elf – ELF file parsing

This module contains a parser for, and methods to extract information from ELF files.

class pwnypack.elf.ELF(f=None)

Bases: pwnypack.target.Target

A parser for ELF files. Upon parsing the ELF headers, it will not only fill the ELF specific fields but will also populate the inherited arch, bits and endian properties based on the values it encounters.

Parameters:f (str, file or None) – The (path to) the ELF file to parse.

Example

>>> from pwny import *
>>> e = ELF('my-executable')
>>> print(e.machine)
>>> print(e.program_headers)
>>> print(e.section_headers)
>>> print(e.symbols)

class DynamicSectionEntry(type_id, value)

Bases: object

Contains information about the entry in the .dynamic section.

Parameters:

• type_id (int) – The type id of the .dynamic section entry.
• value (int) – The value of the .dynamic section entry.

class Flags

Bases: enum.IntEnum

Flags when type is flags.

bind_now = None

Non-lazy binding required.

origin = None

$ORIGIN processing is required.

static_tls = None

Object uses static thread local storage.

symbolic = None

Symbol resolution is required.

textrel = None

Text relocations exist.

class ELF.DynamicSectionEntry.Flags_1

Bases: enum.IntEnum

Flags when type is flags_1.

confalt = None

Object is a configuration alternative.

direct = None

Direct bindings are enabled.

dispreldne = None

Displacement relocation has been completed.

disprelpnd = None

Displacement relocation is pending.

edited = None

Object has been modified since it was built.

endfiltee = None

Filtee terminates filter’s search.

global_ = None

Unused.

globaudit = None

Global auditing is enabled.

group = None

Object is a member of a group.

ignmuldef = None

Reserved for internal use.

initfirst = None

Objects’ initialization occurs first.

interpose = None

Object is an interposer.

loadfltr = None

Make sure filtees are loaded immediately.

nodeflib = None

Ignore the default library search path.

nodelete = None

Object cannot be removed from a process.

nodirect = None

Object contains non-direct bindings.

nodump = None

Object cannot be dumped.

nohdr = None

Reserved for internal use.

noksyms = None

Reserved for internal use.

noopen = None

Object cannot be used with dlopen.

noreloc = None

Reserved for internal use.

now = None

Perform complete relocation processing.

origin = None

$ORIGIN processing is required.

singleton = None

Singleton symbols exist.

symintpose = None

Individual symbol interposers exist.

class ELF.DynamicSectionEntry.Posflags_1

Bases: enum.IntEnum

Flags when type is ELF.DynamicSectionEntry.Type.posflags_1.

groupperm = None

Identify group dependency.

lazyload = None

Identify lazily loaded dependency.

class ELF.DynamicSectionEntry.Type

Bases: enum.IntEnum

Describes the dynamic section entry type.

audit = None

String table offset defining an audit library.

auxiliary = None

String table offset that names an auxiliary file.

bind_now = None

All relocations must be performed before code is executed.

checksum = None

A checksum of selected sections of the object.

config = None

String table offset to the path of the configuration file.

debug = None

Used for debugging.

depaudit = None

String table offset defining an audit library.

fini = None

The address of the termination function.

fini_array = None

Address of array of termination functions.

fini_arraysz = None

The size of the termination function array.

flags = None

Flags for this object.

flags_1 = None

Object-specific flags.

gnu_hash = None

Address of the GNU hash section.

hash = None

Address of symbol hash table within SYMTAB.

init = None

The address of the initialization function.

init_array = None

Address of array of initialization functions.

init_arraysz = None

The size of the initialization function array.

jmprel = None

Address of relocation entries that are only associated with the PLT.

max_postags = None

Number of dynamic array tags.

moveent = None

Size of move table entries.

movesz = None

Total size of move table.

movetab = None

Address of the move table.

needed = None

String table offset of the name of a needed dependency.

null = None

Marks the end of the dynamic section.

pltgot = None

Address of PLT/GOT.

pltpad = None

Address of the padding of the PLT.

pltpadsz = None

Size of padding of the PLT.

pltrel = None

Type of relocation entry in the PLT table. Either rel or rela.

pltrelsz = None

Total size of the relocation entries in the PLT.

posflags_1 = None

State flags applied to next dynamic section entry.

preinit_array = None

Address of array of pre-initialization functions.

preinit_arraysz = None

Size of pre-initialization function array.

rel = None

Similar to rela but with implicit addends.

rela = None

Address of the relocation table.

