ELF Parse

To see the information of the ELF header:

$ readelf -h a.out

ELF Header:

Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x400440
Start of program headers: 64 (bytes into file)
Start of section headers: 4512 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 30
Section header string table index: 27

Let’s go through each field:

  • Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00

  • Type: identifies the object file type.

    • 0: no file type
    • 1: relocatable file
    • 2: executable file
    • 3: shared object file
    • 4: core file
  • Machine: Specifies the required architecture for an ELF file, e.g.
    x86_64, MIPS, SPARC, etc.

  • Version: Specifies the version number of the current object file.

  • Entry point address: Specifies the memory address of the very first
    code to be executed. The address of the main function is the default in
    a normal application program, but it can be any function, chosen by explicitly specifying the function name to gcc.

  • Start of program headers: The offset of the program header table, in
    bytes. In the example, this number is 64 bytes, which means the 65th
    byte, or start address + 64, is the start address of the program
    header table. That is, if a program is loaded at address 0x10000 in memory, then the start address is 0x10000 (the very first byte of the Magic field,
    where the value 0x7f resides) and the start address of the program header
    table is 0x10000 + 0x40 = 0x10040.

  • Start of section headers: The offset of the section header table in bytes, similar to the start of program headers. In the example, it is 6648 bytes into the file.

  • Flags: Holds processor-specific flags associated with the file. When the
    program is loaded on an x86 machine, the EFLAGS register is set according
    to this value. In the example, the value is 0x0, which means the EFLAGS
    register is in a clear state.

  • Size of this header: Specifies the total size of the ELF header in bytes. In the example, it is 64 bytes, which is equivalent to Start of program headers. Note that these two numbers are not necessarily equivalent,
    as the program header table might be placed far away from the ELF header.
    The only fixed component in the ELF executable binary is the ELF
    header, which appears at the very beginning of the file.

  • Size of program headers: Specifies the size of each program header
    in bytes. In the example, it is 64 bytes.

  • Number of program headers: Specifies the total number of program
    headers. In the example, the file has a total of 9 program headers.

  • Size of section headers: Specifies the size of each section header in
    bytes. In the example, it is 64 bytes.

  • Number of section headers: Specifies the total number of section headers. In the example, the file has a total of 31 section headers. In a section header table, the first entry in the table is always an empty section.

  • Section header string table index: Specifies the index of the header
    in the section header table that points to the section that holds all null-terminated strings.
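
The fields above occupy the first 64 bytes of an ELF64 file, so they can be decoded directly and checked for consistency before anything else in the file is trusted. The following is an added example, not code from the original page: the function names are hypothetical, the sample bytes are constructed from the readelf output shown earlier, and the sample file size assumes the section header table is the last thing in the file.

```python
import struct

# ELF64 little-endian header: e_ident[16] followed by the fixed-width fields.
ELF64_HDR = struct.Struct("<16sHHIQQQIHHHHHH")
TYPES = {0: "NONE", 1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
          "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")

def parse_elf64_header(data):
    """Return the header fields as a dict; raise ValueError on malformed input."""
    if len(data) < ELF64_HDR.size:
        raise ValueError("file shorter than an ELF64 header")
    ident, *rest = ELF64_HDR.unpack_from(data)
    if ident[:4] != b"\x7fELF":
        raise ValueError("bad magic")
    if ident[4] != 2 or ident[5] != 1:      # Class and Data bytes of Magic
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = dict(zip(FIELDS, rest))
    hdr["type_name"] = TYPES.get(hdr["type"], "UNKNOWN")
    return hdr

def table_ranges(hdr, file_size):
    """Byte ranges of both header tables, checked against the file size."""
    ranges = {}
    for name, off, entsize, num in (
            ("program", hdr["phoff"], hdr["phentsize"], hdr["phnum"]),
            ("section", hdr["shoff"], hdr["shentsize"], hdr["shnum"])):
        end = off + entsize * num            # offset + entry size * entry count
        if end > file_size:
            raise ValueError(f"{name} header table runs past end of file")
        ranges[name] = (off, end)
    if hdr["shnum"] and hdr["shstrndx"] >= hdr["shnum"]:
        raise ValueError("string table index outside section header table")
    return ranges

# Constructed sample: a header carrying the values from the readelf output above.
SAMPLE = ELF64_HDR.pack(bytes.fromhex("7f454c46020101") + bytes(9),
                        2, 62, 1, 0x400440, 64, 4512, 0, 64, 56, 9, 64, 30, 27)
SAMPLE_FILE_SIZE = 4512 + 64 * 30  # assumption: section header table ends the file

if __name__ == "__main__":
    h = parse_elf64_header(SAMPLE)
    print(h["type_name"], hex(h["entry"]), table_ranges(h, SAMPLE_FILE_SIZE))
```

A header whose offsets, entry sizes or counts point outside the file is rejected rather than followed, which is the check a parser needs before indexing into either table.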