Questions about this topic? Sign up to ask in the talk tab.
User:Hatter/ELF format
From NetSec
The Extecutable and Linkable Format (ELF) is used to construct binary executables for the Linux Operating System.
Reading ELF files
A variety of applications, debuggers, disassemblers, and resource viewers are available to read ELF formatted binaries:
- hexdump
- readelf
- objdump
Parsing elf files
It is relatively trivial to find your imagebase at runtime using some small assembly:
.section .data .section .text .globl _start _start: jmp startup getpc: mov (%rsp), %rax ret startup: call getpc dec %rax xor %rcx, %rcx find_header: cmpl $0x464c457f, (%rax,%rcx,4) # Did we find our ELF base pointer? je find_sections dec %rax jmp find_header find_sections: # %rax now = base pointer of ELF image. ... |
Some ELF-64 tips (VERY RAW):
- Diagram of a 64-bit ELF Header:
0x0 - 0xf = "ELF Format Information"
Entry-point = 0x18 - 0x1f
Start of section headers = 0x28 - 0x2f
Size of each section = 0x3a - 0x3b
Number of section headers = 0x3c - 0x3d
- Diagram of a 64-bit section header: (0x40 bytes in length)
[0x0-0x3] shstrtab offset for section name.
shstrtab is defined between the end of
.text and the beginning of the section
headers
[0x4-0x7] section type - 0 is null, 1 is progbits, 2 is symtab, 3 is strtab
[0x8-0xf] section flags
[0x10-0x17] section address
[0x18-0x1f] section offset
[0x20-0x27] section size
- Diagram of a 64-bit symbol table entry:
[0x0-0x3] Name offset
[0x4-0x5] Bind
[0x6-0x7] Ndx
[0x8-0xf] Symbol pointer (Function pointer, data pointer, etc)
[0x10-0x17] Null barrier
