE.AuxiliaryCLRToken
class lief.PE.AuxiliarySymbol

Bases: object

Class that represents an auxiliary symbol.

An auxiliary symbol has the same size as a regular lief.PE.Symbol (18 bytes) but its content depends on the the parent symbol.

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Type discriminator for the subclasses

BF_AND_EF = 3
CLR_TOKEN = 1
FILE = 5
FUNC_DEF = 2
SEC_DEF = 6
UNKNOWN = 0
WEAK_EXTERNAL = 4
from_value(arg: int) lief.PE.AuxiliarySymbol.TYPE = <nanobind.nb_func object>
copy(self) lief.PE.AuxiliarySymbol | None

Duplicate the current instance of this object

property payload memoryview

For unknown type only, return the raw representation of this symbol

property type lief.PE.AuxiliarySymbol.TYPE

AuxiliaryFunctionDefinition

Inheritance diagram of lief._lief.PE.AuxiliaryFunctionDefinition
class lief.PE.AuxiliaryFunctionDefinition

Bases: AuxiliarySymbol

This auxiliary symbol marks the beginning of a function definition.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-1-function-definitions

property padding int

Padding value (should be 0)

property ptr_to_line_number int

The file offset of the first COFF line-number entry for the function, or zero if none exists (deprecated)

property ptr_to_next_func int

The symbol-table index of the record for the next function. If the function is the last in the symbol table, this field is set to zero

property tag_index int

The symbol-table index of the corresponding .bf (begin function) symbol record.

property total_size int

The size of the executable code for the function itself.

If the function is in its own section, the SizeOfRawData in the section header is greater or equal to this field, depending on alignment consideration

AuxiliaryWeakExternal

Inheritance diagram of lief._lief.PE.AuxiliaryWeakExternal
class lief.PE.AuxiliaryWeakExternal

Bases: AuxiliarySymbol

“Weak externals” are a mechanism for object files that allows flexibility at link time. A module can contain an unresolved external symbol (sym1), but it can also include an auxiliary record that indicates that if sym1 is not present at link time, another external symbol (sym2) is used to resolve references instead.

If a definition of sym1 is linked, then an external reference to the symbol is resolved normally. If a definition of sym1 is not linked, then all references to the weak external for sym1 refer to sym2 instead. The external symbol, sym2, must always be linked; typically, it is defined in the module that contains the weak reference to sym1.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-3-weak-externals

class CHARACTERISTICS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ANTI_DEPENDENCY = 4
SEARCH_ALIAS = 3
SEARCH_LIBRARY = 2
SEARCH_NOLIBRARY = 1
property characteristics lief.PE.AuxiliaryWeakExternal.CHARACTERISTICS
property padding memoryview
property sym_idx int

The symbol-table index of sym2, the symbol to be linked if sym1 is not found.

AuxiliarybfAndefSymbol

Inheritance diagram of lief._lief.PE.AuxiliarybfAndefSymbol
class lief.PE.AuxiliarybfAndefSymbol

Bases: AuxiliarySymbol

AuxiliarySectionDefinition

Inheritance diagram of lief._lief.PE.AuxiliarySectionDefinition
class lief.PE.AuxiliarySectionDefinition

Bases: AuxiliarySymbol

This auxiliary symbol exposes information about the associated section.

It duplicates some information that are provided in the section header

property checksum int

The checksum for communal data. It is applicable if the IMAGE_SCN_LNK_COMDAT flag is set in the section header.

property length int

The size of section data. The same as SizeOfRawData in the section header.

property nb_line_numbers int

The number of line-number entries for the section.

property nb_relocs int

The number of relocation entries for the section.

property section_idx int

One-based index into the section table for the associated section. This is used when the COMDAT selection setting is 5.

property selection int

The COMDAT selection number. This is applicable if the section is a COMDAT section.

AuxiliaryFile

Inheritance diagram of lief._lief.PE.AuxiliaryFile
class lief.PE.AuxiliaryFile

Bases: AuxiliarySymbol

This auxiliary symbol represents a filename (auxiliary format 4)

The lief.Symbol.name itself should start with .file, and this auxiliary record gives the name of a source-code file.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#auxiliary-format-4-files

property filename str

The associated filename

Relocation

class lief.PE.Relocation(self)

Bases: Object

Class which represents the Base Relocation Block Usually, we find this structure in the .reloc section

add_entry(self, new_entry: lief.PE.RelocationEntry) lief.PE.RelocationEntry

Add a new RelocationEntry

property block_size int

The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)

copy(self) lief.PE.Relocation

Duplicate the current instance of this object

property entries lief.PE.Relocation.it_entries

Iterator over the RelocationEntry

class it_entries

Bases: object

Iterator over lief._lief.PE.RelocationEntry

property virtual_address int

The RVA for which the offset of the relocation entries (RelocationEntry) is added

Relocation Entry

Inheritance diagram of lief._lief.PE.RelocationEntry
class lief.PE.RelocationEntry(self)
class lief.PE.RelocationEntry(self, arg0: int, arg1: lief._lief.PE.RelocationEntry.BASE_TYPES, /)

Bases: Relocation

Class which represents an entry of the PE relocation table.

It extends the lief.Relocation object to provide an uniform API across the file formats.

class BASE_TYPES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ABS = 0
ARM_MOV32 = 517
DIR64 = 10
HIGH = 1
HIGH3ADJ = 11
HIGHADJ = 4
HIGHLOW = 3
LOW = 2
MIPS_JMPADDR = 261
MIPS_JMPADDR16 = 9
RISCV_HI20 = 1029
RISCV_LOW12I = 4103
RISCV_LOW12S = 8200
SECTION = 6
THUMB_MOV32 = 2055
UNKNOWN = -1
from_value(arg: int) lief.PE.RelocationEntry.BASE_TYPES = <nanobind.nb_func object>
property data int

Raw data of the relocation:

  • The high 4 bits store the relocation type

  • The low 12 bits store the relocation offset (position)

property position int

Offset - relative to virtual_address - where the relocation occurs

property type lief.PE.RelocationEntry.BASE_TYPES

Type of the relocation

Export

class lief.PE.Export(self)
class lief.PE.Export(self, name: str, entries: collections.abc.Sequence[lief._lief.PE.ExportEntry])

Bases: Object

Class which represents a PE Export

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, name: str, entries: collections.abc.Sequence[lief._lief.PE.ExportEntry]) -> None

Constructor from DLL name and its exports

add_entry(*args) lief.PE.ExportEntry

Add the given export and return the newly created and added entry

copy(self) lief.PE.Export

Duplicate the current instance of this object

property entries lief.PE.Export.it_entries

Iterator over the ExportEntry

property export_addr_table_cnt int

Number of entries in the export address table

property export_addr_table_rva int

RVA of the export address table

property export_flags int

According to the PE specifications this value is reserved and should be set to 0

find_entry(*args) lief.PE.ExportEntry

Overloaded function.

  1. find_entry(self, name: str) -> lief._lief.PE.ExportEntry

Find the export with the given name

  1. find_entry(self, ordinal: int) -> lief._lief.PE.ExportEntry

Find the export entry with the given ordinal number

find_entry_at(self, rva_addr: int) lief.PE.ExportEntry

Find the export entry at the provided RVA

class it_entries

Bases: object

Iterator over lief._lief.PE.ExportEntry

property major_version int

The major version number (can be user-defined)

property minor_version int

The minor version number (can be user-defined)

property name str | bytes

The name of the library exported (e.g. KERNEL32.dll)

property name_rva int

Address of the ASCII DLL’s name (RVA)

property names_addr_table_cnt int

Number of exports by name

property names_addr_table_rva int

RVA to the list of exported names

property ord_addr_table_rva int

RVA to the list of exported ordinals

property ordinal_base int

The starting number for the exports. Usually this value is set to 1

remove_entry(*args) bool

Overloaded function.

  1. remove_entry(self, entry: lief._lief.PE.ExportEntry) -> bool

Remove the given export entry

  1. remove_entry(self, name: str) -> bool

Remove the export entry with the given name

  1. remove_entry(self, rva: int) -> bool

Remove the export entry with the given RVA

property timestamp int

The time and date that the export data was created

Export Entry

Inheritance diagram of lief._lief.PE.ExportEntry
class lief.PE.ExportEntry(self)
class lief.PE.ExportEntry(self, name: str, addr: int)

Bases: Symbol

Class which represents a PE Export entry (cf. lief.PE.Export)

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, name: str, addr: int) -> None

Constructor with export name and address

property address int
property demangled_name str

Demangled representation of the symbol or an empty string if it can’t be demangled.

property forward_information lief.PE.ExportEntry.forward_information_t
class forward_information_t

Bases: object

property function str
property library str
property function_rva int
property is_extern bool
property is_forwarded bool
property name str | bytes
property ordinal int

Signature

class lief.PE.Signature

Bases: Object

class VERIFICATION_CHECKS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

Flags to tweak the verification process of the signature See lief.PE.Signature.check() and lief.PE.Binary.verify_signature()

DEFAULT = 1
HASH_ONLY = 2
LIFETIME_SIGNING = 4
SKIP_CERT_TIME = 8
from_value(arg: int) lief.PE.Signature.VERIFICATION_CHECKS = <nanobind.nb_func object>
class VERIFICATION_FLAGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

BAD_DIGEST = 128
BAD_SIGNATURE = 256
CERT_EXPIRED = 1024
CERT_FUTURE = 2048
CERT_NOT_FOUND = 8
CORRUPTED_AUTH_DATA = 32
CORRUPTED_CONTENT_INFO = 16
INCONSISTENT_DIGEST_ALGORITHM = 4
INVALID_SIGNER = 1
MISSING_PKCS9_MESSAGE_DIGEST = 64
NO_SIGNATURE = 512
OK = 0
UNSUPPORTED_ALGORITHM = 2
from_value(arg: int) lief.PE.Signature.VERIFICATION_FLAGS = <nanobind.nb_func object>
property certificates lief.PE.Signature.it_const_crt

Return an iterator over x509 certificates

check(self, checks: lief.PE.Signature.VERIFICATION_CHECKS) lief.PE.Signature.VERIFICATION_FLAGS

Check the integrity of the signature and return a lief.PE.Signature.VERIFICATION_FLAGS

By default, it performs the following verifications:

  1. It must contain only one signer info (signers)

  2. lief.PE.Signature.digest_algorithm must match:

  3. The x509 certificate specified by lief.PE.SignerInfo.serial_number and lief.PE.SignerInfo.issuer must exist within lief.PE.Signature.certificates

  4. Given the x509 certificate, compare lief.PE.SignerInfo.encrypted_digest against either:

  5. If they are Authenticated attributes, check that a PKCS9_MESSAGE_DIGEST (lief.PE.PKCS9MessageDigest) attribute exists and that its value matches hash of ContentInfo

  6. Check the validity of the PKCS #9 counter signature if present

  7. If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See lief.PE.Signature.VERIFICATION_CHECKS.LIFETIME_SIGNING and lief.pe.Signature.VERIFICATION_CHECKS.SKIP_CERT_TIME)

See: lief.PE.Signature.VERIFICATION_CHECKS to tweak the behavior

property content_info lief.PE.ContentInfo

Return the ContentInfo

property digest_algorithm lief.PE.ALGORITHMS

Return the algorithm (ALGORITHMS) used to sign the content of ContentInfo

find_crt(self, serialno: collections.abc.Sequence[int]) lief.PE.x509

Find the x509 certificate according to its serial number

find_crt_issuer(*args) lief.PE.x509

Overloaded function.

  1. find_crt_issuer(self, issuer: str) -> lief._lief.PE.x509

Find the x509 certificate according to its issuer

  1. find_crt_issuer(self, issuer: str, serialno: collections.abc.Sequence[int]) -> lief._lief.PE.x509

Find the x509 certificate according to its issuer AND its serial number

find_crt_subject(*args) lief.PE.x509

Overloaded function.

