PE

Binary

class LIEF::PE::Binary : public LIEF::Binary

Class which represents a PE binary This is the main interface to manage and modify a PE executable.

Public Types

using sections_t = std::vector<std::unique_ptr<Section>>

Internal container for storing PE’s Section.

using it_sections = ref_iterator<sections_t&, Section*>

Iterator that outputs Section& object.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>

Iterator that outputs const Section& object.

using data_directories_t = std::vector<std::unique_ptr<DataDirectory>>

Internal container for storing PE’s DataDirectory.

using it_data_directories = ref_iterator<data_directories_t&, DataDirectory*>

Iterator that outputs DataDirectory&.

using it_const_data_directories = const_ref_iterator<const data_directories_t&, const DataDirectory*>

Iterator that outputs const DataDirectory&.

using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing PE’s Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator that outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator that outputs const Relocation&.

using imports_t = std::vector<Import>

Internal container for storing PE’s Import.

using it_imports = ref_iterator<imports_t&>

Iterator that output Import&.

using it_const_imports = const_ref_iterator<const imports_t&>

Iterator that outputs const Import&.

using delay_imports_t = std::vector<DelayImport>

Internal container for storing PE’s DelayImport.

using it_delay_imports = ref_iterator<delay_imports_t&>

Iterator that output DelayImport&.

using it_const_delay_imports = const_ref_iterator<const delay_imports_t&>

Iterator that outputs const DelayImport&.

using debug_entries_t = std::vector<Debug>

Internal container for storing Debug information.

using it_debug_entries = ref_iterator<debug_entries_t&>

Iterator that outputs Debug&.

using it_const_debug_entries = const_ref_iterator<const debug_entries_t&>

Iterator that outputs const Debug&.

using symbols_t = std::vector<Symbol>

Internal container for storing COFF Symbols.

using it_symbols = ref_iterator<symbols_t&>

Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&>

Iterator that outputs const Symbol&.

using strings_table_t = std::vector<std::string>

Internal container for storing strings.

using it_strings_table = ref_iterator<strings_table_t&>

Iterator that outputs std::string&.

using it_const_strings_table = const_ref_iterator<const strings_table_t&>

Iterator that outputs const std::string&.

using signatures_t = std::vector<Signature>

Internal container for storing PE’s authenticode Signature.

using it_signatures = ref_iterator<signatures_t&>

Iterator that outputs Signature&.

using it_const_signatures = const_ref_iterator<const signatures_t&>

Iterator that outputs const Signature&.

Public Functions

Binary(const std::string &name, PE_TYPE type)
virtual ~Binary() override
PE_TYPE type() const

Return PE32 or PE32+

uint64_t rva_to_offset(uint64_t RVA)

Convert a Relative Virtual Address into an offset.

The conversion is performed by looking for the section that encompasses the provided RVA.

uint64_t va_to_offset(uint64_t VA)

Convert the absolute virtual address into an offset.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const override

Convert the given offset into a virtual address.

Parameters
  • offset[in] The offset to convert.

  • slide[in] If not 0, it will replace the default base address (if any)

virtual uint64_t imagebase() const override

Return binary’s imagebase. 0 if not relevant.

The value is the same as those returned by OptionalHeader::imagebase

Section *section_from_offset(uint64_t offset)

Find the section associated that encompasses the given offset.

If no section can be found, return a nullptr

const Section *section_from_offset(uint64_t offset) const
Section *section_from_rva(uint64_t virtual_address)

Find the section associated that encompasses the given RVA.

If no section can be found, return a nullptr

const Section *section_from_rva(uint64_t virtual_address) const
it_sections sections()

Return an iterator over the PE’s Section.

it_const_sections sections() const
DosHeader &dos_header()

Return a reference to the PE::DosHeader object.

const DosHeader &dos_header() const
Header &header()

Return a reference to the PE::Header object.

const Header &header() const
OptionalHeader &optional_header()

Return a reference to the OptionalHeader object.

const OptionalHeader &optional_header() const
uint64_t virtual_size() const

Compute the binary’s virtual size. It should match OptionalHeader::sizeof_image.

uint32_t sizeof_headers() const

Compute the size of all the headers.

TLS &tls()

Return a reference to the TLS object.

const TLS &tls() const
void tls(const TLS &tls)

Set a TLS object in the current Binary.

bool has_tls() const

Check if the current binary has a TLS object.

bool has_imports() const

Check if the current binary contains imports.

See also

Import

bool has_signatures() const

Check if the current binary contains signatures.

See also

signatures

bool has_exports() const

Check if the current binary has exports.

See also

Export

bool has_resources() const

Check if the current binary has resources.

bool has_exceptions() const

Check if the current binary has exceptions.

bool has_relocations() const

Check if the current binary has relocations.

See also

Relocation

bool has_debug() const

Check if the current binary has debugs.

bool has_configuration() const

Check if the current binary has a load configuration.

bool is_reproducible_build() const

Check if the current binary is reproducible build, replacing timestamps by a compile hash.

See also

Debug

it_const_signatures signatures() const

Return an iterator over the Signature object(s) if the binary is signed.

Signature::VERIFICATION_FLAGS verify_signature(Signature::VERIFICATION_CHECKS checks = Signature::VERIFICATION_CHECKS::DEFAULT) const

Verify the binary against the embedded signature(s) (if any) First, it checks that the embedded signatures are correct (c.f. Signature::check) and then, it checks that the authentihash matches ContentInfo::digest.

One can tweak the verification process with the Signature::VERIFICATION_CHECKS flags

Signature::VERIFICATION_FLAGS verify_signature(const Signature &sig, Signature::VERIFICATION_CHECKS checks = Signature::VERIFICATION_CHECKS::DEFAULT) const

Verify the binary with the Signature object provided in the first parameter It can be used to verify a detached signature:

result<Signature> detached = LIEF::PE::SignatureParser::parse("sig.pkcs7")
if (detached) {
  binary->verify_signature(detached.value());
}

std::vector<uint8_t> authentihash(ALGORITHMS algo) const

Compute the authentihash according to the algorithm provided in the first parameter.

uint32_t predict_function_rva(const std::string &library, const std::string &function)

Try to predict the RVA of the function function in the import library library

Note

It should be used with: LIEF::PE::Builder::build_imports set to true

Warning

The value could be chang if imports change

Parameters
  • library[in] Library name in which the function is located

  • function[in] Function name

Returns

The address of the function (IAT) in the new import table

Export &get_export()

Return the Export object.

const Export &get_export() const
std::vector<Symbol> &symbols()

Return binary Symbols.

const std::vector<Symbol> &symbols() const
ResourceNode *resources()

Return resources as a tree or a nullptr if there is no resources.

const ResourceNode *resources() const
void set_resources(const ResourceDirectory &resource)

Set a new resource tree.

void set_resources(const ResourceData &resource)

Set a new resource tree.

result<ResourcesManager> resources_manager() const

Return the ResourcesManager (class to manage resources more easily than the tree one)

Section *get_section(const std::string &name)

Return binary’s section from its name. If the secion can’t be found, return a nullptr.

Parameters

name[in] Name of the Section

const Section *get_section(const std::string &name) const
const Section *import_section() const

Return the section associated with import table or a nullptr if the binary does not have an import table.

Section *import_section()
virtual void remove_section(const std::string &name, bool clear = false) override

Delete the section with the given name.

Parameters
  • name[in] Name of section to delete

  • clear[in] if true clear the section’s content with 0 before removing (default: false)

void remove(const Section &section, bool clear = false)

Remove the given section.

