analyzer.py
ofrak.core.elf.analyzer
ElfBasicHeaderAttributesAnalyzer (Analyzer)
Deserialize the ElfBasicHeader, which contains the first 7 fields of the ELF header. These fields are all endianness- & word-size-agnostic, and in fact define the endianness and word size for the remainder of the header.
The remaining fields are deserialized as part of the ElfHeader. See "ELF header (Ehdr)" in https://man7.org/linux/man-pages/man5/elf.5.html for details.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfBasicHeader |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfBasicHeader:
tmp = await resource.get_data()
deserializer = BinaryDeserializer(io.BytesIO(tmp))
(
ei_magic,
ei_class,
ei_data,
ei_version,
ei_osabi,
ei_abiversion,
ei_pad,
) = deserializer.unpack_multiple("4sBBBBB7s")
assert ei_magic == b"\x7fELF"
return ElfBasicHeader(
ei_magic, ei_class, ei_data, ei_version, ei_osabi, ei_abiversion, ei_pad
)
ElfDynamicSectionAnalyzer (Analyzer)
If an object file participates in dynamic linking, its program header table will have an element of type PT_DYNAMIC. This segment contains the .dynamic section.
Descriptions of the Dynamic Table entries may be found herein: https://docs.oracle.com/cd/E19683-01/817-3677/chapter6-42444/index.html
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfDynamicEntry |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfDynamicEntry:
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer)
ElfHeaderAttributesAnalyzer (Analyzer)
Deserialize the ElfHeader, which contains all of the ELF header fields except the first 7. The first 7 fields are deserialized as part of the ElfBasicHeader. The remaining fields locate all other ELF structures. Use to understand ELF structure details, find program and section headers for unpacking, extract entry point for execution analysis, or validate ELF structure integrity.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfHeader |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfHeader:
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer)
ElfPointerAnalyzer (Analyzer)
Extracts and deserializes virtual address pointer values from ELF pointer array sections, converting raw bytes to addresses based on the binary's word size and endianness. Pointers reference functions or data locations in memory. Use when analyzing specific pointer entries in .init_array, .fini_array, .ctors, .dtors, or other pointer arrays to determine what addresses they reference, understand initialization order, or prepare to modify pointer targets. Each pointer entry is analyzed individually.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfVirtualAddress |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfVirtualAddress:
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer)
ElfProgramAttributesAnalyzer (Analyzer)
Extracts ProgramAttributes from the ELF header's machine type field and flags, determining
the instruction set architecture (x86, ARM, MIPS, PowerPC, etc.), bit width (16/32/64-bit),
endianness, and processor-specific flags. This information defines what kind of CPU can
execute the binary. Use to understand the target platform for an ELF binary, verify
compatibility with target systems, determine what disassembler or emulator to use, or check
architectural assumptions before analysis. Critical for setting up proper analysis tools.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional[ofrak.model.component_model.ComponentConfig] |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ProgramAttributes |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(
self, resource: Resource, config: Optional[ComponentConfig] = None
) -> ProgramAttributes:
elf_header = await resource.get_only_descendant_as_view(
ElfHeader, r_filter=ResourceFilter.with_tags(ElfHeader)
)
elf_basic_header = await resource.get_only_descendant_as_view(
ElfBasicHeader, r_filter=ResourceFilter.with_tags(ElfBasicHeader)
)
return ProgramAttributes(
elf_header.get_isa(),
None,
elf_basic_header.get_bitwidth(),
elf_basic_header.get_endianness(),
None,
)
ElfProgramHeaderAttributesAnalyzer (Analyzer)
Deserializes ELF program header (Phdr) structures to extract segment type (LOAD, DYNAMIC, INTERP, etc.), file offset, virtual address where segment is loaded, physical address, file size, memory size (may be larger if includes .bss), segment flags (readable, writable, executable), and alignment requirements. Program headers define how the ELF is loaded into memory. Use when analyzing specific segments to understand ELF memory layout, determine loading behavior, find executable or data regions, or prepare for memory-based modifications. Critical for understanding runtime memory organization.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfProgramHeader |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfProgramHeader:
segment_structure = await resource.view_as(ElfSegmentStructure)
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer, segment_structure.segment_index)
ElfRelaAnalyzer (Analyzer)
Deserializes ElfRelaEntry entries with addends (Elf32_Rela or Elf64_Rela structures) to extract offset (where to apply relocation), symbol index (which symbol is involved), relocation type (how to compute the value), and addend (constant to add to the symbol value). Relocations specify how addresses should be adjusted during linking or loading. Use when debugging linking issues, preparing for code relocation, understanding dynamic symbol resolution, or analyzing specific relocation entries to understand how position-independent code works. Each entry describes one address adjustment.
