Difference between revisions of "User:Hatter/ELF format"

(Created page with "The '''E'''xecutable and '''L'''inkable '''F'''ormat (ELF) is used to construct binary executables for the Linux Operating System. == Reading ELF files == A variety of...")
 

Revision as of 18:10, 9 September 2012

The Executable and Linkable Format (ELF) is the binary format used to build executables for the Linux operating system.


Reading ELF files

A variety of applications (debuggers, disassemblers, and resource viewers) can read ELF-formatted binaries, for example:

  • hexdump
  • readelf
  • objdump

Parsing ELF files

It is relatively trivial to find your image base at runtime using a small piece of assembly:

 
.section .data
.section .text

.globl _start

_start:
 jmp startup

getpc:
 mov (%rsp), %rax      # the return address pushed by "call" = address of the instruction after it
 ret
startup:
 call getpc
 dec %rax              # step back one byte so the scan starts inside our own code
 xor %rcx, %rcx        # index register stays zero; (%rax,%rcx,4) is just (%rax)
find_header:
 cmpl $0x464c457f, (%rax,%rcx,4)   # 0x464c457f is "\x7fELF" as a little-endian dword: did we find the ELF magic?
 je find_sections
 dec %rax              # no match: walk backwards one byte at a time
 jmp find_header
find_sections:
 # %rax now = base pointer of ELF image.
 # Note: this relies on the ELF header being mapped below the code (the usual layout, where the
 # first PT_LOAD segment starts at file offset 0) and stops at the first 4-byte match it meets.
 ...


Some ELF-64 tips (VERY RAW):


  • Diagram of a 64-bit ELF header (Elf64_Ehdr):
       [0x0-0xf]      "ELF Format Information" (e_ident)
       [0x18-0x1f]    Entry point (e_entry)
       [0x28-0x2f]    Start of section headers (e_shoff)
       [0x3a-0x3b]    Size of each section header (e_shentsize)
       [0x3c-0x3d]    Number of section headers (e_shnum)


  • Diagram of a 64-bit section header (Elf64_Shdr, 0x40 bytes in length):
         [0x0-0x3]     Offset of the section name within .shstrtab (sh_name).
                       In typical binaries .shstrtab sits between the end of
                       .text and the beginning of the section headers.
         [0x4-0x7]     Section type (sh_type): 0 is null, 1 is progbits, 2 is symtab, 3 is strtab
         [0x8-0xf]     Section flags (sh_flags)
         [0x10-0x17]   Section address (sh_addr)
         [0x18-0x1f]   Section offset in the file (sh_offset)
         [0x20-0x27]   Section size (sh_size)
  • Diagram of a 64-bit symbol table entry (Elf64_Sym, 0x18 bytes in length):
         [0x0-0x3]    Name offset into the linked string table (st_name)
         [0x4-0x5]    Bind and type (st_info: binding in the high nibble, type in the low nibble), visibility (st_other)
         [0x6-0x7]    Section index, Ndx (st_shndx)
         [0x8-0xf]    Symbol value: function pointer, data pointer, etc. (st_value)
         [0x10-0x17]  Symbol size (st_size)
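Walking the three structures above with exactly the offsets they list, as an added example that is not part of the wiki page: a small Python parser that follows the ELF header to the section headers, resolves section names through .shstrtab, reads .symtab through its sh_link string table, and bounds-checks every header-supplied offset before using it (a parser that trusts those fields is the classic way to crash on a crafted file). The minimal ELF64 image it runs on is constructed in the block, not taken from a real binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NULL, SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 0, 1, 2, 3   # sh_type values listed on the page

def _cstr(table: bytes, off: int) -> str:                       # NUL-terminated string in a string table
    return table[off:table.index(b"\0", off)].decode()

def parse_elf64(image: bytes) -> dict:
    """ELF header -> section headers -> .shstrtab names -> .symtab entries, little-endian ELF64."""
    if len(image) < 0x40 or image[:4] != ELF_MAGIC or image[4] != 2:   # e_ident: magic, EI_CLASS == ELFCLASS64
        raise ValueError("not an ELF64 image")
    entry, = struct.unpack_from("<Q", image, 0x18)               # e_entry      [0x18-0x1f]
    shoff, = struct.unpack_from("<Q", image, 0x28)               # e_shoff      [0x28-0x2f]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", image, 0x3a)  # [0x3a-0x3f]
    # Header-supplied sizes and offsets are untrusted input: bounds-check before indexing.
    if shentsize != 0x40 or shoff + shnum * shentsize > len(image) or shstrndx >= shnum:
        raise ValueError("section header table out of bounds")
    # Elf64_Shdr fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", image, shoff + i * shentsize) for i in range(shnum)]
    for sh in shdrs:
        if sh[4] + sh[5] > len(image) or sh[6] >= shnum:
            raise ValueError("section data or sh_link out of bounds")
    sec = lambda i: image[shdrs[i][4]:shdrs[i][4] + shdrs[i][5]]  # raw bytes of section i
    names = [_cstr(sec(shstrndx), sh[0]) for sh in shdrs]        # sh_name indexes .shstrtab
    symbols = {}
    for i, sh in enumerate(shdrs):
        if sh[1] != SHT_SYMTAB:
            continue
        strtab, data = sec(sh[6]), sec(i)                        # sh_link -> the matching .strtab
        for off in range(0, len(data) - 23, 24):                 # Elf64_Sym is 0x18 bytes
            st_name, st_info, _, st_shndx, st_value, st_size = struct.unpack_from("<IBBHQQ", data, off)
            symbols[_cstr(strtab, st_name)] = {"bind": st_info >> 4, "type": st_info & 0xF,
                                               "ndx": st_shndx, "value": st_value, "size": st_size}
    return {"entry": entry, "sections": names, "symbols": symbols}

def build_sample_image() -> bytes:
    """Constructed minimal ELF64 image for testing (not a real binary): header, 3 sections, 4 shdrs."""
    shstrtab = b"\0.shstrtab\0.strtab\0.symtab\0"                 # name offsets 1, 11, 19
    strtab = b"\0main\0"
    symtab = struct.pack("<IBBHQQ", 0, 0, 0, 0, 0, 0)             # index 0 is always STN_UNDEF
    symtab += struct.pack("<IBBHQQ", 1, 0x12, 0, 1, 0x401000, 0x20)  # main: GLOBAL<<4 | FUNC
    body = shstrtab + strtab + symtab
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9                     # ELFCLASS64, little-endian, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 0, 0x40 + len(body), 0, 0x40, 0x38, 0, 0x40, 4, 1)
    def shdr(name, typ, off, size, link=0, entsize=0):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, link, 0, 1, entsize)
    o1, o2 = 0x40 + len(shstrtab), 0x40 + len(shstrtab) + len(strtab)
    return ehdr + body + shdr(0, SHT_NULL, 0, 0) + shdr(1, SHT_STRTAB, 0x40, len(shstrtab)) \
        + shdr(11, SHT_STRTAB, o1, len(strtab)) + shdr(19, SHT_SYMTAB, o2, len(symtab), 2, 24)
```

Point `parse_elf64` at `open(path, "rb").read()` to inspect a real file; the same checks will reject a file whose section table points past its end.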