How to use the lief.PE function in lief

To help you get started, we’ve selected a few lief examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github lief-project / LIEF / tests / pe / test_pe.py View on Github external
def test_pgo(self):
        path   = get_sample("PE/PE32_x86_binary_PGO-LTCG.exe")
        sample = lief.parse(path)

        debugs = sample.debug
        self.assertEqual(len(debugs), 3)

        debug_entry = debugs[2]

        self.assertTrue(debug_entry.has_pogo)
        pogo = debug_entry.pogo
        self.assertEqual(pogo.signature, lief.PE.POGO_SIGNATURES.LCTG)

        pogo_entries = pogo.entries
        self.assertEqual(len(pogo_entries), 33)

        self.assertEqual(pogo_entries[23].name,      ".xdata$x")
        self.assertEqual(pogo_entries[23].start_rva, 0x8200)
        self.assertEqual(pogo_entries[23].size,      820)
github lief-project / LIEF / tests / pe / test_loadconfig.py View on Github external
def test_winapp(self):
        winapp = lief.parse(get_sample('PE/PE64_x86-64_binary_WinApp.exe'))
        self.assertTrue(winapp.has_configuration)

        lconf = winapp.load_configuration

        self.assertEqual(lconf.version, lief.PE.WIN_VERSION.WIN10_0_15002)
        self.assertEqual(lconf.characteristics, 0xF8)
        self.assertEqual(lconf.timedatestamp, 0)
        self.assertEqual(lconf.major_version, 0)
        self.assertEqual(lconf.minor_version, 0)
        self.assertEqual(lconf.global_flags_clear, 0)
        self.assertEqual(lconf.global_flags_set, 0)
        self.assertEqual(lconf.critical_section_default_timeout, 0)
        self.assertEqual(lconf.decommit_free_block_threshold, 0)
        self.assertEqual(lconf.decommit_total_free_threshold, 0)
        self.assertEqual(lconf.lock_prefix_table, 0)
        self.assertEqual(lconf.maximum_allocation_size, 0)
        self.assertEqual(lconf.virtual_memory_threshold, 0)
        self.assertEqual(lconf.process_affinity_mask, 0)
        self.assertEqual(lconf.process_heap_flags, 0)
        self.assertEqual(lconf.csd_version, 0)
        self.assertEqual(lconf.reserved1, 0)
github endgameinc / gym-malware / gym_malware / envs / utils / pefeatures.py View on Github external
def test(self, bytez):
        for fe in self.raw_features:
            print(fe.name)
            v = fe(bytez)
            assert len(v) == fe.dim, 'length of {} different than expecting!'

        binary = lief.PE.parse(list(bytez))
        for fe in self.parsed_features:
            print(fe.name)
            v = fe(binary)
            assert len(v) == fe.dim, 'length of {} different than expecting!'
github lief-project / LIEF / examples / python / pe_reader.py View on Github external
print(format_str.format("Signature:",               "".join(map(chr, header.signature))))
    print(format_str.format("Machine:",                 str(header.machine)))
    print(format_dec.format("Number of sections:",      header.numberof_sections))
    print(format_dec.format("Time Date stamp:",         header.time_date_stamps))
    print(format_dec.format("Pointer to symbols:",      header.pointerto_symbol_table))
    print(format_dec.format("Number of symbols:",       header.numberof_symbols))
    print(format_dec.format("Size of optional header:", header.sizeof_optional_header))
    print(format_str.format("Characteristics:",         char_str))
    print("")


    dll_char_str = " - ".join([str(chara).split(".")[-1] for chara in optional_header.dll_characteristics_lists])
    subsystem_str = str(optional_header.subsystem).split(".")[-1]
    print("== Optional Header ==")
    magic = "PE32" if optional_header.magic == PE.PE_TYPE.PE32 else "PE64"
    print(format_str.format("Magic:", magic))
    print(format_dec.format("Major linker version:",           optional_header.major_linker_version))
    print(format_dec.format("Minor linker version:",           optional_header.minor_linker_version))
    print(format_dec.format("Size of code:",                   optional_header.sizeof_code))
    print(format_dec.format("Size of initialized data:",       optional_header.sizeof_initialized_data))
    print(format_dec.format("Size of uninitialized data:",     optional_header.sizeof_uninitialized_data))
    print(format_hex.format("Entry point:",                    optional_header.addressof_entrypoint))
    print(format_hex.format("Base of code:",                   optional_header.baseof_code))
    if magic == "PE32":
        print(format_hex.format("Base of data",                optional_header.baseof_data))
    print(format_hex.format("Image base:",                     optional_header.imagebase))
    print(format_hex.format("Section alignment:",              optional_header.section_alignment))
    print(format_hex.format("File alignment:",                 optional_header.file_alignment))
    print(format_dec.format("Major operating system version:", optional_header.major_operating_system_version))
    print(format_dec.format("Minor operating system version:", optional_header.minor_operating_system_version))
    print(format_dec.format("Major image version:",            optional_header.major_image_version))
github KuechA / pestudio-cli / PeAnalyzer.py View on Github external
def checkImphashes(self):
		'''
		Parses the xml/functions.xml file and checks the imphash of the binary
		'''
		imphash = lief.PE.get_imphash(self.peFile).lower()
		root = ET.parse("xml/functions.xml").getroot()
		for hash in root.find('imphashes').findall('imphash'):
			if imphash == hash.text.lower():
				print(constants.RED + "\tFound matching imphash (%s) for the file" % imphash + constants.RESET)
github lief-project / LIEF / examples / python / pe_reader.py View on Github external
print(format_hex.format("Hybrid metadata pointer:",        config.hybrid_metadata_pointer))


