Overloaded function.
parse(filename: str, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7f981052f470>) -> LIEF::PE::Binary
Parse the PE binary from the given file path and return a Binary object
parse(raw: List[int], config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7f9811299830>) -> LIEF::PE::Binary
Parse the PE binary from the given list of bytes and return a lief.PE.Binary object
parse(io: object, config: lief._lief.PE.ParserConfig = <lief._lief.PE.ParserConfig object at 0x7f981048ec70>) -> object
Parse the PE binary from the given Python IO interface and return a lief.PE.Binary object
This class is used to tweak the PE Parser (Parser)
Parse PE Exports Directory
Parse PE Import Directory
Parse PE relocations
Parse PE resources tree
Parse PE Authenticode signature
Class which represents a PE binary which is the main interface to manage and modify a PE executable.
This object can be instantiated through lief.parse() or lief.PE.parse() while the constructor of this object can be used to craft a binary from scratch (see: 02 - Create a PE from scratch)
Members:
AUTO
VA
RVA
Return the abstract representation of the current binary (lief.Binary)
Warning
Getting this property modifies the __class__ attribute such as the current binary looks like a lief.Binary.
To get back to the original binary, one needs to access lief.Binary.concrete
Add a function to the given Import name
Add an Import by name
Add a Relocation to the binary
Add a Section to the binary.
Compute the authentihash according to the ALGORITHMS given in the first parameter
Authentihash MD5 value
Authentihash SHA1 value
Authentihash SHA-256 value
Authentihash SHA-512 value
The concrete representation of the binary. Basically, this property cast a lief.Binary into a lief.PE.Binary, lief.ELF.Binary or lief.MachO.Binary.
See also: lief.Binary.abstract
Constructor functions that are called prior to any other functions
Return an iterator over the DataDirectory
Return the DataDirectory object from the given DATA_DIRECTORY type
Return an iterator over the DelayImport
DOS stub content as a list of bytes
Binary’s entrypoint
File format EXE_FORMATS of the underlying binary.
Return the content located at the provided virtual address. The virtual address is specified in the first argument and size to read (in bytes) in the second.
If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.
Return the DelayImport from the given name or None if not not found
Return the Export object
Return the address of the given function name
Return the Import from the given name or None if not not found
Return the Section object from the given name or None if not not found
Return the Symbol from the given name.
If the symbol can’t be found, it returns None.
True if the current binary has LoadConfiguration
True if the binary imports the given library name
True if the current binary has delay imports (DelayImport)
True if the current binary uses Exceptions
True if the binary imports the given library name
Check if the binary has NX protection (non executable stack)
True if the current binary uses Relocation
True if the current binary has a Resources object
True if the current binary has a RichHeader object
Check if a Symbol with the given name exists
Default image base (i.e. if the ASLR is not enabled)
Check if the binary is position independent
True if the binary was compiled with a reproducible build directive (Debug)
Return binary’s imported libraries (name)
Return the LoadConfiguration object or None if not present
Convert an offset into a virtual address.
Return the OptionalHeader
Return the overlay content as a list of bytes
Overloaded function.
patch_address(self: lief._lief.Binary, address: int, patch_value: List[int], va_type: lief._lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) -> None
patch_address(self: lief._lief.Binary, address: int, patch_value: int, size: int = 8, va_type: lief._lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) -> None
Try to predict the RVA of the given function name in the given import library name
Return an iterator over the Relocation
Remove the Section given in first parameter
Remove all imported libraries
Remove the Import from the given name
Remove the section with the given name
Return the ResourceNode tree or None if not not present
Return the ResourcesManager to manage resources
RichHeader object (if present)
Convert a relative virtual address to an offset
The conversion is performed by looking for the section that encompasses the provided RVA.
Return the Section which encompasses the provided offset. It returns None if a section can’t be found.
Return the Section which encompasses the provided relative virtual address. If a section can’t be found, it returns None.
Size of all the PE headers
Convert an absolute virtual address into an offset
See: rva_to_offset()
Overloaded function.
verify_signature(self: lief._lief.PE.Binary, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = <VERIFICATION_CHECKS.DEFAULT: 1>) -> lief._lief.PE.Signature.VERIFICATION_FLAGS
Verify the binary against the embedded signature(s) (if any)
First off, it checks that the embedded signatures are correct (c.f.
lief.PE.Signature.check()) and then it checks that the authentihash matcheslief.PE.ContentInfo.digestOne can tweak the verification process with the
lief.PE.Signature.VERIFICATION_CHECKSflagsSee also
verify_signature(self: lief._lief.PE.Binary, signature: lief._lief.PE.Signature, checks: lief._lief.PE.Signature.VERIFICATION_CHECKS = <VERIFICATION_CHECKS.DEFAULT: 1>) -> lief._lief.PE.Signature.VERIFICATION_FLAGS
Verify the binary with the Signature object provided in the first parameter It can be used to verify a detached signature:
detached = lief.PE.Signature.parse("sig.pkcs7") binary.verify_signature(detached)
Return the binary’s virtual size.
This value should match sizeof_image
Build the binary and write the result to the given output file
Return all virtual addresses that use the address given in parameter
Class which represents the DosHeader, the first structure presents at the beginning of a PE file.
Most of the attributes of this structures are not relevant, except addressof_new_exeheader
Class that represents the PE header (which follows the lief.PE.DosHeader)
Add the given HEADER_CHARACTERISTICS to the header
The HEADER_CHARACTERISTICS that indicate the attributes of the file.
Return the HEADER_CHARACTERISTICS as a list
True if the header has the given HEADER_CHARACTERISTICS
The target machine architecture (MACHINE_TYPES)
Number of sections in the binary
The number of entries in the symbol table. This data can be used to locate the string table which immediately follows the symbol table.
This value should be zero for an image because COFF debugging information is deprecated.
The file offset of the COFF symbol table, or zero if no COFF symbol table is present.
This value should be zero for an image because COFF debugging information is deprecated.
Remove the given HEADER_CHARACTERISTICS from the header
Signature (or magic byte) of the header. It must be: PE\0\0
Size of the OptionalHeader AND the data directories which follows this header.
This value is equivalent to: sizeof(pe_optional_header) + NB_DATA_DIR * sizeof(data_directory)
This size should be either:
0xE0 (224) for a PE32 (32 bits)
0xF0 (240) for a PE32+ (64 bits)
The low 32 bits of the number of seconds since 00:00 January 1, 1970 that indicates when the file was created.
Class which represents the PE OptionalHeader structure..
Add the given DLL_CHARACTERISTICS
The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.
An entry point is optional for DLLs. When no entry point is present, this field must be zero.
Address relative to the imagebase where the binary’s code starts
Address relative to the imagebase where the binary’s data starts.
Warning
This value is not present for PE64 files
The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.
The re-computed value of the checksum. If both values do not match, it could mean that the binary has been modified after the compilation.
This value is computed by LIEF when parsing the PE binary.
Some characteristics (DLL_CHARACTERISTICS) of the underlying binary like the support of the PIE.
The prefix dll comes from the official PE specifications but these characteristics are also used for executables
dll_characteristics as a list of DLL_CHARACTERISTICS
The alignment factor (in bytes) that is used to align the raw data of sections in the image file. The value should be a power of 2 between 512 and 64K, inclusive. The default value is 512. If the section_alignment is less than the architecture’s page size, then file_alignment must match section_alignment.
True if the given DLL_CHARACTERISTICS is in the dll_characteristics
The preferred base address when mapping the binary in memory
According to the PE specifications, this value is reserved and should be 0.
The major version number of the image.
The linker major version number
The major version number of the required operating system.
The major version number of the subsystem.
The minor version number of the image.
The linker minor version number
The minor version number of the required operating system.
The minor version number of the subsystem
The number of DataDirectory that follow this header
Remove the given DLL_CHARACTERISTICS
The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture.
The size of the code .text section or the sum of all the sections that contain code (ie. Section with the flag CNT_CODE)
The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment.
The size of the local heap space to commit.
The size of the local heap space to reserve.
Only sizeof_heap_commit is available one page at a time until the reserve size is reached.
