How to use the lief.PE function in lief
To help you get started, we’ve selected a few lief examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
lief-project / LIEF / tests / pe / test_pe.py View on Github 
def test_pgo(self):
path = get_sample("PE/PE32_x86_binary_PGO-LTCG.exe")
sample = lief.parse(path)
debugs = sample.debug
self.assertEqual(len(debugs), 3)
debug_entry = debugs[2]
self.assertTrue(debug_entry.has_pogo)
pogo = debug_entry.pogo
self.assertEqual(pogo.signature, lief.PE.POGO_SIGNATURES.LCTG)
pogo_entries = pogo.entries
self.assertEqual(len(pogo_entries), 33)
self.assertEqual(pogo_entries[23].name, ".xdata$x")
self.assertEqual(pogo_entries[23].start_rva, 0x8200)
self.assertEqual(pogo_entries[23].size, 820)def test_winapp(self):
winapp = lief.parse(get_sample('PE/PE64_x86-64_binary_WinApp.exe'))
self.assertTrue(winapp.has_configuration)
lconf = winapp.load_configuration
self.assertEqual(lconf.version, lief.PE.WIN_VERSION.WIN10_0_15002)
self.assertEqual(lconf.characteristics, 0xF8)
self.assertEqual(lconf.timedatestamp, 0)
self.assertEqual(lconf.major_version, 0)
self.assertEqual(lconf.minor_version, 0)
self.assertEqual(lconf.global_flags_clear, 0)
self.assertEqual(lconf.global_flags_set, 0)
self.assertEqual(lconf.critical_section_default_timeout, 0)
self.assertEqual(lconf.decommit_free_block_threshold, 0)
self.assertEqual(lconf.decommit_total_free_threshold, 0)
self.assertEqual(lconf.lock_prefix_table, 0)
self.assertEqual(lconf.maximum_allocation_size, 0)
self.assertEqual(lconf.virtual_memory_threshold, 0)
self.assertEqual(lconf.process_affinity_mask, 0)
self.assertEqual(lconf.process_heap_flags, 0)
self.assertEqual(lconf.csd_version, 0)
self.assertEqual(lconf.reserved1, 0)def test(self, bytez):
for fe in self.raw_features:
print(fe.name)
v = fe(bytez)
assert len(v) == fe.dim, 'length of {} different than expecting!'
binary = lief.PE.parse(list(bytez))
for fe in self.parsed_features:
print(fe.name)
v = fe(binary)
assert len(v) == fe.dim, 'length of {} different than expecting!'print(format_str.format("Signature:", "".join(map(chr, header.signature))))
print(format_str.format("Machine:", str(header.machine)))
print(format_dec.format("Number of sections:", header.numberof_sections))
print(format_dec.format("Time Date stamp:", header.time_date_stamps))
print(format_dec.format("Pointer to symbols:", header.pointerto_symbol_table))
print(format_dec.format("Number of symbols:", header.numberof_symbols))
print(format_dec.format("Size of optional header:", header.sizeof_optional_header))
print(format_str.format("Characteristics:", char_str))
print("")
dll_char_str = " - ".join([str(chara).split(".")[-1] for chara in optional_header.dll_characteristics_lists])
subsystem_str = str(optional_header.subsystem).split(".")[-1]
print("== Optional Header ==")
magic = "PE32" if optional_header.magic == PE.PE_TYPE.PE32 else "PE64"
print(format_str.format("Magic:", magic))
print(format_dec.format("Major linker version:", optional_header.major_linker_version))
print(format_dec.format("Minor linker version:", optional_header.minor_linker_version))
print(format_dec.format("Size of code:", optional_header.sizeof_code))
print(format_dec.format("Size of initialized data:", optional_header.sizeof_initialized_data))
print(format_dec.format("Size of uninitialized data:", optional_header.sizeof_uninitialized_data))
print(format_hex.format("Entry point:", optional_header.addressof_entrypoint))
print(format_hex.format("Base of code:", optional_header.baseof_code))
if magic == "PE32":
print(format_hex.format("Base of data", optional_header.baseof_data))
print(format_hex.format("Image base:", optional_header.imagebase))
print(format_hex.format("Section alignment:", optional_header.section_alignment))
print(format_hex.format("File alignment:", optional_header.file_alignment))
print(format_dec.format("Major operating system version:", optional_header.major_operating_system_version))
print(format_dec.format("Minor operating system version:", optional_header.minor_operating_system_version))
print(format_dec.format("Major image version:", optional_header.major_image_version))def checkImphashes(self):
'''
Parses the xml/functions.xml file and checks the imphash of the binary
'''
imphash = lief.PE.get_imphash(self.peFile).lower()
root = ET.parse("xml/functions.xml").getroot()
