ELF文件结构
一、简介
ELF代表Executable and Linkable Format,是类Unix平台最通用的二进制文件格式,嵌入式设备很多都是Linux系统,它里面的可执行程序就是ELF格式,包含以下三种情况:
- 目标文件.o
- 动态库文件.so
- .o和.so链接得到的二进制可执行文件
二、生成ELF文件
1、示例代码
hello.c
#include<stdio.h>
int main(int argc,char *argv[])
{
printf("Hello World!\n");
return 0 ;
}2、预编译
解释:源文件hello.c和相关的头文件会被预编译器预编译成为一个.i文件
命令:gcc -E hello.c -o hello.i,处理后结果如下
# 1 "hello.c"
# 1 "<built-in>"
# 1 "<command-line>"
# 31 "<command-line>"
# 1 "/usr/include/stdc-predef.h" 1 3 4
# 32 "<command-line>" 2
# 1 "hello.c"
# 1 "/usr/include/stdio.h" 1 3 4
# 27 "/usr/include/stdio.h" 3 4
# 1 "/usr/include/x86_64-linux-gnu/bits/libc-header-start.h" 1 3 4
# 33 "/usr/include/x86_64-linux-gnu/bits/libc-header-start.h" 3 4
# 1 "/usr/include/features.h" 1 3 4
# 461 "/usr/include/features.h" 3 4
......
extern void funlockfile (FILE *__stream) __attribute__ ((__nothrow__ , __leaf__));
# 858 "/usr/include/stdio.h" 3 4
extern int __uflow (FILE *);
extern int __overflow (FILE *, int);
# 873 "/usr/include/stdio.h" 3 4
# 2 "hello.c" 2
# 3 "hello.c"
int main(int argc,char *argv[])
{
printf("Hello World!\n");
return 0 ;
}3、编译
解释:编译过程就是将预处理完的文件进行一系列的词法分析,语法分析,语义分析以及优化后生成相应的汇编文件。
命令:gcc -S hello.c -o hello.s,处理后的内容如下
.file "hello.c"
.text
.section .rodata
.LC0:
.string "Hello World!"
.text
.globl main
.type main, @function
main:
.LFB0:
.cfi_startproc
endbr64
pushq %rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
movq %rsp, %rbp
.cfi_def_cfa_register 6
subq $16, %rsp
movl %edi, -4(%rbp)
movq %rsi, -16(%rbp)
leaq .LC0(%rip), %rdi
call puts@PLT
movl $0, %eax
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE0:
.size main, .-main
.ident "GCC: (Ubuntu 9.4.0-1ubuntu1~20.04.2) 9.4.0"
.section .note.GNU-stack,"",@progbits
.section .note.gnu.property,"a"
.align 8
.long 1f - 0f
.long 4f - 1f
.long 5
0:
.string "GNU"
1:
.align 8
.long 0xc0000002
.long 3f - 2f
2:
.long 0x3
3:
.align 8
4:4、汇编
解释: 汇编器是将汇编代码转变成机器可以执行的指令,每一个汇编语句几乎都对应一条机器指令。
命令:gcc -c hello.c -o hello.o,或者as hello.s -o hello.o,处理后的内容如下
$ hexdump -C hello.o
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 01 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 |..>.............|
00000020 00 00 00 00 00 00 00 00 20 03 00 00 00 00 00 00 |........ .......|
00000030 00 00 00 00 40 00 00 00 00 00 40 00 0e 00 0d 00 |....@.....@.....|
00000040 f3 0f 1e fa 55 48 89 e5 48 83 ec 10 89 7d fc 48 |....UH..H....}.H|
00000050 89 75 f0 48 8d 3d 00 00 00 00 e8 00 00 00 00 b8 |.u.H.=..........|
00000060 00 00 00 00 c9 c3 48 65 6c 6c 6f 20 57 6f 72 6c |......Hello Worl|
00000070 64 21 00 00 47 43 43 3a 20 28 55 62 75 6e 74 75 |d!..GCC: (Ubuntu|
00000080 20 39 2e 34 2e 30 2d 31 75 62 75 6e 74 75 31 7e | 9.4.0-1ubuntu1~|
00000090 32 30 2e 30 34 2e 32 29 20 39 2e 34 2e 30 00 00 |20.04.2) 9.4.0..|
000000a0 04 00 00 00 10 00 00 00 05 00 00 00 47 4e 55 00 |............GNU.|
000000b0 02 00 00 c0 04 00 00 00 03 00 00 00 00 00 00 00 |................|
000000c0 14 00 00 00 00 00 00 00 01 7a 52 00 01 78 10 01 |.........zR..x..|
