ELF module

New in version 3.2.0.

The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in an ELF header. Let's see some examples:

import "elf"

rule single_section
{
    condition:
        elf.number_of_sections == 1
}

rule elf_64
{
    condition:
        elf.machine == elf.EM_X86_64
}

Reference

type

Integer with one of the following values:

ET_NONE

No file type.

ET_REL

Relocatable file.

ET_EXEC

Executable file.

ET_DYN

Shared object file.

ET_CORE

Core file.

Example: elf.type == elf.ET_EXEC

machine

Integer with one of the following values:

EM_NONE
EM_M32
EM_SPARC
EM_386
EM_68K
EM_88K
EM_860
EM_MIPS
EM_MIPS_RS3_LE
EM_PPC
EM_PPC64
EM_ARM
EM_X86_64
EM_AARCH64

Example: elf.machine == elf.EM_X86_64

entry_point

Entry point raw offset or virtual address depending on whether YARA is scanning a file or process memory respectively. This is equivalent to the deprecated entrypoint keyword.

number_of_sections

Number of sections in the ELF file.

sections

A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

name

Section's name.

Example: elf.sections[3].name == ".bss"

size

Section's size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

offset

Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS described below, occupies no space in the file, and its offset member locates the conceptual placement in the file.

type

Integer with one of the following values:

SHT_NULL

This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.

SHT_PROGBITS

The section holds information defined by the program, whose format and meaning are determined solely by the program.

SHT_SYMTAB

The section holds a symbol table.

SHT_STRTAB

The section holds a string table. An object file may have multiple string table sections.

SHT_RELA

The section holds relocation entries.

SHT_HASH

The section holds a symbol hash table.

SHT_DYNAMIC

The section holds information for dynamic linking.

SHT_NOTE

The section holds information that marks the file in some way.

SHT_NOBITS

A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.

SHT_REL

The section holds relocation entries.

SHT_SHLIB

This section type is reserved but has unspecified semantics.

SHT_DYNSYM

This section holds dynamic linking symbols.

flags

Integer with section's flags as defined below:

SHF_WRITE

The section contains data that should be writable during process execution.

SHF_ALLOC

The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.

SHF_EXECINSTR

The section contains executable machine instructions.

Example: elf.sections[2].flags & elf.SHF_WRITE

address

New in version 3.6.0.

The virtual address the section starts at.

number_of_segments

New in version 3.4.0.

Number of segments in the ELF file.

segments

New in version 3.4.0.

A zero-based array of segment objects, one for each segment the ELF has. Individual segments can be accessed by using the [] operator. Each segment object has the following attributes:

alignment

Value to which the segments are aligned in memory and in the file.

file_size

Number of bytes in the file image of the segment. It may be zero.

flags

A combination of the following segment flags:

PF_R

The segment is readable.

PF_W

The segment is writable.

PF_X

The segment is executable.

memory_size

In-memory segment size.

offset

Offset from the beginning of the file where the segment resides.

physical_address

On systems for which physical addressing is relevant, contains the segment's physical address.

type

Type of segment indicated by one of the following values:

PT_NULL
PT_LOAD
PT_DYNAMIC
PT_INTERP
PT_NOTE
PT_SHLIB
PT_PHDR
PT_LOPROC
PT_HIPROC
PT_GNU_STACK
virtual_address

Virtual address at which the segment resides in memory.

dynamic_section_entries

New in version 3.6.0.

Number of entries in the dynamic section in the ELF file.

dynamic

New in version 3.6.0.

A zero-based array of dynamic objects, one for each entry in found in the ELF's dynamic section. Individual dynamic objects can be accessed by using the [] operator. Each dynamic object has the following attributes:

type

Value that describes the type of dynamic section. Builtin values are:

DT_NULL
DT_NEEDED
DT_PLTRELSZ
DT_PLTGOT
DT_HASH
DT_STRTAB
DT_SYMTAB
DT_RELA
DT_RELASZ
DT_RELAENT
DT_STRSZ
DT_SYMENT
DT_INIT
DT_FINI
DT_SONAME
DT_RPATH
DT_SYMBOLIC
DT_REL
DT_RELSZ
DT_RELENT
DT_PLTREL
DT_DEBUG
DT_TEXTREL
DT_JMPREL
DT_BIND_NOW
DT_INIT_ARRAY
DT_FINI_ARRAY
DT_INIT_ARRAYSZ
DT_FINI_ARRAYSZ
DT_RUNPATH
DT_FLAGS
DT_ENCODING
value

A value associated with the given type. The type of value (address, size, etc.) is dependant on the type of dynamic entry.

symtab_entries

New in version 3.6.0.

Number of entries in the symbol table found in the ELF file.

symtab

New in version 3.6.0.

A zero-based array of symbol objects, one for each entry in found in the ELF's SYMBTAB. Individual symbol objects can be accessed by using the [] operator. Each symbol object has the following attributes:

name

The symbol's name.

value

A value associated with the symbol. Generally a virtual address.

size

The symbol's size.

type

The type of symbol. Built values are:

STT_NOTYPE
STT_OBJECT
STT_FUNC
STT_SECTION
STT_FILE
STT_COMMON
STT_TLS
bind

The binding of the symbol. Builtin values are:

STB_LOCAL
STB_GLOBAL
STB_WEAK
shndx

The section index which the symbol is associated with.

telfhash()

Function returning Telfhash - TLSH hash of the ELF export and import symbols.

Example: elf.telfhash() == "t166a00284751084526486df8b5df5b2fccb3f511dbc188c37156f5e714a11bc5d71014d"
import_md5()

Function returning Import Hash - MD5 hash of the ELF imported symbols.

Example: elf.import_md5() == "c3eca50cbb03400a6e91b9fe48da0c0c"