Project author: jacob-baines

Project description:
Cross Platform ELF analysis
Primary language: C++
Project URL: git://github.com/jacob-baines/elfparser.git
Created: 2015-10-01T21:44:32Z
Project community: https://github.com/jacob-baines/elfparser

License: Other

ELF Parser

What problem are you trying to solve?

I was looking for ELF based malware on https://malwr.com and couldn’t help but notice how little analysis gets done on them. More surprising, to me, is that even well known malware like Kaiten gets flagged by very few AV (https://malwr.com/analysis/NThiZTU0MWUwZGI2NDAzYWI5YWU2ZjkzNTJmYTNjZTY/). ELF Parser attempts to move ELF malware analysis forward by quickly providing basic information and static analysis of the binary. The end goal of ELF Parser is to indicate to the analyst if it thinks the binary is malicious / dangerous and if so why.

Website

www.elfparser.com

How do I compile it?

ELF Parser can be compiled on Windows, OS X, or Linux (demangling and unit tests don’t work on Windows). Windows uses the VS 2010 project in the base directory for compilation whereas Linux/OS X uses CMake. Compiling on Linux goes like this:

  cd ~/elfparser
  mkdir build
  cd build/
  cmake ..
  make

Obviously, you will need to resolve any dependencies. Specifically, Boost is required and Qt is required for the GUI build.

Compile Targets

ELF Parser has a number of compilation targets that can be configured in CMakeLists.txt. The targets are:

  • Unit tests
  • CLI build
  • GUI build
  • Visual Studio build

CLI Usage

The user can pass in a single file (-f) or a directory (-d) of files:

  ./elfparser-cli --help
  options:
    --help                  A list of command line options
    --version               Display version information
    -f [ --file ] arg       The ELF file to examine
    -d [ --directory ] arg  The directory to look through.
    -r [ --reasons ]        Print the scoring reasons
    -c [ --capabilities ]   Print the files observed capabilities
    -p [ --print ]          Print the ELF files various parsed structures.

Example Output

  ./elfparser-cli -f /bin/ls -c -r
  /bin/ls - Score: 6
  ---- Scoring Reasons ----
  4 -> Process manipulation functions
  2 -> Environment variable manipulation
  ---- Detected Capabilities ----
  File Functions
      fclose() found
  Process Manipulation
      raise() found
  Environment Variables
      getenv() found

  ./elfparser-cli -f ~/Desktop/malwr.BillGates -r -c
  /home/charlie/Desktop/malwr.BillGates - Score: 241
  ---- Scoring Reasons ----
  8 -> Network functions
  24 -> Process manipulation functions
  8 -> Information gathering
  8 -> Environment variable manipulation
  3 -> Syslog manipulation functions
  20 -> Shell commands
  50 -> Packed
  60 -> Hard coded IPv4 addresses
  10 -> Anti debug techniques
  50 -> Dropper functionaltiy
  ---- Detected Capabilities ----
  File Functions
      fclose() found
      feof() found
      fopen() found
      funlockfile() found
      unlink() found
  Network Functions
      accept() found
      bind() found
      connect() found
      inet_addr() found
      listen() found
      recv() found
      sendto() found
      socket() found
  Process Manipulation
      clone() found
      daemon() found
      execve() found
      fork() found
      kill() found
      raise() found
  Random Functions
      rand() found
      random_r() found
      srand() found
      srandom_r() found
  Information Gathering
      Examines /proc/cpuinfo
      Examines /proc/meminfo
      Examines /proc/stat
      access() found
      fstat() found
      getpagesize() found
      phys_pages_info() found
      uname() found
  Environment Variables
      clearenv() found
      getenv() found
      setenv() found
      unsetenv() found
  System Log
      closelog() found
      openlog() found
      vsyslog() found
  Shell
      chmod 0755 %s
      system() found
  Packed
      UPX copyright string found
      UPX signature found
  IP Addresses
      1.0.0.0
      1.0.0.1
      10.0.0.0
      10.255.255.255
      127.0.0.0
      127.0.0.1
      127.255.255.255
      172.16.0.0
      172.31.255.255
      192.168.0.0
      192.168.255.255
      254.255.255.254
      255.0.0.0
      8.8.4.4
      8.8.8.8
  Anti-Debug
      Fake dynamic symbol table in sections
  Dropper
      Embedded ELF binary found at file offset 0xb7730 (751408)

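Three of the scoring reasons above (Packed, Hard coded IPv4 addresses, Dropper) are pure byte-level heuristics, shown here as an added Python example that is not elfparser's own code: the WEIGHTS table and the SAMPLE bytes are constructed for illustration and do not reproduce the project's real scoring.

```python
import re

ELF_MAGIC = b"\x7fELF"
# Dotted quad, each octet 0-255, not glued to other digits or dots.
IPV4_RE = re.compile(rb"(?<![0-9.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                     rb"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![0-9.])")
WEIGHTS = {"packed": 50, "dropper": 50, "ipv4_each": 4}  # assumed weights, not the project's table

def find_embedded_elfs(data):
    """Offsets of further ELF headers after the file's own (the dropper heuristic)."""
    hits, pos = [], data.find(ELF_MAGIC, 1)
    while pos != -1:
        # Require sane EI_CLASS/EI_DATA bytes so a stray 0x7f 'ELF' run is not counted.
        if data[pos + 4:pos + 6] in (b"\x01\x01", b"\x01\x02", b"\x02\x01", b"\x02\x02"):
            hits.append(pos)
        pos = data.find(ELF_MAGIC, pos + 1)
    return hits

def find_hardcoded_ipv4(data):
    """Distinct dotted-quad strings in the raw bytes, in order of first appearance."""
    return list(dict.fromkeys(m.group(0).decode("ascii") for m in IPV4_RE.finditer(data)))

def is_upx_packed(data):
    return b"UPX!" in data  # UPX writes a 'UPX!' l_info magic into every file it packs

def score(data):
    """Sum the weighted reasons, in the shape 'elfparser-cli -r' prints them."""
    reasons = []
    if is_upx_packed(data):
        reasons.append((WEIGHTS["packed"], "Packed"))
    ips = find_hardcoded_ipv4(data)
    if ips:
        reasons.append((WEIGHTS["ipv4_each"] * len(ips), "Hard coded IPv4 addresses"))
    if find_embedded_elfs(data):
        reasons.append((WEIGHTS["dropper"], "Dropper functionality"))
    return sum(w for w, _ in reasons), reasons

# Constructed sample: 64-byte 64-bit LE ELF header, two IPv4 strings, a UPX signature,
# then a second (32-bit) ELF header standing in for a dropped payload at offset 116.
SAMPLE = (ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 56
          + b"connect to 8.8.8.8 and 10.0.0.1\x00" + b"UPX!" + b"\x00" * 16
          + ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\x00" * 12)

if __name__ == "__main__":
    total, reasons = score(SAMPLE)
    print(f"Score: {total}", *[f"{w} -> {r}" for w, r in reasons], sep="\n")
```

Run it against a real file with `score(open(path, "rb").read())`; as with the tool itself, the IPv4 matcher will also pick up version strings and netmasks, which is why the README output lists 255.0.0.0 and 1.0.0.0.
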
Shortcomings

This tool has a number of shortcomings. From the standpoint of a programmer I’m unhappy with all of the hardcoded values (ie, detection of BillGates, examination of symbols). If anyone has a better design I’m all ears!

Report Bugs

Please report any issues, bugs, or feature requests on Github or contact me at admin@elfparser.com. Feel free to submit pull requests or email patches.

Source License

GPLv3. See the LICENSE file.