Elfread
This utility processes Linux x86 ELF files and generates a report of which function may call which function, with the list of possible arguments.
Ironically, so far it is a win32 command-line utility.
For Oracle RDBMS, first extract the object files (use Linux ar or Cygwin):
ar -x libserver11.a
About 4000 files will be extracted. Then run the elfread utility:
elfread.exe *.o
There are two passes: in the first, the utility counts the number of arguments for each function; in the second, the text report and the GraphViz file are produced.
For better recognition of argument counts, it is good to feed it as many object files as possible at a time.
A .txt file will be created for almost every object file; here are examples: kks1.o.txt, ain.o.txt.
What we can see here:
1) Trace log writings:
kksSetBindType() may call ksdwrf (" kksSetBindType: child not typechecked ci=%p check=%u\n", var_44, var_3C)
2) Memory allocations:
kksParseCommands() may call kksalc (0xc8, 1, "ctxcdef: kksParseCommands")
kksParseCommands() may call kksalx (0x24, 1, "unmdef: kksParseCommands")
(Often, the first part of the string comment is the structure name and the second is the place where the actual allocation has been made)
3) Internal SQL execution:
ausdrv() may call rpisplu (?, ?, ?, ?, "update sys.assembly$ set audit$ = :1 where obj# = :2", 0x35, ?, ?)
4) Dangerous sprintf calls where the first argument points to the local stack
(the hexadecimal number in brackets is the local array size):
zlkestp() may call sprintf (var_2F8[0x100], "%s \"%.*s.%.*s\"", "view", ?, var_B8, var_C8, var_BC)
By the way, the var_XXX and arg_XXX naming conventions are the same as in IDA.
5) Errors that may be raised by a function:
aindrv() may call ksesec0 (0x373e)
aindrv() may call ksesec0 (0x378c)
aindrv() may call ksesec0 (0x3873)
(Numbers prefixed with "0x" are hexadecimal, as in C/C++)
6) Events checked by a function:
kksSetBindType() may call dbkdChkEventRdbmsErr (0x2733)
* Grep
All these reports are grepable, of course.
For example, see which function may call X:
cat *.txt | grep "may call X"
Which function may raise error N?
cat *.txt | grep "may call ksesec (0x1234)"
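As an added example (not part of elfread or of the original page), the Python script below goes one step beyond grep for the item 4 lines: it parses the report line format shown above, extracts the stack buffer size, and classifies each %s conversion in the format string by whether its length is bounded. The function names are assumptions of this example; the line format and the sample line are taken from the excerpts above.

```python
import re

# Line shape taken from the report excerpts on this page:
#   caller() may call callee (arg, arg, ...)
CALL_RE = re.compile(r'^(\w+)\(\) may call (\w+) \((.*)\)\s*$')
# Stack destination as the report prints it, e.g. var_2F8[0x100]
DEST_RE = re.compile(r'^(var_[0-9A-Fa-f]+)\[(0x[0-9A-Fa-f]+)\]$')
# A literal "%%", or a string conversion: %s, %10s, %.20s, %.*s
CONV_RE = re.compile(r'%(?:%|[-0-9]*(?:\.(\*|\d+))?s)')

def split_args(text):
    """Split an argument list on commas that sit outside quoted strings."""
    args, cur, in_str, esc = [], [], False, False
    for ch in text:
        if ch == ',' and not in_str:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
        if esc:
            esc = False            # character after a backslash is literal
        elif ch == '\\' and in_str:
            esc = True
        elif ch == '"':
            in_str = not in_str
    args.append(''.join(cur).strip())
    return args

def triage_sprintf(line):
    """Return a finding for sprintf into a sized stack array, else None."""
    m = CALL_RE.match(line.strip())
    if not m or m.group(2) != 'sprintf':
        return None
    args = split_args(m.group(3))
    dest = DEST_RE.match(args[0])
    if not dest or len(args) < 2 or not args[1].startswith('"'):
        return None
    kinds = []
    for c in CONV_RE.finditer(args[1]):
        if c.group(0) == '%%':
            continue               # escaped percent sign, not a conversion
        prec = c.group(1)          # None: %s, '*': %.*s, digits: %.Ns
        kinds.append('unbounded' if prec is None
                     else 'runtime' if prec == '*' else 'fixed')
    return {'caller': m.group(1), 'buffer': dest.group(1),
            'size': int(dest.group(2), 16), 'conversions': kinds,
            'review': any(k != 'fixed' for k in kinds)}

# Sample line copied from item 4 above
PAGE_LINE = r'zlkestp() may call sprintf (var_2F8[0x100], "%s \"%.*s.%.*s\"", "view", ?, var_B8, var_C8, var_BC)'
if __name__ == '__main__':
    print(triage_sprintf(PAGE_LINE))
```

A finding with review set still needs a manual look: an unbounded %s fed by a short constant such as "view" is harmless, and a %.*s is only as safe as the precision value passed at run time.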
* GraphViz output
It can also produce a function graph in GraphViz form.
Use:
elfread.exe *.o (function_name|regex)
Like:
elfread.exe *.o kks.*
You'll get a bunch of kks*.gv files, each in GraphViz form.
http://www.graphviz.org/
Get it, install it and use it to render the graph into PNG graphics:
dot -Tpng func.gv -ofunc.png
You'll get something like this example:
Not as good as IDA, but nevertheless...
* TODO
Produce output files in a form that is easy to import into MediaWiki
* NB:
This utility may (and most likely does) contain errors, so be prepared for its output to be unexpectedly erroneous.

