ELF Header Manipulation

Apr 3, 2025 by Zacharia Mansouri | 157 views

https://cylab.be/blog/405/elf-header-manipulation

Executable and Linkable Format (ELF) files are the backbone of Linux executables and shared libraries. Their headers provide critical information that helps the kernel load and execute them correctly. However, malicious actors often manipulate ELF headers to evade detection or hinder analysis. In this blog post, we’ll explore ELF header manipulation techniques, their impact on analysis tools, and how to programmatically inspect and modify ELF headers using Python.

Understanding the ELF Header

The ELF header is the starting point of an ELF file. It contains metadata required for the proper loading and execution of the program.

ELF Header Structure

Here’s a minimal ELF header layout in C for reference (32-bit):

struct Elf32_Ehdr {
    unsigned char e_ident[16];
    uint16_t e_type;
    uint16_t e_machine;
    uint32_t e_version;
    uint32_t e_entry;
    uint32_t e_phoff;
    uint32_t e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize;
    uint16_t e_phentsize;
    uint16_t e_phnum;
    uint16_t e_shentsize;
    uint16_t e_shnum;
    uint16_t e_shstrndx;
};

The Elf32_Ehdr/Elf64_Ehdr structures the header bytes of any 32/64-bit ELF file and can be read using the readelf tool:

readelf -h example.elf

Field	Corresponding row of `readelf -h example.elf`	Data
`e_ident`	Magic	ELF Identification data, containing the ELF magic number (`\x7fELF`), class (`32-bit` or `64-bit`), endianness, file version, operating system, ABI version, and padding bytes
`e_type`	Type	File object type e.g., whether the file is an executable, relocatable object, shared object, or core dump
`e_machine`	Machine	Target instruction set architecture (e.g., `x86`, `ARM`)
`e_version`	Version	Typically `1` for the current ELF version
`e_entry`	Entry point address	Address where execution starts in an executable ELF file
`e_phoff`	Start of program headers	Offset (in bytes) to the program header table from the beginning of the file
`e_shoff`	Start of section headers	Offset (in bytes) to the section header table from the beginning of the file
`e_flags`	Flags	CPU-specific flags for the ELF file (architecture-dependent)
`e_ehsize`	Size of this header	Size (in bytes) of the ELF header
`e_phentsize`	Size of program headers	Size (in bytes) of each program header table entry
`e_phnum`	Number of program headers	Total number of entries in the program header table
`e_shentsize`	Size of section headers	Size (in bytes) of each section header table entry
`e_shnum`	Number of section headers	Total number of entries in the section header table
`e_shstrndx`	Section header string table index	Index in the section header table where section names are stored

Detailed information on each field is available in this chapter of the Linux Foundation Referenced Specifications.

Malicious Manipulations of ELF Headers

Anomalous & Invalid ELF Techniques

These techniques hinder static analysis by stripping metadata, misleading analysts, or corrupting ELF structures for evasion and anti-analysis:

misleading metadata: altering e_ident to report a different ABI (e.g., FreeBSD) confuses analysts while remaining executable
corrupting the section header table: modifying e_shoff, e_shnum, or e_shentsize disrupts ELF parsing
overlapping headers: creating overlaps between the ELF header and other structures (e.g., segment headers)
invalid string table index: setting e_shstrndx to an invalid value can break section name resolution.

Basic Tools Overview

Several tools help inspect and manipulate ELF files, here are a few of them:

file: identifies ELF type, architecture, and endianness, even when other tools fail, run with: file example.elf
readelf: displays detailed ELF info but fails with missing or corrupted fields, run with: readelf -a example.elf
pyelftools: python library for parsing ELF files; fails gracefully on corrupted/empty section headers
objdump: displays ELF info and disassembles code, fails on severe corruption, run with: objdump -x example.elf
binutils: includes tools like nm, ld, and objcopy for symbol extraction and manipulation

In the following, we’ll use readelf and pyelftools to analyze which ELF headers trigger errors, warnings, or prevent execution.

Programmatic Header Manipulation with Python

This is the example.c file that will be used in the rest of this blog post:

#include <stdio.h>

int main() {
	printf("Example.\n");
	return 0;
}

Compiled to build example.elf:

gcc example.c -o example.elf

Using the pyelftools library, we can parse and manipulate ELF headers. Let’s explore some examples but first, let’s install it:

python3 -m pip install pyelftools

Reading an ELF Header

from elftools.elf.elffile import ELFFile

def read_elf_header(file_path):
    with open(file_path, 'rb') as f:
        elf = ELFFile(f)
        header = elf.header
        print("ELF Header:")
        for key, value in header.items():
            print(f"{key}: {value}")

read_elf_header('example.elf')

Modifying an ELF Header

from elftools.elf.elffile import ELFFile
from elftools.elf.enums import ENUM_E_IDENT_OSABI

def modify_elf_osabi(file_path, new_osabi):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        # Seek to the OSABI field in the e_ident array
        f.seek(8)
        f.write(bytes([ENUM_E_IDENT_OSABI[new_osabi]]))

modify_elf_osabi('example.elf', 'ELFOSABI_FREEBSD')

Note that class and endianness are automatically managed by pyelftools.

Observing Manipulation Reactions

The following program corrupts each field to determine which ones trigger an error or warning when readelf reads the corrupted executable and whether that executable still runs correctly after a specific field is corrupted.

from elftools.elf.elffile import ELFFile
import struct
import shutil

def modify_elf(file_path, modification_func, suffix):
    new_file = f"{file_path}_{suffix}"
    shutil.copy(file_path, new_file)  # Create a new file
    modification_func(new_file)
    print(f"[+] Modified ELF saved as {new_file}")

def modify_elf_magic(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(0)
        f.write(b'\x00\x00\x00\x00')  # Corrupt ELF magic

def modify_elf_class(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(4)
        f.write(b'\x03')  # Invalid ELF class

def modify_elf_endianness(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(5)
        f.write(b'\x03')  # Invalid endianness

def modify_elf_eversion(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(6)
        f.write(b'\xFF')  # Invalid file version

def modify_elf_os(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(7)
        f.write(b'\xFF')  # Invalid OS

def modify_elf_osabi(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(8)
        f.write(b'\xff')  # Invalid OSABI

def modify_elf_padding(file_path):
    with open(file_path, 'r+b') as f:
        f.seek(9)
        f.write(b'\xFF' * 7)  # Corrupt padding bytes

def modify_elf_etype(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_type'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_emachine(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_machine'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_version(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_version'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_entry_point(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_entry'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_phoff(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_phoff'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_shoff(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_shoff'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_flags(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_flags'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_ehsize(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_ehsize'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_phentsize(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_phentsize'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_phnum(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_phnum'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_shentsize(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_shentsize'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_shnum(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_shnum'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

def modify_elf_shstrndx(file_path):
    with open(file_path, 'r+b') as f:
        elf = ELFFile(f)
        ehdr = elf.header
        ehdr['e_shstrndx'] = 0xFFFF
        f.seek(0)
        f.write(elf.structs.Elf_Ehdr.build(ehdr))

if __name__ == "__main__":
    test_file = "example.elf"
    
