mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0
3.98k stars 499 forks

elf: capa fails to extract import / export symbols #2096

Closed mike-hunhoff closed 2 weeks ago

mike-hunhoff commented 1 month ago

see original comment.

capa fails to extract import / export symbols from file with SHA256 hash a881dd981034d225cc2a298358fccccc9792df478c81d7e678d12b6658fe266a. This appears to partially be a result of the symbols being available through a .dynamic section:

ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          52 (bytes into file)
  Start of section headers:          4576 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         4
  Section header string table index: 3

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .dynstr           STRTAB          00000300 000300 0001e9 00   A  0   0  1
  [ 2] .dynamic          DYNAMIC         00001eb0 000eb0 000118 08  WA  1   0  4
  [ 3] .shstrtab         STRTAB          00000000 0010d8 000105 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  D (mbind), p (processor specific)

Dynamic section at offset 0xeb0 contains 25 entries:
  Tag        Type                         Name/Value
 0x00000003 (PLTGOT)                     0x1fc8
 0x00000002 (PLTRELSZ)                   88 (bytes)
 0x00000017 (JMPREL)                     0x608
 0x00000014 (PLTREL)                     REL
 0x00000011 (REL)                        0x5f0
 0x00000012 (RELSZ)                      24 (bytes)
 0x00000013 (RELENT)                     8 (bytes)
 0x6ffffffa (RELCOUNT)                   3
 0x00000006 (SYMTAB)                     0x1f0
 0x0000000b (SYMENT)                     16 (bytes)
 0x00000005 (STRTAB)                     0x300
 0x0000000a (STRSZ)                      489 (bytes)
 0x6ffffef5 (GNU_HASH)                   0x4ec
 0x00000004 (HASH)                       0x538
 0x00000001 (NEEDED)                     Shared library: [liblog.so]
 0x00000001 (NEEDED)                     Shared library: [libc.so]
 0x00000001 (NEEDED)                     Shared library: [libm.so]
 0x00000001 (NEEDED)                     Shared library: [libstdc++.so]
 0x00000001 (NEEDED)                     Shared library: [libdl.so]
 0x0000000e (SONAME)                     Library soname: [libtool-checker.so]
 0x0000001a (FINI_ARRAY)                 0x1ea8
 0x0000001c (FINI_ARRAYSZ)               8 (bytes)
 0x0000001e (FLAGS)                      BIND_NOW
 0x6ffffffb (FLAGS_1)                    Flags: NOW
 0x00000000 (NULL)                       0x0

capa as of now specifically looks for a symbol table section when extracting import / export symbols from ELF files: https://github.com/mandiant/capa/blob/0622f452086b6cdc30e00f71b4c53e8bcae62821/capa/features/extractors/elffile.py#L27

https://github.com/mandiant/capa/blob/0622f452086b6cdc30e00f71b4c53e8bcae62821/capa/features/extractors/elffile.py#L57
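The readelf output above shows why a section-table lookup comes up empty: the sample has no .symtab or .dynsym section at all, but its PT_DYNAMIC segment still carries DT_SYMTAB, DT_STRTAB, DT_STRSZ, DT_SYMENT and DT_HASH, which is everything the dynamic loader (and a static analyser) needs to enumerate imports and exports. The following is an added example, not capa's own code and not part of this issue: it resolves those tags through the program headers only, the way a loader would, and classifies symbols as imports (SHN_UNDEF) or exports (defined, GLOBAL or WEAK binding). The symbol count comes from the nchain field of DT_HASH, which the sample provides. `build_sample_elf()` constructs a minimal section-less ELF32 image purely as test input; the symbol names in it are made up.

```python
"""Extract import / export symbols from an ELF32 image that has no section headers."""
import struct

# ELF constants from the System V ABI
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_HASH, DT_STRTAB, DT_SYMTAB, DT_STRSZ, DT_SYMENT = 0, 1, 4, 5, 6, 10, 11
STB_GLOBAL, STB_WEAK, SHN_UNDEF = 1, 2, 0


def vaddr_to_offset(loads, vaddr):
    """Translate a virtual address into a file offset via the PT_LOAD map."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError(f"vaddr {vaddr:#x} is not backed by any PT_LOAD segment")


def extract_dynamic_symbols(data):
    """Return (needed_libraries, imports, exports) for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    (e_phoff,) = struct.unpack_from("<I", data, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x2A)

    loads, dynamic = [], None
    for i in range(e_phnum):  # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from("<IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_offset + p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment")

    tags, needed_offsets = {}, []
    off, end = dynamic
    while off + 8 <= end:  # Elf32_Dyn: d_tag (signed), d_val
        d_tag, d_val = struct.unpack_from("<iI", data, off)
        off += 8
        if d_tag == DT_NULL:
            break
        (needed_offsets.append if d_tag == DT_NEEDED else tags.__setitem__.__get__(d_tag) if False else None)
        if d_tag == DT_NEEDED:
            needed_offsets.append(d_val)
        else:
            tags[d_tag] = d_val
    missing = [t for t in (DT_SYMTAB, DT_STRTAB, DT_STRSZ, DT_SYMENT, DT_HASH) if t not in tags]
    if missing:
        raise ValueError(f"dynamic section lacks tags {missing}")

    symtab = vaddr_to_offset(loads, tags[DT_SYMTAB])
    strtab, strsz, syment = vaddr_to_offset(loads, tags[DT_STRTAB]), tags[DT_STRSZ], tags[DT_SYMENT]
    _nbucket, nchain = struct.unpack_from("<II", data, vaddr_to_offset(loads, tags[DT_HASH]))

    def name_at(st_name):  # bounded by DT_STRSZ so a hostile st_name cannot read past the table
        if st_name >= strsz:
            raise ValueError("symbol name offset outside DT_STRTAB")
        return data[strtab + st_name:data.index(b"\0", strtab + st_name, strtab + strsz)].decode("ascii", "replace")

    needed, imports, exports = [name_at(o) for o in needed_offsets], [], []
    for i in range(1, nchain):  # entry 0 is the reserved null symbol
        st_name, _val, _size, st_info, _other, st_shndx = struct.unpack_from("<IIIBBH", data, symtab + i * syment)
        name = name_at(st_name)
        if not name:
            continue
        if st_shndx == SHN_UNDEF:
            imports.append(name)
        elif (st_info >> 4) in (STB_GLOBAL, STB_WEAK):
            exports.append(name)
    return needed, imports, exports


def build_sample_elf():
    """Construct a minimal section-less ELF32 shared object (made-up test input, not a real sample)."""
    base = 0x1000  # virtual address at which the single PT_LOAD maps the whole file
    strtab, name_off = b"", {}
    for s in (b"", b"malloc", b"dlopen", b"JNI_OnLoad", b"helper", b"libc.so"):
        name_off[s] = len(strtab)
        strtab += s + b"\0"
    syms = [(b"", 0, 0), (b"malloc", STB_GLOBAL << 4, SHN_UNDEF), (b"dlopen", STB_GLOBAL << 4, SHN_UNDEF),
            (b"JNI_OnLoad", STB_GLOBAL << 4, 7), (b"helper", 0, 7)]  # "helper" is LOCAL: not an export
    symtab = b"".join(struct.pack("<IIIBBH", name_off[n], 0, 0, info, 0, shndx) for n, info, shndx in syms)
    hashtab = struct.pack("<II", 1, len(syms)) + b"\0" * 4 * (1 + len(syms))  # nbucket, nchain, ...
    sym_off = 52 + 2 * 32
    str_off = sym_off + len(symtab)
    hash_off = (str_off + len(strtab) + 3) & ~3
    dyn_off = hash_off + len(hashtab)
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in [
        (DT_NEEDED, name_off[b"libc.so"]), (DT_HASH, base + hash_off), (DT_STRTAB, base + str_off),
        (DT_SYMTAB, base + sym_off), (DT_STRSZ, len(strtab)), (DT_SYMENT, 16), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    # e_type=ET_DYN, e_machine=EM_386, e_shoff=0 and e_shnum=0: no section headers at all
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdrs = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    phdrs += struct.pack("<IIIIIIII", PT_DYNAMIC, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 6, 4)
    body = ehdr + phdrs + symtab + strtab
    return body + b"\0" * (hash_off - len(body)) + hashtab + dyn


if __name__ == "__main__":
    print(extract_dynamic_symbols(build_sample_elf()))  # (['libc.so'], ['malloc', 'dlopen'], ['JNI_OnLoad'])
```

Two points from the sample carry over: a stripped or deliberately mangled ELF can drop every section header and still load, so an extractor that only trusts section tables silently yields nothing, and a parser working from DT_STRTAB must bound string reads by DT_STRSZ because the tag values are attacker-controlled file data.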

mike-hunhoff commented 1 month ago

capa extracts import symbols but not export symbols from the sample with SHA256 hash 687e79cde5b0ced75ac229465835054931f9ec438816f2827a8be5f3bd474929.