000000d0 1b 0c 07 08 90 01 00 00 1c 00 00 00 1c 00 00 00 |................|
000000e0 00 00 00 00 26 00 00 00 00 45 0e 10 86 02 43 0d |....&....E....C.|
000000f0 06 5d 0c 07 08 00 00 00 00 00 00 00 00 00 00 00 |.]..............|
00000100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000110 01 00 00 00 04 00 f1 ff 00 00 00 00 00 00 00 00 |................|
00000120 00 00 00 00 00 00 00 00 00 00 00 00 03 00 01 00 |................|
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000140 00 00 00 00 03 00 03 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 00 00 00 00 00 00 00 00 03 00 04 00 |................|
00000160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000170 00 00 00 00 03 00 05 00 00 00 00 00 00 00 00 00 |................|
00000180 00 00 00 00 00 00 00 00 00 00 00 00 03 00 07 00 |................|
00000190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001a0 00 00 00 00 03 00 08 00 00 00 00 00 00 00 00 00 |................|
000001b0 00 00 00 00 00 00 00 00 00 00 00 00 03 00 09 00 |................|
000001c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001d0 00 00 00 00 03 00 06 00 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 00 00 00 00 09 00 00 00 12 00 01 00 |................|
000001f0 00 00 00 00 00 00 00 00 26 00 00 00 00 00 00 00 |........&.......|
00000200 0e 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 |................|
00000210 00 00 00 00 00 00 00 00 24 00 00 00 10 00 00 00 |........$.......|
00000220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000230 00 68 65 6c 6c 6f 2e 63 00 6d 61 69 6e 00 5f 47 |.hello.c.main._G|
00000240 4c 4f 42 41 4c 5f 4f 46 46 53 45 54 5f 54 41 42 |LOBAL_OFFSET_TAB|
00000250 4c 45 5f 00 70 75 74 73 00 00 00 00 00 00 00 00 |LE_.puts........|
......hello.o的file信息
5、链接
解释: 链接的主要内容就是把各个模块之间相互引用的部分都处理好,使得各个模块之间能够正确的衔接。
命令:gcc hello.o -o hello,或者ld hello.o -o hello,处理后的内容如下
$ hexdump -C hello
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 03 00 3e 00 01 00 00 00 60 10 00 00 00 00 00 00 |..>.....`.......|
00000020 40 00 00 00 00 00 00 00 78 39 00 00 00 00 00 00 |@.......x9......|
00000030 00 00 00 00 40 00 38 00 0d 00 40 00 1f 00 1e 00 |....@.8...@.....|
00000040 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 |........@.......|
00000050 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 |@.......@.......|
00000060 d8 02 00 00 00 00 00 00 d8 02 00 00 00 00 00 00 |................|
00000070 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 |................|
00000080 18 03 00 00 00 00 00 00 18 03 00 00 00 00 00 00 |................|
00000090 18 03 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 |................|
000000a0 1c 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000000b0 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000d0 f8 05 00 00 00 00 00 00 f8 05 00 00 00 00 00 00 |................|
000000e0 00 10 00 00 00 00 00 00 01 00 00 00 05 00 00 00 |................|
000000f0 00 10 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |................|