relacount = None

Relative relocation count.

relaent = None

The size a relocation table entry.

relasz = None

The size of the relocation table.

relcount = None

Relative relocation count.

relent = None

Size of a rel relocation section entry.

relsz = None

Size of the rel relocation section.

rpath = None

String table offset of a library search path.

runpath = None

String table offset of a library search path.

soname = None

String table offset for the name of the shared object.

sparc_register = None

STT_SPARC_REGISTER symbol index within the symbol table.

strsz = None

The size of the string table.

strtab = None

Address of the string table.

sunw_auxiliary = None

String table offset for one or more per-symbol, auxiliary filtees.

sunw_cap = None

Address of the capabilities section.

sunw_capchain = None

Address of the array of capability family indices.

sunw_capchainent = None

Size of the capability family index entry size.

sunw_capchainsz = None

The size of the capability family index array.

sunw_capinfo = None

Address of capability requirement symbol association table.

sunw_filter = None

String table offset for one or more per-symbol, standard filtee

sunw_ldmach = None

Machine architecture of the link-editor that produced this binary.

sunw_rtldinf = None

Reserved for internal use by the runtime-linker.

sunw_sortent = None

Size of symbol sort entries.

sunw_strpad = None

Size of dynamic string table padding.

sunw_symsort = None

Address of symbol sort section.

sunw_symsortsz = None

Size of symbol sort section.

sunw_symsz = None

Combined size of regular and local symbol table.

sunw_symtab = None

Address of symbol table for local function symbols.

sunw_tlssort = None

Address of thread local symbol sort section.

sunw_tlssortsz = None

Size of thread local symbol sort section.

symbolic = None

Object contains symbolic bindings.

syment = None

The size of a symbol table entry.

syminent = None

Size of a sumbol info table entry.

syminfo = None

Address of the symbol info table.

syminsz = None

Size of the symbol info table.

symtab = None

Address of the symbol table.

textrel = None

One or more relocation entries resides in a read-only segement.

unknown = None

Unknown dynamic section entry type, check type_id.

used = None

Same as needed.

verdef = None

Address of the version definition table.

verdefnum = None

Number of entries in the version definition table.

verneed = None

Address of the version dependency table.

verneednum = None

Number of entries in the version dependency table.

ELF.DynamicSectionEntry.type = None

The resolved type of this entry (one of Type).

ELF.DynamicSectionEntry.type_id = None

The numerical type of this entry.

ELF.DynamicSectionEntry.value = None

The value of this entry.

class ELF.Machine

Bases: enum.IntEnum

The target machine architecture.

aarch64 = None

64-bit Advanced RISC Machines ARM

alpha = None

Digital Alpha

arc = None

Argonaut RISC Core, Argonaut Technologies Inc.

