PE

Parser

lief.PE.parse(*args) lief.PE.Binary | None
lief.PE.parse(raw: list[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7c4d7a342970>) lief._lief.PE.Binary | None
lief.PE.parse(obj: Union[io.IOBase | os.PathLike], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7c4d7a342990>) lief._lief.PE.Binary | None

Overloaded function.

  1. parse(filename: str, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7c4d7a342950>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given file path and return a Binary object

  1. parse(raw: list[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7c4d7a342970>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given list of bytes and return a lief.PE.Binary object

  1. parse(obj: Union[io.IOBase | os.PathLike], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7c4d7a342990>) -> Optional[lief._lief.PE.Binary]

Parse the PE binary from the given parameter and return a lief.PE.Binary object

class lief.PE.ParserConfig(self)

This class is used to tweak the PE Parser (Parser)

all = <lief._lief.PE.ParserConfig object>
property parse_exports bool

Parse PE Exports Directory

property parse_imports bool

Parse PE Import Directory

property parse_reloc bool

Parse PE relocations

property parse_rsrc bool

Parse PE resources tree

property parse_signature bool

Parse PE Authenticode signature

Binary

class lief.PE.Binary(self, type: lief._lief.PE.PE_TYPE)

Class which represents a PE binary which is the main interface to manage and modify a PE executable.

This object can be instantiated through lief.parse() or lief.PE.parse() while the constructor of this object can be used to craft a binary from scratch (see: 02 - Create a PE from scratch)

class FORMATS
ELF = lief._lief.FORMATS.ELF
MACHO = lief._lief.FORMATS.MACHO
OAT = lief._lief.FORMATS.OAT
PE = lief._lief.FORMATS.PE
UNKNOWN = lief._lief.FORMATS.UNKNOWN
class VA_TYPES
AUTO = lief._lief.VA_TYPES.AUTO
RVA = lief._lief.VA_TYPES.RVA
VA = lief._lief.VA_TYPES.VA
property abstract lief.Binary

Return the abstract representation of the current binary (lief.Binary)

add_import_function(self, import_name: str, function_name: str) lief.PE.ImportEntry

Add a function to the given Import name

add_library(self, import_name: str) lief.PE.Import

Add an Import by name

add_relocation(self, relocation: lief.PE.Relocation) lief.PE.Relocation

Add a Relocation to the binary

add_section(self, section: lief.PE.Section, type: lief.PE.SECTION_TYPES) lief.PE.Section

Add a Section to the binary.

authentihash(self, algorithm: lief.PE.ALGORITHMS) bytes

Compute the authentihash according to the ALGORITHMS given in the first parameter

property authentihash_md5 bytes

Authentihash MD5 value

property authentihash_sha1 bytes

Authentihash SHA1 value

property authentihash_sha256 bytes

Authentihash SHA-256 value

property authentihash_sha512 bytes

Authentihash SHA-512 value

property concrete lief.ELF.Binary | lief.PE.Binary | lief.MachO.Binary

The concrete representation of the binary. Basically, this property cast a lief.Binary into a lief.PE.Binary, lief.ELF.Binary or lief.MachO.Binary.

See also: lief.Binary.abstract

property ctor_functions list[lief.Function]

Constructor functions that are called prior to any other functions

property data_directories lief.PE.Binary.it_data_directories

Return an iterator over the DataDirectory

data_directory(self, type: lief.PE.DataDirectory.TYPES) lief.PE.DataDirectory

Return the DataDirectory object from the given TYPES type

property debug lief.PE.Binary.it_debug

Return the Debug

property delay_imports lief.PE.Binary.it_delay_imports

Return an iterator over the DelayImport

property dos_header lief.PE.DosHeader

Return the DosHeader

property dos_stub memoryview

DOS stub content as a list of bytes

property entrypoint int

Binary’s entrypoint

property exception_functions list[lief.Function]

Function found in the Exception directory

property exported_functions list[lief.Function]

Return the binary’s exported Function

property format lief.Binary.FORMATS

File format (FORMATS) of the underlying binary.

property functions list[lief.Function]

All Function found in the binary

get_content_from_virtual_address(self, virtual_address: int, size: int, va_type: lief.Binary.VA_TYPES) memoryview

Return the content located at the provided virtual address. The virtual address is specified in the first argument and size to read (in bytes) in the second.

If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

get_delay_import(self, import_name: str) lief.PE.DelayImport

Return the DelayImport from the given name or None if not not found

get_export(self) lief.PE.Export

Return the Export object

get_function_address(self, function_name: str) int | lief.lief_errors

Return the address of the given function name

get_import(self, import_name: str) lief.PE.Import

Return the Import from the given name or None if not not found

get_section(self, section_name: str) lief.PE.Section

Return the Section object from the given name or None if not not found

get_symbol(self, symbol_name: str) lief.Symbol

Return the Symbol from the given name.

If the symbol can’t be found, it returns None.

property has_configuration bool

True if the current binary has LoadConfiguration

property has_debug bool

True if the current binary has a Debug object

has_delay_import(self, import_name: str) bool

True if the binary imports the given library name

property has_delay_imports bool

True if the current binary has delay imports (DelayImport)

property has_exceptions bool

True if the current binary uses Exceptions

property has_exports bool

True if the current binary has a Export object

has_import(self, import_name: str) bool

True if the binary imports the given library name

property has_imports bool

True if the current binary has imports (Import)

property has_nx bool

Check if the binary has NX protection (non executable stack)

property has_relocations bool

True if the current binary uses Relocation

property has_resources bool

True if the current binary has a Resources object

property has_rich_header bool

True if the current binary has a RichHeader object

property has_signatures bool

True if the binary is signed with the PE authenticode (Signature)

has_symbol(self, symbol_name: str) bool

Check if a Symbol with the given name exists

property has_tls bool

True if the current binary has a TLS object

property header lief.PE.Header

Return the Header

property imagebase int

Default image base (i.e. if the ASLR is not enabled)

property imported_functions list[lief.Function]

Return the binary’s imported Function (name)

property imports lief.PE.Binary.it_imports

Return an iterator over the Import libraries

property is_pie bool

Check if the binary is position independent

property is_reproducible_build bool

True if the binary was compiled with a reproducible build directive (Debug)

class it_const_signatures

Iterator over lief._lief.PE.Signature

class it_data_directories

Iterator over lief._lief.PE.DataDirectory

class it_debug

Iterator over lief._lief.PE.Debug

class it_delay_imports

Iterator over lief._lief.PE.DelayImport

class it_imports

Iterator over lief._lief.PE.Import

class it_relocations

Iterator over lief._lief.PE.Relocation

class it_section

Iterator over lief._lief.PE.Section

class it_sections

Iterator over lief._lief.Section

class it_symbols

Iterator over lief._lief.PE.Symbol

property libraries list[str | bytes]

Return binary’s imported libraries (name)

property load_configuration lief.PE.LoadConfiguration

Return the LoadConfiguration object or None if not present

offset_to_virtual_address(self, offset: int, slide: int) int | lief.lief_errors

Convert an offset into a virtual address.

property optional_header lief.PE.OptionalHeader

Return the OptionalHeader

property overlay memoryview

Return the overlay content as a list of bytes

property overlay_offset int

Return the original overlay offset

patch_address(*args) None

Overloaded function.

  1. patch_address(self, address: int, patch_value: list[int], va_type: lief._lief.Binary.VA_TYPES = lief._lief.VA_TYPES.AUTO) -> None

    Patch the address with the given list of bytes. The virtual address is specified in the first argument and the content in the second (as a list of bytes).

    If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

  2. patch_address(self, address: int, patch_value: int, size: int = 8, va_type: lief._lief.Binary.VA_TYPES = lief._lief.VA_TYPES.AUTO) -> None

    Patch the address with the given integer value. The virtual address is specified in the first argument, the integer in the second and the integer’s size of in third one.

    If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

predict_function_rva(self, library: str, function: str) int

Try to predict the RVA of the given function name in the given import library name

property relocations lief.PE.Binary.it_relocations

Return an iterator over the Relocation

remove(self, section: lief.PE.Section, clear: bool) None

Remove the Section given in first parameter

remove_all_libraries(self) None

Remove all imported libraries

remove_all_relocations(self) None
remove_library(self, import_name: str) None

Remove the Import from the given name

remove_section(self, name: str, clear: bool) None

Remove the section with the given name

property resources lief.PE.ResourceNode

Return the ResourceNode tree or None if not not present

property resources_manager lief.PE.ResourcesManager | lief.lief_errors

Return the ResourcesManager to manage resources

property rich_header lief.PE.RichHeader

RichHeader object (if present)

rva_to_offset(self, rva_address: int) int

Convert a relative virtual address to an offset

The conversion is performed by looking for the section that encompasses the provided RVA.

section_from_offset(self, offset: int) lief.PE.Section

Return the Section which encompasses the provided offset. It returns None if a section can’t be found.

section_from_rva(self, rva: int) lief.PE.Section

Return the Section which encompasses the provided relative virtual address. If a section can’t be found, it returns None.

property sections lief.PE.Binary.it_section

Return binary’s an iterator over the PE’s Section

property signatures lief.PE.Binary.it_const_signatures

Return an iterator over the Signature objects

property sizeof_headers int

Size of all the PE headers

property symbols list[lief.PE.Symbol]

Return binary’s Symbol

property tls lief.PE.TLS

TLS object (if present)

va_to_offset(self, va_address: int) int

Convert an absolute virtual address into an offset

See: rva_to_offset()

verify_signature(*args) lief.PE.Signature.VERIFICATION_FLAGS

Overloaded function.

  1. verify_signature(self, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = lief._lief.PE.VERIFICATION_CHECKS.DEFAULT) -> lief._lief.PE.Signature.VERIFICATION_FLAGS

    Verify the binary against the embedded signature(s) (if any)

    First off, it checks that the embedded signatures are correct (c.f. lief.PE.Signature.check()) and then it checks that the authentihash matches lief.PE.ContentInfo.digest

    One can tweak the verification process with the lief.PE.Signature.VERIFICATION_CHECKS flags

  2. verify_signature(self, signature: lief._lief.PE.Signature, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = lief._lief.PE.VERIFICATION_CHECKS.DEFAULT) -> lief._lief.PE.Signature.VERIFICATION_FLAGS

    Verify the binary with the Signature object provided in the first parameter It can be used to verify a detached signature:

    detached = lief.PE.Signature.parse("sig.pkcs7")
    binary.verify_signature(detached)
    
property virtual_size int

Return the binary’s virtual size.

This value should match sizeof_image

write(self, output_path: str) None

Build the binary and write the result to the given output file

xref(self, virtual_address: int) list[int]

Return all virtual addresses that use the address given in parameter


Dos Header

class lief.PE.DosHeader

Class which represents the DosHeader, the first structure presents at the beginning of a PE file.

Most of the attributes of this structures are not relevant, except addressof_new_exeheader

property addressof_new_exeheader int
property addressof_relocation_table int
property checksum int
copy(self) lief.PE.DosHeader

Duplicate the current instance of this object

create(arg: lief.PE.PE_TYPE) lief.PE.DosHeader = <nanobind.nb_func object>
property file_size_in_pages int
property header_size_in_paragraphs int
property initial_ip int
property initial_relative_cs int
property initial_relative_ss int
property initial_sp int
property magic int
property maximum_extra_paragraphs int
property minimum_extra_paragraphs int
property numberof_relocation int
property oem_id int
property oem_info int
property overlay_number int
property used_bytes_in_last_page int


Optional Header

class lief.PE.OptionalHeader

Class which represents the PE OptionalHeader structure.

class DLL_CHARACTERISTICS
APPCONTAINER = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.APPCONTAINER: 4096>
DYNAMIC_BASE = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.DYNAMIC_BASE: 64>
FORCE_INTEGRITY = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.FORCE_INTEGRITY: 128>
GUARD_CF = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.GUARD_CF: 16384>
HIGH_ENTROPY_VA = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.HIGH_ENTROPY_VA: 32>
NO_BIND = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.NO_BIND: 2048>
NO_ISOLATION = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.NO_ISOLATION: 512>
NO_SEH = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.NO_SEH: 1024>
NX_COMPAT = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.NX_COMPAT: 256>
TERMINAL_SERVER_AWARE = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.TERMINAL_SERVER_AWARE: 32768>
WDM_DRIVER = <lief._lief.PE.DLL_CHARACTERISTICS.lief._lief.PE.DLL_CHARACTERISTICS.WDM_DRIVER: 8192>
from_value(arg: int) lief.PE.OptionalHeader.DLL_CHARACTERISTICS = <nanobind.nb_func object>
property value int

The underlying integer value

class SUBSYSTEM
EFI_APPLICATION = lief._lief.PE.SUBSYSTEM.EFI_APPLICATION
EFI_BOOT_SERVICE_DRIVER = lief._lief.PE.SUBSYSTEM.EFI_BOOT_SERVICE_DRIVER
EFI_ROM = lief._lief.PE.SUBSYSTEM.EFI_ROM
EFI_RUNTIME_DRIVER = lief._lief.PE.SUBSYSTEM.EFI_RUNTIME_DRIVER
NATIVE = lief._lief.PE.SUBSYSTEM.NATIVE
NATIVE_WINDOWS = lief._lief.PE.SUBSYSTEM.NATIVE_WINDOWS
OS2_CUI = lief._lief.PE.SUBSYSTEM.OS2_CUI
POSIX_CUI = lief._lief.PE.SUBSYSTEM.POSIX_CUI
UNKNOWN = lief._lief.PE.SUBSYSTEM.UNKNOWN
WINDOWS_BOOT_APPLICATION = lief._lief.PE.SUBSYSTEM.WINDOWS_BOOT_APPLICATION
WINDOWS_CE_GUI = lief._lief.PE.SUBSYSTEM.WINDOWS_CE_GUI
WINDOWS_CUI = lief._lief.PE.SUBSYSTEM.WINDOWS_CUI
WINDOWS_GUI = lief._lief.PE.SUBSYSTEM.WINDOWS_GUI
XBOX = lief._lief.PE.SUBSYSTEM.XBOX
from_value(arg: int) lief.PE.OptionalHeader.SUBSYSTEM = <nanobind.nb_func object>
property value int

The underlying integer value

add(self, characteristic: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) None

Add the given DLL_CHARACTERISTICS

property addressof_entrypoint int

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

property baseof_code int

Address relative to the imagebase where the binary’s code starts

property baseof_data int

Address relative to the imagebase where the binary’s data starts.

