xamidev/helpelf
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f3496b103e5be5f959e6f6b744e0a7521c1c9f97
helpelf/main.c

528 lines
12 KiB
C
Raw Blame History

// This is free and unencumbered software released into the public domain.
//
// Anyone is free to copy, modify, publish, use, compile, sell, or
// distribute this software, either in source code form or as a compiled
// binary, for any purpose, commercial or non-commercial, and by any
// means.
//
// In jurisdictions that recognize copyright laws, the author or authors
// of this software dedicate any and all copyright interest in the
// software to the public domain. We make this dedication for the benefit
// of the public at large and to the detriment of our heirs and
// successors. We intend this dedication to be an overt act of
// relinquishment in perpetuity of all present and future rights to this
// software under copyright law.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
// IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
// OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
// OTHER DEALINGS IN THE SOFTWARE.
//
// For more information, please refer to <https://unlicense.org/>
//
// @author xamidev <xamidev@riseup.net>
// @brief Recon tool for ELF32/64
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
// Data structures as per ELF specification:
// https://refspecs.linuxfoundation.org/elf/elf.pdf
// Only what we need (no elf.h)
#define MAX_FILENAME 256
#define EI_NIDENT 16
#define MAX_HEADER_LEN 2048
#define PF_X 1
#define PT_GNU_STACK 0x6474e551
#define SHT_DYNSYM 11
#define SHT_SYMTAB 2
#define PT_GNU_RELRO 0x6474e552
#define PT_DYNAMIC 2
#define DT_BIND_NOW 24
#define PT_INTERP 3
#define Elf32_Half uint16_t
#define Elf32_Word uint32_t
#define Elf32_Sword int32_t
#define Elf32_Addr uint32_t
#define Elf32_Off uint32_t
#define Elf64_Half uint32_t
#define Elf64_Word uint64_t
#define Elf64_Addr uint64_t
#define Elf64_Off uint64_t
bool verbose = false;
bool pie = false;
bool nx = false;
bool canary = false;
bool relro = false;
bool bind_now = false;
bool stripped = true;
bool interp = false;
struct Elf32_Ehdr
{
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry;
Elf32_Off e_phoff;
Elf32_Off e_shoff;
Elf32_Word e_flags;
Elf32_Half e_ehsize;
Elf32_Half e_phentsize;
Elf32_Half e_phnum;
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shstrndx;
};
struct Elf32_Phdr
{
Elf32_Word p_type;
Elf32_Off p_offset;
Elf32_Addr p_vaddr;
Elf32_Addr p_paddr;
Elf32_Word p_filesz;
Elf32_Word p_memsz;
Elf32_Word p_flags;
Elf32_Word p_align;
};
struct Elf32_Shdr
{
Elf32_Word sh_name;
Elf32_Word sh_type;
Elf32_Word sh_flags;
Elf32_Addr sh_addr;
Elf32_Off sh_offset;
Elf32_Word sh_size;
Elf32_Word sh_link;
Elf32_Word sh_info;
Elf32_Word sh_addralign;
Elf32_Word sh_entsize;
};
struct Elf32_Sym
{
Elf32_Word st_name;
Elf32_Addr st_value;
Elf32_Word st_size;
unsigned char st_info;
unsigned char st_other;
Elf32_Half st_shndx;
};
struct Elf32_Dyn
{
Elf32_Sword d_tag;
union
{
Elf32_Word d_val;
Elf32_Addr d_ptr;
} d_un;
} Elf32_Dyn;
struct Elf64_Ehdr
{
unsigned char e_ident[EI_NIDENT];
Elf64_Half e_type;
Elf64_Half e_machine;
Elf64_Word e_version;
Elf64_Addr e_entry;
Elf64_Off e_phoff;
Elf64_Off e_shoff;
Elf64_Word e_flags;
Elf64_Half e_ehsize;
Elf64_Half e_phentsize;
Elf64_Half e_phnum;
Elf64_Half e_shentsize;
Elf64_Half e_shnum;
Elf64_Half e_shstrndx;
};
int parse_elf_header32(struct Elf32_Ehdr* header, FILE* fp)
{
if (!fread(header, sizeof(struct Elf32_Ehdr), 1, fp))
{
return -EINVAL;
}
return 0;
}
int parse_elf_header64(struct Elf64_Ehdr* header, FILE* fp)
{
if (!fread(header, sizeof(struct Elf64_Ehdr), 1, fp))
{
return -EINVAL;
}
return 0;
}
int read_elf_magic(FILE* fp)
{
char buf[5] = {0};
fread(buf, 1, 4, fp);
if (memcmp(buf, "\177ELF", 4) == 0) return 1;
return 0;
}
void display_elf_common(unsigned char e_ident[EI_NIDENT])
{
// EI_DATA
switch(e_ident[5])
{
case 0x01:
printf("(little-endian) ");
break;
case 0x02:
printf("(big-endian) ");
break;
default:
printf("\nInvalid data encoding!\n");
exit(-EINVAL);
}
if (verbose)
{
// EI_VERSION
printf("version %d ", e_ident[6]);
}
}
void check_dynamic32(struct Elf32_Ehdr* header, FILE* fp)
{
// Is dynamically linked? (has PT_INTERP program header?)
