PE

class cle.backends.PE

Bases: Backend

Representation of a PE (i.e. Windows) binary.

is_default = True

__init__(*args, **kwargs)

Parameters:

• binary – The path to the binary to load

• binary_stream – The open stream to this binary. The reference to this will be held until you call close.

• is_main_bin – Whether this binary should be loaded as the main executable

property segments: Regions[Segment]

static is_compatible(stream)

Determine quickly whether this backend can load an object from this stream

classmethod check_magic_compatibility(stream)

Check if a stream of bytes contains the same magic number as the main object

classmethod check_compatibility(spec, obj)

Performs a minimal static load of spec and returns whether it’s compatible with other_obj

close()

get_symbol(name)

Look up the symbol with the given name. Symbols can be looked up by ordinal with the name "ordinal.%d" % num

addr_to_offset(addr: int) → int | None

Return type:

Optional[int]

Parameters:

addr (int) –

property arch: Arch

contains_addr(addr)

Is addr in one of the binary’s segments/sections we have loaded? (i.e. is it mapped into memory ?)

property entry

static extract_soname(path) → str | None

Extracts the shared object identifier from the path, or returns None if it cannot.

Return type:

Optional[str]

property finalizers: List[int]

Stub function. Like initializers, but with finalizers.

find_loadable_containing(addr)

find_section_containing(addr: int) → cle.backends.region.Section | None

Returns the section that contains addr or None.

Return type:

Optional[Section]

Parameters:

addr (int) –

find_segment_containing(addr: int) → cle.backends.region.Segment | None

Returns the segment that contains addr, or None.

Return type:

Optional[Segment]

Parameters:

addr (int) –

property image_base_delta

initial_register_values()

Deprecated

property initializers: List[int]

Stub function. Should be overridden by backends that can provide initializer functions that ought to be run before execution reaches the entry point. Addresses should be rebased.

property loader: Loader

property max_addr: int

This returns the highest virtual address contained in any loaded segment of the binary.

property min_addr: int

This returns the lowest virtual address contained in any loaded segment of the binary.

offset_to_addr(offset: int) → int | None

Return type:

Optional[int]

Parameters:

offset (int) –

rebase(new_base)

Rebase backend’s regions to the new base where they were mapped by the loader

relocate()

Apply all resolved relocations to memory.

The meaning of “resolved relocations” is somewhat subtle - there is a linking step which attempts to resolve each relocation, currently only present in the main internal loading function since the calculation of which objects should be available

property sections: Regions[Section]

set_arch(arch)

property symbols_by_addr

thread_registers(thread=None) → Dict[str, Any]

If this backend represents a dump of a running program, it may contain one or more thread contexts, i.e. register files. This method should return the register file for a given thread (as named in Backend.threads) as a dict mapping register names (as seen in archinfo) to numbers. If the thread is not specified, it should return the context for a “default” thread. If there are no threads, it should return an empty dict.

Return type:

Dict[str, Any]

property threads: List

If this backend represents a dump of a running program, it may contain one or more thread contexts, i.e. register files. This property should contain a list of names for these threads, which should be unique.

symbols: List[Symbol]

imports: typing.Dict[str, 'Relocation']

relocs: List[Relocation]

child_objects: List['Backend']

exception_handlings: List[ExceptionHandling]

function_hints: List[FunctionHint]

memory: Clemory

class cle.backends.pe.regions.PESection

Bases: Section

Represents a section for the PE format.

__init__(pe_section, remap_offset=0)

Parameters:

• name (str) – The name of the section

• offset (int) – The offset into the binary file this section begins

• vaddr (int) – The address in virtual memory this section begins

• size (int) – How large this section is

filesize: int

property is_readable

Whether this section has read permissions

property is_writable

Whether this section has write permissions

property is_executable

Whether this section has execute permissions

property only_contains_uninitialized_data

Whether this section is initialized to zero after the executable is loaded.

addr_to_offset(addr)

Convert a virtual memory address into a file offset

contains_addr(addr)

Does this region contain this virtual address?

contains_offset(offset)

Does this region contain this offset into the file?

property max_addr

The maximum virtual address of this region

property max_offset

The maximum file offset of this region

property min_addr

The minimum virtual address of this region

min_offset()

The minimum file offset of this region

offset_to_addr(offset)

Convert a file offset into a virtual memory address

vaddr: int

memsize: int

class cle.backends.pe.symbol.WinSymbol

Bases: Symbol

Represents a symbol for the PE format.

__init__(owner, name, addr, is_import, is_export, ordinal_number, forwarder)

Not documenting this since if you try calling it, you’re wrong.

is_import = False

is_export = False

is_forward = False

resolve_forwarder()

If this symbol is a forwarding export, return the symbol the forwarding refers to, or None if it cannot be found

is_common = False

is_extern = False

property is_function

Whether this symbol is a function

is_local = False

is_static = False

is_weak = False

property linked_addr

property owner_obj

property rebased_addr

The address of this symbol in the global memory space

resolve(obj)

property subtype: SymbolSubType

A subclass’ ABI-specific types

property type: SymbolType

The ABI-agnostic SymbolType. Must be overridden by derived types.

owner: Backend