PE

class cle.backends.PE[source]

Bases: Backend

Representation of a PE (i.e. Windows) binary.

Useful backend options:

  • debug_symbols: Provides the path to a PDB file which contains the binary’s debug symbols

  • debug_symbol_dirs: List of directories to search for PDB files (searched before symbol servers)

  • debug_symbol_path_str: A string indicating symbol search paths, which may be provided in the

    _NT_SYMBOL_PATH format.

  • download_debug_symbols: Whether to attempt downloading debug symbols from symbol servers (if provided) or

    not. Default to False.

  • download_debug_symbol_confirm: A callable that takes a URL string and returns True if downloading the debug

    symbol from the URL is allowed by the user, False otherwise.

  • download_debug_symbol_progress: A callable that takes two integer arguments: bytes downloaded and total bytes.

    This callable is called periodically to report download progress.

  • search_microsoft_symserver: Whether to include the Microsoft symbol server in symbol searches. Default to

    True. Requires download_debug_symbols to be True to have any effect.

is_default = True
__init__(*args, debug_symbols=None, debug_symbol_dirs=None, debug_symbol_path_str: str | None = None, download_debug_symbols: bool = False, download_debug_symbol_confirm: Callable[[str], bool] | None = None, download_debug_symbol_progress: Callable[[int, int | None], bool] | None = None, search_microsoft_symserver: bool = True, **kwargs)[source]
Parameters:

  • binary – The path to the binary to load

  • binary_stream – The open stream to this binary. The reference to this will be held until you call close.

  • is_main_bin – Whether this binary should be loaded as the main executable

  • debug_symbol_path_str (str | None)

  • download_debug_symbols (bool)

  • download_debug_symbol_confirm (Callable[[str], bool] | None)

  • download_debug_symbol_progress (Callable[[int, int | None], bool] | None)

  • search_microsoft_symserver (bool)

classmethod is_compatible(stream)[source]

Determine quickly whether this backend can load an object from this stream

classmethod check_magic_compatibility(stream)[source]

Check if a stream of bytes contains the same magic number as the main object

classmethod check_compatibility(spec, obj)[source]

Performs a minimal static load of spec and returns whether it’s compatible with other_obj

close()[source]
get_symbol(name)[source]

Look up the symbol with the given name. Symbols can be looked up by ordinal with the name "ordinal.%d" % num

load_symbols_from_pdb(pdb_path)[source]

Load available symbols from PDB at pdb_path

class cle.backends.pe.regions.PESection[source]

Bases: Section

Represents a section for the PE format.

__init__(pe_section, remap_offset=0, name: str | None = None)[source]
Parameters:

  • name (str | None) – The name of the section

  • offset (int) – The offset into the binary file this section begins

  • vaddr (int) – The address in virtual memory this section begins

  • size (int) – How large this section is

property is_readable

Whether this section has read permissions

property is_writable

Whether this section has write permissions

property is_executable

Whether this section has execute permissions

property only_contains_uninitialized_data

Whether this section is initialized to zero after the executable is loaded.

class cle.backends.pe.symbol.WinSymbol[source]

Bases: Symbol

Represents a symbol for the PE format.

__init__(owner, name, addr, is_import, is_export, ordinal_number, forwarder, symbol_type=SymbolType.TYPE_FUNCTION)[source]

Not documenting this since if you try calling it, you’re wrong.

resolve_forwarder()[source]

If this symbol is a forwarding export, return the symbol the forwarding refers to, or None if it cannot be found