Warning

This value is not present for PE64 files

property checksum int

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

property computed_checksum int

The re-computed value of the checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF when parsing the PE binary.

copy(self) lief.PE.OptionalHeader

Duplicate the current instance of this object

create(type: lief.PE.PE_TYPE) lief.PE.OptionalHeader = <nanobind.nb_func object>
property dll_characteristics int

Some characteristics (DLL_CHARACTERISTICS) of the underlying binary like the support of the PIE.

The prefix dll comes from the official PE specifications but these characteristics are also used for executables

property dll_characteristics_lists list[lief.PE.OptionalHeader.DLL_CHARACTERISTICS]

dll_characteristics as a list of DLL_CHARACTERISTICS

property file_alignment int

The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K, inclusive. The default value is 512. If the section_alignment is less than the architecture’s page size, then file_alignment must match section_alignment.

has(self, characteristics: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) bool

True if the given DLL_CHARACTERISTICS is in the dll_characteristics

property imagebase int

The preferred base address when mapping the binary in memory

property loader_flags int

According to the PE specifications, this value is reserved and should be 0.

property magic lief.PE.PE_TYPE

Magic value (PE_TYPE) that identifies a PE32 from a PE64

property major_image_version int

The major version number of the image.

property major_linker_version int

The linker major version number

property major_operating_system_version int

The major version number of the required operating system.

property major_subsystem_version int

The major version number of the subsystem.

property minor_image_version int

The minor version number of the image.

property minor_linker_version int

The linker minor version number

property minor_operating_system_version int

The minor version number of the required operating system.

property minor_subsystem_version int

The minor version number of the subsystem

property numberof_rva_and_size int

The number of DataDirectory that follow this header

remove(self, characteristic: lief.PE.OptionalHeader.DLL_CHARACTERISTICS) None

Remove the given DLL_CHARACTERISTICS

property section_alignment int

The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture.

property sizeof_code int

The size of the code .text section or the sum of all the sections that contain code (ie. Section with the flag CNT_CODE)

property sizeof_headers int

The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment.

property sizeof_heap_commit int

The size of the local heap space to commit.

property sizeof_heap_reserve int

The size of the local heap space to reserve.

Only sizeof_heap_commit is available one page at a time until the reserve size is reached.

property sizeof_image int

The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of section_alignment and should match virtual_size.

property sizeof_initialized_data int

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag CNT_INITIALIZED_DATA

property sizeof_stack_commit int

The size of the stack to commit.

property sizeof_stack_reserve int

The size of the stack to reserve.

Only sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

property sizeof_uninitialized_data int

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag CNT_UNINITIALIZED_DATA

property subsystem lief.PE.OptionalHeader.SUBSYSTEM

Target subsystem (SUBSYSTEM) like Driver, XBox, Windows GUI, ..

property win32_version_value int

Reserved, must be zero.


Data Directory

class lief.PE.DataDirectory(self)

Class that represents a PE data directory entry

class TYPES
ARCHITECTURE = lief._lief.PE.TYPES.ARCHITECTURE
BASE_RELOCATION_TABLE = lief._lief.PE.TYPES.BASE_RELOCATION_TABLE
BOUND_IMPORT = lief._lief.PE.TYPES.BOUND_IMPORT
CERTIFICATE_TABLE = lief._lief.PE.TYPES.CERTIFICATE_TABLE
CLR_RUNTIME_HEADER = lief._lief.PE.TYPES.CLR_RUNTIME_HEADER
DEBUG = lief._lief.PE.TYPES.DEBUG
DELAY_IMPORT_DESCRIPTOR = lief._lief.PE.TYPES.DELAY_IMPORT_DESCRIPTOR
EXCEPTION_TABLE = lief._lief.PE.TYPES.EXCEPTION_TABLE
EXPORT_TABLE = lief._lief.PE.TYPES.EXPORT_TABLE
GLOBAL_PTR = lief._lief.PE.TYPES.GLOBAL_PTR
IAT = lief._lief.PE.TYPES.IAT
IMPORT_TABLE = lief._lief.PE.TYPES.IMPORT_TABLE
LOAD_CONFIG_TABLE = lief._lief.PE.TYPES.LOAD_CONFIG_TABLE
RESERVED = lief._lief.PE.TYPES.RESERVED
RESOURCE_TABLE = lief._lief.PE.TYPES.RESOURCE_TABLE
TLS_TABLE = lief._lief.PE.TYPES.TLS_TABLE
UNKNOWN = lief._lief.PE.TYPES.UNKNOWN
from_value(arg: int) lief.PE.DataDirectory.TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

copy(self) lief.PE.DataDirectory

Duplicate the current instance of this object

property has_section bool

True if the current data directory is tied to a Section

property rva int

Relative virtual address of the content associated with the current data directory

property section lief.PE.Section

Section associated with the current data directory or None if not linked

property size int

Size in bytes of the content associated with the current data directory

property type lief.PE.DataDirectory.TYPES

Type (TYPES) of the current data directory


Section

class lief.PE.Section(self)
class lief.PE.Section(self, content: list[int], name: str = '', characteristics: int = 0)
class lief.PE.Section(self, name: str)

Class which represents a PE section.

It extends the base class lief.Section

Overloaded function.

  1. __init__(self, content: list[int], name: str = '', characteristics: int = 0) -> None

Constructor from content, name and characteristics

  1. __init__(self, name: str) -> None

Constructor from a name

class CHARACTERISTICS
ALIGN_1024BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_1024BYTES: 11534336>
ALIGN_128BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_128BYTES: 8388608>
ALIGN_16BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_16BYTES: 5242880>
ALIGN_1BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_1BYTES: 1048576>
ALIGN_2048BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_2048BYTES: 12582912>
ALIGN_256BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_256BYTES: 9437184>
ALIGN_2BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_2BYTES: 2097152>
ALIGN_32BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_32BYTES: 6291456>
ALIGN_4096BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_4096BYTES: 13631488>
ALIGN_4BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_4BYTES: 3145728>
ALIGN_512BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_512BYTES: 10485760>
ALIGN_64BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_64BYTES: 7340032>
ALIGN_8192BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_8192BYTES: 14680064>
ALIGN_8BYTES = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.ALIGN_8BYTES: 4194304>
CNT_CODE = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.CNT_CODE: 32>
CNT_INITIALIZED_DATA = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.CNT_INITIALIZED_DATA: 64>
CNT_UNINITIALIZED_DATA = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.CNT_UNINITIALIZED_DATA: 128>
GPREL = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.GPREL: 32768>
LNK_COMDAT = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.LNK_COMDAT: 4096>
LNK_INFO = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.LNK_INFO: 512>
LNK_NRELOC_OVFL = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.LNK_NRELOC_OVFL: 16777216>
LNK_OTHER = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.LNK_OTHER: 256>
LNK_REMOVE = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.LNK_REMOVE: 2048>
MEM_16BIT = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_16BIT: 131072>
MEM_DISCARDABLE = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_DISCARDABLE: 33554432>
MEM_EXECUTE = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_EXECUTE: 536870912>
MEM_LOCKED = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_LOCKED: 262144>
MEM_NOT_CACHED = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_NOT_CACHED: 67108864>
MEM_NOT_PAGED = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_NOT_PAGED: 134217728>
MEM_PRELOAD = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_PRELOAD: 524288>
MEM_PURGEABLE = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_PURGEABLE: 65536>
MEM_READ = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_READ: 1073741824>
MEM_SHARED = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_SHARED: 268435456>
MEM_WRITE = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.MEM_WRITE: 2147483648>
TYPE_NO_PAD = <lief._lief.PE.CHARACTERISTICS.lief._lief.PE.CHARACTERISTICS.TYPE_NO_PAD: 8>
from_value(arg: int) lief.PE.Section.CHARACTERISTICS = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

The CHARACTERISTICS that describe the characteristics of the section

property characteristics_lists list[lief.PE.Section.CHARACTERISTICS]

characteristics as a list

property content memoryview

Section’s content

copy(self) lief.PE.Section

Duplicate the current instance of this object

property entropy float

Section’s entropy

property fullname bytes

Return the fullname of the section including the trailing bytes

has_characteristic(self, characteristic: lief.PE.Section.CHARACTERISTICS) bool

True if the section has the given CHARACTERISTICS

property name str | bytes

Section’s name

property numberof_line_numbers int

The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated.

See: pointerto_line_numbers

property numberof_relocations int

The number of relocation entries for the section.

See: pointerto_relocation

property offset int

Section’s file offset

property padding bytes

Section padding content as bytes

property pointerto_line_numbers int

The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

property pointerto_raw_data int

The offset of the section data in the PE file. Alias of offset

property pointerto_relocation int

The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.

For modern PE binaries, this value is usually set to 0 as the relocations are managed by Relocation.

search(*args) int | None

Overloaded function.

  1. search(self, number: int, pos: int = 0, size: int = 0) -> Optional[int]

Look for integer within the current section

  1. search(self, str: str, pos: int = 0) -> Optional[int]

Look for string within the current section

  1. search(self, bytes: bytes, pos: int = 0) -> Optional[int]

Look for the given bytes within the current section

search_all(*args) list[int]

Overloaded function.

  1. search_all(self, number: int, size: int = 0) -> list[int]

Look for all integers within the current section

  1. search_all(self, str: str) -> list[int]

Look for all strings within the current section

property size int

Section’s size

property sizeof_raw_data int

Alias of size (size of the data in the section)

property virtual_address int

Section’s virtual address

property virtual_size int

The total size of the section when loaded into memory.

If this value is greater than sizeof_raw_data, the section is zero-padded.


Import

class lief.PE.Import(self)
class lief.PE.Import(self, library_name: str)

Class that represents a PE import

Overloaded function.

  1. __init__(self) -> None

Default constructor

  1. __init__(self, library_name: str) -> None

Constructor from a library name

add_entry(*args) lief.PE.ImportEntry

Overloaded function.

  1. add_entry(self, entry: lief._lief.PE.ImportEntry) -> lief._lief.PE.ImportEntry

Add an ImportEntry (function) to the current import

  1. add_entry(self, function_name: str) -> lief._lief.PE.ImportEntry

Add an ImportEntry (function) to the current import

property directory lief.PE.DataDirectory

Return the DataDirectory associated with this import.

It should be the one at index lief.PE.DataDirectory.TYPES.IMPORT_TABLE. It can return None if the Import directory can’t be resolved.

property entries lief.PE.Import.it_entries

Iterator over the ImportEntry (functions)

property forwarder_chain int

The index of the first forwarder reference

get_entry(self, function_name: str) lief.PE.ImportEntry

Return the ImportEntry with the given name or None if not found

get_function_rva_from_iat(self, function_name: str) int | lief.lief_errors

Return the relative virtual address of the given function within the Import Address Table

property iat_directory lief.PE.DataDirectory

Return the DataDirectory associated with the IAT table.

It should be the one at index lief.PE.DataDirectory.TYPES.IAT. It can return None if the IAT directory can’t be resolved.

property import_address_table_rva int

The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.

Warning

This address could change when re-building the binary

property import_lookup_table_rva int

The RVA of the import lookup table. This table contains the name or the ordinal for all the imports.

class it_entries

Iterator over lief._lief.PE.ImportEntry

property name str | bytes

Library name (e.g. kernel32.dll)

property timedatestamp int

The stamp that is set to zero until the image is bound.

After the image is bound, this field is set to the time/data stamp of the DLL


Import Entry

class lief.PE.ImportEntry(self)
class lief.PE.ImportEntry(self, import_name: str)
class lief.PE.ImportEntry(self, data: int, name: str = '')
class lief.PE.ImportEntry(self, data: int, type: lief._lief.PE.PE_TYPE, name: str = '')
class lief.PE.ImportEntry(self, name: str, type: lief._lief.PE.PE_TYPE)

Class that represents an entry (i.e. an import) in the import table (Import).

