man elfsh (Commands) - The ELF shell

NAME

ELFsh - The ELF shell

SYNOPSIS

elfsh [OPTION...]

DESCRIPTION

ELFsh is an interactive and scriptable ELF machine to play with executable files, shared libraries and relocatable ELF32 objects. It is useful for daily binary manipulations such as on-the-fly patching, code analysis, or embedded code injection in research fields such as reverse engineering, security auditing and intrusion detection.

OPTIONS

-f
input file
-w
output file

COMMANDS

The following commands can be used either on the command line, when preceded by a -, or at the ELFsh command prompt:

info
Print the extra details help screen
help
Print the help screen
fixup
Insert BSS section in corefile
findrel
Dump absolute relocations list
shtrm
Mark the Section Header Table (sht) as removed
quit
Quit the shell without saving
exit
Quit the shell without saving
e elf
Print the ELF header
i interp
Print the .interp section
p pht
Print the Program Header Table (PHT)
g got [Regex]
Print the symbols in the Global Offset Table (GOT) matching Regex
s sht [Regex]
Print the sections in the Section Header Table (SHT) matching Regex
r rel [Regex]
Print the relocation entries matching Regex
n notes [Regex]
Print the Notes sections entries matching Regex
d dyn [Regex]
Print the .dynamic section entries matching Regex
ds dynsym [Regex]
Print dynamic symtab (.dynsym) entries matching Regex
st sym [Regex]
Print the symtab (.symtab) entries matching Regex
stab [Regex]
Print raw stab (.stabs) entries matching Regex
ct ctors [Regex]
Print .ctors section entries matching Regex
dt dtors [Regex]
Print .dtors section entries matching Regex
D disasm [Regex[:rva[%size]]]
Disassemble size bytes of the objects matching Regex starting at offset rva
X hexa [Regex[:rva[%size]]]
Dump size bytes of the objects matching Regex starting at offset rva
reladd DestinationFileID SourceFileID
Inject the ELF relocatable object SourceFileID into the ELF executable object DestinationFileID
OP DestinationObjectPath OperandObjectPath
Perform arithmetic operation OP (add/sub/mul/div/mod) on DestinationObjectPath using operand OperandObjectPath
set DestinationObjectPath SourceObjectPath
Set the value of object DestinationObjectPath to SourceObjectPath
get SourceObjectPath
Get the value of object SourceObjectPath
append SectionName SourceObjectPath
Append the data of object SourceObjectPath to section SectionName
extend SectionName length
Extend section SectionName with length zero bytes
write DestinationObjectPath SourceObjectPath
Copy data from SourceObjectPath to DestinationObjectPath
print [ObjectPath1 ObjectPath2 ... ObjectPathN]
Print the values of objects ObjectPath1 ObjectPath2 ... ObjectPathN
redir func (func2 | addr)
Redirect calls to function func having a .plt entry to func2 or address addr.
a all regex
Set a global regular expression. All commands which take a regular expression as a parameter will default to use this global regular expression.
s sort (a|s)
Sort output by address or size
quiet | verbose
Toggle the verbosity flag

The following commands can only be used on the ELFsh command line:

load filename
Load input file filename
save filename
Dump output file filename
unload (filename | fileID)
Unload file filename or fileID without saving
switch (filename | fileID)
Change the current file to work on to filename or fileID
modload filename
Load the ELFsh module filename
list
List the loaded files and their ID

OBJECT PATH FORMAT

This section explains how to access different objects in an ELF file. For most commands the object can also be a decimal or hexadecimal number. In this case the ObjectPath is the number.

ELF Header
filename.hdr.field

ELF header fields are: Magic number, File class, Object file type, Architecture, Object file version, Entry point virtual address, Program header table file offset, Section header table file offset, Processor-specific Flags, Size of the ELF header in bytes, Size of the program headers, Size of the section headers, Number of program headers, Number of section headers, Section header string table index, PAX use paging based non-executable pages, PAX emulate trampolines, PAX restrict mmap, PAX randomize mmap, PAX randomly map executable address, PAX use segmentation based non-executable pages.

got/ctors/dtors tables
(filename | fileID).(got|ctors|dtors)[index]

Program segment header table
(filename | fileID).pht[index].field

Program segment header table entry fields are: Segment type, Segment file offset, Segment physical address, Segment virtual address, Segment size in file, Segment size in memory, Segment flags, Segment alignment.
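
The ELF header and program header table fields listed above, read from a file image and used for two triage checks. This is an added example, not part of the original manual page or of ELFsh; it handles little-endian ELF32 only, the field names are the standard Elf32_Ehdr and Elf32_Phdr member names (an assumption, since the page gives descriptions rather than names), and the sample image is constructed.

```python
import struct

# Added example. Field names are the standard Elf32_Ehdr / Elf32_Phdr member
# names (an assumption: the page lists field descriptions, not names).
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # 52-byte ELF32 header
PHDR = struct.Struct("<8I")                 # 32-byte program header entry
EHDR_FIELDS = ("e_ident e_type e_machine e_version e_entry e_phoff e_shoff "
               "e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum "
               "e_shstrndx").split()
PHDR_FIELDS = "p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align".split()
PT_LOAD, PF_X, PF_W = 1, 1, 2

def parse_elf32(data):
    """Return (header dict, list of PHT entry dicts) for little-endian ELF32."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:        # EI_CLASS, EI_DATA
        raise ValueError("only little-endian ELF32 is handled")
    hdr = dict(zip(EHDR_FIELDS, EHDR.unpack_from(data)))
    if hdr["e_phnum"] and hdr["e_phentsize"] != PHDR.size:
        raise ValueError("unexpected e_phentsize")
    if hdr["e_phoff"] + hdr["e_phnum"] * PHDR.size > len(data):
        raise ValueError("program header table runs past end of file")
    pht = [dict(zip(PHDR_FIELDS, PHDR.unpack_from(data, hdr["e_phoff"] + i * PHDR.size)))
           for i in range(hdr["e_phnum"])]
    return hdr, pht

def findings(hdr, pht, file_size):
    """Triage checks that rely only on the ELF header and the PHT."""
    out = []
    if hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0:
        out.append("no section header table")
    for i, p in enumerate(pht):
        if p["p_offset"] + p["p_filesz"] > file_size:
            out.append(f"pht[{i}] extends past end of file")
        if p["p_type"] == PT_LOAD and p["p_flags"] & PF_W and p["p_flags"] & PF_X:
            out.append(f"pht[{i}] is writable and executable")
    return out

def sample_image():
    """Constructed 88-byte ELF32 image: one RWX PT_LOAD segment, no SHT."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = EHDR.pack(ident, 2, 3, 1, 0x08048054, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_LOAD, 0, 0x08048000, 0x08048000, 88, 88, 7, 0x1000)
    return ehdr + phdr + bytes(4)           # 4 placeholder bytes at the entry point

if __name__ == "__main__":
    image = sample_image()
    hdr, pht = parse_elf32(image)
    print(hex(hdr["e_entry"]), findings(hdr, pht, len(image)))
```

A file with no section header table still loads, because the loader uses only the program header table, so section-based tools report nothing useful while header and segment checks like these keep working.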

Symbol/Dynamic symbol tables
(filename | fileID).(symtab|dynsym)[index].field

Symbol/Dynamic symbol table entry fields are: Symbol name, Symbol value, Symbol size, Symbol binding, Symbol type, Symbol visibility.

Dynamic table
(filename | fileID).dynamic[index].field

Dynamic table entry fields are: Integer or address value, Dynamic entry type.

Section header table
(filename | fileID).sht[index].field

Section header table entry fields are: Section type, Section Offset in ELF file, Section Address, Section Size in bytes, Link to another section, Additional Info, Section Alignment, Entry size if section holds table, Occupies memory during execution, Writeable, Executable, Contains nul-terminated strings, Might be merged, Preserve order after combining, OS specific.

Relocation table
(filename | fileID).rel[indextable][indexentry].field

Relocation entry fields are: Type, Relocation symbol index, Address.

Section table
(filename | fileID).section[sectionindex].field

Section fields are: Section name, Section Raw data. To access use following path format :

AUTHOR

The ELFsh was written by the ELFsh crew <elfsh@devhell.org>.

This manual page was created by Peter De Schrijver <p2@mind.be> for the Debian GNU/Linux system (but may be used by others).

SEE ALSO