elfmaster/libelfmaster elfmaster/libelfmaster

  • Stars
    star
    403
  • Rank 107,140 (Top 3 %)
  • Language
    C
  • Created about 8 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
elfmaster/libelfmaster
github

elfmaster

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Secure ELF parsing/loading library for forensics reconstruction of malware, and robust reverse engineering tools

libelfmaster

Update as of 11/17/18 -- I have a local branch with many new fixes that will be finished and committed by the end of December, been very busy.

Secure ELF parsing library

libelfmaster is a C library for loading and parsing ELF objects of any type. The goal of this project was to create an API that is innovative in its ability to be user-friendly, secure, and provide a variety of creative and useful ways to access an ELF object. Not only that, but this library was largley created for designing reverse engineering applications. This library is capable of loading binaries with corrupted section headers and it will forensically reconstruct section headers and symbol tables using state-of-the-art techniques, such as PT_GNU_EH_FRAME reconstruction for .symtab functions. This library is also capable of seamlessly loading both 32bit and 64bit ELF objects, vs. having to compile two seperate libs for each architecture. The downfall obviously being that this won't compile on 32bit machines. I am now a guide on this project, as I put it into the hands of the security and reverse engineering community. I am currently using it to build https://github.com/elfmaster/elf.arcana which is advancing the state of Linux/UNIX binary forensics and HIDS. As I build Arcana, more edge cases come up.

Future Goals

  1. Userland debugging (non-ptrace) API similar to eresi e2dbg
  2. ELF patching, and injection. i.e. relocatable code injection + function hijacking etc.
  3. Dwarf VM bytecode injection similar to Sergey Bratus and James Oakley's Katana project
  4. Continuous advancement of forensically reconstructing all edge cases of broken binaries
  5. Explicit support for FreeBSD
  6. Explicit support for sparc, mips, arm, etc. Currently it implicitly supports many of the features
  7. A regression test suite
  8. Better Support for core-files, i.e. forensics reconstruction
  9. API Documentation

Current status

Work in progress. Not fully fuzzed or tested. Needs adept ELF hackers and reverse engineers with a strong C skills. Has undergone several iterations of fuzzing done with AFL. Currently I am fixing and patching the code and a new alpha release tag will be committed pushed soon (By mid October 2018) Thank you to all who have contributed their fuzzing efforts. I will create a proper area to name those who should be listed as contributors (Perhaps an Authors file).

Rules of development

NetBSD coding style, submit a PR for review.

API Documentation

The best documentation is to read the code in libelfmaster/examples. elfparse.c is a simple version of readelf, but does not utilize every API function so make sure to look at all examples. This API needs someone to document it.

More Repositories

1

ftrace

POSIX Function tracing
C
323
star
2

skeksi_virus

Devestating and awesome Linux X86_64 ELF Virus
C
221
star
3

ecfs

extended core file snapshot format
C
219
star
4

maya

Highly advanced Linux anti-exploitation and anti-tamper binary protector for ELF.
C
151
star
5

dsym_obfuscate

Obfuscates dynamic symbol table
C
134
star
6

saruman

ELF anti-forensics exec, for injecting full dynamic executables into process image (With thread injection)
C
126
star
7

kdress

Transform vmlinuz into a fully debuggable vmlinux that can be used with /proc/kcore
C
121
star
8

binflow

This is the new ftrace (https://github.com/elfmaster/ftrace) - Much faster, better resolution but not complete yet! :)
C++
107
star
9

dt_infect

ELF Shared library injector using DT_NEEDED precedence infection. Acts as a permanent LD_PRELOAD
C
106
star
10

sherlocked

Universal script packer-- transforms any type of script into a protected ELF executable, encrypted with anti-debugging.
Objective-C
102
star
11

linker_preloading_virus

An example of hijacking the dynamic linker with a custom interpreter who loads and executes modular viruses
C
58
star
12

taskverse

A tool like /bin/ps but uses /proc/kcore for walking the tasklist; this finds hidden processes
C
56
star
13

libelfmaster_examples

Simple ELF tools written to demonstrate libelfmaster capabilities.
C
37
star
14

kprobe_rootkit

Linux kernel rootkit using kprobes (From http://phrack.org/issues/67/6.html)
C
35
star
15

ecfs_exec

Be able to execute memory snapshots so they can start running where they left off.
C
34
star
16

static_binary_mitigations

relros.c applies RELRO to static binaries, and static_to_dyn.c applies ASLR to static binaries.
C
32
star
17

shiva

Shiva is a programmable dynamic linker for loading ELF microprograms
Roff
29
star
18

davinci

Transforms any file into a protected ELF executable
C
26
star
19

scop_virus_paper

ELF Virus infection techniques that work with SCOP (Secure code partitioned) executables
C
14
star
20

fork_trace

C++
10
star
21

avu32

anti virus 32bit. my first attempt (in 2008) to write prototype for detecting/disinfecting unix ELF viruses
C
8
star
22

canaryism

Canaryism will tell you which functions are protected with gcc stack canaries
C
6
star
23

packt_book

C
6
star
24

interpx_documentation

4
star
25

shiva_blogposts

Multiple blogposts are maintained here.
3
star
26

shiva_presentations

2
star
27

unix_virus_anniversary

2
star
28

veriexec.linux

Veriexec implementation for Linux
C
2
star
29

poetry

Transcribing my poetry from 19yrs ago
1
star