The size (in bytes) of the image, including all headers, as the image is loaded in memory. It must be a multiple of section_alignment and should match virtual_size.
The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.
The sections associated with the initialized data are usually identified with the flag CNT_INITIALIZED_DATA
The size of the stack to commit.
The size of the stack to reserve.
Only sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.
The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.
The sections associated with the uninitialized data are usually identified with the flag CNT_UNINITIALIZED_DATA
Reserved, must be zero.
Class that represents a PE data directory entry
Relative virtual address of the content associated with the current data directory
Size in bytes of the content associated with the current data directory
Type (DATA_DIRECTORY) of the current data directory
Class which represents a PE section.
It extends the base class lief.Section
Overloaded function.
__init__(self: lief._lief.PE.Section) -> None
__init__(self: lief._lief.PE.Section, content: List[int], name: str = ‘’, characteristics: int = 0) -> None
Constructor from content, name and characteristics
__init__(self: lief._lief.PE.Section, name: str) -> None
Constructor from a name
The SECTION_CHARACTERISTICS that describe the characteristics of the section
characteristics as a list
Section’s content
Section’s entropy
Return the fullname of the section including the trailing bytes
True if the section has the given SECTION_CHARACTERISTICS
Section’s name
The number of line-number entries for the section. This value should be zero for an image because COFF debugging information is deprecated.
The number of relocation entries for the section.
See: pointerto_relocation
Section’s file offset
Section padding content as bytes
The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.
The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.
For modern PE binaries, this value is usually set to 0 as the relocations are managed by Relocation.
Overloaded function.
search(self: lief._lief.Section, number: int, pos: int = 0, size: int = 0) -> object
Look for integer within the current section
search(self: lief._lief.Section, str: str, pos: int = 0) -> object
Look for string within the current section
search(self: lief._lief.Section, bytes: bytes, pos: int = 0) -> object
Look for the given bytes within the current section
Overloaded function.
search_all(self: lief._lief.Section, number: int, size: int = 0) -> List[int]
Look for all integers within the current section
search_all(self: lief._lief.Section, str: str) -> List[int]
Look for all strings within the current section
Section’s size
Section’s virtual address
The total size of the section when loaded into memory.
If this value is greater than sizeof_raw_data, the section is zero-padded.
Class that represents a PE import
Overloaded function.
__init__(self: lief._lief.PE.Import) -> None
Default constructor
__init__(self: lief._lief.PE.Import, library_name: str) -> None
Constructor from a library name
Overloaded function.
add_entry(self: lief._lief.PE.Import, entry: LIEF::PE::ImportEntry) -> LIEF::PE::ImportEntry
Add an ImportEntry (function) to the current import
add_entry(self: lief._lief.PE.Import, function_name: str) -> LIEF::PE::ImportEntry
Add an ImportEntry (function) to the current import
Return the DataDirectory associated with this import.
It should be the one at index lief.PE.DATA_DIRECTORY.IMPORT_TABLE. It can return None if the Import directory can’t be resolved.
Iterator over the ImportEntry (functions)
The index of the first forwarder reference
Return the ImportEntry with the given name or None if not found
Return the relative virtual address of the given function within the Import Address Table
Return the DataDirectory associated with the IAT table.
It should be the one at index lief.PE.DATA_DIRECTORY.IAT. It can return None if the IAT directory can’t be resolved.
The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.
Warning
This address could change when re-building the binary
The RVA of the import lookup table. This table contains the name or the ordinal for all the imports.
Library name (e.g. kernel32.dll)
The stamp that is set to zero until the image is bound.
After the image is bound, this field is set to the time/data stamp of the DLL
Class that represents an entry (i.e. an import) in the import table (Import).
It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value
Overloaded function.
__init__(self: lief._lief.PE.ImportEntry) -> None
__init__(self: lief._lief.PE.ImportEntry, import_name: str) -> None
Constructor from a name
__init__(self: lief._lief.PE.ImportEntry, data: int, name: str = ‘’) -> None
Constructor from a data and an optionally name
__init__(self: lief._lief.PE.ImportEntry, data: int, type: lief._lief.PE.PE_TYPE, name: str = ‘’) -> None
Constructor from a data, a type and an optional name
__init__(self: lief._lief.PE.ImportEntry, name: str, type: lief._lief.PE.PE_TYPE) -> None
Constructor from a name, and a type
Raw value
Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution
Original address of the entry in the Import Address Table
Value of the current entry in the Import Address Table. It should match the lookup table value.
True if it is an import by ordinal
Import name if not ordinal
Ordinal value (if any). See: is_ordinal
Symbol’s size
Symbol’s value
Class that represents a PE delay import
Constructor from a library name
Reserved and should be zero according to the PE specifications
RVA of the bound delay-load import address table or 0 if the table does not exist.
Iterator over the DelayImportEntry (functions)
The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.
RVA of the delay-load import address table.
Library name (e.g. kernel32.dll)
RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table
The timestamp of the DLL to which this image has been bound.
RVA of the unload delay-load import address table or 0 if the table does not exist.
According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.
Class that represents an entry (i.e. a delay import) in the delay import table (DelayImport).
It extends the lief.Symbol generic class that provides the lief.Symbol.name and lief.Symbol.value
The meaning of lief.Symbol.value for this PE object is the address (as an RVA) in the IAT where the resolution should take place
Raw value
Index into the lief.PE.Export.entries that is used to speed-up the symbol resolution
Value of the current entry in the delay-loaded import address table. See: iat
True if it is an import by ordinal
Delay import name if not ordinal
Ordinal value (if any). See: is_ordinal
Symbol’s size
Symbol’s value
Class which represents the PE Thread Local Storage. This PE structure is also used to implement binary/library constructors.
Default constructor
The pointer to an array of TLS callback functions.
The array is null-terminated, so if no callback function is supported, this field points to 4 bytes set to zero.
See: callbacks
The location to receive the TLS index, which the loader assigns. This location is in an ordinary data section, so it can be given a symbolic name that is accessible to the program.
Tuple (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.
Note
These addresses are not RVA. It is addresses for which there should be a base relocation in the .reloc section.
List of the callback associated with the current TLS.
These functions are called before any other functions of the PE binary.
The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.
The data template content
DataDirectory associated with the TLS object (or None if not linked)
True if there is a DataDirectory associated with the TLS object
The size in bytes of the template, beyond the initialized data delimited by the addressof_raw_data fields. The total template size should be the same as the total size of TLS data in the image file. The zero fill is the amount of data that comes after the initialized nonzero data.
True if symbols are located in a section
Symbol’s size
Symbol’s value
Class which represents the Base Relocation Block Usually, we find this structure in the .reloc section
Add a new RelocationEntry
The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)
Iterator over the RelocationEntry
The RVA for which the offset of the relocation entries (RelocationEntry) is added
Class which represents an entry of the PE relocation table.
It extends the lief.Relocation object to provide an uniform API across the file formats
Relocation’s address
Raw data of the relocation:
Offset - relative to virtual_address - where the relocation occurs
Relocation’s size (in bits)
Type of the relocation (see: RELOCATIONS_BASE_TYPES)
Class which represents a PE Export
Iterator over the ExportEntry
According to the PE specifications this value is reserved and should be set to 0
The major version number (can be user-defined)
The minor version number (can be user-defined)
The name of the library exported (e.g. KERNEL32.dll)
The starting number for the exports. Usually this value is set to 1
The time and date that the export data was created
Class which represents a PE Export entry (cf. lief.PE.Export)
Symbol’s size
Symbol’s value
Flags to tweak the verification process of the signature See
lief.PE.Signature.check()andlief.PE.Binary.verify_signature()
Members:
DEFAULT : Default behavior that tries to follow the Microsoft verification process as close as possible
- HASH_ONLY
Only check that
lief.PE.Binary.authentihash()matcheslief.PE.ContentInfo.digestregardless of the signature’s validity- LIFETIME_SIGNING
Same semantic as WTD_LIFETIME_SIGNING_FLAG
- SKIP_CERT_TIME
Skip the verification of the certificates time validities so that even though a certificate expired, it returns
lief.PE.Signature.VERIFICATION_FLAGS.OK
Members:
