Abstract

Parser

lief.parse(*args, **kwargs)

Overloaded function.

  1. parse(raw: bytes, name: str = ‘’) -> lief.Binary

    Parse a binary supported by LIEF from the given bytes and return either:

    depending on the given binary format.

  2. parse(filepath: str) -> lief.Binary

    Parse a binary from the given file path and return either:

    depending on the given binary format.

  3. parse(raw: List[int], name: str = ‘’) -> lief.Binary

    Parse a binary supported by LIEF from the given list of bytes and return either:

    depending on the given binary format.

  4. parse(io: object, name: str = ‘’) -> lief.Binary

    Parse a binary supported by LIEF from the given Python IO interface and return either:

    depending on the given binary format.


Binary

class lief.Binary

File format abstract representation.

This object represents the abstraction of an executable file format. It enables to access common features (like the entrypoint) regardless of the concrete format (e.g. lief.ELF.Binary.entrypoint)

class VA_TYPES(self: lief.Binary.VA_TYPES, value: int) None

Members:

AUTO

VA

RVA

AUTO = <VA_TYPES.AUTO: 0>
RVA = <VA_TYPES.RVA: 1>
VA = <VA_TYPES.VA: 2>
property name
property value
property abstract

Return the abstract representation of the current binary (lief.Binary)

Warning

Getting this property modifies the __class__ attribute such as the current binary looks like a lief.Binary.

To get back to the original binary, one needs to access lief.Binary.concrete

property concrete

The concrete representation of the binary. Basically, this property cast a lief.Binary into a lief.PE.Binary, lief.ELF.Binary or lief.MachO.Binary.

See also: lief.Binary.abstract

property ctor_functions

Constructor functions that are called prior to any other functions

property entrypoint

Binary’s entrypoint

property exported_functions

Return the binary’s exported Function

property format

File format EXE_FORMATS of the underlying binary.

get_content_from_virtual_address(self: lief.Binary, virtual_address: int, size: int, va_type: lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) List[int]

Return the content located at the provided virtual address. The virtual address is specified in the first argument and size to read (in bytes) in the second.

If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

get_function_address(self: lief.Binary, function_name: str) int

Return the address of the given function name

get_symbol(self: lief.Binary, symbol_name: str) LIEF::Symbol

Return the Symbol from the given name.

If the symbol can’t be found, it returns None.

property has_nx

Check if the binary has NX protection (non executable stack)

has_symbol(self: lief.Binary, symbol_name: str) bool

Check if a Symbol with the given name exists

property header

Binary’s abstract header (Header)

property imagebase

Default image base (i.e. if the ASLR is not enabled)

property imported_functions

Return the binary’s imported Function (name)

property is_pie

Check if the binary is position independent

class it_relocations
class it_sections
class it_symbols
property libraries

Return binary’s imported libraries (name)

property name

Binary’s name

offset_to_virtual_address(self: lief.Binary, offset: int, slide: int = 0) int

Convert an offset into a virtual address.

patch_address(*args, **kwargs)

Overloaded function.

  1. patch_address(self: lief.Binary, address: int, patch_value: List[int], va_type: lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) -> None

    Patch the address with the given list of bytes. The virtual address is specified in the first argument and the content in the second (as a list of bytes).

    If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

  2. patch_address(self: lief.Binary, address: int, patch_value: int, size: int = 8, va_type: lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) -> None

    Patch the address with the given integer value. The virtual address is specified in the first argument, the integer in the second and the integer’s size of in third one.

    If the underlying binary is a PE, one can specify if the virtual address is a RVA or a VA. By default, it is set to AUTO.

property relocations

Return an iterator over abstract Relocation

remove_section(self: lief.Binary, name: str, clear: bool = False) None

Remove the section with the given name

property sections

Return an iterator over the binary’s abstract sections (Section)

property symbols

Return an iterator over the binary’s abstract Symbol

xref(self: lief.Binary, virtual_address: int) List[int]

Return all virtual addresses that use the address given in parameter



Section

class lief.Section(*args, **kwargs)

Class which represents an abstracted section

Overloaded function.

  1. __init__(self: lief.Section) -> None

Default constructor

  1. __init__(self: lief.Section, name: str) -> None

Constructor from section name

property content

Section’s content

property entropy

Section’s entropy

property fullname

Return the fullname of the section including the trailing bytes

property name

Section’s name

property offset

Section’s file offset

search(*args, **kwargs)

Overloaded function.

  1. search(self: lief.Section, number: int, pos: int = 0, size: int = 0) -> int

Look for integer within the current section

  1. search(self: lief.Section, str: str, pos: int = 0) -> int

Look for string within the current section

search_all(*args, **kwargs)

Overloaded function.

