Main interface to parse an executable regardless of its format.
Subclassed by LIEF::ELF::Parser, LIEF::MachO::BinaryParser, LIEF::MachO::Parser, LIEF::PE::Parser
Public Static Functions
Construct an LIEF::Binary from the given filename.
See also
Warning
If the target file is a FAT Mach-O, it will return the last one
Construct an LIEF::Binary from the given raw data.
See also
Warning
If the target file is a FAT Mach-O, it will return the last one
Construct an LIEF::Binary from the given stream.
See also
Warning
If the target file is a FAT Mach-O, it will return the last one
Public Types
Values:
Public Functions
Target architecture.
Public Static Functions
Abstract binary that exposes an uniform API for the different executable file formats.
Subclassed by LIEF::ELF::Binary, LIEF::MachO::Binary, LIEF::PE::Binary
Public Types
Type of a virtual address.
Values:
Try to guess if it’s relative or not.
Relative.
Absolute.
Values:
Iterator that outputs LIEF::Section&.
Iterator that outputs const LIEF::Section&.
Iterator that outputs LIEF::Symbol&.
Iterator that outputs const LIEF::Symbol&.
Internal container.
Iterator that outputs LIEF::Relocation&.
Iterator that outputs const LIEF::Relocation&.
Instruction iterator.
Public Functions
Return an iterator over the abstracted symbols in which the elements can be modified.
Return an iterator over the abstracted symbols in which the elements can’t be modified.
Return the Symbol with the given name If the symbol does not exist, return a nullptr.
Return an iterator over the binary’s sections (LIEF::Section)
Remove all the sections in the underlying binary.
Return an iterator over the binary relocation (LIEF::Relocation)
Return the functions exported by the binary.
Return libraries which are imported by the binary.
Return functions imported by the binary.
Return the address of the given function name.
Method so that a visitor
can visit us.
Patch the content at virtual address address
with patch_value
.
address – [in] Address to patch
patch_value – [in] Patch to apply
addr_type – [in] Specify if the address should be used as an absolute virtual address or a RVA
Patch the address with the given value.
address – [in] Address to patch
patch_value – [in] Patch to apply
size – [in] Size of the value in bytes (1, 2, … 8)
addr_type – [in] Specify if the address should be used as an absolute virtual address or an RVA
Return the content located at the given virtual address.
Get the integer value at the given virtual address.
Change binary’s original size.
Warning
This function should be used carefully as some optimizations can be performed with this value
Check if the binary is position independent.
Check if the binary uses NX
protection.
Default image base address if the ASLR is not enabled.
Constructor functions that are called prior any other functions.
Convert the given offset into a virtual address.
offset – [in] The offset to convert.
slide – [in] If not 0, it will replace the default base address (if any)
Build & transform the Binary object representation into a real executable.
Return the debug info if present. It can be either a LIEF::dwarf::DebugInfo or a LIEF::pdb::DebugInfo.
For ELF and Mach-O binaries, it returns the given DebugInfo object only if the binary embeds the DWARF debug info in the binary itself.
For PE file, this function tries to find the external PDB using the LIEF::PE::CodeViewPDB::filename() output (if present). One can also use LIEF::pdb::load() or LIEF::pdb::DebugInfo::from_file() to get PDB debug info.
Warning
This function requires LIEF’s extended version otherwise it always return a nullptr
Disassemble code starting a the given virtual address and with the given size.
auto insts = binary->disassemble(0xacde, 100);
for (std::unique_ptr<assembly::Instruction> inst : insts) {
std::cout << inst->to_string() << '\n';
}
See also
Disassemble code starting a the given virtual address.
auto insts = binary->disassemble(0xacde);
for (std::unique_ptr<assembly::Instruction> inst : insts) {
std::cout << inst->to_string() << '\n';
}
See also
Disassemble code for the given symbol name.
auto insts = binary->disassemble("__libc_start_main");
for (std::unique_ptr<assembly::Instruction> inst : insts) {
std::cout << inst->to_string() << '\n';
}
See also
Disassemble code provided by the given buffer at the specified address
parameter.
See also
Disassemble code provided by the given vector of bytes at the specified address
parameter.
See also
Assemble and patch the provided assembly code at the specified address.
The function returns the generated assembly bytes
bin->assemble(0x12000440, R"asm(
xor rax, rbx;
mov rcx, rax;
)asm");
Class which represents an abstracted section.
Subclassed by LIEF::ELF::Section, LIEF::MachO::Section, LIEF::PE::Section
Public Functions
section’s name
Return the complete section’s name which might trailing (0
) bytes.
section’s content
Change the section size.
section’s size (size in the binary, not the virtual size)
Offset in the binary.
Address where the section should be mapped.
Change the section’s name.
Change section content.
Method so that the visitor
can visit us.
Public Static Attributes
This class represents a symbol in an executable format.
Subclassed by LIEF::ELF::Symbol, LIEF::Function, LIEF::MachO::Symbol, LIEF::PE::DelayImportEntry, LIEF::PE::ExportEntry, LIEF::PE::ImportEntry, LIEF::PE::Symbol
Public Functions
Return the symbol’s name.
Set symbol name.
This size of the symbol (when applicable)
Method so that the visitor
can visit us.
Class which represents an abstracted Relocation.
Subclassed by LIEF::ELF::Relocation, LIEF::MachO::Relocation, LIEF::PE::RelocationEntry
Public Functions
Constructor from a relocation’s address and size.
Relocation’s address.
Relocation size in bits
Method so that the visitor
can visit us.
Comparaison based on the Relocation’s address
Comparaison based on the Relocation’s address
Comparaison based on the Relocation’s address
Comparaison based on the Relocation’s address
Friends
Class that represents a function in the binary.
Public Types
Flags used to characterize the semantic of the function.
Values:
The function acts as constructor.
Usually this flag is associated with functions that are located in the .init_array
, __mod_init_func
or .tls
sections
The function acts a destructor.
Usually this flag is associated with functions that are located in the .fini_array
or __mod_term_func
sections
The function is associated with Debug information.
Public Functions
Address of the current function. For functions that are set with the FLAGS::IMPORTED flag, this value is likely 0.