Struct malwaredb_types::exec::elf::Elf

pub struct Elf<'a> {
    pub is64bit: bool,
    pub arch: Architecture,
    pub has_overlay: Option<bool>,
    pub ordering: Ordering,
    pub executable_type: ExecutableType,
    pub os: OperatingSystem,
    pub sections: Option<Vec<Section<'a>>>,
    pub imports: Option<Imports>,
    pub interpreter: Option<String>,
    pub contents: &'a [u8],
}

The struct to partially represent the ELF (Executable and Linkable File) format

This is the file type used for Linux, *BSD (FreeBSD, OpenBSD, NetBSD, etc), Haiku, Solaris, and possibly some others.

Effort is made to fail gracefully, since malware may not obey all the rules, and some information is better than none because some part of the data wasn’t parsed correctly.

Fields

is64bit: bool

If the program is 64-bit

arch: Architecture

Instruction set architecture for this binary

has_overlay: Option<bool>

If the binary has extra data after the last section, could be used to hide something

ordering: Ordering

Byte ordering for this binary

executable_type: ExecutableType

Executable subtype: Program, Library, or Core file?

os: OperatingSystem

Operating System for this binary

sections: Option<Vec<Section<'a>>>

Sections of this binary

imports: Option<Imports>

External libraries used by this application or library

interpreter: Option<String>

The path for the ELF loader (or interpreter)

contents: &'a [u8]

The array containing the raw bytes used to parse this program

Implementations

impl<'a> Elf<'a>

pub fn from(contents: &'a [u8]) -> Result<Self>

ELF parsed from a sequence of bytes

Trait Implementations

impl<'a> Clone for Elf<'a>

fn clone(&self) -> Elf<'a>

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<'a> Debug for Elf<'a>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'a> Display for Elf<'a>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'a> ExecutableFile for Elf<'a>

fn architecture(&self) -> Architecture

Get the architecture type

fn pointer_size(&self) -> usize

Get the pointer size, 32- or 64-bit

fn operating_system(&self) -> OperatingSystem

Get the operating system type for a binary

fn compiled_timestamp(&self) -> Option<DateTime<Utc>>

Get the compilation timestamp, if available

fn num_sections(&self) -> u32

Number of sections for a binary

fn sections(&self) -> Option<&Vec<Section<'_>>>

Vec of sections for the binary

fn import_hash(&self) -> Option<String>

Import hash of the binary

fn fuzzy_imports(&self) -> Option<String>

SSDeep fuzzy hash of the binary

impl<'a> SpecimenFile for Elf<'a>

const MAGIC: &'static [&'static [u8]] = _

Magic number, the bytes at the beginning of the file, which identify the file format Some file types have more than one possible magic number

fn type_name(&self) -> &'static str

Common name for a specific file type