Resolved Import address

2025-12-12 15:49:46 -08:00 · 2023-08-02 16:41:24 +05:30
parent 26935ee6e6
commit 62f50265bc
2 changed files with 23 additions and 15 deletions
--- a/capa/features/extractors/elffile.py
+++ b/capa/features/extractors/elffile.py
@@ -11,6 +11,7 @@ from typing import Tuple, Iterator
 from pathlib import Path

 from elftools.elf.elffile import ELFFile, SymbolTableSection
+from elftools.elf.relocation import RelocationSection

 import capa.features.extractors.common
 from capa.features.file import Export, Import, Section
@@ -48,17 +49,15 @@ def extract_file_export_names(elf: ELFFile, **kwargs):


 def extract_file_import_names(elf: ELFFile, **kwargs):
+    # Create a dictionary to store symbol names by their index
+    symbol_names = {}
+
+    # Extract symbol names and store them in the dictionary
    for section in elf.iter_sections():
        if not isinstance(section, SymbolTableSection):
            continue

-        if section["sh_entsize"] == 0:
-            logger.debug("Symbol table '%s' has a sh_entsize of zero!", section.name)
-            continue
-
-        logger.debug("Symbol table '%s' contains %s entries:", section.name, section.num_symbols())
-
-        for symbol in section.iter_symbols():
+        for _, symbol in enumerate(section.iter_symbols()):
            # The following conditions are based on the following article
            # http://www.m4b.io/elf/export/binary/analysis/2015/05/25/what-is-an-elf-export.html
            if not symbol.name:
@@ -72,9 +71,23 @@ def extract_file_import_names(elf: ELFFile, **kwargs):
            if symbol.entry.st_name == 0:
                continue

-            # TODO(williballenthin): extract symbol address
-            # https://github.com/mandiant/capa/issues/1608
-            yield Import(symbol.name), FileOffsetAddress(0x0)
+            symbol_names[_] = symbol.name
+
+    for section in elf.iter_sections():
+        if not isinstance(section, RelocationSection):
+            continue
+
+        if section["sh_entsize"] == 0:
+            logger.debug("Symbol table '%s' has a sh_entsize of zero!", section.name)
+            continue
+
+        logger.debug("Symbol table '%s' contains %s entries:", section.name, section.num_relocations())
+
+        for relocation in section.iter_relocations():
+            # Extract the symbol name from the symbol table using the symbol index in the relocation
+            if relocation["r_info_sym"] not in symbol_names:
+                continue
+            yield Import(symbol_names[relocation["r_info_sym"]]), FileOffsetAddress(relocation["r_offset"])


 def extract_file_section_names(elf: ELFFile, **kwargs):
--- a/tests/test_elffile_features.py
+++ b/tests/test_elffile_features.py
@@ -23,11 +23,6 @@ def test_elffile_import_features():
        "__libc_start_main",
        "malloc",
        "__cxa_finalize",
-        "memfrob@@GLIBC_2.2.5",
-        "puts@@GLIBC_2.2.5",
-        "__libc_start_main@@GLIBC_2.2.5",
-        "malloc@@GLIBC_2.2.5",
-        "__cxa_finalize@@GLIBC_2.2.5",
    ]
    path = Path(SAMPLE_PATH)
    elf = ELFFile(io.BytesIO(path.read_bytes()))