It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value

Overloaded function.

  1. __init__(self, import_name: str) -> None

Constructor from a name

  1. __init__(self, data: int, name: str = '') -> None

Constructor from a data and an optionally name

  1. __init__(self, data: int, type: lief._lief.PE.PE_TYPE, name: str = '') -> None

Constructor from a data, a type and an optional name

  1. __init__(self, name: str, type: lief._lief.PE.PE_TYPE) -> None

Constructor from a name, and a type

copy(self) lief.PE.ImportEntry

Duplicate the current instance of this object

property data int

Raw value

property hint int

Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution

property iat_address int

Original address of the entry in the Import Address Table

property iat_value int

Value of the current entry in the Import Address Table. It should match the lookup table value.

property is_ordinal bool

True if it is an import by ordinal

property name str | bytes

Import name if not ordinal

property ordinal int

Ordinal value (if any). See: is_ordinal

property size int

Symbol’s size

property value int

Symbol’s value


Delay Import

class lief.PE.DelayImport(self, library_name: str)

Class that represents a PE delay import

Constructor from a library name

property attribute int

Reserved and should be zero according to the PE specifications

property biat int

RVA of the bound delay-load import address table or 0 if the table does not exist.

copy(self) lief.PE.DelayImport

Duplicate the current instance of this object

property entries lief.PE.DelayImport.it_entries

Iterator over the DelayImportEntry (functions)

property handle int

The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.

property iat int

RVA of the delay-load import address table.

class it_entries

Iterator over lief._lief.PE.DelayImportEntry

property name str | bytes

Library name (e.g. kernel32.dll)

property names_table int

RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table

property timestamp int

The timestamp of the DLL to which this image has been bound.

property uiat int

RVA of the unload delay-load import address table or 0 if the table does not exist.

According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.


Delay Import Entry

class lief.PE.DelayImportEntry(self)

Class that represents an entry (i.e. a delay import) in the delay import table (DelayImport).

It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value

The meaning of lief.Symbol.value for this PE object is the address (as an RVA) in the IAT where the resolution should take place

copy(self) lief.PE.DelayImportEntry

Duplicate the current instance of this object

property data int

Raw value

property hint int

Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution

property iat_value int

Value of the current entry in the delay-loaded import address table. See: iat

property is_ordinal bool

True if it is an import by ordinal

property name str | bytes

Delay import name if not ordinal

property ordinal int

Ordinal value (if any). See: is_ordinal

property size int

Symbol’s size

property value int

Symbol’s value


TLS

class lief.PE.TLS(self)

Class which represents the PE Thread Local Storage. This PE structure is also used to implement binary/library constructors.

Default constructor

property addressof_callbacks int

The pointer to an array of TLS callback functions.

The array is null-terminated, so if no callback function is supported, this field points to 4 bytes set to zero.

See: callbacks

property addressof_index int

The location to receive the TLS index, which the loader assigns. This location is in an ordinary data section, so it can be given a symbolic name that is accessible to the program.

property addressof_raw_data tuple[int, int]

Tuple (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.

Note

These addresses are not RVA. It is addresses for which there should be a base relocation in the .reloc section.

property callbacks list[int]

List of the callback associated with the current TLS.

These functions are called before any other functions of the PE binary.

property characteristics int

The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.

copy(self) lief.PE.TLS

Duplicate the current instance of this object

property data_template memoryview

The data template content

property directory lief.PE.DataDirectory

DataDirectory associated with the TLS object (or None if not linked)

property has_data_directory bool

True if there is a DataDirectory associated with the TLS object

property has_section bool

True if there is a Section associated with the TLS object

property section lief.PE.Section

Section associated with the TLS object (or None if not linked)

property sizeof_zero_fill int

The size in bytes of the template, beyond the initialized data delimited by the addressof_raw_data fields. The total template size should be the same as the total size of TLS data in the image file. The zero fill is the amount of data that comes after the initialized nonzero data.


Symbol

class lief.PE.Symbol(self)
property base_type lief.PE.SYMBOL_BASE_TYPES
property complex_type lief.PE.SYMBOL_COMPLEX_TYPES
property has_section bool

True if symbols are located in a section

property name str
property numberof_aux_symbols int
property section lief.PE.Section
property section_number int
property size int

Symbol’s size

property storage_class lief.PE.SYMBOL_STORAGE_CLASS
property type int
property value int

Symbol’s value


Relocation

class lief.PE.Relocation(self)

Class which represents the Base Relocation Block Usually, we find this structure in the .reloc section

add_entry(self, new_entry: lief.PE.RelocationEntry) lief.PE.RelocationEntry

Add a new RelocationEntry

property block_size int

The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)

copy(self) lief.PE.Relocation

Duplicate the current instance of this object

property entries lief.PE.Relocation.it_entries

Iterator over the RelocationEntry

class it_entries

Iterator over lief._lief.PE.RelocationEntry

property virtual_address int

The RVA for which the offset of the relocation entries (RelocationEntry) is added


Relocation Entry

class lief.PE.RelocationEntry(self)

Class which represents an entry of the PE relocation table.

It extends the lief.Relocation object to provide an uniform API across the file formats.

class BASE_TYPES
ABS = lief._lief.PE.BASE_TYPES.ABS
ARM_MOV32 = lief._lief.PE.BASE_TYPES.ARM_MOV32
ARM_MOV32A = lief._lief.PE.BASE_TYPES.ARM_MOV32A
ARM_MOV32T = lief._lief.PE.BASE_TYPES.ARM_MOV32T
DIR64 = lief._lief.PE.BASE_TYPES.DIR64
HIGH = lief._lief.PE.BASE_TYPES.HIGH
HIGH3ADJ = lief._lief.PE.BASE_TYPES.HIGH3ADJ
HIGHADJ = lief._lief.PE.BASE_TYPES.HIGHADJ
HIGHLOW = lief._lief.PE.BASE_TYPES.HIGHLOW
IA64_IMM64 = lief._lief.PE.BASE_TYPES.IA64_IMM64
LOW = lief._lief.PE.BASE_TYPES.LOW
MIPS_JMPADDR = lief._lief.PE.BASE_TYPES.MIPS_JMPADDR
MIPS_JMPADDR16 = lief._lief.PE.BASE_TYPES.MIPS_JMPADDR16
REL = lief._lief.PE.BASE_TYPES.REL
RISCV_HI20 = lief._lief.PE.BASE_TYPES.RISCV_HI20
RISCV_LOW12I = lief._lief.PE.BASE_TYPES.RISCV_LOW12I
RISCV_LOW12S = lief._lief.PE.BASE_TYPES.RISCV_LOW12S
SECTION = lief._lief.PE.BASE_TYPES.SECTION
THUMB_MOV32 = lief._lief.PE.BASE_TYPES.THUMB_MOV32
UNKNOWN = lief._lief.PE.BASE_TYPES.UNKNOWN
from_value(arg: int) lief.PE.RelocationEntry.BASE_TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

property address int

Relocation’s address

property data int

Raw data of the relocation:

  • The high 4 bits store the relocation type

  • The low 12 bits store the relocation offset (position)

property position int

Offset - relative to virtual_address - where the relocation occurs

property size int

Relocation’s size (in bits)

property type lief.PE.RelocationEntry.BASE_TYPES

Type of the relocation


Export

class lief.PE.Export(self)

Class which represents a PE Export

copy(self) lief.PE.Export

Duplicate the current instance of this object

property entries lief.PE.Export.it_entries

Iterator over the ExportEntry

property export_flags int

According to the PE specifications this value is reserved and should be set to 0

class it_entries

Iterator over lief._lief.PE.ExportEntry

property major_version int

The major version number (can be user-defined)

property minor_version int

The minor version number (can be user-defined)

property name str | bytes

The name of the library exported (e.g. KERNEL32.dll)

property ordinal_base int

The starting number for the exports. Usually this value is set to 1

property timestamp int

The time and date that the export data was created


Export Entry

class lief.PE.ExportEntry(self)

Class which represents a PE Export entry (cf. lief.PE.Export)

property address int
property forward_information lief.PE.ExportEntry.forward_information_t
class forward_information_t
property function str
property library str
property function_rva int
property is_extern bool
property is_forwarded bool
property name str | bytes
property ordinal int
property size int

Symbol’s size

property value int

Symbol’s value


Signature

class lief.PE.Signature
class VERIFICATION_CHECKS
DEFAULT = <lief._lief.PE.VERIFICATION_CHECKS.lief._lief.PE.VERIFICATION_CHECKS.DEFAULT: 1>
HASH_ONLY = <lief._lief.PE.VERIFICATION_CHECKS.lief._lief.PE.VERIFICATION_CHECKS.HASH_ONLY: 2>
LIFETIME_SIGNING = <lief._lief.PE.VERIFICATION_CHECKS.lief._lief.PE.VERIFICATION_CHECKS.LIFETIME_SIGNING: 4>
SKIP_CERT_TIME = <lief._lief.PE.VERIFICATION_CHECKS.lief._lief.PE.VERIFICATION_CHECKS.SKIP_CERT_TIME: 8>
from_value(arg: int) lief.PE.Signature.VERIFICATION_CHECKS = <nanobind.nb_func object>
property value int

The underlying integer value

class VERIFICATION_FLAGS
BAD_DIGEST = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BAD_DIGEST: 128>
BAD_SIGNATURE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BAD_SIGNATURE: 256>
CERT_EXPIRED = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.CERT_EXPIRED: 1024>
CERT_FUTURE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.CERT_FUTURE: 2048>
CERT_NOT_FOUND = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.CERT_NOT_FOUND: 8>
CORRUPTED_AUTH_DATA = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.CORRUPTED_AUTH_DATA: 32>
CORRUPTED_CONTENT_INFO = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.CORRUPTED_CONTENT_INFO: 16>
INCONSISTENT_DIGEST_ALGORITHM = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.INCONSISTENT_DIGEST_ALGORITHM: 4>
INVALID_SIGNER = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.INVALID_SIGNER: 1>
MISSING_PKCS9_MESSAGE_DIGEST = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.MISSING_PKCS9_MESSAGE_DIGEST: 64>
NO_SIGNATURE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.NO_SIGNATURE: 512>
OK = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.OK: 0>
UNSUPPORTED_ALGORITHM = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.UNSUPPORTED_ALGORITHM: 2>
from_value(arg: int) lief.PE.Signature.VERIFICATION_FLAGS = <nanobind.nb_func object>
property value int

The underlying integer value

property certificates lief.PE.Signature.it_const_crt

Return an iterator over x509 certificates

check(self, checks: lief.PE.Signature.VERIFICATION_CHECKS) lief.PE.Signature.VERIFICATION_FLAGS

Check the integrity of the signature and return a lief.PE.Signature.VERIFICATION_FLAGS

By default, it performs the following verifications:

  1. It must contain only one signer info (signers)

  2. lief.PE.Signature.digest_algorithm must match:

  3. The x509 certificate specified by lief.PE.SignerInfo.serial_number and lief.PE.SignerInfo.issuer must exist within lief.PE.Signature.certificates

  4. Given the x509 certificate, compare lief.PE.SignerInfo.encrypted_digest against either:

  5. If they are Authenticated attributes, check that a PKCS9_MESSAGE_DIGEST (lief.PE.PKCS9MessageDigest) attribute exists and that its value matches hash of ContentInfo

  6. Check the validity of the PKCS #9 counter signature if present

  7. If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See lief.PE.Signature.VERIFICATION_CHECKS.LIFETIME_SIGNING and lief.pe.Signature.VERIFICATION_CHECKS.SKIP_CERT_TIME)

See: lief.PE.Signature.VERIFICATION_CHECKS to tweak the behavior

property content_info lief.PE.ContentInfo

Return the ContentInfo

property digest_algorithm lief.PE.ALGORITHMS

Return the algorithm (ALGORITHMS) used to sign the content of ContentInfo

find_crt(self, serialno: list[int]) lief.PE.x509

Find the x509 certificate according to its serial number

find_crt_issuer(*args) lief.PE.x509

Overloaded function.

  1. find_crt_issuer(self, issuer: str) -> lief._lief.PE.x509

Find the x509 certificate according to its issuer

  1. find_crt_issuer(self, issuer: str, serialno: list[int]) -> lief._lief.PE.x509

Find the x509 certificate according to its issuer AND its serial number

find_crt_subject(*args) lief.PE.x509

Overloaded function.

