tessl/pypi-lief
Library to instrument executable formats including ELF, PE, Mach-O, and Android formats
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-lief@0.16.0index.mddocs/
LIEF
LIEF (Library to Instrument Executable Formats) is a comprehensive cross-platform library for parsing, modifying, and abstracting executable file formats. It provides unified APIs to analyze and manipulate ELF, PE, Mach-O, and Android formats (DEX, ART, OAT, VDEX), along with advanced features like disassembly, debug information extraction, and format conversion.
Package Information
- Package Name: lief
- Package Type: PyPI
- Language: Python (with C++ backend)
- Installation:
pip install lief
Core Imports
import lief
from typing import Union, Optional, Iterator, List, Sequence
import io
import osFor format-specific operations:
import lief.ELF
import lief.PE
import lief.MachO
import lief.Android
# Android-specific formats
import lief.DEX
import lief.ART
import lief.OAT
import lief.VDEXFor extended features:
import lief.assembly
import lief.dwarf
import lief.pdb
import lief.objc
import lief.dscBasic Usage
import lief
# Parse any supported binary format
binary = lief.parse("/path/to/binary")
if binary is None:
print("Unable to parse binary")
exit(1)
# Access common properties across all formats
print(f"Format: {binary.format}")
print(f"Architecture: {binary.header.architecture}")
print(f"Entry point: 0x{binary.entrypoint:x}")
print(f"Is PIE: {binary.is_pie}")
# Iterate through sections
for section in binary.sections:
print(f"Section: {section.name} - Size: {section.size}")
# Find symbols
if binary.has_symbol("main"):
main_symbol = binary.get_symbol("main")
print(f"Main function at: 0x{main_symbol.value:x}")
# Export to JSON for analysis
json_data = lief.to_json(binary)Architecture
LIEF provides a unified abstraction layer across different executable formats:
- Common Base Classes:
Binary,Header,Section,Symbolprovide consistent interfaces - Format-Specific Classes: ELF, PE, and Mach-O modules extend base classes with format-specific features
- Extended Features: Assembly engine, debug information parsers, and mobile format support
- Cross-Platform: Works on Linux, Windows, macOS, iOS, and Android
The library design enables both high-level analysis through common interfaces and deep format-specific manipulation through specialized modules.
Capabilities
Core Binary Operations
Foundation functionality for parsing, analyzing, and modifying executable files across all supported formats with unified interfaces.
def parse(file: Union[str, bytes, io.IOBase, os.PathLike]) -> Optional[Binary]
def is_elf(file: Union[str, Sequence[int]]) -> bool
def is_pe(file: Union[str, Sequence[int]]) -> bool
def is_macho(file: Union[str, Sequence[int]]) -> bool
def hash(obj: Union[Object, Sequence[int], bytes, str]) -> int
def to_json(obj: Object) -> str
def demangle(mangled: str) -> Optional[str]
def current_platform() -> PLATFORMS
# Binary Construction and Modification
class ELF:
class Builder:
def build(self) -> Optional[bytes]
def write(self, output: str) -> None
class PE:
class Builder:
def build(self) -> Optional[bytes]
def write(self, output: str) -> None
class MachO:
class Builder:
def build(self) -> Optional[bytes]
def write(self, output: str) -> NoneELF Format Support
Comprehensive support for ELF (Executable and Linkable Format) files including executables, shared libraries, object files, and core dumps with Linux-specific features.
def parse(file: Union[str, bytes, io.IOBase], config: ParserConfig = None) -> Optional[ELF.Binary]
class Binary(lief.Binary):
def add_section(self, section: Section) -> Section
def remove_section(self, name: str, clear: bool = False) -> None
def add_library(self, library: str) -> DynamicEntryLibrary
def remove_library(self, library: str) -> NonePE Format Support
Complete support for PE (Portable Executable) format used by Windows executables, DLLs, and system files with Windows-specific features like resources and code signing.
def parse(file: Union[str, bytes, io.IOBase], config: ParserConfig = None) -> Optional[PE.Binary]
def get_type(file: Union[str, Sequence[int]]) -> Union[PE_TYPE, lief_errors]
def get_imphash(binary: Binary, mode: IMPHASH_MODE = IMPHASH_MODE.DEFAULT) -> str
class Binary(lief.Binary):
def add_section(self, section: Section) -> Section
def remove_section(self, name: str, clear: bool = False) -> None
def add_library(self, library: str) -> ImportMach-O Format Support
Native support for Mach-O format used by macOS and iOS executables, frameworks, and universal binaries with Apple platform-specific features.