  1. search_all(self: lief.Section, number: int, size: int = 0) -> List[int]

Look for all integers within the current section

  1. search_all(self: lief.Section, str: str) -> List[int]

Look for all strings within the current section

property size

Section’s size

property virtual_address

Section’s virtual address


Symbol

class lief.Symbol(self: lief.Symbol) None

This class represents a symbol in an executable format.

property name

Symbol’s name

property size

Symbol’s size

property value

Symbol’s value


Relocation

class lief.Relocation(*args, **kwargs)

Class which represents an abstracted Relocation

Overloaded function.

  1. __init__(self: lief.Relocation) -> None

Default constructor

  1. __init__(self: lief.Relocation, address: int, size: int) -> None

Constructor from an address and a size

property address

Relocation’s address

property size

Relocation’s size (in bits)


Function

class lief.Function(*args, **kwargs)

Class which represents a Function in an executable file format.

Overloaded function.

  1. __init__(self: lief.Function) -> None

  2. __init__(self: lief.Function, arg0: str) -> None

  3. __init__(self: lief.Function, arg0: int) -> None

  4. __init__(self: lief.Function, arg0: str, arg1: int) -> None

class FLAGS(self: lief.Function.FLAGS, value: int) None

Members:

IMPORTED

EXPORTED

CONSTRUCTOR

DESTRUCTOR

DEBUG

CONSTRUCTOR = <FLAGS.CONSTRUCTOR: 1>
DEBUG = <FLAGS.DEBUG: 3>
DESTRUCTOR = <FLAGS.DESTRUCTOR: 2>
EXPORTED = <FLAGS.EXPORTED: 4>
IMPORTED = <FLAGS.IMPORTED: 5>
property name
property value
add(self: lief.Function, flag: lief.Function.FLAGS) lief.Function

Add the given FLAGS

property address

Function’s address

property flags

Function flags as a list of FLAGS

property name

Symbol’s name

property size

Symbol’s size

property value

Symbol’s value

Enums

Executable formats

class lief.EXE_FORMATS(self: lief.EXE_FORMATS, value: int) None

Members:

UNKNOWN

ELF

PE

MACHO

ELF = <EXE_FORMATS.ELF: 1>
MACHO = <EXE_FORMATS.MACHO: 3>
PE = <EXE_FORMATS.PE: 2>
UNKNOWN = <EXE_FORMATS.UNKNOWN: 0>
property name
property value

Object types

class lief.OBJECT_TYPES(self: lief.OBJECT_TYPES, value: int) None

Members:

NONE

EXECUTABLE

LIBRARY

OBJECT

EXECUTABLE = <OBJECT_TYPES.EXECUTABLE: 1>
LIBRARY = <OBJECT_TYPES.LIBRARY: 2>
NONE = <OBJECT_TYPES.NONE: 0>
OBJECT = <OBJECT_TYPES.OBJECT: 3>
property name
property value

Architectures

class lief.ARCHITECTURES(self: lief.ARCHITECTURES, value: int) None

Members:

NONE

ARM

ARM64

MIPS

X86

PPC

SPARC

SYSZ

XCORE

INTEL

RISCV

ARM = <ARCHITECTURES.ARM: 1>
ARM64 = <ARCHITECTURES.ARM64: 2>
INTEL = <ARCHITECTURES.INTEL: 9>
MIPS = <ARCHITECTURES.MIPS: 3>
NONE = <ARCHITECTURES.NONE: 0>
PPC = <ARCHITECTURES.PPC: 5>
RISCV = <ARCHITECTURES.RISCV: 10>
SPARC = <ARCHITECTURES.SPARC: 6>
SYSZ = <ARCHITECTURES.SYSZ: 7>
X86 = <ARCHITECTURES.X86: 4>
XCORE = <ARCHITECTURES.XCORE: 8>
property name
property value

Modes

class lief.MODES(self: lief.MODES, value: int) None

Members:

NONE

M16

M32

M64

ARM

THUMB

MCLASS

UNDEFINED

MIPS3

MIPS32R6

MIPSGP64

V7

V8

V9

MIPS32

MIPS64

ARM = <MODES.ARM: 4>
M16 = <MODES.M16: 1>
M32 = <MODES.M32: 2>
M64 = <MODES.M64: 3>
MCLASS = <MODES.MCLASS: 6>
MIPS3 = <MODES.MIPS3: 8>
MIPS32 = <MODES.MIPS32: 14>
MIPS32R6 = <MODES.MIPS32R6: 9>
MIPS64 = <MODES.MIPS64: 15>
MIPSGP64 = <MODES.MIPSGP64: 10>
NONE = <MODES.NONE: 0>
THUMB = <MODES.THUMB: 5>
UNDEFINED = <MODES.UNDEFINED: 7>
V7 = <MODES.V7: 11>
V8 = <MODES.V8: 12>
V9 = <MODES.V9: 13>
property name
property value

Endianness

class lief.ENDIANNESS(self: lief.ENDIANNESS, value: int) None

Members:

NONE

BIG

LITTLE

BIG = <ENDIANNESS.BIG: 1>
LITTLE = <ENDIANNESS.LITTLE: 2>
NONE = <ENDIANNESS.NONE: 0>
property name
property value