PE

Parser

class Parser : public LIEF::Parser

Main interface to parse PE binaries. In particular the static functions: Parser::parse should be used to get a LIEF::PE::Binary.

Public Functions

Parser &operator=(const Parser &copy) = delete
Parser(const Parser &copy) = delete

Public Static Functions

static bool is_valid_import_name(const std::string &name)

Check if the given name is a valid import.

This check verified that:

  1. The name is not too large or empty (cf. https://stackoverflow.com/a/23340781)

  2. All the characters are printable

static bool is_valid_dll_name(const std::string &name)

Check if the given name is a valid DLL name.

This check verifies that:

  1. The name of the DLL is at 4

  2. All the characters are printable

static std::unique_ptr<Binary> parse(const std::string &filename, const ParserConfig &conf = ParserConfig::all())

Parse a PE binary from the given filename.

static std::unique_ptr<Binary> parse(std::vector<uint8_t> data, const ParserConfig &conf = ParserConfig::all())

Parse a PE binary from a data buffer.

static std::unique_ptr<Binary> parse(std::unique_ptr<BinaryStream> stream, const ParserConfig &conf = ParserConfig::all())

Parse a PE binary from the given BinaryStream.

Public Static Attributes

static constexpr size_t MAX_DATA_SIZE = 3_GB

Maximum size of the data read.

static constexpr size_t MAX_TLS_CALLBACKS = 3000
static constexpr size_t MAX_DLL_NAME_SIZE = 255
static constexpr size_t MAX_PADDING_SIZE = 1_GB

Max size of the padding section.

struct ParserConfig

This structure is used to tweak the PE Parser (PE::Parser)

Public Members

bool parse_signature = true

Parse PE Authenticode signature.

bool parse_exports = true

Parse PE Exports Directory.

bool parse_imports = true

Parse PE Import Directory.

bool parse_rsrc = true

Parse PE resources tree.

bool parse_reloc = true

Parse PE relocations.

Public Static Functions

static inline ParserConfig all()

Binary

class Binary : public LIEF::Binary

Class which represents a PE binary This is the main interface to manage and modify a PE executable.

Public Types

using sections_t = std::vector<std::unique_ptr<Section>>

Internal container for storing PE’s Section.

using it_sections = ref_iterator<sections_t&, Section*>

Iterator that outputs Section& object.

using it_const_sections = const_ref_iterator<const sections_t&, const Section*>

Iterator that outputs const Section& object.

using data_directories_t = std::vector<std::unique_ptr<DataDirectory>>

Internal container for storing PE’s DataDirectory.

using it_data_directories = ref_iterator<data_directories_t&, DataDirectory*>

Iterator that outputs DataDirectory&.

using it_const_data_directories = const_ref_iterator<const data_directories_t&, const DataDirectory*>

Iterator that outputs const DataDirectory&.

using relocations_t = std::vector<std::unique_ptr<Relocation>>

Internal container for storing PE’s Relocation.

using it_relocations = ref_iterator<relocations_t&, Relocation*>

Iterator that outputs Relocation&.

using it_const_relocations = const_ref_iterator<const relocations_t&, const Relocation*>

Iterator that outputs const Relocation&.

using imports_t = std::vector<Import>

Internal container for storing PE’s Import.

using it_imports = ref_iterator<imports_t&>

Iterator that output Import&.

using it_const_imports = const_ref_iterator<const imports_t&>

Iterator that outputs const Import&.

using delay_imports_t = std::vector<DelayImport>

Internal container for storing PE’s DelayImport.

using it_delay_imports = ref_iterator<delay_imports_t&>

Iterator that output DelayImport&.

using it_const_delay_imports = const_ref_iterator<const delay_imports_t&>

Iterator that outputs const DelayImport&.

using debug_entries_t = std::vector<std::unique_ptr<Debug>>

Internal container for storing Debug information.

using it_debug_entries = ref_iterator<debug_entries_t&, Debug*>

Iterator that outputs Debug&.

using it_const_debug_entries = const_ref_iterator<const debug_entries_t&, const Debug*>

Iterator that outputs const Debug&.

using symbols_t = std::vector<Symbol>

Internal container for storing COFF Symbols.

using it_symbols = ref_iterator<symbols_t&>

Iterator that outputs Symbol&.

using it_const_symbols = const_ref_iterator<const symbols_t&>

Iterator that outputs const Symbol&.

using strings_table_t = std::vector<std::string>

Internal container for storing strings.

using it_strings_table = ref_iterator<strings_table_t&>

Iterator that outputs std::string&.

using it_const_strings_table = const_ref_iterator<const strings_table_t&>

Iterator that outputs const std::string&.

using signatures_t = std::vector<Signature>

Internal container for storing PE’s authenticode Signature.

using it_signatures = ref_iterator<signatures_t&>

Iterator that outputs Signature&.

using it_const_signatures = const_ref_iterator<const signatures_t&>

Iterator that outputs const Signature&.

Public Functions

Binary(PE_TYPE type)
~Binary() override
inline PE_TYPE type() const

Return PE32 or PE32+

uint64_t rva_to_offset(uint64_t RVA)

Convert a Relative Virtual Address into an offset.

The conversion is performed by looking for the section that encompasses the provided RVA.

uint64_t va_to_offset(uint64_t VA)

Convert the absolute virtual address into an offset.

virtual result<uint64_t> offset_to_virtual_address(uint64_t offset, uint64_t slide = 0) const override

Convert the given offset into a virtual address.

Parameters:
  • offset[in] The offset to convert.

  • slide[in] If not 0, it will replace the default base address (if any)

inline virtual uint64_t imagebase() const override

Return binary’s imagebase. 0 if not relevant.

The value is the same as those returned by OptionalHeader::imagebase

Section *section_from_offset(uint64_t offset)

Find the section associated that encompasses the given offset.

If no section can be found, return a nullptr

const Section *section_from_offset(uint64_t offset) const
Section *section_from_rva(uint64_t virtual_address)

Find the section associated that encompasses the given RVA.

If no section can be found, return a nullptr

const Section *section_from_rva(uint64_t virtual_address) const
inline it_sections sections()

Return an iterator over the PE’s Section.

inline it_const_sections sections() const
inline DosHeader &dos_header()

Return a reference to the PE::DosHeader object.

inline const DosHeader &dos_header() const
inline Header &header()

Return a reference to the PE::Header object.

inline const Header &header() const
inline OptionalHeader &optional_header()

Return a reference to the OptionalHeader object.

inline const OptionalHeader &optional_header() const
uint64_t virtual_size() const

Compute the binary’s virtual size. It should match OptionalHeader::sizeof_image.

uint32_t sizeof_headers() const

Compute the size of all the headers.

inline TLS *tls()

Return a reference to the TLS object.

inline const TLS *tls() const
void tls(const TLS &tls)

Set a TLS object in the current Binary.

inline bool has_tls() const

Check if the current binary has a TLS object.

inline bool has_imports() const

Check if the current binary contains imports.

See also

Import

inline bool has_signatures() const

Check if the current binary contains signatures.

See also

signatures

inline bool has_exports() const

Check if the current binary has exports.

See also

Export

inline bool has_resources() const

Check if the current binary has resources.

bool has_exceptions() const

Check if the current binary has exceptions.

inline bool has_relocations() const

Check if the current binary has relocations.

See also

Relocation

inline bool has_debug() const

Check if the current binary contains debug information.

inline bool has_configuration() const

Check if the current binary has a load configuration.

bool is_reproducible_build() const

Check if the current binary is reproducible build, replacing timestamps by a compile hash.

See also

Repro

inline it_const_signatures signatures() const

Return an iterator over the Signature object(s) if the binary is signed.

inline it_signatures signatures()
Signature::VERIFICATION_FLAGS verify_signature(Signature::VERIFICATION_CHECKS checks = Signature::VERIFICATION_CHECKS::DEFAULT) const

Verify the binary against the embedded signature(s) (if any) First, it checks that the embedded signatures are correct (c.f. Signature::check) and then, it checks that the authentihash matches ContentInfo::digest.

One can tweak the verification process with the Signature::VERIFICATION_CHECKS flags

Signature::VERIFICATION_FLAGS verify_signature(const Signature &sig, Signature::VERIFICATION_CHECKS checks = Signature::VERIFICATION_CHECKS::DEFAULT) const

Verify the binary with the Signature object provided in the first parameter It can be used to verify a detached signature:

result<Signature> detached = LIEF::PE::SignatureParser::parse("sig.pkcs7")
if (detached) {
  binary->verify_signature(detached.value());
}
std::vector<uint8_t> authentihash(ALGORITHMS algo) const

Compute the authentihash according to the algorithm provided in the first parameter.

uint32_t predict_function_rva(const std::string &library, const std::string &function)

Try to predict the RVA of the function function in the import library library

Note

It should be used with: LIEF::PE::Builder::build_imports set to true

Warning

The value could be chang if imports change

Parameters:
  • library[in] Library name in which the function is located

  • function[in] Function name

Returns:

The address of the function (IAT) in the new import table

inline Export *get_export()

Return the Export object.

inline const Export *get_export() const
std::vector<Symbol> &symbols()

Return binary Symbols.

const std::vector<Symbol> &symbols() const
inline ResourceNode *resources()

Return resources as a tree or a nullptr if there is no resources.

inline const ResourceNode *resources() const
void set_resources(const ResourceDirectory &resource)

Set a new resource tree.

void set_resources(const ResourceData &resource)

Set a new resource tree.

result<ResourcesManager> resources_manager() const

Return the ResourcesManager (class to manage resources more easily than the tree one)

Section *get_section(const std::string &name)

Return binary’s section from its name. If the secion can’t be found, return a nullptr.

Parameters:

name[in] Name of the Section

const Section *get_section(const std::string &name) const
const Section *import_section() const

Return the section associated with import table or a nullptr if the binary does not have an import table.

Section *import_section()
virtual void remove_section(const std::string &name, bool clear = false) override

Delete the section with the given name.

Parameters:
  • name[in] Name of section to delete

  • clear[in] if true clear the section’s content with 0 before removing (default: false)

void remove(const Section &section, bool clear = false)

Remove the given section.

Section *add_section(const Section &section, PE_SECTION_TYPES type = PE_SECTION_TYPES::UNKNOWN)

Add a section to the binary and return the section added.

inline it_relocations relocations()

Return an iterator over the PE’s Relocation.

inline it_const_relocations relocations() const
Relocation &add_relocation(const Relocation &relocation)

Add a PE::Relocation.

void remove_all_relocations()

Remove all the relocations.

inline it_data_directories data_directories()

Return an iterator over the DataDirectory present in the Binary.

inline it_const_data_directories data_directories() const
DataDirectory *data_directory(DataDirectory::TYPES type)

Return the DataDirectory with the given type (or index)

const DataDirectory *data_directory(DataDirectory::TYPES type) const
inline bool has(DataDirectory::TYPES type) const

Check if the current binary has the given DataDirectory::TYPES.

inline it_debug_entries debug()

Return an iterator over the Debug entries.

inline it_const_debug_entries debug() const
inline const LoadConfiguration *load_configuration() const

Retrun the LoadConfiguration object or a nullptr if the binary does not use the LoadConfiguration.

inline LoadConfiguration *load_configuration()
inline span<const uint8_t> overlay() const

Return the overlay content.

inline span<uint8_t> overlay()
inline uint64_t overlay_offset() const

Return the original overlay offset.

inline span<const uint8_t> dos_stub() const

Return the DOS stub content.

inline span<uint8_t> dos_stub()
void dos_stub(const std::vector<uint8_t> &content)

Update the DOS stub content.

inline RichHeader *rich_header()

Return a reference to the RichHeader object.

inline const RichHeader *rich_header() const
void rich_header(const RichHeader &rich_header)

Set a RichHeader object in the current Binary.

inline bool has_rich_header() const

Check if the current binary has a RichHeader object.

inline it_imports imports()

Return an iterator over the binary imports.

inline it_const_imports imports() const
Import *get_import(const std::string &import_name)

Returns the PE::Import from the given name. If it can’t be found, return a nullptr.

Parameters:

import_name[in] Name of the import

const Import *get_import(const std::string &import_name) const
inline bool has_import(const std::string &import_name) const

True if the binary imports the given library name

Parameters:

import_name[in] Name of the import

inline bool has_delay_imports() const

Check if the current binary contains delay imports.

See also

DelayImport

See also

has_import

inline it_delay_imports delay_imports()

Return an iterator over the binary’s delay imports.

inline it_const_delay_imports delay_imports() const
DelayImport *get_delay_import(const std::string &import_name)

Returns the PE::DelayImport from the given name. If it can’t be found, return a nullptr.

Parameters:

import_name[in] Name of the delay import

const DelayImport *get_delay_import(const std::string &import_name) const
inline bool has_delay_import(const std::string &import_name) const

True if the binary delay-imports the given library name

Parameters:

import_name[in] Name of the delay import

ImportEntry *add_import_function(const std::string &library, const std::string &function)

Add the function function of the library library. If the function fails, it returns a nullptr.

Parameters:
  • library[in] Library name of the function

  • function[in] Function’s name from the library to import

Import &add_library(const std::string &name)

Add an imported library (i.e. DLL) to the binary.

void remove_library(const std::string &name)

Remove the library with the given name

void remove_all_libraries()

Remove all libraries in the binary.

virtual void write(const std::string &filename) override

Reconstruct the binary object and write the raw PE in filename

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

virtual void write(std::ostream &os) override

Reconstruct the binary object and write the raw PE in os stream.

Rebuild a PE binary from the current Binary object. When rebuilding, import table and relocations are not rebuilt.

virtual void accept(Visitor &visitor) const override

Method so that a visitor can visit us.

virtual void patch_address(uint64_t address, const std::vector<uint8_t> &patch_value, LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the content at virtual address address with patch_value.

Parameters:
  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual void patch_address(uint64_t address, uint64_t patch_value, size_t size = sizeof(uint64_t), LIEF::Binary::VA_TYPES addr_type = LIEF::Binary::VA_TYPES::AUTO) override

Patch the address with the given value.

Parameters:
  • address[in] Address to patch

  • patch_value[in] Patch to apply

  • size[in] Size of the value in bytes (1, 2, … 8)

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual span<const uint8_t> get_content_from_virtual_address(uint64_t virtual_address, uint64_t size, Binary::VA_TYPES addr_type = Binary::VA_TYPES::AUTO) const override

Return the content located at the provided virtual address.

Parameters:
  • virtual_address[in] Virtual address of the data to retrieve

  • size[in] Size in bytes of the data to retrieve

  • addr_type[in] Type of the Virtual address: VA or RVA. Default: Auto

virtual uint64_t entrypoint() const override

Return the binary’s entrypoint (It is the same value as OptionalHeader::addressof_entrypoint.

virtual bool is_pie() const override

Check if the binary is position independent.

virtual bool has_nx() const override

Check if the binary uses NX protection.

virtual LIEF::Binary::functions_t ctor_functions() const override

Return the list of the binary constructors.

In a PE file, we consider a constructors as a callback in the TLS object

LIEF::Binary::functions_t functions() const

All functions found in the binary

LIEF::Binary::functions_t exception_functions() const

Functions found in the Exception table directory.

virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LIEF::Binary *bin)

Dos Header

class DosHeader : public LIEF::Object

Class which represents the DosHeader, the first structure presents at the beginning of a PE file.

Most of the attributes of this structures are not relevant.

Public Types

using reserved_t = std::array<uint16_t, 4>
using reserved2_t = std::array<uint16_t, 10>

Public Functions

DosHeader(const details::pe_dos_header &header)
DosHeader(const DosHeader&)
DosHeader &operator=(const DosHeader&)
DosHeader(DosHeader&&)
DosHeader &operator=(DosHeader&&)
~DosHeader() override
inline uint16_t magic() const

Magic bytes identifying a DOS/PE binary.

inline uint16_t used_bytes_in_last_page() const
inline uint16_t file_size_in_pages() const
inline uint16_t numberof_relocation() const
inline uint16_t header_size_in_paragraphs() const
inline uint16_t minimum_extra_paragraphs() const
inline uint16_t maximum_extra_paragraphs() const
inline uint16_t initial_relative_ss() const
inline uint16_t initial_sp() const
inline uint16_t checksum() const
inline uint16_t initial_ip() const
inline uint16_t initial_relative_cs() const
inline uint16_t addressof_relocation_table() const
inline uint16_t overlay_number() const
inline const reserved_t &reserved() const
inline uint16_t oem_id() const
inline uint16_t oem_info() const
inline const reserved2_t &reserved2() const
inline uint32_t addressof_new_exeheader() const

Return the offset to the PE::Header structure.

inline void magic(uint16_t magic)
inline void used_bytes_in_last_page(uint16_t value)
inline void file_size_in_pages(uint16_t value)
inline void numberof_relocation(uint16_t value)
inline void header_size_in_paragraphs(uint16_t value)
inline void minimum_extra_paragraphs(uint16_t value)
inline void maximum_extra_paragraphs(uint16_t value)
inline void initial_relative_ss(uint16_t value)
inline void initial_sp(uint16_t value)
inline void checksum(uint16_t value)
inline void initial_ip(uint16_t value)
inline void initial_relative_cs(uint16_t value)
inline void addressof_relocation_table(uint16_t value)
inline void overlay_number(uint16_t value)
inline void reserved(const reserved_t &reserved)
inline void oem_id(uint16_t value)
inline void oem_info(uint16_t value)
inline void reserved2(const reserved2_t &reserved2)
inline void addressof_new_exeheader(uint32_t value)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static DosHeader create(PE_TYPE type)

Public Static Attributes

static constexpr uint16_t MAGIC = 0x5a4d

Friends

friend std::ostream &operator<<(std::ostream &os, const DosHeader &entry)


Optional Header

class OptionalHeader : public LIEF::Object

Class which represents the PE OptionalHeader structure.

Public Types

enum class DLL_CHARACTERISTICS : size_t

Values:

enumerator HIGH_ENTROPY_VA = 0x0020

ASLR with 64 bit address space.

enumerator DYNAMIC_BASE = 0x0040

DLL can be relocated at load time.

enumerator FORCE_INTEGRITY = 0x0080

Code integrity checks are enforced.

enumerator NX_COMPAT = 0x0100

Image is NX compatible.

enumerator NO_ISOLATION = 0x0200

Isolation aware, but do not isolate the image.

enumerator NO_SEH = 0x0400

Does not use structured exception handling (SEH). No SEH handler may be called in this image.

enumerator NO_BIND = 0x0800

Do not bind the image.

enumerator APPCONTAINER = 0x1000

Image should execute in an AppContainer.

enumerator WDM_DRIVER = 0x2000

A WDM driver.

enumerator GUARD_CF = 0x4000

Image supports Control Flow Guard.

enumerator TERMINAL_SERVER_AWARE = 0x8000

Terminal Server aware.

enum class SUBSYSTEM : size_t

Values:

enumerator UNKNOWN = 0

An unknown subsystem.

enumerator NATIVE = 1

Device drivers and native Windows processes.

enumerator WINDOWS_GUI = 2

The Windows GUI subsystem.

enumerator WINDOWS_CUI = 3

The Windows character subsystem.

enumerator OS2_CUI = 5

The OS/2 character subsytem.

enumerator POSIX_CUI = 7

The POSIX character subsystem.

enumerator NATIVE_WINDOWS = 8

Native Windows 9x driver.

enumerator WINDOWS_CE_GUI = 9

Windows CE.

enumerator EFI_APPLICATION = 10

An EFI application.

enumerator EFI_BOOT_SERVICE_DRIVER = 11

An EFI driver with boot services.

enumerator EFI_RUNTIME_DRIVER = 12

An EFI driver with run-time services.

enumerator EFI_ROM = 13

An EFI ROM image.

enumerator XBOX = 14

XBOX.

enumerator WINDOWS_BOOT_APPLICATION = 16

A BCD application.

