The ELF shell is an interactive, modular, and scriptable ELF (Executable & Linking Format) machine for static binary instrumentation of executable files, shared libraries and relocatable ELF objects. Its innovative features make it usable by reverse engineers and security analysts for embedded analysis using compiled C code extensions of binary programs. It features execution flow redirection that allows for dynamic analyzers generation and binary-level testing. ELFsh is compatible with kernel hardening patches : It can perform operational modifications on non-executable stack and heap based systems, and this for multiple architectures.

The main features of the ELF shell are :

• Injection of new compiled C code into a binary executable or dynamic library file.
• Function redirection for all kind of functions.
• Relinking of dynamic or static binary files to add all sorts of dependences without moving the original address space.
• Full access in read/write mode to the ELF data structures from the scripting language, including but not limited to:
  • The Global Offset Table (.got) section
  • The dynamic linking section (.dynamic)
  • The constructors (.ctors) and destructors (.dtors) array
  • The ELF GNU version tables (contributor needed for SUN/Solaris version tables format)
  • The ELF interpreter (.interp) section
  • ELF dynamic and static symbol tables (.dynsym and .symtab)
  • ELF relocation tables (.rel(a).*)
  • ELF Hash table (.hash)
  • All other sections in raw read/write mode using hexadecimal strings