LIEF - Release 0.11.0

Romain Thomas January 19, 2021

TL;DR

LIEF v0.11.0 is out. The main changelog is available here and packages can be downloaded on the official website.

Installation

As with previous versions, release packages are available on the GitHub release page and Python packages can be installed from PyPI:

$ pip install [--user] lief==0.11.0

Release Highlight

More than a year has passed since the release of version 0.10.1, but we are glad to announce that LIEF v0.11.0 is finally out!

This new version does not introduce many new features, but rather small improvements across the different formats. One of the main changes in terms of new functionality is the refactoring of PE Authenticode. We fixed parsing issues and implemented verification functions, so a signed PE binary can now be verified with:

import lief
pe = lief.parse("signed.exe")
assert pe.verify_signature() == lief.PE.Signature.VERIFICATION_FLAGS.OK

We also improved the computation of imphash so that it can generate the same value as pefile (and therefore VirusTotal):

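import lief
pe = lief.parse("example.exe")
# PEFILE mode: same value as pefile (and therefore VirusTotal)
vt_imphash = lief.PE.get_imphash(pe, lief.PE.IMPHASH_MODE.PEFILE)
# DEFAULT mode: LIEF's own computation
lief_imphash = lief.PE.get_imphash(pe, lief.PE.IMPHASH_MODE.DEFAULT)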
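
To show what a pefile-compatible imphash actually covers, here is an added example (not code from LIEF or pefile) that reimplements the pefile-style normalisation in pure Python. The function names and the import tables are constructed for illustration, and the ordinal-to-name lookup tables pefile uses for a few system DLLs are left out.

```python
import hashlib

# Extensions dropped from the library name before hashing (pefile convention).
STRIPPED_EXTS = ("ocx", "sys", "dll")


def imphash_input(imports):
    """Build the string that gets hashed.

    `imports` is a list of (library, symbols) pairs in import-table order;
    a symbol is a name (str) or, for an import by ordinal, an int.
    """
    entries = []
    for library, symbols in imports:
        lib = library.lower()
        parts = lib.rsplit(".", 1)
        if len(parts) > 1 and parts[1] in STRIPPED_EXTS:
            lib = parts[0]
        for sym in symbols:
            # Simplification: pefile maps ordinals of a few system DLLs to
            # names through lookup tables; here every ordinal becomes "ordN".
            name = f"ord{sym}" if isinstance(sym, int) else sym
            entries.append(f"{lib}.{name.lower()}")
    return ",".join(entries)


def imphash(imports):
    """MD5 over the normalised, order-preserving import list."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


# Constructed import tables (not taken from a real binary).
SAMPLE = [("KERNEL32.dll", ["CreateFileA", "WriteFile"]), ("helper.ocx", [3])]
RECASED = [("kernel32.DLL", ["createfilea", "WRITEFILE"]), ("HELPER.OCX", [3])]
REORDERED = [("helper.ocx", [3]), ("KERNEL32.dll", ["CreateFileA", "WriteFile"])]

if __name__ == "__main__":
    for label, table in (("sample", SAMPLE), ("recased", RECASED),
                         ("reordered", REORDERED)):
        print(f"{label:10} {imphash(table)}  {imphash_input(table)}")
```

Case and the `.dll`/`.ocx`/`.sys` suffix do not affect the digest, but import order does, so the same set of imports listed in a different order yields a different imphash when clustering samples.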

Regarding the contributions, Janusz Lisiecki fixed a performance issue in the ELF builder that moved from N² computations to N log(N). His contribution exposed a major weakness in LIEF: performance issues when rebuilding objects. We started to refactor the whole ELF builder to avoid recursive calls.

Adrien Guinet updated the bin2lib tutorial to support recent versions of glibc, which introduced the DF_1_PIE flag.

kohnakagawa and Clcanny also fixed various issues related to the ELF & PE formats.

Ninja on Windows & CI

We improved the AppVeyor Windows CI to make more efficient use of the compiler cache. Compilation time dropped from 1 hour to ~20 minutes thanks to sccache and Ninja.

If Ninja is installed on Windows, one can now use the --ninja flag when calling setup.py:

$ python.exe .\setup.py --ninja build install [--user]

Using Ninja on Windows requires invoking the vcvarsall.bat script beforehand. This script can be tricky to locate depending on the MSVC version. Thankfully, setuptools provides the msvc.msvc14_get_vc_env() helper, which returns the environment variables that the calling script needs to set. We use it in LIEF’s setup.py as follows:

...
env = os.environ
if platform.system() == "Windows":
    from setuptools import msvc
    if build_with_ninja:
        # Load the MSVC environment (what vcvarsall.bat would set) for the target arch
        arch = 'x64' if is64 else 'x86'
        ninja_env = msvc.msvc14_get_vc_env(arch)
        env.update(ninja_env)
    else:
        ...
...

Regarding the CI, we added Android and iOS SDK packages as well as Python wheels for Linux AArch64 (manylinux2014 compliant).

The nightly builds are available on the gh-pages branch of the repository lief-project/packages:

  • The sdk directory contains a shared and a static version of LIEF library for iOS, macOS, Android, Windows, Linux, …
  • The lief directory contains the Python wheels for the supported platforms

What’s next

We have a few ideas of what we would like to improve and introduce in the next releases of LIEF, including:

  • Refactoring the ELF builder to address performance issues (see also #482)

  • Supporting OAT/VDEX/CDEX for Android 9, 10 and 11

  • Supporting Mach-O signature (as for PE Authenticode)

  • Supporting Android packed relocations (in the parser and in the builder)

  • Improving the C API to ease Rust bindings

  • Supporting DART snapshot formats to ease reverse-engineering of Flutter applications.

    Spoiler: we can process all the clusters of a snapshot for a fixed version of the DART runtime.

  • += Fixing issues

Although the roadmap mostly follows Quarkslab’s needs, the R&D time we have, and the topics we enjoy working on, we are open to the development of private or public features, as was done for improving PE Authenticode.

Acknowledgment

Thank you to CERT Gouvernemental of Luxembourg, which sponsored new functionalities in this release. Thanks also to Quarkslab for the time allocated to make this release.

