capa
Yield ELF module & module versions for imports and api calls
Summary
Most backends seem to be able to identify the imported/linked library functions as well as which module and module version that the binary intends to use during runtime. Specifically for the Ghidra backend, the .strtab section holds this information and may be parsed to provide this output to the feature extractor.
The expected yielded output would be something like:
import(glibc_2.2.5.strncpy)
import(strncpy)
api(glibc_2.2.5.strncpy)
api(strncpy)
Motivation
Including this extra information opens up an avenue for rule development to begin hunting for and identifying exploits that may be used in ELF malware. However, this proposal is definitely up for discussion :).
For example, see: https://www.cvedetails.com/vulnerability-list.php?vendor_id=72&product_id=767&version_id=371647&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=17&sha=cd6c5400827bf3ce3acc8b59d9356fb4b7d92a87
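Worked example, added here as an illustration of the Summary above; it is not capa project code and not part of this issue. It is a stdlib-only Python parser that walks the dynamic symbol table and the GNU symbol-versioning records of an ELF64 file (.dynsym, .gnu.version, .gnu.version_r) and emits import/api strings in the shape the expected output shows (version string lowercased, qualified and bare forms both yielded). It reads the dynamic tables rather than .strtab because those are what the loader resolves against and they survive `strip`, whereas .symtab/.strtab do not. The sample ELF is constructed in memory with only those tables populated; it is not loadable, and all function names, the `features` naming scheme and the sample symbols are this example's own assumptions.

```python
import struct

SHT_STRTAB, SHT_DYNSYM = 3, 11
SHT_GNU_VERNEED, SHT_GNU_VERSYM = 0x6FFFFFFE, 0x6FFFFFFF
VERSYM_INDEX_MASK = 0x7FFF      # bit 15 of a .gnu.version entry is the "hidden" flag, not part of the index


def _cstr(table, off):
    """Read a NUL-terminated string from a string table at the given offset."""
    return table[off:table.index(b"\0", off)].decode()


def _section_headers(data):
    """Parse the ELF64 section header table (little-endian only, for this example)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles little-endian ELF64")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    # tuple layout: (name, type, flags, addr, offset, size, link, info, addralign, entsize)
    return [struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]


def _body(data, hdr):
    return data[hdr[4]:hdr[4] + hdr[5]]


def _verneed_map(data, hdrs, hdr):
    """Map a version index (vna_other) -> (library file, version name) from .gnu.version_r."""
    strtab, out, pos = _body(data, hdrs[hdr[6]]), {}, hdr[4]   # sh_link -> .dynstr
    for _ in range(hdr[7]):                                    # sh_info = number of Verneed records
        _ver, cnt, file_off, aux, nxt = struct.unpack_from("<HHIII", data, pos)
        lib, apos = _cstr(strtab, file_off), pos + aux
        for _ in range(cnt):                                   # one Vernaux per version of that library
            _hash, _flags, other, name_off, anext = struct.unpack_from("<IHHII", data, apos)
            out[other & VERSYM_INDEX_MASK] = (lib, _cstr(strtab, name_off))
            apos += anext
        pos += nxt
    return out


def versioned_imports(data):
    """Return [(symbol, library, version)] for every undefined dynamic symbol.
    library/version are None when the symbol has no verneed binding (index 0 or 1)."""
    hdrs = _section_headers(data)
    by_type = {h[1]: h for h in hdrs}
    sym_hdr = by_type[SHT_DYNSYM]
    dynstr = _body(data, hdrs[sym_hdr[6]])                    # sh_link of .dynsym -> .dynstr
    versym = _body(data, by_type[SHT_GNU_VERSYM]) if SHT_GNU_VERSYM in by_type else b""
    needed = _verneed_map(data, hdrs, by_type[SHT_GNU_VERNEED]) if SHT_GNU_VERNEED in by_type else {}
    entsize, out = sym_hdr[9] or 24, []
    for i in range(1, sym_hdr[5] // entsize):                # index 0 is the mandatory null symbol
        st_name, _info, _other, st_shndx, _val, _size = struct.unpack_from("<IBBHQQ", data, sym_hdr[4] + i * entsize)
        if st_shndx != 0:                                    # only SHN_UNDEF symbols are imports
            continue
        vidx = struct.unpack_from("<H", versym, 2 * i)[0] & VERSYM_INDEX_MASK if versym else 0
        lib, ver = needed.get(vidx, (None, None))
        out.append((_cstr(dynstr, st_name), lib, ver))
    return out


def features(data):
    """Emit the strings the issue proposes: version-qualified (version lowercased) and bare."""
    out = []
    for name, _lib, ver in versioned_imports(data):
        for kind in ("import", "api"):
            if ver:
                out.append(f"{kind}({ver.lower()}.{name})")
            out.append(f"{kind}({name})")
    return out


def build_sample_elf():
    """Constructed sample (this example's own, not a real binary): an ELF64 skeleton whose dynamic
    tables import strncpy@GLIBC_2.2.5 and memcpy@GLIBC_2.14 from libc.so.6, an unversioned getenv,
    and define one local function that must not be reported as an import."""
    dynstr, off = b"\0", {}
    for s in (b"libc.so.6", b"strncpy", b"GLIBC_2.2.5", b"memcpy", b"GLIBC_2.14", b"getenv", b"local_fn"):
        off[s] = len(dynstr)
        dynstr += s + b"\0"
    sym = lambda s, shndx: struct.pack("<IBBHQQ", off[s], 0x12, 0, shndx, 0, 0)   # STB_GLOBAL | STT_FUNC
    dynsym = bytes(24) + sym(b"strncpy", 0) + sym(b"memcpy", 0) + sym(b"getenv", 0) + sym(b"local_fn", 1)
    versym = struct.pack("<5H", 0, 2, 3, 1, 1)        # 2 -> GLIBC_2.2.5, 3 -> GLIBC_2.14, 1 -> unversioned
    verneed = (struct.pack("<HHIII", 1, 2, off[b"libc.so.6"], 16, 0)             # one Verneed, two Vernaux
               + struct.pack("<IHHII", 0, 0, 2, off[b"GLIBC_2.2.5"], 16)
               + struct.pack("<IHHII", 0, 0, 3, off[b"GLIBC_2.14"], 0))
    secs = [  # (name, sh_type, body, sh_link, sh_info, sh_entsize); these become sections 1..4
        (b".dynsym", SHT_DYNSYM, dynsym, 2, 1, 24),
        (b".dynstr", SHT_STRTAB, dynstr, 0, 0, 0),
        (b".gnu.version", SHT_GNU_VERSYM, versym, 1, 0, 2),
        (b".gnu.version_r", SHT_GNU_VERNEED, verneed, 2, 1, 0),
    ]
    shstrtab = b"\0" + b"".join(n + b"\0" for n, *_ in secs) + b".shstrtab\0"
    secs.append((b".shstrtab", SHT_STRTAB, shstrtab, 0, 0, 0))
    body, hdrs = b"", [bytes(64)]                      # section 0 is the null header
    for name, typ, blob, link, info, entsize in secs:
        body += b"\0" * (-len(body) % 8)               # keep every table 8-byte aligned
        hdrs.append(struct.pack("<IIQQQQIIQQ", shstrtab.index(name + b"\0"), typ, 0, 0,
                                64 + len(body), len(blob), link, info, 8, entsize))
        body += blob
    body += b"\0" * (-len(body) % 8)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0, 64 + len(body), 0, 64, 0, 0, 64, len(hdrs), len(hdrs) - 1)
    return ehdr + body + b"".join(hdrs)


if __name__ == "__main__":
    for line in features(build_sample_elf()):
        print(line)
```

Two details matter for rule authors: the hidden bit (0x8000) must be masked off before using a .gnu.version entry as an index, and indices 0 and 1 mean "local" and "unversioned global", so a symbol such as getenv above yields only the bare name. A stripped binary still carries all of these tables, so the same features are available whether or not .strtab is present.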