for hash in root.find('imphashes').findall('imphash'):
if imphash == hash.text.lower():
print(constants.RED + "\tFound matching imphash (%s) for the file" % imphash + constants.RESET)print(format_hex.format("Hybrid metadata pointer:", config.hybrid_metadata_pointer))
if isinstance(config, lief.PE.LoadConfigurationV5):
print(format_hex.format("GRF failure routine:", config.guard_rf_failure_routine))
print(format_hex.format("GRF failure routine function pointer:", config.guard_rf_failure_routine_function_pointer))
print(format_hex.format("Dynamic value reloctable offset:", config.dynamic_value_reloctable_offset))
print(format_hex.format("Dynamic value reloctable section:", config.dynamic_value_reloctable_section))
if isinstance(config, lief.PE.LoadConfigurationV6):
print(format_hex.format("GRF verify stackpointer function pointer:", config.guard_rf_verify_stackpointer_function_pointer))
print(format_hex.format("Hotpatch table offset:", config.hotpatch_table_offset))
if isinstance(config, lief.PE.LoadConfigurationV7):
print(format_hex.format("Reserved 3:", config.reserved3))
print("")def _verify_pe(self):
expected_machine_type = {'x86': lief.PE.MACHINE_TYPES.I386,
'x86_64': lief.PE.MACHINE_TYPES.AMD64,
'armv6': lief.PE.MACHINE_TYPES.ARM,
'armv7': lief.PE.MACHINE_TYPES.ARM,
'armv7s': lief.PE.MACHINE_TYPES.ARM,
'armv7k': lief.PE.MACHINE_TYPES.ARM,
'armv7hf': lief.PE.MACHINE_TYPES.ARM,
'armv8': lief.PE.MACHINE_TYPES.ARM}.get(self._arch, None) # FIXME : ARM64
if self._binary.header.machine != expected_machine_type:
self._output.error('"%s" invalid machine type %s, expected %s'
% (self._filename, expected_machine_type, self._binary.header.machine))
if self._compiler == 'Visual Studio':
self._verify_runtime()
self._check_import("cygwin1.dll", self._subsystem == "cygwin")
self._check_import("msys-1.0.dll", self._subsystem == "msys")
self._check_import("msys-2.0.dll", self._subsystem == "msys2")print(format_hex.format(" " * 3 + "Catalog offset:", code_integrity.catalog_offset))
print(format_dec.format(" " * 3 + "Reserved:", code_integrity.reserved))
if isinstance(config, lief.PE.LoadConfigurationV3):
print(format_hex.format("Guard address taken iat entry table:", config.guard_address_taken_iat_entry_table))
print(format_hex.format("Guard address taken iat entry count:", config.guard_address_taken_iat_entry_count))
print(format_hex.format("Guard long jump target table:", config.guard_long_jump_target_table))
print(format_hex.format("Guard long jump target count:", config.guard_long_jump_target_count))
if isinstance(config, lief.PE.LoadConfigurationV4):
print(format_hex.format("Dynamic value relocation table:", config.dynamic_value_reloc_table))
print(format_hex.format("Hybrid metadata pointer:", config.hybrid_metadata_pointer))
if isinstance(config, lief.PE.LoadConfigurationV5):
print(format_hex.format("GRF failure routine:", config.guard_rf_failure_routine))
print(format_hex.format("GRF failure routine function pointer:", config.guard_rf_failure_routine_function_pointer))
print(format_hex.format("Dynamic value reloctable offset:", config.dynamic_value_reloctable_offset))
print(format_hex.format("Dynamic value reloctable section:", config.dynamic_value_reloctable_section))
if isinstance(config, lief.PE.LoadConfigurationV6):
print(format_hex.format("GRF verify stackpointer function pointer:", config.guard_rf_verify_stackpointer_function_pointer))
print(format_hex.format("Hotpatch table offset:", config.hotpatch_table_offset))
if isinstance(config, lief.PE.LoadConfigurationV7):
print(format_hex.format("Reserved 3:", config.reserved3))
print("")def dololi(arch, conf, out_file_name):
code_rva = int(conf["DEFAULT"].get("CODE_RVA"))
data_rva = int(conf["DEFAULT"].get("DATA_RVA"))
pe_type = get_pe_type(arch)
is_64bits = is_64_bits(pe_type)
pe_loader = lief.PE.Binary("dololi", pe_type)
code_cnt,\
reg_size,\
pack_fmt = ([], 8, "
Popular lief functions
- lief.ELF
- lief.ELF.ARCH
- lief.ELF.DYNAMIC_TAGS
- lief.ELF.MIPS_EFLAGS
- lief.ELF.OS_ABI
- lief.ELF.parse
- lief.ELF.SECTION_TYPES
- lief.ELF.SEGMENT_TYPES
- lief.Logger.set_level
- lief.MachO
- lief.MachO.LOAD_COMMAND_TYPES
- lief.MachO.SECTION_TYPES
- lief.parse
- lief.PE
- lief.PE.Builder
- lief.PE.parse
- lief.PE.RESOURCE_LANGS
- lief.PE.RESOURCE_SUBLANGS
- lief.PE.RESOURCE_TYPES
- lief.PE.Section