dissector.c - Coloured ELF files dissector

原文链接:https://packetstormsecurity.com/files/download/125972/dissector.c

   1 /*
   2  * dissector.c - Coloured ELF files dissector
   3  * By Alejandro Hernandez <nitr0us>
   4  *
   5  * Supported archs: x86 / x86_64
   6  *
   7  * No security in mind (No boundary checkings)
   8  * If a malformed ELF is supplied, it'll definitely segfault
   9  *
  10  * $gcc dissector.c -o dissector -Wall
  11  *
  12  * Mexico
  13  */
  14 
  15 #include <stdio.h>
  16 #include <unistd.h>
  17 #include <string.h>
  18 #include <stdlib.h>
  19 #include <getopt.h>
  20 #include <fcntl.h>
  21 #include <sys/mman.h>
  22 #include <sys/stat.h>
  23 #include <elf.h>
  24 
  25 //#ifdef    COLOURS
  26 #define RED    "\033[31m"
  27 #define WHITE    "\033[01m"
  28 #define YELLOW    "\033[33m"
  29 #define RESET    "\033[00m"
  30 //#else
  31 //#define RED    ""
  32 //#define WHITE    ""
  33 //#define YELLOW    "\033[33m"
  34 //#define RESET    ""
  35 //#endif
  36 
  37 /*** 32 - 64 BITS COMPAT ***/
  38 #if defined(__i386__)        // x86
  39 #define Elf_Half Elf32_Half
  40 #define Elf_Word Elf32_Word
  41 #define Elf_Sword Elf32_Sword
  42 #define Elf_Xword Elf32_Xword
  43 #define Elf_Sxword Elf32_Sxword
  44 #define Elf_Addr Elf32_Addr
  45 #define Elf_Off Elf32_Off
  46 #define Elf_Section Elf32_Section
  47 #define Elf_Ehdr Elf32_Ehdr
  48 #define Elf_Shdr Elf32_Shdr
  49 #define Elf_Sym Elf32_Sym
  50 #define Elf_Rel Elf32_Rel
  51 #define Elf_Rela Elf32_Rela
  52 #define Elf_Phdr Elf32_Phdr
  53 #define Elf_Dyn Elf32_Dyn
  54 #define Elf_Nhdr Elf32_Nhdr
  55 
  56 #define ELF_ST_TYPE ELF32_ST_TYPE
  57 #define ELF_ST_BIND ELF32_ST_BIND
  58 #define ELF_ST_VISIBILITY ELF32_ST_VISIBILITY
  59 
  60 #define ELF_R_TYPE ELF32_R_TYPE
  61 #define ELF_R_SYM ELF32_R_SYM
  62 
  63 #define DEC "%d"
  64 #define HEX "%.8x"
  65 
  66 #define SPACE    ""
  67 
  68 #elif defined(__x86_64__)    // x86_64
  69 #define Elf_Half Elf64_Half
  70 #define Elf_Word Elf64_Word
  71 #define Elf_Sword Elf64_Sword
  72 #define Elf_Xword Elf64_Xword
  73 #define Elf_Sxword Elf64_Sxword
  74 #define Elf_Addr Elf64_Addr
  75 #define Elf_Off Elf64_Off
  76 #define Elf_Section Elf64_Section
  77 #define Elf_Ehdr Elf64_Ehdr
  78 #define Elf_Shdr Elf64_Shdr
  79 #define Elf_Sym Elf64_Sym
  80 #define Elf_Rel Elf64_Rel
  81 #define Elf_Rela Elf64_Rela
  82 #define Elf_Phdr Elf64_Phdr
  83 #define Elf_Dyn Elf64_Dyn
  84 #define Elf_Nhdr Elf64_Nhdr
  85 
  86 #define ELF_ST_TYPE ELF64_ST_TYPE
  87 #define ELF_ST_BIND ELF64_ST_BIND
  88 #define ELF_ST_VISIBILITY ELF64_ST_VISIBILITY
  89 
  90 #define ELF_R_TYPE ELF64_R_TYPE
  91 #define ELF_R_SYM ELF64_R_SYM
  92 
  93 #define DEC "%ld"
  94 #define HEX "%.16lx"
  95 
  96 #define SPACE    "        " // Used to align the view when printing 64 or 32 bit variables
  97 #else
  98 #error  "Unsupported arch"
  99 #endif
 100 /*** 32 - 64 BITS COMPAT ***/
 101 
 102 
 103 /* MODES */
 104 #define    HEADER    (1 << 0)
 105 #define    SECTION    (1 << 1)
 106 #define    PROGRAM    (1 << 2)
 107 #define    SYMBOL    (1 << 3)
 108 #define DYNAMIC (1 << 4)
 109 #define RELOC    (1 << 5)
 110 #define NOTES    (1 << 6)
 111 #define ALL    (HEADER + SECTION + PROGRAM + SYMBOL + DYNAMIC + RELOC + NOTES)
 112 
 113 /* PROTOTYPES */
 114 void usage(const char *);
 115 void banner();
 116 int  elf_identification(int);
 117 void elf_header(Elf_Ehdr);
 118 void sht(char *);
 119 void pht(char *);
 120 void symbols(char *);
 121 void dynamic(char *);
 122 void relocations(char *);
 123 void notes(char *);
 124 
 125 int    numeric = 0;
 126 int    shstrtab_offset = 0;
 127 
 128 int main(int argc, char **argv)
 129 {
 130     int        fd, opt, mode = 0;
 131     char        *elfptr;
 132     struct stat    statinfo;
 133     Elf_Ehdr    header;
 134     Elf_Shdr    shstrtab_section;
 135 
 136     if(argc < 3)
 137         usage(argv[0]);
 138 
 139     while((opt = getopt(argc, argv, "naHSPsDRhN")) != EOF)
 140         switch(opt){
 141                 case 'n':
 142                     numeric = 1;
 143                     break;
 144                 case 'a':
 145                     mode |= ALL;
 146                     break;
 147                 case 'H':
 148                     mode |= HEADER;
 149                     break;
 150                 case 'S':
 151                     mode |= SECTION;
 152                     break;
 153                 case 'P':
 154                     mode |= PROGRAM;
 155                     break;
 156                 case 's':
 157                     mode |= SYMBOL;
 158                     break;
 159                 case 'D':
 160                     mode |= DYNAMIC;
 161                     break;
 162                 case 'R':
 163                     mode |= RELOC;
 164                     break;
 165                 case 'N':
 166                     mode |= NOTES;
 167                     break;
 168                 case 'h':
 169                 default:
 170                     usage(argv[0]);
 171         }
 172 
 173     if(argv[optind] == NULL){
 174         fprintf(stderr, "Give me an ELF file\n");
 175         usage(argv[0]);
 176     }
 177 
 178     if((fd = open(argv[optind], O_RDONLY)) == -1){
 179         perror("open");
 180         exit(-1);
 181     }
 182 
 183     if(!elf_identification(fd)){
 184         fprintf(stderr, "This is not a supported ELF file\n");
 185         exit(-1);
 186     }
 187 
 188     if(fstat(fd, &statinfo) == -1){
 189         perror("stat");
 190         close(fd);
 191         exit(-1);
 192     }
 193 
 194     if((elfptr = (char *) mmap(NULL, statinfo.st_size, PROT_READ, MAP_SHARED, fd, 0)) == MAP_FAILED){
 195         perror("mmap");
 196         close(fd);
 197         exit(-1);
 198     }
 199 
