lief-project / lief Goto Github PK

I'm not sure I'm doing it right, but accessing the file information of a PE is a bit difficult:

pe = lief.parse("./2805/f325970fd24bb088f1befdae5788152329e26bf3")
string_info = lief.to_json(pe.resources_manager.version.string_file_info.langcode_items[0])
# and then, json.loads, and so on 

It would be very nice to be able to access all the data as a collections.abc.MutableMapping so we could read and write the attributes directly in a pythonic way.

I may be doing it wrong ;)

PEs without ResourcesManager will segfault:

In [1]: import lief                                                                                                                                 
                                                                                                                                                    
In [2]: a = lief.parse("/home/raphael/.viper/projects/troopers17/vt_samples/2122/1a09ce8a9210d2530d6ce1d59bfae2ac617ac89558cdcdcac15392d176e70c8d") 
                                                                                                                                                    
In [3]: a.resources_manager                                                                                                                         
Out[3]: <lief.PE.ResourcesManager at 0x7f4bf090c5a0>                                                                                                
                                                                                                                                                    
In [4]: a.resources_manager.<TAB>Segmentation fault (core dumped)                                                                                        

Printing/to_json also fails

Many thanks for your useful project. I have a question.

I am testing 'add_new_section' example(c++) included in LIEF0.7.0, and it works well for ELF AMD 64bit Binary. But not for ELF AMD 32bit Binary or ELF ARM 32/64bit Binary.

When I add a section to the executable file(ELF ARM 32bit) with 'add_new_section' and then run it, the following error message occurs.

CANNOT LINK EXECUTABLE: empty/missing DT_HASH in "./addsection_call_arm_a" (built with —hash-style=gnu?)

I want to add a new section to the 'ELF ARM 32bit Binary' and i hope it operates normally.
I think LIEF::ELF::BINARY::add_section() seems to have a problem, please check it.

Thank you.

hi, thank you for this lib, there is support for adding and changing resources? can you consider adding some example?

Hi,

I've encountered a small issue trying to edit the source code in visual studio.
Currently the generated solution doesn't group the source files under filters.
Also the header files are put under the "External Dependencies" section.
Here is an example of the currently generated tree:

But I think it would be better, for example to have something like this:

Thanks

Binaries with empty or unprintable section names raise a UnicodeDecodeError:

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte

Examples:
https://github.com/viper-framework/pefile-tests/blob/master/tests/corkami/pocs/maxsecXP.exe
https://github.com/viper-framework/pefile-tests/blob/master/tests/corkami/pocs/maxvals.exe

The recommended fix is to use backslashreplace when decoding: https://docs.python.org/3/library/codecs.html#error-handlers

Some parameters (like “${CMAKE_CURRENT_LIST_DIR}/utils.cpp” and “${SOURCE_DIR}/src”) are passed to CMake commands in your build scripts without enclosing them by quotation marks. I see that these places will result in build difficulties if the contents of the used variables will contain special characters like semicolons.

I would recommend to apply advices from a wiki article.

LIEF.h no where to be seen in the repo.

Both following samples are using 8G+ of ram (and OOM killer steps in ;) ):
https://github.com/viper-framework/pefile-tests/blob/master/tests/corkami/pocs/65535sects.exe
https://github.com/viper-framework/pefile-tests/blob/master/tests/corkami/pocs/manyimportsW7.exe

The binaries are definitely crafted, but you probably want to handle such cases too.

Hi,

LIEF (Python interface) is blocked on many binaries during calling parse method and produce the following messages:
Unable to find the section associated with CERTIFICATE_TABLE
Unable to find the section associated with BASE_RELOCATION_TABLE

Sample:451774a07ed807c10a67f68201540928f8cba9c4a620f5fe1062ba2da56eb552

Then the process finishes after blocking for a few minutes:
"Process finished with exit code 137"

Debugging is not also possible.

Would you please let me know how I can fix it? Thanks!!

Many thanks for the library. I am now testing LIEF with the following piece of code

#include <LIEF/LIEF.h>
int main() {
  return 0;
}

gcc -c test_lief.c

but receive errors because the redefinition of enum types SECTION_TYPES, SECTION_FLAGS,... which are defined both in ELF/enums.h and MachO/enums.h.

Some structures and enums that are used by the public api aren't public, such as LIEF::ELF::SECTION_FLAGS which can be used with LIEF::ELF::Section::has_flag.

if I add the following include to my file the error goes away but this is less than ideal.

this problem seems to affect all three file formats from what I can tell. It's worth noting that this may just be a problem with my project however.

We should add the binary's endiness in the abstract layer as well as bitness (32 bits, 64 bits)

With the triton project, we used to have our own Elf parser.
As LIEF looks to be a good replacement for any file parsing, I tried to use lief instead of our own Parser but I had an issue with :
https://github.com/JonathanSalwan/Triton/blob/master/src/examples/python/ctf-writeups/hackover-ctf-2015-r150/rvs

Lief report this binary as corrupted (symboles not found) while we were able to parse and get symboles with out own parser. I have no idea of this issue as I don't know the Elf format but may be you can help us on it?

• http://www.ntcore.com/files/richsign.htm
• http://bytepointer.com/articles/the_microsoft_rich_header.htm

In order to use in an Xcode project - developer expects library to be packaged up into a framework bundle.
Especially something like the LIEF library, which comes with many header files and is written in c++.
I have found it very difficult to do it by just dropping the header files and .a file into my project, had to give up - due to the include search paths issue.

Couple things.
There are many header files existing in this project with the same name.
#include <> vs #include "" when you use it inside your own project.
Logging++ was missing

When I generated Xcode project using cmake, it included stripts trying to self-update using git. Not something you expect to happen in a building environment .