Section *add_section(const Section &section, PE_SECTION_TYPES type = PE_SECTION_TYPES::UNKNOWN)

Add a section to the binary and return the section added.

it_relocations relocations()

Return an iterator over the PE’s Relocation.

it_const_relocations relocations() const
Relocation &add_relocation(const Relocation &relocation)

Add a PE::Relocation.

void remove_all_relocations()

Remove all the relocations.

it_data_directories data_directories()

Return an iterator over the DataDirectory present in the Binary.

it_const_data_directories data_directories() const
DataDirectory &data_directory(DATA_DIRECTORY index)

Return the DataDirectory with the given type (or index)

const DataDirectory &data_directory(DATA_DIRECTORY index) const
bool has(DATA_DIRECTORY index) const

Check if the current binary has the given DATA_DIRECTORY.

debug_entries_t &debug()

Return the debug_entries_t object.

const debug_entries_t &debug() const
const LoadConfiguration *load_configuration() const

Retrun the LoadConfiguration object or a nullptr if the binary does not use the LoadConfiguration.

LoadConfiguration *load_configuration()
const std::vector<uint8_t> &overlay() const

Return the overlay content.

std::vector<uint8_t> &overlay()
const std::vector<uint8_t> &dos_stub() const

Return the DOS stub content.

std::vector<uint8_t> &dos_stub()
void dos_stub(const std::vector<uint8_t> &content)

Update the DOS stub content.

RichHeader &rich_header()

Return a reference to the RichHeader object.

const RichHeader &rich_header() const
void rich_header(const RichHeader &rich_header)

Set a RichHeader object in the current Binary.

bool has_rich_header() const

Check if the current binary has a RichHeader object.

it_imports imports()

Return an iterator over the binary imports.

it_const_imports imports() const
Import *get_import(const std::string &import_name)

Returns the PE::Import from the given name. If it can’t be found, return a nullptr.

Parameters

import_name[in] Name of the import

const Import *get_import(const std::string &import_name) const
bool has_import(const std::string &import_name) const

True if the binary imports the given library name

Parameters

import_name[in] Name of the import

bool has_delay_imports() const

Check if the current binary contains delay imports.

See also

DelayImport

See also

has_import

it_delay_imports delay_imports()

Return an iterator over the binary’s delay imports.

it_const_delay_imports delay_imports() const
DelayImport *get_delay_import(const std::string &import_name)

Returns the PE::DelayImport from the given name. If it can’t be found, return a nullptr.

Parameters

import_name[in] Name of the delay import

const DelayImport *get_delay_import(const std::string &import_name) const
bool has_delay_import(const std::string &import_name) const

True if the binary delay-imports the given library name

Parameters

import_name[in] Name of the delay import

ImportEntry *add_import_function(const std::string &library, const std::string &function)

Add the function function of the library library. If the function fails, it returns a nullptr.

Parameters
  • library[in] Library name of the function

  • function[in] Function’s name from the library to import

Import &add_library(const std::string &name)

Add an imported library (i.e. DLL) to the binary.

void remove_library(const std::string &name)

Remove the library with the given name

void remove_all_libraries()

Remove all libraries in the binary.

void hook_function(const std::string &function, uint64_t address)
void hook_function(const std::string &library, const std::string &function, uint64_t address)
virtual void write(const std::string &filename) override

Reconstruct the binary object and write the raw PE in filename

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

virtual void write(std::ostream &os) override

Reconstruct the binary object and write the raw PE in os stream.

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

virtual void accept(Visitor &visitor) const override

Method so that a visitor can visit us.

virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the content at virtual address address with patch_value.

Parameters
  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the address with the given value.

Parameters
  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • size[in] Size of the value in bytes (1, 2, … 8)

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual std::vector<uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) const override

Return the content located at the provided virtual address.

Parameters
  • virtual_address[in] Virtual address of the data to retrieve

  • size[in] Size in bytes of the data to retrieve

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual uint64_t entrypoint() const override

Return the binary’s entrypoint (It is the same value as OptionalHeader::addressof_entrypoint.

virtual bool is_pie() const override

Check if the binary is position independent.

virtual bool has_nx() const override

Check if the binary uses NX protection.

virtual LIEF::Binary::functions_t ctor_functions() const override

Return the list of the binary constructors.

In a PE file, we consider a constructors as a callback in the TLS object

LIEF::Binary::functions_t functions() const

All functions found in the binary

LIEF::Binary::functions_t exception_functions() const

Functions found in the Exception table directory.

bool operator==(const Binary &rhs) const
bool operator!=(const Binary &rhs) const
virtual std::ostream &print(std::ostream &os) const override

Dos Header

class LIEF::PE::DosHeader : public LIEF::Object

Class which represents the DosHeader, the first structure presents at the beginning of a PE file.

Most of the attributes of this structures are not relevant.

Public Types

using reserved_t = std::array<uint16_t, 4>
using reserved2_t = std::array<uint16_t, 10>

Public Functions

DosHeader(const details::pe_dos_header &header)
DosHeader()
DosHeader(const DosHeader&)
DosHeader &operator=(const DosHeader&)
virtual ~DosHeader()
uint16_t magic() const

Magic bytes identifying a DOS/PE binary.

uint16_t used_bytes_in_the_last_page() const
uint16_t file_size_in_pages() const
uint16_t numberof_relocation() const
uint16_t header_size_in_paragraphs() const
uint16_t minimum_extra_paragraphs() const
uint16_t maximum_extra_paragraphs() const
uint16_t initial_relative_ss() const
uint16_t initial_sp() const
uint16_t checksum() const
uint16_t initial_ip() const
uint16_t initial_relative_cs() const
uint16_t addressof_relocation_table() const
uint16_t overlay_number() const
reserved_t reserved() const
uint16_t oem_id() const
uint16_t oem_info() const
reserved2_t reserved2() const
uint32_t addressof_new_exeheader() const

It returns the offset to the PE::Header structure.

void magic(uint16_t magic)
void used_bytes_in_the_last_page(uint16_t usedBytesInTheLastPage)
void file_size_in_pages(uint16_t fileSizeInPages)
void numberof_relocation(uint16_t numberOfRelocation)
void header_size_in_paragraphs(uint16_t headerSizeInParagraphs)
void minimum_extra_paragraphs(uint16_t minimumExtraParagraphs)
void maximum_extra_paragraphs(uint16_t maximumExtraParagraphs)
void initial_relative_ss(uint16_t initialRelativeSS)
void initial_sp(uint16_t initialSP)
void checksum(uint16_t checksum)
void initial_ip(uint16_t initialIP)
void initial_relative_cs(uint16_t initialRelativeCS)
void addressof_relocation_table(uint16_t addressOfRelocationTable)
void overlay_number(uint16_t overlayNumber)
void reserved(const reserved_t &reserved)
void oem_id(uint16_t oEMid)
void oem_info(uint16_t oEMinfo)
void reserved2(const reserved2_t &reserved2)
void addressof_new_exeheader(uint32_t addressOfNewExeHeader)
virtual void accept(Visitor &visitor) const override
bool operator==(const DosHeader &rhs) const
bool operator!=(const DosHeader &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const DosHeader &entry)


Optional Header

class LIEF::PE::OptionalHeader : public LIEF::Object

Class which represents the PE OptionalHeader structure.

Public Functions

OptionalHeader()
OptionalHeader(const details::pe32_optional_header &header)
OptionalHeader(const details::pe64_optional_header &header)
virtual ~OptionalHeader()
OptionalHeader &operator=(const OptionalHeader&)
OptionalHeader(const OptionalHeader&)
PE_TYPE magic() const

Magic bytes (either PE32 or PE32+ for 64-bits PE files.

uint8_t major_linker_version() const

The linker major version.

uint8_t minor_linker_version() const

The linker minor version.

uint32_t sizeof_code() const

The size of the code .text section or the sum of all the sections that contain code (ie. PE::Section with the flag SECTION_CHARACTERISTICS::IMAGE_SCN_CNT_CODE)

uint32_t sizeof_initialized_data() const

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag SECTION_CHARACTERISTICS::IMAGE_SCN_CNT_INITIALIZED_DATA

uint32_t sizeof_uninitialized_data() const

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag SECTION_CHARACTERISTICS::IMAGE_SCN_CNT_UNINITIALIZED_DATA

uint32_t addressof_entrypoint() const

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

uint32_t baseof_code() const

Address relative to the imagebase where the binary’s code starts.

uint32_t baseof_data() const

Address relative to the imagebase where the binary’s data starts.

