Merge pull request #370 from IoT-Inspector/elf-handler

martonilles · web-flow · commit d85aba87b67f · 2022-05-09T13:29:15.000+02:00
Add ELF handler and kernel initramfs extraction
diff --git a/default.nix b/default.nix
@@ -16,7 +16,6 @@
 , unar
 , file
 , hyperscan
-, pkg-config
 }:
 
 let
@@ -36,9 +35,11 @@ let
   self = mkPoetryApp {
     projectDir = ./.;
 
+    preferWheels = true;
+
     # Python dependencies that need special care, like non-python
     # build dependencies
-    overrides = poetry2nix.overrides.withDefaults (self: super: {
+    overrides = poetry2nix.overrides.withoutDefaults (self: super: {
       python-lzo = super.python-lzo.overridePythonAttrs (_: {
         buildInputs = [
           lzo
@@ -60,20 +61,16 @@ let
         ];
       });
 
-      file-magic = super.file-magic.overridePythonAttrs (_: {
+      file-magic = (super.file-magic.override { preferWheel = false; }).overridePythonAttrs (_: {
         patchPhase = ''
           substituteInPlace magic.py --replace "find_library('magic')" "'${file}/lib/libmagic.so'"
         '';
       });
 
       hyperscan = super.hyperscan.overridePythonAttrs (_: {
         buildInputs = [
-          self.poetry
           hyperscan
         ];
-        nativeBuildInputs = [
-          pkg-config
-        ];
       });
     });
 
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -29,6 +29,7 @@ file-magic = "^0.4.0"
 hyperscan = "^0.2.0"
 lark = "^1.1.2"
 lz4 = "^4.0.0"
+lief = "^0.12.1"
 
