Linux Kernel Analysis Practice Four: ELF File Format Analysis
I. Overview
1. ELF stands for Executable and Linkable Format. ELF files are used to store programs on Linux. There are three main kinds of ELF file (object file):
- Relocatable file: holds code and data suitable for linking with other object files to create an executable file or a shared object file. (On Linux these are object files and static library files, usually with the .o and .a suffixes.)
- Executable file: holds a program to be executed. (e.g. bash, gcc, etc.)
- Shared object file: a shared library. It holds code and data used by both the link editor and the dynamic linker. (On Linux these files have the .so suffix.)
An object file participates in both program linking and program execution:
A generic ELF file is organized around three index structures: the ELF header, the program header table, and the section header table.
- ELF header: located at the beginning of the file, it holds a roadmap describing the organization of the file.
- Program header table: tells the system how to create a process image. An object file used to construct a process image must have a program header table; a relocatable file does not need one.
- Section header table: contains information describing the sections of the file. Every section has an entry in the table, and each entry gives information such as the section name and section size. An object file used for linking must contain a section header table; other object files may or may not have one.
II. Analyzing the ELF file header (ELF header)
- In a terminal, run 'cd /usr/include' to enter the include directory and view the elf.h file. The ELF file header defined there holds the control structure for the entire file.
- Write a small program and compile it to generate an executable file.
Use the 'readelf -a Clare' command to get the ELF header information, such as:
- From this information, the ELF header size is 64 bytes, so the hexdump tool can be used to view the header in hexadecimal.
For example, use the 'hexdump -x hello -n 64' command to view the header of the hello file (the first 64 bytes) in hexadecimal and parse its format.
- The first line corresponds to e_ident[EI_NIDENT]. Its actual content is 7f454c46020101000000000000000000. The first four bytes, 7f454c46 (0x45, 0x4c, 0x46 are the ASCII codes for 'E', 'L', 'F'), are the magic number, indicating that this is an ELF object. The next byte, 02, indicates a 64-bit object; the next byte, 01, indicates little-endian byte order; and the next byte, 01, is the file header version. The remaining bytes default to 0.
- The second line: the e_type value is 0x0002, which indicates an executable file. The e_machine value is 0x003e, which indicates the Advanced Micro Devices x86-64 processor architecture. The e_version value is 0x00000100, which indicates the current version. The e_entry value is 0x004003f0, which is the entry point.
- The third line: the e_phoff value is 0x40, which is the offset of the program header table. The e_shoff value is 0x1278, which is the offset of the section header table.
- The fourth line: the e_flags value is 0x00000000, which indicates an unknown processor-specific flag. The e_ehsize value is 0x0040, which is the ELF file header size (exactly 64 bytes). e_phentsize is the length of one entry in the program header table, with a value of 0x0038. The e_phnum value is 0x0008, which gives the number of entries in the program header table. The e_shentsize value of 0x0040 indicates a section header size of 64 bytes. The e_shnum value is 0x001f, which indicates that there are 31 entries in the section header table. The e_shstrndx value is 0x001c, which is the index in the section header table of the section name string table.
III. Finding the section header table through the file header and understanding its contents
- 'file elf1' displays the type of the generated object file hello
- elf1 is an executable file. Run 'ls -l hello' to see the size of hello:
- The size of hello is 6712 bytes.
Run 'hexdump -x hello' to display the contents of hello in hexadecimal
(where the second column is the offset address in hexadecimal)
- Run 'objdump -x hello' to display information about each section in hello and the symbol table:
- Run 'readelf -a hello' to view the information for each section:
- ELF file header information:
- Section header table:
- Symbol table:
IV. Finding sections through the section header table
An ELF file contains a section header table through which all of the sections can be located. The e_shoff field in the ELF header is the offset of the start of the section header table. Each section has a corresponding section header, so once you have located the section headers in the table, you can use them to find the section you want.
The following uses the executable hello as an example, reading the section that holds the code to illustrate the process of reading a section.
Use the 'vi /usr/include/elf.h' command to view the structure of the section header:
From the analysis above, each section header in the section header table is 64 bytes in size. From the ELF header, the value of e_shoff is 0x1278, which is the offset of the start of the table, and the e_shnum value is 0x001f, which indicates that there are 31 entries in the section header table.
So there are 31 section headers starting at 0x00001278, 64 bytes each. Run 'hexdump elf1' to view them:
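The header walk from sections II and IV, as an added example that is not part of the original write-up: it decodes the 64-byte ELF header and computes where each section header sits, checking every offset against the file size before trusting it. The sample header is constructed from the values quoted above, the function names are hypothetical, and it assumes the 6712-byte size and the header describe the same binary.

```python
import struct

# Elf64_Ehdr from elf.h: 16-byte e_ident followed by 13 little-endian fields.
EHDR_FMT = "<16sHHIQQQIHHHHHH"
FIELDS = ("e_ident e_type e_machine e_version e_entry e_phoff e_shoff e_flags "
          "e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx").split()

def parse_ehdr(data):
    """Decode a 64-bit little-endian ELF header into a dict of its fields."""
    if len(data) < struct.calcsize(EHDR_FMT):
        raise ValueError("truncated ELF header")
    hdr = dict(zip(FIELDS, struct.unpack_from(EHDR_FMT, data)))
    ident = hdr["e_ident"]
    if ident[:4] != b"\x7fELF":
        raise ValueError("bad magic number")
    if ident[4] != 2 or ident[5] != 1:  # EI_CLASS = 64-bit, EI_DATA = little-endian
        raise ValueError("not a 64-bit little-endian ELF object")
    return hdr

def table_end(hdr):
    """Offset one past the last byte of the section header table."""
    return hdr["e_shoff"] + hdr["e_shnum"] * hdr["e_shentsize"]

def section_header_offset(hdr, index, file_size):
    """File offset of section header `index`, refusing entries outside the file."""
    if not 0 <= index < hdr["e_shnum"]:
        raise ValueError("section index out of range")
    off = hdr["e_shoff"] + index * hdr["e_shentsize"]
    if off + hdr["e_shentsize"] > file_size:
        raise ValueError("section header lies outside the file")
    return off

# Constructed sample: a header rebuilt from the values quoted on this page
# (e_version is EV_CURRENT = 1). FILE_SIZE is the 6712 bytes reported by ls,
# assuming the header and the size describe the same binary.
SAMPLE = struct.pack(
    EHDR_FMT, bytes.fromhex("7f454c46020101000000000000000000"),
    0x0002, 0x003E, 1, 0x004003F0, 0x40, 0x1278, 0,
    0x0040, 0x0038, 0x0008, 0x0040, 0x001F, 0x001C)
FILE_SIZE = 6712

if __name__ == "__main__":
    hdr = parse_ehdr(SAMPLE)
    print("section header table: 0x%x .. 0x%x" % (hdr["e_shoff"], table_end(hdr)))
    print("fits in file:", table_end(hdr) <= FILE_SIZE)
    strtab = section_header_offset(hdr, hdr["e_shstrndx"], FILE_SIZE)
    print("header of section name string table at 0x%x" % strtab)
```

With these values the table ends at byte 6712, exactly the reported file size, so a file truncated by even one byte makes the last section header fail the bounds check.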