 200     close(fd);
 201 
 202     header = *(Elf_Ehdr *) elfptr;
 203     shstrtab_section = *(Elf_Shdr *) (elfptr + header.e_shoff + header.e_shstrndx * sizeof(Elf_Shdr));
 204     if(shstrtab_section.sh_size > 0)
 205         shstrtab_offset  = shstrtab_section.sh_offset;
 206 
 207     if(mode & HEADER){
 208         printf("\n%sELF HEADER:%s\n", RED, RESET);
 209         elf_header(header);
 210     }
 211 
 212     if(mode & SECTION){
 213         printf("\n%sSECTION HEADER TABLE:%s\n", RED, RESET);
 214         if(header.e_shoff == 0)
 215             printf("[%sNO SECTION HEADER TABLE FOUND%s]\n", WHITE, RESET);
 216         else
 217             sht(elfptr);
 218     }
 219 
 220     if(mode & PROGRAM){
 221         printf("\n%sPROGRAM HEADER TABLE:%s\n", RED, RESET);
 222         pht(elfptr);
 223     }
 224 
 225     if(mode & SYMBOL){
 226         printf("\n%sSYMBOL TABLE:%s\n", RED, RESET);
 227         symbols(elfptr);
 228     }
 229 
 230     if(mode & DYNAMIC){
 231         printf("\n%sDYNAMIC INFORMATION:%s\n", RED, RESET);
 232         dynamic(elfptr);
 233     }
 234 
 235     if(mode & RELOC){
 236         printf("\n%sRELOCATIONS:%s\n", RED, RESET);
 237         relocations(elfptr);
 238     }
 239 
 240     if(mode & NOTES){
 241         printf("\n%sNOTES:%s\n", RED, RESET);
 242         notes(elfptr);
 243     }
 244 
 245     munmap(elfptr, statinfo.st_size);
 246     return 0;
 247 }
 248 
 249 void usage(const char *self)
 250 {
 251     banner();
 252 
 253     fprintf(stderr, "Usage: %s [-n] <options> <elf_file>\n", self);
 254     fprintf(stderr, "\tOptions:\n");
 255     fprintf(stderr, "\t-n\tPrint everything in numeric values\n");
 256     fprintf(stderr, "\t-a\tAll(-HSPsdr)\n");
 257     fprintf(stderr, "\t-H\tELF header\n");
 258     fprintf(stderr, "\t-S\tSection headers\n");
 259     fprintf(stderr, "\t-P\tProgram headers\n");
 260     fprintf(stderr, "\t-s\tSymbol Table\n");
 261     fprintf(stderr, "\t-D\tDynamic information\n");
 262     fprintf(stderr, "\t-R\tRelocations\n");
 263     fprintf(stderr, "\t-N\tNotes\n");
 264     fprintf(stderr, "\t-h\tThis help\n");
 265     exit(0);
 266 }
 267 
 268 void banner()
 269 {
 270     printf("%s######################################################%s\n", RED, RESET);
 271     printf("%s##%s%s         ELF ( x86 / x86_64 ) Dissector           %s%s##%s\n", RED, RESET, YELLOW, RESET, RED, RESET);
 272     printf("%s##%s%s                  by nitr0us                      %s%s##%s\n", RED, RESET, YELLOW, RESET, RED, RESET);
 273     printf("%s######################################################%s\n\n", RED, RESET);
 274 }
 275 
 276 int elf_identification(int fd)
 277 {
 278     Elf_Ehdr    header;
 279 
 280     if(read(fd, &header, sizeof(header)) == -1){
 281         perror("elf_identification: read");
 282         return 0;
 283     }
 284 
 285     /* magic number verification */
 286     if(header.e_ident[EI_MAG0] != ELFMAG0 ||
 287             header.e_ident[EI_MAG1] != ELFMAG1 ||
 288             header.e_ident[EI_MAG2] != ELFMAG2 ||
 289             header.e_ident[EI_MAG3] != ELFMAG3){
 290         fprintf(stderr, "elf_identification: Invalid MAGIC Number\n");
 291         return 0;
 292     }
 293 
 294     return 1;
 295 }
 296 
 297 void elf_header(Elf_Ehdr hdr)
 298 {
 299     int        k;
 300 
 301     printf("%se_ident:%s\t\t", WHITE, RESET);
 302     for(k = 0; k < EI_NIDENT; k++)
 303         printf("%.2x ", hdr.e_ident[k]);
 304 
 305     printf("\n%se_ident[EI_CLASS]:%s\t", WHITE, RESET);
 306     if(numeric)
 307         printf("0x%.2x", hdr.e_ident[EI_CLASS]);
 308     else
 309         switch(hdr.e_ident[EI_CLASS]){
 310             case ELFCLASSNONE:
 311                 printf("ELFCLASSNONE");
 312                 break;
 313             case ELFCLASS32:
 314                 printf("ELFCLASS32");
 315                 break;
 316             case ELFCLASS64:
 317                 printf("ELFCLASS64");
 318                 break;
 319             default:
 320                 printf("%sINVALID CLASS%s (0x%x)", RED, RESET, hdr.e_ident[EI_CLASS]);
 321         }
 322 
 323     printf("\n%se_ident[EI_DATA]:%s\t", WHITE, RESET);
 324     if(numeric)
 325         printf("0x%.2x", hdr.e_ident[EI_DATA]);
 326     else
 327         switch(hdr.e_ident[EI_DATA]){
 328             case ELFDATANONE:
 329                 printf("ELFDATANONE");
 330                 break;
 331             case ELFDATA2LSB:
 332                 printf("ELFDATA2LSB");
 333                 break;
 334             case ELFDATA2MSB:
 335                 printf("ELFDATA2MSB");
 336                 break;
 337             default:
 338                 printf("%sINVALID DATA%s (0x%x)", RED, RESET, hdr.e_ident[EI_DATA]);
 339         }
 340 
 341     printf("\n%se_ident[EI_VERSION]:%s\t", WHITE, RESET);
 342     if(numeric)
 343         printf("0x%.2x", hdr.e_ident[EI_VERSION]);
 344     else{
 345         if(hdr.e_ident[EI_VERSION] == EV_CURRENT)
 346             printf("EV_CURRENT");
 347         else
 348             printf("%sINVALID VERSION%s (0x%x)", RED, RESET, hdr.e_ident[EI_VERSION]);
 349     }
 350 
 351     printf("\n%se_ident[EI_OSABI]:%s\t", WHITE, RESET);
 352     if(numeric)
 353         printf("0x%.2x", hdr.e_ident[EI_OSABI]);
 354     else
 355         switch(hdr.e_ident[EI_OSABI]){
 356             case ELFOSABI_SYSV:
 357                 printf("ELFOSABI_SYSV");
 358                 break;
 359             case ELFOSABI_NETBSD:
 360                 printf("ELFOSABI_NETBSD");
 361                 break;
 362             case ELFOSABI_OPENBSD:
 363                 printf("ELFOSABI_OPENBSD");
 364                 break;
 365             case ELFOSABI_FREEBSD:
 366                 printf("ELFOSABI_FREEBSD");
 367                 break;
