The ELF shell library : libelfsh
The ELF shell library is the binary manipulation library of the ELF shell. It contains primitives for static on-disk modification and inspection of binary programs in the 32-bit or 64-bit Executable and Linking Format (ELF).
The main features of the ELF shell library are:
- Full API for all ELF structures.
- ET_REL injection into ET_EXEC/ET_DYN ELF files.
- ALTGOT redirection technique, for external function redirection on RISC architectures.
- ALTPLT redirection technique, for external function redirection.
- CFLOW redirection technique, for internal function redirection.
- EXTPLT partial relinking technique, for adding unknown extern symbols to the program.
- EXTSTATIC static file relinking technique.
- Partial SHT reconstruction technique.
- PaX protection attributes access in RW mode.
- Core files manipulation.
Latest news for libelfsh
| June 23 2007 | Added NetBSD compatibility for SHT reconstruction |
| June 10 2007 | Added sanity checks for binaries with corrupted symbol tables |
Portability of libelfsh
Some libelfsh features are more portable than others. The current state of portability is as follows:
| Feature / Architecture | INTEL | SPARC32 | SPARC64 | MIPS32 | ALPHA | Others |
| Full API for all ELF structures | Yes | Yes | Yes | Yes | Yes | Yes |
| ET_REL injection into ET_EXEC/ET_DYN | Yes | Yes | Yes | WIP | Yes | No |
| CFLOW redirection | Yes | No | No | Yes | Yes | No |
| ALTPLT redirection | Yes | Yes | Yes | Yes | Yes | No |
| EXTPLT technique | Yes | No | No | No | No | No |
| EXTSTATIC technique | Yes | Yes | Yes | WIP | Yes | No |
Unavailable features are open to contributions, provided nobody else has already taken over the implementation of the feature on the bts.
Dependencies
The ELF shell library depends on other components from the ERESI framework:
- libasm: the disassembly library (useful for knowing the exact size of INTEL instructions when re-encoding opcodes).
- libaspect: the types specification library, which exports its vectors, hash table and profiling API.
Articles featuring libelfsh
Because libelfsh is the core part of the ELF shell, it is the subject of the same three articles (all from 2003):
- The Cerberus ELF Interface
This article introduced three new binary injection and redirection techniques. The ET_REL static injection technique allows compiled extensions to be added to binary programs without depending on additional external libraries. The ALTPLT static redirection is an extension of PLT redirection that redirects functions in a PaX-compatible way, making them point directly to compiled C routines instead of architecture-dependent, manually written assembly code. Finally, the DT_DEBUG to DT_NEEDED .dynamic entry translation showed how to add a library dependency just by changing 4 bytes of content in a given binary file. All these techniques are the base of the recent debugging and tracing facilities in the ERESI framework.
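As an added example (not code from libelfsh or the ERESI project), the following Python script, written for this page, shows the inspection side of the feature list above and the DT_DEBUG/DT_NEEDED point from a defender's seat: it walks the ELF64 header and program headers, reads the dynamic array, resolves DT_STRTAB through the PT_LOAD mapping, and reports which DT_NEEDED libraries a binary declares. The two input images are constructed in-line (the names libc.so.6 and libinjected.so are placeholders); the second one carries a DT_NEEDED entry in the slot where an executable would normally have DT_DEBUG, which the audit flags. The "missing DT_DEBUG" heuristic is only meaningful for ET_EXEC files: shared objects legitimately have no DT_DEBUG entry.

```python
"""Read the .dynamic array of an ELF64 image and audit its DT_NEEDED entries.

Hypothetical helper written for this page; it is not libelfsh code.
"""
import struct

# Subset of ELF constants (values from the ELF specification).
ET_EXEC = 2
EM_X86_64 = 62
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_DEBUG = 0, 1, 5, 21

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn (d_tag is signed)


def build_sample_elf(dynamic_tags, dynstr=b"\0libc.so.6\0libinjected.so\0"):
    """Constructed fixture: ELF header, one PT_LOAD mapping the whole file at
    vaddr 0, one PT_DYNAMIC, then the dynamic array and its string table.
    Not a loadable program, just enough layout for parse_dynamic()."""
    phoff = EHDR.size
    dynoff = phoff + 2 * PHDR.size
    dynsize = DYN.size * (len(dynamic_tags) + 1)  # +1 for the DT_NULL terminator
    stroff = dynoff + dynsize
    total = stroff + len(dynstr)
    # DT_STRTAB holds a virtual address; with vaddr == offset here it is stroff.
    entries = [(t, stroff if t == DT_STRTAB else v) for t, v in dynamic_tags]
    entries.append((DT_NULL, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB, v1
    ehdr = EHDR.pack(ident, ET_EXEC, EM_X86_64, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)
    load = PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dyn = PHDR.pack(PT_DYNAMIC, 6, dynoff, dynoff, dynoff, dynsize, dynsize, 8)
    body = b"".join(DYN.pack(t, v) for t, v in entries)
    return ehdr + load + dyn + body + dynstr


def vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address to a file offset through the PT_LOAD segments."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= vaddr < p["vaddr"] + p["filesz"]:
            return vaddr - p["vaddr"] + p["offset"]
    raise ValueError("address 0x%x is not backed by any PT_LOAD segment" % vaddr)


def read_cstring(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")


def parse_dynamic(image):
    """Return e_type, the DT_NEEDED names and whether a DT_DEBUG entry exists."""
    fields = EHDR.unpack_from(image, 0)
    ident = fields[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, phoff, phnum = fields[1], fields[5], fields[10]
    phdrs = []
    for i in range(phnum):
        t, _fl, off, va, _pa, fsz, _msz, _al = PHDR.unpack_from(image, phoff + i * PHDR.size)
        phdrs.append({"type": t, "offset": off, "vaddr": va, "filesz": fsz})
    dynseg = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    if dynseg is None:  # statically linked: nothing to audit here
        return {"type": e_type, "dynamic": False, "needed": [], "has_debug": False}
    entries, pos, end = [], dynseg["offset"], dynseg["offset"] + dynseg["filesz"]
    while pos + DYN.size <= end:  # never read past the segment (corrupted tables)
        tag, val = DYN.unpack_from(image, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
        pos += DYN.size
    strtab = next(v for t, v in entries if t == DT_STRTAB)
    stroff = vaddr_to_offset(phdrs, strtab)
    needed = [read_cstring(image, stroff + v) for t, v in entries if t == DT_NEEDED]
    has_debug = any(t == DT_DEBUG for t, _ in entries)
    return {"type": e_type, "dynamic": True, "needed": needed, "has_debug": has_debug}


def audit(image, expected_needed):
    """Defender-side check: flag DT_NEEDED names outside the expected set and an
    ET_EXEC with no DT_DEBUG entry (the linker normally emits one)."""
    info = parse_dynamic(image)
    findings = ["unexpected DT_NEEDED: " + lib for lib in info["needed"]
                if lib not in expected_needed]
    if info["dynamic"] and info["type"] == ET_EXEC and not info["has_debug"]:
        findings.append("ET_EXEC without DT_DEBUG entry")
    return findings


# Constructed samples; dynstr offsets: 1 -> "libc.so.6", 11 -> "libinjected.so".
NORMAL = build_sample_elf([(DT_NEEDED, 1), (DT_STRTAB, 0), (DT_DEBUG, 0)])
# Same layout, but the DT_DEBUG slot carries a DT_NEEDED pointing at a second name.
ALTERED = build_sample_elf([(DT_NEEDED, 1), (DT_STRTAB, 0), (DT_NEEDED, 11)])

if __name__ == "__main__":
    for name, img in (("normal", NORMAL), ("altered", ALTERED)):
        print(name, parse_dynamic(img)["needed"], audit(img, {"libc.so.6"}))
```

To run it against a real file, pass `open(path, "rb").read()` to `audit()` with the library set you expect for that build; the output can be cross-checked against `readelf -d`, which prints the same dynamic entries.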
- Reverse engineering des systemes ELF/INTEL (Reverse engineering of ELF/INTEL systems)
This French article describes the early work on control flow analysis, binary injection, function redirection, statically performed ASLR (Address Space Layout Randomization), and semantic attributes for the INTEL architecture instruction set.
- Interception de l'information sur le format ELF (Information interception on the ELF format)
This French article deals with static binary modification techniques for runtime interception on the ELF format. It is a (very) condensed version of the previous article.
