syntax = "proto2";
import "yara.proto";
package elf;
// Module registration read by YARA-X. The option schema lives in yara.proto,
// which is not visible from this file.
// NOTE(review): presumably `name` is the identifier rules import,
// `root_message` is the message exposed as the module's top-level structure,
// `rust_module` is the implementing Rust module and `cargo_feature` is the
// build feature that gates it. Confirm against yara.proto.
option (yara.module_options) = {
  name: "elf"
  root_message: "elf.ELF"
  rust_module: "elf"
  cargo_feature: "elf-module"
};
// Top-level structure of the `elf` module (named as root_message in the
// module options). Every field describes the file being scanned, so the
// values can come from a malformed or deliberately inconsistent binary.
// NOTE(review): confirm which fields are raw header values and which the
// parser validates or derives.
message ELF {
  // Object file type: relocatable, executable, shared object, core, ...
  optional Type type = 1;

  // Target architecture the binary was built for.
  optional Machine machine = 2;

  // OS / ABI identification of the file.
  optional OsAbi osabi = 18;

  // Entry point address of the executable.
  // NOTE(review): confirm whether this is the header's virtual address or a
  // file offset derived from it.
  optional uint64 entry_point = 3;

  // File offset of the section header table.
  optional uint64 sh_offset = 4;

  // Size, in bytes, of one section header entry.
  optional uint32 sh_entry_size = 5;

  // File offset of the program header table.
  optional uint64 ph_offset = 6;

  // Size, in bytes, of one program header entry.
  optional uint32 ph_entry_size = 7;

  // Number of entries in the section header table.
  // Deprecated: the notice below directs rule authors to `sections.len()`.
  optional uint64 number_of_sections = 8 [(yara.field_options).deprecation_notice = {
    text: "this field is deprecated",
    help: "use `elf.sections.len()` instead",
    replacement: "sections.len()"
  }];

  // Number of entries in the program header table.
  // Deprecated: the notice below directs rule authors to `segments.len()`.
  optional uint64 number_of_segments = 9 [(yara.field_options).deprecation_notice = {
    text: "this field is deprecated",
    help: "use `elf.segments.len()` instead",
    replacement: "segments.len()"
  }];

  // Number of symbols in the static symbol table.
  optional uint64 symtab_entries = 10;

  // Number of symbols in the dynamic symbol table.
  optional uint64 dynsym_entries = 11;

  // Number of entries in the dynamic linking section.
  optional uint64 dynamic_section_entries = 12;

  // Sections listed in the section header table.
  repeated Section sections = 13;

  // Segments listed in the program header table.
  repeated Segment segments = 14;

  // Symbols taken from the static symbol table.
  repeated Sym symtab = 15;

  // Symbols taken from the dynamic symbol table.
  repeated Sym dynsym = 16;

  // Entries taken from the dynamic linking structure.
  repeated Dyn dynamic = 17;
}
// Values for ELF.type (object file type).
// NOTE(review): `inline` presumably exposes the values directly under the
// module (e.g. `elf.ET_EXEC`). Confirm in yara.proto.
enum Type {
  option (yara.enum_options).inline = true;

  ET_NONE = 0x0000;    // No file type
  ET_REL = 0x0001;     // Relocatable file
  ET_EXEC = 0x0002;    // Executable file
  ET_DYN = 0x0003;     // Shared object file
  ET_CORE = 0x0004;    // Core file
  ET_LOPROC = 0xFF00;  // Start of the processor-specific range
  // NOTE(review): the ELF specification gives the end of the
  // processor-specific range as 0xFFFF. The value here is 0x00FF, so confirm
  // whether that is intentional before relying on it in rules.
  ET_HIPROC = 0x00FF;  // Processor-specific
}
// Values for ELF.machine (target architecture). Only a subset of the
// architectures defined by the ELF specification is named here.
enum Machine {
  option (yara.enum_options).inline = true;