This is my main.cpp (no errors; so I assume it's not the source):

#include <iostream>
#include <LIEF/LIEF.hpp>

int main(int argc, const char** argv) {
	LIEF::PE::Binary* openedExe = LIEF::PE::Parser::parse("C:\\Windows\\explorer.exe");
	std::cout << *openedExe << std::endl;
	delete openedExe;
}

These are the error codes; MSDN didn't really provide potencial fixes.
Note: I translated the error messages manually, so they might not be a 1:1 translation.
They appear 7 times each, all in "iterators.hpp"

./include/LIEF/iterators.hpp(125): error C2065: "not": undeclared identifier
./include/LIEF/iterators.hpp(228): note: See reference to class Template instantiation "LIEF::ref_iterator", that is compiled.
./include/LIEF/iterators.hpp(125): error C2059: Syntax error: "std::is_pointer<_Uty>::value"
./include/LIEF/iterators.hpp(125): error C2975: "_Test": Invalid Templete argument for "std::enable_if", constant compile time expression expected.
./include/xtr1common(56): note: See declaration of "_Test"

I'm not sure it is something you want to do in lief directly, but it would be nice to compute the imhash for the PEs.

There is a sample code here: https://github.com/erocarrera/pefile/blob/8d60469de3b70109ac603c68c48fb3e7b84261e8/pefile.py#L3747

Does this library support CentOS? I've gotten the prebuilt packages to work without issue on OSX and Ubuntu but am having trouble getting them to work on CentOS 6 and 7. I get this error when trying to import from python:

ImportError: /lib64/libstdc++.so.6: version 'GLIBCXX_3.4.20' not found (required by ./lief.so)

I also had issues building from source on centos as it ships with gcc 4.8 and there are build dependencies for LIEF that rely on gcc 4.9. After compiling and building gcc 4.9.2 I was able to build LIEF successfully from source but I still get the issue noted above. Running ldd on lief.so I get the same error.

Any insights?

Thanks!

~Brian

Hi,

I forget to say it before but downloading the tgz file for python 2.7 (at least) and using python setup.py install do not work. I have to move lief.so by hand in the correct directory.

Some projects don't need the json api. Could be nice to have a cmake option such as:

$ cmake -DLIEF_JSON=off/on 

It would be very useful to be able to pass a bytestream (BytesIO) instead of a path to the lief.parse function.

Hi,
Thanks for making this available. Any chance to have Ruby API?

LIEF fails to parse resources on this this sample:
https://virustotal.com/en/file/60d15b094219e72a52012c246b9e7d72272003970dcb01742f152d4b1865a7d3/analysis/

Writing a simple script using python to list the exports and I get this error when dumping kernl32.dll exports:
UnicodeDecodeError: 'utf8' codec can't decode byte 0xba in position 0: invalid start byte

this occurs when using either the list from binary.exported_functions or the binary.get_export()/export.entries combination.

I tried adding a string.encode('utf-8') but that doesnt work. Not sure how these strings are being encoded for python.

Actually for FAT Mach-Ovirtual_address_to_offset return a relative offset of the current binary.
It could be useful to have the absolute one within the FAT binary

I got this error probably due to using ucs4 as default unicode encoding while compiling lief.so

`pip install osx_lief-0.6.0_py2.7.tar.gz

import lief
Traceback (most recent call last):
File "", line 1, in
ImportError: dlopen(/usr/local/lib/python2.7/site-packages/lief.so, 2): Symbol not found: _PyUnicodeUCS4_AsUTF8String
Referenced from: /usr/local/lib/python2.7/site-packages/lief.so
Expected in: flat namespace
in /usr/local/lib/python2.7/site-packages/lief.so`

Hello,
I tried installing the Python package on macOS 10.12.5, but got an error:

$ pip --version
pip 9.0.1 from /Library/Python/2.7/site-packages (python 2.7)

$ pip install osx_lief-0.6.1_py2.7.tar.gz
Processing ./osx_lief-0.6.1_py2.7.tar.gz
Building wheels for collected packages: lief
  Running setup.py bdist_wheel for lief ... error
  Complete output from command /usr/bin/python -u -c "import setuptools, tokenize;__file__='/private/var/folders/5z/wl83cz4x2blcfrfcw9s82cfr0000gn/T/pip-cKrzdw-build/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" bdist_wheel -d /var/folders/5z/wl83cz4x2blcfrfcw9s82cfr0000gn/T/tmpqQbF4jpip-wheel- --python-tag cp27:
  WARNING: '' not a valid package name; please use only.-separated package names in setup.py
  running bdist_wheel
  running build
  running build_py
  creating build
  creating build/lib
  copying __init__.py -> build/lib
  copying setup.py -> build/lib
  error: can't copy 'ief.so': doesn't exist or not a regular file

  ----------------------------------------
  Failed building wheel for lief

Am I doing something wrong? The lief.so file in the package does work fine when imported in Python.
Thanks!

LIEF fails to parse some PE signatures.

In the PE API, get_content_from_virtual_address takes a relative virtual address.

I was trying out the python2 version and print (binary) doesn't work due to ASCII encoding issues.
Seems like

import sys
reload(sys)
sys.setdefaultencoding('utf8')

can solve this (at least for me on MacOS X). Thus I opened a issue here so fellow users might find this useful

maybe it's better to add this to README (or python code) to warn py2 users?

Hey,

lief::ELF::Section::content and lief::ELF::Section::data are cool but return a list. Is it possible to get something like lief::ELF::Section::raw which returns raw bytes? Same with segments.

Binaries are available here: https://github.com/radare/radare2-regressions/tree/master/bins