C++ links: executable and object file formats (ELF, Mach-O, PE); debugging data formats (DWARF, PDB): articles, documentation, software, and talks.
Executable files, debugging data, object code, shared libraries - file formats information, specifications, software - with relevance to compiler toolchains, debuggers, and general program analysis.
Organization: Preference given to the most specific category; e.g., if an article discusses DLL-specific information, then it belongs to the DLL section (in preference to the more general PE).
See also:
Contents:
- General: Readings - Software: Debugging Information - Talks
- DLL: Readings - Software - Talks
- DWARF: Readings - Software - Talks
- ELF: Readings - Software - Talks
- Mach-O: Readings - Software - Talks
- PDB: Readings - Software - Talks
- PE: Readings - Software - Talks
- Actually Portable Executable
- Comparison of executable file formats - https://en.wikipedia.org/wiki/Comparison_of_executable_file_formats
- Executable and object file formats - https://en.wikipedia.org/wiki/Template:Executables
- Exploring Object File Formats
- 2024; MaskRay (Fangrui Song)
- https://maskray.me/blog/2024-01-14-exploring-object-file-formats
- From Hack to Elaborate Technique—A Survey on Binary Rewriting
- ACM Computing Surveys 52(3) 2019
- Matthias Wenzl, Georg Merzdovnik, Johanna Ullrich, and Edgar Weippl
- https://dl.acm.org/citation.cfm?doid=3341324.3316415
- https://publications.sba-research.org/publications/201906%20-%20GMerzdovnik%20-%20From%20hack%20to%20elaborate%20technique.pdf
- Linux Foundation Referenced Specifications: ABI, ELF, DWARF - https://refspecs.linuxfoundation.org/
- Type Inference on Executables
- ACM Computing Surveys, Vol. 48, No. 4, Article 65, 2016
- Juan Caballero and Zhiqiang Lin
- https://www.utdallas.edu/~zxl111930/file/CSUR16.pdf
- http://web.cse.ohio-state.edu/~lin.3021/file/CSUR16.pdf
- Visual Documentation - File formats - Executables: ELF, Mach-O, PE (SVG and PDF available)
- https://github.com/corkami/pics/blob/master/binary/README.md#executables
- elf101: https://github.com/corkami/pics/tree/master/binary/elf101
- macho101: https://github.com/corkami/pics/tree/master/binary/macho101
- pe101: https://github.com/corkami/pics/tree/master/binary/pe101
- pe102: https://github.com/corkami/pics/tree/master/binary/pe102
See also: DWARF, PDB, Debugging: Implementation
- Distribution of debug information
- 2022; MaskRay (Fangrui Song)
- https://maskray.me/blog/2022-10-30-distribution-of-debug-information
- Assemblage: A dataset (and tool for building) binary executable corpuses
- Assemblage is both a dataset (of x86-64 ELF and Windows PE executables) and a cloud-based distributed system for building large, diverse, corpuses of binaries.
- https://assemblage-dataset.net/
- Assemblage: Automatic Binary Dataset Construction for Machine Learning
- 2024
- Chang Liu, Rebecca Saul, Yihao Sun, Edward Raff, Maya Fuchs, Townsend Southard Pantano, James Holt, Kristopher Micinski
- https://arxiv.org/abs/2405.03991
- Backdoor Factory (BDF): patch PE, ELF, Mach-O binaries with shellcode - https://github.com/secretsquirrel/the-backdoor-factory
- Binary2Groundtruth: Generates a ground truth map of a binary with the help of debug symbols
- Supports PE and ELF binaries.
- https://github.com/LL-MM/approxis-groundtruth
- bingrep: Greps through binaries from various OSs and architectures, and colors them (ELF, Mach-O, PE)
- Bloaty McBloatface: a size profiler for binaries (ELF, Mach-O) - https://github.com/google/bloaty
- http://blog.reverberate.org/2016/11/07/introducing-bloaty-mcbloatface.html
- How Bloaty Works
- “(Ab)using Compiler Tools”; CppCon 2019; Reka Kovacs
- Boost Dynamic Library Load (Boost.DLL): Library for comfortable work with DLL and DSO
- cave_miner: search for code cave in binaries (ELF, Mach-O, PE), and inject code in them
- checksec.py: Checksec tool in Python, rich output, based on LIEF
- A simple tool to verify the security properties of your binaries.
- https://github.com/Wenzel/checksec.py
- codesize: Code size visualization tool with PDB/ELF/Mach-O support
- Delinker: Unlinks a binary executable to get back a set of .o object files for further transformation and re-linking.
- https://github.com/jnider/delinker
- Reverse the Linking Process
- Compiler, Architecture, and Tools Conference (CATC) 2018
- Joel Nider
- https://software.intel.com/en-us/download/reverse-the-linking-process
- Detect-It-Easy: Program for determining types of files for Windows, Linux and MacOS
- elfshaker: a low-footprint, high-performance version control system fine-tuned for binaries
- stores snapshots of directories into highly-compressed pack files and provides fast on-demand access to the stored files
- particularly good for storing lots of similar files, for example object files from an incremental build
- https://github.com/elfshaker/elfshaker
- FileBytes
- Library to read and edit files in the following formats: Executable and Linking Format (ELF), Portable Executable (PE), MachO and OAT (Android Runtime)
- https://scoding.de/filebytes-introduction
- https://github.com/sashs/filebytes/
- Fileformat: A set of libraries and tools for representation, manipulation, and analysis of binary files in various object file formats
- COFF, ELF, Intel HEX, Mach-O, PE, raw data
- https://github.com/avast/retdec/tree/master/src/fileformat
- https://github.com/avast/retdec/wiki/Project-Repository-Structure
- FunctionSimSearch
- Example C++ code to demonstrate how to do SimHash-based similarity search over CFGs extracted from disassemblies
- https://github.com/googleprojectzero/functionsimsearch
- Searching statically-linked vulnerable library functions in executable code
- golfclub: Binary Golf Examples and Resources (ELF, PE)
- injectdso - A collection of tools for injecting DSOs - https://github.com/huku-/injectdso
- LIEF - Library to Instrument Executable Formats
- The purpose of this project is to provide a cross platform library which can parse, modify and abstract ELF, PE and MachO formats.
- https://github.com/lief-project/LIEF
- https://lief.quarkslab.com/
- references: https://lief.quarkslab.com/doc/latest/references.html
- objconv: Object file converter
- A utility for cross-platform development of function libraries, for converting and modifying object files and for dumping and disassembling object and executable files for all x86 and x86-64 platforms.
- This utility can be used for converting object files between COFF/PE, OMF, ELF and Mach-O formats for all 32-bit and 64-bit x86 platforms. Can modify symbol names in object files. Can build, modify and convert function libraries across platforms. Can dump object files and executable files. Also includes a very good disassembler supporting the SSE4, AVX, AVX2, AVX512, FMA3, FMA4, XOP and Knights Corner instruction sets. Source code included (GPL).
- https://www.agner.org/optimize/#objconv
- Pyew - https://github.com/joxeankoret/pyew
- Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
- Qiew - Hex/File format viewer (ELF and PE plugins available) - https://github.com/mtivadar/qiew
- RetDec: a retargetable machine-code decompiler based on LLVM
- Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
- Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.
- https://github.com/avast-tl/retdec
- Ropper - ROP gadget finder and binary information tool (ELF, PE, Mach-O)
- Sample Binaries: Sample binary executables (for a number of architectures) for binary analysis testing
- Samples of binary with different formats and architectures. A test suite for your binary analysis tools. (ELF, Mach-O, PE)
- symtool: Static symbol manipulation tool for ELF and Mach-O objects
- https://github.com/calebzulawski/symtool
- Changing symbol visibility
- Renaming symbols
- Actions are performed in-place, leaving the rest of the binary untouched
- The Witchcraft Compiler Collection
- https://github.com/endrazine/wcc
- wld: The Witchcraft Linker
- wld takes an ELF executable as an input and modifies it to create a shared library.
- wcc: The Witchcraft Compiler
- The wcc compiler takes binaries (ELF, PE, ...) as an input and creates valid ELF binaries as an output. It can be used to create relocatable object files from executables or shared libraries.
- wsh: The Witchcraft shell
- The witchcraft shell accepts ELF shared libraries, ELF ET_DYN executables and Witchcraft Shell Scripts written in Punk-C as an input. It loads all the executables in its own address space and makes their API available for programming in its embedded interpreter. This provides for binaries functionalities similar to those provided via reflection on languages like Java.
- wldd: print shared libraries compilation flags
- wcch: generate C headers from binaries
- ddbug - Display debugging information
- ddbug is a utility that can extract useful information from DWARF/PDB debugging data. Its goal is to use the debugging information to provide insights into the code generation.
- Supports: ELF files with DWARF, Mach-O files with DWARF, Windows PDB files (mimimal)
- https://github.com/gimli-rs/ddbug
- llvm-debuginfo-analyzer: Print a logical representation of low-level debug information
- llvm-debuginfo-analyzer parses debug and text sections in binary object files and prints their contents in a logical view, which is a human readable representation that closely matches the structure of the original user source code. Supported object file formats include ELF, Mach-O, PDB and COFF.
- https://llvm.org/docs/CommandGuide/llvm-debuginfo-analyzer.html
- https://github.com/llvm/llvm-project/tree/main/llvm/tools/llvm-debuginfo-analyzer
- https://github.com/SNSystems/llvm-debuginfo-analyzer
- (original tool, not maintained) DIVA - Debug Information Visual Analyzer
- DIVA is a command line tool that processes DWARF debug information contained within ELF files and prints the semantics of that debug information. The DIVA output is designed to be understandable by software programmers without any low-level compiler or DWARF knowledge; as such, it can be used to report debug information bugs to the compiler provider.
- https://github.com/SNSystems/DIVA
- 2017 EuroLLVM Developers’ Meeting lightning talk
- Reverse Engineering Binaries
- DevConf.CZ 2019; Divya Basant Kumar
- https://www.youtube.com/watch?v=TZVBK5hu0sk
- My Little Object File: How Linkers Implement C++
- CppCon 2017; Michael Spencer
- (ELF, MachO, COFF)
- https://www.youtube.com/watch?v=a5L66zguFe4
- The Life of Binaries
- Adaptive DLL Hijacking
- DLLs and Visual C++ run-time library behavior - https://docs.microsoft.com/en-us/cpp/build/run-time-library-behavior
- Dynamic-Link Library Best Practices - https://msdn.microsoft.com/library/windows/desktop/dn633971.aspx
- Everything You Never Wanted To Know About DLLs - http://blog.omega-prime.co.uk/2011/07/04/everything-you-never-wanted-to-know-about-dlls/
- GOTOHELL.DLL: Software Dependencies and the Maintenance of Microsoft Windows
- The Maintainers 2016; Stephanie Dick, Dan Volmar
- http://themaintainers.org/s/GOTOHELLDLL1.pdf
- How can I specify that my DLL should resolve a DLL dependency from the same directory that the DLL is in?