  EM_NONE = 0;          // 0x0000 No machine
  EM_M32 = 1;           // 0x0001 AT&T WE 32100
  EM_SPARC = 2;         // 0x0002 SPARC
  EM_386 = 3;           // 0x0003 Intel 80386
  EM_68K = 4;           // 0x0004 Motorola 68000
  EM_88K = 5;           // 0x0005 Motorola 88000
  EM_IAMCU = 6;         // 0x0006 Intel MCU
  EM_860 = 7;           // 0x0007 Intel 80860
  EM_MIPS = 8;          // 0x0008 MIPS I architecture
  EM_S370 = 9;          // 0x0009 IBM System/370
  EM_MIPS_RS3_LE = 10;  // 0x000A MIPS RS3000, little-endian
  EM_PPC = 20;          // 0x0014 PowerPC
  EM_PPC64 = 21;        // 0x0015 PowerPC, 64-bit
  EM_ARM = 40;          // 0x0028 ARM
  EM_X86_64 = 62;       // 0x003E AMD/Intel x86-64
  EM_AARCH64 = 183;     // 0x00B7 ARM, 64-bit
}
// Values for ELF.osabi (OS / ABI identification).
enum OsAbi {
  option (yara.enum_options).inline = true;

  OSABI_NONE = 0;          // No extensions (UNIX System V ABI)
  OSABI_HPUX = 1;          // Hewlett-Packard HP-UX
  OSABI_NETBSD = 2;        // NetBSD
  OSABI_LINUX = 3;         // Linux (GNU)
  OSABI_GNU_HURD = 4;      // GNU Hurd
  OSABI_SOLARIS = 6;       // Sun Solaris
  OSABI_AIX = 7;           // IBM AIX
  OSABI_IRIX = 8;          // Silicon Graphics IRIX
  OSABI_FREE_BSD = 9;      // FreeBSD
  OSABI_TRU64 = 10;        // Compaq TRU64 UNIX
  OSABI_MODESTO = 11;      // Novell Modesto
  OSABI_OPENBSD = 12;      // OpenBSD
  OSABI_OPENVMS = 13;      // OpenVMS
  OSABI_NSK = 14;          // Hewlett-Packard Non-Stop Kernel
  OSABI_AROS = 15;         // Amiga Research OS
  OSABI_FENIXOS = 16;      // FenixOS highly scalable multi-core OS
  OSABI_CLOUDABI = 17;     // Nuxi CloudABI
  OSABI_OPENVOS = 18;      // Stratus Technologies OpenVOS
  OSABI_ARM_AEABI = 64;    // ARM EABI
  OSABI_ARM = 97;          // ARM
  OSABI_STANDALONE = 255;  // Standalone (embedded) application
}
// One entry of the section header table.
// All fields except `name` are proto2 `required`, so a Section lacking any
// of them is not a valid message. `required` cannot later be relaxed without
// breaking existing readers of this schema.
message Section {
  // Kind of section (e.g. PROGBITS, SYMTAB).
  required SectionType type = 1;

  // Section attributes, as a bit mask.
  required uint64 flags = 2;

  // Virtual address of the section in memory.
  required uint64 address = 3;

  // Size of the section data, in bytes.
  required uint64 size = 4;

  // File offset of the section contents.
  required uint64 offset = 5;

  // Section name, as a string.
  optional string name = 6;
}
// Values for Section.type.
enum SectionType {
  option (yara.enum_options).inline = true;

  SHT_NULL = 0;         // Unused section header table entry
  SHT_PROGBITS = 1;     // Program-defined data
  SHT_SYMTAB = 2;       // Symbol table
  SHT_STRTAB = 3;       // String table
  SHT_RELA = 4;         // Relocation entries with addends
  SHT_HASH = 5;         // Symbol hash table
  SHT_DYNAMIC = 6;      // Dynamic linking information
  SHT_NOTE = 7;         // Notes
  SHT_NOBITS = 8;       // Occupies no file space (bss)
  SHT_REL = 9;          // Relocation entries without addends
  SHT_SHLIB = 10;       // Reserved
  SHT_DYNSYM = 11;      // Dynamic linker symbol table
  SHT_INIT_ARRAY = 14;  // Array of constructors
  SHT_FINI_ARRAY = 15;  // Array of destructors
}
// One entry of the program header table.
// Every field is proto2 `required`, so a Segment lacking any of them is not
// a valid message.
message Segment {
  // Kind of segment (e.g. LOAD, DYNAMIC).
  required SegmentType type = 1;

