Questions tagged [elf]
The Executable and Linkable Format is the main executable and object format for Linux, Solaris, *BSD, and many other OSes...
27 questions
143 votes, 2 answers, 131k views
What is PLT/GOT?
From time to time, when disassembling x86 binaries, I stumble on
reference to PLT and GOT, especially when calling procedures from a
dynamic library.
For example, when running a program in gdb:
(gdb)...
28 votes, 1 answer, 112k views
Reversing ELF 64-bit LSB executable, x86-64, gdb
I'm a newbie and just got into RE.
I got an ELF 64-bit LSB executable, x86-64. I'm trying to reverse it.
First I tried to set a break point on line 1 using
gdb ./filename
break 1
The gdb says
No ...
11 votes, 3 answers, 7k views
What are the available libraries to statically modify ELF executables?
I would like to be able to rewrite or reorganize an ELF binary program directly from the executable format (not at compile-time).
The only library I know to do this is elfesteem (used in Miasm). But,...
31 votes, 4 answers, 44k views
Cross debugging for ARM / MIPS ELF with QEMU/toolchain
As I'm new to cross-debugging and cross-compilation, I need some help because I feel so confused. I have a MIPS ELF file, [myelf][1]. You can see below the output of file myelf:
myelf: ELF 32-bit ...
29 votes, 1 answer, 27k views
What symbol tables stay after a strip In ELF format?
I am currently looking at the ELF format, and especially at stripped ELF executable program files.
I know that, when stripped, the symbol table is removed, but some information is always needed to ...
20 votes, 4 answers, 27k views
Set a breakpoint on GDB entry point for stripped PIE binaries without disabling ASLR
Given a position-independent, statically-linked, stripped binary, there does not appear to be a way in GDB to set a breakpoint at the entry point without disabling ASLR.
break start and similar ...
2 votes, 3 answers, 7k views
Where can I get Linux malware samples?
There have been numerous sites stated in this wonderful post that one could retrieve malware samples. However, I am having a difficult time (sorry D:) locating Linux-specific malware from those sites ...
18 votes, 4 answers, 16k views
How to generate the call graph of a binary file?
I have a non-stripped ELF binary for which I want to create a call graph as a dot file. Is there such a tool which generates the call graph?
EDIT: Is there a way in addition to the conventional call ...
3 votes, 1 answer, 5k views
IDA Pro debugging: follow child process
I'm reverse engineering a malware that creates a number of child processes and I'm trying to do dynamic analysis of the ELF binary with IDA Pro and IDA's Local Linux Debugger, but I can't get IDA to ...
3 votes, 1 answer, 2k views
ELF binary injection
I am currently working on an ELF-injector and my approach is standard: find code cave (long enough sequence of 0's), rewrite it with the instructions I want to execute and then jump back to the start ...
62 votes, 7 answers, 17k views
Visualizing ELF binaries
I recently saw an older talk by Sergey Bratus and Greg Conti by the name of Voyage of the Reverser: A Visual Study of Binary Species.
Are there any opensource/free tools that one could use to see ...
7 votes, 2 answers, 14k views
Fixing corrupt ELF header field "e_shnum" for use in GDB
If the ELF header which usually can be read using readelf has been manually manipulated, let's say by increasing the value for the "Size of section headers" the binary still can be executed and works ...
7 votes, 1 answer, 12k views
How to export a working elf binary from Ghidra?
When patching a program and then using the export binary function, it turns out the ELF headers are corrupt.
Is there any way to work around this problem?
7 votes, 2 answers, 3k views
Writing ELF headers in Radare?
Reading Keith Makan's, "Introduction to the ELF Format : The ELF Header", he modifies e_entry,
The e_entry field lists the offset in the file where the program should start executing. Normally it ...
7 votes, 2 answers, 4k views
How to recover information stored in .ctors section?
Test is on x86, 32-bit Linux. I am using g++ 4.6.3 and objdump 2.22
Here is a simple C++ code I am working on:
#include <iostream>
using namespace std;
main()
{
cout << "Hello ...