LIEF: Library to Instrument Executable Formats Version 1.0.0
Loading...
Searching...
No Matches
PE/Parser.hpp
Go to the documentation of this file.
1/* Copyright 2017 - 2026 R. Thomas
2 * Copyright 2017 - 2026 Quarkslab
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16#ifndef LIEF_PE_PARSER_H
17#define LIEF_PE_PARSER_H
18
19#include <string>
20#include <vector>
21#include <map>
22
23#include "LIEF/visibility.h"
24#include "LIEF/utils.hpp"
25#include "LIEF/errors.hpp"
26
28#include "LIEF/PE/enums.hpp"
30#include "LIEF/COFF/String.hpp"
31
32namespace LIEF {
33class BinaryStream;
34class SpanStream;
35
36namespace PE {
37class Debug;
38class ResourceNode;
39class Binary;
40class DelayImport;
41class Section;
42class ExceptionInfo;
44class RelocationEntry;
45
46namespace details {
47struct pe_debug;
48struct pe_section;
49}
50
54 public:
56 static constexpr size_t MAX_DATA_SIZE = 3_GB;
57
58 static constexpr size_t MAX_TLS_CALLBACKS = 3000;
59
60 // Bounds the import thunk loop to prevent hangs on malformed IATs
61 static constexpr size_t MAX_IMPORT_ENTRIES = 0x10000;
62
63 // Bounds peek_string_at to prevent multi-megabyte reads on invalid RVAs
64 // According to https://stackoverflow.com/a/23340781
65 static constexpr size_t MAX_IMPORT_NAME_SIZE = 0x1000;
66
67 // According to https://stackoverflow.com/a/265782/87207
68 static constexpr size_t MAX_DLL_NAME_SIZE = 255;
69
71 static constexpr size_t MAX_PADDING_SIZE = 1_GB;
72
73 public:
80 static bool is_valid_import_name(const std::string& name);
81
87 static bool is_valid_dll_name(const std::string& name);
88
89 public:
91 static std::unique_ptr<Binary>
92 parse(const std::string& filename,
94
96 static std::unique_ptr<Binary>
97 parse(std::vector<uint8_t> data,
99
100 static std::unique_ptr<Binary>
101 parse(const uint8_t* buffer, size_t size,
103
105 static std::unique_ptr<Binary>
106 parse(std::unique_ptr<BinaryStream> stream,
108
110 static std::unique_ptr<Binary>
111 parse_from_memory(uintptr_t address,
113
115 static std::unique_ptr<Binary>
116 parse_from_memory(uintptr_t address, size_t size,
118
128 static std::unique_ptr<Binary>
129 parse_from_dump(const std::string& filepath, uint64_t addr,
131
134 static std::unique_ptr<Binary>
137
140 static std::unique_ptr<Binary>
141 parse_from_dump(std::unique_ptr<BinaryStream> stream, uint64_t addr,
143
144 Parser& operator=(const Parser& copy) = delete;
145 Parser(const Parser& copy) = delete;
146
147 COFF::String* find_coff_string(uint32_t offset) const;
148
149 ExceptionInfo* find_exception_info(uint32_t rva) const {
150 auto it = memoize_exception_info_.find(rva);
151 return it == memoize_exception_info_.end() ? nullptr : it->second;
152 }
153
154 const Binary& bin() const {
155 return *binary_;
156 }
157
159 return *binary_;
160 }
161
163 return *stream_;
164 }
165
166 const ParserConfig& config() const {
167 return config_;
168 }
169
172
173 void add_non_resolved(ExceptionInfo& info, uint32_t target) {
174 unresolved_chains_.emplace_back(&info, target);
175 }
176
177 std::unique_ptr<SpanStream> stream_from_rva(uint32_t rva, size_t size = 0);
178
179 void record_relocation(uint32_t rva, span<const uint8_t> data);
180 ok_error_t record_delta_relocation(uint32_t rva, int64_t delta, size_t size);
181
182 private:
183 struct relocation_t {
184 uint64_t size = 0;
185 uint64_t value = 0;
186 };
187 Parser(const std::string& file);
188 Parser(std::vector<uint8_t> data);
