Python elftools.elf.elffile.ELFFile() Examples
The following are 30
code examples of elftools.elf.elffile.ELFFile().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
elftools.elf.elffile
, or try the search function
.
.
Example #1
| Source File: bin_write.py From multiverse with GNU Lesser General Public License v3.0 | 6 votes |
|
def add_tls_section(fname,contents):
# This does not require ELFManip because it must
# be called earlier on, before we actually rewrite the
# binary, because I need the new TLS offset.
# We could obviously create the ELFManip object now,
# but it won't be used again until we write it out at
# the end.
global tls_section_added
global tls_section_contents
tls_section_added = True
#Pad contents to 4-byte alignment
tls_section_contents = contents+('\0'*(4-len(contents)%4))
with open(fname) as f:
elf = ELFFile(f)
for s in elf.iter_segments():
#Assume only one TLS segment exists (will fail on an already modified binary)
if s.header['p_type'] == 'PT_TLS':
tls_section_offset = s.header['p_memsz']+len(tls_section_contents)
print 'old section is 0x%x (%x with padding)'%(s.header['p_memsz'], s.header['p_memsz']+(4-s.header['p_memsz']%4))
print 'new content is 0x%x (%x with padding)'%(len(contents), len(contents)+(4-len(contents)%4))
print 'overall 0x%x (%x with padding)'%(tls_section_offset, tls_section_offset+(4-tls_section_offset%4))
return tls_section_offset + (4-tls_section_offset%4)
return len(contents) + (4-len(contents)%4) #If there is no TLS segment
Example #2
| Source File: elf.py From DMCUProg with MIT License | 6 votes |
|
def __init__(self, elf, memory_map=None):
if isinstance(elf, six.string_types):
self._file = open(elf, 'rb')
self._owns_file = True
else:
self._file = elf
self._owns_file = False
self._elf = ELFFile(self._file)
self._memory_map = memory_map or MemoryMap()
self._symbol_decoder = None
self._address_decoder = None
self._extract_sections()
self._compute_regions()
## @brief Close the ELF file if it is owned by this instance.
Example #3
| Source File: binja.py From MARA_Framework with GNU Lesser General Public License v3.0 | 6 votes |
|
def do_symbols(self, *args):
"""
:= symbols
"""
# Locals
elf = None
try:
if self.target_library:
# Create a new ELFFile() instance
elf = ELFFile(self.target_library[0])
for section in elf.iter_sections():
# Once we find the symbol table, print each symbol
if isinstance(section, SymbolTableSection):
self.logger.binja_log("info", "Found symbol table (!)")
for i, symbol in enumerate(section.iter_symbols()):
self.logger.binja_log("info", symbol.name)
else:
self.logger.binja_log("info", "Target library not selected (!)")
except Exception as e:
BinjaError("function : {}".format(e))
Example #4
| Source File: decoder.py From DMCUProg with MIT License | 6 votes |
|
def __init__(self, elf):
assert isinstance(elf, ELFFile)
self.elffile = elf
if not self.elffile.has_dwarf_info():
raise Exception("No DWARF debug info available")
self.dwarfinfo = self.elffile.get_dwarf_info()
self.subprograms = None
self.function_tree = None
self.line_tree = None
# Build indices.
self._get_subprograms()
self._build_function_search_tree()
self._build_line_search_tree()
Example #5
| Source File: sandshrew.py From manticore with GNU Affero General Public License v3.0 | 6 votes |
|
def binary_symbols(binary):
"""
helper method for getting all binary symbols with SANDSHREW_ prepended.
We do this in order to provide the symbols Manticore should hook on to
perform main analysis.
:param binary: str for binary to instrospect.
