Related pages on www.mikekohn.net: anal_pe, anal_elf, dump_fat, amiga_explorer

The ELF File Format

A long time ago I started a program to parse the ELF file format. I recently wanted to play with some stuff with ELF stuff so I put this together. I know there are other ELF dumping programs but this one differs in that you can point to a memory location that has an ELF loaded, something that was mmap'd and had a .so file copied into, and anal_elf can return the address of position independant functions so they can be called. It works so far as is, but if the function being called calls a function in another library it will crash.

Key Features (from the version below)

• BSD License
• Ability to parse elf out of memory
• Ability to return pointers to functions - for replacing dlopen()
• Ability to run on Windows so that libraries can be loaded and functions can be called (limited.. see below)

Loading an ELF On Windows

Currently this program only compiles on Unix due to the mmap stuff, although I do plan on fixing this when I get a chance. But just out of curiousity, I made some changes to anal_elf so it would compile on Windows temporarily so I could test the test_lib.c program to see if I could load a UNIX ELF library on Windows and call a function.

So I updated test_lib.c so instead of calling elf_open() it mallocs a chunk of memory the size of test32.so, dumps the entire library into a memory buffer, and calls elf_open_from_mem() on the buffer. Because I was running this on Windows XP with a CPU that doesn't support the NX bit, it's possible to run code out of malloc()'d RAM. Had this been done on a CPU with the NX bit and Windows supports NX, the memory would have to had been allocated using VirtualAlloc() or CreateFileMapping() with execute permissiong on the memory pages. So, after doing an elf_open_from_mem() I could find the address of my int add_nums(int,int) function using the same find_symbol_address() call and since the library was compiled as position independant code (-fPIC) I was able to call this function on Windows. Cool eh? :). The only thing left is to replace external libraries with Windows libraries. For example if printf() is on rh library import list, i could automatically replace it with a LoadLIbrary to msvcrt.dll's printf().

How To Use

So actually there are other ELF tools out there that are much more useful such as objdump and readelf, but I made this one mostly to learn stuff and I have a couple features these don't have. First of all (as I said above) anal_elf can be built into a library so that a .so file can be loaded into memory and functions can be called into the .so file from another program without using dlopen() giving the option to call into Linux .so libraries on Windows. Secondly I added a -modify option to the anal_elf program so that functions can be changed to just return some set value.

So after typing "make" in the anal_elf directory, 3 things will be built: anal_elf, test.so, and test32.so. The anal_elf program is just a simple program to parse out sections from an elf file and display them similar to objdump and readelf. So to test this, type:

./anal_elf test.so

A bunch of headers will come out of that. So really this isn't much more interesting than what objdump/readelf can do, but I have a command line option -modify. Knowing that test.so has a function defined as: int return10_32(); and that this function will simply return 10 when I call it, if I do:

./anal_elf -modify return10_32 9293 test.so

Then this function is changed to be simply: int return10_32() { return 9293; }. Interesting eh? :)

So lastly, anal_elf can be compiled as a library and used in other programs also. Typing "make lib" will create a libanal_elf.so that can be linked into other programs. I included a sample program called test_lib.c that demonstrates simply opening up a library, returning a pointer to a function, and calling that function.

Download

anal_elf-2010-03-27.tar.gz

Copyright 1997-2010 - Michael Kohn

This page was designed to work with all standard HTML compatible web browsers including Firefox, IE, Safari, and Links.