00000100 00 10 00 00 00 00 00 00 f5 01 00 00 00 00 00 00 |................|
00000110 f5 01 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |................|
00000120 01 00 00 00 04 00 00 00 00 20 00 00 00 00 00 00 |......... ......|
00000130 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 00 |. ....... ......|
00000140 60 01 00 00 00 00 00 00 60 01 00 00 00 00 00 00 |`.......`.......|
00000150 00 10 00 00 00 00 00 00 01 00 00 00 06 00 00 00 |................|
00000160 b8 2d 00 00 00 00 00 00 b8 3d 00 00 00 00 00 00 |.-.......=......|
00000170 b8 3d 00 00 00 00 00 00 58 02 00 00 00 00 00 00 |.=......X.......|
00000180 60 02 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |`...............|
00000190 02 00 00 00 06 00 00 00 c8 2d 00 00 00 00 00 00 |.........-......|
000001a0 c8 3d 00 00 00 00 00 00 c8 3d 00 00 00 00 00 00 |.=.......=......|
000001b0 f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 |................|
000001c0 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 |................|
000001d0 38 03 00 00 00 00 00 00 38 03 00 00 00 00 00 00 |8.......8.......|
000001e0 38 03 00 00 00 00 00 00 20 00 00 00 00 00 00 00 |8....... .......|
000001f0 20 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 | ...............|
00000200 04 00 00 00 04 00 00 00 58 03 00 00 00 00 00 00 |........X.......|
00000210 58 03 00 00 00 00 00 00 58 03 00 00 00 00 00 00 |X.......X.......|
00000220 44 00 00 00 00 00 00 00 44 00 00 00 00 00 00 00 |D.......D.......|
00000230 04 00 00 00 00 00 00 00 53 e5 74 64 04 00 00 00 |........S.td....|
00000240 38 03 00 00 00 00 00 00 38 03 00 00 00 00 00 00 |8.......8.......|
00000250 38 03 00 00 00 00 00 00 20 00 00 00 00 00 00 00 |8....... .......|
00000260 20 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 | ...............|
00000270 50 e5 74 64 04 00 00 00 14 20 00 00 00 00 00 00 |P.td..... ......|
00000280 14 20 00 00 00 00 00 00 14 20 00 00 00 00 00 00 |. ....... ......|
00000290 44 00 00 00 00 00 00 00 44 00 00 00 00 00 00 00 |D.......D.......|
000002a0 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 |........Q.td....|
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000002d0 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 |................|
000002e0 52 e5 74 64 04 00 00 00 b8 2d 00 00 00 00 00 00 |R.td.....-......|
000002f0 b8 3d 00 00 00 00 00 00 b8 3d 00 00 00 00 00 00 |.=.......=......|
00000300 48 02 00 00 00 00 00 00 48 02 00 00 00 00 00 00 |H.......H.......|
00000310 01 00 00 00 00 00 00 00 2f 6c 69 62 36 34 2f 6c |......../lib64/l|
00000320 64 2d 6c 69 6e 75 78 2d 78 38 36 2d 36 34 2e 73 |d-linux-x86-64.s|
00000330 6f 2e 32 00 00 00 00 00 04 00 00 00 10 00 00 00 |o.2.............|
00000340 05 00 00 00 47 4e 55 00 02 00 00 c0 04 00 00 00 |....GNU.........|
00000350 03 00 00 00 00 00 00 00 04 00 00 00 14 00 00 00 |................|
00000360 03 00 00 00 47 4e 55 00 72 d0 7f ed d7 66 59 f9 |....GNU.r....fY.|
00000370 5a a1 2c 69 f5 84 fa 89 f9 1c 33 72 04 00 00 00 |Z.,i......3r....|
