Link to this headingExecutable and Linkable Format (ELF)

Types of Files:

  • Executable Files
  • Shared library files
  • Object files

Link to this headingLinux Kernel Image

Convert vmlinux/vmlinuz/bzImage/zImage kernel image to ELF
Multi Part Series on ELF files

Link to this headingELF Header

Read Header Information:

>>> readelf -W -h `which cat` ELF Header: Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 Class: ELF64 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: DYN (Shared object file) Machine: Advanced Micro Devices X86-64 Version: 0x1 Entry point address: 0x2c00 Start of program headers: 64 (bytes into file) Start of section headers: 37384 (bytes into file) Flags: 0x0 Size of this header: 64 (bytes) Size of program headers: 56 (bytes) Number of program headers: 11 Size of section headers: 64 (bytes) Number of section headers: 27 Section header string table index: 26

ELF Header:

  1. Magic Number
    • 7F 45 4C 46
  2. Class
    • 00: Invalid
    • 01: 32bit Object
    • 02: 64bit Object
  3. Data Encoding
    • 00: Invalid
    • 01: Least Significant Byte First (LSB)
    • 02: Most Significant Byte First (MSB)
  4. Version
    • 01: Version of ELF 1.0
  5. OS ABI
    • 00: None/System V (Most common)
    • 01: HP-UX
    • 02: NetBSD
    • 03: Linux
  6. ABI Version
    • 00: Not used
  7. Padding
    • 00 00 00 00 00 00 00
  8. Type
    • 00 00: No File Type
    • 00 01: Relocatable file type (Object Files .o files)
    • 00 02: Executable file (Non ASLR executables)
    • 00 03: Shared object file (Shared Libraries and ASLR Executables)
    • 00 04: Core file (Core Dumps)
  9. Machine Type
    • 00 03: x86
    • 00 08: MIPS
    • 00 28: ARM
    • 00 3E: amd64
    • 00 B7: ARMv8
    • 00 F3: RISC-V
  10. ELF Version
    • 00 00 00 01: Always set to ELF version 1.0
  11. Entry point
    • Entry point of the application
  12. Program headers offset
    • The start of the Program Headers at offset from binging of the file
  13. Section headers offset
    • The start of the Section Headers at offset from binging of the file
  14. Flags
    • OS and Archetecture Dependent
  15. ELF Header Size
    • Size of the Header Size (Kind of useless)
  16. Size of each Program Header
    • All program segments are the same size
  17. The Number of Program Headers
  18. Size of each Section Header
    • All sections are the same size
  19. The Number of Section Headers
  20. Section table index
    • Used to resolve the names of the sections in the file

Link to this headingSegments

Also known as program headers
relevant at Runtime

Segment Header:

  1. Type of Segment
    • 00 00: Null (Can be used to disable a segment)
    • 00 01: Loaded into memory
    • 00 02: Dynamic linked libraries
    • 00 03: Interpreted (only ASLR has this segment)
    • 00 04: Note (Hold debugger information)
    • 00 05: HLIB (Not used)
    • 00 06: Physical Address (Location where this will be loaded into memory)
    • 00 07: Thread Local Storage (Thread Local Varbales)
  2. Offset
    • Where in the elf file this segment starts
  3. Virtual Address
    • Where in Virtual memory this will be located
  4. Physical Address
    • Where in Physical memory this will be located. Only when this is the only option
  5. File Size
    • How big the segment is
  6. Size of the segment in memory
    • If it is larger than the file size the rest is set to 00 values
  7. Flags
    • Permissions of the segments RWX
  8. Align
    • Align bytes to either 4 bytes or 8 bytes

List Segments in a File:

>>> readelf -W -l `which cat` Elf file type is DYN (Shared object file) Entry point 0x2c00 There are 11 program headers, starting at offset 64 Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x000268 0x000268 R 0x8 INTERP 0x0002a8 0x00000000000002a8 0x00000000000002a8 0x00001c 0x00001c R 0x1 [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2] LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x001520 0x001520 R 0x1000 LOAD 0x002000 0x0000000000002000 0x0000000000002000 0x003f91 0x003f91 R E 0x1000 LOAD 0x006000 0x0000000000006000 0x0000000000006000 0x0021b0 0x0021b0 R 0x1000 LOAD 0x008a90 0x0000000000009a90 0x0000000000009a90 0x000630 0x0007c8 RW 0x1000 DYNAMIC 0x008c38 0x0000000000009c38 0x0000000000009c38 0x0001f0 0x0001f0 RW 0x8 NOTE 0x0002c4 0x00000000000002c4 0x00000000000002c4 0x000044 0x000044 R 0x4 GNU_EH_FRAME 0x007210 0x0000000000007210 0x0000000000007210 0x0002b4 0x0002b4 R 0x4 GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10 GNU_RELRO 0x008a90 0x0000000000009a90 0x0000000000009a90 0x000570 0x000570 R 0x1 Section to Segment mapping: Segment Sections... 00 01 .interp 02 .interp .note.gnu.build-id .note.ABI-tag .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt 03 .init .plt .text .fini 04 .rodata .eh_frame_hdr .eh_frame 05 .init_array .fini_array .data.rel.ro .dynamic .got .data .bss 06 .dynamic 07 .note.gnu.build-id .note.ABI-tag 08 .eh_frame_hdr 09 10 .init_array .fini_array .data.rel.ro .dynamic .got

