Linux ELF Not Recognised


Description

Testing capa with a basic Linux kernel module fails.

root@debian:~/src/git/linux_kernel_hacking/0_Basic_LKMs/0.0_Basic# ~/capa example.ko
loading : [8<]
ERROR:capa:--------------------------------------------------------------------------------
ERROR:capa: Input file does not appear to target a supported OS.
ERROR:capa:
ERROR:capa: capa currently only supports analyzing executables for some operating systems (including Windows and Linux).
ERROR:capa:--------------------------------------------------------------------------------
root@debian:~/src/git/linux_kernel_hacking/0_Basic_LKMs/0.0_Basic# file example.ko
example.ko: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=dc941d6e3f77657bcbacf3d2d23c06b7a209e00d, not stripped
root@debian:~/src/git/linux_kernel_hacking/0_Basic_LKMs/0.0_Basic#

Steps to Reproduce

Files tested are available on VT:

Versions

capa v3.1.0-0-gc0851fc

Additional Information

Input file is a simple compile of the example Linux kernel module from the following source code: https://github.com/xcellerator/linux_kernel_hacking/tree/master/0_Basic_LKMs/0.0_Basic Compiled on Debian.

root@debian:~/src/git/linux_kernel_hacking/0_Basic_LKMs/0.0_Basic# cat /etc/debian_version
11.2

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5

Top GitHub Comments

1 reaction
williballenthin commented, Jan 13, 2022

this ELF file also makes vivisect pretty unhappy:

❯ python -m capa.main ~/Downloads/82dae644c7a956a41d70097b7a749ca26fc6e04f0fa3186ee72955b2b5c550b6
loading : 100%|███████████████████████████| 658/658 [00:00<00:00, 2485.65 rules/s]
..  analyzing programINFO:Elf:self._parsePheaders
INFO:Elf:self._parseDynLinkInfo
INFO:Elf:self._parseSections
INFO:Elf:self._parseDynamicsFromSections
INFO:Elf:self._parseDynStrs
INFO:Elf:no dynamic string tableinfo found: DT_STRTAB: None  DT_STRSZ: None
INFO:Elf:self._parseDynSyms
INFO:Elf:self._parseDynRelocs
INFO:Elf:self._parseDynSymsFromSections
INFO:Elf:self._parseSectionSymbols
INFO:Elf:self._parseSectionRelocs
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x8e0
INFO:Elf:section reloc: reloc: @0x1 4
INFO:Elf:section reloc: reloc: @0x8 11
INFO:Elf:section reloc: reloc: @0xd 4
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x928
INFO:Elf:section reloc: reloc: @0x3 11
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x958
INFO:Elf:section reloc: reloc: @0x0 1
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x970
INFO:Elf:section reloc: reloc: @0x4 2
INFO:Elf:section reloc: reloc: @0xc 2
WARNING:Elf:_parseSectionRelocs: Reloc section differs from Dynamics: 0x9d0
INFO:Elf:section reloc: reloc: @0x150 1
INFO:Elf:section reloc: reloc: @0x380 1
INFO:Elf:done parsing ELF
INFO:vivisect:elf: no program headers found!
WARNING:vivisect.parsers.elf:unknown reloc type: 4  (at 0x1)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x1 4
00000000 (08)   r_offset: 0x00000001 (1)
00000008 (08)   r_info: 0x1300000004 (81604378628)
00000010 (08)   r_addend: 0xfffffffffffffffc (18446744073709551612)

WARNING:vivisect.parsers.elf:unknown reloc type: 11  (at 0x8)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x8 11
00000000 (08)   r_offset: 0x00000008 (8)
00000008 (08)   r_info: 0x30000000b (12884901899)
00000010 (08)   r_addend: 0x00000000 (0)

WARNING:vivisect.parsers.elf:unknown reloc type: 4  (at 0xd)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0xd 4
00000000 (08)   r_offset: 0x0000000d (13)
00000008 (08)   r_info: 0x1500000004 (90194313220)
00000010 (08)   r_addend: 0xfffffffffffffffc (18446744073709551612)

WARNING:vivisect.parsers.elf:unknown reloc type: 11  (at 0x3)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x3 11
00000000 (08)   r_offset: 0x00000003 (3)
00000008 (08)   r_info: 0x30000000b (12884901899)
00000010 (08)   r_addend: 0x00000011 (17)

WARNING:vivisect.parsers.elf:unknown reloc type: 1  (at 0x0)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x0 1
00000000 (08)   r_offset: 0x00000000 (0)
00000008 (08)   r_info: 0x100000001 (4294967297)
00000010 (08)   r_addend: 0x00000000 (0)

WARNING:vivisect.parsers.elf:unknown reloc type: 2  (at 0x4)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x4 2
00000000 (08)   r_offset: 0x00000004 (4)
00000008 (08)   r_info: 0x100000002 (4294967298)
00000010 (08)   r_addend: 0x00000014 (20)

WARNING:vivisect.parsers.elf:unknown reloc type: 2  (at 0xc)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0xc 2
00000000 (08)   r_offset: 0x0000000c (12)
00000008 (08)   r_info: 0x200000002 (8589934594)
00000010 (08)   r_addend: 0x0000000c (12)

WARNING:vivisect.parsers.elf:unknown reloc type: 1  (at 0x150)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x150 1
00000000 (08)   r_offset: 0x00000150 (336)
00000008 (08)   r_info: 0x1400000001 (85899345921)
00000010 (08)   r_addend: 0x00000000 (0)

WARNING:vivisect.parsers.elf:unknown reloc type: 1  (at 0x380)
WARNING:vivisect.parsers.elf:00000000 (24) Elf64Reloca: reloc: @0x380 1
00000000 (08)   r_offset: 0x00000380 (896)
00000008 (08)   r_info: 0x1200000001 (77309411329)
00000010 (08)   r_addend: 0x00000000 (0)

INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect.parsers.elf:sva==0, using relocation name: 1: ''
INFO:vivisect:Failed to find file for 0x00000000 (__this_module) (and filelocal == True!)
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/home/user/code/capa-pub/capa/main.py", line 1095, in <module>
    sys.exit(main())
  File "/home/user/code/capa-pub/capa/main.py", line 986, in main
    extractor = get_extractor(
  File "/home/user/code/capa-pub/capa/main.py", line 463, in get_extractor
    vw = get_workspace(path, format, sigpaths)
  File "/home/user/code/capa-pub/capa/main.py", line 403, in get_workspace
    vw = viv_utils.getWorkspace(path, analyze=False, should_save=False)
  File "/home/user/code/viv-utils/viv_utils/__init__.py", line 106, in getWorkspace
    vw.loadFromFile(fp)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/vivisect/__init__.py", line 2737, in loadFromFile
    fname = mod.parseFile(self, filename=filename, baseaddr=baseaddr)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/vivisect/parsers/elf.py", line 31, in parseFile
    return loadElfIntoWorkspace(vw, elf, filename=filename, baseaddr=baseaddr)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/vivisect/parsers/elf.py", line 531, in loadElfIntoWorkspace
    valu = vw.readMemoryPtr(sva)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/envi/memory.py", line 187, in readMemoryPtr
    return self.readMemValue(va, self.imem_psize)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/envi/memory.py", line 169, in readMemValue
    bytes = self.readMemory(addr, size)
  File "/home/user/env/lib/python3.8/site-packages/vivisect-1.0.5-py3.8.egg/envi/memory.py", line 539, in readMemory
    raise envi.SegmentationViolation(va)
envi.exc.SegmentationViolation: SegmentationViolation('Bad Memory Access: 0x0')
0 reactions
williballenthin commented, Jan 13, 2022

the note is not represented by a program header, only a section.

  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           64 (bytes)
  Number of section headers:         25
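
The header values quoted in the comment above (zero program headers, 25 section headers) mean that any check that looks for notes only in PT_NOTE segments sees nothing in a relocatable kernel module. The following is an added example, not code from capa, vivisect or the issue thread; `note_locations` and `build_sample_rel` are hypothetical names, and the sample ELF bytes are constructed for illustration.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr, little-endian
ET_NAMES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
PT_NOTE, SHT_NOTE = 4, 7

def note_locations(data: bytes) -> dict:
    """Report whether an ELF64 LSB image exposes notes as segments, sections, or neither."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (_, e_type, _, _, _, e_phoff, e_shoff, _, _,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _) = EHDR.unpack_from(data)

    def types(off, entsize, count, field_off):
        # Read the 32-bit type field of every entry in a header table.
        out = []
        for i in range(count):
            pos = off + i * entsize + field_off
            if pos + 4 > len(data):
                raise ValueError("header table runs past end of file")
            out.append(struct.unpack_from("<I", data, pos)[0])
        return out

    p_types = types(e_phoff, e_phentsize, e_phnum, 0)    # p_type is at offset 0
    sh_types = types(e_shoff, e_shentsize, e_shnum, 4)   # sh_type is at offset 4
    return {
        "type": ET_NAMES.get(e_type, hex(e_type)),
        "phnum": e_phnum,
        "shnum": e_shnum,
        "note_segments": p_types.count(PT_NOTE),
        "note_sections": sh_types.count(SHT_NOTE),
    }

def build_sample_rel() -> bytes:
    """Constructed sample: ET_REL, no program headers, a null section and one SHT_NOTE section."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, 64, 0, 64, 0, 0, 64, 2, 0)
    null = SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    note = SHDR.pack(0, SHT_NOTE, 0, 0, 0, 0, 0, 0, 4, 0)
    return ehdr + null + note

if __name__ == "__main__":
    print(note_locations(build_sample_rel()))
```

To inspect a real module, pass the file's bytes (`open(path, "rb").read()`) to `note_locations`.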