- How to turn a DLL into a standalone EXE - https://hshrzd.wordpress.com/2016/07/21/how-to-turn-a-dll-into-a-standalone-exe/
- Import by Hash in x64 Assembly - https://emsea.github.io/2017/12/04/import-by-hash/
- Isolating a plugin into its own directory
- Rpath emulation: absolute DLL references on Windows - http://blog.omega-prime.co.uk/2012/12/06/rpath-emulation-absolute-dll-references-on-windows/
- Shellcode: In-Memory Execution of DLL - https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/
- Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques
- What is so special about the instance handle 0x10000000? - https://blogs.msdn.microsoft.com/oldnewthing/20121227-00/?p=5713/
- Windows DLL Hijacking (Hopefully) Clarified
- Dependencies: An open-source modern Dependency Walker
- Dependency Walker - http://www.dependencywalker.com/
- Detours - https://www.microsoft.com/en-us/research/project/detours/
- DetoursNT: Detours with just single dependency - NTDLL
- DLL Diagnostic Tools: Tools for diagnosing DLL dependency loading issues
- DLL_to_EXE: Converts a DLL into a ready-to-use EXE. Supports both 32 and 64 bit DLLs
- EasyHook
- GNU Binary Utilities - https://sourceware.org/binutils/docs/binutils/
- dlltool: Create files needed to build and use DLLs - https://sourceware.org/binutils/docs/binutils/dlltool.html
- InjectDLL: a Windows command line tool to inject DLLs into other processes - http://bytepointer.com/tools/index.htm#injectdll
- Koppeling: Adaptive DLL hijacking / dynamic export forwarding
- loadlibrary: Porting Windows Dynamic Link Libraries to Linux
- MemoryModule: Library to load a DLL from memory
- PESecInfo: A simple tool to view important DLL Characteristics and change DEP and ASLR
- Rattler: Automated DLL Enumerator
- https://github.com/sensepost/rattler
- Rattler: Identifying and Exploiting DLL Preloading Vulnerabilities
- What the Dll? Finding and Exploiting DLL preloading vulnerabilities - Chris Le Roy
- Reflective DLL Injection with PowerShell - https://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
- ReflectiveDLLInjection - https://github.com/stephenfewer/ReflectiveDLLInjection
- ReloadLibrary
- ReloadLibrary is a quick-and-dirty anti-hook library. Given the name of a .dll, it will make a temporary copy of the .dll on disk, load the copy, and overwrite the import address table with corresponding function addresses in the cloned library.
- https://github.com/nickcano/ReloadLibrary
- ThreadContinue: Reflective DLL injection using SetThreadContext() and NtContinue()
- WinDepends: Windows Dependencies
- a rewrite of the Dependency Walker utility
- https://github.com/hfiref0x/WinDepends
- 2017 - Everything You Ever Wanted to Know about DLLs
- 2017 - Memory-Based Library Loading: Someone Did That Already
- DWARF Debugging Standard Website - http://dwarfstd.org/
- DWARF Debugging Standard Wiki - http://wiki.dwarfstd.org/
- An interesting tree serialization algorithm from DWARF - https://eli.thegreenplace.net/2011/09/29/an-interesting-tree-serialization-algorithm-from-dwarf
- David A's DWARF Page - https://www.prevanders.net/dwarf.html
- Debugging formats DWARF and STAB - https://www.ibm.com/developerworks/library/os-debugging/
- DWARF Extensions For Heterogeneous Debugging
- DWARF Extensions for Separate Debug Information Files - https://gcc.gnu.org/wiki/DebugFission
- DWARF Package File Format - https://gcc.gnu.org/wiki/DebugFissionDWP
- DWARF: Debug Information is Huge and What to do About It
- Exploring the DWARF debug format information - https://www.ibm.com/developerworks/aix/library/au-dwarf-debug-format/index.html
- From Debugging-Information Based Binary-Level Type Inference to CFG Generation
- Conference on Data and Application Security and Privacy (CODASPY) 2018
- D. Zeng and G. Tan
- http://www.cse.psu.edu/~gxt29/papers/cfgConsMeta.pdf
- How debuggers work: Part 3 - Debugging information - http://eli.thegreenplace.net/2011/02/07/how-debuggers-work-part-3-debugging-information
- Implementing a Debugger: The Fundamentals - https://backtrace.io/blog/debugger-internals/
- Improving C++ Builds with Split DWARF - https://www.productive-cpp.com/improving-cpp-builds-with-split-dwarf/
- Introduction to the DWARF Debugging Format - http://www.dwarfstd.org/doc/Debugging%20using%20DWARF.pdf
- Programmatic access to the call stack in C++ - https://eli.thegreenplace.net/2015/programmatic-access-to-the-call-stack-in-c/
- Querying DWARF For Fun And Profit - https://developers.redhat.com/blog/2015/01/22/querying-dwarf-for-fun-and-profit/
- Reliable and Fast DWARF-based Stack Unwinding
- OOPSLA 2019
- Théophile Bastian, Stephen Kell, Francesco Zappa Nardelli
- https://www.di.ens.fr/~zappa/projects/frdwarf/
- https://2019.splashcon.org/details/splash-2019-oopsla/30/Reliable-and-Fast-DWARF-based-Stack-Unwinding
- The contents of DWARF sections - https://eli.thegreenplace.net/2011/12/26/the-contents-of-dwarf-sections
- Using COMDAT Sections to Reduce the Size of DWARF Debug Information - https://gcc.gnu.org/wiki/DwarfSeparateTypeInfo
- Where are your symbols, debuginfo and sources? - https://gnu.wildebeest.org/blog/mjw/2016/02/02/where-are-your-symbols-debuginfo-and-sources/
- Writing a Linux Debugger Part 4: Elves and dwarves - https://blog.tartanllama.xyz/writing-a-linux-debugger-elf-dwarf/
- Compressed debug sections
- 2022; MaskRay (Fangrui Song)
- https://maskray.me/blog/2022-01-23-compressed-debug-sections
- zstd compressed debug sections
- 2022; MaskRay (Fangrui Song)
- https://maskray.me/blog/2022-09-09-zstd-compressed-debug-sections
- dareog: ORC meets DWARF - https://github.com/emersion/dareog
- Debug Frame Checking: Check
.eh_frameand.debug_frameinformation - dsymutil - manipulate archived DWARF debug symbol files
- DWARF Explorer - a GUI utility for navigating the DWARF debug information
- dwarfexport: Export dwarf debug information from IDA Pro - https://github.com/ALSchwalm/dwarfexport
- dwarfidl: Language, library and tools for DWARF-described interfaces - https://github.com/stephenrkell/dwarfidl
- dwgrep: a tool, an associated language (Zwerg), and a library (libzwerg) for querying Dwarf (debuginfo) graphs
- project: https://github.com/pmachata/dwgrep
- syntax: http://pmachata.github.io/dwgrep/syntax.html
- tutorial: http://pmachata.github.io/dwgrep/tutorial.html
- website: http://pmachata.github.io/dwgrep/
- dwz: DWARF optimization and duplicate removal tool
- gimli: A lazy, zero-copy parser for the DWARF debugging format
- https://github.com/gimli-rs/gimli
- Speeding Up
dwarfdumpWith Rust - https://robert.ocallahan.org/2018/03/speeding-up-dwarfdump-with-rust.html
- libbacktrace: A C library that may be linked into a C/C++ program to produce symbolic backtraces
- As of September 2016, libbacktrace only supports ELF and PE/COFF executables with DWARF debugging information. The library is written to make it straightforward to add support for other object file and debugging formats.
