ELF module
New in version 3.2.0.
The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in an ELF header, together with the file's section headers and program headers (segments). Let's see some examples:
    import "elf"

    rule single_section
    {
        condition:
            elf.number_of_sections == 1
    }

    rule elf_64
    {
        condition:
            elf.machine == elf.EM_X86_64
    }
Reference
type
    Integer with one of the following values:

    ET_NONE
        No file type.
    ET_REL
        Relocatable file.
    ET_EXEC
        Executable file.
    ET_DYN
        Shared object file. Position-independent executables (PIE) are also ET_DYN, so this value alone does not distinguish a shared library from a PIE executable.
    ET_CORE
        Core file.

    Example: elf.type == elf.ET_EXEC
machine
    Integer with one of the following values:

    EM_M32
        AT&T WE 32100.
    EM_SPARC
        SPARC.
    EM_386
        Intel 80386.
    EM_68K
        Motorola 68000.
    EM_88K
        Motorola 88000.
    EM_860
        Intel 80860.
    EM_MIPS
        MIPS RS3000 (big-endian).
    EM_MIPS_RS3_LE
        MIPS RS3000 (little-endian).
    EM_PPC
        PowerPC.
    EM_PPC64
        PowerPC 64-bit.
    EM_ARM
        ARM (32-bit).
    EM_X86_64
        AMD x86-64.
    EM_AARCH64
        ARM 64-bit (AArch64).

    Example: elf.machine == elf.EM_X86_64
entry_point
    Entry point, given as a raw file offset when YARA is scanning a file and as a virtual address when it is scanning process memory. This is equivalent to the deprecated entrypoint keyword.
number_of_sections
    Number of sections in the ELF file. Section headers are not needed to load and run a binary, so packed or otherwise sectionless samples can legitimately report zero sections; conditions that rely on section data should allow for that.
sections
    A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

    name
        Section's name.

        Example: elf.sections[3].name == ".bss"

    size
        Section's size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of type SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

    offset
        Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS, described below, occupies no space in the file, and its offset member locates the conceptual placement in the file.

    type
        Integer with one of the following values:

        SHT_NULL
            This value marks the section header as inactive; it does not have an associated section. Other members of the section header have undefined values.
        SHT_PROGBITS
            The section holds information defined by the program, whose format and meaning are determined solely by the program.
        SHT_SYMTAB
            The section holds a symbol table.
        SHT_STRTAB
            The section holds a string table. An object file may have multiple string table sections.
        SHT_RELA
            The section holds relocation entries with explicit addends.
        SHT_HASH
            The section holds a symbol hash table.
        SHT_DYNAMIC
            The section holds information for dynamic linking.
        SHT_NOTE
            The section holds information that marks the file in some way.
        SHT_NOBITS
            A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.
        SHT_REL
            The section holds relocation entries without explicit addends.
        SHT_SHLIB
            This section type is reserved but has unspecified semantics.
        SHT_DYNSYM
            The section holds dynamic linking symbols.

    flags
        Integer with the section's flags as defined below:

        SHF_WRITE
            The section contains data that should be writable during process execution.
        SHF_ALLOC
            The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.
        SHF_EXECINSTR
            The section contains executable machine instructions.

        Example: elf.sections[2].flags & elf.SHF_WRITE
number_of_segments
    New in version 3.4.0.

    Number of segments in the ELF file.
segments
    New in version 3.4.0.

    A zero-based array of segment objects, one for each segment (program header entry) the ELF has. Individual segments can be accessed by using the [] operator. Segments, not sections, are what the loader uses to map the file, so conditions written against them are harder to defeat by tampering with section headers. Each segment object has the following attributes:

    alignment
        Value to which the segment is aligned in memory and in the file.

    file_size
        Number of bytes in the file image of the segment. It may be zero.

    flags
        A combination of the following segment flags:

        PF_R
            The segment is readable.
        PF_W
            The segment is writable.
        PF_X
            The segment is executable.

    memory_size
        Number of bytes in the memory image of the segment. It may be zero.

    offset
        Offset from the beginning of the file where the segment resides.

    physical_address
        On systems for which physical addressing is relevant, contains the segment's physical address.

    type
        Type of segment, indicated by one of the following values:

        PT_NULL
            Unused entry.
        PT_LOAD
            Loadable segment, mapped into memory by the loader.
        PT_DYNAMIC
            Dynamic linking information.
        PT_INTERP
            Path of the program interpreter (dynamic linker).
        PT_NOTE
            Auxiliary information (notes).
        PT_SHLIB
            Reserved, with unspecified semantics.
        PT_PHDR
            Location and size of the program header table itself.
        PT_LOPROC
            Start of the range reserved for processor-specific semantics.
        PT_HIPROC
            End of the range reserved for processor-specific semantics.
        PT_GNU_STACK
            GNU extension whose flags describe the permissions the stack should get; toolchains mark a non-executable stack by emitting this segment without PF_X.

    virtual_address
        Virtual address at which the segment resides in memory.
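Worked example, added to this page and not part of YARA or its documentation: a small Python parser that pulls the fields the elf module exposes (type, machine, entry_point, sections with their name/size/offset/type/flags, segments with their type/flags/sizes) out of an ELF64 image, and then evaluates the checks rule authors usually reach for these fields to write: a PT_LOAD segment that is both writable and executable, a PT_GNU_STACK carrying PF_X, and a SHT_NOBITS section whose size is not backed by file bytes. The struct layouts and constants come from the ELF specification; the sample image is constructed in memory for the example (it is not a real program), and yara-python is not used. The matching YARA conditions are quoted in the comments.

```python
"""Added example (not YARA's own code): parse ELF64 fields the elf module exposes and run rule-style checks."""
import struct

# Constants from the ELF specification (the elf module exposes the same values)
ET_EXEC, EM_X86_64 = 2, 62
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian: e_ident .. e_shstrndx
PHDR = "<IIQQQQQQ"          # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
SHDR = "<IIQQQQIIQQ"        # Elf64_Shdr: sh_name sh_type sh_flags sh_addr sh_offset sh_size ...


def parse_elf64(data):
    """Return a dict shaped like the elf module's fields (type, machine, entry_point,
    number_of_sections, sections, number_of_segments, segments)."""
    (ident, e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize,
     e_phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    keys = ("type", "flags", "offset", "virtual_address", "physical_address",
            "file_size", "memory_size", "alignment")
    segments = [dict(zip(keys, struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)))
                for i in range(e_phnum)]
    raw = [struct.unpack_from(SHDR, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    sections = []
    for sh_name, sh_type, sh_flags, _, sh_offset, sh_size, *_ in raw:
        name = ""
        if e_shstrndx < e_shnum:  # sh_name is an index into the .shstrtab string table
            start = raw[e_shstrndx][4] + sh_name
            name = data[start:data.index(b"\x00", start)].decode()
        sections.append(dict(name=name, size=sh_size, offset=sh_offset,
                             type=sh_type, flags=sh_flags))
    return dict(type=e_type, machine=e_machine, entry_point=e_entry,
                number_of_sections=e_shnum, sections=sections,
                number_of_segments=e_phnum, segments=segments)


def wx_load_segments(elf):
    """Indices of PT_LOAD segments that are writable and executable at once.
    YARA: for any i in (0..elf.number_of_segments - 1) : (elf.segments[i].type == elf.PT_LOAD and
          elf.segments[i].flags & elf.PF_W != 0 and elf.segments[i].flags & elf.PF_X != 0)"""
    return [i for i, s in enumerate(elf["segments"])
            if s["type"] == PT_LOAD and (s["flags"] & (PF_W | PF_X)) == (PF_W | PF_X)]


def has_executable_stack(elf):
    """True if PT_GNU_STACK is absent or carries PF_X (toolchains mark a
    non-executable stack by emitting PT_GNU_STACK without PF_X)."""
    stack = [s for s in elf["segments"] if s["type"] == PT_GNU_STACK]
    return not stack or bool(stack[0]["flags"] & PF_X)


def bytes_in_file(section):
    """File bytes a section occupies: sh_size, except for SHT_NOBITS (e.g. .bss)."""
    return 0 if section["type"] == SHT_NOBITS else section["size"]


def build_sample_elf64():
    """Constructed sample, not a real program: one RWX PT_LOAD, an RWX PT_GNU_STACK,
    and sections .text, .bss (SHT_NOBITS) and .shstrtab."""
    shstrtab = b"\x00.text\x00.bss\x00.shstrtab\x00"  # name offsets 1, 7, 12
    code, text_off, str_off, shdr_off = b"\x90" * 16, 0x100, 0x110, 0x130
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\x00" * 9, ET_EXEC, EM_X86_64,
                       1, 0x400000 + text_off, 64, shdr_off, 0, 64, 56, 2, 64, 4, 3)
    phdrs = struct.pack(PHDR, PT_LOAD, PF_R | PF_W | PF_X, 0, 0x400000, 0x400000,
                        shdr_off, 0x1200, 0x1000)
    phdrs += struct.pack(PHDR, PT_GNU_STACK, PF_R | PF_W | PF_X, 0, 0, 0, 0, 0, 16)
    shdrs = struct.pack(SHDR, 0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack(SHDR, 1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR,
                         0x400000 + text_off, text_off, len(code), 0, 0, 16, 0)
    shdrs += struct.pack(SHDR, 7, SHT_NOBITS, SHF_ALLOC | SHF_WRITE, 0x401000,
                         str_off + len(shstrtab), 0x1000, 0, 0, 16, 0)  # 0x1000 bytes, none in file
    shdrs += struct.pack(SHDR, 12, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    img = bytearray(shdr_off + len(shdrs))
    img[:len(ehdr) + len(phdrs)] = ehdr + phdrs
    img[text_off:text_off + len(code)] = code
    img[str_off:str_off + len(shstrtab)] = shstrtab
    img[shdr_off:] = shdrs
    return bytes(img)


def scan(data):
    """Evaluate the rule-style checks against an ELF image and return the findings."""
    elf = parse_elf64(data)
    return dict(
        x86_64_exec=elf["type"] == ET_EXEC and elf["machine"] == EM_X86_64,
        wx_segments=wx_load_segments(elf),
        executable_stack=has_executable_stack(elf),
        nobits_sections=[s["name"] for s in elf["sections"]
                         if s["type"] == SHT_NOBITS and s["size"] > bytes_in_file(s)],
    )


if __name__ == "__main__":
    print(scan(build_sample_elf64()))
```

On the constructed image, scan() reports the RWX PT_LOAD at index 0, an executable stack, and .bss as a section whose 0x1000-byte size occupies no file bytes; the same three conditions, written against elf.segments and elf.sections as in the comments, are what the corresponding YARA rules would evaluate. The segment checks do not depend on section headers at all, which is why they remain useful on packed samples that report number_of_sections == 0.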