  1. find_crt_subject(self, subject: str) -> lief._lief.PE.x509

Find the x509 certificate according to its subject

  1. find_crt_subject(self, subject: str, serialno: collections.abc.Sequence[int]) -> lief._lief.PE.x509

Find the x509 certificate according to its subject AND its serial number

class it_const_crt

Bases: object

Iterator over lief._lief.PE.x509

class it_const_signers_t

Bases: object

Iterator over lief._lief.PE.SignerInfo

parse(*args) lief.PE.Signature | None = <nanobind.nb_func object>
property raw_der memoryview

Return the raw original signature as a byte object

property signers lief.PE.Signature.it_const_signers_t

Return an iterator over the signers (SignerInfo)

property version int

Version of the signature. It should be 1

Signature Attribute

Inheritance diagram of lief._lief.PE.ContentType, lief._lief.PE.MsSpcNestedSignature, lief._lief.PE.MsManifestBinaryID, lief._lief.PE.MsCounterSign, lief._lief.PE.MsSpcStatementType, lief._lief.PE.PKCS9SigningTime, lief._lief.PE.Attribute, lief._lief.PE.SigningCertificateV2, lief._lief.PE.PKCS9AtSequenceNumber, lief._lief.PE.PKCS9CounterSignature, lief._lief.PE.PKCS9MessageDigest, lief._lief.PE.SpcRelaxedPeMarkerCheck, lief._lief.PE.SpcSpOpusInfo, lief._lief.PE.GenericType
class lief.PE.Attribute

Bases: Object

Interface over PKCS #7 attribute

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

CONTENT_TYPE = 1
GENERIC_TYPE = 2
MS_COUNTER_SIGN = 6
MS_PLATFORM_MANIFEST_BINARY_ID = 9
MS_SPC_NESTED_SIGN = 7
MS_SPC_STATEMENT_TYPE = 8
PKCS9_AT_SEQUENCE_NUMBER = 10
PKCS9_COUNTER_SIGNATURE = 11
PKCS9_MESSAGE_DIGEST = 12
PKCS9_SIGNING_TIME = 13
SIGNING_CERTIFICATE_V2 = 3
SPC_RELAXED_PE_MARKER_CHECK = 5
SPC_SP_OPUS_INFO = 4
UNKNOWN = 0
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property type lief.PE.Attribute.TYPE

Concrete type of the attribute

Signature ContentType

Inheritance diagram of lief._lief.PE.ContentType
class lief.PE.ContentType

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9) The internal structure is described in the: RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

ContentType ::= OBJECT IDENTIFIER
property oid str

OID as described in RFC #2985 (string object)

Signature GenericType

Inheritance diagram of lief._lief.PE.GenericType
class lief.PE.GenericType

Bases: Attribute

Interface over an attribute for which the internal structure is not supported by LIEF

property oid str

OID of the original attribute

property raw_content memoryview

Original DER blob of the attribute

Signature MsSpcNestedSignature

Inheritance diagram of lief._lief.PE.MsSpcNestedSignature
class lief.PE.MsSpcNestedSignature

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1

The internal structure is not documented but we can infer the following structure:

MsSpcNestedSignature ::= SET OF SignedData

With SignedData, the structure described in PKCS #7 RFC (See: lief.PE.Signature)

property signature lief.PE.Signature

Underlying Signature object

Signature MsSpcStatementType

Inheritance diagram of lief._lief.PE.MsSpcStatementType
class lief.PE.MsSpcStatementType

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER
property oid str

According to the documentation:

The SpcStatementType MUST contain one Object Identifier with either
the value ``1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID)`` or
``1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID)``.

Signature PKCS9AtSequenceNumber

Inheritance diagram of lief._lief.PE.PKCS9AtSequenceNumber
class lief.PE.PKCS9AtSequenceNumber

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

sequenceNumber ATTRIBUTE ::= {
  WITH SYNTAX SequenceNumber
  EQUALITY MATCHING RULE integerMat
  SINGLE VALUE TRUE
  ID pkcs-9-at-sequenceNumber
}

SequenceNumber ::= INTEGER (1..MAX)
property number int

Number as described in the RFC

Signature PKCS9CounterSignature

Inheritance diagram of lief._lief.PE.PKCS9CounterSignature
class lief.PE.PKCS9CounterSignature

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

counterSignature ATTRIBUTE ::= {
  WITH SYNTAX SignerInfo
  ID pkcs-9-at-counterSignature
}
property signer lief.PE.SignerInfo

Return the SignerInfo as described in the RFC #2985

Signature PKCS9MessageDigest

Inheritance diagram of lief._lief.PE.PKCS9MessageDigest
class lief.PE.PKCS9MessageDigest

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

messageDigest ATTRIBUTE ::= {
  WITH SYNTAX MessageDigest
  EQUALITY MATCHING RULE octet
  SINGLE VALUE TRUE
  ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING
property digest bytes

Message digeset as a blob of bytes as described in the RFC

Signature PKCS9SigningTime

Inheritance diagram of lief._lief.PE.PKCS9SigningTime
class lief.PE.PKCS9SigningTime

Bases: Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

SigningTime ::= Time -- imported from ISO/IEC 9594-8
property time list[int]

Time as a list [year, month, day, hour, min, sec]

Signature SpcSpOpusInfo

Inheritance diagram of lief._lief.PE.SpcSpOpusInfo
class lief.PE.SpcSpOpusInfo

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12 The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcSpOpusInfo ::= SEQUENCE {
    programName  [0] EXPLICIT SpcString OPTIONAL,
    moreInfo     [1] EXPLICIT SpcLink OPTIONAL
}
property more_info str | bytes

Other information such as an URL

property program_name str | bytes

Program description provided by the publisher

Signature SpcIndirectData

Inheritance diagram of lief._lief.PE.SpcIndirectData
class lief.PE.SpcIndirectData

Bases: Content

property digest memoryview
property digest_algorithm lief.PE.ALGORITHMS

Digest used to hash the file. This should match digest_algorithm

property file str
property url str

GenericContent

Inheritance diagram of lief._lief.PE.GenericContent
class lief.PE.GenericContent

Bases: Content

RsaInfo

class lief.PE.RsaInfo

Bases: object

Object representing a RSA key

property D bytes

RSA private exponent (in bytes)

property E bytes

RSA public exponent (in bytes)

property N bytes

RSA public modulus (in bytes)

property P bytes

First prime factor (in bytes)

property Q bytes

Second prime factor (in bytes)

property has_private_key bool

True if it embeds a private key

property has_public_key bool

True if it embeds a public key

property key_size int

Size of the public modulus in bits

x509

class lief.PE.x509

Bases: Object

Interface over a x509 certificate

class KEY_TYPES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Public key scheme used by the x509 certificate

ECDSA = 4
ECKEY = 2
ECKEY_DH = 3
NONE = 0
RSA = 1
RSASSA_PSS = 6
RSA_ALT = 5
from_value(arg: int) lief.PE.x509.KEY_TYPES = <nanobind.nb_func object>
class KEY_USAGE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Key usage as defined in RFC #5280 - section-4.2.1.3

CRL_SIGN = 6
DATA_ENCIPHERMENT = 3
DECIPHER_ONLY = 8
DIGITAL_SIGNATURE = 0
ENCIPHER_ONLY = 7
KEY_AGREEMENT = 4
KEY_CERT_SIGN = 5
KEY_ENCIPHERMENT = 2
NON_REPUDIATION = 1
from_value(arg: int) lief.PE.x509.KEY_USAGE = <nanobind.nb_func object>
class VERIFICATION_FLAGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

Verification flags associated with verify

BADCERT_BAD_KEY = 65536
BADCERT_BAD_MD = 16384
BADCERT_BAD_PK = 32768
BADCERT_CN_MISMATCH = 4
BADCERT_EXPIRED = 1
BADCERT_EXT_KEY_USAGE = 4096
BADCERT_FUTURE = 512
BADCERT_KEY_USAGE = 2048
BADCERT_MISSING = 64
BADCERT_NOT_TRUSTED = 8
BADCERT_NS_CERT_TYPE = 8192
BADCERT_OTHERNATURE = 256
BADCERT_REVOKED = 2
BADCERT_SKIP_VERIFY = 128
BADCRL_BAD_KEY = 524288
BADCRL_BAD_MD = 131072
BADCRL_BAD_PK = 262144
BADCRL_EXPIRED = 32
BADCRL_FUTURE = 1024
BADCRL_NOT_TRUSTED = 16
OK = 0
from_value(arg: int) lief.PE.x509.VERIFICATION_FLAGS = <nanobind.nb_func object>
property certificate_policies list[str]

Policy information terms as list of OID (see RFC #5280)

property ext_key_usage list[str]

Indicates one or more purposes for which the certified public key may be used (list of OID)

property is_ca bool
is_trusted_by(self, ca_list: collections.abc.Sequence[lief.PE.x509]) lief.PE.x509.VERIFICATION_FLAGS

Verify this certificate against a list of root CA (list of x509 objects) It returns a set of flags defined by VERIFICATION_FLAGS

Example:
signer = binary.signatures[0].signers[0]
microsoft_ca_bundle = lief.PE.x509.parse("bundle.pem")
print(signer.cert.is_trusted_by(microsoft_ca_bundle))
property issuer str | bytes

Issuer of the certificate

property key_type lief.PE.x509.KEY_TYPES

Return the underlying public-key scheme (KEY_TYPES)

property key_usage list[lief.PE.x509.KEY_USAGE]

Purpose of the key contained in the certificate (see KEY_USAGE)

parse(*args) list[lief.PE.x509] = <nanobind.nb_func object>
property raw bytes

The raw bytes associated with this x509 cert (DER encoded)

property rsa_info lief.PE.RsaInfo | None

If the underlying public-key scheme is RSA, return the RsaInfo associated with this certificate. Otherwise, return None

property serial_number bytes

Unique id for certificate issued by a specific CA.

property signature bytes

The signature of the certificate

property signature_algorithm str

Signature algorithm (OID)

property subject str | bytes

Subject of the certificate

property valid_from list[int]

Start time of certificate validity

property valid_to list[int]

End time of certificate validity

verify(self, ca: lief.PE.x509) lief.PE.x509.VERIFICATION_FLAGS

Verify that this certificate has been used to trust the given x509 certificate

It returns a set of flags defined by VERIFICATION_FLAGS

Example:
ca     = lief.PE.x509.parse("ca.crt")[0]
signer = lief.PE.x509.parse("signer.crt")[0]
print(ca.verify(signer))  # lief.PE.x509.VERIFICATION_FLAGS.OK
property version int

X.509 version. (1=v1, 2=v2, 3=v3)

ContentInfo

Inheritance diagram of lief._lief.PE.SpcIndirectData, lief._lief.PE.GenericContent, lief._lief.PE.PKCS9TSTInfo
class lief.PE.ContentInfo

Bases: Object

ContentInfo as described in the RFC 2315

ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent

SpcIndirectDataContent ::= SEQUENCE {
 data          SpcAttributeTypeAndOptionalValue,
 messageDigest DigestInfo
}

SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
 type  ObjectID,
 value [0] EXPLICIT ANY OPTIONAL
}

For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData

DigestInfo ::= SEQUENCE {
 digestAlgorithm  AlgorithmIdentifier,
 digest           OCTETSTRING
}

AlgorithmIdentifier ::= SEQUENCE {
 algorithm  ObjectID,
 parameters [0] EXPLICIT ANY OPTIONAL
}
class Content

Bases: Object

property content_type str

OID of the content type. This value should match SPC_INDIRECT_DATA_OBJID

copy(self) lief.PE.ContentInfo.Content | None

Duplicate the current instance of this object

property content_type str

An alias for content_type

copy(self) lief.PE.ContentInfo

Duplicate the current instance of this object

property digest bytes

Return the digest (authentihash) if the underlying content type is SPC_INDIRECT_DATA_OBJID. Return empty bytes otherwise.

property digest_algorithm lief.PE.ALGORITHMS

Return the hash algorithm used to generate the digest

property value lief.PE.ContentInfo.Content

SignerInfo

class lief.PE.SignerInfo

Bases: Object

SignerInfo as described in the RFC 2315 #Section 9.2

SignerInfo ::= SEQUENCE {
 version                   Version,
 issuerAndSerialNumber     IssuerAndSerialNumber,
 digestAlgorithm           DigestAlgorithmIdentifier,
 authenticatedAttributes   [0] IMPLICIT Attributes OPTIONAL,
 digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
 encryptedDigest           EncryptedDigest,
 unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}

EncryptedDigest ::= OCTET STRING
property authenticated_attributes lief.PE.SignerInfo.it_const_attributes_t

Return an iterator over the authenticated attributes (Attribute)

property cert lief.PE.x509

x509 certificate used by this signer. If it can’t be found, it returns None

property digest_algorithm lief.PE.ALGORITHMS

Algorithm (ALGORITHMS) used to hash the file. This value should match ContentInfo.digest_algorithm and Signature.digest_algorithm

property encrypted_digest bytes

Return the signature created by the signing certificate’s private key

property encryption_algorithm lief.PE.ALGORITHMS

Return algorithm (ALGORITHMS) used to encrypt the digest

get_attribute(self, type: lief.PE.Attribute.TYPE) lief.PE.Attribute

Return the authenticated or un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None

get_auth_attribute(self, type: lief.PE.Attribute.TYPE) lief.PE.Attribute

Return the authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None

get_unauth_attribute(self, type: lief.PE.Attribute.TYPE) lief.PE.Attribute

Return the un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr

property issuer str | bytes

The X509 issuer used to sign the signed-data (see: lief.PE.x509.issuer)

class it_const_attributes_t

Bases: object

Iterator over lief._lief.PE.Attribute

property serial_number bytes

The X509 serial number used to sign the signed-data (see: lief.PE.x509.serial_number)

property unauthenticated_attributes lief.PE.SignerInfo.it_const_attributes_t

Return an iterator over the unauthenticated attributes (Attribute)

property version int

Should be 1

MsCounterSign

class lief.PE.MsCounterSign

Bases: Attribute

This class exposes the ms-counter-signature.

property certificates lief.PE.MsCounterSign.it_const_crt

Return an iterator over x509 certificates

property content_info lief.PE.ContentInfo
property digest_algorithm lief.PE.ALGORITHMS
class it_const_crt

Bases: object

Iterator over lief._lief.PE.x509

class it_const_signers_t

Bases: object

Iterator over lief._lief.PE.SignerInfo

property signers lief.PE.MsCounterSign.it_const_signers_t

Return an iterator over the signers (SignerInfo)

property version int

PKCS9TSTInfo

class lief.PE.PKCS9TSTInfo

Bases: Content

Interface over the structure described by the OID 1.2.840.113549.1.9.16.1.4 (PKCS #9)