OK
INVALID_SIGNER
UNSUPPORTED_ALGORITHM
INCONSISTENT_DIGEST_ALGORITHM
CERT_NOT_FOUND
CORRUPTED_CONTENT_INFO
CORRUPTED_AUTH_DATA
MISSING_PKCS9_MESSAGE_DIGEST
BAD_DIGEST
BAD_SIGNATURE
NO_SIGNATURE
CERT_EXPIRED
CERT_FUTURE
__str__(*args, **kwargs) Overloaded function.
__str__(self: lief._lief.PE.Signature.VERIFICATION_FLAGS) -> str
__str__(self: handle) -> str
Check the integrity of the signature and return a lief.PE.Signature.VERIFICATION_FLAGS
By default, it performs the following verifications:
It must contain only one signer info (signers)
lief.PE.Signature.digest_algorithm must match:
The x509 certificate specified by lief.PE.SignerInfo.serial_number and lief.PE.SignerInfo.issuer must exist within lief.PE.Signature.certificates
Given the x509 certificate, compare lief.PE.SignerInfo.encrypted_digest against either:
hash of authenticated attributes (authenticated_attributes) if present
hash of ContentInfo
If they are Authenticated attributes, check that a PKCS9_MESSAGE_DIGEST (lief.PE.PKCS9MessageDigest) attribute exists and that its value matches hash of ContentInfo
Check the validity of the PKCS #9 counter signature if present
If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See lief.PE.Signature.VERIFICATION_CHECKS.LIFETIME_SIGNING and lief.pe.Signature.VERIFICATION_CHECKS.SKIP_CERT_TIME)
See: lief.PE.Signature.VERIFICATION_CHECKS to tweak the behavior
Return the ContentInfo
Return the algorithm (ALGORITHMS) used to sign the content of ContentInfo
Find the x509 certificate according to its serial number
Overloaded function.
find_crt_issuer(self: lief._lief.PE.Signature, issuer: str) -> LIEF::PE::x509
Find the x509 certificate according to its issuer
find_crt_issuer(self: lief._lief.PE.Signature, issuer: str, serialno: List[int]) -> LIEF::PE::x509
Find the x509 certificate according to its issuer AND its serial number
Overloaded function.
find_crt_subject(self: lief._lief.PE.Signature, subject: str) -> LIEF::PE::x509
Find the x509 certificate according to its subject
find_crt_subject(self: lief._lief.PE.Signature, subject: str, serialno: List[int]) -> LIEF::PE::x509
Find the x509 certificate according to its subject AND its serial number
Overloaded function.
parse(path: str) -> object
Parse the DER PKCS #7 signature from the file path given in the first parameter
parse(raw: List[int], skip_header: bool = False) -> object
Parse the raw (DER) PKCS #7 signature given in the first parameter
Return the raw original signature as a byte object
Return an iterator over the signers (SignerInfo)
Version of the signature. It should be 1
Interface over PKCS #7 attribute
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9) The internal structure is described in the: RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
ContentType ::= OBJECT IDENTIFIER
OID as described in RFC #2985 (string object)
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over an attribute for which the internal structure is not supported by LIEF
OID of the original attribute
Original DER blob of the attribute
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1
The internal structure is not documented but we can infer the following structure:
MsSpcNestedSignature ::= SET OF SignedData
With SignedData, the structure described in PKCS #7 RFC (See: lief.PE.Signature)
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11
The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format
SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER
According to the documentation:
The SpcStatementType MUST contain one Object Identifier with either
the value ``1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID)`` or
``1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID)``.
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
sequenceNumber ATTRIBUTE ::= {
WITH SYNTAX SequenceNumber
EQUALITY MATCHING RULE integerMat
SINGLE VALUE TRUE
ID pkcs-9-at-sequenceNumber
}
SequenceNumber ::= INTEGER (1..MAX)
Number as described in the RFC
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
counterSignature ATTRIBUTE ::= {
WITH SYNTAX SignerInfo
ID pkcs-9-at-counterSignature
}
Return the SignerInfo as described in the RFC #2985
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
messageDigest ATTRIBUTE ::= {
WITH SYNTAX MessageDigest
EQUALITY MATCHING RULE octet
SINGLE VALUE TRUE
ID pkcs-9-at-messageDigest
}
MessageDigest ::= OCTET STRING
Message digeset as a blob of bytes as described in the RFC
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)
The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0
signingTime ATTRIBUTE ::= {
WITH SYNTAX SigningTime
EQUALITY MATCHING RULE signingTimeMatch
SINGLE VALUE TRUE
ID pkcs-9-at-signingTime
}
SigningTime ::= Time -- imported from ISO/IEC 9594-8
Time as a list [year, month, day, hour, min, sec]
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12 The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format
SpcSpOpusInfo ::= SEQUENCE {
programName [0] EXPLICIT SpcString OPTIONAL,
moreInfo [1] EXPLICIT SpcLink OPTIONAL
}
Other information such as an URL
Program description provided by the publisher
Concrete type (SIG_ATTRIBUTE_TYPES) of the attribute
Object representing a RSA key
RSA private exponent (in bytes)
RSA public exponent (in bytes)
RSA public modulus (in bytes)
First prime factor (in bytes)
Second prime factor (in bytes)
True if it embeds a private key
True if it embeds a public key
Size of the public modulus in bits
Interface over a x509 certificate
Public key scheme used by the x509 certificate
Members:
NONE : Unknown scheme
RSA : RSA scheme
ECKEY : Elliptic-curve scheme
ECKEY_DH : Elliptic-curve Diffie-Hellman
ECDSA : Elliptic-curve Digital Signature Algorithm
RSA_ALT : RSA scheme with an alternative implementation for signing and decrypting
RSASSA_PSS : RSA Probabilistic signature scheme
Key usage as defined in RFC #5280 - section-4.2.1.3
Members:
DIGITAL_SIGNATURE : The key is used for digital signature
NON_REPUDIATION : The key is used for digital signature AND to protects against falsely denying some action
KEY_ENCIPHERMENT : The key is used for enciphering private or secret keys
DATA_ENCIPHERMENT : The key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher
KEY_AGREEMENT : The Key is used for key agreement. (e.g. with Diffie-Hellman)
KEY_CERT_SIGN : The key is used for verifying signatures on public key certificates
CRL_SIGN : The key is used for verifying signatures on certificate revocation lists
ENCIPHER_ONLY : In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for enciphering data while performing key agreement
DECIPHER_ONLY : In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for deciphering data while performing key agreement
Verification flags associated with verify
Members:
OK : The verification succeed
BADCERT_EXPIRED : The certificate validity has expired
BADCERT_REVOKED : The certificate has been revoked (is on a CRL)
BADCERT_CN_MISMATCH : The certificate Common Name (CN) does not match with the expected CN.
BADCERT_NOT_TRUSTED : The certificate is not correctly signed by the trusted CA.
BADCRL_NOT_TRUSTED : The CRL is not correctly signed by the trusted CA.
BADCRL_EXPIRED : The CRL is expired.
BADCERT_MISSING : Certificate was missing.
BADCERT_SKIP_VERIFY : Certificate verification was skipped.
BADCERT_OTHERNATURE : Other reason
BADCERT_FUTURE : The certificate validity starts in the future.
BADCRL_FUTURE : The CRL is from the future
BADCERT_KEY_USAGE : Usage does not match the keyUsage extension.
BADCERT_EXT_KEY_USAGE : Usage does not match the extendedKeyUsage extension.
BADCERT_NS_CERT_TYPE : Usage does not match the nsCertType extension.
BADCERT_BAD_MD : The certificate is signed with an unacceptable hash.
BADCERT_BAD_PK : The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).
BADCERT_BAD_KEY : The certificate is signed with an unacceptable key (eg bad curve, RSA too short).
BADCRL_BAD_MD : The CRL is signed with an unacceptable hash.
BADCRL_BAD_PK : The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).
BADCRL_BAD_KEY : The CRL is signed with an unacceptable key (eg bad curve, RSA too short).