- https://github.com/ianlancetaylor/libbacktrace
- https://github.com/gcc-mirror/gcc/tree/master/libbacktrace
- libdwarf - DWARF debugging information - https://sourceforge.net/projects/libdwarf/
- Libdwarf And Dwarfdump - http://wiki.dwarfstd.org/index.php?title=Libdwarf_And_Dwarfdump
- Libdwarf: Library to provide access to DWARF debugging information
- Libdwarf meta repository that combines libdwarf with its dependency libelf
- https://github.com/avast-tl/libdwarf
- libdwarfpp: A high-level API for accessing DWARF debugging information in C++
- libdwarfw: A C library to write DWARF debugging information
- llvm-dwarfdump - dump and verify DWARF debug information
- llvm-locstats - calculate statistics on DWARF debug location
- Pahole and the dwarves: Debugging Information Manipulation Tools
- https://git.kernel.org/pub/scm/devel/pahole/pahole.git/
- https://github.com/acmel/dwarves
- https://www.spinics.net/lists/dwarves/
- The 7 dwarves: debugging information beyond gdb - https://landley.net/kdocs/ols/2007/ols2007v2-pages-35-44.pdf
- Poke-a-hole and friends - https://lwn.net/Articles/335942/
- pahole and other DWARF2 utilities - https://lwn.net/Articles/206805/
- How to avoid wasting megabytes of memory a few bytes at a time - https://developers.redhat.com/blog/2016/06/01/how-to-avoid-wasting-megabytes-of-memory-a-few-bytes-at-a-time/
- read-dwarf: a tool for exploring, symbolically executing, and validating ELF binaries generated from C, using DWARF debugging information
- structhole: Look for holes in structs by examining DWARF debugging output - https://github.com/cemeyer/structhole
- I Embedded a Programming Language In Debug Information
- Pure Virtual C++ 2024
- Sy Brand (TartanLlama)
- https://www.youtube.com/watch?v=luogje8IHpM
- dwarbf: A Brainfuck interpreter written in DWARF debug information
- Reliable Stack Traces, the Reality of Myth: DWARF Stack Unwinding and other stories
- DWARF v5 Highlights - Why You Care
- 2018 LLVM Developers’ Meeting; Paul Robinson
- https://www.youtube.com/watch?v=2Pb00xz8uH8
- FOSDEM 2018 - Debugging Tools
- DWARF Pieces And Other DWARF Location Woes
- Andreas Arnez
- https://fosdem.org/2018/schedule/event/dwarfpieces/
- DWARF5 and GNU extensions
- Rust versus DWARF versus LLVM
- DWARF Pieces And Other DWARF Location Woes
- Build-ids, symbols and debuginfo tooling BoF
- GNU Tools Cauldron 2017; Mark Wielaard
- https://slideslive.com/38902681/buildids-symbols-and-debuginfo-tooling-bof
- Consistent Views at Recommended Breakpoints (bis)
- GNU Tools Cauldron 2017; Alexandre Oliva
- https://slideslive.com/38902686/consistent-views-at-recommended-breakpoints-bis
- Related post: https://developers.redhat.com/blog/2017/07/11/statement-frontier-notes-and-location-views/
- Debugging Debug Information
- Workshop on Software Correctness and Reliability 2017; Francesco Zappa Nardelli
- https://www.youtube.com/watch?v=lBJIrGgEP1A
- Tales from Binary Formats (ENTROPY 2018 slides) - https://entropy2018.sciencesconf.org/data/nardelli.pdf
- Cheap generation of debugging information
- Journées Compilation 2016; Xavier Leroy
- http://pauillac.inria.fr/~xleroy/talks/Compilation-2016.pdf
- Debugging debuggers!! (Symbolic Debugging with DWARF)
- Fixing LTO Debug Information
- GNU Tools Cauldron 2016; Richard Biener
- https://www.youtube.com/watch?v=xtm7DxDG5js
- https://gcc.gnu.org/wiki/cauldron2016?action=AttachFile&do=view&target=Cauldron2016-LTOEarlyDebug.pdf
- DWARF What Should GCC Tell GDB
- GNU Tools Cauldron 2013; Michael Eager
- https://www.youtube.com/watch?v=2aWmp5FXLb0
- Dwarf Oriented Programming - Overwriting the Exception Handling Cache Pointer
- DEFCON 20; Rodrigo Rubira Branco, James Oakley, Sergey Bratus
- https://www.youtube.com/watch?v=FjjTZatJ3ao
- https://www.defcon.org/images/defcon-20/dc-20-presentations/Branco-Oakley-Bratus/DEFCON-20-Branco-Oakley-Bratus-Dwarf-Oriented-Programming.pdf
- Exploiting the hard-working DWARF: Trojan and Exploit Techniques With No Native Executable Code
- 2011; James Oakley and Sergey Bratus
- http://www.cs.dartmouth.edu/~sergey/battleaxe/
- Slides: http://www.cs.dartmouth.edu/~sergey/battleaxe/hackito_2011_oakley_bratus.pdf
- Report: http://www.cs.dartmouth.edu/reports/TR2011-688.pdf
- Paper: https://www.usenix.org/legacy/event/woot11/tech/final_files/Oakley.pdf
- Video (WOOT'11): https://www.usenix.org/conference/woot11/exploiting-hard-working-dwarf-trojan-and-exploit-techniques-no-native-executable
- Video (Shmoocon 2011): https://www.youtube.com/watch?v=nLH7ytOTYto
- What is new in DWARF5
- GNU Tools Cauldron 2015; Hafiz Abid Qadeer
- https://www.youtube.com/watch?v=Q04ScFDCmyQ&gl=CA
- https://gcc.gnu.org/wiki/cauldron2015?action=AttachFile&do=view&target=Hafiz+Abid+Qadeer_+What+is+new+in+DWARF5.pdf
- ELF and ABI Standards - Linux Foundation Referenced Specifications - http://refspecs.linuxfoundation.org/elf/
- Awesome ELF Resources: ELF Resources and Links
- ELF101 a Linux executable walkthrough - https://speakerdeck.com/ange/booklet-elf101-a-linux-executable-walkthrough
- ELF Format Cheatsheet
- Executable and Linkable Format: format specification - https://formats.kaitai.io/elf/
- Learning Linux Binary Analysis (2016) - Ryan O'Neill - http://www.bitlackeys.org/#research
- linux-re-101
- References - SkyFree.org - http://www.skyfree.org/linux/references/references.html
- A short note on entrypoint obscuring in ELF binaries
- tmp.0ut Volume 2; February 2022
- s01den
- https://tmpout.sh/2/2.html
- About ELF Auxiliary Vectors - http://articles.manugarg.com/aboutelfauxiliaryvectors
- Analyzing ELF Binaries with Malformed Headers
- Part 1 - Emulating Tiny Programs
- Part 2 - Mapping Program Logic with Qiling and Graphviz
- Part 3 - Automatically Solving a Corrupted Keygenme with angr
- Analyzing The Simplest C++ Program
- Anatomy of an ELF core file - https://www.gabriel.urdhr.fr/2015/05/29/core-file/
- Armouring the ELF: Binary encryption on the UNIX platform
- Phrack Magazine #58 (2001-12-28)
- scut & grugq
- http://www.phrack.org/issues/58/5.html
- https://grugq.github.io/docs/phrack-58-05.txt
- Cheating the ELF: Subversive Dynamic Linking to Libraries - https://grugq.github.io/docs/subversiveld.pdf
- Computer Science from the Bottom Up - https://www.bottomupcs.com/
- Behind the process - https://www.bottomupcs.com/chapter07.xhtml
- Dynamic Linking - https://www.bottomupcs.com/chapter08.xhtml
- Constructing the ELF - A Magnetized Needle and a Steady Hand - http://nullprogram.com/blog/2016/11/17/
- Custom ELF program headers—what, why and how - http://www.cl.cam.ac.uk/~srk31/blog/2017/02/14/
- Rag-bag of utilities and scripts that do strange things with ELF files - https://github.com/stephenrkell/elftin/
- Dynamic Linking in ELF - http://dandylife.net/blog/archives/660
- ELF - No Section Header? No Problem - https://em386.blogspot.com/2006/10/elf-no-section-header-no-problem.html
- ELF Binary Mangling
- Part 1: Concepts - https://n0.lol/ebm/1.html
- Part 2: Golfin' - https://n0.lol/ebm/2.html
- Part 3: Weaponization - https://n0.lol/ebm/3.html
- Part 4: Limit Break - https://n0.lol/ebm/4.html
- ELF File Format - http://resources.infosecinstitute.com/elf-file-format/
- ELF hash function may overflow
- ELF Hello World Tutorial
- ELF introspection, robustly and portably - http://www.cl.cam.ac.uk/~srk31/blog/devel/elf-introspection.html
- ELF loading and dynamic linking - https://www.gabriel.urdhr.fr/2015/01/22/elf-linking/
- ELF shared library injection forensics - https://backtrace.io/blog/elf-shared-library-injection-forensics/
- ELF symbol lookup
- ELF: symbol lookup via DT_HASH - https://flapenguin.me/2017/04/24/elf-lookup-dt-hash/
- ELF: better symbol lookup via DT_GNU_HASH - https://flapenguin.me/2017/05/10/elf-lookup-dt-gnu-hash/
- ELF symbol visibility and the perils of name clashing
- ELFs are dorky, Elves are cool - Sergey Bratus and Julian Bangert - PoC||GTFO 00 - https://greatscottgadgets.com/pocorgtfo/pocorgtfo00.pdf
- ELF: From The Programmer's Perspective (1995) - http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.37.8698
- ELF, libelf, compressed sections and elfutils - https://gnu.wildebeest.org/blog/mjw/2016/01/13/elf-libelf-compressed-sections-and-elfutils/
- Eli Bendersky - Linkers and loaders - http://eli.thegreenplace.net/tag/linkers-and-loaders
- Load-time relocation of shared libraries - https://eli.thegreenplace.net/2011/08/25/load-time-relocation-of-shared-libraries
- Position Independent Code (PIC) in shared libraries - https://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries
- Position Independent Code (PIC) in shared libraries on x64 - https://eli.thegreenplace.net/2011/11/11/position-independent-code-pic-in-shared-libraries-on-x64
- Library order in static linking - https://eli.thegreenplace.net/2013/07/09/library-order-in-static-linking
- Evolution of the ELF object file format
- 2024; MaskRay (Fangrui Song)
- https://maskray.me/blog/2024-05-26-evolution-of-elf-object-file-format
- Executable and Linkable Format 101
- Part 1: Sections and Segments - http://www.intezer.com/executable-linkable-format-101-part1-sections-segments/
- Part 2: Symbols - http://www.intezer.com/executable-linkable-format-101-part-2-symbols/
- Part 3: Relocations - https://www.intezer.com/executable-and-linkable-format-101-part-3-relocations/
- Part 4: Dynamic Linking - https://www.intezer.com/executable-linkable-format-101-part-4-dynamic-linking/
- Exploiting ELF Expansion Variables - https://backtrace.io/blog/exploiting-elf-expansion-variables/
- Generating executable files from scratch - https://github.com/cameronswinoga/yabfc/wiki/Generating-executable-files-from-scratch
- GNU Hash ELF Sections
- Good Practices in Library Design, Implementation, and Maintenance - https://www.akkadia.org/drepper/goodpractice.pdf
- Have fun with LIEF and Executable Formats - Play with ELF symbols - Part 2 (renaming dynamic symbols) - https://blog.quarkslab.com/have-fun-with-lief-and-executable-formats.html#elf
- How is a binary executable organized? Let's explore it! - https://jvns.ca/blog/2014/09/06/how-to-read-an-executable/
- How To Write Shared Libraries - https://www.akkadia.org/drepper/dsohowto.pdf
- I/O patterns on ELF binary initialization - https://glandium.org/blog/?p=1016
- Improving binary layout for progressive decompression (2011) - https://glandium.org/blog/?p=2320
