ELF


Introduction

import lief

# Using filepath
elf: lief.ELF.Binary = lief.ELF.parse("/bin/ls")

# Using a Path from pathlib
elf: lief.ELF.Binary = lief.ELF.parse(pathlib.Path(r"C:\Users\test.elf"))

# Using a io object
with open("/bin/ssh", 'rb') as f:
  elf: lief.ELF.Binary = lief.ELF.parse(f)

Note

In Python, you can also use lief.parse() which returns a lief.ELF.Binary object.

From this parsed ELF binary you can use all the API exposed by the object to inspect or modify the binary itself.
elf: lief.ELF.Binary = ...

print(elf.header.entrypoint)

for section in elf.sections:
    print(section.name, len(section.content))
elf: lief.ELF.Binary = ...

elf.add_library("libdemo.so")
elf.write("new.elf")
elf: lief.ELF.Binary = ...
new_elf: bytes = elf.write_to_bytes()

Adding a Section/Segment

The ELF format uses two tables to represent the different slices of the binary:

  1. The sections table

  2. The segments table

While the sections table offers a detailed view of the binary, it is primarily needed by the compiler and the linker. In particular, this table is not required for loading and executing an ELF file. The Android loader enforces the existence of a sections table and requires certain specific sections but from a loading perspective, this table is not used.

If you intend to modify an ELF file to load additional content into memory (such as code or data), it is recommended to add a instead of a section:
elf: lief.ELF.Binary = ...

segment = lief.ELF.Segment()
segment.type = lief.ELF.Segment.TYPES.LOAD
segment.content = list(b'Hello World')

new_segment: lief.ELF.Segment = elf.add(segment)

elf.write("new.elf")
You can also achieve this modification by creating a that will implicitly create an associated PT_LOAD segment:
elf: lief.ELF.Binary = ...

section = lief.ELF.Section(".lief_demo")
section.content = list(b'Hello World')

new_section: lief.ELF.Section = elf.add(section, loaded=True)

elf.write("new.elf")

As mentioned above, the segments table matters from a loading perspective over the sections table. Therefore, it makes more sense to explicitly add a new segment rather than adding a section that implicitly adds a segment.

On the other hand, for debugging purposes or specific tools, one might want to add a non-loaded section. In this case, the data of the section is inserted at the end of the binary right after all the data wrapped by the segments:

elf: lief.ELF.Binary = ...

section = lief.ELF.Section(".metadata")
section.content = list(b'version: 1.2.3')

# /!\ Note that loaded is set to False here
# ------------------------------------------
new_section: lief.ELF.Section = elf.add(section, loaded=False)

elf.write("new.elf")

Advance Parsing/Writing

parser_config = lief.ELF.ParserConfig()
parser_config.parse_overlay = False

elf: lief.ELF.Binary = lief.ELF.parse("my.elf", parser_config)

builder_config = lief.ELF.Builder.config_t()
builder_config.gnu_hash = False

elf.write("new.elf", builder_config)

DWARF Support

Note that this support is only available in the extended version of LIEF.

R[UN]PATH Modification

LIEF provides all the facilities to manipulate binary’s RPATH/RUNPATH.

DT_RPATH vs DT_RUNPATH

DT_RPATH and DT_RUNPATH are both dynamic tags that are used to specify runtime library search paths.

The DT_RPATH is now considered as legacy since it does not respect the precedence of the LD_LIBRARY_PATH environment variable. This means that if the LD_LIBRARY_PATH is set to a valid directory where the library can be found, it will be ignored in favor of the DT_RPATH value. Therefore, the DT_RUNPATH tag should be prefered DT_RPATH.

Please note that if both tags are present, the loader will use the DT_RUNPATH entry over the legacy DT_RPATH.

The RPATH/RUNPATH modifications supported by LIEF include:

Adding a new entry

elf: lief.ELF.Binary = ...

runpath = lief.ELF.DynamicEntryRunPath("$ORIGIN:/opt/lib64")

elf.add(runpath)

other_runpath = lief.ELF.DynamicEntryRunPath([
  '$ORIGIN', '/opt/lib64'
])

elf.add(other_runpath)

elf.write("updated.elf")

Changing an entry

elf: lief.ELF.Binary = ...

runpath = elf.get(lief.ELF.DynamicEntry.TAG.RUNPATH)
assert runpath is not None

runpath.runpath = "$ORIGIN:/opt/lib64"
runpath.append("lib-x86_64-gnu")

elf.write(output.as_path());

Removing entries

elf: lief.ELF.Binary = ...