00000380 10 00 00 00 01 00 00 00 47 4e 55 00 00 00 00 00 |........GNU.....|
00000390 03 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 |................|
000003a0 02 00 00 00 06 00 00 00 01 00 00 00 06 00 00 00 |................|
000003b0 00 00 81 00 00 00 00 00 06 00 00 00 00 00 00 00 |................|
000003c0 d1 65 ce 6d 00 00 00 00 00 00 00 00 00 00 00 00 |.e.m............|
000003d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000003e0 3d 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 |=... ...........|
000003f0 00 00 00 00 00 00 00 00 0b 00 00 00 12 00 00 00 |................|
00000400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000410 1f 00 00 00 12 00 00 00 00 00 00 00 00 00 00 00 |................|
00000420 00 00 00 00 00 00 00 00 59 00 00 00 20 00 00 00 |........Y... ...|
00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000440 68 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 |h... ...........|
00000450 00 00 00 00 00 00 00 00 10 00 00 00 22 00 00 00 |............"...|
00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000470 00 6c 69 62 63 2e 73 6f 2e 36 00 70 75 74 73 00 |.libc.so.6.puts.|
00000480 5f 5f 63 78 61 5f 66 69 6e 61 6c 69 7a 65 00 5f |__cxa_finalize._|
00000490 5f 6c 69 62 63 5f 73 74 61 72 74 5f 6d 61 69 6e |_libc_start_main|
000004a0 00 47 4c 49 42 43 5f 32 2e 32 2e 35 00 5f 49 54 |.GLIBC_2.2.5._IT|
000004b0 4d 5f 64 65 72 65 67 69 73 74 65 72 54 4d 43 6c |M_deregisterTMCl|
000004c0 6f 6e 65 54 61 62 6c 65 00 5f 5f 67 6d 6f 6e 5f |oneTable.__gmon_|
000004d0 73 74 61 72 74 5f 5f 00 5f 49 54 4d 5f 72 65 67 |start__._ITM_reg|
000004e0 69 73 74 65 72 54 4d 43 6c 6f 6e 65 54 61 62 6c |isterTMCloneTabl|
000004f0 65 00 00 00 00 00 02 00 02 00 00 00 00 00 02 00 |e...............|
00000500 01 00 01 00 01 00 00 00 10 00 00 00 00 00 00 00 |................|
00000510 75 1a 69 09 00 00 02 00 31 00 00 00 00 00 00 00 |u.i.....1.......|
00000520 b8 3d 00 00 00 00 00 00 08 00 00 00 00 00 00 00 |.=..............|
00000530 40 11 00 00 00 00 00 00 c0 3d 00 00 00 00 00 00 |@........=......|
00000540 08 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 |................|
00000550 08 40 00 00 00 00 00 00 08 00 00 00 00 00 00 00 |.@..............|
00000560 08 40 00 00 00 00 00 00 d8 3f 00 00 00 00 00 00 |.@.......?......|
00000570 06 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000580 e0 3f 00 00 00 00 00 00 06 00 00 00 03 00 00 00 |.?..............|
00000590 00 00 00 00 00 00 00 00 e8 3f 00 00 00 00 00 00 |.........?......|
000005a0 06 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 |................|
000005b0 f0 3f 00 00 00 00 00 00 06 00 00 00 05 00 00 00 |.?..............|
000005c0 00 00 00 00 00 00 00 00 f8 3f 00 00 00 00 00 00 |.........?......|
000005d0 06 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 |................|
000005e0 d0 3f 00 00 00 00 00 00 07 00 00 00 02 00 00 00 |.?..............|
000005f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
......
