ELF


Introduction

import lief

# Using filepath
elf: lief.ELF.Binary | None = lief.ELF.parse("/bin/ls")

# Using a Path from pathlib
elf: lief.ELF.Binary | None = lief.ELF.parse(pathlib.Path(r"C:\Users\test.elf"))

# Using a io object
with open("/bin/ssh", "rb") as f:
    elf: lief.ELF.Binary | None = lief.ELF.parse(f)

Note

In Python, you can also use lief.parse(), which returns a lief.ELF.Binary object.

With the parsed ELF binary, you can use the API to inspect or modify the binary itself.
elf: lief.ELF.Binary

print(elf.header.entrypoint)

for section in elf.sections:
    print(section.name, len(section.content))
elf: lief.ELF.Binary

elf.add_library("libdemo.so")
elf.write("new.elf")
elf: lief.ELF.Binary

new_elf: bytes = elf.write_to_bytes()

Adding a Section/Segment

The ELF format uses two tables to represent different slices of the binary:

  1. The sections table

  2. The segments table

While the sections table offers a detailed view of the binary, it is primarily used by the compiler and the linker. In particular, this table is not required for loading and executing an ELF file. While the Android loader enforces the presence of a sections table and requires specific sections, this table is not used during the actual loading process.

To modify an ELF file to load additional content into memory (e.g., code or data), adding a is recommended over adding a section:
elf: lief.ELF.Binary

segment = lief.ELF.Segment()
segment.type = lief.ELF.Segment.TYPES.LOAD
segment.content = list(b"Hello World")

new_segment = elf.add(segment)

elf.write("new.elf")
Alternatively, you can create a , which will implicitly create an associated PT_LOAD segment:
elf: lief.ELF.Binary

section = lief.ELF.Section(".lief_demo")
section.content = list(b"Hello World")

new_section = elf.add(section, loaded=True)

elf.write("new.elf")

As mentioned above, the segments table is more critical than the sections table from a loading perspective. Therefore, it is more appropriate to explicitly add a new segment rather than adding a section that implicitly adds a segment.

On the other hand, for debugging purposes or specialized tools, you might want to add a non-loaded section. In this case, the section data is inserted at the end of the binary, immediately after the data wrapped by the segments:

elf: lief.ELF.Binary

section = lief.ELF.Section(".metadata")
section.content = list(b"version: 1.2.3")

# /!\ Note that loaded is set to False here
# ------------------------------------------
new_section = elf.add(section, loaded=False)

elf.write("new.elf")

Dump Analysis

LIEF has the support to process ELF memory dump with . This function translates the file offsets referenced by the ELF structures into their location inside the dump, using the base address passed as the second parameter:
# 0x7f9b98e00000 is the (absolute) address at which the dump was mapped
elf = lief.ELF.parse_from_dump("module.dump", 0x7F9B98E00000)
assert elf is not None

for segment in elf.segments:
    print(segment.type, hex(segment.virtual_address))

Note

The second parameter must be the (absolute) virtual address at which the dump was mapped. It is used to convert the virtual addresses found in the ELF structures back into an offset within the dump.

Warning

Parsing an ELF from a dump is subject to the same limitations as parsing it from memory: the segments (PT_LOAD) and the program headers are reliable, but the section header table is generally not mapped and the content of the dynamic table (dynamic entries, dynamic symbols and relocations) reflects its runtime state and may not be recoverable. Prefer working with the segments when analyzing a dump.

Producing a dump with the runtime API

Such a dump can be produced from a live process thanks to the LIEF runtime and, more precisely, the Module API. captures the memory of a loaded module (from its imagebase over its virtual size):
# Find the module to dump in the current process
mod = lief.runtime.module_from_name("libc.so.6")
assert mod is not None

# Dump the module's memory into a file (the raw bytes are also returned)
data: bytes = mod.dump("module.dump")

# and parse it back using the same imagebase:
elf = lief.ELF.parse_from_dump(data, mod.imagebase)

Advanced Parsing/Writing

parser_config = lief.ELF.ParserConfig()
parser_config.parse_overlay = False

elf = lief.ELF.parse("my.elf", parser_config)
assert isinstance(elf, lief.ELF.Binary)

builder_config = lief.ELF.Builder.config_t()
builder_config.gnu_hash = False

elf.write("new.elf", builder_config)

DWARF Support

Note that this support is only available in the Extended version of LIEF.

R[UN]PATH Modification

LIEF provides comprehensive facilities for manipulating a binary’s RPATH/RUNPATH.

DT_RPATH vs DT_RUNPATH

DT_RPATH and DT_RUNPATH are both dynamic tags used to specify runtime library search paths.

DT_RPATH is now considered legacy because it does not respect the precedence of the LD_LIBRARY_PATH environment variable. This means that if LD_LIBRARY_PATH is set to a valid directory where the library can be found, it will be ignored in favor of the DT_RPATH value. Therefore, the DT_RUNPATH tag should be preferred over DT_RPATH.

