elf: implement file export name extractor

[williballenthin]

capa/capa/features/extractors/elffile.py

Line 88 in 430f9da

# TODO(williballenthin): implement extract_file_export_names

[Aayush-Goel-04]

I investigated ways to distinguish between import and export symbols. The current implementation identifies symbols as imports solely based on their type and name. However, after careful analysis, I found that the st_shndx field in the symbol entry plays a critical role in differentiating between imports and exports. If symbol.entry.st_shndx = SHN_UNDEF (0x00), it signifies that the symbol is not defined within the ELF file, making it an import. On the other hand, the st_shndx field of export symbols points to the section index of the section where the symbol is defined.

The current extract_file_export_names extracts both import and export name from .dynsym and .symtab. We should consider incorporating the st_shndx field check to accurately identify import and export symbols.

@williballenthin what are your thoughts

[williballenthin]

great find and excellent explanation. do you have any references to the specifications that support these conclusions? it would be great to link to them in the code.

how do you think we should proceed? would you like to propose some updates to the code?

[williballenthin]

this article is very wordy but provides nice clear definitions at the bottom:

http://www.m4b.io/elf/export/binary/analysis/2015/05/25/what-is-an-elf-export.html

it's generally consistent with what you posted @Aayush-Goel-04 though it describes a few edge cases. seems like it shouldn't be too hard to handle.

[Aayush-Goel-04]

this article is very wordy but provides nice clear definitions at the bottom:

I was looking at the same paper.

In above screenshot only the first two points of import and export differ st_value and st_shndx. st_type is same for both export and import.

Some info on SHN_UNDEF. Some more I found https://stackoverflow.com/questions/12666253/elf-imports-and-exports

@williballenthin Shall I proceed with identifying import and exports based on definition given in screenshot above.

[williballenthin]

yes, please!

[Aayush-Goel-04]

@williballenthin I think we should look for export symbols in section.name == .dynsym rather than looking at all symbols for isinstance(section, SymbolTableSection). I am not sure if we should also look at .symtab section name . Can you shed some light here.

Also Since #1608 is closely related to this I will get that done as well.

[williballenthin]

i'm willing to go with your recommendation, especially if we can provide references to specifications or example files (for any edge cases we find). i don't have any particular knowledge of the ELF format, so i trust what you learn.

if you need an opinion on which strategy to use, i'm happy to discuss, though i'd appreciate a bit of detail around what you've considered so far.