4.2 File Format Analysis

Source: Internet
Author: User


20135206 at Jia Xin


A generic ELF file is organized around three index structures: the ELF header, the program header table, and the section header table.

1) ELF header: located at the beginning of the file, it holds a road map describing the organization of the file.

2) Program header table: tells the system how to create a process image. An object file used to build a process image must have a program header table; relocatable files do not need one.

3) Section header table: contains information describing the sections of the file. Each section has an entry in the table, and each entry gives information such as the section name and section size. Object files used for linking must contain a section header table; other object files may or may not have one.


  1. Analyze the ELF file header (ELF header)

    Compile the program to generate the ELF executable file.

    Use the 'readelf -a elf1' command to get information about the ELF header.

    The ELF header size is 52 bytes. Use the hexdump tool to view the header in hexadecimal.

    hexdump -x elf1 -n 64: view the ELF file header in hexadecimal


    The first four bytes, 7f454c46, are the magic number, indicating that this is an ELF object. The next byte, 01, indicates a 32-bit object; the next byte, 01, indicates little-endian byte order; and the next byte, 01, is the file header version. The remaining bytes default to 0.

    Second line: the e_type value is 0x0002, which indicates an executable file. The e_machine value is 0x0003. The e_version value is 0x00000100, which indicates the current version. The e_entry value is 0x08048330, which is the entry point. The e_phoff value is 0x40, which is the offset of the program header table.

    Third line: the e_shoff value is 0x113c, which is the offset of the section header table. The e_flags value is 0x00000000, which is the processor-specific flags field (no known flags). The e_ehsize value is 0x0034, which is the ELF file header size. e_phentsize is the length of one entry in the program header table, with a value of 0x0020. The e_phnum value is 0x0009, which gives the number of entries in the program header table. The e_shentsize value of 0x0028 indicates a section header size of 52 bytes.

    Fourth line: the e_shnum value is 0x001e, which indicates that there are 30 entries in the section header table. The e_shstrndx value is 0x001b, which is the index in the section header table of the section name string table.


    2. Find the section header table through the file header and understand its contents

    'file elf1' displays the type of the generated object file elf1.

    elf1 is an executable file.

    Enter 'ls -l elf1' to view the size of elf1:

    The elf1 size is 7160 bytes.

    Enter 'hexdump -x elf1' to display the contents of elf1 in hexadecimal.

    Enter 'readelf -a elf1' to view the information for each section:

    From the section header table: the index number of .text is 13.

    Symbol table:


    3. Find sections through the section header table

    Once you have located a section's header in the section header table, you can use that header to find the section itself.

    Use the 'vi /usr/include/elf.h' command to view the structure of the section header:

    Use the readelf command to view the contents of the .text section: enter 'readelf -x 13 elf1' to view the contents of the .text section, whose index number is 13, and output the bytes of ".text" in hexadecimal:

    To read .text with hexdump, first look at the section header: the .text offset and size are 0x330 and 0x19c, respectively. Converting from hexadecimal to decimal gives offset 816 and size 412.

    Enter 'hexdump -s 816 -n 412 -c elf1'.

    Comparing with the readelf output above, we find the results are the same.

    Disassemble the text section (.text) of elf1: objdump -d elf1
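As an added example (not code from the original post), this Python sketch does by hand what steps 1 to 3 do with readelf and hexdump: decode the 52-byte ELF32 header, follow e_shoff and e_shstrndx to the section header table, and return each section's offset and size. Because every header field comes from the file itself, each offset is checked against the file length before it is used. build_sample() and the function names are assumptions of this example; the sample is a constructed stand-in, not elf1.

```python
import struct

EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # Elf32_Ehdr: 52 bytes, little-endian
SHDR = struct.Struct("<10I")               # Elf32_Shdr: 40 bytes
EHDR_FIELDS = ("e_ident e_type e_machine e_version e_entry e_phoff e_shoff "
               "e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum "
               "e_shstrndx").split()
SHT_NOBITS = 8  # sections of this type (.bss) occupy no bytes in the file

def parse_ehdr(data):
    """Decode the ELF header; accept only 32-bit little-endian objects."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF")
    return dict(zip(EHDR_FIELDS, EHDR.unpack_from(data)))

def sections(data):
    """Return {name: (sh_offset, sh_size)}, validating offsets against the file."""
    eh = parse_ehdr(data)
    if eh["e_shentsize"] != SHDR.size or eh["e_shstrndx"] >= eh["e_shnum"]:
        raise ValueError("inconsistent section header fields")
    if eh["e_shoff"] + eh["e_shnum"] * SHDR.size > len(data):
        raise ValueError("section header table extends past end of file")
    hdrs = [SHDR.unpack_from(data, eh["e_shoff"] + i * SHDR.size)
            for i in range(eh["e_shnum"])]
    str_off, str_size = hdrs[eh["e_shstrndx"]][4:6]
    names = data[str_off:str_off + str_size]  # section name string table
    found = {}
    for sh_name, sh_type, _flags, _addr, off, size, *_rest in hdrs:
        if sh_type != SHT_NOBITS and off + size > len(data):
            raise ValueError("section extends past end of file")
        name = names[sh_name:].split(b"\0", 1)[0].decode("ascii", "replace")
        found[name] = (off, size)
    return found

def build_sample():
    """Constructed sample: ELF32 with a null section, .text and .shstrtab."""
    text, shstr = b"\x90\x90\x90\xc3", b"\0.text\0.shstrtab\0"
    text_off = EHDR.size
    str_off = text_off + len(text)
    shoff = str_off + len(shstr)
    ident = b"\x7fELF\x01\x01\x01" + b"\0" * 9
    ehdr = EHDR.pack(ident, 2, 3, 1, 0x08048000 + text_off, 0, shoff, 0,
                     EHDR.size, 32, 0, SHDR.size, 3, 2)
    shdrs = (SHDR.pack(*[0] * 10)
             + SHDR.pack(1, 1, 6, 0x08048000 + text_off, text_off, len(text), 0, 0, 4, 0)
             + SHDR.pack(7, 3, 0, 0, str_off, len(shstr), 0, 0, 1, 0))
    return ehdr + text + shstr + shdrs
```

Calling sections(build_sample())[".text"] gives the same offset and size pair that step 3 reads from the section header and then passes to hexdump with -s and -n.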


    4. Understand the common .text, .strtab, .symtab, .rodata and other sections

    ① The .text section is a collection of executable instructions. Both .data and .text are sections of the PROGBITS type, which hold the program's code and data to be run later. The section header table shows that the offset of the .text section is 0x0000440 and its size is 0x0000192.

    ② The .strtab section, which belongs to the STRTAB type, holds the strings that store the names of symbols. Its offset is 0x0001f08 and its size is 0x0000238.


    ③ The .symtab section, which belongs to the SYMTAB type, stores the symbolic names defined in all sections, such as "Data_items" and "Start_loop". It describes the "memory address" in memory for the symbols in .strtab. Its offset is 0x00018f0 and its size is 0x0000618.


    ④ The .rodata section: "ro" stands for read-only, so this section holds read-only data (const). Its offset is 0x00005e0 and its size is 0x000000c.