  // Access permissions of the segment, as a bit mask of SegmentFlags values.
  // NOTE(review): the `fmt` option presumably makes YARA-X render the number
  // using the SegmentFlags names. Confirm in yara.proto.
  required uint32 flags = 2 [(yara.field_options).fmt = "flags:SegmentFlags"];

  // File offset where the segment starts.
  required uint64 offset = 3;

  // Virtual address at which the segment is loaded.
  required uint64 virtual_address = 4;

  // Physical address of the segment. Only meaningful on systems without
  // virtual memory.
  required uint64 physical_address = 5;

  // Number of bytes the segment occupies in the file.
  required uint64 file_size = 6;

  // Number of bytes the segment occupies once mapped into memory.
  required uint64 memory_size = 7;

  // Alignment the segment requires in memory and in the file.
  required uint64 alignment = 8;
}
// Values for Segment.type.
enum SegmentType {
  option (yara.enum_options).inline = true;

  PT_NULL = 0;                   // Unused array element
  PT_LOAD = 1;                   // Loadable segment
  PT_DYNAMIC = 2;                // Dynamic linking information
  PT_INTERP = 3;                 // Pathname of the program interpreter
  PT_NOTE = 4;                   // Location and size of auxiliary information
  PT_SHLIB = 5;                  // Reserved, unspecified semantics
  PT_PHDR = 6;                   // Location and size of the program header table
  PT_TLS = 7;                    // Thread-local storage template
  PT_GNU_EH_FRAME = 0x6474e550;  // GNU: exception-handling frame header
  PT_GNU_STACK = 0x6474e551;     // GNU: flags give the requested stack permissions
  PT_GNU_RELRO = 0x6474e552;     // GNU: region made read-only after relocation
  PT_GNU_PROPERTY = 0x6474e553;  // GNU: program property notes
}
// Permission bits carried in Segment.flags. The values are single bits and
// are combined with bitwise OR. A segment with both PF_W and PF_X set is
// writable and executable at once, which hardened builds normally avoid.
enum SegmentFlags {
  option (yara.enum_options).inline = true;

  PF_X = 0x1;  // Executable
  PF_W = 0x2;  // Writable
  PF_R = 0x4;  // Readable
}
// One symbol table entry. It is used for both ELF.symtab and ELF.dynsym.
// All fields except `name` are proto2 `required`.
message Sym {
  // Symbol name, as a string.
  optional string name = 1;

  // Value of the symbol, typically an address or an offset.
  required uint64 value = 2;

  // Size, in bytes, of the object the symbol refers to.
  required uint64 size = 3;

  // Kind of symbol (e.g. FUNC, OBJECT).
  required SymType type = 4;

  // Binding of the symbol (e.g. GLOBAL, LOCAL).
  required SymBind bind = 5;

  // Index of the section the symbol is associated with.
  required uint32 shndx = 6;

  // Visibility of the symbol (e.g. DEFAULT, HIDDEN).
  required SymVisibility visibility = 7;
}
// Values for Sym.type.
enum SymType {
  option (yara.enum_options).inline = true;

  STT_NOTYPE = 0;   // Unspecified type
  STT_OBJECT = 1;   // Data object
  STT_FUNC = 2;     // Code object
  STT_SECTION = 3;  // Associated with a section
  STT_FILE = 4;     // Name is a file name
  STT_COMMON = 5;   // Common data object
  STT_TLS = 6;      // Thread-local data object
}
// Values for Sym.bind.
enum SymBind {
  option (yara.enum_options).inline = true;

  STB_LOCAL = 0;   // Local symbol
  STB_GLOBAL = 1;  // Global symbol
  STB_WEAK = 2;    // Weak symbol
}
// Values for Sym.visibility.
enum SymVisibility {
  option (yara.enum_options).inline = true;

  STV_DEFAULT = 0;    // Visibility is determined by the binding
  STV_INTERNAL = 1;   // Reserved
  STV_HIDDEN = 2;     // Not visible to other components
  STV_PROTECTED = 3;  // Visible to other components but cannot be preempted
}
// One entry of the dynamic linking structure (see ELF.dynamic).
message Dyn {
  // Kind of dynamic entry (e.g. NEEDED, STRTAB).
  optional DynType type = 1;

