Class that represents the PE header (which follows the DosHeader) More...

#include <Header.hpp>

Inheritance diagram for LIEF::PE::Header:

Collaboration diagram for LIEF::PE::Header:

Public Types
enum class	MACHINE_TYPES { UNKNOWN = 0x0 , AM33 = 0x1D3 , AMD64 = 0x8664 , ARM = 0x1C0 , ARMNT = 0x1C4 , ARM64 = 0xAA64 , EBC = 0xEBC , I386 = 0x14C , IA64 = 0x200 , M32R = 0x9041 , MIPS16 = 0x266 , MIPSFPU = 0x366 , MIPSFPU16 = 0x466 , POWERPC = 0x1F0 , POWERPCFP = 0x1F1 , R4000 = 0x166 , RISCV32 = 0x5032 , RISCV64 = 0x5064 , RISCV128 = 0x5128 , SH3 = 0x1A2 , SH3DSP = 0x1A3 , SH4 = 0x1A6 , SH5 = 0x1A8 , THUMB = 0x1C2 , WCEMIPSV2 = 0x169 }

enum class	CHARACTERISTICS { NONE = 0x0000 , RELOCS_STRIPPED = 0x0001 , EXECUTABLE_IMAGE = 0x0002 , LINE_NUMS_STRIPPED = 0x0004 , LOCAL_SYMS_STRIPPED = 0x0008 , AGGRESSIVE_WS_TRIM = 0x0010 , LARGE_ADDRESS_AWARE = 0x0020 , BYTES_REVERSED_LO = 0x0080 , NEED_32BIT_MACHINE = 0x0100 , DEBUG_STRIPPED = 0x0200 , REMOVABLE_RUN_FROM_SWAP = 0x0400 , NET_RUN_FROM_SWAP = 0x0800 , SYSTEM = 0x1000 , DLL = 0x2000 , UP_SYSTEM_ONLY = 0x4000 , BYTES_REVERSED_HI = 0x8000 }

using	signature_t = std::array<uint8_t, 4>

Public Types inherited from LIEF::Object
template<class T >
using	output_t = add_pointer_t<decay_t<T>>

template<class T >
using	output_const_t = add_pointer_t<add_const_t<decay_t<T>>>

Public Member Functions
	Header (const details::pe_header &header)

Header &	operator= (const Header &)

	Header (const Header &)

const signature_t &	signature () const
	Signature (or magic byte) of the header. It must be: `PE\0\0`

MACHINE_TYPES	machine () const
	The targeted machine architecture like ARM, x86, AMD64, ...

uint16_t	numberof_sections () const
	The number of sections in the binary.

uint32_t	time_date_stamp () const
	The low 32 bits of the number of seconds since January 1, 1970. Basically, it indicates when the file was created.

uint32_t	pointerto_symbol_table () const
	The offset of the COFF symbol table.

uint32_t	numberof_symbols () const
	The number of entries in the symbol table. This data can be used to locate the string table which immediately follows the symbol table.

uint16_t	sizeof_optional_header () const
	Size of the OptionalHeader AND the data directories which follows this header.

uint32_t	characteristics () const
	Characteristics of the binary like whether it is a DLL or an executable.

bool	has_characteristic (CHARACTERISTICS c) const
	Check if the given CHARACTERISTICS is present.

std::vector< CHARACTERISTICS >	characteristics_list () const
	The list of the CHARACTERISTICS.

void	machine (MACHINE_TYPES type)

void	numberof_sections (uint16_t nb)

void	time_date_stamp (uint32_t timestamp)

void	pointerto_symbol_table (uint32_t ptr)

void	numberof_symbols (uint32_t nb)

void	sizeof_optional_header (uint16_t size)

void	characteristics (uint32_t characteristics)

void	signature (const signature_t &sig)

void	add_characteristic (CHARACTERISTICS c)

void	remove_characteristic (CHARACTERISTICS c)

void	accept (Visitor &visitor) const override

Public Member Functions inherited from LIEF::Object
	Object (const Object &other)

Object &	operator= (const Object &other)

template<class T >
output_t< T >	as ()

template<class T >
output_const_t< T >	as () const

virtual bool	operator== (const Object &other) const

virtual bool	operator!= (const Object &other) const

Static Public Member Functions
static Header	create (PE_TYPE type)

