This is an ELF anomaly detection tool. It runs a list of checks and reports the presence or absence of anomalies such as: missing symbol information, overlapping headers or segments, unusual entropy of a section, strange segment permissions, an odd entry point, an unexpected interpreter, a _start that does not call __libc_start_main, and so on.
- Check if section headers are available or not
- Check if symbols have been stripped or not
- Check if __libc_start_main is called
- Check if the entry point is _start
- Check if the entry point is in the .text or .code section
- Check the interpreter
- Check if some segments overlap in memory
- Check if some segments overlap on disk
- Check segment permissions
- Check if a program header points outside the file
- Check if some headers overlap
- Check if some segments overlap with some headers
- Check the number of functions in the import table
- Check if some sections have high entropy
- Check that the size in memory is not higher than on disk
- Check that the string table is present
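As an added illustration of how several of the segment checks listed above can be done directly from the raw ELF64 program headers (example code written for this README, not part of elfad.py, which uses lief; the constant names, the check_segments and build_sample helpers and the two constructed sample images are assumptions of the example, and the sample images are minimal header-only files, not real executables):

```python
import struct
# Layout of the ELF64 little-endian file header and program header, from the ELF specification.
ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # 64 bytes
ELF64_PHDR = "<IIQQQQQQ"          # 56 bytes
PT_LOAD, PF_X, PF_W = 1, 1, 2

def program_headers(data):
    """Return (p_type, p_flags, p_offset, p_vaddr, p_filesz, p_memsz) for every program header."""
    ehdr = struct.unpack_from(ELF64_EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(ELF64_PHDR) > len(data):
            break  # truncated program header table: stop instead of reading past the file
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, _ = struct.unpack_from(ELF64_PHDR, data, off)
        phdrs.append((p_type, p_flags, p_off, p_vaddr, p_filesz, p_memsz))
    return phdrs

def overlaps(a_start, a_size, b_start, b_size):
    return a_start < b_start + b_size and b_start < a_start + a_size

def check_segments(data):
    """Anomalies for PT_LOAD segments: outside the file, filesz > memsz, W+X, overlap on disk / in memory."""
    loads = [p for p in program_headers(data) if p[0] == PT_LOAD]
    findings = []
    for i, (_, flags, off, vaddr, filesz, memsz) in enumerate(loads):
        if off + filesz > len(data):
            findings.append(f"segment {i}: points outside the file")
        if filesz > memsz:  # the ELF spec requires p_filesz <= p_memsz (the remainder is zero-filled .bss)
            findings.append(f"segment {i}: file size larger than memory size")
        if flags & PF_W and flags & PF_X:
            findings.append(f"segment {i}: writable and executable")
        for j, (_, _, off2, vaddr2, filesz2, memsz2) in enumerate(loads[i + 1:], i + 1):
            if overlaps(off, filesz, off2, filesz2):
                findings.append(f"segments {i} and {j}: overlap on disk")
            if overlaps(vaddr, memsz, vaddr2, memsz2):
                findings.append(f"segments {i} and {j}: overlap in memory")
    return findings

def build_sample(phdrs):
    """Constructed ELF64 image (file header + program headers + zero padding); not a real executable."""
    ehdr = struct.pack(ELF64_EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9, 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return (ehdr + b"".join(struct.pack(ELF64_PHDR, *p) for p in phdrs)).ljust(512, b"\0")

# Constructed inputs: a sane R+X segment, then an R+W+X one that overlaps it and runs past the end of file.
CLEAN = build_sample([(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x100, 0x100, 0x1000)])
SUSPECT = build_sample([(PT_LOAD, 5, 0, 0x400000, 0x400000, 0x100, 0x100, 0x1000),
                        (PT_LOAD, 7, 0x80, 0x400080, 0x400080, 0x1000, 0x200, 0x1000)])
```

check_segments(CLEAN) returns no findings, while check_segments(SUSPECT) reports the disk and memory overlap, the segment extending past the file, p_filesz larger than p_memsz and the writable-and-executable permissions.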
Works with Python 3 and lief.
- To install the lief library:
$ pip install setuptools --upgrade
$ pip install lief
- Usage:
$ python elfad.py [-w] [-p] [-e] [-f]
- Options:
-w : print only the anomalies (by default the result of each test is printed)
-p : print only the checks related to packer detection
-e : change the entropy threshold, default value is 6
-f : change the threshold below which the number of imported functions is considered too low, default value is 10
NB: -p -w prints only the anomalies among the packer signs.
It relies mainly on the information that can be read from the headers, obtained through the lief library and the readelf command.
The authors of this program are Justine DELOMENIE and Paul FOURNIER. It was written as a project for the Forensics course at Eurecom.