Warning

This value is not present for PE64 files

uint64_t imagebase() const

The preferred base address when mapping the binary in memory.

uint32_t section_alignment() const

The alignment (in bytes) of sections when they are loaded into memory.

It must be greater than or equal to file_alignment and the default is the page size for the architecture.

uint32_t file_alignment() const

The section’s file alignment. This value must be a power of 2 between 512 and 64K. The default value is usually 512.

uint16_t major_operating_system_version() const

The major version number of the required operating system.

uint16_t minor_operating_system_version() const

The minor version number of the required operating system.

uint16_t major_image_version() const

The major version number of the image.

uint16_t minor_image_version() const

The minor version number of the image.

uint16_t major_subsystem_version() const

The major version number of the subsystem.

uint16_t minor_subsystem_version() const

The minor version number of the subsystem.

uint32_t win32_version_value() const

According to the official PE specifications, this value is reserved and should be 0.

uint32_t sizeof_image() const

The size (in bytes) of the image, including all headers, as the image is loaded in memory.

It must be a multiple of section_alignment and should match Binary::virtual_size

uint32_t sizeof_headers() const

Size of the DosHeader + PE Header + Section headers rounded up to a multiple of the file_alignment.

uint32_t checksum() const

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.

The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

inline uint32_t computed_checksum() const

The re-computed value of the OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF when parsing the PE binary.

SUBSYSTEM subsystem() const

Target subsystem like Driver, XBox, Windows GUI, …

uint32_t dll_characteristics() const

Some characteristics of the underlying binary like the support of the PIE. The prefix dll comes from the official PE specifications but these characteristics are also used for executables

uint64_t sizeof_stack_reserve() const

Size of the stack to reserve when loading the PE binary.

Only :attr:~lief.PE.OptionalHeader.sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

uint64_t sizeof_stack_commit() const

Size of the stack to commit.

uint64_t sizeof_heap_reserve() const

Size of the heap to reserve when loading the PE binary.

uint64_t sizeof_heap_commit() const

Size of the heap to commit.

uint32_t loader_flags() const

According to the PE specifications, this value is reserved and should be 0.

uint32_t numberof_rva_and_size() const

The number of DataDirectory that follow this header.

bool has(DLL_CHARACTERISTICS c) const

Check if the given DLL_CHARACTERISTICS is included in the dll_characteristics.

std::set<DLL_CHARACTERISTICS> dll_characteristics_list() const

Return the list of the dll_characteristics as an std::set of DLL_CHARACTERISTICS.

void add(DLL_CHARACTERISTICS c)

Add a DLL_CHARACTERISTICS to the current characteristics.

void remove(DLL_CHARACTERISTICS c)

Remove a DLL_CHARACTERISTICS from the current characteristics.

void magic(PE_TYPE magic)
void major_linker_version(uint8_t majorLinkerVersion)
void minor_linker_version(uint8_t minorLinkerVersion)
void sizeof_code(uint32_t sizeOfCode)
void sizeof_initialized_data(uint32_t sizeOfInitializedData)
void sizeof_uninitialized_data(uint32_t sizeOfUninitializedData)
void addressof_entrypoint(uint32_t addressOfEntryPoint)
void baseof_code(uint32_t baseOfCode)
void baseof_data(uint32_t baseOfData)
void imagebase(uint64_t imageBase)
void section_alignment(uint32_t sectionAlignment)
void file_alignment(uint32_t fileAlignment)
void major_operating_system_version(uint16_t majorOperatingSystemVersion)
void minor_operating_system_version(uint16_t minorOperatingSystemVersion)
void major_image_version(uint16_t majorImageVersion)
void minor_image_version(uint16_t minorImageVersion)
void major_subsystem_version(uint16_t majorSubsystemVersion)
void minor_subsystem_version(uint16_t minorSubsystemVersion)
void win32_version_value(uint32_t win32VersionValue)
void sizeof_image(uint32_t sizeOfImage)
void sizeof_headers(uint32_t sizeOfHeaders)
void checksum(uint32_t checkSum)
void subsystem(SUBSYSTEM subsystem)
void dll_characteristics(uint32_t DLLCharacteristics)
void sizeof_stack_reserve(uint64_t sizeOfStackReserve)
void sizeof_stack_commit(uint64_t sizeOfStackCommit)
void sizeof_heap_reserve(uint64_t sizeOfHeapReserve)
void sizeof_heap_commit(uint64_t sizeOfHeapCommit)
void loader_flags(uint32_t loaderFlags)
void numberof_rva_and_size(uint32_t numberOfRvaAndSize)
virtual void accept(Visitor &visitor) const override
OptionalHeader &operator+=(DLL_CHARACTERISTICS c)
OptionalHeader &operator-=(DLL_CHARACTERISTICS c)
bool operator==(const OptionalHeader &rhs) const
bool operator!=(const OptionalHeader &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const OptionalHeader &entry)

Data Directory

class LIEF::PE::DataDirectory : public LIEF::Object

Class that represents a PE data directory entry.

Public Functions

DataDirectory()
DataDirectory(DATA_DIRECTORY type)
DataDirectory(const details::pe_data_directory &header, DATA_DIRECTORY type)
DataDirectory(const DataDirectory &other)
DataDirectory &operator=(DataDirectory other)
void swap(DataDirectory &other)
virtual ~DataDirectory()
uint32_t RVA() const

The relative virtual address of the content of this data directory.

uint32_t size() const

The size of the content.

bool has_section() const

Check if the content of this data directory is associated with a PE Cection.

Section *section()

Section associated with the DataDirectory.

const Section *section() const
DATA_DIRECTORY type() const

Type of the data directory.

void size(uint32_t size)
void RVA(uint32_t rva)
virtual void accept(Visitor &visitor) const override
bool operator==(const DataDirectory &rhs) const
bool operator!=(const DataDirectory &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const DataDirectory &entry)

Section

class LIEF::PE::Section : public LIEF::Section

Class which represents a PE section.

Public Functions

Section(const details::pe_section &header)
Section()
Section(const std::vector<uint8_t> &data, const std::string &name = "", uint32_t characteristics = 0)
Section(const std::string &name)
Section &operator=(const Section&)
Section(const Section&)
virtual ~Section() override
uint32_t sizeof_raw_data() const

Return the size of the data in the section.

uint32_t virtual_size() const

Return the size of the data when mapped in memory.

If this value is greater than sizeof_raw_data, the section is zero-padded.

virtual span<const uint8_t> content() const override

The actual content of the section.

inline const std::vector<uint8_t> &padding() const

Content of the section’s padding area.

uint32_t pointerto_raw_data() const

The offset of the section data in the PE file.

uint32_t pointerto_relocation() const

The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.