:rtype list: list of symbols from binary
"""
def substr_after(string, delim):
return string.partition(delim)[2]
with open(binary, "rb") as f:
elffile = ELFFile(f)
for section in elffile.iter_sections():
if not isinstance(section, SymbolTableSection):
continue
symbols = [sym.name for sym in section.iter_symbols() if sym]
return [
substr_after(name, PREPEND_SYM) for name in symbols if name.startswith(PREPEND_SYM)
]
Example #6
| Source File: elfparser.py From apkutils with MIT License | 6 votes |
|
def get_elf_files(apk_path):
files = list()
if zipfile.is_zipfile(apk_path):
try:
with zipfile.ZipFile(apk_path, mode="r") as zf:
for name in zf.namelist():
try:
data = zf.read(name)
mime = Magic(data).get_type()
if mime == 'elf':
elf_data = io.BytesIO(data)
elf_file = ELFFile(elf_data)
files.append((name, elf_data, elf_file))
except Exception as ex:
continue
except Exception as ex:
raise ex
return files
Example #7
| Source File: elf_executable.py From dispatch with MIT License | 6 votes |
|
def __init__(self, file_path):
super(ELFExecutable, self).__init__(file_path)
self.helper = ELFFile(self.binary)
self.architecture = self._identify_arch()
if self.architecture is None:
raise Exception('Architecture is not recognized')
logging.debug('Initialized {} {} with file \'{}\''.format(self.architecture, type(self).__name__, file_path))
self.pack_endianness = '<' if self.helper.little_endian else '>'
self.address_pack_type = 'I' if self.helper.elfclass == 32 else 'Q'
self.sections = [section_from_elf_section(s) for s in self.helper.iter_sections()]
self.executable_segment = [s for s in self.helper.iter_segments() if s['p_type'] == 'PT_LOAD' and s['p_flags'] & 0x1][0]
dyn = self.helper.get_section_by_name('.dynamic')
if dyn:
self.libraries = [t.needed for t in dyn.iter_tags() if t['d_tag'] == 'DT_NEEDED']
self.next_injection_offset = None
Example #8
| Source File: z3core.py From maldrolyzer with MIT License | 6 votes |
|
def recon(self):
z = ZipFile(self.filename)
bundle = False
if 'lib/armeabi-v7a/libmonodroid.so' in z.namelist() and 'lib/armeabi-v7a/libmonodroid_bundle_app.so' in z.namelist():
bundle = 'lib/armeabi-v7a/libmonodroid_bundle_app.so'
elif 'lib/armeabi/libmonodroid.so' in z.namelist() and 'lib/armeabi/libmonodroid_bundle_app.so' in z.namelist():
bundle = 'lib/armeabi/libmonodroid_bundle_app.so'
if not bundle:
return False
self.bundle = bundle
f = z.open(bundle)
f = StringIO(f.read())
elffile = ELFFile(f)
section = elffile.get_section_by_name('.dynsym')
for symbol in section.iter_symbols():
if symbol['st_shndx'] != 'SHN_UNDEF' and symbol.name == 'mono_mkbundle_init':
return True
return False
Example #9
| Source File: z3core.py From maldrolyzer with MIT License | 6 votes |
|
def extract(self):
c2 = []
z = ZipFile(self.filename)
data = z.open(self.bundle).read()
f = StringIO(data)
elffile = ELFFile(f)
section = elffile.get_section_by_name('.dynsym')
for symbol in section.iter_symbols():
if symbol['st_shndx'] != 'SHN_UNDEF' and symbol.name.startswith('assembly_data_'):
if symbol.name[14:] in self.WHITELISTED_DLL:
continue
dll_data = data[symbol['st_value']:symbol['st_value']+symbol['st_size']]
dll_data = gzip.GzipFile(fileobj=StringIO(dll_data)).read()
regexp = """rule find_url {
strings:
$url = /http:\/\/[A-Za-z0-9\.\/$\-_+!\*'(),]*/ wide
condition:
$url}"""
compiled = yara.compile(source = regexp)
s = compiled.match(data = dll_data)
for entry in s['main'][0]['strings']:
cc = dll_data[entry['offset']:entry['offset']+len(entry['data'])].decode('utf-16')
c2.append(cc)
return {'c2': c2}
Example #10
| Source File: emu_helper.py From writeups with GNU General Public License v3.0 | 6 votes |
|
def init_elf(self, filename):
if 'ELFFile' not in globals():
raise Exception('emu_helper: Please install pyelftools before loading ELF binaries')
self.elf = ELFFile(open(filename, 'rb'))
# loadable segments
segs = filter(lambda x: x.header.p_type == 'PT_LOAD', self.elf.iter_segments())
self.base = min(map(lambda x: x.header.p_vaddr, segs))
# FIXME
self.set_mode(UC_MODE_64)
self.mu = Uc(UC_ARCH_X86, self.mode)
mem_top = self.base
