Restoring external symbol calls in IDA when ELF sections are deleted
Some time ago I wrote ZwoELF, an ELF parsing and manipulation library for Python, to learn about the ELF format. I used it for the hack.lu 2013 CTF challenge ELF to manipulate the binary after it was compiled and linked. While writing ZwoELF I soon realized that almost every analysis tool relies on the sections of an ELF binary (IDA, readelf and even strings). The problem with this is that sections are optional: the loader works from the program headers, not the section headers, so sections are not needed to execute the binary. This means they can be missing or even be totally misleading. So I wrote ZwoELF with the intention of ignoring the sections of an ELF binary and still getting the same results (the example script "readElf.py" recovers the same information that "readelf" from the "elfutils" package does, but without using the sections).
Since almost all ELF analysis tools rely on sections, one of the obvious obfuscation techniques (for CTF challenges or by malware authors) is to delete the sections of an ELF binary. When they are deleted, IDA for example is not able to show you calls to external symbols like a call to "malloc()" or "printf()" (or at least I do not know how; I am not an IDA expert and I did not find anything on the Internet about it. If anyone knows an easier way to do it, please let me know).
Here is an example image of the "main()" function of the x86 "ls" binary.

And exactly there was my problem. The sections were deleted and I wanted the calls to external symbols to be shown in IDA (I have access to IDA 6.1.1100421). The simplest way I could come up with was to use ZwoELF in combination with IDAPython. I wrote this small IDAPython script to restore the names of the symbols.
Here is the "main()" function of the x86 "ls" binary again, but this time after the IDAPython script was used.

At the moment, the ZwoELF library only works with x86 binaries. But we (FluxFingers) need it for a project we are working on that will also be used with x86_64 binaries, so I expect ZwoELF will support x86_64 binaries soon.
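The ZwoELF code and the IDAPython script are not reproduced on this page, so here is an added example of the core idea (my own code, not ZwoELF's and not the author's script): recovering the imported symbol names of an ELF from the ELF header, the program headers and the PT_DYNAMIC segment alone, so that deleted or forged section headers make no difference. It goes beyond the x86-only scope mentioned above by handling 32- and 64-bit files and both REL and RELA PLT relocations, and it builds a constructed section-less ELF32 (e_shnum = 0) inline so it runs offline. The names ElfImports, build_sample_elf32 and the GOT slot addresses 0x08048200/0x08048204 are assumptions of this example, not names from ZwoELF.

```python
import struct

# ELF constants used below (values from the ELF specification)
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_PLTRELSZ, DT_STRTAB, DT_SYMTAB, DT_RELA = 0, 2, 5, 6, 7
DT_STRSZ, DT_SYMENT, DT_REL, DT_PLTREL, DT_JMPREL = 10, 11, 17, 20, 23


class ElfImports:
    """Recover PLT imports from the program headers and PT_DYNAMIC only; section headers are never read."""

    def __init__(self, data):
        if data[:4] != b"\x7fELF":
            raise ValueError("not an ELF file")
        self.data, self.is64 = data, data[4] == 2          # EI_CLASS: 2 = ELFCLASS64
        self.e = "<" if data[5] == 1 else ">"              # EI_DATA: 1 = little-endian
        fmt, ph_at, cnt_at = ("Q", 32, 54) if self.is64 else ("I", 28, 42)
        phoff, = struct.unpack_from(self.e + fmt, data, ph_at)              # e_phoff
        phentsize, phnum = struct.unpack_from(self.e + "HH", data, cnt_at)  # e_phentsize, e_phnum
        self.loads, dynamic = [], None                     # (vaddr, offset, filesz) per PT_LOAD
        pfmt = self.e + ("IIQQQQQQ" if self.is64 else "8I")
        for i in range(phnum):
            f = struct.unpack_from(pfmt, data, phoff + i * phentsize)
            # Elf64_Phdr has p_flags as its second field, Elf32_Phdr as its seventh
            p_type, p_off, p_vaddr, p_filesz = (f[0], f[2], f[3], f[5]) if self.is64 else (f[0], f[1], f[2], f[4])
            if p_type == PT_LOAD:
                self.loads.append((p_vaddr, p_off, p_filesz))
            elif p_type == PT_DYNAMIC:
                dynamic = (p_off, p_filesz)
        if dynamic is None:
            raise ValueError("no PT_DYNAMIC segment (static binary, or imports stripped)")
        self.dyn = self._parse_dynamic(*dynamic)

    def _parse_dynamic(self, off, size):
        """Read d_tag/d_val pairs up to DT_NULL; the first occurrence of a tag wins."""
        fmt, tags = self.e + ("qQ" if self.is64 else "iI"), {}
        for pos in range(off, off + size, struct.calcsize(fmt)):
            tag, val = struct.unpack_from(fmt, self.data, pos)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, val)
        return tags

    def va2off(self, va):
        """Translate a virtual address to a file offset through the PT_LOAD segments."""
        for vaddr, off, filesz in self.loads:
            if vaddr <= va < vaddr + filesz:
                return va - vaddr + off
        raise ValueError("0x%x is not backed by any PT_LOAD segment" % va)

    def symbol_name(self, index):
        """Name of dynamic symbol `index` (st_name is the first field of both Elf32_Sym and Elf64_Sym)."""
        syment = self.dyn.get(DT_SYMENT, 24 if self.is64 else 16)
        st_name, = struct.unpack_from(self.e + "I", self.data, self.va2off(self.dyn[DT_SYMTAB]) + index * syment)
        if st_name >= self.dyn.get(DT_STRSZ, 0):            # refuse to read past DT_STRTAB
            raise ValueError("st_name %d outside DT_STRTAB" % st_name)
        str_off = self.va2off(self.dyn[DT_STRTAB]) + st_name
        return self.data[str_off:self.data.index(b"\0", str_off)].decode("ascii", "replace")

    def plt_imports(self):
        """Map each GOT slot address listed in DT_JMPREL to the imported symbol bound there."""
        if DT_JMPREL not in self.dyn:
            return {}
        is_rela = self.dyn.get(DT_PLTREL, DT_REL) == DT_RELA
        if self.is64:
            fmt, shift = self.e + ("QQq" if is_rela else "QQ"), 32   # ELF64_R_SYM(i) = i >> 32
        else:
            fmt, shift = self.e + ("IIi" if is_rela else "II"), 8    # ELF32_R_SYM(i) = i >> 8
        off, result = self.va2off(self.dyn[DT_JMPREL]), {}
        for pos in range(off, off + self.dyn.get(DT_PLTRELSZ, 0), struct.calcsize(fmt)):
            r_offset, r_info = struct.unpack_from(fmt, self.data, pos)[:2]
            if r_info >> shift:                                     # index 0 is the null symbol
                result[r_offset] = self.symbol_name(r_info >> shift)
        return result


def build_sample_elf32():
    """Constructed input: a minimal x86 ELF with e_shnum = 0 (no section headers at all)
    that imports malloc and printf through two R_386_JUMP_SLOT relocations."""
    base, dynstr = 0x08048000, b"\0malloc\0printf\0"
    syms = struct.pack("<IIIBBH", 0, 0, 0, 0, 0, 0)                 # 0: null symbol
    syms += struct.pack("<IIIBBH", 1, 0, 0, 0x12, 0, 0)             # 1: malloc, GLOBAL FUNC, SHN_UNDEF
    syms += struct.pack("<IIIBBH", 8, 0, 0, 0x12, 0, 0)             # 2: printf
    rels = struct.pack("<II", base + 0x200, (1 << 8) | 7)           # GOT slot for symbol 1
    rels += struct.pack("<II", base + 0x204, (2 << 8) | 7)          # GOT slot for symbol 2
    str_off = 0x80
    sym_off, rel_off = str_off + len(dynstr), str_off + len(dynstr) + len(syms)
    dyn_off = rel_off + len(rels)
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in [
        (DT_STRTAB, base + str_off), (DT_SYMTAB, base + sym_off), (DT_STRSZ, len(dynstr)), (DT_SYMENT, 16),
        (DT_PLTREL, DT_REL), (DT_PLTRELSZ, len(rels)), (DT_JMPREL, base + rel_off), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8             # ELFCLASS32, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base + 0x100, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    phdrs = struct.pack("<8I", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    phdrs += struct.pack("<8I", PT_DYNAMIC, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 6, 4)
    img = ehdr + phdrs
    return img + b"\0" * (str_off - len(img)) + dynstr + syms + rels + dyn


if __name__ == "__main__":
    print(ElfImports(build_sample_elf32()).plt_imports())
```

Running it on the constructed file yields `{0x08048200: 'malloc', 0x08048204: 'printf'}`, which is exactly the information IDA loses when the section headers are gone. Inside IDA the same dictionary is what the script has to feed back: rename each GOT slot (`idc.MakeName(slot, name + "_ptr")` on IDA 6.x, `ida_name.set_name` on IDA 7 and later) and the `call ds:off_...` lines in `main()` turn into readable calls. Two caveats apply when sections cannot be trusted: the dynamic linker itself only consults PT_DYNAMIC, so a binary whose section headers disagree with it has already been tampered with, and the DT_STRSZ bound in `symbol_name()` is what stops a forged `st_name` from dragging the parser outside the string table.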
Comments
dera on :
I have been using pyelftools, but ZwoELF looks much better for this purpose. Good job.