For modern PE binaries, this value is usually set to 0 as the relocations are managed by PE::Relocation.

uint32_t pointerto_line_numbers() const

The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

uint16_t numberof_relocations() const

No longer used in recent PE binaries produced by Visual Studio.

uint16_t numberof_line_numbers() const

No longer used in recent PE binaries produced by Visual Studio.

uint32_t characteristics() const

Characteristics of the section: it gives information about the permissions of the section when mapped. It can also provides information about the purpose of the section (contain code, BSS-like, …)

bool is_type(PE_SECTION_TYPES type) const

Deprecated do not use. It will likely change in a future release of LIEF.

const std::set<PE_SECTION_TYPES> &types() const

Deprecated do not use. It will likely change in a future release of LIEF.

bool has_characteristic(SECTION_CHARACTERISTICS c) const

Check if the section has the given SECTION_CHARACTERISTICS.

std::set<SECTION_CHARACTERISTICS> characteristics_list() const

List of the section characteristics as a std::set.

void clear(uint8_t c)

Fill the content of the section with the given char

virtual void name(const std::string &name) override

Change the section’s name.

virtual void content(const std::vector<uint8_t> &data) override

Change section content.

void virtual_size(uint32_t virtualSize)
void pointerto_raw_data(uint32_t pointerToRawData)
void pointerto_relocation(uint32_t pointerToRelocation)
void pointerto_line_numbers(uint32_t pointerToLineNumbers)
void numberof_relocations(uint16_t numberOfRelocations)
void numberof_line_numbers(uint16_t numberOfLineNumbers)
void sizeof_raw_data(uint32_t sizeOfRawData)
void characteristics(uint32_t characteristics)
void type(PE_SECTION_TYPES type)
void add_type(PE_SECTION_TYPES type)
void remove_type(PE_SECTION_TYPES type)
void add_characteristic(SECTION_CHARACTERISTICS characteristic)
void remove_characteristic(SECTION_CHARACTERISTICS characteristic)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const Section &rhs) const
bool operator!=(const Section &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)

Import

class LIEF::PE::Import : public LIEF::Object

Class that represents a PE import.

Public Types

using entries_t = std::vector<ImportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Import(const details::pe_import &import)
Import(std::string name)
Import()
virtual ~Import()
Import(const Import &other)
Import &operator=(Import other)
void swap(Import &other)
uint32_t forwarder_chain() const

The index of the first forwarder reference.

uint32_t timedatestamp() const

The stamp that is set to zero until the image is bound. After the image is bound, this field is set to the time/data stamp of the DLL.

it_const_entries entries() const

Iterator over the PE::ImportEntry.

it_entries entries()
uint32_t import_address_table_rva() const

The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.

Warning

This address could change when re-building the binary

uint32_t import_lookup_table_rva() const

Return the relative virtual address of the import lookup table.

Warning

This address could change when re-building the binary

result<uint32_t> get_function_rva_from_iat(const std::string &function) const

Return the Function’s RVA from the import address table (IAT)

Warning

This address could change when re-building the binary

ImportEntry *get_entry(const std::string &name)

Return the imported function with the given name.

const ImportEntry *get_entry(const std::string &name) const
const std::string &name() const

Return the library’s name (e.g. kernel32.dll)

void name(const std::string &name)

Change the current import name.

DataDirectory *directory()

Return the PE::DataDirectory associated with this import. It should be the one at index PE::DATA_DIRECTORY::IMPORT_TABLE.

If the data directory can’t be found, return a nullptr

const DataDirectory *directory() const
DataDirectory *iat_directory()

Return the PE::DataDirectory associated associated with the IAT. It should be the one at index PE::DATA_DIRECTORY::IAT.

If the data directory can’t be found, return a nullptr

const DataDirectory *iat_directory() const
ImportEntry &add_entry(const ImportEntry &entry)

Add a new import entry (i.e. an imported function)

ImportEntry &add_entry(const std::string &name)

Add a new import entry with the given name (i.e. an imported function)

void import_lookup_table_rva(uint32_t rva)
void import_address_table_rva(uint32_t rva)
virtual void accept(Visitor &visitor) const override
bool operator==(const Import &rhs) const
bool operator!=(const Import &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Import &entry)

Import Entry

class LIEF::PE::ImportEntry : public LIEF::Symbol

Class that represents an entry (i.e. an import) in the import table (Import).

It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API

Public Functions

ImportEntry()
ImportEntry(uint64_t data, const std::string &name = "")
ImportEntry(const std::string &name)
ImportEntry(const ImportEntry&)
ImportEntry &operator=(const ImportEntry&)
virtual ~ImportEntry()
bool is_ordinal() const

True if it is an import by ordinal

uint16_t ordinal() const

The ordinal value.

uint64_t hint_name_rva() const

uint16_t hint() const

Index into the Export::entries that is used to speed-up the symbol resolution.

uint64_t iat_value() const

Value of the current entry in the Import Address Table. It should match the lookup table value.

uint64_t data() const

Raw value.

uint64_t iat_address() const

Original address of the entry in the Import Address Table

void data(uint64_t data)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const ImportEntry &rhs) const
bool operator!=(const ImportEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ImportEntry &entry)

Delay Import

class LIEF::PE::DelayImport : public LIEF::Object

Class that represents a PE delayed import.

Public Types

using entries_t = std::vector<DelayImportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

DelayImport()
DelayImport(const details::delay_imports &import, PE_TYPE type)
DelayImport(std::string name)
~DelayImport() override
DelayImport(const DelayImport&)
DelayImport &operator=(const DelayImport&)
DelayImport(DelayImport&&)
DelayImport &operator=(DelayImport&&)
void swap(DelayImport &other)
uint32_t attribute() const

According to the official PE specifications, this value is reserved and should be set to 0.

void attribute(uint32_t hdl)
const std::string &name() const

Return the library’s name (e.g. kernel32.dll)

void name(std::string name)
uint32_t handle() const

The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.

void handle(uint32_t hdl)
uint32_t iat() const

RVA of the delay-load import address table.

void iat(uint32_t iat)
uint32_t names_table() const

RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table.

void names_table(uint32_t value)
uint32_t biat() const

RVA of the bound delay-load import address table or 0 if the table does not exist.

void biat(uint32_t value)
uint32_t uiat() const

RVA of the unload delay-load import address table or 0 if the table does not exist.

According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.

void uiat(uint32_t value)
uint32_t timestamp() const

The timestamp of the DLL to which this image has been bound.

void timestamp(uint32_t value)
it_entries entries()

Iterator over the DelayImport’s entries (DelayImportEntry)

it_const_entries entries() const

Iterator over the DelayImport’s entries (DelayImportEntry)

virtual void accept(Visitor &visitor) const override
bool operator==(const DelayImport &rhs) const
bool operator!=(const DelayImport &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const DelayImport &entry)

Delay Import Entry

class LIEF::PE::DelayImportEntry : public LIEF::Symbol

Class that represents an entry (i.e. an import) in the delay import table (DelayImport).

It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API

The meaning of LIEF::Symbol::value for this PE object is the address (as an RVA) in the IAT where the resolution should take place

Public Functions

DelayImportEntry()
DelayImportEntry(uint64_t data, PE_TYPE type)
DelayImportEntry(const DelayImportEntry&)
DelayImportEntry &operator=(const DelayImportEntry&)
DelayImportEntry(DelayImportEntry&&)
DelayImportEntry &operator=(DelayImportEntry&&)
~DelayImportEntry() override
bool is_ordinal() const

True if it is an import by ordinal

uint16_t ordinal() const

The ordinal value.

uint64_t hint_name_rva() const

uint16_t hint() const

Index into the Export::entries that is used to speed-up the symbol resolution.

uint64_t iat_value() const

Value of the current entry in the Import Address Table.

uint64_t data() const

Raw value.

void data(uint64_t data)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const DelayImportEntry &rhs) const
bool operator!=(const DelayImportEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const DelayImportEntry &entry)

TLS

class LIEF::PE::TLS : public LIEF::Object

Class which represents the PE Thread Local Storage.

This PE structure is also used to implement binary/library constructors.

Public Functions

TLS()
TLS(const details::pe32_tls &header)
TLS(const details::pe64_tls &header)
virtual ~TLS()
TLS(const TLS &copy)
TLS &operator=(TLS copy)
void swap(TLS &other)
const std::vector<uint64_t> &callbacks() const

List of the callback associated with the current TLS.

These functions are called before any other functions of the PE binary.

std::pair<uint64_t, uint64_t> addressof_raw_data() const

Pair (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.

Note

These addresses are not RVA. It is addresses for which there should be a base relocation in the .reloc section.

uint64_t addressof_index() const

The location to receive the TLS index, which the loader assigns. This location is in an ordinary data section, so it can be given a symbolic name that is accessible to the program.

uint64_t addressof_callbacks() const

The pointer to an array of TLS callback functions.

