aboutsummaryrefslogtreecommitdiff
path: root/plugins/elf.lua
blob: bf8095f995fb665edb8c3a685290298ad722e212 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
--
-- elf.lua: Executable and Linkable Format
--
-- Copyright (c) 2017, Přemysl Eric Janouch <p@janouch.name>
--
-- Permission to use, copy, modify, and/or distribute this software for any
-- purpose with or without fee is hereby granted.
--
-- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-- WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-- MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
-- SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-- WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-- OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-- CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
--

-- See man 5 elf, /usr/include/elf.h and /usr/include/llvm/Support/ELF.h

local detect = function (c)
	return #c >= 4 and c:read (4) == "\x7FELF"
end

local ph_type_table = {
	[0]   = "unused segment",
	[1]   = "loadable segment",
	[2]   = "dynamic linking information",
	[3]   = "interpreter pathname",
	[4]   = "auxiliary information",
	[5]   = "reserved",
	[6]   = "the program header table itself",
	[7]   = "the thread-local storage template"
}

local xform_ph_flags = function (u32)
	local info = {}
	if u32 & 0x4 ~= 0 then table.insert (info, "read")    end
	if u32 & 0x2 ~= 0 then table.insert (info, "write")   end
	if u32 & 0x1 ~= 0 then table.insert (info, "execute") end

	local junk = u32 & ~0x7
	if junk ~= 0 then
		table.insert (info, ("unknown: %#x"):format (junk))
	end

	if #info == 0 then return 0 end

	local result = info[1]
	for i = 2, #info do result = result .. ", " .. info[i] end
	return result
end

local decode_ph = function (elf, c)
	local ph = {}
	ph.type = c:u32 ("type: %s", function (u32)
		-- TODO: there are more known weird values and ranges
		name = ph_type_table[u32]
		if name then return name end
		return "unknown: %#x", u32
	end)
	if elf.class == 2 then ph.flags = c:u32 ("flags: %s", xform_ph_flags) end
	ph.offset = elf.uwide (c, "offset in file: %#x")
	ph.vaddr = elf.uwide (c, "virtual address: %#x")
	ph.paddr = elf.uwide (c, "physical address: %#x")
	ph.filesz = elf.uwide (c, "size in file: %d")
	ph.memsz = elf.uwide (c, "size in memory: %d")
	if elf.class == 1 then ph.flags = c:u32 ("flags: %s", xform_ph_flags) end
	ph.align = elf.uwide (c, "alignment: %d")
	return ph
end

local sh_type_table = {
	[0]   = "null entry",
	[1]   = "program-defined contents",
	[2]   = "symbol table",
	[3]   = "string table",
	[4]   = "relocation entries",
	[5]   = "symbol hash table",
	[6]   = "dynamic linking information",
	[7]   = "information about the file",
	[8]   = "data occupies no space in file",
	[9]   = "relocation entries",
	[10]  = "reserved",
	[11]  = "symbol table",
	[14]  = "pointers to initialization functions",
	[15]  = "pointers to terminnation functions",
	[16]  = "pointers to pre-init functions",
	[17]  = "section group",
	[18]  = "indices for SHN_XINDEX entries"
}

local xform_sh_flags = function (u)
	-- TODO: there are more known weird values and ranges
	local info = {}
	if u & 0x1 ~= 0 then table.insert (info, "write") end
	if u & 0x2 ~= 0 then table.insert (info, "alloc") end
	if u & 0x4 ~= 0 then table.insert (info, "execinstr") end

	local junk = u & ~0x7
	if junk ~= 0 then
		table.insert (info, ("unknown: %#x"):format (junk))
	end

	if #info == 0 then return 0 end

	local result = info[1]
	for i = 2, #info do result = result .. ", " .. info[i] end
	return result
end

local decode_sh = function (elf, c)
	local sh = {}
	-- TODO: decode the values, give the fields meaning
	sh.name = c:u32 ("name index: %d")
	sh.type = c:u32 ("type: %s", function (u32)
		-- TODO: there are more known weird values and ranges
		name = sh_type_table[u32]
		if name then return name end
		return "unknown: %#x", u32
	end)
	sh.flags = elf.uwide (c, "flags: %s", xform_sh_flags)
	sh.addr = elf.uwide (c, "load address: %#x")
	sh.offset = elf.uwide (c, "offset in file: %#x")
	sh.size = elf.uwide (c, "size: %d")
	sh.link = c:u32 ("header table index link: %d")
	sh.info = c:u32 ("extra information: %d")
	sh.addralign = elf.uwide (c, "address alignment: %d")
	sh.entsize = elf.uwide (c, "size of records: %d")
	return sh
end