 368             case ELFOSABI_LINUX:
 369                 printf("ELFOSABI_LINUX");
 370                 break;
 371             case ELFOSABI_SOLARIS:
 372                 printf("ELFOSABI_SOLARIS");
 373                 break;
 374             default:
 375                 printf("%s0x%x%s", RED, hdr.e_ident[EI_OSABI], RESET);
 376         }
 377 
 378     printf("\n%se_ident[EI_ABIVERSION]:%s\t0x%.2x", WHITE, RESET, hdr.e_ident[EI_ABIVERSION]);
 379 
 380     printf("\n%se_type:%s\t\t\t", WHITE, RESET);
 381     if(numeric)
 382         printf("0x%x", hdr.e_type);
 383     else
 384         switch(hdr.e_type){
 385             case ET_NONE:
 386                 printf("ET_NONE");
 387                 break;
 388             case ET_REL:
 389                 printf("ET_REL");
 390                 break;
 391             case ET_EXEC:
 392                 printf("ET_EXEC");
 393                 break;
 394             case ET_DYN:
 395                 printf("ET_DYN");
 396                 break;
 397             case ET_CORE:
 398                 printf("ET_CORE");
 399                 break;
 400             default:
 401                 printf("%s0x%x%s", RED, hdr.e_type, RESET);
 402         }
 403 
 404     printf("\n%se_machine:%s\t\t", WHITE, RESET);
 405     if(numeric)
 406         printf("0x%x", hdr.e_machine);
 407     else
 408         switch(hdr.e_machine){
 409             case EM_NONE:
 410                 printf("EM_NONE");
 411                 break;
 412             case EM_SPARC:
 413                 printf("EM_SPARC");
 414                 break;
 415             case EM_386:
 416                 printf("EM_386");
 417                 break;
 418             case EM_MIPS:
 419                 printf("EM_MIPS");
 420                 break;
 421             case EM_PARISC:
 422                 printf("EM_PARISC");
 423                 break;
 424             case EM_PPC:
 425                 printf("EM_PPC");
 426                 break;
 427             case EM_SPARCV9:
 428                 printf("EM_SPARCV9");
 429                 break;
 430             case EM_X86_64:
 431                 printf("EM_X86_649");
 432                 break;
 433             default:
 434                 printf("%s0x%x%s", RED, hdr.e_machine, RESET);
 435         }
 436 
 437     printf("\n%se_version:%s\t\t", WHITE, RESET);
 438     if(numeric)
 439         printf("0x%x", hdr.e_version);
 440     else
 441         switch(hdr.e_version){
 442             case EV_NONE:
 443                 printf("EV_NONE");
 444                 break;
 445             case EV_CURRENT:
 446                 printf("EV_CURRENT");
 447                 break;
 448             default:
 449                 printf("%s0x%x%s", RED, hdr.e_version, RESET);
 450         }
 451 
 452     printf("\n%se_entry:%s\t\t0x"HEX, WHITE, RESET, hdr.e_entry);
 453     printf("\n%se_phoff:%s\t\t0x"HEX"\t("DEC")", WHITE, RESET, hdr.e_phoff, hdr.e_phoff);
 454     printf("\n%se_shoff:%s\t\t0x"HEX"\t("DEC")", WHITE, RESET, hdr.e_shoff, hdr.e_shoff);
 455     printf("\n%se_flags:%s\t\t0x%x\t(%d)", WHITE, RESET, hdr.e_flags, hdr.e_flags);
 456     printf("\n%se_ehsize:%s\t\t0x%x\t(%d)", WHITE, RESET, hdr.e_ehsize, hdr.e_ehsize);
 457     printf("\n%se_phentsize:%s\t\t0x%x\t(%d)", WHITE, RESET, hdr.e_phentsize, hdr.e_phentsize);
 458     printf("\n%se_phnum:%s\t\t0x%x\t(%d)", WHITE, RESET, hdr.e_phnum, hdr.e_phnum);
 459     printf("\n%se_shentsize:%s\t\t0x%x\t(%d)", WHITE, RESET, hdr.e_shentsize, hdr.e_shentsize);
 460     printf("\n%se_shnum:%s\t\t0x%x\t(%d)", WHITE, RESET, hdr.e_shnum, hdr.e_shnum);
 461     printf("\n%se_shstrndx:%s\t\t0x%x\t(%d)\n", WHITE, RESET, hdr.e_shstrndx, hdr.e_shstrndx);
 462 }
 463 
 464 void sht(char *mem)
 465 {
 466     int        k;
 467     Elf_Ehdr    hdr = *(Elf_Ehdr *) mem;
 468     Elf_Shdr    *sections = (Elf_Shdr *) (mem + hdr.e_shoff);
 469 
 470     printf("%s[NR] sh_name              sh_type          sh_flags    sh_addr    sh_offset sh_size  sh_link sh_info sh_addralign sh_entsize%s\n", WHITE, RESET);
 471 
 472     for(k = 0; k < hdr.e_shnum; k++, sections++){
 473         printf("[%2d] ", k);
 474 
 475         if(numeric)
 476             printf("0x%-18.8x ", sections->sh_name);
 477         else{
 478             if(shstrtab_offset == 0)
 479                 printf("0x%-15.8x ", sections->sh_name);
 480             else
 481                 printf("%-20s ", mem + shstrtab_offset + sections->sh_name);
 482         }
 483 
 484         if(numeric)
 485             printf("0x%-12.8x ", sections->sh_type);
 486         else
 487             switch(sections->sh_type){
 488                 case SHT_NULL:
 489                     printf("%-14s ", "SHT_NULL");
 490                     break;
 491                 case SHT_PROGBITS:
 492                     printf("%-14s ", "SHT_PROGBITS");
 493                     break;
 494                 case SHT_SYMTAB:
 495                     printf("%-14s ", "SHT_SYMTAB");
 496                     break;
 497                 case SHT_STRTAB:
 498                     printf("%-14s ", "SHT_STRTAB");
 499                     break;
 500                 case SHT_RELA:
 501                     printf("%-14s ", "SHT_RELA");
 502                     break;
 503                 case SHT_HASH:
 504                     printf("%-14s ", "SHT_HASH");
 505                     break;
 506                 case SHT_DYNAMIC:
 507                     printf("%-14s ", "SHT_DYNAMIC");
 508                     break;
 509                 case SHT_NOTE:
 510                     printf("%-14s ", "SHT_NOTE");
 511                     break;
 512                 case SHT_GNU_HASH:
 513                     printf("%-14s ", "SHT_GNU_HASH");
 514                     break;
 515                 case SHT_NOBITS:
