LIEF: Library to Instrument Executable Formats Version 0.15.0
Loading...
Searching...
No Matches
Public Types | Public Member Functions | Static Public Member Functions | List of all members
LIEF::PE::OptionalHeader Class Reference

Class which represents the PE OptionalHeader structure. More...

#include <OptionalHeader.hpp>

Inheritance diagram for LIEF::PE::OptionalHeader:
Inheritance graph
[legend]
Collaboration diagram for LIEF::PE::OptionalHeader:
Collaboration graph
[legend]

Public Types

enum class  DLL_CHARACTERISTICS : size_t {
  HIGH_ENTROPY_VA = 0x0020 , DYNAMIC_BASE = 0x0040 , FORCE_INTEGRITY = 0x0080 , NX_COMPAT = 0x0100 ,
  NO_ISOLATION = 0x0200 , NO_SEH = 0x0400 , NO_BIND = 0x0800 , APPCONTAINER = 0x1000 ,
  WDM_DRIVER = 0x2000 , GUARD_CF = 0x4000 , TERMINAL_SERVER_AWARE = 0x8000
}
 
enum class  SUBSYSTEM : size_t {
  UNKNOWN = 0 , NATIVE = 1 , WINDOWS_GUI = 2 , WINDOWS_CUI = 3 ,
  OS2_CUI = 5 , POSIX_CUI = 7 , NATIVE_WINDOWS = 8 , WINDOWS_CE_GUI = 9 ,
  EFI_APPLICATION = 10 , EFI_BOOT_SERVICE_DRIVER = 11 , EFI_RUNTIME_DRIVER = 12 , EFI_ROM = 13 ,
  XBOX = 14 , WINDOWS_BOOT_APPLICATION = 16
}
 
- Public Types inherited from LIEF::Object
template<class T >
using output_t = add_pointer_t<decay_t<T>>
 
template<class T >
using output_const_t = add_pointer_t<add_const_t<decay_t<T>>>
 

Public Member Functions

 OptionalHeader (const details::pe32_optional_header &header)
 
 OptionalHeader (const details::pe64_optional_header &header)
 
OptionalHeaderoperator= (const OptionalHeader &)
 
 OptionalHeader (const OptionalHeader &)
 
PE_TYPE magic () const
 Magic bytes: either PE32 or PE32+ for 64-bits PE files.
 
uint8_t major_linker_version () const
 The linker major version.
 
uint8_t minor_linker_version () const
 The linker minor version.
 
uint32_t sizeof_code () const
 The size of the code .text section or the sum of all the sections that contain code (ie. PE::Section with the flag Section::CHARACTERISTICS::CNT_CODE)
 
uint32_t sizeof_initialized_data () const
 The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.
 
uint32_t sizeof_uninitialized_data () const
 The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.
 
uint32_t addressof_entrypoint () const
 The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.
 
uint32_t baseof_code () const
 Address relative to the imagebase where the binary's code starts.
 
uint32_t baseof_data () const
 Address relative to the imagebase where the binary's data starts.
 
uint64_t imagebase () const
 The preferred base address when mapping the binary in memory.
 
uint32_t section_alignment () const
 The alignment (in bytes) of sections when they are loaded into memory.
 
uint32_t file_alignment () const
 The section's file alignment. This value must be a power of 2 between 512 and 64K. The default value is usually 512.
 
uint16_t major_operating_system_version () const
 The major version number of the required operating system.
 
uint16_t minor_operating_system_version () const
 The minor version number of the required operating system.
 
uint16_t major_image_version () const
 The major version number of the image.
 
uint16_t minor_image_version () const
 The minor version number of the image.
 
uint16_t major_subsystem_version () const
 The major version number of the subsystem.
 
uint16_t minor_subsystem_version () const
 The minor version number of the subsystem.
 
uint32_t win32_version_value () const
 According to the official PE specifications, this value is reserved and should be 0.
 
uint32_t sizeof_image () const
 The size (in bytes) of the image, including all headers, as the image is loaded in memory.
 
uint32_t sizeof_headers () const
 Size of the DosHeader + PE Header + Section headers rounded up to a multiple of the file_alignment.
 
uint32_t checksum () const
 The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.
 
uint32_t computed_checksum () const
 The re-computed value of the OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.
 
SUBSYSTEM subsystem () const
 Target subsystem like Driver, XBox, Windows GUI, ...
 
uint32_t dll_characteristics () const
 Some characteristics of the underlying binary like the support of the PIE. The prefix dll comes from the official PE specifications but these characteristics are also used for executables
 
uint64_t sizeof_stack_reserve () const
 Size of the stack to reserve when loading the PE binary.
 
uint64_t sizeof_stack_commit () const
 Size of the stack to commit.
 
uint64_t sizeof_heap_reserve () const
 Size of the heap to reserve when loading the PE binary.
 
uint64_t sizeof_heap_commit () const
 Size of the heap to commit.
 
uint32_t loader_flags () const
 According to the PE specifications, this value is reserved and should be 0.
 
uint32_t numberof_rva_and_size () const
 The number of DataDirectory that follow this header.
 
bool has (DLL_CHARACTERISTICS c) const
 Check if the given DLL_CHARACTERISTICS is included in the dll_characteristics.
 
std::vector< DLL_CHARACTERISTICSdll_characteristics_list () const
 Return the list of the dll_characteristics as an std::set of DLL_CHARACTERISTICS.
 
void add (DLL_CHARACTERISTICS c)
 Add a DLL_CHARACTERISTICS to the current characteristics.
 
void remove (DLL_CHARACTERISTICS c)
 Remove a DLL_CHARACTERISTICS from the current characteristics.
 