local abi_table = {
	[0]   = "UNIX System V ABI",
	[1]   = "HP-UX operating system",
	[2]   = "NetBSD",
	[3]   = "GNU/Linux",
	[4]   = "GNU/Hurd",
	[6]   = "Solaris",
	[7]   = "AIX",
	[8]   = "IRIX",
	[9]   = "FreeBSD",
	[10]  = "TRU64 UNIX",
	[11]  = "Novell Modesto",
	[12]  = "OpenBSD",
	[13]  = "OpenVMS",
	[14]  = "Hewlett-Packard Non-Stop Kernel",
	[15]  = "AROS",
	[16]  = "FenixOS",
	[17]  = "Nuxi CloudABI",
	[64]  = "Bare-metal TMS320C6000",
	[64]  = "AMD HSA runtime",
	[65]  = "Linux TMS320C6000",
	[97]  = "ARM",
	[255] = "Standalone (embedded) application"
}

local type_table = {
	[0]   = "no file type",
	[1]   = "relocatable file",
	[2]   = "executable file",
	[3]   = "shared object file",
	[4]   = "core file"
}

local machine_table = {
	[0]   = "no machine",
	[1]   = "AT&T WE 32100",
	[2]   = "SPARC",
	[3]   = "Intel 386",
	[4]   = "Motorola 68000",
	[5]   = "Motorola 88000",
	[6]   = "Intel MCU",
	[7]   = "Intel 80860",
	[8]   = "MIPS R3000",
	[9]   = "IBM System/370",
	[10]  = "MIPS RS3000 Little-endian",
	[15]  = "Hewlett-Packard PA-RISC",
	[17]  = "Fujitsu VPP500",
	[18]  = "Enhanced instruction set SPARC",
	[19]  = "Intel 80960",
	[20]  = "PowerPC",
	[21]  = "PowerPC64",
	[22]  = "IBM System/390",
	[23]  = "IBM SPU/SPC",
	[36]  = "NEC V800",
	[37]  = "Fujitsu FR20",
	[38]  = "TRW RH-32",
	[39]  = "Motorola RCE",
	[40]  = "ARM",
	[41]  = "DEC Alpha",
	[42]  = "Hitachi SH",
	[43]  = "SPARC V9",
	[44]  = "Siemens TriCore",
	[45]  = "Argonaut RISC Core",
	[46]  = "Hitachi H8/300",
	[47]  = "Hitachi H8/300H",
	[48]  = "Hitachi H8S",
	[49]  = "Hitachi H8/500",
	[50]  = "Intel IA-64 processor architecture",
	[51]  = "Stanford MIPS-X",
	[52]  = "Motorola ColdFire",
	[53]  = "Motorola M68HC12",
	[54]  = "Fujitsu MMA Multimedia Accelerator",
	[55]  = "Siemens PCP",
	[56]  = "Sony nCPU embedded RISC processor",
	[57]  = "Denso NDR1 microprocessor",
	[58]  = "Motorola Star*Core processor",
	[59]  = "Toyota ME16 processor",
	[60]  = "STMicroelectronics ST100 processor",
	[61]  = "Advanced Logic Corp. TinyJ embedded processor family",
	[62]  = "AMD x86-64 architecture",
	[63]  = "Sony DSP Processor",
	[64]  = "Digital Equipment Corp. PDP-10",
	[65]  = "Digital Equipment Corp. PDP-11",
	[66]  = "Siemens FX66 microcontroller",
	[67]  = "STMicroelectronics ST9+ 8/16 bit microcontroller",
	[68]  = "STMicroelectronics ST7 8-bit microcontroller",
	[69]  = "Motorola MC68HC16 Microcontroller",
	[70]  = "Motorola MC68HC11 Microcontroller",
	[71]  = "Motorola MC68HC08 Microcontroller",
	[72]  = "Motorola MC68HC05 Microcontroller",
	[73]  = "Silicon Graphics SVx",
	[74]  = "STMicroelectronics ST19 8-bit microcontroller",
	[75]  = "Digital VAX",
	[76]  = "Axis Communications 32-bit embedded processor",
	[77]  = "Infineon Technologies 32-bit embedded processor",
	[78]  = "Element 14 64-bit DSP Processor",
	[79]  = "LSI Logic 16-bit DSP Processor",
	[80]  = "Donald Knuth's educational 64-bit processor",
	[81]  = "Harvard University machine-independent object files",
	[82]  = "SiTera Prism",
	[83]  = "Atmel AVR 8-bit microcontroller",
	[84]  = "Fujitsu FR30",
	[85]  = "Mitsubishi D10V",
	[86]  = "Mitsubishi D30V",
	[87]  = "NEC v850",
	[88]  = "Mitsubishi M32R",
	[89]  = "Matsushita MN10300",
	[90]  = "Matsushita MN10200",
	[91]  = "picoJava",
	[92]  = "OpenRISC 32-bit embedded processor",
	[93]  = "ARC International ARCompact processor",
	[94]  = "Tensilica Xtensa Architecture",
	[95]  = "Alphamosaic VideoCore processor",
	[96]  = "Thompson Multimedia General Purpose Processor",
	[97]  = "National Semiconductor 32000 series",
	[98]  = "Tenor Network TPC processor",
	[99]  = "Trebia SNP 1000 processor",
	[100] = "STMicroelectronics (www.st.com) ST200",
	[101] = "Ubicom IP2xxx microcontroller family",
	[102] = "MAX Processor",
	[103] = "National Semiconductor CompactRISC microprocessor",
	[104] = "Fujitsu F2MC16",
	[105] = "Texas Instruments embedded microcontroller msp430",
	[106] = "Analog Devices Blackfin (DSP) processor",
	[107] = "S1C33 Family of Seiko Epson processors",