 
 [tool.poetry.dev-dependencies]
diff --git a/tests/handlers/executable/test_elf.py b/tests/handlers/executable/test_elf.py
@@ -0,0 +1,98 @@
+import pytest
+from helpers import unhex
+
+from unblob.file_utils import File
+from unblob.handlers.executable.elf import ELF64Handler
+from unblob.models import ValidChunk
+
+ELF_CONTENT = unhex(
+    """\
+00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
+00000010  03 00 3e 00 01 00 00 00  60 10 00 00 00 00 00 00  |..>.....`.......|
+00000020  40 00 00 00 00 00 00 00  30 10 00 00 00 00 00 00  |@.......0.......|
+00000030  00 00 00 00 40 00 38 00  0c 00 40 00 03 00 02 00  |....@.8...@.....|
+00000040  06 00 00 00 04 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
+00000050  40 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |@.......@.......|
+00000060  a0 02 00 00 00 00 00 00  a0 02 00 00 00 00 00 00  |................|
+00000070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  |................|
+00000080  00 00 00 00 00 00 00 00  18 03 00 00 00 00 00 00  |................|
+00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000000a0  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
+000000b0  01 00 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
+000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000000d0  e0 02 00 00 00 00 00 00  e0 02 00 00 00 00 00 00  |................|
+000000e0  00 10 00 00 00 00 00 00  01 00 00 00 05 00 00 00  |................|
+000000f0  00 10 00 00 00 00 00 00  00 10 00 00 00 00 00 00  |................|
+00000100  00 10 00 00 00 00 00 00  1b 00 00 00 00 00 00 00  |................|
+00000110  1b 00 00 00 00 00 00 00  00 10 00 00 00 00 00 00  |................|
+00000120  01 00 00 00 04 00 00 00  e0 02 00 00 00 00 00 00  |................|
+00000130  00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
+00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000150  00 10 00 00 00 00 00 00  01 00 00 00 06 00 00 00  |................|
+00000160  e0 02 00 00 00 00 00 00  b8 3d 00 00 00 00 00 00  |.........=......|
+00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000180  00 00 00 00 00 00 00 00  00 10 00 00 00 00 00 00  |................|
+00000190  02 00 00 00 06 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001a0  c8 3d 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.=..............|
+000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001c0  08 00 00 00 00 00 00 00  04 00 00 00 04 00 00 00  |................|
+000001d0  00 00 00 00 00 00 00 00  38 03 00 00 00 00 00 00  |........8.......|
+000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001f0  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
+00000200  04 00 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000210  68 03 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |h...............|
+00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000230  08 00 00 00 00 00 00 00  53 e5 74 64 04 00 00 00  |........S.td....|
+00000240  00 00 00 00 00 00 00 00  38 03 00 00 00 00 00 00  |........8.......|
+00000250  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000260  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
+00000270  50 e5 74 64 04 00 00 00  00 00 00 00 00 00 00 00  |P.td............|
+00000280  0c 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
+00000290  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000002a0  08 00 00 00 00 00 00 00  51 e5 74 64 06 00 00 00  |........Q.td....|
+000002b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+000002d0  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|
+000002e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+00001000  f3 0f 1e fa 48 83 ec 08  48 8b 05 d9 2f 00 00 48  |....H...H.../..H|
+00001010  85 c0 74 02 ff d0 48 83  c4 08 c3 00 2e 73 68 73  |..t...H......shs|
+00001020  74 72 74 61 62 00 2e 69  6e 69 74 00 00 00 00 00  |trtab..init.....|
+00001030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+00001070  0b 00 00 00 01 00 00 00  06 00 00 00 00 00 00 00  |................|
+00001080  00 10 00 00 00 00 00 00  00 10 00 00 00 00 00 00  |................|
+00001090  1b 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000010a0  04 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000010b0  01 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00  |................|
+000010c0  00 00 00 00 00 00 00 00  1b 10 00 00 00 00 00 00  |................|
+000010d0  11 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000010e0  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000010f0
+"""
+)
+
+
+def test_chunk_is_calculated():
+    file = File.from_bytes(ELF_CONTENT)
+    chunk = ELF64Handler().calculate_chunk(file, 0)
+
+    assert isinstance(chunk, ValidChunk)
+    assert chunk.start_offset == 0
+    assert chunk.end_offset == len(ELF_CONTENT)
+
+
+@pytest.mark.parametrize(
+    "offset, byte",
+    [
+        pytest.param(0x10, 0xFE, id="invalid e_type"),
+        pytest.param(0x12, 0xFE, id="invalid e_machine"),
+        pytest.param(0x14, 0xFE, id="invalid e_version"),
+    ],
+)
+def test_invalid_header(offset, byte):
+    file = File.from_bytes(ELF_CONTENT)
+    file[offset] = byte
+    chunk = ELF64Handler().calculate_chunk(file, 0)
+
+    assert chunk is None
diff --git a/tests/integration/executable/elf/elf32/__input__/sample_32_be.elf b/tests/integration/executable/elf/elf32/__input__/sample_32_be.elf
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2e48e9356134d947f71cf7027043234fe9721776926b49b640e2af019654e976
+size 5877
