PE

Binary

class LIEF::PE::Binary : public LIEF::Binary

Class which represent a PE binary object.

Public Functions

Binary(const std::string &name, PE_TYPE type)
~Binary(void)
PE_TYPE type(void) const

Return PE32 or PE32+

uint64_t rva_to_offset(uint64_t RVA)

Convert Relative Virtual Addressto offset.

We try to get the get section wich hold the given RVA and convert it to offset. If the section does not exist, we assume that RVA = offset

uint64_t va_to_offset(uint64_t VA)

Convert Virtual address to offset.

Section &section_from_offset(uint64_t offset)

Find the section associated with the offset

const Section &section_from_offset(uint64_t offset) const
Section &section_from_rva(uint64_t virtual_address)

Find the section associated with the virtual address

const Section &section_from_rva(uint64_t virtual_address) const
it_sections sections(void)

Return binary’s sections.

it_const_sections sections(void) const
DosHeader &dos_header(void)

Return a reference to the PE::DosHeader object.

const DosHeader &dos_header(void) const
Header &header(void)

Return a reference to the PE::Header object.

const Header &header(void) const
OptionalHeader &optional_header(void)

Return a reference to the OptionalHeader object.

const OptionalHeader &optional_header(void) const
uint64_t virtual_size(void) const

Compute the binary’s virtual size. It should match with OptionalHeader::sizeof_image.

uint32_t sizeof_headers(void) const

Compute the size of all headers.

TLS &tls(void)

Return a reference to the TLS object.

const TLS &tls(void) const
void tls(const TLS &tls)

Set a TLS object in the current Binary.

bool has_tls(void) const

Check if the current binary has a TLS object.

bool has_imports(void) const

Check if the current binary has imports.

See

Import

bool has_signature(void) const

Check if the current binary is signed.

bool has_exports(void) const

Check if the current binary has exports.

See

Export

bool has_resources(void) const

Check if the current binary has resources.

bool has_exceptions(void) const

Check if the current binary has exceptions.

bool has_relocations(void) const

Check if the current binary has relocations.

See

Relocation

bool has_debug(void) const

Check if the current binary has debugs.

bool has_configuration(void) const

Check if the current binary has a load configuration.

bool is_reproducible_build(void) const

Check if the current binary has been built has reproducible, replacing timestamps by a compile hash.

See

Debug

const Signature &signature(void) const

Return the Signature object if the bianry is signed.

uint32_t predict_function_rva(const std::string &library, const std::string &function)

Try to predict the RVA of the function function in the import library library

Warning

The value could be chang if imports change

Note

It should be used with: LIEF::PE::Builder::build_imports set to true

Return

The address of the function (IAT) in the new import table

Parameters
  • [in] library: Library name in which the function is located

  • [in] function: Function name

Export &get_export(void)

Return the Export object.

const Export &get_export(void) const
std::vector<Symbol> &symbols(void)

Return binary Symbols.

const std::vector<Symbol> &symbols(void) const
ResourceNode &resources(void)

Return resources as a tree.

const ResourceNode &resources(void) const
void set_resources(const ResourceDirectory &resource)

Set a new resource tree.

void set_resources(const ResourceData &resource)

Set a new resource tree.

ResourcesManager resources_manager(void)

Return the ResourcesManager (class to manage resources more easily than the tree one)

const ResourcesManager resources_manager(void) const
Section &get_section(const std::string &name)

Return binary’s section from its name.

Parameters

const Section &get_section(const std::string &name) const
const Section &import_section(void) const

Return the section associated with import table.

Section &import_section(void)
void remove_section(const std::string &name, bool clear = false) override

Delete the section with the given name.

Parameters
  • [in] name: Name of section to delete

void remove(const Section &section, bool clear = false)

Remove the given section.

Section &add_section(const Section &section, PE_SECTION_TYPES type = PE_SECTION_TYPES::UNKNOWN)

Add a section to the binary and return the section added.

it_relocations relocations(void)
it_const_relocations relocations(void) const
Relocation &add_relocation(const Relocation &relocation)

Add a relocation .

void remove_all_relocations(void)

Remove all relocations.

it_data_directories data_directories(void)

Return data directories in the binary.

it_const_data_directories data_directories(void) const
DataDirectory &data_directory(DATA_DIRECTORY index)

Return the DataDirectory with the given type (or index)

const DataDirectory &data_directory(DATA_DIRECTORY index) const
bool has(DATA_DIRECTORY index) const
debug_entries_t &debug(void)

Return the debug_entries_t object.

const debug_entries_t &debug(void) const
const LoadConfiguration &load_configuration(void) const

Retrun the LoadConfiguration object.

LoadConfiguration &load_configuration(void)
const std::vector<uint8_t> &overlay(void) const

Return the overlay content.

std::vector<uint8_t> &overlay(void)
const std::vector<uint8_t> &dos_stub(void) const

Return the DOS stub content.

std::vector<uint8_t> &dos_stub(void)
void dos_stub(const std::vector<uint8_t> &content)

Update the DOS stub content.

RichHeader &rich_header(void)

Return a reference to the RichHeader object.

const RichHeader &rich_header(void) const
void rich_header(const RichHeader &rich_header)

Set a RichHeader object in the current Binary.

bool has_rich_header(void) const

Check if the current binary has a RichHeader object.

it_imports imports(void)

return binary’s imports

it_const_imports imports(void) const
Import &get_import(const std::string &import_name)

Returns the PE::Import from the given name.

Parameters
  • [in] import_name: Name of the import

const Import &get_import(const std::string &import_name) const
bool has_import(const std::string &import_name) const

True if the binary import the given library name

Parameters
  • [in] import_name: Name of the import

ImportEntry &add_import_function(const std::string &library, const std::string &function)

Add the function function of the library library.

Parameters
  • [in] library: library name of the function

  • [in] function: function’s name from the library to import

Import &add_library(const std::string &name)

add an imported library (i.e. DLL) to the binary

void remove_library(const std::string &name)

Remove the library with the given name

void remove_all_libraries(void)

Remove all libraries in the binary.

void hook_function(const std::string &function, uint64_t address)

Hook an imported function.

When using this function, LIEF::PE::Builder::build_imports and LIEF::PE::Builder::patch_imports should be set to true

Parameters
  • [in] function: Function name to hook

  • [in] address: Address of the hook

void hook_function(const std::string &library, const std::string &function, uint64_t address)

Hook an imported function.

When using this function, LIEF::PE::Builder::build_imports(true) and LIEF::PE::Builder::patch_imports should be set to true

Parameters
  • [in] library: Library name in which the function is located

  • [in] function: Function name to hook

  • [in] address: Address of the hook

void write(const std::string &filename) override

Reconstruct the binary object and write it in filename

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

void accept(Visitor &visitor) const override

Method so that a visitor can visit us.

void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the content at virtual address address with patch_value.

Parameters
  • [in] address: Address to patch

  • [in] patch_value: Patch to apply

  • [in] addr_type: Type of the Virtual address: VA or RVA. Default: Auto

void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the address with the given value.

Parameters
  • [in] address: Address to patch

  • [in] patch_value: Patch to apply

  • [in] size: Size of the value in bytes (1, 2, … 8)

  • [in] addr_type: Type of the Virtual address: VA or RVA. Default: Auto

std::vector<uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) const override

Return the content located at virtual address.

Parameters
  • [in] virtual_address: Virtual address of the data to retrieve

  • [in] size: Size in bytes of the data to retrieve

  • [in] addr_type: Type of the Virtual address: VA or RVA. Default: Auto

uint64_t entrypoint(void) const override

Return the binary’s entrypoint.

bool is_pie(void) const override

Check if the binary is position independent.

bool has_nx(void) const override

Check if the binary uses NX protection.

LIEF::Binary::functions_t ctor_functions(void) const override

Constructor functions that are called prior any other functions.

LIEF::Binary::functions_t functions(void) const

All functions found in the binary

LIEF::Binary::functions_t exception_functions(void) const

Functions found in the Exception table directory.

bool operator==(const Binary &rhs) const
bool operator!=(const Binary &rhs) const
std::ostream &print(std::ostream &os) const override

Dos Header

class LIEF::PE::DosHeader : public LIEF::Object

Public Types

using reserved_t = std::array<uint16_t, 4>
using reserved2_t = std::array<uint16_t, 10>