The array is null-terminated, so if no callback function is supported, this field points to 4 bytes set to zero.

uint32_t sizeof_zero_fill() const

The size in bytes of the template, beyond the initialized data delimited by the addressof_raw_data field. The total template size should be the same as the total size of TLS data in the image file. The zero fill is the amount of data that comes after the initialized nonzero data.

uint32_t characteristics() const

The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.

const std::vector<uint8_t> &data_template() const

The data template content.

bool has_data_directory() const

True if there is a data directory associated with this entry.

DataDirectory *directory()

Return the DataDirectory associated with this object or a nullptr If it exists, its type should be DATA_DIRECTORY::TLS_TABLE.

const DataDirectory *directory() const
bool has_section() const

Check if there is a section associated with this entry.

Section *section()

The section associated with the entry (or a nullptr)

const Section *section() const
void callbacks(const std::vector<uint64_t> &callbacks)
void addressof_raw_data(std::pair<uint64_t, uint64_t> VAOfRawData)
void addressof_index(uint64_t addressOfIndex)
void addressof_callbacks(uint64_t addressOfCallbacks)
void sizeof_zero_fill(uint32_t sizeOfZeroFill)
void characteristics(uint32_t characteristics)
void data_template(const std::vector<uint8_t> &dataTemplate)
virtual void accept(Visitor &visitor) const override
bool operator==(const TLS &rhs) const
bool operator!=(const TLS &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const TLS &entry)

Debug

class LIEF::PE::Debug : public LIEF::Object

Public Functions

Debug()
Debug(const details::pe_debug &debug_s)
Debug(const Debug &copy)
Debug &operator=(Debug copy)
void swap(Debug &other)
virtual ~Debug()
uint32_t characteristics() const

Reserved should be 0.

uint32_t timestamp() const

The time and date that the debug data was created.

uint16_t major_version() const

The major version number of the debug data format.

uint16_t minor_version() const

The minor version number of the debug data format.

DEBUG_TYPES type() const

The format DEBUG_TYPES of the debugging information.

uint32_t sizeof_data() const

Size of the debug data.

uint32_t addressof_rawdata() const

Address of the debug data relative to the image base.

uint32_t pointerto_rawdata() const

File offset of the debug data.

bool has_code_view() const
const CodeView *code_view() const
CodeView *code_view()
bool has_pogo() const
const Pogo *pogo() const
Pogo *pogo()
void characteristics(uint32_t characteristics)
void timestamp(uint32_t timestamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void type(DEBUG_TYPES new_type)
void sizeof_data(uint32_t sizeof_data)
void addressof_rawdata(uint32_t addressof_rawdata)
void pointerto_rawdata(uint32_t pointerto_rawdata)
virtual void accept(Visitor &visitor) const override
bool operator==(const Debug &rhs) const
bool operator!=(const Debug &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Debug &entry)

Code View

class LIEF::PE::CodeView : public LIEF::Object

Subclassed by LIEF::PE::CodeViewPDB

Public Functions

CodeView()
CodeView(CODE_VIEW_SIGNATURES cv_signature)
CodeView(const CodeView&)
CodeView &operator=(const CodeView&)
virtual CodeView *clone() const = 0
CODE_VIEW_SIGNATURES cv_signature() const

The Code View signature.

virtual void accept(Visitor &visitor) const override
bool operator==(const CodeView &rhs) const
bool operator!=(const CodeView &rhs) const
virtual ~CodeView()

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeView &entry)

Code View PDB

class LIEF::PE::CodeViewPDB : public LIEF::PE::CodeView

Public Types

using signature_t = std::array<uint8_t, 16>

Public Functions

CodeViewPDB()
CodeViewPDB(CODE_VIEW_SIGNATURES cv_signature, signature_t sig, uint32_t age, std::string filename)
CodeViewPDB(const CodeViewPDB&)
CodeViewPDB &operator=(const CodeViewPDB&)
virtual CodeViewPDB *clone() const override
signature_t signature() const
uint32_t age() const
const std::string &filename() const
void signature(uint32_t signature)
void signature(signature_t signature)
void age(uint32_t age)
void filename(const std::string &filename)
virtual void accept(Visitor &visitor) const override
bool operator==(const CodeViewPDB &rhs) const
bool operator!=(const CodeViewPDB &rhs) const
virtual ~CodeViewPDB()

Public Static Functions

static CodeViewPDB from_pdb70(signature_t sig, uint32_t age, const std::string &filename)
static CodeViewPDB from_pdb20(uint32_t signature, uint32_t age, const std::string &filename)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeViewPDB &entry)

Symbol

class LIEF::PE::Symbol : public LIEF::Symbol

Class that represents a PE symbol.

Public Functions

Symbol(const details::pe_symbol &header)
Symbol()
virtual ~Symbol() override
Symbol &operator=(Symbol other)
Symbol(const Symbol &other)
void swap(Symbol &other)
int16_t section_number() const
uint16_t type() const
SYMBOL_BASE_TYPES base_type() const
SYMBOL_COMPLEX_TYPES complex_type() const
SYMBOL_STORAGE_CLASS storage_class() const
uint8_t numberof_aux_symbols() const
std::wstring wname() const
Section *section()
const Section *section() const
bool has_section() const

True if symbols are located in a section

virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const Symbol &rhs) const
bool operator!=(const Symbol &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &entry)

Relocation

class LIEF::PE::Relocation : public LIEF::Object

Class which represents the Base Relocation Block Usually, we find this structure in the .reloc section.

Public Types

using entries_t = std::vector<std::unique_ptr<RelocationEntry>>
using it_entries = ref_iterator<entries_t&, RelocationEntry*>
using it_const_entries = const_ref_iterator<const entries_t&, RelocationEntry*>

Public Functions

Relocation()
Relocation(const Relocation &other)
Relocation &operator=(Relocation other)
Relocation(const details::pe_base_relocation_block &header)
virtual ~Relocation()
void swap(Relocation &other)
uint32_t virtual_address() const

The RVA for which the offset of the relocation entries (RelocationEntry) is added.

uint32_t block_size() const

The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)

it_const_entries entries() const

Iterator over the RelocationEntry.

it_entries entries()
void virtual_address(uint32_t virtual_address)
void block_size(uint32_t block_size)
RelocationEntry &add_entry(const RelocationEntry &entry)
virtual void accept(Visitor &visitor) const override
bool operator==(const Relocation &rhs) const
bool operator!=(const Relocation &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)

Relocation Entry

class LIEF::PE::RelocationEntry : public LIEF::Relocation

Class which represents an entry of the PE relocation table.

It extends the LIEF::Relocation object to provide an uniform API across the file formats

Public Functions

RelocationEntry()
RelocationEntry(const RelocationEntry &other)
RelocationEntry &operator=(RelocationEntry other)
RelocationEntry(uint16_t data)
RelocationEntry(uint16_t position, RELOCATIONS_BASE_TYPES type)
virtual ~RelocationEntry()
void swap(RelocationEntry &other)
virtual uint64_t address() const override

The address of the relocation.

virtual void address(uint64_t address) override
virtual size_t size() const override

The size of the relocatable pointer.

virtual void size(size_t size) override
uint16_t data() const

Raw data of the relocation:

  • The high 4 bits store the relocation type

  • The low 12 bits store the relocation offset

uint16_t position() const

Offset relative to Relocation::virtual_address where the relocation occurs.

RELOCATIONS_BASE_TYPES type() const

Type of the relocation.

void data(uint16_t data)
void position(uint16_t position)
void type(RELOCATIONS_BASE_TYPES type)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const RelocationEntry &rhs) const
bool operator!=(const RelocationEntry &rhs) const

Friends

friend class PE::Relocation
friend std::ostream &operator<<(std::ostream &os, const RelocationEntry &entry)

Export

class LIEF::PE::Export : public LIEF::Object

Class which represents a PE Export.

