wsym
Adds symbols to an ELF file. Sort of the opposite of strip. This is in a very early stage of development and should be considered PoC/beta software.
why
I made this because I wanted gdb to know about the symbols I defined in IDA when reverse engineering. I really think there should be an easier way to do this, but I couldn't find anything that gdb understands except ELF, so yeah... overkill. Please let me know if there is an easier way to tell gdb about user-defined symbols.
However this tool might be useful anyway since it is a more generic solution.
how to use
usage: wsym.py [-h] [-v] [-f SYMBOLS] [-i SYMBOLS] [-n SYMBOLS] input output
There are multiple ways to provide symbols that should be added to the binary.
-f, --flat
This is a very simple flat file format, one symbol per line:
hex_addr name [hex_size]
-i, --ida
Using this option you can provide a .map file generated by IDA.
File > Produce File > Create MAP File -> segmentation & local
-n, --nm
This is the output of nm; the flags that nm prints to describe each symbol are ignored.
wsym will generate a new ELF file which can be directly run under gdb, or you can use the add-symbol-file command in order to load the symbols from the generated file while debugging the original one.
Warning: running wsym repeatedly on a binary generated by itself will keep increasing the file size and is probably a bad idea. Always rerun on the original file.
how this works
We recreate the section header table at the end of the file, adding the original sections if there are any and re-adjusting their sh_link and sh_info if needed.
We also add a GHOST section for each segment; it covers the whole segment in case no other sections are present.
We create a new symtab called .wsymtab containing the provided symbols. A new strtab for this symtab is added but we also make a new shstrtab for all section names. This allows us to touch the original file as little as possible.
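To make the flat format and the symbol table concrete, here is an added example (not wsym's own code) that parses `hex_addr name [hex_size]` lines and packs them into the raw symbol and string tables a section like .wsymtab would hold. It assumes a 64-bit little-endian ELF, marks every symbol as a global function, and uses SHN_ABS instead of linking each symbol to a section; the function names and sample input are made up for illustration.

```python
import struct

# Elf64_Sym, little-endian: st_name, st_info, st_other, st_shndx, st_value, st_size
ELF64_SYM = struct.Struct("<IBBHQQ")
# Assumptions of this example: global function symbols with absolute addresses.
STB_GLOBAL, STT_FUNC, SHN_ABS = 1, 2, 0xFFF1


def parse_flat(text):
    """Parse 'hex_addr name [hex_size]' lines into (addr, name, size) tuples."""
    symbols = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'hex_addr name [hex_size]'")
        addr = int(fields[0], 16)
        size = int(fields[2], 16) if len(fields) == 3 else 0  # size is optional
        symbols.append((addr, fields[1], size))
    return symbols


def build_tables(symbols):
    """Return (symtab, strtab) bytes for the given symbols."""
    strtab = bytearray(b"\0")  # offset 0 is the empty name
    symtab = bytearray(ELF64_SYM.pack(0, 0, 0, 0, 0, 0))  # mandatory null symbol
    for addr, name, size in symbols:
        name_off = len(strtab)  # st_name is an offset into the string table
        strtab += name.encode() + b"\0"
        info = (STB_GLOBAL << 4) | STT_FUNC
        symtab += ELF64_SYM.pack(name_off, info, 0, SHN_ABS, addr, size)
    return bytes(symtab), bytes(strtab)


# Constructed sample input, not taken from a real binary.
SAMPLE = """\
400526 main 2a
400550 check_password
"""

if __name__ == "__main__":
    symtab, strtab = build_tables(parse_flat(SAMPLE))
    print(len(symtab) // ELF64_SYM.size, "entries,", len(strtab), "string bytes")
```

Because every entry here is global, the symtab section's sh_info (index of the first non-local symbol) would be 1; mixing local and global symbols requires sorting locals first.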
future work
- MORE TESTING: IIRC there is some weird stuff going on with symtabs and entries need to be in a particular order for it to work etc, etc... Maybe we should be nice and do this for the user.
- Add a parser for another IDA output format in order to have sizes
- Allow for symbol types (data would be nice)
- Link a symbol to the smallest section containing said symbol (instead of taking the first one that matches the address)