Policy information terms as list of OID (see RFC #5280)
Indicates one or more purposes for which the certified public key may be used (list of OID)
Verify this certificate against a list of root CA (list of x509 objects) It returns a set of flags defined by VERIFICATION_FLAGS
signer = binary.signatures[0].signers[0]
microsoft_ca_bundle lief.PE.x509.parse("bundle.pem")
print(signer.cert.is_trusted_by(microsoft_ca_bundle))
Issuer of the certificate
Overloaded function.
parse(path: str) -> List[lief._lief.PE.x509]
Parse x509 certificate(s) from a file path given in the first parameter. It returns a list of x509 objects
parse(raw: List[int]) -> List[lief._lief.PE.x509]
Parse x509 certificate(s) from a raw blob given in the first parameter. It returns a list of x509 objects
The raw bytes associated with this x509 cert (DER encoded)
If the underlying public-key scheme is RSA, return the RsaInfo associated with this certificate. Otherwise, return None
Unique id for certificate issued by a specific CA.
The signature of the certificate
Signature algorithm (OID)
Subject of the certificate
Start time of certificate validity
End time of certificate validity
Verify that this certificate has been used to trust the given x509 certificate
It returns a set of flags defined by VERIFICATION_FLAGS
ca = lief.PE.x509.parse("ca.crt")[0]
signer = lief.PE.x509.parse("signer.crt")[0]
print(ca.verify(signer)) # lief.PE.x509.VERIFICATION_FLAGS.OK
X.509 version. (1=v1, 2=v2, 3=v3)
ContentInfo as described in the RFC 2315
ContentInfo ::= SEQUENCE {
contentType ContentType,
content [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}
ContentType ::= OBJECT IDENTIFIER
In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent
SpcIndirectDataContent ::= SEQUENCE {
data SpcAttributeTypeAndOptionalValue,
messageDigest DigestInfo
}
SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
type ObjectID,
value [0] EXPLICIT ANY OPTIONAL
}
For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData
DigestInfo ::= SEQUENCE {
digestAlgorithm AlgorithmIdentifier,
digest OCTETSTRING
}
AlgorithmIdentifier ::= SEQUENCE {
algorithm ObjectID,
parameters [0] EXPLICIT ANY OPTIONAL
}
OID of the content type. This value should match SPC_INDIRECT_DATA_OBJID
The digest as bytes. It should match the binary authentihash()
Algorithm (ALGORITHMS) used to hash the file. This value should match SignerInfo.digest_algorithm and Signature.digest_algorithm
SignerInfo as described in the RFC 2315 #Section 9.2
SignerInfo ::= SEQUENCE {
version Version,
issuerAndSerialNumber IssuerAndSerialNumber,
digestAlgorithm DigestAlgorithmIdentifier,
authenticatedAttributes [0] IMPLICIT Attributes OPTIONAL,
digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
encryptedDigest EncryptedDigest,
unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}
EncryptedDigest ::= OCTET STRING
Algorithm (ALGORITHMS) used to hash the file. This value should match ContentInfo.digest_algorithm and Signature.digest_algorithm
Return the signature created by the signing certificate’s private key
Return algorithm (ALGORITHMS) used to encrypt the digest
Return the authenticated or un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None
Return the authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns None
Return the un-authenticated attribute matching the given lief.PE.SIG_ATTRIBUTE_TYPES It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr
The X509 issuer used to sign the signed-data (see: lief.PE.x509.issuer)
The X509 serial number used to sign the signed-data (see: lief.PE.x509.serial_number)
Return an iterator over the unauthenticated attributes (Attribute)
Should be 1
Class that is used to rebuild a raw PE binary from a PE::Binary object
Constructor that takes a Binary
Perform the build process
Rebuild the DOS stub
Rebuild the import table into another section
Rebuild the binary’s overlay
Rebuild the relocation table in another section
Rebuid the resources in another section
Rebuild TLS object in another section
Return the build result as a list of bytes
Patch the original import table in order to redirect functions to the new import table.
This setting should be used with build_imports set to True
Write the build result into the output file
Class which represents a Node in the resource tree. It is extended by lief.PE.ResourceData and lief.PE.ResourceNode
Add a ResourceData to the current node
Add a ResourceDirectory to the current node
Node’s childs
Overloaded function.
delete_child(self: lief._lief.PE.ResourceNode, node: lief._lief.PE.ResourceNode) -> None
Delete the given ResourceNode from childs
delete_child(self: lief._lief.PE.ResourceNode, id: int) -> None
Delete the ResourceNode with the given id from childs
Current depth of the entry in the resource tree
True if the current resource uses a name
Integer that identifies the Type, Name, or Language ID entry.
True if the current resource is a ResourceData
True if the current resource is a ResourceDirectory
Resource’s name
Default constructor
Add a ResourceData to the current node
Add a ResourceDirectory to the current node
Resource characteristics. This field is reserved for future use. It is currently set to zero.
Node’s childs
Overloaded function.
delete_child(self: lief._lief.PE.ResourceNode, node: lief._lief.PE.ResourceNode) -> None
Delete the given ResourceNode from childs
delete_child(self: lief._lief.PE.ResourceNode, id: int) -> None
Delete the ResourceNode with the given id from childs
Current depth of the entry in the resource tree
True if the current resource uses a name
Integer that identifies the Type, Name, or Language ID entry.
True if the current resource is a ResourceData
True if the current resource is a ResourceDirectory
The major version number, set by the user.
The minor version number, set by the user.
Resource’s name
The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.
The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table
The time that the resource data was created by the resource compiler.
Class which represents a Data Node in the PE resources tree
Overloaded function.
__init__(self: lief._lief.PE.ResourceData) -> None
Default constructor
__init__(self: lief._lief.PE.ResourceData, content: List[int], code_page: int) -> None
Add a ResourceData to the current node
Add a ResourceDirectory to the current node
Node’s childs
Return the code page that is used to decode code point values within the resource data. Typically, the code page is the Unicode code page.
Resource content
Overloaded function.
delete_child(self: lief._lief.PE.ResourceNode, node: lief._lief.PE.ResourceNode) -> None
Delete the given ResourceNode from childs
delete_child(self: lief._lief.PE.ResourceNode, id: int) -> None
Delete the ResourceNode with the given id from childs
Current depth of the entry in the resource tree
True if the current resource uses a name
Integer that identifies the Type, Name, or Language ID entry.
True if the current resource is a ResourceData
True if the current resource is a ResourceDirectory
Resource’s name
Offset of the content within the resource
Warning
This value can change when re-building the resource table
Reserved value. Should be 0
The Resource Manager provides an enhanced API to manipulate the resource tree
Return list of ResourceAccelerator present in the resource
Add an icon to the resources
Switch the given icons
Return the list of the ResourceDialog present in the resource
Return ResourceNode with the given RESOURCE_TYPES or None if not found.
True if resources contain ResourceAccelerator
true if the resources contain ResourceDialog
True if resources contain HTML resource
true if the resources contain ResourceIcon
True if the resources contain a Manifest element
True if resources contain ResourceStringTable
True if the resource has the given RESOURCE_TYPES
true if the resources contain a ResourceVersion
HTML resource as the list of string
Return the list of the ResourceIcon present in the resource
Return list of RESOURCE_LANGS present in the resources
Manifest as a string
Return list of ResourceStringTable present in the resource
Return list of RESOURCE_SUBLANGS present in the resources
Return list of RESOURCE_TYPES present in the resources
Return the ResourceVersion
Bits per pixel
Number of colors in image (0 if >=8bpp)
Height in pixels of the image
Id associated with the icon
Language (RESOURCE_LANGS) associated with the icon
Color Planes
Reserved (must be 0)
Save the icon to the given filepath
Sub language (RESOURCE_SUBLANGS) associated with the icon
Width in pixels of the image
Representation of a dialog box.
Windows allows two kinds of dialog box:
Simple one
Extended one
is_extended can be used to determine which one is implemented
The character set to be used
The width, in dialog box units, of the dialog box.
The height, in dialog box units, of the dialog box.