Public Types

using entries_t = std::vector<ExportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Export()
Export(const details::pe_export_directory_table &header)
Export(const Export&)
Export &operator=(const Export&)
virtual ~Export()
uint32_t export_flags() const

According to the PE specifications this value is reserved and should be set to 0.

uint32_t timestamp() const

The time and date that the export data was created.

uint16_t major_version() const

The major version number (can be user-defined)

uint16_t minor_version() const

The minor version number (can be user-defined)

uint32_t ordinal_base() const

The starting number for the exports. Usually this value is set to 1.

const std::string &name() const

The name of the library exported (e.g. KERNEL32.dll)

it_entries entries()

Iterator over the ExportEntry.

it_const_entries entries() const
void export_flags(uint32_t flags)
void timestamp(uint32_t timestamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void ordinal_base(uint32_t ordinal_base)
void name(const std::string &name)
virtual void accept(Visitor &visitor) const override
bool operator==(const Export &rhs) const
bool operator!=(const Export &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const Export &exp)

Export Entry

class LIEF::PE::ExportEntry : public LIEF::Symbol

Class which represents a PE Export entry (cf. PE::Export)

Public Functions

ExportEntry()
ExportEntry(uint32_t address, bool is_extern, uint16_t ordinal, uint32_t function_rva)
ExportEntry(const ExportEntry&)
ExportEntry &operator=(const ExportEntry&)
virtual ~ExportEntry()
uint16_t ordinal() const
uint32_t address() const
bool is_extern() const
bool is_forwarded() const
forward_information_t forward_information() const
uint32_t function_rva() const
void ordinal(uint16_t ordinal)
void address(uint32_t address)
void is_extern(bool is_extern)
inline virtual uint64_t value() const override
inline virtual void value(uint64_t value) override
inline void set_forward_info(std::string lib, std::string function)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

bool operator==(const ExportEntry &rhs) const
bool operator!=(const ExportEntry &rhs) const

Friends

friend std::ostream &operator<<(std::ostream &os, const ExportEntry &exportEntry)
struct forward_information_t

Public Functions

operator bool() const

Public Members

std::string library
std::string function

Friends

friend std::ostream &operator<<(std::ostream &os, const forward_information_t &info)

Signature

class LIEF::PE::Signature : public LIEF::Object

Main interface for the PKCS #7 signature scheme.

Public Types

enum class VERIFICATION_FLAGS

Flags returned by the verification functions.

Values:

enumerator OK = 0
enumerator INVALID_SIGNER = 1 << 0
enumerator UNSUPPORTED_ALGORITHM = 1 << 1
enumerator INCONSISTENT_DIGEST_ALGORITHM = 1 << 2
enumerator CERT_NOT_FOUND = 1 << 3
enumerator CORRUPTED_CONTENT_INFO = 1 << 4
enumerator CORRUPTED_AUTH_DATA = 1 << 5
enumerator MISSING_PKCS9_MESSAGE_DIGEST = 1 << 6
enumerator BAD_DIGEST = 1 << 7
enumerator BAD_SIGNATURE = 1 << 8
enumerator NO_SIGNATURE = 1 << 9
enumerator CERT_EXPIRED = 1 << 10
enumerator CERT_FUTURE = 1 << 11
enum class VERIFICATION_CHECKS

Flags to tweak the verification process of the signature.

See Signature::check and LIEF::PE::Binary::verify_signature

Values:

enumerator DEFAULT = 1 << 0

Default behavior that tries to follow the Microsoft verification process as close as possible

enumerator HASH_ONLY = 1 << 1

Only check that Binary::authentihash matches ContentInfo::digest regardless of the signature’s validity

enumerator LIFETIME_SIGNING = 1 << 2

Same semantic as WTD_LIFETIME_SIGNING_FLAG

enumerator SKIP_CERT_TIME = 1 << 3

Skip the verification of the certificates time validities so that even though a certificate expired, it returns VERIFICATION_FLAGS::OK

using it_const_crt = const_ref_iterator<const std::vector<x509>&>

Iterator which outputs const x509& certificates.

using it_const_signers_t = const_ref_iterator<const std::vector<SignerInfo>&>

Iterator which outputs const SignerInfo&.

Public Functions

Signature()
Signature(const Signature&)
Signature &operator=(const Signature&)
Signature(Signature&&)
Signature &operator=(Signature&&)
uint32_t version() const

Should be 1.

inline ALGORITHMS digest_algorithm() const

Algorithm used to digest the file.

It should match SignerInfo::digest_algorithm

const ContentInfo &content_info() const

Return the ContentInfo.

it_const_crt certificates() const

Return an iterator over x509 certificates.

it_const_signers_t signers() const

Return an iterator over the signers (SignerInfo) defined in the PKCS #7 signature.

const std::vector<uint8_t> &raw_der() const

Return the raw original PKCS7 signature.

const x509 *find_crt(const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its serial number.

const x509 *find_crt_subject(const std::string &subject) const

Find x509 certificate according to its subject.

const x509 *find_crt_subject(const std::string &subject, const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its subject AND serial number.

const x509 *find_crt_issuer(const std::string &issuer) const

Find x509 certificate according to its issuer.

const x509 *find_crt_issuer(const std::string &issuer, const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its issuer AND serial number.

VERIFICATION_FLAGS check(VERIFICATION_CHECKS checks = VERIFICATION_CHECKS::DEFAULT) const

Check if this signature is valid according to the Authenticode/PKCS #7 verification scheme.

By default, it performs the following verifications:

  1. It must contain only one signer info

  2. Signature::digest_algorithm must match:

  3. The x509 certificate specified by SignerInfo::serial_number and SignerInfo::issuer must exist within Signature::certificates

  4. Given the x509 certificate, compare SignerInfo::encrypted_digest against either:

    • hash of authenticated attributes if present

    • hash of ContentInfo

  5. If authenticated attributes are present, check that a PKCS9_MESSAGE_DIGEST attribute exists and that its value matches hash of ContentInfo

  6. Check the validity of the PKCS #9 counter signature if present

  7. If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See LIEF::PE::Signature::VERIFICATION_CHECKS::LIFETIME_SIGNING and LIEF::PE::Signature::VERIFICATION_CHECKS::SKIP_CERT_TIME)

See: LIEF::PE::Signature::VERIFICATION_CHECKS to tweak the behavior

virtual void accept(Visitor &visitor) const override
virtual ~Signature()

Public Static Functions

static std::vector<uint8_t> hash(const std::vector<uint8_t> &input, ALGORITHMS algo)

Hash the input given the algorithm.

static std::string flag_to_string(VERIFICATION_FLAGS flag)

Convert a verification flag into a humman representation. e.g VERIFICATION_FLAGS.BAD_DIGEST | VERIFICATION_FLAGS.BAD_SIGNATURE | VERIFICATION_FLAGS.CERT_EXPIRED.

Friends

friend std::ostream &operator<<(std::ostream &os, const Signature &signature)

Signature Attribute

class LIEF::PE::Attribute : public LIEF::Object

Interface over PKCS #7 attribute.