Public Functions

DosHeader(const pe_dos_header *header)
DosHeader(void)
DosHeader(const DosHeader&)
DosHeader &operator=(const DosHeader&)
~DosHeader(void)
uint16_t magic(void) const
uint16_t used_bytes_in_the_last_page(void) const
uint16_t file_size_in_pages(void) const
uint16_t numberof_relocation(void) const
uint16_t header_size_in_paragraphs(void) const
uint16_t minimum_extra_paragraphs(void) const
uint16_t maximum_extra_paragraphs(void) const
uint16_t initial_relative_ss(void) const
uint16_t initial_sp(void) const
uint16_t checksum(void) const
uint16_t initial_ip(void) const
uint16_t initial_relative_cs(void) const
uint16_t addressof_relocation_table(void) const
uint16_t overlay_number(void) const
reserved_t reserved(void) const
uint16_t oem_id(void) const
uint16_t oem_info(void) const
reserved2_t reserved2(void) const
uint32_t addressof_new_exeheader(void) const
void magic(uint16_t magic)
void used_bytes_in_the_last_page(uint16_t usedBytesInTheLastPage)
void file_size_in_pages(uint16_t fileSizeInPages)
void numberof_relocation(uint16_t numberOfRelocation)
void header_size_in_paragraphs(uint16_t headerSizeInParagraphs)
void minimum_extra_paragraphs(uint16_t minimumExtraParagraphs)
void maximum_extra_paragraphs(uint16_t maximumExtraParagraphs)
void initial_relative_ss(uint16_t initialRelativeSS)
void initial_sp(uint16_t initialSP)
void checksum(uint16_t checksum)
void initial_ip(uint16_t initialIP)
void initial_relative_cs(uint16_t initialRelativeCS)
void addressof_relocation_table(uint16_t addressOfRelocationTable)
void overlay_number(uint16_t overlayNumber)
void reserved(const reserved_t &reserved)
void oem_id(uint16_t oEMid)
void oem_info(uint16_t oEMinfo)
void reserved2(const reserved2_t &reserved2)
void addressof_new_exeheader(uint32_t addressOfNewExeHeader)
void accept(Visitor &visitor) const override
bool operator==(const DosHeader &rhs) const
bool operator!=(const DosHeader &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const DosHeader &entry)


Optional Header

class LIEF::PE::OptionalHeader : public LIEF::Object

Public Functions

OptionalHeader(void)
OptionalHeader(const pe32_optional_header *header)
OptionalHeader(const pe64_optional_header *header)
~OptionalHeader(void)
OptionalHeader &operator=(const OptionalHeader&)
OptionalHeader(const OptionalHeader&)
PE_TYPE magic(void) const
uint8_t major_linker_version(void) const
uint8_t minor_linker_version(void) const
uint32_t sizeof_code(void) const
uint32_t sizeof_initialized_data(void) const
uint32_t sizeof_uninitialized_data(void) const
uint32_t addressof_entrypoint(void) const
uint32_t baseof_code(void) const
uint32_t baseof_data(void) const
uint64_t imagebase(void) const
uint32_t section_alignment(void) const
uint32_t file_alignment(void) const
uint16_t major_operating_system_version(void) const
uint16_t minor_operating_system_version(void) const
uint16_t major_image_version(void) const
uint16_t minor_image_version(void) const
uint16_t major_subsystem_version(void) const
uint16_t minor_subsystem_version(void) const
uint32_t win32_version_value(void) const
uint32_t sizeof_image(void) const
uint32_t sizeof_headers(void) const
uint32_t checksum(void) const
SUBSYSTEM subsystem(void) const
uint32_t dll_characteristics(void) const
uint64_t sizeof_stack_reserve(void) const
uint64_t sizeof_stack_commit(void) const
uint64_t sizeof_heap_reserve(void) const
uint64_t sizeof_heap_commit(void) const
uint32_t loader_flags(void) const
uint32_t numberof_rva_and_size(void) const
bool has(DLL_CHARACTERISTICS c) const
std::set<DLL_CHARACTERISTICS> dll_characteristics_list(void) const
void add(DLL_CHARACTERISTICS c)
void remove(DLL_CHARACTERISTICS c)
void magic(PE_TYPE magic)
void major_linker_version(uint8_t majorLinkerVersion)
void minor_linker_version(uint8_t minorLinkerVersion)
void sizeof_code(uint32_t sizeOfCode)
void sizeof_initialized_data(uint32_t sizeOfInitializedData)
void sizeof_uninitialized_data(uint32_t sizeOfUninitializedData)
void addressof_entrypoint(uint32_t addressOfEntryPoint)
void baseof_code(uint32_t baseOfCode)
void baseof_data(uint32_t baseOfData)
void imagebase(uint64_t imageBase)
void section_alignment(uint32_t sectionAlignment)
void file_alignment(uint32_t fileAlignment)
void major_operating_system_version(uint16_t majorOperatingSystemVersion)
void minor_operating_system_version(uint16_t minorOperatingSystemVersion)
void major_image_version(uint16_t majorImageVersion)
void minor_image_version(uint16_t minorImageVersion)
void major_subsystem_version(uint16_t majorSubsystemVersion)
void minor_subsystem_version(uint16_t minorSubsystemVersion)
void win32_version_value(uint32_t win32VersionValue)
void sizeof_image(uint32_t sizeOfImage)
void sizeof_headers(uint32_t sizeOfHeaders)
void checksum(uint32_t checkSum)
void subsystem(SUBSYSTEM subsystem)
void dll_characteristics(uint32_t DLLCharacteristics)
void sizeof_stack_reserve(uint64_t sizeOfStackReserve)
void sizeof_stack_commit(uint64_t sizeOfStackCommit)
void sizeof_heap_reserve(uint64_t sizeOfHeapReserve)
void sizeof_heap_commit(uint64_t sizeOfHeapCommit)
void loader_flags(uint32_t loaderFlags)
void numberof_rva_and_size(uint32_t numberOfRvaAndSize)
void accept(Visitor &visitor) const override
OptionalHeader &operator+=(DLL_CHARACTERISTICS c)
OptionalHeader &operator-=(DLL_CHARACTERISTICS c)
bool operator==(const OptionalHeader &rhs) const
bool operator!=(const OptionalHeader &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const OptionalHeader &entry)

Data Directory

class LIEF::PE::DataDirectory : public LIEF::Object

Public Functions

DataDirectory(void)
DataDirectory(DATA_DIRECTORY type)
DataDirectory(const pe_data_directory *header, DATA_DIRECTORY type)
DataDirectory(const DataDirectory &other)
DataDirectory &operator=(DataDirectory other)
void swap(DataDirectory &other)
~DataDirectory(void)
uint32_t RVA(void) const
uint32_t size(void) const
Section &section(void)
const Section &section(void) const
DATA_DIRECTORY type(void) const
bool has_section(void) const
void size(uint32_t size)
void RVA(uint32_t rva)
void accept(Visitor &visitor) const override
bool operator==(const DataDirectory &rhs) const
bool operator!=(const DataDirectory &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const DataDirectory &entry)

Section

class LIEF::PE::Section : public LIEF::Section

Public Functions

Section(const pe_section *header)
Section(void)
Section(const std::vector<uint8_t> &data, const std::string &name = "", uint32_t characteristics = 0)
Section(const std::string &name)
Section &operator=(const Section&)
Section(const Section&)
~Section(void)
uint32_t sizeof_raw_data(void) const

Return the size of the data in the section.

uint32_t virtual_size(void) const
std::vector<uint8_t> content(void) const override

section’s content

uint32_t pointerto_raw_data(void) const
uint32_t pointerto_relocation(void) const
uint32_t pointerto_line_numbers(void) const
uint16_t numberof_relocations(void) const
uint16_t numberof_line_numbers(void) const
uint32_t characteristics(void) const
bool is_type(PE_SECTION_TYPES type) const
const std::set<PE_SECTION_TYPES> &types(void) const
bool has_characteristic(SECTION_CHARACTERISTICS c) const
std::set<SECTION_CHARACTERISTICS> characteristics_list(void) const
void clear(uint8_t c)
void name(const std::string &name) override

Set the section’s name.

void content(const std::vector<uint8_t> &data) override

Set section content.

void virtual_size(uint32_t virtualSize)
void pointerto_raw_data(uint32_t pointerToRawData)
void pointerto_relocation(uint32_t pointerToRelocation)
void pointerto_line_numbers(uint32_t pointerToLineNumbers)
void numberof_relocations(uint16_t numberOfRelocations)
void numberof_line_numbers(uint16_t numberOfLineNumbers)
void sizeof_raw_data(uint32_t sizeOfRawData)
void characteristics(uint32_t characteristics)
void type(PE_SECTION_TYPES type)
void add_type(PE_SECTION_TYPES type)
void remove_type(PE_SECTION_TYPES type)
void add_characteristic(SECTION_CHARACTERISTICS characteristic)
void remove_characteristic(SECTION_CHARACTERISTICS characteristic)
void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const Section &rhs) const
bool operator!=(const Section &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)

Import

class LIEF::PE::Import : public LIEF::Object

Public Functions

Import(const pe_import *import)
Import(const std::string &name)
Import(void)
~Import(void)
Import(const Import &other)
Import &operator=(Import other)
void swap(Import &other)
uint32_t forwarder_chain(void) const
uint32_t timedatestamp(void) const
it_import_entries entries(void)

Return a vector of Import entries .

it_const_import_entries entries(void) const
uint32_t import_address_table_rva(void) const

Return the relative virtual address of the import address table (IAT)

Warning

This address could be change when re-building the binary

uint32_t import_lookup_table_rva(void) const

Return the relative virtual address of the import lookup table.

Warning

This address could be change when re-building the binary

uint32_t get_function_rva_from_iat(const std::string &function) const

Return the Function’s RVA from the import address table (IAT)

Warning

This address could be change when re-building the binary

ImportEntry &get_entry(const std::string &name)

Return the imported function with the given name.

const ImportEntry &get_entry(const std::string &name) const
const std::string &name(void) const

Return the library’s name.

e.g. kernel32.dll

void name(const std::string &name)
DataDirectory &directory(void)

Return the Data directory associated. It should be the one at index PE::DATA_DIRECTORY::IMPORT_TABLE.

const DataDirectory &directory(void) const
DataDirectory &iat_directory(void)

Return the Data directory associated. It should be the one at index PE::DATA_DIRECTORY::IAT.

const DataDirectory &iat_directory(void) const
ImportEntry &add_entry(const ImportEntry &entry)

Add a function.

