ELF module
New in version 3.2.0.
The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in an ELF header. Let's see some examples:
    import "elf"

    rule single_section
    {
        condition:
            elf.number_of_sections == 1
    }

    rule elf_64
    {
        condition:
            elf.machine == elf.EM_X86_64
    }
Reference
type
    Integer with one of the following values:

    ET_NONE
        No file type.
    ET_REL
        Relocatable file.
    ET_EXEC
        Executable file.
    ET_DYN
        Shared object file.
    ET_CORE
        Core file.

    Example: elf.type == elf.ET_EXEC
machine
    Integer with one of the following values:

    EM_NONE
    EM_M32
    EM_SPARC
    EM_386
    EM_68K
    EM_88K
    EM_860
    EM_MIPS
    EM_MIPS_RS3_LE
    EM_PPC
    EM_PPC64
    EM_ARM
    EM_X86_64
    EM_AARCH64

    Example: elf.machine == elf.EM_X86_64
entry_point
    Entry point raw offset or virtual address, depending on whether YARA is scanning a file or process memory respectively. This is equivalent to the deprecated entrypoint keyword.

number_of_sections
    Number of sections in the ELF file.
sections
    A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

    name
        Section's name.

        Example: elf.sections[3].name == ".bss"

    size
        Section's size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of type SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

    offset
        Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS, described below, occupies no space in the file, and its offset member locates the conceptual placement in the file.

    type
        Integer with one of the following values:

        SHT_NULL
            This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.
        SHT_PROGBITS
            The section holds information defined by the program, whose format and meaning are determined solely by the program.
        SHT_SYMTAB
            The section holds a symbol table.
        SHT_STRTAB
            The section holds a string table. An object file may have multiple string table sections.
        SHT_RELA
            The section holds relocation entries.
        SHT_HASH
            The section holds a symbol hash table.
        SHT_DYNAMIC
            The section holds information for dynamic linking.
        SHT_NOTE
            The section holds information that marks the file in some way.
        SHT_NOBITS
            A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.
        SHT_REL
            The section holds relocation entries.
        SHT_SHLIB
            This section type is reserved but has unspecified semantics.
        SHT_DYNSYM
            This section holds dynamic linking symbols.

    flags
        Integer with the section's flags as defined below:

        SHF_WRITE
            The section contains data that should be writable during process execution.
        SHF_ALLOC
            The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.
        SHF_EXECINSTR
            The section contains executable machine instructions.

        Example: elf.sections[2].flags & elf.SHF_WRITE

    address
        New in version 3.6.0.

        The virtual address the section starts at.
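As an added example (not from the YARA documentation), two rules that walk the sections array for header anomalies an analyst would want surfaced: a section that is both writable and executable, and a section that claims file bytes but whose offset plus size runs past the end of the file. filesize is YARA's built-in file-size keyword.

```yara
import "elf"

// Added example, not part of the YARA ELF module docs.
// Rule 1: any section whose flags carry both SHF_WRITE and SHF_EXECINSTR
//         (a W^X violation that ordinary toolchains do not produce).
// Rule 2: a section that occupies file bytes (type != SHT_NOBITS) but whose
//         [offset, offset + size) range extends past the end of the file,
//         which points to a truncated or hand-edited section table.
// The number_of_sections > 0 guard keeps the (0..n-1) range well-formed.

rule elf_section_writable_and_executable
{
    condition:
        elf.number_of_sections > 0 and
        for any i in (0..elf.number_of_sections - 1) : (
            (elf.sections[i].flags & elf.SHF_WRITE) != 0 and
            (elf.sections[i].flags & elf.SHF_EXECINSTR) != 0
        )
}

rule elf_section_past_end_of_file
{
    condition:
        elf.number_of_sections > 0 and
        for any i in (0..elf.number_of_sections - 1) : (
            elf.sections[i].type != elf.SHT_NOBITS and
            elf.sections[i].size > 0 and
            elf.sections[i].offset + elf.sections[i].size > filesize
        )
}
```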
number_of_segments
    New in version 3.4.0.

    Number of segments in the ELF file.

segments
    New in version 3.4.0.

    A zero-based array of segment objects, one for each segment the ELF has. Individual segments can be accessed by using the [] operator. Each segment object has the following attributes:

    alignment
        Value to which the segments are aligned in memory and in the file.

    file_size
        Number of bytes in the file image of the segment. It may be zero.

    flags
        A combination of the following segment flags:

        PF_R
            The segment is readable.
        PF_W
            The segment is writable.
        PF_X
            The segment is executable.

    memory_size
        In-memory segment size.

    offset
        Offset from the beginning of the file where the segment resides.

    physical_address
        On systems for which physical addressing is relevant, contains the segment's physical address.

    type
        Type of segment, indicated by one of the following values:

        PT_NULL
        PT_LOAD
        PT_DYNAMIC
        PT_INTERP
        PT_NOTE
        PT_SHLIB
        PT_PHDR
        PT_LOPROC
        PT_HIPROC
        PT_GNU_STACK

    virtual_address
        Virtual address at which the segment resides in memory.
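As an added example (not from the YARA documentation), two rules over the segments array: one flags a PT_GNU_STACK header that requests an executable stack, the other flags a file whose entry point does not fall inside the file image of any executable PT_LOAD segment, using the fact that elf.entry_point is a raw file offset when a file is scanned.

```yara
import "elf"

// Added example, not part of the YARA ELF module docs.
// Rule 1: a PT_GNU_STACK program header whose flags include PF_X asks the
//         loader for an executable stack.
// Rule 2: the entry point does not land inside any executable PT_LOAD
//         segment's file image. elf.entry_point is a raw file offset when
//         scanning a file, so it is compared with offset/file_size rather
//         than virtual_address; the rule is meant for file scans, not
//         process-memory scans. Shared libraries with a zero entry point
//         also match; drop ET_DYN from the first clause if that is noise.

rule elf_executable_stack
{
    condition:
        elf.number_of_segments > 0 and
        for any i in (0..elf.number_of_segments - 1) : (
            elf.segments[i].type == elf.PT_GNU_STACK and
            (elf.segments[i].flags & elf.PF_X) != 0
        )
}

rule elf_entry_point_outside_code
{
    condition:
        (elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN) and
        elf.number_of_segments > 0 and
        not for any i in (0..elf.number_of_segments - 1) : (
            elf.segments[i].type == elf.PT_LOAD and
            (elf.segments[i].flags & elf.PF_X) != 0 and
            elf.entry_point >= elf.segments[i].offset and
            elf.entry_point < elf.segments[i].offset + elf.segments[i].file_size
        )
}
```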
dynamic_section_entries
    New in version 3.6.0.

    Number of entries in the dynamic section of the ELF file.

dynamic
    New in version 3.6.0.

    A zero-based array of dynamic objects, one for each entry found in the ELF's dynamic section. Individual dynamic objects can be accessed by using the [] operator. Each dynamic object has the following attributes:

    type
        Value that describes the type of the dynamic entry. Builtin values are:

        DT_NULL
        DT_NEEDED
        DT_PLTRELSZ
        DT_PLTGOT
        DT_HASH
        DT_STRTAB
        DT_SYMTAB
        DT_RELA
        DT_RELASZ
        DT_RELAENT
        DT_STRSZ
        DT_SYMENT
        DT_INIT
        DT_FINI
        DT_SONAME
        DT_RPATH
        DT_SYMBOLIC
        DT_REL
        DT_RELSZ
        DT_RELENT
        DT_PLTREL
        DT_DEBUG
        DT_TEXTREL
        DT_JMPREL
        DT_BIND_NOW
        DT_INIT_ARRAY
        DT_FINI_ARRAY
        DT_INIT_ARRAYSZ
        DT_FINI_ARRAYSZ
        DT_RUNPATH
        DT_FLAGS
        DT_ENCODING

    value
        A value associated with the given type. What the value represents (address, size, etc.) depends on the type of the dynamic entry.
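As an added example (not from the YARA documentation), two rules over the dynamic array: one detects text relocations, either as a DT_TEXTREL tag or as the DF_TEXTREL bit inside a DT_FLAGS value, and the other flags the deprecated DT_RPATH tag. The 0x4 bit value is the ELF gABI's DF_TEXTREL, not an elf-module constant.

```yara
import "elf"

// Added example, not part of the YARA ELF module docs.
// Text relocations make the loader write into code pages at load time,
// which defeats W^X and is something modern toolchains avoid. The condition
// appears either as a DT_TEXTREL tag or as the DF_TEXTREL bit (0x4 in the
// ELF gABI; the elf module exposes no constant for it) in the DT_FLAGS
// value, so both forms are checked.
// DT_RPATH is the deprecated library search-path tag; it is consulted before
// LD_LIBRARY_PATH, so reviewing binaries that still carry it is worthwhile.

rule elf_text_relocations
{
    condition:
        elf.dynamic_section_entries > 0 and
        for any i in (0..elf.dynamic_section_entries - 1) : (
            elf.dynamic[i].type == elf.DT_TEXTREL or
            (
                elf.dynamic[i].type == elf.DT_FLAGS and
                (elf.dynamic[i].value & 0x4) != 0
            )
        )
}

rule elf_uses_deprecated_rpath
{
    condition:
        elf.dynamic_section_entries > 0 and
        for any i in (0..elf.dynamic_section_entries - 1) : (
            elf.dynamic[i].type == elf.DT_RPATH
        )
}
```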
symtab_entries
    New in version 3.6.0.

    Number of entries in the symbol table found in the ELF file.

symtab
    New in version 3.6.0.

    A zero-based array of symbol objects, one for each entry found in the ELF's SYMTAB. Individual symbol objects can be accessed by using the [] operator. Each symbol object has the following attributes:

    name
        The symbol's name.

    value
        A value associated with the symbol. Generally a virtual address.

    size
        The symbol's size.

    type
        The type of symbol. Builtin values are:

        STT_NOTYPE
        STT_OBJECT
        STT_FUNC
        STT_SECTION
        STT_FILE
        STT_COMMON
        STT_TLS

    shndx
        The index of the section the symbol is associated with.
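As an added example (not from the YARA documentation), a rule that uses shndx to join each symbol back to its section header and flags STT_FUNC symbols that live in a section without SHF_EXECINSTR, a sign that the symbol table and section headers disagree. The 0xff00 bound is the ELF gABI's SHN_LORESERVE, the start of the reserved index range (SHN_ABS, SHN_COMMON, ...), and is not an elf-module constant.

```yara
import "elf"

// Added example, not part of the YARA ELF module docs.
// For every STT_FUNC symbol, look up the section it points at via shndx and
// require that section to be executable. A code symbol in a non-executable
// section means the symbol table and section headers disagree, which shows
// up with corrupted or hand-edited tables.
// Index 0 (SHN_UNDEF) and indices >= 0xff00 (SHN_LORESERVE: SHN_ABS,
// SHN_COMMON and friends) do not name real sections and are skipped, as is
// any index beyond the actual section count.

rule elf_func_symbol_in_non_exec_section
{
    condition:
        elf.symtab_entries > 0 and
        elf.number_of_sections > 0 and
        for any i in (0..elf.symtab_entries - 1) : (
            elf.symtab[i].type == elf.STT_FUNC and
            elf.symtab[i].shndx > 0 and
            elf.symtab[i].shndx < 0xff00 and
            elf.symtab[i].shndx < elf.number_of_sections and
            (elf.sections[elf.symtab[i].shndx].flags & elf.SHF_EXECINSTR) == 0
        )
}
```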
telfhash()
    Function returning Telfhash, the TLSH hash of the ELF export and import symbols.

    Example: elf.telfhash() == "t166a00284751084526486df8b5df5b2fccb3f511dbc188c37156f5e714a11bc5d71014d"

import_md5()
    Function returning Import Hash, the MD5 hash of the ELF imported symbols.

    Example: elf.import_md5() == "c3eca50cbb03400a6e91b9fe48da0c0c"