Elf file format

Android is built on Linux, and its underlying code is assembled by installing the Linux executable file--elf format. This article combined with the so file in Android to understand the elf format, most of the data collected online, elf format is located in Android Source: Elf.h.

elf can be broadly divided into three parts: Elf Head, Program Head table, section Head table; There are also dynamic symbol tables that are not marked,

Elf Head:

#defineEi_nident 16typedefstruct{unsignedCharE_ident[ei_nident];//MagicElf32_half E_type;//Type 1: Relocate file; 2: Executable file; 3: Share fileElf32_half E_machine;//CPU StructureElf32_word e_version;//versionElf32_addr E_entry;//Program Entry point executable: main;so: UselessElf32_off E_phoff;//Program Header table offsetElf32_off E_shoff;//Section table offsetElf32_word E_flags;//file and processor-related flagsElf32_half e_ehsize;//elf Head sizeElf32_half e_phentsize;//program head takes up space is sizeElf32_half E_phnum;//number of program header itemsElf32_half e_shentsize;//section Header occupies space that is sizeElf32_half E_shnum;//number of section areasElf32_half E_shstrndx;//string table, indexed in the section area} ELF32_EHDR;

we will find e_ehsize = E_phoff (why?) See the first picture). In the elf head we can easily find that there are three main parts: info-related, program-header-related, node-area-header-related, exactly what the linker and loader need. E_phoff, e_phentsize, e_phnum loaders must be;E_shoff, E_shentsize, E_shnum, E_SHSTRNDX are linker must.

PHDR Head:

typedefstructElf32_phdr{elf32_word P_type; //Segment TypeElf32_off P_offset;//The offset address of the segmentElf32_addr p_vaddr;//segment mapping to in-memory addressesElf32_addr p_paddr;//This address will not be usedElf32_word P_filesz;//Segment SizeElf32_word P_memsz;//The size of the address space that segment occupies in memoryElf32_word P_flags;//segment actionable read and Write permissionsElf32_word p_align;//align by several bytes} ELF32_PHDR;

The emphasis is on P_offset and P_filesz, which are the starting address and size of the segment, P_type for segment type see the macro definition of the PT beginning in elf.h; p_ The operational rights of the flags for segment are described in the elf.h of PF at the beginning of the macro definition (as with the Linux file Permissions rwx).

SHDR Head:

typedefstruct{Elf32_word sh_name; //Section Name:.data,. Dynamic,. Got,. Init ...Elf32_word Sh_type;//Section typeElf32_word Sh_flags;//Section PermissionsElf32_addr sh_addr;//section maps to in-memory start addressesElf32_off Sh_offset;//the section's offset in the fileElf32_word sh_size;//Section sizeElf32_word Sh_link;//generally, the index of the string table in section Header table used for the sections, see Resources 3Elf32_word Sh_info;//Elf32_word sh_addralign;//Section is aligned by several bytesElf32_word sh_entsize;//The size of the table item in the section content, for example,. Dynamic is 8 explained below} ELF32_SHDR;

Dynamic symbol table (dynamic_symbol_table):

　　

After introducing the overall framework of the ELF format, you will have a closer look at the links and some sections.

. Dynamic: The section contains dynamically linked information that will contain the SHF_ALLOC bit, and whether the shf_write bit is 1 dependent on the processor; in short, it contains a series of dynamic structures

struct dynamic{elf32_sword d_tag;union{    elf32_sword d_val;    Elf32_addr d_ptr;    } D_un;} Elf32_dyn;

D_tag Controls whether D_un is D_val or d_ptr , and D_tag to identify which section (the macro definition that starts with DT in elf.h), d_un the offset in the file (not exactly correct!). For example, D_tag 6 is dt_symtab for. Dynsym, then D_un is. Dynsym is offset. It is worth mentioning that in this section,sh_addralign is 4,Sh_entsize is 8 (why look at the dynamic structure).

Some tips:

1 string symbol table. Shstrtab followed by section_header_table; the section table header is distributed at the end of the elf file, and the string symbol table is often the most up-to-the-back content.

2

Information:

1 "original" simple and rude so plus decryption implementation

2 "original" hand-crafted elf files

3 Elf file Format parsing (embedded many in this format)

Elf file format