ImportEntry &add_entry(const std::string &name)

Add a function from name.

void import_lookup_table_rva(uint32_t rva)
void import_address_table_rva(uint32_t rva)
void accept(Visitor &visitor) const override
bool operator==(const Import &rhs) const
bool operator!=(const Import &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Import &entry)

Import Entry

class LIEF::PE::ImportEntry : public LIEF::Object

Public Functions

ImportEntry(void)
ImportEntry(uint64_t data, const std::string &name = "")
ImportEntry(const std::string &name)
ImportEntry(const ImportEntry&)
ImportEntry &operator=(const ImportEntry&)
~ImportEntry(void)
bool is_ordinal(void) const

True if ordinal is used

uint16_t ordinal(void) const

ordinal value

uint64_t hint_name_rva(void) const

See

ImportEntry::data

uint16_t hint(void) const

Index into the Export::entries.

uint64_t iat_value(void) const

Value of the current entry in the Import Address Table. It should match the lookup table value.

const std::string &name(void) const

Import name if not ordinal.

uint64_t data(void) const

Raw value.

uint64_t iat_address(void) const

Original address of the entry in the Import Address Table

void name(const std::string &name)
void data(uint64_t data)
void accept(Visitor &visitor) const override
bool operator==(const ImportEntry &rhs) const
bool operator!=(const ImportEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ImportEntry &entry)

TLS

class LIEF::PE::TLS : public LIEF::Object

Public Functions

TLS(void)
TLS(const pe32_tls *header)
TLS(const pe64_tls *header)
~TLS(void)
TLS(const TLS &copy)
TLS &operator=(TLS copy)
void swap(TLS &other)
const std::vector<uint64_t> &callbacks(void) const
std::pair<uint64_t, uint64_t> addressof_raw_data(void) const
uint64_t addressof_index(void) const
uint64_t addressof_callbacks(void) const
uint32_t sizeof_zero_fill(void) const
uint32_t characteristics(void) const
const std::vector<uint8_t> &data_template(void) const
bool has_data_directory(void) const
DataDirectory &directory(void)
const DataDirectory &directory(void) const
bool has_section(void) const
Section &section(void)
const Section &section(void) const
void callbacks(const std::vector<uint64_t> &callbacks)
void addressof_raw_data(std::pair<uint64_t, uint64_t> VAOfRawData)
void addressof_index(uint64_t addressOfIndex)
void addressof_callbacks(uint64_t addressOfCallbacks)
void sizeof_zero_fill(uint32_t sizeOfZeroFill)
void characteristics(uint32_t characteristics)
void data_template(const std::vector<uint8_t> &dataTemplate)
void accept(Visitor &visitor) const override
bool operator==(const TLS &rhs) const
bool operator!=(const TLS &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const TLS &entry)

Debug

class LIEF::PE::Debug : public LIEF::Object

Public Functions

Debug(void)
Debug(const pe_debug *debug_s)
Debug(const Debug &copy)
Debug &operator=(Debug copy)
void swap(Debug &other)
~Debug(void)
uint32_t characteristics(void) const

Reserved should be 0.

uint32_t timestamp(void) const

The time and date that the debug data was created.

uint16_t major_version(void) const

The major version number of the debug data format.

uint16_t minor_version(void) const

The minor version number of the debug data format.

DEBUG_TYPES type(void) const

The format DEBUG_TYPES of the debugging information.

uint32_t sizeof_data(void) const

Size of the debug data.

uint32_t addressof_rawdata(void) const

Address of the debug data relative to the image base.

uint32_t pointerto_rawdata(void) const

File offset of the debug data.

bool has_code_view(void) const
const CodeView &code_view(void) const
CodeView &code_view(void)
bool has_pogo(void) const
const Pogo &pogo(void) const
Pogo &pogo(void)
void characteristics(uint32_t characteristics)
void timestamp(uint32_t timestamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void type(DEBUG_TYPES new_type)
void sizeof_data(uint32_t sizeof_data)
void addressof_rawdata(uint32_t addressof_rawdata)
void pointerto_rawdata(uint32_t pointerto_rawdata)
void accept(Visitor &visitor) const override
bool operator==(const Debug &rhs) const
bool operator!=(const Debug &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Debug &entry)

Code View

class LIEF::PE::CodeView : public LIEF::Object

Subclassed by LIEF::PE::CodeViewPDB

Public Functions

CodeView(void)
CodeView(CODE_VIEW_SIGNATURES cv_signature)
CodeView(const CodeView&)
CodeView &operator=(const CodeView&)
CodeView *clone(void) const = 0
CODE_VIEW_SIGNATURES cv_signature(void) const

The Code View signature.

void accept(Visitor &visitor) const override
bool operator==(const CodeView &rhs) const
bool operator!=(const CodeView &rhs) const
~CodeView(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeView &entry)

Code View PDB

class LIEF::PE::CodeViewPDB : public LIEF::PE::CodeView

Public Types

using signature_t = std::array<uint8_t, 16>

Public Functions

CodeViewPDB(void)
CodeViewPDB(CODE_VIEW_SIGNATURES cv_signature, signature_t sig, uint32_t age, const std::string &filename)
CodeViewPDB(const CodeViewPDB&)
CodeViewPDB &operator=(const CodeViewPDB&)
CodeViewPDB *clone(void) const override
signature_t signature(void) const
uint32_t age(void) const
const std::string &filename(void) const
void signature(uint32_t signature)
void signature(signature_t signature)
void age(uint32_t age)
void filename(const std::string &filename)
void accept(Visitor &visitor) const override
bool operator==(const CodeViewPDB &rhs) const
bool operator!=(const CodeViewPDB &rhs) const
~CodeViewPDB(void)

Public Static Functions

CodeViewPDB from_pdb70(signature_t sig, uint32_t age, const std::string &filename)
CodeViewPDB from_pdb20(uint32_t signature, uint32_t age, const std::string &filename)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeViewPDB &entry)

Symbol

class LIEF::PE::Symbol : public LIEF::Symbol

Public Functions

Symbol(const pe_symbol *header)
Symbol(void)
~Symbol(void)
Symbol &operator=(Symbol other)
Symbol(const Symbol &copy)
void swap(Symbol &other)
int16_t section_number(void) const
uint16_t type(void) const
SYMBOL_BASE_TYPES base_type(void) const
SYMBOL_COMPLEX_TYPES complex_type(void) const
SYMBOL_STORAGE_CLASS storage_class(void) const
uint8_t numberof_aux_symbols(void) const
std::wstring wname(void) const
Section &section(void)
const Section &section(void) const
bool has_section(void) const

True if symbols are located in a section

void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const Symbol &rhs) const
bool operator!=(const Symbol &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &entry)

Relocation

class LIEF::PE::Relocation : public LIEF::Object

Public Functions

Relocation(void)
Relocation(const Relocation &other)
Relocation &operator=(Relocation other)
Relocation(const pe_base_relocation_block *header)
~Relocation(void)
void swap(Relocation &other)
uint32_t virtual_address(void) const
uint32_t block_size(void) const
it_const_relocation_entries entries(void) const
it_relocation_entries entries(void)
void virtual_address(uint32_t virtual_address)
void block_size(uint32_t block_size)
RelocationEntry &add_entry(const RelocationEntry &entry)
void accept(Visitor &visitor) const override
bool operator==(const Relocation &rhs) const
bool operator!=(const Relocation &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)

Relocation Entry

class LIEF::PE::RelocationEntry : public LIEF::Relocation

Public Functions

RelocationEntry(void)
RelocationEntry(const RelocationEntry &other)
RelocationEntry &operator=(RelocationEntry other)
RelocationEntry(uint16_t data)
RelocationEntry(uint16_t position, RELOCATIONS_BASE_TYPES type)
~RelocationEntry(void)
void swap(RelocationEntry &other)
uint64_t address(void) const override

Relocation’s Address.

void address(uint64_t address) override
size_t size(void) const override

Relocation size in bits

void size(size_t size) override
uint16_t data(void) const

Raw data of the relocation:

  • The high 4 bits store the relocation type

  • The low 12 bits store the relocation offset

uint16_t position(void) const

Offset relative to Relocation::virtual_address where the relocation must occur.

