Skip to content
This repository has been archived by the owner on Apr 15, 2022. It is now read-only.


Repository files navigation


Spencer Powell - elfldr.c Carlos Guerra - database functionality Wayne Havey - Python/Yara

UCCS 2017 - Undergraduate Independent Study

Field: Cyber Security Advisor: Dr. Chow


Tool for interfacing with ELF files

The idea

Use the elfldr c program to interface with and extract information from a binary file (32bit currently), that information gets placed into a database where it can be accessed easily by python and used in conjunction with custom yara signatures to detect vulnerabilities within a binary without needing access to the source code.


Deserializer Usage

    Serializable *ser; /* Deserializer context */
    Elf32_Ehdr *eheader; /* Struct to hold data */
    size_t size; /* The size of the raw data you wish to deserialize */
    ser = (Serializable *) malloc(sizeof(Serializable));
    eheader = (Elf32_Ehdr) malloc(sizeof(Elf32_Ehdr);
    /* mmap the file */
    if(0 != smap(argv[1], ser))
        fprintf(stderr, "failed to map %s\n", argv[1]);
        return -1;
    /* set the endianness (defaults to little) */
    ser->order = LITTLE_ENDIAN;
    /* Prepare the struct */
    Element header_elements[] = {
        create_element(prg->order, *eheader, e_ident),
        create_element(prg->order, *eheader, e_type),
        create_element(prg->order, *eheader, e_machine),
        create_element(prg->order, *eheader, e_version),
        create_element(prg->order, *eheader, e_entry),
        create_element(prg->order, *eheader, e_phoff),
        create_element(prg->order, *eheader, e_shoff),
        create_element(prg->order, *eheader, e_flags),
        create_element(prg->order, *eheader, e_ehsize),
        create_element(prg->order, *eheader, e_phentsize),
        create_element(prg->order, *eheader, e_phnum),
        create_element(prg->order, *eheader, e_shentsize),
        create_element(prg->order, *eheader, e_shnum),
        create_element(prg->order, *eheader, e_shstrndx)
    deserialize(prg, header_elements, N_EHEADER);

usage: ./elfldr --file|-f --section|-s <section_name>


Python directory contains: - description: capstone module implemented to print assembly and other section info from binary usage: python2.7 info: this file can be modified to print info from every section see documentation on python capstone

- rules (directory)
    description: Repository of yara rules. Most are for malware detection, some CVE detection. 
    usage: use this repo in conjunction with script. ./ <file>
    info: any new rules written for vulnerability detection should be placed in here or the script should be modfied to point to the new rules repo.
    description: script to run yara rules on a specified file.
    usage: ./ <file>
    info: This script points to the rules directory and runs every yara rule contained within on the specified file.
          See yara command line usage for more information on tailoring this script.

- rules.yar
    description: Beginnings of a yara rule file tailored to elf analysis.
    usage: see yara usage command line usage.
    info: Yara has a builin api for accessing information for elf files.  


In the database directory you will find some screenshots and the database file itself. The database contains instruction information extracted from the binary and references to the column names.


No description, website, or topics provided.






No releases published


No packages published