mirror of
https://github.com/wader/fq.git
synced 2024-12-26 15:02:28 +03:00
12105d8c1d
Makes it possible to decode shellcode snippets etc:

```
$ fq -n '"f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAIAAAAAAAsDxmvwYADwU=" | frombase64 | elf | d'
    |00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f|0123456789abcdef|.{}: (elf)
    |                                               |                |  error: elf: BitBufRange: failed at position 0 (read size 4294967296 seek pos 0): outside buffer
    |                                               |                |  header{}:
    |                                               |                |    ident{}:
0x00|7f 45 4c 46                                    |.ELF            |      magic: raw bits (valid)
0x00|            02                                 |    .           |      class: 64 (2)
0x00|               01                              |     .          |      data: "little_endian" (1)
0x00|                  01                           |      .         |      version: 1
0x00|                     00                        |       .        |      os_abi: "sysv" (0)
0x00|                        00                     |        .       |      abi_version: 0
0x00|                           00 00 00 00 00 00 00|         .......|      pad: raw bits (all zero)
0x10|02 00                                          |..              |    type: "exec" (0x2)
0x10|      3e 00                                    |  >.            |    machine: "x86_64" (0x3e) (AMD x86-64)
0x10|            01 00 00 00                        |    ....        |    version: 1
0x10|                        78 00 40 00 00 00 00 00|        x.@.....|    entry: 4194424
0x20|40 00 00 00 00 00 00 00                        |@.......        |    phoff: 64
0x20|                        00 00 00 00 00 00 00 00|        ........|    shoff: 0
0x30|00 00 00 00                                    |....            |    flags: 0
0x30|            40 00                              |    @.          |    ehsize: 64
0x30|                  38 00                        |      8.        |    phentsize: 56
0x30|                        01 00                  |        ..      |    phnum: 1
0x30|                              00 00            |          ..    |    shentsize: 0
0x30|                                    00 00      |            ..  |    shnum: 0
0x30|                                          00 00|              ..|    shstrndx: 0
    |                                               |                |  program_headers[0:1]:
    |                                               |                |    [0]{}: program_header
0x40|01 00 00 00                                    |....            |      type: "load" (1) (Loadable segment)
    |                                               |                |      flags{}:
0x40|            05                                 |    .           |        unused0: 0
0x40|            05                                 |    .           |        r: true
0x40|            05                                 |    .           |        w: false
0x40|            05                                 |    .           |        x: true
0x40|               00 00 00                        |     ...        |        unused1: 0
0x40|                        00 00 00 00 00 00 00 00|        ........|      offset: 0x0
0x50|00 00 40 00 00 00 00 00                        |..@.....        |      vaddr: 0x400000
0x50|                        00 00 40 00 00 00 00 00|        ..@.....|      paddr: 0x400000
0x60|00 00 00 00 01 00 00 00                        |........        |      filesz: 4294967296
0x60|                        00 00 00 00 01 00 00 00|        ........|      memsz: 4294967296
0x70|00 00 20 00 00 00 00 00                        |.. .....        |      align: 2097152
0x70|                        b0 3c 66 bf 06 00 0f 05|        .<f.....|  unknown0: raw bits

$ fq -n '"f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAFAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAIAAAAAAAsDxmvwYADwU=" | frombase64 | . as $b | elf | $b[.header.entry-.program_headers[0].vaddr:]' | ndisasm -b 64 -
00000000  B03C              mov al,0x3c
00000002  66BF0600          mov di,0x6
00000006  0F05              syscall
```
testdata

elf.go