- In-Memory-Only ELF Execution (Without tmpfs) - https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
- In the lands of corrupted elves: Breaking ELF software with Melkor fuzzer - https://www.blackhat.com/docs/us-14/materials/arsenal/us-14-Hernandez-Melkor-Slides.pdf
- Introduction to the ELF Format
- Part I: The ELF Header - https://blog.k3170makan.com/2018/09/introduction-to-elf-format-elf-header.html
- Part II: Understanding Program Headers - https://blog.k3170makan.com/2018/09/introduction-to-elf-format-part-ii.html
- Part III: The Section Headers - https://blog.k3170makan.com/2018/09/introduction-to-elf-file-format-part.html
- Part IV: Exploring Section Types and Special Sections - https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-iv.html
- Part V: Understanding C start up .init_array and .fini_array sections - https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-v.html
- Part VI(1): The Symbol Table and Relocations - https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-vi.html
- Part VI(2): The Symbol Table and Relocations - https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-vi_18.html
- Part VI(3): More Relocation tricks - r_addend execution - https://blog.k3170makan.com/2018/10/introduction-to-elf-format-part-vi-more.html
- Part VII: Dynamic Linking / Loading and the .dynamic section - https://blog.k3170makan.com/2018/11/introduction-to-elf-format-part-vii.html
- Inside ELF Symbol Tables
- Linux Internals - Dynamic Linking Wizardry - https://0x00sec.org/t/linux-internals-dynamic-linking-wizardry/1082
- Linux Internals - The Art Of Symbol Resolution - https://0x00sec.org/t/linux-internals-the-art-of-symbol-resolution/1488
- Making our own executable packer
- What's in a Linux executable? - https://fasterthanli.me/blog/2020/whats-in-a-linux-executable/
- Running an executable without exec - https://fasterthanli.me/blog/2020/running-an-executable-without-exec/
- Position-independent code - https://fasterthanli.me/blog/2020/position-independent-code/
- ELF relocations - https://fasterthanli.me/blog/2020/elf-relocations/
- The simplest shared library - https://fasterthanli.me/blog/2020/the-simplest-shared-library/
- Loading multiple ELF objects - https://fasterthanli.me/blog/2020/loading-multiple-elf-objects/
- Dynamic symbol resolution - https://fasterthanli.me/blog/2020/dynamic-symbol-resolution/
- Dynamic linker speed and correctness - https://fasterthanli.me/blog/2020/dynamic-linker-speed-and-correctness/
- GDB scripting and Indirect functions - https://fasterthanli.me/blog/2020/gdb-scripting-and-indirect-functions/
- Safer memory-mapped structures - https://fasterthanli.me/blog/2020/safer-memory-mapped-structures/
- More ELF relocations - https://fasterthanli.me/blog/2020/more-elf-relocations/
- A no_std Rust binary - https://fasterthanli.me/blog/2020/a-no-std-rust-binary/
- Thread-local storage - https://fasterthanli.me/blog/2020/thread-local-storage/
- Modern ELF Infection Techniques of SCOP Binaries
- PoC||GTFO 0x20, January 2020; Ryan "ElfMaster" O'Neill
- https://archive.org/details/pocorgtfo20/page/n44/mode/1up?view=theater
- Palindromic 64 bit ELF binaries
- Position Independent Executables - https://blog.fpmurphy.com/2008/06/position-independent-executables.html
- Programming With Ones and Zeros
- Part 1 - http://www.hanshq.net/ones-and-zeros.html
- Ones and Zeros, Part 2: Making Executable Files - http://www.hanshq.net/making-executables.html
- RE a 64bit ELF binary - Devil’s swapper write-up - https://0x00sec.org/t/re-a-64bit-elf-binary-devils-swapper-write-up/2379
- Relocations in ELF Toolchains - https://www.sifive.com/blog/2017/08/21/all-aboard-part-2-relocations/
- Resolving ELF Relocation Name / Symbols - https://em386.blogspot.com/2006/10/resolving-elf-relocation-name-symbols.html
- Secure Code Partitioning With ELF binaries (SCOP) - http://bitlackeys.org/papers/secure_code_partitioning_2018.txt
- Special sections in Linux binaries - https://lwn.net/Articles/531148/
- The 101 of ELF Binaries on Linux: Understanding and Analysis - https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/
- The Anatomy of an Executable - dissection of a simple "hello world" ELF binary - https://github.com/mewrev/dissection
- The Cerberus ELF Interface - http://phrack.org/issues/61/8.html
- The Cost Of ELF Symbol Hashing
- The ELF Object File Format by Dissection (1995) - http://www.linuxjournal.com/article/1060
- The Executable and Linkable Format (ELF)
- The missing link: explaining ELF static linking, semantically - Stephen Kell, Dominic P. Mulligan, Peter Sewell - OOPSLA 2016
- Uncovering a few SIGSEGVs in binutils' BFD and GLIBC
- Understanding Linux ELF RTLD internals - http://s.eresi-project.org/inc/articles/elf-rtld.txt
- Understanding the Memory Layout of Linux Executables - https://gist.github.com/CMCDragonkai/10ab53654b2aa6ce55c11cfc5b2432a4
- 'Weird Machine' patterns - https://www.researchgate.net/publication/283630248_%27Weird_Machine%27_patterns
- Writing shared libraries - http://plan99.net/~mike/writing-shared-libraries.html
- Compressed arbitrary sections
- This article describes SHF_ALLOC|SHF_COMPRESSED sections in ELF and a proposed linker option --compress-sections to compress arbitrary sections.
- https://maskray.me/blog/2023-07-07-compressed-arbitrary-sections
- Linux/ELF .eh_frame from the bottom up
- 2024-02-13
- Pete Cawley
- https://www.corsix.org/content/elf-eh-frame
- How programs get run: ELF binaries - https://lwn.net/Articles/631631/
- How statically linked programs run on Linux - https://eli.thegreenplace.net/2012/08/13/how-statically-linked-programs-run-on-linux
- How to execute an object file
- Part 1: Calling a simple function without linking: https://blog.cloudflare.com/how-to-execute-an-object-file-part-1/
- Part 2: Handling relocations: https://blog.cloudflare.com/how-to-execute-an-object-file-part-2/
- Part 3: Dealing with external libraries: https://blog.cloudflare.com/how-to-execute-an-object-file-part-3/
- https://github.com/cloudflare/cloudflare-blog/tree/master/2021-03-obj-file
- Linux x86 Program Start Up (dynamically loaded x86 ELF files) - http://dbp-consulting.com/tutorials/debugging/linuxProgramStartup.html
- Running ELF executables from memory
- Executing ELF binary files from memory with memfd_create syscall
- https://www.guitmz.com/running-elf-from-memory/
- The Design and Implementation of Userland Exec
- 2004; the grugq - https://grugq.github.io/docs/
- https://grugq.github.io/docs/ul_exec.txt
- Building an ELF Parser with Frida
- ELF Parsing Bugs by Example with Melkor Fuzzer
- Some ELF Parser Bugs
- tmp.0ut Volume 2; February 2022
- netspooky
- https://tmpout.sh/2/3.html
- Targeting File Parsers with S2E and Kaitai Struct - targeted symbolic execution of readelf
- https://adrianherrera.github.io/post/kaitai-s2e/
- 2017; Adrian Herrera
- Weird ELFs, or a tale of breaking parsers once again
- tmp.0ut #003 - 2023-11
- g1inko
- https://tmpout.sh/3/13.html
- A Deep dive into (implicit) Thread Local Storage
- All about thread-local storage
- Android ELF TLS
- ELF Binary Relocations and Thread Local Storage - Stafford Horne
- TLS Examples
- ELF Binaries and Relocation Entries
- Thread Local Storage
- How Relocations and Thread Local Storage are Implemented
- ELF Handling For Thread-Local Storage
- Thread Local Storage (ELF Thread Local Storage ABI)
- TLS Examples
- https://github.com/stffrdhrn/tls-examples
- ELF Binaries and Relocation Entries
- Thread Local Storage
- 84 byte aarch64 ELF
- tmp.0ut Volume 2; February 2022
- netspooky
- https://tmpout.sh/2/14.html
- A small ELF: Small 114 byte x86_64 ELF
- 2021; subvisor
- https://ftp.lol/posts/small-elf.html
- A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux
- Cramming a Tiny Program into a Tiny ELF File: A Case Study
- tmp.0ut Volume 3; 2023-11
- lm978
- https://tmpout.sh/3/22.html
- Smallest x86 ELF Hello World
- 2008; Ryan Henszey
- http://timelessname.com/elfbin/
- Tiny ELF Files: Revisited in 2021
- 2021; Nathan Otterness
- https://nathanotterness.com/2021/10/tiny_elf_modernized.html
- A Technique for Hooking Internal Functions of Dynamically-Linked ELF Binaries
- Bashing ELFs Like a Caveman
- tmp.0ut Volume 2; February 2022
- RiS
- https://tmpout.sh/2/12.html
- Honey, I Shrunk the ELFs: Lightweight Binary Tailoring of Shared Libraries
- EMSOFT 2019
- ACM Transactions on Embedded Computing Systems (TECS) 18, 5s, Article 102 (October 2019)
- Andreas Ziegler, Julian Geus, Bernhard Heinloth, Timo HÖnig, Daniel Lohmann
- https://dl.acm.org/citation.cfm?id=3358222
- https://www4.cs.fau.de/Publications/2019/ziegler_19_emsoft.pdf
- How To Strip An ELF Object Without Fully Understanding It
- Inserting Debugging Instrumentation into an Internal Function Using Redirect-to-PLT
- Tweaking binaries with elfedit
- ABI Dumper - a tool to dump ABI of an ELF object containing DWARF debug info - https://github.com/lvc/abi-dumper
- abidiff - compares the Application Binary Interfaces (ABI) of two shared libraries in ELF format
- https://sourceware.org/libabigail/manual/abidiff.html
- Comparing ABIs for Compatibility with libabigail – Part 1 - https://developers.redhat.com/blog/2014/10/23/comparing-abis-for-compatibility-with-libabigail-part-1/
- Comparing ABIs for Compatibility with libabigail – Part 2 - https://developers.redhat.com/blog/2014/10/28/comparing-abis-for-compatibility-libabigail-part-2/
- Talk: Libabigail: How semantic analysis of C and C++ ELF binaries can be used to analyze ABI changes (openSUSE Conference 2017)
- binception: Generate hash values for functions within an ELF binary - https://github.com/enferex/binception
- binch: a light BINary patCH tool - https://github.com/tunz/binch
- Binsider
- Binsider offers powerful static and dynamic analysis tools, similar to readelf(1) and strace(1). It lets you inspect strings, examine linked libraries, and perform hexdumps, all within a user-friendly TUI.
- https://github.com/orhun/binsider
- core2ELF64: Recover 64 bit ELF executables from memory dump
- dnload: Minimal binary generator for *nix operating systems
- dnload.py is a script for generating minimal ELF binaries from C code. It serves no practical real-world use case, but can be utilized to aid in the creation of size-limited demoscene productions.
