Carving ELF Files
The blog by Joren Vrancken covers carving ELF files for digital forensics and reverse engineering. It explains how to read the ELF file header, program header table and section header table to locate a file's boundaries, how the program headers drive loading, and how the section headers describe the file's data. A worked size computation is included.
The blog by Joren Vrancken discusses carving ELF files, a common task in digital forensics and reverse engineering, especially when analyzing malware samples. It explains how to determine where an ELF executable begins and ends by examining its headers. An ELF file consists of the ELF file header, the program header table, the section header table, and the data those headers describe. The ELF file header holds general information about the executable, including where the two tables sit in the file and how many entries each has; the program header table tells the loader which parts of the file to map into memory; and the section header table describes the data stored in the file. The size of the file follows from finding where each of these parts ends and taking the furthest end. The post walks through this computation on the '/bin/ls' executable.
Related
Hacking Amazon's Eero 6 (part 2)
The author describes extracting firmware data from an Amazon eero 6 device's eMMC flash chip. Despite challenges, they successfully read the chip in 4-bit transfer mode, dumped the firmware, and analyzed its 23 partitions.
At the Mountains of Madness
The blog discusses challenges in building executables for NixOS and Linux, focusing on ELF interpretation, glibc versions, and dynamic linking. It explores container use, NixOS dependency management, and proposes patchelf for cross-compatibility.
Weird things I learned while writing an x86 emulator
The article explores writing an x86 and amd64 emulator for Time Travel Debugging, emphasizing x86 encoding, prefixes, flag behaviors, shift instructions, segment overrides, FS and GS segments, TEB structures, CPU configuration, and segment handling nuances in 32-bit and 64-bit modes.
Linux Technical Debt: A Visual Explanation (Directory Entries/struct dirent)
The YouTube video discusses challenges with directory entry alignment in file systems, focusing on file name length, padding, and alignment. It suggests replacing elements for efficient data management, prioritizing data length, and using memory copy techniques for faster program execution.
A Linux kernel syscall implementation tracker
The website provides detailed information on Linux syscall tables, covering architecture, kernel version, JSON table, kernel config, analysis log, and source. Attributes include signature, number, name, symbol, and definition location. Powered by Systrack v, copyrighted by Marco Bonelli under GNU GPL v3.0 for 2023-2024.
The correct approach is to process the program headers and find the tail end of anything referenced in PT_LOAD as well as from DT_DYN items.
You can combine that with a section-based approach; if the file has debug information it won't be covered by program headers and you'd end up cutting it off if going purely by program headers. However, this is technically optional while the program-header-based approach is really required.
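The computation the summary describes, and the program-header versus section-header distinction raised in the comment above, as an added example in Python (not code from the blog or from the commenter). The carver parses the ELF file header, program header table and section header table, reports the end offset each one implies, and takes the furthest as the file size; it then scans a blob for ELF magics and carves each image. The sample ELF64 image and the "memory dump" it is embedded in are constructed inline; their layout, addresses and section names are invented for the demo and only need to be self-consistent.

```python
# Added example (not code from the summarized blog or the comment): compute an ELF image's
# extent from its headers and carve it out of a raw blob. The sample ELF is constructed inline.
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
SHT_NOBITS = 8  # .bss-style section: occupies no file bytes, so it never extends the file

def _layout(ident):
    """Struct formats and (offset, size) field indices for this ELF class and byte order."""
    bo = "<" if ident[5] == 1 else ">"   # EI_DATA: 1 = little endian, 2 = big endian
    if ident[4] == 2:                     # EI_CLASS: ELFCLASS64
        return bo, "HHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ", (2, 5), (4, 5)
    if ident[4] == 1:                     # ELFCLASS32 (p_offset/p_filesz sit at 1/4)
        return bo, "HHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII", (1, 4), (4, 5)
    raise ValueError("unknown EI_CLASS %d" % ident[4])

def _unpack(fmt, data, off):
    # explicit bounds check, so a truncated image fails with a clear error
    if off + struct.calcsize(fmt) > len(data):
        raise ValueError("header at offset %d runs past end of data" % off)
    return struct.unpack_from(fmt, data, off)

def elf_extents(data, base=0):
    """End offsets (relative to base) implied by each part of the ELF image at data[base:].

    'segments' is what a program-header-only carve keeps; 'size' also counts the section
    header table and every non-NOBITS section, e.g. the .debug_* sections of an unstripped
    binary, which no PT_LOAD covers.
    """
    ident = data[base:base + 16]
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        raise ValueError("no complete ELF identification at offset %d" % base)
    bo, eh_fmt, ph_fmt, sh_fmt, (p_off, p_fsz), (s_off, s_sz) = _layout(ident)
    eh = _unpack(bo + eh_fmt, data, base + 16)
    e_phoff, e_shoff, e_ehsize = eh[4], eh[5], eh[7]
    e_phentsize, e_phnum, e_shentsize, e_shnum = eh[8], eh[9], eh[10], eh[11]
    ext = {"ehdr": e_ehsize, "phdr_table": 0, "segments": 0, "shdr_table": 0, "sections": 0}
    if e_phnum:
        ext["phdr_table"] = e_phoff + e_phnum * e_phentsize
        for i in range(e_phnum):
            ph = _unpack(bo + ph_fmt, data, base + e_phoff + i * e_phentsize)
            # PT_LOAD is the one that matters; other segment types normally nest inside a
            # PT_LOAD, but every segment's file bytes belong to the file, so count them all.
            ext["segments"] = max(ext["segments"], ph[p_off] + ph[p_fsz])
    if e_shoff:
        if e_shnum == 0:  # extended numbering: the real count is stored in shdr[0].sh_size
            e_shnum = _unpack(bo + sh_fmt, data, base + e_shoff)[s_sz]
        ext["shdr_table"] = e_shoff + e_shnum * e_shentsize
        for i in range(e_shnum):
            sh = _unpack(bo + sh_fmt, data, base + e_shoff + i * e_shentsize)
            if sh[1] != SHT_NOBITS:
                ext["sections"] = max(ext["sections"], sh[s_off] + sh[s_sz])
    ext["size"] = max(ext.values())
    return ext

def carve_elf(blob):
    """Scan blob for ELF magics; return (offset, size, status) per candidate.

    status is 'complete', 'truncated' (headers say the file extends past the blob) or
    'headers unreadable: ...'. Scanning resumes right after each magic, so an ELF embedded
    inside another carved ELF is reported too.
    """
    found, pos = [], blob.find(ELF_MAGIC)
    while pos != -1:
        try:
            size = elf_extents(blob, pos)["size"]
        except ValueError as exc:
            found.append((pos, None, "headers unreadable: %s" % exc))
        else:
            found.append((pos, size, "complete" if pos + size <= len(blob) else "truncated"))
        pos = blob.find(ELF_MAGIC, pos + 4)
    return found

def build_sample_elf64():
    """Constructed ELF64 LE image: one PT_LOAD covering the first 128 bytes, a .debug_info
    section that segment does not cover, and the section header table at the very end."""
    code = b"\x31\xc0\xc3" + b"\x90" * 5           # 8 bytes at 120 (xor eax,eax; ret; nops)
    debug = b"\xde\xad" * 8                         # 16 bytes at 128, outside the PT_LOAD
    shstr = b"\0.text\0.debug_info\0.shstrtab\0"  # 29 bytes at 144
    shoff = 176
    ehdr = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9 # ELFCLASS64, little endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400078, 64, shoff, 0, 64, 56, 1, 64, 4, 3)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, 128, 128, 0x1000)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)            # SHN_UNDEF
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 1, 6, 0x400078, 120, 8, 0, 0, 16, 0)  # .text
    shdrs += struct.pack("<IIQQQQIIQQ", 7, 1, 0, 0, 128, 16, 0, 0, 1, 0)         # .debug_info
    shdrs += struct.pack("<IIQQQQIIQQ", 19, 3, 0, 0, 144, 29, 0, 0, 1, 0)        # .shstrtab
    img = ehdr + phdr + code + debug + shstr
    return img + b"\0" * (shoff - len(img)) + shdrs

def build_sample_blob():
    """Constructed 'memory dump': junk, a complete ELF, more junk, then a cut-off copy."""
    elf = build_sample_elf64()
    return b"\xaa" * 17 + elf + b"\xff" * 40 + elf[:300]

if __name__ == "__main__":
    for off, size, status in carve_elf(build_sample_blob()):
        print("ELF at 0x%x: size=%s (%s)" % (off, size, status))
```

On the constructed image the PT_LOAD ends at byte 128, the last section's contents end at 173, and the section header table ends at 432, so a program-header-only carve would keep 128 bytes and lose .debug_info and the section headers, while the combined computation returns the full 432. To try it on a real binary, pass `open("/bin/ls", "rb").read()` to `elf_extents` and compare its `size` with the on-disk file size; they match when nothing has been appended after the headers' last reference.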