Summary
When running blint --src . on C or Rust ELF binaries, the generated metadata incorrectly sets "exe_type": "gobinary". This misclassification is due to a regex in binary.py that matches .go anywhere in the binary, including ELF sections like .got.plt.
Steps to reproduce
- Run blint --src . on a C or Rust ELF binary
- Observe the generated metadata:
{
"file_path": "./main",
"is_shared_libiary": true,
...
"exe_type": "gobinary",
...
}
Root cause
In binary.py, the following regex is used to detect Go binaries from rdata/rodata:
# line 1313 of binary.py
file_extns_from_rdata = r".*\.(go|s|dll|exe|pdb)"
- This regex matches any occurrence of .go, even as part of ELF section names like .got.plt, leading to false positives.
ELF Section Context
- .got.plt: a table where resolved addresses of external functions are stored. It is writable by default due to lazy binding, unless Relocation Read-Only is used or the LD_BIND_NOW environment variable is set.
- Elf Format Cheat Sheet
Solution
I’ve made a fork of the project that can be accessed here: betim - blint
The update I’ve made makes the regex only match the file extensions and not substrings within section names.
file_extns_from_rdata = r".*\.(go|s|dll|exe|pdb)(\s|$)"
- Appending (\s|$) makes sure there’s whitespace after the extension or that it’s at the end of a string.
Result after Fix
After updating the regex, the metadata for the same ELF binary I tested is now correct, showing "exe_type": "genericbinary".
I’ve also tested it with various binaries to ensure nothing was broken in the process of this:
- PE (dll, x86, x64, dotnet)
- Go
- Rust
I haven’t seen any issues yet from this change. I would like to make a pull request to this project; this will help ensure accurate metadata in future binary analysis.
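
The false positive and the fix described above, as an added regression check that is not part of the original issue or of Blint's own code. It runs both regexes from the report over constructed section names and file paths, assuming each string is tested on its own with re.match (how binary.py applies the pattern is not shown here). The .s-prefixed section names and the extension followed by punctuation go beyond the .got.plt case in the report.

```python
import re

# Both patterns are copied from the issue text above.
ORIGINAL = r".*\.(go|s|dll|exe|pdb)"
PATCHED = r".*\.(go|s|dll|exe|pdb)(\s|$)"

# Constructed sample strings (not extracted from a real binary).
SECTION_NAMES = [".got", ".got.plt", ".symtab", ".strtab", ".shstrtab", ".text"]
SOURCE_PATHS = [
    "/usr/local/go/src/runtime/proc.go",
    "runtime/asm_amd64.s",
    "kernel32.dll",
    "build/app.pdb extra",  # extension followed by whitespace
]
# Extension followed by something other than whitespace or end of string.
FOLLOWED_BY_PUNCTUATION = ["main.go:42"]


def hits(pattern, strings):
    """Return the strings the pattern matches, testing one string at a time."""
    rx = re.compile(pattern)
    return [s for s in strings if rx.match(s)]


def report():
    """Collect the matches of each pattern for every group of samples."""
    groups = {
        "sections": SECTION_NAMES,
        "paths": SOURCE_PATHS,
        "punct": FOLLOWED_BY_PUNCTUATION,
    }
    return {
        name: {"original": hits(ORIGINAL, strs), "patched": hits(PATCHED, strs)}
        for name, strs in groups.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name}:")
        print("  original ->", result["original"])
        print("  patched  ->", result["patched"])
```

The original pattern also flags .symtab, .strtab and .shstrtab through the s alternative, and the patched pattern no longer matches an extension that is immediately followed by punctuation such as a colon.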