Related pages on www.mikekohn.net: anal_pe, magic_elf, dump_fat, amiga_recovery dump_d64

The ELF File Format

A long time ago I started a program to parse the ELF file format. I recently wanted to play with some stuff with ELF stuff so I put this together. I know there are other ELF dumping programs but this one differs in that you can point to a memory location that has an ELF loaded, something that was mmap'd and had a .so file copied into, and magic_elf can return the address of position independant functions so they can be called. It works so far as is, but if the function being called calls a function in another library it will crash.

Key Features (from the version below)

• BSD License
• Ability to parse elf out of memory
• Ability to return pointers to functions - for replacing dlopen()
• Ability to run on Windows so that libraries can be loaded and functions can be called (limited.. see below)
• Ability to modify a function to just return a set value.
• Ability to print to the screen the value of a string symbol.

Loading an ELF On Windows

Currently this program only compiles on Unix due to the mmap stuff, although I do plan on fixing this when I get a chance. But just out of curiousity, I made some changes to magic_elf so it would compile on Windows temporarily so I could test the test_lib.c program to see if I could load a UNIX ELF library on Windows and call a function.

So I updated test_lib.c so instead of calling elf_open() it mallocs a chunk of memory the size of test32.so, dumps the entire library into a memory buffer, and calls elf_open_from_mem() on the buffer. Because I was running this on Windows XP with a CPU that doesn't support the NX bit, it's possible to run code out of malloc()'d RAM. Had this been done on a CPU with the NX bit and Windows supports NX, the memory would have to had been allocated using VirtualAlloc() or CreateFileMapping() with execute permission on the memory pages. So, after doing an elf_open_from_mem() I could find the address of my int add_nums(int,int) function using the same find_symbol_address() call and since the library was compiled as position independant code (-fPIC) I was able to call this function on Windows. Cool eh? :). The only thing left is to replace external libraries with Windows libraries. For example if printf() is on rh library import list, i could automatically replace it with a LoadLibrary to msvcrt.dll's printf().

How To Use

So actually there are other ELF tools out there that are much more useful such as objdump and readelf, but I made this one mostly to learn stuff and I have a couple features these don't have. First of all (as I said above) magic_elf can be built into a library so that a .so file can be loaded into memory and functions can be called into the .so file from another program without using dlopen() giving the option to call into Linux .so libraries on Windows. Secondly I added a -modify option to the magic_elf program so that functions can be changed to just return some set value.

So after typing "make" in the magic_elf directory, 3 things will be built: magic_elf, test.so, and test32.so. The magic_elf program is just a simple program to parse out sections from an elf file and display them similar to objdump and readelf. So to test this, type:

./magic_elf test.so

A bunch of headers will come out of that. So really this isn't much more interesting than what objdump/readelf can do, but I have a command line option -modify. Knowing that test.so has a function defined as: int return10_32(); and that this function will simply return 10 when I call it, if I do:

./magic_elf -modify return10_32 9293 test.so

Then this function is changed to be simply: int return10_32() { return 9293; }. Interesting eh? :)

As of October 15, 2011 I added a feature that if your library or standard executable has something like: char *version = "10.1"; for example, magic_elf can find these symbols and display their value to the screen with:

./magic_elf -show version test.so

.. after typing that magic_elf will show: version="10.1"

So lastly, magic_elf can be compiled as a library and used in other programs also. Typing "make lib" will create a libmagic_elf.so that can be linked into other programs. I included a sample program called test_lib.c that demonstrates simply opening up a library, returning a pointer to a function, and calling that function.

Download

magic_elf-2011-10-30.tar.gz

Copyright 1997-2012 - Michael Kohn