
Restoring external symbol calls in IDA when ELF sections are deleted

Some time ago I wrote ZwoELF, an ELF parsing and manipulation library for Python, to learn about the ELF format. I used it for the hack.lu 2013 CTF challenge ELF to manipulate the binary after it was compiled and linked. While writing ZwoELF I soon realized that almost every analysis tool (IDA, readelf and even strings) relies on the sections of an ELF binary. The problem with this is that sections are optional and are not needed to execute the binary, so they can be missing or even completely misleading. I therefore wrote ZwoELF with the intention of ignoring the sections of an ELF binary and still obtaining the same results (the example script "readElf.py" gets the same information as "readelf" from the "elfutils" package, but without using the sections).

Since almost all ELF analysis tools rely on sections, one obvious obfuscation technique (for CTF challenges or for malware authors) is to delete the sections of an ELF binary. When they are deleted, IDA, for example, is not able to show you calls to external symbols such as "malloc()" or "printf()" (or at least I do not know how; I am not an IDA expert, and I did not find anything on the Internet about it. If anyone knows an easier way to do it, please let me know).

Here is an example image of the "main()" function of the x86 "ls" binary.



And exactly that was my problem: the sections were deleted and I wanted the calls to external symbols to be shown in IDA (I have access to IDA 6.1.1100421). The simplest way I could come up with was to use ZwoELF in combination with IDAPython. I wrote this small IDAPython script to restore the names of the symbols.
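To show the idea behind such a script, here is an added example (not the post's IDAPython script and not ZwoELF code) that recovers the PLT import names of a little-endian x86 or x86_64 ELF from the ELF header, the program headers and PT_DYNAMIC alone, ignoring section headers entirely; the resulting GOT-slot-to-name map is what an IDAPython script would then apply to the database.

```python
import struct, sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_PLTRELSZ, DT_STRTAB, DT_SYMTAB, DT_RELA, DT_PLTREL, DT_JMPREL = 0, 2, 5, 6, 7, 20, 23

def vaddr_to_offset(loads, vaddr):
    # PT_LOAD segments give the vaddr <-> file offset mapping that sections normally spell out
    for off, va, filesz in loads:
        if va <= vaddr < va + filesz:
            return vaddr - va + off
    raise ValueError("vaddr 0x%x is not backed by the file" % vaddr)

def imports_from_segments(data):
    """{GOT slot vaddr: symbol name} for every PLT relocation, read from the ELF
    header, program headers and PT_DYNAMIC only. Assumes little-endian x86/x86_64."""
    assert data[:4] == b"\x7fELF", "not an ELF file"
    is64 = data[4] == 2  # EI_CLASS: 2 = ELFCLASS64
    phoff = struct.unpack_from("<Q" if is64 else "<I", data, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54 if is64 else 42)
    ph_fmt, dyn_fmt, sym_fmt = ("<IIQQQQQQ", "<qQ", "<IBBHQQ") if is64 else ("<IIIIIIII", "<iI", "<IIIBBH")
    loads, dynamic = [], None
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        # p_flags sits second in the 64-bit layout but second-to-last in the 32-bit one
        p_type, p_offset, p_vaddr, p_filesz = (ph[0], ph[2], ph[3], ph[5]) if is64 else (ph[0], ph[1], ph[2], ph[4])
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment: nothing to resolve (static binary?)")
    tags = {}
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(dyn_fmt)):
        tag, val = struct.unpack_from(dyn_fmt, data, pos)
        if tag == DT_NULL:
            break
        tags[tag] = val
    # x86_64 PLT relocations are RELA (with addend), i386 ones are REL; DT_PLTREL records which
    rel_fmt = ("<QQq" if is64 else "<IIi") if tags.get(DT_PLTREL) == DT_RELA else ("<QQ" if is64 else "<II")
    strtab, symtab = vaddr_to_offset(loads, tags[DT_STRTAB]), vaddr_to_offset(loads, tags[DT_SYMTAB])
    jmprel, names = vaddr_to_offset(loads, tags[DT_JMPREL]), {}
    for pos in range(jmprel, jmprel + tags[DT_PLTRELSZ], struct.calcsize(rel_fmt)):
        r_offset, r_info = struct.unpack_from(rel_fmt, data, pos)[:2]
        sym = r_info >> 32 if is64 else r_info >> 8  # ELF64_R_SYM / ELF32_R_SYM
        st_name = struct.unpack_from(sym_fmt, data, symtab + sym * struct.calcsize(sym_fmt))[0]
        names[r_offset] = data[strtab + st_name:data.index(b"\0", strtab + st_name)].decode("ascii")
    return names

if __name__ == "__main__":
    for slot, name in sorted(imports_from_segments(open(sys.argv[1], "rb").read()).items()):
        print("0x%x %s" % (slot, name))
```

Run as `python script.py ./ls` on a binary whose section headers were stripped; inside IDA the same dictionary can be applied slot by slot with `idc.MakeName(addr, name)` (the IDA 6.x IDAPython API), after which the PLT stubs that jump through those GOT slots show the recovered names.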

Here is the "main()" function of the x86 "ls" binary again, but this time after the IDAPython script was used.



At the moment, the ZwoELF library only works with x86 binaries. But we (FluxFingers) need it for a project we are working on that will also be used with x86_64 binaries, so I think ZwoELF will support x86_64 binaries soon.


Comments


driest on :

Ida 6.5 somehow manages to do this automagically. Would be interesting to see how they do it.

sqall on :

Thx, good to know. I do not have access to this version, so I could not check this.

dera on :

I suggest you don't name the restored functions "_restored", but rather "_, i.e. "_malloc"; this will cause IDA to name function arguments for the particular function.

I have been using pyelftools, but ZwoELF looks much better for this purpose. Good job.

sqall on :

This is a great suggestion. I will look into it and check how IDA reacts. Thanks.