http://sourceware.org/git/?p=glibc.git;a=blob_plain;f=elf/elf.h
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfRelaEntry |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfRelaEntry:
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer)
ElfSectionHeaderAttributesAnalyzer (Analyzer)
Deserializes ELF section header (Shdr) structures to extract section name index (into string table), section type (PROGBITS, SYMTAB, STRTAB, etc.), section flags (writable, allocatable, executable), virtual address, file offset, section size, link to related section, additional info field, address alignment, and entry size for fixed-size entry sections. Section headers describe the file's organization. Use when analyzing specific sections to understand their properties, find particular sections like .text or .data, determine section attributes, or navigate ELF file structure.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfSectionHeader |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfSectionHeader:
section_structure = await resource.view_as(ElfSectionStructure)
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer, section_structure.section_index)
ElfSectionMemoryRegionAnalyzer (Analyzer)
Extracts memory region information for ELF sections by reading the virtual address and size fields from section headers, determining where each section will be located in memory when the ELF is loaded. Sections may or may not be allocated in memory (depending on SHF_ALLOC flag). Use to understand where ELF sections are loaded in memory, map file offsets to virtual addresses, plan memory-based modifications, or understand memory layout for debugging. Bridges file-based and memory-based views of sections.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
MemoryRegion |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> MemoryRegion:
section = await resource.view_as(ElfSectionStructure)
section_header = await section.get_header()
return MemoryRegion(
virtual_address=section_header.sh_addr,
size=section_header.sh_size,
)
ElfSectionNameAnalyzer (Analyzer)
Resolves ELF section names from the section header string table (.shstrtab) using the sh_name field from section headers as an index. Section names like ".text", ".data", ".bss", ".rodata" are stored as NULL-terminated strings in a dedicated string section. Use to identify sections by their symbolic names rather than numeric indexes, find specific sections for analysis (like finding .text for code), understand section purposes, or display human-readable section information. Makes ELF navigation much more intuitive.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
AttributesType[NamedProgramSection] |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> AttributesType[NamedProgramSection]:
section = await resource.view_as(ElfSectionStructure)
section_header = await section.get_header()
elf_r = await section.get_elf()
string_section = await elf_r.get_section_name_string_section()
try:
((_, raw_section_name),) = await string_section.resource.search_data(
SECTION_NAME_PATTERN, start=section_header.sh_name, max_matches=1
)
section_name = raw_section_name.rstrip(b"\x00").decode("ascii")
except ValueError as e:
LOGGER.info("String section is empty! Using '<no-strings>' as section name")
section_name = "<no-strings>" # This is what readelf returns in this situation
return AttributesType[NamedProgramSection](
name=section_name,
)
ElfSegmentAnalyzer (Analyzer)
Extracts and analyzes detailed attributes from ELF program segments (from program headers), including segment type classification, memory protection flags, size information, alignment requirements, and relationships to sections. Segments define how the binary is loaded and mapped in memory. Use when analyzing specific program segments to understand memory layout, determine what code/data regions are loaded where, find segment boundaries for modifications, or understand memory protection and access patterns. Critical for memory-based binary analysis.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfSegment |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfSegment:
segment = await resource.view_as(ElfSegmentStructure)
segment_header = await segment.get_header()
return ElfSegment(
segment_index=segment_header.segment_index,
virtual_address=segment_header.p_vaddr,
size=segment_header.p_memsz,
)
ElfSymbolAttributesAnalyzer (Analyzer)
Deserializes and extracts detailed attributes from ELF symbol table entries including symbol name (as an index into the string table), value/address, size in bytes, binding type (local, global, weak), symbol type (function, object, section), visibility, and section index. These attributes reflect what the ELF header claims, which might not match what's actually in the binary. Use when you need to examine or modify the symbol metadata that the OS loader will read, but don't rely on these for discovering actual symbols in the binary.
analyze(self, resource, config=None)
async
Analyze a resource for to extract specific ResourceAttributes.
Users should not call this method directly; rather, they should run Resource.run or Resource.analyze.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
resource |
Resource |
The resource that is being analyzed |
required |
config |
Optional config for analyzing. If an implementation provides a default, this default will always be used when config would otherwise be None. Note that a copy of the default config will be passed, so the default config values cannot be modified persistently by a component run. |
None |
Returns:
| Type | Description |
|---|---|
ElfSymbol |
The analysis results |
Source code in ofrak/core/elf/analyzer.py
async def analyze(self, resource: Resource, config=None) -> ElfSymbol:
symbol_structure = await resource.view_as(ElfSymbolStructure)
deserializer = await _create_deserializer(resource)
return self.deserialize(deserializer, symbol_structure.symbol_index)
