Binary Architect: ELFSPIRIT Framework Analyzes, Patches, and Camouflages ELF Files

ELFSPIRIT is a comprehensive static analysis and injection framework designed to parse, manipulate, patch, and camouflage ELF files. With elfspirit, you can explore the intricacies of the ELF format and have the freedom to finely manipulate every byte within the ELF file. Whether you are engaging in virtual Capture The Flag challenges or conducting research on real-world viruses, elfspirit provides a versatile platform. Its applications span from user mode programs to rootkits, offering a solid foundation for a wide range of endeavors.

Freely edit every byte of an ELF, not just with 010 Editor

We can easily edit any byte of an ELF file with elfspirit, for example removing the non-executable stack protection (-z noexecstack) from an executable binary.

The original PT_GNU_STACK segment only had read and write permissions (6 = rw), as shown below.

You can use elfspirit to grant executable permission to the PT_GNU_STACK segment. Just set the parameters (i, j) to the coordinates of the target field.

$ elfspirit edit -P -i11 -j6 -m7 myelf 
6->7

Wasn’t this process a piece of cake?
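To check for the same change from the defender's side, here is an added Python checker (not part of elfspirit) that parses the program headers of an ELF64 little-endian image, reports the PT_GNU_STACK p_flags, and flags an executable stack; the sample image it builds is constructed here, and restricting the parser to ELF64 little-endian is a simplification.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # PT_LOOS + 0x474E551
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags bits: 6 = rw-, 7 = rwx


def program_headers(data: bytes):
    """Yield (p_type, p_flags) for each program header of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")   # simplification
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        # In Elf64_Phdr p_flags directly follows p_type.
        yield struct.unpack_from("<II", data, e_phoff + i * e_phentsize)


def gnu_stack_flags(data: bytes):
    """p_flags of PT_GNU_STACK, or None when the segment is missing entirely."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(data: bytes) -> bool:
    """A missing PT_GNU_STACK is treated as executable: most loaders default to that."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)


def flags_str(p_flags: int) -> str:
    return "".join(c if p_flags & b else "-" for c, b in (("r", PF_R), ("w", PF_W), ("x", PF_X)))


def build_sample(stack_flags):
    """Constructed minimal ELF64 x86-64 image (not runnable code): one PT_LOAD plus a
    PT_GNU_STACK with the given p_flags, or no PT_GNU_STACK when stack_flags is None."""
    phdrs = [(PT_LOAD, PF_R | PF_X)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)           # ELF64, LE, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,
                                 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)
                    for t, f in phdrs)
    return ehdr + body
```

Run gnu_stack_flags() over the bytes of a binary before and after an edit like the one above: the value moves from 6 (rw-) to 7 (rwx), which is exactly what a hardening scan should alert on.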

Patch IoT firmware for IDA

As is well known, the firmware of many embedded devices consists of bare-metal programs without an ELF header. elfspirit can add the ELF header information, making it convenient to load the image into reverse engineering tools such as IDA for disassembly and decompilation.

# Add elf header for IoT firmware.bin
$ ./elfspirit addelfinfo -a arm -m 32 -e big -b 0x18308000 ~/Documents/app.bin

In addition, elfspirit can also splice firmware. A common situation is that IoT firmware consists of many bins stored in different partitions. They share one address space, so if you analyze only a single bin you will find functions jumping to unfamiliar addresses. At this point, we need to use elfspirit's joinelf subcommand.

# Connect multi-bin
$ ./elfspirit joinelf -a arm -m 32 -e big -c ./configure/bininfo.json ~/Documents/app.bin

Patch ELF

  • Change the ELF interpreter (“the dynamic loader/linker”) of executables:

    elfspirit --set-interpreter [-s]<new interpreter> ELF
  • Change the RPATH or RUNPATH of executables and libraries:

    elfspirit --set-rpath [-s]<rpath> ELF
    elfspirit --set-runpath [-s]<rpath> ELF
  • Add a section or segment to executables and libraries:

    elfspirit --add-section [-z]<size> ELF
    elfspirit --add-segment [-z]<size> ELF

Infect ELF (experimental)

  • Silvio text segment infection technique:

    elfspirit --infect-silvio [-s]<shellcode> [-z]<size> ELF
  • Reverse text segment infection technique (Skeksi):

    elfspirit --infect-skeksi [-s]<shellcode> [-z]<size> ELF
  • Data segment infection technique (Skeksi):

    elfspirit --infect-data [-s]<shellcode> [-z]<size> ELF

Install & Use