- https://github.com/faemiyah/dnload
- dress: add symbols back into a stripped ELF binary (~strip)
- drow: Utility for patching ELF files post-build
- dt_infect: ELF Shared library injector using DT_NEEDED precedence infection. Acts as a permanent LD_PRELOAD
- DynELFSymbols: Helps to create backdoor/MitM shared-object files
- dynStruct: a tool using dynamoRio to monitor memory accesses of an ELF binary via a data gatherer, and use this data to recover structures of the original code
- https://github.com/ampotos/dynStruct
- dynStruct: An automatic reverse engineering tool for structure recovery and memory use analysis - Daniel Mercier - Master Thesis (2017)
- dynStruct: An automatic reverse engineering tool for structure recovery and memory use analysis - Mercier, Daniel and Chawdhary, Aziem and Jones, Richard E. (2017), IEEE 24th International Conference on Software Analysis, Evolution and Reengineering (SANER)
- ECFS: extended core file snapshot format
- https://github.com/elfmaster/ecfs
- DEF CON 23 - Ryan Oneill - Advances in Linux Process Forensics Using ECFS - https://www.youtube.com/watch?v=fCJJnJ84MSE
- an extension to the existing ELF core file format in Linux. Its job is to intercept the Linux core-dump handler, catch the core-dump before it is written to disk, and carefully reconstruct it into an ecfs-core file.
- execute memory snapshots so they can start running where they left off - https://github.com/elfmaster/ecfs_exec
- elf-bf-tools - https://github.com/bx/elf-bf-tools
- This project contains tools that can be used to coerce the gcc's runtime loader into performing interesting operations using only valid relocation entries and symbols.
- ELF Parser: Cross Platform ELF analysis
- https://github.com/jacob-baines/elfparser
- elfparser-ng: Multiplatform CLI and GUI tool to show information about ELF files
- elf-parser: identifying/extracting various sections of an ELF file
- elf-strings: The better strings utility for the reverse engineer - https://github.com/LloydLabs/elf-strings
- ELF/PaX Utilities - https://github.com/gentoo/pax-utils
- https://en.wikibooks.org/wiki/Grsecurity/Additional_Utilities
- scanelf - Prints out information specific to the ELF structure of a binary - https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities#Extracting_ELF_information_from_binaries
- dumpelf - Converts a ELF file into human readable C code that defines a structure with the same image as the original ELF file - https://wiki.gentoo.org/wiki/Hardened/PaX_Utilities#Programming_with_ELF_files
- ELF Tailoring (EMSOFT 2019)
- see: ELF: Readings: "Honey, I Shrunk the ELFs: Lightweight Binary Tailoring of Shared Libraries"
- https://gitlab.cs.fau.de/i4/pub/elftailor
- ELF diet: Tool to shrink the tailored ELF files to a smaller size
- remove_from_elf: Tool to remove functions from ELF library interfaces and to overwrite their implementation
- librarytrader: Tool for static and dynamic analysis of dependencies between application(s) and shared libraries which allows us to determine unused functions
- ELF Tool Chain Project - https://sourceforge.net/projects/elftoolchain/
- A BSD-licensed implementation of compilation tools (nm, ar, as, ld, etc.) for the ELF object format.
- ELFbac: runtime intent-level ABI-granular memory protection for Linux - http://elfbac.org/
- ELFen: Extract and spell check read-only strings within ELF binaries - https://github.com/enferex/ELFen
- Elfesteem: Executable file format parser/generator - https://github.com/serpilliere/elfesteem
- ElfFrag: Binary Debloating of ELF binaries
- Elfhack: to optimize ELF binaries for size and cold startup speed - https://github.com/mozilla/positron/tree/master/build/unix/elfhack
- ELFIO - ELF (Executable and Linkable Format) reader and producer implemented as a header only C++ library
- ELFkickers (ebfc, elfls, elftoc, infect, objres, rebind, sstrip) - http://www.muppetlabs.com/~breadbox/software/elfkickers.html
- Elfkit: Rust ELF parsing, manipulation, and (re)linking toolkit - https://github.com/aep/elfkit
- ELFManip: Modify ELF executables - https://github.com/schieb/ELFManip
- elfutils
- a collection of utilities and libraries to read, create and modify ELF binary files, find and handle DWARF debug data, symbols, thread state and stacktraces for processes and core files on GNU/Linux
- https://sourceware.org/elfutils/
- ELFXtract: an automated analysis tool used for enumerating ELF binaries
- Exodus - a tool that makes it easy to successfully relocate Linux ELF binaries from one system to another
- GNU Binary Utilities - https://sourceware.org/binutils/docs/binutils/
- elfedit: Update the ELF header of ELF files - https://sourceware.org/binutils/docs/binutils/elfedit.html
- nm: List symbols from object files - https://sourceware.org/binutils/docs/binutils/nm.html
- objdump: Display information from object files - https://sourceware.org/binutils/docs/binutils/objdump.html
- readelf: Display the contents of ELF format files - https://sourceware.org/binutils/docs/binutils/readelf.html
- size: List section sizes and total size - https://sourceware.org/binutils/docs/binutils/size.html
- examples:
- https://mcuoneclipse.com/2012/09/24/code-size-information-with-gcc-for-armkinetis/
- https://mcuoneclipse.com/2013/04/14/text-data-and-bss-code-and-data-size-explained/
- http://www.geeksforgeeks.org/memory-layout-of-c-program/
- http://cs-fundamentals.com/c-programming/memory-layout-of-c-program-code-data-segments.php#size-of-code-data-bss-segments
- examples:
- 9 essential GNU binutils tools - https://opensource.com/article/19/10/gnu-binutils
- GNU Binutils: the ELF Swiss Army Knife - https://interrupt.memfault.com/blog/gnu-binutils
- HoloDec: Decompiler for x86 and x86-64 ELF binaries - https://github.com/cararasu/holodec
- Lepton: a Lightweight ELF Parsing Tool
- designed specifically for analyzing and editing binaries with damaged or corrupted ELF headers
- https://github.com/BinaryResearch/lepton
- Libelf - ELF object file access library - http://www.mr511.de/software/english.html
- libelf-howto - http://chris.rohlf.googlepages.com/libelf-howto.c
- Libelf.js: LibELF port for JavaScript - https://github.com/AlexAltea/libelf.js
- Libelfin: C++11 ELF/DWARF parser - a from-scratch C++11 library for reading ELF binaries and DWARFv4 debug information - https://github.com/aclements/libelfin
- libelfmaster: Secure ELF parsing library
- https://github.com/elfmaster/libelfmaster
- libelfmaster_examples - https://github.com/elfmaster/libelfmaster_examples
- readelfmaster: A reimplementation of GNU readelf
- LibGolf: A Library for Binary Golf
- This library helps with Binary Golf. The idea is to get out of your way as soon as possible, and you let you get straight to customizing fields within the ELF and Program header.
- https://github.com/xcellerator/libgolf
- Dead Bytes
- tmp.0ut Volume 1 - April 2021; xcellerator
- https://tmpout.sh/1/1.html
- machine-code: Assemblers, disassemblers, & ELF stuff
- tools that relate to machine code and object formats; for all architectures
- libraries for working with binary code: assembly, disassembly, instruction tables, object formats, and related areas
- https://gitlab.com/weinholt/machine-code
- Mandibule: Linux ELF injector for x86 / x86_64 / arm / arm64
- Doesn't use
dlopenand can inject into statically linked targets by mapping manually the ELF in memory from syscalls only - https://github.com/ixty/mandibule
- Doesn't use
- Melkor - An ELF File Format Fuzzer - https://github.com/IOActive/Melkor_ELF_Fuzzer
- objdump beautifier - https://github.com/diouziou/bod
- Supported Targets: elf32-littlearm, elf32-tradlittlemips, elf32-i386, elf64-x86-64
- PatchELF: A small utility to modify the dynamic linker and RPATH of ELF executables
- patchkit - https://github.com/lunixbochs/patchkit
- Patches an ELF binary using one or more simple Python scripts.
- pyelftools: Pure-python library for parsing ELF and DWARF - https://github.com/eliben/pyelftools
- smol: Shoddy minsize-oriented linker
- https://github.com/Shizmob/smol
- Intricacies of sizecoding on Linux - Revision 2019 Seminar
- sqlelf: Explore ELF objects through the power of SQL
- A tool that utilizes SQLite's virtual table functionality to allow you to explore Linux ELF objects through SQL
- https://github.com/fzakaria/sqlelf
- Stasis: build static position-independant-executables without any runtime requirements (no libc or ldso)
- syms2elf: a plugin to export the symbols recognized to the ELF symbol table
- Hex-Ray's IDA Pro and radare2 - https://github.com/danigargu/syms2elf
- Binary Ninja - https://github.com/monosource/syms2elf
- The ERESI Reverse Engineering Software Interface: ELFsh (ELF shell), Embedded ELF Debugger (e2dbg)
- http://www.eresi-project.org
- https://github.com/thorkill/eresi
- https://github.com/thorkill/eresi/wiki/EresiArticles
- Next-Generation Debuggers For Reverse Engineering:
- https://www.blackhat.com/presentations/bh-europe-07/ERSI/Presentation/bh-eu-07-ersi-apr19.pdf
- https://www.blackhat.com/presentations/bh-europe-07/ERSI/Whitepaper/bh-eu-07-ersi-WP-apr19.pdf
- https://www.ekoparty.org/archivo/2007/eko3-Julio%20Auto%20-%20Next-Generation%20Debuggers%20For%20Reverse%20Engineering.pdf
- Vtable-Dumper - a tool to list content of virtual tables in a C++ shared library - https://github.com/lvc/vtable-dumper
- elfloader: An architecture-agnostic ELF file flattener for shellcode
- elfloader is a super simple loader for ELF files that generates a flat in-memory representation of the ELF.
- This allows you to turn any ELF into shellcode, or a simpler file format that is easier to load in hard-to-reach areas, like embedded devices.