Public Functions

OptionalHeader(const details::pe32_optional_header &header)
OptionalHeader(const details::pe64_optional_header &header)
~OptionalHeader() override
OptionalHeader &operator=(const OptionalHeader&)
OptionalHeader(const OptionalHeader&)
inline PE_TYPE magic() const

Magic bytes: either PE32 or PE32+ for 64-bits PE files.

inline uint8_t major_linker_version() const

The linker major version.

inline uint8_t minor_linker_version() const

The linker minor version.

inline uint32_t sizeof_code() const

The size of the code .text section or the sum of all the sections that contain code (ie. PE::Section with the flag Section::CHARACTERISTICS::CNT_CODE)

inline uint32_t sizeof_initialized_data() const

The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the initialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_INITIALIZED_DATA

inline uint32_t sizeof_uninitialized_data() const

The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections.

The sections associated with the uninitialized data are usually identified with the flag Section::CHARACTERISTICS::CNT_UNINITIALIZED_DATA

inline uint32_t addressof_entrypoint() const

The address of the entry point relative to the image base when the executable file is loaded into memory. For program images, this is the starting address. For device drivers, this is the address of the initialization function.

An entry point is optional for DLLs. When no entry point is present, this field must be zero.

inline uint32_t baseof_code() const

Address relative to the imagebase where the binary’s code starts.

inline uint32_t baseof_data() const

Address relative to the imagebase where the binary’s data starts.

Warning

This value is not present for PE64 files

inline uint64_t imagebase() const

The preferred base address when mapping the binary in memory.

inline uint32_t section_alignment() const

The alignment (in bytes) of sections when they are loaded into memory.

It must be greater than or equal to file_alignment and the default is the page size for the architecture.

inline uint32_t file_alignment() const

The section’s file alignment. This value must be a power of 2 between 512 and 64K. The default value is usually 512.

inline uint16_t major_operating_system_version() const

The major version number of the required operating system.

inline uint16_t minor_operating_system_version() const

The minor version number of the required operating system.

inline uint16_t major_image_version() const

The major version number of the image.

inline uint16_t minor_image_version() const

The minor version number of the image.

inline uint16_t major_subsystem_version() const

The major version number of the subsystem.

inline uint16_t minor_subsystem_version() const

The minor version number of the subsystem.

inline uint32_t win32_version_value() const

According to the official PE specifications, this value is reserved and should be 0.

inline uint32_t sizeof_image() const

The size (in bytes) of the image, including all headers, as the image is loaded in memory.

It must be a multiple of section_alignment and should match Binary::virtual_size

inline uint32_t sizeof_headers() const

Size of the DosHeader + PE Header + Section headers rounded up to a multiple of the file_alignment.

inline uint32_t checksum() const

The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL.

The following are checked for validation at load time all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process.

inline uint32_t computed_checksum() const

The re-computed value of the OptionalHeader::checksum. If both values do not match, it could mean that the binary has been modified after the compilation.

This value is computed by LIEF when parsing the PE binary.

inline SUBSYSTEM subsystem() const

Target subsystem like Driver, XBox, Windows GUI, …

inline uint32_t dll_characteristics() const

Some characteristics of the underlying binary like the support of the PIE. The prefix dll comes from the official PE specifications but these characteristics are also used for executables

inline uint64_t sizeof_stack_reserve() const

Size of the stack to reserve when loading the PE binary.

Only :attr:~lief.PE.OptionalHeader.sizeof_stack_commit is committed, the rest is made available one page at a time until the reserve size is reached.

inline uint64_t sizeof_stack_commit() const

Size of the stack to commit.

inline uint64_t sizeof_heap_reserve() const

Size of the heap to reserve when loading the PE binary.

inline uint64_t sizeof_heap_commit() const

Size of the heap to commit.

inline uint32_t loader_flags() const

According to the PE specifications, this value is reserved and should be 0.

inline uint32_t numberof_rva_and_size() const

The number of DataDirectory that follow this header.

bool has(DLL_CHARACTERISTICS c) const

Check if the given DLL_CHARACTERISTICS is included in the dll_characteristics.

std::vector<DLL_CHARACTERISTICS> dll_characteristics_list() const

Return the list of the dll_characteristics as an std::set of DLL_CHARACTERISTICS.

void add(DLL_CHARACTERISTICS c)

Add a DLL_CHARACTERISTICS to the current characteristics.

void remove(DLL_CHARACTERISTICS c)

Remove a DLL_CHARACTERISTICS from the current characteristics.

inline void magic(PE_TYPE magic)
inline void major_linker_version(uint8_t value)
inline void minor_linker_version(uint8_t value)
inline void sizeof_code(uint32_t value)
inline void sizeof_initialized_data(uint32_t value)
inline void sizeof_uninitialized_data(uint32_t value)
inline void addressof_entrypoint(uint32_t value)
inline void baseof_code(uint32_t value)
inline void baseof_data(uint32_t value)
inline void imagebase(uint64_t value)
inline void section_alignment(uint32_t value)
inline void file_alignment(uint32_t value)
inline void major_operating_system_version(uint16_t value)
inline void minor_operating_system_version(uint16_t value)
inline void major_image_version(uint16_t value)
inline void minor_image_version(uint16_t value)
inline void major_subsystem_version(uint16_t value)
inline void minor_subsystem_version(uint16_t value)
inline void win32_version_value(uint32_t value)
inline void sizeof_image(uint32_t value)
inline void sizeof_headers(uint32_t value)
inline void checksum(uint32_t value)
inline void subsystem(SUBSYSTEM value)
inline void dll_characteristics(uint32_t value)
inline void sizeof_stack_reserve(uint64_t value)
inline void sizeof_stack_commit(uint64_t value)
inline void sizeof_heap_reserve(uint64_t value)
inline void sizeof_heap_commit(uint64_t value)
inline void loader_flags(uint32_t value)
inline void numberof_rva_and_size(uint32_t value)
virtual void accept(Visitor &visitor) const override
OptionalHeader &operator+=(DLL_CHARACTERISTICS c)
OptionalHeader &operator-=(DLL_CHARACTERISTICS c)

Public Static Functions

static OptionalHeader create(PE_TYPE type)

Friends

friend std::ostream &operator<<(std::ostream &os, const OptionalHeader &entry)

Data Directory

class DataDirectory : public LIEF::Object

Class that represents a PE data directory entry.

Public Types

enum class TYPES : size_t

Values:

enumerator EXPORT_TABLE = 0
enumerator IMPORT_TABLE
enumerator RESOURCE_TABLE
enumerator EXCEPTION_TABLE
enumerator CERTIFICATE_TABLE
enumerator BASE_RELOCATION_TABLE
enumerator DEBUG
enumerator ARCHITECTURE
enumerator GLOBAL_PTR
enumerator TLS_TABLE
enumerator LOAD_CONFIG_TABLE
enumerator BOUND_IMPORT
enumerator IAT
enumerator DELAY_IMPORT_DESCRIPTOR
enumerator CLR_RUNTIME_HEADER
enumerator RESERVED
enumerator UNKNOWN

Public Functions

DataDirectory()
inline DataDirectory(TYPES type)
DataDirectory(const details::pe_data_directory &header, TYPES type)
DataDirectory(const DataDirectory &other)
DataDirectory &operator=(const DataDirectory &other)
DataDirectory(DataDirectory &&other)
DataDirectory &operator=(DataDirectory &&other)
~DataDirectory() override
inline uint32_t RVA() const

The relative virtual address of the content of this data directory.

inline uint32_t size() const

The size of the content.

inline bool has_section() const

Check if the content of this data directory is associated with a PE Cection.

inline Section *section()

Section associated with the DataDirectory.

inline const Section *section() const
inline TYPES type() const

Type of the data directory.

inline void size(uint32_t size)
inline void RVA(uint32_t rva)
virtual void accept(Visitor &visitor) const override

Public Static Attributes

static constexpr size_t DEFAULT_NB = 16

Friends

friend std::ostream &operator<<(std::ostream &os, const DataDirectory &entry)

Section

class Section : public LIEF::Section

Class which represents a PE section.

Public Types

enum class CHARACTERISTICS : size_t

Values:

enumerator TYPE_NO_PAD = 0x00000008
enumerator CNT_CODE = 0x00000020
enumerator CNT_INITIALIZED_DATA = 0x00000040
enumerator CNT_UNINITIALIZED_DATA = 0x00000080
enumerator LNK_OTHER = 0x00000100
enumerator LNK_INFO = 0x00000200
enumerator LNK_REMOVE = 0x00000800
enumerator LNK_COMDAT = 0x00001000
enumerator GPREL = 0x00008000
enumerator MEM_PURGEABLE = 0x00010000
enumerator MEM_16BIT = 0x00020000
enumerator MEM_LOCKED = 0x00040000
enumerator MEM_PRELOAD = 0x00080000
enumerator ALIGN_1BYTES = 0x00100000
enumerator ALIGN_2BYTES = 0x00200000
enumerator ALIGN_4BYTES = 0x00300000
enumerator ALIGN_8BYTES = 0x00400000
enumerator ALIGN_16BYTES = 0x00500000
enumerator ALIGN_32BYTES = 0x00600000
enumerator ALIGN_64BYTES = 0x00700000
enumerator ALIGN_128BYTES = 0x00800000
enumerator ALIGN_256BYTES = 0x00900000
enumerator ALIGN_512BYTES = 0x00A00000
enumerator ALIGN_1024BYTES = 0x00B00000
enumerator ALIGN_2048BYTES = 0x00C00000
enumerator ALIGN_4096BYTES = 0x00D00000
enumerator ALIGN_8192BYTES = 0x00E00000
enumerator LNK_NRELOC_OVFL = 0x01000000
enumerator MEM_DISCARDABLE = 0x02000000
enumerator MEM_NOT_CACHED = 0x04000000
enumerator MEM_NOT_PAGED = 0x08000000
enumerator MEM_SHARED = 0x10000000
enumerator MEM_EXECUTE = 0x20000000
enumerator MEM_READ = 0x40000000
enumerator MEM_WRITE = 0x80000000

Public Functions

Section(const details::pe_section &header)
Section()
Section(const std::vector<uint8_t> &data, const std::string &name = "", uint32_t characteristics = 0)
Section(const std::string &name)
Section &operator=(const Section&)
Section(const Section&)
~Section() override
uint32_t sizeof_raw_data() const

Return the size of the data in the section.

inline uint32_t virtual_size() const

Return the size of the data when mapped in memory.

If this value is greater than sizeof_raw_data, the section is zero-padded.

inline virtual span<const uint8_t> content() const override

The actual content of the section.

inline span<const uint8_t> padding() const

Content of the section’s padding area.

uint32_t pointerto_raw_data() const

The offset of the section data in the PE file.

inline uint32_t pointerto_relocation() const

The file pointer to the beginning of the COFF relocation entries for the section. This is set to zero for executable images or if there are no relocations.

For modern PE binaries, this value is usually set to 0 as the relocations are managed by PE::Relocation.

inline uint32_t pointerto_line_numbers() const

The file pointer to the beginning of line-number entries for the section. This is set to zero if there are no COFF line numbers. This value should be zero for an image because COFF debugging information is deprecated and modern debug information relies on the PDB files.

inline uint16_t numberof_relocations() const

No longer used in recent PE binaries produced by Visual Studio.

inline uint16_t numberof_line_numbers() const

No longer used in recent PE binaries produced by Visual Studio.

inline uint32_t characteristics() const

Characteristics of the section: it gives information about the permissions of the section when mapped. It can also provides information about the purpose of the section (contain code, BSS-like, …)

bool is_type(PE_SECTION_TYPES type) const

Deprecated do not use. It will likely change in a future release of LIEF.

const std::set<PE_SECTION_TYPES> &types() const

Deprecated do not use. It will likely change in a future release of LIEF.

inline bool has_characteristic(CHARACTERISTICS c) const

Check if the section has the given CHARACTERISTICS.

std::vector<CHARACTERISTICS> characteristics_list() const

List of the section characteristics as a std::set.

void clear(uint8_t c)

Fill the content of the section with the given char

virtual void content(const std::vector<uint8_t> &data) override

Change section content.

virtual void name(const std::string &name) override

Change the section’s name.

inline void virtual_size(uint32_t virtual_sz)
void pointerto_raw_data(uint32_t ptr)
inline void pointerto_relocation(uint32_t ptr)
inline void pointerto_line_numbers(uint32_t ptr)
inline void numberof_relocations(uint16_t nb)
inline void numberof_line_numbers(uint16_t nb)
void sizeof_raw_data(uint32_t sizeOfRawData)
inline void characteristics(uint32_t characteristics)
void type(PE_SECTION_TYPES type)
void add_type(PE_SECTION_TYPES type)
void remove_type(PE_SECTION_TYPES type)
inline void remove_characteristic(Section::CHARACTERISTICS characteristic)
inline void add_characteristic(Section::CHARACTERISTICS characteristic)
virtual void accept(Visitor &visitor) const override

Public Static Attributes

static constexpr size_t MAX_SECTION_NAME = 8

Friends

friend std::ostream &operator<<(std::ostream &os, const Section &section)

Import

class Import : public LIEF::Object

Class that represents a PE import.

Public Types

using entries_t = std::vector<ImportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Import(const details::pe_import &import)
Import(std::string name)
Import()
~Import() override
Import(const Import &other)
Import(Import &&other)
Import &operator=(Import &&other)
Import &operator=(const Import &other)
uint32_t forwarder_chain() const

The index of the first forwarder reference.

uint32_t timedatestamp() const

The stamp that is set to zero until the image is bound. After the image is bound, this field is set to the time/data stamp of the DLL.

it_const_entries entries() const

Iterator over the PE::ImportEntry.

it_entries entries()
uint32_t import_address_table_rva() const

The RVA of the import address table (IAT). The content of this table is identical to the content of the Import Lookup Table (ILT) until the image is bound.

Warning

This address could change when re-building the binary

uint32_t import_lookup_table_rva() const

Return the relative virtual address of the import lookup table.

Warning

This address could change when re-building the binary

result<uint32_t> get_function_rva_from_iat(const std::string &function) const

Return the Function’s RVA from the import address table (IAT)

Warning

This address could change when re-building the binary

ImportEntry *get_entry(const std::string &name)

Return the imported function with the given name.

const ImportEntry *get_entry(const std::string &name) const
const std::string &name() const

Return the library’s name (e.g. kernel32.dll)

void name(const std::string &name)

Change the current import name.

DataDirectory *directory()

Return the PE::DataDirectory associated with this import. It should be the one at index PE::DataDirectory::TYPES::IMPORT_TABLE.

If the data directory can’t be found, return a nullptr

const DataDirectory *directory() const
DataDirectory *iat_directory()

Return the PE::DataDirectory associated associated with the IAT. It should be the one at index PE::DataDirectory::TYPES::IAT.

If the data directory can’t be found, return a nullptr

const DataDirectory *iat_directory() const
ImportEntry &add_entry(const ImportEntry &entry)

Add a new import entry (i.e. an imported function)

ImportEntry &add_entry(const std::string &name)

Add a new import entry with the given name (i.e. an imported function)

void import_lookup_table_rva(uint32_t rva)
void import_address_table_rva(uint32_t rva)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Import &entry)

Import Entry

class ImportEntry : public LIEF::Symbol

Class that represents an entry (i.e. an import) in the import table (Import).

It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API

Public Functions

ImportEntry()
ImportEntry(uint64_t data, const std::string &name = "")
ImportEntry(uint64_t data, PE_TYPE type, const std::string &name)
ImportEntry(const std::string &name)
ImportEntry(const std::string &name, PE_TYPE type)
ImportEntry(const ImportEntry&)
ImportEntry &operator=(const ImportEntry&)
~ImportEntry() override
bool is_ordinal() const

True if it is an import by ordinal

uint16_t ordinal() const

The ordinal value.

uint64_t hint_name_rva() const

uint16_t hint() const

Index into the Export::entries that is used to speed-up the symbol resolution.

uint64_t iat_value() const

Value of the current entry in the Import Address Table. It should match the lookup table value.

uint64_t data() const

Raw value.

uint64_t iat_address() const

Original address of the entry in the Import Address Table

void data(uint64_t data)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ImportEntry &entry)

Delay Import

class DelayImport : public LIEF::Object

Class that represents a PE delayed import.

Public Types

using entries_t = std::vector<DelayImportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

DelayImport()
DelayImport(const details::delay_imports &import, PE_TYPE type)
DelayImport(std::string name)
~DelayImport() override
DelayImport(const DelayImport&)
DelayImport &operator=(const DelayImport&)
DelayImport(DelayImport&&)
DelayImport &operator=(DelayImport&&)
void swap(DelayImport &other)
uint32_t attribute() const

According to the official PE specifications, this value is reserved and should be set to 0.

void attribute(uint32_t hdl)
const std::string &name() const

Return the library’s name (e.g. kernel32.dll)

void name(std::string name)
uint32_t handle() const

The RVA of the module handle (in the .data section) It is used for storage by the routine that is supplied to manage delay-loading.

void handle(uint32_t hdl)
uint32_t iat() const

RVA of the delay-load import address table.

void iat(uint32_t iat)
uint32_t names_table() const

RVA of the delay-load import names table. The content of this table has the layout as the Import lookup table.

void names_table(uint32_t value)
uint32_t biat() const

RVA of the bound delay-load import address table or 0 if the table does not exist.

void biat(uint32_t value)
uint32_t uiat() const

RVA of the unload delay-load import address table or 0 if the table does not exist.

According to the PE specifications, this table is an exact copy of the delay import address table that can be used to to restore the original IAT the case of unloading.

void uiat(uint32_t value)
uint32_t timestamp() const

The timestamp of the DLL to which this image has been bound.

void timestamp(uint32_t value)
it_entries entries()

Iterator over the DelayImport’s entries (DelayImportEntry)

it_const_entries entries() const

Iterator over the DelayImport’s entries (DelayImportEntry)

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const DelayImport &entry)

Delay Import Entry

class DelayImportEntry : public LIEF::Symbol

Class that represents an entry (i.e. an import) in the delay import table (DelayImport).

It extends the LIEF::Symbol generic class that exposes the LIEF::Symbol::name and LIEF::Symbol::value API

The meaning of LIEF::Symbol::value for this PE object is the address (as an RVA) in the IAT where the resolution should take place

Public Functions

DelayImportEntry()
DelayImportEntry(uint64_t data, PE_TYPE type)
DelayImportEntry(const DelayImportEntry&)
DelayImportEntry &operator=(const DelayImportEntry&)
DelayImportEntry(DelayImportEntry&&)
DelayImportEntry &operator=(DelayImportEntry&&)
~DelayImportEntry() override
bool is_ordinal() const

True if it is an import by ordinal

uint16_t ordinal() const

The ordinal value.

uint64_t hint_name_rva() const

uint16_t hint() const

Index into the Export::entries that is used to speed-up the symbol resolution.

uint64_t iat_value() const

Value of the current entry in the Import Address Table.

uint64_t data() const

Raw value.

void data(uint64_t data)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const DelayImportEntry &entry)

TLS

class TLS : public LIEF::Object

Class which represents the PE Thread Local Storage.

This PE structure is also used to implement binary/library constructors.

Public Functions

TLS()
TLS(const details::pe32_tls &header)
TLS(const details::pe64_tls &header)
~TLS() override
TLS(const TLS &copy)
TLS &operator=(const TLS &copy)
TLS(TLS &&other)
TLS &operator=(TLS &&other)
inline const std::vector<uint64_t> &callbacks() const

List of the callback associated with the current TLS.

These functions are called before any other functions of the PE binary.

inline const std::pair<uint64_t, uint64_t> &addressof_raw_data() const

Pair (start address, end address) of the TLS template. The template is a block of data that is used to initialize TLS data. The system copies all of this data each time a thread is created, so it must not be corrupted.

