Following ELF imports

Ndgs · March 3, 2025, 11:15am

Everyone working with dynamically linked ELF files must deal with this, probably semi-manually as I do

You’re reversing some ELF library or executable, following the flow of some code path, and it ends with a function that is imported from some library. IDA will try to determine the prototype with what it has available, but this is not always useful. Especially on certain architectures, where IDA thinks the imported function takes no arguments, or an incorrect number of arguments.

Currently, I manually identify what library the symbol is in, using a combination of GNU find and readelf, to recursively search a sysroot where my target ELF files are. Then I manually open the library in a new IDA instance, let it perform analysis, find the function, and (at a minimum) copy the prototype to the original IDB. That way I can at least have the prototype correct in the “main” IDB. In many cases, I have to reverse the function in the library, and add a function comment in the “main” IDB

In my use-case, where I layout an entire filesystem structure exactly as it is in the target filesystem, it would be relatively easy to automatically identify the library that a given function is imported from (by parsing ELF sections of all imported libraries), using a hard-coded relative search path.

For example, I may have /ida/targets/target1-rootfs/usr/sbin/app open in IDA

Functions of the exe are typically imported from …/lib and …/usr/lib

What an implementation would look like:

When reaching the call and prototype of the imported function, a context menu might have a dropdown showing which libraries relative to the current ELF contain the implementation. Choosing one could have a “open in new IDA session”

Another option would be to look for the IDB in the same search path, and offer an “import prototypes” action. And an “import function level comments” for the function, if the IDB for the library has a function level comment for the function

This would be a nice improvement.

A far more ambitious solution would be seamlessly referencing functions across multiple ELF files within one IDA process. I understand that would require massive changes unless done in very clever way. I don’t expect this to happen any time soon, it’s more work than benefits

The first ideas could be done with a plugin and/or scripting with headless/batch mode IDA, but I’m not aware of any doing it at this time.

Topic		Replies	Views
New function prototype editor not available from decompiler Bugs	1	59	February 24, 2025
Copy (user created) assembly comments to pseudocode Feature requests	2	61	March 13, 2025
I would like to propose an addition to this topic to fully automate reverse engineering using idapython and Python3 IDA General	2	103	February 15, 2025
Anyway to syncronize common type declaration between Ida databases? IDA General ideas	2	74	March 11, 2025
How use old idb with new ida 9 eh(exception) plugin? IDA General	5	75	March 13, 2025

Following ELF imports

Related topics