Subclassed by LIEF::PE::ContentType, LIEF::PE::GenericType, LIEF::PE::MsSpcNestedSignature, LIEF::PE::MsSpcStatementType, LIEF::PE::PKCS9AtSequenceNumber, LIEF::PE::PKCS9CounterSignature, LIEF::PE::PKCS9MessageDigest, LIEF::PE::PKCS9SigningTime, LIEF::PE::SpcSpOpusInfo

Public Functions

Attribute()
Attribute(const Attribute&)
Attribute &operator=(const Attribute&)
virtual std::unique_ptr<Attribute> clone() const = 0
inline virtual SIG_ATTRIBUTE_TYPES type() const

Concrete type of the attribute.

virtual std::string print() const = 0

Print information about the underlying attribute.

virtual void accept(Visitor &visitor) const override
virtual ~Attribute()

Friends

friend std::ostream &operator<<(std::ostream &os, const Attribute &Attribute)

Signature ContentType

class LIEF::PE::ContentType : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

ContentType ::= OBJECT IDENTIFIER

Public Functions

ContentType()
ContentType(oid_t oid)
ContentType(const ContentType&)
ContentType &operator=(const ContentType&)
inline const oid_t &oid() const

OID as described in RFC #2985.

virtual std::string print() const override

Print information about the attribute.

virtual std::unique_ptr<Attribute> clone() const override
virtual void accept(Visitor &visitor) const override
virtual ~ContentType()

Signature GenericType

class LIEF::PE::GenericType : public LIEF::PE::Attribute

Interface over an attribute for which the internal structure is not supported by LIEF.

Public Functions

GenericType()
GenericType(oid_t oid, std::vector<uint8_t> raw)
GenericType(const GenericType&)
GenericType &operator=(const GenericType&)
virtual std::unique_ptr<Attribute> clone() const override
inline const oid_t &oid() const

OID of the original attribute.

inline const std::vector<uint8_t> &raw_content() const

Original DER blob of the attribute.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~GenericType()

Signature MsSpcNestedSignature

class LIEF::PE::MsSpcNestedSignature : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1

The internal structure is not documented but we can infer the following structure:

MsSpcNestedSignature ::= SET OF SignedData

SignedData is the structure described in PKCS #7 RFC (LIEF::PE::Signature)

Public Functions

MsSpcNestedSignature()
MsSpcNestedSignature(Signature sig)
MsSpcNestedSignature(const MsSpcNestedSignature&)
MsSpcNestedSignature &operator=(const MsSpcNestedSignature&)
virtual std::unique_ptr<Attribute> clone() const override
inline const Signature &sig() const

Underlying Signature object.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~MsSpcNestedSignature()

Signature MsSpcStatementType

class LIEF::PE::MsSpcStatementType : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER

Public Functions

MsSpcStatementType()
MsSpcStatementType(oid_t oid)
MsSpcStatementType(const MsSpcStatementType&)
MsSpcStatementType &operator=(const MsSpcStatementType&)
virtual std::unique_ptr<Attribute> clone() const override
inline const oid_t &oid() const

According to the documentation:

The SpcStatementType MUST contain one Object Identifier with either the value 1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID) or 1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID).

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~MsSpcStatementType()

Signature PKCS9AtSequenceNumber

class LIEF::PE::PKCS9AtSequenceNumber : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

sequenceNumber ATTRIBUTE ::= {
  WITH SYNTAX SequenceNumber
  EQUALITY MATCHING RULE integerMatch
  SINGLE VALUE TRUE
  ID pkcs-9-at-sequenceNumber
}

SequenceNumber ::= INTEGER (1..MAX)

Public Functions

PKCS9AtSequenceNumber()
PKCS9AtSequenceNumber(uint32_t num)
PKCS9AtSequenceNumber(const PKCS9AtSequenceNumber&)
PKCS9AtSequenceNumber &operator=(const PKCS9AtSequenceNumber&)
virtual std::unique_ptr<Attribute> clone() const override
inline uint32_t number() const

Number as described in the RFC.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~PKCS9AtSequenceNumber()

Signature PKCS9CounterSignature

class LIEF::PE::PKCS9CounterSignature : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

counterSignature ATTRIBUTE ::= {
  WITH SYNTAX SignerInfo
  ID pkcs-9-at-counterSignature
}

Public Functions

PKCS9CounterSignature()
PKCS9CounterSignature(SignerInfo signer)
PKCS9CounterSignature(const PKCS9CounterSignature&)
PKCS9CounterSignature &operator=(const PKCS9CounterSignature&)
virtual std::unique_ptr<Attribute> clone() const override
inline const SignerInfo &signer() const

SignerInfo as described in the RFC #2985.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~PKCS9CounterSignature()

Signature PKCS9MessageDigest

class LIEF::PE::PKCS9MessageDigest : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

messageDigest ATTRIBUTE ::= {
  WITH SYNTAX MessageDigest
  EQUALITY MATCHING RULE octetStringMatch
  SINGLE VALUE TRUE
  ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING

Public Functions

PKCS9MessageDigest()
PKCS9MessageDigest(std::vector<uint8_t> digest)
PKCS9MessageDigest(const PKCS9MessageDigest&)
PKCS9MessageDigest &operator=(const PKCS9MessageDigest&)
virtual std::unique_ptr<Attribute> clone() const override
inline const std::vector<uint8_t> &digest() const

Message digeset as a blob of bytes as described in the RFC.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~PKCS9MessageDigest()

Signature PKCS9SigningTime

class LIEF::PE::PKCS9SigningTime : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

SigningTime ::= Time -- imported from ISO/IEC 9594-8

Public Types

using time_t = std::array<int32_t, 6>

Time as an array [year, month, day, hour, min, sec].

Public Functions

PKCS9SigningTime()
PKCS9SigningTime(time_t time)
PKCS9SigningTime(const PKCS9SigningTime&)
PKCS9SigningTime &operator=(const PKCS9SigningTime&)
inline const time_t &time() const

Time as an array [year, month, day, hour, min, sec].

virtual std::string print() const override

Print information about the attribute.

virtual std::unique_ptr<Attribute> clone() const override
virtual void accept(Visitor &visitor) const override
virtual ~PKCS9SigningTime()

Signature SpcSpOpusInfo

class LIEF::PE::SpcSpOpusInfo : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcSpOpusInfo ::= SEQUENCE {
    programName  [0] EXPLICIT SpcString OPTIONAL,
    moreInfo     [1] EXPLICIT SpcLink OPTIONAL
}

Public Functions

SpcSpOpusInfo()
SpcSpOpusInfo(std::string program_name, std::string more_info)
SpcSpOpusInfo(const SpcSpOpusInfo&)
SpcSpOpusInfo &operator=(const SpcSpOpusInfo&)
virtual std::unique_ptr<Attribute> clone() const override
inline const std::string &program_name() const

Program description provided by the publisher.

inline const std::string &more_info() const

Other information such as an url.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
virtual ~SpcSpOpusInfo()

RsaInfo

class LIEF::PE::RsaInfo

Object that wraps a RSA key.

Public Types

using rsa_ctx_handle = void*
using bignum_wrapper_t = std::vector<uint8_t>

Container for BigInt.

Public Functions

RsaInfo(const RsaInfo &other)
RsaInfo(RsaInfo &&other)
RsaInfo &operator=(RsaInfo other)
bool has_public_key() const

True if it embeds a public key.

bool has_private_key() const

True if it embeds a private key.

bignum_wrapper_t N() const

RSA public modulus.

bignum_wrapper_t E() const

RSA public exponent.

bignum_wrapper_t D() const

RSA private exponent.

bignum_wrapper_t P() const

First prime factor.

bignum_wrapper_t Q() const

Second prime factor.

size_t key_size() const

Size of the public modulus (in bits)

void swap(RsaInfo &other)
operator bool() const
~RsaInfo()

Friends

friend std::ostream &operator<<(std::ostream &os, const RsaInfo &info)

x509

class LIEF::PE::x509 : public LIEF::Object

Interface over a x509 certificate.

Public Types

enum class KEY_TYPES

Public key scheme.

Values:

enumerator NONE = 0

Unknown scheme.

enumerator RSA

RSA Scheme.

enumerator ECKEY

Elliptic-curve scheme.

enumerator ECKEY_DH

Elliptic-curve Diffie-Hellman.

enumerator ECDSA

Elliptic-curve Digital Signature Algorithm.

enumerator RSA_ALT

RSA scheme with an alternative implementation for signing and decrypting.

enumerator RSASSA_PSS

RSA Probabilistic signature scheme.

enum class VERIFICATION_FLAGS

Mirror of mbedtls’s X509 Verify codes: MBEDTLS_X509_XX.

