Questions about this topic? Sign up to ask in the talk tab.

User:Hatter/ELF format

From NetSec
< User:Hatter
Revision as of 19:03, 9 September 2012 by LashawnSeccombe (Talk | contribs) (Created page with "The '''E'''xtecutable and '''L'''inkable '''F'''ormat (ELF) is used to construct binary executables for the Linux Operating System. == Reading ELF files == A variety of...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

The Extecutable and Linkable Format (ELF) is used to construct binary executables for the Linux Operating System.


Reading ELF files

A variety of applications, debuggers, disassemblers, and resource viewers are available to read ELF formatted binaries:

  • hexdump
  • readelf
  • objdump

Parsing elf files

It is relatively trivial to find your imagebase at runtime using some small assembly: 

 
.section .data
.section .text
 
.globl _start
 
_start:
 jmp startup
 
getpc:
 mov (%rsp), %rax
 ret
startup:
 call getpc
 dec %rax
 xor %rcx, %rcx
find_header:
 cmpl $0x464c457f, (%rax,%rcx,4)   # Did we find our ELF base pointer?
 je find_sections
 dec %rax
 jmp find_header
find_sections:
 # %rax now = base pointer of ELF image.
 ...
 
Retrieved from "http://nets.ec/index.php?title=User:Hatter/ELF_format&oldid=8972"