Elfcall

Generate call graph data for an elf binary.

Elfcall performs two functions:

• trees: generate a tree of libraries akin to what the dynamic linker would see

• graphs: generate a graph that shows linked libraries and symbols exported and needed.

For the graphs, there are several different output formats (text, cypher for Neo4j, Dot, and gexf for Gephi or NetworkX).

How does it work?

On a high level, it works by way of extracting symbols from the ELF, and figuring out dependencies via links and RPATH, and then outputting data to file. An important contribution by way of developing this library is also trying to document the process, which I found only vaguely documented in several places. Previous art of interested that inspired me to work on this:

• This talk that gives a good high level overview.

• libtree which I couldn’t easily go off of because I’m not an expert in C or C++.

• callgraph inspired me for the graphs, but I wanted a slightly more organized implementation.

Background material about the method can be found in this article and you can learn more about ELF from any of these sources:

• https://en.wikipedia.org/wiki/Executable_and_Linkable_Format

• https://en.wikipedia.org/wiki/Weak_symbol

• https://refspecs.linuxbase.org/elf/elf.pdf

• https://android.googlesource.com/platform/art/+/master/runtime/elf.h

• https://docs.oracle.com/cd/E19683-01/816-1386/chapter6-43405/index.html

And this is helpful for understanding the dynamic linker:

• https://refspecs.linuxbase.org/elf/gabi4+/ch5.dynamic.html#dynamic-section

To see the code, head over to the repository.

Getting started with Elfcall

Elfcall can be installed from pypi or directly from the repository. See Installation for installation, and then the Getting Started section for using elfcall on the command line.

Support

• For bugs and feature requests, please use the issue tracker.

• For contributions, visit Spliced on Github.

Resources

GitHub Repository

The code on GitHub.