The internal structure is described in the RFC #3161

TSTInfo ::= SEQUENCE  {
 version        INTEGER  { v1(1) },
 policy         TSAPolicyId,
 messageImprint MessageImprint,
 serialNumber   INTEGER,
 genTime        GeneralizedTime,
 accuracy       Accuracy                OPTIONAL,
 ordering       BOOLEAN                 DEFAULT FALSE,
 nonce          INTEGER                 OPTIONAL,
 tsa            [0] GeneralName         OPTIONAL,
 extensions     [1] IMPLICIT Extensions OPTIONAL
}

TSAPolicyId    ::= OBJECT IDENTIFIER
MessageImprint ::= SEQUENCE {
  hashAlgorithm  AlgorithmIdentifier,
  hashedMessage  OCTET STRING
}

Accuracy ::= SEQUENCE {
  seconds        INTEGER           OPTIONAL,
  millis     [0] INTEGER  (1..999) OPTIONAL,
  micros     [1] INTEGER  (1..999) OPTIONAL
}

MsManifestBinaryID

class lief.PE.MsManifestBinaryID

Bases: Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.10.3.28 (szOID_PLATFORM_MANIFEST_BINARY_ID)

The internal structure is not documented but we can infer the following structure:

szOID_PLATFORM_MANIFEST_BINARY_ID ::= SET OF BinaryID

BinaryID ::= UTF8STRING
property manifest_id str

The manifest id

SpcRelaxedPeMarkerCheck

class lief.PE.SpcRelaxedPeMarkerCheck

Bases: Attribute

property value int

SigningCertificateV2

class lief.PE.SigningCertificateV2

Bases: Attribute

SigningCertificateV2 ::= SEQUENCE {
  certs    SEQUENCE OF ESSCertIDv2,
  policies SEQUENCE OF PolicyInformation OPTIONAL
}

ESSCertIDv2 ::= SEQUENCE {
  hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256},
  certHash      OCTET STRING,
  issuerSerial  IssuerSerial OPTIONAL
}

IssuerSerial ::= SEQUENCE {
  issuer       GeneralNames,
  serialNumber CertificateSerialNumber
}

PolicyInformation ::= SEQUENCE {
  policyIdentifier   OBJECT IDENTIFIER,
  policyQualifiers   SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}

Builder

class lief.PE.Builder(self, binary: lief._lief.PE.Binary, config: lief._lief.PE.Builder.config_t)

Bases: object

build(self) lief.ok_t | lief.lief_errors

Perform the build process

bytes(self) bytes
class config_t(self)

Bases: object

This structure is used to configure the build operation.

The default value of these attributes is set to False if the operation modifies the binary layout even though nothing changed. For instance, building the import table always requires relocating the table to another place. Thus, the default value is false and must be explicitly set to true.

property debug bool

Whether the builder should regenerate debug entries

property debug_section str

Section that holds the debug entries

property dos_stub bool

Whether the builder should write back dos stub (including the rich header)

property export_section str

Section that holds the export table

property exports bool

Whether the builder should reconstruct the export table This option should be turned on if you modify exports.

Please check LIEF website for more details

property force_relocating bool
property idata_section str

Section that holds the relocated import table (IAT/ILT)

property imports bool

Whether the builder should reconstruct the imports table. This option should be turned on if you modify imports.

Please check LIEF website for more details

property load_configuration bool

Whether the builder should regenerate the load configuration

property overlay bool

Whether the builder should write back any overlay data

property reloc_section str

Section that holds the relocated relocations

property relocations bool

Whether the builder should regenerate relocations

property resolved_iat_cbk collections.abc.Callable[[lief.PE.Binary, lief.PE.Import, lief.PE.ImportEntry, int], None]
property resources bool

Whether the builder should regenerate the resources tree

property rsrc_section str

If the resources tree needs to be relocated, this attribute defines the name of the new section that contains the relocated tree.

property tls bool

Whether the builder should regenerate the TLS info

property tls_section str

Section that holds the relocated TLS info

property rsrc_data memoryview
write(self, output: str) None

Write the build result into the output file

Resource Node

Inheritance diagram of lief._lief.PE.ResourceNode, lief._lief.PE.ResourceData, lief._lief.PE.ResourceDirectory
class lief.PE.ResourceNode

Bases: Object

Class which represents a Node in the resource tree.

It is extended by lief.PE.ResourceData and lief.PE.ResourceNode

add_child(self, node: lief.PE.ResourceNode) lief.PE.ResourceNode

Add a new child to the current node

property childs lief.PE.ResourceNode.it_childs

Node’s children

copy(self) lief.PE.ResourceNode | None

Duplicate the current instance of this object

delete_child(*args) None

Overloaded function.

  1. delete_child(self, node: lief._lief.PE.ResourceNode) -> None

Delete the given ResourceNode from the current children

  1. delete_child(self, id: int) -> None

    Delete the ResourceNode with the given id from the current children

property depth int

Current depth of the node in the resource tree

property has_name bool

True if the current node uses a name

property id int

Integer that identifies the Type, Name, or Language ID entry.

property is_data bool

True if the current node is a ResourceData

property is_directory bool

True if the current node is a ResourceDirectory

class it_childs

Bases: object

Iterator over lief._lief.PE.ResourceNode

property name str

Resource’s name

parse(bytes: bytes, rva: int) lief.PE.ResourceNode | None = <nanobind.nb_func object>

Resource Directory

Inheritance diagram of lief._lief.PE.ResourceDirectory
class lief.PE.ResourceDirectory(self)
class lief.PE.ResourceDirectory(self, arg: int, /)

Bases: ResourceNode

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, arg: int, /) -> None

Constructor from an ID

property characteristics int

Resource characteristics. This field is reserved for future use. It is currently set to zero.

property major_version int

The major version number, set by the user.

property minor_version int

The minor version number, set by the user.

property numberof_id_entries int

The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

property numberof_name_entries int

The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table

property time_date_stamp int

The time that the resource data was created by the resource compiler.

Resource Data

Inheritance diagram of lief._lief.PE.ResourceData
class lief.PE.ResourceData(self)
class lief.PE.ResourceData(self, content: collections.abc.Sequence[int], code_page: int = 0)

Bases: ResourceNode

Class which represents a Data Node in the PE resources tree

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, content: collections.abc.Sequence[int], code_page: int = 0) -> None

property code_page int

Return the code page that is used to decode code point values within the resource data. Typically, the code page is the Unicode code page.

property content memoryview

Resource content

property offset int

Offset of the content within the resource

Warning

This value can change when re-building the resource table

property reserved int

Reserved value. Should be 0

Resources Manager

class lief.PE.ResourcesManager(self, node: lief._lief.PE.ResourceNode)

Bases: Object

The Resource Manager provides an enhanced API to manipulate the resource tree

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ACCELERATOR = 9
ANICURSOR = 21
ANIICON = 22
BITMAP = 2
CURSOR = 1
DIALOG = 5
DLGINCLUDE = 17
FONT = 8
FONTDIR = 7
GROUP_CURSOR = 12
GROUP_ICON = 14
HTML = 23
ICON = 3
MANIFEST = 24
MENU = 4
MESSAGETABLE = 11
PLUGPLAY = 19
RCDATA = 10
STRING = 6
VERSION = 16
VXD = 20
from_value(arg: int) lief.PE.ResourcesManager.TYPE = <nanobind.nb_func object>
property accelerator lief.PE.ResourcesManager.it_const_accelerators

Return list of ResourceAccelerator present in the resource

add_icon(self, icon: lief.PE.ResourceIcon) None

Add an icon to the resources

change_icon(self, old_one: lief.PE.ResourceIcon, new_one: lief.PE.ResourceIcon) None

Switch the given icons

property dialogs lief.PE.ResourcesManager.it_const_dialogs

Return the list of the ResourceDialog present in the resource

get_node_type(self, type: lief.PE.ResourcesManager.TYPE) lief.PE.ResourceNode

Return ResourceNode with the given TYPE or None if not found.

property has_accelerator bool

True if resources contain ResourceAccelerator

property has_dialogs bool

true if the resources contain ResourceDialog

property has_html bool

True if resources contain HTML resource

property has_icons bool

true if the resources contain ResourceIcon

property has_manifest bool

True if the resources contain a Manifest element

property has_string_table bool

True if resources contain ResourceStringTable

has_type(self, type: lief.PE.ResourcesManager.TYPE) bool

True if the resource has the given TYPE

property has_version bool

true if the resources contain a ResourceVersion

property html list[str]

HTML resource as the list of string

property icons lief.PE.ResourcesManager.it_const_icons

Return the list of the ResourceIcon present in the resource

class it_const_accelerators

Bases: object

Iterator over lief._lief.PE.ResourceAccelerator

class it_const_dialogs

Bases: object

Iterator over lief._lief.PE.ResourceDialog

class it_const_icons

Bases: object

Iterator over lief._lief.PE.ResourceIcon

property manifest str | bytes

Manifest as a string

print(self, max_depth: int) str

Print the current resource tree

class string_entry_t

Bases: object

property id int
property string str
property string_table list[lief.PE.ResourcesManager.string_entry_t]

Return the list of the strings embedded in the string table (RT_STRING)

property types list[lief.PE.ResourcesManager.TYPE]

Return list of TYPE present in the resources

property version list[lief.PE.ResourceVersion]

Return a list of verison info (VS_VERSIONINFO).

Resource Icon

class lief.PE.ResourceIcon

Bases: Object

property bit_count int

Bits per pixel

property color_count int

Number of colors in image (0 if >=8bpp)

from_serialization(arg: bytes) lief.PE.ResourceIcon | lief.lief_errors = <nanobind.nb_func object>
property height int

Height in pixels of the image

property id int

Id associated with the icon

property lang int

Language associated with the icon

property pixels memoryview
property planes int

Color Planes

property reserved int

Reserved (must be 0)

save(self, filepath: str) None

Save the icon to the given filepath

serialize(self) bytes

Serialize the current icon into bytes

property sublang int

Sublanguage associated with the icon

property width int

Width in pixels of the image

Resource Dialog

Inheritance diagram of lief._lief.PE.ResourceDialog, lief._lief.PE.ResourceDialogRegular, lief._lief.PE.ResourceDialogExtended
class lief.PE.ResourceDialog

Bases: Object

This class is the base class for either a regular (legacy) Dialog or an extended Dialog. These different kinds of Dialogs are documented by MS at the following addresses:

class CONTROL_STYLES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

From: https://learn.microsoft.com/en-us/windows/win32/controls/common-control-styles

ADJUSTABLE = 32
BOTTOM = 3
LEFT = 129
NODIVIDER = 64
NOMOVEX = 130
NOMOVEY = 2
NOPARENTALIGN = 8
NORESIZE = 4
RIGHT = 131
TOP = 1
VERT = 128
from_value(arg: int) lief.PE.ResourceDialog.CONTROL_STYLES = <nanobind.nb_func object>
class DIALOG_STYLES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

From: https://learn.microsoft.com/en-us/windows/win32/dlgbox/dialog-box-styles

ABSALIGN = 1
CENTER = 2048
CENTERMOUSE = 4096
CONTEXTHELP = 8192
CONTROL = 1024
FIXEDSYS = 8
LOCALEDIT = 32
MODALFRAME = 128
NOFAILCREATE = 16
NOIDLEMSG = 256
S3DLOOK = 4
SETFONT = 64
SETFOREGROUND = 512
SHELLFONT = 72
SYSMODAL = 2
from_value(arg: int) lief.PE.ResourceDialog.DIALOG_STYLES = <nanobind.nb_func object>
class Item

Bases: object

property clazz int | str | None

Window class of the control. This can be either: a string that specifies the name of a registered window class or an ordinal value of a predefined system class.

property control_styles list[lief.PE.ResourceDialog.CONTROL_STYLES]

List of CONTROL_STYLES used by this item

property creation_data memoryview

Creation data that is passed to the control’s window procedure

property cx int

The width, in dialog box units, of the control.

property cy int

The height, in dialog box units, of the control.

property extended_style int

The extended styles for a window. This member is not used to create controls in dialog boxes, but applications that use dialog box templates can use it to create other types of windows.

It can take a combination of WINDOW_EXTENDED_STYLES

has(*args) bool

Overloaded function.

  1. has(self, style: lief._lief.PE.ResourceDialog.WINDOW_STYLES) -> bool

Check if this item has the given WINDOW_STYLES

  1. has(self, style: lief._lief.PE.ResourceDialog.CONTROL_STYLES) -> bool

Check if this item has the given CONTROL_STYLES

property id int

The control identifier.

property style int

The style of the control. This can be a combination of WINDOW_STYLES or CONTROL_STYLES.

property title int | str | None

Title of the item which can be either: a string that specifies the initial text or an ordinal value of a resource, such as an icon, in an executable file

property window_styles list[lief.PE.ResourceDialog.WINDOW_STYLES]

List of WINDOW_STYLES used by this item

property x int

The x-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.

property y int

The y-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Enum for discriminating the kind of the Dialog (regular vs extended)

EXTENDED = 2
REGULAR = 1
UNKNOWN = 0
class WINDOW_EXTENDED_STYLES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

From: https://docs.microsoft.com/en-us/windows/win32/winmsg/extended-window-styles

ACCEPTFILES = 16
APPWINDOW = 262144
CLIENTEDGE = 512
CONTEXTHELP = 1024
CONTROLPARENT = 65536
DLGMODALFRAME = 1
LEFT = 0
LEFTSCROLLBAR = 16384
MDICHILD = 64
NOPARENTNOTIFY = 4
RIGHT = 4096
RTLREADING = 8192
STATICEDGE = 131072
TOOLWINDOW = 128
TOPMOST = 8
TRANSPARENT_STY = 32
WINDOWEDGE = 256
from_value(arg: int) lief.PE.ResourceDialog.WINDOW_EXTENDED_STYLES = <nanobind.nb_func object>
class WINDOW_STYLES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

From: https://docs.microsoft.com/en-us/windows/win32/winmsg/window-styles

BORDER = 8388608
CAPTION = 12582912
CHILD = 1073741824
CLIPCHILDREN = 33554432
CLIPSIBLINGS = 67108864
DISABLED = 134217728
DLGFRAME = 4194304
GROUP = 131072
HSCROLL = 1048576
MAXIMIZE = 16777216
MINIMIZE = 536870912
OVERLAPPED = 0
POPUP = 2147483648
SYSMENU = 524288
TABSTOP = 65536
THICKFRAME = 262144
VISIBLE = 268435456
VSCROLL = 2097152
from_value(arg: int) lief.PE.ResourceDialog.WINDOW_STYLES = <nanobind.nb_func object>
copy(self) lief.PE.ResourceDialog | None

Duplicate the current instance of this object

property cx int

The width, in dialog box units, of the dialog box.

property cy int

The height, in dialog box units, of the dialog box

property extended_style int

The extended styles for a window. This member is not used to create dialog boxes, but applications that use dialog box templates can use it to create other types of windows. For a list of values, see WINDOW_EXTENDED_STYLES

has(*args) bool

Overloaded function.

