Abstract¶

Parser¶

class Parser¶

Main interface to parse an executable regardless of its format.

Subclassed by LIEF::ELF::Parser, LIEF::MachO::BinaryParser, LIEF::MachO::Parser, LIEF::PE::Parser

Public Static Functions

static std::unique_ptr<Binary> parse(const std::string &filename)¶

Construct an LIEF::Binary from the given filename.

See also

LIEF::MachO::Parser::parse

Warning

If the target file is a FAT Mach-O, it will return the last one

static std::unique_ptr<Binary> parse(const std::vector<uint8_t> &raw)¶

Construct an LIEF::Binary from the given raw data.

See also

LIEF::MachO::Parser::parse

Warning

If the target file is a FAT Mach-O, it will return the last one

static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream)¶

Construct an LIEF::Binary from the given stream.

See also

LIEF::MachO::Parser::parse

Warning

If the target file is a FAT Mach-O, it will return the last one

Header¶

class Header : public LIEF::Object¶

Public Functions

Header()¶

Header(const Header&)¶

Header &operator=(const Header&)¶

~Header() override¶

ARCHITECTURES architecture() const¶

const std::set<MODES> &modes() const¶

OBJECT_TYPES object_type() const¶

uint64_t entrypoint() const¶

ENDIANNESS endianness() const¶

bool is_32() const¶

true if the binary target a 32-bits architecture

bool is_64() const¶

true if the binary target a 64-bits architecture

virtual void accept(Visitor &visitor) const override¶

Method so that the visitor can visit us.

void architecture(ARCHITECTURES arch)¶

void modes(const std::set<MODES> &m)¶

void object_type(OBJECT_TYPES type)¶

void entrypoint(uint64_t entrypoint)¶

void endianness(ENDIANNESS endianness)¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Header &hdr)¶

Binary¶

class Binary : public LIEF::Object¶

Abstract binary that exposes an uniform API for the different executable file formats.

Subclassed by LIEF::ELF::Binary, LIEF::MachO::Binary, LIEF::PE::Binary

Public Types

enum class VA_TYPES¶

Type of a virtual address.

Values:

enumerator AUTO = 0¶

Try to guess if it’s relative or not.

enumerator RVA = 1¶

Relative.

enumerator VA = 2¶

Absolute.

enum FORMATS¶

Values:

enumerator UNKNOWN = 0¶

enumerator ELF¶

enumerator PE¶

enumerator MACHO¶

enumerator OAT¶

using functions_t = std::vector<Function>¶

using sections_t = std::vector<Section*>¶

Internal container.

using it_sections = ref_iterator<sections_t>¶

Iterator that outputs LIEF::Section&.

using it_const_sections = const_ref_iterator<sections_t>¶

Iterator that outputs const LIEF::Section&.

using symbols_t = std::vector<Symbol*>¶

Internal container.

using it_symbols = ref_iterator<symbols_t>¶

Iterator that outputs LIEF::Symbol&.

using it_const_symbols = const_ref_iterator<symbols_t>¶

Iterator that outputs const LIEF::Symbol&.

using relocations_t = std::vector<Relocation*>¶

Internal container.

using it_relocations = ref_iterator<relocations_t>¶

Iterator that outputs LIEF::Relocation&.

using it_const_relocations = const_ref_iterator<relocations_t>¶

Iterator that outputs const LIEF::Relocation&.

Public Functions

Binary()¶

inline Binary(FORMATS fmt)¶

~Binary() override¶

Binary &operator=(const Binary&)¶

Binary(const Binary&)¶

inline FORMATS format() const¶

Executable format (ELF, PE, Mach-O) of the underlying binary.

Header header() const¶

Return the abstract header of the binary.

it_symbols symbols()¶

Return an iterator over the abstracted symbols in which the elements can be modified.

it_const_symbols symbols() const¶

Return an iterator over the abstracted symbols in which the elements can’t be modified.

bool has_symbol(const std::string &name) const¶

Check if a Symbol with the given name exists.

const Symbol *get_symbol(const std::string &name) const¶

Return the Symbol with the given name If the symbol does not exist, return a nullptr.

Symbol *get_symbol(const std::string &name)¶

it_sections sections()¶

Return an iterator over the binary’s sections (LIEF::Section)

it_const_sections sections() const¶

virtual void remove_section(const std::string &name, bool clear = false) = 0¶

Remove all the sections in the underlying binary.

it_relocations relocations()¶

Return an iterator over the binary relocation (LIEF::Relocation)

it_const_relocations relocations() const¶

virtual uint64_t entrypoint() const = 0¶

Binary’s entrypoint (if any)

inline uint64_t original_size() const¶

Binary’s original size.

functions_t exported_functions() const¶

Return the functions exported by the binary.

std::vector<std::string> imported_libraries() const¶

Return libraries which are imported by the binary.

functions_t imported_functions() const¶

Return functions imported by the binary.

virtual result<uint64_t> get_function_address(const std::string &func_name) const¶

Return the address of the given function name.

virtual void accept(Visitor &visitor) const override¶

Method so that a visitor can visit us.

std::vector<uint64_t> xref(uint64_t address) const¶

virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, VA_TYPES addr_type = VA_TYPES::AUTO) = 0¶

Patch the content at virtual address address with patch_value.

