bearparser is a library designed for parsing Portable Executables (PE) and Executable and Linkable Format (ELF) files. Originally built for PE file parsing, it has now been extended to support ELF files, making it versatile for cross-platform executable analysis.
- Qt6 SDK
- Qt6 Core
- CMake (http://www.cmake.org/)
Optionally, you can build with older versions of Qt (Qt4, Qt5) by setting an appropriate CMake flag:
cmake -G "Unix Makefiles" -D USE_QT4=ON ../
The following features have been added to bearparser to support ELF files on Linux:
- ELF Bitness Detection (32/64-bit): Automatically detects whether an ELF file is 32-bit or 64-bit.
- Entry Point Parsing: Parses the entry point address from ELF headers.
- Image Base Calculation: Calculates the image base of ELF files from the PT_LOAD section header.
- Raw and Virtual Size Calculation: Computes both raw and virtual sizes for ELF sections.
- Raw and Virtual Alignment Calculation: Provides accurate alignment values for ELF sections.
- ELFFileBuilder: Introduced a basic ELFFileBuilder to assist with building ELF structures.
- 32/64-bit Header Support via std::variant: Uses std::variant to handle the different ELF header structures based on bitness.
- Lazy Caching: Implements lazy caching for expensive operations to improve performance.
- Core ELFFile Encapsulation: Introduced encapsulation of core ELF data structures within the ELFFile class for better modularity and management.
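The bitness, entry point and image base items above, shown as an added example that is not bearparser's code or API: a bounds-checked reader that refuses truncated or malformed input. `ElfInfo`, `parseElf` and `sampleElf64` are hypothetical names; the sketch assumes little-endian files, reads fields by offset instead of through std::variant header structs, and assumes the image base is the lowest `p_vaddr` among PT_LOAD entries.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical result type for this example; not bearparser's API.
struct ElfInfo { int bits; uint64_t entry; uint64_t imageBase; };
typedef std::vector<uint8_t> Bytes;

// Bounds-checked little-endian read of n (<= 8) bytes at offset off.
static bool rd(const Bytes& b, uint64_t off, unsigned n, uint64_t& out) {
    if (off > b.size() || n > b.size() - off) return false;
    out = 0;
    for (unsigned i = 0; i < n; ++i) out |= uint64_t(b[off + i]) << (8 * i);
    return true;
}

// Returns false on a bad magic, unsupported encoding, or any truncated field.
bool parseElf(const Bytes& b, ElfInfo& info) {
    if (b.size() < 16 || b[0] != 0x7f || b[1] != 'E' || b[2] != 'L' || b[3] != 'F') return false;
    if ((b[4] != 1 && b[4] != 2) || b[5] != 1) return false;  // EI_CLASS 32/64, EI_DATA little-endian only
    const bool is64 = (b[4] == 2);
    const unsigned w = is64 ? 8 : 4;                          // width of address and offset fields
    uint64_t phoff = 0, entsize = 0, phnum = 0;
    if (!rd(b, 24, w, info.entry) || !rd(b, 24 + w, w, phoff)) return false;  // e_entry, e_phoff
    if (!rd(b, is64 ? 54 : 42, 2, entsize) || !rd(b, is64 ? 56 : 44, 2, phnum)) return false;
    if (phoff > b.size() || entsize < (is64 ? 56u : 32u)) return false;  // wild table offset or short entries
    info.bits = is64 ? 64 : 32;
    bool found = false;
    for (uint64_t i = 0; i < phnum; ++i) {
        uint64_t ph = phoff + i * entsize, type = 0, vaddr = 0;
        if (!rd(b, ph, 4, type) || !rd(b, ph + (is64 ? 16 : 8), w, vaddr)) return false;  // p_type, p_vaddr
        // PT_LOAD (type 1): keep the lowest virtual address seen so far.
        if (type == 1 && (!found || vaddr < info.imageBase)) { info.imageBase = vaddr; found = true; }
    }
    return found;
}

// Constructed sample: minimal ELF64 header plus one PT_LOAD entry (not a real binary).
Bytes sampleElf64() {
    Bytes b(64 + 56, 0);
    const uint8_t ident[6] = {0x7f, 'E', 'L', 'F', 2, 1};
    for (int i = 0; i < 6; ++i) b[i] = ident[i];
    b[24] = 0x00; b[25] = 0x10; b[26] = 0x40;   // e_entry = 0x401000
    b[32] = 64; b[54] = 56; b[56] = 1;          // e_phoff, e_phentsize, e_phnum
    b[64] = 1;                                  // p_type = PT_LOAD
    b[64 + 16 + 2] = 0x40;                      // p_vaddr = 0x400000
    return b;
}

int main() { ElfInfo e; return (parseElf(sampleElf64(), e) && e.bits == 64) ? 0 : 1; }
```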
To build and compile the library:
cmake -G "Unix Makefiles" -D USE_QT4=ON ../
make
For detailed ELF file parsing examples, see the Wiki.
In addition to bearparser, check out PE-bear, a GUI application built using bearparser.
More info: PE-bear GitHub
