Abstract

Parser

lief.parse(*args, **kwargs)

Overloaded function.

  1. parse(raw: bytes, name: str = '') -> lief.Binary

Parse the given binary and return a Binary object

  2. parse(filepath: str) -> lief.Binary

Parse the given binary and return a Binary object

  3. parse(raw: List[int], name: str = '') -> lief.Binary

Parse the given binary and return a Binary object

  4. parse(io: object, name: str = '') -> lief.Binary


Binary

class lief.Binary
class VA_TYPES(self: lief.Binary.VA_TYPES, value: int) → None

Members:

AUTO

VA

RVA

AUTO = <VA_TYPES.AUTO: 0>
RVA = <VA_TYPES.RVA: 1>
VA = <VA_TYPES.VA: 2>
property name
property abstract

Return the abstract lief.Binary object

Warning

Getting this property modifies the __class__ attribute so that the current binary looks like a Binary.

Use the concrete property to get back to the original binary.

property concrete

Return the concrete lief.ELF.Binary, lief.PE.Binary or lief.MachO.Binary object

property ctor_functions

Constructor functions that are called prior to any other functions

property entrypoint

Binary’s entrypoint

property exported_functions

Return binary’s exported Function

property format

File format EXE_FORMATS of the underlying binary.

get_content_from_virtual_address(self: lief.Binary, virtual_address: int, size: int, va_type: lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) → List[int]

Return the content located at virtual address.

The virtual address is specified in the first argument and the size to read (in bytes) in the second. If the underlying binary is a PE, one can specify whether the virtual address is an RVA or a VA. By default it is set to AUTO.

get_function_address(self: lief.Binary, function_name: str) → int

Return the address of the given function name

get_symbol(self: lief.Binary, symbol_name: str) → LIEF::Symbol

Return the Symbol with the given name

property has_nx

Check if the binary uses NX protection

has_symbol(self: lief.Binary, symbol_name: str) → bool

Check if a Symbol with the given name exists

property header

Binary’s header

property imported_functions

Return binary’s imported Function (name)

property is_pie

Check if the binary is position independent

property libraries

Return binary’s imported libraries (name)

property name

Binary’s name

patch_address(*args, **kwargs)

Overloaded function.

  1. patch_address(self: lief.Binary, address: int, patch_value: List[int], va_type: lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) -> None

The virtual address is specified in the first argument and the content in the second (as a list of bytes). If the underlying binary is a PE, one can specify whether the virtual address is an RVA or a VA. By default it is set to AUTO.

  2. patch_address(self: lief.Binary, address: int, patch_value: int, size: int = 8, va_type: lief.Binary.VA_TYPES = <VA_TYPES.AUTO: 0>) -> None

The virtual address is specified in the first argument, the integer in the second and the size of the integer in the third. If the underlying binary is a PE, one can specify whether the virtual address is an RVA or a VA. By default it is set to AUTO.

property relocations

Return an iterator over abstract Relocation

remove_section(self: lief.Binary, name: str, clear: bool = False) → None

Remove the section with the given name

property sections

Return a read-only list of the binary’s abstract Section objects

property symbols

Return a read-only list of the binary’s abstract Symbol objects

xref(self: lief.Binary, virtual_address: int) → List[int]

Return all virtual addresses that use the address given as a parameter


class lief.Header(self: lief.Header) → None
property architecture

Target architecture (ARCHITECTURES)

property endianness

Binary endianness. See: ENDIANNESS

property entrypoint

Binary entrypoint

property is_32

True if the binary targets a 32-bit architecture

property is_64

True if the binary targets a 64-bit architecture

property modes

Target MODES (32-bits, 64-bits…)

property object_type

Type of the binary (executable, library…). See: OBJECT_TYPES


Section

class lief.Section(*args, **kwargs)

Overloaded function.

  1. __init__(self: lief.Section) -> None

Default constructor

  2. __init__(self: lief.Section, name: str) -> None

Constructor from section name

property content

Section’s content

property entropy

Section’s entropy

property name

Section’s name

property offset

Section’s offset

search(*args, **kwargs)

Overloaded function.

  1. search(self: lief.Section, number: int, pos: int = 0, size: int = 0) -> int

Look for integer within the current section

  2. search(self: lief.Section, str: str, pos: int = 0) -> int

Look for string within the current section

search_all(*args, **kwargs)

Overloaded function.

  1. search_all(self: lief.Section, number: int, size: int = 0) -> List[int]

Look for all integers within the current section

  2. search_all(self: lief.Section, str: str) -> List[int]

Look for all strings within the current section

property size

Section’s size

property virtual_address

Section’s virtual address
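
The abstract properties documented above (format, has_nx, is_pie, libraries, and each Section's name, size and entropy) are enough for a format-independent hardening triage. The following is an added example, not code from the LIEF project: the function names, the HIGH_ENTROPY threshold and the stand-in sample object are assumptions made for illustration.

```python
import sys
from types import SimpleNamespace

# Assumed threshold (not from the LIEF docs): entropy is in bits per byte
# (0..8); values close to 8 usually indicate packed or encrypted data.
HIGH_ENTROPY = 7.0


def hardening_report(binary):
    """Summarise hardening facts using only the abstract Binary/Section API."""
    findings = []
    if not binary.has_nx:
        findings.append("NX disabled: data pages may be executable")
    if not binary.is_pie:
        findings.append("not position independent: image loads at a fixed address")
    for section in binary.sections:
        # Empty sections (e.g. .bss on disk) carry no bytes to measure.
        if section.size > 0 and section.entropy >= HIGH_ENTROPY:
            findings.append(
                f"section {section.name!r} has high entropy ({round(section.entropy, 2)})"
            )
    return {
        "name": binary.name,
        "format": str(binary.format),
        "libraries": list(binary.libraries),
        "findings": findings,
    }


def triage_file(path):
    import lief  # lazy import so hardening_report() works without LIEF installed
    binary = lief.parse(path)  # concrete ELF/PE/Mach-O object exposing the abstract API
    if binary is None:  # some LIEF releases return None on failure instead of raising
        raise ValueError(f"{path}: not a parsable ELF/PE/Mach-O file")
    return hardening_report(binary)


def constructed_sample():
    # Constructed stand-in object using the attribute names documented on this page.
    sec = lambda name, entropy, size: SimpleNamespace(name=name, entropy=entropy, size=size)
    return SimpleNamespace(
        name="sample.bin", format="EXE_FORMATS.ELF", has_nx=False, is_pie=True,
        libraries=["libc.so.6"],
        sections=[sec(".text", 6.1, 4096), sec(".packed", 7.93, 8192), sec(".bss", 0.0, 0)],
    )


if __name__ == "__main__":
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else hardening_report(constructed_sample())
    print(report["name"], report["format"], *report["findings"], sep="\n")
```

Run with a file path to triage a real binary through lief.parse; without arguments it reports on the constructed sample.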


Symbol

class lief.Symbol(self: lief.Symbol) → None
property name

Symbol’s name

property size

Symbol’s size

property value

Symbol’s value


Relocation

class lief.Relocation(*args, **kwargs)

Overloaded function.

  1. __init__(self: lief.Relocation) -> None

Default constructor

  2. __init__(self: lief.Relocation, address: int, size: int) -> None

Constructor from address and size

property address

Relocation’s address

property size

Relocation’s size (in bits)


Function

class lief.Function(*args, **kwargs)

Overloaded function.

  1. __init__(self: lief.Function) -> None

  2. __init__(self: lief.Function, arg0: str) -> None

  3. __init__(self: lief.Function, arg0: int) -> None

  4. __init__(self: lief.Function, arg0: str, arg1: int) -> None

class FLAGS(self: lief.Function.FLAGS, value: int) → None

Members:

IMPORTED

EXPORTED

CONSTRUCTOR

DESTRUCTOR

DEBUG

CONSTRUCTOR = <FLAGS.CONSTRUCTOR: 1>
DEBUG = <FLAGS.DEBUG: 3>
DESTRUCTOR = <FLAGS.DESTRUCTOR: 2>
EXPORTED = <FLAGS.EXPORTED: 4>
IMPORTED = <FLAGS.IMPORTED: 5>
property name
property address

Function’s address

property name

Symbol’s name

property size

Symbol’s size

property value

Symbol’s value

Enums

Executable formats

class lief.EXE_FORMATS(self: lief.EXE_FORMATS, value: int) → None

Members:

UNKNOWN

ELF

PE

MACHO

ELF = <EXE_FORMATS.ELF: 1>
MACHO = <EXE_FORMATS.MACHO: 3>
PE = <EXE_FORMATS.PE: 2>
UNKNOWN = <EXE_FORMATS.UNKNOWN: 0>
property name

Object types

class lief.OBJECT_TYPES(self: lief.OBJECT_TYPES, value: int) → None

Members:

NONE

EXECUTABLE

LIBRARY

OBJECT

EXECUTABLE = <OBJECT_TYPES.EXECUTABLE: 1>
LIBRARY = <OBJECT_TYPES.LIBRARY: 2>
NONE = <OBJECT_TYPES.NONE: 0>
OBJECT = <OBJECT_TYPES.OBJECT: 3>
property name

Architectures

class lief.ARCHITECTURES(self: lief.ARCHITECTURES, value: int) → None

Members:

NONE

ARM

ARM64

MIPS

X86

PPC

SPARC

SYSZ

XCODE

INTEL

ARM = <ARCHITECTURES.ARM: 1>
ARM64 = <ARCHITECTURES.ARM64: 2>
INTEL = <ARCHITECTURES.INTEL: 9>
MIPS = <ARCHITECTURES.MIPS: 3>
NONE = <ARCHITECTURES.NONE: 0>
PPC = <ARCHITECTURES.PPC: 5>
SPARC = <ARCHITECTURES.SPARC: 6>
SYSZ = <ARCHITECTURES.SYSZ: 7>
X86 = <ARCHITECTURES.X86: 4>
XCODE = <ARCHITECTURES.XCODE: 8>
property name

Modes

class lief.MODES(self: lief.MODES, value: int) → None

Members:

NONE

M16

M32

M64

ARM

THUMB

MCLASS

UNDEFINED

MIPS3

MIPS32R6

MIPSGP64

V7

V8

V9

MIPS32

MIPS64

ARM = <MODES.ARM: 4>
M16 = <MODES.M16: 1>
M32 = <MODES.M32: 2>
M64 = <MODES.M64: 3>
MCLASS = <MODES.MCLASS: 6>
MIPS3 = <MODES.MIPS3: 8>
MIPS32 = <MODES.MIPS32: 14>
MIPS32R6 = <MODES.MIPS32R6: 9>
MIPS64 = <MODES.MIPS64: 15>
MIPSGP64 = <MODES.MIPSGP64: 10>
NONE = <MODES.NONE: 0>
THUMB = <MODES.THUMB: 5>
UNDEFINED = <MODES.UNDEFINED: 7>
V7 = <MODES.V7: 11>
V8 = <MODES.V8: 12>
V9 = <MODES.V9: 13>
property name

Endianness

class lief.ENDIANNESS(self: lief.ENDIANNESS, value: int) → None

Members:

NONE

BIG

LITTLE

BIG = <ENDIANNESS.BIG: 1>
LITTLE = <ENDIANNESS.LITTLE: 2>
NONE = <ENDIANNESS.NONE: 0>
property name