It must be sync with include/mbedtls/x509.h

Values:

enumerator OK = 0

The verification succeed

enumerator BADCERT_EXPIRED = 1 << 0

The certificate validity has expired.

enumerator BADCERT_REVOKED = 1 << 1

The certificate has been revoked (is on a CRL).

enumerator BADCERT_CN_MISMATCH = 1 << 2

The certificate Common Name (CN) does not match with the expected CN.

enumerator BADCERT_NOT_TRUSTED = 1 << 3

The certificate is not correctly signed by the trusted CA.

enumerator BADCRL_NOT_TRUSTED = 1 << 4

The CRL is not correctly signed by the trusted CA.

enumerator BADCRL_EXPIRED = 1 << 5

The CRL is expired.

enumerator BADCERT_MISSING = 1 << 6

Certificate was missing.

enumerator BADCERT_SKIP_VERIFY = 1 << 7

Certificate verification was skipped.

enumerator BADCERT_OTHER = 1 << 8

Other reason (can be used by verify callback)

enumerator BADCERT_FUTURE = 1 << 9

The certificate validity starts in the future.

enumerator BADCRL_FUTURE = 1 << 10

The CRL is from the future

enumerator BADCERT_KEY_USAGE = 1 << 11

Usage does not match the keyUsage extension.

enumerator BADCERT_EXT_KEY_USAGE = 1 << 12

Usage does not match the extendedKeyUsage extension.

enumerator BADCERT_NS_CERT_TYPE = 1 << 13

Usage does not match the nsCertType extension.

enumerator BADCERT_BAD_MD = 1 << 14

The certificate is signed with an unacceptable hash.

enumerator BADCERT_BAD_PK = 1 << 15

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

enumerator BADCERT_BAD_KEY = 1 << 16

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

enumerator BADCRL_BAD_MD = 1 << 17

The CRL is signed with an unacceptable hash.

enumerator BADCRL_BAD_PK = 1 << 18

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

enumerator BADCRL_BAD_KEY = 1 << 19

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

enum class KEY_USAGE

Key usage as defined in RFC #5280 - section-4.2.1.3

Values:

enumerator DIGITAL_SIGNATURE = 0

The key is used for digital signature

enumerator NON_REPUDIATION

The key is used for digital signature AND to protects against falsely denying some action

enumerator KEY_ENCIPHERMENT

The key is used for enciphering private or secret keys

enumerator DATA_ENCIPHERMENT

The key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher

enumerator KEY_AGREEMENT

The Key is used for key agreement. (e.g. with Diffie-Hellman)

enumerator KEY_CERT_SIGN

The key is used for verifying signatures on public key certificates

enumerator CRL_SIGN

The key is used for verifying signatures on certificate revocation lists

enumerator ENCIPHER_ONLY

In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for enciphering data while performing key agreement

enumerator DECIPHER_ONLY

In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for deciphering data while performing key agreement

using date_t = std::array<int32_t, 6>

Tuple (Year, Month, Day, Hour, Minute, Second)

using certificates_t = std::vector<x509>

Public Functions

x509(mbedtls_x509_crt *ca)
x509(const x509 &other)
x509 &operator=(x509 other)
void swap(x509 &other)
uint32_t version() const

X.509 version. (1=v1, 2=v2, 3=v3)

std::vector<uint8_t> serial_number() const

Unique id for certificate issued by a specific CA.

oid_t signature_algorithm() const

Signature algorithm (OID)

date_t valid_from() const

Start time of certificate validity.

date_t valid_to() const

End time of certificate validity.

std::string issuer() const

Issuer informations.

std::string subject() const

Subject informations.

bool check_signature(const std::vector<uint8_t> &hash, const std::vector<uint8_t> &signature, ALGORITHMS digest) const

Try to decrypt the given signature and check if it matches the given hash according to the hash algorithm provided.

std::vector<uint8_t> raw() const

The raw x509 bytes (DER encoded)

KEY_TYPES key_type() const

Return the underlying public-key scheme.

std::unique_ptr<RsaInfo> rsa_info() const

If the underlying public-key scheme is RSA, return the RSA information. Otherwise, return a nullptr

VERIFICATION_FLAGS verify(const x509 &ca) const

Verify that this certificate has been used to trust the given certificate.

VERIFICATION_FLAGS is_trusted_by(const std::vector<x509> &ca) const

Verify that this certificate is trusted by the given CA list.

std::vector<oid_t> certificate_policies() const

Policy information terms as OID (see RFC #5280)

std::vector<KEY_USAGE> key_usage() const

Purpose of the key contained in the certificate.

std::vector<oid_t> ext_key_usage() const

Indicates one or more purposes for which the certified public key may be used (OID types)

bool is_ca() const
std::vector<uint8_t> signature() const

The signature of the certificate.

virtual void accept(Visitor &visitor) const override
virtual ~x509()

Public Static Functions

static certificates_t parse(const std::string &path)

Parse x509 certificate(s) from file path.

static certificates_t parse(const std::vector<uint8_t> &content)

Parse x509 certificate(s) from raw blob.

static bool check_time(const date_t &before, const date_t &after)

Return True if before is before than after. False otherwise.

static bool time_is_past(const date_t &to)

True if the given time is in the past according to the clock’s system.

static bool time_is_future(const date_t &from)

True if the given time is in the future according to the clock’s system.

Friends

friend std::ostream &operator<<(std::ostream &os, const x509 &x509_cert)

ContentInfo

class LIEF::PE::ContentInfo : public LIEF::Object

ContentInfo as described in the RFC2315 (https://tools.ietf.org/html/rfc2315#section-7)

ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent

SpcIndirectDataContent ::= SEQUENCE {
 data          SpcAttributeTypeAndOptionalValue,
 messageDigest DigestInfo
}

SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
 type  ObjectID,
 value [0] EXPLICIT ANY OPTIONAL
}

For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData

DigestInfo ::= SEQUENCE {
 digestAlgorithm  AlgorithmIdentifier,
 digest           OCTETSTRING
}

AlgorithmIdentifier ::= SEQUENCE {
 algorithm  ObjectID,
 parameters [0] EXPLICIT ANY OPTIONAL
}

Public Functions

ContentInfo()
ContentInfo(const ContentInfo&)
ContentInfo &operator=(const ContentInfo&)
inline oid_t content_type() const

Return the OID that describes the content wrapped by this object. It should match SPC_INDIRECT_DATA_OBJID (1.3.6.1.4.1.311.2.1.4)

inline ALGORITHMS digest_algorithm() const

Digest used to hash the file.

It should match LIEF::PE::SignerInfo::digest_algorithm

inline const std::vector<uint8_t> &digest() const

PE’s authentihash.

inline const std::string &file() const
virtual void accept(Visitor &visitor) const override
virtual ~ContentInfo()

Friends

friend std::ostream &operator<<(std::ostream &os, const ContentInfo &content_info)

SignerInfo

class LIEF::PE::SignerInfo : public LIEF::Object

SignerInfo as described in the RFC 2315

SignerInfo ::= SEQUENCE {
 version Version,
 issuerAndSerialNumber     IssuerAndSerialNumber,
 digestAlgorithm           DigestAlgorithmIdentifier,
 authenticatedAttributes   [0] IMPLICIT Attributes OPTIONAL,
 digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
 encryptedDigest           EncryptedDigest,
 unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}

EncryptedDigest ::= OCTET STRING

Public Types

using encrypted_digest_t = std::vector<uint8_t>
using attributes_t = std::vector<std::unique_ptr<Attribute>>

Internal container used to store both authenticated and unauthenticated attributes.

using it_const_attributes_t = const_ref_iterator<const attributes_t&, const Attribute*>

Iterator which outputs const Attribute&.

Public Functions