for seg in segs:
va = seg.header.p_vaddr
vbot = va & ~0xfff
vtop = (seg.header.p_vaddr + seg.header.p_memsz + 0xfff) & ~0xfff
print 'map 0x%08x .. 0x%08x' % (vbot, vtop)
self.mu.mem_map(vbot, vtop - vbot)
self.mu.mem_write(va, seg.data())
mem_top = max(mem_top, vtop)
self.shim_base = mem_top
self.stack_len = 0x10000
print 'shim_base at: 0x%08x' % self.shim_base
self.mu.mem_map(self.shim_base, self.shim_len + self.stack_len)
self.rsp0 = self.shim_base + self.shim_len + self.stack_len
self.init_stack()
Example #11
| Source File: binary.py From manticore with GNU Affero General Public License v3.0 | 6 votes |
|
def __init__(self, filename):
super().__init__(filename)
self.elf = ELFFile(open(filename, "rb"))
self.arch = {"x86": "i386", "x64": "amd64"}[self.elf.get_machine_arch()]
assert self.elf.header.e_type in ["ET_DYN", "ET_EXEC", "ET_CORE"]
# Get interpreter elf
self.interpreter = None
for elf_segment in self.elf.iter_segments():
if elf_segment.header.p_type != "PT_INTERP":
continue
self.interpreter = Elf(elf_segment.data()[:-1])
break
if self.interpreter is not None:
assert self.interpreter.arch == self.arch
assert self.interpreter.elf.header.e_type in ["ET_DYN", "ET_EXEC"]
Example #12
| Source File: parse_enclave.py From sgxfun with GNU General Public License v3.0 | 6 votes |
|
def find_ecalls_elf(self):
t_section = None
t_vaddr = None
elf = ELFFile(open(self.filename, 'rb'))
# find the symbols table(s)
for section in elf.iter_sections():
if section.header['sh_type'] == 'SHT_SYMTAB':
# find the g_ecall_table symbol
for symbol in section.iter_symbols():
if symbol.name == 'g_ecall_table':
t_section=symbol.entry['st_shndx']
t_vaddr=symbol.entry['st_value']
break
if t_section and t_vaddr:
break
if t_section and t_vaddr:
# we got it, go calculate the table address
section = elf.get_section(t_section)
# calculate the symbol offset from the section start
sym_offset = t_vaddr - section.header['sh_addr']
# return the physical address of the symbol
return section.header['sh_offset'] + sym_offset
return None
Example #13
| Source File: searching.py From osspolice with GNU General Public License v3.0 | 6 votes |
|
def get_dynamic_features(main, lib_path, feat_type='function'):
"""
Function to extract function/variable names from a shared library file.
"""
from elftools.elf.elffile import ELFFile
from elftools.common.exceptions import ELFError
count = 0
features = {}
try:
with open(lib_path, 'rb') as stream:
elffile = ELFFile(stream)
count += scan_section(main, features, feat_type, lib_path, elffile.get_section_by_name('.symtab'))
count += scan_section(main, features, feat_type, lib_path, elffile.get_section_by_name('.dynsym'))
return count, features
except Exception as e:
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
logger.error("[%s, %s, %s] Error extracting %ss: %s", exc_type, fname, exc_tb.tb_lineno, feat_type, str(e))
###########################################################
# Object extractor
###########################################################
Example #14
| Source File: dfs.py From fetchy with MIT License | 6 votes |
|
def _check_binary(self, directory, layer_tar, image_tar, fileobj):
fileobj.seek(0)
if fileobj.read(4) != b"\x7fELF":
fileobj.seek(0)
return
fileobj.seek(0)
elf = ELFFile(fileobj)
for section in [
section
for section in elf.iter_sections()
if isinstance(section, DynamicSection)
]:
for library in [
tag.needed for tag in section.iter_tags() if hasattr(tag, "needed")
]:
if not [
file
for file in (layer_tar.getnames() + image_tar.getnames())
if Path(file).name == library
]:
self._find_library(directory, library, image_tar)
fileobj.seek(0)
Example #15
| Source File: elf.py From DRTTView with MIT License | 6 votes |
|
def __init__(self, elf, memory_map=None):
if isinstance(elf, six.string_types):
self._file = open(elf, 'rb')
self._owns_file = True
else:
self._file = elf
self._owns_file = False
self._elf = ELFFile(self._file)
self._memory_map = memory_map or MemoryMap()
self._symbol_decoder = None
self._address_decoder = None
self._extract_sections()
self._compute_regions()
