Python void*
The Python bindings manage opaque void* pointers as Capsules. Given a Capsule, there is no easy way to convert it into a raw address and vice versa. To address this limitation, LIEF exposes lief.to_int() and lief.to_ptr() to convert back and forth between raw addresses and pointers.
Convert an opaque pointer into an address (int)
Convert an integer into an opaque pointer (void*)
Return an iterator over the different modules loaded in the current process
Assemble the provided assembly code at the specified (absolute) virtual address.
The function returns the generated assembly bytes.
from lief import runtime
code = runtime.assemble(0x7f0011223344, """
xor rax, rbx;
mov rcx, rax;
""")
If you need to configure the assembly engine or to define addresses for symbols, you can provide your own AssemblerConfig instance.
Start disassembling instructions at the given absolute virtual address.
from lief import runtime
for inst in runtime.disassemble(0x7f0011223344):
print(inst)
See also
Bases: object
This class represents the current process and provides functions to query process-level information.
Bases: object
This structure wraps environment variables
Bases: object
This class represents an in-memory module which can be an executable or a library
Check if the current module contains the given address
Overloaded function.
dump(self) -> bytes
Return the content of the module as it is currently mapped in memory
dump(self, filepath: str) -> bytes
Same as dump() but also write the content into the file given in parameter
End address of the module
Imagebase of the module
Name of the module (e.g. libc.so.6, kernel32.dll, libsystem_c.dylib)
Path of the module
Virtual size of the current module
Find the module with the given name
Find the module with the given path
Find the module that encompasses the given virtual address (absolute)
Bases: object
This class exposes API to access and manage memory
Bases: object
Represents a contiguous chunk of memory allocated or inspected by the runtime.
Returns the start address of the memory chunk
Returns the start address of the memory chunk as an opaque pointer
Flushes the instruction cache for this memory chunk. This should be used when modifying code in memory (e.g., hooking, JIT).
Changes the permissions of the memory chunk.
Sets the permissions to Read Only.
Sets the permissions to Read and Write.
Sets the permissions to read/write/exec
Sets the permissions to Read and Execute.
Sets the permissions to Execute only.
Returns the address of the end of the page containing this chunk.
Returns the address of the start of the page containing this chunk.
Returns the current permissions of the memory chunk.
Returns the size of the memory chunk in bytes.
Bases: IntFlag
Flags used when creating a memory map (mmap).
Bases: Module
This class exposes a Linux-specific API for a module
Resolve the symbol with the given name for the current module
Return the dlopen handle for this library as an opaque pointer.
Return None if the function fails or if the handler can’t be found
Overloaded function.
parse_from_memory(self) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from memory
parse_from_memory(self, config: lief._lief.ELF.ParserConfig) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from memory with the given configuration
Overloaded function.
parse_from_path(self) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from its path on the filesystem
parse_from_path(self, config: lief._lief.ELF.ParserConfig) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from its path on the filesystem and given the parser configuration
Load the library with the given path or name.
Bases: Module
This class exposes an Android-specific API for a module
Resolve the symbol with the given name for the current module
Return the dlopen handle for this library.
Return a nullptr if the function fails or if the handler can’t be found
Overloaded function.
parse_from_memory(self) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from memory
parse_from_memory(self, config: lief._lief.ELF.ParserConfig) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from memory with the given configuration
Overloaded function.
parse_from_path(self) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from its path on the filesystem
parse_from_path(self, config: lief._lief.ELF.ParserConfig) -> Optional[lief._lief.ELF.Binary]
Parse the ELF module from its path on the filesystem and given the parser configuration
Load the library with the given path/name
Bases: Module
This class exposes an OSX-specific API for a module
Resolve the symbol with the given name for the current module
Return the dlopen handle for this library as an opaque pointer.
Return None if the function fails or if the handler can’t be found
Overloaded function.
parse_from_memory(self) -> Optional[lief._lief.MachO.Binary]
Parse the Mach-O module from memory
parse_from_memory(self, config: lief._lief.MachO.ParserConfig) -> Optional[lief._lief.MachO.Binary]
Parse the Mach-O module from memory with the given configuration
Overloaded function.
parse_from_path(self) -> Optional[lief._lief.MachO.Binary]
Parse the Mach-O module from its path on the filesystem
parse_from_path(self, config: lief._lief.MachO.ParserConfig) -> Optional[lief._lief.MachO.Binary]
Parse the Mach-O module from its path on the filesystem and given the parser configuration
Bases: object
This class exposes OSX-specific host information.
Bases: object
This class represents a macOS version number (major.minor.patch).