RELOCATIONS_BASE_TYPES type(void) const

Type of the relocation.

void data(uint16_t data)
void position(uint16_t position)
void type(RELOCATIONS_BASE_TYPES type)
void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const RelocationEntry &rhs) const
bool operator!=(const RelocationEntry &rhs) const

Friends

friend class PE::Relocation
friend std::ostream &operator<<(std::ostream &os, const RelocationEntry &entry)

Export

class LIEF::PE::Export : public LIEF::Object

Public Functions

Export(void)
Export(const pe_export_directory_table *header)
Export(const Export&)
Export &operator=(const Export&)
~Export(void)
uint32_t export_flags(void) const
uint32_t timestamp(void) const
uint16_t major_version(void) const
uint16_t minor_version(void) const
uint32_t ordinal_base(void) const
const std::string &name(void) const
it_export_entries entries(void)
it_const_export_entries entries(void) const
void export_flags(uint32_t flags)
void timestamp(uint32_t timestamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void ordinal_base(uint32_t ordinal_base)
void name(const std::string &name)
void accept(Visitor &visitor) const override
bool operator==(const Export &rhs) const
bool operator!=(const Export &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Export &exp)

Export Entry

class LIEF::PE::ExportEntry : public LIEF::Object

Public Functions

ExportEntry(void)
ExportEntry(const ExportEntry&)
ExportEntry &operator=(const ExportEntry&)
~ExportEntry(void)
const std::string &name(void) const
uint16_t ordinal(void) const
uint32_t address(void) const
bool is_extern(void) const
bool is_forwarded(void) const
forward_information_t forward_information(void) const
uint32_t function_rva(void) const
void name(const std::string &name)
void ordinal(uint16_t ordinal)
void address(uint32_t address)
void is_extern(bool is_extern)
void accept(Visitor &visitor) const override
bool operator==(const ExportEntry &rhs) const
bool operator!=(const ExportEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ExportEntry &exportEntry)
struct forward_information_t

Public Functions

operator bool() const

Public Members

std::string library
std::string function

Friends

friend std::ostream &operator<<(std::ostream &os, const forward_information_t &info)

Signature

class LIEF::PE::Signature : public LIEF::Object

Public Functions

Signature(void)
Signature(const Signature&)
Signature &operator=(const Signature&)
uint32_t version(void) const

Should be 1.

const oid_t &digest_algorithm(void) const

Return the algorithm (OID) used to sign the content of ContentInfo.

const ContentInfo &content_info(void) const

Return the ContentInfo.

it_const_crt certificates(void) const

Return an iterator over x509 certificates.

const SignerInfo &signer_info(void) const

Return the SignerInfo object.

const std::vector<uint8_t> &original_signature(void) const

Return the raw original signature.

void accept(Visitor &visitor) const override
~Signature(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const Signature &signature)

AuthenticatedAttributes

class LIEF::PE::AuthenticatedAttributes : public LIEF::Object

Public Functions

AuthenticatedAttributes(void)
AuthenticatedAttributes(const AuthenticatedAttributes&)
AuthenticatedAttributes &operator=(const AuthenticatedAttributes&)
const oid_t &content_type(void) const

Should return the messageDigest OID.

const std::vector<uint8_t> &message_digest(void) const

Return an hash of the signed attributes.

const std::u16string &program_name(void) const

Return the program description (if any)

const std::string &more_info(void) const

Return an URL to website with more information about the signer.

const std::vector<uint8_t> &raw(void) const

Return the raw bytes associated with the AuthenticatedAttributes.

void accept(Visitor &visitor) const override
~AuthenticatedAttributes(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const AuthenticatedAttributes &authenticated_attributes)

x509

class LIEF::PE::x509 : public LIEF::Object

Public Types

using date_t = std::array<int32_t, 6>

Tuple (Year, Month, Day, Hour, Minute, Second)

Public Functions

x509(mbedtls_x509_crt *ca)
x509(const x509 &other)
x509 &operator=(x509 other)
void swap(x509 &other)
uint32_t version(void) const

X.509 version. (1=v1, 2=v2, 3=v3)

std::vector<uint8_t> serial_number(void) const

Unique id for certificate issued by a specific CA.

oid_t signature_algorithm(void) const

Signature algorithm (OID)

x509::date_t valid_from(void) const

Start time of certificate validity.

x509::date_t valid_to(void) const

End time of certificate validity.

std::string issuer(void) const

Issuer informations.

std::string subject(void) const

Subject informations.

std::vector<uint8_t> raw(void) const

The raw x509 bytes (DER encoded)

void accept(Visitor &visitor) const override
~x509(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const x509 &x509_cert)

ContentInfo

class LIEF::PE::ContentInfo : public LIEF::Object

Public Functions

ContentInfo(void)
ContentInfo(const ContentInfo&)
ContentInfo &operator=(const ContentInfo&)
const oid_t &content_type(void) const

OID of the content type. This value should match SPC_INDIRECT_DATA_OBJID

const oid_t &type(void) const
const oid_t &digest_algorithm(void) const

Algorithm (OID) used to hash the file. This value should match SignerInfo::digest_algorithm and Signature::digest_algorithm.

const std::vector<uint8_t> &digest(void) const

The digest.

const std::vector<uint8_t> &raw(void) const

Return the raw bytes associated with the ContentInfo.

void accept(Visitor &visitor) const override
~ContentInfo(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const ContentInfo &content_info)

SignerInfo

class LIEF::PE::SignerInfo : public LIEF::Object

Public Functions

SignerInfo(void)
SignerInfo(const SignerInfo&)
SignerInfo &operator=(const SignerInfo&)
uint32_t version(void) const

Should be 1.

const issuer_t &issuer(void) const

Issuer and serial number.

const oid_t &digest_algorithm(void) const

Algorithm (OID) used to hash the file. This value should match ContentInfo::digest_algorithm and Signature::digest_algorithm.

const AuthenticatedAttributes &authenticated_attributes(void) const

Return the AuthenticatedAttributes object.

const oid_t &signature_algorithm(void) const

Return the signature algorithm (OID)

const std::vector<uint8_t> &encrypted_digest(void) const

Return the signature created by the signing certificate’s private key.

void accept(Visitor &visitor) const override
~SignerInfo(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const SignerInfo &signer_info)

Builder

class LIEF::PE::Builder

Class which reconstruct a PE binary from a PE::Binary object.

Public Functions

Builder(void) = delete
Builder(Binary *pe_binary)
~Builder(void)
void build(void)

Perform the build process.

Builder &build_imports(bool flag = true)

Rebuild the import table in another section.

Builder &patch_imports(bool flag = true)

Patch the original import table in order to redirect functions to the new import table.

This setting should be used with LIEF::PE::Builder::build_imports set to true

Builder &build_relocations(bool flag = true)

Rebuild the relocation table in another section.

Builder &build_tls(bool flag = true)

Rebuild TLS object in another section.

Builder &build_resources(bool flag)

Rebuid the resources in another section.

Builder &build_overlay(bool flag)

Rebuild the binary’s overlay.

Builder &build_dos_stub(bool flag)

Rebuild the DOS stub content.

const std::vector<uint8_t> &get_build(void)

Return the build result.

void write(const std::string &filename) const

Write the build result into the output file.

Builder &operator<<(const DosHeader &dos_header)
Builder &operator<<(const Header &bHeader)
Builder &operator<<(const OptionalHeader &optional_header)
Builder &operator<<(const DataDirectory &data_directory)
Builder &operator<<(const Section &section)

Public Static Functions

template<typename PE_T>
std::vector<uint8_t> build_jmp(uint64_t from, uint64_t address)

Construct a jmp [address] @ from.

It is used when patching import table

template<typename PE_T>
std::vector<uint8_t> build_jmp_hook(uint64_t from, uint64_t address)

Construct a jmp far address @ from.

It is used for hooking

Friends

friend std::ostream &operator<<(std::ostream &os, const Builder &b)

Resources Manager

class LIEF::PE::ResourcesManager : public LIEF::Object

The Resource Manager provides an enhanced API to manipulate the resource tree.

Public Functions

ResourcesManager(void) = delete
ResourcesManager(ResourceNode *rsrc)
ResourcesManager(const ResourcesManager&)
ResourcesManager &operator=(const ResourcesManager&)
~ResourcesManager(void)
ResourceNode &get_node_type(RESOURCE_TYPES type)

Return node with the given LIEF::PE::RESOURCE_TYPES.

const ResourceNode &get_node_type(RESOURCE_TYPES type) const
std::set<RESOURCE_TYPES> get_types_available(void) const

Return list of LIEF::PE::RESOURCE_TYPES present in the resources.

std::set<RESOURCE_LANGS> get_langs_available(void) const

Return list of LIEF::PE::RESOURCE_LANGS present in the resources.

std::set<RESOURCE_SUBLANGS> get_sublangs_available(void) const

Return list of LIEF::PE::RESOURCE_SUBLANGS present in the resources.

bool has_type(RESOURCE_TYPES type) const

true if the resource has the given LIEF::PE::RESOURCE_TYPES

bool has_manifest(void) const

true if resources contain Manifest element

std::string manifest(void) const

Return the manifest as a std::string.

void manifest(const std::string &manifest)

Update the manifest with the given string.

bool has_version(void) const

true if resources contain LIEF::PE::ResourceVersion

ResourceVersion version(void) const

Return ResourceVersion if any.

bool has_icons(void) const

true if resources contain LIEF::PE::ResourceIcon

std::vector<ResourceIcon> icons(void) const

Return the list of the icons present in the resource.

void add_icon(const ResourceIcon &icon)

Add an icon to the resources.

void change_icon(const ResourceIcon &original, const ResourceIcon &newone)
bool has_dialogs(void) const

true if resources contain dialogs

std::vector<ResourceDialog> dialogs(void) const

Return the list of the dialogs present in the resource.

std::string print(uint32_t depth = 0) const

Print the resource tree to the given depth.

void accept(Visitor &visitor) const override
bool operator==(const ResourcesManager &rhs) const
bool operator!=(const ResourcesManager &rhs) const

Public Static Functions

RESOURCE_SUBLANGS sub_lang(RESOURCE_LANGS lang, size_t index)
RESOURCE_LANGS lang_from_id(size_t id)
RESOURCE_SUBLANGS sublang_from_id(size_t id)

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourcesManager &m)

Resource Node

class LIEF::PE::ResourceNode : public LIEF::Object

Subclassed by LIEF::PE::ResourceData, LIEF::PE::ResourceDirectory

Public Functions

ResourceNode(const ResourceNode &other)
void swap(ResourceNode &other)
~ResourceNode(void)
ResourceNode *clone(void) const = 0
uint32_t id(void) const

Integer that identifies the Type, Name, or Language ID entry.

const std::u16string &name(void) const

Name of the entry.

it_childs childs(void)

Iterator on node’s childs.

it_const_childs childs(void) const
bool has_name(void) const

True if the entry uses name as ID

uint32_t depth(void) const

Current depth of the entry in the resource tree.

bool is_directory(void) const

True if the current entry is a ResourceDirectory

bool is_data(void) const

True if the current entry is a ResourceData

void id(uint32_t id)
void name(const std::string &name)
void name(const std::u16string &name)
ResourceNode &add_child(const ResourceDirectory &child)

Add a ResourceDirectory to the current node.

