COFF#

Basic MS COFF object loader based on https://docs.microsoft.com/en-us/windows/win32/debug/pe-format

class cle.backends.coff.IMAGE_FILE_MACHINE[source]#

Bases: IntEnum

Machine Types (the values below are shown in decimal; in hexadecimal, I386 = 0x14c and AMD64 = 0x8664)

I386 = 332#
AMD64 = 34404#
class cle.backends.coff.CoffFileHeader[source]#

Bases: Structure

COFF File Header

Characteristics#

Structure/Union member

Machine#

Structure/Union member

NumberOfSections#

Structure/Union member

NumberOfSymbols#

Structure/Union member

PointerToSymbolTable#

Structure/Union member

SizeOfOptionalHeader#

Structure/Union member

TimeDateStamp#

Structure/Union member

class cle.backends.coff.IMAGE_SCN[source]#

Bases: IntFlag

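Section Flags (Characteristics field). The values below are shown in decimal; in hexadecimal, MEM_EXECUTE = 0x20000000, MEM_READ = 0x40000000, MEM_WRITE = 0x80000000 and CNT_UNINITIALIZED_DATA = 0x80.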

MEM_EXECUTE = 536870912#
MEM_READ = 1073741824#
MEM_WRITE = 2147483648#
CNT_UNINITIALIZED_DATA = 128#
class cle.backends.coff.CoffSectionTableEntry[source]#

Bases: Structure

COFF Section Header

Characteristics#

Structure/Union member

Name#

Structure/Union member

NumberOfLinenumbers#

Structure/Union member

NumberOfRelocations#

Structure/Union member

PointerToLinenumbers#

Structure/Union member

PointerToRawData#

Structure/Union member

PointerToRelocations#

Structure/Union member

SizeOfRawData#

Structure/Union member

VirtualAddress#

Structure/Union member

VirtualSize#

Structure/Union member

class cle.backends.coff.IMAGE_SYM_CLASS[source]#

Bases: IntEnum

Symbol Storage Class

EXTERNAL = 2#
STATIC = 3#
LABEL = 6#
FUNCTION = 101#
class cle.backends.coff.CoffSymbolTableEntry[source]#

Bases: Structure

COFF Symbol Table Entry

Name#

Structure/Union member

NumberOfAuxSymbols#

Structure/Union member

SectionNumber#

Structure/Union member

StorageClass#

Structure/Union member

Type#

Structure/Union member

Value#

Structure/Union member

class cle.backends.coff.IMAGE_REL_I386[source]#

Bases: IntEnum

i386 Relocation Types

DIR32 = 6#
DIR32NB = 7#
REL32 = 20#
SECTION = 10#
SECREL = 11#
class cle.backends.coff.IMAGE_REL_AMD64[source]#

Bases: IntEnum

AMD64 Relocation Types

ADDR64 = 1#
ADDR32NB = 3#
REL32 = 4#
SECTION = 10#
SECREL = 11#
class cle.backends.coff.CoffRelocationTableEntry[source]#

Bases: Structure

COFF Relocations

SymbolTableIndex#

Structure/Union member

Type#

Structure/Union member

VirtualAddress#

Structure/Union member

class cle.backends.coff.CoffParser[source]#

Bases: object

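Parses COFF object files from the raw bytes passed as data. The counts and file offsets in the header and section table (for example NumberOfSections, PointerToSymbolTable and PointerToRawData) are taken from the file itself, so they are attacker-controlled when the object file is untrusted.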

header: CoffFileHeader#
sections: List[CoffSectionTableEntry]#
relocations: List[List[CoffRelocationTableEntry]]#
symbols: List[CoffSymbolTableEntry]#
idx_to_symbol_name: Dict[int, str]#
symbol_name_to_idx: Dict[str, int]#
__init__(data: bytes)[source]#
Parameters:

data (bytes) –

data: bytes#
get_symbol_name(symbol_idx: int, true_name: bool = False) str[source]#
Return type:

str

Parameters:
  • symbol_idx (int) –

  • true_name (bool) –

get_section_name(section_idx: int) str[source]#
Return type:

str

Parameters:

section_idx (int) –

class cle.backends.coff.CoffSection[source]#

Bases: Section

Section of the COFF object.

__init__(name: str, file_offset: int, file_size: int, virtual_addr: int, virtual_size: int, coff_sec: CoffSectionTableEntry)[source]#
Parameters:
  • name (str) – The name of the section

  • offset (int) – The offset into the binary file this section begins

  • vaddr (int) – The address in virtual memory this section begins

  • size (int) – How large this section is

  • file_offset (int) –

  • file_size (int) –

  • virtual_addr (int) –

  • virtual_size (int) –

  • coff_sec (CoffSectionTableEntry) –

filesize: int#
property is_readable#

Whether this section has read permissions

property is_writable#

Whether this section has write permissions

property is_executable#

Whether this section has execute permissions

property only_contains_uninitialized_data#

Whether this section is initialized to zero after the executable is loaded.

vaddr: int#
memsize: int#
class cle.backends.coff.CoffRelocation[source]#

Bases: Relocation

Relocation for a COFF object.

relocate()[source]#

Applies this relocation. Will make changes to the memory object of the object it came from.

This implementation is a generic version that can be overridden in subclasses.

class cle.backends.coff.CoffRelocationREL32[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_*_REL32

property value#
class cle.backends.coff.CoffRelocationDIR32[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_*_DIR32

property value#
class cle.backends.coff.CoffRelocationDIR32NB[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_*_DIR32NB

property value#
class cle.backends.coff.CoffRelocationADDR32NB[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_AMD64_ADDR32NB

property value#
class cle.backends.coff.CoffRelocationADDR64[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_AMD64_ADDR64

property value#
class cle.backends.coff.CoffRelocationSECTION[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_*_SECTION

property value#
class cle.backends.coff.CoffRelocationSECREL[source]#

Bases: CoffRelocation

Relocation for IMAGE_REL_*_SECREL

property value#
class cle.backends.coff.Coff[source]#

Bases: Backend

COFF object loader.

is_default = True#
__init__(*args, **kwargs)[source]#
Parameters:
  • binary – The path to the binary to load

  • binary_stream – The open stream to this binary. The reference to this will be held until you call close.

  • is_main_bin – Whether this binary should be loaded as the main executable

static is_compatible(stream)[source]#

Determine quickly whether this backend can load an object from this stream

imports: typing.Dict[str, 'Relocation']#
relocs: List[Relocation]#
child_objects: List['Backend']#
exception_handlings: List[ExceptionHandling]#
function_hints: List[FunctionHint]#
memory: Clemory#
cached_content: Optional[bytes]#
get_symbol(name: str, produce_extern_symbols: bool = False) Symbol | None[source]#

Stub function. Implement to find the symbol with the given name.

Return type:

Optional[Symbol]

Parameters:
  • name (str) –

  • produce_extern_symbols (bool) –