arc_a5 = None

ARC Cores Tangent-A5

arca = None

Arca RISC Microprocessor

arm = None

Advanced RISC Machines ARM

avr = None

Atmel AVR 8-bit microcontroller

blackfin = None

Analog Devices Blackfin (DSP) processor

coldfire = None

Motorola ColdFire

cr = None

National Semiconductor CompactRISC microprocessor

cris = None

Axis Communications 32-bit embedded processor

d10v = None

Mitsubishi D10V

d30v = None

Mitsubishi D30V

f2mc16 = None

Fujitsu F2MC16

firepath = None

Element 14 64-bit DSP Processor

fr20 = None

Fujitsu FR20

fr30 = None

Fujitsu FR30

fx66 = None

Siemens FX66 microcontroller

h8_300 = None

Hitachi H8/300

h8_300h = None

Hitachi H8/300H

h8_500 = None

Hitachi H8/500

h8s = None

Hitachi H8S

huany = None

Harvard University machine-independent object files

i386 = None

Intel 80386

i860 = None

Intel 80860

i960 = None

Intel 80960

ia64 = None

Intel IA-64 processor architecture

ip2k = None

Ubicom IP2xxx microcontroller family

javelin = None

Infineon Technologies 32-bit embedded processor

m32 = None

AT&T WE 32100

m32r = None

Mitsubishi M32R

m68hc05 = None

Motorola MC68HC05 Microcontroller

m68hc08 = None

Motorola MC68HC08 Microcontroller

m68hc11 = None

Motorola MC68HC11 Microcontroller

m68hc12 = None

Motorola M68HC12

m68hc16 = None

Motorola MC68HC16 Microcontroller

m68k = None

Motorola 68000

m88k = None

Motorola 88000

max = None

MAX Processor

me16 = None

Toyota ME16 processor

mips = None

MIPS I Architecture

mips_rs3_le = None

MIPS RS3000 Little-endian

mipsx = None

Stanford MIPS-X

mma = None

Fujitsu MMA Multimedia Accelerator

mmix = None

Donald Knuth’s educational 64-bit processor

mn10200 = None

Matsushita MN10200

mn10300 = None

Matsushita MN10300

msp430 = None

Texas Instruments embedded microcontroller msp430

ncpu = None

Sony nCPU embedded RISC processor

ndr1 = None

Denso NDR1 microprocessor

none = None

No machine

ns32k = None

National Semiconductor 32000 series

openrisc = None

OpenRISC 32-bit embedded processor

parisc = None

Hewlett-Packard PA-RISC

pcp = None

Siemens PCP

pdp10 = None

Digital Equipment Corp. PDP-10

pdp11 = None

Digital Equipment Corp. PDP-11

pdsp = None

Sony DSP Processor

pj = None

picoJava

ppc = None

PowerPC

ppc64 = None

64-bit PowerPC

prism = None

SiTera Prism

rce = None

Motorola RCE

rh32 = None

TRW RH-32

s370 = None

IBM System/370 Processor

s390 = None

IBM System/390 Processor

se_c33 = None

S1C33 Family of Seiko Epson processors

sep = None

Sharp embedded microprocessor

snp1k = None

Trebia SNP 1000 processor

sparc = None

SPARC

sparc32plus = None

Enhanced instruction set SPARC

sparcv9 = None

SPARC Version 9

st100 = None

STMicroelectronics ST100 processor

st19 = None

STMicroelectronics ST19 8-bit microcontroller

st200 = None

STMicroelectronics ST200 microcontroller

st7 = None

STMicroelectronics ST7 8-bit microcontroller

st9plus = None

STMicroelectronics ST9+ 8/16 bit microcontroller

starcore = None

Motorola Star*Core processor

superh = None

Hitachi SuperH

svx = None

Silicon Graphics SVx

tinyj = None

Advanced Logic Corp. TinyJ embedded processor family

tmm_gpp = None

Thompson Multimedia General Purpose Processor

tpc = None

Tenor Network TPC processor

tricore = None

Siemens TriCore embedded processor

unicore = None

Microprocessor series from PKU-Unity Ltd. and MPRC of Peking University

unknown = None

Unknown architecture

v800 = None

NEC V800

v850 = None

NEC v850

vax = None

Digital VAX

videocore = None

Alphamosaic VideoCore processor

vpp550 = None

Fujitsu VPP500

x86_64 = None

AMD x86-64 architecture

xtensa = None

Tensilica Xtensa Architecture

zsp = None

LSI Logic 16-bit DSP Processor

class ELF.OSABI

Bases: enum.IntEnum

Describes the OS- or ABI-specific ELF extensions used by this file.

aix = None

AIX ABI

arch = None

Architecture specific ABI

arm = None

ARM ABI

aros = None

Amiga Research OS

freebsd = None

FreeBSD ABI

hp_ux = None

HP-UX ABI

irix = None

IRIX ABI

linux = None

Linux ABI

modesto = None

Novell Modesto

netbsd = None

NetBSD ABI

nsk = None

Hewlett-Packard Non-Stop Kernel

openbsd = None

OpenBSD ABI

openvms = None

OpenVMS ABI

solaris = None

Solaris ABI

system_v = None

SystemV ABI / No extensions

tru64 = None

Compaq TRU64 Unix

unknown = None

Unknown ABI

class ELF.ProgramHeader(elf, data)

Bases: object

Describes how the loader will load a part of a file. Called by the ELF class.

Parameters:

• elf (ELF) – The ELF instance owning this program header.
• data – The content of the program header entry.

class Flags

Bases: enum.IntEnum

The individual flags that make up ELF.ProgramHeader.flags.

r = None

Segment is readable

w = None

Segment is writable

x = None

Segment is executable

class ELF.ProgramHeader.Type

Bases: enum.IntEnum

The segment type.

dynamic = None

The element contains dynamic linking information

gnu_eh_frame = None

This element contains the exception handler unwind information

gnu_relro = None

This element contains the readonly relocations

gnu_stack = None

This element describes the access right of the stack

interp = None

The element contains the path of the interpreter

load = None

The element contains a loadable segment

note = None

The element contains auxiliary information

null = None

The element is unused

phdr = None

This element contains the program header table itself

shlib = None

This element type is reserved

unknown = None

Unknown type, check type_id for exact type

ELF.ProgramHeader.align = None

The alignment of the segment.