- https://github.com/gamozolabs/elfloader
- ELF Loading: A Deep Dive Into Runtime Linking
- Denver C++ Meetup 2024-09
- Andrew Kaster
- https://www.youtube.com/watch?v=IY1FwkFu44E
- How Linux ELF Symbols Work and How They Are Used in C++ and C Programming
- In-depth: ELF - The Extensible & Linkable Format
- ELF Crafting: Uncovering Advanced Anti-analysis techniques for the Linux Platform
- r2con2019; Nacho Sanmillan (ulexec)
- https://www.youtube.com/watch?v=adYOSO0tn9M
- https://github.com/radareorg/r2con2019/tree/master/talks/elf_crafting
- Executable Code Golf: Making Tiny Binaries for Constrained Systems
- linux.conf.au 2019; Nathan Egge
- https://www.youtube.com/watch?v=J5WX-wN_RKY
- https://2019.linux.conf.au/schedule/presentation/160/
- XLINK compressing linker
- Objtool: A Hidden Gem of Executable Parsing
- DevConf.US 2019; Matt Helsley
- https://www.youtube.com/watch?v=I7srCw-Ns7Y
- C++ in Elvenland
- The Bits Between the Bits: How We Get to main()
- CppCon 2018; Matt Godbolt
- https://www.youtube.com/watch?v=dOfucXtyEsU
- Slides: https://mattgodbolt.github.io/cppcon-bits-between-bits/
- ELF linking: what it means and why it matters
- 2017; Stephen Kell
- https://www.cl.cam.ac.uk/~srk31/research/talks/kell17elf-slides.pdf
- Everything You Always Wanted to Know About "Hello, World"* (*But Were Afraid To Ask)
- LLD from a user's perspective
- Intra-Process Memory Protection for Applications on ARM and X86: Leveraging the ELF ABI
- BlackHat USA 2016; Sergey Bratus & Maxwell Koo & Julian Bangert
- https://www.youtube.com/watch?v=YXh2aIc9u64
- Slides: http://www.cs.dartmouth.edu/~sergey/io/elfbac/bh16-elfbac-slides.pdf
- Whitepaper: http://www.cs.dartmouth.edu/~sergey/io/elfbac/bh16-elfbac-whitepaper.pdf
- New LLD linker for ELF
- 2016 EuroLLVM Developers' Meeting; Rui Ueyama
- https://www.youtube.com/watch?v=CYCRqjVa6l4
- https://llvm.org/devmtg/2016-03/Presentations/EuroLLVM%202016-%20New%20LLD%20linker%20for%20ELF.pdf
- Dark Side of the ELF
- DEF CON 23 (2015); Alessandro Di Federico, Yan Shoshitaishvili
- https://www.youtube.com/watch?v=aGoDYa7Kbec
- How the ELF Ruined Christmas
- USENIX Security Symposium 2015
- Alessandro Di Federico, Amat Cama, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna
- https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/di-frederico
- https://sites.cs.ucsb.edu/~chris/research/doc/usenix15_elf.pdf
- leakless: Function redirection via ELF tricks
- ABIs, linkers and other animals
- 2014; Stephen Kell
- https://www.cl.cam.ac.uk/~srk31/research/talks/kell14abis-slides.pdf
- ELF Eccentricities
- CONFidence 2013; Julian Bangert, Sergey Bratus
- https://www.youtube.com/watch?v=4LU6N6THh2U
- https://infocon.org/cons/CONFidence/CONFidence%202013/presentations/julian_bangert_sergey_bratus.pdf
- Any Input Is a Program Weird Machines in ABI
- CONFidence 2013; Rebecca Bx Shapiro, Julian Bangert, Sergey Bratus
- https://www.youtube.com/watch?v=crt5gxOoUuM
- https://infocon.org/cons/CONFidence/CONFidence%202013/presentations/julian_bangert_rebecca_shapiro_sergey_bratus.pdf
- "Weird Machines" in ELF: A Spotlight on the Underappreciated Metadata
- USENIX Workshop on Offensive Technologies (WOOT) 2013
- Rebecca Shapiro, Sergey Bratus, Sean W. Smith
- https://www.usenix.org/conference/woot13/workshop-program/presentation/shapiro
- http://www.cs.dartmouth.edu/~sergey/wm/woot13-shapiro.pdf
- https://www.youtube.com/watch?v=6xbirzvr-mQ
- Programming Weird Machines with ELF Metadata
- DEF CON 20 (2012); Rebecca "bx" Shapiro, Sergey Bratus
- https://www.youtube.com/watch?v=V5KsUm1KfZE
- https://www.youtube.com/watch?v=YgtxxLCVD-o
- http://cs.dartmouth.edu/~bx/elf-bf-tools/slides/elf-defcon20.pdf
- The Care and Feeding of Weird Machines Found in Executable Metadata
- 29C3 (2012); Rebecca “bx” Shapiro, Sergey Bratus
- https://media.ccc.de/v/29c3-5195-en-executable_metadata_h264
- https://www.youtube.com/watch?v=57UtbZGEEQA
- http://www.cs.dartmouth.edu/~bx/elf-bf-tools/slides/ELF-29c3.pdf
- Mach-O Runtime Architecture - http://math-atlas.sourceforge.net/devel/assembly/MachORuntime.pdf
- Mach-O Programming Topics - https://developer.apple.com/library/content/documentation/DeveloperTools/Conceptual/MachOTopics/0-Introduction/introduction.html
- OS X ABI Mach-O File Format Reference
- osx-re-101 - https://github.com/michalmalik/osx-re-101
- Reverse Engineering/Mac OS X - https://en.wikibooks.org/wiki/Reverse_Engineering/Mac_OS_X
- The Apple Compact Unwinding Format: Documented and Explained
- Basics of the Mach-O file format - https://samhuri.net/posts/2010/01/basics-of-the-mach-o-file-format/
- Dynamic Linking: ELF vs. Mach-O - http://timetobleed.com/dynamic-linking-elf-vs-mach-o/
- Dynamic Linking of Imported Functions in Mach-O
- Dynamic symbol table duel: ELF vs Mach-O, round 2 - http://timetobleed.com/dynamic-symbol-table-duel-elf-vs-mach-o-round-2/
- DYLD Detayled - The internals of DYLD, the dynamic linker, and the
__LINKEDITsection - http://newosxbook.com/articles/DYLD.html - Extracting libraries from dyld_shared_cache - https://worthdoingbadly.com/dscextract/
- Friday Q&A 2012-04-27: PLCrashReporter and Unwinding the Stack With DWARF - https://www.mikeash.com/pyblog/friday-qa-2012-04-27-plcrashreporter-and-unwinding-the-stack-with-dwarf.html
- Friday Q&A 2012-05-04: PLCrashReporter and Unwinding the Stack With DWARF, Part 2 - https://www.mikeash.com/pyblog/friday-qa-2012-05-04-plcrashreporter-and-unwinding-the-stack-with-dwarf-part-2.html
- Friday Q&A 2012-11-09: dyld: Dynamic Linking On OS X - https://www.mikeash.com/pyblog/friday-qa-2012-11-09-dyld-dynamic-linking-on-os-x.html
- Friday Q&A 2012-11-30: Let's Build A Mach-O Executable - https://www.mikeash.com/pyblog/friday-qa-2012-11-30-lets-build-a-mach-o-executable.html
- Having Fun with Obfuscated Mach-O Files - https://www.pnfsoftware.com/blog/having-fun-with-obfuscated-mach-o-files/
- Hello Mach-O: Dissection of minimal Intel 32-bits, 204 bytes, Mach-O "Hello World" executable file - https://seriot.ch/projects/hello_macho.html
- Mach-O Binaries - http://www.m4b.io/reverse/engineering/mach/binaries/2015/03/29/mach-binaries.html
- Mach-O Executables - https://www.objc.io/issues/6-build-tools/mach-o-executables/
- MacOS Dylib Injection through Mach-O Binary Manipulation
- Parsing Mach-O files - https://lowlevelbits.org/parsing-mach-o-files/
- Playing with Mach-O binaries and dyld
- Redirection of Imported Functions in Mach-O - https://www.codeproject.com/Articles/187192/Redirection-of-Imported-Functions-in-Mach-O
- Running Executables on macOS From Memory - https://blog.cylance.com/running-executables-on-macos-from-memory
- Runtime binary loading via the dynamic loader on Apple Mac OS X - http://www.subreption.com/blog/2009/02/runtime-binary-loading-via-the-dynamic-loader-on-apple-mac-os-x.html
- The Mach-O Transition: Darling in the Past 5 Years - http://blog.darlinghq.org/2017/02/the-mach-o-transition-darling-in-past-5.html
- cctools-port: Apple cctools port for Linux, *BSD and Windows (Cygwin)
- fishhook: A library that enables dynamically rebinding symbols in Mach-O binaries running on iOS
- This provides functionality that is similar to using DYLD_INTERPOSE on OS X
- https://github.com/facebook/fishhook
- jtool: (Mach-O Analyzer) - http://www.newosxbook.com/tools/jtool.html
- llvm-otool: Mach-O dumping tool
- MacDependency: shows all dependent libraries and frameworks of a given executable, dynamic library or framework on Mac OS X
- mach_override: runtime function overriding for Mac OS X - https://github.com/rentzsch/mach_override
- MachoAnalysis: collection of analysis utils - https://github.com/eeeyes/macho_analysis
- macholibre: Mach-O & Universal Binary Parser - https://github.com/aaronst/macholibre
- Mach-O Libre: Pile Driving Apple Malware with Static Analysis, Big-Data, and Automation - https://www.first.org/resources/papers/conf2016/FIRST-2016-130.pdf
- machO-tools - https://github.com/bx/machO-tools
- macho-unwind-info: A parser for Apple's Compact Unwinding Format used in the __unwind_info section of Mach-O binaries
- MachOExplorer - https://github.com/everettjf/MachOExplorer
- Machotools - "a small set of tools built on top of macholib to retrieve and change informations about mach-o files. Think of it as a pure python, cross-platform implementation of install_name_tool"
- MachOView: a visual Mach-O file browser - https://sourceforge.net/projects/machoview/
- MachOView fork: https://github.com/gdbinit/MachOView
- Maloader: userland Mach-O loader for Linux - https://github.com/shinh/maloader
- XMachOViewer: a Mach-O viewer for Windows, Linux, MacOS
- Demystify Mach-O
- Chaos Communication Camp (CCC) 2023
- Garrigan Stafford
- https://www.youtube.com/watch?v=S9FFzsF0aIA
- https://media.ccc.de/v/camp2023-57032-demystify_mach_o
- Mach-O Tricks
- BaiJiuCon at Mobile Security Conference (MOSEC) 2018
- Luca (@qwertyoruiopz)
- http://iokit.racing/machotricks.pdf
- http://web.archive.org/web/20220428071443/https://iokit.racing/machotricks.pdf
- Mach-O Malware Analysis: Combatting Mac OSX/iOS Malware with Data Visualization
- DEF CON 21 (2013)
- Remy Baumgarten
- https://www.youtube.com/watch?v=7yiTzyt-iRc
- https://infocon.org/cons/DEF%20CON/DEF%20CON%2021/DEF%20CON%2021%20presentations/Remy%20Baumgarten/
