elf

package

v0.0.0-...-e9c19ba Latest Latest Go to latest Published: Feb 9, 2026 License: Apache-2.0 Imports: 18 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/aquasecurity/tracee

Links

Open Source Insights

Documentation ¶

Overview ¶

Package elf provides comprehensive ELF binary analysis utilities.

This package offers functionality for analyzing ELF binaries including: - Symbol resolution and offset calculation - Function instruction analysis (finding RET instructions) - Support for multiple architectures (x86_64, ARM64) - Memory-optimized symbol loading with selective caching - Support for different symbol types (Rust, C++, etc.)

The main type is ElfAnalyzer which provides a high-level interface for ELF binary analysis with efficient memory management through memory mapping and selective symbol loading.

Index ¶

Variables
func GetCompatibleElfMachines() []elf.Machine
func GetHostElfMachine() elf.Machine
func HasElfMagic(bytesArray []byte) bool
func Is32BitMachine(machine elf.Machine) bool
func IsElf(bytesArray []byte) bool
func IsElfFile(filePath string) bool
func IsMachineCompatibleWithHost(machine elf.Machine) bool
type ElfAnalyzer
- func NewElfAnalyzer(filePath string, wantedSymbols []WantedSymbol) (*ElfAnalyzer, error)
type ElfSymbol
- func (s ElfSymbol) IsImported() bool
type GoVersion
type PlainSymbolName
- func (s PlainSymbolName) Matches(symbolName string) bool
- func (s PlainSymbolName) String() string
type WantedSymbol
- func NewPlainSymbolName(name string) WantedSymbol
- func WantedSymbolsFromStrings(symbols map[string]struct{}) []WantedSymbol

Constants ¶

This section is empty.

Variables ¶

View Source

var ErrNotGoBinary = errors.New("not a go binary")

View Source

var ErrSymbolNotFound = errors.New("symbol not found")

Functions ¶

func GetCompatibleElfMachines ¶

func GetCompatibleElfMachines() []elf.Machine

GetCompatibleElfMachines returns all ELF machine types that can run on the host. On 64-bit hosts, this includes both native 64-bit and 32-bit compat binaries. For example, on x86_64 hosts, both EM_X86_64 and EM_386 (i386) binaries can run.

func GetHostElfMachine ¶

func GetHostElfMachine() elf.Machine

GetHostElfMachine returns the ELF machine type for the host architecture. Tracee only supports x86_64 and arm64.

func HasElfMagic ¶

func HasElfMagic(bytesArray []byte) bool

HasElfMagic checks if the given bytes start with the ELF magic number (0x7F 'ELF'). This is a fast check that only validates the first 4 bytes.

func Is32BitMachine ¶

func Is32BitMachine(machine elf.Machine) bool

Is32BitMachine returns true if the given ELF machine type is a 32-bit architecture.

func IsElf ¶

func IsElf(bytesArray []byte) bool

IsElf checks if the given bytes represent a valid ELF file. Currently this only checks the magic number, but can be expanded in the future to include more comprehensive ELF validation.

func IsElfFile ¶

func IsElfFile(filePath string) bool

IsElfFile checks if the file at the given path is an ELF file (fast magic-only check).

func IsMachineCompatibleWithHost ¶

func IsMachineCompatibleWithHost(machine elf.Machine) bool

IsMachineCompatibleWithHost checks if the given ELF machine type can run on this host.

Types ¶

type ElfAnalyzer ¶

type ElfAnalyzer struct {
	// contains filtered or unexported fields
}

func NewElfAnalyzer ¶

func NewElfAnalyzer(filePath string, wantedSymbols []WantedSymbol) (*ElfAnalyzer, error)

func (*ElfAnalyzer) Close ¶

func (ea *ElfAnalyzer) Close() error

func (*ElfAnalyzer) GetFilePath ¶

func (ea *ElfAnalyzer) GetFilePath() string

func (*ElfAnalyzer) GetFunctionRetInsts ¶

func (ea *ElfAnalyzer) GetFunctionRetInsts(funcName string) ([]uint64, error)

func (*ElfAnalyzer) GetGoVersion ¶

func (ea *ElfAnalyzer) GetGoVersion() (*GoVersion, error)

func (*ElfAnalyzer) GetMachine ¶

func (ea *ElfAnalyzer) GetMachine() elf.Machine

GetMachine returns the ELF machine type (architecture) of the binary.

func (*ElfAnalyzer) GetSymbol ¶

func (ea *ElfAnalyzer) GetSymbol(symbolName string) (*ElfSymbol, error)

func (*ElfAnalyzer) GetSymbolOffset ¶

func (ea *ElfAnalyzer) GetSymbolOffset(symbolName string) (uint64, error)

func (*ElfAnalyzer) Is32Bit ¶

func (ea *ElfAnalyzer) Is32Bit() bool

Is32Bit returns true if the ELF binary is a 32-bit architecture.

func (*ElfAnalyzer) IsArchCompatible ¶

func (ea *ElfAnalyzer) IsArchCompatible() bool

IsArchCompatible checks if the ELF binary's architecture is compatible with the host. On x86_64 hosts, both 64-bit (EM_X86_64) and 32-bit (EM_386) binaries are compatible.

type ElfSymbol ¶

type ElfSymbol struct {
	Name        string
	Info, Other byte
	Section     elf.SectionIndex
	Value, Size uint64
}

func (ElfSymbol) IsImported ¶

func (s ElfSymbol) IsImported() bool

type GoVersion ¶

type GoVersion struct {
	Major, Minor, Patch int
}

type PlainSymbolName ¶

type PlainSymbolName string

PlainSymbolName represents a regular symbol name for exact string matching

func (PlainSymbolName) Matches ¶

func (s PlainSymbolName) Matches(symbolName string) bool

func (PlainSymbolName) String ¶

func (s PlainSymbolName) String() string

type WantedSymbol ¶

type WantedSymbol interface {
	Matches(symbolName string) bool
	String() string
}

WantedSymbol interface for different types of symbols that can be searched for

func NewPlainSymbolName ¶

func NewPlainSymbolName(name string) WantedSymbol

NewPlainSymbolName creates a WantedSymbol for exact string matching

func WantedSymbolsFromStrings ¶

func WantedSymbolsFromStrings(symbols map[string]struct{}) []WantedSymbol

WantedSymbolsFromStrings converts a map of string symbols to WantedSymbol slice

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL