Home
secnotes edited this page May 17, 2025 · 5 revisions
Welcome to the elfspirit wiki!
ELFSPIRIT is a comprehensive static analysis and injection framework designed to parse, manipulate, patch, and camouflage ELF files. With elfspirit, you can explore the intricacies of the ELF format and have the freedom to finely manipulate every byte within the ELF file. Whether you are engaging in virtual Capture The Flag challenges or conducting research on real-world viruses, elfspirit provides a versatile platform. Its applications span from user mode programs to rootkits, offering a solid foundation for a wide range of endeavors.
```
┌──(kali㉿kali)-[~/Tools]
└─$ elfspirit
Current version: 1.10.0
Usage: elfspirit [function] [option]<argument>... ELF
Currently defined functions:
  parse       Parse ELF file statically like readelf
  edit        Modify ELF file information freely
  shellcode   Extract binary fragments and convert shellcode. [extract, hex2bin]
  firmware    Add ELF info to firmware or join mutli bin file. [bin2elf, joinelf]
  patch       Patch ELF. [--set-interpreter, --set-rpath, --set-runpath]
  confuse     Obfuscate ELF symbols. [--rm-section, --rm-shdr, --rm-strip, confuse]
  infect      Infect ELF like virus. [--infect-silvio, --infect-skeksi, --infect-data, exe2so]
  forensic    Analyze the Legitimacy of ELF File Structure. [checksec]
  other       Deprecated cmd. [addsec, injectso(deprecate)]
Currently defined options:
  -n, --section-name=<section name>       Set section name
  -z, --section-size=<section size>       Set section size
  -f, --file-name=<file name>             File containing code(e.g. so, etc.)
  -s, --string-name=<string name>         String value
  -c, --configure-name=<file name>        File containing configure(e.g. json, etc.)
  -a, --architecture=<ELF architecture>   ELF architecture
  -m, --class=<ELF machine>               ELF class(e.g. 32bit, 64bit, etc.)
      --value=<math value>                Reserve value(e.g. 7=111=rwx)
  -e, --endian=<ELF endian>               ELF endian(e.g. little, big, etc.)
  -b, --base=<ELF base address>           ELF base address
  -o, --offset=<injection offset>         Offset of injection point
  -i, --row=<object index>                Index of the object to be read or written
  -j, --column=<vertical axis>            The vertical axis of the object to be read or written
  -l, --length=<string length>            Display the maximum length of the string
  -v, --version-libc=<libc version>       Libc.so or ld.so version
  -h, --help[={none|English|Chinese}]     Display this output
  -A, (no argument)                       Display all ELF file infomation
  -H, (no argument)                       Display | Edit ELF file header
  -S, (no argument)                       Display | Edit the section header
  -P, (no argument)                       Display | Edit the program header
  -B, (no argument)                       Display | Edit .symtab information
  -D, (no argument)                       Display | Edit .dynsym information
  -L, (no argument)                       Display | Edit .dynamic information
  -R, (no argument)                       Display | Edit relocation section
  -I, (no argument)                       Display | Edit pointer(e.g. .init_array, etc.)
  -G, (no argument)                       Display hash table
Detailed Usage:
  elfspirit parse [-A|H|S|P|B|D|R|I|G] ELF
  elfspirit edit [-H|S|P|B|D|R|I] [-i]<row> [-j]<column> [-m|-s]<int|string value> ELF
  elfspirit bin2elf [-a]<arm|x86> [-m]<32|64> [-e]<little|big> [-b]<base address> ELF
  elfspirit joinelf [-a]<arm|x86> [-m]<32|64> [-e]<little|big> [-c]<configuration file> OUT_ELF
  elfspirit hex2bin [-s]<shellcode hex> [-z]<size>
  elfspirit extract [-n]<section name> ELF
                    [-o]<file offset> [-z]<size> ELF
  elfspirit hook [-s]<hook symbol> [-f]<new function bin> [-o]<new function start offset> ELF
  elfspirit exe2so [-s]<symbol> [-m]<function offset> [-z]<function size> ELF
  elfspirit addsec [-n]<section name> [-z]<section size> [-o]<offset(optional)> ELF
  elfspirit injectso [-n]<section name> [-f]<so name> [-c]<configure file>
                     [-v]<libc version> ELF
  elfspirit checksec ELF
  elfspirit --edit-section-flags [-i]<row of section> [-m]<permission> ELF
  elfspirit --edit-segment-flags [-i]<row of segment> [-m]<permission> ELF
  elfspirit --edit-hex [-o]<offset> [-s]<hex string> [-z]<size> ELF
  elfspirit --edit-pointer [-n]<section name> [-i]<index of item> [-m]<pointer value> ELF
  elfspirit --set-pointer [-o]<offset> [-m]<pointer value> ELF
  elfspirit --set-interpreter [-s]<new interpreter> ELF
  elfspirit --set-rpath [-s]<rpath> ELF
  elfspirit --set-runpath [-s]<runpath> ELF
  elfspirit --add-section [-z]<size> ELF
  elfspirit --add-segment [-z]<size> ELF
  elfspirit --rm-section [-n]<section name> ELF
                         [-c]<multi section name> ELF
  elfspirit --rm-shdr ELF
  elfspirit --rm-strip ELF
  elfspirit --confuse-symbol [-n]<.strtab|.shstrtab|.dynstr> ELF
  elfspirit --refresh-hash ELF
  elfspirit --infect-silvio [-s]<shellcode> [-z]<size> ELF
  elfspirit --infect-skeksi [-s]<shellcode> [-z]<size> ELF
  elfspirit --infect-data [-s]<shellcode> [-z]<size> ELF
```
- 0x01. Play with Symbol
- 0x02. Implement ELF Static Hook by Injecting .got.plt
- 0x03. ELF Virus Technology: ELF Infection
- 0x04. Transform EXE into LIB
- 0x05. Analyze Binary Protection Flags
- 0x06. Obfuscate ELF
- 0x07. Inject Shared Libraries into Executables
- 0x08. Infect ELF Interpreter
- 0x09. Forensics
- 0x10. Other Topics