This Python script generates ELF (Executable and Linkable Format) files for different types (executable, shared, and object) and versions (32-bit and 64-bit). It also parses these generated files to extract information about their headers and program segments.
Pratomo, B.A., Kosim, S.A., Studiawan, H., Prabowo, A.O. (2024). BarongTrace: A Malware Event Log Dataset for Linux. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 202. Springer, Cham. https://doi.org/10.1007/978-3-031-57916-5_5
Mohammed Rauf Ali Khan. A Utility-Based Sequential Approach for ELF Malware Analysis. Authorea. February 04, 2024. DOI: 10.22541/au.170708904.45762903/v1 https://www.authorea.com/users/723310/articles/708350-a-utility-based-sequential-approach-for-elf-malware-analysis
In-depth: ELF - The Extensible & Linkable Format YouTube https://www.youtube.com/watch?v=nC1U1LJQL8o
OSDev.org ELF Ref: https://wiki.osdev.org/ELF
Executable and Linkable Format Ref: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
Understanding the structure and characteristics of ELF binaries is crucial for malware analysts for several reasons:
- Detection and Classification: Knowing the different types of ELF files (executables, shared libraries, object files) helps in identifying and classifying malware samples.
- Behavior Analysis: ELF header and program header information can provide insights into the behavior of the binary, such as its entry point address and memory layout.
- Static Analysis: Analyzing ELF headers and segments statically can reveal important details about the binary's functionality, potential vulnerabilities, and malicious intent.
- Dynamic Analysis: Understanding ELF structure aids in setting up dynamic analysis environments to observe the behavior of malware during execution.
- Forensic Analysis: ELF header data can be used during forensic investigations to trace the origin and purpose of a malicious binary.
Malware authors may employ various techniques to obfuscate, evade detection, and thwart analysis of ELF binaries, including:
- Code Obfuscation: Techniques such as code packing, encryption, and polymorphism are used to obscure the binary's functionality and evade signature-based detection.
- Anti-Debugging: Malware may employ anti-debugging techniques to detect and thwart dynamic analysis attempts by monitoring debugger-related signals or system calls.
- Anti-Emulation: Some malware may detect virtualized or emulated environments and alter their behavior to avoid detection by sandboxing or emulation-based analysis tools.
- Rootkitting: Advanced malware may attempt to hide its presence and evade detection by modifying system calls, kernel data structures, or the ELF binary itself.
- Dynamic Loading: Malicious ELF binaries may dynamically load additional code or payloads at runtime to evade static analysis and detection by security tools.
Malware authors manipulate ELF binaries for various reasons, including:
- Stealth and Persistence: Modifying ELF binaries allows malware to remain undetected by security mechanisms and persistently execute on compromised systems.
- Payload Delivery: Malicious payloads can be injected into legitimate ELF binaries to deliver and execute additional malware components or payloads.
- Privilege Escalation: Manipulating ELF binaries can enable malware to escalate privileges, gain root access, and perform unauthorized actions on the system.
- Data Theft and Espionage: Malware may manipulate ELF binaries to exfiltrate sensitive data, such as login credentials, financial information, or intellectual property.
- Botnet Recruitment: Compromised ELF binaries can be used to recruit infected systems into botnets for carrying out coordinated attacks, distributed denial-of-service (DDoS) attacks, or cryptocurrency mining.
- ELF file created and saved as 'executable_32.bin'.
- ELF file created and saved as 'shared_32.bin'.
- ELF file created and saved as 'object_32.bin'.
- ELF file created and saved as 'executable_64.bin'.
- ELF file created and saved as 'shared_64.bin'.
- ELF file created and saved as 'object_64.bin'.