def parse(file: Union[str, bytes, io.IOBase], config: ParserConfig = None) -> Optional[FatBinary]
def parse_from_memory(address: int, config: ParserConfig = None) -> Optional[FatBinary]
def is_fat(file: str) -> bool
def is_64(file: str) -> bool
class FatBinary:
def take(self, arch: Header.CPU_TYPE) -> Optional[Binary]
def add(self, binary: Binary) -> NoneAndroid Format Support
Specialized support for Android application formats including DEX bytecode, ART runtime files, OAT optimized executables, and VDEX verification data.
def is_dex(file: Union[str, Sequence[int]]) -> bool
def is_art(file: Union[str, Sequence[int]]) -> bool
def is_oat(file: Union[str, Sequence[int], ELF.Binary]) -> bool
def is_vdex(file: Union[str, Sequence[int]]) -> bool
def code_name(version: ANDROID_VERSIONS) -> str
def version_string(version: ANDROID_VERSIONS) -> strAssembly and Disassembly
Integrated disassembly and assembly engine supporting multiple architectures for code analysis and binary modification.
class Instruction:
address: int
size: int
mnemonic: str
raw: bytes
def to_string(self, with_address: bool = True) -> str
def disassemble(self, address: int, size: int = None) -> Iterator[Optional[Instruction]]
def disassemble_from_bytes(self, buffer: bytes, address: int = 0) -> Iterator[Optional[Instruction]]
def assemble(self, address: int, assembly: str) -> bytesDebug Information
Advanced debug information parsing for DWARF and PDB formats enabling source-level analysis and debugging support.
class DebugInfo:
format: FORMAT # DWARF or PDB
class DWARF:
def find_function(self, name: str) -> Optional[Function]
def find_variable(self, name: str) -> Optional[Variable]
class PDB:
def functions(self) -> Iterator[Function]
def public_symbols(self) -> Iterator[PublicSymbol]Extended Features
Advanced platform-specific features including Objective-C metadata analysis and macOS/iOS shared cache support for comprehensive Apple ecosystem analysis.
# Objective-C Metadata
class ObjC:
class Metadata:
classes: Iterator[Class]
protocols: Iterator[Protocol]
class Class:
name: str
super_class: Optional[Class]
methods: Iterator[Method]
# Dyld Shared Cache
class DyldSharedCache:
def dylibs(self) -> Iterator[Dylib]
def mapping_info(self) -> Iterator[MappingInfo]
def find_lib_from_name(self, name: str) -> Optional[Dylib]Types
class Binary:
format: FORMATS
header: Header
sections: Iterator[Section]
symbols: Iterator[Symbol]
relocations: Iterator[Relocation]
entrypoint: int
libraries: List[Union[str, bytes]]
exported_functions: List[Function]
imported_functions: List[Function]
is_pie: bool
has_nx: bool
imagebase: int
original_size: int
debug_info: DebugInfo
class Header:
architecture: ARCHITECTURES
modes: MODES
entrypoint: int
object_type: OBJECT_TYPES
endianness: ENDIANNESS
is_32: bool
is_64: bool
class Section:
name: Union[str, bytes]
fullname: bytes
size: int
offset: int
virtual_address: int
content: memoryview
entropy: float
class Symbol:
name: Union[str, bytes]
value: int
size: int
class Function(Symbol):
address: int
flags: FLAGS
class FORMATS(enum.Enum):
UNKNOWN = 0
ELF = 1
PE = 2
MACHO = 3
OAT = 4
class PLATFORMS(enum.Enum):
UNKNOWN = 0
LINUX = 1
ANDROID = 2
WINDOWS = 3
IOS = 4
OSX = 5
class lief_errors(enum.Enum):
read_error = 1
not_found = 2
not_implemented = 3
not_supported = 4
corrupted = 5
conversion_error = 6
read_out_of_bound = 7
file_error = 9
file_format_error = 10
parsing_error = 11
build_error = 12
data_too_large = 13
require_extended_version = 14