    if isinstance(config, lief.PE.LoadConfigurationV5):
        print(format_hex.format("GRF failure routine:",                  config.guard_rf_failure_routine))
        print(format_hex.format("GRF failure routine function pointer:", config.guard_rf_failure_routine_function_pointer))
        print(format_hex.format("Dynamic value reloctable offset:",      config.dynamic_value_reloctable_offset))
        print(format_hex.format("Dynamic value reloctable section:",     config.dynamic_value_reloctable_section))


    if isinstance(config, lief.PE.LoadConfigurationV6):
        print(format_hex.format("GRF verify stackpointer function pointer:", config.guard_rf_verify_stackpointer_function_pointer))
        print(format_hex.format("Hotpatch table offset:",                    config.hotpatch_table_offset))


    if isinstance(config, lief.PE.LoadConfigurationV7):
        print(format_hex.format("Reserved 3:", config.reserved3))

    print("")
github conan-io / hooks / hooks / binary_linter.py View on Github external
def _verify_pe(self):
        expected_machine_type = {'x86': lief.PE.MACHINE_TYPES.I386,
                                 'x86_64': lief.PE.MACHINE_TYPES.AMD64,
                                 'armv6': lief.PE.MACHINE_TYPES.ARM,
                                 'armv7': lief.PE.MACHINE_TYPES.ARM,
                                 'armv7s': lief.PE.MACHINE_TYPES.ARM,
                                 'armv7k': lief.PE.MACHINE_TYPES.ARM,
                                 'armv7hf': lief.PE.MACHINE_TYPES.ARM,
                                 'armv8': lief.PE.MACHINE_TYPES.ARM}.get(self._arch, None)  # FIXME : ARM64

        if self._binary.header.machine != expected_machine_type:
            self._output.error('"%s" invalid machine type %s, expected %s'
                               % (self._filename, expected_machine_type, self._binary.header.machine))

        if self._compiler == 'Visual Studio':
            self._verify_runtime()
        self._check_import("cygwin1.dll", self._subsystem == "cygwin")
        self._check_import("msys-1.0.dll", self._subsystem == "msys")
        self._check_import("msys-2.0.dll", self._subsystem == "msys2")
github lief-project / LIEF / examples / python / pe_reader.py View on Github external
print(format_hex.format(" " * 3 + "Catalog offset:", code_integrity.catalog_offset))
        print(format_dec.format(" " * 3 + "Reserved:",       code_integrity.reserved))

    if isinstance(config, lief.PE.LoadConfigurationV3):
        print(format_hex.format("Guard address taken iat entry table:", config.guard_address_taken_iat_entry_table))
        print(format_hex.format("Guard address taken iat entry count:", config.guard_address_taken_iat_entry_count))
        print(format_hex.format("Guard long jump target table:",        config.guard_long_jump_target_table))
        print(format_hex.format("Guard long jump target count:",        config.guard_long_jump_target_count))


    if isinstance(config, lief.PE.LoadConfigurationV4):
        print(format_hex.format("Dynamic value relocation table:", config.dynamic_value_reloc_table))
        print(format_hex.format("Hybrid metadata pointer:",        config.hybrid_metadata_pointer))


    if isinstance(config, lief.PE.LoadConfigurationV5):
        print(format_hex.format("GRF failure routine:",                  config.guard_rf_failure_routine))
        print(format_hex.format("GRF failure routine function pointer:", config.guard_rf_failure_routine_function_pointer))
        print(format_hex.format("Dynamic value reloctable offset:",      config.dynamic_value_reloctable_offset))
        print(format_hex.format("Dynamic value reloctable section:",     config.dynamic_value_reloctable_section))


    if isinstance(config, lief.PE.LoadConfigurationV6):
        print(format_hex.format("GRF verify stackpointer function pointer:", config.guard_rf_verify_stackpointer_function_pointer))
        print(format_hex.format("Hotpatch table offset:",                    config.hotpatch_table_offset))


    if isinstance(config, lief.PE.LoadConfigurationV7):
        print(format_hex.format("Reserved 3:", config.reserved3))

    print("")
github 0xcpu / RElieve / dololi / dololi.py View on Github external
def dololi(arch, conf, out_file_name):    
    code_rva  = int(conf["DEFAULT"].get("CODE_RVA"))
    data_rva  = int(conf["DEFAULT"].get("DATA_RVA"))
    pe_type   = get_pe_type(arch)
    is_64bits = is_64_bits(pe_type)
    pe_loader = lief.PE.Binary("dololi", pe_type)
    code_cnt,\
    reg_size,\
    pack_fmt = ([], 8, "