PE

Typedefs

typedef struct Pe_DataDirectory_t Pe_DataDirectory_t

Enums

enum LIEF_PE_DATA_DIRECTORY

Values:

enumerator LIEF_PE_DATA_DIR_EXPORT_TABLE = 0
enumerator LIEF_PE_DATA_DIR_IMPORT_TABLE
enumerator LIEF_PE_DATA_DIR_RESOURCE_TABLE
enumerator LIEF_PE_DATA_DIR_EXCEPTION_TABLE
enumerator LIEF_PE_DATA_DIR_CERTIFICATE_TABLE
enumerator LIEF_PE_DATA_DIR_BASE_RELOCATION_TABLE
enumerator LIEF_PE_DATA_DIR_DEBUG
enumerator LIEF_PE_DATA_DIR_ARCHITECTURE
enumerator LIEF_PE_DATA_DIR_GLOBAL_PTR
enumerator LIEF_PE_DATA_DIR_TLS_TABLE
enumerator LIEF_PE_DATA_DIR_LOAD_CONFIG_TABLE
enumerator LIEF_PE_DATA_DIR_BOUND_IMPORT
enumerator LIEF_PE_DATA_DIR_IAT
enumerator LIEF_PE_DATA_DIR_DELAY_IMPORT_DESCRIPTOR
enumerator LIEF_PE_DATA_DIR_CLR_RUNTIME_HEADER
enumerator LIEF_PE_DATA_DIR_RESERVED
enumerator LIEF_PE_DATA_DIR_NONE
struct Pe_DataDirectory_t

Public Members

uint32_t rva
uint32_t size

Typedefs

typedef struct Pe_Section_t Pe_Section_t

Enums

enum LIEF_PE_SECTION_CHARACTERISTICS

Values:

enumerator LIEF_PE_SECTION_CHARACTERISTICS_TYPE_NO_PAD = 0x00000008
enumerator LIEF_PE_SECTION_CHARACTERISTICS_CNT_CODE = 0x00000020
enumerator LIEF_PE_SECTION_CHARACTERISTICS_CNT_INITIALIZED_DATA = 0x00000040
enumerator LIEF_PE_SECTION_CHARACTERISTICS_CNT_UNINITIALIZED_DATA = 0x00000080
enumerator LIEF_PE_SECTION_CHARACTERISTICS_LNK_OTHER = 0x00000100
enumerator LIEF_PE_SECTION_CHARACTERISTICS_LNK_INFO = 0x00000200
enumerator LIEF_PE_SECTION_CHARACTERISTICS_LNK_REMOVE = 0x00000800
enumerator LIEF_PE_SECTION_CHARACTERISTICS_LNK_COMDAT = 0x00001000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_GPREL = 0x00008000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_PURGEABLE = 0x00010000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_16BIT = 0x00020000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_LOCKED = 0x00040000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_PRELOAD = 0x00080000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_1BYTES = 0x00100000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_2BYTES = 0x00200000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_4BYTES = 0x00300000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_8BYTES = 0x00400000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_16BYTES = 0x00500000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_32BYTES = 0x00600000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_64BYTES = 0x00700000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_128BYTES = 0x00800000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_256BYTES = 0x00900000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_512BYTES = 0x00A00000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_1024BYTES = 0x00B00000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_2048BYTES = 0x00C00000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_4096BYTES = 0x00D00000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_ALIGN_8192BYTES = 0x00E00000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_LNK_NRELOC_OVFL = 0x01000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_DISCARDABLE = 0x02000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_NOT_CACHED = 0x04000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_NOT_PAGED = 0x08000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_SHARED = 0x10000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_EXECUTE = 0x20000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_READ = 0x40000000
enumerator LIEF_PE_SECTION_CHARACTERISTICS_MEM_WRITE = 0x80000000
struct Pe_Section_t

Public Members

const char *name
uint64_t virtual_address
uint64_t size
uint64_t offset
uint32_t virtual_size
uint32_t pointerto_relocation
uint32_t pointerto_line_numbers
uint32_t characteristics
uint8_t *content
uint64_t content_size
double entropy

Typedefs

typedef struct Pe_OptionalHeader_t Pe_OptionalHeader_t

Enums

enum LIEF_PE_DLL_CHARACTERISTICS

Values:

enumerator LIEF_PE_DLL_CHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020

ASLR with a 64-bit address space (high-entropy ASLR).

enumerator LIEF_PE_DLL_CHARACTERISTICS_DYNAMIC_BASE = 0x0040

DLL can be relocated at load time (the image opts in to ASLR).

enumerator LIEF_PE_DLL_CHARACTERISTICS_FORCE_INTEGRITY = 0x0080

Code integrity checks are enforced.

enumerator LIEF_PE_DLL_CHARACTERISTICS_NX_COMPAT = 0x0100

Image is NX compatible (compatible with Data Execution Prevention).

enumerator LIEF_PE_DLL_CHARACTERISTICS_NO_ISOLATION = 0x0200

Isolation aware, but do not isolate the image.

enumerator LIEF_PE_DLL_CHARACTERISTICS_NO_SEH = 0x0400

Does not use structured exception handling (SEH). No SEH handler may be called in this image.

enumerator LIEF_PE_DLL_CHARACTERISTICS_NO_BIND = 0x0800

Do not bind the image.

enumerator LIEF_PE_DLL_CHARACTERISTICS_APPCONTAINER = 0x1000

Image should execute in an AppContainer.

enumerator LIEF_PE_DLL_CHARACTERISTICS_WDM_DRIVER = 0x2000

A WDM driver.

enumerator LIEF_PE_DLL_CHARACTERISTICS_GUARD_CF = 0x4000

Image supports Control Flow Guard.

enumerator LIEF_PE_DLL_CHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000

Terminal Server aware.

enum LIEF_PE_SUBSYSTEM

Values:

enumerator LIEF_PE_SUBSYSTEM_UNKNOWN = 0

An unknown subsystem.

enumerator LIEF_PE_SUBSYSTEM_NATIVE = 1

Device drivers and native Windows processes.

enumerator LIEF_PE_SUBSYSTEM_WINDOWS_GUI = 2

The Windows GUI subsystem.

enumerator LIEF_PE_SUBSYSTEM_WINDOWS_CUI = 3

The Windows character subsystem.

enumerator LIEF_PE_SUBSYSTEM_OS2_CUI = 5

The OS/2 character subsystem.

enumerator LIEF_PE_SUBSYSTEM_POSIX_CUI = 7

The POSIX character subsystem.

enumerator LIEF_PE_SUBSYSTEM_NATIVE_WINDOWS = 8

Native Windows 9x driver.

enumerator LIEF_PE_SUBSYSTEM_WINDOWS_CE_GUI = 9

Windows CE.

enumerator LIEF_PE_SUBSYSTEM_EFI_APPLICATION = 10

An EFI application.

enumerator LIEF_PE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER = 11

An EFI driver with boot services.

enumerator LIEF_PE_SUBSYSTEM_EFI_RUNTIME_DRIVER = 12

An EFI driver with run-time services.

enumerator LIEF_PE_SUBSYSTEM_EFI_ROM = 13

An EFI ROM image.

enumerator LIEF_PE_SUBSYSTEM_XBOX = 14

XBOX.

enumerator LIEF_PE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION = 16

A BCD application.

Functions

const char *lief_pe_subsytem_str(enum LIEF_PE_SUBSYSTEM e)
struct Pe_OptionalHeader_t

Public Members

enum LIEF_PE_PE_TYPES magic
uint8_t major_linker_version
uint8_t minor_linker_version
uint32_t sizeof_code
uint32_t sizeof_initialized_data
uint32_t sizeof_uninitialized_data
uint32_t addressof_entrypoint
uint32_t baseof_code
uint32_t baseof_data
uint64_t imagebase
uint32_t section_alignment
uint32_t file_alignment
uint16_t major_operating_system_version
uint16_t minor_operating_system_version
uint16_t major_image_version
uint16_t minor_image_version
uint16_t major_subsystem_version
uint16_t minor_subsystem_version
uint32_t win32_version_value
uint32_t sizeof_image
uint32_t sizeof_headers
uint32_t checksum
enum LIEF_PE_SUBSYSTEM subsystem
uint32_t dll_characteristics
uint64_t sizeof_stack_reserve
uint64_t sizeof_stack_commit
uint64_t sizeof_heap_reserve
uint64_t sizeof_heap_commit
uint32_t loader_flags
uint32_t numberof_rva_and_size

Typedefs

typedef struct Pe_ImportEntry_t Pe_ImportEntry_t
struct Pe_ImportEntry_t

Public Members

bool is_ordinal
const char *name
uint16_t ordinal
uint64_t hint_name_rva
uint16_t hint
uint64_t iat_value
uint64_t data
uint64_t iat_address

Typedefs

typedef struct Pe_Import_t Pe_Import_t
struct Pe_Import_t

Public Members

const char *name
uint32_t forwarder_chain
uint32_t timedatestamp
Pe_ImportEntry_t **entries
uint32_t import_address_table_rva
uint32_t import_lookup_table_rva

Typedefs

typedef struct Pe_Header_t Pe_Header_t

Enums

enum LIEF_PE_MACHINE_TYPES

Values:

enumerator LIEF_PE_MACHINE_UNKNOWN = 0x0
enumerator LIEF_PE_MACHINE_AM33 = 0x1D3

Matsushita AM33

enumerator LIEF_PE_MACHINE_AMD64 = 0x8664

AMD x64

enumerator LIEF_PE_MACHINE_ARM = 0x1C0

ARM little endian

enumerator LIEF_PE_MACHINE_ARMNT = 0x1C4

ARMv7 Thumb mode only

enumerator LIEF_PE_MACHINE_ARM64 = 0xAA64

ARMv8 in 64-bit mode

enumerator LIEF_PE_MACHINE_EBC = 0xEBC

EFI byte code

enumerator LIEF_PE_MACHINE_I386 = 0x14C

Intel 386 or later

enumerator LIEF_PE_MACHINE_IA64 = 0x200

Intel Itanium processor family

enumerator LIEF_PE_MACHINE_M32R = 0x9041

Mitsubishi M32R little endian

enumerator LIEF_PE_MACHINE_MIPS16 = 0x266

MIPS16

enumerator LIEF_PE_MACHINE_MIPSFPU = 0x366

MIPS with FPU

enumerator LIEF_PE_MACHINE_MIPSFPU16 = 0x466

MIPS16 with FPU

enumerator LIEF_PE_MACHINE_POWERPC = 0x1F0

Power PC little endian

enumerator LIEF_PE_MACHINE_POWERPCFP = 0x1F1

Power PC with floating point

enumerator LIEF_PE_MACHINE_R4000 = 0x166

MIPS little endian

enumerator LIEF_PE_MACHINE_RISCV32 = 0x5032

RISC-V 32-bit address space

enumerator LIEF_PE_MACHINE_RISCV64 = 0x5064

RISC-V 64-bit address space

enumerator LIEF_PE_MACHINE_RISCV128 = 0x5128

RISC-V 128-bit address space

enumerator LIEF_PE_MACHINE_SH3 = 0x1A2

Hitachi SH3

enumerator LIEF_PE_MACHINE_SH3DSP = 0x1A3

Hitachi SH3 DSP

enumerator LIEF_PE_MACHINE_SH4 = 0x1A6

Hitachi SH4

enumerator LIEF_PE_MACHINE_SH5 = 0x1A8

Hitachi SH5

enumerator LIEF_PE_MACHINE_THUMB = 0x1C2

ARM or Thumb

enumerator LIEF_PE_MACHINE_WCEMIPSV2 = 0x169

MIPS little-endian WCE v2

enum LIEF_PE_HEADER_CHARACTERISTICS

Values:

enumerator LIEF_PE_HEADER_CHARACTERISTICS_INVALID = 0x0000
enumerator LIEF_PE_HEADER_CHARACTERISTICS_RELOCS_STRIPPED = 0x0001

The file does not contain base relocations and must be loaded at its preferred base. If this cannot be done, the loader will error.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_EXECUTABLE_IMAGE = 0x0002

The file is valid and can be run.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_LINE_NUMS_STRIPPED = 0x0004

COFF line numbers have been stripped. This is deprecated and should be 0.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_LOCAL_SYMS_STRIPPED = 0x0008

COFF symbol table entries for local symbols have been removed. This is deprecated and should be 0.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_AGGRESSIVE_WS_TRIM = 0x0010

Aggressively trim working set. This is deprecated and must be 0.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_LARGE_ADDRESS_AWARE = 0x0020

Image can handle > 2GiB addresses.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_BYTES_REVERSED_LO = 0x0080

Little endian: the LSB precedes the MSB in memory. This is deprecated and should be 0.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_32BIT_MACHINE = 0x0100

Machine is based on a 32-bit word architecture.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_DEBUG_STRIPPED = 0x0200

Debugging info has been removed.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_REMOVABLE_RUN_FROM_SWAP = 0x0400

If the image is on removable media, fully load it and copy it to swap.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_NET_RUN_FROM_SWAP = 0x0800

If the image is on network media, fully load it and copy it to swap.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_SYSTEM = 0x1000

The image file is a system file, not a user program.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_DLL = 0x2000

The image file is a DLL.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_UP_SYSTEM_ONLY = 0x4000

This file should only be run on a uniprocessor machine.

enumerator LIEF_PE_HEADER_CHARACTERISTICS_BYTES_REVERSED_HI = 0x8000

Big endian: the MSB precedes the LSB in memory. This is deprecated and should be 0.

Functions

const char *lief_pe_header_machine_str(enum LIEF_PE_MACHINE_TYPES e)
const char *lief_pe_header_characteristics_str(enum LIEF_PE_HEADER_CHARACTERISTICS e)
struct Pe_Header_t

Public Members

uint8_t signature[4]
enum LIEF_PE_MACHINE_TYPES machine
uint16_t numberof_sections
uint32_t time_date_stamp
uint32_t pointerto_symbol_table
uint32_t numberof_symbols
uint16_t sizeof_optional_header
uint16_t characteristics

Typedefs

typedef struct Pe_DosHeader_t Pe_DosHeader_t
struct Pe_DosHeader_t

Public Members

uint16_t magic
uint16_t used_bytes_in_last_page
uint16_t file_size_in_pages
uint16_t numberof_relocation
uint16_t header_size_in_paragraphs
uint16_t minimum_extra_paragraphs
uint16_t maximum_extra_paragraphs
uint16_t initial_relative_ss
uint16_t initial_sp
uint16_t checksum
uint16_t initial_ip
uint16_t initial_relative_cs
uint16_t addressof_relocation_table
uint16_t overlay_number
uint16_t reserved[4]
uint16_t oem_id
uint16_t oem_info
uint16_t reserved2[10]
uint32_t addressof_new_exeheader

Typedefs

typedef struct Pe_Binary_t Pe_Binary_t

Functions

Pe_Binary_t *pe_parse(const char *file)

Wrapper around LIEF::PE::Parser::parse. Check the returned pointer before use, and release it with pe_binary_destroy when done.

void pe_binary_destroy(Pe_Binary_t *binary)
struct Pe_Binary_t
#include <Binary.h>

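C handle for LIEF::PE::Binary. Its fields reflect the parsed file, so RVAs, sizes and offsets are only as trustworthy as the input and should be bounds-checked before they are used as indices or lengths.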

Public Members

void *handler
Pe_DosHeader_t dos_header
Pe_Header_t header
Pe_OptionalHeader_t optional_header
Pe_DataDirectory_t **data_directories
Pe_Section_t **sections
Pe_Import_t **imports

Functions

const char *PE_TYPES_to_string(enum LIEF_PE_PE_TYPES e)

Defines

_LIEF_EN(N)
_LIEF_EN_2(N, TYPE)
_LIEF_EI(X)