	[108] = "Sharp embedded microprocessor",
	[109] = "Arca RISC Microprocessor",
	[110] = "microprocessor series from PKU-Unity Ltd." ..
		" and MPRC of Peking University",
	[111] = "eXcess: 16/32/64-bit configurable embedded CPU",
	[112] = "Icera Semiconductor Inc. Deep Execution Processor",
	[113] = "Altera Nios II soft-core processor",
	[114] = "National Semiconductor CompactRISC CRX",
	[115] = "Motorola XGATE embedded processor",
	[116] = "Infineon C16x/XC16x processor",
	[117] = "Renesas M16C series microprocessors",
	[118] = "Microchip Technology dsPIC30F Digital Signal Controller",
	[119] = "Freescale Communication Engine RISC core",
	[120] = "Renesas M32C series microprocessors",
	[131] = "Altium TSK3000 core",
	[132] = "Freescale RS08 embedded processor",
	[133] = "Analog Devices SHARC family of 32-bit DSP processors",
	[134] = "Cyan Technology eCOG2 microprocessor",
	[135] = "Sunplus S+core7 RISC processor",
	[136] = "New Japan Radio (NJR) 24-bit DSP Processor",
	[137] = "Broadcom VideoCore III processor",
	[138] = "RISC processor for Lattice FPGA architecture",
	[139] = "Seiko Epson C17 family",
	[140] = "The Texas Instruments TMS320C6000 DSP family",
	[141] = "The Texas Instruments TMS320C2000 DSP family",
	[142] = "The Texas Instruments TMS320C55x DSP family",
	[160] = "STMicroelectronics 64bit VLIW Data Signal Processor",
	[161] = "Cypress M8C microprocessor",
	[162] = "Renesas R32C series microprocessors",
	[163] = "NXP Semiconductors TriMedia architecture family",
	[164] = "Qualcomm Hexagon processor",
	[165] = "Intel 8051 and variants",
	[166] = "STMicroelectronics STxP7x family of configurable" ..
		" and extensible RISC processors",
	[167] = "Andes Technology compact code size embedded RISC processor family",
	[168] = "Cyan Technology eCOG1X family",
	[168] = "Cyan Technology eCOG1X family",
	[169] = "Dallas Semiconductor MAXQ30 Core Micro-controllers",
	[170] = "New Japan Radio (NJR) 16-bit DSP Processor",
	[171] = "M2000 Reconfigurable RISC Microprocessor",
	[172] = "Cray Inc. NV2 vector architecture",
	[173] = "Renesas RX family",
	[174] = "Imagination Technologies META processor architecture",
	[175] = "MCST Elbrus general purpose hardware architecture",
	[176] = "Cyan Technology eCOG16 family",
	[177] = "National Semiconductor CompactRISC CR16 16-bit microprocessor",
	[178] = "Freescale Extended Time Processing Unit",
	[179] = "Infineon Technologies SLE9X core",
	[180] = "Intel L10M",
	[181] = "Intel K10M",
	[183] = "ARM AArch64",
	[185] = "Atmel Corporation 32-bit microprocessor family",
	[186] = "STMicroeletronics STM8 8-bit microcontroller",
	[187] = "Tilera TILE64 multicore architecture family",
	[188] = "Tilera TILEPro multicore architecture family",
	[190] = "NVIDIA CUDA architecture",
	[191] = "Tilera TILE-Gx multicore architecture family",
	[192] = "CloudShield architecture family",
	[193] = "KIPO-KAIST Core-A 1st generation processor family",
	[194] = "KIPO-KAIST Core-A 2nd generation processor family",
	[195] = "Synopsys ARCompact V2",
	[196] = "Open8 8-bit RISC soft processor core",
	[197] = "Renesas RL78 family",
	[198] = "Broadcom VideoCore V processor",
	[199] = "Renesas 78KOR family",
	[200] = "Freescale 56800EX Digital Signal Controller (DSC)",
	[201] = "Beyond BA1 CPU architecture",
	[202] = "Beyond BA2 CPU architecture",
	[203] = "XMOS xCORE processor family",
	[204] = "Microchip 8-bit PIC(r) family",
	[205] = "reserved by Intel",
	[206] = "reserved by Intel",
	[207] = "reserved by Intel",
	[208] = "reserved by Intel",
	[209] = "reserved by Intel",
	[210] = "KM211 KM32 32-bit processor",
	[211] = "KM211 KMX32 32-bit processor",
	[212] = "KM211 KMX16 16-bit processor",
	[213] = "KM211 KMX8 8-bit processor",
	[214] = "KM211 KVARC processor",
	[215] = "Paneve CDP architecture family",
	[216] = "Cognitive Smart Memory Processor",
	[217] = "iCelero CoolEngine",
	[218] = "Nanoradio Optimized RISC",
	[219] = "CSR Kalimba architecture family",
	[224] = "AMD GPU architecture",
	[244] = "Lanai 32-bit processor",
	[247] = "Linux kernel bpf virtual machine"
}