# Remove **all** DT_RUNPATH entries
elf.remove(lief.ELF.DynamicEntry.TAG.RUNPATH)

# Remove all entries that contain '$ORIGIN'
to_remove: list[lief.ELF.DynamicEntryRunPath] = []
for dt_entry in elf.dynamic_entries:
    if not isinstance(dt_entry, lief.ELF.DynamicEntryRunPath):
        continue

    if "$ORIGIN" in dt_entry.runpath:
        to_remove.append(dt_entry)

for entry in to_remove:
    elf.remove(dt_entry)

elf.write("updated.elf")

You can also check the lief-patchelf section for a command-line interface.

Symbol Versions

The ELF format supports symbol versioning, allowing multiple versions of the same function or variable to coexist within a single shared object.

During compilation, the linker selects the appropriate symbols and versions based on the libraries provided as input. For example, if the program uses the function printf and is linked with a version of libc.so that exposes printf@@GLIBC_2.40, the compiled executable will require at least that version of the libc to run.

This requirement regarding versioning can be problematic if we want to create an executable or library compatible with a wide range of Linux distributions.

The best way to ensure maximum compatibility is to provide the minimum supported version of the Glibc. For instance, if we aim to support Linux distributions with at least Glibc version 2.28 (released in 2018), we should specifically provide that version of libc.so:

$ ld --sysroot=/sysroot/glibc-2.28/ my_program.o -o my_program.elf
$ ld -L /sysroot/glibc-2.28/lib64/ my_program.o -o my_program.elf -lc

There are situations where we don’t have that control over the link step, and for which we want to change the versioning post-compilation. LIEF can be used in these situations to perform the following modifications on the symbol versions.

Remove the version for a specific symbol

In this example, we remove the version attached to the printf symbol by setting the versioning as global (the default setting for imported functions).

elf: lief.ELF.Binary = ...

sym = elf.get_dynamic_symbol("printf")

sym.symbol_version.as_global()

elf.write("updated.elf")

Remove all the versions for a specific library

In this example, we remove all the symbol versions associated with an imported library (libm.so.6):

elf: lief.ELF.Binary = ...

elf.remove_version_requirement("libm.so.6")

elf.write("updated.elf")
$ readelf -V input.elf

Version symbols section '.gnu.version' contains 48 entries:
 Addr: 00000000000009bc  Offset: 0x0009bc  Link: 6 (.dynsym)
  000:   0 (*local*)       2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)
  004:   2 (GLIBC_2.2.5)   0 (*local*)       4 (GLIBC_2.17)    3 (GLIBC_2.2.5)
  008:   2 (GLIBC_2.2.5)   5 (GLIBC_2.27)    2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  00c:   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   6 (GLIBC_2.4)     2 (GLIBC_2.2.5)
  010:   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  014:   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   0 (*local*)
  018:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  01c:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)
  020:   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)
  024:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  028:   3 (GLIBC_2.2.5)   0 (*local*)       3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  02c:   3 (GLIBC_2.2.5)   7 (GLIBC_2.29)    2 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)

Version needs section '.gnu.version_r' contains 2 entries:
 Addr: 0000000000000a20  Offset: 0x000a20  Link: 7 (.dynstr)
  0x0000: Version: 1  File: libm.so.6  Cnt: 3
  0x0010:   Name: GLIBC_2.29  Flags: none  Version: 7
  0x0020:   Name: GLIBC_2.27  Flags: none  Version: 5
  0x0030:   Name: GLIBC_2.2.5  Flags: none  Version: 3
  0x0040: Version: 1  File: libc.so.6  Cnt: 3
  0x0050:   Name: GLIBC_2.4  Flags: none  Version: 6
  0x0060:   Name: GLIBC_2.17  Flags: none  Version: 4
  0x0070:   Name: GLIBC_2.2.5  Flags: none  Version: 2