00002000 01 00 02 00 48 65 6c 6c 6f 20 57 6f 72 6c 64 21 |....Hello World!|
......三、ELF文件解析
ELF文件头的定义参考binutils源码(include/elf/internal.h)或者linux内核源码(include/uapi/linux/elf.h)
1、Elf64_Ehdr
(1) e_ident
| 偏移 | 大小 | 值 | 说明 |
| 0x00-0x03 | 4 | \x7FELF | 魔术字 |
| 0x04 | 1 | 2 | ei_class:ELFCLASS64,64位 |
| 0x05 | 1 | 1 | ei_data:ELFDATA2LSB,小端 |
| 0x06 | 1 | 1 | ei_version:E_CURRENT |
| 0x07 | 1 | 0 | ei_osabi:ELFOSABI_NONE |
| 0x08 | 1 | 0 | ei_abiversion:0 |
| 0x09-0x0E | 6 | 0 | ei_pad |
| 0x0F | 1 | 0 | ei_nident_SIZE:0 |
(2) 其他
| 偏移 | 大小 | 值 | 说明 |
| 0x10-0x11 | 2 | 3 | e_type64:ET_DYN,文件类型 |
| 0x12-0x13 | 2 | 0x3E | e_machine:EM_X86_64,机器架构 |
| 0x14-0x17 | 4 | 1 | e_version:EV_CURRENT,目标文件版本 |
| 0x18-0x1F | 8 | 0x1060 | e_entry,入口点地址 |
| 0x20-0x27 | 8 | 0x40 | e_phoff,Program header table file offset,程序头部表偏移 |
| 0x28-0x2F | 8 | 0x3978 | e_shoff,Section header table file offset,节头表偏移 |
| 0x30-0x33 | 4 | 0 | e_flags,Processor-specific flags,文件中与特定处理器相关的标志 |
| 0x34-0x35 | 2 | 0x40 | e_ehsize,ELF 文件头部的字节长度 |
| 0x36-0x37 | 2 | 0x38 | e_phentsize,Program header table entry size,程序头部表中每个表项的字节长度 |
| 0x38-0x39 | 2 | 0x0D | e_phnum,Program header table entry count,程序头部表的项数 |
| 0x3A-0x3B | 2 | 0x40 | e_shentsize,Section header table entry size,节头的字节长度 |
| 0x3C-0x3D | 2 | 0x1F | e_shnum,Section header table entry count,节头表中的项数 |
| 0x3E-0x3F | 2 | 0x1E | e_shstrndx,Section header string table index,节头表中与节名字符串表相关的表项的索引值 |
2、Elf64_Phdr
(1)第一段
| 偏移 | 大小 | 值 | 说明 |
| 0x40-0x43 | 4 | 6 | p_type:PT_PHDR,程序头,段类型 |
| 0x44-0x47 | 4 | 4 | p_flags:PF_Read,可读 |
| 0x48-0x4F | 8 | 0x40 | p_offset,文件偏移 |
| 0x50-0x57 | 8 | 0x40 | p_vaddr,虚拟地址 |
| 0x58-0x5F | 8 | 0x40 | p_paddr,物理地址 |
| 0x60-0x67 | 8 | 0x2D8 | p_filesz,文件中段大小 |
| 0x68-0x6F | 8 | 0x2D8 | p_memsz,内存中段大小 |
| 0x70-0x77 | 8 | 0x08 | p_align,Segment alignment, file & memory,对齐 |
| 0x78-0x317 | 0x2A0 | ... | 此段的剩余内容 |
(2)其他段类似第一段解析的方式,可以用readelf -S hello解析
$ readelf -l hello
Elf file type is DYN (Shared object file)
Entry point 0x1060
There are 13 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
PHDR 0x0000000000000040 0x0000000000000040 0x0000000000000040
0x00000000000002d8 0x00000000000002d8 R 0x8
INTERP 0x0000000000000318 0x0000000000000318 0x0000000000000318
0x000000000000001c 0x000000000000001c R 0x1
[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x00000000000005f8 0x00000000000005f8 R 0x1000
LOAD 0x0000000000001000 0x0000000000001000 0x0000000000001000
0x00000000000001f5 0x00000000000001f5 R E 0x1000
LOAD 0x0000000000002000 0x0000000000002000 0x0000000000002000
0x0000000000000160 0x0000000000000160 R 0x1000
LOAD 0x0000000000002db8 0x0000000000003db8 0x0000000000003db8
0x0000000000000258 0x0000000000000260 RW 0x1000
DYNAMIC 0x0000000000002dc8 0x0000000000003dc8 0x0000000000003dc8
0x00000000000001f0 0x00000000000001f0 RW 0x8
NOTE 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
NOTE 0x0000000000000358 0x0000000000000358 0x0000000000000358
0x0000000000000044 0x0000000000000044 R 0x4