ResourceNode &add_child(const ResourceData &child)

Add a ResourceData to the current node.

void delete_child(uint32_t id)

Delete the node with the given id

void delete_child(const ResourceNode &node)

Delete the given node from childs.

void sort_by_id(void)

Sort resource childs by ID.

void accept(Visitor &visitor) const override
bool operator==(const ResourceNode &rhs) const
bool operator!=(const ResourceNode &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceNode &node)

Resource Directory

class LIEF::PE::ResourceDirectory : public LIEF::PE::ResourceNode

Public Functions

ResourceDirectory(void)
ResourceDirectory(const pe_resource_directory_table *header)
ResourceDirectory(const ResourceDirectory &other)
ResourceDirectory &operator=(ResourceDirectory other)
void swap(ResourceDirectory &other)
~ResourceDirectory(void)
ResourceDirectory *clone(void) const override
uint32_t characteristics(void) const

Resource flags. This field is reserved for future use. It is currently set to zero.

uint32_t time_date_stamp(void) const

The time that the resource data was created by the resource compiler.

uint16_t major_version(void) const

The major version number, set by the user.

uint16_t minor_version(void) const

The minor version number, set by the user.

uint16_t numberof_name_entries(void) const

The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).

uint16_t numberof_id_entries(void) const

The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

void characteristics(uint32_t characteristics)
void time_date_stamp(uint32_t time_date_stamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void numberof_name_entries(uint16_t numberof_name_entries)
void numberof_id_entries(uint16_t numberof_id_entries)
void accept(Visitor &visitor) const override
bool operator==(const ResourceDirectory &rhs) const
bool operator!=(const ResourceDirectory &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceDirectory &directory)

Resource Data

class LIEF::PE::ResourceData : public LIEF::PE::ResourceNode

Public Functions

ResourceData(void)
ResourceData(const std::vector<uint8_t> &content, uint32_t code_page)
ResourceData(const ResourceData &other)
ResourceData &operator=(ResourceData other)
void swap(ResourceData &other)
~ResourceData(void)
ResourceData *clone(void) const override
uint32_t code_page(void) const

The code page that is used to decode code point values within the resource data. Typically, the code page would be the Unicode code page.

const std::vector<uint8_t> &content(void) const

Resource content.

uint32_t reserved(void) const

Reserved value. Should be 0

uint32_t offset(void) const

Offset of the content within the resource.

Warning

This value may change when rebuilding resource table

void code_page(uint32_t code_page)
void content(const std::vector<uint8_t> &content)
void reserved(uint32_t value)
void accept(Visitor &visitor) const override
bool operator==(const ResourceData &rhs) const
bool operator!=(const ResourceData &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceData &data)

Resource Icon

class LIEF::PE::ResourceIcon : public LIEF::Object

Public Functions

ResourceIcon(void)
ResourceIcon(const pe_resource_icon_group *header)
ResourceIcon(const pe_icon_header *header)
ResourceIcon(const std::string &iconpath)
ResourceIcon(const ResourceIcon&)
ResourceIcon &operator=(const ResourceIcon&)
~ResourceIcon(void)
uint32_t id(void) const

Id associated with the icon.

RESOURCE_LANGS lang(void) const

Language associated with the icon.

RESOURCE_SUBLANGS sublang(void) const

Sub language associated with the icon.

uint8_t width(void) const

Width in pixels of the image.

uint8_t height(void) const

Height in pixels of the image.

uint8_t color_count(void) const

Number of colors in image (0 if >=8bpp)

uint8_t reserved(void) const

Reserved (must be 0)

uint16_t planes(void) const

Color Planes.

uint16_t bit_count(void) const

Bits per pixel.

uint32_t size(void) const

Size in bytes of the image.

const std::vector<uint8_t> &pixels(void) const

Pixels of the image (as bytes)

void id(uint32_t id)
void lang(RESOURCE_LANGS lang)
void sublang(RESOURCE_SUBLANGS sublang)
void width(uint8_t width)
void height(uint8_t height)
void color_count(uint8_t color_count)
void reserved(uint8_t reserved)
void planes(uint16_t planes)
void bit_count(uint16_t bit_count)
void pixels(const std::vector<uint8_t> &pixels)
void save(const std::string &filename) const

Save the icon to the given filename.

Parameters
  • [in] filename: Path to file in which the icon will be saved

void accept(Visitor &visitor) const override
bool operator==(const ResourceIcon &rhs) const
bool operator!=(const ResourceIcon &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceIcon &entry)

Resource Dialog

class LIEF::PE::ResourceDialog : public LIEF::Object

Representation of a dialog box.

Windows allows two kinds of dialog box:

  • Simple one

  • Extended one

ResourceDialog::is_extended checks the type of the Dialog

Public Functions

ResourceDialog(void)
ResourceDialog(const pe_dialog_template_ext *header)
ResourceDialog(const pe_dialog_template *header)
ResourceDialog(const ResourceDialog&)
ResourceDialog &operator=(const ResourceDialog&)
~ResourceDialog(void)
bool is_extended(void) const

true if the dialog is an extended one

uint32_t extended_style(void) const

The extended windows styles.

std::set<EXTENDED_WINDOW_STYLES> extended_style_list(void) const

Return list of LIEF::PE::EXTENDED_WINDOW_STYLES associated with the ResourceDialog::extended_style value.

bool has_extended_style(EXTENDED_WINDOW_STYLES style) const
uint32_t style(void) const

The style of the dialog box. This member can be a combination of LIEF::PE::WINDOW_STYLES values and LIEF::PE::DIALOG_BOX_STYLES values.

std::set<WINDOW_STYLES> style_list(void) const

Return list of LIEF::PE::WINDOW_STYLES associated with the ResourceDialog::style value.

bool has_style(WINDOW_STYLES style) const
std::set<DIALOG_BOX_STYLES> dialogbox_style_list(void) const

Return list of LIEF::PE::DIALOG_BOX_STYLES associated with the ResourceDialog::style value.

bool has_dialogbox_style(DIALOG_BOX_STYLES style) const
int16_t x(void) const

The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.

int16_t y(void) const

The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.

int16_t cx(void) const

The width, in dialog box units, of the dialog box.

int16_t cy(void) const

The height, in dialog box units, of the dialog box.

it_const_dialog_items items(void) const

Iterator on the controls (ResourceDialogItem) that define the Dialog (Button, Label…)

RESOURCE_LANGS lang(void) const

RESOURCE_LANGS associated with the Dialog.

RESOURCE_SUBLANGS sub_lang(void) const

RESOURCE_SUBLANGS associated with the Dialog.

void lang(RESOURCE_LANGS lang)
void sub_lang(RESOURCE_SUBLANGS sub_lang)
uint16_t version(void) const

The version number of the extended dialog box template. This member must be set to 1.

uint16_t signature(void) const

Indicates whether a template is an extended dialog box template:

  • 0xFFFF: Extended dialog box template

  • Other value: Standard dialog box template

See

ResourceDialog::is_extended

uint32_t help_id(void) const

The help context identifier for the dialog box window.

uint16_t weight(void) const

The weight of the font.

uint16_t point_size(void) const

The point size of the font to use for the text in the dialog box and its controls.

bool is_italic(void) const

Indicates whether the font is italic. If this value is true, the font is italic.

uint8_t charset(void) const

The character set to be used.

const std::u16string &title(void) const

The title of the dialog box.

const std::u16string &typeface(void) const

The name of the typeface for the font.

void accept(Visitor &visitor) const override
bool operator==(const ResourceDialog &rhs) const
bool operator!=(const ResourceDialog &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceDialog &dialog)

Resource Dialog Item

class LIEF::PE::ResourceDialogItem : public LIEF::Object

Public Functions

ResourceDialogItem(void)
ResourceDialogItem(const pe_dialog_item_template_ext *header)
ResourceDialogItem(const pe_dialog_item_template *header)
ResourceDialogItem(const ResourceDialogItem&)
ResourceDialogItem &operator=(const ResourceDialogItem&)
~ResourceDialogItem(void)
bool is_extended(void) const

True if the control is an extended one

uint32_t extended_style(void) const

The extended styles for a window.

std::set<EXTENDED_WINDOW_STYLES> extended_style_list(void) const

List of PE::EXTENDED_WINDOW_STYLES associated with the ResourceDialogItem::extended_style value.

bool has_extended_style(EXTENDED_WINDOW_STYLES style) const

Check if the DialogItem has the given PE::EXTENDED_WINDOW_STYLES.

uint32_t style(void) const

The style of the control.

std::set<WINDOW_STYLES> style_list(void) const
bool has_style(WINDOW_STYLES style) const
int16_t x(void) const

The x-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.

int16_t y(void) const

The y-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.

int16_t cx(void) const

The width, in dialog box units, of the control.

int16_t cy(void) const

The height, in dialog box units, of the control.

uint32_t id(void) const

The control identifier.

uint32_t help_id(void) const

The help context identifier for the control.

const std::u16string &title(void) const

Initial text of the control.

void accept(Visitor &visitor) const override
bool operator==(const ResourceDialogItem &rhs) const
bool operator!=(const ResourceDialogItem &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceDialogItem &dialog_item)

Resource Version

class LIEF::PE::ResourceVersion : public LIEF::Object

Modelization of the data associated with the RT_VERSION entry.