Return list of DIALOG_BOX_STYLES associated with the style member
The extended windows styles (EXTENDED_WINDOW_STYLES)
Return list of EXTENDED_WINDOW_STYLES associated with the extended_style member
Check if the style member has the given DIALOG_BOX_STYLES
Check if the extended_style member has the given EXTENDED_WINDOW_STYLES
Check if the style member has the given WINDOW_STYLES
The help context identifier for the dialog box window
True if the dialog is an extended one
Iterator over the controls (ResourceDialogItem) that defines the Dialog (Button, Label…)
Primary RESOURCE_LANGS associated with the dialog
The point size of the font to use for the text in the dialog box and its controls.
Indicate whether a template is an extended dialog box template:
0xFFFF: Extended dialog box templateOther value: Standard dialog box template
The style of the dialog box. This member can be a combination of WINDOW_STYLES and DIALOG_BOX_STYLES
Return list of WINDOW_STYLES associated with the style member
Secondary RESOURCE_SUBLANGS associated with the dialog
The title of the dialog box
The name of the typeface for the font
The version number of the extended dialog box template. This member must be set to 1.
The weight of the font
The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.
The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.
This class represents an item in the lief.PE.ResourceDialog
The width, in dialog box units, of the control
The height, in dialog box units, of the control
The extended styles for the window
The help context identifier for the control
The control identifier
True if the control is an extended one
The style of the control. This member can be a combination of WINDOW_STYLES values and one or more of the control style values.
Initial text of the control
The x-coordinate, in dialog box units, of the upper-left corner of the control
The y-coordinate, in dialog box units, of the upper-left corner of the control
Class that represents the data associated with the RT_VERSION entry
See: VS_VERSIONINFO
ResourceFixedFileInfo associated with the version (if any). This object describes various information about the application’s version.
If not present, this property is set to None
True if the version contains a ResourceFixedFileInfo
True if the version contains a ResourceStringFileInfo
True if the version contains a ResourceVarFileInfo
Signature of the structure. Must be VS_VERSION_INFO
Remove the ResourceFixedFileInfo from the version
Remove the ResourceStringFileInfo from the version
Remove the ResourceVarFileInfo from the version
ResourceStringFileInfo associated with the version (if any) This object describes various information about the application’s version. The underlying structure is basically a dictionary (key/value)
If the current ResourceVersion does not use ResourceStringFileInfo, it returns None.
1 if it contains text data
0 if it contains binary data
ResourceVarFileInfo associated with the version (if any) This object describes information about languages supported by the application.
If the current ResourceVersion does not use ResourceVarFileInfo, it returns None.
Representation of the VS_FIXEDFILEINFO structure
The least significant 32 bits of the file’s 64-bit binary creation date and time stamp
The most significant 32 bits of the file’s 64-bit binary creation date and time stamp
Contains a bitmask that specifies the Boolean attributes of the file (FIXED_VERSION_FILE_FLAGS)
Contains a bitmask that specifies the valid bits in file_flags. A bit is valid only if it was defined when the file was created.
The operating system for which this file was designed (FIXED_VERSION_OS)
The function of the file (FIXED_VERSION_FILE_SUB_TYPES)
The general type of file (FIXED_VERSION_FILE_TYPES)
The least significant 32 bits of the file’s binary version number
This member is used with file_version_MS to form a 64-bits value used for numeric comparisons.
The most significant 32 bits of the file’s binary version number
This member is used with file_version_LS to form a 64-bits value used for numeric comparisons.
The least significant 32 bits of the product with which this file was distributed
This member is used with product_version_MS to form a 64-bits value used for numeric comparisons.
The most significant 32 bits of the product with which this file was distributed
This member is used with product_version_LS to form a 64-bits value used for numeric comparisons.
Must be set to 0xFEEF04BD
The binary version number of this structure.
The high-order word of this member contains the major version number.
The low-order word contains the minor version number
This object describes information about languages supported by the application
Signature of the structure. Must be VarFileInfo
List of languages that the application supports
The least significant 16-bits must contain a Microsoft language identifier, and the most significant 16-bits must contain the CODE_PAGES Either most or least 16-bits can be zero, indicating that the file is language or code page independent.
The type of data in the version resource
1if it contains text data
0if it contains binary data
Representation of the StringFileInfo structure
See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringfileinfo
Signature of the structure. Must be StringFileInfo
List of the LangCodeItem items
Each key indicates the appropriate language and code page for displaying the key: value of items
The type of data in the version resource:
1if it contains text data
0if it contains binary data
Class which represents the childs of the ResourceStringFileInfo
See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringtable
CODE_PAGES for which items are defined.
See: https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
A 8-digit hexadecimal number stored as an Unicode string
The four most significant digits represent the language identifier.
The four least significant digits represent the code page for which the data is formatted.
See:
Lang (RESOURCE_LANGS) for which items are defined
Sub-lang (RESOURCE_SUBLANGS) for which items are defined
The type of data in the version resource
1if it contains text data
0if it contains binary data
Class which represents the not-so-documented rich header
This structure is usually located at the end of the dos_stub and contains information about the build environment.
It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.
Overloaded function.
add_entry(self: lief._lief.PE.RichHeader, entry: LIEF::PE::RichEntry) -> None
Add a new RichEntry
add_entry(self: lief._lief.PE.RichHeader, id: int, build_id: int, count: int) -> None
Overloaded function.
hash(self: lief._lief.PE.RichHeader, algo: lief._lief.PE.ALGORITHMS) -> List[int]
Compute the hash of the decoded rich header structure with the given hash
ALGORITHMS
hash(self: lief._lief.PE.RichHeader, algo: lief._lief.PE.ALGORITHMS, xor_key: int) -> List[int]
Compute the hash of the rich header structure encoded with the provided key and the given hash
ALGORITHMS
Key used to encode the header (xor operation)
Overloaded function.
raw(self: lief._lief.PE.RichHeader) -> List[int]
The raw structure of the Rich header without xor-encoding.
This function is equivalent as calling the other raw function with a xor_key set to 0
raw(self: lief._lief.PE.RichHeader, xor_key: int) -> List[int]
Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.
You can access the decoded data’s structure with the xor_key set to 0
Class which represents an entry associated to the RichHeader
Overloaded function.
__init__(self: lief._lief.PE.RichEntry) -> None
__init__(self: lief._lief.PE.RichEntry, id: int, build_id: int, count: int) -> None
Contructor from id, build_id and count
Builder number of the tool (if any)
Occurrence count
Type of the entry
Address of the debug data relative to the image base
Reserved should be 0
Return an object which subclass CodeView representing the code view” The subclassed object can be one of:
If a code view is not present, it is set to None
Whether or not a code view is present
Whether or not a pogo is present
The major version number of the debug data format.
The minor version number of the debug data format.
Return an object which subclasses Pogo representing the pogo entry. It returns None if not present.
File offset of the debug data
Size of the debug data
The time and date that the debug data was created.
The format (DEBUG_TYPES) of the debugging information
Type of the code view (CODE_VIEW_SIGNATURES)
Type of the code view (CODE_VIEW_SIGNATURES)
Type of the pogo (POGO_SIGNATURES)
Class that represents the default PE’s LoadConfiguration It’s the base class for any future versions of the structure
Characteristics of the structure.
The default timeout value to use for is process’s critical sections that are abandoned.
The service pack version identifier.
Memory that must be freed before it is returned to the system, in bytes.
Total amount of free memory, in bytes
On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags. This is an alias for reserved1
Reserved for use by the system.
The global loader flags to clear for this process as the loader start the process.
The global loader flags to set for this process as the loader starts the process.
The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.
Major Version
Maximum allocation size, in bytes.
Minor version
Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)
Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.
Must be zero.
A pointer to a cookie that is used by Visual C++ or GS implementation.
Size of the structure which is an alias for characteristics
Date and time stamp value
(SDK) Version of the structure. (WIN_VERSION)
Maximum virtual memory size, in bytes.
Bases: LoadConfiguration
LoadConfiguration enhanced with SEH. It is associated with the WIN_VERSION: SEH
The count of unique handlers in the table.
The VA of the sorted table of RVAs of each valid, unique SE handler in the image.
Bases: LoadConfigurationV0
LoadConfigurationV0 enhanced with Control Flow Guard. It is associated with the WIN_VERSION set to WIN_8_1
The VA where Control Flow Guard check-function pointer is stored.
The VA where Control Flow Guard dispatch-function pointer is stored.