Note that if both tags are present, the loader will use the DT_RUNPATH entry over the legacy DT_RPATH.

The RPATH/RUNPATH modifications supported by LIEF include:

Adding a new entry

elf: lief.ELF.Binary

runpath = lief.ELF.DynamicEntryRunPath("$ORIGIN:/opt/lib64")

elf.add(runpath)

other_runpath = lief.ELF.DynamicEntryRunPath(["$ORIGIN", "/opt/lib64"])

elf.add(other_runpath)

elf.write("updated.elf")

Changing an entry

elf: lief.ELF.Binary

runpath = elf.get(lief.ELF.DynamicEntry.TAG.RUNPATH)
assert runpath is not None

runpath.runpath = "$ORIGIN:/opt/lib64"
runpath.append("lib-x86_64-gnu")

elf.write("updated.elf")

Removing entries

elf: lief.ELF.Binary

# Remove **all** DT_RUNPATH entries
elf.remove(lief.ELF.DynamicEntry.TAG.RUNPATH)

# Remove all entries that contain '$ORIGIN'
to_remove: list[lief.ELF.DynamicEntryRunPath] = []
for dt_entry in elf.dynamic_entries:
    if not isinstance(dt_entry, lief.ELF.DynamicEntryRunPath):
        continue

    if "$ORIGIN" in dt_entry.runpath:
        to_remove.append(dt_entry)

for entry in to_remove:
    elf.remove(entry)

elf.write("updated.elf")

You can also check the lief-patchelf section for a command-line interface.

Symbol Versions

The ELF format supports symbol versioning, allowing multiple versions of the same function or variable to coexist within a single shared object.

During compilation, the linker selects the appropriate symbols and versions based on the libraries provided as input. For example, if a program uses the printf function and is linked with a version of libc.so that exposes printf@@GLIBC_2.40, the compiled executable will require at least that version of the libc to run.

These versioning requirements can be problematic when creating executables or libraries intended for a wide range of Linux distributions.

The best way to ensure maximum compatibility is to target the minimum supported version of Glibc. For instance, if you aim to support Linux distributions with at least Glibc version 2.28 (released in 2018), you should specifically provide that version of libc.so during linking:

$ ld --sysroot=/sysroot/glibc-2.28/ my_program.o -o my_program.elf
$ ld -L /sysroot/glibc-2.28/lib64/ my_program.o -o my_program.elf -lc

In situations where you lack control over the link step, you may want to change the versioning post-compilation. LIEF can be used in these situations to perform the following modifications on symbol versions.

Remove the version for a specific symbol

In this example, we remove the version attached to the printf symbol by setting the versioning as global (the default setting for imported functions).

elf: lief.ELF.Binary

sym = elf.get_dynamic_symbol("printf")
assert sym is not None and sym.symbol_version is not None

sym.symbol_version.as_global()

elf.write("updated.elf")

Remove all the versions for a specific library

In this example, we remove all the symbol versions associated with an imported library (libm.so.6):

elf: lief.ELF.Binary

elf.remove_version_requirement("libm.so.6")

elf.write("updated.elf")
$ readelf -V input.elf

Version symbols section '.gnu.version' contains 48 entries:
 Addr: 00000000000009bc  Offset: 0x0009bc  Link: 6 (.dynsym)
  000:   0 (*local*)       2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)
  004:   2 (GLIBC_2.2.5)   0 (*local*)       4 (GLIBC_2.17)    3 (GLIBC_2.2.5)
  008:   2 (GLIBC_2.2.5)   5 (GLIBC_2.27)    2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  00c:   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   6 (GLIBC_2.4)     2 (GLIBC_2.2.5)
  010:   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  014:   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   0 (*local*)
  018:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  01c:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)
  020:   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)
  024:   3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  028:   3 (GLIBC_2.2.5)   0 (*local*)       3 (GLIBC_2.2.5)   3 (GLIBC_2.2.5)
  02c:   3 (GLIBC_2.2.5)   7 (GLIBC_2.29)    2 (GLIBC_2.2.5)   2 (GLIBC_2.2.5)

Version needs section '.gnu.version_r' contains 2 entries:
 Addr: 0000000000000a20  Offset: 0x000a20  Link: 7 (.dynstr)
  0x0000: Version: 1  File: libm.so.6  Cnt: 3
  0x0010:   Name: GLIBC_2.29  Flags: none  Version: 7
  0x0020:   Name: GLIBC_2.27  Flags: none  Version: 5
  0x0030:   Name: GLIBC_2.2.5  Flags: none  Version: 3
  0x0040: Version: 1  File: libc.so.6  Cnt: 3
  0x0050:   Name: GLIBC_2.4  Flags: none  Version: 6
  0x0060:   Name: GLIBC_2.17  Flags: none  Version: 4
  0x0070:   Name: GLIBC_2.2.5  Flags: none  Version: 2