GNU_PROPERTY 0x0000000000000338 0x0000000000000338 0x0000000000000338
0x0000000000000020 0x0000000000000020 R 0x8
GNU_EH_FRAME 0x0000000000002014 0x0000000000002014 0x0000000000002014
0x0000000000000044 0x0000000000000044 R 0x4
GNU_STACK 0x0000000000000000 0x0000000000000000 0x0000000000000000
0x0000000000000000 0x0000000000000000 RW 0x10
GNU_RELRO 0x0000000000002db8 0x0000000000003db8 0x0000000000003db8
0x0000000000000248 0x0000000000000248 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.property .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt
03 .init .plt .plt.got .plt.sec .text .fini
04 .rodata .eh_frame_hdr .eh_frame
05 .init_array .fini_array .dynamic .got .data .bss
06 .dynamic
07 .note.gnu.property
08 .note.gnu.build-id .note.ABI-tag
09 .note.gnu.property
10 .eh_frame_hdr
11
12 .init_array .fini_array .dynamic .got3、Elf64_Shdr
(1)第一节没有名字,这里以第二节为例
| 偏移 | 大小 | 值 | 说明 |
| 0x39B8-0x39BB | 4 | 0x1B | sh_name,对应.interp,节名称,对应string tbl的偏移 |
| 0x39BC-0x39BF | 4 | 1 | s_type:SHT_PROGBITS,节类型 |
| 0x39C0-0x39C7 | 8 | 2 | s_flags:AlLOC,Miscellaneous section attributes |
| 0x39C8-0x39CF | 8 | 0x318 | s_addr,Section virtual addr at execution,节虚拟地址 |
| 0x39D0-0x39D7 | 8 | 0x318 | s_offset,Section file offset,节文件偏移 |
| 0x39D8-0x39DF | 8 | 0x1C | s_size,Size of section in bytes,节大小 |
| 0x39E0-0x39E3 | 4 | 0 | s_link,Index of another section,其他节偏移 |
| 0x39E4-0x39E7 | 4 | 0 | s_info,Additional section information,可选节信息 |
| 0x39E8-0x39EF | 8 | 1 | s_addralign,Section alignment,节对齐 |
| 0x39F0-0x39F7 | 8 | 0 | entsize,Entry size if section holds table |
对应的内容
/lib64/ld-linux-x86-64.so.2
(2)其他节类似第一节解析的方式,可以用readelf -S hello解析
$ readelf -S hello
There are 31 section headers, starting at offset 0x3978:
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000000318 00000318
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.gnu.propert NOTE 0000000000000338 00000338
0000000000000020 0000000000000000 A 0 0 8
[ 3] .note.gnu.build-i NOTE 0000000000000358 00000358
0000000000000024 0000000000000000 A 0 0 4
[ 4] .note.ABI-tag NOTE 000000000000037c 0000037c
0000000000000020 0000000000000000 A 0 0 4
[ 5] .gnu.hash GNU_HASH 00000000000003a0 000003a0
0000000000000024 0000000000000000 A 6 0 8
[ 6] .dynsym DYNSYM 00000000000003c8 000003c8
00000000000000a8 0000000000000018 A 7 1 8
[ 7] .dynstr STRTAB 0000000000000470 00000470
0000000000000082 0000000000000000 A 0 0 1
[ 8] .gnu.version VERSYM 00000000000004f2 000004f2
000000000000000e 0000000000000002 A 6 0 2
[ 9] .gnu.version_r VERNEED 0000000000000500 00000500
0000000000000020 0000000000000000 A 7 1 8
[10] .rela.dyn RELA 0000000000000520 00000520
00000000000000c0 0000000000000018 A 6 0 8
[11] .rela.plt RELA 00000000000005e0 000005e0
0000000000000018 0000000000000018 AI 6 24 8
[12] .init PROGBITS 0000000000001000 00001000
000000000000001b 0000000000000000 AX 0 0 4
[13] .plt PROGBITS 0000000000001020 00001020
0000000000000020 0000000000000010 AX 0 0 16
[14] .plt.got PROGBITS 0000000000001040 00001040