## @brief Close the ELF file if it is owned by this instance.
Example #16
| Source File: exploits.py From bintut with GNU General Public License v3.0 | 6 votes |
|
def get_func_address(self, name):
address = None
with open(self.path, 'rb') as stream:
elf = ELFFile(stream)
for section in elf.iter_sections():
if isinstance(section, SymbolTableSection):
for symbol in section.iter_symbols():
if symbol.name == name:
self.logger.debug('%s', symbol.entry)
address = symbol.entry['st_value']
break
if address:
break
else:
raise RuntimeError('Failed to find {}'.format(name))
return self.handle_address(address + self.libc.imageBase)
Example #17
| Source File: decoder.py From DRTTView with MIT License | 5 votes |
|
def __init__(self, elf):
assert isinstance(elf, ELFFile)
self.elffile = elf
self.symtab = self.elffile.get_section_by_name('.symtab')
self.symcount = self.symtab.num_symbols()
self.symbol_dict = {}
self.symbol_tree = None
# Build indices.
self._build_symbol_search_tree()
self._process_arm_type_symbols()
Example #18
| Source File: parse_symbol_tables.py From halucinator with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, filename):
self._elffile = ELFFile(filename)
self._dwarf = self._elffile.get_dwarf_info()
self._build_offset_lut()
Example #19
| Source File: data.py From scat with MIT License | 5 votes |
|
def parse(self, binary, libclang_path, srcdir = None, force=False, verbose=True):
if not force and os.path.exists(self.__path(".data")):
if verbose:
print "Already infered -- aborting"
return False
if verbose:
print(" * Checking dependencies")
self.deps = []
self.protos = dict()
with open(binary, 'rb') as f:
elf_file = ELFFile(f)
dynamic = elf_file.get_section_by_name('.dynamic')
for tag in dynamic.iter_tags('DT_NEEDED'):
if verbose:
print(" Found dependency {}".format(tag.needed))
self.deps.append(tag.needed)
for dep in self.deps:
dep_data = Data(self.dstdir, dep)
dep_data.load(False, verbose=verbose, main_pgm=False)
self.protos.update(dep_data.protos)
self.protos_without_libs = dict()
if srcdir != None:
if verbose:
print(" * Extracting data from source code")
extractor = ClangExtractor(libclang_path, srcdir)
self.protos_without_libs.update(extractor.extract())
if verbose:
print(" * Extracting data from binary debug informations")
extractor = DwarfExtractor()
# self.protos_without_libs.update(extractor.extract(binary))
self.protos.update(self.protos_without_libs)
return True
Example #20
| Source File: META_ELF.py From fsf with Apache License 2.0 | 5 votes |
|
def META_ELF(s, buff):
elffile = ELFFile(StringIO(buff))
META_ELF = { 'Arch' : elffile.get_machine_arch(),
'Debug Entries' : get_die_entries(elffile) }
META_ELF['Section Names'], META_ELF['Symbol Names'] = get_section_names(elffile)
return META_ELF
Example #21
| Source File: parse_enclave.py From sgxfun with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, filename):
# we need to pass a stream to ELFFile
self.filename = filename
try:
self.blob = open(filename, 'rb').read()
except IOError as e:
print('%s' % str(e))
sys.exit(1)
Example #22
| Source File: decoder.py From DMCUProg with MIT License | 5 votes |
|
def __init__(self, elf):
assert isinstance(elf, ELFFile)
self.elffile = elf
self.symtab = self.elffile.get_section_by_name('.symtab')
self.symcount = self.symtab.num_symbols()
self.symbol_dict = {}
self.symbol_tree = None
# Build indices.
self._build_symbol_search_tree()
self._process_arm_type_symbols()
Example #23
| Source File: strings_tool.py From apk_api_key_extractor with Apache License 2.0 | 5 votes |
|
def strings(file_name, sections=None, min_length=4):
"""
Finds all strings in a file; if it's an ELF file, you can specify where (in which section) to
look for the strings.
:param file_name: name of the file to be examined
:param sections: a list of strings which identify the ELF sections; should be used only with ELF files
:param min_length:
:return:
"""
pattern = '([\x20-\x7E]{' + str(min_length) + '}[\x20-\x7E]*)' # ASCII table from character space to tilde
pattern = pattern.encode()
regexp = re.compile(pattern)
if not sections:
with open(file_name, 'rb') as f, mmap(f.fileno(), 0, access=ACCESS_READ) as m:
for match in regexp.finditer(m):
yield str(match.group(0), 'utf-8')
else:
with open(file_name, 'rb') as f:
elffile = ELFFile(f)
for section in sections:
try:
sec = elffile.get_section_by_name(section)
except AttributeError:
# section not found
continue
# skip section if missing in elf file
if not sec:
continue
offset = sec['sh_offset']
size = sec['sh_size']
if offset is None or size is None:
continue
# round to allocation granularity for mmap
offset = max(offset - offset % ALLOCATIONGRANULARITY, 0)
with mmap(f.fileno(), size, access=ACCESS_READ, offset=offset) as m:
for match in regexp.finditer(m):
yield str(match.group(0), 'utf-8')
Example #24
| Source File: decoder.py From DRTTView with MIT License | 5 votes |
|
def __init__(self, elf):
assert isinstance(elf, ELFFile)
self.elffile = elf
if not self.elffile.has_dwarf_info():
raise Exception("No DWARF debug info available")
self.dwarfinfo = self.elffile.get_dwarf_info()