// read program headers
fseek(fp, header->e_phoff, SEEK_SET);
struct Elf32_Phdr *p_headers = malloc(header->e_phnum * sizeof(struct Elf32_Phdr));
fread(p_headers, sizeof(struct Elf32_Phdr), header->e_phnum, fp);
const char* interpstr = NULL;
for (int i=0; i<header->e_phnum; i++)
{
if (p_headers[i].p_type == PT_INTERP)
{
interp = true;
// Get interpreter path
interpstr = malloc(p_headers[i].p_filesz);
fseek(fp, p_headers[i].p_offset, SEEK_SET);
fread((char*)interpstr, 1, p_headers[i].p_filesz, fp);
break;
}
}
if (interp)
{
printf("dynamically linked (interpreter: %s), ", interpstr);
}
else
{
printf("statically linked, ");
}
}
void display_elf32(struct Elf32_Ehdr* header, FILE* fp)
{
printf("32-bit ELF ");
display_elf_common(header->e_ident);
if (verbose)
{
switch (header->e_type)
{
case 0x00:
printf("(no file type),");
break;
case 0x01:
printf("(relocatable file),");
break;
case 0x02:
printf("(executable file),");
break;
case 0x03: // (ET_DYN, prob means PIE)
printf("(shared object file),");
pie = true;
break;
case 0x04:
printf("(core file),");
break;
default:
printf("(unknown),");
break;
}
printf(" ");
} else if (header->e_type == 0x03)
{
pie = true;
}
switch (header->e_machine)
{
case 0x00:
printf("No architecture, ");
break;
case 0x01:
printf("AT&T WE 32100, ");
break;
case 0x02:
printf("SPARC, ");
break;
case 0x03:
printf("i386, ");
break;
case 0x04:
printf("Motorola 68000, ");
break;
case 0x05:
printf("Motorola 88000, ");
break;
case 0x07:
printf("Intel 80860, ");
break;
case 0x08:
printf("MIPS RS3000, ");
break;
case 0x09:
printf("MIPS RS4000, ");
break;
default:
printf("Unknown architecture, ");
break;
}
if (verbose)
{
check_dynamic32(header, fp);
}
}
void check_nx32(struct Elf32_Ehdr* header, FILE* fp)
{
}
void check_sec32(struct Elf32_Ehdr* header, FILE* fp)
{
/* NX:
* Browse thru program header table (e_phnum items) from e_phoff (program header offset)
* if its stack and has executable bit then we know NX isnt there
*/
fseek(fp, header->e_phoff, SEEK_SET);
for (size_t i=0; i<header->e_phnum; i++)
{
struct Elf32_Phdr p_header;
fread (&p_header, 1, sizeof(struct Elf32_Phdr), fp);
if (p_header.p_type == PT_GNU_STACK)
{
if (p_header.p_flags & PF_X)
{
nx = false;
}
else
{
nx = true;
}
}
}
/* Stack canary:
* Same for section header table (e_shnum items) from e_shoff (section header offset)
* find sections .dynsym or .symtab:
* and look for __stack_chk_fail (call for stack smashing)
*/
fseek(fp, header->e_shoff, SEEK_SET);
// Read section headers
struct Elf32_Shdr *s_headers = malloc(header->e_shnum * sizeof(struct Elf32_Shdr));
fread(s_headers, sizeof(struct Elf32_Shdr), header->e_shnum, fp);
// Find section name string table (at e_shstrndx) and read it
struct Elf32_Shdr s_header_str = s_headers[header->e_shstrndx];
char* s_header_strtab = malloc(s_header_str.sh_size);
fseek(fp, s_header_str.sh_offset, SEEK_SET);
fread(s_header_strtab, 1, s_header_str.sh_size, fp);
for (size_t i=0; i<header->e_shnum; i++)
{
// additional small check for stripping as we're already browsing section headers
if (s_headers[i].sh_type == SHT_SYMTAB && s_headers[i].sh_size > 0) stripped = false;
if (s_headers[i].sh_type == SHT_DYNSYM || s_headers[i].sh_type == SHT_SYMTAB)
{
// load symbol table
unsigned int nsyms = s_headers[i].sh_size / s_headers[i].sh_entsize;
struct Elf32_Sym *syms = malloc(s_headers[i].sh_size);
fseek(fp, s_headers[i].sh_offset, SEEK_SET);