 516                     printf("%-14s ", "SHT_NOBITS");
 517                     break;
 518                 case SHT_REL:
 519                     printf("%-14s ", "SHT_REL");
 520                     break;
 521                 case SHT_SHLIB:
 522                     printf("%-14s ", "SHT_SHLIB");
 523                     break;
 524                 case SHT_DYNSYM:
 525                     printf("%-14s ", "SHT_DYNSYM");
 526                     break;
 527                 case SHT_INIT_ARRAY:
 528                     printf("%-14s ", "SHT_INIT_ARRAY");
 529                     break;
 530                 case SHT_FINI_ARRAY:
 531                     printf("%-14s ", "SHT_FINI_ARRAY");
 532                     break;
 533                 case SHT_GNU_verdef:
 534                     printf("%-14s ", "SHT_VERDEF");
 535                     break;
 536                 case SHT_GNU_verneed:
 537                     printf("%-14s ", "SHT_VERNEED");
 538                     break;
 539                 case SHT_GNU_versym:
 540                     printf("%-14s ", "SHT_VERSYM");
 541                     break;
 542                 default:
 543                     printf("%s0x%-12.8x%s ", RED, sections->sh_type, RESET);
 544             }
 545 
 546         if(numeric)
 547             printf("  0x%.8x  ", (unsigned int) sections->sh_flags);
 548         else
 549             printf("   %c %c %c      ", /* Needs to be improved. Seen more flags than only those three */
 550                     (sections->sh_type & SHF_WRITE) ? 'W' : ' ',
 551                     (sections->sh_type & SHF_ALLOC) ? 'A' : ' ',
 552                     (sections->sh_type & SHF_EXECINSTR) ? 'X' : ' ');
 553 
 554         printf("0x%.8x ", (unsigned int) sections->sh_addr);
 555         printf("0x%.7x ", (unsigned int) sections->sh_offset);
 556         printf("0x%.6x   ", (unsigned int) sections->sh_size);
 557         printf("0x%.2x  ", sections->sh_link);
 558         printf("0x%.4x  ", sections->sh_info);
 559         printf("0x%.8x   ", (unsigned int) sections->sh_addralign);
 560         printf("0x%.4x\n", (unsigned int) sections->sh_entsize);
 561     }
 562 }
 563 
 564 void pht(char *mem)
 565 {
 566     int        k;
 567     Elf_Ehdr    hdr = *(Elf_Ehdr *) mem;
 568     Elf_Phdr    *phdrs = (Elf_Phdr *) (mem + hdr.e_phoff);
 569 
 570     printf("%s[NR] p_type           p_offset    p_vaddr"SPACE"     p_paddr"SPACE"     p_filesz    p_memsz     p_flags  p_align%s\n", WHITE, RESET);
 571 
 572     for(k = 0; k < hdr.e_phnum; k++, phdrs++){
 573         printf("[%2d] ", k);
 574 
 575         if(numeric)
 576             printf("0x%-14.8x ", phdrs->p_type);
 577         else
 578             switch(phdrs->p_type){
 579                 case PT_NULL:
 580                     printf("%-17s", "PT_NULL");
 581                     break;
 582                 case PT_LOAD:
 583                     printf("%-17s", "PT_LOAD");
 584                     break;
 585                 case PT_DYNAMIC:
 586                     printf("%-17s", "PT_DYNAMIC");
 587                     break;
 588                 case PT_INTERP:
 589                     printf("%-17s", "PT_INTERP");
 590                     break;
 591                 case PT_NOTE:
 592                     printf("%-17s", "PT_NOTE");
 593                     break;
 594                 case PT_SHLIB:
 595                     printf("%-17s", "PT_SHLIB");
 596                     break;
 597                 case PT_TLS:
 598                     printf("%-17s", "PT_TLS");
 599                     break;
 600                 case PT_PHDR:
 601                     printf("%-17s", "PT_PHDR");
 602                     break;
 603                 case PT_GNU_EH_FRAME:
 604                     printf("%-17s", "PT_GNU_EH_FRAME");
 605                     break;
 606                 case PT_GNU_STACK:
 607                     printf("%-17s", "PT_GNU_STACK");
 608                     break;
 609                 case PT_GNU_RELRO:
 610                     printf("%-17s", "PT_GNU_RELRO");
 611                     break;
 612                 default:
 613                     printf("%s0x%-14.8x%s ", RED, phdrs->p_type, RESET);
 614             }
 615 
 616         printf("0x%.8x  ", (unsigned int) phdrs->p_offset);
 617         printf("0x"HEX"  ", phdrs->p_vaddr);
 618         printf("0x"HEX"  ", phdrs->p_paddr);
 619         printf("0x%.8x  ", (unsigned int) phdrs->p_filesz);
 620         printf("0x%.8x  ", (unsigned int) phdrs->p_memsz);
 621 
 622         if(numeric)
 623             printf("0x%.4x   ", phdrs->p_flags);
 624         else
 625             printf(" %c %c %c   ",
 626                     (phdrs->p_type & PF_X) ? 'X' : ' ',
 627                     (phdrs->p_type & PF_W) ? 'W' : ' ',
 628                     (phdrs->p_type & PF_R) ? 'R' : ' ');
 629 
 630         printf("0x%.8x\n", (unsigned int) phdrs->p_align);
 631 
 632         if(phdrs->p_type == PT_INTERP)
 633             printf("[Interpreter: %s%s%s]\n", WHITE, mem + phdrs->p_offset, RESET);
 634     }
 635 }
 636 
 637 void symbols(char *mem)
 638 {
 639     int        k, l, flag = 0, strtab_off;
 640     Elf_Ehdr    hdr = *(Elf_Ehdr *) mem;
 641     Elf_Shdr    *shdr = (Elf_Shdr *) (mem + hdr.e_shoff), *shdr_table, stringtable;
 642     Elf_Sym        *sym;
 643 
 644     shdr_table = shdr;
 645 
 646     for(k = 0; k < hdr.e_shnum; k++, shdr++){
 647         if(shdr->sh_type != SHT_SYMTAB && shdr->sh_type != SHT_DYNSYM)
 648             continue;
 649 
 650         flag = 1;
 651 
 652         printf("Found symbol table [%s%s%s] with %s"DEC"%s entries:\n", YELLOW, mem + shstrtab_offset + shdr->sh_name, RESET, YELLOW, shdr->sh_size / shdr->sh_entsize, RESET);
 653 
 654         sym = (Elf_Sym *) (mem + shdr->sh_offset);
 655         stringtable = *(Elf_Shdr *) (mem + hdr.e_shoff + (shdr->sh_link * sizeof(Elf_Shdr)));
