
ELF Format

I've finally decided to spend 6 months learning about Linux malware and everything related to it, and this is the first step into the Linux malware field -> learn about the ELF format

Why learn ELF Format?

It is the executable format; the name itself says it: Executable and Linkable Format (the same format is used for shared libraries, object files and core dumps). If you want to write a program like the "ls" command -> you have to compile your source code and produce an ELF file

To study the ELF format is to study how Linux programs work and how the operating system loads and runs them -> that alone builds a skill you need for DFIR and malware analysis, because after all, malware is just software.

What is it?

If you ever use commands like "ls" or "cat", then you are running an ELF ("cd" is not one: it is a builtin of the shell itself, which "type cd" will confirm). How do I know it is an ELF? On Linux you can run the command "file /bin/ls" and it will return something like this

 ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
 dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, 
 BuildID[sha1]=2f15ad836be3339dec0e2e6a3c637e08e48aacbd, 
 for GNU/Linux 3.2.0, stripped

Wow! That's a lot of information the "file" command has given us.

Let's take a look at those:

  • ELF 64-Bit

  • LSB shared object

  • x86-64

  • Version 1 (SYSV)

  • dynamically linked

  • Interpreter /lib64/ld-linux-x86-64.so.2

  • BuildID[sha1]=2f15ad836be3339dec0e2e6a3c637e08e48aacbd

  • For GNU/Linux 3.2.0

  • Stripped
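Every item in that list comes from a specific place in the file, and you can recover it yourself without "file". As an added example (not code from the original page), here is a small Python parser for it: it reads the identification bytes at the start of the ELF header (class, endianness, version, OS ABI), the e_type and e_machine fields, the PT_INTERP segment (the interpreter), the GNU notes inside PT_NOTE (the build ID and the "for GNU/Linux 3.2.0" ABI tag), and checks whether an SHT_SYMTAB section exists to decide if the binary is stripped. The build_sample_elf helper is a constructed minimal ELF image that reuses the interpreter path and BuildID from the "file" output above so the parser's output can be compared with it; it is not a real binary. Run the script with a path to parse a real file, e.g. python3 elf_info.py /bin/ls.

```python
"""Added example: recover the facts `file` prints from the ELF header, program headers and notes."""
import struct

ELF_MAGIC = b"\x7fELF"
E_TYPE = {1: "REL (relocatable)", 2: "EXEC (executable)", 3: "DYN (shared object / PIE)", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "x86-64", 183: "ARM aarch64", 243: "RISC-V"}
OSABI = {0: "SYSV", 3: "GNU/Linux"}
PT_INTERP, PT_NOTE = 3, 4
SHT_SYMTAB = 2
NT_GNU_ABI_TAG, NT_GNU_BUILD_ID = 1, 3


def parse_elf(data: bytes) -> dict:
    """Parse the ELF header plus the segments/sections that `file` relies on."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data, ei_version, ei_osabi = data[4], data[5], data[6], data[7]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA in e_ident")
    bo = "<" if ei_data == 1 else ">"          # EI_DATA: 1 = little-endian (LSB), 2 = big-endian (MSB)
    is64 = ei_class == 2                        # EI_CLASS: 1 = ELF32, 2 = ELF64
    if is64:
        hdr = struct.unpack_from(bo + "HHIQQQIHHHHHH", data, 16)
        ph_fmt, sh_fmt = bo + "IIQQQQQQ", bo + "IIQQQQIIQQ"
    else:
        hdr = struct.unpack_from(bo + "HHIIIIIHHHHHH", data, 16)
        ph_fmt, sh_fmt = bo + "IIIIIIII", bo + "IIIIIIIIII"
    e_type, e_machine, _, _, e_phoff, e_shoff, _, _, e_phentsize, e_phnum, e_shentsize, e_shnum, _ = hdr
    info = {
        "class": "64-bit" if is64 else "32-bit",
        "endian": "LSB" if ei_data == 1 else "MSB",
        "type": E_TYPE.get(e_type, f"unknown ({e_type})"),
        "machine": E_MACHINE.get(e_machine, f"unknown ({e_machine})"),
        "version": ei_version,
        "osabi": OSABI.get(ei_osabi, f"unknown ({ei_osabi})"),
        "interpreter": None, "build_id": None, "abi_tag": None,
    }
    # Program headers: PT_INTERP holds the dynamic loader path, PT_NOTE the GNU notes.
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        # ELF64 puts p_flags right after p_type; ELF32 puts it after p_memsz.
        p_type, p_offset, p_filesz = (ph[0], ph[2], ph[5]) if is64 else (ph[0], ph[1], ph[4])
        seg = data[p_offset:p_offset + p_filesz]
        if p_type == PT_INTERP:
            info["interpreter"] = seg.split(b"\0", 1)[0].decode()
        elif p_type == PT_NOTE:
            _parse_gnu_notes(seg, bo, info)
    info["dynamically_linked"] = info["interpreter"] is not None
    # "stripped" in `file` means the static symbol table (.symtab, SHT_SYMTAB) is absent.
    info["stripped"] = not any(
        struct.unpack_from(sh_fmt, data, e_shoff + i * e_shentsize)[1] == SHT_SYMTAB
        for i in range(e_shnum))
    return info


def _parse_gnu_notes(seg: bytes, bo: str, info: dict) -> None:
    """Walk Elf_Nhdr records; name and desc are each padded to 4 bytes."""
    off = 0
    while off + 12 <= len(seg):
        namesz, descsz, n_type = struct.unpack_from(bo + "III", seg, off)
        off += 12
        name = seg[off:off + namesz].rstrip(b"\0")
        off += (namesz + 3) & ~3
        desc = seg[off:off + descsz]
        off += (descsz + 3) & ~3
        if name != b"GNU":
            continue
        if n_type == NT_GNU_BUILD_ID:
            info["build_id"] = desc.hex()               # what `file` prints as BuildID[sha1]=...
        elif n_type == NT_GNU_ABI_TAG and descsz >= 16:
            os_, major, minor, patch = struct.unpack_from(bo + "IIII", desc)
            os_name = "GNU/Linux" if os_ == 0 else f"OS {os_}"
            info["abi_tag"] = f"{os_name} {major}.{minor}.{patch}"   # "for GNU/Linux 3.2.0"


def build_sample_elf() -> bytes:
    """Constructed test input: a minimal 64-bit LSB ET_DYN image with one PT_INTERP and one PT_NOTE
    segment and no section headers. Interpreter path and build ID are copied from the `file` output
    in the text; the image is not runnable, it only exercises the parser."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    build_id = bytes.fromhex("2f15ad836be3339dec0e2e6a3c637e08e48aacbd")
    notes = struct.pack("<III", 4, 16, NT_GNU_ABI_TAG) + b"GNU\0" + struct.pack("<IIII", 0, 3, 2, 0)
    notes += struct.pack("<III", 4, 20, NT_GNU_BUILD_ID) + b"GNU\0" + build_id
    phoff, phnum = 64, 2
    interp_off = phoff + phnum * 56
    note_off = interp_off + len(interp)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7   # ELF64, LSB, version 1, SYSV ABI
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_NOTE, 4, note_off, 0, 0, len(notes), len(notes), 4)
    return ehdr + phdrs + interp + notes


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in parse_elf(data).items():
        print(f"{key:18} {value}")
```

Two caveats worth keeping in mind when reading the "file" line. "shared object" only means e_type is ET_DYN, and a position-independent executable (PIE) has the same e_type as a library; the PT_INTERP segment is what tells you /bin/ls is a program and not a .so, and newer versions of "file" print "pie executable" for that case. "stripped" only means the .symtab section was removed; the dynamic symbol table (.dynsym) that the loader needs is still there, so a stripped binary still reveals which functions it imports and exports.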

The "file" command is going to parse the