  1. find_crt_subject(self, subject: str) -> lief._lief.PE.x509

Find the x509 certificate according to its subject

  1. find_crt_subject(self, subject: str, serialno: list[int]) -> lief._lief.PE.x509

Find the x509 certificate according to its subject AND its serial number

class it_const_crt

Iterator over lief._lief.PE.x509

class it_const_signers_t

Iterator over lief._lief.PE.SignerInfo

parse(*args) lief.PE.Signature | None = <nanobind.nb_func object>
property raw_der memoryview

Return the raw original signature as a byte object

property signers lief.PE.Signature.it_const_signers_t

Return an iterator over the signers (SignerInfo)

property version int

Version of the signature. It should be 1


Signature Attribute

class lief.PE.Attribute

Interface over PKCS #7 attribute

class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature ContentType

class lief.PE.ContentType

Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9) The internal structure is described in the: RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

ContentType ::= OBJECT IDENTIFIER
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property oid str

OID as described in RFC #2985 (string object)

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature GenericType

class lief.PE.GenericType

Interface over an attribute for which the internal structure is not supported by LIEF

class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property oid str

OID of the original attribute

property raw_content memoryview

Original DER blob of the attribute

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature MsSpcNestedSignature

class lief.PE.MsSpcNestedSignature

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1

The internal structure is not documented but we can infer the following structure:

MsSpcNestedSignature ::= SET OF SignedData

With SignedData, the structure described in PKCS #7 RFC (See: lief.PE.Signature)

class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property signature lief.PE.Signature

Underlying Signature object

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature MsSpcStatementType

class lief.PE.MsSpcStatementType

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property oid str

According to the documentation:

The SpcStatementType MUST contain one Object Identifier with either
the value ``1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID)`` or
``1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID)``.
property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature PKCS9AtSequenceNumber

class lief.PE.PKCS9AtSequenceNumber

Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

sequenceNumber ATTRIBUTE ::= {
  WITH SYNTAX SequenceNumber
  EQUALITY MATCHING RULE integerMat
  SINGLE VALUE TRUE
  ID pkcs-9-at-sequenceNumber
}

SequenceNumber ::= INTEGER (1..MAX)
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property number int

Number as described in the RFC

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature PKCS9CounterSignature

class lief.PE.PKCS9CounterSignature

Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

counterSignature ATTRIBUTE ::= {
  WITH SYNTAX SignerInfo
  ID pkcs-9-at-counterSignature
}
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property signer lief.PE.SignerInfo

Return the SignerInfo as described in the RFC #2985

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature PKCS9MessageDigest

class lief.PE.PKCS9MessageDigest

Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

messageDigest ATTRIBUTE ::= {
  WITH SYNTAX MessageDigest
  EQUALITY MATCHING RULE octet
  SINGLE VALUE TRUE
  ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property digest bytes

Message digeset as a blob of bytes as described in the RFC

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature PKCS9SigningTime

class lief.PE.PKCS9SigningTime

Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

SigningTime ::= Time -- imported from ISO/IEC 9594-8
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property time list[int]

Time as a list [year, month, day, hour, min, sec]

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature SpcSpOpusInfo

class lief.PE.SpcSpOpusInfo

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12 The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcSpOpusInfo ::= SEQUENCE {
    programName  [0] EXPLICIT SpcString OPTIONAL,
    moreInfo     [1] EXPLICIT SpcLink OPTIONAL
}
class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property more_info str | bytes

Other information such as an URL

property program_name str | bytes

Program description provided by the publisher

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


Signature SpcIndirectData

class lief.PE.SpcIndirectData
property content_type str

OID of the content type. This value should match SPC_INDIRECT_DATA_OBJID

copy(self) lief.PE.ContentInfo.Content | None

Duplicate the current instance of this object

property digest memoryview
property digest_algorithm lief.PE.ALGORITHMS

Digest used to hash the file. This should match digest_algorithm

property file str

Signature GenericType

class lief.PE.GenericType

Interface over an attribute for which the internal structure is not supported by LIEF

class TYPE
CONTENT_TYPE = lief._lief.PE.TYPE.CONTENT_TYPE
GENERIC_TYPE = lief._lief.PE.TYPE.GENERIC_TYPE
MS_COUNTER_SIGN = lief._lief.PE.TYPE.MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN = lief._lief.PE.TYPE.MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE = lief._lief.PE.TYPE.MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER = lief._lief.PE.TYPE.PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE = lief._lief.PE.TYPE.PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST = lief._lief.PE.TYPE.PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME = lief._lief.PE.TYPE.PKCS9_SIGNING_TIME
SPC_SP_OPUS_INFO = lief._lief.PE.TYPE.SPC_SP_OPUS_INFO
UNKNOWN = lief._lief.PE.TYPE.UNKNOWN
from_value(arg: int) lief.PE.Attribute.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property oid str

OID of the original attribute

property raw_content memoryview

Original DER blob of the attribute

property type lief.PE.Attribute.TYPE

Concrete type of the attribute


RsaInfo

class lief.PE.RsaInfo

Object representing a RSA key

property D bytes

RSA private exponent (in bytes)

property E bytes

RSA public exponent (in bytes)

property N bytes

RSA public modulus (in bytes)

property P bytes

First prime factor (in bytes)

property Q bytes

Second prime factor (in bytes)

property has_private_key bool

True if it embeds a private key

property has_public_key bool

True if it embeds a public key

property key_size int

Size of the public modulus in bits


x509

class lief.PE.x509

Interface over a x509 certificate

class KEY_TYPES
ECDSA = lief._lief.PE.KEY_TYPES.ECDSA
ECKEY = lief._lief.PE.KEY_TYPES.ECKEY
ECKEY_DH = lief._lief.PE.KEY_TYPES.ECKEY_DH
NONE = lief._lief.PE.KEY_TYPES.NONE
RSA = lief._lief.PE.KEY_TYPES.RSA
RSASSA_PSS = lief._lief.PE.KEY_TYPES.RSASSA_PSS
RSA_ALT = lief._lief.PE.KEY_TYPES.RSA_ALT
from_value(arg: int) lief.PE.x509.KEY_TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

class KEY_USAGE
CRL_SIGN = lief._lief.PE.KEY_USAGE.CRL_SIGN
DATA_ENCIPHERMENT = lief._lief.PE.KEY_USAGE.DATA_ENCIPHERMENT
DECIPHER_ONLY = lief._lief.PE.KEY_USAGE.DECIPHER_ONLY
DIGITAL_SIGNATURE = lief._lief.PE.KEY_USAGE.DIGITAL_SIGNATURE
ENCIPHER_ONLY = lief._lief.PE.KEY_USAGE.ENCIPHER_ONLY
KEY_AGREEMENT = lief._lief.PE.KEY_USAGE.KEY_AGREEMENT
KEY_CERT_SIGN = lief._lief.PE.KEY_USAGE.KEY_CERT_SIGN
KEY_ENCIPHERMENT = lief._lief.PE.KEY_USAGE.KEY_ENCIPHERMENT
NON_REPUDIATION = lief._lief.PE.KEY_USAGE.NON_REPUDIATION
from_value(arg: int) lief.PE.x509.KEY_USAGE = <nanobind.nb_func object>
property value int

The underlying integer value

class VERIFICATION_FLAGS
BADCERT_BAD_KEY = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_BAD_KEY: 65536>
BADCERT_BAD_MD = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_BAD_MD: 16384>
BADCERT_BAD_PK = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_BAD_PK: 32768>
BADCERT_CN_MISMATCH = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_CN_MISMATCH: 4>
BADCERT_EXPIRED = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_EXPIRED: 1>
BADCERT_EXT_KEY_USAGE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_EXT_KEY_USAGE: 4096>
BADCERT_FUTURE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_FUTURE: 512>
BADCERT_KEY_USAGE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_KEY_USAGE: 2048>
BADCERT_MISSING = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_MISSING: 64>
BADCERT_NOT_TRUSTED = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_NOT_TRUSTED: 8>
BADCERT_NS_CERT_TYPE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_NS_CERT_TYPE: 8192>
BADCERT_OTHERNATURE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_OTHERNATURE: 256>
BADCERT_REVOKED = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_REVOKED: 2>
BADCERT_SKIP_VERIFY = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCERT_SKIP_VERIFY: 128>
BADCRL_BAD_KEY = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCRL_BAD_KEY: 524288>
BADCRL_BAD_MD = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCRL_BAD_MD: 131072>
BADCRL_BAD_PK = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCRL_BAD_PK: 262144>
BADCRL_EXPIRED = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCRL_EXPIRED: 32>
BADCRL_FUTURE = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCRL_FUTURE: 1024>
BADCRL_NOT_TRUSTED = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.BADCRL_NOT_TRUSTED: 16>
OK = <lief._lief.PE.VERIFICATION_FLAGS.lief._lief.PE.VERIFICATION_FLAGS.OK: 0>
from_value(arg: int) lief.PE.x509.VERIFICATION_FLAGS = <nanobind.nb_func object>
property value int

The underlying integer value

property certificate_policies list[str]

Policy information terms as list of OID (see RFC #5280)

property ext_key_usage list[str]

Indicates one or more purposes for which the certified public key may be used (list of OID)

property is_ca bool
is_trusted_by(self, ca_list: list[lief.PE.x509]) lief.PE.x509.VERIFICATION_FLAGS

Verify this certificate against a list of root CA (list of x509 objects) It returns a set of flags defined by VERIFICATION_FLAGS

Example:
signer = binary.signatures[0].signers[0]
microsoft_ca_bundle = lief.PE.x509.parse("bundle.pem")
print(signer.cert.is_trusted_by(microsoft_ca_bundle))
property issuer str | bytes

Issuer of the certificate

property key_type lief.PE.x509.KEY_TYPES

Return the underlying public-key scheme (KEY_TYPES)

property key_usage list[lief.PE.x509.KEY_USAGE]

Purpose of the key contained in the certificate (see KEY_USAGE)

parse(*args) list[lief.PE.x509] = <nanobind.nb_func object>
property raw bytes

The raw bytes associated with this x509 cert (DER encoded)

property rsa_info lief.PE.RsaInfo | None

If the underlying public-key scheme is RSA, return the RsaInfo associated with this certificate. Otherwise, return None

property serial_number bytes

Unique id for certificate issued by a specific CA.

property signature bytes

The signature of the certificate

property signature_algorithm str

Signature algorithm (OID)

property subject str | bytes

Subject of the certificate

property valid_from list[int]

Start time of certificate validity

property valid_to list[int]

End time of certificate validity

verify(self, ca: lief.PE.x509) lief.PE.x509.VERIFICATION_FLAGS

Verify that this certificate has been used to trust the given x509 certificate

It returns a set of flags defined by VERIFICATION_FLAGS

Example:
ca     = lief.PE.x509.parse("ca.crt")[0]
signer = lief.PE.x509.parse("signer.crt")[0]
print(ca.verify(signer))  # lief.PE.x509.VERIFICATION_FLAGS.OK
property version int

X.509 version. (1=v1, 2=v2, 3=v3)


ContentInfo

class lief.PE.ContentInfo

ContentInfo as described in the RFC 2315

ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent

SpcIndirectDataContent ::= SEQUENCE {
 data          SpcAttributeTypeAndOptionalValue,
 messageDigest DigestInfo
}

SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
 type  ObjectID,
 value [0] EXPLICIT ANY OPTIONAL
}

For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData

DigestInfo ::= SEQUENCE {
 digestAlgorithm  AlgorithmIdentifier,
 digest           OCTETSTRING
}

AlgorithmIdentifier ::= SEQUENCE {
 algorithm  ObjectID,
 parameters [0] EXPLICIT ANY OPTIONAL
}
class Content
property content_type str

OID of the content type. This value should match SPC_INDIRECT_DATA_OBJID

copy(self) lief.PE.ContentInfo.Content | None

Duplicate the current instance of this object

property content_type str

An alias for content_type

copy(self) lief.PE.ContentInfo

Duplicate the current instance of this object

property digest bytes

Return the digest (authentihash) if the underlying content type is SPC_INDIRECT_DATA_OBJID. Return an empty vector otherwise.

property digest_algorithm lief.PE.ALGORITHMS

Return the hash algorithm used to generate the digest

property value lief.PE.ContentInfo.Content

SignerInfo

class lief.PE.SignerInfo

SignerInfo as described in the RFC 2315 #Section 9.2

SignerInfo ::= SEQUENCE {
 version                   Version,
 issuerAndSerialNumber     IssuerAndSerialNumber,
 digestAlgorithm           DigestAlgorithmIdentifier,
 authenticatedAttributes   [0] IMPLICIT Attributes OPTIONAL,
 digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
 encryptedDigest           EncryptedDigest,
 unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}

EncryptedDigest ::= OCTET STRING
property authenticated_attributes lief.PE.SignerInfo.it_const_attributes_t

Return an iterator over the authenticated attributes (Attribute)

property cert lief.PE.x509

x509 certificate used by this signer. If it can’t be found, it returns None

property digest_algorithm lief.PE.ALGORITHMS

Algorithm (ALGORITHMS) used to hash the file. This value should match ContentInfo.digest_algorithm and Signature.digest_algorithm

property encrypted_digest bytes

Return the signature created by the signing certificate’s private key

property encryption_algorithm lief.PE.ALGORITHMS

Return algorithm (ALGORITHMS) used to encrypt the digest

get_attribute(self, type: lief.PE.Attribute.TYPE) lief.PE.Attribute

Return the authenticated or un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None

get_auth_attribute(self, type: lief.PE.Attribute.TYPE) lief.PE.Attribute

Return the authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None

get_unauth_attribute(self, type: lief.PE.Attribute.TYPE) lief.PE.Attribute

Return the un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr

property issuer str | bytes

The X509 issuer used to sign the signed-data (see: lief.PE.x509.issuer)

class it_const_attributes_t

Iterator over lief._lief.PE.Attribute

property serial_number bytes

The X509 serial number used to sign the signed-data (see: lief.PE.x509.serial_number)

property unauthenticated_attributes lief.PE.SignerInfo.it_const_attributes_t

Return an iterator over the unauthenticated attributes (Attribute)

property version int

Should be 1


Builder

class lief.PE.Builder(self, pe_binary: lief._lief.PE.Binary)

Class that is used to rebuild a raw PE binary from a PE::Binary object

Constructor that takes a Binary

build(self) lief.ok_t | lief.lief_errors

Perform the build process

build_dos_stub(self, enable: bool) lief.PE.Builder

Rebuild the DOS stub

build_imports(self, enable: bool) lief.PE.Builder

Rebuild the import table into another section

build_overlay(self, enable: bool) lief.PE.Builder

Rebuild the binary’s overlay

build_relocations(self, enable: bool) lief.PE.Builder

Rebuild the relocation table in another section

build_resources(self, enable: bool) lief.PE.Builder

Rebuid the resources in another section

build_tls(self, enable: bool) lief.PE.Builder

Rebuild TLS object in another section

get_build(self) list[int]

Return the build result as a list of bytes

patch_imports(self, enable: bool) lief.PE.Builder

Patch the original import table in order to redirect functions to the new import table.