fread(syms, s_headers[i].sh_size, 1, fp);
// load string table
struct Elf32_Shdr str_header = s_headers[s_headers[i].sh_link];
char* strtab = malloc(str_header.sh_size);
fseek(fp, str_header.sh_offset, SEEK_SET);
fread(strtab, 1, str_header.sh_size, fp);
// iterate through symbols, check for __stack_chk_fail
for (size_t j=0; j<nsyms; j++)
{
const char* name = strtab + syms[j].st_name;
if (strcmp(name, "__stack_chk_fail") == 0)
{
canary = true;
}
}
}
}
/* RELRO:
* Segment type PT_GNU_RELRO should be present
*/
// Read program headers
fseek(fp, header->e_phoff, SEEK_SET);
struct Elf32_Phdr *p_headers = malloc(header->e_phnum * sizeof(struct Elf32_Phdr));
fread (p_headers, sizeof(struct Elf32_Phdr), header->e_phnum, fp);
Elf32_Off dyn_off = 0;
Elf32_Word dyn_size = 0;
for (int i=0; i<header->e_phnum; i++)
{
if (p_headers[i].p_type == PT_GNU_RELRO)
{
relro = true;
}
if (p_headers[i].p_type == PT_DYNAMIC)
{
dyn_off = p_headers[i].p_offset;
dyn_size = p_headers[i].p_filesz;
}
}
if (dyn_off && dyn_size)
{
int n = dyn_size / sizeof(struct Elf32_Dyn);
struct Elf32_Dyn *dyns = malloc(dyn_size);
fseek(fp, dyn_off, SEEK_SET);
fread(dyns, sizeof(struct Elf32_Dyn), n, fp);
for (int i=0; i<n; i++)
{
// Has full RELRO?
if (dyns[i].d_tag == DT_BIND_NOW)
{
bind_now = true;
break;
}
}
}
}
void display_elf64(struct Elf64_Ehdr* header)
{
printf("64-bit ELF ");
display_elf_common(header->e_ident);
}
unsigned char read_elf_obj_size(FILE* fp)
{
unsigned char local_elf_obj_size = 0;
fseek(fp, 4, SEEK_SET);
fread(&local_elf_obj_size, 1, 1, fp);
rewind(fp);
return local_elf_obj_size;
}
void display_sec_common()
{
printf("%s, ", nx ? "\x1b[32mNX enabled\x1b[0m" : "\x1b[31mNX disabled\x1b[0m");
printf("%s, ", pie ? "\x1b[32mPIE enabled\x1b[0m" : "\x1b[31mPIE disabled\x1b[0m");
printf("%s, ", canary ? "\x1b[32mStack canary enabled\x1b[0m" : "\x1b[31mStack canary disabled\x1b[0m");
printf("%s, ", relro && bind_now ? "\x1b[32mFull RELRO\x1b[0m" : relro ? "\x1b[33mPartial RELRO\x1b[0m" : "\x1b[31mNo RELRO\x1b[0m");
printf("%s\n", stripped ? "\x1b[32mStripped\x1b[0m" : "\x1b[31mNot stripped\x1b[0m");
}
int main(int argc, char* argv[])
{
// Argument processing
if (argc < 2)
{
printf("Usage: %s <file> [options]\n -v --verbose displays more information\n", argv[0]);
return -EINVAL;
}
for (int i=1; i<argc; i++)
{
if (strncmp(argv[i], "-v", 2) == 0) verbose = true;
}
char* filename = argv[1];
if (!filename)
{
printf("Error parsing filename.\n");
return -EINVAL;
}
FILE* elf_file = fopen(filename, "rb");
if (!elf_file)
{
printf("Couldn't open file '%s'\n", filename);
return -ENOENT;
}
int is_elf = read_elf_magic(elf_file);
if (!is_elf)
{
printf("Not a valid ELF file.\n");
return -EINVAL;
}
printf("%s: ", filename);
// ELF32 or ELF64?
unsigned char elf_obj_size = read_elf_obj_size(elf_file);
switch(elf_obj_size)
{
case 0x01:
struct Elf32_Ehdr elf32_header = {0};
if (parse_elf_header32(&elf32_header, elf_file))
{
printf("Failed to parse 32-bit ELF header\n");
return -EINVAL;
}
display_elf32(&elf32_header, elf_file);
check_sec32(&elf32_header, elf_file);
break;
case 0x02:
struct Elf64_Ehdr elf64_header = {0};
if (parse_elf_header64(&elf64_header, elf_file))
{
printf("Failed to parse 64-bit ELF header\n");
return -EINVAL;
}
display_elf64(&elf64_header);
break;
default:
printf("Invalid ELF object size\n");
return -EINVAL;
}
display_sec_common();
return EXIT_SUCCESS;
}
Reference in New Issue View Git Blame Copy Permalink