Published on January 17th, 2016 📆 | 7022 Views ⚑0
ELF Parser — Cross Platform ELF Analysis
ELF Parser attempts to move ELF malware analysis forward by quickly providing basic information and static analysis of the binary. The end goal of ELF Parser is to indicate to the analyst if it thinks the binary is malicious / dangerous and if so why.
Load Any Executable ELF
ELF Parser supports 32-bit, 64-bit, little endian, and big endian binaries.
Automatically Uncover Functionality
ELF Parser categorizes the binary’s capabilities by recognizing known functions and signatures.
View ELF Data Structures
ELF Parser displays various ELF structures such as the sections table, programs table, dynamic segment, and symbol tables.
Detect Known Malware
ELF Parser attempts to identify well known malware such as Kaiten, Elfknot, and BillGates.
How do I compile it?
ELF Parser can be compiled on Windows, OS X, or Linux (demangling and unit tests don’t work on Windows). Windows uses the VS 2010 project in the base directory for compilation whereas Linux/OS X uses CMake. Compiling on Linux goes like this:
cd ~/elfparser mkdir build cd build/ cmake .. make
Obviously, you will need to resolve any dependencies. Specifically, Boost is required and Qt is required for the GUI build.
ELF Parser has a number of compilation targets that can be configured by CMakeLists.txt. The targets are:
- Unit tests
- CLI build
- GUI build
- Visual Studios build
The user can pass in a single file (-f) or a directory (-d) of files:
./elfparser-cli --help options: --help A list of command line options --version Display version information -f [ --file ] arg The ELF file to examine -d [ --directory ] arg The directory to look through. -r [ --reasons ] Print the scoring reasons -c [ --capabilities ] Print the files observed capabilities -p [ --print ] Print the ELF files various parsed structures.