package coldfire
import (
"debug/elf"
"github.com/yalue/elf_reader"
"os"
"bytes"
)
// EqualBytes reports whether the two single bytes b1 and b2 are equal.
// Each byte is wrapped in a one-element slice and the slices are compared
// with bytes.Equal.
func EqualBytes(b1, b2 byte) bool {
	left, right := []byte{b1}, []byte{b2}
	return bytes.Equal(left, right)
}
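// VerifyELFMagic reports whether the file at fname is accepted by
// debug/elf and starts with the four-byte ELF magic ("\x7fELF").
//
// Fixes over the previous version:
//   - the fall-through result is now false; it used to be true, so the magic
//     comparison could never influence the outcome;
//   - the error from ReadAt is captured and checked; before, Check was called
//     a second time on the stale error from elf.NewFile.
//
// The magic bytes come from the file itself. A match identifies the container
// format only and says nothing about whether the content is trustworthy.
//
// IOReader and Check are defined elsewhere in this package. What Check does
// with a non-nil error is not visible here, so every error is also handled
// locally by returning false.
// NOTE(review): the value returned by IOReader is never closed here; confirm
// whether it holds an open file descriptor.
func VerifyELFMagic(fname string) bool {
	f := IOReader(fname)
	_, err := elf.NewFile(f)
	Check(err)
	if err != nil {
		return false
	}

	// Re-read the identification bytes to compare the magic explicitly.
	// Assumes f.ReadAt has the io.ReaderAt signature; confirm against IOReader.
	var ident [16]uint8
	_, err = f.ReadAt(ident[:], 0)
	Check(err)
	if err != nil {
		return false
	}
	return string(ident[:4]) == elf.ELFMAG
}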
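// IsELF reports whether the file at fname can be parsed as an ELF file by
// elf_reader.ParseELFFile.
//
// Fixes over the previous version:
//   - the result was inverted: it returned false when parsing succeeded and
//     true when it failed;
//   - a failed read now returns false instead of passing an empty buffer to
//     the parser.
//
// The whole file is read into memory before parsing, so callers that handle
// untrusted or very large files should bound the input size first.
//
// Check is defined elsewhere in this package. What it does with a non-nil
// error is not visible here, so the read error is also handled locally.
func IsELF(fname string) bool {
	raw, err := os.ReadFile(fname)
	Check(err)
	if err != nil {
		return false
	}
	_, elf_err := elf_reader.ParseELFFile(raw)
	return elf_err == nil
}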
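// IsEXE reports whether the file at fname begins with the two-byte "MZ"
// signature.
//
// Fix over the previous version: it first required debug/elf to parse the
// file and returned false on failure. A file accepted by debug/elf starts
// with "\x7fELF", so the later "MZ" comparison could never succeed and the
// function always returned false.
//
// Only the first two bytes are inspected. A match does not show that the
// rest of the file is a well-formed executable, so treat the result as a
// cheap pre-filter and not as validation of untrusted input.
//
// IOReader and Check are defined elsewhere in this package. What Check does
// with a non-nil error is not visible here, so a failed or short read is
// also handled locally by returning false.
func IsEXE(fname string) bool {
	f := IOReader(fname)

	// Assumes f.ReadAt has the io.ReaderAt signature; confirm against IOReader.
	var magic [2]byte
	_, err := f.ReadAt(magic[:], 0)
	Check(err)
	if err != nil {
		return false
	}
	return magic[0] == 'M' && magic[1] == 'Z'
}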
//func IsELFInfected(fname string) bool {
//
//}
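// Is64Bit reports whether fname is an ELF file whose header declares the
// 64-bit class (ELFCLASS64) and the x86-64 machine type (EM_X86_64).
//
// Fixes over the previous version:
//   - a failed elf.NewFile left elfile nil and the following field access
//     dereferenced it; the error is now handled by returning false;
//   - class and machine are compared against the debug/elf constants rather
//     than their String() forms;
//   - the empty IsEXE branch was dropped. Non-ELF input, including files that
//     start with "MZ", still yields false as before.
//
// Both values are read from the file's own header, so they describe what the
// file declares and not what it actually contains.
//
// IsELF, IOReader and Check are defined elsewhere in this package.
func Is64Bit(fname string) bool {
	if !IsELF(fname) {
		return false
	}

	f := IOReader(fname)
	elfile, err := elf.NewFile(f)
	Check(err)
	if err != nil || elfile == nil {
		return false
	}
	return elfile.Class == elf.ELFCLASS64 && elfile.Machine == elf.EM_X86_64
}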
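// Caves is an unfinished stub. For a file that IsELF accepts, it opens the
// file with debug/elf and walks every byte of every section, but it records
// nothing. min_size is unused and the result is always nil.
//
// Fixes over the previous version:
//   - the handle returned by elf.Open is now closed; it used to leak;
//   - a failed elf.Open returns nil instead of dereferencing a nil *elf.File;
//   - sections whose data cannot be read are skipped rather than scanned as
//     empty with the error discarded.
//
// IsELF, Check and EqualBytes are defined elsewhere in this package.
func Caves(file string, min_size int) map[string]map[string]int {
	if !IsELF(file) {
		return nil
	}

	elfile, err := elf.Open(file)
	Check(err)
	if err != nil {
		return nil
	}
	defer elfile.Close()

	for _, sect := range elfile.Sections {
		data, dataErr := sect.Data()
		if dataErr != nil {
			continue
		}
		for off := 0; off < len(data); off++ {
			if EqualBytes(data[off], 0x00) {
				// Intentionally empty: the original scaffold records nothing here.
			}
		}
	}
	return nil
}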