ELF.ProgramHeader.filesz = None

The size of the segment in the file.

ELF.ProgramHeader.flags = None

The flags for the segment (OR’ed values of Flags).

ELF.ProgramHeader.memsz = None

The size of the segment in memory.

ELF.ProgramHeader.offset = None

Where in the file the segment is located.

ELF.ProgramHeader.paddr = None

The physical address at which the segment is loaded.

ELF.ProgramHeader.type = None

The type of the segment (Type).

ELF.ProgramHeader.type_id = None

The numerical type describing the segment.

ELF.ProgramHeader.vaddr = None

The virtual address at which the segment is loaded.

class ELF.SectionHeader(elf, data)

Bases: object

Describes a section of an ELF file. Called by the ELF class.

Parameters:

• elf (ELF) – The ELF instance owning this section header.
• data – The content of the section header entry.

class Flags

Bases: enum.IntEnum

alloc = None

Section occupies memory during execution

exclude = None

Exclude section from linking

execinstr = None

Section contains executable code

group = None

Section is member of a group

info_link = None

Section’s info field contains SHT index

link_order = None

Preserve section order after combining

maskos = None

Mask for OS specific flags

maskproc = None

Mask for processor specific flags

merge = None

Section might be merged

ordered = None

Treat sh_link, sh_info specially

os_nonconforming = None

Non-standard OS-specific handling required

strings = None

Section contains NUL terminated strings

tls = None

Section holds thread-local data

write = None

Section is writable

class ELF.SectionHeader.Type

Bases: enum.IntEnum

Describes the section’s type

checksum = None

Checksum for DSO content

dynamic = None

Dynamic linking information

dynsym = None

Minimal symbol table for dynamic linking

fini_array = None

Array of termination functions

gnu_attributes = None

GNU extension – Object attributes

gnu_hash = None

GNU extension – GNU-style hash section

gnu_liblist = None

GNU extension – Pre-link library list

gnu_object_only = None

GNU extension

gnu_verdef = None

GNU extension – Version definition section

gnu_verneed = None

GNU extension – Version requirements section

gnu_versym = None

GNU extension – Version symbol table

group = None

Section group

hash = None

Symbol hash table

init_array = None

Array of initialisation functions

nobits = None

Occupies no file space, initialised to 0

note = None

Vendor or system specific notes

null = None

Inactive section header

num = None

Number of defined types

preinit_array = None

Array of initialisation functions

progbits = None

Program defined information

rel = None

Relocation entries without explicit addends

rela = None

Relocation entries with explicit addends

strtab = None

String table

sunw_comdat = None

SUN extension

sunw_move = None

SUN extension – Additional information for partially initialized data.

sunw_syminfo = None

SUN extension – Extra symbol information.

symtab = None

Full symbol table

symtab_shndx = None

Extended symbol section mapping table

unknown = None

Unknown section type

ELF.SectionHeader.addr = None

The memory address at which this section will be loaded

ELF.SectionHeader.addralign = None

Address alignment constraint

ELF.SectionHeader.content

The contents of this section.

ELF.SectionHeader.elf = None

The instance of ELF this symbol belongs to

ELF.SectionHeader.entsize = None

Size of the entries in this section

ELF.SectionHeader.flags = None

The flags for this section, see Flags

ELF.SectionHeader.info = None

Holds section type dependant extra information

ELF.SectionHeader.link = None

Holds a section type dependant section header table index link

ELF.SectionHeader.name = None

The name of this section

ELF.SectionHeader.name_index = None

The index into the string table for this section’s name

ELF.SectionHeader.offset = None

The offset in the file where this section resides

ELF.SectionHeader.size = None

The size of this section in the file

ELF.SectionHeader.type = None

The type of this section (one of Type

ELF.SectionHeader.type_id = None

The numeric identifier of the section type

class ELF.Symbol(elf, data, strs)

Bases: object

Contains information about symbols. Called by the ELF class.

