ELF Header Fields
editELF Header Fields
editThese fields contain Linux Executable Linkable Format (ELF) metadata.
These fields are in beta and are subject to change.
ELF Header Field Details
edit| Field | Description | Level |
|---|---|---|
|
Machine architecture of the ELF file. type: keyword example: |
extended |
|
|
Byte sequence of ELF file. type: keyword example: |
extended |
|
|
CPU type of the ELF file. type: keyword example: |
extended |
|
|
Extracted when possible from the file’s metadata. Indicates when it was built or compiled. It can also be faked by malware creators. type: date |
extended |
|
|
List of exported element names and types. type: flattened Note: this field should contain an array of values. |
extended |
|
|
A hash of the Go language imports in an ELF file excluding standard library imports. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. The algorithm used to calculate the Go symbol hash and a reference implementation are available [here](https://github.com/elastic/toutoumomoma). type: keyword example: |
extended |
|
|
List of imported Go language element names and types. type: flattened |
extended |
|
|
Shannon entropy calculation from the list of Go imports. type: long |
extended |
|
|
Variance for Shannon entropy calculation from the list of Go imports. type: long |
extended |
|
|
Set to true if the file is a Go executable that has had its symbols stripped or obfuscated and false if an unobfuscated Go executable. type: boolean |
extended |
|
|
Version of the ELF Application Binary Interface (ABI). type: keyword |
extended |
|
|
Header class of the ELF file. type: keyword |
extended |
|
|
Data table of the ELF header. type: keyword |
extended |
|
|
Header entrypoint of the ELF file. type: long |
extended |
|
|
"0x1" for original ELF files. type: keyword |
extended |
|
|
Application Binary Interface (ABI) of the Linux OS. type: keyword |
extended |
|
|
Header type of the ELF file. type: keyword |
extended |
|
|
Version of the ELF header. type: keyword |
extended |
|
|
A hash of the imports in an ELF file. An import hash can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. This is an ELF implementation of the Windows PE imphash. type: keyword example: |
extended |
|
|
List of imported element names and types. type: flattened Note: this field should contain an array of values. |
extended |
|
|
Shannon entropy calculation from the list of imported element names and types. type: long |
extended |
|
|
Variance for Shannon entropy calculation from the list of imported element names and types. type: long |
extended |
|
|
An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath type: nested Note: this field should contain an array of values. |
extended |
|
|
Chi-square probability distribution of the section. type: long |
extended |
|
|
Shannon entropy calculation from the section. type: long |
extended |
|
|
ELF Section List flags. type: keyword |
extended |
|
|
ELF Section List name. type: keyword |
extended |
|
|
ELF Section List offset. type: keyword |
extended |
|
|
ELF Section List physical size. type: long |
extended |
|
|
ELF Section List type. type: keyword |
extended |
|
|
Variance for Shannon entropy calculation from the section. type: long |
extended |
|
|
ELF Section List virtual address. type: long |
extended |
|
|
ELF Section List virtual size. type: long |
extended |
|
|
An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath type: nested Note: this field should contain an array of values. |
extended |
|
|
ELF object segment sections. type: keyword |
extended |
|
|
ELF object segment type. type: keyword |
extended |
|
|
List of shared libraries used by this ELF object. type: keyword Note: this field should contain an array of values. |
extended |
|
|
telfhash symbol hash for ELF file. type: keyword |
extended |
Field Reuse
editThe elf fields are expected to be nested at:
-
file.elf -
process.elf
Note also that the elf fields are not expected to be used directly at the root of the events.