Return list of GUARD_CF_FLAGS present in guard_flags
The count of unique RVAs in the guard_cf_function_table
The VA of the sorted table of RVAs of each Control Flow Guard function in the image.
Control Flow Guard related flags.
Check if the given GUARD_CF_FLAGS is present in guard_flags
Bases: LoadConfigurationV1
LoadConfigurationV1 enhanced with code integrity. It is associated with the WIN_VERSION set to WIN10_0_9879
CodeIntegrity object
Bases: LoadConfigurationV2
LoadConfigurationV2 with Control Flow Guard improved.
It is associated with the WIN_VERSION set to WIN10_0_14286
Number of entries in the guard_address_taken_iat_entry_table
VA of a table associated with CFG’s IAT checks
Number of entries in the guard_address_taken_iat_entry_table
VA of a table associated with CFG’s long jump
Bases: LoadConfigurationV3
LoadConfigurationV3 enhanced with:
Kind of dynamic relocations
Hybrid Metadata Pointer
It is associated with the WIN_VERSION set to WIN10_0_14383
VA of pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE
Bases: LoadConfigurationV4
LoadConfigurationV4 enhanced nhanced with Return Flow Guard.
It is associated with the WIN_VERSION set to WIN10_0_14901
Offset of dynamic relocation table relative to the relocation table
The section index of the dynamic value relocation table
VA of the failure routine
VA of the failure routine fptr
Must be zero
Bases: LoadConfigurationV5
LoadConfigurationV5 enhanced with Hotpatch and improved RFG.
It is associated with the WIN_VERSION set to WIN10_0_15002
VA of the Function verifying the stack pointer
Offset to the hotpatch table
Bases: LoadConfigurationV6
Bases: LoadConfigurationV7
Bases: LoadConfigurationV8
Bases: LoadConfigurationV9
Bases: LoadConfigurationV10
Overloaded function.
is_pe(file: str) -> bool
Check if the given file is a PE
is_pe(raw: List[int]) -> bool
Check if the given raw data is a PE
Overloaded function.
get_type(file: str) -> object
If the input file is a PE one, return the PE_TYPE If the function fails to determine the type, it returns a lief_errors
get_type(raw: List[int]) -> object
If the input raw data represent a PE file, return the PE_TYPE If the function fails to determine the type, it returns a lief_errors
Compute the hash of imported functions
Properties of the hash generated:
Order agnostic
Casse agnostic
Ordinal (in some extent) agnostic
If one needs the same output as Virus Total (i.e. pefile), you can use PEFILE as second parameter.
Warning
The algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation
Enum to define the behavior of get_imphash()
Members:
DEFAULT : Default implementation
LIEF : Same as DEFAULT
PEFILE : Use pefile algorithm
VT : Same as PEFILE since Virus Total is using pefile
Take an Import as entry and try to resolve its ordinal imports
The strict boolean parameter enables to throw a not_found exception if the ordinal can’t be resolved. Otherwise it skips the entry.
Members:
INVALID
UNKNOWN
AM33
AMD64
ARM
ARMNT
ARM64
EBC
I386
IA64
M32R
MIPS16
MIPSFPU
MIPSFPU16
POWERPC
POWERPCFP
R4000
SH3
SH3DSP
SH4
SH5
THUMB
WCEMIPSV2
Members:
RELOCS_STRIPPED
EXECUTABLE_IMAGE
LINE_NUMS_STRIPPED
LOCAL_SYMS_STRIPPED
AGGRESSIVE_WS_TRIM
LARGE_ADDRESS_AWARE
BYTES_REVERSED_LO
CHARA_32BIT_MACHINE
DEBUG_STRIPPED
REMOVABLE_RUN_FROM_SWAP
NET_RUN_FROM_SWAP
SYSTEM
DLL
UP_SYSTEM_ONLY
BYTES_REVERSED_HI
Members:
UNKNOWN
NATIVE
WINDOWS_GUI
WINDOWS_CUI
OS2_CUI
POSIX_CUI
NATIVE_WINDOWS
WINDOWS_CE_GUI
EFI_APPLICATION
EFI_BOOT_SERVICE_DRIVER
EFI_RUNTIME_DRIVER
EFI_ROM
XBOX
WINDOWS_BOOT_APPLICATION
Members:
EXPORT_TABLE
IMPORT_TABLE
RESOURCE_TABLE
EXCEPTION_TABLE
CERTIFICATE_TABLE
BASE_RELOCATION_TABLE
DEBUG
ARCHITECTURE
GLOBAL_PTR
TLS_TABLE
LOAD_CONFIG_TABLE
BOUND_IMPORT
IAT
DELAY_IMPORT_DESCRIPTOR
CLR_RUNTIME_HEADER
RESERVED
Members:
HIGH_ENTROPY_VA
DYNAMIC_BASE
FORCE_INTEGRITY
NX_COMPAT
NO_ISOLATION
NO_SEH
NO_BIND
APPCONTAINER
WDM_DRIVER
GUARD_CF
TERMINAL_SERVER_AWARE
Members:
TYPE_NO_PAD
CNT_CODE
CNT_INITIALIZED_DATA
CNT_UNINITIALIZED_DATA
LNK_OTHER
LNK_INFO
LNK_REMOVE
LNK_COMDAT
GPREL
MEM_PURGEABLE
MEM_16BIT
MEM_LOCKED
MEM_PRELOAD
ALIGN_1BYTES
ALIGN_2BYTES
ALIGN_4BYTES
ALIGN_8BYTES
ALIGN_16BYTES
ALIGN_32BYTES
ALIGN_64BYTES
ALIGN_128BYTES
ALIGN_256BYTES
ALIGN_512BYTES
ALIGN_1024BYTES
ALIGN_2048BYTES
ALIGN_4096BYTES
ALIGN_8192BYTES
LNK_NRELOC_OVFL
MEM_DISCARDABLE
MEM_NOT_CACHED
MEM_NOT_PAGED
MEM_SHARED
MEM_EXECUTE
MEM_READ
MEM_WRITE
Members:
TEXT
IDATA
DATA
BSS
RESOURCE
