
How do I strip the section header table in an ELF file?


I am new to ELF binary protection.

I want to strip the section header table to avoid debugging.

I tried to find the section header table offset on disk by running readelf -h, and tried to nop them, but they are all 0.

How can I strip the section header table?

Thanks in advance.


Solution

  • First of all, you can check which sections are present in your ELF with readelf --section-headers. You should see something like this:

    $ readelf --section-headers <your-file>
    
    [ #] Name               Type            Address            Offset
         Size              Size.Ent         Flags     -     -  Alignment
    [ 0]                   NULL             0000000000000000  00000000
         0000000000000000  0000000000000000           0     0     0
    [ 1] .data             PROGBITS         00000000006000b0  000000b0
         000000000000003b  0000000000000000  WA       0     0     1
    [ 2] .text             PROGBITS         0000000000a000f0  000000f0
         00000000000003e9  0000000000000000  AX       0     0     1
    [ 3] .shstrtab         STRTAB           0000000000000000  000004d9
         0000000000000027  0000000000000000           0     0     1
    [ 4] .symtab           SYMTAB           0000000000000000  00000680
         0000000000000438  0000000000000018           5    41     8
    [ 5] .strtab           STRTAB           0000000000000000  00000ab8
         0000000000000258  0000000000000000           0     0     1
    

    And you should be aware that most of the sections are added by the linker, since the only real parts you need in your binary are .text and .data. Most of the other information can be omitted if you do the linkage manually.

    If you are using the classic ld linker, I would recommend trying the options --strip-all and --strip-debug. As the names suggest, they remove debug info and other symbolic information from the binary - here you can see the docs.

    $ readelf --section-headers <your-file>
    
    [ #] Name               Type            Address            Offset
         Size              Size.Ent         Flags     -     -  Alignment
    [ 0]                   NULL             0000000000000000  00000000
         0000000000000000  0000000000000000           0     0     0
    [ 1] .data             PROGBITS         00000000006000b0  000000b0
         000000000000003b  0000000000000000  WA       0     0     1
    [ 2] .text             PROGBITS         0000000000a000f0  000000f0
         00000000000003e9  0000000000000000  AX       0     0     1
    [ 3] .shstrtab         STRTAB           0000000000000000  000004d9
         0000000000000017  0000000000000000           0     0     1
    

    But by now you should probably have only 3 sections, and since most of the data is already omitted, you can stop at that point - now your .shstrtab only contains the names of the text and data sections - it's not really a secret it does :)

    And now it really depends on how far you are ready to go.

    If you would like to proceed, I would suggest trying another tool called strip (from binutils), which you can use like this: strip --remove-section=.shstrtab <your-file> - it basically removes the undesired section, but it's not that easy to get rid of .shstrtab as I remember using it.

    You can even try removing it by yourself - since you know the exact offset of the section (and it's probably at the very end of the file), you can just place zeroes over it, aka "renaming" sections to null :)

    And according to the ELF specs, .shstrtab is not required for execution, so you should be OK even if you manually remove it from the file (removing those bytes) - just keep the other pointers, offsets, etc. valid.


    In my case removing debug info was OK, so I didn't go that far, but you can - I would just wish you good luck :)
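
The manual removal described in the answer, as an added example that is not part of the original post: it clears the three ELF header fields that locate the section header table (e_shoff, e_shnum, e_shstrndx) and drops the table bytes when they form the file tail. The function names and the sample image are constructed for illustration, and only little-endian ELF64 is assumed. The program header fields are left untouched, which is why the loader, and any analysis tool that works from segments, is unaffected by the change.

```python
import struct

# ELF64 little-endian file header (64 bytes), field order per the ELF spec.
EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")
E_PHOFF, E_SHOFF, E_PHNUM, E_SHENTSIZE, E_SHNUM, E_SHSTRNDX = 5, 6, 10, 11, 12, 13

def read_ehdr(image):
    """Unpack the file header; this sketch handles little-endian ELF64 only."""
    if len(image) < EHDR64.size or image[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    return list(EHDR64.unpack_from(image, 0))

def strip_section_table(image):
    """Return a copy whose header no longer references any section headers."""
    hdr = read_ehdr(image)
    start = hdr[E_SHOFF]
    end = start + hdr[E_SHENTSIZE] * hdr[E_SHNUM]
    if end > len(image):
        raise ValueError("section header table runs past end of file")
    out = bytearray(image)
    if start and end == len(out):
        del out[start:]                      # table is the file tail: drop the bytes
    elif start:
        out[start:end] = bytes(end - start)  # mid-file: blank in place, offsets stay valid
    hdr[E_SHOFF] = hdr[E_SHNUM] = hdr[E_SHSTRNDX] = 0
    EHDR64.pack_into(out, 0, *hdr)
    return bytes(out)

def build_sample():
    """Constructed image (not a runnable program): file header, one 56-byte
    program header slot, 16 payload bytes, then three 64-byte section headers."""
    shoff = 64 + 56 + 16
    ehdr = EHDR64.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 2, 62, 1, 0x400078,
                       64, shoff, 0, 64, 56, 1, 64, 3, 2)
    return ehdr + b"P" * 56 + b"\x90" * 16 + b"S" * (64 * 3)

if __name__ == "__main__":
    before = build_sample()
    after = strip_section_table(before)
    for label, img in (("before", before), ("after", after)):
        h = read_ehdr(img)
        print(label, "size", len(img), "e_shoff", h[E_SHOFF], "e_shnum", h[E_SHNUM],
              "e_phoff", h[E_PHOFF], "e_phnum", h[E_PHNUM])
```

On a real binary, work on a copy and compare readelf -h and readelf --segments before and after: the section fields should read 0 while the segment listing stays the same.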