Note

These addresses are not RVA. It is addresses for which there should be a rebase relocation in the .reloc section.

inline uint64_t addressof_index() const

The location to receive the TLS index, which the loader assigns. This location is in an ordinary data section, so it can be given a symbolic name that is accessible to the program.

inline uint64_t addressof_callbacks() const

The pointer to an array of TLS callback functions.

The array is null-terminated, so if no callback function is supported, this field points to 4 bytes set to zero.

inline uint32_t sizeof_zero_fill() const

The size in bytes of the template, beyond the initialized data delimited by the addressof_raw_data field. The total template size should be the same as the total size of TLS data in the image file. The zero fill is the amount of data that comes after the initialized nonzero data.

inline uint32_t characteristics() const

The four bits [23:20] describe alignment info. Possible values are those defined as IMAGE_SCN_ALIGN_*, which are also used to describe alignment of section in object files. The other 28 bits are reserved for future use.

inline span<const uint8_t> data_template() const

The data template content.

inline bool has_data_directory() const

True if there is a data directory associated with this entry.

inline DataDirectory *directory()

Return the DataDirectory associated with this object or a nullptr If it exists, its type should be DataDirectory::TYPES::TLS_TABLE.

inline const DataDirectory *directory() const
inline bool has_section() const

Check if there is a section associated with this entry.

inline Section *section()

The section associated with the entry (or a nullptr)

inline const Section *section() const
inline void callbacks(std::vector<uint64_t> callbacks)
inline void addressof_raw_data(std::pair<uint64_t, uint64_t> addresses)
inline void addressof_index(uint64_t addr_idx)
inline void addressof_callbacks(uint64_t addr)
inline void sizeof_zero_fill(uint32_t size)
inline void characteristics(uint32_t characteristics)
inline void data_template(std::vector<uint8_t> data_template)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const TLS &entry)

Debug

class Debug : public LIEF::Object

This class represents a generic entry in the debug data directory. For known types, this class is extended to provide a dedicated API (see: ! CodeCodeView)

Subclassed by LIEF::PE::CodeView, LIEF::PE::Pogo, LIEF::PE::Repro

Public Types

enum class TYPES

The entry types.

Values:

enumerator UNKNOWN = 0
enumerator COFF = 1

COFF debug information.

enumerator CODEVIEW = 2

CodeView debug information (pdb & cie)

enumerator FPO = 3

Frame pointer omission information.

enumerator MISC = 4

CodeView Debug Information.

enumerator EXCEPTION = 5

A copy of .pdata section.

enumerator FIXUP = 6

Reserved.

enumerator OMAP_TO_SRC = 7

The mapping from an RVA in image to an RVA in source image.

enumerator OMAP_FROM_SRC = 8

The mapping from an RVA in source image to an RVA in image.

enumerator BORLAND = 9

Reserved for Borland.

enumerator RESERVED10 = 10

Reserved.

enumerator CLSID = 11

Reserved.

enumerator VC_FEATURE = 12
enumerator POGO = 13

Profile Guided Optimization metadata.

enumerator ILTCG = 14
enumerator MPX = 15
enumerator REPRO = 16

PE determinism or reproducibility.

enumerator EX_DLLCHARACTERISTICS = 20

Public Functions

Debug()
inline Debug(TYPES type)
Debug(const details::pe_debug &debug_s)
Debug(const Debug &other)
Debug &operator=(const Debug &other)
~Debug() override
virtual std::unique_ptr<Debug> clone() const
inline uint32_t characteristics() const

Reserved should be 0.

inline uint32_t timestamp() const

The time and date that the debug data was created.

inline uint16_t major_version() const

The major version number of the debug data format.

inline uint16_t minor_version() const

The minor version number of the debug data format.

inline TYPES type() const

The format DEBUG_TYPES of the debugging information.

inline uint32_t sizeof_data() const

Size of the debug data.

inline uint32_t addressof_rawdata() const

Address of the debug data relative to the image base.

inline uint32_t pointerto_rawdata() const

File offset of the debug data.

inline void characteristics(uint32_t characteristics)
inline void timestamp(uint32_t timestamp)
inline void major_version(uint16_t major_version)
inline void minor_version(uint16_t minor_version)
inline void sizeof_data(uint32_t sizeof_data)
inline void addressof_rawdata(uint32_t addressof_rawdata)
inline void pointerto_rawdata(uint32_t pointerto_rawdata)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Debug &entry)

Code View

class CodeView : public LIEF::PE::Debug

Interface for the (Generic) Debug CodeView (IMAGE_DEBUG_TYPE_CODEVIEW)

Subclassed by LIEF::PE::CodeViewPDB

Public Types

enum class SIGNATURES

Code view signatures.

Values:

enumerator UNKNOWN = 0
enumerator PDB_70 = 0x53445352
enumerator PDB_20 = 0x3031424e
enumerator CV_50 = 0x3131424e
enumerator CV_41 = 0x3930424e

Public Functions

CodeView()
inline CodeView(SIGNATURES sig)
CodeView(const details::pe_debug &debug, SIGNATURES sig)
CodeView(const CodeView &other)
CodeView &operator=(const CodeView &other)
~CodeView() override
inline SIGNATURES signature() const

The signature that defines the underlying type of the payload.

inline virtual std::unique_ptr<Debug> clone() const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const Debug *debug)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeView &entry)

Code View PDB

class CodeViewPDB : public LIEF::PE::CodeView

CodeView PDB specialization.

Public Types

using signature_t = std::array<uint8_t, 16>

Public Functions

CodeViewPDB()
CodeViewPDB(const details::pe_debug &debug_info, const details::pe_pdb_70 &pdb_70)
CodeViewPDB(const CodeViewPDB &other)
CodeViewPDB &operator=(const CodeViewPDB &other)
inline uint32_t age() const
inline const signature_t &signature() const
inline const std::string &filename() const
inline void age(uint32_t age)
inline void signature(const signature_t &sig)
inline void filename(std::string filename)
inline virtual std::unique_ptr<Debug> clone() const override
virtual void accept(Visitor &visitor) const override
~CodeViewPDB() override

Public Static Functions

static inline bool classof(const Debug *debug)

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeViewPDB &entry)

Symbol

class Symbol : public LIEF::Symbol

Class that represents a PE symbol.

Public Functions

Symbol(const details::pe_symbol &header)
Symbol()
~Symbol() override
Symbol &operator=(Symbol other)
Symbol(const Symbol &other)
void swap(Symbol &other)
int16_t section_number() const
uint16_t type() const
SYMBOL_BASE_TYPES base_type() const
SYMBOL_COMPLEX_TYPES complex_type() const
SYMBOL_STORAGE_CLASS storage_class() const
uint8_t numberof_aux_symbols() const
std::wstring wname() const
Section *section()
const Section *section() const
bool has_section() const

True if symbols are located in a section

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Symbol &entry)

Relocation

class Relocation : public LIEF::Object

Class which represents the Base Relocation Block We usually find this structure in the .reloc section.

Public Types

using entries_t = std::vector<std::unique_ptr<RelocationEntry>>
using it_entries = ref_iterator<entries_t&, RelocationEntry*>
using it_const_entries = const_ref_iterator<const entries_t&, RelocationEntry*>

Public Functions

Relocation() = default
Relocation(const Relocation &other)
Relocation &operator=(Relocation other)
Relocation(const details::pe_base_relocation_block &header)
~Relocation() override = default
void swap(Relocation &other)
inline uint32_t virtual_address() const

The RVA for which the offset of the relocation entries (RelocationEntry) is added.

inline uint32_t block_size() const

The total number of bytes in the base relocation block. block_size = sizeof(BaseRelocationBlock) + nb_of_relocs * sizeof(uint16_t = RelocationEntry)

inline it_const_entries entries() const

Iterator over the RelocationEntry.

inline it_entries entries()
inline void virtual_address(uint32_t virtual_address)
inline void block_size(uint32_t block_size)
RelocationEntry &add_entry(const RelocationEntry &entry)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Relocation &relocation)

Relocation Entry

class RelocationEntry : public LIEF::Relocation

Class which represents an entry of the PE relocation table.

It extends the LIEF::Relocation object to provide an uniform API across the file formats

Public Types

enum class BASE_TYPES

Values:

enumerator UNKNOWN = -1
enumerator ABS = 0
enumerator HIGH = 1
enumerator LOW = 2
enumerator HIGHLOW = 3
enumerator HIGHADJ = 4
enumerator MIPS_JMPADDR = 5
enumerator ARM_MOV32A = 5 + 0x101
enumerator ARM_MOV32 = 5 + 0x102
enumerator RISCV_HI20 = 5 + 0x103
enumerator SECTION = 6
enumerator REL = 7
enumerator ARM_MOV32T = 7 + 0x201
enumerator THUMB_MOV32 = 7 + 0x202
enumerator RISCV_LOW12I = 7 + 0x203
enumerator RISCV_LOW12S = 8
enumerator IA64_IMM64 = 9
enumerator MIPS_JMPADDR16 = 9 + 0x300
enumerator DIR64 = 10
enumerator HIGH3ADJ = 11

Public Functions

RelocationEntry() = default
RelocationEntry(const RelocationEntry &other)
RelocationEntry &operator=(RelocationEntry other)
RelocationEntry(uint16_t position, BASE_TYPES type)
~RelocationEntry() override = default
void swap(RelocationEntry &other)
virtual uint64_t address() const override

The address of the relocation.

virtual void address(uint64_t address) override
virtual size_t size() const override

The size of the relocatable pointer.

virtual void size(size_t size) override
uint16_t data() const

Raw data of the relocation:

  • The high 4 bits store the relocation type

  • The low 12 bits store the relocation offset

inline uint16_t position() const

Offset relative to Relocation::virtual_address where the relocation occurs.

inline BASE_TYPES type() const

Type of the relocation.

void data(uint16_t data)
inline void position(uint16_t position)
inline void type(BASE_TYPES type)
virtual void accept(Visitor &visitor) const override

Method so that the visitor can visit us.

Public Static Functions

static inline RelocationEntry from_raw(Header::MACHINE_TYPES arch, uint16_t raw)

Friends

friend class PE::Relocation
friend std::ostream &operator<<(std::ostream &os, const RelocationEntry &entry)

Export

class Export : public LIEF::Object

Class which represents a PE Export.

Public Types

using entries_t = std::vector<ExportEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Export()
Export(const details::pe_export_directory_table &header)
Export(const Export&)
Export &operator=(const Export&)
~Export() override
inline uint32_t export_flags() const

According to the PE specifications this value is reserved and should be set to 0.

inline uint32_t timestamp() const

The time and date that the export data was created.

inline uint16_t major_version() const

The major version number (can be user-defined)

inline uint16_t minor_version() const

The minor version number (can be user-defined)

inline uint32_t ordinal_base() const

The starting number for the exports. Usually this value is set to 1.

inline const std::string &name() const

The name of the library exported (e.g. KERNEL32.dll)

inline it_entries entries()

Iterator over the ExportEntry.

inline it_const_entries entries() const
inline void export_flags(uint32_t flags)
inline void timestamp(uint32_t timestamp)
inline void major_version(uint16_t major_version)
inline void minor_version(uint16_t minor_version)
inline void ordinal_base(uint32_t ordinal_base)
inline void name(std::string name)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const Export &exp)

Export Entry

class ExportEntry : public LIEF::Symbol

Class which represents a PE Export entry (cf. PE::Export)

Public Functions

ExportEntry()
ExportEntry(uint32_t address, bool is_extern, uint16_t ordinal, uint32_t function_rva)
ExportEntry(const ExportEntry&)
ExportEntry &operator=(const ExportEntry&)
~ExportEntry() override
uint16_t ordinal() const
uint32_t address() const
bool is_extern() const
bool is_forwarded() const
forward_information_t forward_information() const
uint32_t function_rva() const
void ordinal(uint16_t ordinal)
void address(uint32_t address)
void is_extern(bool is_extern)
inline virtual uint64_t value() const override
inline virtual void value(uint64_t value) override
inline void set_forward_info(std::string lib, std::string function)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ExportEntry &exportEntry)
struct forward_information_t

Public Functions

operator bool() const

Public Members

std::string library
std::string function

Friends

friend std::ostream &operator<<(std::ostream &os, const forward_information_t &info)

Signature

class Signature : public LIEF::Object

Main interface for the PKCS #7 signature scheme.

Public Types

enum class VERIFICATION_FLAGS

Flags returned by the verification functions.

Values:

enumerator OK = 0
enumerator INVALID_SIGNER = 1 << 0
enumerator UNSUPPORTED_ALGORITHM = 1 << 1
enumerator INCONSISTENT_DIGEST_ALGORITHM = 1 << 2
enumerator CERT_NOT_FOUND = 1 << 3
enumerator CORRUPTED_CONTENT_INFO = 1 << 4
enumerator CORRUPTED_AUTH_DATA = 1 << 5
enumerator MISSING_PKCS9_MESSAGE_DIGEST = 1 << 6
enumerator BAD_DIGEST = 1 << 7
enumerator BAD_SIGNATURE = 1 << 8
enumerator NO_SIGNATURE = 1 << 9
enumerator CERT_EXPIRED = 1 << 10
enumerator CERT_FUTURE = 1 << 11
enum class VERIFICATION_CHECKS

Flags to tweak the verification process of the signature.

See Signature::check and LIEF::PE::Binary::verify_signature

Values:

enumerator DEFAULT = 1 << 0

Default behavior that tries to follow the Microsoft verification process as close as possible

enumerator HASH_ONLY = 1 << 1

Only check that Binary::authentihash matches ContentInfo::digest regardless of the signature’s validity

enumerator LIFETIME_SIGNING = 1 << 2

Same semantic as WTD_LIFETIME_SIGNING_FLAG

enumerator SKIP_CERT_TIME = 1 << 3

Skip the verification of the certificates time validities so that even though a certificate expired, it returns VERIFICATION_FLAGS::OK

using it_const_crt = const_ref_iterator<const std::vector<x509>&>

Iterator which outputs const x509& certificates.

using it_crt = ref_iterator<std::vector<x509>&>

Iterator which outputs x509& certificates.

using it_const_signers_t = const_ref_iterator<const std::vector<SignerInfo>&>

Iterator which outputs const SignerInfo&.

using it_signers_t = ref_iterator<std::vector<SignerInfo>&>

Iterator which outputs SignerInfo&.

Public Functions

Signature()
Signature(const Signature&)
Signature &operator=(const Signature&)
Signature(Signature&&)
Signature &operator=(Signature&&)
uint32_t version() const

Should be 1.

inline ALGORITHMS digest_algorithm() const

Algorithm used to digest the file.

It should match SignerInfo::digest_algorithm

const ContentInfo &content_info() const

Return the ContentInfo.

inline it_const_crt certificates() const

Return an iterator over x509 certificates.

inline it_crt certificates()
inline it_const_signers_t signers() const

Return an iterator over the signers (SignerInfo) defined in the PKCS #7 signature.

inline it_signers_t signers()
inline span<const uint8_t> raw_der() const

Return the raw original PKCS7 signature.

const x509 *find_crt(const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its serial number.

const x509 *find_crt_subject(const std::string &subject) const

Find x509 certificate according to its subject.

const x509 *find_crt_subject(const std::string &subject, const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its subject AND serial number.

const x509 *find_crt_issuer(const std::string &issuer) const

Find x509 certificate according to its issuer.

const x509 *find_crt_issuer(const std::string &issuer, const std::vector<uint8_t> &serialno) const

Find x509 certificate according to its issuer AND serial number.

VERIFICATION_FLAGS check(VERIFICATION_CHECKS checks = VERIFICATION_CHECKS::DEFAULT) const

Check if this signature is valid according to the Authenticode/PKCS #7 verification scheme.

By default, it performs the following verifications:

  1. It must contain only one signer info

  2. Signature::digest_algorithm must match:

  3. The x509 certificate specified by SignerInfo::serial_number and SignerInfo::issuer must exist within Signature::certificates

  4. Given the x509 certificate, compare SignerInfo::encrypted_digest against either:

    • hash of authenticated attributes if present

    • hash of ContentInfo

  5. If authenticated attributes are present, check that a PKCS9_MESSAGE_DIGEST attribute exists and that its value matches hash of ContentInfo

  6. Check the validity of the PKCS #9 counter signature if present

  7. If the signature doesn’t embed a signing-time in the counter signature, check the certificate validity. (See LIEF::PE::Signature::VERIFICATION_CHECKS::LIFETIME_SIGNING and LIEF::PE::Signature::VERIFICATION_CHECKS::SKIP_CERT_TIME)

See: LIEF::PE::Signature::VERIFICATION_CHECKS to tweak the behavior

virtual void accept(Visitor &visitor) const override
~Signature() override

Public Static Functions

static inline std::vector<uint8_t> hash(const std::vector<uint8_t> &input, ALGORITHMS algo)

Hash the input given the algorithm.

static std::vector<uint8_t> hash(const uint8_t *buffer, size_t size, ALGORITHMS algo)
static std::string flag_to_string(VERIFICATION_FLAGS flag)

Convert a verification flag into a humman representation. e.g VERIFICATION_FLAGS.BAD_DIGEST | VERIFICATION_FLAGS.BAD_SIGNATURE | VERIFICATION_FLAGS.CERT_EXPIRED.

Friends

friend std::ostream &operator<<(std::ostream &os, const Signature &signature)

Signature Attribute

class Attribute : public LIEF::Object

Interface over PKCS #7 attribute.

Subclassed by LIEF::PE::ContentType, LIEF::PE::GenericType, LIEF::PE::MsSpcNestedSignature, LIEF::PE::MsSpcStatementType, LIEF::PE::PKCS9AtSequenceNumber, LIEF::PE::PKCS9CounterSignature, LIEF::PE::PKCS9MessageDigest, LIEF::PE::PKCS9SigningTime, LIEF::PE::SpcSpOpusInfo

Public Types

enum class TYPE

Values:

enumerator UNKNOWN = 0
enumerator CONTENT_TYPE
enumerator GENERIC_TYPE
enumerator SPC_SP_OPUS_INFO
enumerator MS_COUNTER_SIGN
enumerator MS_SPC_NESTED_SIGN
enumerator MS_SPC_STATEMENT_TYPE
enumerator PKCS9_AT_SEQUENCE_NUMBER
enumerator PKCS9_COUNTER_SIGNATURE
enumerator PKCS9_MESSAGE_DIGEST
enumerator PKCS9_SIGNING_TIME

Public Functions

Attribute() = delete
Attribute(const Attribute&) = default
Attribute &operator=(const Attribute&) = default
virtual std::unique_ptr<Attribute> clone() const = 0
inline virtual TYPE type() const

Concrete type of the attribute.

virtual std::string print() const = 0

Print information about the underlying attribute.

virtual void accept(Visitor &visitor) const override
~Attribute() override = default

Friends

friend std::ostream &operator<<(std::ostream &os, const Attribute &Attribute)

Signature ContentType

class ContentType : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.3 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

ContentType ::= OBJECT IDENTIFIER

Public Functions

inline ContentType()
inline ContentType(oid_t oid)
ContentType(const ContentType&) = default
ContentType &operator=(const ContentType&) = default
inline const oid_t &oid() const

OID as described in RFC #2985.

virtual std::string print() const override

Print information about the attribute.

inline virtual std::unique_ptr<Attribute> clone() const override
virtual void accept(Visitor &visitor) const override
~ContentType() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature GenericType

class GenericType : public LIEF::PE::Attribute

Interface over an attribute for which the internal structure is not supported by LIEF.

