ELF module¶

New in version 3.2.0.

The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in an ELF header. Let's see some examples:

import "elf"

rule single_section
{
    condition:
        elf.number_of_sections == 1
}

rule elf_64
{
    condition:
        elf.machine == elf.EM_X86_64
}

Reference¶

type type¶

Integer with one of the following values:

type ET_NONE¶: No file type.

type ET_REL¶: Relocatable file.

type ET_EXEC¶: Executable file.

type ET_DYN¶: Shared object file.

type ET_CORE¶: Core file.

Example: elf.type == elf.ET_EXEC

type machine¶

Integer with one of the following values:

type EM_NONE¶

type EM_M32¶

type EM_SPARC¶

type EM_386¶

type EM_68K¶

type EM_88K¶

type EM_860¶

type EM_MIPS¶

type EM_MIPS_RS3_LE¶

type EM_PPC¶

type EM_PPC64¶

type EM_ARM¶

type EM_X86_64¶

type EM_AARCH64¶

Example: elf.machine == elf.EM_X86_64

type entry_point¶: Entry point raw offset or virtual address depending on whether YARA is scanning a file or process memory respectively. This is equivalent to the deprecated entrypoint keyword.

type number_of_sections¶: Number of sections in the ELF file.

type sections¶

A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

name

Section's name.

Example: elf.sections[3].name == ".bss"

size: Section's size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

offset: Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS described below, occupies no space in the file, and its offset member locates the conceptual placement in the file.

type

Integer with one of the following values:

type SHT_NULL¶: This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.

type SHT_PROGBITS¶: The section holds information defined by the program, whose format and meaning are determined solely by the program.

type SHT_SYMTAB¶: The section holds a symbol table.

type SHT_STRTAB¶: The section holds a string table. An object file may have multiple string table sections.

type SHT_RELA¶: The section holds relocation entries.

type SHT_HASH¶: The section holds a symbol hash table.

type SHT_DYNAMIC¶: The section holds information for dynamic linking.

type SHT_NOTE¶: The section holds information that marks the file in some way.

type SHT_NOBITS¶: A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.

type SHT_REL¶: The section holds relocation entries.

type SHT_SHLIB¶: This section type is reserved but has unspecified semantics.

type SHT_DYNSYM¶: This section holds dynamic linking symbols.

flags

Integer with section's flags as defined below:

type SHF_WRITE¶: The section contains data that should be writable during process execution.

type SHF_ALLOC¶: The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.

type SHF_EXECINSTR¶: The section contains executable machine instructions.

Example: elf.sections[2].flags & elf.SHF_WRITE

address: New in version 3.6.0.

The virtual address the section starts at.

type number_of_segments¶: New in version 3.4.0.

Number of segments in the ELF file.

type segments¶

New in version 3.4.0.

A zero-based array of segment objects, one for each segment the ELF has. Individual segments can be accessed by using the [] operator. Each segment object has the following attributes:

alignment: Value to which the segments are aligned in memory and in the file.

file_size: Number of bytes in the file image of the segment. It may be zero.

flags

A combination of the following segment flags:

type PF_R¶: The segment is readable.

type PF_W¶: The segment is writable.

type PF_X¶: The segment is executable.

memory_size: In-memory segment size.

offset: Offset from the beginning of the file where the segment resides.

physical_address: On systems for which physical addressing is relevant, contains the segment's physical address.

type

Type of segment indicated by one of the following values:

type PT_NULL¶

type PT_LOAD¶

type PT_DYNAMIC¶

type PT_INTERP¶

type PT_NOTE¶

type PT_SHLIB¶

type PT_PHDR¶

type PT_LOPROC¶

type PT_HIPROC¶

type PT_GNU_STACK¶

virtual_address: Virtual address at which the segment resides in memory.

type dynamic_section_entries¶: New in version 3.6.0.

Number of entries in the dynamic section in the ELF file.

type dynamic¶

New in version 3.6.0.

A zero-based array of dynamic objects, one for each entry in found in the ELF's dynamic section. Individual dynamic objects can be accessed by using the [] operator. Each dynamic object has the following attributes:

type

Value that describes the type of dynamic section. Builtin values are:

type DT_NULL¶

type DT_NEEDED¶

type DT_PLTRELSZ¶

type DT_PLTGOT¶

type DT_HASH¶

type DT_STRTAB¶

type DT_SYMTAB¶

type DT_RELA¶

type DT_RELASZ¶

type DT_RELAENT¶

type DT_STRSZ¶

type DT_SYMENT¶

type DT_INIT¶

type DT_FINI¶

type DT_SONAME¶

type DT_RPATH¶

type DT_SYMBOLIC¶

type DT_REL¶

type DT_RELSZ¶

type DT_RELENT¶

type DT_PLTREL¶

type DT_DEBUG¶

type DT_TEXTREL¶

type DT_JMPREL¶

type DT_BIND_NOW¶

type DT_INIT_ARRAY¶

type DT_FINI_ARRAY¶

type DT_INIT_ARRAYSZ¶

type DT_FINI_ARRAYSZ¶

type DT_RUNPATH¶

type DT_FLAGS¶

type DT_ENCODING¶

value: A value associated with the given type. The type of value (address, size, etc.) is dependant on the type of dynamic entry.

type symtab_entries¶: New in version 3.6.0.

Number of entries in the symbol table found in the ELF file.

type symtab¶

New in version 3.6.0.

A zero-based array of symbol objects, one for each entry in found in the ELF's SYMBTAB. Individual symbol objects can be accessed by using the [] operator. Each symbol object has the following attributes:

name: The symbol's name.

value: A value associated with the symbol. Generally a virtual address.

size: The symbol's size.

type

The type of symbol. Built values are:

type STT_NOTYPE¶

type STT_OBJECT¶

type STT_FUNC¶

type STT_SECTION¶

type STT_FILE¶

type STT_COMMON¶

type STT_TLS¶

bind

The binding of the symbol. Builtin values are:

type STB_LOCAL¶

type STB_GLOBAL¶

type STB_WEAK¶

shndx: The section index which the symbol is associated with.

telfhash(): Function returning Telfhash - TLSH hash of the ELF export and import symbols.

Example: elf.telfhash() == "t166a00284751084526486df8b5df5b2fccb3f511dbc188c37156f5e714a11bc5d71014d"

import_md5(): Function returning Import Hash - MD5 hash of the ELF imported symbols.

Example: elf.import_md5() == "c3eca50cbb03400a6e91b9fe48da0c0c"