detect OS from ELF file #724
Comments
The https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
The Linux standard requires that executables should have a NOTE section that indicates it's meant for Linux and the earliest compatible kernel version:
https://refspecs.linuxfoundation.org/LSB_1.2.0/gLSB/noteabitag.html I don't know if this applies to libraries, too.
OpenBSD also uses a similar NOTE system:
Dynamically linked ELF files have an INTERP section that points to their dynamic linker. This path likely contains one of a small set of values correlated with the OS, such as this unscientific collection of interpreters (from 100 each of freebsd, hp-ux, linux, netbsd, openbsd, and openvms identified by mime on VT):
VT search:
@schrodyn I'd love your insight here
https://www.freebsd.org/cgi/man.cgi?query=elf&sektion=5&apropos=0&manpath=FreeBSD+13.0-stable The FreeBSD man page for elf(5) documents its note types. I'll get more information later, afk currently.
Added an implementation of the heuristics above here: https://github.com/fireeye/capa/blob/baaa8ba2c10b2dd27554223e5469ce712c5c1902/scripts/detect-elf-os.py. It prefers, in order:
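One way to combine the signals discussed in this thread, as an added example that is neither capa's detect-elf-os.py nor any commenter's code: it reads e_ident[EI_OSABI] (a heuristic the thread does not mention, but one that FreeBSD and others set), then the OS-identifying notes (the LSB "GNU" ABI tag, plus the FreeBSD/NetBSD/OpenBSD/Android vendor-named notes), and only then the PT_INTERP path. The interpreter-prefix table, the order of preference, and the sample ELF images (built inline by build_elf64; constructed input, not real binaries) are this example's own assumptions and not the VT-derived list or the preference order from the thread.

```python
"""Added example (not capa's detect-elf-os.py): guess an ELF file's target OS from
its EI_OSABI byte, its OS-identifying notes and its PT_INTERP path. The prefix
table and the order of the three heuristics are this example's own assumptions."""
import struct

PT_INTERP, PT_NOTE, NT_GNU_ABI_TAG = 3, 4, 1
# e_ident[EI_OSABI] values (ELFOSABI_*); 0 (SYSV) carries no information and is skipped.
OSABI_OS = {1: "hp-ux", 2: "netbsd", 3: "linux", 6: "solaris", 9: "freebsd", 12: "openbsd"}
# OS word of the "GNU" NT_GNU_ABI_TAG note (.note.ABI-tag), per glibc elf.h ELF_NOTE_OS_*.
GNU_ABI_OS = {0: "linux", 1: "hurd", 2: "solaris", 3: "freebsd", 4: "netbsd"}
# Note owners that identify the OS by name alone.
NOTE_OWNER_OS = {b"FreeBSD": "freebsd", b"NetBSD": "netbsd", b"OpenBSD": "openbsd", b"Android": "android"}
# Dynamic-linker path prefixes (assumed heuristic table, matched in order).
INTERP_OS = [
    ("/lib/ld-linux", "linux"), ("/lib64/ld-linux", "linux"), ("/lib/ld-musl", "linux"),
    ("/libexec/ld-elf.so", "freebsd"), ("/usr/libexec/ld.so", "openbsd"),
    ("/usr/libexec/ld.elf_so", "netbsd"), ("/usr/lib/ld.so", "solaris"),
    ("/usr/lib/amd64/ld.so", "solaris"), ("/usr/lib/hpux", "hp-ux"), ("/system/bin/linker", "android"),
]

def parse_elf(data):
    """Return (struct byte-order prefix, osabi, [(p_type, p_offset, p_filesz), ...])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end, osabi = data[4] == 2, ("<" if data[5] == 1 else ">"), data[7]
    if is64:
        phoff, = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    phdrs = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            t, _, o, _, _, sz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:     # p_type, p_offset, p_vaddr, p_paddr, p_filesz
            t, o, _, _, sz = struct.unpack_from(end + "IIIII", data, off)
        phdrs.append((t, o, sz))
    return end, osabi, phdrs

def iter_notes(blob, end):
    """Yield (owner, type, desc) per note entry; name and desc are padded to 4 bytes."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from(end + "III", blob, off)
        off += 12
        owner = blob[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        yield owner, ntype, blob[off:off + descsz]
        off += (descsz + 3) & ~3

def detect_elf_os(data):
    """OSABI first, then OS-identifying notes, then the PT_INTERP path; else 'unknown'."""
    end, osabi, phdrs = parse_elf(data)
    if osabi in OSABI_OS:
        return OSABI_OS[osabi]
    interp = None
    for p_type, off, size in phdrs:
        if p_type == PT_NOTE:
            for owner, ntype, desc in iter_notes(data[off:off + size], end):
                if owner == b"GNU" and ntype == NT_GNU_ABI_TAG and len(desc) >= 4:
                    os_id, = struct.unpack_from(end + "I", desc, 0)
                    if os_id in GNU_ABI_OS:
                        return GNU_ABI_OS[os_id]
                elif owner in NOTE_OWNER_OS:
                    return NOTE_OWNER_OS[owner]
        elif p_type == PT_INTERP:
            interp = data[off:off + size].rstrip(b"\0").decode("ascii", "replace")
    for prefix, os_name in INTERP_OS:
        if interp is not None and interp.startswith(prefix):
            return os_name
    return "unknown"

def build_elf64(interp=None, note=None, osabi=0):
    """Build a minimal little-endian ELF64 with optional PT_INTERP/PT_NOTE (constructed input)."""
    segments = []
    if interp is not None:
        segments.append((PT_INTERP, interp + b"\0"))
    if note is not None:
        owner, ntype, desc = note
        name = owner + b"\0"
        blob = struct.pack("<III", len(name), len(desc), ntype)
        blob += name + b"\0" * (-len(name) % 4) + desc + b"\0" * (-len(desc) % 4)
        segments.append((PT_NOTE, blob))
    phoff, phentsize, phdrs, payload = 64, 56, b"", b""
    for p_type, blob in segments:
        off = phoff + phentsize * len(segments) + len(payload)
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, len(blob), len(blob), 1)
        payload += blob
    ehdr = b"\x7fELF" + bytes([2, 1, 1, osabi]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, phentsize, len(segments), 0, 0, 0)
    return ehdr + phdrs + payload

# Constructed samples (not real binaries), one per heuristic path.
SAMPLES = {
    "glibc": build_elf64(b"/lib64/ld-linux-x86-64.so.2", (b"GNU", NT_GNU_ABI_TAG, struct.pack("<IIII", 0, 3, 2, 0))),
    "freebsd-osabi": build_elf64(b"/libexec/ld-elf.so.1", osabi=9),
    "openbsd-static": build_elf64(note=(b"OpenBSD", 1, struct.pack("<I", 0))),
    "netbsd-interp-only": build_elf64(b"/usr/libexec/ld.elf_so"),
    "unknown": build_elf64(b"/opt/vendor/ld.so"),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        print(f"{label:20s} -> {detect_elf_os(image)}")
```

The note walker uses 4-byte alignment for name and desc, which is what every mainstream toolchain emits even in ELF64 despite the generic ELF64 spec wording; an unrecognised vendor note simply falls through to the interpreter check, so a binary with an unknown owner and a musl interpreter still resolves to Linux.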
In support of the discussions in #701, we want to extract the OS associated with each file. For PE files, we can pretty much assume they're for Windows. For ELF files, we should try to determine if they're targeting Linux, *BSD, Solaris, etc. How can we do this well?
To be direct, I don't have a lot of experience with this. So, I'll document my research in this thread and would welcome feedback from anyone with insight.