  // Value or address carried by the entry. How to read it depends on `type`.
  optional uint64 val = 2;
}
// Values for Dyn.type. Several tags describe loader behaviour that is useful
// when triaging a binary: the library search path (DT_RPATH, DT_RUNPATH),
// text relocations (DT_TEXTREL) and binding policy (DT_BIND_NOW, DT_FLAGS,
// DT_FLAGS_1).
enum DynType {
  option (yara.enum_options).inline = true;

  DT_NULL = 0;                 // Marks the end of the dynamic entries
  DT_NEEDED = 1;               // Name of a needed library
  DT_PLTRELSZ = 2;             // Size, in bytes, of the PLT relocations
  DT_PLTGOT = 3;               // Processor-defined value
  DT_HASH = 4;                 // Address of the symbol hash table
  DT_STRTAB = 5;               // Address of the string table
  DT_SYMTAB = 6;               // Address of the symbol table
  DT_RELA = 7;                 // Address of the Rela relocations
  DT_RELASZ = 8;               // Total size of the Rela relocations
  DT_RELAENT = 9;              // Size of one Rela relocation
  DT_STRSZ = 10;               // Size of the string table
  DT_SYMENT = 11;              // Size of one symbol table entry
  DT_INIT = 12;                // Address of the init function
  DT_FINI = 13;                // Address of the termination function
  DT_SONAME = 14;              // Name of the shared object
  DT_RPATH = 15;               // Library search path (deprecated)
  DT_SYMBOLIC = 16;            // Start the symbol search here
  DT_REL = 17;                 // Address of the Rel relocations
  DT_RELSZ = 18;               // Total size of the Rel relocations
  DT_RELENT = 19;              // Size of one Rel relocation
  DT_PLTREL = 20;              // Type of relocation used in the PLT
  DT_DEBUG = 21;               // For debugging; unspecified
  DT_TEXTREL = 22;             // Relocations might modify .text
  DT_JMPREL = 23;              // Address of the PLT relocations
  DT_BIND_NOW = 24;            // Process all relocations before running the object
  DT_INIT_ARRAY = 25;          // Array of init function addresses
  DT_FINI_ARRAY = 26;          // Array of fini function addresses
  DT_INIT_ARRAYSZ = 27;        // Size, in bytes, of DT_INIT_ARRAY
  DT_FINI_ARRAYSZ = 28;        // Size, in bytes, of DT_FINI_ARRAY
  DT_RUNPATH = 29;             // Library search path
  DT_FLAGS = 30;               // Flags for the object being loaded
  DT_ENCODING = 32;            // Start of the encoded range
  DT_LOOS = 0x6000000d;        // Start of the OS-specific range
  DT_HIOS = 0x6ffff000;        // End of the OS-specific range
  DT_VALRNGLO = 0x6ffffd00;    // Start of the range of value-carrying tags
  DT_VALRNGHI = 0x6ffffdff;    // End of the range of value-carrying tags
  DT_ADDRRNGLO = 0x6ffffe00;   // Start of the range of address-carrying tags
  DT_ADDRRNGHI = 0x6ffffeff;   // End of the range of address-carrying tags
  DT_VERSYM = 0x6ffffff0;      // Address of the symbol version table
  DT_RELACOUNT = 0x6ffffff9;   // Count of relative Rela relocations
  DT_RELCOUNT = 0x6ffffffa;    // Count of relative Rel relocations
  DT_FLAGS_1 = 0x6ffffffb;     // Additional state flags for the object
  DT_VERDEF = 0x6ffffffc;      // Address of the version definition table
  DT_VERDEFNUM = 0x6ffffffd;   // Number of version definitions
  DT_VERNEED = 0x6ffffffe;     // Address of the table of needed versions
  DT_VERNEEDNUM = 0x6fffffff;  // Number of needed versions
  DT_LOPROC = 0x70000000;      // Start of the processor-specific range
  DT_HIPROC = 0x7fffffff;      // End of the processor-specific range
}