没有合适的资源?快使用搜索试试~ 我知道了~
资源推荐
资源详情
资源评论
Understanding ELF using readelf and objdump
What is ELF? ELF (Executable and Linking Format) is file format that defines how an object file
is composed and organized. With this information, your kernel and the binary loader know how to
load the file, where to look for the code, where to look the initialized data, which shared library
that needs to be loaded and so on.
First of all, you should know about different kind of ELF object:
• Relocatable file: an object file that holds code and data suitable
for linking with other object files to create an executable or a
shared object file. In other word, you can say that relocatable
file is a foundation for creating executables and libraries.
This is kind of file you get if you compile a source code like this:
$ gcc -c test.c
That will produce test.o, which is a relocatable file.
Kernel module (either suffixed with .o or .ko) is also a form of
relocatable file.
• Executable file: object file that holds a program suitable for
execution. Yes, that means, your XMMS mp3 player, your vcd software
player, even your text editor are all ELF executable files.
This is also a familiar file if you compile a program:
$ gcc -o test test.c
After you make sure the executable bit of "test" is enabled, you
can execute it. The question is, what about shell script? Shell
script is NOT ELF executable, but the interpreter IS.
• Shared object file: This file holds code and data suitable for
linking in two contexts:
1. The link editor may process it with other relocatable and
shared object file to create another object file.
2. The dynamic linker combines it with an executable file and
other shared objects to create a process image.
In simple words, these are the files that you usually see with
suffix .so (normally located inside /usr/lib on most Linux
installation).
Is there any other way to detect the ELF type? Yes there is. In every
ELF object, there is a file header that explains what kind file it is.
Assuming you have installed binutils package, you can use readelf to read
this header. For example (command results are shortened to show related
fields only):
$ readelf -h /bin/ls
Type: EXEC (Executable file)
$ readelf -h /usr/lib/crt1.o
Type: REL (Relocatable file)
$ readelf -h /lib/libc-2.3.2.so
Type: DYN (Shared object file)
"File" command works too for object file identification, but I won't
discuss it further. Let's focus on readelf and objdump, since we will
use both of them.
To make us easier to study ELF, you can use the following simple C program:
/* test.c */
#include<stdio.h>
int global_data = 4;
int global_data_2;
int main(int argc, char **argv)
{
int local_data = 3;
printf("Hello World\n");
printf("global_data = %d\n", global_data);
printf("global_data_2 = %d\n", global_data_2);
printf("local_data = %d\n", local_data);
return (0);
}
And compile it:
$ gcc -o test test.c
A. Examining ELF header.
The produced binary will be our examination target. Let's start with the
content of the ELF header:
$ readelf -h test
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x80482c0
Start of program headers: 52 (bytes into file)
Start of section headers: 2060 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 7
Size of section headers: 40 (bytes)
Number of section headers: 28
Section header string table index: 25
What does this header tell us?
• This executable is created for Intel x86 32 bit architecture
("machine" and "class" fields).
• When executed, program will start running from virtual address
0x80482c0 (see entry point address). The "0x" prefix here means
it is a hexadecimal number. This address doesn't point to our
main() procedure, but to a procedure named _start. Never felt you
had created such thing? Of course you don't. _start procedure is
created by the linker whose purpose is to initialize your program.
• This program has a total of 28 sections and 7 segments.
What is section? Section is an area in the object file that contains
information which is useful for linking: program's code, program's data
(variables, array, string), relocation information and other. So, in
each area, several information is grouped and it has a distinct meaning:
code section only hold code, data section only holds initialized or
non-initialized data, etc. Section Header Table (SHT) tells us exactly
剩余13页未读,继续阅读
资源评论
球爸
- 粉丝: 2
- 资源: 14
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
最新资源
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功