anal_elf (ELF File Format Analyzer)

The ELF File Format

A long time ago I started a program to parse the ELF file format. I recently wanted to experiment with ELF files again, so I put this together. I know there are other ELF dumping programs, but this one differs in that you can point it at a memory location that holds a loaded ELF, for example an mmap'd region into which a .so file has been copied, and anal_elf can return the addresses of position-independent functions so they can be called. It works as is so far, but if the called function itself calls a function in another library it will crash.

Key Features (from the version below)

  • BSD License
  • Ability to parse an ELF out of memory
  • Ability to return pointers to functions, for replacing dlopen()
  • Ability to run on Windows so that libraries can be loaded and functions can be called (limited; see below)

Loading an ELF On Windows

Currently this program only compiles on Unix because of its use of mmap, although I do plan on fixing this when I get a chance. But just out of curiosity, I made some temporary changes to anal_elf so it would compile on Windows, so I could use the test_lib.c program to see if I could load a UNIX ELF library on Windows and call a function.

So I updated test_lib.c so that instead of calling elf_open() it mallocs a chunk of memory the size of test32.so, dumps the entire library into that buffer, and calls elf_open_from_mem() on the buffer. Because I was running this on Windows XP with a CPU that doesn't support the NX bit, it's possible to run code out of malloc()'d RAM. Had this been done on a CPU with the NX bit and a Windows version that supports NX, the memory would have had to be allocated using VirtualAlloc() or CreateFileMapping() with execute permission on the memory pages. So, after doing an elf_open_from_mem() I could find the address of my int add_nums(int,int) function using the same find_symbol_address() call, and since the library was compiled as position-independent code (-fPIC) I was able to call this function on Windows. Cool eh? :). The only thing left is to replace external libraries with Windows libraries. For example, if printf() is on the library's import list, I could automatically replace it with a LoadLibrary() of msvcrt.dll and its printf().
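The lookup that find_symbol_address() performs, as an added Python example that is not anal_elf's own code: it parses a little-endian ELF64 image held in a byte buffer, walks the section headers to .dynsym and its linked string table, and returns the named symbol's st_value, bounds-checking every table offset so a truncated or corrupted image is rejected instead of being read past the end of the buffer. The returned value is an offset from the load base, which the caller adds to the mapping address; build_sample_elf() constructs a minimal test image with hypothetical symbol names and is not a loadable library.

```python
import struct

# ELF64 layout constants, fixed by the ELF specification
ELF_MAGIC = b"\x7fELF"
SHT_STRTAB, SHT_DYNSYM, EHDR_SIZE, SHDR_SIZE, SYM_SIZE = 3, 11, 64, 64, 24
SHDR_FMT, SYM_FMT = "<IIQQQQIIQQ", "<IBBHQQ"  # Elf64_Shdr, Elf64_Sym

def find_symbol_address(buf, name):
    """Return the st_value (offset from the load base) of `name` in .dynsym, or None.
    Every table offset is bounds-checked so a malformed image raises ValueError."""
    if len(buf) < EHDR_SIZE or buf[:4] != ELF_MAGIC or buf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    e_shoff, _, _, _, _, e_shentsize, e_shnum = struct.unpack_from("<QIHHHHH", buf, 0x28)
    if e_shentsize != SHDR_SIZE or e_shoff + e_shnum * SHDR_SIZE > len(buf):
        raise ValueError("section header table out of range")
    shdrs = [struct.unpack_from(SHDR_FMT, buf, e_shoff + i * SHDR_SIZE) for i in range(e_shnum)]
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:                          # sh_type
            continue
        sym_off, sym_size, link = sh[4], sh[5], sh[6]    # sh_offset, sh_size, sh_link
        if link >= e_shnum or shdrs[link][1] != SHT_STRTAB:
            raise ValueError(".dynsym does not link to a string table")
        str_off, str_size = shdrs[link][4], shdrs[link][5]
        if sym_off + sym_size > len(buf) or str_off + str_size > len(buf):
            raise ValueError("symbol or string table out of range")
        strtab = buf[str_off:str_off + str_size]
        for off in range(sym_off, sym_off + sym_size - SYM_SIZE + 1, SYM_SIZE):
            st_name, _, _, _, st_value, _ = struct.unpack_from(SYM_FMT, buf, off)
            end = strtab.find(b"\0", st_name)            # unterminated names never match
            if end != -1 and strtab[st_name:end] == name.encode():
                return st_value
    return None

def build_sample_elf(symbols):
    """Constructed test image (not a loadable library): header, .dynstr, .dynsym,
    then a section header table of [null, .dynstr, .dynsym]. Symbol names are hypothetical."""
    dynstr, syms, off = b"\0", b"\0" * SYM_SIZE, 1       # index 0 is the reserved null symbol
    for sym_name, value in symbols:
        syms += struct.pack(SYM_FMT, off, 0x12, 0, 1, value, 0)  # STB_GLOBAL | STT_FUNC
        dynstr += sym_name.encode() + b"\0"
        off += len(sym_name) + 1
    str_off, sym_off = EHDR_SIZE, EHDR_SIZE + len(dynstr)
    shoff = sym_off + len(syms)
    shdr = lambda typ, o, size, link, ent: struct.pack(SHDR_FMT, 0, typ, 0, 0, o, size, link, 0, 1, ent)
    shdrs = (shdr(0, 0, 0, 0, 0) + shdr(SHT_STRTAB, str_off, len(dynstr), 0, 0)
             + shdr(SHT_DYNSYM, sym_off, len(syms), 1, SYM_SIZE))
    ehdr = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(  # ELFCLASS64, LSB, EV_CURRENT
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, EHDR_SIZE, 0, 0, SHDR_SIZE, 3, 0)
    return ehdr + dynstr + syms + shdrs
```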

How To Use

Coming soon...

Download

anal_elf-2009-04-19.tar.gz



Copyright 1997-2010 - Michael Kohn