Public Functions

inline GenericType()
inline GenericType(oid_t oid, std::vector<uint8_t> raw)
GenericType(const GenericType&) = default
GenericType &operator=(const GenericType&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const oid_t &oid() const

OID of the original attribute.

inline span<const uint8_t> raw_content() const

Original DER blob of the attribute.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~GenericType() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature MsSpcNestedSignature

class MsSpcNestedSignature : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.4.1

The internal structure is not documented but we can infer the following structure:

MsSpcNestedSignature ::= SET OF SignedData

SignedData is the structure described in PKCS #7 RFC (LIEF::PE::Signature)

Public Functions

MsSpcNestedSignature() = delete
inline MsSpcNestedSignature(Signature sig)
MsSpcNestedSignature(const MsSpcNestedSignature&) = default
MsSpcNestedSignature &operator=(const MsSpcNestedSignature&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const Signature &sig() const

Underlying Signature object.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~MsSpcNestedSignature() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature MsSpcStatementType

class MsSpcStatementType : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.11

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcStatementType ::= SEQUENCE of OBJECT IDENTIFIER

Public Functions

MsSpcStatementType() = delete
inline MsSpcStatementType(oid_t oid)
MsSpcStatementType(const MsSpcStatementType&) = default
MsSpcStatementType &operator=(const MsSpcStatementType&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const oid_t &oid() const

According to the documentation:

The SpcStatementType MUST contain one Object Identifier with either the value 1.3.6.1.4.1.311.2.1.21 (SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID) or 1.3.6.1.4.1.311.2.1.22 (SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID).

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~MsSpcStatementType() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature PKCS9AtSequenceNumber

class PKCS9AtSequenceNumber : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.25.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

sequenceNumber ATTRIBUTE ::= {
  WITH SYNTAX SequenceNumber
  EQUALITY MATCHING RULE integerMatch
  SINGLE VALUE TRUE
  ID pkcs-9-at-sequenceNumber
}

SequenceNumber ::= INTEGER (1..MAX)

Public Functions

PKCS9AtSequenceNumber() = delete
inline PKCS9AtSequenceNumber(uint32_t num)
PKCS9AtSequenceNumber(const PKCS9AtSequenceNumber&) = default
PKCS9AtSequenceNumber &operator=(const PKCS9AtSequenceNumber&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline uint32_t number() const

Number as described in the RFC.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~PKCS9AtSequenceNumber() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature PKCS9CounterSignature

class PKCS9CounterSignature : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.6 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

counterSignature ATTRIBUTE ::= {
  WITH SYNTAX SignerInfo
  ID pkcs-9-at-counterSignature
}

Public Functions

PKCS9CounterSignature() = delete
inline PKCS9CounterSignature(SignerInfo signer)
PKCS9CounterSignature(const PKCS9CounterSignature&) = default
PKCS9CounterSignature &operator=(const PKCS9CounterSignature&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const SignerInfo &signer() const

SignerInfo as described in the RFC #2985.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~PKCS9CounterSignature() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature PKCS9MessageDigest

class PKCS9MessageDigest : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.4 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

messageDigest ATTRIBUTE ::= {
  WITH SYNTAX MessageDigest
  EQUALITY MATCHING RULE octetStringMatch
  SINGLE VALUE TRUE
  ID pkcs-9-at-messageDigest
}

MessageDigest ::= OCTET STRING

Public Functions

PKCS9MessageDigest() = delete
inline PKCS9MessageDigest(std::vector<uint8_t> digest)
PKCS9MessageDigest(const PKCS9MessageDigest&) = default
PKCS9MessageDigest &operator=(const PKCS9MessageDigest&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline span<const uint8_t> digest() const

Message digeset as a blob of bytes as described in the RFC.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~PKCS9MessageDigest() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature PKCS9SigningTime

class PKCS9SigningTime : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.2.840.113549.1.9.5 (PKCS #9)

The internal structure is described in the RFC #2985: PKCS #9 - Selected Object Classes and Attribute Types Version 2.0

signingTime ATTRIBUTE ::= {
        WITH SYNTAX SigningTime
        EQUALITY MATCHING RULE signingTimeMatch
        SINGLE VALUE TRUE
        ID pkcs-9-at-signingTime
}

SigningTime ::= Time -- imported from ISO/IEC 9594-8

Public Types

using time_t = std::array<int32_t, 6>

Time as an array [year, month, day, hour, min, sec].

Public Functions

PKCS9SigningTime() = delete
inline PKCS9SigningTime(time_t time)
PKCS9SigningTime(const PKCS9SigningTime&) = default
PKCS9SigningTime &operator=(const PKCS9SigningTime&) = default
inline const time_t &time() const

Time as an array [year, month, day, hour, min, sec].

virtual std::string print() const override

Print information about the attribute.

inline virtual std::unique_ptr<Attribute> clone() const override
virtual void accept(Visitor &visitor) const override
~PKCS9SigningTime() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature SpcSpOpusInfo

class SpcSpOpusInfo : public LIEF::PE::Attribute

Interface over the structure described by the OID 1.3.6.1.4.1.311.2.1.12

The internal structure is described in the official document: Windows Authenticode Portable Executable Signature Format

SpcSpOpusInfo ::= SEQUENCE {
    programName  [0] EXPLICIT SpcString OPTIONAL,
    moreInfo     [1] EXPLICIT SpcLink OPTIONAL
}

Public Functions

inline SpcSpOpusInfo(std::string program_name, std::string more_info)
inline SpcSpOpusInfo()
SpcSpOpusInfo(const SpcSpOpusInfo&) = default
SpcSpOpusInfo &operator=(const SpcSpOpusInfo&) = default
inline virtual std::unique_ptr<Attribute> clone() const override
inline const std::string &program_name() const

Program description provided by the publisher.

inline const std::string &more_info() const

Other information such as an url.

virtual std::string print() const override

Print information about the attribute.

virtual void accept(Visitor &visitor) const override
~SpcSpOpusInfo() override = default

Public Static Functions

static inline bool classof(const Attribute *attr)

Signature SpcIndirectData

class SpcIndirectData : public LIEF::PE::ContentInfo::Content

Public Functions

SpcIndirectData()
SpcIndirectData(const SpcIndirectData&)
SpcIndirectData &operator=(const SpcIndirectData&)
inline virtual std::unique_ptr<Content> clone() const override
inline ALGORITHMS digest_algorithm() const

Digest used to hash the file.

It should match LIEF::PE::SignerInfo::digest_algorithm

inline span<const uint8_t> digest() const

PE’s authentihash.

inline const std::string &file() const
virtual void print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override
~SpcIndirectData() override

Public Static Functions

static bool classof(const ContentInfo::Content *content)

Friends

inline friend std::ostream &operator<<(std::ostream &os, const SpcIndirectData &content)

Signature GenericContent

class GenericContent : public LIEF::PE::ContentInfo::Content

Public Functions

GenericContent()
GenericContent(oid_t oid)
GenericContent(const GenericContent&)
GenericContent &operator=(const GenericContent&)
inline virtual std::unique_ptr<Content> clone() const override
inline const oid_t &oid() const
inline span<const uint8_t> raw() const
inline span<uint8_t> raw()
~GenericContent() override
virtual void print(std::ostream &os) const override
virtual void accept(Visitor &visitor) const override

Public Static Functions

static bool classof(const ContentInfo::Content *content)

Friends

inline friend std::ostream &operator<<(std::ostream &os, const GenericContent &content)

RsaInfo

class RsaInfo

Object that wraps a RSA key.

Public Types

using rsa_ctx_handle = void*
using bignum_wrapper_t = std::vector<uint8_t>

Container for BigInt.

Public Functions

RsaInfo(const RsaInfo &other)
RsaInfo(RsaInfo &&other)
RsaInfo &operator=(RsaInfo other)
bool has_public_key() const

True if it embeds a public key.

bool has_private_key() const

True if it embeds a private key.

bignum_wrapper_t N() const

RSA public modulus.

bignum_wrapper_t E() const

RSA public exponent.

bignum_wrapper_t D() const

RSA private exponent.

bignum_wrapper_t P() const

First prime factor.

bignum_wrapper_t Q() const

Second prime factor.

size_t key_size() const

Size of the public modulus (in bits)

void swap(RsaInfo &other)
operator bool() const
~RsaInfo()

Friends

friend std::ostream &operator<<(std::ostream &os, const RsaInfo &info)

x509

class x509 : public LIEF::Object

Interface over a x509 certificate.

Public Types

enum class KEY_TYPES

Public key scheme.

Values:

enumerator NONE = 0

Unknown scheme.

enumerator RSA

RSA Scheme.

enumerator ECKEY

Elliptic-curve scheme.

enumerator ECKEY_DH

Elliptic-curve Diffie-Hellman.

enumerator ECDSA

Elliptic-curve Digital Signature Algorithm.

enumerator RSA_ALT

RSA scheme with an alternative implementation for signing and decrypting.

enumerator RSASSA_PSS

RSA Probabilistic signature scheme.

enum class VERIFICATION_FLAGS

Mirror of mbedtls’s X509 Verify codes: MBEDTLS_X509_XX.

It must be sync with include/mbedtls/x509.h

Values:

enumerator OK = 0

The verification succeed

enumerator BADCERT_EXPIRED = 1 << 0

The certificate validity has expired.

enumerator BADCERT_REVOKED = 1 << 1

The certificate has been revoked (is on a CRL).

enumerator BADCERT_CN_MISMATCH = 1 << 2

The certificate Common Name (CN) does not match with the expected CN.

enumerator BADCERT_NOT_TRUSTED = 1 << 3

The certificate is not correctly signed by the trusted CA.

enumerator BADCRL_NOT_TRUSTED = 1 << 4

The CRL is not correctly signed by the trusted CA.

enumerator BADCRL_EXPIRED = 1 << 5

The CRL is expired.

enumerator BADCERT_MISSING = 1 << 6

Certificate was missing.

enumerator BADCERT_SKIP_VERIFY = 1 << 7

Certificate verification was skipped.

enumerator BADCERT_OTHER = 1 << 8

Other reason (can be used by verify callback)

enumerator BADCERT_FUTURE = 1 << 9

The certificate validity starts in the future.

enumerator BADCRL_FUTURE = 1 << 10

The CRL is from the future

enumerator BADCERT_KEY_USAGE = 1 << 11

Usage does not match the keyUsage extension.

enumerator BADCERT_EXT_KEY_USAGE = 1 << 12

Usage does not match the extendedKeyUsage extension.

enumerator BADCERT_NS_CERT_TYPE = 1 << 13

Usage does not match the nsCertType extension.

enumerator BADCERT_BAD_MD = 1 << 14

The certificate is signed with an unacceptable hash.

enumerator BADCERT_BAD_PK = 1 << 15

The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA).

enumerator BADCERT_BAD_KEY = 1 << 16

The certificate is signed with an unacceptable key (eg bad curve, RSA too short).

enumerator BADCRL_BAD_MD = 1 << 17

The CRL is signed with an unacceptable hash.

enumerator BADCRL_BAD_PK = 1 << 18

The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA).

enumerator BADCRL_BAD_KEY = 1 << 19

The CRL is signed with an unacceptable key (eg bad curve, RSA too short).

enum class KEY_USAGE

Key usage as defined in RFC #5280 - section-4.2.1.3

Values:

enumerator DIGITAL_SIGNATURE = 0

The key is used for digital signature

enumerator NON_REPUDIATION

The key is used for digital signature AND to protects against falsely denying some action

enumerator KEY_ENCIPHERMENT

The key is used for enciphering private or secret keys

enumerator DATA_ENCIPHERMENT

The key is used for directly enciphering raw user data without the use of an intermediate symmetric cipher

enumerator KEY_AGREEMENT

The Key is used for key agreement. (e.g. with Diffie-Hellman)

enumerator KEY_CERT_SIGN

The key is used for verifying signatures on public key certificates

enumerator CRL_SIGN

The key is used for verifying signatures on certificate revocation lists

enumerator ENCIPHER_ONLY

In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for enciphering data while performing key agreement

enumerator DECIPHER_ONLY

In association with KEY_AGREEMENT (otherwise the meaning is undefined), the key is only used for deciphering data while performing key agreement

using date_t = std::array<int32_t, 6>

Tuple (Year, Month, Day, Hour, Minute, Second)

using certificates_t = std::vector<x509>

Public Functions

x509(mbedtls_x509_crt *ca)
x509(const x509 &other)
x509 &operator=(x509 other)
void swap(x509 &other)
uint32_t version() const

X.509 version. (1=v1, 2=v2, 3=v3)

std::vector<uint8_t> serial_number() const

Unique id for certificate issued by a specific CA.

oid_t signature_algorithm() const

Signature algorithm (OID)

date_t valid_from() const

Start time of certificate validity.

date_t valid_to() const

End time of certificate validity.

std::string issuer() const

Issuer informations.

std::string subject() const

Subject informations.

bool check_signature(const std::vector<uint8_t> &hash, const std::vector<uint8_t> &signature, ALGORITHMS digest) const

Try to decrypt the given signature and check if it matches the given hash according to the hash algorithm provided.

std::vector<uint8_t> raw() const

The raw x509 bytes (DER encoded)

KEY_TYPES key_type() const

Return the underlying public-key scheme.

std::unique_ptr<RsaInfo> rsa_info() const

If the underlying public-key scheme is RSA, return the RSA information. Otherwise, return a nullptr

VERIFICATION_FLAGS verify(const x509 &ca) const

Verify that this certificate has been used to trust the given certificate.

VERIFICATION_FLAGS is_trusted_by(const std::vector<x509> &ca) const

Verify that this certificate is trusted by the given CA list.

std::vector<oid_t> certificate_policies() const

Policy information terms as OID (see RFC #5280)

std::vector<KEY_USAGE> key_usage() const

Purpose of the key contained in the certificate.

std::vector<oid_t> ext_key_usage() const

Indicates one or more purposes for which the certified public key may be used (OID types)

bool is_ca() const
std::vector<uint8_t> signature() const

The signature of the certificate.

virtual void accept(Visitor &visitor) const override
~x509() override

Public Static Functions

static certificates_t parse(const std::string &path)

Parse x509 certificate(s) from file path.

static certificates_t parse(const std::vector<uint8_t> &content)

Parse x509 certificate(s) from raw blob.

static bool check_time(const date_t &before, const date_t &after)

Return True if before is before than after. False otherwise.

static bool time_is_past(const date_t &to)

True if the given time is in the past according to the clock’s system.

static bool time_is_future(const date_t &from)

True if the given time is in the future according to the clock’s system.

Friends

friend std::ostream &operator<<(std::ostream &os, const x509 &x509_cert)

ContentInfo

class ContentInfo : public LIEF::Object

ContentInfo as described in the RFC2315 (https://tools.ietf.org/html/rfc2315#section-7)

ContentInfo ::= SEQUENCE {
  contentType ContentType,
  content     [0] EXPLICIT ANY DEFINED BY contentType OPTIONAL
}

ContentType ::= OBJECT IDENTIFIER

In the case of PE signature, ContentType must be set to SPC_INDIRECT_DATA_OBJID OID: 1.3.6.1.4.1.311.2.1.4 and content is defined by the structure: SpcIndirectDataContent

SpcIndirectDataContent ::= SEQUENCE {
 data          SpcAttributeTypeAndOptionalValue,
 messageDigest DigestInfo
}

SpcAttributeTypeAndOptionalValue ::= SEQUENCE {
 type  ObjectID,
 value [0] EXPLICIT ANY OPTIONAL
}

For PE signature, SpcAttributeTypeAndOptionalValue.type is set to SPC_PE_IMAGE_DATAOBJ (OID: 1.3.6.1.4.1.311.2.1.15) and the value is defined by SpcPeImageData

DigestInfo ::= SEQUENCE {
 digestAlgorithm  AlgorithmIdentifier,
 digest           OCTETSTRING
}

AlgorithmIdentifier ::= SEQUENCE {
 algorithm  ObjectID,
 parameters [0] EXPLICIT ANY OPTIONAL
}

Public Functions

ContentInfo()
ContentInfo(const ContentInfo &other)
ContentInfo(ContentInfo &&other)
ContentInfo &operator=(ContentInfo other)
void swap(ContentInfo &other)
inline oid_t content_type() const

Return the OID that describes the content wrapped by this object. It should match SPC_INDIRECT_DATA_OBJID (1.3.6.1.4.1.311.2.1.4)

inline Content &value()
inline const Content &value() const
std::vector<uint8_t> digest() const

Return the digest (authentihash) if the underlying content type is SPC_INDIRECT_DATA_OBJID Otherwise, return an empty vector.

ALGORITHMS digest_algorithm() const

Return the OID algorithm if the underlying content type is SPC_INDIRECT_DATA_OBJID Otherwise, return an empty oid.

virtual void accept(Visitor &visitor) const override
~ContentInfo() override

Friends

friend std::ostream &operator<<(std::ostream &os, const ContentInfo &content_info)
class Content : public LIEF::Object

Subclassed by LIEF::PE::GenericContent, LIEF::PE::SpcIndirectData

Public Functions

inline Content(oid_t oid)
inline const oid_t &content_type() const
virtual std::unique_ptr<Content> clone() const = 0
virtual void print(std::ostream &os) const = 0
~Content() override

Friends

inline friend std::ostream &operator<<(std::ostream &os, const Content &content)

SignerInfo

class SignerInfo : public LIEF::Object

SignerInfo as described in the RFC 2315

SignerInfo ::= SEQUENCE {
 version Version,
 issuerAndSerialNumber     IssuerAndSerialNumber,
 digestAlgorithm           DigestAlgorithmIdentifier,
 authenticatedAttributes   [0] IMPLICIT Attributes OPTIONAL,
 digestEncryptionAlgorithm DigestEncryptionAlgorithmIdentifier,
 encryptedDigest           EncryptedDigest,
 unauthenticatedAttributes [1] IMPLICIT Attributes OPTIONAL
}

EncryptedDigest ::= OCTET STRING

Public Types

using encrypted_digest_t = std::vector<uint8_t>
using attributes_t = std::vector<std::unique_ptr<Attribute>>

Internal container used to store both authenticated and unauthenticated attributes.

using it_const_attributes_t = const_ref_iterator<const attributes_t&, const Attribute*>

Iterator which outputs const Attribute&.

Public Functions

SignerInfo()
SignerInfo(const SignerInfo &other)
SignerInfo &operator=(SignerInfo other)
SignerInfo(SignerInfo&&)
SignerInfo &operator=(SignerInfo&&)
void swap(SignerInfo &other)
inline uint32_t version() const

Should be 1.

inline span<const uint8_t> serial_number() const

Return the serial number associated with the x509 certificate used by this signer.

inline const std::string &issuer() const

Return the x509::issuer used by this signer.

inline ALGORITHMS digest_algorithm() const

Algorithm (OID) used to hash the file.

This value should match LIEF::PE::ContentInfo::digest_algorithm and LIEF::PE::Signature::digest_algorithm

inline ALGORITHMS encryption_algorithm() const

Return the (public-key) algorithm used to encrypt the signature.

inline const encrypted_digest_t &encrypted_digest() const

Return the signature created by the signing certificate’s private key.

inline it_const_attributes_t authenticated_attributes() const

Iterator over LIEF::PE::Attribute for authenticated attributes.

inline it_const_attributes_t unauthenticated_attributes() const

Iterator over LIEF::PE::Attribute for unauthenticated attributes.

const Attribute *get_attribute(Attribute::TYPE type) const

Return the authenticated or un-authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.

It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.

const Attribute *get_auth_attribute(Attribute::TYPE type) const

Return the authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.

It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.

const Attribute *get_unauth_attribute(Attribute::TYPE type) const

Return the un-authenticated attribute matching the given PE::SIG_ATTRIBUTE_TYPES.

