ELF File Format Analysis
Basic Knowledge:
1. Three types of ELF files:
- Relocatable:
  Created by the compiler and assembler
  Needs to be processed by the linker before it can run
- Executable:
  All relocation and symbol resolution is completed,
  except for shared library symbols, which are resolved at run time
- Shared library:
  Symbol information required by the linker
  Code that can be executed directly at run time
2. Two views of an ELF file:
3. Structure of a relocatable object file:
  ELF header
  .text
  .rodata
  .data
  .bss
  .sym
  .rel.text
  .rel.data
  .line
  .debug
  .strtab
  Section header table
Analysis Process:
Write a simple program and compile it to generate some ELF files:
Type hexdump -x hello in the terminal and you will see a large amount of hexadecimal output.
The data is shown in hexadecimal (because the -x option is used), and the first column is the offset.
Use the following command to display information about each section in hello: objdump -x hello
The output results are as follows:
You can also use the following command to view individual section information:
readelf -a hello
The contents of the hello file are analyzed below.
File header analysis:
The first is the ELF file header, which is defined in /usr/include/elf.h; on a 64-bit system the definition consists of two parts:
2. Section header
typedef struct
{
  Elf32_Word sh_name;       /* Section name (string tbl index) */
  Elf32_Word sh_type;       /* Section type */
  Elf32_Word sh_flags;      /* Section flags */
  Elf32_Addr sh_addr;       /* Section virtual addr at execution */
  Elf32_Off  sh_offset;     /* Section file offset */
  Elf32_Word sh_size;       /* Section size in bytes */
  Elf32_Word sh_link;       /* Link to another section */
  Elf32_Word sh_info;       /* Additional section information */
  Elf32_Word sh_addralign;  /* Section alignment */
  Elf32_Word sh_entsize;    /* Entry size if section holds table */
} Elf32_Shdr;
typedef struct
{
  Elf64_Word  sh_name;      /* Section name (string tbl index) */
  Elf64_Word  sh_type;      /* Section type */
  Elf64_Xword sh_flags;     /* Section flags */
  Elf64_Addr  sh_addr;      /* Section virtual addr at execution */
  Elf64_Off   sh_offset;    /* Section file offset */
  Elf64_Xword sh_size;      /* Section size in bytes */
  Elf64_Word  sh_link;      /* Link to another section */
  Elf64_Word  sh_info;      /* Additional section information */
  Elf64_Xword sh_addralign; /* Section alignment */
  Elf64_Xword sh_entsize;   /* Entry size if section holds table */
} Elf64_Shdr;
Second line: e_type (two bytes) has the value 0x0002, which indicates an executable file.
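The header fields above can be read and sanity-checked directly from the file bytes. The following is an added example, not code from the original page: it reads e_type at offset 0x10 and goes one step further than the text by checking that the section header table described by e_shoff, e_shentsize and e_shnum lies inside the file, which a parser should confirm before trusting any Elf64_Shdr entry. The names elf64_check and make_sample and the 128-byte sample are constructed for illustration; the offsets assume a 64-bit little-endian ELF file.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian field readers, so the code does not depend on host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint64_t rd64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = v << 8 | p[i];
    return v;
}

/* Validate an ELF64 little-endian header and its section header table bounds.
 * Returns 0 and fills *type / *shnum on success, a negative code otherwise. */
int elf64_check(const uint8_t *buf, size_t len, uint16_t *type, uint16_t *shnum) {
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1; /* no ELF header */
    if (buf[4] != 2 || buf[5] != 1) return -2;       /* not ELFCLASS64 / ELFDATA2LSB */
    uint64_t shoff  = rd64(buf + 0x28);              /* e_shoff */
    uint16_t entsz  = rd16(buf + 0x3A);              /* e_shentsize */
    uint16_t num    = rd16(buf + 0x3C);              /* e_shnum */
    uint16_t strndx = rd16(buf + 0x3E);              /* e_shstrndx */
    if (num != 0) {
        if (entsz != 64) return -3;                  /* sizeof(Elf64_Shdr) */
        /* table must lie inside the file; written to avoid integer overflow */
        if (shoff > len || (uint64_t)num * entsz > len - shoff) return -4;
        if (strndx >= num) return -5;                /* name table index out of range */
    }
    *type  = rd16(buf + 0x10);                       /* e_type: second hexdump line */
    *shnum = num;
    return 0;
}

/* Constructed sample: a 64-byte ELF64 header followed by one all-zero
 * (SHT_NULL) section header, 128 bytes total. Not a real program. */
size_t make_sample(uint8_t buf[128]) {
    memset(buf, 0, 128);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;  /* ELFCLASS64, ELFDATA2LSB, EV_CURRENT */
    buf[0x10] = 2;                       /* e_type = ET_EXEC (0x0002) */
    buf[0x28] = 64;                      /* e_shoff: table follows the header */
    buf[0x3A] = 64;                      /* e_shentsize */
    buf[0x3C] = 1;                       /* e_shnum */
    return 128;
}

int main(void) {
    uint8_t buf[128]; uint16_t type, shnum;
    size_t len = make_sample(buf);
    return elf64_check(buf, len, &type, &shnum) == 0 && type == 2 ? 0 : 1;
}
```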