Linux ELF File structure and linuxelf file structure

Linux ELF File structure and linuxelf file structure

ELF File Types in Linux are divided into the following types:

1. relocated files, such as SimpleSection. o;

2. executable files, such as/bin/bash;

3. Share the target file, such as/lib/libc. so.

In the next article, we will use objdump, readelf, hexdump, And nm to analyze a relocable file SimpleSection. o in Linux.

First, add the SimpleSection. c source code:

int printf( const char* format, ... );int global_init_var = 84;int global_uninit_var;void func1( int i ){printf( "%d\n", i );}int main(void){static int static_var = 85;static int static_var2;int a = 1;int b;func1( static_var + static_var2 + a + b );return a;}

Run the following command:

Gcc-c SimpleSection. c

To obtain SimpleSection. o, we will first attach the binary content of SimpleSection. o and the overall outline.

Run the following command:

Hexdump-C SimpleSection. o to obtain the binary content of SimpleSection. o.

In computer science, binary 0 1 can represent code, letters, numbers (decimal number and hexadecimal number ).

00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|00000010  01 00 3e 00 01 00 00 00  00 00 00 00 00 00 00 00  |..>.............|00000020  00 00 00 00 00 00 00 00  88 01 00 00 00 00 00 00  |................|00000030  00 00 00 00 40 00 00 00  00 00 40 00 0d 00 0a 00  |....@.....@.....|00000040  55 48 89 e5 48 83 ec 10  89 7d fc 8b 45 fc 89 c6  |UH..H....}..E...|00000050  bf 00 00 00 00 b8 00 00  00 00 e8 00 00 00 00 c9  |................|00000060  c3 55 48 89 e5 48 83 ec  10 c7 45 f8 01 00 00 00  |.UH..H....E.....|00000070  8b 15 00 00 00 00 8b 05  00 00 00 00 01 d0 03 45  |...............E|00000080  f8 03 45 fc 89 c7 e8 00  00 00 00 8b 45 f8 c9 c3  |..E.........E...|00000090  54 00 00 00 55 00 00 00  25 64 0a 00 00 47 43 43  |T...U...%d...GCC|000000a0  3a 20 28 55 62 75 6e 74  75 2f 4c 69 6e 61 72 6f  |: (Ubuntu/Linaro|000000b0  20 34 2e 36 2e 33 2d 31  75 62 75 6e 74 75 35 29  | 4.6.3-1ubuntu5)|000000c0  20 34 2e 36 2e 33 00 00  14 00 00 00 00 00 00 00  | 4.6.3..........|000000d0  01 7a 52 00 01 78 10 01  1b 0c 07 08 90 01 00 00  |.zR..x..........|000000e0  1c 00 00 00 1c 00 00 00  00 00 00 00 21 00 00 00  |............!...|000000f0  00 41 0e 10 86 02 43 0d  06 5c 0c 07 08 00 00 00  |.A....C..\......|00000100  1c 00 00 00 3c 00 00 00  00 00 00 00 2f 00 00 00  |....<......./...|00000110  00 41 0e 10 86 02 43 0d  06 6a 0c 07 08 00 00 00  |.A....C..j......|00000120  00 2e 73 79 6d 74 61 62  00 2e 73 74 72 74 61 62  |..symtab..strtab|00000130  00 2e 73 68 73 74 72 74  61 62 00 2e 72 65 6c 61  |..shstrtab..rela|00000140  2e 74 65 78 74 00 2e 64  61 74 61 00 2e 62 73 73  |.text..data..bss|00000150  00 2e 72 6f 64 61 74 61  00 2e 63 6f 6d 6d 65 6e  |..rodata..commen|00000160  74 00 2e 6e 6f 74 65 2e  47 4e 55 2d 73 74 61 63  |t..note.GNU-stac|00000170  6b 00 2e 72 65 6c 61 2e  65 68 5f 66 72 61 6d 65  |k..rela.eh_frame|00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|*000001c0  00 00 00 00 00 00 00 00  20 00 00 00 01 00 00 00  |........ .......|000001d0  06 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000001e0  40 00 00 00 00 00 00 00  50 00 00 00 00 00 00 00  |@.......P.......|000001f0  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|00000200  00 00 00 00 00 00 00 00  1b 00 00 00 04 00 00 00  |................|00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000220  b0 06 00 00 00 00 00 00  78 00 00 00 00 00 00 00  |........x.......|00000230  0b 00 00 00 01 00 00 00  08 00 00 00 00 00 00 00  |................|00000240  18 00 00 00 00 00 00 00  26 00 00 00 01 00 00 00  |........&.......|00000250  03 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000260  90 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|00000270  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|00000280  00 00 00 00 00 00 00 00  2c 00 00 00 08 00 00 00  |........,.......|00000290  03 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000002a0  98 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|000002b0  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|000002c0  00 00 00 00 00 00 00 00  31 00 00 00 01 00 00 00  |........1.......|000002d0  02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000002e0  98 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|000002f0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|00000300  00 00 00 00 00 00 00 00  39 00 00 00 01 00 00 00  |........9.......|00000310  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|00000320  9c 00 00 00 00 00 00 00  2b 00 00 00 00 00 00 00  |........+.......|00000330  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|00000340  01 00 00 00 00 00 00 00  42 00 00 00 01 00 00 00  |........B.......