There are already several platform-specific libraries and tools for working with executable formats, such as pefile, pyelftools and pwntools in Python, or objdump and similar utilities. Now there is LIEF, an open source, cross-platform library to parse, modify and abstract the ELF, PE and MachO file formats.
Features of LIEF:
- Parsing: LIEF can parse ELF, PE and MachO files and provides a user-friendly API to access format internals, including standard components such as headers, sections, the import table, load commands and symbols. In fact, PE Authenticode signatures can also be parsed by this tool!
- Modify: It can modify some parts of ELF, PE and MachO files.
- Abstract: The three formats share common features such as sections, symbols and an entry point; LIEF factors them out into a common abstraction.
- API: The parser can be used from C, C++ and Python.
- Code injection: LIEF provides APIs to inject code or data into a binary. Such an injection can be used to hook functions or to redirect control flow.
In the LIEF architecture, each format implements at least the following classes:
- Parser: Parses the format and decomposes it into a Binary object.
- Binary: Models the format and provides an API to explore and modify it.
- Builder: Transforms the Binary object back into a valid file.
To be compiled, this cross-platform library needs at least the following:
- A C++11 compiler (GCC, Clang, MSVC, etc.)
- Python (for the bindings)
It can even be installed and used in your Docker containers. What's more, you can use this open source library to create simple PE files (both 32-bit and 64-bit) from scratch! Hooking imported functions in Executable and Linkable Format (ELF) files works by patching the .got section.
What this tool from Quarkslab gives you is a nice, easy-to-use, cross-platform library to aid your reverse engineering, malware analysis and binary analysis projects, without the need to re-implement your own parser! You can use it to work with files from Windows, *NIX (such as Linux and Android), OSX and iOS systems.
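The abstract layer described above, put to work in a short triage script that flags high-entropy sections (a routine packed/encrypted-payload check in malware analysis). This is an added example, not code from the original post or from LIEF itself; it assumes the lief Python package is installed, and the 7.0 bit/byte threshold is an assumption to tune per sample set.

```python
"""Cross-format section triage on top of LIEF's abstract layer (added example).

LIEF's abstract Binary exposes `sections` for ELF, PE and MachO alike, so one
script can flag sections whose byte entropy suggests packed or encrypted content.
The 7.0 bit/byte threshold is an assumption; tune it for your sample set.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 max."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def triage_sections(sections, threshold: float = 7.0):
    """Score (name, content) pairs; flag non-empty sections above `threshold`."""
    report = []
    for name, content in sections:
        entropy = shannon_entropy(content)
        report.append({
            "name": name,
            "size": len(content),
            "entropy": round(entropy, 3),
            "suspicious": len(content) > 0 and entropy > threshold,
        })
    return report


def triage_file(path: str, threshold: float = 7.0):
    """Parse any supported format with LIEF and triage its sections."""
    import lief  # assumption: LIEF with Python bindings is installed; imported
    # here so the pure scoring logic above stays usable without the library
    binary = lief.parse(path)  # format is detected automatically; None on failure
    if binary is None:
        raise ValueError(f"LIEF could not parse {path}")
    # section.content is the raw section bytes in every LIEF release
    pairs = [(section.name, bytes(section.content)) for section in binary.sections]
    return triage_sections(pairs, threshold)


if __name__ == "__main__":
    import sys
    for rec in triage_file(sys.argv[1]):
        print(f"{rec['name']:<20} {rec['size']:>9} {rec['entropy']:>6.3f}"
              + ("  PACKED?" if rec["suspicious"] else ""))
```

Run it as `python triage.py <binary>`; the same command works unchanged on an ELF, PE or MachO sample because only the abstract section API is used.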
LIEF 0.6.0 can be downloaded here.