It returns the first entry that matches the given type. If it can’t be found, it returns a nullptr.

inline const x509 *cert() const

x509 certificate used by this signer. If it can’t be found, it returns a nullptr

inline x509 *cert()

x509 certificate used by this signer. If it can’t be found, it returns a nullptr

inline span<const uint8_t> raw_auth_data() const

Raw blob that is signed by the signer certificate.

virtual void accept(Visitor &visitor) const override
~SignerInfo() override

Friends

friend std::ostream &operator<<(std::ostream &os, const SignerInfo &signer_info)

Builder

class Builder

Class that is used to rebuild a raw PE binary from a PE::Binary object.

Public Functions

Builder() = delete
Builder(Binary &binary)
~Builder()
ok_error_t build()

Perform the build process.

Builder &build_imports(bool flag = true)

Rebuild the import table in new section.

Builder &patch_imports(bool flag = true)

Patch the original import table in order to redirect functions to the new import table.

This setting should be used with LIEF::PE::Builder::build_imports set to true

Builder &build_relocations(bool flag = true)

Rebuild the relocation table in another section.

Builder &build_tls(bool flag = true)

Rebuild TLS object in another section.

Builder &build_resources(bool flag)

Rebuid the resources in another section.

Builder &build_overlay(bool flag)

Rebuild the binary’s overlay.

Builder &build_dos_stub(bool flag)

Rebuild the DOS stub content.

const std::vector<uint8_t> &get_build()

Return the build result.

void write(const std::string &filename) const

Write the build result into the output file.

void write(std::ostream &os) const

Write the build result into the os stream.

ok_error_t build(const DosHeader &dos_header)
ok_error_t build(const Header &bHeader)
ok_error_t build(const OptionalHeader &optional_header)
ok_error_t build(const DataDirectory &data_directory)
ok_error_t build(const Section &section)

Public Static Functions

template<typename PE_T>
static std::vector<uint8_t> build_jmp(uint64_t from, uint64_t address)

Construct a jmp [address] @ from.

It is used when patching import table

template<typename PE_T>
static std::vector<uint8_t> build_jmp_hook(uint64_t from, uint64_t address)

Construct a jmp far address @ from.

It is used for hooking

Friends

friend std::ostream &operator<<(std::ostream &os, const Builder &b)

Resources Manager

class ResourcesManager : public LIEF::Object

The Resource Manager provides an enhanced API to manipulate the resource tree.

Public Types

enum class TYPE

The different types of resources Ref: From https://docs.microsoft.com/en-us/windows/win32/menurc/resource-types.

Values:

enumerator CURSOR = 1
enumerator BITMAP = 2
enumerator ICON = 3
enumerator MENU = 4
enumerator DIALOG = 5
enumerator STRING = 6
enumerator FONTDIR = 7
enumerator FONT = 8
enumerator ACCELERATOR = 9
enumerator RCDATA = 10
enumerator MESSAGETABLE = 11
enumerator GROUP_CURSOR = 12
enumerator GROUP_ICON = 14
enumerator VERSION = 16
enumerator DLGINCLUDE = 17
enumerator PLUGPLAY = 19
enumerator VXD = 20
enumerator ANICURSOR = 21
enumerator ANIICON = 22
enumerator HTML = 23
enumerator MANIFEST = 24
using dialogs_t = std::vector<ResourceDialog>
using it_const_dialogs = const_ref_iterator<dialogs_t>
using icons_t = std::vector<ResourceIcon>
using it_const_icons = const_ref_iterator<icons_t>
using strings_table_t = std::vector<ResourceStringTable>
using it_const_strings_table = const_ref_iterator<strings_table_t>
using accelerators_t = std::vector<ResourceAccelerator>
using it_const_accelerators = const_ref_iterator<accelerators_t>

Public Functions

ResourcesManager() = delete
inline ResourcesManager(ResourceNode &rsrc)
ResourcesManager(const ResourcesManager&) = default
ResourcesManager &operator=(const ResourcesManager&) = default
ResourcesManager(ResourcesManager&&) = default
ResourcesManager &operator=(ResourcesManager&&) = default
~ResourcesManager() override = default
ResourceNode *get_node_type(TYPE type)

Return the ResourceNode associated with the given KIND or a nullptr if not found;.

const ResourceNode *get_node_type(TYPE type) const
std::vector<TYPE> get_types() const

List of TYPE present in the resources.

inline bool has_type(TYPE type) const

true if the resource has the given LIEF::PE::KIND

inline bool has_manifest() const

true if resources contain the Manifest element

std::string manifest() const

Return the manifest as a std::string or an empty string if not found or corrupted.

void manifest(const std::string &manifest)

Update the manifest with the given string.

inline bool has_version() const

true if resources contain a LIEF::PE::ResourceVersion

result<ResourceVersion> version() const

Return the ResourceVersion if any.

inline bool has_icons() const

true if resources contain a LIEF::PE::ResourceIcon

it_const_icons icons() const

Return the list of the icons present in the resources.

void add_icon(const ResourceIcon &icon)

Add an icon to the resources.

void change_icon(const ResourceIcon &original, const ResourceIcon &newone)
inline bool has_dialogs() const

true if resources contain dialogs

it_const_dialogs dialogs() const

Return the list of the dialogs present in the resource.

inline bool has_string_table() const

true if the resources contain a LIEF::PE::ResourceStringTable

it_const_strings_table string_table() const

Return the list of the string table in the resource.

inline bool has_html() const

true if the resources contain html

std::vector<std::string> html() const

Return the list of the html resources.

inline bool has_accelerator() const

true if the resources contain LIEF::PE::ResourceAccelerator

it_const_accelerators accelerator() const

Return the list of the accelerator in the resource.

std::string print(uint32_t depth = 0) const

Print the resource tree to the given depth.

virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline constexpr uint32_t lang_from_id(size_t id)
static inline constexpr uint32_t sublang_from_id(size_t id)

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourcesManager &m)

Resource Node

class ResourceNode : public LIEF::Object

Class which represents a Node in the resource tree.

Subclassed by LIEF::PE::ResourceData, LIEF::PE::ResourceDirectory

Public Types

enum class TYPE

Enum that identifies the type of a node in the resource tree.

Values:

enumerator UNKNOWN = 0
enumerator DATA
enumerator DIRECTORY
using childs_t = std::vector<std::unique_ptr<ResourceNode>>
using it_childs = ref_iterator<childs_t&, ResourceNode*>
using it_const_childs = const_ref_iterator<const childs_t&, ResourceNode*>

Public Functions

ResourceNode(const ResourceNode &other)
ResourceNode &operator=(const ResourceNode &other)
ResourceNode(ResourceNode &&other)
ResourceNode &operator=(ResourceNode &&other)
void swap(ResourceNode &other)
~ResourceNode() override
virtual std::unique_ptr<ResourceNode> clone() const = 0
uint32_t id() const

Integer that identifies the Type, Name, or Language ID of the entry depending on its depth in the tree.

const std::u16string &name() const

Name of the entry.

it_childs childs()

Iterator on node’s children.

it_const_childs childs() const
bool has_name() const

True if the entry uses a name as ID

uint32_t depth() const

Current depth of the Node in the resource tree.

bool is_directory() const

True if the current entry is a ResourceDirectory.

It can be safely casted with:

const auto& dir_node = static_cast<const ResourceDirectory&>(node);
bool is_data() const

True if the current entry is a ResourceData.

It can be safely casted with:

const auto& data_node = static_cast<const ResourceData&>(node);
void id(uint32_t id)
void name(const std::string &name)
inline void name(std::u16string name)
ResourceNode &add_child(const ResourceDirectory &child)

Add a ResourceDirectory to the current node.

ResourceNode &add_child(const ResourceData &child)

Add a ResourceData to the current node.

void delete_child(uint32_t id)

Delete the node with the given id

void delete_child(const ResourceNode &node)

Delete the given node from the node’s children.

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceNode &node)

Resource Directory

class ResourceDirectory : public LIEF::PE::ResourceNode

Public Functions

ResourceDirectory()
ResourceDirectory(const details::pe_resource_directory_table &header)
ResourceDirectory(const ResourceDirectory &other)
ResourceDirectory &operator=(ResourceDirectory other)
void swap(ResourceDirectory &other)
~ResourceDirectory() override
inline virtual std::unique_ptr<ResourceNode> clone() const override
uint32_t characteristics() const

Resource characteristics. This field is reserved for future use. It is currently set to zero.

uint32_t time_date_stamp() const

The time that the resource data was created by the resource compiler.

uint16_t major_version() const

The major version number, set by the user.

uint16_t minor_version() const

The minor version number, set by the user.

uint16_t numberof_name_entries() const

The number of directory entries immediately following the table that use strings to identify Type, Name, or Language entries (depending on the level of the table).

uint16_t numberof_id_entries() const

The number of directory entries immediately following the Name entries that use numeric IDs for Type, Name, or Language entries.

void characteristics(uint32_t characteristics)
void time_date_stamp(uint32_t time_date_stamp)
void major_version(uint16_t major_version)
void minor_version(uint16_t minor_version)
void numberof_name_entries(uint16_t numberof_name_entries)
void numberof_id_entries(uint16_t numberof_id_entries)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const ResourceNode *node)

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceDirectory &directory)

Resource Data

class ResourceData : public LIEF::PE::ResourceNode

Class which represents a Data Node in the PE resources tree.

Public Functions

ResourceData()
ResourceData(std::vector<uint8_t> content, uint32_t code_page)
ResourceData(const ResourceData &other)
ResourceData &operator=(ResourceData other)
void swap(ResourceData &other)
~ResourceData() override
inline virtual std::unique_ptr<ResourceNode> clone() const override
uint32_t code_page() const

Return the code page that is used to decode code point values within the resource data. Typically, the code page is the Unicode code page.

span<const uint8_t> content() const

Resource content.

span<uint8_t> content()
uint32_t reserved() const

Reserved value. Should be 0

uint32_t offset() const

Offset of the content within the resource.

Warning

This value may change when rebuilding resource table

void code_page(uint32_t code_page)
void content(const std::vector<uint8_t> &content)
void reserved(uint32_t value)
virtual void accept(Visitor &visitor) const override

Public Static Functions

static inline bool classof(const ResourceNode *node)

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceData &data)

Resource Icon

class ResourceIcon : public LIEF::Object

Public Functions

ResourceIcon()
ResourceIcon(const details::pe_resource_icon_group &header)
ResourceIcon(const details::pe_icon_header &header)
ResourceIcon(const ResourceIcon&)
ResourceIcon &operator=(const ResourceIcon&)
~ResourceIcon() override
uint32_t id() const

Id associated with the icon.

uint32_t lang() const

Language associated with the icon.

uint32_t sublang() const

Sub language associated with the icon.

uint8_t width() const

Width in pixels of the image.

uint8_t height() const

Height in pixels of the image.

uint8_t color_count() const

Number of colors in image (0 if >=8bpp)

uint8_t reserved() const

Reserved (must be 0)

uint16_t planes() const

Color Planes.

uint16_t bit_count() const

Bits per pixel.

uint32_t size() const

Size in bytes of the image.

span<const uint8_t> pixels() const

Pixels of the image (as bytes)

void id(uint32_t id)
void lang(uint32_t lang)
void sublang(uint32_t sublang)
void width(uint8_t width)
void height(uint8_t height)
void color_count(uint8_t color_count)
void reserved(uint8_t reserved)
void planes(uint16_t planes)
void bit_count(uint16_t bit_count)
void pixels(const std::vector<uint8_t> &pixels)
void save(const std::string &filename) const

Save the icon to the given filename.

Parameters:

filename[in] Path to file in which the icon will be saved

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceIcon &entry)

Resource Dialog

class ResourceDialog : public LIEF::Object

Representation of a dialog box.

Windows allows two kinds of dialog box:

  • Simple one

  • Extended one

ResourceDialog::is_extended determine the type of the Dialog

Public Types

using items_t = std::vector<ResourceDialogItem>
using it_items = ref_iterator<items_t&>
using it_const_items = const_ref_iterator<const items_t&>

Public Functions

ResourceDialog()
ResourceDialog(const details::pe_dialog_template_ext &header)
ResourceDialog(const details::pe_dialog_template &header)
ResourceDialog(const ResourceDialog&)
ResourceDialog &operator=(const ResourceDialog&)
~ResourceDialog() override
bool is_extended() const

true if the dialog is an extended one

uint32_t extended_style() const

The extended windows styles.

std::set<EXTENDED_WINDOW_STYLES> extended_style_list() const

Return list of LIEF::PE::EXTENDED_WINDOW_STYLES associated with the ResourceDialog::extended_style value.

bool has_extended_style(EXTENDED_WINDOW_STYLES style) const
uint32_t style() const

The style of the dialog box. This member can be a combination of LIEF::PE::WINDOW_STYLES values and LIEF::PE::DIALOG_BOX_STYLES values.

std::set<WINDOW_STYLES> style_list() const

Return list of LIEF::PE::WINDOW_STYLES associated with the ResourceDialog::style value.

bool has_style(WINDOW_STYLES style) const
std::set<DIALOG_BOX_STYLES> dialogbox_style_list() const

Return list of LIEF::PE::DIALOG_BOX_STYLES associated with the ResourceDialog::style value.

bool has_dialogbox_style(DIALOG_BOX_STYLES style) const
int16_t x() const

The x-coordinate, in dialog box units, of the upper-left corner of the dialog box.

int16_t y() const

The y-coordinate, in dialog box units, of the upper-left corner of the dialog box.

int16_t cx() const

The width, in dialog box units, of the dialog box.

int16_t cy() const

The height, in dialog box units, of the dialog box.

it_const_items items() const

Iterator on the controls (ResourceDialogItem) that defines the Dialog (Button, Label…)

uint32_t lang() const

RESOURCE_LANGS associated with the Dialog.

uint32_t sub_lang() const

RESOURCE_SUBLANGS associated with the Dialog.

void lang(uint32_t lang)
void sub_lang(uint32_t sub_lang)
uint16_t version() const

The version number of the extended dialog box template. This member must be set to 1.

uint16_t signature() const

Indicates whether a template is an extended dialog box template:

  • 0xFFFF: Extended dialog box template

  • Other value: Standard dialog box template

uint32_t help_id() const

The help context identifier for the dialog box window.

uint16_t weight() const

The weight of the font.

uint16_t point_size() const

The point size of the font to use for the text in the dialog box and its controls.

bool is_italic() const

Indicates whether the font is italic. If this value is true, the font is italic.

uint8_t charset() const

The character to be used.

const std::u16string &title() const

The title of the dialog box.

const std::u16string &typeface() const

The name of the typeface for the font.

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceDialog &dialog)

Resource Dialog Item

class ResourceDialogItem : public LIEF::Object

This class represents an item in the ResourceDialog.

Public Functions

ResourceDialogItem()
ResourceDialogItem(const details::pe_dialog_item_template_ext &header)
ResourceDialogItem(const details::pe_dialog_item_template &header)
ResourceDialogItem(const ResourceDialogItem&)
ResourceDialogItem &operator=(const ResourceDialogItem&)
~ResourceDialogItem() override
bool is_extended() const

True if the control is an extended one

uint32_t extended_style() const

The extended styles for a window.

std::set<EXTENDED_WINDOW_STYLES> extended_style_list() const

List of PE::EXTENDED_WINDOW_STYLES associated with the ResourceDialogItem::extended_style value.

bool has_extended_style(EXTENDED_WINDOW_STYLES style) const

Check if the DialogItem has the given PE::EXTENDED_WINDOW_STYLES.

uint32_t style() const

The style of the control.

std::set<WINDOW_STYLES> style_list() const
bool has_style(WINDOW_STYLES style) const
int16_t x() const

The x-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.

int16_t y() const

The y-coordinate, in dialog box units, of the upper-left corner of the control. This coordinate is always relative to the upper-left corner of the dialog box’s client area.

int16_t cx() const

The width, in dialog box units, of the control.

int16_t cy() const

The height, in dialog box units, of the control.

uint32_t id() const

The control identifier.

uint32_t help_id() const

The help context identifier for the control.

const std::u16string &title() const

Initial text of the control.

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceDialogItem &dialog_item)

Resource Version

class ResourceVersion : public LIEF::Object

Representation of the data associated with the RT_VERSION entry.

See: VS_VERSIONINFO - https://docs.microsoft.com/en-us/windows/win32/menurc/vs-versioninfo

Public Functions

ResourceVersion(const ResourceVersion&)
ResourceVersion &operator=(const ResourceVersion&)
~ResourceVersion() override
uint16_t type() const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key() const

Signature of the structure: Must be the unicode string “VS_VERSION_INFO”.

bool has_fixed_file_info() const

true if the version contains a ResourceFixedFileInfo

bool has_string_file_info() const

true if the version contains a ResourceStringFileInfo

bool has_var_file_info() const

true if the version contains a ResourceVarFileInfo

const ResourceFixedFileInfo *fixed_file_info() const

Object that describes various information about the application’s version. This is an optional information and if it is not present, it returns a nullptr.

ResourceFixedFileInfo *fixed_file_info()
const ResourceStringFileInfo *string_file_info() const

Object that describes various information about the application’s version. The underlying structure is basically a dictionary (key/value)

This structure is not always present and if not, it returns a nullptr

ResourceStringFileInfo *string_file_info()
const ResourceVarFileInfo *var_file_info() const

Object that describes information about languages supported by the application This structure is not always present and if not, it returns a nullptr.

ResourceVarFileInfo *var_file_info()
void type(uint16_t type)
inline void key(std::u16string key)
void key(const std::string &key)
void fixed_file_info(const ResourceFixedFileInfo &fixed_file_info)
void remove_fixed_file_info()
void string_file_info(const ResourceStringFileInfo &string_file_info)
void remove_string_file_info()
void var_file_info(const ResourceVarFileInfo &var_file_info)
void remove_var_file_info()
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceVersion &version)

Resource Fixed File Info

class ResourceFixedFileInfo : public LIEF::Object

Representation of VS_FIXEDFILEINFO Structure.

Public Functions

ResourceFixedFileInfo()
ResourceFixedFileInfo(const details::pe_resource_fixed_file_info &header)
ResourceFixedFileInfo(const ResourceFixedFileInfo&)
ResourceFixedFileInfo &operator=(const ResourceFixedFileInfo&)
~ResourceFixedFileInfo() override
uint32_t signature() const

Must be set to 0xFEEF04BD

uint32_t struct_version() const

The binary version number of this structure.

The high-order word of this member contains the major version number, and the low-order word contains the minor version number.

uint32_t file_version_MS() const

The most significant 32 bits of the file’s binary version number.

This member is used with ResourceFixedFileInfo::file_version_LS to form a 64-bits value used for numeric comparisons.

uint32_t file_version_LS() const

The least significant 32 bits of the file’s binary version number.

This member is used with ResourceFixedFileInfo::file_version_MS to form a 64-bits value used for numeric comparisons.

uint32_t product_version_MS() const

The most significant 32 bits of the product with which this file was distributed.

This member is used with ResourceFixedFileInfo::product_version_LS to form a 64-bits value used for numeric comparisons.

uint32_t product_version_LS() const

The least significant 32 bits of the product with which this file was distributed.

This member is used with ResourceFixedFileInfo::product_version_MS to form a 64-bits value used for numeric comparisons.

uint32_t file_flags_mask() const

Contains a bitmask that specifies the valid bits in ResourceFixedFileInfo::file_flags.

A bit is valid only if it was defined when the file was created.

uint32_t file_flags() const

Contains a bitmask that specifies the Boolean attributes of the file (PE::FIXED_VERSION_FILE_FLAGS)

FIXED_VERSION_OS file_os() const

The operating system for which this file was designed (PE::FIXED_VERSION_OS).

