Abstract¶

Parser¶

lief.parse(*args) → lief.Binary | None¶

lief.parse(filepath: str) → lief._lief.Binary | None

lief.parse(obj: io.IOBase | os.PathLike) → lief._lief.Binary | None

Overloaded function.

1. parse(raw: bytes) -> Optional[lief._lief.Binary]

   Parse a binary supported by LIEF from the given bytes and return either:

   • lief.ELF.Binary

   • lief.PE.Binary

   • lief.MachO.Binary

   depending on the given binary format.

2. parse(filepath: str) -> Optional[lief._lief.Binary]

   Parse a binary from the given file path and return either:

   • lief.ELF.Binary

   • lief.PE.Binary

   • lief.MachO.Binary

   depending on the given binary format.

3. parse(obj: Union[io.IOBase | os.PathLike]) -> Optional[lief._lief.Binary]

   Parse a binary supported by LIEF from the given Python object and return either:

   • lief.ELF.Binary

   • lief.PE.Binary

   • lief.MachO.Binary

   depending on the given binary format.

Binary¶

class lief.Binary¶

Bases: Object

File format abstract representation.

This object represents the abstraction of an executable file format. It enables to access common features (like the entrypoint) regardless of the concrete format (e.g. lief.ELF.Binary.entrypoint)

class FORMATS¶

Bases: object

ELF = lief._lief.FORMATS.ELF¶

MACHO = lief._lief.FORMATS.MACHO¶

OAT = lief._lief.FORMATS.OAT¶

PE = lief._lief.FORMATS.PE¶

UNKNOWN = lief._lief.FORMATS.UNKNOWN¶

class VA_TYPES¶

Bases: object

AUTO = lief._lief.VA_TYPES.AUTO¶

RVA = lief._lief.VA_TYPES.RVA¶

VA = lief._lief.VA_TYPES.VA¶

property abstract → lief.Binary¶

Return the abstract representation of the current binary (lief.Binary)

property concrete → lief.ELF.Binary | lief.PE.Binary | lief.MachO.Binary¶

The concrete representation of the binary. Basically, this property cast a lief.Binary into a lief.PE.Binary, lief.ELF.Binary or lief.MachO.Binary.

See also: lief.Binary.abstract

property ctor_functions → list[lief.Function]¶

Constructor functions that are called prior to any other functions

property entrypoint → int¶

Binary’s entrypoint

property exported_functions → list[lief.Function]¶

Return the binary’s exported Function

property format → lief.Binary.FORMATS¶

File format (FORMATS) of the underlying binary.

get_content_from_virtual_address(self, virtual_address: int, size: int, va_type: lief.Binary.VA_TYPES) → memoryview¶

Return the content located at the provided virtual address. The virtual address is specified in the first argument and size to read (in bytes) in the second.

If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

get_function_address(self, function_name: str) → int | lief.lief_errors¶

Return the address of the given function name

get_symbol(self, symbol_name: str) → lief.Symbol¶

Return the Symbol from the given name.

If the symbol can’t be found, it returns None.

property has_nx → bool¶

Check if the binary has NX protection (non executable stack)

has_symbol(self, symbol_name: str) → bool¶

Check if a Symbol with the given name exists

property header → lief.Header¶

Binary’s abstract header (Header)

property imagebase → int¶

Default image base (i.e. if the ASLR is not enabled)

property imported_functions → list[lief.Function]¶

Return the binary’s imported Function (name)

property is_pie → bool¶

Check if the binary is position independent

class it_relocations¶

Bases: object

Iterator over lief._lief.Relocation

class it_sections¶

Bases: object

Iterator over lief._lief.Section

class it_symbols¶

Bases: object

Iterator over lief._lief.Symbol

property libraries → list[str | bytes]¶

Return binary’s imported libraries (name)

offset_to_virtual_address(self, offset: int, slide: int) → int | lief.lief_errors¶

Convert an offset into a virtual address.

patch_address(*args) → None¶

Overloaded function.

