Reputation: 9163
Is it possible to check the hash in the "GNU_HASH" section of an ELF executable?
When I disassemble an ELF executable, I see a section GNU_HASH that seems to contain a hash. I think it is a signature in order to check if the executable was patched or infected by a virus.
Is there a way to check this signature ? Does Linux automatically check this signature when running the program ?
Upvotes: 4
Views: 5273
Answers (1)
Reputation: 83635
When i disassemble an elf executable, i see a section that contains a GNU hash. I think it is a signature in order to check if executable was patch or infected by a virus.
No, it is not. You are confusing two common uses of hash functions:
- the use of Cryptographic hash functions for digitally signing data, and
- the use of a (typically non-cryptographic) hash function to allow fast lookup of data, typically via a hash table
ELF binaries contain a "hash section" to allow fast lookup of symbols from the ELF's symbol table, to speed up linking. This section is called "hash section" because it contains a hash table. It has nothing to do with integrity checking.
To quote the ELF specification:
Hash Table
A hash table of
Elf32_Wordobjects supports symbol table access.
source: SYSTEM V APPLICATION BINARY INTERFACE, page 94
Upvotes: 11
Related Questions
- Is there a glibc hash function?
- Getting the ELF header of the main executable
- There is a signature for a specific ABI in an ELF or binary file?
- How to check if a program was statically compiled in c
- For ELF file, how to tell which section contains execution binary code?
- How to see the GNU debuglink value of an ELF file?
- Is there any emacs mode for checking ELF file
- How to identify whether a file is elf file using C language function?
- Is there a tool to obtain info on a particular symbol in an ELF .o or executable file?
- Is there a way to detect an ELF binary is broken/tampered or not?