Sample content: static analysis information - ELF file format
The ELF format was developed and published by UNIX System Laboratories (USL) as part of the System V Application Binary Interface (ABI), and it is the main executable file format on Linux. In 1999 the 86open project chose it as the standard binary format for Unix-like operating systems on x86, replacing COFF. Because it is extensible and flexible it is also used by operating systems on other processors and computer architectures.
1. Basic information
Name | Executable and Linkable Format (ELF) | Developer | Unix System Laboratories |
---|---|---|---|
Chinese name | 可执行与可链接格式 | Common extensions | .o, .so, .elf, .prx |
2. File structure
An outline of the contents of an ELF file; for the full layout see the Linux Standard Base (LSB) specification, which incorporates the System V ABI.
1) File header
(1) File class (EI_CLASS)
Identifies whether the file uses the 32-bit (ELFCLASS32) or 64-bit (ELFCLASS64) layout. This determines the width of the address and offset fields that follow, so a parser must read it before anything else in the header.
(2) Data encoding (EI_DATA)
Identifies whether multi-byte fields are stored little-endian (ELFDATA2LSB) or big-endian (ELFDATA2MSB). The encoding applies to the header, the program and section header tables and every other structure in the file.
(3) Header version (EI_VERSION)
Set to 1 for both the original and the current ELF version.
(4) Application binary interface (EI_OSABI)
Identifies the ABI of the target operating system. The value "System V" (0) is the generic default and carries no platform-specific meaning; most Linux binaries carry it rather than the dedicated Linux value, so it cannot be used on its own to identify the target OS.
Common values: System V, HP-UX, NetBSD, Linux, GNU Hurd, Solaris, AIX, IRIX, FreeBSD, Tru64, Novell Modesto, OpenBSD, OpenVMS, NonStop Kernel, AROS, Fenix OS, CloudABI, Stratus Technologies OpenVOS.
(5) ABI version (EI_ABIVERSION)
Further specifies the version of the ABI; its interpretation depends on the OS ABI above. The Linux kernel (at least since 2.6) does not define this field, so it is ignored for statically linked executables; in that case the padding field EI_PAD starts at offset 8 and is 8 bytes long.
In glibc 2.12 and later, when the OS ABI is Linux, this field is interpreted as the ABI version of the dynamic linker.
(6) Target architecture (e_machine)
The instruction set architecture (ISA) the file is built for.
Common values: No specific instruction set, AT&T WE 32100, SPARC, x86, Motorola 68000 (M68k), Motorola 88000 (M88k), Intel MCU, Intel 80860, MIPS, IBM System/370, MIPS RS3000 Little-endian, Reserved for future use, Hewlett-Packard PA-RISC, Reserved for future use, Intel 80960, PowerPC, PowerPC (64-bit), S390 (including S390x), IBM SPU/SPC, Reserved for future use, NEC V800, Fujitsu FR20, TRW RH-32, Motorola RCE, ARM (up to ARMv7/AArch32), Digital Alpha, SuperH, SPARC Version 9, Siemens TriCore embedded processor, Argonaut RISC Core, Hitachi H8/300, Hitachi H8/300H, Hitachi H8S, Hitachi H8/500, IA-64, Stanford MIPS-X, Motorola ColdFire, Motorola M68HC12, Fujitsu MMA Multimedia Accelerator, Siemens PCP, Sony nCPU embedded RISC processor, Denso NDR1 microprocessor, Motorola Star*Core processor, Toyota ME16 processor, STMicroelectronics ST100 processor, Advanced Logic Corp. TinyJ embedded processor family, AMD x86-64, TMS320C6000 Family, MCST Elbrus e2k, ARM 64-bit (ARMv8/AArch64), RISC-V, Berkeley Packet Filter, WDC 65C816.
(7) Object file type (e_type)
Common values: NONE, REL (relocatable object), EXEC (executable), DYN (shared object), CORE (core dump), plus the reserved ranges LOOS to HIOS (OS-specific) and LOPROC to HIPROC (processor-specific). Position-independent executables are also of type DYN, so DYN by itself does not mean the file is a library; a PIE normally also carries a PT_INTERP segment, which a plain shared library lacks.
(8) Number of header table entries (e_phnum, e_shnum)
The number of entries in the program header table and in the section header table; the size of one entry is given by e_phentsize and e_shentsize. The sample below reports them as num_prog_headers and num_section_headers. A file with zero section headers still loads and runs, because the loader only needs the program headers.
(9) Program entry point (e_entry)
The virtual address at which the process starts executing. The field is 32 or 64 bits wide depending on the class defined above. For DYN files it is relative to the load base chosen at run time; the sample below reports it as entrypoint.
2) Other content
As with PE files, the analysis also records the section list, the shared libraries the file depends on (the DT_NEEDED entries of the dynamic section), the segment list, imported and exported symbols (from .dynsym), packer detection results, the program interpreter (PT_INTERP) and similar attributes that describe the static details of the ELF file.
Two caveats for analysts. First, the kernel and the dynamic linker load a file from its program headers alone; section headers are optional metadata that packers and obfuscators routinely strip or forge, so section-derived fields are hints to be cross-checked against the segment list. Second, the import list only shows symbols resolved by the dynamic linker; code that loads libraries itself (the sample below imports dlopen, dlsym and mprotect) can reach any function without it appearing here.
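The following is an added example and is not code from the original page or from the analysis product it documents. It parses the e_ident and header fields described in the file-header section above and produces the header, section_list and segment_list structures described in this section, for ELF32 and ELF64 in either byte order. It then maps sections to segments and runs a few hardening checks on the program headers, the loader-facing view that a forged section table cannot hide. The section-to-segment rule (address containment for allocated sections, file-offset containment for the rest), the finding strings and the short e_machine table are my own choices; the sample ELF is constructed inline and is not a real binary.

```python
# Added example (not the analysis product's own code): a minimal ELF parser that
# yields the header / section_list / segment_list fields described above.
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64", 243: "RISC-V"}
P_TYPE = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR", 0x6474E550: "GNU_EH_FRAME",
          0x6474E551: "GNU_STACK", 0x6474E552: "GNU_RELRO", 0x70000001: "ARM_EXIDX"}
SH_TYPE = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 6: "DYNAMIC", 7: "NOTE", 8: "NOBITS",
           9: "REL", 11: "DYNSYM"}
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR, PF_X, PF_W, PF_R = 0x1, 0x2, 0x4, 0x1, 0x2, 0x4


def sh_flag_string(flags):  # the letters readelf prints for the three common section flags
    return "".join(c for bit, c in ((SHF_WRITE, "W"), (SHF_ALLOC, "A"), (SHF_EXECINSTR, "X")) if flags & bit)


def parse_elf(data):
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = data[4:9]
    if data[:4] != ELF_MAGIC or ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1:
        raise ValueError("not a supported ELF file")
    end = "<" if ei_data == 1 else ">"  # EI_DATA selects the byte order of every later field
    if ei_class == 1:  # ELF32: 52-byte ehdr, 32-byte phdr, 40-byte shdr
        ehdr_fmt, phdr_fmt, shdr_fmt = "HHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII"
    else:              # ELF64: 64-byte ehdr, 56-byte phdr, 64-byte shdr
        ehdr_fmt, phdr_fmt, shdr_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ"
    (e_type, e_machine, _, e_entry, e_phoff, e_shoff, _, _, e_phentsize, e_phnum,
     e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(end + ehdr_fmt, data, 16)
    header = {"class": "ELF32" if ei_class == 1 else "ELF64", "os_abi": ei_osabi, "abi_version": ei_abiversion,
              "data": "little endian" if ei_data == 1 else "big endian", "entrypoint": e_entry,
              "type": E_TYPE.get(e_type, hex(e_type)), "machine": E_MACHINE.get(e_machine, hex(e_machine)),
              "num_prog_headers": e_phnum, "num_section_headers": e_shnum}

    segments = []
    for i in range(e_phnum):
        raw = struct.unpack_from(end + phdr_fmt, data, e_phoff + i * e_phentsize)
        if ei_class == 1:
            p_type, p_offset, p_vaddr, _, p_filesz, p_memsz, p_flags, _ = raw
        else:  # ELF64 moves p_flags up next to p_type
            p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = raw
        segments.append({"segment_type": P_TYPE.get(p_type, hex(p_type)), "flags": p_flags, "offset": p_offset,
                         "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz, "resources": []})

    # Section headers are optional: the loader never reads them, so packed samples often have none or forged ones.
    sections = []
    if e_shoff and e_shnum:
        hdrs = [struct.unpack_from(end + shdr_fmt, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
        strtab = data[hdrs[e_shstrndx][4]:hdrs[e_shstrndx][4] + hdrs[e_shstrndx][5]]
        for sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size, *_ in hdrs:
            sections.append({"name": strtab[sh_name:strtab.index(b"\0", sh_name)].decode(),
                             "section_type": SH_TYPE.get(sh_type, hex(sh_type)), "flags": sh_flag_string(sh_flags),
                             "virtual_address": sh_addr, "phisical_offset": sh_offset, "size": sh_size,
                             "_alloc": bool(sh_flags & SHF_ALLOC), "_type": sh_type})

    # Section-to-segment mapping (my rule, simplified from readelf's): allocated sections by
    # virtual-address containment, everything else by file-offset containment.
    for seg in segments:
        for sec in sections:
            if sec["_type"] == 0 or not (seg["filesz"] or seg["memsz"]):
                continue
            if sec["_alloc"]:
                lo, hi, at = seg["vaddr"], seg["vaddr"] + seg["memsz"], sec["virtual_address"]
            else:
                lo, hi, at = seg["offset"], seg["offset"] + seg["filesz"], sec["phisical_offset"]
            if lo <= at and at + sec["size"] <= hi:
                seg["resources"].append(sec["name"])
    return {"header": header, "section_list": sections, "segment_list": segments}


def hardening_findings(parsed):
    """Checks an analyst runs on the loader-facing view, i.e. the program headers."""
    segs, found = parsed["segment_list"], []
    stack = [s for s in segs if s["segment_type"] == "GNU_STACK"]
    if not stack:
        found.append("no PT_GNU_STACK")
    elif stack[0]["flags"] & PF_X:
        found.append("executable stack")
    if not any(s["segment_type"] == "GNU_RELRO" for s in segs):
        found.append("no PT_GNU_RELRO")
    for s in segs:
        if s["segment_type"] == "LOAD" and s["flags"] & PF_W and s["flags"] & PF_X:
            found.append("writable+executable LOAD segment at 0x%x" % s["vaddr"])
    if parsed["header"]["num_section_headers"] == 0:
        found.append("section headers stripped")
    return found


def build_sample_elf():
    """Constructed ELF64 LSB shared object (not a real binary): r-x LOAD over the file, rw- GNU_STACK, .text, .shstrtab."""
    text_off, str_off, shoff = 176, 192, 216     # ehdr 64 + 2 phdrs * 56 = 176; shdrs 8-aligned at 216
    code, shstrtab = b"\xc3" * 16, b"\0.text\0.shstrtab\0"   # name indices: 0 "", 1 .text, 7 .shstrtab
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7    # class 64, LSB, version 1, System V ABI
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, text_off, 64, shoff, 0, 64, 56, 2, 64, 3, 2)
    end = str_off + len(shstrtab)
    phdrs = struct.pack("<IIQQQQQQ", 1, PF_R | PF_X, 0, 0, 0, end, end, 0x1000)
    phdrs += struct.pack("<IIQQQQQQ", 0x6474E551, PF_R | PF_W, 0, 0, 0, 0, 0, 16)
    body = ehdr + phdrs + code + shstrtab
    body += b"\0" * (shoff - len(body))
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 1, SHF_ALLOC | SHF_EXECINSTR, text_off, text_off, 16, 0, 0, 16, 0)
    shdrs += struct.pack("<IIQQQQIIQQ", 7, 3, 0, 0, str_off, len(shstrtab), 0, 0, 1, 0)
    return body + shdrs
```

For a real sample, pass the bytes of the file (`parse_elf(open(path, "rb").read())`) instead of `build_sample_elf()`. The segment mapping is the cross-check mentioned above: a section whose name or flags look harmless but which lands inside a writable and executable LOAD segment, or a file that declares an executable GNU_STACK, is reported from the program headers regardless of what the section table claims, and a file with no section headers at all is flagged rather than silently reported as having no sections.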
3. Complete sample structure
The elf_info object of a sample report, here for an ARM32 Android shared library:
```json
{
  "elf_info": {
    "shared_libraries": [
      "libdl.so",
      "liblog.so",
      "libz.so",
      "libc.so",
      "libm.so",
      "libstdc++.so"
    ],
    "section_list": [
      {"name": "", "virtual_address": 0, "section_type": "NULL", "flags": "", "phisical_offset": 4808, "size": 0},
      {"name": ".note.android.ident", "virtual_address": 308, "section_type": "NOTE", "flags": "A", "phisical_offset": 308, "size": 152},
      {"name": ".note.gnu.build-id", "virtual_address": 460, "section_type": "NOTE", "flags": "A", "phisical_offset": 460, "size": 36},
      {"name": ".dynsym", "virtual_address": 496, "section_type": "DYNSYM", "flags": "A", "phisical_offset": 496, "size": 1360},
      {"name": ".dynstr", "virtual_address": 1856, "section_type": "STRTAB", "flags": "A", "phisical_offset": 1856, "size": 1081},
      {"name": ".gnu.hash", "virtual_address": 2940, "section_type": "GNU_HASH", "flags": "A", "phisical_offset": 2940, "size": 252},
      {"name": ".hash", "virtual_address": 3192, "section_type": "HASH", "flags": "A", "phisical_offset": 3192, "size": 616},
      {"name": ".gnu.version", "virtual_address": 3808, "section_type": "VERSYM", "flags": "A", "phisical_offset": 3808, "size": 170},
      {"name": ".gnu.version_d", "virtual_address": 3980, "section_type": "VERDEF", "flags": "A", "phisical_offset": 3980, "size": 28},
      {"name": ".gnu.version_r", "virtual_address": 4008, "section_type": "VERNEED", "flags": "A", "phisical_offset": 4008, "size": 64},
      {"name": ".rel.dyn", "virtual_address": 4072, "section_type": "REL", "flags": "A", "phisical_offset": 4072, "size": 224},
      {"name": ".rel.plt", "virtual_address": 4296, "section_type": "REL", "flags": "AI", "phisical_offset": 4296, "size": 512},
      {"name": ".plt", "virtual_address": 8904, "section_type": "PROGBITS", "flags": "AX", "phisical_offset": 4808, "size": 788},
      {"name": ".text", "virtual_address": 9696, "section_type": "PROGBITS", "flags": "AX", "phisical_offset": 5600, "size": 9588},
      {"name": ".ARM.exidx", "virtual_address": 19284, "section_type": "ARM_EXIDX", "flags": "AL", "phisical_offset": 15188, "size": 608},
      {"name": ".ARM.extab", "virtual_address": 19892, "section_type": "PROGBITS", "flags": "A", "phisical_offset": 15796, "size": 648},
      {"name": ".rodata", "virtual_address": 20544, "section_type": "PROGBITS", "flags": "A", "phisical_offset": 16448, "size": 104736},
      {"name": ".data.rel.ro", "virtual_address": 130392, "section_type": "PROGBITS", "flags": "WA", "phisical_offset": 122200, "size": 76},
      {"name": ".fini_array", "virtual_address": 130468, "section_type": "FINI_ARRAY", "flags": "WA", "phisical_offset": 122276, "size": 8},
      {"name": ".dynamic", "virtual_address": 130476, "section_type": "DYNAMIC", "flags": "WA", "phisical_offset": 19884, "size": 296},
      {"name": ".got", "virtual_address": 130772, "section_type": "PROGBITS", "flags": "WA", "phisical_offset": 122580, "size": 300},
      {"name": ".data", "virtual_address": 131072, "section_type": "PROGBITS", "flags": "WA", "phisical_offset": 122880, "size": 328},
      {"name": ".bss", "virtual_address": 131400, "section_type": "NOBITS", "flags": "WA", "phisical_offset": 123208, "size": 1},
      {"name": ".comment", "virtual_address": 4096, "section_type": "PROGBITS", "flags": "MS", "phisical_offset": 123208, "size": 182},
      {"name": ".note.gnu.gold-version", "virtual_address": 4096, "section_type": "NOTE", "flags": "", "phisical_offset": 5888, "size": 28},
      {"name": ".ARM.attributes", "virtual_address": 4096, "section_type": "ARM_ATTRIBUTES", "flags": "", "phisical_offset": 123420, "size": 54},
      {"name": ".shstrtab", "virtual_address": 4096, "section_type": "STRTAB", "flags": "", "phisical_offset": 5916, "size": 271}
    ],
    "header": {
      "hdr_version": "1 (current)",
      "type": "DYN (Shared object file)",
      "num_prog_headers": 8,
      "obj_version": "0x1",
      "machine": "ARM",
      "num_section_headers": 27,
      "os_abi": "UNIX - System V",
      "abi_version": 0,
      "entrypoint": 4488577,
      "data": "2's complement, little endian",
      "class": "ELF32"
    },
    "segment_list": [
      {"segment_type": "PHDR", "resources": []},
      {"segment_type": "LOAD", "resources": [
        ".note.android.ident", ".note.gnu.build-id", ".dynsym", ".dynstr", ".gnu.hash", ".hash",
        ".gnu.version", ".gnu.version_d", ".gnu.version_r", ".rel.dyn", ".rel.plt", ".plt",
        ".note.gnu.gold-version", ".shstrtab"
      ]},
      {"segment_type": "LOAD", "resources": [".dynamic", ".bss"]},
      {"segment_type": "DYNAMIC", "resources": [".dynamic"]},
      {"segment_type": "NOTE", "resources": [".note.android.ident", ".note.gnu.build-id"]},
      {"segment_type": "GNU_STACK", "resources": []},
      {"segment_type": "ARM_EXIDX", "resources": []},
      {"segment_type": "GNU_RELRO", "resources": [".dynamic"]}
    ],
    "export_list": [
      {"type": "FUNC", "name": "unw_set_reg"},
      {"type": "FUNC", "name": "unw_step"},
      {"type": "FUNC", "name": "unw_get_proc_name"},
      {"type": "FUNC", "name": "unw_is_signal_frame"},
      {"type": "FUNC", "name": "__aeabi_unwind_cpp_pr0"},
      {"type": "FUNC", "name": "_Unwind_RaiseException"},
      {"type": "FUNC", "name": "unw_get_proc_info"},
      {"type": "FUNC", "name": "__aeabi_unwind_cpp_pr1"},
      {"type": "FUNC", "name": "decode_eht_entry"},
      {"type": "NOTYPE", "name": "__bss_start"},
      {"type": "FUNC", "name": "__aeabi_unwind_cpp_pr2"},
      {"type": "FUNC", "name": "unw_init_local"},
      {"type": "NOTYPE", "name": "_end"},
      {"type": "FUNC", "name": "unw_get_fpreg"},
      {"type": "FUNC", "name": "JNI_OnLoad"},
      {"type": "NOTYPE", "name": "_edata"},
      {"type": "FUNC", "name": "_Unwind_GetRegionStart"},
      {"type": "FUNC", "name": "_Unwind_VRS_Interpret"},
      {"type": "FUNC", "name": "unw_get_reg"},
      {"type": "FUNC", "name": "_Unwind_VRS_Pop"},
      {"type": "FUNC", "name": "_Unwind_VRS_Set"},
      {"type": "FUNC", "name": "unw_resume"},
      {"type": "FUNC", "name": "unw_save_vfp_as_X"},
      {"type": "FUNC", "name": "unw_regname"},
      {"type": "FUNC", "name": "_Unwind_DeleteException"},
      {"type": "FUNC", "name": "__gnu_unwind_frame"},
      {"type": "FUNC", "name": "_Unwind_Complete"},
      {"type": "FUNC", "name": "unw_getcontext"},
      {"type": "FUNC", "name": "unw_set_fpreg"},
      {"type": "FUNC", "name": "unw_is_fpreg"},
      {"type": "FUNC", "name": "_Unwind_GetLanguageSpecificData"},
      {"type": "FUNC", "name": "_Unwind_Resume"},
      {"type": "FUNC", "name": "_Unwind_VRS_Get"},
      {"type": "OBJECT", "name": "unw_local_addr_space"}
    ],
    "import_list": [
      {"type": "FUNC", "name": "raise"},
      {"type": "FUNC", "name": "__cxa_atexit"},
      {"type": "FUNC", "name": "__cxa_finalize"},
      {"type": "FUNC", "name": "__aeabi_memclr"},
      {"type": "FUNC", "name": "__aeabi_memcpy8"},
      {"type": "FUNC", "name": "__stack_chk_fail"},
      {"type": "OBJECT", "name": "__stack_chk_guard"},
      {"type": "FUNC", "name": "dladdr"},
      {"type": "FUNC", "name": "close"},
      {"type": "FUNC", "name": "dlopen"},
      {"type": "FUNC", "name": "dlsym"},
      {"type": "FUNC", "name": "exit"},
      {"type": "FUNC", "name": "fclose"},
      {"type": "FUNC", "name": "fgets"},
      {"type": "FUNC", "name": "fopen"},
      {"type": "FUNC", "name": "fread"},
      {"type": "FUNC", "name": "free"},
      {"type": "FUNC", "name": "fseek"},
      {"type": "FUNC", "name": "fstat"},
      {"type": "FUNC", "name": "ftell"},
      {"type": "FUNC", "name": "getpid"},
      {"type": "FUNC", "name": "inflate"},
      {"type": "FUNC", "name": "inflateEnd"},
      {"type": "FUNC", "name": "inflateInit_"},
      {"type": "FUNC", "name": "lrand48"},
      {"type": "FUNC", "name": "malloc"},
      {"type": "FUNC", "name": "mmap"},
      {"type": "FUNC", "name": "mprotect"},
      {"type": "FUNC", "name": "munmap"},
      {"type": "FUNC", "name": "open"},
      {"type": "FUNC", "name": "printf"},
      {"type": "FUNC", "name": "pthread_create"},
      {"type": "FUNC", "name": "pthread_join"},
      {"type": "FUNC", "name": "snprintf"},
      {"type": "FUNC", "name": "srand48"},
      {"type": "FUNC", "name": "sscanf"},
      {"type": "FUNC", "name": "strcat"},
      {"type": "FUNC", "name": "strcmp"},
      {"type": "FUNC", "name": "strlen"},
      {"type": "FUNC", "name": "strncmp"},
      {"type": "FUNC", "name": "strstr"},
      {"type": "FUNC", "name": "strtoul"},
      {"type": "FUNC", "name": "sysconf"},
      {"type": "FUNC", "name": "time"},
      {"type": "OBJECT", "name": "__sF"},
      {"type": "FUNC", "name": "abort"},
      {"type": "FUNC", "name": "fflush"},
      {"type": "FUNC", "name": "fprintf"},
      {"type": "FUNC", "name": "__aeabi_memcpy"},
      {"type": "FUNC", "name": "__gnu_Unwind_Find_exidx"}
    ],
    "packers": [
      "upx",
      "FIX3"
    ],
    "entry": "be76324",
    "interpreter": "gcc+ comp",
    "note": [
      "Android:16.r21d.6528147",
      "NT_GNU_BUILD_ID:10e0fdccde8e3ac31841a0f4f64b131191189444"
    ],
    "target_os": "Android",
    "verneed": [
      "libc.so:LIBC",
      "libdl.so:LIBC"
    ]
  }
}
```