From bfaee2c402c30eb3a41c84b7315e37c0caa9406b Mon Sep 17 00:00:00 2001
From: Yacine Elhamer
Date: Sun, 2 Apr 2023 17:34:13 +0100
Subject: [PATCH] Add a class (SYMTAB) for the symbol table
---
 capa/features/extractors/elf.py | 38 +++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/capa/features/extractors/elf.py b/capa/features/extractors/elf.py
index 7201cc9f..9db24262 100644
--- a/capa/features/extractors/elf.py
+++ b/capa/features/extractors/elf.py
@@ -604,6 +604,44 @@ class SHNote:
 return ABITag(os, kmajor, kminor, kpatch)
+class SYMTAB:
+ def __init__(self, endian: str, bitness: int, symtab_buf: bytes, symtab_entsize:int, symtab_sz: int, strtab_buf: bytes, strtab_sz: int) -> None:
+ self.symbols = []
+ self.symnum = int(symtab_sz / symtab_entsize)
+ self.entsize = symtab_entsize
+
+ self.strings = strtab_buf
+ self.strings_sz = strtab_sz
+
+ self._parse(endian, bitness, symtab_buf)
+
+ def _parse(self, endian: str, bitness: int, symtab_buf) -> None:
+ """
+ return the symbol's information in
+ the order specified by sys/elf32.h
+ """
+ for i in range(self.symnum):
+ if bitness == 32:
+ name, value, size, info, other, shndx = struct.unpack_from(endian+"IIIBBH", symtab_buf, i*self.entsize)
+ elif bitness == 64:
+ name, info, other, shndx, value, size = struct.unpack_from(endian+"IBBBQQ", symtab_buf, i*self.entsize)
+
+ self.symbols.append((name, value, size, info, other, shndx))
+
+ def fetch_str(self, offset) -> str:
+ """
+ fetch a symbol's name from symtab's
+ associated strings' section (SHT_STRTAB)
+ """
+ for i in range(offset, self.strings_sz):
+ if self.strings[i] == 0:
+ return self.strings[offset:i].decode()
+
+ def get_symbols(self) -> Tuple[int, int, int, int, int, int]:
+ for symbol in self.symbols:
+ yield symbol
+
+
 def guess_os_from_osabi(elf) -> Optional[OS]:
 return elf.ei_osabi
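Review bot: `_parse` bounds its loop by the header-derived `symtab_sz`/`symtab_entsize` rather than by the buffer it holds, so a truncated or crafted ELF whose `symtab_buf` is shorter than `symnum * entsize` raises `struct.error` from `unpack_from`, an `entsize` of 0 raises `ZeroDivisionError` in `__init__`, and a `bitness` other than 32/64 leaves the tuple names unbound and fails with `UnboundLocalError` on the first iteration. `fetch_str` has the same trust problem: a string table with no NUL before `strings_sz` falls off the loop and returns `None` despite the `-> str` annotation, a `strtab_sz` larger than `len(strtab_buf)` raises `IndexError`, and `.decode()` raises `UnicodeDecodeError` on a non-UTF-8 name. I would bound the symbol count by the buffer actually held, reject an unsupported bitness explicitly, and replace the byte-by-byte scan with `bytes.find`, as below; in `__init__` use `self.symnum = symtab_sz // symtab_entsize` after checking `symtab_entsize > 0`. `get_symbols` is a generator, so its annotation should be `Iterator[Tuple[int, int, int, int, int, int]]` (importing `Iterator` from `typing` if the file does not already), and `symtab_entsize:int` wants a space after the colon.
```python
    def _parse(self, endian: str, bitness: int, symtab_buf) -> None:
        # … docstring unchanged …
        if bitness == 32:
            fmt = endian + "IIIBBH"
        elif bitness == 64:
            fmt = endian + "IBBBQQ"
        else:
            raise ValueError(f"unsupported ELF bitness: {bitness}")
        # trust the bytes we actually hold, not the size claimed by the section header
        count = min(self.symnum, len(symtab_buf) // self.entsize)
        for i in range(count):
            fields = struct.unpack_from(fmt, symtab_buf, i * self.entsize)
            if bitness == 32:
                name, value, size, info, other, shndx = fields
            else:
                name, info, other, shndx, value, size = fields
            self.symbols.append((name, value, size, info, other, shndx))

    def fetch_str(self, offset) -> str:
        # … docstring unchanged …
        end = self.strings.find(b"\x00", offset, min(self.strings_sz, len(self.strings)))
        if end < 0:
            raise ValueError(f"unterminated string at offset {offset:#x} in SHT_STRTAB")
        # a malformed name should not abort extraction of the remaining symbols
        return self.strings[offset:end].decode("utf-8", errors="replace")
```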