189 Parser(std::unique_ptr<BinaryStream> stream);
190
191 ~Parser() override;
192 Parser();
193
194 ok_error_t init(const ParserConfig& config);
195
196 template<typename PE_T>
197 ok_error_t parse();
198
199 ok_error_t parse_exports();
200 ok_error_t parse_sections();
201
202 ok_error_t read_section_content(const details::pe_section& raw_sec,
203 uint32_t index, Section& section);
204
205 template<typename PE_T>
206 ok_error_t parse_headers();
207
208 ok_error_t parse_configuration();
209
210 template<typename PE_T>
211 ok_error_t parse_data_directories();
212
213 template<typename PE_T>
214 ok_error_t parse_import_table();
215
216 template<typename PE_T>
217 ok_error_t parse_delay_imports();
218
219 template<typename PE_T>
220 ok_error_t parse_delay_names_table(DelayImport& import, uint32_t names_offset,
221 uint32_t iat_offset);
222
223 ok_error_t parse_export_table();
224 ok_error_t parse_debug();
225
226 ok_error_t parse_exceptions();
227
228 std::unique_ptr<Debug> parse_code_view(const details::pe_debug& debug_info,
229 Section* sec, span<uint8_t> payload);
230 std::unique_ptr<Debug> parse_pogo(const details::pe_debug& debug_info,
231 Section* sec, span<uint8_t> payload);
232 std::unique_ptr<Debug> parse_repro(const details::pe_debug& debug_info,
233 Section* sec, span<uint8_t> payload);
234
235 template<typename PE_T>
236 ok_error_t parse_tls();
237
238 template<typename PE_T>
239 ok_error_t parse_load_config();
240
241 template<typename PE_T>
242 ok_error_t process_load_config(LoadConfiguration& config);
243
244 template<typename PE_T>
245 ok_error_t parse_nested_relocated();
246
247 ok_error_t parse_relocations();
248 ok_error_t parse_resources();
249 ok_error_t parse_string_table();
250 ok_error_t parse_symbols();
251 ok_error_t parse_signature();
252 ok_error_t parse_overlay();
253 ok_error_t parse_dos_stub();
254 ok_error_t parse_rich_header();
255 ok_error_t parse_chpe_exceptions();
256
257 template<typename PE_T>
258 ok_error_t undo_relocations();
259
260 template<typename PE_T>
261 ok_error_t fix_iat();
262
263 template<typename PE_T>
264 ok_error_t fix_tls();
265
266 template<typename PE_T>
267 ok_error_t fix_load_config();
268
270 std::unique_ptr<Binary> binary_;
271 std::unique_ptr<BinaryStream> stream_;
272 std::map<uint32_t, size_t> memoize_coff_str_;
273 std::map<uint32_t, ExceptionInfo*> memoize_exception_info_;
274 std::map<uint32_t, relocation_t> dyn_hdr_relocs_;
275 std::vector<std::pair<ExceptionInfo*, uint32_t>> unresolved_chains_;
276 ParserConfig config_;
277};
278
279
280}
281}
282#endif
Class that is used to a read stream of data from different sources.
Definition BinaryStream.hpp:35
This class represents a string located in the COFF string table.
Definition String.hpp:34
Class which represents a PE binary This is the main interface to manage and modify a PE executable.
Definition PE/Binary.hpp:57
This class represents a generic entry in the debug data directory. For known types,...
Definition debug/Debug.hpp:40
Class that represents a PE delayed import.
Definition DelayImport.hpp:37
This class is the base class for any exception or runtime function entry.
Definition ExceptionInfo.hpp:33
This class represents the load configuration data associated with the IMAGE_LOAD_CONFIG_DIRECTORY.
Definition LoadConfiguration.hpp:47
Main interface to parse PE binaries. In particular, the static Parser::parse functions should be used...