0000000000000010 0000000000000010 AX 0 0 16
[15] .plt.sec PROGBITS 0000000000001050 00001050
0000000000000010 0000000000000010 AX 0 0 16
[16] .text PROGBITS 0000000000001060 00001060
0000000000000185 0000000000000000 AX 0 0 16
[17] .fini PROGBITS 00000000000011e8 000011e8
000000000000000d 0000000000000000 AX 0 0 4
[18] .rodata PROGBITS 0000000000002000 00002000
0000000000000011 0000000000000000 A 0 0 4
[19] .eh_frame_hdr PROGBITS 0000000000002014 00002014
0000000000000044 0000000000000000 A 0 0 4
[20] .eh_frame PROGBITS 0000000000002058 00002058
0000000000000108 0000000000000000 A 0 0 8
[21] .init_array INIT_ARRAY 0000000000003db8 00002db8
0000000000000008 0000000000000008 WA 0 0 8
[22] .fini_array FINI_ARRAY 0000000000003dc0 00002dc0
0000000000000008 0000000000000008 WA 0 0 8
[23] .dynamic DYNAMIC 0000000000003dc8 00002dc8
00000000000001f0 0000000000000010 WA 7 0 8
[24] .got PROGBITS 0000000000003fb8 00002fb8
0000000000000048 0000000000000008 WA 0 0 8
[25] .data PROGBITS 0000000000004000 00003000
0000000000000010 0000000000000000 WA 0 0 8
[26] .bss NOBITS 0000000000004010 00003010
0000000000000008 0000000000000000 WA 0 0 1
[27] .comment PROGBITS 0000000000000000 00003010
000000000000002b 0000000000000001 MS 0 0 1
[28] .symtab SYMTAB 0000000000000000 00003040
0000000000000618 0000000000000018 29 46 8
[29] .strtab STRTAB 0000000000000000 00003658
0000000000000203 0000000000000000 0 0 1
[30] .shstrtab STRTAB 0000000000000000 0000385b
000000000000011a 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
l (large), p (processor specific)
4、Elf64_Sym
(1) 第29个符号表
| 偏移 | 大小 | 值 | 说明 |
| 0x32E0-0x32E3 | 4 | 1 | st_name,偏移对应crtstuff.c |
| 0x32E4 | 1 | 4 | sym_info:STB_LOCAL | STT_FILE |
| 0x32E5 | 1 | 0 | sym_other |
| 0x32E6-0x32E7 | 2 | 0xFFF1 | sym_shndx,Associated section index,关联节索引 |
| 0x32E8-0x32EF | 8 | 0 | sym_value,Value of the symbol,符号值 |
| 0x32F0-0x32F7 | 8 | 0 | sym_size,Associated symbol size,关联符号大小 |
名字
(2)其他符号表类似第一个符号表解析的方式,可以用readelf -s hello解析
$ readelf -s hello
Symbol table '.dynsym' contains 7 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (2)
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
4: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
5: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
6: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@GLIBC_2.2.5 (2)
Symbol table '.symtab' contains 65 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000318 0 SECTION LOCAL DEFAULT 1
2: 0000000000000338 0 SECTION LOCAL DEFAULT 2
3: 0000000000000358 0 SECTION LOCAL DEFAULT 3
4: 000000000000037c 0 SECTION LOCAL DEFAULT 4
5: 00000000000003a0 0 SECTION LOCAL DEFAULT 5
6: 00000000000003c8 0 SECTION LOCAL DEFAULT 6
7: 0000000000000470 0 SECTION LOCAL DEFAULT 7
8: 00000000000004f2 0 SECTION LOCAL DEFAULT 8
9: 0000000000000500 0 SECTION LOCAL DEFAULT 9
10: 0000000000000520 0 SECTION LOCAL DEFAULT 10
11: 00000000000005e0 0 SECTION LOCAL DEFAULT 11
12: 0000000000001000 0 SECTION LOCAL DEFAULT 12
