 

Is it possible to check the hash in the "GNU_HASH" section of an ELF executable?

When I disassemble an ELF executable, I see a section GNU_HASH that seems to contain a hash. I think it is a signature in order to check if the executable was patched or infected by a virus.

Is there a way to check this signature? Does Linux automatically check this signature when running the program?

like image 297
Bob5421 asked Sep 14 '25 16:09

Bob5421


1 Answer

When I disassemble an ELF executable, I see a section that contains a GNU hash. I think it is a signature in order to check if the executable was patched or infected by a virus.

No, it is not. You are confusing two common uses of hash functions:

  • the use of cryptographic hash functions for digitally signing data, and
  • the use of a (typically non-cryptographic) hash function to allow fast lookup of data, typically via a hash table.

ELF binaries contain a "hash section" to allow fast lookup of symbols from the ELF's symbol table, to speed up linking. This section is called "hash section" because it contains a hash table. It has nothing to do with integrity checking.

To quote the ELF specification:

Hash Table

A hash table of Elf32_Word objects supports symbol table access.

source: SYSTEM V APPLICATION BINARY INTERFACE, page 94

like image 120
sleske answered Sep 16 '25 05:09

sleske
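To make the answer above concrete, here is an added example (not part of the original answer) of the two symbol-name hashes and a SysV-style bucket/chain lookup. The symbol list, table size and the helpers build_table and lookup are constructed for illustration; the hash input is only the symbol name, so changing a binary's code bytes never changes these values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SysV ELF hash over a symbol name, as defined in the System V ABI. */
uint32_t elf_hash(const char *name) {
    uint32_t h = 0, g;
    while (*name) {
        h = (h << 4) + (unsigned char)*name++;
        if ((g = h & 0xf0000000u) != 0) h ^= g >> 24;
        h &= ~g;
    }
    return h;
}

/* Hash used for .gnu.hash lookups: h = h * 33 + c, starting from 5381. */
uint32_t gnu_hash(const char *name) {
    uint32_t h = 5381;
    for (; *name; name++) h = h * 33 + (unsigned char)*name;
    return h;
}

/* Constructed sample symbol table; index 0 is the reserved undefined symbol. */
enum { NSYMS = 5, NBUCKET = 3 };
static const char *symtab[NSYMS] = { "", "printf", "malloc", "free", "main" };
static uint32_t bucket[NBUCKET], chain[NSYMS];

/* Fill bucket[] and chain[] the way a linker lays out a SysV hash section. */
void build_table(void) {
    memset(bucket, 0, sizeof bucket);
    for (uint32_t i = 1; i < NSYMS; i++) {
        uint32_t b = elf_hash(symtab[i]) % NBUCKET;
        chain[i] = bucket[b];   /* previous head becomes next in chain */
        bucket[b] = i;
    }
}

/* Walk one chain instead of the whole table; 0 means "not found". */
uint32_t lookup(const char *name) {
    for (uint32_t i = bucket[elf_hash(name) % NBUCKET]; i != 0; i = chain[i])
        if (strcmp(symtab[i], name) == 0) return i;
    return 0;
}

int main(void) {
    build_table();
    printf("malloc -> %u, absent -> %u\n", (unsigned)lookup("malloc"), (unsigned)lookup("nosuch"));
    return 0;
}
```

Nothing here covers file contents, so it cannot detect patching; integrity checking needs a cryptographic digest or signature over the file itself.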