ELF
Description
The ELF (Executable and Linkable Format) is a common file format used for executables, object code, shared libraries, and core dumps on Unix-based systems, including Linux and some BSDs. It is a standard binary format used for program loading and linking, designed to be flexible and extensible, supporting multiple different processor architectures. This backend extracts information from ELF files for further inspection.
Info: Available in Contextal Platform 1.0 and later.
Symbols
Object
ISSUES → issues were encountered while processing the executable. The detected issues are stored in the object's metadata entry $issues and may include the following entries: EH_UNUSUAL_PHOFF, EH_UNUSUAL_SHENTSIZE, SH_INVALID_NULL_SECTION.
Example Metadata
{
"work_id": "VuRKSF6MIDB4ZO5SYVz6h7l4",
"org": "ctx",
"object_id": "ff7eb9d875117e199906f668515f0156bed389f745a7f9da59bc442fa2d50fc6",
"object_type": "ELF",
"object_subtype": null,
"recursion_level": 1,
"size": 17064,
"hashes": {
"md5": "0ee647202fc17ae1ff6ba094441a7cd5",
"sha1": "fc29e842710c1481e131e91f55fca56385f6dee5",
"sha512": "3b0fd2edf18cd9e2f9d396630ddff60f423e7ea22d9e4fb40df4d5ca44d22519c82ff17b3de6c1d177ae9e8dbb0b5dd6956204b2de63de663934f967ad3f1c3a",
"sha256": "ff7eb9d875117e199906f668515f0156bed389f745a7f9da59bc442fa2d50fc6"
},
"ctime": 1712925930.617994,
"relation_metadata": {},
"ok": {
"symbols": [],
"object_metadata": {
"_backend_version": "1.0.0",
"elf_header": {
"e_ehsize": 64,
"e_entry": 4368,
"e_flags": 0,
"e_ident": [ 127, 69, 76, 70, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0 ],
"e_machine": 62,
"e_machinestr": "AMD x86-64",
"e_phentsize": 56,
"e_phnum": 11,
"e_phoff": 64,
"e_shentsize": 64,
"e_shnum": 29,
"e_shoff": 15208,
"e_shstrndx": 28,
"e_type": 3,
"e_typestr": "Shared object",
"e_version": 1,
"ei_class": "64-bit",
"ei_data": "Little-endian",
"ei_osabi": "No extensions"
},
"program_headers": [
{
"p_align": 8,
"p_filesz": 616,
"p_flags": 4,
"p_flagsvec": [
"READ"
],
"p_memsz": 616,
"p_offset": 64,
"p_paddr": 64,
"p_type": 6,
"p_typestr": "Program header table",
"p_vaddr": 64
},
{
"p_align": 1,
"p_filesz": 28,
"p_flags": 4,
"p_flagsvec": [
"READ"
],
"p_memsz": 28,
"p_offset": 680,
"p_paddr": 680,
"p_type": 3,
"p_typestr": "Interpreter information",
"p_vaddr": 680
},
[...]
"section_headers": [
{
"sh_addr": 0,
"sh_addralign": 0,
"sh_entsize": 0,
"sh_flags": 0,
"sh_flagsvec": [],
"sh_info": 0,
"sh_link": 0,
"sh_name": 0,
"sh_namestr": "",
"sh_offset": 0,
"sh_size": 0,
"sh_type": 0,
"sh_typestr": "NULL"
},
{
"sh_addr": 680,
"sh_addralign": 1,
"sh_entsize": 0,
"sh_flags": 2,
"sh_flagsvec": [
"ALLOC"
],
"sh_info": 0,
"sh_link": 0,
"sh_name": 27,
"sh_namestr": ".interp",
"sh_offset": 680,
"sh_size": 28,
"sh_type": 1,
"sh_typestr": "PROGBITS"
},
{
"sh_addr": 708,
"sh_addralign": 4,
"sh_entsize": 0,
"sh_flags": 2,
"sh_flagsvec": [
"ALLOC"
],
"sh_info": 0,
"sh_link": 0,
"sh_name": 35,
"sh_namestr": ".note.ABI-tag",
"sh_offset": 708,
"sh_size": 32,
"sh_type": 7,
"sh_typestr": "NOTE"
},
[...]
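As an added example (not the backend's own code), the following Python parser reads an ELF64 header into the same elf_header fields shown in the metadata above and applies heuristics for the three issue names listed under ISSUES; the names build_sample and parse_elf64, the thresholds behind each issue, and the sample bytes (constructed from the example metadata's values) are all assumptions of this example, not documented backend behaviour.

```python
import struct

# ELF64 header layout after the 16-byte e_ident (fixed field order per the ELF spec).
EHDR_FMT = "HHIQQQIHHHHHH"
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")
EM_NAMES = {62: "AMD x86-64"}
ET_NAMES = {3: "Shared object"}

# Constructed from the metadata example on this page; only used to build sample files.
EXAMPLE = dict(e_type=3, e_machine=62, e_version=1, e_entry=4368, e_phoff=64,
               e_shoff=15208, e_flags=0, e_ehsize=64, e_phentsize=56, e_phnum=11,
               e_shentsize=64, e_shnum=29, e_shstrndx=28)

def build_sample(null_section=bytes(64), **overrides):
    """Constructed sample: ELF64 little-endian header, zero padding, then a
    section header table whose index-0 entry is `null_section`."""
    vals = {**EXAMPLE, **overrides}
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack("<" + EHDR_FMT, *(vals[f] for f in EHDR_FIELDS))
    return ehdr + bytes(vals["e_shoff"] - 64) + null_section

def parse_elf64(data):
    """Return (elf_header, issues) shaped like the backend metadata. Handles
    ELFCLASS64 only; the issue heuristics are this example's assumptions."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ident = list(data[:16])
    if ident[4] != 2:
        raise ValueError("only 64-bit ELF is handled here")
    endian = "<" if ident[5] == 1 else ">"
    hdr = dict(zip(EHDR_FIELDS, struct.unpack(endian + EHDR_FMT, data[16:64])))
    hdr.update(e_ident=ident, ei_class="64-bit",
               ei_data="Little-endian" if endian == "<" else "Big-endian",
               e_machinestr=EM_NAMES.get(hdr["e_machine"], "unknown"),
               e_typestr=ET_NAMES.get(hdr["e_type"], "unknown"))
    issues = []
    # Linkers place the program header table directly after the 64-byte header.
    if hdr["e_phnum"] and hdr["e_phoff"] != hdr["e_ehsize"]:
        issues.append("EH_UNUSUAL_PHOFF")
    # Every ELF64 section header entry is 64 bytes long.
    if hdr["e_shnum"] and hdr["e_shentsize"] != 64:
        issues.append("EH_UNUSUAL_SHENTSIZE")
    # Section index 0 is reserved and must be all zeros (checked only if inside the file).
    if hdr["e_shnum"] and any(data[hdr["e_shoff"]:hdr["e_shoff"] + 64]):
        issues.append("SH_INVALID_NULL_SECTION")
    return hdr, issues
```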
Example Queries
object_type == "ELF"
&& @match_object_meta($elf_header.e_machine == 62)
- This query matches an ELF object whose architecture requirement is AMD64.
Configuration Options
This backend doesn't use any dedicated options.