This setting should be used with build_imports set to True

write(self, output: str) None

Write the build result into the output file


Resource Node

class lief.PE.ResourceNode

Class which represents a Node in the resource tree. It is extended by lief.PE.ResourceData and lief.PE.ResourceNode

add_data_node(self, resource_data: lief.PE.ResourceData) lief.PE.ResourceNode

Add a ResourceData to the current node

add_directory_node(self, resource_directory: lief.PE.ResourceDirectory) lief.PE.ResourceNode

Add a ResourceDirectory to the current node

property childs lief.PE.ResourceNode.it_childs

Node’s childs

copy(self) lief.PE.ResourceNode | None

Duplicate the current instance of this object

delete_child(*args) None

Overloaded function.

  1. delete_child(self, node: lief._lief.PE.ResourceNode) -> None

Delete the given ResourceNode from childs

  1. delete_child(self, id: int) -> None

Delete the ResourceNode with the given id from childs

property depth int

Current depth of the entry in the resource tree

property has_name bool

True if the current resource uses a name

property id int

Integer that identifies the Type, Name, or Language ID entry.

property is_data bool

True if the current resource is a ResourceData

property is_directory bool

True if the current resource is a ResourceDirectory

class it_childs

Iterator over lief._lief.PE.ResourceNode

property name str | bytes

Resource’s name


Resource Directory

class lief.PE.ResourceDirectory(self)

Default constructor

add_data_node(self, resource_data: lief.PE.ResourceData) lief.PE.ResourceNode

Add a ResourceData to the current node

add_directory_node(self, resource_directory: lief.PE.ResourceDirectory) lief.PE.ResourceNode

Add a ResourceDirectory to the current node

property characteristics int

Resource characteristics. This field is reserved for future use. It is currently set to zero.

property childs lief.PE.ResourceNode.it_childs

Node’s childs

copy(self) lief.PE.ResourceNode | None

Duplicate the current instance of this object

delete_child(*args) None

Overloaded function.

  1. delete_child(self, node: lief._lief.PE.ResourceNode) -> None

Delete the given ResourceNode from childs

  1. delete_child(self, id: int) -> None

Delete the ResourceNode with the given id from childs

property depth int

Current depth of the entry in the resource tree

property has_name bool

True if the current resource uses a name

property id int

Integer that identifies the Type, Name, or Language ID entry.

property is_data bool

True if the current resource is a ResourceData

property is_directory bool

True if the current resource is a ResourceDirectory

class it_childs

Iterator over lief._lief.PE.ResourceNode

property major_version int

The major version number, set by the user.

property minor_version int

The minor version number, set by the user.

property name str | bytes

Resource’s name

property numberof_id_entries int

The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

property numberof_name_entries int

The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table

property time_date_stamp int

The time that the resource data was created by the resource compiler.


Resource Data

class lief.PE.ResourceData(self)
class lief.PE.ResourceData(self, content: list[int], code_page: int)

Class which represents a Data Node in the PE resources tree

Default constructor

add_data_node(self, resource_data: lief.PE.ResourceData) lief.PE.ResourceNode

Add a ResourceData to the current node

add_directory_node(self, resource_directory: lief.PE.ResourceDirectory) lief.PE.ResourceNode

Add a ResourceDirectory to the current node

property childs lief.PE.ResourceNode.it_childs

Node’s childs

property code_page int

Return the code page that is used to decode code point values within the resource data. Typically, the code page is the Unicode code page.

property content memoryview

Resource content

copy(self) lief.PE.ResourceNode | None

Duplicate the current instance of this object

delete_child(*args) None

Overloaded function.

  1. delete_child(self, node: lief._lief.PE.ResourceNode) -> None

Delete the given ResourceNode from childs

  1. delete_child(self, id: int) -> None

Delete the ResourceNode with the given id from childs

property depth int

Current depth of the entry in the resource tree

property has_name bool

True if the current resource uses a name

property id int

Integer that identifies the Type, Name, or Language ID entry.

property is_data bool

True if the current resource is a ResourceData

property is_directory bool

True if the current resource is a ResourceDirectory

class it_childs

Iterator over lief._lief.PE.ResourceNode

property name str | bytes

Resource’s name

property offset int

Offset of the content within the resource

Warning

This value can change when re-building the resource table

property reserved int

Reserved value. Should be 0


Resources Manager

class lief.PE.ResourcesManager(self, arg: lief._lief.PE.ResourceNode, /)

The Resource Manager provides an enhanced API to manipulate the resource tree

class TYPE
ACCELERATOR = lief._lief.PE.TYPE.ACCELERATOR
ANICURSOR = lief._lief.PE.TYPE.ANICURSOR
ANIICON = lief._lief.PE.TYPE.ANIICON
BITMAP = lief._lief.PE.TYPE.BITMAP
CURSOR = lief._lief.PE.TYPE.CURSOR
DIALOG = lief._lief.PE.TYPE.DIALOG
DLGINCLUDE = lief._lief.PE.TYPE.DLGINCLUDE
FONT = lief._lief.PE.TYPE.FONT
FONTDIR = lief._lief.PE.TYPE.FONTDIR
GROUP_CURSOR = lief._lief.PE.TYPE.GROUP_CURSOR
GROUP_ICON = lief._lief.PE.TYPE.GROUP_ICON
HTML = lief._lief.PE.TYPE.HTML
ICON = lief._lief.PE.TYPE.ICON
MANIFEST = lief._lief.PE.TYPE.MANIFEST
MENU = lief._lief.PE.TYPE.MENU
MESSAGETABLE = lief._lief.PE.TYPE.MESSAGETABLE
PLUGPLAY = lief._lief.PE.TYPE.PLUGPLAY
RCDATA = lief._lief.PE.TYPE.RCDATA
STRING = lief._lief.PE.TYPE.STRING
VERSION = lief._lief.PE.TYPE.VERSION
VXD = lief._lief.PE.TYPE.VXD
from_value(arg: int) lief.PE.ResourcesManager.TYPE = <nanobind.nb_func object>
property value int

The underlying integer value

property accelerator lief.PE.ResourcesManager.it_const_accelerators

Return list of ResourceAccelerator present in the resource

add_icon(self, icon: lief.PE.ResourceIcon) None

Add an icon to the resources

change_icon(self, old_one: lief.PE.ResourceIcon, new_one: lief.PE.ResourceIcon) None

Switch the given icons

property dialogs lief.PE.ResourcesManager.it_const_dialogs

Return the list of the ResourceDialog present in the resource

get_node_type(self, type: lief.PE.ResourcesManager.TYPE) lief.PE.ResourceNode

Return ResourceNode with the given TYPE or None if not found.

property has_accelerator bool

True if resources contain ResourceAccelerator

property has_dialogs bool

true if the resources contain ResourceDialog

property has_html bool

True if resources contain HTML resource

property has_icons bool

true if the resources contain ResourceIcon

property has_manifest bool

True if the resources contain a Manifest element

property has_string_table bool

True if resources contain ResourceStringTable

has_type(self, type: lief.PE.ResourcesManager.TYPE) bool

True if the resource has the given TYPE

property has_version bool

true if the resources contain a ResourceVersion

property html list[str]

HTML resource as the list of string

property icons lief.PE.ResourcesManager.it_const_icons

Return the list of the ResourceIcon present in the resource

class it_const_accelerators

Iterator over lief._lief.PE.ResourceAccelerator

class it_const_dialogs

Iterator over lief._lief.PE.ResourceDialog

class it_const_icons

Iterator over lief._lief.PE.ResourceIcon

class it_const_strings_table

Iterator over lief._lief.PE.ResourceStringTable

property manifest str | bytes

Manifest as a string

property string_table lief.PE.ResourcesManager.it_const_strings_table

Return list of ResourceStringTable present in the resource

property types list[lief.PE.ResourcesManager.TYPE]

Return list of TYPE present in the resources

property version lief.PE.ResourceVersion | lief.lief_errors

Return the ResourceVersion


Resource Icon

class lief.PE.ResourceIcon
property bit_count int

Bits per pixel

property color_count int

Number of colors in image (0 if >=8bpp)

property height int

Height in pixels of the image

property id int

Id associated with the icon

property lang int

Language associated with the icon

property pixels memoryview
property planes int

Color Planes

property reserved int

Reserved (must be 0)

save(self, filepath: str) None

Save the icon to the given filepath

property sublang int

Sublanguage associated with the icon

property width int

Width in pixels of the image


Resource Dialog

class lief.PE.ResourceDialog

Representation of a dialog box.

Windows allows two kinds of dialog box:

  • Simple one

  • Extended one

is_extended can be used to determine which one is implemented

property charset int

The character set to be used

property cx int

The width, in dialog box units, of the dialog box.

property cy int

The height, in dialog box units, of the dialog box.

property dialogbox_style_list set[lief.PE.DIALOG_BOX_STYLES]

Return list of DIALOG_BOX_STYLES associated with the style member

property extended_style int

The extended windows styles (EXTENDED_WINDOW_STYLES)

property extended_style_list set[lief.PE.DIALOG_BOX_STYLES]

Return list of EXTENDED_WINDOW_STYLES associated with the extended_style member

has_dialogbox_style(self, style: lief.PE.DIALOG_BOX_STYLES) bool

Check if the style member has the given DIALOG_BOX_STYLES

has_extended_style(self, style: lief.PE.EXTENDED_WINDOW_STYLES) bool

Check if the extended_style member has the given EXTENDED_WINDOW_STYLES

has_style(self, style: lief.PE.WINDOW_STYLES) bool

Check if the style member has the given WINDOW_STYLES

property help_id int

The help context identifier for the dialog box window

property is_extended bool

True if the dialog is an extended one

class it_const_items

Iterator over lief._lief.PE.ResourceDialogItem

property items lief.PE.ResourceDialog.it_const_items

Iterator over the controls (ResourceDialogItem) that defines the Dialog (Button, Label…)

property lang int

Primary language associated with the dialog

property point_size int

The point size of the font to use for the text in the dialog box and its controls.

property signature int

Indicate whether a template is an extended dialog box template:

  • 0xFFFF: Extended dialog box template

  • Other value: Standard dialog box template

property style int

The style of the dialog box. This member can be a combination of WINDOW_STYLES and DIALOG_BOX_STYLES

property style_list set[lief.PE.WINDOW_STYLES]

Return list of WINDOW_STYLES associated with the style member

property sub_lang int

Secondary language associated with the dialog

property title str

The title of the dialog box

property typeface str

The name of the typeface for the font

property version int

The version number of the extended dialog box template. This member must be set to 1.

property weight int

The weight of the font

property x int

The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.

property y int

The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.


Resource Dialog Item

class lief.PE.ResourceDialogItem

This class represents an item in the lief.PE.ResourceDialog

property cx int

The width, in dialog box units, of the control

property cy int

The height, in dialog box units, of the control

property extended_style int

The extended styles for the window

property help_id int

The help context identifier for the control

property id int

The control identifier

property is_extended bool

True if the control is an extended one

property style int

The style of the control. This member can be a combination of WINDOW_STYLES values and one or more of the control style values.

property title str

Initial text of the control

property x int

The x-coordinate, in dialog box units, of the upper-left corner of the control

property y int

The y-coordinate, in dialog box units, of the upper-left corner of the control


Resource Version

class lief.PE.ResourceVersion

Class that represents the data associated with the RT_VERSION entry

See: VS_VERSIONINFO

property fixed_file_info lief.PE.ResourceFixedFileInfo

ResourceFixedFileInfo associated with the version (if any). This object describes various information about the application’s version.

