Professional Documents
Culture Documents
Understanding Linux: Blog Archive
Understanding Linux: Blog Archive
Understanding Linux
Blog Archive
▼ 2010 (13)
► March (6)
▼ April (4)
Hacking Linu x u sing Virtu al Machine (Vmware Workst...
VMWare Player 3.0 (A boon to Linu x Hackers/Newbies...
Process Address Space
Execu table File Formats (ELF)
► May (2)
► Ju ne (1)
ELF Header
Program Headers
Section Headers
1 de 15 28-07-2010 15:22
Understanding Linux: Executable File Formats (ELF) http://havefunwhileulearn.blogspot.com/2010/04/...
/************************* test.c
************************/
int global1 = 100;
int global2;
int main (void)
{
global2 = 200;
2 de 15 28-07-2010 15:22
Understanding Linux: Executable File Formats (ELF) http://havefunwhileulearn.blogspot.com/2010/04/...
global1 = 300;
printf(“global1 = %d global2 = %d\n”, global1,
global2);
return 0;
}
# file a.out
a.out ELF 32-bit LSB executable, Intel 80386, version
1 (SYSV), for GNU/Linux 2.6.9, dynamically linked
(user shared libs), for GNU/Linux 2.6.9, not stripped
ELF He ade r
Always lie at the start of the executable file. ELF header has an overall
information about the entire elf file. It describes the target architecture
(Intel 80386 in this case), version of elf, location and number of program
and section headers. It also contains the location of the first executable
instruction (called entry point).
Lets print the contents of ELF header for our “a.out” elf executable. You
can use the tool “readelf” to dissect the elf executable.
ELF HEADER
-----------
#define EI_NIDENT 16
typedef struct {
unsigned char e_ident[EI_NIDENT]; // elf magic
Elf32_Half e_type;
Elf32_Half e_machine; // target machine
architecture
Elf32_Word e_version;
Elf32_Addr e_entry; // entry point address
Elf32_Off e_phoff; // program hdr table’s file
offset
Elf32_Off e_shoff; // section hgr table’s file
offset
Elf32_Word e_flags;
Elf32_Half e_ehsize; // elf header size in bytes
Elf32_Half e_phentsize; // size of one entry in
program
3 de 15 28-07-2010 15:22
Understanding Linux: Executable File Formats (ELF) http://havefunwhileulearn.blogspot.com/2010/04/...
# readelf -h a.out
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00
00
Class: ELF32
Data: 2's complement,
little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable
file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x80482b0
Start of program headers: 52 (bytes into
file)
Start of section headers: 1980 (bytes into
file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 7
Size of section headers: 40 (bytes)
Number of section headers: 28
Section header string table index: 25
The first four bytes hold a magic number identifying the file as ELF
executable.
4 de 15 28-07-2010 15:22
Understanding Linux: Executable File Formats (ELF) http://havefunwhileulearn.blogspot.com/2010/04/...
The second (0x45), third (0x4c) and fourth (0x46) characters are in fact the
ASCII values for ‘E’, ‘L’, ‘F’. The “file” command reads this magic
number to determine if this is an ELF file or not.
Note the entry point address. This is the address of first instruction where
the control is transferred after loading the executable in memory.
Elf Header also contains the offset at which the program header table
and section header table are placed in the a.out file.
There are various other sections as well. But we will concentrate only on
the above sections.
Lets print the section header for above sections. Again, readelf can be
used to print the section headers.
5 de 15 28-07-2010 15:22
Understanding Linux: Executable File Formats (ELF) http://havefunwhileulearn.blogspot.com/2010/04/...
Elf32_Word sh_info;
Elf32_Word sh_addralign;
Elf32_Word sh_entsize;
} Elf32_Shdr;
# readelf –S a.out
(only important fields are shown below)
Section Headers:
[Nr] Name Type Addr Off Size
Flg
Note the se ct ion t ype (NOBITS) of .bss section. NOBITS indicates that
section does not occupy any space in th executable file.
Also, note that the virt ual addre ss of sections .symtab, .strtab is 0, which
means that they are not loaded in memory. They are only used during
debugging of the program.
The offse t specifies where the actual bytes for that section reside in the
elf file.
For eg. offset for .text section is 0x2b0, which means that the machine
instructions for this program lie at an offset of 0x2b0 from the start of a.out
file.
offset for .text section is 0x2b0, which means that the machine instructions
for this program lie at an offset of 0x2b0 from the start of a.out file.
6 de 15 28-07-2010 15:22