How to read Dwarf files?

[eddynaka]

Hi,

I created a dummy program in c that uses the following command line:

gcc -Wall hello.c -o hello -gdwarf

With that, it generated the hello file + a folder called hello.dSYM. So, with that, how can I load that and read using ELFSharp?

Thank you!

[konrad-kruczynski]

Hi Eddy, ELFSharp does not directly support reading DWARF data. You can read necessary section, but this will be all just a bunch of bytes. You can however use another library: https://github.com/csholmq/ElfParser that uses ELFSharp internally. DWARF support may be added one day, any PR in that subject would also be nice. If you need anything else, feel free to write it, otherwise I'll close the ticket soon.

[eddynaka]

HI @konrad-kruczynski ,

sorry for that. I thought in one thing and wrote another.

So, ELFSharp can read MACH-O, right?

Since I'm new to this, I tried to generate a file to be read by it (ELFSharp).

Do you know where I can find some samples, like, how to compile/read the binary after creating it?

Thank you again!

[konrad-kruczynski]

Oh, I see, so the question was actually more general. Due to some problem with ELFSharp's webpage examples are not easily accessible, but stay tuned since I'm planning to fix the webpage today. I'll send you a link then.

[eddynaka]

yeah, my idea was:

1. how do i generate an elf binary?
2. is it something with mach-o? how does that work?

very dummy questions. thank you again.

[konrad-kruczynski]

1. The method you have chosen is correct. After executing that gcc line hello will be an ELF executable.
2. No, Mach-O is a binary format used in Apple's OSes (iOS, macOS etc).

[eddynaka]

Hi @konrad-kruczynski ,

interesting...because i tried to load the hello using the ELFReader and I couldn't. Even, I tried to check if that was an ELF, it failed as well.

Attached you can find a hello.c / hello and the dwarf (that i know ELFSharp does not read). But at least, I would expect (based on ur comments), that I would be able to read the hello

dwarf.zip

[konrad-kruczynski]

Please try looking at the examples on the ELFSharp's webpage (I have just uploaded the content) and check if it works for you.

[konrad-kruczynski]

I have just looked at the zip file you sent some time ago and it seems you compiled the file on the macOS, is that true? In that case you indeed need to use Mach-O related classes to read it.

[eddynaka]

Can I ask how to do that?

And how did you know about the macOS?

Thank you for the help and guidance.

[konrad-kruczynski]

I checked that the files are Mach-O binaries, which are normally only produced on Apple's OSes (sans cross-compilation). To read one using ELFSharp you can try:

var machO = MachOReader.Load(File.ReadAllBytes("hello"));

[eddynaka]

interesting!

if I have a hello, is it possible to check if that was made from macOS or Ubuntu, for example?

I know that I could try both loaders, but is there a better way?

[eddynaka]

Do you happen to have more examples using MachOReader?

[evmaus]

@eddynaka -- Drive by comment, but -- in general, the first few bytes of a binary can be used to get to an "expected" format (as a sort of signature).

I don't recall if ELFSharp has a method for reading just those & getting back a binary type, but it wouldn't be too hard to do that.

Also, second drive by comment--since you're a current contributor on a project I used to work on: if you're looking at enabling checks in BinSkim for Mach-O files, you'll probably need a good list of which flags should be expected/required & the effects of those flags on the binary on Mac OSX; all the ELF rules were developed with only Linux in mind. Unfortunately, although clang/gcc run on both, the compiler mitigations available on particular platforms often vary/differ and they'll show up differently in the binaries, too.

[eddynaka]

@evmaus , thanks for letting me know! yeah, the idea is to use ElfSharp to read mach-o and generate rules.

[konrad-kruczynski]

Hi @eddynaka Just as @evmaus has written, there is no way currently to identify a binary using one method. I considered this as non-useful since we usually we know the type in advance. If there would be any usage for that, it can be implemented, just make a separate issue.

As for checking type of the binary, on Unix systems you can use file utility with the binary given as a first and only parameter.

[konrad-kruczynski]

@eddynaka Is there anything else to answer within this ticket or can I close it?

[eddynaka]

you can close! thank you :)