Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/egibs/rsd

Rust implemention of xxd -e -l 64
https://github.com/egibs/rsd

binary-analysis elf elf-header elf-parser linux rust xxd

Last synced: about 1 month ago
JSON representation

Rust implemention of xxd -e -l 64

Host: GitHub
URL: https://github.com/egibs/rsd
Owner: egibs
License: apache-2.0
Created: 2024-06-08T23:52:38.000Z (5 months ago)
Default Branch: main
Last Pushed: 2024-09-11T11:51:56.000Z (2 months ago)
Last Synced: 2024-09-11T17:39:29.431Z (2 months ago)
Topics: binary-analysis, elf, elf-header, elf-parser, linux, rust, xxd
Language: Rust
Homepage:
Size: 163 KB
Stars: 0
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# rsd

`rsd` Rust implementation of something resembling `xxd -e -l 64`. Its functionality is limited to looking at the headers of ELF binaries and outputting the details in a mostly- human-readable format.

## Why?

I wanted to learn Rust a little better; I also wanted a more readable version of `xxd -e -l 64` when parsing ELF headers rather than parsing something like this:
```
ced27abc2bef:/# xxd -e -l 64 /bin/sh
00000000: 464c457f 00010102 00000000 00000000 .ELF............
00000010: 00b70003 00000001 0000a780 00000000 ................
00000020: 00000040 00000000 000a0348 00000000 @.......H.......
00000030: 00000000 00380040 00400009 00180019 [email protected]...@.....
```
or this:
```
ced27abc2bef:/# xxd -l 64 /bin/sh
00000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
00000010: 0300 b700 0100 0000 80a7 0000 0000 0000 ................
00000020: 4000 0000 0000 0000 4803 0a00 0000 0000 @.......H.......
00000030: 0000 0000 4000 3800 0900 4000 1900 1800 [email protected]...@.....
```

I've been writing YARA rules recently and knowing how to locate information like this can prove useful, though making it more human-readable is more efficient as well.

## What works for now?

- Building locally via `rustc`, Docker, or Apko (via Melange)
- ELF binaries

## Usage

`./rsd `

Example (run from Wolfi):
```
./rsd /bin/sh
Full header:
7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00 03 00 B7 00 01 00 00 00 80 A7 00 00 00 00 00 00 40 00 00 00 00 00 00 00 48 03 0A 00 00 00 00 00 00 00 00 00 40 00 38 00 09 00 40 00 19 00 18 00 ELF File Type: Shared (0x03)
Machine Type: AArch64 (0x00B7)

ELF Class: 64-bit
Data Encoding: Little-endian
ELF Version: 1
Entry Point Address: 42880
Program Header Table Offset: 64
Section Header Table Offset: 656200
ELF Header Size: 64 bytes
Program Header Table Entry Size: 56 bytes
Number of Program Header Table Entries: 9
Section Header Table Entry Size: 64 bytes
Number of Section Header Table Entries: 25
Section Header String Table Index: 24

Segment Information:
Segment 0:
Type: PT_NOTE (0x00000004)
Offset: 64
Virtual Address: 64
Physical Address: 64
File Size: 0x00000000000001F8 (504 bytes)
Memory Size: 0x00000000000001F8 (504 bytes)
Flags: Unknown (0x00000008)

Segment 1:
Type: PT_NOTE (0x00000004)
Offset: 568
Virtual Address: 568
Physical Address: 568
File Size: 0x000000000000001B (27 bytes)
Memory Size: 0x000000000000001B (27 bytes)
Flags: R (0x00000001)

Segment 2:
Type: PT_SHLIB (0x00000005)
Offset: 0
Virtual Address: 0
Physical Address: 0
File Size: 0x000000000008F118 (586008 bytes)
Memory Size: 0x000000000008F118 (586008 bytes)
Flags: Unknown (0x00010000)

Segment 3:
Type: PT_PHDR (0x00000006)
Offset: 646864
Virtual Address: 646864
Physical Address: 646864
File Size: 0x0000000000002399 (9113 bytes)
Memory Size: 0x0000000000002A00 (10752 bytes)
Flags: Unknown (0x00010000)

Segment 4:
Type: PT_PHDR (0x00000006)
Offset: 651720
Virtual Address: 651720
Physical Address: 651720
File Size: 0x0000000000000220 (544 bytes)
Memory Size: 0x0000000000000220 (544 bytes)
Flags: Unknown (0x00000008)

Segment 5:
Type: PT_NOTE (0x00000004)
Offset: 596
Virtual Address: 596
Physical Address: 596
File Size: 0x0000000000000020 (32 bytes)
Memory Size: 0x0000000000000020 (32 bytes)
Flags: X (0x00000004)

Segment 6:
Type: PT_NOTE (0x00000004)
Offset: 585820
Virtual Address: 585820
Physical Address: 585820
File Size: 0x0000000000000034 (52 bytes)
Memory Size: 0x0000000000000034 (52 bytes)
Flags: X (0x00000004)

Segment 7:
Type: PT_PHDR (0x00000006)
Offset: 0
Virtual Address: 0
Physical Address: 0
File Size: 0x0000000000000000 (0 bytes)
Memory Size: 0x0000000000000000 (0 bytes)
Flags: Unknown (0x00000010)

Segment 8:
Type: PT_NOTE (0x00000004)
Offset: 646864
Virtual Address: 646864
Physical Address: 646864
File Size: 0x0000000000002130 (8496 bytes)
Memory Size: 0x0000000000002130 (8496 bytes)
Flags: R (0x00000001)
```

Running `rsd` from MacOS will result in this:
```
❯ ./rsd /bin/sh
/bin/sh is not an ELF file (CAFEBABE).
```

## Will anything be added to this project?

Maybe -- I want to start automating various things in whatever language seems right.

Analyzing Mach-O binaries (i.e., MacOS binaries) doesn't seem to be as common but would be something to support in a future PR.