|00000350  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000360  c7 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000370  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|00000380  00 00 00 00 00 00 00 00  57 00 00 00 01 00 00 00  |........W.......|00000390  02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000003a0  c8 00 00 00 00 00 00 00  58 00 00 00 00 00 00 00  |........X.......|000003b0  00 00 00 00 00 00 00 00  08 00 00 00 00 00 00 00  |................|000003c0  00 00 00 00 00 00 00 00  52 00 00 00 04 00 00 00  |........R.......|000003d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000003e0  28 07 00 00 00 00 00 00  30 00 00 00 00 00 00 00  |(.......0.......|000003f0  0b 00 00 00 08 00 00 00  08 00 00 00 00 00 00 00  |................|00000400  18 00 00 00 00 00 00 00  11 00 00 00 03 00 00 00  |................|00000410  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000420  20 01 00 00 00 00 00 00  61 00 00 00 00 00 00 00  | .......a.......|00000430  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|00000440  00 00 00 00 00 00 00 00  01 00 00 00 02 00 00 00  |................|00000450  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000460  c8 04 00 00 00 00 00 00  80 01 00 00 00 00 00 00  |................|00000470  0c 00 00 00 0b 00 00 00  08 00 00 00 00 00 00 00  |................|00000480  18 00 00 00 00 00 00 00  09 00 00 00 03 00 00 00  |................|00000490  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000004a0  48 06 00 00 00 00 00 00  66 00 00 00 00 00 00 00  |H.......f.......|000004b0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|000004c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|*000004e0  01 00 00 00 04 00 f1 ff  00 00 00 00 00 00 00 00  |................|000004f0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 01 00  |................|00000500  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000510  00 00 00 00 03 00 03 00  00 00 00 00 00 00 00 00  |................|00000520  00 00 00 00 00 00 00 00  00 00 00 00 03 00 04 00  |................|00000530  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000540  00 00 00 00 03 00 05 00  00 00 00 00 00 00 00 00  |................|00000550  00 00 00 00 00 00 00 00  11 00 00 00 01 00 03 00  |................|00000560  04 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|00000570  21 00 00 00 01 00 04 00  00 00 00 00 00 00 00 00  |!...............|00000580  04 00 00 00 00 00 00 00  00 00 00 00 03 00 07 00  |................|00000590  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000005a0  00 00 00 00 03 00 08 00  00 00 00 00 00 00 00 00  |................|000005b0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 06 00  |................|000005c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|000005d0  32 00 00 00 11 00 03 00  00 00 00 00 00 00 00 00  |2...............|000005e0  04 00 00 00 00 00 00 00  42 00 00 00 11 00 f2 ff  |........B.......|000005f0  04 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|00000600  54 00 00 00 12 00 01 00  00 00 00 00 00 00 00 00  |T...............|00000610  21 00 00 00 00 00 00 00  5a 00 00 00 10 00 00 00  |!.......Z.......|00000620  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|00000630  61 00 00 00 12 00 01 00  21 00 00 00 00 00 00 00  |a.......!.......|00000640  2f 00 00 00 00 00 00 00  00 53 69 6d 70 6c 65 53  |/........SimpleS|00000650  65 63 74 69 6f 6e 2e 63  00 73 74 61 74 69 63 5f  |ection.c.static_|00000660  76 61 72 2e 31 35 39 34  00 73 74 61 74 69 63 5f  |var.1594.static_|00000670  76 61 72 32 2e 31 35 39  35 00 67 6c 6f 62 61 6c  |var2.1595.global|00000680  5f 69 6e 69 74 5f 76 61  72 00 67 6c 6f 62 61 6c  |_init_var.global|00000690  5f 75 6e 69 6e 69 74 5f  76 61 72 00 66 75 6e 63  |_uninit_var.func|000006a0  31 00 70 72 69 6e 74 66  00 6d 61 69 6e 00 00 00  |1.printf.main...|000006b0  11 00 00 00 00 00 00 00  0a 00 00 00 05 00 00 00  |................|000006c0  00 00 00 00 00 00 00 00  1b 00 00 00 00 00 00 00  |................|000006d0  02 00 00 00 0e 00 00 00  fc ff ff ff ff ff ff ff  |................|000006e0  32 00 00 00 00 00 00 00  02 00 00 00 03 00 00 00  |2...............|000006f0  00 00 00 00 00 00 00 00  38 00 00 00 00 00 00 00  |........8.......|00000700  02 00 00 00 04 00 00 00  fc ff ff ff ff ff ff ff  |................|00000710  47 00 00 00 00 00 00 00  02 00 00 00 0d 00 00 00  |G...............|00000720  fc ff ff ff ff ff ff ff  20 00 00 00 00 00 00 00  |........ .......|00000730  02 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00  |................|00000740  40 00 00 00 00 00 00 00  02 00 00 00 02 00 00 00  |@...............|00000750  21 00 00 00 00 00 00 00                           |!.......|

