ELF (wip)

An elf (PL: elves) is a type of humanoid supernatural being in Germanic folklore….ah I mean ELF the Executable and Linkable Format.

The structure:

+---------------------+
|   ELF  Header       |
+---------------------+
|   Prog Header Table |
+---------------------+
|   LOAD SECTIONS...  |
+---------------------+
|   LOAD SECTIONS...  |
+---------------------+
|   LOAD SECTIONS...  |
+---------------------+
| Section header Table|
+---------------------+

The ELF header is 64 bytes in length for 64 bits programs and 52 for 32 bits.

ELF file header

$ hexdump -C -n64 /usr/bin/ls
# hexdump of first 64 bytes

00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  03 00 3e 00 01 00 00 00  a0 5f 00 00 00 00 00 00  |..>......_......|
00000020  40 00 00 00 00 00 00 00  b8 13 02 00 00 00 00 00  |@...............|
00000030  00 00 00 00 40 00 38 00  0d 00 40 00 1b 00 1a 00  |....@.8...@.....|
00000040

(64b ver.)
Bit-offset  size Field          Purpose
----------------------------------------------------------------- Elf Ident.
0x00        4    MAG            The Magic number 0x7F E L F
0x04        1    CLASS          Format:     1 - 32bit   2 - 64bit
0x05        1    DATA           Endianness: 1 - LE      2 - BE
0x06        1    VERSION        Current version of ELF  1
0x07        1    OSABI          Target OS ABI (see appendix)
0x08        1    ABIVERSION     linux ignores it *
0x09        7    PAD            Padding , 0s
----------------------------------------------------------------- 
0x10        2    type           type of object file REL/EXEC/DYN/etc..
0x12        2    machine        ISA
0x14        4    version        1
----------------------------------------------------------------- 8/4 bytes
0x18        8(4) entry          Entry point 
0x20        8(4) phoff          offset of program header, usually 64 or 52
0x28        8(4) shoff          offset of section header table
------------------------------------------------------------------
0x30        4    flags          Depends on architecture
0x34        2    ehsize         size of this header, normally 64 or 52
0x36        2    phentsize      size of a program header entry
0x38        2    phnum          numbers of program header entries
0x3A        2    shentsize      size of section header entry
0x3C        2    shnum          humber of section header entries
0x3E        2    shstrndx       index of section header table entry
                                that contains the section names
0x40        -----------------END OF ELF FILE HEADER----------------

Program header table



(64b ver.)
Bit-offset  size Field          Purpose
-----------------------------------------------------------------
0x00        4    type           See appendix
0x04        4    flags          1-X 2-W 4-R
0x08        8    offset         offset of the segment in the file
0x10        8    vaddr          VA of the segment in memory
0x18        8    paddr          PA of segment - where applicable
0x20        8    filesz         size of segment in file   (bytes)
0x28        8    memsz          size of segment in memory (bytes)
0x30        8    align          0 and 1 - no align. Otherwise power of 2
0x38    ------------------------END OF PROGRAM HEADER ----(56)---

Let’s use this example:

$ readelf -l /usr/bin/ls

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x00000000000002d8 0x00000000000002d8  R      0x8
  INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
                 0x000000000000001c 0x000000000000001c  R      0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000003638 0x0000000000003638  R      0x1000
  .....


$ hexdump -C /usr/bin/ls
# Size of program header entry is 0x38 = 56

00000000  |
...       | First 64 bytes ELF File header 
----------------------------------------------------------
00000040  06 00 00 00 04 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000050  40 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |@.......@.......|
00000060  d8 02 00 00 00 00 00 00  d8 02 00 00 00 00 00 00  |................|
00000070  08 00 00 00 00 00 00 00  -- -- -- -- -- -- -- --  |........ 
-split--  -- -- -- -- -- -- -- --  03 00 00 00 04 00 00 00           ........|
00000080  18 03 00 00 00 00 00 00  18 03 00 00 00 00 00 00  |................|
00000090  18 03 00 00 00 00 00 00  1c 00 00 00 00 00 00 00  |................|
000000a0  1c 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

000000b0  01 00 00 00 04 00 00 00  00 00 00 00 00 00 00 00  |................|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000d0  38 36 00 00 00 00 00 00  38 36 00 00 00 00 00 00  |86......86......|
000000e0  00 10 00 00 00 00 00 00  01 00 00 00 05 00 00 00  |................|
000000f0  00 40 00 00 00 00 00 00  00 40 00 00 00 00 00 00  |.@.......@......|

Note that this thing if little endian. The first program header

  • [40, 4] : Type is 6, this is PHDR
  • [44, 4] : Flags is 4, this is read only
  • [48, 8] : Offset is 0x40, this offset in file, i.e. THIS TABLE
  • [50, 16] : vaddr and paddr, they are the same : 0x40;
  • [60, 8] : filesz == 0x2d8 == 728. Here 728 == phnum * phentsize = 13 * 56. i.e.
  • [68, 8] : memsz == 0x2d8 == filesz, implying there is no BSS in this seg. the size of the program header table.
  • [70, 8] : align = 0x8 , i.e. 2^8 = 256 bytes

Appendix

EL_OSABI        OS
--------------------------------------------
0x00            System V
0x01            HP-UX
0x02            NetBSD
0x03            Linux
0x04            GNU Hurd
0x06            Solaris
0x07            AIX
0x08            IRIX
0x09            FreeBSD
0x0A            Tru64
0x0B            Novell ModestoA
0x0C            OpenBSD
0x0D            OpenVMS
0x0E            NonStop Kernel
0x0F            AROS
0x10            FnixOS
0x11            Nuxi CloudABI
0x12            Stratus Technologies OpenVOS

Types of Program Headers:

TYPE [0:3]      Name        Meaning
--------------------------------------------
0x0             NULL        program header table unused
0x1             LOAD        loadable segment
0x2             DYNAMIC     Dyn. linking info
0x3             INTERP      interpreter info
0x4             NOTE        Aux. info
0x5             SHLIB       Reserved
0x6             PHDR        Segment containing PH table itself
0x7             TLS         Thread-local storage template
0x60000000      LOOS        reserved inclusive range OS Specific
0x6FFFFFFF      HIOS         |_
0x70000000      LOPROC      reserved inclusive range Processor Specific
0x7FFFFFFF      HIPROC       |_

ABIVERSION: ABIVERSION is ignored for statically-linked executables.

Oct 10, 2023






Fun with Image Maps and SVGs via benji February 20, 2024

Over the past few weeks I've been playing around with making some images on my website interactive. My "informatics" class in high school taught us some basic HTML. By basic I mean in notepad and writing everything by hand, saving to a...

Goblin Week 2024 via Helvetica Blanc January 26, 2024

It snuck up on me, but I managed to draw my little goblins to celebrate the week! I love my children - they're like awful Pikmin. I've uploaded the whole parade as a print, as well as individual prints for each goblin. There's something very fu…

How to trust gpg keys via Travis Shears Personal Site October 27, 2023

After moving some GPG keys to a new computer I kept getting these trust warnings. It is NOT certain that the key belongs to the person named in the user ID.If you * really * know what you are doing, you may answer the next question with yes. Use this key a…

Generated by openring from webring