Field | Value | Description |
---|---|---|
Magic | b'\x7fELF' | ELF Magic Number |
Class | 1 | 1=ELF32 |
Data | 1 | 1=Little Endian |
Version | 1 | 1=Current |
OS/ABI | 0 | 0=System V |
ABI Version | 0 | 0 |
Type | 2 | 2=executable |
Machine | 3 | 3=386 |
Version | 0x1 | 1 |
Entry point address | 0x1000 | 4096 |
Program header offset | 52 | 52 |
Section header offset | 0 | 0 |
Flags | 0 | 0 |
Size of this header | 52 | 52 |
Size of program headers | 32 | 32 |
Number of program headers | 1 | 1 |
Size of section headers | 40 | 40 |
Number of section headers | 0 | 0 |
Section header string table index | 0 | 0 |
Field | Value (Hex) | Value (Decimal) | Description |
---|---|---|---|
Type | 0x1 | 1 | Type of segment |
Offset | 0x0 | 0 | Offset in the file |
Virtual Address | 0x1000 | 4096 | Virtual address in memory |
Physical Address | 0x1000 | 4096 | Physical address in memory |
File Size | 0x1000 | 4096 | Size of the segment in file |
Memory Size | 0x1000 | 4096 | Size of the segment in memory |
Flags | 0x7 | 7 | Segment flags (permissions) |
Alignment | 0x1000 | 4096 | Alignment of the segment |
This is a 32-bit executable ELF file.
Field | Value | Description |
---|---|---|
Magic | b'\x7fELF' | ELF Magic Number |
Class | 1 | 1=ELF32 |
Data | 1 | 1=Little Endian |
Version | 1 | 1=Current |
OS/ABI | 0 | 0=System V |
ABI Version | 0 | 0 |
Type | 3 | 3=shared |
Machine | 3 | 3=386 |
Version | 0x1 | 1 |
Entry point address | 0 | 0 |
Program header offset | 52 | 52 |
Section header offset | 0 | 0 |
Flags | 0 | 0 |
Size of this header | 52 | 52 |
Size of program headers | 32 | 32 |
Number of program headers | 1 | 1 |
Size of section headers | 40 | 40 |
Number of section headers | 0 | 0 |
Section header string table index | 0 | 0 |
Field | Value (Hex) | Value (Decimal) | Description |
---|---|---|---|
Type | 0x1 | 1 | Type of segment |
Offset | 0x0 | 0 | Offset in the file |
Virtual Address | 0x1000 | 4096 | Virtual address in memory |
Physical Address | 0x1000 | 4096 | Physical address in memory |
File Size | 0x1000 | 4096 | Size of the segment in file |
Memory Size | 0x1000 | 4096 | Size of the segment in memory |
Flags | 0x7 | 7 | Segment flags (permissions) |
Alignment | 0x1000 | 4096 | Alignment of the segment |
This is a 32-bit shared library ELF file.
Field | Value | Description |
---|---|---|
Magic | b'\x7fELF' | ELF Magic Number |
Class | 1 | 1=ELF32 |
Data | 1 | 1=Little Endian |
Version | 1 | 1=Current |
OS/ABI | 0 | 0=System V |
ABI Version | 0 | 0 |
Type | 1 | 1=object |
Machine | 3 | 3=386 |
Version | 0x1 | 1 |
Entry point address | 0 | 0 |
Program header offset | 0 | 0 |
Section header offset | 0 | 0 |
Flags | 0 | 0 |
Size of this header | 52 | 52 |
Size of program headers | 32 | 32 |
Number of program headers | 0 | 0 |
Size of section headers | 40 | 40 |
Number of section headers | 0 | 0 |
Section header string table index | 0 | 0 |
Field | Value (Hex) | Value (Decimal) | Description |
---|---|---|---|
Type | 0x1 | 1 | Type of segment |
Offset | 0x0 | 0 | Offset in the file |
Virtual Address | 0x1000 | 4096 | Virtual address in memory |
Physical Address | 0x1000 | 4096 | Physical address in memory |
File Size | 0x1000 | 4096 | Size of the segment in file |
Memory Size | 0x1000 | 4096 | Size of the segment in memory |
Flags | 0x7 | 7 | Segment flags (permissions) |
Alignment | 0x1000 | 4096 | Alignment of the segment |
This is a 32-bit object ELF file.
