The ELF shell

The ELF shell is an interactive, modular, and scriptable ELF (Executable and Linking Format) machine for static binary instrumentation of executable files, shared libraries and relocatable ELF objects. Its features make it usable by reverse engineers and security analysts for embedded analysis, using compiled C code extensions of binary programs. It provides execution flow redirection, which allows the generation of dynamic analyzers and binary-level testing. ELFsh is compatible with kernel hardening patches: it can perform operational modifications on systems with non-executable stack and heap, and this on multiple architectures.

The main features of the ELF shell are:

  • Injection of new compiled C code into a binary executable or dynamic library file.
  • Function redirection for all kinds of functions.
  • Relinking of dynamic or static binary files to add all sorts of dependencies without moving the original address space.
  • Full access in read/write mode to the ELF data structures from the scripting language, including but not limited to:
    • The Global Offset Table (.got) section
    • The dynamic linking section (.dynamic)
    • The constructors (.ctors) and destructors (.dtors) array
    • The ELF GNU version tables (a contributor is needed for the SUN/Solaris version table format)
    • The ELF interpreter (.interp) section
    • ELF dynamic and static symbol tables (.dynsym and .symtab)
    • ELF relocation tables (.rel(a).*)
    • ELF Hash table (.hash)
    • All other sections in raw read/write mode using hexadecimal strings

Latest news

We report here the latest features of the ELF shell in static binary instrumentation and manipulation:

June 7 2007
ELFsh 0.78 is now available again in portable branch, for Linux, FreeBSD, NetBSD, and Solaris
March 24 2007
ELFsh 0.77 is available for Linux and FreeBSD (enhanced for INTEL, SPARC32, SPARC64, ALPHA and MIPS architectures)


Portability of elfsh

Some ELFsh features are more portable than others. The current state of portability is as follows:

Architecture                    INTEL  SPARC32  SPARC64  MIPS32  ALPHA  Others
Full access to ELF structures   Yes    Yes      Yes      Yes     Yes    Yes
Injection of C compiled code    Yes    Yes      Yes      WIP     Yes    No
Internal function redirection   Yes    No       No       Yes     Yes    No
External function redirection   Yes    Yes      Yes      Yes     Yes    No
Dynamic ELF file relinking      Yes    No       No       No      No     No
Static ELF file relinking       Yes    Yes      Yes      WIP     Yes    No

Unavailable features are open for contribution, provided nobody has already taken over the implementation of the feature on the bug tracking system (bts).

Dependencies

The ELF shell depends on other components from the ERESI framework:

  • libelfsh : the binary manipulation library, for ET_REL injection, EXTPLT partial relinking, and function redirection primitives.
  • libasm : the disassembly engine, for full disassembly of binary code with or without symbols.
  • librevm : the Reverse Engineering Vector Machine, the dedicated interpreter of the ERESI scripting language.
  • libaspect : the type specification library, a lower-level component required by the interpreter.

Articles about elfsh

The ELF shell is the subject of three articles:

  • The Cerberus ELF Interface

This article introduced three new binary injection and redirection techniques. The ET_REL static injection technique allows adding compiled extensions to binary programs without additional external library dependencies. The ALTPLT static redirection is an extension of the PLT redirection that allows redirecting functions in a PaX-compatible way, making them point directly to compiled C routines instead of architecture-dependent, manually written assembly code. Finally, the DT_DEBUG to DT_NEEDED .dynamic entry translation has shown how to add library dependencies by changing only 4 bytes of content in a given binary file. All those techniques are the base of recent debugging and tracing facilities in the ERESI framework.
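The read/write access to the .dynamic section listed in the features above and the DT_DEBUG to DT_NEEDED translation described in this article can both be illustrated with the small ELF64 parser below. This is an added example written for this page, not ELFsh or ERESI code. It builds two constructed in-memory ELF64 images (a clean one and one whose DT_DEBUG entry has been rewritten as a DT_NEEDED), lists the DT_NEEDED dependencies the way readelf -d shows them, and applies two defender-side heuristics that catch the translation: an ET_EXEC whose .dynamic has no DT_DEBUG entry, and a DT_NEEDED entry that appears after the leading block of NEEDED/RPATH/RUNPATH entries the usual linkers (GNU ld, lld) write first. The images are ELF64, where d_tag is 8 bytes rather than the 4 bytes of the ELF32 entry the article refers to; the library names, the section layout of the samples and the assumption about linker ordering are this example's own.

```python
import struct
import sys
from typing import List, Tuple

# Constants from the ELF specification (only the ones this example needs).
ET_EXEC = 2
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_INIT, DT_RPATH, DT_DEBUG, DT_RUNPATH = 0, 1, 5, 10, 12, 15, 21, 29
LEADING_TAGS = (DT_NEEDED, DT_RPATH, DT_RUNPATH)   # block GNU ld / lld emit first (assumption)

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")          # Elf64_Shdr
DYN = struct.Struct("<qQ")                   # Elf64_Dyn: d_tag is 8 bytes here (4 in ELF32)


def cstr(blob: bytes, off: int) -> str:
    """NUL-terminated string at offset off of a string table."""
    end = blob.find(b"\0", off)
    return blob[off:end if end >= 0 else len(blob)].decode(errors="replace")


def read_headers(elf: bytes):
    """Return (e_type, section header tuples, section names) of a little-endian ELF64 image."""
    ident, e_type, _, _, _, _, shoff, _, _, _, _, _, shnum, shstrndx = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    shdrs = [SHDR.unpack_from(elf, shoff + i * SHDR.size) for i in range(shnum)]
    shstr = shdrs[shstrndx]                                # section name string table
    shstrtab = elf[shstr[4]:shstr[4] + shstr[5]]           # field 4 = sh_offset, 5 = sh_size
    return e_type, shdrs, [cstr(shstrtab, sh[0]) for sh in shdrs]


def parse_dynamic(elf: bytes) -> Tuple[int, List[Tuple[int, int, str]]]:
    """Walk .dynamic up to DT_NULL; returns (e_type, [(d_tag, d_val, resolved name or "")])."""
    e_type, shdrs, names = read_headers(elf)
    dyn = shdrs[names.index(".dynamic")]
    if dyn[1] != SHT_DYNAMIC:
        raise ValueError(".dynamic does not have type SHT_DYNAMIC")
    strsec = shdrs[dyn[6]]                                 # sh_link -> .dynstr
    dynstr = elf[strsec[4]:strsec[4] + strsec[5]]
    entries = []
    for pos in range(dyn[4], dyn[4] + dyn[5], DYN.size):
        tag, val = DYN.unpack_from(elf, pos)
        if tag == DT_NULL:
            break
        name = ""
        if tag in LEADING_TAGS:                            # d_val is an offset into .dynstr
            name = cstr(dynstr, val) if val < len(dynstr) else "<out of range>"
        entries.append((tag, val, name))
    return e_type, entries


def needed_libraries(elf: bytes) -> List[str]:
    """The DT_NEEDED dependencies in .dynamic order (what readelf -d lists as NEEDED)."""
    return [name for tag, _, name in parse_dynamic(elf)[1] if tag == DT_NEEDED]


def audit_dynamic(elf: bytes) -> List[str]:
    """Heuristics for a DT_DEBUG -> DT_NEEDED rewrite; returns human-readable findings."""
    e_type, entries = parse_dynamic(elf)
    findings = []
    if e_type == ET_EXEC and DT_DEBUG not in [t for t, _, _ in entries]:
        findings.append("ET_EXEC with a .dynamic section but no DT_DEBUG entry")
    leading = True   # still inside the NEEDED/RPATH/RUNPATH block the linker writes first
    for tag, val, name in entries:
        if tag not in LEADING_TAGS:
            leading = False
        elif tag == DT_NEEDED:
            if name == "<out of range>":
                findings.append(f"DT_NEEDED string offset {val:#x} lies outside .dynstr")
            elif not leading:
                findings.append(f"DT_NEEDED '{name}' appears after non-NEEDED entries")
    return findings


def build_elf64(e_type: int, dyn_entries, dynstr: bytes) -> bytes:
    """Constructed minimal ELF64 image: header, .dynstr, .dynamic, .shstrtab, section headers."""
    shstrtab = b"\0.dynstr\0.dynamic\0.shstrtab\0"
    dynamic = b"".join(DYN.pack(tag, val) for tag, val in dyn_entries)
    off_dynstr = EHDR.size
    off_dynamic = off_dynstr + len(dynstr)
    off_shstr = off_dynamic + len(dynamic)
    off_shdrs = off_shstr + len(shstrtab)
    shdrs = [
        SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                                          # SHN_UNDEF
        SHDR.pack(shstrtab.index(b".dynstr"), SHT_STRTAB, 0, 0, off_dynstr, len(dynstr), 0, 0, 1, 0),
        SHDR.pack(shstrtab.index(b".dynamic"), SHT_DYNAMIC, 0, 0, off_dynamic, len(dynamic), 1, 0, 8, DYN.size),
        SHDR.pack(shstrtab.index(b".shstrtab"), SHT_STRTAB, 0, 0, off_shstr, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)    # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, 0, off_shdrs, 0, EHDR.size, 0, 0, SHDR.size, len(shdrs), 3)
    return ehdr + dynstr + dynamic + shstrtab + b"".join(shdrs)


# Constructed samples. TAMPERED_ELF is CLEAN_ELF with its DT_DEBUG entry rewritten as a DT_NEEDED
# pointing at a second name in .dynstr, i.e. the state the article's translation produces.
DYNSTR = b"\0libc.so.6\0libextra.so\0"
LIBC, LIBEXTRA = DYNSTR.index(b"libc.so.6"), DYNSTR.index(b"libextra.so")
TAIL = [(DT_STRTAB, 0x400200), (DT_STRSZ, len(DYNSTR)), (DT_NULL, 0)]
CLEAN_ELF = build_elf64(ET_EXEC, [(DT_NEEDED, LIBC), (DT_INIT, 0x401000), (DT_DEBUG, 0)] + TAIL, DYNSTR)
TAMPERED_ELF = build_elf64(ET_EXEC, [(DT_NEEDED, LIBC), (DT_INIT, 0x401000), (DT_NEEDED, LIBEXTRA)] + TAIL, DYNSTR)

if __name__ == "__main__":
    # With a path argument the checks run on that file instead of the constructed samples.
    images = [open(sys.argv[1], "rb").read()] if len(sys.argv) > 1 else [CLEAN_ELF, TAMPERED_ELF]
    for image in images:
        print("NEEDED:", needed_libraries(image))
        print("findings:", audit_dynamic(image) or ["none"])
```

Run without arguments to see the clean sample pass and the tampered one raise both findings, or pass a path to an x86-64 binary to run the same checks on it. The ordering heuristic rests on how the linker lays out .dynamic, and a binary that was legitimately post-processed by a tool rewriting .dynamic can trip it as well, so treat the findings as leads to inspect rather than verdicts; the missing DT_DEBUG check applies to dynamically linked executables, since shared libraries normally carry no DT_DEBUG entry.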

  • Reverse engineering des systemes ELF/INTEL (Reverse engineering of ELF/INTEL systems)

This article describes the early work on control flow analysis, binary injection, function redirection, statically performed ASLR (Address Space Layout Randomization), and semantic attributes for the INTEL architecture instruction set.

  • Interception de l'information sur le format ELF (Information interception on the ELF format)

This article deals with static binary modification techniques for runtime interception on the ELF format. It is a (very) condensed version of the previous article.