Definition PE/Parser.hpp:53
static std::unique_ptr< Binary > parse_from_dump(BinaryStream &stream, uint64_t addr, const ParserConfig &config=ParserConfig::default_conf())
Same as parse_from_dump(const std::string&, uint64_t, const ParserConfig&) but the dump is wrapped in...
static std::unique_ptr< Binary > parse_from_dump(const std::string &filepath, uint64_t addr, const ParserConfig &config=ParserConfig::default_conf())
Parse a PE binary from a memory dump located on disk.
static constexpr size_t MAX_IMPORT_ENTRIES
Definition PE/Parser.hpp:61
static constexpr size_t MAX_DLL_NAME_SIZE
Definition PE/Parser.hpp:68
static bool is_valid_import_name(const std::string &name)
Check if the given name is a valid import.
static constexpr size_t MAX_IMPORT_NAME_SIZE
Definition PE/Parser.hpp:65
static bool is_valid_dll_name(const std::string &name)
Check if the given name is a valid DLL name.
static std::unique_ptr< Binary > parse_from_memory(uintptr_t address, const ParserConfig &config=ParserConfig::default_conf())
Parse the PE binary at the given memory address.
void memoize(ExceptionInfo &info)
static std::unique_ptr< Binary > parse(std::unique_ptr< BinaryStream > stream, const ParserConfig &conf=ParserConfig::default_conf())
Parse a PE binary from the given BinaryStream.
Binary & bin()
Definition PE/Parser.hpp:158
const Binary & bin() const
Definition PE/Parser.hpp:154
static std::unique_ptr< Binary > parse(const uint8_t *buffer, size_t size, const ParserConfig &conf=ParserConfig::default_conf())
COFF::String * find_coff_string(uint32_t offset) const
ExceptionInfo * find_exception_info(uint32_t rva) const
Definition PE/Parser.hpp:149
static std::unique_ptr< Binary > parse(const std::string &filename, const ParserConfig &conf=ParserConfig::default_conf())
Parse a PE binary from the given filename.
std::unique_ptr< SpanStream > stream_from_rva(uint32_t rva, size_t size=0)
Parser(const Parser &copy)=delete
void memoize(COFF::String str)
BinaryStream & stream()
Definition PE/Parser.hpp:162
void record_relocation(uint32_t rva, span< const uint8_t > data)
static constexpr size_t MAX_DATA_SIZE
Maximum size of the data read.
Definition PE/Parser.hpp:56
static std::unique_ptr< Binary > parse_from_dump(std::unique_ptr< BinaryStream > stream, uint64_t addr, const ParserConfig &config=ParserConfig::default_conf())
Same as parse_from_dump(const std::string&, uint64_t, const ParserConfig&) but the dump is wrapped in...
const ParserConfig & config() const
Definition PE/Parser.hpp:166
static std::unique_ptr< Binary > parse_from_memory(uintptr_t address, size_t size, const ParserConfig &config=ParserConfig::default_conf())
Parse the PE binary at the given memory address and with the given size.
void add_non_resolved(ExceptionInfo &info, uint32_t target)
Definition PE/Parser.hpp:173
static constexpr size_t MAX_PADDING_SIZE
Max size of the padding section.
Definition PE/Parser.hpp:71
Parser & operator=(const Parser &copy)=delete
static std::unique_ptr< Binary > parse(std::vector< uint8_t > data, const ParserConfig &conf=ParserConfig::default_conf())
Parse a PE binary from a data buffer.
ok_error_t record_delta_relocation(uint32_t rva, int64_t delta, size_t size)
static constexpr size_t MAX_TLS_CALLBACKS
Definition PE/Parser.hpp:58
Class which represents an entry of the PE relocation table.
Definition RelocationEntry.hpp:37
Class which represents a Node in the resource tree.
Definition ResourceNode.hpp:46
Class which represents a PE section.
Definition PE/Section.hpp:47
Main interface to parse an executable regardless of its format.
Definition Abstract/Parser.hpp:31
Definition SpanStream.hpp:32
Opaque structure that is used by LIEF to avoid writing result<void> f(...). Instead,...
Definition errors.hpp:119
Definition DataDirectory.hpp:37
Namespace related to the LIEF's PE module.
Definition Abstract/Header.hpp:32
PE_TYPE
Definition PE/enums.hpp:22
@ PE32_PLUS
64 bits
Definition PE/enums.hpp:24
LIEF namespace.
Definition Abstract/Binary.hpp:41
tcb::span< ElementType, Extent > span
Definition span.hpp:22
This structure is used to configure the behavior of the PE Parser (PE::Parser).
Definition PE/ParserConfig.hpp:27
static const ParserConfig & default_conf()
Returns the default configuration for the PE Parser.
Definition PE/ParserConfig.hpp:29
#define LIEF_API
Definition visibility.h:45