 656         strtab_off  = stringtable.sh_offset;
 657 
 658         printf("%s[ NR ] st_value"SPACE"   st_size     TYPE        BINDING    VISIBILITY     st_shndx    st_name%s\n", WHITE, RESET);
 659 
 660         for(l = 0; l < shdr->sh_size / shdr->sh_entsize; l++, sym++){
 661             printf("[%4d] ", l);
 662 
 663             printf("0x"HEX" ", sym->st_value);
 664             printf("0x%.5x  ", (unsigned int) sym->st_size);
 665 
 666             if(numeric)
 667                 printf("   0x%.2x ", sym->st_info);
 668             else
 669                 switch(ELF_ST_TYPE(sym->st_info)){
 670                     case STT_NOTYPE:
 671                         printf("%-12s  ", "STT_NOTYPE");
 672                         break;
 673                     case STT_OBJECT:
 674                         printf("%-12s  ", "STT_OBJECT");
 675                         break;
 676                     case STT_FUNC:
 677                         printf("%-12s  ", "STT_FUNC");
 678                         break;
 679                     case STT_SECTION:
 680                         printf("%-12s  ", "STT_SECTION");
 681                         break;
 682                     case STT_FILE:
 683                         printf("%-12s  ", "STT_FILE");
 684                         break;
 685                     case STT_COMMON:
 686                         printf("%-12s  ", "STT_COMMON");
 687                         break;
 688                     case STT_TLS:
 689                         printf("%-12s  ", "STT_TLS");
 690                         break;
 691                     case STT_NUM:
 692                         printf("%-12s  ", "STT_NUM");
 693                         break;
 694                     default:
 695                         printf("   %s0x%.2x%s       ", RED, sym->st_info, RESET);
 696                 }
 697 
 698             if(numeric)
 699                 printf("        0x%.2x ", sym->st_info);
 700             else
 701                 switch(ELF_ST_BIND(sym->st_info)){
 702                     case STB_LOCAL:
 703                         printf("%-11s ", "STB_LOCAL");
 704                         break;
 705                     case STB_GLOBAL:
 706                         printf("%-11s ", "STB_GLOBAL");
 707                         break;
 708                     case STB_WEAK:
 709                         printf("%-11s ", "STB_WEAK");
 710                         break;
 711                     case STB_NUM:
 712                         printf("%-11s ", "STB_NUM");
 713                         break;
 714                     default:
 715                         printf("  %s0x%.2x%s       ", RED, sym->st_info, RESET);
 716                 }
 717 
 718             if(numeric)
 719                 printf("        0x%.2x        ", sym->st_other);
 720             else
 721                 switch(ELF_ST_VISIBILITY(sym->st_other)){
 722                     case STV_DEFAULT:
 723                         printf("%-14s ", "STV_DEFAULT");
 724                         break;
 725                     case STV_INTERNAL:
 726                         printf("%-14s ", "STV_INTERNAL");
 727                         break;
 728                     case STV_HIDDEN:
 729                         printf("%-14s ", "STV_HIDDEN");
 730                         break;
 731                     case STV_PROTECTED:
 732                         printf("%-14s ", "STV_PROTECTED");
 733                         break;
 734                     default:
 735                         printf("   %s0x%.2x%s        ", RED, sym->st_other, RESET);    
 736                 }
 737 
 738             if(numeric)
 739                 printf(" 0x%.4x     ", sym->st_shndx);
 740             else
 741                 switch(sym->st_shndx){
 742                     case SHN_UNDEF:
 743                         printf("%-11s ", "SHN_UNDEF");
 744                         break;
 745                     case SHN_ABS:
 746                         printf("%-11s ", "SHN_ABS");
 747                         break;
 748                     case SHN_COMMON:
 749                         printf("%-11s ", "SHN_COMMON");
 750                         break;
 751                     default:
 752                         printf("  0x%.2x      ", sym->st_shndx);
 753                 }
 754 
 755             if(numeric)
 756                 printf("0x%.4x\n", sym->st_name);
 757             else{
 758                 if(ELF_ST_TYPE(sym->st_info) == STT_SECTION)
 759                     printf("%s\n", mem + shstrtab_offset + shdr_table[sym->st_shndx].sh_name);
 760                 else
 761                     printf("%s\n", mem + strtab_off + sym->st_name);
 762             }
 763         }
 764 
 765         putchar('\n');
 766     }
 767 
 768     if(!flag)
 769         printf("[%sNO SYMBOL TABLE FOUND%s]\n", WHITE, RESET);
 770 }
 771 
 772 void dynamic(char *mem)
 773 {
 774     int        k, l, flag = 0, strtab_offset;
 775     Elf_Ehdr    hdr = *(Elf_Ehdr *) mem;
 776     Elf_Shdr    *shdr = (Elf_Shdr *) (mem + hdr.e_shoff), stringtable;
 777     Elf_Dyn        *dyn;
 778 
 779     for(k = 0; k < hdr.e_shnum; k++, shdr++){
 780         if(shdr->sh_type != SHT_DYNAMIC)
 781             continue;
 782 
 783         flag = 1;
 784 
 785         printf("Found Dynamic Section [%s%s%s] with %s"DEC"%s entries:\n", YELLOW, mem + shstrtab_offset + shdr->sh_name, RESET, YELLOW, shdr->sh_size / shdr->sh_entsize, RESET);
 786 
 787         dyn = (Elf_Dyn *) (mem + shdr->sh_offset);
 788         stringtable = *(Elf_Shdr *) (mem + hdr.e_shoff + (shdr->sh_link * sizeof(Elf_Shdr)));
 789         strtab_offset  = stringtable.sh_offset;
 790 
 791         printf("%s[ NR ]  d_tag"SPACE"       TYPE                 NAME/VALUE%s\n", WHITE, RESET);