RELOCATION
EXPORT
UNKNOWN
Members:
NULL
VOID
CHAR
SHORT
INT
LONG
FLOAT
DOUBLE
STRUCT
UNION
ENUM
MOE
BYTE
WORD
UINT
DWORD
Members:
NULL
POINTER
FUNCTION
ARRAY
COMPLEX_TYPE_SHIFT
Members:
END_OF_FUNCTION
NULL
AUTOMATIC
EXTERNAL
STATIC
REGISTER
EXTERNAL_DEF
LABEL
UNDEFINED_LABEL
MEMBER_OF_STRUCT
UNION_TAG
TYPE_DEFINITION
UDEFINED_STATIC
ENUM_TAG
MEMBER_OF_ENUM
REGISTER_PARAM
BIT_FIELD
BLOCK
FUNCTION
END_OF_STRUCT
FILE
SECTION
WEAK_EXTERNAL
CLR_TOKEN
Members:
ABSOLUTE
HIGH
LOW
HIGHLOW
HIGHADJ
MIPS_JMPADDR
ARM_MOV32A
ARM_MOV32
RISCV_HI20
ARM_MOV32T
THUMB_MOV32
RISCV_LOW12I
RISCV_LOW12S
SECTION
REL
MIPS_JMPADDR16
IA64_IMM64
DIR64
HIGH3ADJ
Members:
UNKNOWN
COFF
CODEVIEW
FPO
MISC
EXCEPTION
FIXUP
OMAP_TO_SRC
OMAP_FROM_SRC
BORLAND
CLSID
VC_FEATURE
POGO
ILTCG
MPX
REPRO
EX_DLLCHARACTERISTICS
Members:
CURSOR
BITMAP
ICON
MENU
DIALOG
STRING
FONTDIR
FONT
ACCELERATOR
RCDATA
MESSAGETABLE
GROUP_CURSOR
GROUP_ICON
VERSION
DLGINCLUDE
PLUGPLAY
VXD
ANICURSOR
ANIICON
HTML
MANIFEST
Members:
NEUTRAL
INVARIANT
AFRIKAANS
ALBANIAN
ARABIC
ARMENIAN
ASSAMESE
AZERI
BASQUE
BELARUSIAN
BANGLA
BULGARIAN
CATALAN
CHINESE
CROATIAN
BOSNIAN
CZECH
DANISH
DIVEHI
DUTCH
ENGLISH
ESTONIAN
FAEROESE
FARSI
FINNISH
FRENCH
GALICIAN
GEORGIAN
GERMAN
GREEK
GUJARATI
HEBREW
HINDI
HUNGARIAN
ICELANDIC
INDONESIAN
ITALIAN
JAPANESE
KANNADA
KASHMIRI
KAZAK
KONKANI
KOREAN
KYRGYZ
LATVIAN
LITHUANIAN
MACEDONIAN
MALAY
MALAYALAM
MANIPURI
MARATHI
MONGOLIAN
NEPALI
NORWEGIAN
ORIYA
POLISH
PORTUGUESE
PUNJABI
ROMANIAN
RUSSIAN
SANSKRIT
SERBIAN
SINDHI
SLOVAK
SLOVENIAN
SPANISH
SWAHILI
SWEDISH
SYRIAC
TAMIL
TATAR
TELUGU
THAI
TURKISH
UKRAINIAN
URDU
UZBEK
VIETNAMESE
GAELIC
MALTESE
MAORI
RHAETO_ROMANCE
SAMI
SORBIAN
SUTU
TSONGA
TSWANA
VENDA
XHOSA
ZULU
ESPERANTO
WALON
CORNISH
WELSH
BRETON
INUKTITUT
IRISH
LOWER_SORBIAN
PULAR
QUECHUA
TAMAZIGHT
TIGRINYA
VALENCIAN
Members:
AFRIKAANS_SOUTH_AFRICA
ALBANIAN_ALBANIA
ALSATIAN_FRANCE
AMHARIC_ETHIOPIA
ARABIC_ALGERIA
ARABIC_BAHRAIN
ARABIC_EGYPT
ARABIC_IRAQ
ARABIC_JORDAN
ARABIC_KUWAIT
ARABIC_LEBANON
ARABIC_LIBYA
ARABIC_MOROCCO
ARABIC_OMAN
ARABIC_QATAR
ARABIC_SAUDI_ARABIA
ARABIC_SYRIA
ARABIC_TUNISIA
ARABIC_UAE
ARABIC_YEMEN
ARMENIAN_ARMENIA
ASSAMESE_INDIA
AZERI_CYRILLIC
AZERI_LATIN
BASHKIR_RUSSIA
BASQUE_BASQUE
BELARUSIAN_BELARUS
BANGLA_BANGLADESH
BANGLA_INDIA
BOSNIAN_BOSNIA_HERZEGOVINA_CYRILLIC
BOSNIAN_BOSNIA_HERZEGOVINA_LATIN
BRETON_FRANCE
BULGARIAN_BULGARIA
CATALAN_CATALAN
CHINESE_HONGKONG
CHINESE_MACAU
CHINESE_SIMPLIFIED
CHINESE_SINGAPORE
CHINESE_TRADITIONAL
CORSICAN_FRANCE
CROATIAN_BOSNIA_HERZEGOVINA_LATIN
CROATIAN_CROATIA
CUSTOM_DEFAULT
CUSTOM_UNSPECIFIED
CZECH_CZECH_REPUBLIC
DANISH_DENMARK
DARI_AFGHANISTAN
DEFAULT
DIVEHI_MALDIVES
DUTCH_BELGIAN
DUTCH
ENGLISH_AUS
ENGLISH_BELIZE
ENGLISH_CAN
ENGLISH_CARIBBEAN
ENGLISH_EIRE
ENGLISH_INDIA
ENGLISH_JAMAICA
ENGLISH_MALAYSIA
ENGLISH_NZ
ENGLISH_PHILIPPINES
ENGLISH_SINGAPORE
ENGLISH_SOUTH_AFRICA
ENGLISH_TRINIDAD
ENGLISH_UK
ENGLISH_US
ENGLISH_ZIMBABWE
ENGLISH_IRELAND
ESTONIAN_ESTONIA
FAEROESE_FAROE_ISLANDS
FILIPINO_PHILIPPINES
FINNISH_FINLAND
FRENCH_BELGIAN
FRENCH_CANADIAN
FRENCH_LUXEMBOURG
FRENCH_MONACO
FRENCH_SWISS
FRENCH
FRISIAN_NETHERLANDS
GALICIAN_GALICIAN
GEORGIAN_GEORGIA
GERMAN_AUSTRIAN
GERMAN_LIECHTENSTEIN
GERMAN_LUXEMBOURG
GERMAN_SWISS
GERMAN
GREEK_GREECE
GREENLANDIC_GREENLAND
GUJARATI_INDIA
HAUSA_NIGERIA_LATIN
HEBREW_ISRAEL
HINDI_INDIA
HUNGARIAN_HUNGARY
ICELANDIC_ICELAND
IGBO_NIGERIA
INDONESIAN_INDONESIA
INUKTITUT_CANADA_LATIN
INUKTITUT_CANADA
IRISH_IRELAND
ITALIAN_SWISS
ITALIAN
JAPANESE_JAPAN
KANNADA_INDIA
KASHMIRI_INDIA
KASHMIRI_SASIA
KAZAK_KAZAKHSTAN
KHMER_CAMBODIA
KICHE_GUATEMALA
KINYARWANDA_RWANDA
KONKANI_INDIA
KOREAN
KYRGYZ_KYRGYZSTAN
LAO_LAO
LATVIAN_LATVIA
LITHUANIAN_CLASSIC
LITHUANIAN
LOWER_SORBIAN_GERMANY
LUXEMBOURGISH_LUXEMBOURG
MACEDONIAN_MACEDONIA
MALAY_BRUNEI_DARUSSALAM
MALAY_MALAYSIA
MALAYALAM_INDIA
MALTESE_MALTA
MAORI_NEW_ZEALAND
MAPUDUNGUN_CHILE
MARATHI_INDIA
MOHAWK_MOHAWK
MONGOLIAN_CYRILLIC_MONGOLIA
MONGOLIAN_PRC
NEPALI_INDIA
NEPALI_NEPAL
NEUTRAL
NORWEGIAN_BOKMAL
NORWEGIAN_NYNORSK
OCCITAN_FRANCE
ORIYA_INDIA
PASHTO_AFGHANISTAN
PERSIAN_IRAN
POLISH_POLAND
PORTUGUESE_BRAZILIAN
PORTUGUESE
PUNJABI_INDIA
QUECHUA_BOLIVIA
QUECHUA_ECUADOR
QUECHUA_PERU
ROMANIAN_ROMANIA
ROMANSH_SWITZERLAND
RUSSIAN_RUSSIA
SAMI_INARI_FINLAND
SAMI_LULE_NORWAY
SAMI_LULE_SWEDEN
SAMI_NORTHERN_FINLAND
SAMI_NORTHERN_NORWAY
SAMI_NORTHERN_SWEDEN
SAMI_SKOLT_FINLAND
SAMI_SOUTHERN_NORWAY
SAMI_SOUTHERN_SWEDEN
SANSKRIT_INDIA
SERBIAN_BOSNIA_HERZEGOVINA_CYRILLIC
