Malware Bible
  • The Indoctrination
    • The Beginning
      • Introduction to x86 Assembly
      • Introduction to Shellcode
      • Introduction to Python
      • Introduction to C
      • So You Want to Write Malware?
      • Introduction to Exploit Development
    • The Journey
      • Windows PE File Structure
      • ELF Structures
      • Android Package File Structure
      • iOS App Store File Structure
    • The Rituals
      • Start Writing Malware
      • Malware Obfuscation Techniques
      • Malware Evasion Techniques
    • The Scriptures
      • Yara Rules
      • Malcore
      • Radare2
      • IDAPro
      • Evasion Tactics
      • WinDBG
      • WinAPI
Powered by GitBook
On this page
  • THIS IS A WORK IN PROGRESS AND IS NOT PUBLICLY RELEASED YET
  • What will be covered?
  • What is an ELF file?
  • Breakdown of the ELF file
  • ELF sections
  • ELF file tables
  • In closing
  1. The Indoctrination
  2. The Journey

ELF Structures

PreviousWindows PE File StructureNextAndroid Package File Structure

Last updated 3 months ago

THIS IS A WORK IN PROGRESS AND IS NOT PUBLICLY RELEASED YET

Shameless plug

Malcore offers free threat intel in our Discord via their custom designed Discord bot. Join the Discord to discuss this course in further detail or to ask questions.

You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee


What will be covered?

What is an ELF file?

The executable and linkable format (ELF) is a standard file format for executables, object code, shared libraries, and core dumps. ELF format is widely used on Unix based operating systems. It is designed to be flexible and extensible.


Breakdown of the ELF file

To visualize the file format we have created a basic ascii representation of the file

───────────────────────────────────────────────────────────────────
 00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............ ─┐
 00000010: 0200 3e00 0100 0000 0000 0000 0000 0000  ..>.............  │── ELF Header
 00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................ ─┘
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
 00000040: 0100 0000 0000 0000 4000 0000 0000 0000  ........@....... ─┐
 00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │─ Program Header Table (PHT)
 00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................ ─┘
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
 00000080: 0100 0000 0000 0000 0000 0000 0000 0000  ................ ─┐
 00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 000000A0: 2e74 6578 7400 0000 1200 0000 0100 0000  .text...........  │────── Sections
 000000B0: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 000000C0: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 000000D0: 2e64 6174 6100 0000 1200 0000 0000 0000  .data.......... ─┘
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
 000000E0: 0300 0000 0000 0000 2e73 796d 7461 6200  .........symtab. ─┐
 000000F0: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │── Symbol Table
 00000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 00000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................ ─┘
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
 00000120: 0300 0000 0000 0000 2e73 7472 7461 6200  .........strtab. ─┐
 00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │── String Table
 00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................ ─┘
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
 00000160: 0400 0000 0000 0000 2e72 656c 6f63 2e64  .........reloc.d ─┐
 00000170: 6174 6100 0000 0000 0000 0000 0000 0000  ata.............. │── Relocation Section
 00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │
 00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................ ─┘
───────────────────────────────────────────────────────────────────
───────────────────────────────────────────────────────────────────
 000001A0: 0500 0000 0000 0000 2e6e 6f74 6500 0000  .........note... ─┐
 000001B0: 0000 0000 0000 0000 0000 0000 0000 0000  ................  │── Note Section
 000001C0: 0000 0000 0000 0000 0000 0000 0000 0000  ................ ─┘
───────────────────────────────────────────────────────────────────

ELF header

The header is located at the beginning of the file:

Contained within this header are multiple pieces of information. This information provides essential data to tell the system what kind of ELf file this is.

  • e_ident

    • Contains the magic number to identify the file as an ELF, also holds info on the class/architecture (32 or 64), encoding, and ELF version

      • 16 bytes long

        • Magic number (7F 45 4C 46 -> .ELF)

        • Class (or architecture)

          • 0x02 == 64bit

          • 0x01 == 32bit

        • Data encoding

          • 0x01 == little endian

          • 0x02 == big endian

        • ELF version (usually 0x01)

        • Padding bytes

  • e_type

    • Specifies the file type, such as: relocatable, executable, shared object, or core.

    • Possible types:

Bytes
Description

0x00

System V

0x01

HP-UX

0x02

NetBSD

0x03

Linux

0x04

GNU Hurd

0x06

Solaris

0x07

AIX (Monterey)

0x08

IRIX

0x09

FreeBSD

0x0A

Tru64

0x0B

Novell Modesto

0x0C

OpenBSD

0x0D

OpenVMS

0x0E

NonStop Kernel

0x0F

AROS

0x10

FenixOS

0x11

Nuxi CloudABI

0x12

Stratus Technologies OpenVOS

  • e_machines

    • Indicates what class/architecture the ELF files is

    • Most common types:

e_machine Value

Constant

Description

0x00

EM_NONE

No machine

0x02

EM_M32

AT&T WE 32100

0x03

EM_SPARC

SPARC

0x07

EM_68K

Motorola 68000

0x08

EM_88K

Motorola 88000

0x14

EM_860

Intel 80860

0x16

EM_R3000

MIPS I Architecture (R3000)

0x28

EM_ARM

ARM

0x2A

EM_SUPERH

Hitachi SH

0x32

EM_IA_64

Intel Itanium

0x3E

EM_X86_64

AMD x86-64 (x64)

0xB7

EM_AARCH64

ARM 64-bit (AArch64)

0xF3

EM_RISCV

RISC-V

  • Other notable types:

e_machine Value

Constant

Description

0x13

EM_386

Intel 80386

0x15

EM_PARISC

HP/PA RISC

0x2B

EM_ECOG2

Cyan Technology eCOG2

0x42

EM_ALPHA

DEC Alpha

0x8C

EM_AVR

Atmel AVR

0xA2

EM_MSP430

Texas Instruments MSP430

0xA3

EM_BLACKFIN

Analog Devices Blackfin

0xDC

EM_TI_C6000

Texas Instruments TMS320C6000 DSP family

0xF7

EM_BPF

Berkeley Packet Filter

  • e_version

    • This indicates the version of ELF that is being used. There are really only two different version:

      • 0x00000000

        • EV_NONE

          • Invalid version

      • 0x00000001

        • EV_CURRENT

          • Current version (original version 1)

Program header

Section header


ELF sections

ELF file sections overview

Dynamic sections

Relocation sections

Note section

Core dump section


ELF file tables

Symbol table

String table


In closing

This course is given to you for free by The Perkins Cybersecurity Educational Fund: in collaboration with the Malcore team:

Please consider donating to Fund and registering for Malcore. You can also join the Malcore Discord server here:

https://perkinsfund.org/
https://m4lc.io/courses/register
The Perkins Cybersecurity Educational
https://m4lc.io/courses/discord
What is an ELF file?
Detailed breakdown
Header
Program header
Section header
ELF sections
Section overview
Dynamic sections
Relocation sections
Note section
Core dump section
Tables
Symbol table
String table
That's it
Header
e_ident
e_type
e_machine
e_version