 792 
 793         for(l = 0; l < shdr->sh_size / shdr->sh_entsize; l++, dyn++){
 794             printf("[%4d]  ", l);
 795 
 796             printf("0x"HEX"  ", dyn->d_tag);
 797 
 798             if(numeric)
 799                 printf("0x%.8x           ", (unsigned int) dyn->d_tag);
 800             else
 801                 switch(dyn->d_tag){
 802                     case DT_NULL:
 803                         printf("%-20s ", "DT_NULL");
 804                         break;
 805                     case DT_NEEDED:
 806                         printf("%-20s ", "DT_NEEDED");
 807                         break;
 808                     case DT_PLTRELSZ:
 809                         printf("%-20s ", "DT_PLTRELSZ");
 810                         break;
 811                     case DT_PLTGOT:
 812                         printf("%-20s ", "DT_PLTGOT");
 813                         break;
 814                     case DT_HASH:
 815                         printf("%-20s ", "DT_HASH");
 816                         break;
 817                     case DT_GNU_HASH:
 818                         printf("%-20s ", "DT_GNU_HASH");
 819                         break;
 820                     case DT_STRTAB:
 821                         printf("%-20s ", "DT_STRTAB");
 822                         break;
 823                     case DT_SYMTAB:
 824                         printf("%-20s ", "DT_SYMTAB");
 825                         break;
 826                     case DT_STRSZ:
 827                         printf("%-20s ", "DT_STRSZ");
 828                         break;
 829                     case DT_SYMENT:
 830                         printf("%-20s ", "DT_SYMENT");
 831                         break;
 832                     case DT_INIT:
 833                         printf("%-20s ", "DT_INIT");
 834                         break;
 835                     case DT_FINI:
 836                         printf("%-20s ", "DT_FINI");
 837                         break;
 838                     case DT_SONAME:
 839                         printf("%-20s ", "DT_SONAME");
 840                         break;
 841                     case DT_RPATH:
 842                         printf("%-20s ", "DT_RPATH");
 843                         break;
 844                     case DT_SYMBOLIC:
 845                         printf("%-20s ", "DT_SYMBOLIC");
 846                         break;
 847                     case DT_REL:
 848                         printf("%-20s ", "DT_REL");
 849                         break;
 850                     case DT_RELSZ:
 851                         printf("%-20s ", "DT_RELSZ");
 852                         break;
 853                     case DT_RELENT:
 854                         printf("%-20s ", "DT_RELENT");
 855                         break;
 856                     case DT_PLTREL:
 857                         printf("%-20s ", "DT_PLTREL");
 858                         break;
 859                     case DT_DEBUG:
 860                         printf("%-20s ", "DT_DEBUG");
 861                         break;
 862                     case DT_TEXTREL:
 863                         printf("%-20s ", "DT_TEXTREL");
 864                         break;
 865                     case DT_JMPREL:
 866                         printf("%-20s ", "DT_JMPREL");
 867                         break;
 868                     case DT_BIND_NOW:
 869                         printf("%-20s ", "DT_BIND_NOW");
 870                         break;
 871                     case DT_INIT_ARRAY:
 872                         printf("%-20s ", "DT_INIT_ARRAY");
 873                         break;
 874                     case DT_FINI_ARRAY:
 875                         printf("%-20s ", "DT_FINI_ARRAY");
 876                         break;
 877                     case DT_INIT_ARRAYSZ:
 878                         printf("%-20s ", "DT_INIT_ARRAYSZ");
 879                         break;
 880                     case DT_FINI_ARRAYSZ:
 881                         printf("%-20s ", "DT_FINI_ARRAYSZ");
 882                         break;
 883                     case DT_VERSYM:
 884                         printf("%-20s ", "DT_VERSYM");
 885                         break;
 886                     case DT_RELCOUNT:
 887                         printf("%-20s ", "DT_RELCOUNT");
 888                         break;
 889                     case DT_VERDEF:
 890                         printf("%-20s ", "DT_VERDEF");
 891                         break;
 892                     case DT_VERDEFNUM:
 893                         printf("%-20s ", "DT_VERDEFNUM");
 894                         break;
 895                     case DT_VERNEED:
 896                         printf("%-20s ", "DT_VERNEED");
 897                         break;
 898                     case DT_VERNEEDNUM:
 899                         printf("%-20s ", "DT_VERNEEDNUM");
 900                         break;
 901                     default:
 902                         printf("%s0x%.8x%s           ", RED, (unsigned int) dyn->d_tag, RESET);
 903                 }
 904 
 905             switch(dyn->d_tag){
 906                 case DT_NEEDED:
 907                 case DT_SONAME:
 908                 case DT_RPATH:
 909                     printf("%s\n", mem + strtab_offset + dyn->d_un.d_val);
 910                     break;
 911                 case DT_PLTGOT:
 912                 case DT_HASH:
 913                 case DT_STRTAB:
 914                 case DT_SYMTAB:
 915                 case DT_INIT:
 916                 case DT_FINI:
 917                 case DT_INIT_ARRAY:
 918                 case DT_FINI_ARRAY:
 919                 case DT_REL:
 920                 case DT_JMPREL:
 921                 case DT_VERSYM:
 922                 case DT_VERNEED:
 923                 case DT_GNU_HASH:
 924                     printf("0x"HEX"\n", dyn->d_un.d_ptr);
 925                     break;
 926                 case DT_PLTRELSZ:
 927                 case DT_STRSZ:
 928                 case DT_SYMENT:
 929                 case DT_RELSZ:
 930                 case DT_RELENT:
 931                 case DT_INIT_ARRAYSZ:
 932                 case DT_FINI_ARRAYSZ:
 933                     printf(HEX" bytes\n", dyn->d_un.d_val);
 934                     break;
 935                 case DT_PLTREL:
 936                     printf("%s\n", (dyn->d_un.d_val == DT_REL) ? "DT_REL" : "DT_RELA");
 937                     break;
 938                 case DT_VERNEEDNUM:
 939                 case DT_DEBUG:
 940                     printf("0x"HEX"\n", dyn->d_un.d_val);
 941                     break;
 942                 default:
 943                     putchar('\n');
 944             }
 945 
 946             if(dyn->d_tag == DT_NULL)    /* End of _DYNAMIC[] */
 947                 break;
 948         }
 949 
 950     }
 951 
 952     if(!flag)
 953         printf("[%sNO DYNAMIC SECTION FOUND%s]\n", WHITE, RESET);
 954 }
 955 
 956 void relocations(char *mem)
 957 {
 958     int        k, l, symndx = 0, flag = 0, symstrtab_offset;
 959     Elf_Ehdr    hdr = *(Elf_Ehdr *) mem;
 960     Elf_Shdr    *shdr = (Elf_Shdr *) (mem + hdr.e_shoff), *shdr_table, symtab_section, stringtable;
 961     Elf_Sym        *sym;
 962     Elf_Rel        *rel;
 963     Elf_Rela    *rela;
 964 
 965     shdr_table = shdr;
 966 
 967     for(k = 0; k < hdr.e_shnum; k++, shdr++){
 968         if(shdr->sh_type != SHT_REL && shdr->sh_type != SHT_RELA)
 969             continue;
 970 
 971         flag = 1;
 972 
 973         printf("Found Relocation Section [%s%s%s] with %s"DEC" %s%s entries:\n", YELLOW, mem + shstrtab_offset + shdr->sh_name, RESET, YELLOW, shdr->sh_size / shdr->sh_entsize, shdr->sh_type == SHT_REL ? "SHT_REL" : "SHT_RELA", RESET);
 974 
 975         if(shdr->sh_type == SHT_REL)
 976             rel =  (Elf_Rel *)  (mem + shdr->sh_offset);
 977         else
 978             rela = (Elf_Rela *) (mem + shdr->sh_offset);
 979 
 980         symtab_section = shdr_table[shdr->sh_link];
 981         stringtable = *(Elf_Shdr *) (mem + hdr.e_shoff + (symtab_section.sh_link * sizeof(Elf_Shdr)));
 982         symstrtab_offset  = stringtable.sh_offset;
 983         sym = (Elf_Sym *) (mem + symtab_section.sh_offset);
 984 
 985         printf("%s[ NR ] r_offset"SPACE"   r_info      TYPE             SYM[ndx]  SYMBOL NAME + r_addend%s\n", WHITE, RESET);
 986 
 987         for(l = 0; l < shdr->sh_size / shdr->sh_entsize; l++){
 988             printf("[%4d] ", l);
 989 
 990             printf("0x"HEX" ", shdr->sh_type == SHT_REL ? rel->r_offset : rela->r_offset);
 991             printf("0x%.8x  ", shdr->sh_type == SHT_REL ? (unsigned int) rel->r_info : (unsigned int) rela->r_info);
 992 
 993             if(numeric)
 994                 printf("0x%.8x     ", shdr->sh_type == SHT_REL ? (unsigned int) rel->r_info : (unsigned int) rela->r_info);
 995             else
 996                 switch(ELF_R_TYPE(shdr->sh_type == SHT_REL ? rel->r_info : rela->r_info)){
 997                     case R_386_NONE:
 998                         printf("%-14s ", "R_386_NONE");
 999                         break;
1000                     case R_386_32:
1001                         printf("%-14s ", "R_386_32");
1002                         break;
1003                     case R_386_PC32:
1004                         printf("%-14s ", "R_386_PC32");
1005                         break;
1006                     case R_386_GOT32:
1007                         printf("%-14s ", "R_386_GOT32");
1008                         break;
1009                     case R_386_PLT32:
1010                         printf("%-14s ", "R_386_PLT32");
1011                         break;
1012                     case R_386_COPY:
1013                         printf("%-14s ", "R_386_COPY");
1014                         break;
1015                     case R_386_GLOB_DAT:
1016                         printf("%-14s ", "R_386_GLOB_DAT");
1017                         break;
1018                     case R_386_JMP_SLOT:
1019                         printf("%-14s ", "R_386_JMP_SLOT");
1020                         break;
1021                     case R_386_RELATIVE:
1022                         printf("%-14s ", "R_386_RELATIVE");
1023                         break;
1024                     case R_386_GOTOFF:
1025                         printf("%-14s ", "R_386_GOTOFF");
1026                         break;
1027                     case R_386_GOTPC:
1028                         printf("%-14s ", "R_386_GOTPC");
1029                         break;
1030                     default:
1031                         printf("%s0x%.8x%s     ", RED, shdr->sh_type == SHT_REL ? (unsigned int) rel->r_info : (unsigned int) rela->r_info, RESET);
1032                 }
1033 
1034             symndx = ELF_R_SYM(shdr->sh_type == SHT_REL ? rel->r_info : rela->r_info);
1035             printf("    %.4d    ", symndx);
1036 
1037             if(ELF_ST_TYPE(sym[symndx].st_info) == STT_SECTION)
1038                 printf("%s", mem + shstrtab_offset + shdr_table[sym[symndx].st_shndx].sh_name);
1039             else
1040                 printf("%s", mem + symstrtab_offset + sym[symndx].st_name);
1041 
1042             if(shdr->sh_type == SHT_REL){
1043                 putchar('\n');
1044                 rel++;
1045             } else {
1046                 printf(" + 0x%x\n", (unsigned int) rela->r_addend);
1047                 rela++;
1048             }
1049         }
1050 
1051         putchar('\n');
1052     }
1053 
1054     if(!flag)
1055         printf("[%sNO RELOCATIONS FOUND%s]\n", WHITE, RESET);
1056 }
1057 
1058 /* 
1059  * It doesn't loop through the notes.