local decode = function (c)
	assert (c.position == 1)
	if not detect (c ()) then error ("not an ELF file") end

	local p = c.position, c:read (4)
	c (p, p + 3):mark ("ELF magic")

	local elf = {}
	elf.class = c:u8 ("ELF class: %s", function (u8)
		if u8 == 1 then return "32-bit" end
		if u8 == 2 then return "64-bit" end
		return "invalid: %d", u8
	end)
	elf.data = c:u8 ("ELF data: %s", function (u8)
		if u8 == 1 then
			c.endianity = "le"
			return "little-endian"
		end
		if u8 == 2 then
			c.endianity = "be"
			return "big-endian"
		end
		return "invalid: %d", u8
	end)
	elf.version = c:u8 ("ELF version: %d")
	elf.abi = c:u8 ("OS ABI: %s", function (u8)
		name = abi_table[u8]
		if name then return name end
		return "unknown: %d", u8
	end)
	elf.abi_version = c:u8 ("OS ABI version: %d")

	-- The padding is reserved, no big sense in marking it
	local padding = c:read (7)

	-- We cannot decode anything further if we don't know endianity
	if elf.data ~= 1 and elf.data ~= 2 then return end

	-- And the same applies to the class
	if     elf.class == 1 then elf.uwide = c.u32
	elseif elf.class == 2 then elf.uwide = c.u64
	else return end

	elf.type = c:u16 ("type of file: %s", function (u16)
		name = type_table[u16]
		if name then return name end
		return "unknown: %d", u16
	end)
	elf.machine = c:u16 ("required architecture: %s", function (u16)
		name = machine_table[u16]
		if name then return name end
		return "unknown: %d", u16
	end)
	elf.version = c:u32 ("version: %d")
	elf.entry = elf.uwide (c, "program entry address: %#x")
	elf.ph_offset = elf.uwide (c, "program header table offset: %#x")
	elf.sh_offset = elf.uwide (c, "section header table offset: %#x")
	elf.flags = c:u32 ("processor-specific flags: %#x")
	elf.eh_size = c:u16 ("ELF header size: %d")
	c (1, elf.eh_size):mark ("ELF header")

	elf.ph_entry_size = c:u16 ("program header size: %d")
	elf.ph_number = c:u16 ("program header count: %d")
	elf.sh_entry_size = c:u16 ("section header size: %d")
	elf.sh_number = c:u16 ("section header count: %d")
	elf.sh_string_index = c:u16 ("section header index for strings: %d")

	for i = 1, elf.ph_number do
		local start = elf.ph_offset + (i - 1) * elf.ph_entry_size
		local pchunk = c (1 + start, start + elf.ph_entry_size)
		pchunk:mark ("ELF program header %d", i - 1)
		decode_ph (elf, pchunk)
	end

	-- Only mark section headers after we've decoded them all,
	-- so that we can name them using the section containing section names
	local shs = {}
	for i = 1, elf.sh_number do
		local start = elf.sh_offset + (i - 1) * elf.sh_entry_size
		local schunk = c (1 + start, start + elf.sh_entry_size)
		sh = decode_sh (elf, schunk)
		shs[i], shs[sh] = sh, schunk
	end

	local strings
	if elf.sh_string_index ~= 0 and elf.sh_string_index < elf.sh_number then
		local sh = shs[elf.sh_string_index + 1]
		strings = c (sh.offset + 1, sh.offset + sh.size)
	end
	for i, sh in ipairs (shs) do
		local schunk = shs[sh]
		if strings and sh.name < #strings then
			sh.name_string = strings (sh.name + 1):cstring ()
			schunk:mark ("ELF section header %d (%s)", i - 1, sh.name_string)
		else
			schunk:mark ("ELF section header %d", i - 1)
		end
	end
end

hex.register { type="elf", detect=detect, decode=decode }