- Slides: https://infocon.org/cons/DEF%20CON/DEF%20CON%2021/DEF%20CON%2021%20presentations/Remy%20Baumgarten/DEFCON-21-Baumgarten-Mach-O-Viz.pdf
- Paper: https://infocon.org/cons/DEF%20CON/DEF%20CON%2021/DEF%20CON%2021%20presentations/Remy%20Baumgarten/DEFCON-21-Baumgarten-Mach-O-Viz-WP.pdf
- Video: https://infocon.org/cons/DEF%20CON/DEF%20CON%2021/DEF%20CON%2021%20video%20and%20slides%20x265/DEF%20CON%2021%20Hacking%20Conference%20Presentation%20By%20Remy%20Baumgarten%20-%20Combatting%20Mac%20OSX%20iOS%20Malware%20with%20Data%20Visualization%20-%20Video%20and%20Slides.mp4
- http://macsecurity.net/view/42/
- http://www.securitytube.net/video/9133
- Let your Mach-O fly
(Program Database)
- Binary Rewriting With Syzygy, Pt. I - https://doar-e.github.io/blog/2017/08/05/binary-rewriting-with-syzygy/
- CodeView Debug Info Format - http://llvm.org/docs/SourceLevelDebugging.html#codeview-debug-info-format
- Improving Link Time on Windows with clang-cl and lld - http://blog.llvm.org/2018/01/improving-link-time-on-windows-with.html
- Jan Gray on inventing/implementing PDB files 1990-94 - https://twitter.com/jangray/status/659916997711544320
- LLVM on Windows now supports PDB Debug Info - http://blog.llvm.org/2017/08/llvm-on-windows-now-supports-pdb-debug.html
- PDB File Format - https://github.com/google/syzygy/wiki/PdbFileFormat
- PDB Files: What Every Developer Must Know - https://www.wintellect.com/pdb-files-what-every-developer-must-know
- PDB File Internals - http://www.informit.com/articles/article.aspx?p=22685
- PDB v2.0 File Format documentation - https://reverseengineering.stackexchange.com/questions/2548/pdb-v2-0-file-format-documentation
- radare2 PDB usage - https://github.com/radare/radare2/blob/master/doc/pdb/pdb_usage
- The PDB File Format - https://llvm.org/docs/PDB/
- The PDB Info Stream (aka the PDB Stream) - http://llvm.org/docs/PDB/PdbStream.html
- PDB File Internals - http://www.informit.com/articles/article.aspx?p=22685
- PDB Info Stream - https://www.reddit.com/r/programming/comments/6ukeuk/llvm_on_windows_now_supports_pdb_debug_info/dlvtucx/
- PDB Stream Decomposition - https://moyix.blogspot.com/2007/08/pdb-stream-decomposition.html
- pdbparse - Stream Descriptions wiki - https://code.google.com/archive/p/pdbparse/wikis/StreamDescriptions.wiki
- Symbols the Microsoft Way - https://randomascii.wordpress.com/2013/03/09/symbols-the-microsoft-way/
- The Types Stream - https://moyix.blogspot.com/2007/10/types-stream.html
- What’s inside a PDB File? - https://blogs.msdn.microsoft.com/vcblog/2016/02/08/whats-inside-a-pdb-file/
- crunchersharp
- analyses debugger information file (PDB, so Microsoft Visual C++ only) and presents info about user defined structures (size, padding, etc.)
- https://github.com/msinilo/crunchersharp
- http://msinilo.pl/blog2/post/p425/
- cv2pdb: converter of DMD CodeView/DWARF debug information to PDB files
- Debug Interface Access SDK (DIA SDK) - provides access to debug information stored in PDB files - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-interface-access/debug-interface-access-sdk
- drpdb: Convert from Microsoft PDB format into a MySQL database - https://github.com/briterator/drpdb
- LLVM Jit Pdb: Debugging LLVM JIT code inside Visual Studio with PDB
- llvm-pdbutil - PDB File forensics and diagnostics - https://llvm.org/docs/CommandGuide/llvm-pdbutil.html - https://github.com/llvm-mirror/llvm/tree/master/tools/llvm-pdbutil
- llvm-symbolizer - convert addresses into source code locations - https://llvm.org/docs/CommandGuide/llvm-symbolizer.html - https://github.com/Microsoft/llvm/tree/master/test/tools/llvm-symbolizer/pdb
- MetadataTools:
Various tools and helpers to read assembly metadata - https://github.com/KirillOsenkov/MetadataTools
- Pdb - extract .pdb information from a .dll/.exe debug directory (Pdb Guid, age, path to .pdb); download the .pdb from symbol server; determine if a .dll matches a .pdb; find a matching .pdb in a folder for a given .dll - https://github.com/KirillOsenkov/MetadataTools/tree/master/Pdb
- microsoft-pdb: Information from Microsoft about the PDB format - https://github.com/Microsoft/microsoft-pdb
- MSFViewer - viewing and understanding PDB Multi-Stream File (MSF) data - https://github.com/apoch/epoch-language/tree/master/Tools/MSFViewer
- pdbdownload: A Python script to download PDB files associated with a Portable Executable (PE)
- pdbex: an utility for reconstructing structures and unions from the PDB into compilable C headers
- pdbinfo: displays information about PDB symbol files (timestamp, GUID, and age) - https://github.com/randomascii/tools/tree/master/pdbinfo
- PDBparse - Python code to parse Microsoft PDB files - https://github.com/moyix/pdbparse
- PdbReader & PdbWriter - Common Compiler Infrastructure (CCI) - https://github.com/Microsoft/cci/tree/master/PDBReaderAndWriter
- PDBRipper: an utility to extract an information from PDB files
- RawPDB: A C++17 library for reading Microsoft Program Debug Database PDB files
- resym: Cross-platform tool that allows browsing and extracting C and C++ type declarations from PDB files
- SymDiff: Diff tool for comparing symbols in PDB files
- Syzygy Transformation Toolchain - PDB Module - https://github.com/google/syzygy/tree/master/syzygy/pdb
- Crashing Your Way to Medium-IL: Exploiting the PDB Parser for Privilege Escalation
- CodeView, the MS Debug Info Format in LLVM
- 2016 LLVM Developers’ Meeting
- R. Kleckner
- https://www.youtube.com/watch?v=5twzd06NqGU
- http://www.llvm.org/devmtg/2016-11/Slides/Kleckner-CodeViewInLLVM.pdf
- A dive into the PE file format
- Ahmed Hesham
- Introduction
- Part 1: Overview
- Part 2: DOS Header, DOS Stub and Rich Header
- Part 3: NT Headers
- Part 4: Data Directories, Section Headers and Sections
- Part 5: PE Imports (Import Directory Table, ILT, IAT)
- Part 6: PE Base Relocations
- LAB 1: Writing a PE Parser
- A smallest PE executable (x64) with every byte executed - https://drakopensulo.wordpress.com/2017/08/06/smallest-pe-executable-x64-with-every-byte-executed/
- Abusing undocumented features to spoof PE section headers
- An Analysis of the Windows PE Checksum Algorithm - https://www.codeproject.com/Articles/19326/An-Analysis-of-the-Windows-PE-Checksum-Algorithm
- An In-Depth Look into the Win32 Portable Executable File Format
- Part 1: http://reversingproject.info/wp-content/uploads/2009/05/an_in-depth_look_into_the_win32_portable_executable_file_format_part_1.pdf / http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1
- Part 2: http://reversingproject.info/wp-content/uploads/2009/05/an_in-depth_look_into_the_win32_portable_executable_file_format_part_2.pdf / http://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part2
- Binary offsets, virtual addresses and pefile - https://5d4a.wordpress.com/2017/09/21/binary-offsets-virtual-addresses-and-pefile/
- Calling Arbitrary Functions In EXEs: Performing Calls to EXE Functions Like DLL Exports
- Case studies in Rich Header analysis and hunting (2018-08-09) - http://ropgadget.com/posts/richheader_hunting.html
- Common Object File Format (COFF) - https://support.microsoft.com/en-us/help/121460/common-object-file-format-coff
- Dynamic Reconstruction of Relocation Information for Stripped Binaries
- Research in Attacks, Intrusions and Defenses (RAID) 2014
- Vasilis Pappas, Michalis Polychronakis, Angelos D. Keromytis
- http://www.cs.columbia.edu/~vpappas/papers/reloc.raid14.pdf
- https://www.youtube.com/watch?v=fVIuguG2mw8
- Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage
- https://www.sec.in.tum.de/i20/publications/finding-the-needle-a-study-of-the-pe32-rich-header-and-respective-malware-triage
- https://www.semanticscholar.org/paper/Finding-the-Needle-A-Study-of-the-PE32-Rich-Header-Webster-Kolosnjaji/44adfa896e6598b1723507060126125a0cad39a1
- Rich Header: a collection of the work performed investigating the PE32 Rich Header - https://github.com/HolmesProcessing/RichHeader-Service_Collection
- Fully undetectable backdooring PE files - https://haiderm.com/fully-undetectable-backdooring-pe-files/
- Introducing New Packing Method: First Reflective PE Packer Amber - https://pentest.blog/introducing-new-packing-method-first-reflective-pe-packer/
- Lost in the Loader: The Many Faces of the Windows PE File Format
- International Symposium on Research in Attacks, Intrusions and Defenses (RAID) 2021
- Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti
- https://www.eurecom.fr/en/publication/6603
- https://www.youtube.com/watch?v=yuptIE--UPw
- Microsoft Portable Executable (PE) and Common Object File Format (COFF) Specification - https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547.aspx
- Microsoft's Rich Signature (undocumented) - http://ntcore.com/Files/richsign.htm
- Modern PE Mangling
- PE (corkami wiki) - https://corkamiwiki.github.io/PE - https://github.com/corkami/docs/blob/master/PE/PE.md
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format - https://msdn.microsoft.com/en-us/library/ms809762.aspx
- PeLib Resources about the PE format - http://www.pelib.com/resources.php
- Portable Executable File Corruption Preventing Malware From Running
- What types of obstructions and anomalies in the PE file can make the Windows Portable Executable Image Loader and other PE parsing programs fail to load the file or display an error message?
