def __init__(self, **kwargs):
super(Elf64CoreDump, self).__init__(**kwargs)
# Check the file for sanity.
self.check_file()
self.offset = 0
self.fname = ''
self._metadata = {}
# Now parse the ELF file.
elf_profile = elf.ELFProfile(session=self.session)
self.elf64_hdr = elf_profile.elf64_hdr(vm=self.base, offset=0)
self.as_assert(self.elf64_hdr.e_type == "ET_CORE",
"Elf file is not a core file.")
self.name = "%s|%s" % (self.__class__.__name__, self.base.name)
# Iterate over all the program headers and map the runs.
for segment in self.elf64_hdr.e_phoff:
if segment.p_type == "PT_LOAD":
# Some load segments are empty.
if (segment.p_filesz == 0
or segment.p_filesz != segment.p_memsz):
continue
# Add the run to the memory map.
virtual_address = int(segment.p_paddr) or int(segment.p_vaddr)
self.add_run(
virtual_address, # Virtual Addr
int(segment.p_offset), # File Addr
int(segment.p_memsz)) # Run end.
elif segment.p_type == PT_PMEM_METADATA:
self.LoadMetadata(segment.p_offset)
def _get_elf_header(self):
if self.plugin_args.binary_path:
address_space = standard.FileAddressSpace(
session=self.session, filename=self.plugin_args.binary_path)
else:
address_space = self.session.GetParameter("default_address_space")
if address_space == None:
address_space = self.session.GetParameter("physical_address_space")
return elf.ELFProfile(session=self.session).elf64_hdr(
vm=address_space, offset=self.plugin_args.header_offset)
def WriteElfFile(address_space, outfd, session=None):
"""Convert the address_space to an ELF Core dump file.
The Core dump will be written to outfd which is expected to have a .write()
method.
"""
runs = list(address_space.get_mappings())
elf_profile = elf.ELFProfile(session=session)
elf64_pheader = elf_profile.elf64_phdr()
elf64_pheader.p_type = "PT_LOAD"
elf64_pheader.p_align = 0x1000
elf64_pheader.p_flags = "PF_R"
elf64_header = elf_profile.elf64_hdr()
elf64_header.e_ident = elf64_header.e_ident.signature
elf64_header.e_type = 'ET_CORE'
elf64_header.e_phoff = elf64_header.obj_end
elf64_header.e_ehsize = elf64_header.obj_size
elf64_header.e_phentsize = elf64_pheader.obj_size
elf64_header.e_phnum = len(runs)
elf64_header.e_shnum = 0 # We don't have any sections.
# Where we start writing data.
file_offset = (
elf64_header.obj_size +
# One Phdr for each run.
len(runs) * elf64_pheader.obj_size)
outfd.write(elf64_header.GetData())
for run in runs:
elf64_pheader.p_paddr = run.start
elf64_pheader.p_memsz = run.length
elf64_pheader.p_offset = file_offset
elf64_pheader.p_filesz = run.length
outfd.write(elf64_pheader.GetData())
file_offset += run.length
# Now just copy all the runs
total_data = 0
for run in runs:
offset = run.start
length = run.length
while length > 0:
data = address_space.read(offset, min(10000000, length))
session.report_progress("Writing %sMb", total_data // 1024 // 1024)
outfd.write(data)
length -= len(data)
offset += len(data)
total_data += len(data)
def __init__(self, **kwargs):
super(Elf64CoreDump, self).__init__(**kwargs)
# Check the file for sanity.
self.check_file()
self.offset = 0
self.fname = ''
self._metadata = {}
# Now parse the ELF file.
elf_profile = elf.ELFProfile(session=self.session)
self.elf64_hdr = elf_profile.elf64_hdr(vm=self.base, offset=0)
self.as_assert(self.elf64_hdr.e_type == "ET_CORE",
"Elf file is not a core file.")
self.name = "%s|%s" % (self.__class__.__name__, self.base.name)
# Iterate over all the program headers and map the runs.
for segment in self.elf64_hdr.e_phoff:
if segment.p_type == "PT_LOAD":
# Some load segments are empty.
if (segment.p_filesz == 0
or segment.p_filesz != segment.p_memsz):
continue
# Add the run to the memory map.
virtual_address = int(segment.p_paddr) or int(segment.p_vaddr)
self.add_run(
virtual_address, # Virtual Addr
int(segment.p_offset), # File Addr
int(segment.p_memsz)) # Run end.
elif segment.p_type == PT_PMEM_METADATA:
self.LoadMetadata(segment.p_offset)
# NOTE: Deprecated! This will be removed soon. If you want to store
# metadata use AFF4 format.
# Search for the pmem footer signature.
footer = self.base.read(self.base.end() - 10000, 10000)
if "...\n" in footer[-6:]:
header_offset = footer.rfind("# PMEM")
if header_offset > 0:
self.LoadMetadata(self.base.end() - 10000 + header_offset)
def __init__(self, **kwargs):
super(XenElf64CoreDump, self).__init__(**kwargs)
self.check_file()
self.offset = 0
self.fname = ''
self._metadata = {}
# Now parse the ELF file.
self.elf_profile = elf.ELFProfile(session=self.session)
self.elf64_hdr = self.elf_profile.elf64_hdr(vm=self.base, offset=0)
self.as_assert(self.elf64_hdr.e_type == "ET_CORE",
"Elf file is not a core file.")
xen_note = self.elf64_hdr.section_by_name(".note.Xen")
self.as_assert(xen_note, "Image does not contain Xen note.")
self.name = "%s|%s" % (self.__class__.__name__, self.base.name)
self.runs = self.build_runs()
def __init__(self, **kwargs):
super(Elf64CoreDump, self).__init__(**kwargs)
# Check the file for sanity.
self.check_file()
self.offset = 0
self.fname = ''
self.metadata = {}
# Now parse the ELF file.
elf_profile = elf.ELFProfile(session=self.session)
self.elf64_hdr = elf_profile.elf64_hdr(vm=self.base, offset=0)
self.as_assert(self.elf64_hdr.e_type == "ET_CORE",
"Elf file is not a core file.")
# Iterate over all the section headers and map the runs.
for section in self.elf64_hdr.e_phoff:
if section.p_type == "PT_LOAD":
# Some load sections are empty.
if (section.p_filesz == 0
or section.p_filesz != section.p_memsz):
continue
# Add the run to the memory map.
self.runs.insert((
int(section.p_paddr), # Virtual Addr
int(section.p_offset), # File Addr
int(section.p_memsz))) # Length
elif section.p_type == PT_PMEM_METADATA:
# Allow the file to be extended if users want to append
# metadata to the file.
to_read = max(1000000, int(section.p_filesz))
data = self.base.read(section.p_offset, to_read)
data = data.split("\x00")[0]
if data:
self.LoadMetadata(data)
aux.vna_name = template.vna_name
def remove_symbol_versions(hdr):
versyms = hdr.section_by_name(".gnu.version")
sym_table = versyms.get_section()
# Just remove all versions from all symbols.
for i, other_ref in enumerate(sym_table):
sym_table[i] = 0
if __name__ == "__main__":
argument_parser = argparse.ArgumentParser()
argument_parser.add_argument(
'binary',
default=None,
help="Path to the ELF binary."
)
args = argument_parser.parse_args()
print ("***Modifying file %s **" % args.binary)
vm = standard.WritableAddressSpace(
filename=args.binary, session=session.Session(), mode="r+b")
profile = elf.ELFProfile(session=session)
hdr = profile.elf64_hdr(vm=vm, offset=0)
fix_version_needed(hdr)
remove_symbol_versions(hdr)
