ELF module

New in version 3.2.0.

The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in an ELF header. Let's see some examples:

import "elf"

rule single_section
{
    condition:
        elf.number_of_sections == 1
}

rule elf_64
{
    condition:
        elf.machine == elf.EM_X86_64
}

Reference

type

Integer with one of the following values:

ET_NONE

No file type.

ET_REL

Relocatable file.

ET_EXEC

Executable file.

ET_DYN

Shared object file.

ET_CORE

Core file.

Example: elf.type == elf.ET_EXEC

machine

Integer with one of the following values:

EM_M32
EM_SPARC
EM_386
EM_68K
EM_88K
EM_860
EM_MIPS
EM_MIPS_RS3_LE
EM_PPC
EM_PPC64
EM_ARM
EM_X86_64
EM_AARCH64

Example: elf.machine == elf.EM_X86_64

entry_point

Entry point raw offset or virtual address, depending on whether YARA is scanning a file or process memory, respectively. This is equivalent to the deprecated entrypoint keyword.

number_of_sections

Number of sections in the ELF file.

sections

A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

name

Section’s name.

Example: elf.sections[3].name == ".bss"

size

Section’s size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

offset

Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS (described below), occupies no space in the file; its offset member locates the conceptual placement in the file.

type

Integer with one of the following values:

SHT_NULL

This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.

SHT_PROGBITS

The section holds information defined by the program, whose format and meaning are determined solely by the program.

SHT_SYMTAB

The section holds a symbol table.

SHT_STRTAB

The section holds a string table. An object file may have multiple string table sections.

SHT_RELA

The section holds relocation entries.

SHT_HASH

The section holds a symbol hash table.

SHT_DYNAMIC

The section holds information for dynamic linking.

SHT_NOTE

The section holds information that marks the file in some way.

SHT_NOBITS

A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.

SHT_REL

The section holds relocation entries.

SHT_SHLIB

This section type is reserved but has unspecified semantics.

SHT_DYNSYM

This section holds dynamic linking symbols.

flags

Integer with the section's flags as defined below:

SHF_WRITE

The section contains data that should be writable during process execution.

SHF_ALLOC

The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.

SHF_EXECINSTR

The section contains executable machine instructions.

Example: elf.sections[2].flags & elf.SHF_WRITE

number_of_segments

New in version 3.4.0.

Number of segments in the ELF file.

segments

New in version 3.4.0.

A zero-based array of segment objects, one for each segment the ELF has. Individual segments can be accessed by using the [] operator. Each segment object has the following attributes:

alignment

Value to which the segment is aligned in memory and in the file.

file_size

Number of bytes in the file image of the segment. It may be zero.

flags

A combination of the following segment flags:

PF_R

The segment is readable.

PF_W

The segment is writable.

PF_X

The segment is executable.

memory_size

Size of the segment in memory.

offset

Offset from the beginning of the file where the segment resides.

physical_address

On systems for which physical addressing is relevant, contains the segment’s physical address.

type

Type of segment indicated by one of the following values:

PT_NULL
PT_LOAD
PT_DYNAMIC
PT_INTERP
PT_NOTE
PT_SHLIB
PT_PHDR
PT_LOPROC
PT_HIPROC
PT_GNU_STACK

virtual_address

Virtual address at which the segment resides in memory.
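As an added example (not part of the YARA documentation), the rules below combine the segment and section fields above to flag ELF files whose memory layout weakens W^X: a PT_LOAD segment that is both writable and executable, a PT_GNU_STACK marked executable, or a writable .text section. The rule names are my own.

```yara
import "elf"

// Added example, not from the YARA docs: loadable segments that are
// writable and executable at once, or an executable stack request.
rule elf_wx_segment_or_exec_stack
{
    meta:
        description = "ELF with a W+X PT_LOAD segment or an executable PT_GNU_STACK"
    condition:
        elf.number_of_segments > 0 and
        (
            // Any PT_LOAD segment carrying both PF_W and PF_X
            (for any i in (0..elf.number_of_segments - 1): (
                elf.segments[i].type == elf.PT_LOAD and
                (elf.segments[i].flags & elf.PF_W) != 0 and
                (elf.segments[i].flags & elf.PF_X) != 0
            ))
            or
            // PT_GNU_STACK with PF_X set asks the loader for an executable stack
            (for any i in (0..elf.number_of_segments - 1): (
                elf.segments[i].type == elf.PT_GNU_STACK and
                (elf.segments[i].flags & elf.PF_X) != 0
            ))
        )
}

// Added example: a .text section whose header says it should be writable
// in the process image, which a normal toolchain does not emit.
rule elf_writable_text_section
{
    condition:
        elf.number_of_sections > 0 and
        for any i in (0..elf.number_of_sections - 1): (
            elf.sections[i].name == ".text" and
            (elf.sections[i].flags & elf.SHF_WRITE) != 0 and
            (elf.sections[i].flags & elf.SHF_EXECINSTR) != 0
        )
}
```

Both rules only read header fields, so they are cheap to run across a corpus; a match is a triage signal (packers and self-modifying loaders commonly produce such layouts), not proof of malice on its own.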