ELF module
New in version 3.2.0.
The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in an ELF header. Let's see some examples:
import "elf"

rule single_section
{
    condition:
        elf.number_of_sections == 1
}

rule elf_64
{
    condition:
        elf.machine == elf.EM_X86_64
}
Reference
- type
Integer with one of the following values:
- ET_NONE
No file type.
- ET_REL
Relocatable file.
- ET_EXEC
Executable file.
- ET_DYN
Shared object file.
- ET_CORE
Core file.
Example: elf.type == elf.ET_EXEC
- machine
Integer with one of the following values:
- EM_M32
- EM_SPARC
- EM_386
- EM_68K
- EM_88K
- EM_860
- EM_MIPS
- EM_ARM
- EM_X86_64
Example: elf.machine == elf.EM_X86_64
- entry_point
Entry point as a raw file offset or as a virtual address, depending on whether YARA is scanning a file or process memory respectively. This is equivalent to the deprecated entrypoint keyword.
- number_of_sections
Number of sections in the ELF file.
- sections
A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:
- name
Section's name.
Example: elf.sections[3].name == ".bss"
- size
Section's size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of type SHT_NOBITS may have a non-zero size, but it occupies no space in the file.
- offset
Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS (described below), occupies no space in the file, and its offset member locates the conceptual placement in the file.
- type
Integer with one of the following values:
- SHT_NULL
This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.
- SHT_PROGBITS
The section holds information defined by the program, whose format and meaning are determined solely by the program.
- SHT_SYMTAB
The section holds a symbol table.
- SHT_STRTAB
The section holds a string table. An object file may have multiple string table sections.
- SHT_RELA
The section holds relocation entries.
- SHT_HASH
The section holds a symbol hash table.
- SHT_DYNAMIC
The section holds information for dynamic linking.
- SHT_NOTE
The section holds information that marks the file in some way.
- SHT_NOBITS
A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.
- SHT_REL
The section holds relocation entries.
- SHT_SHLIB
This section type is reserved but has unspecified semantics.
- SHT_DYNSYM
This section holds dynamic linking symbols.
- flags
Integer with the section's flags as defined below:
- SHF_WRITE
The section contains data that should be writable during process execution.
- SHF_ALLOC
The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.
- SHF_EXECINSTR
The section contains executable machine instructions.
Example: elf.sections[2].flags & elf.SHF_WRITE
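To show where the values above come from, here is an added Python example (not part of the YARA documentation or of YARA's own elf module code) that parses a little-endian ELF64 header and its section header table and returns the same fields the module exposes: type, machine, entry_point, number_of_sections and, per section, name, size, offset, type and flags. The sample binary is constructed in memory (three sections: .text, .bss and .shstrtab) rather than taken from a real file, and the translation of e_entry into a raw file offset through the section headers is this example's approximation of what a file scan reports, not YARA's own mapping. The bounds checks on the section header table are the part a scanner cannot skip: a truncated or hand-edited header must raise rather than read past the buffer.

```python
import struct

# Constants from the ELF specification; the same values YARA's elf module exposes.
ET_NONE, ET_REL, ET_EXEC, ET_DYN, ET_CORE = 0, 1, 2, 3, 4
EM_386, EM_MIPS, EM_ARM, EM_X86_64 = 3, 8, 40, 62
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4

ELF_MAGIC, ELFCLASS64, ELFDATA2LSB = b"\x7fELF", 2, 1
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR64 = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, little-endian


def _cstring(buf, off):
    """NUL-terminated name at buf[off:]; empty string if off is out of range."""
    if off >= len(buf):
        return ""
    end = buf.find(b"\0", off)
    return buf[off:end if end >= 0 else len(buf)].decode("ascii", "replace")


def parse_elf64(data):
    """Return the page's fields for a little-endian ELF64 image.

    Raises ValueError instead of reading past the buffer, which is what a
    scanner must do for a truncated or deliberately malformed header.
    """
    if len(data) < EHDR64.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled in this example")
    (_, e_type, e_machine, _, e_entry, _, e_shoff, _, _, _, _,
     e_shentsize, e_shnum, e_shstrndx) = EHDR64.unpack_from(data, 0)
    if e_shnum and (e_shentsize < SHDR64.size or e_shoff + e_shnum * e_shentsize > len(data)):
        raise ValueError("section header table lies outside the file")

    raw = [SHDR64.unpack_from(data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    strtab = b""
    if e_shstrndx < e_shnum:                     # section name string table
        _, _, _, _, off, size, *_ = raw[e_shstrndx]
        strtab = data[off:off + size]            # slicing never overruns the buffer

    sections = []
    for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_ in raw:
        sections.append({
            "name": _cstring(strtab, sh_name),
            "size": sh_size,       # SHT_NOBITS reports a size but occupies no file bytes
            "offset": sh_offset,
            "type": sh_type,
            "flags": sh_flags,
            "address": sh_addr,    # kept only for the entry-point translation below
        })

    # File scans see the entry point as a raw offset: locate the allocated,
    # file-backed section containing e_entry (assumed mapping, see lead-in).
    entry_offset = None
    for s in sections:
        if (s["flags"] & SHF_ALLOC) and s["type"] != SHT_NOBITS \
                and s["address"] <= e_entry < s["address"] + s["size"]:
            entry_offset = s["offset"] + (e_entry - s["address"])
            break

    return {
        "type": e_type,
        "machine": e_machine,
        "entry_point_va": e_entry,      # what a process-memory scan would see
        "entry_point": entry_offset,    # what a file scan would see; None if unmapped
        "number_of_sections": e_shnum,
        "sections": sections,
    }


def evaluate_page_rules(info):
    """Python equivalents of the conditions shown on the page."""
    return {
        "single_section": info["number_of_sections"] == 1,
        "elf_64": info["machine"] == EM_X86_64,
        "is_executable": info["type"] == ET_EXEC,
        "bss_present": any(s["name"] == ".bss" for s in info["sections"]),
        "writable": [s["name"] for s in info["sections"] if s["flags"] & SHF_WRITE],
        "file_backed_bytes": sum(s["size"] for s in info["sections"]
                                 if s["type"] != SHT_NOBITS),
    }


def build_sample():
    """Constructed minimal ELF64 executable (not a real binary)."""
    shstrtab = b"\0.text\0.bss\0.shstrtab\0"   # name offsets: .text=1 .bss=7 .shstrtab=12
    text = b"\x90\x90\x90\xc3"                  # nop nop nop ret
    text_off = EHDR64.size
    str_off = text_off + len(text)
    shoff = 96                                  # 8-byte-aligned section header table
    shdrs = [
        SHDR64.pack(0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0),
        SHDR64.pack(1, SHT_PROGBITS, SHF_ALLOC | SHF_EXECINSTR, 0x401000,
                    text_off, len(text), 0, 0, 16, 0),
        SHDR64.pack(7, SHT_NOBITS, SHF_ALLOC | SHF_WRITE, 0x402000,
                    str_off + len(shstrtab), 0x1000, 0, 0, 16, 0),
        SHDR64.pack(12, SHT_STRTAB, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\0" * 7
    ehdr = EHDR64.pack(ident, ET_EXEC, EM_X86_64, 1, 0x401000, 0, shoff, 0,
                       EHDR64.size, 0, 0, SHDR64.size, len(shdrs), 3)
    body = ehdr + text + shstrtab
    return body + b"\0" * (shoff - len(body)) + b"".join(shdrs)


if __name__ == "__main__":
    info = parse_elf64(build_sample())
    for s in info["sections"]:
        print(f'{s["name"]:<10} type={s["type"]} flags={s["flags"]:#x} '
              f'offset={s["offset"]} size={s["size"]}')
    print(evaluate_page_rules(info))
```

Running the script lists the four sections of the constructed sample (the mandatory SHT_NULL entry at index 0, then .text, .bss and .shstrtab) and evaluates the page's conditions against them; .bss is the only writable section and, being SHT_NOBITS, contributes to the reported size but not to the bytes present in the file, which is exactly the distinction the size and offset descriptions above draw.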