Detailed Description

Class that represents the PE header (which follows the DosHeader)

Member Enumeration Documentation

◆ CHARACTERISTICS

enum class LIEF::PE::Header::CHARACTERISTICS

strong

Enumerator
RELOCS_STRIPPED	The file does not contain base relocations and must be loaded at its preferred base. If this cannot be done, the loader will error.
EXECUTABLE_IMAGE	The file is valid and can be run.
LINE_NUMS_STRIPPED	COFF line numbers have been stripped. This is deprecated and should be 0
LOCAL_SYMS_STRIPPED	COFF symbol table entries for local symbols have been removed. This is deprecated and should be 0.
AGGRESSIVE_WS_TRIM	Aggressively trim working set. This is deprecated and must be 0.
LARGE_ADDRESS_AWARE	Image can handle > 2GiB addresses.
BYTES_REVERSED_LO	Little endian: the LSB precedes the MSB in memory. This is deprecated and should be 0.
NEED_32BIT_MACHINE	Machine is based on a 32bit word architecture.
DEBUG_STRIPPED	Debugging info has been removed.
REMOVABLE_RUN_FROM_SWAP	If the image is on removable media, fully load it and copy it to swap.
NET_RUN_FROM_SWAP	If the image is on network media, fully load it and copy it to swap.
SYSTEM	The image file is a system file, not a user program.
DLL	The image file is a DLL.
UP_SYSTEM_ONLY	This file should only be run on a uniprocessor machine.
BYTES_REVERSED_HI	Big endian: the MSB precedes the LSB in memory. This is deprecated

◆ MACHINE_TYPES

enum class LIEF::PE::Header::MACHINE_TYPES

strong

Enumerator
AM33	Matsushita AM33
AMD64	AMD x64
ARM	ARM little endian
ARMNT	ARMv7 Thumb mode only
ARM64	ARMv8 in 64-bits mode
EBC	EFI byte code
I386	Intel 386 or later
IA64	Intel Itanium processor family
M32R	Mitsubishi M32R little endian
MIPS16	MIPS16
MIPSFPU	MIPS with FPU
MIPSFPU16	MIPS16 with FPU
POWERPC	Power PC little endian
POWERPCFP	Power PC with floating point
R4000	MIPS with little endian
RISCV32	RISC-V 32-bit address space
RISCV64	RISC-V 64-bit address space
RISCV128	RISC-V 128-bit address space
SH3	Hitachi SH3
SH3DSP	Hitachi SH3 DSP
SH4	Hitachi SH4
SH5	Hitachi SH5
THUMB	ARM or Thumb
WCEMIPSV2	MIPS little-endian WCE v2

Member Function Documentation

◆ accept()

void LIEF::PE::Header::accept ( Visitor & visitor ) const

overridevirtual

Implements LIEF::Object.

◆ numberof_symbols()

uint32_t LIEF::PE::Header::numberof_symbols ( ) const

inline

The number of entries in the symbol table. This data can be used to locate the string table which immediately follows the symbol table.

This value should be zero for an image because COFF debugging information is deprecated.

◆ pointerto_symbol_table()

uint32_t LIEF::PE::Header::pointerto_symbol_table ( ) const

inline

The offset of the COFF symbol table.

This value should be zero for an image because COFF debugging information is deprecated.

◆ sizeof_optional_header()

uint16_t LIEF::PE::Header::sizeof_optional_header ( ) const

inline

Size of the OptionalHeader AND the data directories which follows this header.

This value is equivalent to: sizeof(pe_optional_header) + NB_DATA_DIR * sizeof(data_directory)

This size should be either:

0xE0 (224) for a PE32 (32 bits)
0xF0 (240) for a PE32+ (64 bits)

The documentation for this class was generated from the following file:

PE/Header.hpp

Public Types

Public Member Functions

Static Public Member Functions

Detailed Description

Member Enumeration Documentation

◆ CHARACTERISTICS

◆ MACHINE_TYPES

Member Function Documentation

◆ accept()

◆ numberof_symbols()

◆ pointerto_symbol_table()

◆ sizeof_optional_header()