Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/strazzere/elf-dump-fix
Utilities used to dump an Android ELF from memory and fix it, including rebuilding the ELF section headers
android elf elf-dump memory-dump reverse-engineering
Last synced: 2 months ago
- Host: GitHub
- URL: https://github.com/strazzere/elf-dump-fix
- Owner: strazzere
- Created: 2022-11-28T18:34:04.000Z (about 2 years ago)
- Default Branch: master
- Last Pushed: 2022-11-29T04:37:44.000Z (about 2 years ago)
- Last Synced: 2023-03-22T12:34:50.640Z (almost 2 years ago)
- Topics: android, elf, elf-dump, memory-dump, reverse-engineering
- Language: C
- Homepage:
- Size: 62.5 KB
- Stars: 24
- Watchers: 2
- Forks: 8
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# elf-dump-fix
This repository includes two utilities for dumping and fixing ARM elf32/elf64 files from memory.

- `dump`
  - Runs on Android: dumps an ELF from a process's memory and fixes the headers. It attempts to rebuild the Section Headers for better IDA analysis.
- `sofix`
  - Runs on a PC: fixes an ELF file that was dumped from memory and rebuilds the Section Headers for better IDA analysis.

The main goal is to rebuild the Section Header of an ELF from a memory dump. This is useful for unpacking a file that has been protected with UPX or a packer such as 360's libjiagu.so.
## Build
The build system has been revamped to use a docker container for all the compilation and NDK setup. The Makefile will automatically download the required container. The local build still depends on a valid `CXX` environment variable.

- dump
  - ```
    make
    ```
  - output path is `build/local/{armeabi-v7a|arm64-v8a}/dump`
- sofix
  - ```
    make local
    ```
  - output path is `build/sofix`
## HowToUse
- sofix
  - params (in order)
    - the ELF file dumped from memory (you can use dd or the IDA debugger to dump an ELF file from an Android process)
    - the memory base of the ELF file dumped from memory; if you don't know it, pass 0
    - the output file
  - example
    - `./sofix dumped.so 0x6f5a4000 b.so`
- dump
  - This is run on an Android phone.
  - Make sure your phone has root access.
  - Push it onto /data/local/tmp and grant +x like this:
    - `adb push build/local/arm64-v8a/dump /data/local/tmp/ && adb shell chmod 755 /data/local/tmp/dump`
  - Use adb shell to enter your phone and switch to the root user with the su command.
  - params (in order): the four required arguments below, then ` [is-stop-process-before-dump] [is-fix-so-after-dump]`
    - the process id you want to dump
    - the start address of the ELF you want to dump in process memory; you can get this from `cat /proc//maps`
    - the end address of the ELF you want to dump in process memory; you can get this from `cat /proc//maps`
    - the fixed ELF output path on your phone
    - `[is-stop-process-before-dump]` 0/1: whether to send a signal to the process before doing the dump job, useful against some anti-dumping apps. If there is no anti-dumping on your target process, 0 is fine.
    - `[is-fix-so-after-dump]` 0/1: whether to do the fix job and Section Header rebuilding; if set to 1, it will try to fix the ELF after dumping.
  - example
    - if you want to dump libc.so, and your `/proc/[pid]/maps` looks like this
    - ```
      40105000-4014c000 r-xp 00000000 b3:19 717 /system/lib/libc.so
      4014c000-4014d000 ---p 00000000 00:00 0
      4014d000-4014f000 r--p 00047000 b3:19 717 /system/lib/libc.so
      4014f000-40152000 rw-p 00049000 b3:19 717 /system/lib/libc.so
      40152000-40160000 rw-p 00000000 00:00 0
      ```
    - `./dump 1148 0x40105000 0x40160000 ./out.so 0 1`
    - The dump ends at `40160000` rather than `40152000` because the ELF's `.bss` memory, if present, must be dumped too; the fix process depends on it.
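The start/end arguments above are read by hand from `/proc/[pid]/maps`. The helper below is an added example, not code from the elf-dump-fix project: it parses maps lines in the format shown, collects every mapping backed by the target path, and extends the end over an immediately adjacent anonymous `rw-p` region so the `.bss` is included, as the README's libc.so example requires. The sample maps text is constructed from that example; treating a `[anon:...]` label as anonymous memory is an assumption about newer Android kernels, and `dump_command` simply formats the command line in the README's argument order.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: the README's /proc/[pid]/maps excerpt for libc.so.
SAMPLE_MAPS = """\
40105000-4014c000 r-xp 00000000 b3:19 717 /system/lib/libc.so
4014c000-4014d000 ---p 00000000 00:00 0
4014d000-4014f000 r--p 00047000 b3:19 717 /system/lib/libc.so
4014f000-40152000 rw-p 00049000 b3:19 717 /system/lib/libc.so
40152000-40160000 rw-p 00000000 00:00 0
"""

# Fields: start-end, perms, file offset, device, inode, optional pathname.
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int
    path: str  # "" for an anonymous mapping


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/[pid]/maps text into Mapping records, keeping file order."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable maps line: {line!r}")
        mappings.append(
            Mapping(int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16), m[7].strip())
        )
    return mappings


def is_anonymous(m: Mapping) -> bool:
    # Assumption: anonymous memory has an empty pathname, or on newer Android
    # kernels a "[anon:...]" label set by the runtime via prctl(PR_SET_VMA).
    return m.path == "" or m.path.startswith("[anon:")


def elf_dump_range(mappings: List[Mapping], path: str) -> Optional[Tuple[int, int]]:
    """Return (start, end) spanning every mapping of `path`, extended over an
    adjacent anonymous rw-p mapping so the .bss is dumped as well."""
    idx = [i for i, m in enumerate(mappings) if m.path == path]
    if not idx:
        return None
    start = mappings[idx[0]].start
    last = idx[-1]
    end = mappings[last].end
    # Guard pages (---p) between file-backed segments are already inside
    # [start, end); only the trailing anonymous rw-p region needs adding.
    if last + 1 < len(mappings):
        nxt = mappings[last + 1]
        if is_anonymous(nxt) and nxt.perms == "rw-p" and nxt.start == end:
            end = nxt.end
    return start, end


def dump_command(pid: int, rng: Tuple[int, int], out_path: str,
                 stop_before: int = 0, fix_after: int = 1) -> str:
    """Format the dump invocation in the README's argument order."""
    start, end = rng
    return f"./dump {pid} {start:#x} {end:#x} {out_path} {stop_before} {fix_after}"


if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    rng = elf_dump_range(maps, "/system/lib/libc.so")
    print(dump_command(1148, rng, "./out.so", 0, 1))
```

On a device the same logic applies to the output of `cat /proc/[pid]/maps`; if no anonymous `rw-p` region follows the last file-backed mapping, the range simply ends at that mapping.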
## Compare between no-fix and fixed ELF
![](imgs/no-fix.png)
![](imgs/fix.png)

## Original work by maiyao1988
This is just some changes to the build system, and updates to certain files, from the original work created by [maiyao1988](https://github.com/maiyao1988) in their repo at [maiyao1988/elf-dump-fix](https://github.com/maiyao1988/elf-dump-fix).