Linux ELF格式分析【转】
转自:https://www.cnblogs.com/feng9exe/p/6899351.html
http://www.cnblogs.com/hzl6255/p/3312262.html
ELF, Executable and Linking Format, 是一种用于可执行文件、目标文件、共享库和核心转储的标准文件格式。 ELF格式是是UNIX系统实验室作为ABI(Application Binary Interface)而开发和发布的。
这里简单介绍一下相关历史:
- UNIX: 最初采用的格式为a.out,之后被System V中的COFF取代,最后则被SVR4中的ELF格式所取代。
- Windows: 采用的则是COFF格式的变种PE格式
- MAC OS X: 采用的是Mach-O格式
ELF有四种不同的类型:
1. 可重定位文件(Relocatable): 编译器和汇编器产生的.o文件,需要被Linker进一步处理
2. 可执行文件(Executable): Have all relocation done and all symbol resolved except perhaps shared library symbols that must be resolved at run time
3. 共享对象文件(Shared Object): 即动态库文件(.so)
4. 核心转储文件(Core File):
1.ELF文件结构
可以从两个角度来描述ELF文件结构
~1. Compilers,assemblers,linkers: 由Section header table描述的Sections组成
~2. System loader: 由Program header table描述的Segments组成
TIP:
- A single segment usually consist of several sections.
- Relocatable files have Section header tables. Executable files have Program header tables. Shared object files have both
- Sections are intended for further processing by a linker, while the segments are intended to be mapped into memory
- 只有ELF header是固定在文件的首部, 而Program header和Section header的位置则由ELF header指出
ELF数据表示: 六种数据类型(32-bit)
| Name | Size | Alignment | Purpose |
| Elf32_Addr | 4 | 4 | Unsigned program address |
| Elf32_Off | 4 | 4 | Unsigned file offset |
| Elf32_Half | 2 | 2 | Unsigned medium interger |
| Elf32_Word | 4 | 4 | unsigned interger |
| Elf32_Sword | 4 | 4 | Signed interger |
| unsigned char | 1 | 1 | Unsigned small interger |
@1:
ELF header: 在文件开始处,描述了整个文件的组织,占用 52-bytes
#define EI_NIDENT (16)
typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf32_Half e_type; /* Object file type */
Elf32_Half e_machine; /* Architecture */
Elf32_Word e_version; /* Object file version */
Elf32_Addr e_entry; /* Entry point virtual address */
Elf32_Off e_phoff; /* Program header table file offset */
Elf32_Off e_shoff; /* Section header table file offset */
Elf32_Word e_flags; /* Processor-specific flags */
Elf32_Half e_ehsize; /* ELF header size in bytes */
Elf32_Half e_phentsize; /* Program header table entry size */
Elf32_Half e_phnum; /* Program header table entry count */
Elf32_Half e_shentsize; /* Section header table entry size */
Elf32_Half e_shnum; /* Section header table entry count */
Elf32_Half e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;
我们来看看一个最基本的ELF header
[root@bogon ~]# readelf -h a.out ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x80482a0 /* e_entry */ Start of program headers: 52 (bytes into file) /* e_phoff */ Start of section headers: 1992 (bytes into file) /* e_shoff: See Starting address of section headers */ Flags: 0x0 Size of this header: 52 (bytes) /* e_ehsize */ Size of program headers: 32 (bytes) /* e_phentsize */ Number of program headers: 8 /* e_phnum */ Size of section headers: 40 (bytes) /* e_shentsize */ Number of section headers: 29 /* e_shnum */ Section header string table index: 26 /* e_shstrndx */
从elf header我们可以得到如下信息?
@2:
section header: 包含section的信息。
每个section header占 40-bytes (即e_shentsize大小)
/* Section header. */
typedef struct
{
elf32_word sh_name; /* Section name (string tbl index) */
elf32_word sh_type; /* Section type */
elf32_word sh_flags; /* Section flags */
elf32_addr sh_addr; /* Section virtual addr at execution */
elf32_off sh_offset; /* Section file offset */
elf32_word sh_size; /* Section size in bytes */
elf32_word sh_link; /* Link to another section */
elf32_word sh_info; /* Additional section information */
elf32_word sh_addralign; /* Section alignment */
elf32_word sh_entsize; /* Entry size if section holds table */
} elf32_shdr;
Section Type(*sh_type*)
PROGBITS: This holds program contents including code, data, and debugger information.