  1. has(self, arg: lief._lief.PE.ResourceDialog.DIALOG_STYLES, /) -> bool

Check if the dialog used to given dialog style

  1. has(self, arg: lief._lief.PE.ResourceDialog.WINDOW_STYLES, /) -> bool

Check if the dialog used to given window style

  1. has(self, arg: lief._lief.PE.ResourceDialog.WINDOW_EXTENDED_STYLES, /) -> bool

Check if the dialog used to given extended window style

property menu int | str | None

ordinal or name value of a menu resource

property style int

The style of the dialog box. This member can be a combination of window style values (such as CAPTION and SYSMENU) and dialog box style values (such as CENTER).

property styles_list list[lief.PE.ResourceDialog.DIALOG_STYLES]

List of DIALOG_STYLES used by this dialog

property title str

title of the dialog box

property type lief.PE.ResourceDialog.TYPE
property window_class int | str | None

ordinal of a predefined system window class or name of a registered window class

property windows_ext_styles_list list[lief.PE.ResourceDialog.WINDOW_EXTENDED_STYLES]

List of WINDOW_EXTENDED_STYLES used by this dialog

property windows_styles_list list[lief.PE.ResourceDialog.WINDOW_STYLES]

List of WINDOW_STYLES used by this dialog

property x int

The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.

property y int

The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.

Resource Dialog – Regular

Inheritance diagram of lief._lief.PE.ResourceDialogRegular
class lief.PE.ResourceDialogRegular(self)

Bases: ResourceDialog

Implementation for a regular/legacy dialog box.

See: https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-dlgtemplate

class Item(self)

Bases: Item

This class represents a DLGTEMPLATE item (DLGITEMTEMPLATE) See: https://learn.microsoft.com/en-us/windows/win32/api/winuser/ns-winuser-dlgitemtemplate

add_item(self, item: lief.PE.ResourceDialogRegular.Item) None

Add a new control item to the dialog

property font lief.PE.ResourceDialogRegular.font_t

Additional font information

class font_t

Bases: object

This structure represents additional font information that might be embedded at the end of the DLGTEMPLATE stream

property name str
property point_size int
class it_items

Bases: object

Iterator over lief._lief.PE.Item

property items lief.PE.ResourceDialogRegular.it_items

Iterator over the different control items

property nb_items int

Number of control items

Resource Dialog – Extended

Inheritance diagram of lief._lief.PE.ResourceDialogExtended
class lief.PE.ResourceDialogExtended(self)

Bases: ResourceDialog

Implementation for the new extended dialogbox format.

See: https://learn.microsoft.com/en-us/windows/win32/dlgbox/dlgtemplateex

class Item(self)

Bases: Item

This class represents a DLGTEMPLATEEX item (DLGITEMTEMPLATEEX).

See: https://learn.microsoft.com/en-us/windows/win32/dlgbox/dlgitemtemplateex

property help_id int

The help context identifier for the control. When the system sends a WM_HELP message, it passes the helpID value in the dwContextId member of the HELPINFO structure.

add_item(self, item: lief.PE.ResourceDialogExtended.Item) None

Add a new control item to the dialog

property font lief.PE.ResourceDialogExtended.font_t

Additional font information

class font_t

Bases: object

Font information for the font to use for the text in the dialog box and its controls

property charset int

The character set to be used

property italic bool

Indicates whether the font is italic

property point_size int

The point size of the font

property typeface str

The name of the typeface for the font.

property weight int

The weight of the font

property help_id int

The help context identifier for the dialog box window. When the system sends a WM_HELP message, it passes the helpID value in the dwContextId member of the HELPINFO structure.

class it_items

Bases: object

Iterator over lief._lief.PE.Item

property items lief.PE.ResourceDialogExtended.it_items

Iterator over the different control items

property signature int

Indicates whether a template is an extended dialog box template. If signature is 0xFFFF, this is an extended dialog box template. In this case, the dlgVer member specifies the template version number.

property version int

The version number of the extended dialog box template. This member must be set to 1.

Resource Version

class lief.PE.ResourceVersion

Bases: Object

Class that represents the data associated with the RT_VERSION entry

See: VS_VERSIONINFO – https://docs.microsoft.com/en-us/windows/win32/menurc/vs-versioninfo

property file_info lief.PE.ResourceVersion.fixed_file_info_t

Return the fixed file info (VS_FIXEDFILEINFO)

class fixed_file_info_t

Bases: object

This structure represents the VS_FIXEDFILEINFO structure defined in verrsrc.h.

class FILE_FLAGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

DEBUG = 1
INFO_INFERRED = 16
PATCHED = 4
PRERELEASE = 2
PRIVATEBUILD = 8
SPECIALBUILD = 32
class FILE_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

APP = 1
DLL = 2
DRV = 3
FONT = 4
STATIC_LIB = 7
UNKNOWN = 0
VXD = 5
class FILE_TYPE_DETAILS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

DRV_COMM = 8589934602
DRV_DISPLAY = 8589934596
DRV_INPUTMETHOD = 8589934603
DRV_INSTALLABLE = 8589934600
DRV_KEYBOARD = 8589934594
DRV_LANGUAGE = 8589934595
DRV_MOUSE = 8589934597
DRV_NETWORK = 8589934598
DRV_PRINTER = 8589934593
DRV_SOUND = 8589934601
DRV_SYSTEM = 8589934599
DRV_VERSIONED_PRINTER = 12
FONT_RASTER = 17179869185
FONT_TRUETYPE = 17179869187
FONT_VECTOR = 17179869186
UNKNOWN = 0
class VERSION_OS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

DOS_WINDOWS16 = 65537
DOS_WINDOWS32 = 65540
NT = 262144
NT_WINDOWS32 = 262148
OS216 = 131072
OS216_PM16 = 131074
OS232 = 196608
OS232_PM32 = 196611
PM16 = 2
PM32 = 3
UNKNOWN = 0
WINCE = 327680
WINDOWS16 = 1
WINDOWS32 = 4
property file_date_ls int

The least significant 32 bits of the file’s 64-bit binary creation date and time stamp.

property file_date_ms int

The most significant 32 bits of the file’s 64-bit binary creation date and time stamp.

property file_flags int

Contains a bitmask that specifies the Boolean attributes of the file. This member can include one or more of the values specified in FILE_FLAGS.

property file_flags_mask int

Contains a bitmask that specifies the valid bits in file_flags. A bit is valid only if it was defined when the file was created.

property file_os int

The operating system for which this file was designed. This member can be one of the values specified in VERSION_OS.

property file_subtype int

The function of the file. The possible values depend on the value of file_type.

property file_type int

The general type of file. This member can be one of the values specified in FILE_TYPE. All other values are reserved.

property file_type_details lief.PE.ResourceVersion.fixed_file_info_t.FILE_TYPE_DETAILS
property file_version_ls int

The least significant 32 bits of the file’s binary version number. This member is used with file_version_ms to form a 64-bit value used for numeric comparisons.

property file_version_ms int

The most significant 32 bits of the file’s binary version number. This member is used with file_version_ls to form a 64-bit value used for numeric comparisons.

property flags list[lief.PE.ResourceVersion.fixed_file_info_t.FILE_FLAGS]

List of flags

has(self, flag: lief.PE.ResourceVersion.fixed_file_info_t.FILE_FLAGS) bool

Check if the given flag is present

property product_version_ls int

The least significant 32 bits of the binary version number of the product with which this file was distributed. This member is used with product_version_ms to form a 64-bit value used for numeric comparisons.

property product_version_ms int

The most significant 32 bits of the binary version number of the product with which this file was distributed. This member is used with product_version_ls to form a 64-bit value used for numeric comparisons.

property signature int

Contains the value 0xFEEF04BD. This is used with the szKey member of the VS_VERSIONINFO structure when searching a file for the VS_FIXEDFILEINFO structure.

property struct_version int

The binary version number of this structure. The high-order word of this member contains the major version number, and the low-order word contains the minor version number.

property key str

The Unicode string L”VS_VERSION_INFO”

property string_file_info lief.PE.ResourceStringFileInfo

Return the StringFileInfo element

property type int

The type of data in the version resource: * 1 if it contains text data * 0 if it contains binary data

property var_file_info lief.PE.ResourceVarFileInfo

Return the VarFileInfo element

Resource Var File Info

class lief.PE.ResourceVarFileInfo

Bases: Object

Representation of the VarFileInfo structure

This structure represents the organization of data in a file-version resource. It contains version information not dependent on a particular language and code page combination.

See: https://learn.microsoft.com/en-us/windows/win32/menurc/varfileinfo

class it_vars

Bases: object

Iterator over lief._lief.PE.ResourceVar

property key str

Signature of the structure. Must be the unicode string “VarFileInfo”

property type int

The type of data in the version resource: * 1 if it contains text data * 0 if it contains binary data

property vars lief.PE.ResourceVarFileInfo.it_vars

Iterator over the embedded variables associated to the structure

Resource Var File Info

class lief.PE.ResourceVarFileInfo

Bases: Object

Representation of the VarFileInfo structure

This structure represents the organization of data in a file-version resource. It contains version information not dependent on a particular language and code page combination.

See: https://learn.microsoft.com/en-us/windows/win32/menurc/varfileinfo

class it_vars

Bases: object

Iterator over lief._lief.PE.ResourceVar

property key str

Signature of the structure. Must be the unicode string “VarFileInfo”

property type int

The type of data in the version resource: * 1 if it contains text data * 0 if it contains binary data

property vars lief.PE.ResourceVarFileInfo.it_vars

Iterator over the embedded variables associated to the structure

Resource Var

class lief.PE.ResourceVar

Bases: object

This class represents an element of the ResourceVarFileInfo structure It typically contains a list of language and code page identifier pairs that the version of the application or DLL supports.

See: https://learn.microsoft.com/en-us/windows/win32/menurc/var-str

property key str

Signature of the structure. Must be the unicode string “Translation”

property type int

The type of data in the version resource: * 1 if it contains text data * 0 if it contains binary data

property values list[int]

Return the translation values.

The low-order word of each uint32_t must contain a Microsoft language identifier, and the high-order word must contain the IBM code page number. Either high-order or low-order word can be zero, indicating that the file is language or code page independent

Resource String Table

class lief.PE.ResourceStringTable

Bases: Object

This class represents the StringTable structure. This structure can be seen as a dictionary of key, values with key and values defined a utf-16 string.

property entries lief.PE.ResourceStringTable.it_entries

Iterator over the different entry_t in this table

class entry_t

Bases: object

An entry in this table which is composed of an UTF-16 key and an UTF-16 value.

property key str
property value str
get(self, key: str) str | None
class it_entries

Bases: object

Iterator over lief._lief.PE.entry_t

property key str

An 8-digit hexadecimal number stored as a Unicode string. The four most significant digits represent the language identifier. The four least significant digits represent the code page for which the data is formatted. Each Microsoft Standard Language identifier contains two parts: the low-order 10 bits specify the major language, and the high-order 6 bits specify the sublanguage.

property type int

The type of data in the version resource: * 1 if it contains text data * 0 if it contains binary data

Resource Accelerator

class lief.PE.ResourceAccelerator

Bases: Object

class FLAGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

From: https://docs.microsoft.com/en-us/windows/win32/menurc/acceltableentry

ALT = 16
CONTROL = 8
END = 128
NOINVERT = 2
SHIFT = 4
VIRTKEY = 1
from_value(arg: int) lief.PE.ResourceAccelerator.FLAGS = <nanobind.nb_func object>
add(self, arg: lief.PE.ResourceAccelerator.FLAGS) lief.PE.ResourceAccelerator

Append the given flag

property ansi int

An ANSI character value or a virtual-key code that identifies the accelerator key.

property ansi_str str
property flags int

Describe the keyboard accelerator characteristics.

has(self, arg: lief.PE.ResourceAccelerator.FLAGS) bool

Whether the entry has the given flag

property id int

An identifier for the keyboard accelerator.

property padding int

The number of bytes inserted to ensure that the structure is aligned on a DWORD boundary.

remove(self, arg: lief.PE.ResourceAccelerator.FLAGS) lief.PE.ResourceAccelerator

Remove the given flag

Rich Header

class lief.PE.RichHeader(self)

Bases: Object

Class which represents the not-so-documented rich header

This structure is usually located at the end of the dos_stub and contains information about the build environment.