FIXED_VERSION_FILE_TYPES file_type() const

The general type of file (PE::FIXED_VERSION_FILE_TYPES)

FIXED_VERSION_FILE_SUB_TYPES file_subtype() const

The function of the file (PE::FIXED_VERSION_FILE_SUB_TYPES)

uint32_t file_date_MS() const

The most significant 32 bits of the file’s 64-bit binary creation date and time stamp.

uint32_t file_date_LS() const

The least significant 32 bits of the file’s 64-bit binary creation date and time stamp.

void signature(uint32_t signature)
void struct_version(uint32_t struct_version)
void file_version_MS(uint32_t file_version_MS)
void file_version_LS(uint32_t file_version_LS)
void product_version_MS(uint32_t product_version_MS)
void product_version_LS(uint32_t product_version_LS)
void file_flags_mask(uint32_t file_flags_mask)
void file_flags(uint32_t file_flags)
void file_os(FIXED_VERSION_OS file_os)
void file_type(FIXED_VERSION_FILE_TYPES file_type)
void file_subtype(FIXED_VERSION_FILE_SUB_TYPES file_subtype)
void file_date_MS(uint32_t file_date_MS)
void file_date_LS(uint32_t file_date_LS)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceFixedFileInfo &fixed_info)

Resource Var File Info

class ResourceVarFileInfo : public LIEF::Object

This object describes information about languages supported by the application.

Public Functions

ResourceVarFileInfo()
ResourceVarFileInfo(uint16_t type, std::u16string key)
ResourceVarFileInfo(const ResourceVarFileInfo&)
ResourceVarFileInfo &operator=(const ResourceVarFileInfo&)
~ResourceVarFileInfo() override
uint16_t type() const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key() const

Signature of the structure: Must be the unicode string “VarFileInfo”.

const std::vector<uint32_t> &translations() const

List of languages that the application supports.

The least significant 16-bits must contain a Microsoft language identifier, and the most significant 16-bits must contain the PE::CODE_PAGES Either most or least 16-bits can be zero, indicating that the file is language or code page independent.

std::vector<uint32_t> &translations()
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void translations(const std::vector<uint32_t> &translations)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceVarFileInfo &entry)

Resource String File Info

class ResourceStringFileInfo : public LIEF::Object

Representation of the StringFileInfo structure.

It contains version information that can be displayed for a particular language and code page.

See: https://docs.microsoft.com/en-us/windows/win32/menurc/stringfileinfo

Public Functions

ResourceStringFileInfo()
ResourceStringFileInfo(uint16_t type, std::u16string key)
ResourceStringFileInfo(const ResourceStringFileInfo&)
ResourceStringFileInfo &operator=(const ResourceStringFileInfo&)
~ResourceStringFileInfo() override
uint16_t type() const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key() const

Signature of the structure: Must be the unicode string “StringFileInfo”.

const std::vector<LangCodeItem> &langcode_items() const

List of the LangCodeItem items.

Each LangCodeItem::key indicates the appropriate language and code page for displaying the key: value of LangCodeItem::items

std::vector<LangCodeItem> &langcode_items()
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void langcode_items(const std::vector<LangCodeItem> &items)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceStringFileInfo &string_file_info)

Lang code item

class LangCodeItem : public LIEF::Object

Class which represents the childs of the ResourceStringFileInfo.

Public Types

using items_t = std::unordered_map<std::u16string, std::u16string>

Public Functions

LangCodeItem()
LangCodeItem(uint16_t type, std::u16string key)
LangCodeItem(const LangCodeItem&)
LangCodeItem &operator=(const LangCodeItem&)
~LangCodeItem() override
uint16_t type() const

The type of data in the version resource.

  • 1 if it contains text data

  • 0 if it contains binary data

const std::u16string &key() const

A 8-digit hexadecimal number stored as an Unicode string.

  • The four most significant digits represent the language identifier.

  • The four least significant digits represent the code page for which the data is formatted.

CODE_PAGES code_page() const

Code page for which LangCodeItem::items are defined

uint32_t lang() const

Lang for which LangCodeItem::items are defined.

uint32_t sublang() const

Sublang for which LangCodeItem::items are defined.

const items_t &items() const
items_t &items()
void type(uint16_t type)
void key(const std::u16string &key)
void key(const std::string &key)
void code_page(CODE_PAGES code_page)
void lang(uint32_t lang)
void sublang(uint32_t lang)
void items(const items_t &items)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const LangCodeItem &item)

Resource String Table

class ResourceStringTable : public LIEF::Object

Public Functions

ResourceStringTable()
ResourceStringTable(int16_t length, std::u16string name)
ResourceStringTable(const ResourceStringTable&)
ResourceStringTable &operator=(const ResourceStringTable&)
~ResourceStringTable() override
virtual void accept(Visitor &visitor) const override
int16_t length() const

The size of the string, not including length field itself.

const std::u16string &name() const

The variable-length Unicode string data, word-aligned.

Friends

friend std::ostream &operator<<(std::ostream &os, const ResourceStringTable &string_table)

Rich Header

class RichHeader : public LIEF::Object

Class which represents the not-so-documented rich header.

This structure is usually located at the end of the Binary::dos_stub and contains information about the build environment. It is generated by the Microsoft linker link.exe and there are no options to disable or remove this information.

Public Types

using entries_t = std::vector<RichEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

RichHeader()
RichHeader(const RichHeader&)
RichHeader &operator=(const RichHeader&)
~RichHeader() override
inline uint32_t key() const

Key used to encode the header (xor operation)

inline it_entries entries()

Return an iterator over the PE::RichEntry within the header.

inline it_const_entries entries() const
inline void key(uint32_t key)
void add_entry(const RichEntry &entry)

Add a new PE::RichEntry.

void add_entry(uint16_t id, uint16_t build_id, uint32_t count)

Add a new entry given the id, build_id and count.

inline std::vector<uint8_t> raw() const

The raw structure of the Rich header without xor-encoding.

This function is equivalent as calling RichHeader::raw(uint32_t) with a xor_key set to 0

std::vector<uint8_t> raw(uint32_t xor_key) const

Given this rich header, this function re-computes the raw bytes of the structure with the provided xor-key.

You can access the decoded data’s structure with the xor_key set to 0

Parameters:

xor_key[in] The key to use for the xor-encoding (can be 0)

inline std::vector<uint8_t> hash(ALGORITHMS algo) const

Compute the hash of the decoded rich header structure with the given hash algorithm.

std::vector<uint8_t> hash(ALGORITHMS algo, uint32_t xor_key) const

Compute the hash of the rich header structure encoded with the provided key.

virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const RichHeader &rich_header)

Rich Entry

class RichEntry : public LIEF::Object

Class which represents an entry associated to the RichHeader.

Public Functions

RichEntry()
RichEntry(uint16_t id, uint16_t build_id, uint32_t count)
RichEntry(const RichEntry&)
RichEntry &operator=(const RichEntry&)
~RichEntry() override
uint16_t id() const

Entry type.

uint16_t build_id() const

Build number of the tool (if any)

uint32_t count() const

Occurrence count.

void id(uint16_t id)
void build_id(uint16_t build_id)
void count(uint32_t count)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const RichEntry &rich_entry)

Code Integrity

class CodeIntegrity : public LIEF::Object

Public Functions

CodeIntegrity() = default
CodeIntegrity(const details::pe_code_integrity &header)
~CodeIntegrity() override = default
CodeIntegrity &operator=(const CodeIntegrity&) = default
CodeIntegrity(const CodeIntegrity&) = default
inline uint16_t flags() const

Flags to indicate if CI information is available, etc.

inline uint16_t catalog() const

0xFFFF means not available

inline uint32_t catalog_offset() const
inline uint32_t reserved() const

Additional bitmask to be defined later.

inline void flags(uint16_t flags)
inline void catalog(uint16_t catalog)
inline void catalog_offset(uint32_t catalog_offset)
inline void reserved(uint32_t reserved)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const CodeIntegrity &entry)

Pogo

class Pogo : public LIEF::PE::Debug

This class represents a Profile Guided Optimization entry from the debug directory (IMAGE_DEBUG_TYPE_POGO).

Public Types

enum class SIGNATURES

Values:

enumerator UNKNOWN = 0x0fffffff
enumerator ZERO = 0x00000000
enumerator LCTG = 0x4C544347
enumerator PGI = 0x50474900
using entries_t = std::vector<PogoEntry>
using it_entries = ref_iterator<entries_t&>
using it_const_entries = const_ref_iterator<const entries_t&>

Public Functions

Pogo()
inline Pogo(SIGNATURES sig)
Pogo(const details::pe_debug &debug, SIGNATURES sig)
Pogo(const Pogo&)
Pogo &operator=(const Pogo&)
inline virtual std::unique_ptr<Debug> clone() const override
inline SIGNATURES signature() const
inline it_entries entries()

An iterator over the different POGO elements.

inline it_const_entries entries() const
inline void add(PogoEntry entry)
virtual void accept(Visitor &visitor) const override
~Pogo() override

Public Static Functions

static inline bool classof(const Debug *debug)

Friends

friend std::ostream &operator<<(std::ostream &os, const Pogo &entry)

Pogo Entry

class PogoEntry : public LIEF::Object

Public Functions

PogoEntry()
PogoEntry(PogoEntry &&other)
PogoEntry &operator=(PogoEntry &&other)
PogoEntry(const PogoEntry&)
inline PogoEntry(uint32_t start_rva, uint32_t size, std::string name)
inline PogoEntry(uint32_t start_rva, uint32_t size)
PogoEntry &operator=(const PogoEntry&)
~PogoEntry() override
inline uint32_t start_rva() const
inline uint32_t size() const
inline const std::string &name() const
inline void start_rva(uint32_t start_rva)
inline void size(uint32_t size)
inline void name(std::string name)
virtual void accept(Visitor &visitor) const override

Friends

friend std::ostream &operator<<(std::ostream &os, const PogoEntry &entry)

Repro

class Repro : public LIEF::PE::Debug

This class represents a reproducible build entry from the debug directory. (IMAGE_DEBUG_TYPE_REPRO). This entry is usually generated with the undocumented /Brepro linker flag.

See: https://nikhilism.com/post/2020/windows-deterministic-builds/

Public Functions

inline Repro()
inline Repro(std::vector<uint8_t> hash)
inline Repro(const details::pe_debug &dbg, std::vector<uint8_t> hash)
Repro(const Repro &other)
Repro &operator=(const Repro &other)
inline span<const uint8_t> hash() const

The hash associated with the reproducible build.

inline span<uint8_t> hash()
inline void hash(std::vector<uint8_t> h)
inline virtual std::unique_ptr<Debug> clone() const override
virtual void accept(Visitor &visitor) const override
~Repro() override

Public Static Functions

static inline bool classof(const Debug *debug)

Friends

friend std::ostream &operator<<(std::ostream &os, const Repro &entry)

Load Configuration

class LoadConfiguration : public LIEF::Object

Class that represents the default PE’s LoadConfiguration

It’s the base class for any future versions of the structure

Subclassed by LIEF::PE::LoadConfigurationV0

Public Types

enum class VERSION

Values:

enumerator UNKNOWN = 0
enumerator SEH
enumerator WIN_8_1
enumerator WIN_10_0_9879
enumerator WIN_10_0_14286
enumerator WIN_10_0_14383
enumerator WIN_10_0_14901
enumerator WIN_10_0_15002
enumerator WIN_10_0_16237
enumerator WIN_10_0_18362
enumerator WIN_10_0_19534
enumerator WIN_10_0_MSVC_2019
enumerator WIN_10_0_MSVC_2019_16

Public Functions

LoadConfiguration() = default
template<class T>
LoadConfiguration(const details::load_configuration<T> &header)
LoadConfiguration &operator=(const LoadConfiguration&) = default
LoadConfiguration(const LoadConfiguration&) = default
inline virtual VERSION version() const

(SDK) Version of the structure

inline uint32_t characteristics() const

Characteristics of the structure It usually holds its size.

inline uint32_t size() const

Size of the current structure which is an alias for characteristics.

inline uint32_t timedatestamp() const

Date and time stamp value.

inline uint16_t major_version() const

Major Version.

inline uint16_t minor_version() const

Minor version.

inline uint32_t global_flags_clear() const

The global loader flags to clear for this process as the loader start the process.

inline uint32_t global_flags_set() const

The global loader flags to set for this process as the loader starts the process.

inline uint32_t critical_section_default_timeout() const

The default timeout value to use for this process’s critical sections that are abandoned.

inline uint64_t decommit_free_block_threshold() const

Memory that must be freed before it is returned to the system, in bytes.

inline uint64_t decommit_total_free_threshold() const

Total amount of free memory, in bytes.

inline uint64_t lock_prefix_table() const

The VA of a list of addresses where the LOCK prefix is used so that they can be replaced with NOP on single processor machines.

Warning

For x86 only

inline uint64_t maximum_allocation_size() const

Maximum allocation size, in bytes.

inline uint64_t virtual_memory_threshold() const

Maximum virtual memory size, in bytes.

inline uint64_t process_affinity_mask() const

Setting this field to a non-zero value is equivalent to calling SetProcessAffinityMask with this value during process startup (.exe only)

inline uint32_t process_heap_flags() const

Process heap flags that correspond to the first argument of the HeapCreate function. These flags apply to the process heap that is created during process startup.

inline uint16_t csd_version() const

The service pack version identifier.

inline uint16_t reserved1() const

Must be zero.

inline uint16_t dependent_load_flags() const

Alias for reserved1.

On recent the version of the structure, Microsoft renamed reserved1 to DependentLoadFlags

inline uint32_t editlist() const

Reserved for use by the system.

inline uint32_t security_cookie() const

A pointer to a cookie that is used by Visual C++ or GS implementation.

inline void characteristics(uint32_t characteristics)
inline void timedatestamp(uint32_t timedatestamp)
inline void major_version(uint16_t major_version)
inline void minor_version(uint16_t minor_version)
inline void global_flags_clear(uint32_t global_flags_clear)
inline void global_flags_set(uint32_t global_flags_set)
inline void critical_section_default_timeout(uint32_t critical_section_default_timeout)
inline void decommit_free_block_threshold(uint64_t decommit_free_block_threshold)
inline void decommit_total_free_threshold(uint64_t decommit_total_free_threshold)
inline void lock_prefix_table(uint64_t lock_prefix_table)
inline void maximum_allocation_size(uint64_t maximum_allocation_size)
inline void virtual_memory_threshold(uint64_t virtual_memory_threshold)
inline void process_affinity_mask(uint64_t process_affinity_mask)
inline void process_heap_flags(uint32_t process_heap_flagsid)
inline void csd_version(uint16_t csd_version)
inline void reserved1(uint16_t reserved1)
inline void dependent_load_flags(uint16_t flags)
inline void editlist(uint32_t editlist)
inline void security_cookie(uint32_t security_cookie)
~LoadConfiguration() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const

Public Static Functions

static inline bool classof(const LoadConfiguration*)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::UNKNOWN

Friends

friend std::ostream &operator<<(std::ostream &os, const LoadConfiguration &config)

Load Configuration V0

class LoadConfigurationV0 : public LIEF::PE::LoadConfiguration

LoadConfiguration enhanced with SEH.

Subclassed by LIEF::PE::LoadConfigurationV1

Public Functions

LoadConfigurationV0() = default
LoadConfigurationV0 &operator=(const LoadConfigurationV0&) = default
LoadConfigurationV0(const LoadConfigurationV0&) = default
template<class T>
LoadConfigurationV0(const details::load_configuration_v0<T> &header)
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t se_handler_table() const

The VA of the sorted table of RVAs of each valid, unique SE handler in the image.

inline uint64_t se_handler_count() const

The count of unique handlers in the table.

inline void se_handler_table(uint64_t se_handler_table)
inline void se_handler_count(uint64_t se_handler_count)
~LoadConfigurationV0() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::SEH

Load Configuration V1

class LoadConfigurationV1 : public LIEF::PE::LoadConfigurationV0

LoadConfiguration enhanced with Control Flow Guard.

This structure is available from Windows 8.1

Subclassed by LIEF::PE::LoadConfigurationV2

Public Types

enum class IMAGE_GUARD

Values:

enumerator NONE = 0x00000000
enumerator CF_INSTRUMENTED = 0x00000100

Module performs control flow integrity checks using system-supplied support

enumerator CFW_INSTRUMENTED = 0x00000200

Module performs control flow and write integrity checks

enumerator CF_FUNCTION_TABLE_PRESENT = 0x00000400

Module contains valid control flow target metadata

Module does not make use of the /GS security cookie

enumerator PROTECT_DELAYLOAD_IAT = 0x00001000

Module supports read only delay load IAT

enumerator DELAYLOAD_IAT_IN_ITS_OWN_SECTION = 0x00002000

Delayload import table in its own .didat section (with nothing else in it) that can be freely reprotected

enumerator CF_EXPORT_SUPPRESSION_INFO_PRESENT = 0x00004000

Module contains suppressed export information. This also infers that the address taken taken IAT table is also present in the load config.

enumerator CF_ENABLE_EXPORT_SUPPRESSION = 0x00008000

Module enables suppression of exports

enumerator CF_LONGJUMP_TABLE_PRESENT = 0x00010000

Module contains longjmp target information

enumerator RF_INSTRUMENTED = 0x00020000

Module contains return flow instrumentation and metadata

enumerator RF_ENABLE = 0x00040000

Module requests that the OS enable return flow protection

enumerator RF_STRICT = 0x00080000

Module requests that the OS enable return flow protection in strict mode

enumerator RETPOLINE_PRESENT = 0x00100000

Module was built with retpoline support

enumerator EH_CONTINUATION_TABLE_PRESENT = 0x00200000

Module contains EH continuation target information

Public Functions

LoadConfigurationV1() = default
template<class T>
LoadConfigurationV1(const details::load_configuration_v1<T> &header)
LoadConfigurationV1 &operator=(const LoadConfigurationV1&) = default
LoadConfigurationV1(const LoadConfigurationV1&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t guard_cf_check_function_pointer() const

The VA where Control Flow Guard check-function pointer is stored.

inline uint64_t guard_cf_dispatch_function_pointer() const

The VA where Control Flow Guard dispatch-function pointer is stored.

inline uint64_t guard_cf_function_table() const

The VA of the sorted table of RVAs of each Control Flow Guard function in the image.

inline uint64_t guard_cf_function_count() const

The count of unique RVAs in the LoadConfigurationV1::guard_cf_function_table.

inline IMAGE_GUARD guard_flags() const

Control Flow Guard related flags.

bool has(IMAGE_GUARD flag) const

Check if the given flag is present in LoadConfigurationV1::guard_flags.

std::vector<IMAGE_GUARD> guard_cf_flags_list() const

LoadConfigurationV1::guard_flags as a list of LIEF::PE::GUARD_CF_FLAGS.

inline void guard_cf_check_function_pointer(uint64_t check_pointer)
inline void guard_cf_dispatch_function_pointer(uint64_t dispatch_pointer)
inline void guard_cf_function_table(uint64_t guard_cf_function_table)
inline void guard_cf_function_count(uint64_t guard_cf_function_count)
inline void guard_flags(IMAGE_GUARD flags)
~LoadConfigurationV1() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_8_1

Load Configuration V2

class LoadConfigurationV2 : public LIEF::PE::LoadConfigurationV1

LoadConfiguration enhanced with code integrity.

Subclassed by LIEF::PE::LoadConfigurationV3

Public Functions

LoadConfigurationV2() = default
LoadConfigurationV2 &operator=(const LoadConfigurationV2&) = default
LoadConfigurationV2(const LoadConfigurationV2&) = default
template<class T>
LoadConfigurationV2(const details::load_configuration_v2<T> &header)
inline virtual VERSION version() const override

(SDK) Version of the structure

inline const CodeIntegrity &code_integrity() const

CodeIntegrity associated with.

inline CodeIntegrity &code_integrity()
~LoadConfigurationV2() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_9879

Load Configuration V3

class LoadConfigurationV3 : public LIEF::PE::LoadConfigurationV2

LoadConfiguration with Control Flow Guard improved.