diff --git a/tests/integration/executable/elf/elf32/__input__/sample_32_le.elf b/tests/integration/executable/elf/elf32/__input__/sample_32_le.elf
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:17f17175f6b65306d43695804a1199e3acfc13c907df8b44e38eb1315abd0c2d
+size 15601
diff --git a/tests/integration/executable/elf/elf32/__output__/sample_32_be.elf_extract/0-13.unknown b/tests/integration/executable/elf/elf32/__output__/sample_32_be.elf_extract/0-13.unknown
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fa247b1e7697ed1e1ea26bb5905b2624a7d169cc2825398cc87fb3aa979e763
+size 13
diff --git a/tests/integration/executable/elf/elf32/__output__/sample_32_be.elf_extract/13-5877.elf32 b/tests/integration/executable/elf/elf32/__output__/sample_32_be.elf_extract/13-5877.elf32
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:445d44e2a476c24f551d6e586d95b7690b8d2677897000b0ae60bbfa57a26c14
+size 5864
diff --git a/tests/integration/executable/elf/elf32/__output__/sample_32_be.elf_extract/13-5877.elf32_extract/.gitkeep b/tests/integration/executable/elf/elf32/__output__/sample_32_be.elf_extract/13-5877.elf32_extract/.gitkeep
diff --git a/tests/integration/executable/elf/elf32/__output__/sample_32_le.elf_extract/0-13.unknown b/tests/integration/executable/elf/elf32/__output__/sample_32_le.elf_extract/0-13.unknown
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fa247b1e7697ed1e1ea26bb5905b2624a7d169cc2825398cc87fb3aa979e763
+size 13
diff --git a/tests/integration/executable/elf/elf32/__output__/sample_32_le.elf_extract/13-15601.elf32 b/tests/integration/executable/elf/elf32/__output__/sample_32_le.elf_extract/13-15601.elf32
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:322b323386d8557cee838a9b262588be94b51614099473790462e081069e9875
+size 15588
diff --git a/tests/integration/executable/elf/elf32/__output__/sample_32_le.elf_extract/13-15601.elf32_extract/.gitkeep b/tests/integration/executable/elf/elf32/__output__/sample_32_le.elf_extract/13-15601.elf32_extract/.gitkeep
diff --git a/tests/integration/executable/elf/elf64/__input__/sample_64_be.elf b/tests/integration/executable/elf/elf64/__input__/sample_64_be.elf
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2945ec360f313e81c830b9ac518c590294edd9a84ce45d5b22cd099a1015fb9a
+size 67741
diff --git a/tests/integration/executable/elf/elf64/__input__/sample_64_le.elf b/tests/integration/executable/elf/elf64/__input__/sample_64_le.elf
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6ddf96896b4007c571dfad76a62a12014106fc084b1ad20eb23869f59a89000e
+size 16709
diff --git a/tests/integration/executable/elf/elf64/__output__/sample_64_be.elf_extract/0-13.unknown b/tests/integration/executable/elf/elf64/__output__/sample_64_be.elf_extract/0-13.unknown
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fa247b1e7697ed1e1ea26bb5905b2624a7d169cc2825398cc87fb3aa979e763
+size 13
diff --git a/tests/integration/executable/elf/elf64/__output__/sample_64_be.elf_extract/13-67741.elf64 b/tests/integration/executable/elf/elf64/__output__/sample_64_be.elf_extract/13-67741.elf64
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:753f52b6578ee0beff0c6945b90e61aced95e923eb7638a145ce2725d814b373
+size 67728
diff --git a/tests/integration/executable/elf/elf64/__output__/sample_64_be.elf_extract/13-67741.elf64_extract/.gitkeep b/tests/integration/executable/elf/elf64/__output__/sample_64_be.elf_extract/13-67741.elf64_extract/.gitkeep
diff --git a/tests/integration/executable/elf/elf64/__output__/sample_64_le.elf_extract/0-13.unknown b/tests/integration/executable/elf/elf64/__output__/sample_64_le.elf_extract/0-13.unknown
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3fa247b1e7697ed1e1ea26bb5905b2624a7d169cc2825398cc87fb3aa979e763
+size 13
diff --git a/tests/integration/executable/elf/elf64/__output__/sample_64_le.elf_extract/13-16709.elf64 b/tests/integration/executable/elf/elf64/__output__/sample_64_le.elf_extract/13-16709.elf64
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0cdef48cbc719bac1d8b8379f3f841c1431ae03a1976a3a84e459003165e1697
+size 16696
diff --git a/tests/integration/executable/elf/elf64/__output__/sample_64_le.elf_extract/13-16709.elf64_extract/.gitkeep b/tests/integration/executable/elf/elf64/__output__/sample_64_le.elf_extract/13-16709.elf64_extract/.gitkeep
diff --git a/unblob/handlers/__init__.py b/unblob/handlers/__init__.py
@@ -1,6 +1,7 @@
 from ..models import Handlers
 from .archive import ar, arc, arj, cab, cpio, dmg, rar, sevenzip, stuffit, tar, zip
 from .compression import bzip2, compress, gzip, lz4, lzh, lzip, lzma, lzo, xz
+from .executable import elf
 from .filesystem import (
     cramfs,
     extfs,
@@ -61,4 +62,6 @@
     lz4.SkippableFrameHandler,
     lz4.DefaultFrameHandler,
     xz.XZHandler,
+    elf.ELF32Handler,
+    elf.ELF64Handler,
 )
diff --git a/unblob/handlers/executable/__init__.py b/unblob/handlers/executable/__init__.py
diff --git a/unblob/handlers/executable/elf.py b/unblob/handlers/executable/elf.py
diff --git a/unblob/processing.py b/unblob/processing.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:2e48e9356134d947f71cf7027043234fe9721776926b49b640e2af019654e976`
	`3`	`+size 5877`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:17f17175f6b65306d43695804a1199e3acfc13c907df8b44e38eb1315abd0c2d`
	`3`	`+size 15601`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:3fa247b1e7697ed1e1ea26bb5905b2624a7d169cc2825398cc87fb3aa979e763`
	`3`	`+size 13`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+version https://git-lfs.github.com/spec/v1`
	`2`	`+oid sha256:445d44e2a476c24f551d6e586d95b7690b8d2677897000b0ae60bbfa57a26c14`
	`3`	`+size 5864`