Linux kernel analysis--elf file format analysis

The elf file (target file) format is mainly three kinds:

1) can redirect files : The file holds the code and the appropriate data, which is used to create an executable file or a shared target file together with other target files. (The target file or the static library file, which is usually a file with a. A and. o suffix of Linux)

2) executable file : The file holds a program to execute. (e.g. BASH,GCC, etc.)

3) share the destination file : Shared library. The file holds the code and the appropriate data, which is used by the connection editor and the dynamic linker link. (Linux is suffixed with. so files.) ）

A generic ELF file consists of three index tables:

1 ELF Header: At the beginning of the file, a roadmap was saved, describing the organization of the file.

2 Program Header table: Tells the system how to create a process image. The target file used to construct the process image must have the Program Header table, which is not required to relocate the file.

3 Section Header Table : Contains information describing the sections of a file, each of which has an entry in the table, each giving information such as section name, section size. The destination file used for the link must contain the section Header table, and the other destination files may or may not have this table.

1. Analysis Elf file header (elf header)

Enter terminal input: cd/usr/include/elf.h, view elf's file header contains the entire file control structure

By the way, choose a simple code example:

Run the compilation to generate the elf executable file.

Use the ' readelf ' command to get information about the following Elf header files, such as:

With the information, you can draw the Elf header size of 64bytes, so you can use the Hexdump tool to open the 16 tab of the header file.

For example, use the: ' Hexdump–x elf1–n 64 ' command to view the elf file header 16-in-A-tab (top 64bytes) to analyze the format.

First line, corresponding to E_ident[ei_nident]. The actual representation of the content is 7f454c46020101000000000000000000, the first four bytes 7f454c46 (0x45,0x4c,46 is ' e ', ' l ', ' f ' corresponding to the ASCII encoding) is a magic number, indicating that this is an Elf object.

The next byte 02 represents a 64-bit object, and the next byte 01 represents the small-end method, and the next byte 01 represents the file header version. The remaining defaults are set to 0.

The second line, the E_type value is 0x0002, represents an executable file. The E_machine value is 0x003e, which represents the advanced Micro Devices x86-64 processor architecture. The E_version value is 0x00000100, which indicates the current version. The e_entry value is 0x 004003f0, which indicates the entry point (which is used below).

The third row , thee_phoff value is 0x40, represents the program Header table. The E_shoff value is 0x1290, which represents the offset address of the segment table.

Row four, the E_flags value is 0x00000000, which indicates an unknown processor-specific flag. The E_ehsize value is 0x0040, which indicates the elf file header size (exactly 64 bytes). E_phentsize represents the length of the entry in a Program Header table with a value of 0x0038. The value of E_phnum is 0x0008, which gives the number of entries in the Program Header table. A e_shentsize value of 0x0040 indicates a segment header size of 64 bytes. The E_shnum value is 0x001f, which indicates that there are 31 entries in the Segment table. The E_shstrndx value is 0x001c, which represents the index number in the segment table of the segment name string table.

2 , find the section Header table through the file header and understand its contents

Input: Hexdump–x elf1 to display the contents of Elf1 with a 16-digit number

(where the Red second column is the offset address of the 16 binary representation)

Input: Objdump–x elf1 to display information about each segment and symbol table in Elf1:

Input: Readelf–a elf1 to view individual segment information:

ELF file header information:

paragraph table Section Header Table :

The index value of . Text is.

symbol Table Symbol Table :

3 , find sections by section Header table

In an elf file there is a section Header table, through which we can navigate to all the sections, and the E_shoff variable in the ELF header is the offset of the Header table entry for the section header. Each section corresponds to a section header, so as soon as you find each sectionheader in the sections Header table, you can find the section you want through the sections header.

The following is an example of the executable file Elf1, which holds the section of the code snippet as an example of the process of reading one of the sections.

Use the ' vi/usr/include/elf.h ' command to view the structure of the sections header:

From the above analysis, each section header in section headers table occupies a size of 64 bytes, ELF header Gets the value of the E_shoff variable is 0x1170, that is, the table inlet offset, by looking at E_ The Shnum value is 0x001e, which indicates that there are 30 entries in the Segment table.

So there are 30 segments starting from 0x00001170, 64 bytes per segment, input hexdump elf1 view:

The first segment, where the content is all 0, does not represent any segment.

The second segment, for. Interp segment, segment offset Sh_offset to 0x200, segment size sh_size to 0x1c

The third segment, for. Note.abi-tag segment, segment offset Sh_offset is 0X 21c, segment size sh_size to 0x20.

Fourth paragraph, for. Note.gnu.build-i segment, segment offset sh_offset to 0x23c (Red line), segment size sh_size to 0X 24 (blue Line).

Fifth paragraph, for. Gnu.hash segment, segment offset Sh_offset to 0X 260, segment size Sh_size 0X 1c

...... The middle segment is omitted ...

14th paragraph, for. Text segment, segment offset Sh_offset to 0X 3f0, segment size sh_size 0X 182

Let's take a look at the readelf–s elf1 command to see all the section headers that are stored in the sections table of Elf1.

We use the readelf command to view the contents of the. Text section,

Enter Readelf–x elf1 to view the contents of the section of the. Text of the 14 index number:

The following is a Hexdump method to read the contents of this section, by looking at section header. Text in the offset and size are 0x3f0 and 0x182, respectively, by 16 binary to the 10 binary to get offset:1008 and size:386.

Input Hexdump–s 1008–n 386–c Elf1

Got the same as the above readelf.

Use the following command to disassemble the text segment (. Text) of Elf1:

Objdump–d Elf1 Get as:

As you can see, the 16 binary data used with disassembly is the same as the one previously found.

We can use the same method to view other sections,. Data data segment. BBS stack segment (holds data that is not initialized). symtab (symbol table) segment.

① View the section of the. Data Data segment

Relatively simple, use Readelf–x 24 (index number) elf1 (file name) to view

Analysis of other segments of the table

4 , understanding Common. Text. Strtab. Symtab. Rodata and other sections

The ①.text section is a collection of executable instructions, both. Data and. Text are sections of the Progbits type, which is the program and code to run in the future. The query segment table indicates that the bit offset of the text section is 0x0000440,size to 0x0000192.

The ②.strtab section, which belongs to the Strtab type, can be seen in a file with a string that stores the name of the symbol. The bit offset is 0x0001f08,size to 0x0000238.

The ③.symtab section stores the symbolic names defined in all sections, such as "Data_items", "Start_loop", and "Symtab" section, which is part of the Symtab type. It describes the "memory address" in "memory" for the symbols in. Strtab. The bit offset is 0x00018f0,size to 0x0000618.

④.rodata Section,ro represents readonly, which is read-only data (const). The bit offset is 0x00005e0,size to 0x000000c.

Linux kernel analysis--elf file format analysis