1. patch_address(self, address: int, patch_value: list[int], va_type: lief._lief.Binary.VA_TYPES = lief._lief.VA_TYPES.AUTO) -> None

   Patch the address with the given list of bytes. The virtual address is specified in the first argument and the content in the second (as a list of bytes).

   If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

2. patch_address(self, address: int, patch_value: int, size: int = 8, va_type: lief._lief.Binary.VA_TYPES = lief._lief.VA_TYPES.AUTO) -> None

   Patch the address with the given integer value. The virtual address is specified in the first argument, the integer in the second and the integer’s size of in third one.

   If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

property relocations → lief.Binary.it_relocations¶

Return an iterator over abstract Relocation

remove_section(self, name: str, clear: bool) → None¶

Remove the section with the given name

property sections → lief.Binary.it_sections¶

Return an iterator over the binary’s abstract sections (Section)

property symbols → lief.Binary.it_symbols¶

Return an iterator over the binary’s abstract Symbol

xref(self, virtual_address: int) → list[int]¶

Return all virtual addresses that use the address given in parameter

Header¶

class lief.Header(self)¶

Bases: Object

Class which represents an abstracted Header

property architecture → lief.ARCHITECTURES¶

Target architecture (ARCHITECTURES)

property endianness → lief.ENDIANNESS¶

Binary endianness See: ENDIANNESS

property entrypoint → int¶

Binary entrypoint

property is_32 → bool¶

True if the binary targets a 32-bits architecture

property is_64 → bool¶

True if the binary targets a 64-bits architecture

property modes → set[lief.MODES]¶

Target MODES (32-bits, 64-bits…)

property object_type → lief.OBJECT_TYPES¶

Type of the binary (executable, library…) See: OBJECT_TYPES

Section¶

class lief.Section¶

Bases: Object

Class which represents an abstracted section

property content → memoryview¶

Section’s content

property entropy → float¶

Section’s entropy

property fullname → bytes¶

Return the fullname of the section including the trailing bytes

property name → str | bytes¶

Section’s name

property offset → int¶

Section’s file offset

search(*args) → int | None¶

Overloaded function.

1. search(self, number: int, pos: int = 0, size: int = 0) -> Optional[int]

Look for integer within the current section

2. search(self, str: str, pos: int = 0) -> Optional[int]

Look for string within the current section

3. search(self, bytes: bytes, pos: int = 0) -> Optional[int]

Look for the given bytes within the current section

search_all(*args) → list[int]¶

Overloaded function.

1. search_all(self, number: int, size: int = 0) -> list[int]

Look for all integers within the current section

2. search_all(self, str: str) -> list[int]

Look for all strings within the current section

property size → int¶

Section’s size

property virtual_address → int¶

Section’s virtual address

Symbol¶

class lief.Symbol¶

Bases: Object

This class represents a symbol in an executable format.

property name → str | bytes¶

Symbol’s name

property size → int¶

Symbol’s size

property value → int¶

Symbol’s value

Relocation¶

class lief.Relocation¶

Bases: Object

Class which represents an abstracted Relocation

property address → int¶

Relocation’s address

property size → int¶

Relocation’s size (in bits)

Function¶

class lief.Function(self)¶

class lief.Function(self, arg: str, /)

class lief.Function(self, arg: int, /)

class lief.Function(self, arg0: str, arg1: int, /)

Bases: Symbol

Class which represents a Function in an executable file format.

class FLAGS¶

Bases: object

CONSTRUCTOR = lief._lief.FLAGS.CONSTRUCTOR¶

DEBUG = lief._lief.FLAGS.DEBUG¶

DESTRUCTOR = lief._lief.FLAGS.DESTRUCTOR¶

EXPORTED = lief._lief.FLAGS.EXPORTED¶

IMPORTED = lief._lief.FLAGS.IMPORTED¶

add(self, flag: lief.Function.FLAGS) → lief.Function¶

Add the given FLAGS

property address → int¶

Function’s address

property flags → list[lief.Function.FLAGS]¶

Function flags as a list of FLAGS

Enums¶