Bob5421 Bob5421 - 5 months ago 23
Linux Question

Is it possible to check the hash in the "GNU_HASH" section of an ELF executable?

When I disassemble an ELF executable, I see a section

GNU_HASH
that seems to contain a hash. I think it is a signature in order to check if the executable was patched or infected by a virus.

Is there a way to check this signature ? Does Linux automatically check this signature when running the program ?

Answer

When i disassemble an elf executable, i see a section that contains a GNU hash. I think it is a signature in order to check if executable was patch or infected by a virus.

No, it is not. You are confusing two common uses of hash functions:

ELF binaries contain a "hash section" to allow fast lookup of symbols from the ELF's symbol table, to speed up linking. This section is called "hash section" because it contains a hash table. It has nothing to do with integrity checking.

To quote the ELF specification:

Hash Table

A hash table of Elf32_Word objects supports symbol table access.

source: SYSTEM V APPLICATION BINARY INTERFACE, page 94

Comments