See: VS_VERSIONINFO - https://msdn.microsoft.com/en-us/library/windows/desktop/ms647001(v=vs.85).aspx

Public Functions

ResourceVersion(const ResourceVersion&)
ResourceVersion &operator=(const ResourceVersion&)
~ResourceVersion(void)
uint16_t type(void) const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key(void) const

Signature of the structure: Must be the unicode string “VS_VERSION_INFO”.

bool has_fixed_file_info(void) const

true if the version contains a ResourceFixedFileInfo

bool has_string_file_info(void) const

true if the version contains a ResourceStringFileInfo

bool has_var_file_info(void) const

true if the version contains a ResourceVarFileInfo

const ResourceFixedFileInfo &fixed_file_info(void) const

Object that describes various information about the application’s version.

ResourceFixedFileInfo &fixed_file_info(void)
const ResourceStringFileInfo &string_file_info(void) const

Object that describes various information about the application’s version. The underlying structure is basically a dictionary (key/value)

ResourceStringFileInfo &string_file_info(void)
const ResourceVarFileInfo &var_file_info(void) const

Object that describes information about languages supported by the application.

ResourceVarFileInfo &var_file_info(void)
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void fixed_file_info(const ResourceFixedFileInfo &fixed_file_info)
void remove_fixed_file_info(void)
void string_file_info(const ResourceStringFileInfo &string_file_info)
void remove_string_file_info(void)
void var_file_info(const ResourceVarFileInfo &var_file_info)
void remove_var_file_info(void)
void accept(Visitor &visitor) const override
bool operator==(const ResourceVersion &rhs) const
bool operator!=(const ResourceVersion &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceVersion &version)

Resource Fixed File Info

class LIEF::PE::ResourceFixedFileInfo : public LIEF::Object

Modelization of the Structure.

Public Functions

ResourceFixedFileInfo(void)
ResourceFixedFileInfo(const pe_resource_fixed_file_info *header)
ResourceFixedFileInfo(const ResourceFixedFileInfo&)
ResourceFixedFileInfo &operator=(const ResourceFixedFileInfo&)
~ResourceFixedFileInfo(void)
uint32_t signature(void) const

Contains the value 0xFEEF04BD

uint32_t struct_version(void) const

The binary version number of this structure.

The high-order word of this member contains the major version number, and the low-order word contains the minor version number.

uint32_t file_version_MS(void) const

The most significant 32 bits of the file’s binary version number.

This member is used with ResourceFixedFileInfo::file_version_LS to form a 64-bits value used for numeric comparisons.

uint32_t file_version_LS(void) const

The least significant 32 bits of the file’s binary version number.

This member is used with ResourceFixedFileInfo::file_version_MS to form a 64-bits value used for numeric comparisons.

uint32_t product_version_MS(void) const

The most significant 32 bits of the product with which this file was distributed.

This member is used with ResourceFixedFileInfo::product_version_LS to form a 64-bits value used for numeric comparisons.

uint32_t product_version_LS(void) const

The least significant 32 bits of the product with which this file was distributed.

This member is used with ResourceFixedFileInfo::product_version_MS to form a 64-bits value used for numeric comparisons.

uint32_t file_flags_mask(void) const

Contains a bitmask that specifies the valid bits in ResourceFixedFileInfo::file_flags.

A bit is valid only if it was defined when the file was created.

uint32_t file_flags(void) const

Contains a bitmask that specifies the Boolean attributes of the file (PE::FIXED_VERSION_FILE_FLAGS)

FIXED_VERSION_OS file_os(void) const

The operating system for which this file was designed (PE::FIXED_VERSION_OS).

FIXED_VERSION_FILE_TYPES file_type(void) const

The general type of file (PE::FIXED_VERSION_FILE_TYPES)

FIXED_VERSION_FILE_SUB_TYPES file_subtype(void) const

The function of the file (PE::FIXED_VERSION_FILE_SUB_TYPES)

uint32_t file_date_MS(void) const

The most significant 32 bits of the file’s 64-bit binary creation date and time stamp.

uint32_t file_date_LS(void) const

The least significant 32 bits of the file’s 64-bit binary creation date and time stamp.

void signature(uint32_t signature)
void struct_version(uint32_t struct_version)
void file_version_MS(uint32_t file_version_MS)
void file_version_LS(uint32_t file_version_LS)
void product_version_MS(uint32_t product_version_MS)
void product_version_LS(uint32_t product_version_LS)
void file_flags_mask(uint32_t file_flags_mask)
void file_flags(uint32_t file_flags)
void file_os(FIXED_VERSION_OS file_os)
void file_type(FIXED_VERSION_FILE_TYPES file_type)
void file_subtype(FIXED_VERSION_FILE_SUB_TYPES file_subtype)
void file_date_MS(uint32_t file_date_MS)
void file_date_LS(uint32_t file_date_LS)
void accept(Visitor &visitor) const override
bool operator==(const ResourceFixedFileInfo &rhs) const
bool operator!=(const ResourceFixedFileInfo &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceFixedFileInfo &fixed_info)

Resource Var File Info

class LIEF::PE::ResourceVarFileInfo : public LIEF::Object

This object describes information about languages supported by the application.

See

LIEF::PE::ResourceVersion

Public Functions

ResourceVarFileInfo(const ResourceVarFileInfo&)
ResourceVarFileInfo &operator=(const ResourceVarFileInfo&)
~ResourceVarFileInfo(void)
uint16_t type(void) const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key(void) const

Signature of the structure: Must be the unicode string “VarFileInfo”.

const std::vector<uint32_t> &translations(void) const

List of languages that the application supports.

The least significant 16-bits must contain a Microsoft language identifier, and the most significant 16-bits must contain the code page Either most or least 16-bits can be zero, indicating that the file is language or code page independent.

std::vector<uint32_t> &translations(void)
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void translations(const std::vector<uint32_t> &translations)
void accept(Visitor &visitor) const override
bool operator==(const ResourceVarFileInfo &rhs) const
bool operator!=(const ResourceVarFileInfo &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceVarFileInfo &entry)

Resource String File Info

class LIEF::PE::ResourceStringFileInfo : public LIEF::Object

Modelization of the StringFileInfostructure.

It contains version information that can be displayed for a particular language and code page.

See: https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms646989(v=vs.85).aspx

Public Functions

ResourceStringFileInfo(const ResourceStringFileInfo&)
ResourceStringFileInfo &operator=(const ResourceStringFileInfo&)
~ResourceStringFileInfo(void)
uint16_t type(void) const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key(void) const

Signature of the structure: Must be the unicode string “StringFileInfo”.

const std::vector<LangCodeItem> &langcode_items(void) const

List of the LangCodeItem items.

Each LangCodeItem::key indicates the appropriate language and code page for displaying the key: value of LangCodeItem::items

std::vector<LangCodeItem> &langcode_items(void)
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void langcode_items(const std::vector<LangCodeItem> &items)
void accept(Visitor &visitor) const override
bool operator==(const ResourceStringFileInfo &rhs) const
bool operator!=(const ResourceStringFileInfo &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceStringFileInfo &string_file_info)

Lang code item

class LIEF::PE::LangCodeItem : public LIEF::Object

It’s basically a map of key/value.

see:

https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms646992(v=vs.85).aspx
See

LIEF::PE::ResourceStringFileInfo

Public Functions

LangCodeItem(void)
LangCodeItem(const LangCodeItem&)
LangCodeItem &operator=(const LangCodeItem&)
~LangCodeItem(void)
uint16_t type(void) const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key(void) const

A 8-digit hexadecimal number stored as an Unicode string.

  • The four most significant digits represent the language identifier.

  • The four least significant digits represent the code page for which the data is formatted.

See

LangCodeItem::code_page, LangCodeItem::lang, LangCodeItem::sublang

CODE_PAGES code_page(void) const

Code page for which items are defined

RESOURCE_LANGS lang(void) const

Lang for which items are defined.