Link to this headingSections

Relevant at Linktime

Common Sections:

  • .text: code.
  • .data: initialized data.
  • .rodata: initialized read-only data.
  • .bss: uninitialized data.
  • .plt: PLT (Procedure Linkage Table) (IAT equivalent).
  • .got: GOT entries dedicated to dynamically linked global variables.
  • .got.plt: GOT entries dedicated to dynamically linked functions.
  • .symtab: global symbol table.
  • .dynamic: Holds all needed information for dynamic linking.
  • .dynsym: symbol tables dedicated to dynamically linked symbols.
  • .strtab: string table of .symtab section.
  • .dynstr: string table of .dynsym section.
  • .interp: RTLD embedded string.
  • .rel.dyn: global variable relocation table.
  • .rel.plt: function relocation table.
  • shstrtab: Table for the names of each of the sections

Section Header:

  1. Section Name
    • Offset into the string table
  2. Type
    • 00 00: Null (Ignored)
    • 00 01: Process Bits
    • 00 02: Symbol table (List of symbol table structures)
    • 00 03: String Table (List of null terminated strings)
    • 00 04: Relocation
    • 00 05: Hash table
    • 00 06: Dynamic linking
    • 00 07: Note (Debugging info)
    • 00 08: No Bits (uninitialized variables)
    • 00 09: Relocation
    • 00 0A: SH Library
    • 00 0B: Dynmaic Symbols (List of symbol table structures)
  3. Flags
    • 01: Writable
    • 02: Allocate
    • 04: Executable Instructions
  4. Where Address will appear in memory
  5. Offset of location in the elf file
  6. How large the Size is in the elf file
  7. Linked to another section
  8. Info
  9. Address Align
  10. Entry Size
    • size for data in an array in the section

List Sections in a File:

>>> readelf -l -S `which cat` There are 27 section headers, starting at offset 0x9208: Section Headers: [Nr] Name Type Address Off Size ES Flg Lk Inf Al [ 0] NULL 0000000000000000 000000 000000 00 0 0 0 [ 1] .interp PROGBITS 00000000000002a8 0002a8 00001c 00 A 0 0 1 [ 2] .note.gnu.build-id NOTE 00000000000002c4 0002c4 000024 00 A 0 0 4 [ 3] .note.ABI-tag NOTE 00000000000002e8 0002e8 000020 00 A 0 0 4 [ 4] .gnu.hash GNU_HASH 0000000000000308 000308 000060 00 A 5 0 8 [ 5] .dynsym DYNSYM 0000000000000368 000368 0005e8 18 A 6 1 8 [ 6] .dynstr STRTAB 0000000000000950 000950 0002c9 00 A 0 0 1 [ 7] .gnu.version VERSYM 0000000000000c1a 000c1a 00007e 02 A 5 0 2 [ 8] .gnu.version_r VERNEED 0000000000000c98 000c98 000060 00 A 6 1 8 [ 9] .rela.dyn RELA 0000000000000cf8 000cf8 000810 18 A 5 0 8 [10] .rela.plt RELA 0000000000001508 001508 000018 18 AI 5 22 8 [11] .init PROGBITS 0000000000002000 002000 00001b 00 AX 0 0 4 [12] .plt PROGBITS 0000000000002020 002020 000020 10 AX 0 0 16 [13] .text PROGBITS 0000000000002040 002040 003f42 00 AX 0 0 16 [14] .fini PROGBITS 0000000000005f84 005f84 00000d 00 AX 0 0 4 [15] .rodata PROGBITS 0000000000006000 006000 00120e 00 A 0 0 32 [16] .eh_frame_hdr PROGBITS 0000000000007210 007210 0002b4 00 A 0 0 4 [17] .eh_frame PROGBITS 00000000000074c8 0074c8 000ce8 00 A 0 0 8 [18] .init_array INIT_ARRAY 0000000000009a90 008a90 000008 08 WA 0 0 8 [19] .fini_array FINI_ARRAY 0000000000009a98 008a98 000008 08 WA 0 0 8 [20] .data.rel.ro PROGBITS 0000000000009aa0 008aa0 000198 00 WA 0 0 32 [21] .dynamic DYNAMIC 0000000000009c38 008c38 0001f0 10 WA 6 0 8 [22] .got PROGBITS 0000000000009e28 008e28 0001d0 08 WA 0 0 8 [23] .data PROGBITS 000000000000a000 009000 0000c0 00 WA 0 0 32 [24] .bss NOBITS 000000000000a0c0 0090c0 000198 00 WA 0 0 32 [25] .comment PROGBITS 0000000000000000 0090c0 00004c 01 MS 0 0 1 [26] .shstrtab STRTAB 0000000000000000 00910c 0000f7 00 0 0 1 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings), I (info), L (link order), O (extra OS processing required), G (group), T (TLS), C (compressed), x (unknown), o (OS specific), E (exclude), l (large), p (processor specific)