I am back! 😀😮💨
I was procrastinating too much to not write this lol, I'm actually pretty lazy for writing, but stepping out of my comfort zone to do what's necessary will help me in the long run.
ANYWAYS, I made some progress a few weeks back with Phase 3 of my binary analyzer, which is the listing of sections. This time, I only finished ELF binaries, since I haven't worked on PE yet (again, procrastination FTL).
Now then, how does the section table work?
The section header table in ELF files lets you locate all of the file's sections. It is an array of structures that I will show you more of later on through the screenshots. That means, when reading the binary, you can either parse the entries one by one and forget about them, or store the information in a linear/sequential data structure. I opted for the latter, using a list to store the information of all sections (although any other sequence data structure might work just fine) and dictionaries within the list to store the information of each section, and also to make it more usable with my recursive dictionary printing function lolol.
Also, the first entry in the section header table is usually filled with zeros. Take that into consideration if you want to parse the table yourself.
How can you differentiate a section from the other one?
Each one has its own name, which can be extracted from the Section Header String Table, which is essentially a table that stores the strings for these names (these people have a way with their words istg). Originally, in these structures, the Name field is an index into this table, so it is necessary to use the ELF header to locate these strings (which are null-terminated btw): read the e_shstrndx field and get the last section, .shstrtab, whose offset points to the section header string table.
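Here is the parsing described above (table into a list of dicts, names resolved through e_shstrndx) as an added example; it is not code from my repository's analyzer. It only handles little-endian ELF64, the names `parse_sections`, `build_sample` and the dict keys are assumptions, and the input is a constructed three-section image.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 little-endian file header
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header entry
FIELDS = ("name_idx", "type", "flags", "addr", "offset",
          "size", "link", "info", "addralign", "entsize")

def parse_sections(data):
    """Return the section header table as a list of dicts with resolved names."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(data)
    e_shoff = hdr[6]
    e_shentsize, e_shnum, e_shstrndx = hdr[11:14]
    if e_shnum == 0:
        return []  # no table (extended numbering is not handled here)
    if e_shentsize != SHDR.size or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table is malformed or out of bounds")
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx does not point at a section")
    sections = [dict(zip(FIELDS, SHDR.unpack_from(data, e_shoff + i * e_shentsize)))
                for i in range(e_shnum)]
    strtab = sections[e_shstrndx]
    table = data[strtab["offset"]:strtab["offset"] + strtab["size"]]
    for sec in sections:
        # Names are null-terminated; a bad index or missing terminator gives "".
        end = table.find(b"\0", sec["name_idx"])
        sec["name"] = table[sec["name_idx"]:end].decode("ascii", "replace") if end >= 0 else ""
    return sections

def build_sample():
    """Constructed minimal ELF64 image: null entry, .text, .shstrtab."""
    names, text = b"\0.text\0.shstrtab\0", b"\xc3"
    text_off = EHDR.size
    names_off = text_off + len(text)
    shoff = names_off + len(names)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01", 1, 62, 1, 0, 0, shoff,
                     0, EHDR.size, 0, 0, SHDR.size, 3, 2)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + SHDR.pack(1, 1, 6, 0, text_off, len(text), 0, 0, 1, 0)
             + SHDR.pack(7, 3, 0, 0, names_off, len(names), 0, 0, 1, 0))
    return ehdr + text + names + shdrs

if __name__ == "__main__":
    for i, sec in enumerate(parse_sections(build_sample())):
        print(f"[{i}]")
        for key, value in sec.items():
            print(f"  {key}: {value}")
```

The bounds checks matter when the input is untrusted: a truncated or hand-edited file can put e_shoff, e_shstrndx or a name index outside the data.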
Alright then, how does it visually represent each section?
Here's a screenshot of the first 4 sections of /bin/ls
As you can see, the index of the entry in the table is at the top, inside square brackets and starting from 0. Then, the information for all of its fields is shown, until the next entry in the table.
Comparing my output to readelf -S:
...I'll let you figure this out.
Will you do section listing for PE files too?
Yes! I'm on my way to doing so. Make sure to check out my GitHub repository here if you want to check the full source code and follow for more updates.
See you later :)