1060  * It just parses the 1st entry found in every SHT_NOTE section found.
1061  */
1062 void notes(char *mem)
1063 {
1064     int        k, l, flag = 0, *abi;
1065     Elf_Ehdr    hdr = *(Elf_Ehdr *) mem;
1066     Elf_Shdr    *shdr = (Elf_Shdr *) (mem + hdr.e_shoff);
1067     Elf_Nhdr    *note;
1068     char        *note_name;
1069 
1070     for(k = 0; k < hdr.e_shnum; k++, shdr++){
1071         if(shdr->sh_type != SHT_NOTE)
1072             continue;
1073 
1074         flag = 1;
1075 
1076         printf("Found Note Section [%s%s%s] with %s"DEC"%s bytes:\n", YELLOW, mem + shstrtab_offset + shdr->sh_name, RESET, YELLOW, shdr->sh_size, RESET);
1077 
1078         note = (Elf_Nhdr *) (mem + shdr->sh_offset);
1079 
1080         printf("%s[ NR ] n_namesz      n_descsz      n_type%s\n", WHITE, RESET);
1081 
1082         printf("[%4d] ", 0);
1083 
1084         printf("0x%.8x    ", note->n_namesz);
1085         printf("0x%.8x    ", note->n_descsz);
1086 
1087         if(numeric)
1088             printf("0x%.8x\n", note->n_type);
1089 
1090         switch(note->n_type){
1091             case NT_GNU_ABI_TAG:
1092                 note_name = (char *) (void *) note + sizeof(*note);
1093                 printf("%s", numeric ? "" : strcmp(note_name, ELF_NOTE_GNU) == 0 ? "NT_GNU_ABI_TAG\n" : "NT_VERSION\n");
1094 
1095                 printf("\tName:\t%s\n", note_name);
1096 
1097                 if(strcmp(note_name, ELF_NOTE_GNU))
1098                     break;
1099 
1100                 abi = (int *) ((void *) note + sizeof(*note) + note->n_namesz);
1101 
1102                 putchar('\t');
1103 
1104                 if(numeric){
1105                     printf("OS:\t0x%.8x\n", *(abi++));
1106                     printf("\tABI:\tMajor: 0x%.8x   ",  *(abi++));
1107                     printf("Minor: 0x%.8x   ",  *(abi++));
1108                     printf("Subminor: 0x%.8x\n", *(abi));
1109                 } else {
1110                     switch(*abi){
1111                         case ELF_NOTE_OS_LINUX:
1112                             printf("OS:\tELF_NOTE_OS_LINUX\n");
1113                             break;
1114                         case ELF_NOTE_OS_GNU:
1115                             printf("OS:\tELF_NOTE_OS_GNU\n");
1116                             break;
1117                         case ELF_NOTE_OS_SOLARIS2:
1118                             printf("OS:\tELF_NOTE_OS_SOLARIS2\n");
1119                             break;
1120                         case ELF_NOTE_OS_FREEBSD:
1121                             printf("OS:\tELF_NOTE_OS_FREEBSD\n");
1122                             break;
1123                         default:
1124                             printf("OS:\t%s0x%.8x%s\n", RED, *abi, RESET);
1125                     }
1126 
1127                     printf("\tABI:\t%d.", *(++abi));
1128                     printf("%d.", *(++abi));
1129                     printf("%d\n",*(++abi));
1130                 }
1131                 break;
1132             case NT_GNU_HWCAP:
1133                 printf("%s", numeric ? "" : "NT_GNU_HWCAP\n");
1134                 break;
1135             case NT_GNU_BUILD_ID:
1136                 printf("%s", numeric ? "" : "NT_GNU_BUILD_ID\n");
1137                 printf("\tName:\t%s\n", (char *) ((void *) note + sizeof(*note)));
1138 
1139                 printf("\tBuildID: ");
1140 
1141                 char *desc = (char *) (void *) note + sizeof(*note) + note->n_namesz;
1142 
1143                 for(l = 0; l < note->n_descsz; l++)
1144                     printf("%.2x", (*(desc++) & 0xff));
1145 
1146                 putchar('\n');
1147 
1148                 break;
1149             case NT_GNU_GOLD_VERSION:
1150                 printf("%s", numeric ? "" : "NT_GNU_GOLD_VERSION\n");
1151                 break;
1152             default:
1153                 printf("%s0x%.8x%s\n", RED, note->n_type, RESET);
1154         }
1155 
1156         putchar('\n');
1157     }
1158 
1159     if(!flag)
1160         printf("[%sNO NOTES FOUND%s]\n", WHITE, RESET);
1161 }

代码不难,话不多说了。功能正常。

posted @ 2021-09-11 15:45  叕叒双又  阅读(565)  评论(0编辑  收藏  举报