def __init__(self, pathToFile=None, data=None, verbose=False):
self.elfHdr = None
self.__data = None
if data:
print "--> Building ELF from data."
self.__data = elfutils.ReadData(data)
self.__parse__(self.__data)
elif pathToFile:
print "--> Building ELF from file."
if os.path.exists(pathToFile):
self.__data = elfutils.readFile(pathToFile)
if self.validate(self.__data[:16]):
self.__data = elfutils.ReadData(self.__data)
self.__parse__(self.__data)
else:
raise elfexceptions.UnknownFormatException(
"It seems that the file is not a valid ELF.")
else:
raise elfexceptions.PathNotValidException(
"The specified path does not exists.")
else:
raise elfexceptions.PathOrDataNotSpecifiedException(
"Path nor data were specified!.")
def parse(readDataInstance, noSections, sectionOff, sectionSize, elfclass):
#print "sectionSize: %x" % sectionSize
ShdrTable = Elf_ShdrTable()
for i in range(noSections):
rd = elfutils.ReadData(
readDataInstance.readAt(sectionOff, sectionSize))
if elfclass == elfconstants.ELF_FILE_CLASS["ELFCLASS32"]:
entry = Elf32_Shdr.parse(rd)
elif elfclass == elfconstants.ELF_FILE_CLASS["ELFCLASS64"]:
entry = Elf64_Shdr.parse(rd)
else:
raise elfexceptions.UnknownFormatException(
"Unknown file class.")
off = entry.sh_offset.value
size = entry.sh_size.value
#print "[%d] sectionOff: %x - off: %x - size: %x" % (i, sectionOff, off, size)
if off and size:
# SHT_NOBITS sections contains only un-initialized data. This sections
# does not occupy space on disk. Are filled with zeros when the ELF is loaded into memory.
if entry.sh_type.value != elfconstants.ELF_SECTION_TYPES[
"SHT_NOBITS"]:
entry.sectionRawData = readDataInstance.readAt(off, size)
ShdrTable.append(entry)
sectionOff += sectionSize
return ShdrTable
def parse(readDataInstance, noEntries, entryOff, entrySize, elfclass):
PhdrTable = Elf_PhdrTable()
for i in range(noEntries):
rd = elfutils.ReadData(readDataInstance.readAt(
entryOff, entrySize))
if elfclass == elfconstants.ELF_FILE_CLASS["ELFCLASS32"]:
entry = Elf32_Phdr.parse(rd)
elif elfclass == elfconstants.ELF_FILE_CLASS["ELFCLASS64"]:
entry = Elf64_Phdr.parse(rd)
else:
raise elfexceptions.UnknownFormatException(
"Unknown file class.")
off = entry.p_offset.value
size = entry.p_filesz.value
if off and size:
entry.segmentRawData = readDataInstance.readAt(off, size)
PhdrTable.append(entry)
entryOff += entrySize
return PhdrTable
def parse(readDataInstance):
elf64_ehdr = Elf64_Ehdr()
elf64_ehdr.e_ident = elfdatatypes.Array.parse(
elfutils.ReadData(readDataInstance.read(16)),
elfdatatypes.TYPE_BYTE, 16)
elf64_ehdr.e_type = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_machine = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_version = elfdatatypes.Elf64_Word(
readDataInstance.readElf64Word())
elf64_ehdr.e_entry = elfdatatypes.Elf64_Addr(
readDataInstance.readElf64Addr())
elf64_ehdr.e_phoff = elfdatatypes.Elf64_Off(
readDataInstance.readElf64Off())
elf64_ehdr.e_shoff = elfdatatypes.Elf64_Off(
readDataInstance.readElf64Off())
elf64_ehdr.e_flags = elfdatatypes.Elf64_Word(
readDataInstance.readElf64Word())
elf64_ehdr.e_ehsize = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_phentsize = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_phnum = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_shentsize = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_shnum = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
elf64_ehdr.e_shstrndx = elfdatatypes.Elf64_Half(
readDataInstance.readElf64Half())
return elf64_ehdr
def getSymbolTable(self):
dynsymSection = self.getSectionByType(
elfconstants.ELF_SECTION_TYPES["SHT_DYNSYM"])
return Elf_SymbolTable.parse(
elfutils.ReadData(dynsymSection.sectionRawData),
self.getType().value)
def validate(self, data):
rd = elfdatatypes.Array.parse(elfutils.ReadData(data),
elfdatatypes.TYPE_BYTE, 16)
if rd[0] == elfconstants.ELF_MAGICS["ELFMAG0"] and rd[1] == elfconstants.ELF_MAGICS["ELFMAG1"]\
and rd[2] == elfconstants.ELF_MAGICS["ELFMAG2"] and rd[3] == elfconstants.ELF_MAGICS["ELFMAG3"]:
return True
return False
def __parse__(self, readDataInstance):
data = elfdatatypes.Array.parse(
elfutils.ReadData(readDataInstance.read(16)),
elfdatatypes.TYPE_BYTE, 16)
elfClass = data[elfconstants.ELF_IDENT_TYPES["EI_CLASS"]]
dataEncoding = data[elfconstants.ELF_IDENT_TYPES["EI_DATA"]]
readDataInstance.setOffset(0)
if elfClass == elfconstants.ELF_FILE_CLASS["ELFCLASS32"]:
print "--> File is ELF32."
self.elfHdr = Elf32_Ehdr.parse(readDataInstance)
elif elfClass == elfconstants.ELF_FILE_CLASS["ELFCLASS64"]:
print "--> File is ELF64."
self.elfHdr = Elf64_Ehdr.parse(readDataInstance)
else:
raise elfexceptions.UnknownFormatException("Unknown ELF class.")
if dataEncoding == elfconstants.ELF_DATA_ENCODING_TYPES["ELFDATA2LSB"]:
print "--> Data: LSB."
elif dataEncoding == elfconstants.ELF_DATA_ENCODING_TYPES[
"ELFDATAMSB"]:
print "--> Data: MSB."
else:
raise UnknownDataEncodingException(
"Unknown data encoding for ELF.")
# start parsing elf program headers
if self.elfHdr.e_phnum.value > 0:
if self.elfHdr.e_phoff.value:
off = self.elfHdr.e_phoff.value
size = self.elfHdr.e_phentsize.value
noEntries = self.elfHdr.e_phnum.value
# build the program header table
self.PhdrTable = Elf_PhdrTable.parse(readDataInstance,
noEntries, off, size,
elfClass)
# continue parsing elf section headers
if self.elfHdr.e_shnum.value > 0:
if self.elfHdr.e_shoff.value:
off = self.elfHdr.e_shoff.value
size = self.elfHdr.e_shentsize.value
noSections = self.elfHdr.e_shnum.value
# build the section header table
self.ShdrTable = Elf_ShdrTable.parse(readDataInstance,
noSections, off, size,
elfClass)
sectionNameStringTableIdx = self.elfHdr.e_shstrndx.value
if sectionNameStringTableIdx != elfconstants.ELF_SHN_SPECIAL["SHN_UNDEF"]\
and sectionNameStringTableIdx < self.elfHdr.e_shnum.value:
sectionNameStringTableEntry = self.ShdrTable[
sectionNameStringTableIdx]
for entry in self.ShdrTable:
idx = entry.sh_name.value
rd = elfutils.ReadData(
sectionNameStringTableEntry.sectionRawData)
rd.setOffset(idx)
entry.sectionName = rd.readString()