COFF¶

Basic MS COFF object loader based on https://docs.microsoft.com/en-us/windows/win32/debug/pe-format

class cle.backends.coff.IMAGE_FILE_MACHINE[source]¶

Bases: IntEnum

Machine Types

I386 = 332¶

AMD64 = 34404¶

__new__(value)¶

class cle.backends.coff.CoffFileHeader[source]¶

Bases: Structure

COFF File Header

Characteristics¶: Structure/Union member

Machine¶: Structure/Union member

NumberOfSections¶: Structure/Union member

NumberOfSymbols¶: Structure/Union member

PointerToSymbolTable¶: Structure/Union member

SizeOfOptionalHeader¶: Structure/Union member

TimeDateStamp¶: Structure/Union member

class cle.backends.coff.IMAGE_SCN[source]¶

Bases: IntFlag

Section Flags (Characteristics field)

MEM_EXECUTE = 536870912¶

MEM_READ = 1073741824¶

MEM_WRITE = 2147483648¶

CNT_UNINITIALIZED_DATA = 128¶

__new__(value)¶

class cle.backends.coff.CoffSectionTableEntry[source]¶

Bases: Structure

COFF Section Header

Characteristics¶: Structure/Union member

Name¶: Structure/Union member

NumberOfLinenumbers¶: Structure/Union member

NumberOfRelocations¶: Structure/Union member

PointerToLinenumbers¶: Structure/Union member

PointerToRawData¶: Structure/Union member

PointerToRelocations¶: Structure/Union member

SizeOfRawData¶: Structure/Union member

VirtualAddress¶: Structure/Union member

VirtualSize¶: Structure/Union member

class cle.backends.coff.IMAGE_SYM_CLASS[source]¶

Bases: IntEnum

Symbol Storage Class

EXTERNAL = 2¶

STATIC = 3¶

LABEL = 6¶

FUNCTION = 101¶

__new__(value)¶

class cle.backends.coff.CoffSymbolTableEntry[source]¶

Bases: Structure

COFF Symbol Table Entry

Name¶: Structure/Union member

NumberOfAuxSymbols¶: Structure/Union member

SectionNumber¶: Structure/Union member

StorageClass¶: Structure/Union member

Type¶: Structure/Union member

Value¶: Structure/Union member

class cle.backends.coff.IMAGE_REL_I386[source]¶

Bases: IntEnum

i386 Relocation Types

DIR32 = 6¶

DIR32NB = 7¶

REL32 = 20¶

SECTION = 10¶

SECREL = 11¶

__new__(value)¶

class cle.backends.coff.IMAGE_REL_AMD64[source]¶

Bases: IntEnum

AMD64 Relocation Types

ADDR64 = 1¶

ADDR32NB = 3¶

REL32 = 4¶

SECTION = 10¶

SECREL = 11¶

__new__(value)¶

class cle.backends.coff.CoffRelocationTableEntry[source]¶

Bases: Structure

COFF Relocations

SymbolTableIndex¶: Structure/Union member

Type¶: Structure/Union member

VirtualAddress¶: Structure/Union member

class cle.backends.coff.CoffParser[source]¶

Bases: object

Parses COFF object files.

header: CoffFileHeader¶

sections: list[CoffSectionTableEntry]¶

relocations: list[list[CoffRelocationTableEntry]]¶

symbols: list[CoffSymbolTableEntry]¶

idx_to_symbol_name: dict[int, str]¶

symbol_name_to_idx: dict[str, int]¶

__init__(data: bytes)[source]¶

Parameters:: data (bytes)

data: bytes¶

get_symbol_name(symbol_idx: int, true_name: bool = False) → str[source]¶

Return type:

str

Parameters:

symbol_idx (int)
true_name (bool)

get_section_name(section_idx: int) → str[source]¶

Return type:: str
Parameters:: section_idx (int)

class cle.backends.coff.CoffSection[source]¶

Bases: Section

Section of the COFF object.

__init__(name: str, file_offset: int, file_size: int, virtual_addr: int, virtual_size: int, coff_sec: CoffSectionTableEntry)[source]¶

Parameters:

name (str) – The name of the section
offset (int) – The offset into the binary file this section begins
vaddr (int) – The address in virtual memory this section begins
size (int) – How large this section is
file_offset (int)
file_size (int)
virtual_addr (int)
virtual_size (int)
coff_sec (CoffSectionTableEntry)

property is_readable¶: Whether this section has read permissions

property is_writable¶: Whether this section has write permissions

property is_executable¶: Whether this section has execute permissions

property only_contains_uninitialized_data¶: Whether this section is initialized to zero after the executable is loaded.

class cle.backends.coff.CoffRelocation[source]¶

Bases: Relocation

Relocation for a COFF object.

PACK_FORMAT = '<i'¶

relocate()[source]¶

Applies this relocation. Will make changes to the memory object of the object it came from.

This implementation is a generic version that can be overridden in subclasses.

class cle.backends.coff.CoffRelocationREL32[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_*_REL32

property value¶

class cle.backends.coff.CoffRelocationDIR32[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_*_DIR32

property value¶

class cle.backends.coff.CoffRelocationDIR32NB[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_*_DIR32

property value¶

class cle.backends.coff.CoffRelocationADDR32NB[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_AMD64_ADDR32NB

PACK_FORMAT = '<I'¶

property value: int¶

class cle.backends.coff.CoffRelocationADDR64[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_AMD64_ADDR64

PACK_FORMAT = '<Q'¶

property value¶

class cle.backends.coff.CoffRelocationSECTION[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_*_SECTION

PACK_FORMAT = '<H'¶

property value¶

class cle.backends.coff.CoffRelocationSECREL[source]¶

Bases: CoffRelocation

Relocation for IMAGE_REL_*_SECREL

PACK_FORMAT = '<I'¶

property value¶

class cle.backends.coff.Coff[source]¶

Bases: Backend

COFF object loader.

is_default = True¶

__init__(*args, **kwargs)[source]¶

Parameters:

binary – The path to the binary to load
binary_stream – The open stream to this binary. The reference to this will be held until you call close.
is_main_bin – Whether this binary should be loaded as the main executable

classmethod is_compatible(stream)[source]¶: Determine quickly whether this backend can load an object from this stream

get_symbol(name: str, produce_extern_symbols: bool = False) → Symbol | None[source]¶

Stub function. Implement to find the symbol with name name.

Return type:

Symbol | None

Parameters:

name (str)
produce_extern_symbols (bool)