Bulk Shared Library Collecting for Ghidra

If you’ve ever used Ghidra to analyze ELFs taken off of embedded devices (routers, automotive modules, etc.) you’re probably highly familiar with this classic message:

0 external symbols resolved, 267 remain unresolved.

Thanks, Ghidra.

That being said, it’s a relatively simple problem to solve! Our hero: Load Shared Libraries From Disk!

An image showing Ghidra's Import Options menu, with Load Libraries from Disk and Library Search Paths visible.

Load Libraries From Disk, my savior

Usually, this issue just means that you have to point Ghidra to the device’s folder of shared libraries, and make sure “Load Libraries From Disk” is checked.

Buuut… it’s not always that simple.

The Issue

The device I’m currently working with has over five hundred shared libraries, all spread out across random folders within the filesystem. Bleh!

This is a common issue I’ve run into when working with embedded systems. You want to import an arbitrary binary into Ghidra, but first you have to spend 10 minutes tracking down where all of its shared libraries are located! A major pain.

But have no fear, a one-liner is here! (every Linux graybeard’s favorite saying)

A One-Liner to Collect Shared Libraries

To solve this issue, I wrote a quick bash one-liner:

find . -exec file -F '' {} \; | grep -i elf | grep -i "shared object" | awk '{print $1}' | xargs -I {} cp {} shared-libraries/

(I’ve also thrown it on my GitHub here, if you’d prefer)

What does it do?

  • Runs ‘find’ to recursively iterate through all files in a given directory

  • Executes ‘file’ on each one of them to determine file type

  • Greps the results of ‘file’ to determine if the file is an ELF

  • Greps through the resulting ELFs to determine if they’re a ‘shared object’

  • Uses ‘awk’ to grab only the file path/name from the previous greps

  • Uses ‘xargs’ to copy the resulting file to the ‘shared-libraries/’ folder!

Overall, I’d say it’s pretty hacky, but it does a great job!

Limitations

Now, no one-liner does everything, and this one definitely has some limitations!

If you have two shared libraries with the same name, it will copy one over the other with no remorse. Be warned!
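
A collision-safe variant, as an added example rather than the post's own code: when two different libraries share a name it keeps both (the later one gets a `.dupN` suffix), and it goes slightly beyond the one-liner by preserving paths that contain spaces. It reads the ELF header for `ET_DYN` itself instead of grepping `file` output; the function names and the suffix scheme are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not the post's code). Function names and the ".dupN"
# suffix are this example's own choices.

# True if $1 starts with an ELF header whose e_type is ET_DYN (3).
# Position-independent executables are ET_DYN too, so they also match.
is_elf_dyn() {
    set -- $(od -An -tu1 -N18 "$1" 2>/dev/null)    # first 18 bytes as decimals
    [ "$#" -ge 18 ] || return 1                    # too short to be an ELF
    [ "$1 $2 $3 $4" = "127 69 76 70" ] || return 1 # \x7f E L F
    case "$6" in                                   # EI_DATA: byte order
        1) e_type=$(( ${17} + 256 * ${18} )) ;;    # little-endian
        2) e_type=$(( ${17} * 256 + ${18} )) ;;    # big-endian
        *) return 1 ;;
    esac
    [ "$e_type" -eq 3 ]
}

# collect_shared_libs SRC DEST: copy every ET_DYN ELF under SRC into DEST.
collect_shared_libs() {
    src=$1 dest=$2
    mkdir -p "$dest" || return 1
    # Reading one path per line keeps spaces intact (newlines in names are
    # not supported). Files already in DEST compare equal to themselves
    # and are skipped, so DEST may live under SRC.
    find "$src" -type f | while IFS= read -r f; do
        is_elf_dyn "$f" || continue
        name=$(basename "$f")
        target="$dest/$name"
        n=0
        while [ -e "$target" ]; do
            if cmp -s "$f" "$target"; then target=""; break; fi  # same bytes
            n=$((n + 1))
            target="$dest/$name.dup$n"          # different library, same name
        done
        if [ -n "$target" ]; then
            [ "$n" -eq 0 ] || echo "name collision: $f -> $target" >&2
            cp "$f" "$target"
        fi
    done
}

# Usage: sh collect.sh <extracted-rootfs> <output-dir>
if [ "$#" -ge 2 ]; then collect_shared_libs "$1" "$2"; fi
```

A `.dupN` copy no longer has the name the binary asks for, so swap it in by hand if that is the version your target actually links against.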

Making Use of It

Now, how might this be useful?

Currently, I’m working on a QNX-based automotive head unit that contains a wide variety of proprietary shared libraries. I used this one-liner to pull all of them into a folder, and now I only ever have to specify one external library path in Ghidra!

I ran ‘ls -la | wc’ to check the file count, and it pulled in 727 shared objects in total - sheesh!

In Conclusion

Anyways, that’s all from me - hopefully someone out there finds this one-liner useful.

Thanks for reading!