NOBITS: Like PROGBITS. However, it occupies no space.
SYMTAB and DYNSYM: These hold symbol table. [See below]
STRTAB: This is a string table, like the one used in a.out. [See below]
REL and RELA: These hold relocation information.
DYNAMIC and HASH: This holds information related to dynamic linking.
下面列举了一些常见的Section:
.text: (PROGBITS:ALLOC+EXECINSTR)
可执行代码
.data: (PROGBITS:ALLOC+WRITE)
初始化数据
.rodata:(PROGBITS:ALLOC)
只读数据
.bss: (NOBITS:ALLOC+WRITE)
未初始化数据,运行时会置0
.rel.text, .rel.data, and .rel.rodata:(REL)
静态链接的重定位信息
.rel.plt: (REL)
The list of elements in the PLT, which are liable to the relocatio during the dynamic linking(if PLT is used)
.rel.dyn: (REL)
The relocation for dynamically linked functions(if PLT is not used)
.symtab:
符号表
.strtab:
字符串表
.shstrtab:
Section String Table, 段名表
.init, .fini: (PROGBITS:ALLOC+EXECINSTR)
程序初始化与终结代码段
.interp: (PROGBITS:ALLOC)
This section holds the pathname of a program interpreter.For present,this is used to run the run-time dynamic linker to load the program and to link in any required shared libraries.
.got, .plt: (PROGBIT)
动态链接的跳转表和全局入口表.
TIP: 符号表(symtab)和字符串表(strtab)的区别
strtab就是记录ELF文件中的字符串常量,变量名等等
symtab记录的则是函数和变量(符号), 主要用于链接时目标文件之间对地址的引用
下面是基本的Section header tables [0x7c8 = 1992]
[root@bogon ~]# readelf -s a.out there are 29 section headers, starting at offset 0x7c8: section headers: [nr] name type addr off size es flg lk inf al [ 0] null 00000000 000000 000000 00 0 0 0 [ 1] .interp progbits 08048134 000134 000013 00 a 0 0 1 [ 2] .note.abi-tag note 08048148 000148 000020 00 a 0 0 4 [ 3] .hash hash 08048168 000168 000024 04 a 4 0 4 [ 4] .dynsym dynsym 0804818c 00018c 000040 10 a 5 1 4 [ 5] .dynstr strtab 080481cc 0001cc 000045 00 a 0 0 1 [ 6] .gnu.version versym 08048212 000212 000008 02 a 4 0 2 [ 7] .gnu.version_r verneed 0804821c 00021c 000020 00 a 5 1 4 [ 8] .rel.dyn rel 0804823c 00023c 000008 08 a 4 0 4 [ 9] .rel.plt rel 08048244 000244 000010 08 a 4 11 4 [10] .init progbits 08048254 000254 000017 00 ax 0 0 4 [11] .plt progbits 0804826c 00026c 000030 04 ax 0 0 4 [12] .text progbits 080482a0 0002a0 000198 00 ax 0 0 16 [13] .fini progbits 08048438 000438 00001c 00 ax 0 0 4 [14] .rodata progbits 08048454 000454 00000c 00 a 0 0 4 [15] .eh_frame_hdr progbits 08048460 000460 00001c 00 a 0 0 4 [16] .eh_frame progbits 0804847c 00047c 000058 00 a 0 0 4 [17] .ctors progbits 080494d4 0004d4 000008 00 wa 0 0 4 [18] .dtors progbits 080494dc 0004dc 000008 00 wa 0 0 4 [19] .jcr progbits 080494e4 0004e4 000004 00 wa 0 0 4 [20] .dynamic dynamic 080494e8 0004e8 0000c8 08 wa 5 0 4 [21] .got progbits 080495b0 0005b0 000004 04 wa 0 0 4 [22] .got.plt progbits 080495b4 0005b4 000014 04 wa 0 0 4 [23] .data progbits 080495c8 0005c8 000004 00 wa 0 0 4 [24] .bss nobits 080495cc 0005cc 000008 00 wa 0 0 4 [25] .comment progbits 00000000 0005cc 000114 00 0 0 1 [26] .shstrtab strtab 00000000 0006e0 0000e5 00 0 0 1 [27] .symtab symtab 00000000 000c50 000440 10 28 49 4 [28] .strtab strtab 00000000 001090 000249 00 0 0 1 key to flags: w (write), a (alloc), x (execute), m (merge), s (strings) i (info), l (link order), g (group), x (unknown) o (extra os processing required) o (os specific), p (processor specific)