Major version number
Minor version number
Patch version number
Bases: Module
This class exposes a Windows-specific API for a module
Resolve the symbol with the given name for the current module
Return the HMODULE handle as an opaque pointer.
Return None if the function fails or if the handler can’t be found
Overloaded function.
parse_from_memory(self) -> Optional[lief._lief.PE.Binary]
Parse the PE module from memory
parse_from_memory(self, config: lief._lief.PE.ParserConfig) -> Optional[lief._lief.PE.Binary]
Parse the PE module from memory with the given configuration
Overloaded function.
parse_from_path(self) -> Optional[lief._lief.PE.Binary]
Parse the PE module from its path on the filesystem
parse_from_path(self, config: lief._lief.PE.ParserConfig) -> Optional[lief._lief.PE.Binary]
Parse the PE module from its path on the filesystem and given the parser configuration
Load the windows library with the given path or name.
Try to get the Module with the given name.
Return None if the module is not found.
if ntdll := lief.runtime.windows.find_module("ntdll.dll"):
print(ntdll.path)
Note
This function relies on the Windows API GetModuleHandle which is more efficient than the generic implementation lief.runtime.module_from_name().
Bases: object
Describes how to spawn a new process and inject a library into it.
Command-line arguments passed to the spawned process.
Environment variables to set in the spawned process. If left empty, the current process environment is inherited.
Absolute path to the library (DLL) that should be injected.
Absolute path to the target executable to spawn.
Spawn the target described by the given injection context and inject the associated library before the main thread starts executing.
Bases: object
This class exposes a user-friendly interface over the Process Environment Block (PEB) of the current process.
It can be accessed through lief.runtime.windows.Process.peb.
Address of the per-process ATL thunk SList (single-linked list).
32-bit value of the ATL thunk SList pointer.
Whether the current process is being debugged.
Iterate over the modules referenced by the loader data of the PEB, in load order, yielding LdrDataTableEntry objects.
Address of the loader data structure (PEB_LDR_DATA) which holds the list of the modules loaded in the current process.
Address of the routine called once the process completed its initialization (PostProcessInitRoutine).
Address of the process parameters (RTL_USER_PROCESS_PARAMETERS) which holds information such as the command line or the current directory.
Session ID associated with the current process.
Bases: object
This class exposes a user-friendly interface over a LDR_DATA_TABLE_ENTRY, the structure used by the Windows loader to describe a module loaded in the current process.
These entries can be enumerated through lief.runtime.windows.PEB.entries().
Base address of the active hot-patch image, if any.
Note
Available on Windows 11 and later.
Base name of the module (BaseDllName), e.g. ntdll.dll.
Hash of the module’s base name used to index the loader tables
Note
Available on Windows 8 and later.
Image checksum cached by the loader
Note
Available on Windows 10 and later.
Address of the dependency-graph node of the module (DdagNode).
Note
Available on Windows 8 and later.
Flags controlling how the statically-linked dependencies of the module are loaded.
Note
Available on Windows 8 and later.
Base address at which the module is mapped in memory (DllBase).
Address of the entry point of the module (EntryPoint).
Address of the activation context associated with the module’s entry point.
Loader flags describing the state of the module (Flags).
Full path of the module (FullDllName), e.g. C:\Windows\System32\ntdll.dll.
State of the hot-patch engine for this module, as a LDR_HOT_PATCH_STATE value.
Note
Available on Windows 11 and later.
Path-search options implied when the module was resolved
Note
Available on Windows 8 and later.
Address of the loader context used while the module is being snapped
Note
Available on Windows 8 and later.
Reason why the module was loaded, as a LDR_DLL_LOAD_REASON value
Note
Available on Windows 8 and later.
Time at which the module was loaded.
Note
Available on Windows 8 and later.
Address of the per-entry loader lock.
Legacy load count of the module (ObsoleteLoadCount). Superseded by reference_count on Windows 8 and later.
Preferred base address recorded in the PE headers
Note
Available on Windows 8 and later.
Base address of the module that triggered the load of this one.
Note
Available on Windows 8 and later.
Number of references currently held on the module.
Note
Available on Windows 8 and later.
Signing level of the module’s image, as a SE_SIGNING_LEVEL value
Note
Available on Windows 10 and later.
Size (in bytes) of the module’s image in memory (SizeOfImage).
Address of the CHPE switch-back context.
Note
Available on Windows 8 and later.
TimeDateStamp of the module as cached by the loader.
TLS slot index assigned to the module, or 0 when it has no TLS (TlsIndex).