ELF (wip)

An elf (PL: elves) is a type of humanoid supernatural being in Germanic folklore….ah I mean ELF the Executable and Linkable Format. The structure: +---------------------+ | ELF Header | +---------------------+ | Prog Header Table | +---------------------+ | LOAD SECTIONS... | +---------------------+ | LOAD SECTIONS... | +---------------------+ | LOAD SECTIONS... | +---------------------+ | Section header Table| +---------------------+ The ELF header is 64 bytes in length for 64 bits programs and 52 for 32 bits. ELF file header $ hexdump -C -n64 /usr/bin/ls # hexdump of first 64 bytes 00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 03 00 3e 00 01 00 00 00 a0 5f 00 00 00 00 00 00 |..>......_......| 00000020 40 00 00 00 00 00 00 00 b8 13 02 00 00 00 00 00 |@...............| 00000030 00 00 00 00 40 00 38 00 0d 00 40 00 1b 00 1a 00 |....@.8...@.....| 00000040 (64b ver.) Bit-offset size Field Purpose ----------------------------------------------------------------- Elf Ident. 0x00 4 MAG The Magic number 0x7F E L F 0x04 1 CLASS Format: 1 - 32bit 2 - 64bit 0x05 1 DATA Endianness: 1 - LE 2 - BE 0x06 1 VERSION Current version of ELF 1 0x07 1 OSABI Target OS ABI (see appendix) 0x08 1 ABIVERSION linux ignores it * 0x09 7 PAD Padding , 0s ----------------------------------------------------------------- 0x10 2 type type of object file REL/EXEC/DYN/etc.. 0x12 2 machine ISA 0x14 4 version 1 ----------------------------------------------------------------- 8/4 bytes 0x18 8(4) entry Entry point 0x20 8(4) phoff offset of program header, usually 64 or 52 0x28 8(4) shoff offset of section header table ------------------------------------------------------------------ 0x30 4 flags Depends on architecture 0x34 2 ehsize size of this header, normally 64 or 52 0x36 2 phentsize size of a program header entry 0x38 2 phnum numbers of program header entries 0x3A 2 shentsize size of section header entry 0x3C 2 shnum humber of section header entries 0x3E 2 shstrndx index of section header table entry that contains the section names 0x40 -----------------END OF ELF FILE HEADER---------------- Program header table (64b ver.) Bit-offset size Field Purpose ----------------------------------------------------------------- 0x00 4 type See appendix 0x04 4 flags 1-X 2-W 4-R 0x08 8 offset offset of the segment in the file 0x10 8 vaddr VA of the segment in memory 0x18 8 paddr PA of segment - where applicable 0x20 8 filesz size of segment in file (bytes) 0x28 8 memsz size of segment in memory (bytes) 0x30 8 align 0 and 1 - no align. Otherwise power of 2 0x38 ------------------------END OF PROGRAM HEADER ----(56)--- Let’s use this example: $ readelf -l /usr/bin/ls Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040 0x00000000000002d8 0x00000000000002d8 R 0x8 INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318 0x000000000000001c 0x000000000000001c R 0x1 [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2] LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000 0x0000000000003638 0x0000000000003638 R 0x1000 ..... $ hexdump -C /usr/bin/ls # Size of program header entry is 0x38 = 56 00000000 | ... | First 64 bytes ELF File header ---------------------------------------------------------- 00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 |........@.......| 00000050 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |@.......@.......| 00000060 d8 02 00 00 00 00 00 00 d8 02 00 00 00 00 00 00 |................| 00000070 08 00 00 00 00 00 00 00 -- -- -- -- -- -- -- -- |........ -split-- -- -- -- -- -- -- -- -- 03 00 00 00 04 00 00 00 ........| 00000080 18 03 00 00 00 00 00 00 18 03 00 00 00 00 00 00 |................| 00000090 18 03 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 |................| 000000a0 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 000000b0 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................| 000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000000d0 38 36 00 00 00 00 00 00 38 36 00 00 00 00 00 00 |86......86......| 000000e0 00 10 00 00 00 00 00 00 01 00 00 00 05 00 00 00 |................| 000000f0 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 |.@.......@......| Note that this thing if little endian. The first program header [40, 4] : Type is 6, this is PHDR [44, 4] : Flags is 4, this is read only [48, 8] : Offset is 0x40, this offset in file, i.e. THIS TABLE [50, 16] : vaddr and paddr, they are the same : 0x40; [60, 8] : filesz == 0x2d8 == 728. Here 728 == phnum * phentsize = 13 * 56. i.e. [68, 8] : memsz == 0x2d8 == filesz, implying there is no BSS in this seg. the size of the program header table. [70, 8] : align = 0x8 , i.e. 2^8 = 256 bytes Appendix EL_OSABI OS -------------------------------------------- 0x00 System V 0x01 HP-UX 0x02 NetBSD 0x03 Linux 0x04 GNU Hurd 0x06 Solaris 0x07 AIX 0x08 IRIX 0x09 FreeBSD 0x0A Tru64 0x0B Novell ModestoA 0x0C OpenBSD 0x0D OpenVMS 0x0E NonStop Kernel 0x0F AROS 0x10 FnixOS 0x11 Nuxi CloudABI 0x12 Stratus Technologies OpenVOS Types of Program Headers: TYPE [0:3] Name Meaning -------------------------------------------- 0x0 NULL program header table unused 0x1 LOAD loadable segment 0x2 DYNAMIC Dyn. linking info 0x3 INTERP interpreter info 0x4 NOTE Aux. info 0x5 SHLIB Reserved 0x6 PHDR Segment containing PH table itself 0x7 TLS Thread-local storage template 0x60000000 LOOS reserved inclusive range OS Specific 0x6FFFFFFF HIOS |_ 0x70000000 LOPROC reserved inclusive range Processor Specific 0x7FFFFFFF HIPROC |_ ABIVERSION: ABIVERSION is ignored for statically-linked executables.