It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.

add_entry(*args) None

Overloaded function.

  1. add_entry(self, entry: lief._lief.PE.RichEntry) -> None

Add a new RichEntry

  1. add_entry(self, id: int, build_id: int, count: int) -> None

Add a new RichEntry given its id, build_id, count

copy(self) lief.PE.RichHeader

Duplicate the current instance of this object

property entries lief.PE.RichHeader.it_entries

Return an iterator over the RichEntry within the header

hash(*args) list[int]

Overloaded function.

  1. hash(self, algo: lief._lief.PE.ALGORITHMS) -> list[int]

    Compute the hash of the decoded rich header structure with the given hash ALGORITHMS

  2. hash(self, algo: lief._lief.PE.ALGORITHMS, xor_key: int) -> list[int]

    Compute the hash of the rich header structure encoded with the provided key and the given hash ALGORITHMS

class it_entries

Bases: object

Iterator over lief._lief.PE.RichEntry

property key int

Key used to encode the header (xor operation)

raw(*args) list[int]

Overloaded function.

  1. raw(self) -> list[int]

    The raw structure of the Rich header without xor-encoding.

    This function is equivalent as calling the other raw function with a xor_key set to 0

  2. raw(self, xor_key: int) -> list[int]

    Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.

    You can access the decoded data’s structure with the xor_key set to 0

Rich Entry

class lief.PE.RichEntry(self)
class lief.PE.RichEntry(self, id: int, build_id: int, count: int)

Bases: Object

Class which represents an entry associated to the RichHeader

Overloaded function.

  1. __init__(self) -> None

  2. __init__(self, id: int, build_id: int, count: int) -> None

Contructor from id, build_id and count

property build_id int

Builder number of the tool (if any)

copy(self) lief.PE.RichEntry

Duplicate the current instance of this object

property count int

Occurrence count

property id int

Type of the entry

Debug

Inheritance diagram of lief._lief.PE.VCFeature, lief._lief.PE.Repro, lief._lief.PE.Debug, lief._lief.PE.CodeView, lief._lief.PE.ExDllCharacteristics, lief._lief.PE.FPO, lief._lief.PE.CodeViewPDB, lief._lief.PE.PDBChecksum, lief._lief.PE.Pogo
class lief.PE.Debug(self)

Bases: Object

This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: CodeCodeView)

class TYPES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

The entry types

BORLAND = 9
CLSID = 11
CODEVIEW = 2
COFF = 1
EXCEPTION = 5
EX_DLLCHARACTERISTICS = 20
FIXUP = 6
FPO = 3
ILTCG = 14
MISC = 4
MPX = 15
OMAP_FROM_SRC = 8
OMAP_TO_SRC = 7
PDBCHECKSUM = 19
POGO = 13
REPRO = 16
RESERVED10 = 10
UNKNOWN = 0
VC_FEATURE = 12
from_value(arg: int) lief.PE.Debug.TYPES = <nanobind.nb_func object>
property addressof_rawdata int

Address of the debug data relative to the image base

property characteristics int

Reserved should be 0

copy(self) lief.PE.Debug | None

Duplicate the current instance of this object

property major_version int

The major version number of the debug data format.

property minor_version int

The minor version number of the debug data format.

property payload memoryview

Debug data associated with this entry

property pointerto_rawdata int

File offset of the debug data

property section lief.PE.Section

The section where debug data is located

property sizeof_data int

Size of the debug data

property timestamp int

The time and date when the debug data was created.

property type lief.PE.Debug.TYPES

The format (TYPES) of the debugging information

Code View

Inheritance diagram of lief._lief.PE.CodeViewPDB, lief._lief.PE.CodeView
class lief.PE.CodeView(self)
class lief.PE.CodeView(self, arg: lief._lief.PE.CodeView.SIGNATURES, /)

Bases: Debug

class SIGNATURES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

CV_41 = 959464014
CV_50 = 825311822
PDB_20 = 808534606
PDB_70 = 1396986706
UNKNOWN = 0
from_value(arg: int) lief.PE.CodeView.SIGNATURES = <nanobind.nb_func object>
property cv_signature lief.PE.CodeView.SIGNATURES

Type of the code view (SIGNATURES)

Code View PDB

Inheritance diagram of lief._lief.PE.CodeViewPDB
class lief.PE.CodeViewPDB(self)
class lief.PE.CodeViewPDB(self, filename: str)

Bases: CodeView

CodeView PDB specialization

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, filename: str) -> None

Filename-based constructor

property age int

Age value to verify. The age does not necessarily correspond to any known time value, it is used to determine if a .pdb file is out of sync with a corresponding .exe file.

property filename str | bytes

The path to the .pdb file

property guid str

The GUID signature to verify against the .pdb file signature.

This attribute might be used to lookup remote PDB file on a symbol server

property parent lief.PE.CodeView

Return a reference to the parent lief.PE.CodeView

property signature list[int]

The 32-bit signature to verify against the .pdb file signature.

Code Integrity

class lief.PE.CodeIntegrity(self)

Bases: Object

property catalog int

0xFFFF means not available

property catalog_offset int
property flags int

Flags to indicate if CI information is available, etc.

property reserved int

Additional bitmask to be defined later

Pogo

Inheritance diagram of lief._lief.PE.Pogo
class lief.PE.Pogo(self)

Bases: Debug

class SIGNATURES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

LCTG = 1280590663
PGI = 1346849024
UNKNOWN = 268435455
ZERO = 0
from_value(arg: int) lief.PE.Pogo.SIGNATURES = <nanobind.nb_func object>
property entries lief.PE.Pogo.it_entries
class it_entries

Bases: object

Iterator over lief._lief.PE.PogoEntry

property signature lief.PE.Pogo.SIGNATURES

Type of the pogo (SIGNATURES)

Pogo Entry

class lief.PE.PogoEntry(self)

Bases: Object

copy(self) lief.PE.PogoEntry

Duplicate the current instance of this object

property name str | bytes
property size int
property start_rva int

Repro

Inheritance diagram of lief._lief.PE.Repro
class lief.PE.Repro

Bases: Debug

This class represents a reproducible build entry from the debug directory. (IMAGE_DEBUG_TYPE_REPRO). This entry is usually generated with the undocumented /Brepro linker flag.

See: https://nikhilism.com/post/2020/windows-deterministic-builds/

property hash memoryview

The hash associated with the reproducible build

PDBChecksum

Inheritance diagram of lief._lief.PE.PDBChecksum
class lief.PE.PDBChecksum(self, algo: lief._lief.PE.PDBChecksum.HASH_ALGO, hash: collections.abc.Sequence[int])

Bases: Debug

This class represents the PDB Checksum debug entry which is essentially an array of bytes representing the checksum of the PDB content.

class HASH_ALGO(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

SHA256 = 1
UNKNOWN = 0
property algorithm lief.PE.PDBChecksum.HASH_ALGO

Algorithm used for hashing the PDB content

property hash memoryview

Hash of the PDB content

VCFeature

Inheritance diagram of lief._lief.PE.VCFeature
class lief.PE.VCFeature

Bases: Debug

This class represents the IMAGE_DEBUG_TYPE_VC_FEATURE debug entry

property c_cpp int

Count for C/C++

property gs int

Count for /GS (number of guard stack)

property guards int

Count for /guardN

property pre_vcpp int

Count for Pre-VC++ 11.00

property sdl int

Whether /sdl was enabled for this binary.

sdl stands for Security Development Lifecycle and provides enhanced security features like changing security-relevant warnings into errors or enforcing guard stack.

ExDllCharacteristics

Inheritance diagram of lief._lief.PE.ExDllCharacteristics
class lief.PE.ExDllCharacteristics

Bases: Debug

This class represents the IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS debug entry

class CHARACTERISTICS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

Extended DLL Characteristics

CET_COMPAT = 1
CET_COMPAT_STRICT_MODE = 2
CET_DYNAMIC_APIS_ALLOW_IN_PROC = 8
CET_RESERVED_1 = 16
CET_RESERVED_2 = 32
CET_SET_CONTEXT_IP_VALIDATION_RELAXED_MODE = 4
FORWARD_CFI_COMPAT = 64
HOTPATCH_COMPATIBLE = 128
from_value(arg: int) lief.PE.ExDllCharacteristics.CHARACTERISTICS = <nanobind.nb_func object>
property ex_characteristics lief.PE.ExDllCharacteristics.CHARACTERISTICS

The extended characteristics

property ex_characteristics_list list[lief.PE.ExDllCharacteristics.CHARACTERISTICS]

Characteristics as a vector

has(self, characteristic: lief.PE.ExDllCharacteristics.CHARACTERISTICS) bool

Check if the given CHARACTERISTICS is used

Frame Pointer Omission (FPO)

Inheritance diagram of lief._lief.PE.FPO
class lief.PE.FPO

Bases: Debug

This class represents the IMAGE_DEBUG_TYPE_FPO debug entry

class FRAME_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

FPO = 0
NON_FPO = 3
TRAP = 1
TSS = 2
from_value(arg: int) lief.PE.FPO.FRAME_TYPE = <nanobind.nb_func object>
property entries lief.PE.FPO.it_entries

Iterator over the different FPO entries

class entry_t

Bases: object

Represents the stack frame layout for a x86 function when frame pointer omission (FPO) optimization is used.

property nb_locals int

The number of local variables.

property nb_saved_regs int

Number of registers saved.

property parameters_size int

The size of the parameters.

property proc_size int

The number of bytes in the function.

property prolog_size int

The number of bytes in the function prolog code.

property reserved int

reserved for future use

property rva int

The function RVA

property type lief.PE.FPO.FRAME_TYPE

Variable that indicates the frame type.

property use_bp bool

Whether the EBP register has been allocated.

property use_seh bool

Whether the function uses structured exception handling.

class it_entries

Bases: object

Iterator over lief._lief.PE.entry_t

COFF String

class lief.PE.COFFString

Bases: object

This class represents a string located in the COFF string table.

Some of these strings can be used for section’s name where its lenght is greater than 8 bytes. See: coff_string.

Reference: https://learn.microsoft.com/en-us/windows/win32/debug/pe-format#coff-string-table

property offset int

The offset of this string the in the COFF string table. This offset includes the first 4-bytes that holds the table size

property string str

The actual string

Exception Info

Inheritance diagram of lief._lief.PE.RuntimeFunctionX64, lief._lief.PE.ExceptionInfo, lief._lief.PE.RuntimeFunctionAArch64, lief._lief.PE.unwind_aarch64.UnpackedFunction, lief._lief.PE.unwind_aarch64.PackedFunction
class lief.PE.ExceptionInfo

Bases: object

This class is the base class for any exception or runtime function entry

class ARCH(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Arch discriminator for the subclasses

ARM64 = 1
UNKNOWN = 0
X86_64 = 2
property arch lief.PE.ExceptionInfo.ARCH

Target architecture of this exception

copy(self) lief.PE.ExceptionInfo | None

Duplicate the current instance of this object

property rva_start int

Function start address

RuntimeFunctionX64

Inheritance diagram of lief._lief.PE.RuntimeFunctionX64
class lief.PE.RuntimeFunctionX64

Bases: ExceptionInfo

This class represents an entry in the exception table (.pdata section) for the x86-64 architecture.