13: 0000000000001020 0 SECTION LOCAL DEFAULT 13
14: 0000000000001040 0 SECTION LOCAL DEFAULT 14
15: 0000000000001050 0 SECTION LOCAL DEFAULT 15
16: 0000000000001060 0 SECTION LOCAL DEFAULT 16
17: 00000000000011e8 0 SECTION LOCAL DEFAULT 17
18: 0000000000002000 0 SECTION LOCAL DEFAULT 18
19: 0000000000002014 0 SECTION LOCAL DEFAULT 19
20: 0000000000002058 0 SECTION LOCAL DEFAULT 20
21: 0000000000003db8 0 SECTION LOCAL DEFAULT 21
22: 0000000000003dc0 0 SECTION LOCAL DEFAULT 22
23: 0000000000003dc8 0 SECTION LOCAL DEFAULT 23
24: 0000000000003fb8 0 SECTION LOCAL DEFAULT 24
25: 0000000000004000 0 SECTION LOCAL DEFAULT 25
26: 0000000000004010 0 SECTION LOCAL DEFAULT 26
27: 0000000000000000 0 SECTION LOCAL DEFAULT 27
28: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
29: 0000000000001090 0 FUNC LOCAL DEFAULT 16 deregister_tm_clones
30: 00000000000010c0 0 FUNC LOCAL DEFAULT 16 register_tm_clones
31: 0000000000001100 0 FUNC LOCAL DEFAULT 16 __do_global_dtors_aux
32: 0000000000004010 1 OBJECT LOCAL DEFAULT 26 completed.8061
33: 0000000000003dc0 0 OBJECT LOCAL DEFAULT 22 __do_global_dtors_aux_fin
34: 0000000000001140 0 FUNC LOCAL DEFAULT 16 frame_dummy
35: 0000000000003db8 0 OBJECT LOCAL DEFAULT 21 __frame_dummy_init_array_
36: 0000000000000000 0 FILE LOCAL DEFAULT ABS hello.c
37: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
38: 000000000000215c 0 OBJECT LOCAL DEFAULT 20 __FRAME_END__
39: 0000000000000000 0 FILE LOCAL DEFAULT ABS
40: 0000000000003dc0 0 NOTYPE LOCAL DEFAULT 21 __init_array_end
41: 0000000000003dc8 0 OBJECT LOCAL DEFAULT 23 _DYNAMIC
42: 0000000000003db8 0 NOTYPE LOCAL DEFAULT 21 __init_array_start
43: 0000000000002014 0 NOTYPE LOCAL DEFAULT 19 __GNU_EH_FRAME_HDR
44: 0000000000003fb8 0 OBJECT LOCAL DEFAULT 24 _GLOBAL_OFFSET_TABLE_
45: 0000000000001000 0 FUNC LOCAL DEFAULT 12 _init
46: 00000000000011e0 5 FUNC GLOBAL DEFAULT 16 __libc_csu_fini
47: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterTMCloneTab
48: 0000000000004000 0 NOTYPE WEAK DEFAULT 25 data_start
49: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@@GLIBC_2.2.5
50: 0000000000004010 0 NOTYPE GLOBAL DEFAULT 25 _edata
51: 00000000000011e8 0 FUNC GLOBAL HIDDEN 17 _fini
52: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@@GLIBC_
53: 0000000000004000 0 NOTYPE GLOBAL DEFAULT 25 __data_start
54: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
55: 0000000000004008 0 OBJECT GLOBAL HIDDEN 25 __dso_handle
56: 0000000000002000 4 OBJECT GLOBAL DEFAULT 18 _IO_stdin_used
57: 0000000000001170 101 FUNC GLOBAL DEFAULT 16 __libc_csu_init
58: 0000000000004018 0 NOTYPE GLOBAL DEFAULT 26 _end
59: 0000000000001060 47 FUNC GLOBAL DEFAULT 16 _start
60: 0000000000004010 0 NOTYPE GLOBAL DEFAULT 26 __bss_start
61: 0000000000001149 38 FUNC GLOBAL DEFAULT 16 main
62: 0000000000004010 0 OBJECT GLOBAL HIDDEN 25 __TMC_END__
63: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_registerTMCloneTable
64: 0000000000000000 0 FUNC WEAK DEFAULT UND __cxa_finalize@@GLIBC_2.2