Interpreting ELF files with instances (2)

Bkbll (bkbll@cnhonker.net, kbll@tom.com)
2003/09/09
3. Section
Similarly, we first give the section structure:
typedef struct
{
    Elf32_Word sh_name;      /* Section name (index in section string table) */
    Elf32_Word sh_type;      /* Section type */
    Elf32_Word sh_flags;     /* Section flags */
    Elf32_Addr sh_addr;      /* Section virtual addr at execution */
    Elf32_Off  sh_offset;    /* Section file offset */
    Elf32_Word sh_size;      /* Section size in bytes */
    Elf32_Word sh_link;      /* Link to another section */
    Elf32_Word sh_info;      /* Additional section information */
    Elf32_Word sh_addralign; /* Section alignment */
    Elf32_Word sh_entsize;   /* Entry size if section holds table */
} Elf32_Shdr;

The computed size is sizeof(Elf32_Shdr) = 0x28, which is exactly the e_shentsize value in the ELF header described earlier.
From the e_shoff value in the ELF header we get the position/offset of the first section header in the file, 0x2178.
From e_shnum we know there are 0x22 sections in total. In C, the following can be used:
fseek(fp, 0x2178, SEEK_SET);    /* seek to e_shoff */
fread(buffer, 0x28, 0x22, fp);  /* e_shnum (0x22) entries of e_shentsize (0x28) bytes each */
This reads all the section headers into buffer.
Let's look at what one section header means, using section 4 of the file as the example (note: counting starts from 0). Its offset is 0x2178 + 4*0x28 = 0x2218:
[netconf@linux1 elf]$ hexdump -s 0x2218 -n 40 -C elf8
00002218  37 00 00 00 0b 00 00 00  02 00 00 00 50 81 04 08  |7...........P...|
00002228  50 01 00 00 50 00 00 00  05 00 00 00 01 00 00 00  |P...P...........|
00002238  04 00 00 00 10 00 00 00                           |........|
Where:
sh_name: 4 bytes: 37 00 00 00: the index of the section name in the section string table.
sh_type: 4 bytes: 0b 00 00 00: the type of the section. In elf.h, 0x0b = 11 is defined as: SHT_DYNSYM 11 /* Dynamic linker symbol table */, i.e. a dynamic linking symbol table.
sh_flags: 4 bytes: 02 00 00 00: the flags of the section. 0x02 is an alloc-type section.
sh_addr: 4 bytes: 50 81 04 08: the virtual address of this section at execution, 0x08048150.
sh_offset: 4 bytes: 50 01 00 00: the position/offset of the section content in the file, 0x150.
sh_size: 4 bytes: 50 00 00 00: section size, 0x50.
sh_link: 4 bytes: 01 00 00 00: link to another section.
sh_info: 4 bytes: 04 00 00 00: additional section information.
sh_addralign: 4 bytes: 04 00 00 00: alignment value of the section.
sh_entsize: 4 bytes: 10 00 00 00: if this section holds a table, this value is the size of each entry in the table.

Note: the meaning of sh_link and sh_info depends on sh_type.
sh_type        sh_link                          sh_info
================================================================================
SHT_DYNAMIC    The section header index of      0
               the string table used by
               entries in the section.
SHT_HASH       The section header index of      0
               the symbol table to which
               the hash table applies.
SHT_REL,       The section header index of      The section header index of
SHT_RELA       the associated symbol table.     the section to which the
                                                relocation applies.
SHT_SYMTAB,    The section header index of      One greater than the symbol
SHT_DYNSYM     the associated string table.     table index of the last local
                                                symbol (binding STB_LOCAL).
other          SHN_UNDEF                        0

The section table is the most important part of the ELF file. Basically everything else has to be looked up through it,
for example .dynsym, .symtab, .got, .bss and so on. The symbol tables we discuss later are also located from here.
Now let's look at the e_shstrndx mentioned in the ELF header. This value gives the index of the section string table within the section table, so we can calculate the position of its header:
e_shoff + e_shstrndx * e_shentsize (starting position + index * size of each entry)
= 0x2178 + 31*0x28 = 0x2650
Let's look at the content of this section header:
[netconf@linux1 elf]$ hexdump -s 0x2650 -n 40 -C elf8
00002650  11 00 00 00 03 00 00 00  00 00 00 00 00 00 00 00  |................|
00002660  4a 20 00 00 2b 01 00 00  00 00 00 00 00 00 00 00  |J ..+...........|
00002670  01 00 00 00 00 00 00 00                           |........|
From this we get the following information:
sh_name = 0x11, sh_type = 0x03, sh_offset = 0x204a, sh_size = 0x12b
sh_name is of no use for now.
sh_type: 0x03: SHT_STRTAB 3 /* String table */
OK, we have found the string table. Let's see what is in it:
[netconf@linux1 elf]$ hexdump -s 0x204a -n 299 -C elf8
0000204a  00 2e 73 79 6d 74 61 62  00 2e 73 74 72 74 61 62  |..symtab..strtab|
0000205a  00 2e 73 68 73 74 72 74  61 62 00 2e 69 6e 74 65  |..shstrtab..inte|
0000206a  72 70 00 2e 6e 6f 74 65  2e 41 42 49 2d 74 61 67  |rp..note.ABI-tag|
0000207a  00 2e 68 61 73 68 00 2e  64 79 6e 73 79 6d 00 2e  |..hash..dynsym..|
0000208a  64 79 6e 73 74 72 00 2e  67 6e 75 2e 76 65 72 73  |dynstr..gnu.vers|
0000209a  69 6f 6e 00 2e 67 6e 75  2e 76 65 72 73 69 6f 6e  |ion..gnu.version|
000020aa  5f 72 00 2e 72 65 6c 2e  64 79 6e 00 2e 72 65 6c  |_r..rel.dyn..rel|
000020ba  2e 70 6c 74 00 2e 69 6e  69 74 00 2e 74 65 78 74  |.plt..init..text|
000020ca  00 2e 66 69 6e 69 00 2e  72 6f 64 61 74 61 00 2e  |..fini..rodata..|
000020da  64 61 74 61 00 2e 65 68  5f 66 72 61 6d 65 00 2e  |data..eh_frame..|
000020ea  64 79 6e 61 6d 69 63 00  2e 63 74 6f 72 73 00 2e  |dynamic..ctors..|
000020fa  64 74 6f 72 73 00 2e 6a  63 72 00 2e 67 6f 74 00  |dtors..jcr..got.|
0000210a  2e 62 73 73 00 2e 63 6f  6d 6d 65 6e 74 00 2e 64  |.bss..comment..d|
0000211a  65 62 75 67 5f 61 72 61  6e 67 65 73 00 2e 64 65  |ebug_aranges..de|
0000212a  62 75 67 5f 70 75 62 6e  61 6d 65 73 00 2e 64 65  |bug_pubnames..de|
0000213a  62 75 67 5f 69 6e 66 6f  00 2e 64 65 62 75 67 5f  |bug_info..debug_|
0000214a  61 62 62 72 65 76 00 2e  64 65 62 75 67 5f 6c 69  |abbrev..debug_li|
0000215a  6e 65 00 2e 64 65 62 75  67 5f 66 72 61 6d 65 00  |ne..debug_frame.|
0000216a  2e 64 65 62 75 67 5f 73  74 72 00                 |.debug_str.|

This is what we were looking for. Using its sh_name value, each section can find its own name in this string table.
For example, the sh_name of the first section we examined is 0x37, so its name starts at offset 0x37 in the string table (and ends at the 0x00 byte).
Let's take a look: the string starts at 0x204a + 0x37 = 0x2081.
Read 10 bytes of content first:
[netconf@linux1 elf]$ hexdump -s 0x2081 -n 10 -C elf8
00002081  2e 64 79 6e 73 79 6d 00  2e 64                    |.dynsym..d|
The bytes in front of the 0x00 are ".dynsym". This is the section name we are looking for.
Repeating this process gives the name of every section. Compare with the readelf results:
[netconf@linux1 elf]$ readelf -S elf8
There are 34 section headers, starting at offset 0x2178:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        080480f4 0000f4 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048108 000108 000020 00   A  0   0  4
  [ 3] .hash             HASH            08048128 000128 000028 04   A  4   0  4
  [ 4] .dynsym           DYNSYM          08048150 000150 000050 10   A  5   1  4
  [ 5] .dynstr           STRTAB          080481a0 0001a0 00004c 00   A  0   0  1
  [ 6] .gnu.version      VERSYM          080481ec 0001ec 00000a 02   A  4   0  2
  [ 7] .gnu.version_r    VERNEED         080481f8 0001f8 000020 00   A  5   1  4
  [ 8] .rel.dyn          REL             08048218 000218 000008 08   A  4   0  4
  [ 9] .rel.plt          REL             08048220 000220 000010 08   A  4   b  4
  [10] .init             PROGBITS        08048230 000230 000018 00  AX  0   0  4
  [11] .plt              PROGBITS        08048248 000248 000030 04  AX  0   0  4
  [12] .text             PROGBITS        08048278 000278 000170 00  AX  0   0  4
  [13] .fini             PROGBITS        080483e8 0003e8 00001c 00  AX  0   0  4
  [14] .rodata           PROGBITS        08048404 000404 000050 00   A  0   0  4
  [15] .data             PROGBITS        08049454 000454 00000c 00  WA  0   0  4
  [16] .eh_frame         PROGBITS        08049460 000460 000004 00  WA  0   0  4
  [17] .dynamic          DYNAMIC         08049464 000464 0000c8 08  WA  5   0  4
  [18] .ctors            PROGBITS        0804952c 00052c 000008 00  WA  0   0  4
  [19] .dtors            PROGBITS        08049534 000534 000008 00  WA  0   0  4
  [20] .jcr              PROGBITS        0804953c 00053c 000004 00  WA  0   0  4
  [21] .got              PROGBITS        08049540 000540 000018 04  WA  0   0  4
  [22] .bss              NOBITS          08049558 000558 000004 00  WA  0   0  4
  [23] .comment          PROGBITS        00000000 000558 000132 00      0   0  1
  [24] .debug_aranges    PROGBITS        00000000 000690 000058 00      0   0  8
  [25] .debug_pubnames   PROGBITS        00000000 0006e8 000025 00      0   0  1
  [26] .debug_info       PROGBITS        00000000 00070d 000c85 00      0   0  1
  [27] .debug_abbrev     PROGBITS        00000000 001392 000127 00      0   0  1
  [28] .debug_line       PROGBITS        00000000 0014b9 0001f2 00      0   0  1
  [29] .debug_frame      PROGBITS        00000000 0016ac 000014 00      0   0  4
  [30] .debug_str        PROGBITS        00000000 0016c0 00098a 01  MS  0   0  1
  [31] .shstrtab         STRTAB          00000000 00204a 00012b 00      0   0  1
  [32] .symtab           SYMTAB          00000000 0026c8 0004c0 10     33  37  4
  [33] .strtab           STRTAB          00000000 002b88 0001dd 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
[netconf@linux1 elf]$
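
The lookup walked through in this section (e_shoff, then the section header, then sh_name inside the string table selected by e_shstrndx), as an added C example that is not part of the original article. It does the same offset arithmetic on an in-memory image, but checks every value taken from the file before using it, because e_shoff, e_shnum, e_shstrndx, sh_offset and sh_name in a malformed file can point outside the data. The helper names and the small sample image are constructed for illustration; a little-endian ELF32 layout is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: helper names are hypothetical; assumes little-endian ELF32. */
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Pointer to section header idx, or NULL if the header values point outside the image. */
static const uint8_t *shdr_at(const uint8_t *img, size_t len, uint32_t idx) {
    if (len < 0x34) return NULL;                               /* sizeof(Elf32_Ehdr) */
    uint32_t shoff = rd32(img + 0x20);                         /* e_shoff */
    uint16_t entsz = rd16(img + 0x2e), num = rd16(img + 0x30); /* e_shentsize, e_shnum */
    if (entsz != 0x28 || idx >= num) return NULL;              /* sizeof(Elf32_Shdr) */
    uint64_t off = (uint64_t)shoff + (uint64_t)idx * entsz;
    return off + entsz <= len ? img + off : NULL;
}

/* Resolve a section name through e_shstrndx; NULL on any out-of-range value. */
const char *section_name(const uint8_t *img, size_t len, uint32_t idx) {
    const uint8_t *sh = shdr_at(img, len, idx);
    const uint8_t *st = sh ? shdr_at(img, len, rd16(img + 0x32)) : NULL;
    if (!st || rd32(st + 4) != 3) return NULL;                 /* sh_type must be SHT_STRTAB */
    uint64_t tab = rd32(st + 16), size = rd32(st + 20), name = rd32(sh);
    if (tab + size > len || name >= size) return NULL;         /* sh_offset, sh_size, sh_name */
    if (!memchr(img + tab + name, 0, (size_t)(size - name))) return NULL; /* unterminated name */
    return (const char *)(img + tab + name);
}

/* Constructed sample: ELF header fields, .shstrtab data at 0x34, three headers at 0x50. */
size_t build_sample(uint8_t img[0xc8]) {
    memset(img, 0, 0xc8);
    img[0x20] = 0x50; img[0x2e] = 0x28; img[0x30] = 3; img[0x32] = 2;
    memcpy(img + 0x34, "\0.dynsym\0.shstrtab", 0x13);
    img[0x78] = 1; img[0x7c] = 0x0b;                           /* [1] .dynsym, SHT_DYNSYM */
    img[0xa0] = 9; img[0xa4] = 3;                              /* [2] .shstrtab, SHT_STRTAB */
    img[0xb0] = 0x34; img[0xb4] = 0x13;                        /* its sh_offset, sh_size */
    return 0xc8;
}

int main(void) {
    uint8_t img[0xc8];
    size_t n = build_sample(img);
    for (unsigned i = 0; i < 4; i++) {
        const char *s = section_name(img, n, i);
        printf("[%u] %s\n", i, s ? s : "(rejected)");
    }
    return 0;
}
```
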
4. Symbol
The symbol structure is as follows:
/* Symbol table entry. */

typedef struct
{
    Elf32_Word    st_name;  /* Symbol name (string tbl index) */
    Elf32_Addr    st_value; /* Symbol value */
    Elf32_Word    st_size;  /* Symbol size */
    unsigned char st_info;  /* Symbol type and binding */
    unsigned char st_other; /* Symbol visibility */
    Elf32_Section st_shndx; /* Section index */
} Elf32_Sym;
The symbol structure size is: sizeof(Elf32_Sym) = 0x10.
An ELF file usually contains two symbol tables: one is .dynsym, the other is .symtab. The former lists the symbols (such as functions) that need to be located/loaded when the program is running, and the latter is the list of all symbols in the system.
The position of the table can be read from the section table above: .symtab starts at file offset 0x26c8.
Let's read the 68th structure (0x26c8 + 68*0x10 = 0x2b08):
[netconf@linux1 elf]$ hexdump -s 0x2b08 -n 16 -C ./elf8
00002b08  77 01 00 00 8e 83 04 08  1d 00 00 00 12 00 0c 00  |w...............|
00002b18
Combined with the struct definition, the content and meaning of each field can be worked out.
st_name: 77 01 00 00: offset 0x177 in the symbol string table
st_value: 8e 83 04 08: load address 0x0804838e
st_size: 1d 00 00 00: symbol size
st_shndx: 0c 00: if st_shndx = SHN_UNDEF, the symbol does not belong to any section and has to be resolved later. "When the linker assembles the target file with another file defining the symbol, the reference to the symbol in the file will be linked to the current actual definition" (from alert7)
For example, st_shndx = 12 in the 68th structure indicates that the symbol belongs to section 12. From the earlier list we can see that it is defined in the .text section.
 
