ELF hackery

JRR Tolkien fan alert: ELF's companion debugging format, an intimate friend, is called DWARF.

Executable and Linkable Format (ELF)

The spec. Same thing in PDF for bedside reading: 1 or 2

A simple guided tour to the "mess" behind a Hello World program: http://www.lisha.ufsc.br/teaching/os/exercise/hello.html

Cheating the ELF, the grugq

A useful and less painful introduction to dynamic linking and subverting thereof for exploitation purposes.

Shared library redirection via ELF PLT Infection, Silvio Cesare

Phrack 56:7

A classic article that explains the Procedure Linkage Table design and manipulation

A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux

This tutorial explains how to make the smallest possible ELF executable by manipulating the standard ELF headers, which it explains in detail.

Reverse Engineering Linux x86 Binaries, Sean Burford

A nice summary of basic reverse engineering techniques, both static and dynamic. Explains the GNU/Linux tools for process observation and debugging.

Playing with binary formats, Alessandro Rubini

An explanation of how files get loaded and executed, and the role of the Linux kernel in it. This goes well with Phrack papers on kernel hijacking and redirection, or the advanced buffer overflow techniques that use ELF structures.

Modern Day ELF Runtime infection via GOT poisoning, Ryan O'Neill

An in-depth up-to-date summary of the above and more, with sample code and many details filled in.

The ELF Virus Writing HOWTO, Alexander Bartolich

Linux-specific: http://virus.bartolich.at/virus-writing-HOWTO/_html/i386-redhat8.0-linux/index.html

In order to infect an executable and hide in it, and yet not break it, one must understand really well how it works. This article covers a number of practical finer points of ELF. The document has changed so much between revisions that later versions are practically unrecognizable from earlier ones.

The older version is more suitable for a start, and generally more fun.

Advanced Fare

The ERESI project developed advanced ELF tools for inspecting and modifying ELF executables and processes created from ELF executables. These tools can be used for in-process debugging.

Phrack articles:

Phrack 61:8, The Cerberus ELF Interface
Phrack 63:9, Embedded ELF Debugging: the middle head of Cerberus

The project page can be a little overwhelming.
Start with the presentations at http://www.eresi-project.org/wiki/EresiArticles and with using elfsh, the project's ELF shell.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License