Parameters:

• elf (ELF) – The ELF instance owning this symbol.
• data – The content of the symbol definition.
• strs – The content of the string section associated with the symbol table.

class Binding

Bases: enum.IntEnum

Describes a symbol’s binding.

global_ = None

Global symbol

local = None

Local symbol

weak = None

Weak symbol

class ELF.Symbol.SpecialSection

Bases: enum.IntEnum

Special section types.

abs = None

Symbol has an absolute value that will not change because of relocation

common = None

Symbol labels a common block that has not yet been allocated.

undef = None

Symbol is undefined and will be resolved by the runtime linker

class ELF.Symbol.Type

Bases: enum.IntEnum

Describes the symbol’s type.

common = None

The symbol labels an uninitialized common block

file = None

Contains the name of the source file

func = None

Symbol is a function or contains other executable code

notype = None

Symbol has no type

object = None

Symbol is an object

section = None

Symbol is associated with a section

tls = None

The symbol specifies a Thread-Local Storage entity

unknown = None

Symbol has an unknown type

class ELF.Symbol.Visibility

Bases: enum.IntEnum

Describes the symbol’s visibility.

default = None

Global and weak symbols are visible, local symbols are hidden

hidden = None

Symbol is invisible to other components

internal = None

Symbol is an internal symbol

protected = None

Symbol is visible but not preemptable

ELF.Symbol.content

The contents of a symbol.

Raises:TypeError – If the symbol isn’t defined until runtime.

ELF.Symbol.elf = None

The instance of ELF this symbol belongs to

ELF.Symbol.info = None

Describes the symbol’s type and binding (see type and

ELF.Symbol.name = None

The resolved name of this symbol

ELF.Symbol.name_index = None

The index of the symbol’s name in the string table

ELF.Symbol.other = None

Specifies the symbol’s visibility

ELF.Symbol.shndx = None

The section in which this symbol is defined (or one of the SpecialSection types)

ELF.Symbol.size = None

The size of the symbol

ELF.Symbol.type = None

The resolved type of this symbol (one of Type)

ELF.Symbol.type_id = None

The numerical type of this symbol

ELF.Symbol.value = None

The value of the symbol (type dependent)

ELF.Symbol.visibility = None

The visibility of this symbol (one of Visibility)

class ELF.Type

Bases: enum.IntEnum

Describes the object type.

core = None

Core file

executable = None

Executable file

none = None

No file type

os = None

OS specific

proc = None

Processor specific

relocatable = None

Relocatable file

shared = None

Shared object file

unknown = None

Unknown object type

ELF.abi_version = None

The specific ABI version of the OS / ABI.

ELF.dynamic_section_entries

A list of entries in the .dynamic section.

ELF.entry = None

The entry point address.

ELF.f = None

The ELF file.

ELF.flags = None

The flags. Currently, no flags are defined.

ELF.get_dynamic_section_entry(index)

Get a specific .dynamic section entry by index.

Parameters:symbol (int) – The index of the .dynamic section entry to return. Returns:The .dynamic section entry. Return type:ELF.DynamicSectionEntry Raises:KeyError – The requested entry does not exist.

ELF.get_program_header(index)

Return a specific program header by its index.

Parameters:index (int) – The program header index. Returns:The program header. Return type:ProgramHeader Raises:KeyError – The specified index does not exist.

ELF.get_section_header(section)

Get a specific section header by index or name.

Parameters:section (int or str) – The index or name of the section header to return. Returns:The section header. Return type:SectionHeader Raises:KeyError – The requested section header does not exist.

ELF.get_symbol(symbol)

Get a specific symbol by index or name.

Parameters:symbol (int or str) – The index or name of the symbol to return. Returns:The symbol. Return type:ELF.Symbol Raises:KeyError – The requested symbol does not exist.

ELF.hsize = None

The size of the header.

ELF.machine = None

The machine architecture (one of ELF.Machine).

ELF.osabi = None

The OSABI (one of ELF.OSABI).

ELF.parse_file(f)

Parse an ELF file and fill the class’ properties.

Parameters:f (file or str) – The (path to) the ELF file to read.

ELF.phentsize = None

The size of a program header.

ELF.phnum = None

The number of program headers.

ELF.phoff = None

The offset of the first program header in the file.

ELF.program_headers

A list of all program headers.

ELF.section_headers

Return the list of section headers.

ELF.shentsize = None

The size of a section header.

ELF.shnum = None

The number of section headers.

ELF.shoff = None

The offset of the first section header in the file.

ELF.shstrndx = None

The index of the section containing the section names.

ELF.symbols

Return a list of all symbols.

ELF.type = None

The object type (one of ELF.Type).