Navigation

Elf Package

Warning

The documentation for Elf hasn’t been touched yet! If you want to contribute (or have ideas for better documentation), feel free to send me a pull request or email me.

Elf Package

Kenshoto’s Elf parser

This package will let you use programatic ninja-fu when trying to parse Elf binaries. The API is based around several objects representing constructs in the Elf binary format. The Elf object itself contains parsed metadata and lists of things like section headers and relocation entries. Additionally, most of the objects implement repr() in some form or another which allows you a bunch of readelf-like functionality.

Eventually this API will allow you to modify Elf binaries and spit them back out in working order (not complete, you may notice some of the initial code).

Send bug reports to Invisigoth or Metr0.

class Elf.Elf(fd, inmem=False)[source]

Bases: vstruct.defs.elf.Elf32, vstruct.defs.elf.Elf64

addSymbol(symbol)[source]
getBaseAddress()[source]

For prelinked and main-exe elf binaries, return the value for the loaded base address...

getDynSyms()[source]

Return a list of dynamic symbol objects.

getDynamics()[source]

Return a list of the dynamics.

getPheaders()[source]

Return a list of the program headers for this elf

getRelocTypeName(rtype)[source]

Because relocation type names are decided based on the arch, only the Elf knows for sure...

getRelocs()[source]

Get the list of relocations.

getSection(secname)[source]
getSectionBytes(secname)[source]
getSections()[source]

Return the array of sections for this Elf

getStrtabString(offset, section='.strtab')[source]
getSymbols()[source]
isPreLinked()[source]

Returns True if the Elf binary is prelinked.

isSharedObject()[source]

Returns true if the given Elf binary is a dynamically shared object.

lookupSymbolAddr(address)[source]

lookup symbols from this elf binary by address. This returns the name for the given symbol or None for not found

lookupSymbolName(name)[source]

Lookup symbol entries in this elf binary by name. The result is a long representing the address for the given symbol. Or None if it’s not found.

readAtOffset(off, size)[source]

Read from the given file offset.

readAtRva(rva, size)[source]

Calculate the file offset for the given RVA and read from it...

rvaToOffset(rva)[source]

Convert an RVA for this ELF binary to a file offset.

verbrepr()[source]
class Elf.Elf32Dynamic[source]

Bases: Elf.ElfDynamic, vstruct.defs.elf.Elf32Dynamic

class Elf.Elf32Pheader[source]

Bases: Elf.ElfPheader, vstruct.defs.elf.Elf32Pheader

class Elf.Elf32Reloc(r_types)[source]

Bases: Elf.ElfReloc, vstruct.defs.elf.Elf32Reloc

getSymTabIndex()[source]
class Elf.Elf32Reloca(r_types)[source]

Bases: Elf.ElfReloc, vstruct.defs.elf.Elf32Reloca

getSymTabIndex()[source]
class Elf.Elf32Section[source]

Bases: Elf.ElfSection, vstruct.defs.elf.Elf32Section

class Elf.Elf32Symbol[source]

Bases: Elf.ElfSymbol, vstruct.defs.elf.Elf32Symbol

class Elf.Elf64Dynamic[source]

Bases: Elf.ElfDynamic, vstruct.defs.elf.Elf64Dynamic

class Elf.Elf64Pheader[source]

Bases: Elf.ElfPheader, vstruct.defs.elf.Elf64Pheader

class Elf.Elf64Reloc(r_types)[source]

Bases: Elf.ElfReloc, vstruct.defs.elf.Elf64Reloc

getSymTabIndex()[source]
class Elf.Elf64Reloca(r_types)[source]

Bases: Elf.ElfReloc, vstruct.defs.elf.Elf64Reloca

getSymTabIndex()[source]
class Elf.Elf64Section[source]

Bases: Elf.ElfSection, vstruct.defs.elf.Elf64Section

class Elf.Elf64Symbol[source]

Bases: Elf.ElfSymbol, vstruct.defs.elf.Elf64Symbol

class Elf.ElfDynamic(bytes=None)[source]
getName()[source]
getTypeName()[source]
has_string = [1, 14]

An object to represent an Elf dynamic entry. (linker/loader directives)

setName(name)[source]
class Elf.ElfPheader[source]
getTypeName()[source]
class Elf.ElfReloc(r_types)[source]

Elf relocation entries consist mostly of “fixup” address which are taken care of by the loader at runtime. Things like GOT entries, PLT jmp codes etc all have an Elf relocation entry.

getName()[source]
getType()[source]
getTypeName()[source]
setName(name)[source]
class Elf.ElfSection[source]
getName()[source]
setName(name)[source]
class Elf.ElfSymbol[source]
getInfoBind()[source]
getInfoType()[source]
getName()[source]
setName(name)[source]
Elf.elfFromBytes(fbytes)

Returns a Elf class for a string of bytes. Basically just passes your bytes into a StringIO() and hands that off to Elf.Elf

Parameters:fbytes (str.) – The bytestring comprising the Elf.
Returns:Elf.Elf instance of the specified Elf.
Return type:Elf.Elf
Elf.elfFromFileName(fname)

Returns an Elf class for a specified file path. Makes sure to open the file in “rb” mode to read binary.

Parameters:fname (str.) – The filename of our Elf.
Returns:Elf.Elf instance of the specified Elf.
Return type:Elf.Elf
Elf.elfFromMemoryObject(memobj, baseaddr)

Returns a Elf class for a string of bytes. Basically just passes your bytes into a StringIO() and hands that off to Elf.Elf

Example:

>>> # Import vtrace and Elf
>>> import vtrace, Elf
>>> # Initilize our vtrace.Trace object
>>> trace = vtrace.getTrace()
>>> trace.execute('/path/to/program')
>>> # Get our library bases
>>> libBase = trace.getMeta("LibraryBases")
>>> # Get the first address of our first entry (not realistic)
>>> base = libBase.items()[0][1]
>>> # Create our Elf.Elf()
>>> p = Elf.peFromMemoryObject(trace, base)
Parameters:
  • memobj (vtrace.Trace) – Our memory object (trace object)
  • baseaddr (long) – Base address for our Elf
Returns:

Elf.Elf instance of the specified Elf (with inmem=True).
Return type:

Elf.Elf
Elf.getRelocSymTabIndex(val)[source]
Elf.getRelocType(val)[source]

elf_lookup Module

ELF static definitions

Table Of Contents

This Page

Navigation

© Copyright 2012, @invisig0th. Created using Sphinx 1.1.3.