Field | Value | Description |
---|---|---|
Magic | b'\x7fELF' | ELF Magic Number |
Class | 2 | 2=ELF64 |
Data | 1 | 1=Little Endian |
Version | 1 | 1=Current |
OS/ABI | 0 | 0=System V |
ABI Version | 0 | 0 |
Type | 2 | 2=executable |
Machine | 62 | 62=x86_64 |
Version | 0x1 | 1 |
Entry point address | 0x1000 | 4096 |
Program header offset | 64 | 64 |
Section header offset | 0 | 0 |
Flags | 0 | 0 |
Size of this header | 64 | 64 |
Size of program headers | 56 | 56 |
Number of program headers | 1 | 1 |
Size of section headers | 64 | 64 |
Number of section headers | 0 | 0 |
Section header string table index | 0 | 0 |
Field | Value (Hex) | Value (Decimal) | Description |
---|---|---|---|
Type | 0x1 | 1 | Type of segment |
Flags | 0x7 | 7 | Segment flags (permissions) |
Offset | 0x0 | 0 | Offset in the file |
Virtual Address | 0x1000 | 4096 | Virtual address in memory |
Physical Address | 0x1000 | 4096 | Physical address in memory |
File Size | 0x1000 | 4096 | Size of the segment in file |
Memory Size | 0x1000 | 4096 | Size of the segment in memory |
Alignment | 0x1000 | 4096 | Alignment of the segment |
This is a 64-bit executable ELF file.
Field | Value | Description |
---|---|---|
Magic | b'\x7fELF' | ELF Magic Number |
Class | 2 | 2=ELF64 |
Data | 1 | 1=Little Endian |
Version | 1 | 1=Current |
OS/ABI | 0 | 0=System V |
ABI Version | 0 | 0 |
Type | 3 | 3=shared |
Machine | 62 | 62=x86_64 |
Version | 0x1 | 1 |
Entry point address | 0 | 0 |
Program header offset | 64 | 64 |
Section header offset | 0 | 0 |
Flags | 0 | 0 |
Size of this header | 64 | 64 |
Size of program headers | 56 | 56 |
Number of program headers | 1 | 1 |
Size of section headers | 64 | 64 |
Number of section headers | 0 | 0 |
Section header string table index | 0 | 0 |
Field | Value (Hex) | Value (Decimal) | Description |
---|---|---|---|
Type | 0x1 | 1 | Type of segment |
Flags | 0x7 | 7 | Segment flags (permissions) |
Offset | 0x0 | 0 | Offset in the file |
Virtual Address | 0x1000 | 4096 | Virtual address in memory |
Physical Address | 0x1000 | 4096 | Physical address in memory |
File Size | 0x1000 | 4096 | Size of the segment in file |
Memory Size | 0x1000 | 4096 | Size of the segment in memory |
Alignment | 0x1000 | 4096 | Alignment of the segment |
This is a 64-bit shared library ELF file.
Field | Value | Description |
---|---|---|
Magic | b'\x7fELF' | ELF Magic Number |
Class | 2 | 2=ELF64 |
Data | 1 | 1=Little Endian |
Version | 1 | 1=Current |
OS/ABI | 0 | 0=System V |
ABI Version | 0 | 0 |
Type | 1 | 1=object |
Machine | 62 | 62=x86_64 |
Version | 0x1 | 1 |
Entry point address | 0 | 0 |
Program header offset | 0 | 0 |
Section header offset | 0 | 0 |
Flags | 0 | 0 |
Size of this header | 64 | 64 |
Size of program headers | 56 | 56 |
Number of program headers | 0 | 0 |
Size of section headers | 64 | 64 |
Number of section headers | 0 | 0 |
Section header string table index | 0 | 0 |
Field | Value (Hex) | Value (Decimal) | Description |
---|---|---|---|
Type | 0x1 | 1 | Type of segment |
Flags | 0x7 | 7 | Segment flags (permissions) |
Offset | 0x0 | 0 | Offset in the file |
Virtual Address | 0x1000 | 4096 | Virtual address in memory |
Physical Address | 0x1000 | 4096 | Physical address in memory |
File Size | 0x1000 | 4096 | Size of the segment in file |
Memory Size | 0x1000 | 4096 | Size of the segment in memory |
Alignment | 0x1000 | 4096 | Alignment of the segment |
This is a 64-bit object ELF file.
This code is for education and research purposes only.