这里的string是以null结尾的字符序列,用来表示Symbol和Section的名称,用索引来引用该字符串
对于Section string[.shstrtab] , ELF Header中的成员变量e_shstrndx则指明了所在Section,
索引则保存在每个Elf32_Shdr的sh_name中
定位和重定位程序的符号定义和引用
Relocation table:
@3:
Program header: 指出怎样创建进程映像,含有每个program header的入口
每个Program segment Header占 32-bytes(即e_phentsize大小)
typedef struct
{
Elf32_Word p_type; /* Segment type */
Elf32_Off p_offset; /* Segment file offset */
Elf32_Addr p_vaddr; /* Segment virtual address */
Elf32_Addr p_paddr; /* Segment physical address */
Elf32_Word p_filesz; /* Segment size in file */
Elf32_Word p_memsz; /* Segment size in memory */
Elf32_Word p_flags; /* Segment flags */
Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;
Type of segment(*p_type*)
PT_PHDR: Specifies the location and size of the program header table itself, both in the file and in the memory image of the program. PT_LOAD: This segment is a loadable segment. PT_DYNAMIC: This array element specifies dynamic linking information. PT_INTERP: This element specified the location and size of a null-terminated path name to invoke as an interpreter.
下面是Program header实例
[root@bogon ~]# readelf -l a.out
Elf file type is EXEC (Executable file)
Entry point 0x80482a0
There are 8 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
INTERP 0x000134 0x08048134 0x08048134 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x004d4 0x004d4 R E 0x1000
LOAD 0x0004d4 0x080494d4 0x080494d4 0x000f8 0x00100 RW 0x1000
DYNAMIC 0x0004e8 0x080494e8 0x080494e8 0x000c8 0x000c8 RW 0x4
NOTE 0x000148 0x08048148 0x08048148 0x00020 0x00020 R 0x4
GNU_EH_FRAME 0x000460 0x08048460 0x08048460 0x0001c 0x0001c R 0x4
GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RW 0x4
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.ABI-tag .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
04 .dynamic
05 .note.ABI-tag
06 .eh_frame_hdr
07
@4:
Section: 提供了目标文件的各项信息(如指令、数据、符号表、重定位信息等)
2. ELF文件分析
很多工具可以用来分析ELF文件
除了上面的readelf外,还有objdump,objcopy等
# objdump -x /bin/ls # 查看ELF文件的section # objdump -j .data -s /bin/ls # 显示指定section内容 # # objcopy -O binary -j .text a.out text.bin # 将.text section导入到text.bin文件中
完整的分析教程: <Linux C编程一站式学习-ELF文件>
3. ELF文件解析
很多地方有对ELF文件的解析 Linux对ELF文件的加载:
execve() –> sys_execve() –> do_execve() –> search_binary_handler() -elf-> load_elf_binary()/load_elf_library()
binutils中readelf很形象的解析了ELF文件
开源项目ELFToolChain
atratus/coLinux/LINE: 其中的ELF Loader值得参考
4. 参考文档
RefSpes: Linux Foundation Referenced Specifications
SysV ABI: System V ABI
ELF规范: Executable and Linking Format Specification V1.2
ELF格式: ELF Format
PE格式: PE Format
