def __init__(self, **kwargs): super(Elf64CoreDump, self).__init__(**kwargs) # Check the file for sanity. self.check_file() self.offset = 0 self.fname = '' self._metadata = {} # Now parse the ELF file. elf_profile = elf.ELFProfile(session=self.session) self.elf64_hdr = elf_profile.elf64_hdr(vm=self.base, offset=0) self.as_assert(self.elf64_hdr.e_type == "ET_CORE", "Elf file is not a core file.") self.name = "%s|%s" % (self.__class__.__name__, self.base.name) # Iterate over all the program headers and map the runs. for segment in self.elf64_hdr.e_phoff: if segment.p_type == "PT_LOAD": # Some load segments are empty. if (segment.p_filesz == 0 or segment.p_filesz != segment.p_memsz): continue # Add the run to the memory map. virtual_address = int(segment.p_paddr) or int(segment.p_vaddr) self.add_run( virtual_address, # Virtual Addr int(segment.p_offset), # File Addr int(segment.p_memsz)) # Run end. elif segment.p_type == PT_PMEM_METADATA: self.LoadMetadata(segment.p_offset)
def _get_elf_header(self): if self.plugin_args.binary_path: address_space = standard.FileAddressSpace( session=self.session, filename=self.plugin_args.binary_path) else: address_space = self.session.GetParameter("default_address_space") if address_space == None: address_space = self.session.GetParameter("physical_address_space") return elf.ELFProfile(session=self.session).elf64_hdr( vm=address_space, offset=self.plugin_args.header_offset)
def WriteElfFile(address_space, outfd, session=None): """Convert the address_space to an ELF Core dump file. The Core dump will be written to outfd which is expected to have a .write() method. """ runs = list(address_space.get_mappings()) elf_profile = elf.ELFProfile(session=session) elf64_pheader = elf_profile.elf64_phdr() elf64_pheader.p_type = "PT_LOAD" elf64_pheader.p_align = 0x1000 elf64_pheader.p_flags = "PF_R" elf64_header = elf_profile.elf64_hdr() elf64_header.e_ident = elf64_header.e_ident.signature elf64_header.e_type = 'ET_CORE' elf64_header.e_phoff = elf64_header.obj_end elf64_header.e_ehsize = elf64_header.obj_size elf64_header.e_phentsize = elf64_pheader.obj_size elf64_header.e_phnum = len(runs) elf64_header.e_shnum = 0 # We don't have any sections. # Where we start writing data. file_offset = ( elf64_header.obj_size + # One Phdr for each run. len(runs) * elf64_pheader.obj_size) outfd.write(elf64_header.GetData()) for run in runs: elf64_pheader.p_paddr = run.start elf64_pheader.p_memsz = run.length elf64_pheader.p_offset = file_offset elf64_pheader.p_filesz = run.length outfd.write(elf64_pheader.GetData()) file_offset += run.length # Now just copy all the runs total_data = 0 for run in runs: offset = run.start length = run.length while length > 0: data = address_space.read(offset, min(10000000, length)) session.report_progress("Writing %sMb", total_data // 1024 // 1024) outfd.write(data) length -= len(data) offset += len(data) total_data += len(data)
def __init__(self, **kwargs): super(Elf64CoreDump, self).__init__(**kwargs) # Check the file for sanity. self.check_file() self.offset = 0 self.fname = '' self._metadata = {} # Now parse the ELF file. elf_profile = elf.ELFProfile(session=self.session) self.elf64_hdr = elf_profile.elf64_hdr(vm=self.base, offset=0) self.as_assert(self.elf64_hdr.e_type == "ET_CORE", "Elf file is not a core file.") self.name = "%s|%s" % (self.__class__.__name__, self.base.name) # Iterate over all the program headers and map the runs. for segment in self.elf64_hdr.e_phoff: if segment.p_type == "PT_LOAD": # Some load segments are empty. if (segment.p_filesz == 0 or segment.p_filesz != segment.p_memsz): continue # Add the run to the memory map. virtual_address = int(segment.p_paddr) or int(segment.p_vaddr) self.add_run( virtual_address, # Virtual Addr int(segment.p_offset), # File Addr int(segment.p_memsz)) # Run end. elif segment.p_type == PT_PMEM_METADATA: self.LoadMetadata(segment.p_offset) # NOTE: Deprecated! This will be removed soon. If you want to store # metadata use AFF4 format. # Search for the pmem footer signature. footer = self.base.read(self.base.end() - 10000, 10000) if "...\n" in footer[-6:]: header_offset = footer.rfind("# PMEM") if header_offset > 0: self.LoadMetadata(self.base.end() - 10000 + header_offset)
def __init__(self, **kwargs): super(XenElf64CoreDump, self).__init__(**kwargs) self.check_file() self.offset = 0 self.fname = '' self._metadata = {} # Now parse the ELF file. self.elf_profile = elf.ELFProfile(session=self.session) self.elf64_hdr = self.elf_profile.elf64_hdr(vm=self.base, offset=0) self.as_assert(self.elf64_hdr.e_type == "ET_CORE", "Elf file is not a core file.") xen_note = self.elf64_hdr.section_by_name(".note.Xen") self.as_assert(xen_note, "Image does not contain Xen note.") self.name = "%s|%s" % (self.__class__.__name__, self.base.name) self.runs = self.build_runs()
def __init__(self, **kwargs): super(Elf64CoreDump, self).__init__(**kwargs) # Check the file for sanity. self.check_file() self.offset = 0 self.fname = '' self.metadata = {} # Now parse the ELF file. elf_profile = elf.ELFProfile(session=self.session) self.elf64_hdr = elf_profile.elf64_hdr(vm=self.base, offset=0) self.as_assert(self.elf64_hdr.e_type == "ET_CORE", "Elf file is not a core file.") # Iterate over all the section headers and map the runs. for section in self.elf64_hdr.e_phoff: if section.p_type == "PT_LOAD": # Some load sections are empty. if (section.p_filesz == 0 or section.p_filesz != section.p_memsz): continue # Add the run to the memory map. self.runs.insert(( int(section.p_paddr), # Virtual Addr int(section.p_offset), # File Addr int(section.p_memsz))) # Length elif section.p_type == PT_PMEM_METADATA: # Allow the file to be extended if users want to append # metadata to the file. to_read = max(1000000, int(section.p_filesz)) data = self.base.read(section.p_offset, to_read) data = data.split("\x00")[0] if data: self.LoadMetadata(data)
aux.vna_name = template.vna_name def remove_symbol_versions(hdr): versyms = hdr.section_by_name(".gnu.version") sym_table = versyms.get_section() # Just remove all versions from all symbols. for i, other_ref in enumerate(sym_table): sym_table[i] = 0 if __name__ == "__main__": argument_parser = argparse.ArgumentParser() argument_parser.add_argument( 'binary', default=None, help="Path to the ELF binary." ) args = argument_parser.parse_args() print ("***Modifying file %s **" % args.binary) vm = standard.WritableAddressSpace( filename=args.binary, session=session.Session(), mode="r+b") profile = elf.ELFProfile(session=session) hdr = profile.elf64_hdr(vm=vm, offset=0) fix_version_needed(hdr) remove_symbol_versions(hdr)