Parameters:

• address – [in] Address to patch

• patch_value – [in] Patch to apply

• addr_type – [in] Specify if the address should be used as an absolute virtual address or a RVA

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), VA_TYPES addr_type = VA_TYPES::AUTO) = 0¶

Patch the address with the given value.

Parameters:

• address – [in] Address to patch

• patch_value – [in] Patch to apply

• size – [in] Size of the value in bytes (1, 2, … 8)

• addr_type – [in] Specify if the address should be used as an absolute virtual address or an RVA

virtual span<const uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, VA_TYPES addr_type = VA_TYPES::AUTO) const = 0¶

Return the content located at the given virtual address.

inline void original_size(uint64_t size)¶

Change binary’s original size.

Warning

This function should be used carefully as some optimizations can be performed with this value

virtual bool is_pie() const = 0¶

Check if the binary is position independent.

virtual bool has_nx() const = 0¶

Check if the binary uses NX protection.

virtual uint64_t imagebase() const = 0¶

Default image base address if the ASLR is not enabled.

virtual functions_t ctor_functions() const = 0¶

Constructor functions that are called prior any other functions.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const = 0¶

Convert the given offset into a virtual address.

Parameters:

• offset – [in] The offset to convert.

• slide – [in] If not 0, it will replace the default base address (if any)

virtual std::ostream &print(std::ostream &os) const¶

virtual void write(const std::string &name) = 0¶

Build & transform the Binary object representation into a real executable.

virtual void write(std::ostream &os) = 0¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Binary &binary)¶

Section¶

class Section : public LIEF::Object¶

Class which represents an abstracted section.

Subclassed by LIEF::ELF::Section, LIEF::MachO::Section, LIEF::PE::Section

Public Functions

Section()¶

Section(std::string name)¶

~Section() override¶

Section &operator=(const Section&)¶

Section(const Section&)¶

virtual std::string name() const¶

section’s name

virtual const std::string &fullname() const¶

Return the complete section’s name which might trailing (0) bytes.

virtual span<const uint8_t> content() const¶

section’s content

virtual void size(uint64_t size)¶

Change the section size.

virtual uint64_t size() const¶

section’s size (size in the binary, not the virtual size)

virtual uint64_t offset() const¶

Offset in the binary.

virtual uint64_t virtual_address() const¶

Address where the section should be mapped.

virtual void virtual_address(uint64_t virtual_address)¶

virtual void name(const std::string &name)¶

Change the section’s name.

virtual void content(const std::vector<uint8_t> &data)¶

Change section content.

virtual void offset(uint64_t offset)¶

double entropy() const¶

Section’s entropy.

size_t search(uint64_t integer, size_t pos, size_t size) const¶

size_t search(const std::vector<uint8_t> &pattern, size_t pos = 0) const¶

size_t search(const std::string &pattern, size_t pos = 0) const¶

size_t search(uint64_t integer, size_t pos = 0) const¶

std::vector<size_t> search_all(uint64_t v, size_t size) const¶

std::vector<size_t> search_all(uint64_t v) const¶

std::vector<size_t> search_all(const std::string &v) const¶

virtual void accept(Visitor &visitor) const override¶

Method so that the visitor can visit us.

Public Static Attributes

static constexpr size_t npos = -1¶

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &entry)¶

Symbol¶

class Symbol : public LIEF::Object¶

This class represents a symbol in an executable format.

Subclassed by LIEF::ELF::Symbol, LIEF::Function, LIEF::MachO::Symbol, LIEF::PE::DelayImportEntry, LIEF::PE::ExportEntry, LIEF::PE::ImportEntry, LIEF::PE::Symbol

Public Functions

Symbol()¶

Symbol(std::string name)¶

Symbol(std::string name, uint64_t value)¶

Symbol(std::string name, uint64_t value, uint64_t size)¶

Symbol(const Symbol&)¶

Symbol &operator=(const Symbol&)¶

~Symbol() override¶

void swap(Symbol &other)¶

virtual const std::string &name() const¶

Return the symbol’s name.

virtual std::string &name()¶

virtual void name(const std::string &name)¶

Set symbol name.

virtual uint64_t value() const¶

virtual void value(uint64_t value)¶

virtual uint64_t size() const¶

This size of the symbol (when applicable)

virtual void size(uint64_t value)¶

virtual void accept(Visitor &visitor) const override¶

Method so that the visitor can visit us.

