// This is free and unencumbered software released into the public domain.
//
// Anyone is free to copy, modify, publish, use, compile, sell, or
// distribute this software, either in source code form or as a compiled
// binary, for any purpose, commercial or non-commercial, and by any
// means.
//
// In jurisdictions that recognize copyright laws, the author or authors
// of this software dedicate any and all copyright interest in the
// software to the public domain. We make this dedication for the benefit
// of the public at large and to the detriment of our heirs and
// successors. We intend this dedication to be an overt act of
// relinquishment in perpetuity of all present and future rights to this
// software under copyright law.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
// OTHER DEALINGS IN THE SOFTWARE.
//
// For more information, please refer to
//
// @author xamidev
// @brief Recon tool for ELF32/64
#include
#include
#include
#include
#include
#include
#define MAX_FILENAME 256
#define EI_NIDENT 16
#define MAX_HEADER_LEN 2048
#define PF_X 1
#define PT_GNU_STACK 0x6474e551
#define Elf32_Half uint16_t
#define Elf32_Word uint32_t
#define Elf32_Addr uint32_t
#define Elf32_Off uint32_t
#define Elf64_Half uint32_t
#define Elf64_Word uint64_t
#define Elf64_Addr uint64_t
#define Elf64_Off uint64_t
bool verbose = false;
bool pie = false;
bool nx = false;
struct Elf32_Ehdr
{
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry;
Elf32_Off e_phoff;
Elf32_Off e_shoff;
Elf32_Word e_flags;
Elf32_Half e_ehsize;
Elf32_Half e_phentsize;
Elf32_Half e_phnum;
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shstrndx;
};
struct Elf32_Phdr
{
Elf32_Word p_type;
Elf32_Off p_offset;
Elf32_Addr p_vaddr;
Elf32_Addr p_paddr;
Elf32_Word p_filesz;
Elf32_Word p_memsz;
Elf32_Word p_flags;
Elf32_Word p_align;
};
struct Elf64_Ehdr
{
unsigned char e_ident[EI_NIDENT];
Elf64_Half e_type;
Elf64_Half e_machine;
Elf64_Word e_version;
Elf64_Addr e_entry;
Elf64_Off e_phoff;
Elf64_Off e_shoff;
Elf64_Word e_flags;
Elf64_Half e_ehsize;
Elf64_Half e_phentsize;
Elf64_Half e_phnum;
Elf64_Half e_shentsize;
Elf64_Half e_shnum;
Elf64_Half e_shstrndx;
};
int parse_elf_header32(struct Elf32_Ehdr* header, FILE* fp)
{
if (!fread(header, sizeof(struct Elf32_Ehdr), 1, fp))
{
return -EINVAL;
}
return 0;
}
int parse_elf_header64(struct Elf64_Ehdr* header, FILE* fp)
{
if (!fread(header, sizeof(struct Elf64_Ehdr), 1, fp))
{
return -EINVAL;
}
return 0;
}
int read_elf_magic(FILE* fp)
{
char buf[5] = {0};
fread(buf, 1, 4, fp);
if (memcmp(buf, "\177ELF", 4) == 0) return 1;
return 0;
}
void display_elf_common(unsigned char e_ident[EI_NIDENT])
{
// EI_DATA
switch(e_ident[5])
{
case 0x01:
printf("(little-endian) ");
break;
case 0x02:
printf("(big-endian) ");
break;
default:
printf("\nInvalid data encoding!\n");
exit(-EINVAL);
}
if (verbose)
{
// EI_VERSION
printf("version %d ", e_ident[6]);
}
}
void display_elf32(struct Elf32_Ehdr* header)
{
printf("32-bit ELF ");
display_elf_common(header->e_ident);
switch (header->e_type)
{
case 0x00:
printf("(no file type),");
break;
case 0x01:
printf("(relocatable file),");
break;
case 0x02:
printf("(executable file),");
break;
case 0x03: // (ET_DYN, prob means PIE)
printf("(shared object file),");
pie = true;
break;
case 0x04:
printf("(core file),");
break;
default:
printf("(unknown),");
break;
}
printf(" ");
switch (header->e_machine)
{
case 0x00:
printf("No architecture,");
break;
case 0x01:
printf("AT&T WE 32100,");
break;
case 0x02:
printf("SPARC,");
break;
case 0x03:
printf("i386,");
break;
case 0x04:
printf("Motorola 68000,");
break;
case 0x05:
printf("Motorola 88000,");
break;
case 0x07:
printf("Intel 80860,");
break;
case 0x08:
printf("MIPS RS3000,");
break;
case 0x09:
printf("MIPS RS4000,");
break;
default:
printf("Unknown architecture");
break;
}
if (verbose)
{
printf("\ne_version: %d\n", header->e_version);
printf("e_entry: 0x%08x\n", header->e_entry);
printf("e_phoff: 0x%08x\n", header->e_phoff);
printf("e_shoff: 0x%08x\n", header->e_shoff);
printf("e_flags: 0x%08x\n", header->e_flags);
printf("e_ehsize: 0x%08x\n", header->e_ehsize);
printf("e_phentsize: 0x%08x\n", header->e_phentsize);
printf("e_phnum: 0x%08x\n", header->e_phnum);
printf("e_shentsize: 0x%08x\n", header->e_shentsize);
printf("e_shnum: 0x%08x\n", header->e_shnum);
printf("e_shstrndx: 0x%08x\n", header->e_shstrndx);
}
}
void check_sec32(struct Elf32_Ehdr* header, FILE* fp)
{
fseek(fp, header->e_phoff, SEEK_SET);
/*
* Browse thru program header table (e_phnum items) from e_phoff (program header offset)
* if its stack and has executable bit then we know NX isnt there
*/
for (size_t i=0; i < header->e_phnum; i++)
{
struct Elf32_Phdr p_header;
fread (&p_header, 1, sizeof(struct Elf32_Phdr), fp);
if (p_header.p_type == PT_GNU_STACK)
{
if (p_header.p_flags & PF_X)
{
nx = false;
}
else
{
nx = true;
}
}
}
}
void display_elf64(struct Elf64_Ehdr* header)
{
printf("64-bit ELF ");
display_elf_common(header->e_ident);
}
unsigned char read_elf_obj_size(FILE* fp)
{
unsigned char local_elf_obj_size = 0;
fseek(fp, 4, SEEK_SET);
fread(&local_elf_obj_size, 1, 1, fp);
rewind(fp);
return local_elf_obj_size;
}
void display_sec_common()
{
printf(" %s, ", nx ? "\x1b[32mNX enabled\x1b[0m" : "\x1b[31mNX disabled\x1b[0m");
printf("%s, ", pie ? "\x1b[32mPIE enabled\x1b[0m" : "\x1b[31mPIE disabled\x1b[0m");
}
int main(int argc, char* argv[])
{
// Argument processing
if (argc < 2)
{
printf("Usage: %s [options]\n -v --verbose displays more information\n", argv[0]);
return -EINVAL;
}
for (int i=1; i