ELF module¶

New in version 3.2.0.

The ELF module is very similar to the PE module, but for ELF files. This module exposes most of the fields present in a ELF header. Let’s see some examples:

import "elf"

rule single_section
{
    condition:
        elf.number_of_sections == 1
}

rule elf_64
{
    condition:
        elf.machine == elf.EM_X86_64
}

Reference¶

type¶

Integer with one of the following values:

ET_NONE¶: No file type.

ET_REL¶: Relocatable file.

ET_EXEC¶: Executable file.

ET_DYN¶: Shared object file.

ET_CORE¶: Core file.

Example: elf.type == elf.ET_EXEC

machine¶

Integer with one of the following values:

EM_M32¶

EM_SPARC¶

EM_386¶

EM_68K¶

EM_88K¶

EM_860¶

EM_MIPS¶

EM_MIPS_RS3_LE¶

EM_PPC¶

EM_PPC64¶

EM_ARM¶

EM_X86_64¶

EM_AARCH64¶

Example: elf.machine == elf.EM_X86_64

entry_point¶: Entry point raw offset or virtual address depending if YARA is scanning a file or process memory respectively. This is equivalent to the deprecated entrypoint keyword.

number_of_sections¶: Number of sections in the ELF file.

sections¶

A zero-based array of section objects, one for each section the ELF has. Individual sections can be accessed by using the [] operator. Each section object has the following attributes:

name¶

Section’s name.

Example: elf.section[3].name == ”.bss”

size¶: Section’s size in bytes. Unless the section type is SHT_NOBITS, the section occupies sh_size bytes in the file. A section of SHT_NOBITS may have a non-zero size, but it occupies no space in the file.

offset¶: Offset from the beginning of the file to the first byte in the section. One section type, SHT_NOBITS described below, occupies no space in the file, and its offset member locates the conceptual placement in the file.

type¶

Integer with one of the following value:

SHT_NULL¶: This value marks the section as inactive; it does not have an associated section. Other members of the section header have undefined values.

SHT_PROGBITS¶: The section holds information defined by the program, whose format and meaning are determined solely by the program.

SHT_SYMTAB¶: The section hold a symbol table.

SHT_STRTAB¶: The section holds a string table. An object file may have multiple string table sections.

SHT_RELA¶: The section holds relocation entries.

SHT_HASH¶: The section holds a symbol hash table.

SHT_DYNAMIC¶: The section holds information for dynamic linking.

SHT_NOTE¶: The section holds information that marks the file in some way.

SHT_NOBITS¶: A section of this type occupies no space in the file but otherwise resembles SHT_PROGBITS.

SHT_REL¶: The section holds relocation entries.

SHT_SHLIB¶: This section type is reserved but has unspecified semantics.

SHT_DYNSYM¶: This section holds dynamic linking symbols.

flags¶

Integer with sections’s flags as defined below:

SHF_WRITE¶: The section contains data that should be writable during process execution.

SHF_ALLOC¶: The section occupies memory during process execution. Some control sections do not reside in the memory image of an object file; this attribute is off for those sections.

SHF_EXECINSTR¶: The section contains executable machine instructions.

Example: elf.section[2].flags & elf.SHF_WRITE

number_of_segments¶: New in version 3.4.0.

Number of segments in the ELF file.

segments¶

New in version 3.4.0.

A zero-based array of segments objects, one for each segment the ELF has. Individual segments can be accessed by using the [] operator. Each segment object has the following attributes:

alignment¶: Value to which the segments are aligned in memory and in the file.

file_size¶: Number of bytes in the file image of the segment. It may be zero.

flags¶

A combination of the following segment flags:

PF_R¶: The segment is readable.

PF_W¶: The segment is writable.

PF_X¶: The segment is executable.

memory_size¶: On-memory segment size.

offset¶: Offset from the beginning of the file where the segment resides.

physical_address¶: On systems for which physical addressing is relevant, contains the segment’s physical address.

type

Type of segment indicated by one of the following values:

PT_NULL¶

PT_LOAD¶

PT_DYNAMIC¶

PT_INTERP¶

PT_NOTE¶

PT_SHLIB¶

PT_PHDR¶

PT_LOPROC¶

PT_HIPROC¶

PT_GNU_STACK¶

virtual_address¶: Virtual address at which the segment resides in memory.