Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "User:Hatter/ELF format"

From NetSec
Jump to: navigation, search
(Created page with "The '''E'''xtecutable and '''L'''inkable '''F'''ormat (ELF) is used to construct binary executables for the Linux Operating System. == Reading ELF files == A variety of...")
(No difference)

Revision as of 19:03, 9 September 2012

The Extecutable and Linkable Format (ELF) is used to construct binary executables for the Linux Operating System.


Reading ELF files

A variety of applications, debuggers, disassemblers, and resource viewers are available to read ELF formatted binaries:

  • hexdump
  • readelf
  • objdump

Parsing elf files

It is relatively trivial to find your imagebase at runtime using some small assembly: 

 
.section .data
.section .text
 
.globl _start
 
_start:
 jmp startup
 
getpc:
 mov (%rsp), %rax
 ret
startup:
 call getpc
 dec %rax
 xor %rcx, %rcx
find_header:
 cmpl $0x464c457f, (%rax,%rcx,4)   # Did we find our ELF base pointer?
 je find_sections
 dec %rax
 jmp find_header
find_sections:
 # %rax now = base pointer of ELF image.
 ...
 
Retrieved from "http://nets.ec/index.php?title=User:Hatter/ELF_format&oldid=8972"