void magic (PE_TYPE magic)
 
void major_linker_version (uint8_t value)
 
void minor_linker_version (uint8_t value)
 
void sizeof_code (uint32_t value)
 
void sizeof_initialized_data (uint32_t value)
 
void sizeof_uninitialized_data (uint32_t value)
 
void addressof_entrypoint (uint32_t value)
 
void baseof_code (uint32_t value)
 
void baseof_data (uint32_t value)
 
void imagebase (uint64_t value)
 
void section_alignment (uint32_t value)
 
void file_alignment (uint32_t value)
 
void major_operating_system_version (uint16_t value)
 
void minor_operating_system_version (uint16_t value)
 
void major_image_version (uint16_t value)
 
void minor_image_version (uint16_t value)
 
void major_subsystem_version (uint16_t value)
 
void minor_subsystem_version (uint16_t value)
 
void win32_version_value (uint32_t value)
 
void sizeof_image (uint32_t value)
 
void sizeof_headers (uint32_t value)
 
void checksum (uint32_t value)
 
void subsystem (SUBSYSTEM value)
 
void dll_characteristics (uint32_t value)
 
void sizeof_stack_reserve (uint64_t value)
 
void sizeof_stack_commit (uint64_t value)
 
void sizeof_heap_reserve (uint64_t value)
 
void sizeof_heap_commit (uint64_t value)
 
void loader_flags (uint32_t value)
 
void numberof_rva_and_size (uint32_t value)
 
void accept (Visitor &visitor) const override
 
OptionalHeaderoperator+= (DLL_CHARACTERISTICS c)
 
OptionalHeaderoperator-= (DLL_CHARACTERISTICS c)
 
- Public Member Functions inherited from LIEF::Object
 Object (const Object &other)
 
Objectoperator= (const Object &other)
 
template<class T >
output_t< T > as ()
 
template<class T >
output_const_t< T > as () const
 
virtual bool operator== (const Object &other) const
 
virtual bool operator!= (const Object &other) const
 

Static Public Member Functions

static OptionalHeader create (PE_TYPE type)
 

Detailed Description

Class which represents the PE OptionalHeader structure.

Member Enumeration Documentation

◆ DLL_CHARACTERISTICS

Enumerator
HIGH_ENTROPY_VA 

ASLR with 64 bit address space.

DYNAMIC_BASE 

DLL can be relocated at load time.

FORCE_INTEGRITY 

Code integrity checks are enforced.

NX_COMPAT 

Image is NX compatible.

NO_ISOLATION 

Isolation aware, but do not isolate the image.

NO_SEH 

Does not use structured exception handling (SEH). No SEH handler may be called in this image.

NO_BIND 

Do not bind the image.

APPCONTAINER 

Image should execute in an AppContainer.

WDM_DRIVER 

A WDM driver.

GUARD_CF 

Image supports Control Flow Guard.

TERMINAL_SERVER_AWARE 

Terminal Server aware.

◆ SUBSYSTEM

enum class LIEF::PE::OptionalHeader::SUBSYSTEM : size_t
strong
Enumerator
UNKNOWN 

An unknown subsystem.

NATIVE 

Device drivers and native Windows processes.

WINDOWS_GUI 

The Windows GUI subsystem.

WINDOWS_CUI 

The Windows character subsystem.

OS2_CUI 

The OS/2 character subsytem.

POSIX_CUI 

The POSIX character subsystem.

NATIVE_WINDOWS 

Native Windows 9x driver.

WINDOWS_CE_GUI 

Windows CE.

EFI_APPLICATION 

An EFI application.

EFI_BOOT_SERVICE_DRIVER 

An EFI driver with boot services.

EFI_RUNTIME_DRIVER 

An EFI driver with run-time services.

EFI_ROM 

An EFI ROM image.

XBOX 

XBOX.

WINDOWS_BOOT_APPLICATION 

A BCD application.

Member Function Documentation

◆ accept()

void LIEF::PE::OptionalHeader::accept ( Visitor & visitor) const
overridevirtual

Implements LIEF::Object.

◆ addressof_entrypoint()

uint32_t LIEF::PE::OptionalHeader::addressof_entrypoint ( ) const
inline

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

◆ baseof_data()

uint32_t LIEF::PE::OptionalHeader::baseof_data ( ) const
inline

Address relative to the imagebase where the binary's data starts.

Warning
This value is not present for PE64 files

◆ checksum()

uint32_t LIEF::PE::OptionalHeader::checksum ( ) const
inline

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.

The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

◆ computed_checksum()

uint32_t LIEF::PE::OptionalHeader::computed_checksum ( ) const
inline

The re-computed value of the OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF when parsing the PE binary.

◆ section_alignment()

uint32_t LIEF::PE::OptionalHeader::section_alignment ( ) const
inline

The alignment (in bytes) of sections when they are loaded into memory.

It must be greater than or equal to file_alignment and the default is the page size for the architecture.

◆ sizeof_image()

uint32_t LIEF::PE::OptionalHeader::sizeof_image ( ) const
inline

The size (in bytes) of the image, including all headers, as the image is loaded in memory.

It must be a multiple of section_alignment and should match Binary::virtual_size

◆ sizeof_initialized_data()

uint32_t LIEF::PE::OptionalHeader::sizeof_initialized_data ( ) const
inline

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_INITIALIZED_DATA

◆ sizeof_stack_reserve()

uint64_t LIEF::PE::OptionalHeader::sizeof_stack_reserve ( ) const
inline

Size of the stack to reserve when loading the PE binary.

Only :attr:~lief.PE.OptionalHeader.sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

◆ sizeof_uninitialized_data()

uint32_t LIEF::PE::OptionalHeader::sizeof_uninitialized_data ( ) const
inline

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_UNINITIALIZED_DATA


The documentation for this class was generated from the following file: