Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

detect ELF OS via libc sysdeps .symtab entries #1403

Closed
williballenthin opened this issue Mar 26, 2023 · 11 comments · Fixed by #1422
Closed

detect ELF OS via libc sysdeps .symtab entries #1403

williballenthin opened this issue Mar 26, 2023 · 11 comments · Fixed by #1422
Labels
enhancement New feature or request

Comments

@williballenthin
Copy link
Collaborator

Originally posted by @williballenthin in #1402 (comment)

there's a potential new hint: .symtab entries for libc resources related to linux:

    15: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS libc/sysdeps/linux/x86_64/crti.S
    33: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS libc/sysdeps/linux/x86_64/crtn.S
    34: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS libc/sysdeps/linux/x86_64/crt1.S
    48: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS libc/sysdeps/linux/x86_64/vfork.S

we should update our OS detection (here: https://github.com/mandiant/capa/blob/master/capa/features/extractors/elf.py) to use these entries to identify the underlying OS as linux.
@williballenthin williballenthin added the enhancement New feature or request label Mar 26, 2023
@williballenthin
Copy link
Collaborator Author

use UPX unpacked 0a1a8ca1ce27a04bf9618fe0f6bc94e6 as a test case

@ggold7046
Copy link
Contributor

Hi @williballenthin , this problem looks interesting to me , though not sure if I would be able to solve this. Could you tell me how to proceed on this ?

@williballenthin
Copy link
Collaborator Author

most of the details i have at the moment are in the above issue text (which means, there aren't many details fleshed out yet). so, you'll have to do most of the research to figure out how to make this work. i'd recommend using readelf to figure out which structures contain the above entries and then extending the elf.py parser to parse this data and apply the heuristics. unfortunately im not able to provide more guidance at this time.

@ggold7046
Copy link
Contributor

Correct me if I'm wrong. The readelf is used to inspect and display information about the ELF files. Could you please point me to that file ?

@ggold7046

This comment was marked as off-topic.

Sign in to view
@williballenthin
Copy link
Collaborator Author

readelf is a common linux utility, not part of capa

https://man7.org/linux/man-pages/man1/readelf.1.html

@ggold7046
Copy link
Contributor

i'd recommend using readelf to figure out which structures contain the above entries

I tried to convert the https://github.com/mandiant/capa/blob/master/capa/features/extractors/elf.py file using pyinstaller, and ran readelf. But couldn't find any libc/sysdeps/linux/x86_64/crti.S entry there.

@yelhamer
Copy link
Collaborator

Hi @williballenthin, I'd love to get assigned this enhancement, I think I know how to implement it.

@williballenthin
Copy link
Collaborator Author

williballenthin commented Mar 30, 2023 via email

This was referenced Apr 2, 2023
Merged
Merged
@ggold7046
Copy link
Contributor

Could anyone please make me understand how this problem was solved from start ? How did you find out the entries etc...etc.

@williballenthin
Copy link
Collaborator Author

have you read through the changes in https://github.com/mandiant/capa/pull/1422/files and do you understand what they do?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

ELF OS detection: add support for guessing that's based on .symtab entries yelhamer/capa
3 participants
@williballenthin @yelhamer @ggold7046