Reference: https://learn.microsoft.com/en-us/cpp/build/exception-handling-x64

class UNWIND_FLAGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

CHAIN_INFO = 4
EXCEPTION_HANDLER = 1
TERMINATE_HANDLER = 2
from_value(arg: int) lief.PE.RuntimeFunctionX64.UNWIND_FLAGS = <nanobind.nb_func object>
class UNWIND_OPCODES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ALLOC_LARGE = 1
ALLOC_SMALL = 2
EPILOG = 6
PUSH_MACHFRAME = 10
PUSH_NONVOL = 0
SAVE_NONVOL = 4
SAVE_NONVOL_FAR = 5
SAVE_XMM128 = 8
SAVE_XMM128_FAR = 9
SET_FPREG = 3
SPARE = 7
from_value(arg: int) lief.PE.RuntimeFunctionX64.UNWIND_OPCODES = <nanobind.nb_func object>
class UNWIND_REG(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

R10 = 10
R11 = 11
R12 = 12
R13 = 13
R14 = 14
R15 = 15
R8 = 8
R9 = 9
RAX = 0
RBP = 5
RBX = 3
RCX = 1
RDI = 7
RDX = 2
RSI = 6
RSP = 4
from_value(arg: int) lief.PE.RuntimeFunctionX64.UNWIND_REG = <nanobind.nb_func object>
property rva_end int

Function end address

property size int

Size of the function (in bytes)

property unwind_info lief.PE.RuntimeFunctionX64.unwind_info_t

Detailed unwind information

class unwind_info_t

Bases: object

property chained lief.PE.RuntimeFunctionX64

If lief.PE.UNWIND_FLAGS.CHAIN_INFO is set, this attributes references the chained runtime function.

property count_opcodes int

The number of slots in the unwind codes array. Some unwind codes, for example, lief.PE.RuntimeFunctionX64.UNWIND_OPCODES.SAVE_NONVOL, require more than one slot in the array.

property flags int

See: lief.PE.RuntimeFunctionX64.UNWIND_FLAGS

property frame_reg int

If nonzero, then the function uses a frame pointer (FP), and this field is the number of the nonvolatile register used as the frame pointer, using the same encoding for the operation info field of UNWIND_OPCODES node

property frame_reg_offset int

If the frame register field is nonzero, this field is the scaled offset from RSP that is applied to the FP register when it’s established

property handler int | None

An image-relative pointer to either the function’s language-specific exception or termination handler. This value is set if one of these flags is set: lief.PE.RuntimeFunctionX64.UNWIND_FLAGS.EXCEPTION_HANDLER, lief.PE.UNWIND_FLAGS.TERMINATE_HANDLER.

has(self, arg: lief.PE.RuntimeFunctionX64.UNWIND_FLAGS) bool

Check if the given flag is used

property opcodes list[lief.PE.unwind_x64.Code | None]

Enhanced representation of the unwind code

property raw_opcodes list[int]

An array of items that explains the effect of the prolog on the nonvolatile registers and RSP

property sizeof_prologue int

Length of the function prolog in bytes.

property version int

Version number of the unwind data, currently 1 or 2.

property unwind_rva int

Unwind info address

unwind_x64 - Code

Inheritance diagram of lief._lief.PE.unwind_x64.SetFPReg, lief._lief.PE.unwind_x64.PushMachFrame, lief._lief.PE.unwind_x64.Epilog, lief._lief.PE.unwind_x64.Alloc, lief._lief.PE.unwind_x64.SaveXMM128, lief._lief.PE.unwind_x64.PushNonVol, lief._lief.PE.unwind_x64.Code, lief._lief.PE.unwind_x64.SaveNonVolatile, lief._lief.PE.unwind_x64.Spare
class lief.PE.unwind_x64.Code

Bases: object

Base class for all unwind operations

property opcode lief.PE.RuntimeFunctionX64.UNWIND_OPCODES

The original opcode

property position int

Offset in the prolog

unwind_x64 - Alloc

Inheritance diagram of lief._lief.PE.unwind_x64.Alloc
class lief.PE.unwind_x64.Alloc

Bases: Code

This class represents a stack-allocation operation (lief.PE.RuntimeFunctionX64.UNWIND_OPCODES.ALLOC_SMALL, lief.PE.RuntimeFunctionX64.UNWIND_OPCODES.ALLOC_LARGE)

property size int

The size allocated

unwind_x64 - PushNonVol

Inheritance diagram of lief._lief.PE.unwind_x64.PushNonVol
class lief.PE.unwind_x64.PushNonVol

Bases: Code

Push a nonvolatile integer register, decrementing RSP by 8

property reg lief.PE.RuntimeFunctionX64.UNWIND_REG

The register pushed

unwind_x64 - PushMachFrame

Inheritance diagram of lief._lief.PE.unwind_x64.PushMachFrame
class lief.PE.unwind_x64.PushMachFrame

Bases: Code

Push a machine frame

property value int

0 or 1

unwind_x64 - SetFPReg

Inheritance diagram of lief._lief.PE.unwind_x64.SetFPReg
class lief.PE.unwind_x64.SetFPReg

Bases: Code

Establish the frame pointer register by setting the register to some offset of the current RSP

property reg lief.PE.RuntimeFunctionX64.UNWIND_REG

Frame pointer register

unwind_x64 - SaveNonVolatile

Inheritance diagram of lief._lief.PE.unwind_x64.SaveNonVolatile
class lief.PE.unwind_x64.SaveNonVolatile

Bases: Code

Save a nonvolatile integer register on the stack using a MOV instead of a PUSH.

property offset int

The offset where to save the register

property reg lief.PE.RuntimeFunctionX64.UNWIND_REG

The register to save

unwind_x64 - SaveXMM128

Inheritance diagram of lief._lief.PE.unwind_x64.SaveXMM128
class lief.PE.unwind_x64.SaveXMM128

Bases: Code

Save all 128 bits of a nonvolatile XMM register on the stack

property num int

XMM register number

property offset int

The offset where to save the register

unwind_x64 - Epilog

Inheritance diagram of lief._lief.PE.unwind_x64.Epilog
class lief.PE.unwind_x64.Epilog

Bases: Code

Describes the function’s epilog

property flags int
property size int

Size of the epilog

unwind_x64 - Spare

Inheritance diagram of lief._lief.PE.unwind_x64.Spare
class lief.PE.unwind_x64.Spare

Bases: Code

RuntimeFunctionAArch64

Inheritance diagram of lief._lief.PE.unwind_aarch64.UnpackedFunction, lief._lief.PE.unwind_aarch64.PackedFunction, lief._lief.PE.RuntimeFunctionAArch64
class lief.PE.RuntimeFunctionAArch64

Bases: ExceptionInfo

This class represents an entry in the exception table (.pdata section) for the AArch64 architecture.

Since the ARM64 unwinding info can be encoded in a packed and unpacked format, this class is inherited by lief.PE.unwind_aarch64.PackedFunction and lief.pe.unwind_aarch64.UnpackedFunction

Reference: https://learn.microsoft.com/en-us/cpp/build/arm64-exception-handling#arm64-exception-handling-information

class PACKED_FLAGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

PACKED = 1
PACKED_FRAGMENT = 2
RESERVED = 3
UNPACKED = 0
property flag lief.PE.RuntimeFunctionAArch64.PACKED_FLAGS

Flag describing the format the unwind data

property length int

Length of the function in bytes

property rva_end int

Function end address

Runtime AArch64 (Packed) Function

Inheritance diagram of lief._lief.PE.unwind_aarch64.PackedFunction
class lief.PE.unwind_aarch64.PackedFunction

Bases: RuntimeFunctionAArch64

This class represents a packed AArch64 exception entry.

An exception entry can be packed if the unwind data fit in 30 bits

Reference: https://learn.microsoft.com/en-us/cpp/build/arm64-exception-handling?view=msvc-170#packed-unwind-data

property CR int

Flag indicating whether the function includes extra instructions to set up a frame chain and return link.

property H int

1-bit flag indicating whether the function homes the integer parameter registers (x0-x7) by storing them at the very start of the function. (0 = doesn’t home registers, 1 = homes registers).

property frame_size int

Size of the allocated stack

property reg_F int

Number of non-volatile FP registers (d8-d15) saved in the canonical stack location

property reg_I int

Number of non-volatile INT registers (x19-x28) saved in the canonical stack location.

Runtime AArch64 (UnpackedFunction) Function

Inheritance diagram of lief._lief.PE.unwind_aarch64.UnpackedFunction
class lief.PE.unwind_aarch64.UnpackedFunction

Bases: RuntimeFunctionAArch64

This class represents an unpacked AArch64 exception entry

Reference: https://learn.microsoft.com/en-us/cpp/build/arm64-exception-handling?view=msvc-170#xdata-records

property E int

1-bit field that indicates that information describing a single epilog is packed into the header (1) rather than requiring more scope words later (0).

property X int

1-bit field that indicates the presence (1) or absence (0) of exception data.

property code_words int

Number of 32-bit words needed to contain all of the unwind codes

property epilog_count int

If E == 0, specifies the count of the total number of epilog scopes. Otherwise, return 0.

property epilog_offset int

If E() == 1, index of the first unwind code that describes the one and only epilog.

class epilog_scope_t

Bases: object

This strucure describes an epilog scope.

property reserved int

Reserved for future expansion. Should be 0.

property start_index int

Byte index of the first unwind code that describes this epilog

property start_offset int

Offset of the epilog relatives to the start of the function

property epilog_scopes lief.PE.unwind_aarch64.UnpackedFunction.it_epilog_scopes

Iterator over the epilog scopes

property exception_handler int

Exception handler RVA (if any)

class it_epilog_scopes

Bases: object

Iterator over lief._lief.PE.unwind_aarch64.epilog_scope_t

property unwind_code memoryview

Bytes that contain unwind codes

property version int

Describes the version of the remaining .xdata.

Currently (2025-01-04), only version 0 is defined, so values of 1-3 aren’t permitted.

property xdata_rva int

RVA where this unpacked data is located (usually pointing in .xdata)

Load Configuration

class lief.PE.LoadConfiguration

Bases: Object

This class represents the load configuration data associated with the IMAGE_LOAD_CONFIG_DIRECTORY.

This structure is frequently updated by Microsoft to add new metadata.

Reference: https://github.com/MicrosoftDocs/sdk-api/blob/cbeab4d371e8bc7e352c4d3a4c5819caa08c6a1c/sdk-api-src/content/winnt/ns-winnt-image_load_config_directory64.md#L2

class IMAGE_GUARD(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Flag

CFW_INSTRUMENTED = 512
CF_ENABLE_EXPORT_SUPPRESSION = 32768
CF_EXPORT_SUPPRESSION_INFO_PRESENT = 16384
CF_FUNCTION_TABLE_PRESENT = 1024
CF_INSTRUMENTED = 256
CF_LONGJUMP_TABLE_PRESENT = 65536
DELAYLOAD_IAT_IN_ITS_OWN_SECTION = 8192
EH_CONTINUATION_TABLE_PRESENT = 4194304
NONE = 0
PROTECT_DELAYLOAD_IAT = 4096
RETPOLINE_PRESENT = 1048576
RF_ENABLE = 262144
RF_INSTRUMENTED = 131072
RF_STRICT = 524288
from_value(arg: int) lief.PE.LoadConfiguration.IMAGE_GUARD = <nanobind.nb_func object>
property cast_guard_os_determined_failure_mode int | None
property characteristics int

Characteristics of the structure which is defined by its size

property chpe_metadata lief.PE.CHPEMetadata

Compiled Hybrid Portable Executable (CHPE) metadata (if any)

property chpe_metadata_pointer int | None

VA to the extra Compiled Hybrid Portable Executable (CHPE) metadata.

property code_integrity lief.PE.CodeIntegrity

Code integrity information.

copy(self) lief.PE.LoadConfiguration

Duplicate the current instance of this object

property critical_section_default_timeout int

The critical section default time-out value.

property csd_version int

The service pack version.

property decommit_free_block_threshold int

The size of the minimum block that must be freed before it is freed (de-committed), in bytes. This value is advisory.

property decommit_total_free_threshold int

The size of the minimum total memory that must be freed in the process heap before it is freed (de-committed), in bytes. This value is advisory.

property dependent_load_flags int

Alias for reserved1.

The default load flags used when the operating system resolves the statically linked imports of a module. For more information, see LoadLibraryEx.

property dynamic_relocations lief.PE.LoadConfiguration.it_dynamic_relocations_t
property dynamic_value_reloc_table int | None

VA pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE

property dynamic_value_reloctable_offset int | None

Offset of dynamic relocation table relative to the relocation table

property dynamic_value_reloctable_section int | None

The section index of the dynamic value relocation table

property editlist int

Reserved for use by the system.

property enclave_config lief.PE.EnclaveConfiguration
property enclave_configuration_ptr int | None
property global_flags_clear int

The global flags that control system behavior. For more information, see Gflags.exe.

property global_flags_set int

The global flags that control system behavior. For more information, see Gflags.exe.

property guard_address_taken_iat_entries lief.PE.LoadConfiguration.it_guard_functions

List of RVA pointed by guard_address_taken_iat_entry_table

property guard_address_taken_iat_entry_count int | None

The count of unique RVAs in the table pointed by guard_address_taken_iat_entry_table.

property guard_address_taken_iat_entry_table int | None

The VA where Control Flow Guard address taken IAT table is stored.

property guard_cf_check_function_pointer int | None

The VA where Control Flow Guard check-function pointer is stored.

property guard_cf_dispatch_function_pointer int | None

The VA where Control Flow Guard dispatch-function pointer is stored.

property guard_cf_flags_list list[lief.PE.LoadConfiguration.IMAGE_GUARD]

List of flags

property guard_cf_function_count int | None

The count of unique RVAs in the guard_cf_function_table table.

property guard_cf_function_table int | None

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

property guard_cf_functions lief.PE.LoadConfiguration.it_guard_functions

Iterator over the Control Flow Guard functions referenced by guard_cf_function_table

property guard_eh_continuation_count int | None
property guard_eh_continuation_functions lief.PE.LoadConfiguration.it_guard_functions

List of RVA pointed by guard_eh_continuation_table

property guard_eh_continuation_table int | None
property guard_flags int | None

Control Flow Guard related flags.

class guard_function_t

Bases: object

property extra int
property rva int
property guard_long_jump_target_count int | None

The count of unique RVAs in the table pointed by guard_long_jump_target_table.

property guard_long_jump_target_table int | None

The VA where Control Flow Guard long jump target table is stored.

property guard_long_jump_targets lief.PE.LoadConfiguration.it_guard_functions

List of RVA pointed by guard_long_jump_target_table

property guard_memcpy_function_pointer int | None
property guard_rf_failure_routine int | None

VA of the failure routine

property guard_rf_failure_routine_function_pointer int | None

VA of the failure routine fptr.

property guard_rf_verify_stackpointer_function_pointer int | None

VA of the Function verifying the stack pointer

property guard_xfg_check_function_pointer int | None
property guard_xfg_dispatch_function_pointer int | None
property guard_xfg_table_dispatch_function_pointer int | None
has(self, arg: lief.PE.LoadConfiguration.IMAGE_GUARD) bool

Check if the given flag is present

property hotpatch_table_offset int | None

Offset to the hotpatch table

property hybrid_metadata_pointer int | None

Alias for chpe_metadata_pointer.

class it_dynamic_relocations_t

Bases: object

Iterator over lief._lief.PE.DynamicRelocation

class it_guard_functions

Bases: object

Iterator over lief._lief.PE.guard_function_t

property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used. These will be replaced by NOP on single-processor systems. This member is available only for x86.

property major_version int

Major version

property maximum_allocation_size int

The maximum allocation size, in bytes. This member is obsolete and is used only for debugging purposes.

property minor_version int

Minor version

property process_affinity_mask int

The process affinity mask. For more information, see GetProcessAffinityMask. This member is available only for .exe files.

property process_heap_flags int

The process heap flags. For more information, see HeapCreate.

property reserved1 int

See: dependent_load_flags

property reserved2 int | None

Must be 0

property reserved3 int | None
property se_handler_count int | None

The count of unique handlers in the table. This member is available only for x86.

property se_handler_table int | None

The VA of the sorted table of RVAs of each valid, unique handler in the image. This member is available only for x86.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property seh_functions list[int]

Return the list of the function RVA in the SEH table (if any)

property size int

Size of the current structure

property timedatestamp int

The date and time stamp value

property virtual_memory_threshold int

The maximum block size that can be allocated from heap segments, in bytes.

property volatile_metadata lief.PE.VolatileMetadata
property volatile_metadata_pointer int | None

CHPEMetadata

Inheritance diagram of lief._lief.PE.CHPEMetadataX86, lief._lief.PE.CHPEMetadataARM64, lief._lief.PE.CHPEMetadata
class lief.PE.CHPEMetadata

Bases: object

Base class for any Compiled Hybrid Portable Executable (CHPE) metadata.

