Concepts
A segment is a piece of information which is mapped into the memory of a process. An ELF binary can have zero or more segments. The segment also defines where the OS should place it in memory. Each segment has a Program Header which describes the sections within it.
A section is a distinct part of a segment with a defined purpose. A segment can have zero or more sections.
The ELF header
The ELF file header looks like this:

```
# hexdump /bin/ls -C | head
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00
00000010  03 00 3e 00 01 00 00 00  60 61 00 00 00 00 00 00
00000020  40 00 00 00 00 00 00 00  68 37 02 00 00 00 00 00
00000030  00 00 00 00 40 00 38 00  0b 00 40 00 1e 00 1d 00
```
Explanation:
| Byte# | Byte | Content |
|---|---|---|
| 1 | 7F | Magic number (0x7F, followed by "ELF") |
| 2 | 45 | E |
| 3 | 4C | L |
| 4 | 46 | F |
| 5 | 02 | Class: 0 = None, 1 = 32-bit object, 2 = 64-bit object |
| 6 | 01 | Data encoding: 0 = None 1 = LSB 2 = MSB |
| 7 | 01 | Version. There is only version 1. |
| 8 | 00 | ABI (Application Binary Interface): 0 = None/System V (mostly used), 1 = HP-UX, 2 = NetBSD, 3 = Linux |
| 9 | 00 | ABI version. Normally 0. |
| 10 | 00 | Padding |
| 11 | 00 | Padding |
| 12 | 00 | Padding |
| 13 | 00 | Padding |
| 14 | 00 | Padding |
| 15 | 00 | Padding |
| 16 | 00 | Padding |
| 17 18 | 03 00 | File Type: 0 ET_NONE = None 1 ET_REL = Relocatable file (.o) 2 ET_EXEC = Executable file 3 ET_DYN = Shared object file (.so) 4 ET_CORE = Core file (memory dump file) |
| 19 20 | 3e 00 | Machine Type: 0x03 = x86 0x28 = ARM 0x3E = amd64 |
| 21 22 23 24 | 01 00 00 00 | Version. Always 1. |
| 25 26 27 28 29 30 31 32 | 60 61 00 00 00 00 00 00 | Relative address of the main function: 0x6160 (or 0 for libraries) |
| 33 34 35 36 37 38 39 40 | 40 00 00 00 00 00 00 00 | Start of the program headers (byte 64, relative to the beginning of the file) |
| 41 42 43 44 45 46 47 48 | 68 37 02 00 00 00 00 00 | Start of the section headers (byte 0x023768 = 145256, relative to the beginning of the file) |
| 49 50 51 52 | 00 00 00 00 | Processor flags |
| 53 54 | 40 00 | Size of this header (64 bytes; kind of useless here) |
| 55 56 | 38 00 | Size of one program header: 0x38 = 56 bytes |
| 57 58 | 0b 00 | Number of program headers: 11 |
| 59 60 | 40 00 | Size of one section header: 0x40 = 64 bytes |
| 61 62 | 1e 00 | Number of section headers: 30 |
| 63 64 | 1d 00 | Index of section header string table: 29 |
This information can also be obtained with `readelf -h /bin/ls`.
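As an added example (not code from the original post), the following Python parser decodes the 64 header bytes from the hexdump above into the fields of the table, handles both the 32- and 64-bit layouts and both byte orders, and rejects headers whose self-declared sizes disagree with their class, which is a cheap first sanity check when triaging an unknown binary. `LS_HEADER` is constructed from the hexdump on this page.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# class -> (struct format after e_ident, expected e_ehsize, e_phentsize, e_shentsize)
CLASS_LAYOUT = {
    1: ("HHIIIIIHHHHHH", 52, 32, 40),
    2: ("HHIQQQIHHHHHH", 64, 56, 64),
}
FIELDS = ("type", "machine", "version", "entry", "phoff", "shoff", "flags",
          "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
FILE_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}

# The 64 header bytes of /bin/ls, copied from the hexdump above (constructed sample input).
LS_HEADER = bytes.fromhex(
    "7f454c4602010100" "0000000000000000"
    "03003e0001000000" "6061000000000000"
    "4000000000000000" "6837020000000000"
    "0000000040003800" "0b0040001e001d00"
)


def parse_elf_header(data: bytes) -> dict:
    """Parse an ELF file header and cross-check its self-describing size fields.

    Raises ValueError for anything a loader would also refuse, so a caller
    gets a clear reason instead of a silently garbled result."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file (bad magic)")
    ei_class, ei_data, ei_version, osabi, abiversion = data[4:9]
    if ei_class not in CLASS_LAYOUT:
        raise ValueError(f"unknown ELF class {ei_class}")
    if ei_data not in (1, 2):
        raise ValueError(f"unknown data encoding {ei_data}")
    fmt, ehsize, phentsize, shentsize = CLASS_LAYOUT[ei_class]
    endian = "<" if ei_data == 1 else ">"          # 1 = LSB, 2 = MSB
    if len(data) < ehsize:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(FIELDS, struct.unpack(endian + fmt, data[16:ehsize])))
    hdr.update(bits=32 if ei_class == 1 else 64, little_endian=ei_data == 1,
               ident_version=ei_version, osabi=osabi, abiversion=abiversion,
               type_name=FILE_TYPES.get(hdr["type"], "unknown"))
    # The header states its own sizes; a mismatch with the class is a classic
    # sign of a corrupted or hand-crafted file (0 is allowed when a table is absent).
    for name, expected in (("ehsize", ehsize), ("phentsize", phentsize), ("shentsize", shentsize)):
        if hdr[name] not in (0, expected):
            raise ValueError(f"e_{name} is {hdr[name]}, expected {expected}")
    if hdr["shnum"] and hdr["shstrndx"] >= hdr["shnum"]:
        raise ValueError("e_shstrndx points outside the section header table")
    return hdr
```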
ELF symbols
A symbol is a reference to code or data like a variable or function. There are usually two sections with symbol tables:
`.symtab` contains all symbols and `.dynsym` contains only the dynamic / global symbols.
Note that `.symtab` also contains all symbols from `.dynsym`. The symbols in `.dynsym` are all symbols needed at runtime. Symbols in `.symtab` can also be symbols of functions which are never called (e.g. from a library). Therefore, some binaries strip the `.symtab` section altogether, which makes debugging harder but doesn't affect execution.
ELF relocation
Relocation is a technique to resolve symbol references. If an ELF object references a function in another library, the reference is compiled with a placeholder. As soon as it is compiled into an executable binary, the linker resolves the placeholders and references the addresses where the shared library is placed in the program's memory.
Example: compile the following C code (ref1.c)

```c
/* foo() is defined elsewhere; the reference is left as a placeholder
 * and resolved through the PLT/GOT once the shared object is loaded. */
void foo(void);

void _start(void) {
    foo();
}
```

with `gcc -nostdlib -shared ref1.c -o ref1` and disassemble the binary (e.g. `objdump -d ref1`):
```
Disassembly of section .plt:

0000000000001000 <.plt>:
    1000:	ff 35 02 30 00 00    	pushq  0x3002(%rip)        # 4008 <_GLOBAL_OFFSET_TABLE_+0x8>
    1006:	ff 25 04 30 00 00    	jmpq   *0x3004(%rip)        # 4010 <_GLOBAL_OFFSET_TABLE_+0x10>
    100c:	0f 1f 40 00          	nopl   0x0(%rax)

0000000000001010 <foo@plt>:
    1010:	ff 25 02 30 00 00    	jmpq   *0x3002(%rip)        # 4018 <foo>
    1016:	68 00 00 00 00       	pushq  $0x0
    101b:	e9 e0 ff ff ff       	jmpq   1000 <.plt>

Disassembly of section .text:

0000000000001020 <_start>:
    1020:	55                   	push   %rbp
    1021:	48 89 e5             	mov    %rsp,%rbp
    1024:	b8 00 00 00 00       	mov    $0x0,%eax
    1029:	e8 e2 ff ff ff       	callq  1010 <foo@plt>
    102e:	90                   	nop
    102f:	5d                   	pop    %rbp
    1030:	c3                   	retq
```