self.subprograms = None
self.function_tree = None
self.line_tree = None
# Build indices.
self._get_subprograms()
self._build_function_search_tree()
self._build_line_search_tree()
Example #25
| Source File: loader.py From retrowrite with MIT License | 5 votes |
|
def __init__(self, fname):
self.fd = open(fname, 'rb')
self.elffile = ELFFile(self.fd)
self.container = Container()
Example #26
| Source File: concrete.py From amphitrite with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, arguments, start_address=None, skip_library=True):
self.closed = True
self.running = False
self._string_variables = dict()
self._variables = []
if not isinstance(arguments, (list, tuple)):
arguments = [arguments]
self.args = arguments
self.path = self.args[0]
self.binary = os.path.split(self.path)[-1]
with open(self.path, 'rb') as f:
self.arch = ELFFile(f).get_machine_arch()
if self.arch not in ('x86', 'x64'):
raise RuntimeError('Architecture is not x86 or x64.')
print '[*] Starting Triton process'
listener = Listener(('localhost', 31313))
child = os.path.join(os.path.dirname(os.path.realpath(__file__)), 'child.py')
self.process = subprocess.Popen(['triton', child] + arguments,
stdin=subprocess.PIPE,
)
global started_child
started_child.append(self.process)
self.connection = listener.accept()
self.connection.send({'path': self.path,
'binary': self.binary,
'skip_library': skip_library,
'start_address': start_address,
'arch': self.arch})
if self.connection.recv() == 'triton ready.':
print '\r[+] Starting Triton process: Done'
self.closed = True
else:
self.connection.close()
raise RuntimeError('Failed to start Triton')
Example #27
| Source File: disassemble.py From binch with MIT License | 5 votes |
|
def loadELF(self, filename):
try:
elf = ELFFile(open(filename, 'rb'))
except:
raise Exception("[-] This file is not an ELF file: %s" % filename)
self.arch = elf.get_machine_arch()
self.entry = elf.header.e_entry
self.memory = self.load_code_segments(elf.iter_segments(), filename)
self.symtab, self.thumbtab, self.code_addrs = self.load_section_info(elf.iter_sections())
self.thumbtab.sort(key=lambda tup: tup[0])
self.code_addrs = sorted(self.code_addrs, key=lambda k: k['address'])
Example #28
| Source File: manticore.py From manticore with GNU Affero General Public License v3.0 | 5 votes |
|
def resolve(self, symbol):
"""
A helper method used to resolve a symbol name into a memory address when
injecting hooks for analysis.
:param symbol: function name to be resolved
:type symbol: string
:param line: if more functions present, optional line number can be included
:type line: int or None
"""
with open(self.binary_path, "rb") as f:
elffile = ELFFile(f)
# iterate over sections and identify symbol table section
for section in elffile.iter_sections():
if not isinstance(section, SymbolTableSection):
continue
# get list of symbols by name
symbols = section.get_symbol_by_name(symbol)
if not symbols:
continue
# return first indexed memory address for the symbol,
return symbols[0].entry["st_value"]
raise ValueError(f"The {self.binary_path} ELFfile does not contain symbol {symbol}")
Example #29
| Source File: binary.py From manticore with GNU Affero General Public License v3.0 | 5 votes |
|
def __init__(self, filename):
super().__init__(filename)
stream = self._cgc2elf(filename)
self.elf = ELFFile(stream)
self.arch = {"x86": "i386", "x64": "amd64"}[self.elf.get_machine_arch()]
assert "i386" == self.arch
assert self.elf.header.e_type in ["ET_EXEC"]
Example #30
| Source File: linux.py From manticore with GNU Affero General Public License v3.0 | 5 votes |
|
def _interp_total_size(interp):
"""
Compute total load size of interpreter.
:param ELFFile interp: interpreter ELF .so
:return: total load size of interpreter, not aligned
:rtype: int
"""
load_segs = [x for x in interp.iter_segments() if x.header.p_type == "PT_LOAD"]
last = load_segs[-1]
return last.header.p_vaddr + last.header.p_memsz
############################################################################
# Symbolic versions follows
