The Cover of Night: Projects and Research

Playing with ARM Binaries: Mapping Relocations to Function Names

February 1st, 2010 by apridgen

Playing with ARM binaries in IDA Pro

I have been expanding my view of the world, and I decided to play with some ARM ELF binaries, but I ran into a problem with relocations, symbols, and the corresponding function names not being matched up properly in IDA Pro.  Below is the method I used on 2 binaries (yes, testing is a hardcore part of my diet) to get the function names relocated and applied correctly to the PLT entries and the corresponding functions.

In order to address this problem, I had to do several things:

  1. Import the ELF definitions into IDA Pro
  2. Read the ELF standard and the ARM ELF format
  3. Parse the ARM ELF and identify the Dynamic Section from the Program Header
  4. Identify the String Table, the Symbol Table, the Procedure Linkage Table, and the Relocations
  5. Merge the Symbol Table data and the Relocation address information
  6. Name each corresponding subroutine with the value in the

I actually worked on steps 1 and 2 for some time.  In order to grasp all the indirection, I used IDA Pro to create the various sections, and I would just jump around to the values being referenced or cross-referenced.  It was not the most optimal method, but when it all clicked, it only took me a few hours to put together the Python script.

Below are the first steps.  First, edit the elf.h from any *nix system.  Some commenting out may be required, because IDA may complain about missing header files or types with the same names.  Thou must sweat and grunt a little to get some respect; this is left as a character-building exercise for the reader.  Next, open the “Local Types” subview, select all the types, right-click, and choose “Synchronize to idb”.

Importing ELF C-Header into IDA Pro

Synchronize the Local Types with IDB

Run the script, and it prompts you for the starting address of the file.  I recommend you scroll all the way up to the top of the file, put the cursor on the very first address, and just enter ScreenEA(). But to each his or her own.

Now for the functionality of the script.  The biggest challenge was wrapping ye olde mind around the relocations and seeing how the names were magically resolved.  Once I realized this third dimension of reference, everything came together like a Vulcan mind meld... and I was one with the binary.

The script works by creating the ELF Ehdr at the beginning of the file and then reading the dwords that give the offset to the corresponding Phdrs.  From there, I jump to the Phdr address and create the Phdr structures.  If a Phdr structure is PT_DYNAMIC, I note the section size, jump to that section, and create Dyn structures until I reach the end of memory.  After I create all the Dyn structures, I jump to the DT_STRTAB and use MakeStr on all the strings up to DT_STRSZ bytes.  After this, I jump back to the PT_DYNAMIC section and process the symbol table (DT_SYMTAB), converting the relocations and the symbol table simultaneously.  The relocations are DT_REL and DT_JMPREL respectively, and each has a corresponding size, DT_RELSZ and DT_PLTRELSZ.  I also find the DT_SYMTAB and DT_STRTAB values and then process the relocations.

DYNAMIC Segment with Processed Dyn Structures

The relocations are processed in the following manner.  First I create the relocation structures covering DT_PLTRELSZ or DT_RELSZ bytes.  Then I walk through the relocation structures and read each one's symbol table index.  I create a Sym structure at that location and then get the symbol's name (st_name), which is an index into the string table.  From here I just rename the symbol, the relocation, and the actual function that corresponds to the function call that will jump to the relocation.  Below is an image depicting my final result, and below that are links to the code.
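As an added, stand-alone example (not the author's IDA script, which operates on the database rather than on raw bytes), the same walk in plain Python: Ehdr to Phdrs, PT_DYNAMIC to the Dyn entries, DT_STRTAB/DT_STRSZ and DT_SYMTAB, then DT_REL/DT_RELSZ and DT_JMPREL/DT_PLTRELSZ, with each relocation's symbol index pulled out of r_info and turned into a name through st_name.  The byte image it parses is constructed here (base address 0x8000, the imports puts/printf/exit, and the GOT slot addresses are all sample data, not taken from a real binary); the virtual-address-to-offset translation through PT_LOAD is an assumption needed because this version reads a file image instead of IDA's already-mapped memory.

```python
import struct

# Constants from the ELF32 and ARM ELF specifications.
EM_ARM = 40
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_PLTRELSZ, DT_STRTAB, DT_SYMTAB, DT_STRSZ, DT_SYMENT = 0, 2, 5, 6, 10, 11
DT_REL, DT_RELSZ, DT_RELENT, DT_PLTREL, DT_JMPREL = 17, 18, 19, 20, 23
R_ARM_GLOB_DAT, R_ARM_JUMP_SLOT = 21, 22

# Little-endian ELF32 structure layouts: Ehdr, Phdr, Dyn, Sym, Rel.
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")
PHDR = struct.Struct("<8I")
DYN = struct.Struct("<II")
SYM = struct.Struct("<IIIBBH")
REL = struct.Struct("<II")

def program_headers(image):
    """Read the Ehdr at offset 0 and return every Phdr it points to."""
    e = EHDR.unpack_from(image, 0)
    if e[0][:4] != b"\x7fELF" or e[0][4] != 1 or e[2] != EM_ARM:
        raise ValueError("not a 32-bit ARM ELF image")
    phoff, phentsize, phnum = e[5], e[9], e[10]
    return [PHDR.unpack_from(image, phoff + i * phentsize) for i in range(phnum)]

def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address (as stored in d_val / r_offset) to a file offset via PT_LOAD."""
    for p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("0x%x is not inside any PT_LOAD segment" % vaddr)

def dynamic_entries(image, phdrs):
    """Walk the PT_DYNAMIC segment up to DT_NULL and return {d_tag: d_val}."""
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is None:
        raise ValueError("no PT_DYNAMIC segment (statically linked?)")
    tags = {}
    for off in range(dyn[1], dyn[1] + dyn[4], DYN.size):   # p_offset .. p_offset + p_filesz
        tag, val = DYN.unpack_from(image, off)
        if tag == DT_NULL:
            break
        tags.setdefault(tag, val)
    return tags

def read_cstr(image, off, limit):
    """Read a NUL-terminated string without running past the end of DT_STRTAB."""
    end = image.index(b"\0", off, off + limit)
    return image[off:end].decode("ascii", "replace")

def resolve_relocations(image):
    """Return {r_offset: (symbol name, r_type)} for every named DT_REL and DT_JMPREL entry."""
    phdrs = program_headers(image)
    tags = dynamic_entries(image, phdrs)
    strtab = vaddr_to_offset(phdrs, tags[DT_STRTAB])
    strsz = tags[DT_STRSZ]
    symtab = vaddr_to_offset(phdrs, tags[DT_SYMTAB])
    syment = tags.get(DT_SYMENT, SYM.size)
    relent = tags.get(DT_RELENT, REL.size)
    if tags.get(DT_PLTREL, DT_REL) != DT_REL:
        raise ValueError("RELA-style PLT relocations are not handled here")
    names = {}
    for table_tag, size_tag in ((DT_REL, DT_RELSZ), (DT_JMPREL, DT_PLTRELSZ)):
        if table_tag not in tags:
            continue
        start = vaddr_to_offset(phdrs, tags[table_tag])
        for off in range(start, start + tags[size_tag], relent):
            r_offset, r_info = REL.unpack_from(image, off)
            sym_index, r_type = r_info >> 8, r_info & 0xFF     # ELF32_R_SYM / ELF32_R_TYPE
            st_name = SYM.unpack_from(image, symtab + sym_index * syment)[0]
            if st_name == 0 or st_name >= strsz:               # unnamed (e.g. relative) reloc
                continue
            names[r_offset] = (read_cstr(image, strtab + st_name, strsz - st_name), r_type)
    return names

def build_sample_image(base=0x8000):
    """Constructed sample: a minimal ARM ELF32 image with three imports, not a real binary."""
    dynstr = b"\0puts\0printf\0exit\0"                       # st_name offsets 1, 6, 13
    syms = b"".join(SYM.pack(n, 0, 0, 0x12 if n else 0, 0, 0) for n in (0, 1, 6, 13))
    rel_dyn = REL.pack(base + 0x168, (3 << 8) | R_ARM_GLOB_DAT)                 # exit
    rel_plt = (REL.pack(base + 0x160, (1 << 8) | R_ARM_JUMP_SLOT) +             # puts
               REL.pack(base + 0x164, (2 << 8) | R_ARM_JUMP_SLOT))              # printf
    dynamic = b"".join(DYN.pack(t, v) for t, v in (
        (DT_STRTAB, base + 0x80), (DT_STRSZ, len(dynstr)),
        (DT_SYMTAB, base + 0xA0), (DT_SYMENT, SYM.size),
        (DT_REL, base + 0xE0), (DT_RELSZ, len(rel_dyn)), (DT_RELENT, REL.size),
        (DT_JMPREL, base + 0xF0), (DT_PLTRELSZ, len(rel_plt)), (DT_PLTREL, DT_REL),
        (DT_NULL, 0)))
    size = 0x170
    ehdr = EHDR.pack(b"\x7fELF\x01\x01\x01" + b"\0" * 9, 2, EM_ARM, 1, base,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, 2, 0, 0, 0)
    phdrs = (PHDR.pack(PT_LOAD, 0, base, base, size, size, 5, 0x8000) +
             PHDR.pack(PT_DYNAMIC, 0x100, base + 0x100, base + 0x100,
                       len(dynamic), len(dynamic), 6, 4))
    image = bytearray(size)
    for off, blob in ((0, ehdr), (EHDR.size, phdrs), (0x80, dynstr), (0xA0, syms),
                      (0xE0, rel_dyn), (0xF0, rel_plt), (0x100, dynamic)):
        image[off:off + len(blob)] = blob
    return bytes(image)

if __name__ == "__main__":
    for slot, (name, r_type) in sorted(resolve_relocations(build_sample_image()).items()):
        print("0x%08x  %-8s  type %d" % (slot, name, r_type))
```

The dictionary this returns (GOT slot address to symbol name) is exactly what the IDA-side naming step consumes: inside IDA you would loop over it and call MakeName (set_name in current IDAPython) on each slot, and IDA then carries the name to the PLT stub that loads that slot.  The st_name bounds check and the stop at DT_NULL are there because a damaged or hand-built dynamic section is a common reason such a script walks off the end of the string table.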

Imports named (left) and function names (far-right)

IDA Pro code for processing the ARM Elf Binary: ida_pro_process_elf_hdrs.py
IDA Pro code for processing the Elf Relocs Section: ida_pro_process_reloc.py
IDA Pro code for processing the Elf Sym Section: ida_pro_process_reloc.py

For those interested, information on the ELF specification: Wikipedia

Posted in Development, Hacking, Python, Research, Reverse Engineering, Security