RESOURCE_SUBLANGS sublang(void) const

Sublang for which items are defined.

const std::map<std::u16string, std::u16string> &items(void) const
std::map<std::u16string, std::u16string> &items(void)
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void code_page(CODE_PAGES code_page)
void lang(RESOURCE_LANGS lang)
void sublang(RESOURCE_SUBLANGS lang)
void items(const std::map<std::u16string, std::u16string> &items)
void accept(Visitor &visitor) const override
bool operator==(const LangCodeItem &rhs) const
bool operator!=(const LangCodeItem &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const LangCodeItem &item)

Rich Header

class LIEF::PE::RichHeader : public LIEF::Object

Public Functions

RichHeader(void)
RichHeader(const RichHeader&)
RichHeader &operator=(const RichHeader&)
~RichHeader(void)
uint32_t key(void) const

Key used to encode the header (xor operation)

it_rich_entries entries(void)

Return an iterator on the PE::RichEntry within the header.

it_const_rich_entries entries(void) const
void key(uint32_t key)
void add_entry(const RichEntry &entry)

Add a new PE::RichEntry.

void add_entry(uint16_t id, uint16_t build_id, uint32_t count)
void accept(Visitor &visitor) const override
bool operator==(const RichHeader &rhs) const
bool operator!=(const RichHeader &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const RichHeader &rich_header)

Rich Entry

class LIEF::PE::RichEntry : public LIEF::Object

Public Functions

RichEntry(void)
RichEntry(uint16_t id, uint16_t build_id, uint32_t count)
RichEntry(const RichEntry&)
RichEntry &operator=(const RichEntry&)
~RichEntry(void)
uint16_t id(void) const

Entry type.

uint16_t build_id(void) const

Builder number of the tool (if any)

uint32_t count(void) const

Occurrence count.

void id(uint16_t id)
void build_id(uint16_t build_id)
void count(uint32_t count)
void accept(Visitor &visitor) const override
bool operator==(const RichEntry &rhs) const
bool operator!=(const RichEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const RichEntry &rich_entry)

Code Integrity

class LIEF::PE::CodeIntegrity : public LIEF::Object

Public Functions

CodeIntegrity(void)
CodeIntegrity(const pe_code_integrity *header)
~CodeIntegrity(void)
CodeIntegrity &operator=(const CodeIntegrity&)
CodeIntegrity(const CodeIntegrity&)
uint16_t flags(void) const

Flags to indicate if CI information is available, etc.

uint16_t catalog(void) const

0xFFFF means not available

uint32_t catalog_offset(void) const
uint32_t reserved(void) const

Additional bitmask to be defined later.

void flags(uint16_t flags)
void catalog(uint16_t catalog)
void catalog_offset(uint32_t catalog_offset)
void reserved(uint32_t reserved)
void accept(Visitor &visitor) const override
bool operator==(const CodeIntegrity &rhs) const
bool operator!=(const CodeIntegrity &rhs) const

Public Static Attributes

constexpr size_t PRINT_WIDTH = 20

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeIntegrity &entry)

Pogo

class LIEF::PE::Pogo : public LIEF::Object

Public Functions

Pogo(void)
Pogo(POGO_SIGNATURES signature, const std::vector<PogoEntry> &entries)
Pogo(const Pogo&)
Pogo &operator=(const Pogo&)
Pogo *clone(void) const
POGO_SIGNATURES signature() const
it_pogo_entries entries(void)
it_const_pogo_entries entries(void) const
void signature(POGO_SIGNATURES signature)
void accept(Visitor &visitor) const override
bool operator==(const Pogo &rhs) const
bool operator!=(const Pogo &rhs) const
~Pogo(void)

Friends

friend std::ostream &operator<<(std::ostream &os, const Pogo &entry)

Pogo Entry

class LIEF::PE::PogoEntry : public LIEF::Object

Public Functions

PogoEntry(void)
PogoEntry(const PogoEntry&)
PogoEntry(uint32_t start_rva, uint32_t size, const std::string &name)
PogoEntry &operator=(const PogoEntry&)
~PogoEntry(void)
uint32_t start_rva() const
uint32_t size() const
const std::string &name() const
void start_rva(uint32_t start_rva)
void size(uint32_t size)
void name(const std::string &name)
void accept(Visitor &visitor) const override
bool operator==(const PogoEntry &rhs) const
bool operator!=(const PogoEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const PogoEntry &entry)

Load Configuration

class LIEF::PE::LoadConfiguration : public LIEF::Object

Class modeling the default PE’s LoadConfiguration

It’s the base class for any future version of the structure

Subclassed by LIEF::PE::LoadConfigurationV0

Public Functions

LoadConfiguration(void)
template<class T>
LoadConfiguration(const load_configuration<T> *header)
LoadConfiguration &operator=(const LoadConfiguration&)
LoadConfiguration(const LoadConfiguration&)
WIN_VERSION version(void) const

(SDK) Version of the structure

uint32_t characteristics(void) const

Characteristics of the structure It usually holds its size.

See

LoadConfiguration::version

uint32_t timedatestamp(void) const

Date and time stamp value.

uint16_t major_version(void) const

Major Version.

uint16_t minor_version(void) const

Minor version.

uint32_t global_flags_clear(void) const

The global loader flags to clear for this process as the loader start the process.

uint32_t global_flags_set(void) const

The global loader flags to set for this process as the loader starts the process.

uint32_t critical_section_default_timeout(void) const

The default timeout value to use for this process’s critical sections that are abandoned.

uint64_t decommit_free_block_threshold(void) const

Memory that must be freed before it is returned to the system, in bytes.

uint64_t decommit_total_free_threshold(void) const

Total amount of free memory, in bytes.

uint64_t lock_prefix_table(void) const

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

Warning

For x86 only

uint64_t maximum_allocation_size(void) const

Maximum allocation size, in bytes.

uint64_t virtual_memory_threshold(void) const

Maximum virtual memory size, in bytes.

uint64_t process_affinity_mask(void) const

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

uint32_t process_heap_flags(void) const

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

uint16_t csd_version(void) const

The service pack version identifier.

uint16_t reserved1(void) const

Must be zero.

uint32_t editlist(void) const

Reserved for use by the system.

uint32_t security_cookie(void) const

A pointer to a cookie that is used by Visual C++ or GS implementation.

void characteristics(uint32_t characteristics)
void timedatestamp(uint32_t timedatestamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void global_flags_clear(uint32_t global_flags_clear)
void global_flags_set(uint32_t global_flags_set)
void critical_section_default_timeout(uint32_t critical_section_default_timeout)
void decommit_free_block_threshold(uint64_t decommit_free_block_threshold)
void decommit_total_free_threshold(uint64_t decommit_total_free_threshold)
void lock_prefix_table(uint64_t lock_prefix_table)
void maximum_allocation_size(uint64_t maximum_allocation_size)
void virtual_memory_threshold(uint64_t virtual_memory_threshold)
void process_affinity_mask(uint64_t process_affinity_mask)
void process_heap_flags(uint32_t process_heap_flagsid)
void csd_version(uint16_t csd_version)
void reserved1(uint16_t reserved1)
void editlist(uint32_t editlist)
void security_cookie(uint32_t security_cookie)
~LoadConfiguration(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfiguration &rhs) const
bool operator!=(const LoadConfiguration &rhs) const
std::ostream &print(std::ostream &os) const

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN_UNKNOWN
constexpr size_t PRINT_WIDTH = 45

Friends

friend std::ostream &operator<<(std::ostream &os, const LoadConfiguration &config)

Load Configuration V0

class LIEF::PE::LoadConfigurationV0 : public LIEF::PE::LoadConfiguration

LoadConfiguration enhanced with SEH.

Subclassed by LIEF::PE::LoadConfigurationV1

Public Functions

LoadConfigurationV0(void)
LoadConfigurationV0 &operator=(const LoadConfigurationV0&)
LoadConfigurationV0(const LoadConfigurationV0&)
template<class T>
LoadConfigurationV0(const load_configuration_v0<T> *header)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint64_t se_handler_table(void) const

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

uint64_t se_handler_count(void) const

The count of unique handlers in the table.

void se_handler_table(uint64_t se_handler_table)
void se_handler_count(uint64_t se_handler_count)
~LoadConfigurationV0(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV0 &rhs) const
bool operator!=(const LoadConfigurationV0 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN_SEH

Load Configuration V1

class LIEF::PE::LoadConfigurationV1 : public LIEF::PE::LoadConfigurationV0

LoadConfiguration enhanced with Control Flow Guard.

This structure is available from Windows 8.1

Subclassed by LIEF::PE::LoadConfigurationV2

Public Functions

LoadConfigurationV1(void)
template<class T>
LoadConfigurationV1(const load_configuration_v1<T> *header)
LoadConfigurationV1 &operator=(const LoadConfigurationV1&)
LoadConfigurationV1(const LoadConfigurationV1&)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint64_t guard_cf_check_function_pointer(void) const

The VA where Control Flow Guard check-function pointer is stored.

uint64_t guard_cf_dispatch_function_pointer(void) const

The VA where Control Flow Guard dispatch-function pointer is stored.

uint64_t guard_cf_function_table(void) const

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

uint64_t guard_cf_function_count(void) const

The count of unique RVAs in the LoadConfigurationV1::guard_cf_function_table.

GUARD_CF_FLAGS guard_flags(void) const

Control Flow Guard related flags.

bool has(GUARD_CF_FLAGS flag) const

Check if the given flag is present in LoadConfigurationV1::guard_flags.

guard_cf_flags_list_t guard_cf_flags_list(void) const

LoadConfigurationV1::guard_flags as a list of LIEF::PE::GUARD_CF_FLAGS.

void guard_cf_check_function_pointer(uint64_t guard_cf_check_function_pointer)
void guard_cf_dispatch_function_pointer(uint64_t guard_cf_dispatch_function_pointer)
void guard_cf_function_table(uint64_t guard_cf_function_table)
void guard_cf_function_count(uint64_t guard_cf_function_count)
void guard_flags(GUARD_CF_FLAGS guard_flags)
~LoadConfigurationV1(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV1 &rhs) const
bool operator!=(const LoadConfigurationV1 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN8_1

Load Configuration V2

class LIEF::PE::LoadConfigurationV2 : public LIEF::PE::LoadConfigurationV1

LoadConfiguration enhanced with code integrity.