Figure 1

Run the ls-l SimpleSection. o command to obtain the file size of 1880 bytes. The preceding binary content is exactly 1880 bytes (0x758 is converted to 10 By 1880 ).

The overall profile of SimpleSection. o is shown below. Readers may wonder why such a picture is generated. As we analyze the content of each segment in depth, the answer will naturally be revealed.

Figure 2

We can see that 0x758 is the end of all segments, and the conversion to decimal is 1880 bytes. The file size is the same as the file size we just obtained.

Next we will use the command to analyze each part of the ELF File structure:

1. ELF Header

Run readelf-h SimpleSection. o.

Figure 3

The ELF File Header structure and related parameters are defined in "/usr/include/elf. h", as follows:

typedef struct{  unsigned char e_ident[EI_NIDENT];     /* Magic number and other info */  Elf32_Half    e_type;                 /* Object file type */  Elf32_Half    e_machine;              /* Architecture */  Elf32_Word    e_version;              /* Object file version */  Elf32_Addr    e_entry;                /* Entry point virtual address */  Elf32_Off     e_phoff;                /* Program header table file offset */  Elf32_Off     e_shoff;                /* Section header table file offset */  Elf32_Word    e_flags;                /* Processor-specific flags */  Elf32_Half    e_ehsize;               /* ELF header size in bytes */  Elf32_Half    e_phentsize;            /* Program header table entry size */  Elf32_Half    e_phnum;                /* Program header table entry count */  Elf32_Half    e_shentsize;            /* Section header table entry size */  Elf32_Half    e_shnum;                /* Section header table entry count */  Elf32_Half    e_shstrndx;             /* Section header string table index */} Elf32_Ehdr;

Type: ELF File Type. In this example, It is REL (Relocatable File), which can be relocated.

Start of section headers: the offset of the field Table in the file, that is, the position of Section Table in Figure 2 is 392 (0x188 ).

Size of section headers: the Size of the ELF File Header is 64 bytes.

Number of section headers: Number of ELF disconnections. In this example, 13 segments are supported. See Figure 7.

