ELF module¶

New in version 3.2.0.

The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in a ELF header. Let’s see some examples:

import "elf"

rule single_section
{
    condition:
        elf.number_of_sections == 1
}

rule elf_64
{
    condition:
        elf.machine == elf.EM_X86_64
}

Reference¶

type¶

Integer with one of the following values:

ET_NONE¶: No file type.

ET_REL¶: Relocatable file.

ET_EXEC¶: Executable file.

ET_DYN¶: Shared object file.

ET_CORE¶: Core file.

Example: elf.type == elf.ET_EXEC

machine¶

Integer with one of the following values:

EM_M32¶

EM_SPARC¶

EM_386¶

EM_68K¶

EM_88K¶

EM_860¶

EM_MIPS¶

EM_ARM"

EM_MIPS

EM_X86_64¶

Example: elf.machine == elf.EM_X86_64

entry_point¶: Entry point raw offset or virtual address depending if YARA is scanning a file or process memory respectively. This is equivalent to the deprecated entrypoint keyword.

number_of_sections¶: Number of sections in the ELF file.

sections¶

An zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

name¶

Section’s name.

Example: elf.section[3].name == ”.bss”

size¶: Section’s size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

offset¶: Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS described below, occupies no space in the file, and its offset member locates the conceptual placement in the file.

type¶

Integer with one of the following value:

SHT_NULL¶: This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.

SHT_PROGBITS¶: The section holds information defined by the program, whose format and meaning are determined solely by the program.

SHT_SYMTAB¶: The section hold a symbol table.

SHT_STRTAB¶: The section holds a string table. An object file may have multiple string table sections.

SHT_RELA¶: The section holds relocation entries.

SHT_HASH¶: The section holds a symbol hash table.

SHT_DYNAMIC¶: The section holds information for dynamic linking.

SHT_NOTE¶: The section holds information that marks the file in some way.

SHT_NOBITS¶: A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.

SHT_REL¶: The section holds relocation entries.

SHT_SHLIB¶: This section type is reserved but has unspecified semantics.

SHT_DYNSYM¶: This section holds dynamic linking symbols.

flags¶

Integer with sections’s flags as defined below:

SHF_WRITE¶: The section contains data that should be writable during process execution.

SHF_ALLOC¶: The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.

SHF_EXECINSTR¶: The section contains executable machine instructions.

Example: elf.section[2].flags & elf.SHF_WRITE