Subclassed by LIEF::PE::LoadConfigurationV4

Public Functions

LoadConfigurationV3() = default
template<class T>
LoadConfigurationV3(const details::load_configuration_v3<T> &header)
LoadConfigurationV3 &operator=(const LoadConfigurationV3&) = default
LoadConfigurationV3(const LoadConfigurationV3&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t guard_address_taken_iat_entry_table() const

VA of a table associated with CFG’s IAT checks.

inline uint64_t guard_address_taken_iat_entry_count() const

Number of entries in the LoadConfigurationV3::guard_address_taken_iat_entry_table.

inline uint64_t guard_long_jump_target_table() const

VA of a table associated with CFG’s long jump

inline uint64_t guard_long_jump_target_count() const

Number of entries in the LoadConfigurationV3::guard_long_jump_target_table.

inline void guard_address_taken_iat_entry_table(uint64_t value)
inline void guard_address_taken_iat_entry_count(uint64_t value)
inline void guard_long_jump_target_table(uint64_t value)
inline void guard_long_jump_target_count(uint64_t value)
~LoadConfigurationV3() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_14286

Load Configuration V4

class LoadConfigurationV4 : public LIEF::PE::LoadConfigurationV3

Load Configuration enhanced with.

  • Kind of dynamic relocations

  • Hybrid Metadata Pointer

Subclassed by LIEF::PE::LoadConfigurationV5

Public Functions

LoadConfigurationV4() = default
template<class T>
LoadConfigurationV4(const details::load_configuration_v4<T> &header)
LoadConfigurationV4 &operator=(const LoadConfigurationV4&) = default
LoadConfigurationV4(const LoadConfigurationV4&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t dynamic_value_reloc_table() const

VA of pointing to a IMAGE_DYNAMIC_RELOCATION_TABLE

inline uint64_t hybrid_metadata_pointer() const
inline void dynamic_value_reloc_table(uint64_t value)
inline void hybrid_metadata_pointer(uint64_t value)
~LoadConfigurationV4() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_14383

Load Configuration V5

class LoadConfigurationV5 : public LIEF::PE::LoadConfigurationV4

Load Configuration enhanced with Return Flow Guard.

Subclassed by LIEF::PE::LoadConfigurationV6

Public Functions

LoadConfigurationV5() = default
template<class T>
LoadConfigurationV5(const details::load_configuration_v5<T> &header)
LoadConfigurationV5 &operator=(const LoadConfigurationV5&) = default
LoadConfigurationV5(const LoadConfigurationV5&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t guard_rf_failure_routine() const

VA of the failure routine.

inline uint64_t guard_rf_failure_routine_function_pointer() const

VA of the failure routine fptr.

inline uint32_t dynamic_value_reloctable_offset() const

Offset of dynamic relocation table relative to the relocation table.

inline uint16_t dynamic_value_reloctable_section() const

The section index of the dynamic value relocation table.

inline uint16_t reserved2() const

Must be zero.

inline void guard_rf_failure_routine(uint64_t value)
inline void guard_rf_failure_routine_function_pointer(uint64_t value)
inline void dynamic_value_reloctable_offset(uint32_t value)
inline void dynamic_value_reloctable_section(uint16_t value)
inline void reserved2(uint16_t value)
~LoadConfigurationV5() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_14901

Load Configuration V6

class LoadConfigurationV6 : public LIEF::PE::LoadConfigurationV5

Load Configuration enhanced with Hotpatch and improved RFG.

Subclassed by LIEF::PE::LoadConfigurationV7

Public Functions

LoadConfigurationV6() = default
template<class T>
LoadConfigurationV6(const details::load_configuration_v6<T> &header)
LoadConfigurationV6 &operator=(const LoadConfigurationV6&) = default
LoadConfigurationV6(const LoadConfigurationV6&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t guard_rf_verify_stackpointer_function_pointer() const

VA of the Function verifying the stack pointer.

inline uint32_t hotpatch_table_offset() const

Offset to the hotpatch table.

inline void guard_rf_verify_stackpointer_function_pointer(uint64_t value)
inline void hotpatch_table_offset(uint32_t value)
~LoadConfigurationV6() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_15002

Load Configuration V7

class LoadConfigurationV7 : public LIEF::PE::LoadConfigurationV6

Subclassed by LIEF::PE::LoadConfigurationV8

Public Functions

LoadConfigurationV7() = default
template<class T>
LoadConfigurationV7(const details::load_configuration_v7<T> &header)
LoadConfigurationV7 &operator=(const LoadConfigurationV7&) = default
LoadConfigurationV7(const LoadConfigurationV7&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint32_t reserved3() const
inline uint64_t addressof_unicode_string() const
inline void reserved3(uint32_t value)
inline void addressof_unicode_string(uint64_t value)
~LoadConfigurationV7() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_16237

Load Configuration V8

class LoadConfigurationV8 : public LIEF::PE::LoadConfigurationV7

Subclassed by LIEF::PE::LoadConfigurationV9

Public Functions

LoadConfigurationV8() = default
template<class T>
LoadConfigurationV8(const details::load_configuration_v8<T> &header)
LoadConfigurationV8 &operator=(const LoadConfigurationV8&) = default
LoadConfigurationV8(const LoadConfigurationV8&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t volatile_metadata_pointer() const
inline void volatile_metadata_pointer(uint64_t value)
~LoadConfigurationV8() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_18362

Load Configuration V9

class LoadConfigurationV9 : public LIEF::PE::LoadConfigurationV8

Subclassed by LIEF::PE::LoadConfigurationV10

Public Functions

LoadConfigurationV9() = default
template<class T>
LoadConfigurationV9(const details::load_configuration_v9<T> &header)
LoadConfigurationV9 &operator=(const LoadConfigurationV9&) = default
LoadConfigurationV9(const LoadConfigurationV9&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t guard_eh_continuation_table() const
inline uint64_t guard_eh_continuation_count() const
inline void guard_eh_continuation_table(uint64_t value)
inline void guard_eh_continuation_count(uint64_t value)
~LoadConfigurationV9() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_19534

Load Configuration V10

class LoadConfigurationV10 : public LIEF::PE::LoadConfigurationV9

Subclassed by LIEF::PE::LoadConfigurationV11

Public Functions

LoadConfigurationV10() = default
template<class T>
LoadConfigurationV10(const details::load_configuration_v10<T> &header)
LoadConfigurationV10 &operator=(const LoadConfigurationV10&) = default
LoadConfigurationV10(const LoadConfigurationV10&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t guard_xfg_check_function_pointer() const
inline uint64_t guard_xfg_dispatch_function_pointer() const
inline uint64_t guard_xfg_table_dispatch_function_pointer() const
inline void guard_xfg_check_function_pointer(uint64_t value)
inline void guard_xfg_dispatch_function_pointer(uint64_t value)
inline void guard_xfg_table_dispatch_function_pointer(uint64_t value)
~LoadConfigurationV10() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_MSVC_2019

Load Configuration V11

class LoadConfigurationV11 : public LIEF::PE::LoadConfigurationV10

Public Functions

LoadConfigurationV11() = default
template<class T>
LoadConfigurationV11(const details::load_configuration_v11<T> &header)
LoadConfigurationV11 &operator=(const LoadConfigurationV11&) = default
LoadConfigurationV11(const LoadConfigurationV11&) = default
inline virtual VERSION version() const override

(SDK) Version of the structure

inline uint64_t cast_guard_os_determined_failure_mode() const
inline void cast_guard_os_determined_failure_mode(uint64_t value)
~LoadConfigurationV11() override = default
virtual void accept(Visitor &visitor) const override
virtual std::ostream &print(std::ostream &os) const override

Public Static Functions

static inline bool classof(const LoadConfiguration *config)

Public Static Attributes

static constexpr VERSION WIN_VERSION = VERSION::WIN_10_0_MSVC_2019_16

Utilities

result<PE_TYPE> LIEF::PE::get_type(const std::string &file)

if the input file is a PE one, return PE32 or PE32+

result<PE_TYPE> LIEF::PE::get_type(const std::vector<uint8_t> &raw)

Return PE32 or PE32+

bool LIEF::PE::is_pe(const std::string &file)

check if the file is a PE file

bool LIEF::PE::is_pe(const std::vector<uint8_t> &raw)

check if the raw data is a PE file

std::string LIEF::PE::get_imphash(const Binary &binary, IMPHASH_MODE mode = IMPHASH_MODE::DEFAULT)

Compute the hash of imported functions.

By default, it generates an hash with the following properties:

  • Order agnostic

  • Casse agnostic

  • Ordinal (in some extent) agnostic

If one needs the same output as Virus Total (i.e. pefile), you can pass IMPHASH_MODE::PEFILE as second parameter.

Warning

The default algorithm used to compute the imphash value has some variations compared to Yara, pefile, VT implementation

enum class LIEF::PE::IMPHASH_MODE

Enum to define the behavior of LIEF::PE::get_imphash.

Values:

enumerator DEFAULT = 0

Default implementation

enumerator LIEF = DEFAULT

Same as IMPHASH_MODE::DEFAULT

enumerator PEFILE

Use pefile algorithm

enumerator VT = PEFILE

Same as IMPHASH_MODE::PEFILE since Virus Total is using pefile

result<Import> LIEF::PE::resolve_ordinals(const Import &import, bool strict = false, bool use_std = false)

Take a PE::Import as entry and try to resolve imports by ordinal.

The strict boolean parameter enables to throw an LIEF::not_found exception if the ordinal can’t be resolved. Otherwise it skips the entry.

Parameters:
  • import[in] Import to resolve

  • strict[in] If set to true, throw an exception if the import can’t be resolved

  • use_std[in] If true, it will use the pefile look-up table for resolving imports

Returns:

The PE::import resolved with PE::ImportEntry::name set

const char *LIEF::PE::oid_to_string(const oid_t &oid)

Convert an OID to a human-readable string.


Enums

enum LIEF::PE::SYMBOL_STORAGE_CLASS

Storage class tells where and what the symbol represents.

Values:

enumerator IMAGE_SYM_CLASS_INVALID = 0xFF
enumerator IMAGE_SYM_CLASS_END_OF_FUNCTION = -1

Physical end of function.

enumerator IMAGE_SYM_CLASS_NULL = 0

No symbol.

enumerator IMAGE_SYM_CLASS_AUTOMATIC = 1

Stack variable.

enumerator IMAGE_SYM_CLASS_EXTERNAL = 2

External symbol.

enumerator IMAGE_SYM_CLASS_STATIC = 3

Static.

enumerator IMAGE_SYM_CLASS_REGISTER = 4

Register variable.

enumerator IMAGE_SYM_CLASS_EXTERNAL_DEF = 5

External definition.

enumerator IMAGE_SYM_CLASS_LABEL = 6

Label.

enumerator IMAGE_SYM_CLASS_UNDEFINED_LABEL = 7

Undefined label.

enumerator IMAGE_SYM_CLASS_MEMBER_OF_STRUCT = 8

Member of structure.

enumerator IMAGE_SYM_CLASS_ARGUMENT = 9

Function argument.

enumerator IMAGE_SYM_CLASS_STRUCT_TAG = 10

Structure tag.

enumerator IMAGE_SYM_CLASS_MEMBER_OF_UNION = 11

Member of union.

enumerator IMAGE_SYM_CLASS_UNION_TAG = 12

Union tag.

enumerator IMAGE_SYM_CLASS_TYPE_DEFINITION = 13

Type definition.

enumerator IMAGE_SYM_CLASS_UNDEFINED_STATIC = 14

Undefined static.

enumerator IMAGE_SYM_CLASS_ENUM_TAG = 15

Enumeration tag.

enumerator IMAGE_SYM_CLASS_MEMBER_OF_ENUM = 16

Member of enumeration.

enumerator IMAGE_SYM_CLASS_REGISTER_PARAM = 17

Register parameter.

enumerator IMAGE_SYM_CLASS_BIT_FIELD = 18

Bit field “.bb” or “.eb” - beginning or end of block.

enumerator IMAGE_SYM_CLASS_BLOCK = 100

“.bf” or “.ef” - beginning or end of function

enumerator IMAGE_SYM_CLASS_FUNCTION = 101
enumerator IMAGE_SYM_CLASS_END_OF_STRUCT = 102

End of structure.

enumerator IMAGE_SYM_CLASS_FILE = 103

File name line number, reformatted as symbol.

enumerator IMAGE_SYM_CLASS_SECTION = 104
enumerator IMAGE_SYM_CLASS_WEAK_EXTERNAL = 105

Duplicate tag external symbol in dmert public lib.

enumerator IMAGE_SYM_CLASS_CLR_TOKEN = 107
enum class LIEF::PE::SYMBOL_BASE_TYPES : size_t

Values:

enumerator IMAGE_SYM_TYPE_NULL = 0

No type information or unknown base type.

enumerator IMAGE_SYM_TYPE_VOID = 1

Used with void pointers and functions.

enumerator IMAGE_SYM_TYPE_CHAR = 2

A character (signed byte).

enumerator IMAGE_SYM_TYPE_SHORT = 3

A 2-byte signed integer.

enumerator IMAGE_SYM_TYPE_INT = 4

A natural integer type on the target.

enumerator IMAGE_SYM_TYPE_LONG = 5

A 4-byte signed integer.

enumerator IMAGE_SYM_TYPE_FLOAT = 6

A 4-byte floating-point number.

enumerator IMAGE_SYM_TYPE_DOUBLE = 7

An 8-byte floating-point number.

enumerator IMAGE_SYM_TYPE_STRUCT = 8

A structure.

enumerator IMAGE_SYM_TYPE_UNION = 9

An union.

enumerator IMAGE_SYM_TYPE_ENUM = 10

An enumerated type.

enumerator IMAGE_SYM_TYPE_MOE = 11

A member of enumeration (a specific value).

enumerator IMAGE_SYM_TYPE_BYTE = 12

A byte; unsigned 1-byte integer.

enumerator IMAGE_SYM_TYPE_WORD = 13

A word; unsigned 2-byte integer.

enumerator IMAGE_SYM_TYPE_UINT = 14

An unsigned integer of natural size.

enumerator IMAGE_SYM_TYPE_DWORD = 15

An unsigned 4-byte integer.

enum class LIEF::PE::SYMBOL_COMPLEX_TYPES : size_t

Values:

enumerator IMAGE_SYM_DTYPE_NULL = 0

No complex type; simple scalar variable.

enumerator IMAGE_SYM_DTYPE_POINTER = 1

A pointer to base type.

enumerator IMAGE_SYM_DTYPE_FUNCTION = 2

A function that returns a base type.

enumerator IMAGE_SYM_DTYPE_ARRAY = 3

An array of base type.

enumerator SCT_COMPLEX_TYPE_SHIFT = 4

Type is formed as (base + (derived << SCT_COMPLEX_TYPE_SHIFT))

enum class LIEF::PE::RELOCATIONS_I386 : size_t

Values:

enumerator IMAGE_REL_I386_ABSOLUTE = 0x0000
enumerator IMAGE_REL_I386_DIR16 = 0x0001
enumerator IMAGE_REL_I386_REL16 = 0x0002
enumerator IMAGE_REL_I386_DIR32 = 0x0006
enumerator IMAGE_REL_I386_DIR32NB = 0x0007
enumerator IMAGE_REL_I386_SEG12 = 0x0009
enumerator IMAGE_REL_I386_SECTION = 0x000A
enumerator IMAGE_REL_I386_SECREL = 0x000B
enumerator IMAGE_REL_I386_TOKEN = 0x000C
enumerator IMAGE_REL_I386_SECREL7 = 0x000D
enumerator IMAGE_REL_I386_REL32 = 0x0014
enum class LIEF::PE::RELOCATIONS_AMD64 : size_t

Values:

enumerator IMAGE_REL_AMD64_ABSOLUTE = 0x0000
enumerator IMAGE_REL_AMD64_ADDR64 = 0x0001
enumerator IMAGE_REL_AMD64_ADDR32 = 0x0002
enumerator IMAGE_REL_AMD64_ADDR32NB = 0x0003
enumerator IMAGE_REL_AMD64_REL32 = 0x0004
enumerator IMAGE_REL_AMD64_REL32_1 = 0x0005
enumerator IMAGE_REL_AMD64_REL32_2 = 0x0006
enumerator IMAGE_REL_AMD64_REL32_3 = 0x0007
enumerator IMAGE_REL_AMD64_REL32_4 = 0x0008
enumerator IMAGE_REL_AMD64_REL32_5 = 0x0009
enumerator IMAGE_REL_AMD64_SECTION = 0x000A
enumerator IMAGE_REL_AMD64_SECREL = 0x000B
enumerator IMAGE_REL_AMD64_SECREL7 = 0x000C
enumerator IMAGE_REL_AMD64_TOKEN = 0x000D
enumerator IMAGE_REL_AMD64_SREL32 = 0x000E
enumerator IMAGE_REL_AMD64_PAIR = 0x000F
enumerator IMAGE_REL_AMD64_SSPAN32 = 0x0010
enum class LIEF::PE::RELOCATIONS_ARM : size_t

Values:

enumerator IMAGE_REL_ARM_ABSOLUTE = 0x0000
enumerator IMAGE_REL_ARM_ADDR32 = 0x0001
enumerator IMAGE_REL_ARM_ADDR32NB = 0x0002
enumerator IMAGE_REL_ARM_BRANCH24 = 0x0003
enumerator IMAGE_REL_ARM_BRANCH11 = 0x0004
enumerator IMAGE_REL_ARM_TOKEN = 0x0005
enumerator IMAGE_REL_ARM_BLX24 = 0x0008
enumerator IMAGE_REL_ARM_BLX11 = 0x0009
enumerator IMAGE_REL_ARM_SECTION = 0x000E
enumerator IMAGE_REL_ARM_SECREL = 0x000F
enumerator IMAGE_REL_ARM_MOV32A = 0x0010
enumerator IMAGE_REL_ARM_MOV32T = 0x0011
enumerator IMAGE_REL_ARM_BRANCH20T = 0x0012
enumerator IMAGE_REL_ARM_BRANCH24T = 0x0014
enumerator IMAGE_REL_ARM_BLX23T = 0x0015
enum class LIEF::PE::CODE_PAGES : size_t

Code page from https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers.