If not present, this property is set to None

property has_fixed_file_info bool

True if the version contains a ResourceFixedFileInfo

property has_string_file_info bool

True if the version contains a ResourceStringFileInfo

property has_var_file_info bool

True if the version contains a ResourceVarFileInfo

property key str

Signature of the structure. Must be VS_VERSION_INFO

remove_fixed_file_info(self) None

Remove the ResourceFixedFileInfo from the version

remove_string_file_info(self) None

Remove the ResourceStringFileInfo from the version

remove_var_file_info(self) None

Remove the ResourceVarFileInfo from the version

property string_file_info lief.PE.ResourceStringFileInfo

ResourceStringFileInfo associated with the version (if any) This object describes various information about the application’s version. The underlying structure is basically a dictionary (key/value)

If the current ResourceVersion does not use ResourceStringFileInfo, it returns None.

property type int

The type of data in the version resource * 1 if it contains text data * 0 if it contains binary data

property var_file_info lief.PE.ResourceVarFileInfo

ResourceVarFileInfo associated with the version (if any) This object describes information about languages supported by the application.

If the current ResourceVersion does not use ResourceVarFileInfo, it returns None.


Resource Fixed File Info

class lief.PE.ResourceFixedFileInfo

Representation of the VS_FIXEDFILEINFO structure

property file_date_LS int

The least significant 32 bits of the file’s 64-bit binary creation date and time stamp

property file_date_MS int

The most significant 32 bits of the file’s 64-bit binary creation date and time stamp

property file_flags int

Contains a bitmask that specifies the Boolean attributes of the file (FIXED_VERSION_FILE_FLAGS)

property file_flags_mask int

Contains a bitmask that specifies the valid bits in file_flags. A bit is valid only if it was defined when the file was created.

property file_os lief.PE.FIXED_VERSION_OS

The operating system for which this file was designed (FIXED_VERSION_OS)

property file_subtype lief.PE.FIXED_VERSION_FILE_SUB_TYPES

The function of the file (FIXED_VERSION_FILE_SUB_TYPES)

property file_type lief.PE.FIXED_VERSION_FILE_TYPES

The general type of file (FIXED_VERSION_FILE_TYPES)

property file_version_LS int

The least significant 32 bits of the file’s binary version number

This member is used with file_version_MS to form a 64-bits value used for numeric comparisons.

property file_version_MS int

The most significant 32 bits of the file’s binary version number

This member is used with file_version_LS to form a 64-bits value used for numeric comparisons.

property product_version_LS int

The least significant 32 bits of the product with which this file was distributed

This member is used with product_version_MS to form a 64-bits value used for numeric comparisons.

property product_version_MS int

The most significant 32 bits of the product with which this file was distributed

This member is used with product_version_LS to form a 64-bits value used for numeric comparisons.

property signature int

Must be set to 0xFEEF04BD

property struct_version int

The binary version number of this structure.

  • The high-order word of this member contains the major version number.

  • The low-order word contains the minor version number


Resource Var File Info

class lief.PE.ResourceVarFileInfo

This object describes information about languages supported by the application

property key str

Signature of the structure. Must be VarFileInfo

property translations list[int]

List of languages that the application supports

The least significant 16-bits must contain a Microsoft language identifier, and the most significant 16-bits must contain the CODE_PAGES Either most or least 16-bits can be zero, indicating that the file is language or code page independent.

property type int

The type of data in the version resource

  • 1 if it contains text data

  • 0 if it contains binary data


Resource String File Info

class lief.PE.ResourceStringFileInfo

Representation of the StringFileInfo structure

See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringfileinfo

property key str

Signature of the structure. Must be StringFileInfo

property langcode_items list[lief.PE.LangCodeItem]

List of the LangCodeItem items

Each key indicates the appropriate language and code page for displaying the key: value of items

property type int

The type of data in the version resource:

  • 1 if it contains text data

  • 0 if it contains binary data


Lang code item

class lief.PE.LangCodeItem

Class which represents the childs of the ResourceStringFileInfo

See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringtable

property code_page lief.PE.CODE_PAGES

CODE_PAGES for which items are defined.

See: https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers

property items dict
property key str

A 8-digit hexadecimal number stored as an Unicode string

  • The four most significant digits represent the language identifier.

  • The four least significant digits represent the code page for which the data is formatted.

See:

property lang int

Language for which items are defined

property sublang int

Sublanguage for which items are defined

property type int

The type of data in the version resource

  • 1 if it contains text data

  • 0 if it contains binary data


Resource String Table

class lief.PE.ResourceStringTable
property length int

The size of the string, not including length field itself.

property name str

The variable-length Unicode string data, word-aligned.


Rich Header

class lief.PE.RichHeader(self)

Class which represents the not-so-documented rich header

This structure is usually located at the end of the dos_stub and contains information about the build environment.

It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.

add_entry(*args) None

Overloaded function.

  1. add_entry(self, entry: lief._lief.PE.RichEntry) -> None

Add a new RichEntry

  1. add_entry(self, id: int, build_id: int, count: int) -> None

Add a new RichEntry given its id, build_id, count

copy(self) lief.PE.RichHeader

Duplicate the current instance of this object

property entries lief.PE.RichHeader.it_entries

Return an iterator over the RichEntry within the header

hash(*args) list[int]

Overloaded function.

  1. hash(self, algo: lief._lief.PE.ALGORITHMS) -> list[int]

    Compute the hash of the decoded rich header structure with the given hash ALGORITHMS

  2. hash(self, algo: lief._lief.PE.ALGORITHMS, xor_key: int) -> list[int]

    Compute the hash of the rich header structure encoded with the provided key and the given hash ALGORITHMS

class it_entries

Iterator over lief._lief.PE.RichEntry

property key int

Key used to encode the header (xor operation)

raw(*args) list[int]

Overloaded function.

  1. raw(self) -> list[int]

    The raw structure of the Rich header without xor-encoding.

    This function is equivalent as calling the other raw function with a xor_key set to 0

  2. raw(self, xor_key: int) -> list[int]

    Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.

    You can access the decoded data’s structure with the xor_key set to 0


Rich Entry

class lief.PE.RichEntry(self)
class lief.PE.RichEntry(self, id: int, build_id: int, count: int)

Class which represents an entry associated to the RichHeader

Contructor from id, build_id and count

property build_id int

Builder number of the tool (if any)

copy(self) lief.PE.RichEntry

Duplicate the current instance of this object

property count int

Occurrence count

property id int

Type of the entry


Debug

class lief.PE.Debug(self)

This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: ! CodeCodeView)

class TYPES
BORLAND = lief._lief.PE.TYPES.BORLAND
CLSID = lief._lief.PE.TYPES.CLSID
CODEVIEW = lief._lief.PE.TYPES.CODEVIEW
COFF = lief._lief.PE.TYPES.COFF
EXCEPTION = lief._lief.PE.TYPES.EXCEPTION
EX_DLLCHARACTERISTICS = lief._lief.PE.TYPES.EX_DLLCHARACTERISTICS
FIXUP = lief._lief.PE.TYPES.FIXUP
FPO = lief._lief.PE.TYPES.FPO
ILTCG = lief._lief.PE.TYPES.ILTCG
MISC = lief._lief.PE.TYPES.MISC
MPX = lief._lief.PE.TYPES.MPX
OMAP_FROM_SRC = lief._lief.PE.TYPES.OMAP_FROM_SRC
OMAP_TO_SRC = lief._lief.PE.TYPES.OMAP_TO_SRC
POGO = lief._lief.PE.TYPES.POGO
REPRO = lief._lief.PE.TYPES.REPRO
RESERVED = lief._lief.PE.TYPES.RESERVED
UNKNOWN = lief._lief.PE.TYPES.UNKNOWN
VC_FEATURE = lief._lief.PE.TYPES.VC_FEATURE
from_value(arg: int) lief.PE.Debug.TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

property addressof_rawdata int

Address of the debug data relative to the image base

property characteristics int

Reserved should be 0

copy(self) lief.PE.Debug | None

Duplicate the current instance of this object

property major_version int

The major version number of the debug data format.

property minor_version int

The minor version number of the debug data format.

property pointerto_rawdata int

File offset of the debug data

property sizeof_data int

Size of the debug data

property timestamp int

The time and date that the debug data was created.

property type lief.PE.Debug.TYPES

The format (TYPES) of the debugging information


Code View

class lief.PE.CodeView(self)
class lief.PE.CodeView(self, arg: lief._lief.PE.CodeView.SIGNATURES, /)
class SIGNATURES
CV_41 = lief._lief.PE.SIGNATURES.CV_41
CV_50 = lief._lief.PE.SIGNATURES.CV_50
PDB_20 = lief._lief.PE.SIGNATURES.PDB_20
PDB_70 = lief._lief.PE.SIGNATURES.PDB_70
UNKNOWN = lief._lief.PE.SIGNATURES.UNKNOWN
from_value(arg: int) lief.PE.CodeView.SIGNATURES = <nanobind.nb_func object>
property value int

The underlying integer value

class TYPES
BORLAND = lief._lief.PE.TYPES.BORLAND
CLSID = lief._lief.PE.TYPES.CLSID
CODEVIEW = lief._lief.PE.TYPES.CODEVIEW
COFF = lief._lief.PE.TYPES.COFF
EXCEPTION = lief._lief.PE.TYPES.EXCEPTION
EX_DLLCHARACTERISTICS = lief._lief.PE.TYPES.EX_DLLCHARACTERISTICS
FIXUP = lief._lief.PE.TYPES.FIXUP
FPO = lief._lief.PE.TYPES.FPO
ILTCG = lief._lief.PE.TYPES.ILTCG
MISC = lief._lief.PE.TYPES.MISC
MPX = lief._lief.PE.TYPES.MPX
OMAP_FROM_SRC = lief._lief.PE.TYPES.OMAP_FROM_SRC
OMAP_TO_SRC = lief._lief.PE.TYPES.OMAP_TO_SRC
POGO = lief._lief.PE.TYPES.POGO
REPRO = lief._lief.PE.TYPES.REPRO
RESERVED = lief._lief.PE.TYPES.RESERVED
UNKNOWN = lief._lief.PE.TYPES.UNKNOWN
VC_FEATURE = lief._lief.PE.TYPES.VC_FEATURE
from_value(arg: int) lief.PE.Debug.TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

property addressof_rawdata int

Address of the debug data relative to the image base

property characteristics int

Reserved should be 0

copy(self) lief.PE.Debug | None

Duplicate the current instance of this object

property cv_signature lief.PE.CodeView.SIGNATURES

Type of the code view (SIGNATURES)

property major_version int

The major version number of the debug data format.

property minor_version int

The minor version number of the debug data format.

property pointerto_rawdata int

File offset of the debug data

property sizeof_data int

Size of the debug data

property timestamp int

The time and date that the debug data was created.

property type lief.PE.Debug.TYPES

The format (TYPES) of the debugging information


Code View PDB

class lief.PE.CodeViewPDB(self)

CodeView PDB specialization

class SIGNATURES
CV_41 = lief._lief.PE.SIGNATURES.CV_41
CV_50 = lief._lief.PE.SIGNATURES.CV_50
PDB_20 = lief._lief.PE.SIGNATURES.PDB_20
PDB_70 = lief._lief.PE.SIGNATURES.PDB_70
UNKNOWN = lief._lief.PE.SIGNATURES.UNKNOWN
from_value(arg: int) lief.PE.CodeView.SIGNATURES = <nanobind.nb_func object>
property value int

The underlying integer value

class TYPES
BORLAND = lief._lief.PE.TYPES.BORLAND
CLSID = lief._lief.PE.TYPES.CLSID
CODEVIEW = lief._lief.PE.TYPES.CODEVIEW
COFF = lief._lief.PE.TYPES.COFF
EXCEPTION = lief._lief.PE.TYPES.EXCEPTION
EX_DLLCHARACTERISTICS = lief._lief.PE.TYPES.EX_DLLCHARACTERISTICS
FIXUP = lief._lief.PE.TYPES.FIXUP
FPO = lief._lief.PE.TYPES.FPO
ILTCG = lief._lief.PE.TYPES.ILTCG
MISC = lief._lief.PE.TYPES.MISC
MPX = lief._lief.PE.TYPES.MPX
OMAP_FROM_SRC = lief._lief.PE.TYPES.OMAP_FROM_SRC
OMAP_TO_SRC = lief._lief.PE.TYPES.OMAP_TO_SRC
POGO = lief._lief.PE.TYPES.POGO
REPRO = lief._lief.PE.TYPES.REPRO
RESERVED = lief._lief.PE.TYPES.RESERVED
UNKNOWN = lief._lief.PE.TYPES.UNKNOWN
VC_FEATURE = lief._lief.PE.TYPES.VC_FEATURE
from_value(arg: int) lief.PE.Debug.TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

property addressof_rawdata int

Address of the debug data relative to the image base

property age int
property characteristics int

Reserved should be 0

copy(self) lief.PE.Debug | None

Duplicate the current instance of this object

property cv_signature lief.PE.CodeView.SIGNATURES

Type of the code view (SIGNATURES)

property filename str

Original pdb path

property major_version int

The major version number of the debug data format.

property minor_version int

The minor version number of the debug data format.

property parent lief.PE.CodeView

Return a reference to the parent lief.PE.CodeView

property pointerto_rawdata int

File offset of the debug data

property signature list[int]
property sizeof_data int

Size of the debug data

property timestamp int

The time and date that the debug data was created.

property type lief.PE.Debug.TYPES

The format (TYPES) of the debugging information


Code Integrity

class lief.PE.CodeIntegrity(self)
property catalog int

0xFFFF means not available

property catalog_offset int
property flags int

Flags to indicate if CI information is available, etc.