Subclassed by LIEF::PE::LoadConfigurationV3

Public Functions

LoadConfigurationV2(void)
LoadConfigurationV2 &operator=(const LoadConfigurationV2&)
LoadConfigurationV2(const LoadConfigurationV2&)
template<class T>
LoadConfigurationV2(const load_configuration_v2<T> *header)
WIN_VERSION version(void) const override

(SDK) Version of the structure

const CodeIntegrity &code_integrity(void) const

CodeIntegrity associated with.

CodeIntegrity &code_integrity(void)
~LoadConfigurationV2(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV2 &rhs) const
bool operator!=(const LoadConfigurationV2 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN10_0_9879

Load Configuration V3

class LIEF::PE::LoadConfigurationV3 : public LIEF::PE::LoadConfigurationV2

LoadConfiguration with Control Flow Guard improved.

Subclassed by LIEF::PE::LoadConfigurationV4

Public Functions

LoadConfigurationV3(void)
template<class T>
LoadConfigurationV3(const load_configuration_v3<T> *header)
LoadConfigurationV3 &operator=(const LoadConfigurationV3&)
LoadConfigurationV3(const LoadConfigurationV3&)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint64_t guard_address_taken_iat_entry_table(void) const

VA of a table associated with CFG’s IAT checks.

uint64_t guard_address_taken_iat_entry_count(void) const

Number of entries in the LoadConfigurationV3::guard_address_taken_iat_entry_table.

uint64_t guard_long_jump_target_table(void) const

VA of a table associated with CFG’s long jump

uint64_t guard_long_jump_target_count(void) const

Number of entries in the LoadConfigurationV3::guard_long_jump_target_table.

void guard_address_taken_iat_entry_table(uint64_t value)
void guard_address_taken_iat_entry_count(uint64_t value)
void guard_long_jump_target_table(uint64_t value)
void guard_long_jump_target_count(uint64_t value)
~LoadConfigurationV3(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV3 &rhs) const
bool operator!=(const LoadConfigurationV3 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN10_0_14286

Load Configuration V4

class LIEF::PE::LoadConfigurationV4 : public LIEF::PE::LoadConfigurationV3

Load Configuration enhanced with.

  • Kind of dynamic relocations

  • Hybrid Metadata Pointer

Subclassed by LIEF::PE::LoadConfigurationV5

Public Functions

LoadConfigurationV4(void)
template<class T>
LoadConfigurationV4(const load_configuration_v4<T> *header)
LoadConfigurationV4 &operator=(const LoadConfigurationV4&)
LoadConfigurationV4(const LoadConfigurationV4&)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint64_t dynamic_value_reloc_table(void) const

VA of pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE

uint64_t hybrid_metadata_pointer(void) const
void dynamic_value_reloc_table(uint64_t value)
void hybrid_metadata_pointer(uint64_t value)
~LoadConfigurationV4(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV4 &rhs) const
bool operator!=(const LoadConfigurationV4 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN10_0_14383

Load Configuration V5

class LIEF::PE::LoadConfigurationV5 : public LIEF::PE::LoadConfigurationV4

Load Configuration enhanced with Return Flow Guard.

Subclassed by LIEF::PE::LoadConfigurationV6

Public Functions

LoadConfigurationV5(void)
template<class T>
LoadConfigurationV5(const load_configuration_v5<T> *header)
LoadConfigurationV5 &operator=(const LoadConfigurationV5&)
LoadConfigurationV5(const LoadConfigurationV5&)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint64_t guard_rf_failure_routine(void) const

VA of the failure routine.

uint64_t guard_rf_failure_routine_function_pointer(void) const

VA of the failure routine fptr.

uint32_t dynamic_value_reloctable_offset(void) const

Offset of dynamic relocation table relative to the relocation table.

uint16_t dynamic_value_reloctable_section(void) const

The section index of the dynamic value relocation table.

uint16_t reserved2(void) const

Must be zero.

void guard_rf_failure_routine(uint64_t value)
void guard_rf_failure_routine_function_pointer(uint64_t value)
void dynamic_value_reloctable_offset(uint32_t value)
void dynamic_value_reloctable_section(uint16_t value)
void reserved2(uint16_t value)
~LoadConfigurationV5(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV5 &rhs) const
bool operator!=(const LoadConfigurationV5 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN10_0_14901

Load Configuration V6

class LIEF::PE::LoadConfigurationV6 : public LIEF::PE::LoadConfigurationV5

Load Configuration enhanced with Hotpatch and improved RFG.

Subclassed by LIEF::PE::LoadConfigurationV7

Public Functions

LoadConfigurationV6(void)
template<class T>
LoadConfigurationV6(const load_configuration_v6<T> *header)
LoadConfigurationV6 &operator=(const LoadConfigurationV6&)
LoadConfigurationV6(const LoadConfigurationV6&)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint64_t guard_rf_verify_stackpointer_function_pointer(void) const

VA of the Function verifying the stack pointer.

uint32_t hotpatch_table_offset(void) const

Offset to the hotpatch table.

void guard_rf_verify_stackpointer_function_pointer(uint64_t value)
void hotpatch_table_offset(uint32_t value)
~LoadConfigurationV6(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV6 &rhs) const
bool operator!=(const LoadConfigurationV6 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN10_0_15002

Load Configuration V7

class LIEF::PE::LoadConfigurationV7 : public LIEF::PE::LoadConfigurationV6

Public Functions

LoadConfigurationV7(void)
template<class T>
LoadConfigurationV7(const load_configuration_v7<T> *header)
LoadConfigurationV7 &operator=(const LoadConfigurationV7&)
LoadConfigurationV7(const LoadConfigurationV7&)
WIN_VERSION version(void) const override

(SDK) Version of the structure

uint32_t reserved3(void) const
uint64_t addressof_unicode_string(void) const
void reserved3(uint32_t value)
void addressof_unicode_string(uint64_t value)
~LoadConfigurationV7(void)
void accept(Visitor &visitor) const override
bool operator==(const LoadConfigurationV7 &rhs) const
bool operator!=(const LoadConfigurationV7 &rhs) const
std::ostream &print(std::ostream &os) const override

Public Static Attributes

constexpr WIN_VERSION VERSION = WIN_VERSION::WIN10_0_16237

Utilities

Warning

doxygenfunction: Unable to resolve multiple matches for function “LIEF::PE::get_type” with arguments (const std::string &) in doxygen xml output for project “lief” from directory: /tmp/LIEF/LIEF/build/doc/doxygen/xml. Potential matches:

- PE_TYPE get_type(const std::string &file)
- PE_TYPE get_type(const std::vector<uint8_t> &raw)

Warning

doxygenfunction: Unable to resolve multiple matches for function “LIEF::PE::get_type” with arguments (const std::vector< uint8_t > &) in doxygen xml output for project “lief” from directory: /tmp/LIEF/LIEF/build/doc/doxygen/xml. Potential matches:

- PE_TYPE get_type(const std::string &file)
- PE_TYPE get_type(const std::vector<uint8_t> &raw)

Warning

doxygenfunction: Unable to resolve multiple matches for function “LIEF::PE::is_pe” with arguments (const std::string &) in doxygen xml output for project “lief” from directory: /tmp/LIEF/LIEF/build/doc/doxygen/xml. Potential matches:

- bool is_pe(const std::string &file)
- bool is_pe(const std::vector<uint8_t> &raw)

Warning

doxygenfunction: Unable to resolve multiple matches for function “LIEF::PE::is_pe” with arguments (const std::vector< uint8_t > &) in doxygen xml output for project “lief” from directory: /tmp/LIEF/LIEF/build/doc/doxygen/xml. Potential matches:

- bool is_pe(const std::string &file)
- bool is_pe(const std::vector<uint8_t> &raw)
std::string PE::LIEF::get_imphash(const Binary &binary)

Compute the hash of imported functions.

Properties of the hash generated:

  • Order agnostic

  • Casse agnostic

  • Ordinal (in some extent) agnostic

Warning

The algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation

See

https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html

Import PE::LIEF::resolve_ordinals(const Import &import, bool strict = false)

Take a PE::Import as entry and try to resolve imports by ordinal.

The strict boolean parameter enables to throw an LIEF::not_found exception if the ordinal can’t be resolved. Otherwise it skips the entry.

Parameters
  • [in] import: Import to resolve

  • [in] strict: If set to true, throw an exception if the import can’t be resolved

  • Import: The import resolved: PE::ImportEntry::name is set

const char *PE::LIEF::oid_to_string(const oid_t &oid)

Convert an OID to a human-readable string.


Enums

enum PE::LIEF::MACHINE_TYPES

Values:

enumerator MT_Invalid = 0xffff
enumerator IMAGE_FILE_MACHINE_UNKNOWN = 0x0
enumerator IMAGE_FILE_MACHINE_AM33 = 0x1D3

Matsushita AM33