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &entry)¶

Relocation¶

class Relocation : public LIEF::Object¶

Class which represents an abstracted Relocation.

Subclassed by LIEF::ELF::Relocation, LIEF::MachO::Relocation, LIEF::PE::RelocationEntry

Public Functions

Relocation()¶

Relocation(uint64_t address, uint8_t size)¶

Constructor from a relocation’s address and size.

~Relocation() override¶

Relocation &operator=(const Relocation&)¶

Relocation(const Relocation&)¶

void swap(Relocation &other)¶

virtual uint64_t address() const¶

Relocation’s address.

virtual size_t size() const¶

Relocation size in bits

virtual void address(uint64_t address)¶

virtual void size(size_t size)¶

virtual void accept(Visitor &visitor) const override¶

Method so that the visitor can visit us.

virtual bool operator<(const Relocation &rhs) const¶

Comparaison based on the Relocation’s address

virtual bool operator<=(const Relocation &rhs) const¶

Comparaison based on the Relocation’s address

virtual bool operator>(const Relocation &rhs) const¶

Comparaison based on the Relocation’s address

virtual bool operator>=(const Relocation &rhs) const¶

Comparaison based on the Relocation’s address

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &entry)¶

Function¶

class Function : public LIEF::Symbol¶

Class that represents a function in the binary.

Public Types

enum class FLAGS¶

Flags used to characterize the semantic of the function.

Values:

enumerator NONE = 0¶

enumerator CONSTRUCTOR¶

The function acts as constructor.

Usually this flag is associated with functions that are located in the .init_array, __mod_init_func or .tls sections

enumerator DESTRUCTOR¶

The function acts a destructor.

Usually this flag is associated with functions that are located in the .fini_array or __mod_term_func sections

enumerator DEBUG¶

The function is associated with Debug information.

enumerator EXPORTED¶

The function is exported by the binary and the address() method returns its virtual address in the binary.

enumerator IMPORTED¶

The function is imported by the binary and the address() should return 0.

using flags_list_t = std::vector<FLAGS>¶

using flags_t = std::set<FLAGS>¶

Public Functions

Function()¶

Function(const std::string &name)¶

Function(uint64_t address)¶

Function(const std::string &name, uint64_t address)¶

Function(const std::string &name, uint64_t address, const flags_list_t &flags)¶

Function(const Function&)¶

Function &operator=(const Function&)¶

~Function() override¶

flags_list_t flags() const¶

List of FLAGS.

Function &add(FLAGS f)¶

Add a flag to the current function.

uint64_t address() const¶

Address of the current function. For functions that are set with the FLAGS::IMPORTED flag, this value is likely 0.

void address(uint64_t address)¶

virtual void accept(Visitor &visitor) const override¶

Method so that the visitor can visit us.

Friends

friend std::ostream &operator<<(std::ostream &os, const Function &entry)¶

Enums¶

enum LIEF::OBJECT_TYPES¶

Values:

enumerator TYPE_NONE = 0¶

enumerator TYPE_EXECUTABLE = 1¶

enumerator TYPE_LIBRARY = 2¶

enumerator TYPE_OBJECT = 3¶

enum LIEF::ARCHITECTURES¶

Values:

enumerator ARCH_NONE = 0¶

enumerator ARCH_ARM = 1¶

enumerator ARCH_ARM64 = 2¶

enumerator ARCH_MIPS = 3¶

enumerator ARCH_X86 = 4¶

enumerator ARCH_PPC = 5¶

enumerator ARCH_SPARC = 6¶

enumerator ARCH_SYSZ = 7¶

enumerator ARCH_XCORE = 8¶

enumerator ARCH_INTEL = 9¶

enumerator ARCH_RISCV = 10¶

enumerator ARCH_LOONGARCH = 11¶

enum LIEF::MODES¶

Values:

enumerator MODE_NONE = 0¶

enumerator MODE_16 = 1¶

enumerator MODE_32 = 2¶

enumerator MODE_64 = 3¶

enumerator MODE_ARM = 4¶

enumerator MODE_THUMB = 5¶

enumerator MODE_MCLASS = 6¶

enumerator MODE_MICRO = 7¶

enumerator MODE_MIPS3 = 8¶

enumerator MODE_MIPS32R6 = 9¶

enumerator MODE_MIPSGP64 = 10¶

enumerator MODE_V7 = 11¶

enumerator MODE_V8 = 12¶

enumerator MODE_V9 = 13¶

enumerator MODE_MIPS32 = 14¶

enumerator MODE_MIPS64 = 15¶

enum LIEF::ENDIANNESS¶

Values:

enumerator ENDIAN_NONE = 0¶

enumerator ENDIAN_BIG = 1¶

enumerator ENDIAN_LITTLE = 2¶