This class is inherited by architecture-specific implementation.

class KIND(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Discriminator for the subclasses

ARM64 = 1
UNKNOWN = 0
X86 = 2
copy(self) lief.PE.CHPEMetadata | None

Duplicate the current instance of this object

property kind lief.PE.CHPEMetadata.KIND

Determine the type of the concrete implementation

property version int

Version of the structure

CHPEMetadata (ARM64)

Inheritance diagram of lief._lief.PE.CHPEMetadataARM64
class lief.PE.CHPEMetadataARM64

Bases: CHPEMetadata

This class represents hybrid metadata for ARM64EC or ARM64X.

property alternate_entry_point int
property auxiliary_delay_import int
property auxiliary_delay_import_copy int
property auxiliary_iat int
property auxiliary_iat_copy int
property bitfield_info int
property code_map int
property code_map_count int
property code_ranges lief.PE.CHPEMetadataARM64.it_range_entries
property code_ranges_to_entry_points_count int
property code_ranges_to_entrypoints int
property extra_rfe_table int
property extra_rfe_table_size int
property get_x64_information_function_pointer int
class it_range_entries

Bases: object

Iterator over lief._lief.PE.range_entry_t

class it_redirection_entries

Bases: object

Iterator over lief._lief.PE.redirection_entry_t

property os_arm64x_dispatch_call int
property os_arm64x_dispatch_call_no_redirect int
property os_arm64x_dispatch_fptr int
property os_arm64x_dispatch_icall int
property os_arm64x_dispatch_icall_cfg int
property os_arm64x_dispatch_ret int
class range_entry_t

Bases: object

Structure that describes architecture-specific ranges

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

AMD64 = 2
ARM64 = 0
ARM64EC = 1
property end int

End of the range (RVA)

property length int

Range’s length

property start int

Start of the range (RVA)

property start_offset int

Raw data (include start RVA and type

property type lief.PE.CHPEMetadataARM64.range_entry_t.TYPE

Architecture for this range

class redirection_entry_t

Bases: object

Structure that describes a redirection

property dst int
property src int
property redirection_metadata int
property redirection_metadata_count int
property redirections lief.PE.CHPEMetadataARM64.it_redirection_entries
property set_x64_information_function_pointer int

CHPEMetadata (X86)

Inheritance diagram of lief._lief.PE.CHPEMetadataX86
class lief.PE.CHPEMetadataX86

Bases: CHPEMetadata

This class represents hybrid metadata for X86.

property chpe_code_address_range_count int
property chpe_code_address_range_offset int
property compiler_iat_pointer int | None
property wowa64_dispatch_call_function_pointer int
property wowa64_dispatch_indirect_call_cfg_function_pointer int
property wowa64_dispatch_indirect_call_function_pointer int
property wowa64_dispatch_jump_function_pointer int
property wowa64_dispatch_ret_function_pointer int
property wowa64_dispatch_ret_leaf_function_pointer int
property wowa64_exception_handler_function_pointer int
property wowa64_rdtsc_function_pointer int | None

DynamicRelocation

Inheritance diagram of lief._lief.PE.DynamicRelocationV1, lief._lief.PE.DynamicRelocation, lief._lief.PE.DynamicRelocationV2
class lief.PE.DynamicRelocation

Bases: object

This is the base class for any IMAGE_DYNAMIC_RELOCATION32, IMAGE_DYNAMIC_RELOCATION32_V2, IMAGE_DYNAMIC_RELOCATION64, IMAGE_DYNAMIC_RELOCATION64_V2 dynamic relocations.

class IMAGE_DYNAMIC_RELOCATION(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Special symbol values as defined in link.exe - GetDVRTSpecialSymbolName

RELOCATION_ARM64X = 6
RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER = 8
RELOCATION_FUNCTION_OVERRIDE = 7
RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER = 3
RELOCATION_GUARD_INDIR_CONTROL_TRANSFER = 4
RELOCATION_GUARD_RF_EPILOGUE = 2
RELOCATION_GUARD_RF_PROLOGUE = 1
RELOCATION_GUARD_SWITCHTABLE_BRANCH = 5
from_value(arg: int) lief.PE.DynamicRelocation.IMAGE_DYNAMIC_RELOCATION = <nanobind.nb_func object>
copy(self) lief.PE.DynamicRelocation | None

Duplicate the current instance of this object

property fixups lief.PE.DynamicFixup

Return fixups information, where the interpretation may depend on the symbol’s value

property symbol int

Symbol address. Some values have a special meaning (c.f. IMAGE_DYNAMIC_RELOCATION) and define how fixups are encoded.

property version int

Version of the structure

DynamicRelocationV1

Inheritance diagram of lief._lief.PE.DynamicRelocationV1
class lief.PE.DynamicRelocationV1

Bases: DynamicRelocation

This class represents a dynamic relocation (IMAGE_DYNAMIC_RELOCATION32 or IMAGE_DYNAMIC_RELOCATION64).

DynamicRelocationV2

Inheritance diagram of lief._lief.PE.DynamicRelocationV2
class lief.PE.DynamicRelocationV2

Bases: DynamicRelocation

This class represents a dynamic relocation (IMAGE_DYNAMIC_RELOCATION64_V2 or IMAGE_DYNAMIC_RELOCATION32_V2)

DynamicFixup

Inheritance diagram of lief._lief.PE.DynamicFixupARM64X, lief._lief.PE.DynamicFixupGeneric, lief._lief.PE.DynamicFixupUnknown, lief._lief.PE.DynamicFixup, lief._lief.PE.FunctionOverride, lief._lief.PE.DynamicFixupControlTransfer, lief._lief.PE.DynamicFixupARM64Kernel
class lief.PE.DynamicFixup

Bases: object

This is the base class for any fixups located in DynamicRelocation

class KIND(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

ARM64X = 2
ARM64_KERNEL_IMPORT_CALL_TRANSFER = 4
FUNCTION_OVERRIDE = 3
GENERIC = 1
UNKNOWN = 0
from_value(arg: int) lief.PE.DynamicFixup.KIND = <nanobind.nb_func object>
copy(self) lief.PE.DynamicFixup | None

Duplicate the current instance of this object

property kind lief.PE.DynamicFixup.KIND

Encoding of the fixups

DynamicFixupControlTransfer

Inheritance diagram of lief._lief.PE.DynamicFixupControlTransfer
class lief.PE.DynamicFixupControlTransfer

Bases: DynamicFixup

This class wraps fixups associated with the (special) symbol value: IMAGE_DYNAMIC_RELOCATION_GUARD_IMPORT_CONTROL_TRANSFER (3).

NO_IAT_INDEX = 32767
class it_relocations

Bases: object

Iterator over lief._lief.PE.reloc_entry_t

class reloc_entry_t

Bases: object

Mirror IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION

property iat_index int

IAT index of the corresponding import. 0x7FFF is a special value indicating no index.

property is_call bool

True if target instruction is a call, false otherwise

property rva int

RVA to the instruction

property relocations lief.PE.DynamicFixupControlTransfer.it_relocations

Iterator over the relocations

DynamicFixupARM64Kernel

Inheritance diagram of lief._lief.PE.DynamicFixupARM64Kernel
class lief.PE.DynamicFixupARM64Kernel

Bases: DynamicFixup

This class wraps fixups associated with the (special) symbol value: IMAGE_DYNAMIC_RELOCATION_ARM64_KERNEL_IMPORT_CALL_TRANSFER (8).

class IMPORT_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

DELAYED = 1
STATIC = 0
NO_IAT_INDEX = 32767
class it_relocations

Bases: object

Iterator over lief._lief.PE.reloc_entry_t

class reloc_entry_t

Bases: object

Mirror IMAGE_IMPORT_CONTROL_TRANSFER_ARM64_RELOCATION

property iat_index int

IAT index of the corresponding import. 0x7FFF is a special value indicating no index.

property import_type lief.PE.DynamicFixupARM64Kernel.IMPORT_TYPE

See: IMPORT_TYPE

property indirect_call bool

True if target instruction is a blr, false if it’s a br.

property register_index int

Register index used for the indirect call/jump. For instance, if the instruction is br x3, this index is set to 3

property rva int

RVA to the call instruction

property relocations lief.PE.DynamicFixupARM64Kernel.it_relocations

Iterator over the relocations

DynamicFixupARM64X

Inheritance diagram of lief._lief.PE.DynamicFixupARM64X
class lief.PE.DynamicFixupARM64X

Bases: DynamicFixup

This class represents IMAGE_DYNAMIC_RELOCATION_ARM64X

class FIXUP_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

DELTA = 2
VALUE = 1
ZEROFILL = 0
from_value(arg: int) lief.PE.DynamicFixupARM64X.FIXUP_TYPE = <nanobind.nb_func object>
class it_relocations

Bases: object

Iterator over lief._lief.PE.reloc_entry_t

class reloc_entry_t

Bases: object

property raw_bytes list[int]

If the type is class:~.FIXUP_TYPE.VALUE, the bytes associated with the fixup.

property rva int

RVA where the fixup takes place

property size int

Size of the value to patch

property type lief.PE.DynamicFixupARM64X.FIXUP_TYPE

Fixup’s kind

property value int

If the type is class:~.FIXUP_TYPE.DELTA, the (signed) value

property relocations lief.PE.DynamicFixupARM64X.it_relocations

Iterator over the different fixup entries

DynamicFixupGeneric

Inheritance diagram of lief._lief.PE.DynamicFixupGeneric
class lief.PE.DynamicFixupGeneric

Bases: DynamicFixup

This class represents a generic entry where the fixups are regular relocations (lief.PE.Relocation)

class it_relocations

Bases: object

Iterator over lief._lief.PE.Relocation

property relocations lief.PE.DynamicFixupGeneric.it_relocations

Iterator over the relocations

DynamicFixupUnknown

Inheritance diagram of lief._lief.PE.DynamicFixupUnknown
class lief.PE.DynamicFixupUnknown

Bases: DynamicFixup

This class represents an special dynamic relocation where the format of the fixups is not supported by LIEF.

property payload memoryview

Raw fixups

FunctionOverride

Inheritance diagram of lief._lief.PE.FunctionOverride
class lief.PE.FunctionOverride

Bases: DynamicFixup

This class represents IMAGE_DYNAMIC_RELOCATION_FUNCTION_OVERRIDE

property bdd_info lief.PE.FunctionOverride.it_bdd_info

Iterator over the BDD info

find_bdd_info(*args) lief.PE.FunctionOverride.image_bdd_info_t

Overloaded function.

  1. find_bdd_info(self, arg: int, /) -> lief._lief.PE.FunctionOverride.image_bdd_info_t

Find the IMAGE_BDD_INFO at the given offset

  1. find_bdd_info(self, arg: lief._lief.PE.FunctionOverrideInfo, /) -> lief._lief.PE.FunctionOverride.image_bdd_info_t

Find the IMAGE_BDD_INFO associated with the given function override info

property func_overriding_info lief.PE.FunctionOverride.it_func_overriding_info

Iterator over the overriding info

class image_bdd_dynamic_relocation_t

Bases: object

Mirror IMAGE_BDD_DYNAMIC_RELOCATION

property left int
property right int
property value int
class image_bdd_info_t

Bases: object

Mirror IMAGE_BDD_INFO

property original_offset int
property original_size int
property payload list[int]
property relocations list[lief.PE.FunctionOverride.image_bdd_dynamic_relocation_t]
property version int
class it_bdd_info

Bases: object

Iterator over lief._lief.PE.image_bdd_info_t

class it_func_overriding_info

Bases: object

Iterator over lief._lief.PE.FunctionOverrideInfo

FunctionOverrideInfo

class lief.PE.FunctionOverrideInfo

Bases: object

property base_reloc_size int

Size in bytes taken by BaseRelocs

property bdd_offset int

Offset into the BDD region

property functions_rva list[int]
class it_relocations

Bases: object

Iterator over lief._lief.PE.Relocation

property original_rva int

RVA of original function

property relocations lief.PE.DynamicFixupGeneric.it_relocations
property rva_size int

Size in bytes taken by RVAs

EnclaveConfiguration

class lief.PE.EnclaveConfiguration

Bases: object

This class represents the enclave configuration

property enclave_flags int

A flag that indicates whether the image is suitable for use as the primary image in the enclave.

property enclave_size int

The expected virtual size of the private address range for the enclave, in bytes.

property family_id list[int]

The family identifier that the author of the enclave assigned to the enclave.

property image_id list[int]

The image identifier that the author of the enclave assigned to the enclave.

property image_version int

The version number that the author of the enclave assigned to the enclave.

property import_entry_size int

The size of each image in the array of images that the import_list_rva member points to.

property import_list_rva int

The RVA of the array of images that the enclave image may import, with identity information for each image.

property imports lief.PE.EnclaveConfiguration.it_imports

Iterator over the enclave’s imports

property is_debuggable bool

Whether this enclave can be debugged

class it_imports

Bases: object

Iterator over lief._lief.PE.EnclaveImport

property min_required_config_size int

The minimum size of the IMAGE_ENCLAVE_CONFIG(32,64) structure that the image loader must be able to process in order for the enclave to be usable.