- https://toddcullumresearch.com/2017/07/16/portable-executable-file-corruption/
- Portable Executable File Format – A Reverse Engineer View - http://www.stonedcoder.org/~kd/lib/CBJ-2005-74.pdf
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format - https://msdn.microsoft.com/en-us/library/ms809762.aspx
- Resource Hacker: a resource editor for 32-bit and 64-bit Windows applications
- Resources: Microsoft Portable Executable and COFF (32-bit and 64-bit) Format - http://bytepointer.com/resources/
- Robust Static Analysis of Portable Executable Malware - Katja Hahn, Master Thesis - https://github.com/katjahahn/PortEx/tree/master/masterthesis
- The sad state of PE parsing - http://lucasg.github.io/2017/04/28/the-sad-state-of-pe-parsing/
- The Undocumented Microsoft "Rich" Header - http://bytepointer.com/articles/the_microsoft_rich_header.htm
- Tiny PE: Creating the smallest possible PE executable - http://www.phreedom.org/research/tinype/
- Undocumented PECOFF - https://media.blackhat.com/bh-us-11/Vuksan/BH_US_11_VuksanPericin_PECOFF_WP.pdf
- Why does a corrupted binary sometimes result in "Program too big to fit in memory"? - https://blogs.msdn.microsoft.com/oldnewthing/20060130-00/?p=32483
- Why does the Windows Portable Executable (PE) format have both an import section and input directory?
- Why does the Windows Portable Executable (PE) format have separate tables for import names and import addresses?
- Why is 0x00400000 the default base address for an executable? - https://blogs.msdn.microsoft.com/oldnewthing/20141003-00/?p=43923
- Adlice PEViewer - https://www.adlice.com/download/roguekillerpe/
- bearparser: Portable Executable parsing library - https://github.com/hasherezade/bearparser
- CFF Explorer - http://www.ntcore.com/exsuite.php
- coff_nm:
nmandaddr2linebut for DI "debug-info" COFF files- prints out function, global, and source line information from a .dbg "DI" COFF debug file
- can handle both DI magic files and CAB (cabinet) files with DI files inside of them
- https://github.com/gamozolabs/coff_nm
- Corkami PE files corpus - https://github.com/corkami/pocs/tree/master/PE
- ExpDiff: Diff tool for comparing export tables in PE images - https://github.com/WalkingCat/ExpDiff
- Five PE Analysis Tools Worth Looking At - https://blog.malwarebytes.com/threat-analysis/2014/05/five-pe-analysis-tools-worth-looking-at/
- libpeconv: A small library for mapping and unmapping PE files
- https://github.com/hasherezade/libpeconv
- Demo: RunPE (Process Hollowing) - https://github.com/hasherezade/libpeconv/tree/master/run_pe
- pe_unmapper: Small tool to convert a PE from a virtual format into a raw format
- https://github.com/hasherezade/libpeconv/tree/master/pe_unmapper
- Malware-Analayzer PE Tools - http://www.malware-analyzer.com/pe-tools
- Manalyze, a static analyzer for PE executables - https://manalyzer.org/ - https://github.com/JusticeRage/Manalyze
- MiTeC EXE Explorer: Executable File Explorer for OS/2, NE, PE32, PE32+ and VxD file types
- pefile: a Python module to read and work with PE (Portable Executable) files - https://github.com/erocarrera/pefile
- PeLib: PE file manipulation library - https://github.com/avast-tl/pelib
- PeRebuilder - https://github.com/AaLl86/retroware
- automatically reconstruct the PE, and save it in a form that the Windows Loader is able to run (fixing the file alignment, relocating each section, fixing the import address table, and so on...)
- pev: The PE file analysis toolkit
- PEview - http://wjradburn.com/software/
- PE Anatomist - PE files internals
- PE Insider - http://cerbero.io/peinsider/
- PE Tools - Portable executable (PE) manipulation toolkit
- Process Viewer, PE files Editor, Dumper, Rebuilder, Comparator, Analyzer
- https://petoolse.github.io/petools/
- https://github.com/petoolse/petools
- PE Tree: Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5.
- Can also be used with IDA Pro to dump in-memory PE files and reconstruct imports.
- https://github.com/blackberry/pe_tree
- PE-bear - https://hshrzd.wordpress.com/pe-bear/
- pe-parse - Principled, lightweight C/C++ PE parser - https://github.com/trailofbits/pe-parse
- PE-sieve: a small tool for investigating inline hooks (and other in-memory code patches)
- pe_recovery_tools: Helper tools for recovering dumped PE files - https://github.com/hasherezade/pe_recovery_tools
- pe_to_shellcode: Converts PE into a shellcode
- pedump - dump windows PE files using Ruby - http://pedump.me/ - https://github.com/zed-0xff/pedump
- pelook: PE/COFF dump and conversion tool - http://bytepointer.com/tools/index.htm#pelook
- pesign + efikeygen: Linux tools for signed PE-COFF binaries
- Signing tools for PE-COFF binaries. Compliant with the PE and Authenticode specifications.
- https://github.com/rhboot/pesign
- pestudio - https://www.winitor.com/
- peupdate: update hidden PE and PDB information in Win32/64 executables - http://bytepointer.com/tools/index.htm#peupdate
- PortEx: Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness
- https://github.com/katjahahn/PortEx/
- http://katjahahn.github.io/PortEx/
- Robust Static Analysis of Portable Executable Malware - Katja Hahn, Master Thesis - https://github.com/katjahahn/PortEx/tree/master/masterthesis
- Wiki - https://github.com/katjahahn/PortEx/wiki
- PE Visualizer - https://github.com/katjahahn/PortEx/wiki/PE-Visualizer
- PortexAnalyzerGUI: Graphical interface for PortEx, a Portable Executable and Malware Analysis Library
- PPEE: A Professional PE File Explorer - https://www.mzrst.com/
- Process Dump: Windows tool for dumping malware PE files from memory back to disk for analysis
- http://split-code.com/processdump.html
- https://github.com/glmcdona/Process-Dump
- An Introduction to Dumping Malware with Process Dump - https://www.youtube.com/watch?v=dCU7N-Oh3jg
- rcedit: Command line tool to edit resources of EXE file on Windows
- readpe: The PE file analysis toolkit
- Open source, full-featured, multiplatform command line toolkit to work with and analyze PE (Portable Executables) binaries.
- https://github.com/mentebinaria/readpe
- Reflective PE Unloader
- This is code that can be used within a PE file to allow it to reflectively reconstruct itself in memory at runtime. The result is a byte for byte copy of the original PE file. This can be combined with Reflective DLL Injection to allow code to reconstruct itself after being loaded through an arbitrary means.
- https://github.com/zeroSteiner/reflective-polymorphism
- ripPE - section extractor and profiler for PE file analysis - https://github.com/matonis/ripPE
- Sizer - Win32/64 executable size report utility
- Sizer - Win32 executable size report utility - https://github.com/tsafin/pdb-sizer
- SoReL-20M: Sophos-ReversingLabs 20 million sample dataset
- https://github.com/sophos-ai/SOREL-20M
- SOREL-20M: A Large Scale Benchmark Dataset for Malicious PE Detection
- 2020; Richard Harang, Ethan M. Rudd
- https://arxiv.org/abs/2012.07634
- Sophos-ReversingLabs (SOREL) 20 Million sample malware dataset
- SymbolSort: A Utility for Measuring C++ Code Bloat
- WinDiff: Web-based tool that allows browsing and comparing symbol and type information of Microsoft Windows binaries across different versions of the OS
- μthenticode: a cross-platform library for verifying Authenticode signatures
- https://github.com/trailofbits/uthenticode
- Verifying Windows binaries, without Windows
- DreamLoader: Simple 32/64-bit PEs loader
- In-Memory PE Loader: A very simple PE loader for loading DLLs into memory without using LoadLibray
- Amber: Reflective PE packer
- Crinkler: an executable file compressor (or rather, a compressing linker) for Windows for compressing small demoscene executables
- fasm_packer: PE Packer written in x86 assembly (FASM syntax)
- kkpView: Compression ratio analyzer for 64k intros through kkp files (rekkrunchy output)
- kkrunchy: pretty good executable compression
- http://www.farbrausch.de/~fg/kkrunchy/
- Rekkrunchy: fork of rygs kkrunchy_k7 0.23a4/asm07, with patches
- fixed pdb loading, pack ratio analysis
- https://github.com/ConspiracyHu/rekkrunchy-with-analytics
- squishy: a modern pc 64k intro packer
- http://logicoma.io/squishy/
- modern 64k intro compression
- Revision Online 2020 Seminar; jake "ferris" taylor / logicoma
- https://www.youtube.com/watch?v=O5LfE_qNzes
- 2018 - Reflective PE Unloading
- BSides Cleveland 2018; Spencer McIntyre
- https://www.youtube.com/watch?v=GbCVVYMNUzA
- http://www.irongeek.com/i.php?page=videos/bsidescleveland2018/b00-reflective-pe-unloading-spencer-mcintyre
- 2018 - DEF CON 26 - Relocation Bonus
- A look into the Windows Portable Executable (PE) header and how it can be weaponized to destroy parsers, disassemblers, and other tools
- DEFCON-26-Nick-Cano-Relocation-Bonus-Attacking-the-Win-Loader.pdf
- https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Nick%20Cano/
- https://github.com/nickcano/RelocBonus
- https://github.com/nickcano/RelocBonusSlides
- 2013 - 44Con 2013 - Exploring the Portable Executable format - Ange Albertini
- 2013 - NoVA Hackers - 2013-03-11 - Joshua Pitts - Backdooring Win32 Portable Executables
- 2012 - Hack in Paris 2012 - Ange Albertini A Bit More of PE
- 2012 - Hashdays 2012 - Byte-ing the PE that fails you - Ange Albertini
- 2011 - Berlinsides - x86 & PE - Ange Albertini - https://speakerdeck.com/ange/x86-and-pe
- 2011 - BlackHat 2011 - Constant Insecurity: Things you didn’t know about (PE) Portable Executable file format
- https://www.youtube.com/watch?v=uoQL3CE24ls
- https://www.reversinglabs.com/newsroom/blog/constant-insecurity-things-you-didnt-know-about-pe-portable-executable-file-format.html
- Paper - Undocumented PECOFF: https://media.blackhat.com/bh-us-11/Vuksan/BH_US_11_VuksanPericin_PECOFF_WP.pdf
- Slides: https://media.blackhat.com/bh-us-11/Vuksan/BH_US_11_VuksanPericin_PECOFF_Slides.pdf