property reserved int

Additional bitmask to be defined later


Pogo

class lief.PE.Pogo(self)
class SIGNATURES
LCTG = lief._lief.PE.SIGNATURES.LCTG
PGI = lief._lief.PE.SIGNATURES.PGI
UNKNOWN = lief._lief.PE.SIGNATURES.UNKNOWN
ZERO = lief._lief.PE.SIGNATURES.ZERO
from_value(arg: int) lief.PE.Pogo.SIGNATURES = <nanobind.nb_func object>
property value int

The underlying integer value

class TYPES
BORLAND = lief._lief.PE.TYPES.BORLAND
CLSID = lief._lief.PE.TYPES.CLSID
CODEVIEW = lief._lief.PE.TYPES.CODEVIEW
COFF = lief._lief.PE.TYPES.COFF
EXCEPTION = lief._lief.PE.TYPES.EXCEPTION
EX_DLLCHARACTERISTICS = lief._lief.PE.TYPES.EX_DLLCHARACTERISTICS
FIXUP = lief._lief.PE.TYPES.FIXUP
FPO = lief._lief.PE.TYPES.FPO
ILTCG = lief._lief.PE.TYPES.ILTCG
MISC = lief._lief.PE.TYPES.MISC
MPX = lief._lief.PE.TYPES.MPX
OMAP_FROM_SRC = lief._lief.PE.TYPES.OMAP_FROM_SRC
OMAP_TO_SRC = lief._lief.PE.TYPES.OMAP_TO_SRC
POGO = lief._lief.PE.TYPES.POGO
REPRO = lief._lief.PE.TYPES.REPRO
RESERVED = lief._lief.PE.TYPES.RESERVED
UNKNOWN = lief._lief.PE.TYPES.UNKNOWN
VC_FEATURE = lief._lief.PE.TYPES.VC_FEATURE
from_value(arg: int) lief.PE.Debug.TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

property addressof_rawdata int

Address of the debug data relative to the image base

property characteristics int

Reserved should be 0

copy(self) lief.PE.Debug | None

Duplicate the current instance of this object

property entries lief.PE.Pogo.it_entries
class it_entries

Iterator over lief._lief.PE.PogoEntry

property major_version int

The major version number of the debug data format.

property minor_version int

The minor version number of the debug data format.

property pointerto_rawdata int

File offset of the debug data

property signature lief.PE.Pogo.SIGNATURES

Type of the pogo (SIGNATURES)

property sizeof_data int

Size of the debug data

property timestamp int

The time and date that the debug data was created.

property type lief.PE.Debug.TYPES

The format (TYPES) of the debugging information


Pogo Entry

class lief.PE.PogoEntry(self)
copy(self) lief.PE.PogoEntry

Duplicate the current instance of this object

property name str | bytes
property size int
property start_rva int

Repro

class lief.PE.Repro

This class represents a reproducible build entry from the debug directory. (IMAGE_DEBUG_TYPE_REPRO). This entry is usually generated with the undocumented /Brepro linker flag.

See: https://nikhilism.com/post/2020/windows-deterministic-builds/

class TYPES
BORLAND = lief._lief.PE.TYPES.BORLAND
CLSID = lief._lief.PE.TYPES.CLSID
CODEVIEW = lief._lief.PE.TYPES.CODEVIEW
COFF = lief._lief.PE.TYPES.COFF
EXCEPTION = lief._lief.PE.TYPES.EXCEPTION
EX_DLLCHARACTERISTICS = lief._lief.PE.TYPES.EX_DLLCHARACTERISTICS
FIXUP = lief._lief.PE.TYPES.FIXUP
FPO = lief._lief.PE.TYPES.FPO
ILTCG = lief._lief.PE.TYPES.ILTCG
MISC = lief._lief.PE.TYPES.MISC
MPX = lief._lief.PE.TYPES.MPX
OMAP_FROM_SRC = lief._lief.PE.TYPES.OMAP_FROM_SRC
OMAP_TO_SRC = lief._lief.PE.TYPES.OMAP_TO_SRC
POGO = lief._lief.PE.TYPES.POGO
REPRO = lief._lief.PE.TYPES.REPRO
RESERVED = lief._lief.PE.TYPES.RESERVED
UNKNOWN = lief._lief.PE.TYPES.UNKNOWN
VC_FEATURE = lief._lief.PE.TYPES.VC_FEATURE
from_value(arg: int) lief.PE.Debug.TYPES = <nanobind.nb_func object>
property value int

The underlying integer value

property addressof_rawdata int

Address of the debug data relative to the image base

property characteristics int

Reserved should be 0

copy(self) lief.PE.Debug | None

Duplicate the current instance of this object

property hash memoryview

The hash associated with the reproducible build

property major_version int

The major version number of the debug data format.

property minor_version int

The minor version number of the debug data format.

property pointerto_rawdata int

File offset of the debug data

property sizeof_data int

Size of the debug data

property timestamp int

The time and date that the debug data was created.

property type lief.PE.Debug.TYPES

The format (TYPES) of the debugging information


Load Configuration

class lief.PE.LoadConfiguration(self)

Class that represents the default PE’s LoadConfiguration It’s the base class for any future versions of the structure

class VERSION
SEH = lief._lief.PE.VERSION.SEH
UNKNOWN = lief._lief.PE.VERSION.UNKNOWN
WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286
WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383
WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901
WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002
WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237
WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362
WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534
WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879
WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019
WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16
WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1
from_value(arg: int) lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

Characteristics of the structure.

copy(self) lief.PE.LoadConfiguration

Duplicate the current instance of this object

property critical_section_default_timeout int

The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version int

The service pack version identifier.

property decommit_free_block_threshold int

Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold int

Total amount of free memory, in bytes

property dependent_load_flags int

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property editlist int

Reserved for use by the system.

property global_flags_clear int

The global loader flags to clear for this process as the loader start the process.

property global_flags_set int

The global loader flags to set for this process as the loader starts the process.

property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version int

Major Version

property maximum_allocation_size int

Maximum allocation size, in bytes.

property minor_version int

Minor version

property process_affinity_mask int

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags int

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 int

Must be zero.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property size int

Size of the structure which is an alias for characteristics

property timedatestamp int

Date and time stamp value

property version lief.PE.LoadConfiguration.VERSION

(SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold int

Maximum virtual memory size, in bytes.

Load Configuration V0

class lief.PE.LoadConfigurationV0(self)

Bases: LoadConfiguration

LoadConfiguration enhanced with SEH. It is associated with the WIN_VERSION: SEH

class VERSION

Bases: object

SEH = lief._lief.PE.VERSION.SEH
UNKNOWN = lief._lief.PE.VERSION.UNKNOWN
WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286
WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383
WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901
WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002
WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237
WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362
WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534
WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879
WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019
WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16
WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1
from_value(arg: int) lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

Characteristics of the structure.

copy(self) lief.PE.LoadConfigurationV0

Duplicate the current instance of this object

property critical_section_default_timeout int

The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version int

The service pack version identifier.

property decommit_free_block_threshold int

Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold int

Total amount of free memory, in bytes

property dependent_load_flags int

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property editlist int

Reserved for use by the system.

property global_flags_clear int

The global loader flags to clear for this process as the loader start the process.

property global_flags_set int

The global loader flags to set for this process as the loader starts the process.

property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version int

Major Version

property maximum_allocation_size int

Maximum allocation size, in bytes.

property minor_version int

Minor version

property process_affinity_mask int

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags int

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 int

Must be zero.

property se_handler_count int

The count of unique handlers in the table.

property se_handler_table int

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property size int

Size of the structure which is an alias for characteristics

property timedatestamp int

Date and time stamp value

property version lief.PE.LoadConfiguration.VERSION

(SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold int

Maximum virtual memory size, in bytes.

Load Configuration V1

class lief.PE.LoadConfigurationV1(self)

Bases: LoadConfigurationV0

LoadConfigurationV0 enhanced with Control Flow Guard. It is associated with the WIN_VERSION set to WIN_8_1

class IMAGE_GUARD

Bases: object

CFW_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CFW_INSTRUMENTED: 512>
CF_ENABLE_EXPORT_SUPPRESSION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_ENABLE_EXPORT_SUPPRESSION: 32768>
CF_EXPORT_SUPPRESSION_INFO_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_EXPORT_SUPPRESSION_INFO_PRESENT: 16384>
CF_FUNCTION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_FUNCTION_TABLE_PRESENT: 1024>
CF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_INSTRUMENTED: 256>
CF_LONGJUMP_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_LONGJUMP_TABLE_PRESENT: 65536>
DELAYLOAD_IAT_IN_ITS_OWN_SECTION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.DELAYLOAD_IAT_IN_ITS_OWN_SECTION: 8192>
EH_CONTINUATION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.EH_CONTINUATION_TABLE_PRESENT: 2097152>
NONE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.NONE: 0>
PROTECT_DELAYLOAD_IAT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.PROTECT_DELAYLOAD_IAT: 4096>
RETPOLINE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RETPOLINE_PRESENT: 1048576>
RF_ENABLE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_ENABLE: 262144>
RF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_INSTRUMENTED: 131072>
RF_STRICT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_STRICT: 524288>
from_value(arg: int) lief.PE.LoadConfigurationV1.IMAGE_GUARD = <nanobind.nb_func object>
property value int

The underlying integer value

class VERSION

Bases: object

SEH = lief._lief.PE.VERSION.SEH
UNKNOWN = lief._lief.PE.VERSION.UNKNOWN
WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286
WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383
WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901
WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002
WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237
WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362
WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534
WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879
WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019
WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16
WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1
from_value(arg: int) lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

Characteristics of the structure.

copy(self) lief.PE.LoadConfigurationV1

Duplicate the current instance of this object

property critical_section_default_timeout int

The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version int

The service pack version identifier.

property decommit_free_block_threshold int

Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold int

Total amount of free memory, in bytes

property dependent_load_flags int

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property editlist int

Reserved for use by the system.

property global_flags_clear int

The global loader flags to clear for this process as the loader start the process.

property global_flags_set int

The global loader flags to set for this process as the loader starts the process.

property guard_cf_check_function_pointer int

The VA where Control Flow Guard check-function pointer is stored.

property guard_cf_dispatch_function_pointer int

The VA where Control Flow Guard dispatch-function pointer is stored.

property guard_cf_flags_list list[lief.PE.LoadConfigurationV1.IMAGE_GUARD]

Return list of GUARD_CF_FLAGS present in guard_flags

property guard_cf_function_count int

The count of unique RVAs in the guard_cf_function_table

property guard_cf_function_table int

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

property guard_flags lief.PE.LoadConfigurationV1.IMAGE_GUARD

Control Flow Guard related flags.

has(self, flag: lief.PE.LoadConfigurationV1.IMAGE_GUARD) bool

Check if the given GUARD_CF_FLAGS is present in guard_flags

property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version int

Major Version

property maximum_allocation_size int

Maximum allocation size, in bytes.

property minor_version int

Minor version

property process_affinity_mask int

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags int

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 int

Must be zero.

property se_handler_count int

The count of unique handlers in the table.

property se_handler_table int

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property size int

Size of the structure which is an alias for characteristics

property timedatestamp int

Date and time stamp value

property version lief.PE.LoadConfiguration.VERSION

(SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold int

Maximum virtual memory size, in bytes.

