elfutils 0.177 released with eu-elfclassify
elfutils 0.177 was released with various bug fixes (if you ever had issues updating > 2GB ELF files using libelf, this release is for you!) and some new features. One of the features is eu-elfclassify, a utility by Florian Weimer to analyze ELF objects.
People use various tricks to construct ELF files that might make it non-trivial to determine what kind of ELF file you might be dealing with. Even a simple question like “is this a program executable or shared library?” might be tricky given the fact that (static) PIE executables look a lot like shared libraries. And some “shared libraries” are also “program executables”. e.g. Qt likes to provide some information about how the files have been build. So you can link against it as a shared library, but you can also execute it as if it was a program:
$ /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
This is the QtCore library version Qt 5.11.3
(x86_64-little_endian-lp64 shared (dynamic) release build; by GCC 8.3.0)
Installation prefix: /usr
Library path: lib/x86_64-linux-gnu
Include path: include/x86_64-linux-gnu/qt5
Processor features: sse3 sse2[required] ssse3 fma cmpxchg16b sse4.1 sse4.2 movbe popcnt aes avx f16c rdrand bmi avx2 bmi2 rdseed
glibc does the same thing for its shared libraries. Which is nice if you just quickly need to know what libc version is installed on a system, but might make it tricky to determine what kind of ELF file something really is.
eu-classify has a mode that will tell you whether such a file is primarily a shared library or primarily a program executable. And of course is able to classify it as both a library and a program. Hopefully eu-classify can replace the usage of the file (1) utility in various tools, with a more precise way to classify ELF files.
Usage: elfclassify [OPTION...] FILE...
Determine the type of an ELF file.
All of the classification options must apply at the same time to a particular
file. Classification options can be negated using a "--not-" prefix.
Since modern ELF does not clearly distinguish between programs and dynamic
shared objects, you should normally use either --executable or --shared to
identify the primary purpose of a file. Only one of the --shared and
--executable checks can pass for a file.
If you want to know whether an ELF object might a program or a shared library
(but could be both), then use --program or --library. Some ELF files will
classify as both a program and a library.
If you just want to know whether an ELF file is loadable (as program or
library) use --loadable. Note that files that only contain (separate) debug
information (--debug-only) are never --loadable (even though they might contain
program headers). Linux kernel modules are also not --loadable (in the normal
sense).
Without any of the --print options, the program exits with status 0 if the
requested checks pass for all input files, with 1 if a check fails for any
file, and 2 if there is an environmental issue (such as a file read error or a
memory allocation error).
When printing file names, the program exits with status 0 even if no file names
are printed, and exits with status 2 if there is an environmental issue.
On usage error (e.g. a bad option was given), the program exits with a status
code larger than 2.
The --quiet or -q option suppresses some error warning output, but doesn't
change the exit status.
Classification options
--core File is an ELF core dump file
--debug-only File is a debug only ELF file (separate .debug,
.dwo or dwz multi-file)
--elf File looks like an ELF object or archive/static
library (default)
--elf-archive File is an ELF archive or static library
--elf-file File is an regular ELF object (not an
archive/static library)
--executable File is (primarily) an ELF program executable (not
primarily a DSO)
--library File is an ELF shared object (DSO) (might also be
an executable)
--linux-kernel-module File is a linux kernel module
--loadable File is a loadable ELF object (program or shared
object)
--program File is an ELF program executable (might also be a
DSO)
--shared File is (primarily) an ELF shared object (DSO)
(not primarily an executable)
--unstripped File is an ELF file with symbol table or .debug_*
sections and can be stripped further
Input flags
-f, --file Only classify regular (not symlink nor special
device) files
--no-stdin Do not read files from standard input (default)
--stdin Also read file names to process from standard
input, separated by newlines
--stdin0 Also read file names to process from standard
input, separated by ASCII NUL bytes
-z, --compressed Try to open compressed files or embedded (kernel)
ELF images
Output flags
--matching If printing file names, print matching files
(default)
--no-print Do not output file names
--not-matching If printing file names, print files that do not
match
--print Output names of files, separated by newline
--print0 Output names of files, separated by ASCII NUL
Additional flags
-q, --quiet Suppress some error output (counterpart to
--verbose)
-v, --verbose Output additional information (can be specified
multiple times)
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
Report bugs to https://sourceware.org/bugzilla.