/* $OpenBSD: readelf.c,v 1.2 1998/07/10 15:05:26 mickey Exp $ */
#ifdef BUILTIN_ELF
#include <sys/types.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include "readelf.h"
#include "file.h"
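/*
 * doshn - report whether an ELF image is stripped.
 *
 * Walks the section header table at file offset "off" ("num" entries of
 * "size" bytes each, both taken from the ELF header) and prints
 * ", not stripped" as soon as an SHT_SYMTAB section is found, otherwise
 * ", stripped" after the last entry.
 *
 * Only sh_type is examined.  It is preceded only by sh_name and both are
 * 32 bits wide in the 32-bit and the 64-bit layout, so reading the first
 * sizeof(Elf32_Shdr) bytes of every entry works for either class; the
 * stride between entries is "size" (e_shentsize), not sizeof(Elf32_Shdr).
 *
 * "size" and "num" are untrusted (they come from the file being
 * examined), so each entry is read into a fixed-size local header rather
 * than reading "size" bytes into the caller's "buf", whose capacity this
 * function cannot know.  "buf" is kept for interface compatibility and is
 * not written.  The function is defined with a prototype so that callers
 * passing 32-bit header fields get them converted to off_t and size_t;
 * the former K&R definition provided no such conversion.
 *
 * Nothing is printed for a malformed table: an entry stride too small to
 * hold sh_type, or a table that hits end-of-file before "num" entries.
 * A failing lseek() or read() is fatal, as elsewhere in this file.
 */
static void
doshn(int fd, off_t off, int num, size_t size, char *buf)
{
	Elf32_Shdr shdr;
	ssize_t got;

	(void)buf;

	/* An entry shorter than the fields we need is not a section header. */
	if (size < sizeof shdr)
		return;

	for (; num > 0; num--, off += size) {
		if (lseek(fd, off, SEEK_SET) == -1)
			err(1, "lseek failed");
		got = read(fd, &shdr, sizeof shdr);
		if (got == -1)
			err(1, "read failed");
		/* Short read: the table is truncated, so make no claim. */
		if ((size_t)got != sizeof shdr)
			return;
		if (shdr.sh_type == SHT_SYMTAB) {
			(void) printf(", not stripped");
			return;
		}
	}
	(void) printf(", stripped");
}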
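/*
 * dophn_exec - report whether an ELF executable is dynamically linked.
 *
 * Walks the program header table at "off" ("num" entries, stride "size",
 * both from the ELF header) and prints ", dynamically linked" if a
 * PT_INTERP entry (an interpreter request) is present, otherwise
 * ", statically linked".
 *
 * Only p_type is examined, and only the first sizeof(Elf32_Phdr) bytes
 * of each entry are read.  NOTE(review): in the ELF specification p_type
 * is the first word of both the 32-bit and the 64-bit program header, so
 * this should also work for 64-bit images; the 64-bit call in tryelf() is
 * still under #ifdef notyet -- confirm against readelf.h before enabling.
 *
 * "size" and "num" are untrusted, so entries are read into a fixed-size
 * local rather than "size" bytes into the caller's "buf" (kept for
 * interface compatibility, not written).  Nothing is printed for a stride
 * too small to hold p_type or a table that hits end-of-file early; a
 * failing lseek() or read() is fatal, as elsewhere in this file.
 */
static void
dophn_exec(int fd, off_t off, int num, size_t size, char *buf)
{
	Elf32_Phdr phdr;
	ssize_t got;

	(void)buf;

	/* An entry shorter than the fields we need is not a program header. */
	if (size < sizeof phdr)
		return;

	for (; num > 0; num--, off += size) {
		if (lseek(fd, off, SEEK_SET) == -1)
			err(1, "lseek failed");
		got = read(fd, &phdr, sizeof phdr);
		if (got == -1)
			err(1, "read failed");
		/* Short read: the table is truncated, so make no claim. */
		if ((size_t)got != sizeof phdr)
			return;
		if (phdr.p_type == PT_INTERP) {
			/* An interpreter is requested, so the loader is involved. */
			printf(", dynamically linked");
			return;
		}
	}
	printf(", statically linked");
}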
/*
 * Byte offsets, relative to the start of an NT_PRPSINFO note's descriptor,
 * at which dophn_core() looks for the 16-character program name.  The
 * descriptor layout differs per system, so the entries are tried in this
 * order and the first one whose 16 bytes are all printable (or NUL) wins.
 * Each value is the one used by the system named beside it.
 */
size_t prpsoffsets[] = {
100, /* SunOS 5.x */
32, /* Linux */
};
/* Number of candidates; sizeof works here because prpsoffsets is a real array. */
#define NOFFSETS (sizeof prpsoffsets / sizeof prpsoffsets[0])
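/*
 * note_align - round a note offset up to the 4-byte boundary on which the
 * next field of an ELF note starts.
 */
static size_t
note_align(size_t n)
{
	return (n + 3) & ~(size_t)3;
}

/*
 * core_progname - look for the 16-byte program name in an NT_PRPSINFO
 * descriptor and print it.
 *
 * nbuf[0..bufsize) holds the start of the PT_NOTE segment, "desc" is the
 * descriptor's offset in nbuf (desc <= bufsize) and "descsz" the length
 * the note claims for it, which may run past what was read.  The name
 * sits at a different offset on each system, so every entry of
 * prpsoffsets[] is tried in turn: a candidate is accepted only when all
 * 16 bytes lie inside both the descriptor and the buffer and each byte is
 * NUL or printable.  A candidate that runs past the buffer is simply
 * skipped (the previous code gave up on the whole note at that point,
 * even though a later, smaller offset might still fit).
 *
 * Returns 1 after printing ", from '<name>'", 0 if no candidate fits.
 */
static int
core_progname(const char *nbuf, size_t bufsize, size_t desc, size_t descsz)
{
	size_t i, j, rel, at;
	unsigned char c;

	for (i = 0; i < NOFFSETS; i++) {
		rel = prpsoffsets[i];
		/* The whole field must lie inside the descriptor ... */
		if (descsz < 16 || rel > descsz - 16)
			continue;
		/* ... and inside the bytes actually read (desc <= bufsize). */
		if (bufsize - desc < rel + 16)
			continue;
		at = desc + rel;
		for (j = 0; j < 16; j++) {
			c = (unsigned char)nbuf[at + j];
			if (c != '\0' && !isprint(c))
				break;
		}
		if (j == 16) {
			printf(", from '%.16s'", &nbuf[at]);
			return 1;
		}
	}
	return 0;
}

/*
 * dophn_core - print the name of the program that dropped an ELF core.
 *
 * Walks the program header table at "off" ("num" entries, stride "size",
 * both from the ELF header) looking for PT_NOTE segments, reads the first
 * BUFSIZ bytes of each and scans the notes in it for an NT_PRPSINFO note
 * named "CORE".  For that note core_progname() tries the per-system
 * offsets in prpsoffsets[] and prints ", from '<name>'" for the first
 * 16-byte field that looks like a program name.  (On SunOS 5.x and Linux
 * a longer command-line string follows that field; it is not printed.)
 * Nothing is printed when no such note is found.
 *
 * Only 32-bit ELF is handled: p_offset is 64 bits wide in 64-bit ELF, so
 * the 64-bit caller in tryelf() is still under #ifdef notyet.
 *
 * Every length and offset here is attacker-controlled, so:
 *  - each program header is read into a fixed-size local rather than
 *    "size" bytes into "buf" (kept for interface compatibility, unused);
 *  - a note header is parsed only when all of it lies inside nbuf, and
 *    it is copied out with memcpy() because nbuf is a plain char array
 *    and the note stream is only 4-byte aligned relative to it;
 *  - n_namesz and n_descsz are compared against the bytes remaining in
 *    nbuf instead of being added to the running offset, which could wrap
 *    on a 32-bit size_t and defeat the end-of-buffer test;
 *  - an NT_PRPSINFO note whose name is not "CORE" is skipped whole (the
 *    previous code resumed parsing at its name bytes).
 * Notes beyond the first BUFSIZ bytes of a segment are not examined.
 * A failing lseek() or read() is fatal, as elsewhere in this file.
 */
static void
dophn_core(int fd, off_t off, int num, size_t size, char *buf)
{
	Elf32_Phdr phdr;
	Elf32_Nhdr nhdr;
	char nbuf[BUFSIZ];
	ssize_t got;
	size_t bufsize, offset, name, desc, namesz, descsz;

	(void)buf;

	/* An entry shorter than the fields we need is not a program header. */
	if (size < sizeof phdr)
		return;

	for (; num > 0; num--, off += size) {
		if (lseek(fd, off, SEEK_SET) == -1)
			err(1, "lseek failed");
		got = read(fd, &phdr, sizeof phdr);
		if (got == -1)
			err(1, "read failed");
		/* Short read: the table is truncated, stop looking. */
		if ((size_t)got != sizeof phdr)
			return;
		if (phdr.p_type != PT_NOTE)
			continue;

		if (lseek(fd, (off_t)phdr.p_offset, SEEK_SET) == -1)
			err(1, "lseek failed");
		got = read(fd, nbuf, sizeof nbuf);
		if (got == -1)
			err(1, "read failed");
		bufsize = (size_t)got;

		/* Stop as soon as the next header would not fit in what was read. */
		for (offset = 0; offset + sizeof nhdr <= bufsize; ) {
			memcpy(&nhdr, &nbuf[offset], sizeof nhdr);
			name = offset + sizeof nhdr;
			namesz = nhdr.n_namesz;
			descsz = nhdr.n_descsz;

			/* Name runs off the buffer: nothing after it is reachable. */
			if (namesz > bufsize - name)
				break;
			desc = note_align(name + namesz);
			if (desc > bufsize)
				break;

			if (nhdr.n_type == NT_PRPSINFO && namesz == 5 &&
			    memcmp(&nbuf[name], "CORE", 5) == 0 &&
			    core_progname(nbuf, bufsize, desc, descsz))
				return;

			/* Descriptor runs off the buffer: the rest is out of reach. */
			if (descsz > bufsize - desc)
				break;
			offset = note_align(desc + descsz);
		}
	}
}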
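/*
 * host_elfdata - the data-encoding byte (e_ident[5]) an ELF object built
 * for this host's byte order carries.
 *
 * Stores 1 in a 32-bit integer and looks at its last byte: 0 on a
 * little-endian host, 1 on a big-endian one, so adding 1 gives the value
 * 1 or 2 that e_ident[5] uses for the two encodings.  The index is taken
 * from the union's own array size; the previous code indexed with
 * sizeof(long) - 1, which reads past the four-byte array on hosts where
 * long is wider than int32.
 */
static int
host_elfdata(void)
{
	union {
		int32 l;
		char c[sizeof (int32)];
	} u;

	u.l = 1;
	return u.c[sizeof u.c - 1] + 1;
}

/*
 * tryelf - describe an ELF image held in buf.
 *
 * "buf" holds the first "nbytes" bytes of the file under examination.
 * If they start with the ELF magic, the header is copied out and, for a
 * 32-bit image in the host's byte order, a core file is handed to
 * dophn_core() and any other image to doshn() (plus dophn_exec() for an
 * executable); a 64-bit image only gets doshn().  Nothing is printed for
 * non-ELF input, an unknown class, or a foreign byte order (the header
 * fields would be read backwards; see the XXX below).
 *
 * ELF executables keep their section headers at arbitrary file offsets,
 * so the strip state cannot be read from the leading bytes alone; the
 * helpers seek through the file instead.
 *
 * "nbytes" is checked once up front, before any byte of "buf" is touched:
 * the magic and class bytes live inside the first sizeof(Elf32_Ehdr)
 * bytes, and a negative count would otherwise compare as a huge unsigned
 * value and pass the size test.  The "<=" keeps the original threshold.
 */
void
tryelf(int fd, char *buf, int nbytes)
{
	if (nbytes < 0 || (size_t)nbytes <= sizeof (Elf32_Ehdr))
		return;
	if (buf[EI_MAG0] != ELFMAG0 || buf[EI_MAG1] != ELFMAG1
	    || buf[EI_MAG2] != ELFMAG2 || buf[EI_MAG3] != ELFMAG3)
		return;

	/*
	 * XXX - the helpers read header fields in host order, so an image
	 * of the other byte order is skipped rather than misread; they could
	 * conceivably be taught to byte-swap.
	 */
	if (buf[4] == ELFCLASS32) {
		Elf32_Ehdr elfhdr;

		(void) memcpy(&elfhdr, buf, sizeof elfhdr);
		if (elfhdr.e_ident[5] != host_elfdata())
			return;
		if (elfhdr.e_type == ET_CORE) {
			dophn_core(fd, elfhdr.e_phoff, elfhdr.e_phnum,
			    elfhdr.e_phentsize, buf);
			return;
		}
		if (elfhdr.e_type == ET_EXEC)
			dophn_exec(fd, elfhdr.e_phoff, elfhdr.e_phnum,
			    elfhdr.e_phentsize, buf);
		doshn(fd, elfhdr.e_shoff, elfhdr.e_shnum,
		    elfhdr.e_shentsize, buf);
		return;
	}

	if (buf[4] == ELFCLASS64) {
		Elf64_Ehdr elfhdr;

		if ((size_t)nbytes <= sizeof (Elf64_Ehdr))
			return;
		(void) memcpy(&elfhdr, buf, sizeof elfhdr);
		if (elfhdr.e_ident[5] != host_elfdata())
			return;
#ifdef notyet
		/* The program-header walkers are not yet trusted on 64-bit layouts. */
		if (elfhdr.e_type == ET_CORE) {
			dophn_core(fd, elfhdr.e_phoff, elfhdr.e_phnum,
			    elfhdr.e_phentsize, buf);
			return;
		}
		if (elfhdr.e_type == ET_EXEC)
			dophn_exec(fd, elfhdr.e_phoff, elfhdr.e_phnum,
			    elfhdr.e_phentsize, buf);
#endif
		doshn(fd, elfhdr.e_shoff, elfhdr.e_shnum,
		    elfhdr.e_shentsize, buf);
		return;
	}
}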
#endif