Section header string table index, the subscript of the segment where the field table string table is located in the field table. In this example, the size is less than 10, as shown in figure 7.

2.. text

Run the following command:

Objdump-d SimpleSection. o.

Figure 4

 

3.. data

Run the command objdump-s SimpleSection. o to obtain the data segment, for example:

Figure 5

In this example

int global_init_var = 84;static int static_var = 85;

A total of 8 bytes, one is 0x00000054, the decimal is 84; the other is 0x0000000056, And the decimal is 85.

4. bss

Run the command objdump-h SimpleSection. o to obtain the following information:

Figure 6

In this example

static int static_var2;

You will notice that int global_uninit_var; is neither in. data nor in. bss. If static is added to the front, it exists in the. bss segment.

5.. rodata

Read-only data stored in. rodata. 25640a00.% d \ n stands for the ASCII table.

6. shstrtab (field table string table)

1. The storage is

... Symtab... strtab... shstrtab... rela. text... data... bs... rodata... comment... note. GNU-stak... rela. eh_frame

7. strtab (string table)

1. The storage is

SimpleSection. c. static_var.1594.static_var2.1595.global_init_var.global_uninit_var.func1.printf.main

8. Section Table

Run readelf-S SimpleSection. o to get the following code:

Figure 7

This explains why we need to draw this image in Figure 1.

Offset indicates the segment Offset, and Size indicates the segment Size.

Type, PROGBITS indicates the segment, NOBITS indicates that the space is not occupied,. RELA indicates the relocation segment, STRTAB indicates the string table, and SYMTAB indicates the symbol table.

EntSize indicates the size of duplicate content if the segment contains duplicate content. For example, the symbol table to be introduced below is composed of repeated content.

When TYPE is RELA, Link indicates that the corresponding symbol table used for this section is in the segment table. In this example, 11 is used. Info indicates the subscript of the segment used by the relocated table in the field table .. Rela. text is 1, and. rela. eh_frame is 8.

9. symtab (symbol table)

Run readelf-s SimpleSection. o to get the following code:

Figure 8

Name indicates the subscript of the string in the string table;

Ndx, SimpleSection. c is ABS, global_uninit_var is COM, which indicates that the variable is strongly referenced or weak referenced. the data segment is not in. in the bss segment, it will be determined when waiting for the link.

Printf is UND, indicating that no external function is defined.

Global_init_var, NDX is 3, indicating in. data, and the rest are similar. The subscript of the segment where the symbol is located in the field table. See figure 7.

Bind GLOBAL indicates that external functions and variables can be referenced or referenced.

TYPE indicates the OBJECT, FUNC indicates the function, SECTION indicates the segment, FILE indicates the FILE, and printf indicates the NOTYPE, indicating that no definition is made, and an external function is referenced.

SIZE indicates the SIZE.

Value indicates the offset in this section. For example, static_var.1594 indicates that the offset in the. data section is 4. The offset of main in the. data Segment is 21.

Finally, we will introduce the command nm SimpleSection. o. The result is as follows:

It can be seen that all functions and variables that can be referenced or referenced by external entities are presented.

T indicates text, D Indicates data, B Indicates bss, C indicates Common, and a indicates Undef.

Non-static local variables in the program are neither in the Data Segment nor in the code segment, and may be in the stack segment.

So far, all segments have been analyzed. This article is based on the self-cultivation of programmers.

A detailed introduction of the linux elf File's source function and other situations. Thank you very much.

Dynamic Links to linux ELF files on intel platforms. First, it is easier to find information in this aspect, and second, it means that this discussion is more important than other dynamic links (after all, it is now the world of intel ). Of course, with such an example, the dynamic links of ELF files on other platforms are similar. After reading this article, you can "give an example, but not a third.
As this is a series of articles, I plan to write it in three parts. The first part mainly analyzes loading and involves the content of the dl_open function, but this function contains too much content. Here, it mainly includes the _ dl_map_object and _ dl_init parts, because the dynamic link file is mapped to the memory space through the information obtained in the ELF File, _ dl_init is a special initialization. This is an implementation of object-oriented functions.

Elf File running in Linux

Chmod 777 wocao
./Wocao
No execution permission