Linux and security practice 4: ELF file format analysis


I. Overview of the ELF file format

ELF (Executable and Linkable Format) is the format of an object file: it defines what goes into each type of object file and in what layout.

II. Analysis of an ELF file

Take a minimal HelloWorld program as an example; its compiled object file is referred to as obj below.

1. ELF file header

View the ELF file header with the readelf tool: readelf -h obj

The file header structure (Elf64_Ehdr) is defined in /usr/include/elf.h:

The header is 64 bytes in total, 0x40 in hexadecimal. The first 0x40 bytes of the hex dump are the file header (note that multi-byte fields are stored little-endian, so read them in reverse byte order):

(1) Identification (e_ident)

Part 1: four bytes, the magic number 7f 45 4c 46. The last three bytes are the ASCII codes of E, L and F, so this is an ELF object.

Part 2: one byte. 02 means a 64-bit object (ELFCLASS64).

Part 3: one byte. 01 means little-endian byte order (ELFDATA2LSB).

Part 4: one byte. 01 is the file header version (EV_CURRENT).

The remaining bytes of e_ident are padding and default to 0.

(2) Header fields

e_type: two bytes; 01 00 means a relocatable file (ET_REL).

e_machine: two bytes; 3e 00 identifies the processor architecture, INTEL80386.

e_version: four bytes; 01 00 00 00 is the current version (EV_CURRENT).

e_entry: eight bytes; 00 00 00 00 00 00 00 00 means the object file has no entry point.

e_phoff: eight bytes; 00 00 00 00 00 00 00 00 means there is no program header table.

e_shoff: eight bytes; 90 02 00 00 00 00 00 00 means the section header table is at file offset 0x290.

e_flags: four bytes; 00 00 00 00 means no processor-specific flags are set (elf.h: EF_SH_UNKNOWN 0x0).

e_ehsize: two bytes; 40 00 means the ELF file header size is 0x40 (64 bytes).

e_phentsize: two bytes; 00 00, the relocatable file has no program header table.

e_phnum: two bytes; 00 00, the relocatable file has no program header table.

e_shentsize: two bytes; 40 00 means each entry in the section header table is 0x40 (64 bytes).

e_shnum: two bytes; 0d 00 means the section header table has 13 entries, that is, 13 sections.

e_shstrndx: two bytes; 0a 00 is the index of the section name string table (.shstrtab) within the section header table: index 0x0a, or 10.
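As an added example (not code from the original post), the following Python parses a 64-byte ELF header the same way the field walk above does: it unpacks the Elf64_Ehdr fields with struct in little-endian order and rejects the header when the magic, class, encoding or size fields are inconsistent, which is the check any tool should make before trusting offsets taken from an untrusted object. The 64 header bytes are constructed here from the values the page lists (e_type 01 00, e_machine 3e 00, e_shoff 0x290, 13 section header entries, .shstrtab at index 10); the e_type and e_machine names follow the ET_* and EM_* constants in elf.h, where 0x3e is EM_X86_64.

```python
import struct

# Offsets and sizes follow Elf64_Ehdr in /usr/include/elf.h.
EI_NIDENT = 16
ELFMAG = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
EV_CURRENT = 1

# Names from elf.h (subset sufficient for this example).
E_TYPE = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {0: "EM_NONE", 3: "EM_386", 62: "EM_X86_64", 183: "EM_AARCH64"}

# The 48 bytes that follow e_ident, little-endian:
# e_type(2) e_machine(2) e_version(4) e_entry(8) e_phoff(8) e_shoff(8) e_flags(4)
# e_ehsize(2) e_phentsize(2) e_phnum(2) e_shentsize(2) e_shnum(2) e_shstrndx(2)
EHDR_FMT = "<HHIQQQIHHHHHH"
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")


def parse_ehdr(data: bytes) -> dict:
    """Parse and validate a 64-bit little-endian ELF file header."""
    if len(data) < 64:
        raise ValueError("too short for an Elf64_Ehdr")
    ident = data[:EI_NIDENT]
    if ident[:4] != ELFMAG:
        raise ValueError("bad magic: %r" % ident[:4])
    if ident[4] != ELFCLASS64:
        raise ValueError("not ELFCLASS64")
    if ident[5] != ELFDATA2LSB:
        raise ValueError("not little-endian")
    if ident[6] != EV_CURRENT:
        raise ValueError("unknown e_ident version")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, EI_NIDENT)))
    # Consistency checks a loader makes before using any offset from the header.
    if hdr["e_ehsize"] != 64 or hdr["e_version"] != EV_CURRENT:
        raise ValueError("inconsistent e_ehsize or e_version")
    if hdr["e_shnum"] and hdr["e_shentsize"] != 64:
        raise ValueError("unexpected section header entry size")
    if hdr["e_shnum"] and hdr["e_shstrndx"] >= hdr["e_shnum"]:
        raise ValueError("e_shstrndx points outside the section header table")
    hdr["type_name"] = E_TYPE.get(hdr["e_type"], "unknown")
    hdr["machine_name"] = E_MACHINE.get(hdr["e_machine"], "unknown")
    return hdr


def is_valid_ehdr(data: bytes) -> bool:
    """True when parse_ehdr accepts the bytes, False on any validation error."""
    try:
        parse_ehdr(data)
        return True
    except ValueError:
        return False


# Constructed header bytes reproducing the values listed on the page.
SAMPLE_EHDR = bytes.fromhex(
    "7f454c46 02010100 00000000 00000000"      # e_ident: magic, 64-bit, LSB, version 1, pad
    "0100 3e00 01000000"                        # e_type=ET_REL, e_machine=0x3e, e_version=1
    "0000000000000000"                          # e_entry: no entry point
    "0000000000000000"                          # e_phoff: no program header table
    "9002000000000000"                          # e_shoff = 0x290
    "00000000 4000 0000 0000 4000 0d00 0a00"    # e_flags, ehsize=64, phentsize, phnum,
                                                # shentsize=64, shnum=13, shstrndx=10
)

if __name__ == "__main__":
    for key, value in parse_ehdr(SAMPLE_EHDR).items():
        print("%-14s %s" % (key, hex(value) if isinstance(value, int) else value))
```

Reading the header this way mirrors readelf -h; the difference is that the validation errors are explicit, so a truncated or tampered file fails at the header instead of producing a bogus section table offset later.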

2. Locating each section from the file header

View the section header table with the tool: readelf -S obj

(1) Find the section header table

e_shoff in the file header gives the section header table offset 0x290; the table starts at that file address.

Each entry is 0x40 (64 bytes) long, from e_shentsize.

There are 13 entries, from e_shnum.

The section header structure (Elf64_Shdr) is defined in /usr/include/elf.h:

(2) Analysis of one section header

First entry: all zeros; it does not describe any section.

Second entry:

sh_name: four bytes; 20 00 00 00 is the offset of the section name within .shstrtab, which resolves to .text.

sh_type: four bytes; 01 00 00 00 (PROGBITS) means the section holds information defined by the program, whose format and meaning are determined entirely by the program.

sh_flags: eight bytes; 06 00 00 00 00 00 00 00 means Alloc and Execute.

sh_addr: eight bytes; 00 00 00 00 00 00 00 00 is the virtual address of the section in memory. The .o file is not executed directly, so this is all 0.

sh_offset: eight bytes; 40 00 00 00 00 00 00 00 is the offset of the section from the start of the file.

sh_size: eight bytes; 11 00 00 00 00 00 00 00 is the size the section occupies in the file.

sh_link: four bytes; 00 00 00 00 means no link information.

sh_info: four bytes; 00 00 00 00 means no auxiliary information.

sh_addralign: eight bytes; 01 00 00 00 00 00 00 00 is the byte alignment.

sh_entsize: eight bytes; 00 00 00 00 00 00 00 00 means the section has no fixed-size entries.

(3) All section headers
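As an added example (not the page's own code), this Python decodes one 64-byte section header the way the walk through the second entry above does: it unpacks the Elf64_Shdr fields, names the type and flags from the SHT_* and SHF_* constants in elf.h, resolves sh_name through .shstrtab, and checks that a section which occupies file bytes actually fits inside the file, the sanity check a tool should make before reading section contents from an untrusted object. The header bytes are built from the page's second entry (.text: PROGBITS, Alloc and Execute, offset 0x40, size 0x11); the .shstrtab contents and the file size are constructed assumptions, laid out so that offset 0x20 lands on the .text suffix of .rela.text.

```python
import struct

# Elf64_Shdr layout from /usr/include/elf.h, little-endian, 64 bytes:
# sh_name(4) sh_type(4) sh_flags(8) sh_addr(8) sh_offset(8) sh_size(8)
# sh_link(4) sh_info(4) sh_addralign(8) sh_entsize(8)
SHDR_FMT = "<IIQQQQIIQQ"
SHDR_FIELDS = ("sh_name", "sh_type", "sh_flags", "sh_addr", "sh_offset", "sh_size",
               "sh_link", "sh_info", "sh_addralign", "sh_entsize")
SHT_NOBITS = 8
SH_TYPE = {0: "NULL", 1: "PROGBITS", 2: "SYMTAB", 3: "STRTAB", 4: "RELA", 8: "NOBITS"}
SH_FLAGS = [(0x1, "WRITE"), (0x2, "ALLOC"), (0x4, "EXECINSTR"),
            (0x10, "MERGE"), (0x20, "STRINGS"), (0x40, "INFO_LINK")]


def cstr_at(table: bytes, offset: int) -> str:
    """Read the NUL-terminated string starting at offset in a string table."""
    if offset >= len(table):
        raise ValueError("string offset %#x outside table" % offset)
    end = table.find(b"\0", offset)
    if end < 0:
        raise ValueError("unterminated string in table")
    return table[offset:end].decode("ascii")


def parse_shdr(entry: bytes, shstrtab: bytes, file_size: int) -> dict:
    """Decode one section header entry and resolve its name and attributes."""
    if len(entry) != struct.calcsize(SHDR_FMT):
        raise ValueError("section header entry must be 64 bytes")
    sh = dict(zip(SHDR_FIELDS, struct.unpack(SHDR_FMT, entry)))
    sh["name"] = cstr_at(shstrtab, sh["sh_name"])
    sh["type_name"] = SH_TYPE.get(sh["sh_type"], "unknown(%#x)" % sh["sh_type"])
    sh["flag_names"] = [name for bit, name in SH_FLAGS if sh["sh_flags"] & bit]
    # NOBITS (.bss) occupies no file bytes; every other section must lie inside the file.
    if sh["sh_type"] != SHT_NOBITS and sh["sh_offset"] + sh["sh_size"] > file_size:
        raise ValueError("section %s runs past the end of the file" % sh["name"])
    return sh


def shdr_ok(entry: bytes, shstrtab: bytes, file_size: int) -> bool:
    """True when the entry parses cleanly, False on any validation error."""
    try:
        parse_shdr(entry, shstrtab, file_size)
        return True
    except ValueError:
        return False


# Constructed .shstrtab (assumption): ".text" is the suffix of ".rela.text" at offset 0x20,
# the same sh_name value the page reads from the second entry.
SHSTRTAB = b"\0.symtab\0.strtab\0.shstrtab\0.rela.text\0.data\0.bss\0"

# Second section header from the page: .text, PROGBITS, ALLOC|EXECINSTR, offset 0x40, size 0x11.
TEXT_SHDR = struct.pack(SHDR_FMT, 0x20, 1, 0x6, 0, 0x40, 0x11, 0, 0, 1, 0)

# Smallest file size (assumption) that holds the page's layout:
# section header table at 0x290 with 13 entries of 64 bytes.
FILE_SIZE = 0x290 + 13 * 64

if __name__ == "__main__":
    sh = parse_shdr(TEXT_SHDR, SHSTRTAB, FILE_SIZE)
    print("%-10s %-9s %-20s off=%#x size=%#x" % (sh["name"], sh["type_name"],
                                                 "+".join(sh["flag_names"]),
                                                 sh["sh_offset"], sh["sh_size"]))
```

The bounds check matters because sh_offset and sh_size are trusted by many tools as read: an entry claiming a section of size 0x11 at offset 0x40 is only meaningful if the file is at least 0x51 bytes long.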

Section 3: name .rela.text, type RELA, flags Info, file offset 0x1e0, size 0x30.

Section 4: name .data, type PROGBITS, flags Write, Alloc, file offset 0x51, size 0.

Section 5: name .bss, type NOBITS, flags Write, Alloc, file offset 0x51, size 0.

Section 6: name .rodata, type PROGBITS, flags Alloc, file offset 0x51, size 0x0b.

Section 7: name .comment, type PROGBITS, flags Merge, Strings, file offset 0x5c, size 0x26.

Section 8: name .note.GNU-stack, type PROGBITS, flags None, file offset 0x82, size 0.

Section 9: name .eh_frame, type PROGBITS, flags Alloc, file offset 0x88, size 0x38.

Section 10: name .rela.eh_frame, type RELA, flags Info, file offset 0x210, size 0x18.

Section 11: name .shstrtab, type STRTAB, flags None, file offset 0x228, size 0x61.

Section 12: name .symtab, type STRTAB, flags None, file offset 0xc0, size 0x0108.

Section 13: name .strtab, type STRTAB, flags None, file offset 0x1c8, size 0x11.

III. Understanding the common sections

1. .text section: the executable instructions of the program

With the information above, the .text section is found at file offset 0x40 with size 0x11:

The program can be inspected by disassembling this section:

2. .rodata: read-only data (RO stands for Read Only)

From offset 0x51, the .rodata section of size 0x0b:

Translating the bytes with the ASCII table gives the string from the .c file: Hello 5309.

3. .comment: stores compiler version information

From offset 0x5c, the .comment section of size 0x26:

4. .symtab: holds the symbol names defined in all sections, typically variables and functions; .shstrtab and .symtab often refer to strings in .strtab

From offset 0xc0, the .symtab section of size 0x0108:

5. .strtab: the string table used by the section table

From offset 0x1c8, the .strtab section of size 0x11:

The data is separated by 0 bytes into three parts; translated with the ASCII table:

6c 2e 63: ELF.C

6d 6e: main

73: puts
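Continuing the .symtab and .strtab description above, here is an added Python example (not from the original page) that parses a symbol table: each Elf64_Sym entry is 24 bytes, st_info packs the binding in its high nibble and the type in its low nibble, and st_name is an offset into .strtab, where names are separated by 0 bytes exactly as shown above. The symbol table and string table are constructed for the example: they contain main and puts as on the page, while the source file name hello.c and the entry values are assumptions. puts carries st_shndx SHN_UNDEF, which is how an object records a symbol it imports rather than defines.

```python
import struct

# Elf64_Sym layout from /usr/include/elf.h, little-endian:
# st_name(4) st_info(1) st_other(1) st_shndx(2) st_value(8) st_size(8) = 24 bytes
SYM_FMT = "<IBBHQQ"
SYM_SIZE = struct.calcsize(SYM_FMT)
SHN_UNDEF = 0
SHN_ABS = 0xFFF1
STB = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}
STT = {0: "NOTYPE", 1: "OBJECT", 2: "FUNC", 3: "SECTION", 4: "FILE"}


def cstr_at(table: bytes, offset: int) -> str:
    """Read the NUL-terminated string starting at offset in a string table."""
    if offset >= len(table):
        raise ValueError("string offset %#x outside table" % offset)
    end = table.find(b"\0", offset)
    if end < 0:
        raise ValueError("unterminated string in table")
    return table[offset:end].decode("ascii")


def parse_symtab(symtab: bytes, strtab: bytes) -> list:
    """Decode every Elf64_Sym in symtab, resolving names through strtab."""
    if len(symtab) % SYM_SIZE:
        raise ValueError("symtab size is not a multiple of %d" % SYM_SIZE)
    syms = []
    for off in range(0, len(symtab), SYM_SIZE):
        st_name, st_info, st_other, st_shndx, st_value, st_size = \
            struct.unpack_from(SYM_FMT, symtab, off)
        syms.append({
            "name": cstr_at(strtab, st_name),
            "bind": STB.get(st_info >> 4, "unknown"),
            "type": STT.get(st_info & 0xF, "unknown"),
            "shndx": st_shndx,
            "value": st_value,
            "size": st_size,
            # Entry 0 is the reserved null symbol; any other SHN_UNDEF entry is imported.
            "undefined": off > 0 and st_shndx == SHN_UNDEF,
        })
    return syms


def undefined_symbols(syms: list) -> list:
    """Names the object needs from elsewhere, i.e. what the linker must resolve."""
    return [s["name"] for s in syms if s["undefined"]]


# Constructed sample tables (not the page's dump). String offsets: hello.c=1, main=9, puts=14.
STRTAB = b"\0hello.c\0main\0puts\0"
SYMTAB = b"".join(struct.pack(SYM_FMT, *fields) for fields in [
    (0, 0, 0, SHN_UNDEF, 0, 0),              # null symbol
    (1, (0 << 4) | 4, 0, SHN_ABS, 0, 0),     # LOCAL FILE hello.c
    (0, (0 << 4) | 3, 0, 1, 0, 0),           # LOCAL SECTION symbol for section 1 (.text)
    (9, (1 << 4) | 2, 0, 1, 0, 0x11),        # GLOBAL FUNC main in .text, size 0x11
    (14, (1 << 4) | 0, 0, SHN_UNDEF, 0, 0),  # GLOBAL NOTYPE puts, undefined (imported)
])

if __name__ == "__main__":
    syms = parse_symtab(SYMTAB, STRTAB)
    for s in syms:
        print("%-8s %-6s %-7s shndx=%-5d size=%#x" % (s["name"] or "(none)",
                                                     s["bind"], s["type"],
                                                     s["shndx"], s["size"]))
    print("undefined:", undefined_symbols(syms))
```

The output corresponds to readelf -s: the undefined entries are the object's external dependencies, which is why a symbol table listing is a quick way to see what library calls a stripped-down object still makes.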