SERBIAN_BOSNIA_HERZEGOVINA_LATIN
SERBIAN_CROATIA
SERBIAN_CYRILLIC
SERBIAN_LATIN
SINDHI_AFGHANISTAN
SINDHI_INDIA
SINDHI_PAKISTAN
SINHALESE_SRI_LANKA
SLOVAK_SLOVAKIA
SLOVENIAN_SLOVENIA
SOTHO_NORTHERN_SOUTH_AFRICA
SPANISH_ARGENTINA
SPANISH_BOLIVIA
SPANISH_CHILE
SPANISH_COLOMBIA
SPANISH_COSTA_RICA
SPANISH_DOMINICAN_REPUBLIC
SPANISH_ECUADOR
SPANISH_EL_SALVADOR
SPANISH_GUATEMALA
SPANISH_HONDURAS
SPANISH_MEXICAN
SPANISH_MODERN
SPANISH_NICARAGUA
SPANISH_PANAMA
SPANISH_PARAGUAY
SPANISH_PERU
SPANISH_PUERTO_RICO
SPANISH_URUGUAY
SPANISH_US
SPANISH_VENEZUELA
SPANISH
SWAHILI_KENYA
SWEDISH_FINLAND
SWEDISH
SYRIAC_SYRIA
SYS_DEFAULT
TAJIK_TAJIKISTAN
TAMAZIGHT_ALGERIA_LATIN
TAMIL_INDIA
TATAR_RUSSIA
TELUGU_INDIA
THAI_THAILAND
TIBETAN_PRC
TIGRIGNA_ERITREA
TSWANA_SOUTH_AFRICA
TURKISH_TURKEY
TURKMEN_TURKMENISTAN
UI_CUSTOM_DEFAULT
UIGHUR_PRC
UKRAINIAN_UKRAINE
UPPER_SORBIAN_GERMANY
URDU_INDIA
URDU_PAKISTAN
UZBEK_CYRILLIC
UZBEK_LATIN
VIETNAMESE_VIETNAM
WELSH_UNITED_KINGDOM
WOLOF_SENEGAL
XHOSA_SOUTH_AFRICA
YAKUT_RUSSIA
YI_PRC
YORUBA_NIGERIA
ZULU_SOUTH_AFRICA
PULAR_SENEGAL
PUNJABI_PAKISTAN
TSWANA_BOTSWANA
TAMIL_SRI_LANKA
TIGRINYA_ETHIOPIA
TIGRINYA_ERITREA
VALENCIAN_VALENCIA
Members:
IBM037
IBM437
IBM500
ASMO_708
DOS_720
IBM737
IBM775
IBM850
IBM852
IBM855
IBM857
IBM00858
IBM860
IBM861
DOS_862
IBM863
IBM864
IBM865
CP866
IBM869
IBM870
WINDOWS_874
CP875
SHIFT_JIS
GB2312
KS_C_5601_1987
BIG5
IBM1026
IBM01047
IBM01140
IBM01141
IBM01142
IBM01143
IBM01144
IBM01145
IBM01146
IBM01147
IBM01148
IBM01149
UTF_16
UNICODEFFFE
WINDOWS_1250
WINDOWS_1251
WINDOWS_1252
WINDOWS_1253
WINDOWS_1254
WINDOWS_1255
WINDOWS_1256
WINDOWS_1257
WINDOWS_1258
JOHAB
MACINTOSH
X_MAC_JAPANESE
X_MAC_CHINESETRAD
X_MAC_KOREAN
X_MAC_ARABIC
X_MAC_HEBREW
X_MAC_GREEK
X_MAC_CYRILLIC
X_MAC_CHINESESIMP
X_MAC_ROMANIAN
X_MAC_UKRAINIAN
X_MAC_THAI
X_MAC_CE
X_MAC_ICELANDIC
X_MAC_TURKISH
X_MAC_CROATIAN
UTF_32
UTF_32BE
X_CHINESE_CNS
X_CP20001
X_CHINESE_ETEN
X_CP20003
X_CP20004
X_CP20005
X_IA5
X_IA5_GERMAN
X_IA5_SWEDISH
X_IA5_NORWEGIAN
US_ASCII
X_CP20261
X_CP20269
IBM273
IBM277
IBM278
IBM280
IBM284
IBM285
IBM290
IBM297
IBM420
IBM423
IBM424
X_EBCDIC_KOREANEXTENDED
IBM_THAI
KOI8_R
IBM871
IBM880
IBM905
IBM00924
EUC_JP_JIS
X_CP20936
X_CP20949
CP1025
KOI8_U
ISO_8859_1
ISO_8859_2
ISO_8859_3
ISO_8859_4
ISO_8859_5
ISO_8859_6
ISO_8859_7
ISO_8859_8
ISO_8859_9
ISO_8859_13
ISO_8859_15
X_EUROPA
ISO_8859_8_I
ISO_2022_JP
CSISO2022JP
ISO_2022_JP_JIS
ISO_2022_KR
X_CP50227
EUC_JP
EUC_CN
EUC_KR
HZ_GB_2312
GB18030
X_ISCII_DE
X_ISCII_BE
X_ISCII_TA
X_ISCII_TE
X_ISCII_AS
X_ISCII_OR
X_ISCII_KA
X_ISCII_MA
X_ISCII_GU
X_ISCII_PA
UTF_7
UTF_8
Members:
OVERLAPPED
POPUP
CHILD
MINIMIZE
VISIBLE
DISABLED
CLIPSIBLINGS
CLIPCHILDREN
MAXIMIZE
CAPTION
BORDER
DLGFRAME
VSCROLL
HSCROLL
SYSMENU
THICKFRAME
GROUP
TABSTOP
MINIMIZEBOX
MAXIMIZEBOX
Members:
DLGMODALFRAME
NOPARENTNOTIFY
TOPMOST
ACCEPTFILES
TRANSPARENT
MDICHILD
TOOLWINDOW
WINDOWEDGE
CLIENTEDGE
CONTEXTHELP
RIGHT
LEFT
RTLREADING
LTRREADING
LEFTSCROLLBAR
RIGHTSCROLLBAR
CONTROLPARENT
STATICEDGE
APPWINDOW
Members:
ABSALIGN
SYSMODAL
LOCALEDIT
SETFONT
MODALFRAME
NOIDLEMSG
SETFOREGROUND
D3DLOOK
FIXEDSYS
NOFAILCREATE
CONTROL
CENTER
CENTERMOUSE
CONTEXTHELP
SHELLFONT
Members:
UNKNOWN
DOS
NT
WINDOWS16
WINDOWS32
OS216
OS232
PM16
PM32
DOS_WINDOWS16
DOS_WINDOWS32
NT_WINDOWS32
OS216_PM16
OS232_PM32
Members:
DEBUG
INFOINFERRED
PATCHED
PRERELEASE
PRIVATEBUILD
SPECIALBUILD
Members:
APP
DLL
DRV
FONT
STATIC_LIB
UNKNOWN
VXD
Members:
DRV_COMM
DRV_DISPLAY
DRV_INSTALLABLE
DRV_KEYBOARD
DRV_LANGUAGE
DRV_MOUSE
DRV_NETWORK
DRV_PRINTER
DRV_SOUND
DRV_SYSTEM
DRV_VERSIONED_PRINTER
FONT_RASTER
FONT_TRUETYPE
FONT_VECTOR
UNKNOWN
Members:
UNKNOWN
SEH
WIN_8_1
WIN10_0_9879
WIN10_0_14286
WIN10_0_14383
WIN10_0_14901
WIN10_0_15002
WIN10_0_16237
WIN10_0_18362
WIN10_0_19534
WIN10_0_MSVC_2019
WIN10_0_MSVC_2019_16
Members:
GCF_NONE
GCF_INSTRUMENTED
GCF_W_INSTRUMENTED
GCF_FUNCTION_TABLE_PRESENT
GCF_EXPORT_SUPPRESSION_INFO_PRESENT
GCF_ENABLE_EXPORT_SUPPRESSION
GCF_LONGJUMP_TABLE_PRESENT
GRF_INSTRUMENTED
GRF_ENABLE
GRF_STRICT
Members:
UNKNOWN
PDB_70
PDB_20
CV_50
CV_41
Members:
UNKNOWN
SHA_512
SHA_384
SHA_256
SHA_1
MD5
MD4
MD2
RSA
EC
MD5_RSA
SHA1_DSA
SHA1_RSA
SHA_256_RSA
SHA_384_RSA
SHA_512_RSA
SHA1_ECDSA
SHA_256_ECDSA
SHA_384_ECDSA
SHA_512_ECDSA
Members:
UNKNOWN
CONTENT_TYPE
GENERIC_TYPE
SPC_SP_OPUS_INFO
MS_COUNTER_SIGN
MS_SPC_NESTED_SIGN
MS_SPC_STATEMENT_TYPE
PKCS9_AT_SEQUENCE_NUMBER
PKCS9_COUNTER_SIGNATURE
PKCS9_MESSAGE_DIGEST
PKCS9_SIGNING_TIME