Detect ELF package notes from fedora binaries
wagoodman opened this issue · comments
Alex Goodman commented
#2396 adds the capability to detect binaries where the .note.package on the binary is purely a JSON payload. This is a little different than what you'll find with a binary in a fedora distribution:
```
objdump -s -j .note.package /bin/ld
/bin/ld: file format elf64-littleaarch64
Contents of section .note.package:
039c 04000000 7c000000 7e1afeca 46444f00 ....|...~...FDO.
03ac 7b227479 7065223a 2272706d 222c226e {"type":"rpm","n
03bc 616d6522 3a226269 6e757469 6c73222c ame":"binutils",
03cc 22766572 73696f6e 223a2232 2e34302d "version":"2.40-
03dc 31342e66 63333922 2c226172 63686974 14.fc39","archit
03ec 65637475 7265223a 22616172 63683634 ecture":"aarch64
03fc 222c226f 73437065 223a2263 70653a2f ","osCpe":"cpe:/
040c 6f3a6665 646f7261 70726f6a 6563743a o:fedoraproject:
041c 6665646f 72613a33 39227d00 fedora:39"}.
```
Note the header at the top before the JSON payload. Based on the documentation, the prefix is an ELF section header:
```c
typedef struct {
    Elf_Word sh_name;
    Elf_Word sh_type;
    Elf_Word sh_flags;
    Elf_Addr sh_addr;
    Elf_Off  sh_offset;
    Elf_Word sh_size;
    Elf_Word sh_link;
    Elf_Word sh_info;
    Elf_Word sh_addralign;
    Elf_Word sh_entsize;
} Elf_Shdr;
```
It would be ideal to eventually be able to decode .note.package sections that are not purely JSON payloads such that we can get to the JSON payload, even if we drop the section header info entirely.
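
Added example (not code from the issue or from the project): one way to reach the JSON in a section like the one dumped above, assuming the 16 leading bytes are laid out as an ELF note record (4-byte namesz, descsz and type, then the padded owner name `FDO`). `parsePackageNote`, `PackageNote` and `sampleSection` are hypothetical names, and the sample bytes are reconstructed from the dump.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

type PackageNote struct {
	Type         string `json:"type"`
	Name         string `json:"name"`
	Version      string `json:"version"`
	Architecture string `json:"architecture"`
	OSCPE        string `json:"osCpe"`
}

// parsePackageNote accepts a bare JSON payload or one preceded by a note
// header: namesz, descsz, type (4 bytes each), then the 4-byte-padded name.
func parsePackageNote(sec []byte, order binary.ByteOrder) (*PackageNote, error) {
	payload := sec
	if len(sec) == 0 || sec[0] != '{' {
		if len(sec) < 12 {
			return nil, fmt.Errorf("section too short for a note header: %d bytes", len(sec))
		}
		namesz, descsz := uint64(order.Uint32(sec[0:4])), uint64(order.Uint32(sec[4:8]))
		start := 12 + (namesz+3)&^3 // descriptor follows the padded name
		end := start + descsz
		if end > uint64(len(sec)) { // sizes are untrusted file content
			return nil, fmt.Errorf("note sizes exceed section length")
		}
		payload = sec[start:end]
	}
	var n PackageNote
	payload = bytes.TrimRight(payload, "\x00") // drop NUL terminator and padding
	if err := json.Unmarshal(payload, &n); err != nil {
		return nil, fmt.Errorf("decode package note: %w", err)
	}
	return &n, nil
}

// sampleSection rebuilds the section bytes from the objdump output above.
func sampleSection() []byte {
	hdr := []byte{4, 0, 0, 0, 0x7c, 0, 0, 0, 0x7e, 0x1a, 0xfe, 0xca, 'F', 'D', 'O', 0}
	js := `{"type":"rpm","name":"binutils","version":"2.40-14.fc39","architecture":"aarch64","osCpe":"cpe:/o:fedoraproject:fedora:39"}`
	return append(append(hdr, js...), 0)
}

func main() { fmt.Println(parsePackageNote(sampleSection(), binary.LittleEndian)) }
```

With `debug/elf`, the section bytes would come from `f.Section(".note.package").Data()` and the byte order from `f.ByteOrder`.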