Values:

enumerator CP_IBM037 = 37

IBM EBCDIC US-Canada

enumerator CP_IBM437 = 437

OEM United States

enumerator CP_IBM500 = 500

IBM EBCDIC International

enumerator CP_ASMO_708 = 708

Arabic (ASMO 708)

enumerator CP_DOS_720 = 720

Arabic (Transparent ASMO); Arabic (DOS)

enumerator CP_IBM737 = 737

OEM Greek (formerly 437G); Greek (DOS)

enumerator CP_IBM775 = 775

OEM Baltic; Baltic (DOS)

enumerator CP_IBM850 = 850

OEM Multilingual Latin 1; Western European (DOS)

enumerator CP_IBM852 = 852

OEM Latin 2; Central European (DOS)

enumerator CP_IBM855 = 855

OEM Cyrillic (primarily Russian)

enumerator CP_IBM857 = 857

OEM Turkish; Turkish (DOS)

enumerator CP_IBM00858 = 858

OEM Multilingual Latin 1 + Euro symbol

enumerator CP_IBM860 = 860

OEM Portuguese; Portuguese (DOS)

enumerator CP_IBM861 = 861

OEM Icelandic; Icelandic (DOS)

enumerator CP_DOS_862 = 862

OEM Hebrew; Hebrew (DOS)

enumerator CP_IBM863 = 863

OEM French Canadian; French Canadian (DOS)

enumerator CP_IBM864 = 864

OEM Arabic; Arabic (864)

enumerator CP_IBM865 = 865

OEM Nordic; Nordic (DOS)

enumerator CP_CP866 = 866

OEM Russian; Cyrillic (DOS)

enumerator CP_IBM869 = 869

OEM Modern Greek; Greek, Modern (DOS)

enumerator CP_IBM870 = 870

IBM EBCDIC Multilingual/ROECE (Latin 2); IBM EBCDIC Multilingual Latin 2

enumerator CP_WINDOWS_874 = 874

ANSI/OEM Thai (same as 28605, ISO 8859-15); Thai (Windows)

enumerator CP_CP875 = 875

IBM EBCDIC Greek Modern

enumerator CP_SHIFT_JIS = 932

ANSI/OEM Japanese; Japanese (Shift-JIS)

enumerator CP_GB2312 = 936

ANSI/OEM Simplified Chinese (PRC, Singapore); Chinese Simplified (GB2312)

enumerator CP_KS_C_5601_1987 = 949

ANSI/OEM Korean (Unified Hangul Code)

enumerator CP_BIG5 = 950

ANSI/OEM Traditional Chinese (Taiwan; Hong Kong SAR, PRC); Chinese Traditional (Big5)

enumerator CP_IBM1026 = 1026

IBM EBCDIC Turkish (Latin 5)

enumerator CP_IBM01047 = 1047

IBM EBCDIC Latin 1/Open System

enumerator CP_IBM01140 = 1140

IBM EBCDIC US-Canada (037 + Euro symbol); IBM EBCDIC (US-Canada-Euro)

enumerator CP_IBM01141 = 1141

IBM EBCDIC Germany (20273 + Euro symbol); IBM EBCDIC (Germany-Euro)

enumerator CP_IBM01142 = 1142

IBM EBCDIC Denmark-Norway (20277 + Euro symbol); IBM EBCDIC (Denmark-Norway-Euro)

enumerator CP_IBM01143 = 1143

IBM EBCDIC Finland-Sweden (20278 + Euro symbol); IBM EBCDIC (Finland-Sweden-Euro)

enumerator CP_IBM01144 = 1144

IBM EBCDIC Italy (20280 + Euro symbol); IBM EBCDIC (Italy-Euro)

enumerator CP_IBM01145 = 1145

IBM EBCDIC Latin America-Spain (20284 + Euro symbol); IBM EBCDIC (Spain-Euro)

enumerator CP_IBM01146 = 1146

IBM EBCDIC United Kingdom (20285 + Euro symbol); IBM EBCDIC (UK-Euro)

enumerator CP_IBM01147 = 1147

IBM EBCDIC France (20297 + Euro symbol); IBM EBCDIC (France-Euro)

enumerator CP_IBM01148 = 1148

IBM EBCDIC International (500 + Euro symbol); IBM EBCDIC (International-Euro)

enumerator CP_IBM01149 = 1149

IBM EBCDIC Icelandic (20871 + Euro symbol); IBM EBCDIC (Icelandic-Euro)

enumerator CP_UTF_16 = 1200

Unicode UTF-16, little endian byte order (BMP of ISO 10646); available only to managed applications

enumerator CP_UNICODEFFFE = 1201

Unicode UTF-16, big endian byte order; available only to managed applications

enumerator CP_WINDOWS_1250 = 1250

ANSI Central European; Central European (Windows)

enumerator CP_WINDOWS_1251 = 1251

ANSI Cyrillic; Cyrillic (Windows)

enumerator CP_WINDOWS_1252 = 1252

ANSI Latin 1; Western European (Windows)

enumerator CP_WINDOWS_1253 = 1253

ANSI Greek; Greek (Windows)

enumerator CP_WINDOWS_1254 = 1254

ANSI Turkish; Turkish (Windows)

enumerator CP_WINDOWS_1255 = 1255

ANSI Hebrew; Hebrew (Windows)

enumerator CP_WINDOWS_1256 = 1256

ANSI Arabic; Arabic (Windows)

enumerator CP_WINDOWS_1257 = 1257

ANSI Baltic; Baltic (Windows)

enumerator CP_WINDOWS_1258 = 1258

ANSI/OEM Vietnamese; Vietnamese (Windows)

enumerator CP_JOHAB = 1361

Korean (Johab)

enumerator CP_MACINTOSH = 10000

MAC Roman; Western European (Mac)

enumerator CP_X_MAC_JAPANESE = 10001

Japanese (Mac)

enumerator CP_X_MAC_CHINESETRAD = 10002

MAC Traditional Chinese (Big5); Chinese Traditional (Mac)

enumerator CP_X_MAC_KOREAN = 10003

Korean (Mac)

enumerator CP_X_MAC_ARABIC = 10004

Arabic (Mac)

enumerator CP_X_MAC_HEBREW = 10005

Hebrew (Mac)

enumerator CP_X_MAC_GREEK = 10006

Greek (Mac)

enumerator CP_X_MAC_CYRILLIC = 10007

Cyrillic (Mac)

enumerator CP_X_MAC_CHINESESIMP = 10008

MAC Simplified Chinese (GB 2312); Chinese Simplified (Mac)

enumerator CP_X_MAC_ROMANIAN = 10010

Romanian (Mac)

enumerator CP_X_MAC_UKRAINIAN = 10017

Ukrainian (Mac)

enumerator CP_X_MAC_THAI = 10021

Thai (Mac)

enumerator CP_X_MAC_CE = 10029

MAC Latin 2; Central European (Mac)

enumerator CP_X_MAC_ICELANDIC = 10079

Icelandic (Mac)

enumerator CP_X_MAC_TURKISH = 10081

Turkish (Mac)

enumerator CP_X_MAC_CROATIAN = 10082

Croatian (Mac)

enumerator CP_UTF_32 = 12000

Unicode UTF-32, little endian byte order; available only to managed applications

enumerator CP_UTF_32BE = 12001

Unicode UTF-32, big endian byte order; available only to managed applications

enumerator CP_X_CHINESE_CNS = 20000

CNS Taiwan; Chinese Traditional (CNS)

enumerator CP_X_CP20001 = 20001

TCA Taiwan

enumerator CP_X_CHINESE_ETEN = 20002

Eten Taiwan; Chinese Traditional (Eten)

enumerator CP_X_CP20003 = 20003

IBM5550 Taiwan

enumerator CP_X_CP20004 = 20004

TeleText Taiwan

enumerator CP_X_CP20005 = 20005

Wang Taiwan

enumerator CP_X_IA5 = 20105

IA5 (IRV International Alphabet No. 5, 7-bit); Western European (IA5)

enumerator CP_X_IA5_GERMAN = 20106

IA5 German (7-bit)

enumerator CP_X_IA5_SWEDISH = 20107

IA5 Swedish (7-bit)

enumerator CP_X_IA5_NORWEGIAN = 20108

IA5 Norwegian (7-bit)

enumerator CP_US_ASCII = 20127

US-ASCII (7-bit)

enumerator CP_X_CP20261 = 20261

T.61

enumerator CP_X_CP20269 = 20269

ISO 6937 Non-Spacing Accent

enumerator CP_IBM273 = 20273

IBM EBCDIC Germany

enumerator CP_IBM277 = 20277

IBM EBCDIC Denmark-Norway

enumerator CP_IBM278 = 20278

IBM EBCDIC Finland-Sweden

enumerator CP_IBM280 = 20280

IBM EBCDIC Italy

enumerator CP_IBM284 = 20284

IBM EBCDIC Latin America-Spain

enumerator CP_IBM285 = 20285

IBM EBCDIC United Kingdom

enumerator CP_IBM290 = 20290

IBM EBCDIC Japanese Katakana Extended

enumerator CP_IBM297 = 20297

IBM EBCDIC France

enumerator CP_IBM420 = 20420

IBM EBCDIC Arabic

enumerator CP_IBM423 = 20423

IBM EBCDIC Greek

enumerator CP_IBM424 = 20424

IBM EBCDIC Hebrew

enumerator CP_X_EBCDIC_KOREANEXTENDED = 20833

IBM EBCDIC Korean Extended

enumerator CP_IBM_THAI = 20838

IBM EBCDIC Thai

enumerator CP_KOI8_R = 20866

Russian (KOI8-R); Cyrillic (KOI8-R)

enumerator CP_IBM871 = 20871

IBM EBCDIC Icelandic

enumerator CP_IBM880 = 20880

IBM EBCDIC Cyrillic Russian

enumerator CP_IBM905 = 20905

IBM EBCDIC Turkish

enumerator CP_IBM00924 = 20924

IBM EBCDIC Latin 1/Open System (1047 + Euro symbol)

enumerator CP_EUC_JP_JIS = 20932

Japanese (JIS 0208-1990 and 0121-1990)

enumerator CP_X_CP20936 = 20936

Simplified Chinese (GB2312); Chinese Simplified (GB2312-80)

enumerator CP_X_CP20949 = 20949

Korean Wansung

enumerator CP_CP1025 = 21025

IBM EBCDIC Cyrillic Serbian-Bulgarian

enumerator CP_KOI8_U = 21866

Ukrainian (KOI8-U); Cyrillic (KOI8-U)

enumerator CP_ISO_8859_1 = 28591

ISO 8859-1 Latin 1; Western European (ISO)

enumerator CP_ISO_8859_2 = 28592

ISO 8859-2 Central European; Central European (ISO)

enumerator CP_ISO_8859_3 = 28593

ISO 8859-3 Latin 3

enumerator CP_ISO_8859_4 = 28594

ISO 8859-4 Baltic

enumerator CP_ISO_8859_5 = 28595

ISO 8859-5 Cyrillic

enumerator CP_ISO_8859_6 = 28596

ISO 8859-6 Arabic

enumerator CP_ISO_8859_7 = 28597

ISO 8859-7 Greek

enumerator CP_ISO_8859_8 = 28598

ISO 8859-8 Hebrew; Hebrew (ISO-Visual)

enumerator CP_ISO_8859_9 = 28599

ISO 8859-9 Turkish

enumerator CP_ISO_8859_13 = 28603

ISO 8859-13 Estonian

enumerator CP_ISO_8859_15 = 28605

ISO 8859-15 Latin 9

enumerator CP_X_EUROPA = 29001

Europa 3

enumerator CP_ISO_8859_8_I = 38598

ISO 8859-8 Hebrew; Hebrew (ISO-Logical)

enumerator CP_ISO_2022_JP = 50220

ISO 2022 Japanese with no halfwidth Katakana; Japanese (JIS)

enumerator CP_CSISO2022JP = 50221

ISO 2022 Japanese with halfwidth Katakana; Japanese (JIS-Allow 1 byte Kana)

enumerator CP_ISO_2022_JP_JIS = 50222

ISO 2022 Japanese JIS X 0201-1989; Japanese (JIS-Allow 1 byte Kana - SO/SI)

enumerator CP_ISO_2022_KR = 50225

ISO 2022 Korean

enumerator CP_X_CP50227 = 50227

ISO 2022 Simplified Chinese; Chinese Simplified (ISO 2022)

enumerator CP_EUC_JP = 51932

EUC Japanese

enumerator CP_EUC_CN = 51936

EUC Simplified Chinese; Chinese Simplified (EUC)

enumerator CP_EUC_KR = 51949

EUC Korean

enumerator CP_HZ_GB_2312 = 52936

HZ-GB2312 Simplified Chinese; Chinese Simplified (HZ)

enumerator CP_GB18030 = 54936

Windows XP and later: GB18030 Simplified Chinese (4 byte); Chinese Simplified (GB18030)

enumerator CP_X_ISCII_DE = 57002

ISCII Devanagari

enumerator CP_X_ISCII_BE = 57003

ISCII Bengali

enumerator CP_X_ISCII_TA = 57004

ISCII Tamil

enumerator CP_X_ISCII_TE = 57005

ISCII Telugu

enumerator CP_X_ISCII_AS = 57006

ISCII Assamese

enumerator CP_X_ISCII_OR = 57007

ISCII Oriya

enumerator CP_X_ISCII_KA = 57008

ISCII Kannada

enumerator CP_X_ISCII_MA = 57009

ISCII Malayalam

enumerator CP_X_ISCII_GU = 57010

ISCII Gujarati

enumerator CP_X_ISCII_PA = 57011

ISCII Punjabi

enumerator CP_UTF_7 = 65000

Unicode (UTF-7)

enumerator CP_UTF_8 = 65001

Unicode (UTF-8)

enum class LIEF::PE::WINDOW_STYLES : size_t

From: https://docs.microsoft.com/en-us/windows/win32/winmsg/window-styles.

Values:

enumerator WS_OVERLAPPED = 0x00000000L
enumerator WS_POPUP = 0x80000000L
enumerator WS_CHILD = 0x40000000L
enumerator WS_MINIMIZE = 0x20000000L
enumerator WS_VISIBLE = 0x10000000L
enumerator WS_DISABLED = 0x08000000L
enumerator WS_CLIPSIBLINGS = 0x04000000L
enumerator WS_CLIPCHILDREN = 0x02000000L
enumerator WS_MAXIMIZE = 0x01000000L
enumerator WS_CAPTION = 0x00C00000L
enumerator WS_BORDER = 0x00800000L
enumerator WS_DLGFRAME = 0x00400000L
enumerator WS_VSCROLL = 0x00200000L
enumerator WS_HSCROLL = 0x00100000L
enumerator WS_SYSMENU = 0x00080000L
enumerator WS_THICKFRAME = 0x00040000L
enumerator WS_GROUP = 0x00020000L
enumerator WS_TABSTOP = 0x00010000L
enumerator WS_MINIMIZEBOX = 0x00020000L
enumerator WS_MAXIMIZEBOX = 0x00010000L
enum class LIEF::PE::EXTENDED_WINDOW_STYLES : size_t

From https://docs.microsoft.com/en-us/windows/win32/winmsg/extended-window-styles.

Values:

enumerator WS_EX_DLGMODALFRAME = 0x00000001L
enumerator WS_EX_NOPARENTNOTIFY = 0x00000004L
enumerator WS_EX_TOPMOST = 0x00000008L
enumerator WS_EX_ACCEPTFILES = 0x00000010L
enumerator WS_EX_TRANSPARENT = 0x00000020L
enumerator WS_EX_MDICHILD = 0x00000040L
enumerator WS_EX_TOOLWINDOW = 0x00000080L
enumerator WS_EX_WINDOWEDGE = 0x00000100L
enumerator WS_EX_CLIENTEDGE = 0x00000200L
enumerator WS_EX_CONTEXTHELP = 0x00000400L
enumerator WS_EX_RIGHT = 0x00001000L
enumerator WS_EX_LEFT = 0x00000000L
enumerator WS_EX_RTLREADING = 0x00002000L
enumerator WS_EX_LTRREADING = 0x00000000L
enumerator WS_EX_LEFTSCROLLBAR = 0x00004000L
enumerator WS_EX_RIGHTSCROLLBAR = 0x00000000L
enumerator WS_EX_CONTROLPARENT = 0x00010000L
enumerator WS_EX_STATICEDGE = 0x00020000L
enumerator WS_EX_APPWINDOW = 0x00040000L
enum class LIEF::PE::DIALOG_BOX_STYLES : size_t

From https://docs.microsoft.com/en-us/windows/win32/dlgbox/dialog-box-styles.

Values:

enumerator DS_ABSALIGN = 0x0001L
enumerator DS_SYSMODAL = 0x0002L
enumerator DS_LOCALEDIT = 0x0020L
enumerator DS_SETFONT = 0x0040L
enumerator DS_MODALFRAME = 0x0080L
enumerator DS_NOIDLEMSG = 0x0100L
enumerator DS_SETFOREGROUND = 0x0200L
enumerator DS_3DLOOK = 0x0004L
enumerator DS_FIXEDSYS = 0x0008L
enumerator DS_NOFAILCREATE = 0x0010L
enumerator DS_CONTROL = 0x0400L
enumerator DS_CENTER = 0x0800L
enumerator DS_CENTERMOUSE = 0x1000L
enumerator DS_CONTEXTHELP = 0x2000L
enumerator DS_SHELLFONT = 0x0040L | 0x0008L
enum class LIEF::PE::FIXED_VERSION_OS : size_t

Values:

enumerator VOS_UNKNOWN = 0x00000000L
enumerator VOS_DOS = 0x00010000L
enumerator VOS_NT = 0x00040000L
enumerator VOS__WINDOWS16 = 0x00000001L
enumerator VOS__WINDOWS32 = 0x00000004L
enumerator VOS_OS216 = 0x00020000L
enumerator VOS_OS232 = 0x00030000L
enumerator VOS__PM16 = 0x00000002L
enumerator VOS__PM32 = 0x00000003L
enumerator VOS_DOS_WINDOWS16 = 0x00010000L | 0x00000001L
enumerator VOS_DOS_WINDOWS32 = 0x00010000L | 0x00000004L
enumerator VOS_NT_WINDOWS32 = 0x00040000L | 0x00000004L
enumerator VOS_OS216_PM16 = 0x00020000L | 0x00000002L
enumerator VOS_OS232_PM32 = 0x00030000L | 0x00000003L
enum class LIEF::PE::FIXED_VERSION_FILE_FLAGS : size_t

Values:

enumerator VS_FF_DEBUG = 0x00000001L
enumerator VS_FF_INFOINFERRED = 0x00000010L
enumerator VS_FF_PATCHED = 0x00000004L
enumerator VS_FF_PRERELEASE = 0x00000002L
enumerator VS_FF_PRIVATEBUILD = 0x00000008L
enumerator VS_FF_SPECIALBUILD = 0x00000020L
enum class LIEF::PE::FIXED_VERSION_FILE_TYPES : size_t

Values:

enumerator VFT_APP = 0x00000001L
enumerator VFT_DLL = 0x00000002L
enumerator VFT_DRV = 0x00000003L
enumerator VFT_FONT = 0x00000004L
enumerator VFT_STATIC_LIB = 0x00000007L
enumerator VFT_UNKNOWN = 0x00000000L
enumerator VFT_VXD = 0x00000005L
enum class LIEF::PE::FIXED_VERSION_FILE_SUB_TYPES : size_t

Values:

enumerator VFT2_DRV_COMM = 0x0000000AL
enumerator VFT2_DRV_DISPLAY = 0x00000004L
enumerator VFT2_DRV_INSTALLABLE = 0x00000008L
enumerator VFT2_DRV_KEYBOARD = 0x00000002L
enumerator VFT2_DRV_LANGUAGE = 0x00000003L
enumerator VFT2_DRV_MOUSE = 0x00000005L
enumerator VFT2_DRV_NETWORK = 0x00000006L
enumerator VFT2_DRV_PRINTER = 0x00000001L
enumerator VFT2_DRV_SOUND = 0x00000009L
enumerator VFT2_DRV_SYSTEM = 0x00000007L
enumerator VFT2_DRV_VERSIONED_PRINTER = 0x0000000CL
enumerator VFT2_FONT_RASTER = 0x00000001L
enumerator VFT2_FONT_TRUETYPE = 0x00000003L
enumerator VFT2_FONT_VECTOR = 0x00000002L
enumerator VFT2_UNKNOWN = 0x00000000L
enum class LIEF::PE::ALGORITHMS : uint32_t

Cryptography algorithms.

Values:

enumerator UNKNOWN = 0
enumerator SHA_512
enumerator SHA_384
enumerator SHA_256
enumerator SHA_1
enumerator MD5
enumerator MD4
enumerator MD2
enumerator RSA
enumerator EC
enumerator MD5_RSA
enumerator SHA1_DSA
enumerator SHA1_RSA
enumerator SHA_256_RSA
enumerator SHA_384_RSA
enumerator SHA_512_RSA
enumerator SHA1_ECDSA
enumerator SHA_256_ECDSA
enumerator SHA_384_ECDSA
enumerator SHA_512_ECDSA