    modify_elf(test_file, modify_elf_magic, "corrupt_magic")
    modify_elf(test_file, modify_elf_class, "corrupt_class")
    modify_elf(test_file, modify_elf_endianness, "corrupt_endianness")
    modify_elf(test_file, modify_elf_eversion, "corrupt_eversion")
    modify_elf(test_file, modify_elf_os, "corrupt_os")
    modify_elf(test_file, modify_elf_osabi, "corrupt_osabi")
    modify_elf(test_file, modify_elf_padding, "corrupt_padding")
    modify_elf(test_file, modify_elf_etype, "corrupt_etype")
    modify_elf(test_file, modify_elf_emachine, "corrupt_emachine")
    modify_elf(test_file, modify_elf_version, "corrupt_version")
    modify_elf(test_file, modify_elf_entry_point, "corrupt_entry")
    modify_elf(test_file, modify_elf_phoff, "corrupt_phoff")
    modify_elf(test_file, modify_elf_shoff, "corrupt_shoff")
    modify_elf(test_file, modify_elf_flags, "corrupt_flags")
    modify_elf(test_file, modify_elf_ehsize, "corrupt_ehsize")
    modify_elf(test_file, modify_elf_phentsize, "corrupt_phentsize")
    modify_elf(test_file, modify_elf_phnum, "corrupt_phnum")
    modify_elf(test_file, modify_elf_shentsize, "corrupt_shentsize")
    modify_elf(test_file, modify_elf_shnum, "corrupt_shnum")
    modify_elf(test_file, modify_elf_shstrndx, "corrupt_shstrndx")
    
    print("[+] ELF file modifications complete.")

Here is the output:

Field	Parsed by `readelf` without errors?	Still executable?
`e_ident` (Magic)	❌ No	❌ No
`e_ident` (Class)	❌ No	✅ Yes
`e_ident` (Endianness)	✅ Yes	✅ Yes
`e_ident` (File version)	✅ Yes	✅ Yes
`e_ident` (Operating system)	✅ Yes	✅ Yes
`e_ident` (ABI version)	✅ Yes	✅ Yes
`e_ident` (Padding)	✅ Yes	✅ Yes
`e_type`	❌ No	❌ No
`e_machine`	✅ Yes	❌ No
`e_version`	✅ Yes	✅ Yes
`e_entry`	✅ Yes	❌ No
`e_phoff`	❌ No	❌ No
`e_shoff`	❌ No	✅ Yes
`e_flags`	✅ Yes	✅ Yes
`e_ehsize`	✅ Yes	✅ Yes
`e_phentsize`	❌ No	❌ No
`e_phnum`	❌ No	❌ No
`e_shentsize`	❌ No	✅ Yes
`e_shnum`	❌ No	✅ Yes
`e_shstrndx`	❌ No	✅ Yes

Some fields are crucial for both readelf and execution: e_ident (Magic), e_type, e_machine, e_entry, e_phoff, e_phentsize, and e_phnum must remain valid for the ELF file to be executable. Corrupting these results in either a parsing failure or an unexecutable file.

Some fields break readelf but don’t prevent execution: e_ident (Class) causes readelf errors but doesn’t stop execution. This suggests that the loader can handle an incorrect class, but readelf has stricter validation.

Some fields break execution but don’t cause readelf errors: e_machine, e_entry affect execution but are still readable by readelf. This makes sense because e_machine defines CPU compatibility, and e_entry is the entry point for execution.

Some fields do not impact execution significantly: e_ident (Endianness, File version, OS, ABI version), e_version, e_flags, e_shentsize, e_shnum, and e_shstrndx can be modified without affecting execution. These fields might be informational or related to section headers, which are less critical at runtime.

ELF validation tools emphasize offsets and structural integrity, while execution depends more on entry points and program headers.

Conclusion

ELF header manipulation can significantly impact how analysis tools interpret binaries and whether an executable runs correctly. While some modifications, like changing the OSABI or padding bytes, may go unnoticed, others, such as corrupting the ELF magic or e_type, render the file unreadable or unexecutable. By systematically altering these fields and observing their effects, we gain insight into potential evasion techniques used by malware and the robustness of analysis tools like readelf and pyelftools.

References

E. Cozzi, M. Graziano, Y. Fratantonio and D. Balzarotti, “Understanding Linux Malware,” 2018 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2018, pp. 161-175, doi: 10.1109/SP.2018.00054
ELF Specification: https://refspecs.linuxfoundation.org/elf/elf.pdf
pyelftools Documentation: https://github.com/eliben/pyelftools
Linux Foundation Referenced Specifications: https://refspecs.linuxfoundation.org/

This blog post is licensed under CC BY-SA 4.0