Difference between revisions of "User:Hatter/ELF format"

Revision as of 18:10, 9 September 2012

The Extecutable and Linkable Format (ELF) is used to construct binary executables for the Linux Operating System.

Reading ELF files

A variety of applications, debuggers, disassemblers, and resource viewers are available to read ELF formatted binaries:

• hexdump
• readelf
• objdump

Parsing elf files

It is relatively trivial to find your imagebase at runtime using some small assembly:

 
.section .data
.section .text
 
.globl _start
 
_start:
 jmp startup
 
getpc:
 mov (%rsp), %rax
 ret
startup:
 call getpc
 dec %rax
 xor %rcx, %rcx
find_header:
 cmpl $0x464c457f, (%rax,%rcx,4)   # Did we find our ELF base pointer?
 je find_sections
 dec %rax
 jmp find_header
find_sections:
 # %rax now = base pointer of ELF image.
 ...
 

Some ELF-64 tips (VERY RAW):

• Diagram of a 64-bit ELF Header:

       0x0 - 0xf                   = "ELF Format Information"
       Entry-point                 = 0x18 - 0x1f
       Start of section headers    = 0x28 - 0x2f
       Size of each section        = 0x3a - 0x3b
       Number of section headers   = 0x3c - 0x3d

• Diagram of a 64-bit section header: (0x40 bytes in length)

         [0x0-0x3]     shstrtab offset for section name.
                       shstrtab is defined between the end of
                       .text and the beginning of the section
                       headers

         [0x4-0x7]     section type - 0 is null, 1 is progbits, 2 is symtab, 3 is strtab
         [0x8-0xf]     section flags
         [0x10-0x17]   section address
         [0x18-0x1f]   section offset
         [0x20-0x27]   section size

• Diagram of a 64-bit symbol table entry:

         [0x0-0x3]    Name offset
         [0x4-0x5]    Bind
         [0x6-0x7]    Ndx
         [0x8-0xf]    Symbol pointer (Function pointer, data pointer, etc)
         [0x10-0x17]  Null barrier