This member allows an enclave to inform an earlier version of the image loader that the image loader can safely load the enclave and ignore optional members added to IMAGE_ENCLAVE_CONFIG(32,64) for later versions of the enclave. If the size of IMAGE_ENCLAVE_CONFIG(32,64) that the image loader can process is less than MinimumRequiredConfigSize, the enclave cannot be run securely.

If MinimumRequiredConfigSize is zero, the minimum size of the IMAGE_ENCLAVE_CONFIG(32,64) structure that the image loader must be able to process in order for the enclave to be usable is assumed to be the size of the structure through and including the MinimumRequiredConfigSize member.

property nb_imports int

The number of images in the array of images that the import_list_rva member points to.

property nb_threads int

The maximum number of threads that can be created within the enclave.

property policy_flags int

A flag that indicates whether the enclave permits debugging.

property security_version int

The security version number that the author of the enclave assigned to the enclave.

property size int

The size of the IMAGE_ENCLAVE_CONFIG64/IMAGE_ENCLAVE_CONFIG32 structure, in bytes.

EnclaveImport

class lief.PE.EnclaveImport

Bases: object

Defines an entry in the array of images that an enclave can import.

class TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

AUTHOR_ID = 2
FAMILY_ID = 3
IMAGE_ID = 4
NONE = 0
UNIQUE_ID = 1
property family_id list[int]

The family identifier of the primary module for the enclave.

property id list[int]

The unique identifier of the primary module for the enclave, if the type is UNIQUE_ID. Otherwise, the author identifier of the primary module for the enclave.

property image_id list[int]

The image identifier of the primary module for the enclave.

property import_name str

Resolved import name

property import_name_rva int

The relative virtual address of a NULL-terminated string that contains the same value found in the import directory for the image.

property min_security_version int

The minimum enclave security version that each image must have for the image to be imported successfully. The image is rejected unless its enclave security version is equal to or greater than the minimum value in the import record. Set the value in the import record to zero to turn off the security version check.

property reserved int

Reserved. Should be 0

property type lief.PE.EnclaveImport.TYPE

The type of identifier of the image that must match the value in the import record.

Volatile Metadata

class lief.PE.VolatileMetadata

Bases: object

This class represents volatile metadata which can be enabled at link time with /volatileMetadata.

This metadata aims to improve performances when running x64 code on ARM64.

property access_table list[int]
property access_table_rva int
property access_table_size int
property info_range_rva int
property info_ranges lief.PE.VolatileMetadata.it_info_ranges_t
property info_ranges_size int
class it_info_ranges_t

Bases: object

Iterator over lief._lief.PE.range_t

property max_version int
property min_version int
class range_t

Bases: object

property end int
property size int
property start int
property size int

Utilities

lief.is_pe(*args) bool
lief.is_pe(raw: collections.abc.Sequence[int]) bool

Overloaded function.

  1. is_pe(file: str) -> bool

Check if the given file is a PE

  1. is_pe(raw: collections.abc.Sequence[int]) -> bool

Check if the given raw data is a PE

lief.PE.get_type(*args) lief.PE.PE_TYPE | lief.lief_errors
lief.PE.get_type(raw: collections.abc.Sequence[int]) lief._lief.PE.PE_TYPE | lief._lief.lief_errors

Overloaded function.

  1. get_type(file: str) -> Union[lief._lief.PE.PE_TYPE, lief._lief.lief_errors]

    If the input file is a a valid PE, return the PE_TYPE. Otherwise, return a lief.lief_errors.

  2. get_type(raw: collections.abc.Sequence[int]) -> Union[lief._lief.PE.PE_TYPE, lief._lief.lief_errors]

lief.PE.get_imphash(binary: lief.PE.Binary, mode: lief.PE.IMPHASH_MODE) str

Compute the hash of imported functions

Properties of the hash generated:

  • Order agnostic

  • Casse agnostic

  • Ordinal (in some extent) agnostic

If one needs the same output as Virus Total (i.e. pefile), you can use PEFILE as second parameter.

Warning

The algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation

See also

https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

class lief.PE.IMPHASH_MODE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

Enum to define the behavior of get_imphash()

DEFAULT = 0
LIEF = 0
PEFILE = 1
VT = 1
lief.PE.resolve_ordinals(imp: lief.PE.Import, strict: bool, use_std: bool) lief.PE.Import | lief.lief_errors

Take a Import as input and try to resolve its ordinal imports.

If the strict boolean parameter is set, a lief.lief_errors.not_found error is returned upon the first non-resolvable ordinal.

Enums

PE_TYPE

class lief.PE.PE_TYPE(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

PE32 = 267
PE32_PLUS = 523
from_value(arg: int) lief.PE.PE_TYPE = <nanobind.nb_func object>

RESOURCE_LANGS

class lief.PE.RESOURCE_LANGS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

AFRIKAANS = 54
ALBANIAN = 28
ARABIC = 1
ARMENIAN = 43
ASSAMESE = 77
AZERI = 44
BANGLA = 69
BASQUE = 45
BELARUSIAN = 35
BOSNIAN = 26
BRETON = 147
BULGARIAN = 2
CATALAN = 3
CHINESE = 4
CORNISH = 145
CROATIAN = 26
CZECH = 5
DANISH = 6
DIVEHI = 101
DUTCH = 19
ENGLISH = 9
ESPERANTO = 143
ESTONIAN = 37
FAEROESE = 56
FARSI = 41
FINNISH = 11
FRENCH = 12
GAELIC = 60
GALICIAN = 86
GEORGIAN = 55
GERMAN = 7
GREEK = 8
GUJARATI = 71
HEBREW = 13
HINDI = 57
HUNGARIAN = 14
ICELANDIC = 15
INDONESIAN = 33
INUKTITUT = 93
INVARIANT = 127
IRISH = 60
ITALIAN = 16
JAPANESE = 17
KANNADA = 75
KASHMIRI = 96
KAZAK = 63
KONKANI = 87
KOREAN = 18
KYRGYZ = 64
LATVIAN = 38
LITHUANIAN = 39
LOWER_SORBIAN = 46
MACEDONIAN = 47
MALAY = 62
MALAYALAM = 76
MALTESE = 58
MANIPURI = 88
MAORI = 40
MARATHI = 78
MONGOLIAN = 80
NEPALI = 97
NEUTRAL = 0
NORWEGIAN = 20
ORIYA = 72
POLISH = 21
PORTUGUESE = 22
PULAR = 103
PUNJABI = 70
QUECHUA = 107
RHAETO_ROMANCE = 23
ROMANIAN = 24
RUSSIAN = 25
SAMI = 59
SANSKRIT = 79
SERBIAN = 26
SINDHI = 89
SLOVAK = 27
SLOVENIAN = 36
SORBIAN = 46
SPANISH = 10
SUTU = 48
SWAHILI = 65
SWEDISH = 29
SYRIAC = 90
TAMAZIGHT = 95
TAMIL = 73
TATAR = 68
TELUGU = 74
THAI = 30
TIGRINYA = 115
TSONGA = 49
TSWANA = 50
TURKISH = 31
UKRAINIAN = 34
URDU = 32
UZBEK = 67
VALENCIAN = 3
VENDA = 51
VIETNAMESE = 42
WALON = 144
WELSH = 146
XHOSA = 52
ZULU = 53
from_value(arg: int) lief.PE.RESOURCE_LANGS = <nanobind.nb_func object>

ACCELERATOR_CODES

class lief.PE.ACCELERATOR_CODES(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

A = 65
ACCEPT = 30
ADD = 107
APPS = 93
ATTN = 246
B = 66
BACK = 8
BROWSER_BACK = 166
BROWSER_FAVORITES = 171
BROWSER_FORWARD = 167
BROWSER_HOME = 172
BROWSER_REFRESH = 168
BROWSER_STOP = 169
C = 67
CANCEL = 3
CAPITAL = 20
CLEAR = 12
CONTROL = 17
CONVERT = 28
CRSEL = 247
D = 68
DECIMAL = 110
DELETE_K = 46
DIVIDE = 111
DOWN = 40
E = 69
END = 35
EREOF = 249
ESCAPE = 27
EXECUTE = 43
EXSEL = 248
F = 70
F1 = 112
F10 = 121
F11 = 122
F12 = 123
F13 = 124
F14 = 125
F15 = 126
F16 = 127
F17 = 128
F18 = 129
F19 = 130
F2 = 113
F20 = 131
F21 = 132
F22 = 133
F23 = 134
F24 = 135
F3 = 114
F4 = 115
F5 = 116
F6 = 117
F7 = 118
F8 = 119
F9 = 120
FINAL = 24
G = 71
H = 72
HELP = 47
HOME = 36
I = 73
IME_OFF = 26
IME_ON = 22
INSERT = 45
J = 74
JUNJA = 23
K = 75
KANA = 21
KANJI = 25
L = 76
LAUNCH_APP1 = 182
LAUNCH_APP2 = 183
LAUNCH_MAIL = 180
LAUNCH_MEDIA_SELECT = 181
LBUTTON = 1
LCONTROL = 162
LEFT = 37
LMENU = 164
LSHIFT = 160
LWIN = 91
M = 77
MBUTTON = 4
MEDIA_NEXT_TRACK = 176
MEDIA_PLAY_PAUSE = 179
MEDIA_PREV_TRACK = 177
MEDIA_STOP = 178
MENU = 18
MODECHANGE = 31
MULTIPLY = 106
N = 78
NEXT = 34
NONAME = 252
NONCONVERT = 29
NUMLOCK = 144
NUMPAD0 = 96
NUMPAD1 = 97
NUMPAD2 = 98
NUMPAD3 = 99
NUMPAD4 = 100
NUMPAD5 = 101
NUMPAD6 = 102
NUMPAD7 = 103
NUMPAD8 = 104
NUMPAD9 = 105
NUM_0 = 48
NUM_1 = 49
NUM_2 = 50
NUM_3 = 51
NUM_4 = 52
NUM_5 = 53
NUM_6 = 54
NUM_7 = 55
NUM_8 = 56
NUM_9 = 57
O = 79
OEM_1 = 186
OEM_102 = 226
OEM_2 = 191
OEM_4 = 219
OEM_5 = 220
OEM_6 = 221
OEM_7 = 222
OEM_8 = 223
OEM_CLEAR = 254
OEM_COMMA = 188
OEM_MINUS = 189
OEM_PERIOD = 190
OEM_PLUS = 187
P = 80
PA1 = 253
PACKET = 231
PAUSE = 19
PLAY = 250
PRINT = 42
PRIOR = 33
PROCESSKEY = 229
Q = 81
R = 82
RBUTTON = 2
RCONTROL = 163
RETURN = 13
RIGHT = 39
RMENU = 165
RSHIFT = 161
RWIN = 92
S = 83
SCROLL = 145
SELECT = 41
SEPARATOR = 108
SHIFT = 16
SLEEP = 95
SNAPSHOT = 44
SPACE = 32
SUBTRACT = 109
T = 84
TAB = 9
U = 85
UP = 38
V = 86
VOLUME_DOWN = 174
VOLUME_MUTE = 173
VOLUME_UP = 175
W = 87
X = 88
XBUTTON1_K = 5
XBUTTON2_K = 6
Y = 89
Z = 90
ZOOM = 251
from_value(arg: int) lief.PE.ACCELERATOR_CODES = <nanobind.nb_func object>

ALGORITHMS

class lief.PE.ALGORITHMS(value, names=None, *, module=None, qualname=None, type=None, start=1, boundary=None)

Bases: Enum

EC = 9
MD2 = 7
MD4 = 6
MD5 = 5
MD5_RSA = 10
RSA = 8
SHA1_DSA = 11
SHA1_ECDSA = 16
SHA1_RSA = 12
SHA_1 = 4
SHA_256 = 3
SHA_256_ECDSA = 17
SHA_256_RSA = 13
SHA_384 = 2
SHA_384_ECDSA = 18
SHA_384_RSA = 14
SHA_512 = 1
SHA_512_ECDSA = 19
SHA_512_RSA = 15
UNKNOWN = 0
from_value(arg: int) lief.PE.ALGORITHMS = <nanobind.nb_func object>