Load Configuration V2

class lief.PE.LoadConfigurationV2(self)

Bases: LoadConfigurationV1

LoadConfigurationV1 enhanced with code integrity. It is associated with the WIN_VERSION set to WIN10_0_9879

class IMAGE_GUARD

Bases: object

CFW_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CFW_INSTRUMENTED: 512>
CF_ENABLE_EXPORT_SUPPRESSION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_ENABLE_EXPORT_SUPPRESSION: 32768>
CF_EXPORT_SUPPRESSION_INFO_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_EXPORT_SUPPRESSION_INFO_PRESENT: 16384>
CF_FUNCTION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_FUNCTION_TABLE_PRESENT: 1024>
CF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_INSTRUMENTED: 256>
CF_LONGJUMP_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_LONGJUMP_TABLE_PRESENT: 65536>
DELAYLOAD_IAT_IN_ITS_OWN_SECTION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.DELAYLOAD_IAT_IN_ITS_OWN_SECTION: 8192>
EH_CONTINUATION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.EH_CONTINUATION_TABLE_PRESENT: 2097152>
NONE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.NONE: 0>
PROTECT_DELAYLOAD_IAT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.PROTECT_DELAYLOAD_IAT: 4096>
RETPOLINE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RETPOLINE_PRESENT: 1048576>
RF_ENABLE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_ENABLE: 262144>
RF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_INSTRUMENTED: 131072>
RF_STRICT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_STRICT: 524288>
from_value(arg: int) lief.PE.LoadConfigurationV1.IMAGE_GUARD = <nanobind.nb_func object>
property value int

The underlying integer value

class VERSION

Bases: object

SEH = lief._lief.PE.VERSION.SEH
UNKNOWN = lief._lief.PE.VERSION.UNKNOWN
WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286
WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383
WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901
WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002
WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237
WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362
WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534
WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879
WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019
WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16
WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1
from_value(arg: int) lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

Characteristics of the structure.

property code_integrity lief.PE.CodeIntegrity

CodeIntegrity object

copy(self) lief.PE.LoadConfigurationV2

Duplicate the current instance of this object

property critical_section_default_timeout int

The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version int

The service pack version identifier.

property decommit_free_block_threshold int

Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold int

Total amount of free memory, in bytes

property dependent_load_flags int

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property editlist int

Reserved for use by the system.

property global_flags_clear int

The global loader flags to clear for this process as the loader start the process.

property global_flags_set int

The global loader flags to set for this process as the loader starts the process.

property guard_cf_check_function_pointer int

The VA where Control Flow Guard check-function pointer is stored.

property guard_cf_dispatch_function_pointer int

The VA where Control Flow Guard dispatch-function pointer is stored.

property guard_cf_flags_list list[lief.PE.LoadConfigurationV1.IMAGE_GUARD]

Return list of GUARD_CF_FLAGS present in guard_flags

property guard_cf_function_count int

The count of unique RVAs in the guard_cf_function_table

property guard_cf_function_table int

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

property guard_flags lief.PE.LoadConfigurationV1.IMAGE_GUARD

Control Flow Guard related flags.

has(self, flag: lief.PE.LoadConfigurationV1.IMAGE_GUARD) bool

Check if the given GUARD_CF_FLAGS is present in guard_flags

property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version int

Major Version

property maximum_allocation_size int

Maximum allocation size, in bytes.

property minor_version int

Minor version

property process_affinity_mask int

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags int

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 int

Must be zero.

property se_handler_count int

The count of unique handlers in the table.

property se_handler_table int

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property size int

Size of the structure which is an alias for characteristics

property timedatestamp int

Date and time stamp value

property version lief.PE.LoadConfiguration.VERSION

(SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold int

Maximum virtual memory size, in bytes.

Load Configuration V3

class lief.PE.LoadConfigurationV3(self)

Bases: LoadConfigurationV2

LoadConfigurationV2 with Control Flow Guard improved.

It is associated with the WIN_VERSION set to WIN10_0_14286

class IMAGE_GUARD

Bases: object

CFW_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CFW_INSTRUMENTED: 512>
CF_ENABLE_EXPORT_SUPPRESSION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_ENABLE_EXPORT_SUPPRESSION: 32768>
CF_EXPORT_SUPPRESSION_INFO_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_EXPORT_SUPPRESSION_INFO_PRESENT: 16384>
CF_FUNCTION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_FUNCTION_TABLE_PRESENT: 1024>
CF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_INSTRUMENTED: 256>
CF_LONGJUMP_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_LONGJUMP_TABLE_PRESENT: 65536>
DELAYLOAD_IAT_IN_ITS_OWN_SECTION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.DELAYLOAD_IAT_IN_ITS_OWN_SECTION: 8192>
EH_CONTINUATION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.EH_CONTINUATION_TABLE_PRESENT: 2097152>
NONE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.NONE: 0>
PROTECT_DELAYLOAD_IAT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.PROTECT_DELAYLOAD_IAT: 4096>
RETPOLINE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RETPOLINE_PRESENT: 1048576>
RF_ENABLE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_ENABLE: 262144>
RF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_INSTRUMENTED: 131072>
RF_STRICT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_STRICT: 524288>
from_value(arg: int) lief.PE.LoadConfigurationV1.IMAGE_GUARD = <nanobind.nb_func object>
property value int

The underlying integer value

class VERSION

Bases: object

SEH = lief._lief.PE.VERSION.SEH
UNKNOWN = lief._lief.PE.VERSION.UNKNOWN
WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286
WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383
WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901
WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002
WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237
WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362
WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534
WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879
WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019
WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16
WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1
from_value(arg: int) lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

Characteristics of the structure.

property code_integrity lief.PE.CodeIntegrity

CodeIntegrity object

copy(self) lief.PE.LoadConfigurationV3

Duplicate the current instance of this object

property critical_section_default_timeout int

The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version int

The service pack version identifier.

property decommit_free_block_threshold int

Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold int

Total amount of free memory, in bytes

property dependent_load_flags int

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property editlist int

Reserved for use by the system.

property global_flags_clear int

The global loader flags to clear for this process as the loader start the process.

property global_flags_set int

The global loader flags to set for this process as the loader starts the process.

property guard_address_taken_iat_entry_count int

Number of entries in the guard_address_taken_iat_entry_table

property guard_address_taken_iat_entry_table int

VA of a table associated with CFG’s IAT checks

property guard_cf_check_function_pointer int

The VA where Control Flow Guard check-function pointer is stored.

property guard_cf_dispatch_function_pointer int

The VA where Control Flow Guard dispatch-function pointer is stored.

property guard_cf_flags_list list[lief.PE.LoadConfigurationV1.IMAGE_GUARD]

Return list of GUARD_CF_FLAGS present in guard_flags

property guard_cf_function_count int

The count of unique RVAs in the guard_cf_function_table

property guard_cf_function_table int

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

property guard_flags lief.PE.LoadConfigurationV1.IMAGE_GUARD

Control Flow Guard related flags.

property guard_long_jump_target_count int

Number of entries in the guard_address_taken_iat_entry_table

property guard_long_jump_target_table int

VA of a table associated with CFG’s long jump

has(self, flag: lief.PE.LoadConfigurationV1.IMAGE_GUARD) bool

Check if the given GUARD_CF_FLAGS is present in guard_flags

property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version int

Major Version

property maximum_allocation_size int

Maximum allocation size, in bytes.

property minor_version int

Minor version

property process_affinity_mask int

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags int

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 int

Must be zero.

property se_handler_count int

The count of unique handlers in the table.

property se_handler_table int

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property size int

Size of the structure which is an alias for characteristics

property timedatestamp int

Date and time stamp value

property version lief.PE.LoadConfiguration.VERSION

(SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold int

Maximum virtual memory size, in bytes.

Load Configuration V4

class lief.PE.LoadConfigurationV4(self)

Bases: LoadConfigurationV3

LoadConfigurationV3 enhanced with:

  • Kind of dynamic relocations

  • Hybrid Metadata Pointer

It is associated with the WIN_VERSION set to WIN10_0_14383

class IMAGE_GUARD

Bases: object

CFW_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CFW_INSTRUMENTED: 512>
CF_ENABLE_EXPORT_SUPPRESSION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_ENABLE_EXPORT_SUPPRESSION: 32768>
CF_EXPORT_SUPPRESSION_INFO_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_EXPORT_SUPPRESSION_INFO_PRESENT: 16384>
CF_FUNCTION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_FUNCTION_TABLE_PRESENT: 1024>
CF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_INSTRUMENTED: 256>
CF_LONGJUMP_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_LONGJUMP_TABLE_PRESENT: 65536>
DELAYLOAD_IAT_IN_ITS_OWN_SECTION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.DELAYLOAD_IAT_IN_ITS_OWN_SECTION: 8192>
EH_CONTINUATION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.EH_CONTINUATION_TABLE_PRESENT: 2097152>
NONE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.NONE: 0>
PROTECT_DELAYLOAD_IAT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.PROTECT_DELAYLOAD_IAT: 4096>
RETPOLINE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RETPOLINE_PRESENT: 1048576>
RF_ENABLE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_ENABLE: 262144>
RF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_INSTRUMENTED: 131072>
RF_STRICT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_STRICT: 524288>
from_value(arg: int) lief.PE.LoadConfigurationV1.IMAGE_GUARD = <nanobind.nb_func object>
property value int

The underlying integer value

class VERSION

Bases: object

SEH = lief._lief.PE.VERSION.SEH
UNKNOWN = lief._lief.PE.VERSION.UNKNOWN
WIN_10_0_14286 = lief._lief.PE.VERSION.WIN_10_0_14286
WIN_10_0_14383 = lief._lief.PE.VERSION.WIN_10_0_14383
WIN_10_0_14901 = lief._lief.PE.VERSION.WIN_10_0_14901
WIN_10_0_15002 = lief._lief.PE.VERSION.WIN_10_0_15002
WIN_10_0_16237 = lief._lief.PE.VERSION.WIN_10_0_16237
WIN_10_0_18362 = lief._lief.PE.VERSION.WIN_10_0_18362
WIN_10_0_19534 = lief._lief.PE.VERSION.WIN_10_0_19534
WIN_10_0_9879 = lief._lief.PE.VERSION.WIN_10_0_9879
WIN_10_0_MSVC_2019 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019
WIN_10_0_MSVC_2019_16 = lief._lief.PE.VERSION.WIN_10_0_MSVC_2019_16
WIN_8_1 = lief._lief.PE.VERSION.WIN_8_1
from_value(arg: int) lief.PE.LoadConfiguration.VERSION = <nanobind.nb_func object>
property value int

The underlying integer value

property characteristics int

Characteristics of the structure.

property code_integrity lief.PE.CodeIntegrity

CodeIntegrity object

copy(self) lief.PE.LoadConfigurationV4

Duplicate the current instance of this object

property critical_section_default_timeout int

The default timeout value to use for is process’s critical sections that are abandoned.

property csd_version int

The service pack version identifier.

property decommit_free_block_threshold int

Memory that must be freed before it is returned to the system, in bytes.

property decommit_total_free_threshold int

Total amount of free memory, in bytes

property dependent_load_flags int

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1

property dynamic_value_reloc_table int

VA of pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE

property editlist int

Reserved for use by the system.

property global_flags_clear int

The global loader flags to clear for this process as the loader start the process.

property global_flags_set int

The global loader flags to set for this process as the loader starts the process.

property guard_address_taken_iat_entry_count int

Number of entries in the guard_address_taken_iat_entry_table

property guard_address_taken_iat_entry_table int

VA of a table associated with CFG’s IAT checks

property guard_cf_check_function_pointer int

The VA where Control Flow Guard check-function pointer is stored.

property guard_cf_dispatch_function_pointer int

The VA where Control Flow Guard dispatch-function pointer is stored.

property guard_cf_flags_list list[lief.PE.LoadConfigurationV1.IMAGE_GUARD]

Return list of GUARD_CF_FLAGS present in guard_flags

property guard_cf_function_count int

The count of unique RVAs in the guard_cf_function_table

property guard_cf_function_table int

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

property guard_flags lief.PE.LoadConfigurationV1.IMAGE_GUARD

Control Flow Guard related flags.

property guard_long_jump_target_count int

Number of entries in the guard_address_taken_iat_entry_table

property guard_long_jump_target_table int

VA of a table associated with CFG’s long jump

has(self, flag: lief.PE.LoadConfigurationV1.IMAGE_GUARD) bool

Check if the given GUARD_CF_FLAGS is present in guard_flags

property hybrid_metadata_pointer int
property lock_prefix_table int

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

property major_version int

Major Version

property maximum_allocation_size int

Maximum allocation size, in bytes.

property minor_version int

Minor version

property process_affinity_mask int

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

property process_heap_flags int

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

property reserved1 int

Must be zero.

property se_handler_count int

The count of unique handlers in the table.

property se_handler_table int

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

A pointer to a cookie that is used by Visual C++ or GS implementation.

property size int

Size of the structure which is an alias for characteristics

property timedatestamp int

Date and time stamp value

property version lief.PE.LoadConfiguration.VERSION

(SDK) Version of the structure. (WIN_VERSION)

property virtual_memory_threshold int

Maximum virtual memory size, in bytes.

Load Configuration V5

class lief.PE.LoadConfigurationV5(self)

Bases: LoadConfigurationV4

LoadConfigurationV4 enhanced nhanced with Return Flow Guard.

It is associated with the WIN_VERSION set to WIN10_0_14901

class IMAGE_GUARD

Bases: object

CFW_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CFW_INSTRUMENTED: 512>
CF_ENABLE_EXPORT_SUPPRESSION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_ENABLE_EXPORT_SUPPRESSION: 32768>
CF_EXPORT_SUPPRESSION_INFO_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_EXPORT_SUPPRESSION_INFO_PRESENT: 16384>
CF_FUNCTION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_FUNCTION_TABLE_PRESENT: 1024>
CF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_INSTRUMENTED: 256>
CF_LONGJUMP_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.CF_LONGJUMP_TABLE_PRESENT: 65536>
DELAYLOAD_IAT_IN_ITS_OWN_SECTION = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.DELAYLOAD_IAT_IN_ITS_OWN_SECTION: 8192>
EH_CONTINUATION_TABLE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.EH_CONTINUATION_TABLE_PRESENT: 2097152>
NONE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.NONE: 0>
PROTECT_DELAYLOAD_IAT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.PROTECT_DELAYLOAD_IAT: 4096>
RETPOLINE_PRESENT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RETPOLINE_PRESENT: 1048576>
RF_ENABLE = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_ENABLE: 262144>
RF_INSTRUMENTED = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_INSTRUMENTED: 131072>
RF_STRICT = <lief._lief.PE.IMAGE_GUARD.lief._lief.PE.IMAGE_GUARD.RF_STRICT: 524288>
from_value(arg: int) lief.PE.LoadConfigurationV1.IMAGE_GUARD = <nanobind.nb_func object>
property value int

The underlying integer value

class VERSION