elfexec

Imports

Imports # 

"bufio"
"debug/elf"
"encoding/binary"
"fmt"
"io"

Constants & Variables

maxNoteSize const # 

const maxNoteSize = *ast.BinaryExpr

noteTypeGNUBuildID const # 

const noteTypeGNUBuildID = 3

Structs

elfNote struct #

elfNote is the payload of a Note Section in an ELF file.

type elfNote struct {
Name string
Desc []byte
Type uint32
}

Functions

FindTextProgHeader function #

FindTextProgHeader finds the program segment header containing the .text section or nil if the segment cannot be found.

func FindTextProgHeader(f *elf.File) *elf.ProgHeader

GetBase function #

GetBase determines the base address to subtract from virtual address to get symbol table address. For an executable, the base is 0. Otherwise, it's a shared library, and the base is the address where the mapping starts. The kernel needs special handling.

func GetBase(fh *elf.FileHeader, loadSegment *elf.ProgHeader, stextOffset *uint64, start uint64, limit uint64, offset uint64) (uint64, error)

GetBuildID function #

GetBuildID returns the GNU build-ID for an ELF binary. If no build-ID was found but the binary was read without error, it returns (nil, nil).

func GetBuildID(f *elf.File) ([]byte, error)

HeaderForFileOffset function #

HeaderForFileOffset attempts to identify a unique program header that includes the given file offset. It returns an error if it cannot identify a unique header.

func HeaderForFileOffset(headers []*elf.ProgHeader, fileOffset uint64) (*elf.ProgHeader, error)

ProgramHeadersForMapping function #

ProgramHeadersForMapping returns the program segment headers that overlap the runtime mapping with file offset mapOff and memory size mapSz. We skip over segments zero file size because their file offset values are unreliable. Even if overlapping, a segment is not selected if its aligned file offset is greater than the mapping file offset, or if the mapping includes the last page of the segment, but not the full segment and the mapping includes additional pages after the segment end. The function returns a slice of pointers to the headers in the input slice, which are valid only while phdrs is not modified or discarded.

func ProgramHeadersForMapping(phdrs []elf.ProgHeader, mapOff uint64, mapSz uint64) []*elf.ProgHeader

kernelBase function #

kernelBase calculates the base for kernel mappings, which usually require special handling. For kernel mappings, tools (like perf) use the address of the kernel relocation symbol (_text or _stext) as the mmap start. Additionally, for obfuscation, ChromeOS profiles have the kernel image remapped to the 0-th page.

func kernelBase(loadSegment *elf.ProgHeader, stextOffset *uint64, start uint64, limit uint64, offset uint64) (uint64, bool)

parseNotes function #

parseNotes returns the notes from a SHT_NOTE section or PT_NOTE segment.

func parseNotes(reader io.Reader, alignment int, order binary.ByteOrder) ([]elfNote, error)

Generated with Arrow