elf-file-format.txt


/*
 * Accessors for the two fields packed into the r_info word of a
 * relocation entry: the low 8 bits carry the relocation type and the
 * bits above them carry the index of the referenced symbol-table entry.
 * That index is read straight from the file, so code parsing untrusted
 * objects should range-check it against the number of symbol entries
 * before using it as a subscript.
 */
#define ELF32_R_TYPE(info) ((info) & 0xff)
#define ELF32_R_SYM(info)  ((info) >> 8)

typedef struct elf32_rel {
  Elf32_Addr    r_offset;
  Elf32_Word    r_info;
} Elf32_Rel;

每个Elf32_Rel项为8 Bytes大小,.rel.text节有5项,.rel.data节有1项:
r_offset是需要重定位的位置在对应节中的偏移量;
r_info是一个无符号32位数,由上面定义的两个宏可知它包含两部分: 低8位是type,高24位是sym,即在.symtab中的索引值。解析不可信的文件时,应先确认该索引小于.symtab的项数再使用。
.symtab  section header
000002a0  01 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00  |................|
000002b0  f0 02 00 00 20 01 00 00  0a 00 00 00 0d 00 00 00  |.... ...........|
000002c0  04 00 00 00 10 00 00 00                           |........        |

.strtab section header
000002c0                           09 00 00 00 03 00 00 00  |        ........|
000002d0  00 00 00 00 00 00 00 00  10 04 00 00 90 00 00 00  |................|
000002e0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

.symtab section
000002f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000300  01 00 00 00 00 00 00 00  00 00 00 00 04 00 f1 ff  |................|
00000310  00 00 00 00 00 00 00 00  00 00 00 00 03 00 01 00  |................|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 03 00 03 00  |................|
00000330  00 00 00 00 00 00 00 00  00 00 00 00 03 00 05 00  |................|
00000340  00 00 00 00 00 00 00 00  00 00 00 00 03 00 06 00  |................|
00000350  0a 00 00 00 00 00 00 00  19 00 00 00 01 00 06 00  |................|
00000360  22 00 00 00 00 00 00 00  24 00 00 00 02 00 01 00  |".......$.......|
00000370  27 00 00 00 00 00 00 00  18 00 00 00 01 00 03 00  |'...............|
00000380  2a 00 00 00 24 00 00 00  11 00 00 00 02 00 01 00  |*...$...........|
00000390  2f 00 00 00 38 00 00 00  11 00 00 00 02 00 01 00  |/...8...........|
000003a0  35 00 00 00 19 00 00 00  0c 00 00 00 01 00 06 00  |5...............|
000003b0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 07 00  |................|
000003c0  46 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |F...............|
000003d0  51 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |Q...............|
000003e0  62 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |b...............|
000003f0  75 00 00 00 24 00 00 00  11 00 00 00 12 00 01 00  |u...$...........|
00000400  81 00 00 00 38 00 00 00  11 00 00 00 12 00 01 00  |....8...........|

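/*
 * Symbol binding (STB_*) and symbol type (STT_*) codes, together with the
 * macros that extract them from the one-byte st_info field of a symbol
 * table entry.
 */

/* Binding: held in the high four bits of st_info. */
#define STB_LOCAL  0
#define STB_GLOBAL 1
#define STB_WEAK   2

/* Type: held in the low four bits of st_info. */
#define STT_NOTYPE  0
#define STT_OBJECT  1
#define STT_FUNC    2
#define STT_SECTION 3
#define STT_FILE    4

/*
 * Each field is four bits wide, so a file can carry values that have no
 * name in the lists above. Code that parses untrusted objects should
 * handle such values explicitly instead of using the result as an
 * unchecked table index.
 */
#define ELF_ST_BIND(x)          ((x) >> 4)
/* The argument is parenthesized so that the cast applies to the whole
 * expression passed in, not only to its first operand. */
#define ELF_ST_TYPE(x)          (((unsigned int)(x)) & 0xf)
#define ELF32_ST_BIND(x)        ELF_ST_BIND(x)
#define ELF32_ST_TYPE(x)        ELF_ST_TYPE(x)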

/*
 * One entry of the 32-bit symbol table (.symtab). The page's section
 * header gives an entry size of 0x10 bytes for this table.
 * Every field is read from the file, so a parser handling untrusted
 * objects must validate st_name and st_shndx before using them as an
 * offset or an index.
 */
typedef struct elf32_sym{
  /* Offset of the symbol's name inside the string table (.strtab). */
  Elf32_Word    st_name;
  /* Symbol value; in the page's relocatable object this looks like an
   * offset inside the section named by st_shndx -- confirm for other
   * file types. */
  Elf32_Addr    st_value;
  /* Size of the symbol in bytes (0 when there is none). */
  Elf32_Word    st_size;
  /* Binding in the high four bits, type in the low four bits; split with
   * ELF_ST_BIND / ELF_ST_TYPE. */
  unsigned char st_info;
  /* Zero in every entry of the page's dump. */
  unsigned char st_other;
  /* Index of the section header the symbol belongs to. The dump also
   * shows 0x0000 and 0xfff1, which are reserved values rather than real
   * indexes, so check the range before indexing the section table. */
  Elf32_Half    st_shndx;
} Elf32_Sym;

.strtab section
00000410  00 64 70 74 65 73 74 2e  63 00 5f 5f 6d 6f 64 75  |.dptest.c.__modu|
00000420  6c 65 5f 6b 65 72 6e 65  6c 5f 76 65 72 73 69 6f  |le_kernel_versio|
00000430  6e 00 68 6f 6f 6b 00 6f  70 00 69 6e 69 74 00 63  |n.hook.op.init.c|
00000440  6c 65 61 6e 00 5f 5f 6d  6f 64 75 6c 65 5f 6c 69  |lean.__module_li|
00000450  63 65 6e 73 65 00 70 72  69 6e 74 5f 64 72 6f 70  |cense.print_drop|
00000460  00 6e 66 5f 72 65 67 69  73 74 65 72 5f 68 6f 6f  |.nf_register_hoo|
00000470  6b 00 6e 66 5f 75 6e 72  65 67 69 73 74 65 72 5f  |k.nf_unregister_|
00000480  68 6f 6f 6b 00 69 6e 69  74 5f 6d 6f 64 75 6c 65  |hook.init_module|
00000490  00 63 6c 65 61 6e 75 70  5f 6d 6f 64 75 6c 65 00  |.cleanup_module.|

通过.symtab section header和.strtab section header,可以分别找到对应的section实体: 

在.symtab section中,每个Elf32_Sym是16 Bytes,一共包含18个entry,每个entry中: 

st_name是在.strtab section中可以找到的相对值,在.strtab中的字符串 
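st_value是符号的值;在这个可重定位文件(.o)中,它是符号在st_shndx所指section内的偏移,例如hook为0,init为0x24,clean为0x38 
st_size是符号所占的字节数,例如hook为0x24,init和clean各为0x11 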
st_info有8个bit,又分为两部分: 
低四位是type,有NOTYPE,OBJECT,FUNC,SECTION,FILE五种,值为0,1,2,3,4 
高四位是bind,有LOCAL,GLOBAL,WEAK三种,值为0,1,2 
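st_other存放符号的可见性(visibility),本例中各项均为0,即DEFAULT 
st_shndx是一个16位数,表明符号所在section在section header table中的索引;0(SHN_UNDEF,未定义)和0xfff1(SHN_ABS)等保留值不是真正的索引,解析不可信的文件时应先检查其范围再用作下标 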
在.strtab section所存与.shstrtab作用类似,专用于存储字符串。 

其中又可得出若干规律如下: 

与section header table类似的是,第0项为空,不起任何作用。 
每个PROGBITS section都有一个值为空的sym结构 
在C语言中标明为extern类型的都是GLOBAL 
由本文件内导出的sym都是GLOBAL,shndx为其所在section的索引 
由其它文件导入的sym都是GLOBAL,shndx为0(SHN_UNDEF) 
crq@106 $ objdump -d dptest.o

dptest.o:     file format elf32-i386

Disassembly of section .text:

00000000 <.text>:
   0:   83 ec 0c                sub    $0xc,%esp
   3:   8b 15 00 00 00 00       mov    0x0,%edx
   9:   85 d2                   test   %edx,%edx
   b:   74 0e                   je     0x1b
   d:   83 ec 0c                sub    $0xc,%esp
  10:   8b 44 24 20             mov    0x20(%esp,1),%eax
  14:   ff 30                   pushl  (%eax)
  16:   ff d2                   call   *%edx
  18:   83 c4 10                add    $0x10,%esp
  1b:   b8 01 00 00 00          mov    $0x1,%eax
  20:   83 c4 0c                add    $0xc,%esp
  23:   c3                      ret
  24:   83 ec 18                sub    $0x18,%esp
  27:   68 00 00 00 00          push   $0x0
  2c:   e8 fc ff ff ff          call   0x2d
  31:   83 c4 1c                add    $0x1c,%esp
  34:   c3                      ret
  35:   8d 76 00                lea    0x0(%esi),%esi
  38:   83 ec 18                sub    $0x18,%esp
  3b:   68 00 00 00 00          push   $0x0
  40:   e8 fc ff ff ff          call   0x41
  45:   83 c4 1c                add    $0x1c,%esp
  48:   c3                      ret

原始文件: 

crq@110 $ hexdump -C dptest.o
00000000  7f 45 4c 46 01 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  01 00 03 00 01 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  38 01 00 00 00 00 00 00  34 00 00 00 00 00 28 00  |8.......4.....(.|
00000030  0b 00 08 00                                       |....            |

.text section
00000030              83 ec 0c 8b  15 00 00 00 00 85 d2 74  |    ...........t|
00000040  0e 83 ec 0c 8b 44 24 20  ff 30 ff d2 83 c4 10 b8  |.....D$ .0......|
00000050  01 00 00 00 83 c4 0c c3  83 ec 18 68 00 00 00 00  |...........h....|
00000060  e8 fc ff ff ff 83 c4 1c  c3 8d 76 00 83 ec 18 68  |..........v....h|
00000070  00 00 00 00 e8 fc ff ff  ff 83 c4 1c c3 00 00 00  |................|

.data section
00000080  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00  |................|
00000090  00 00 00 00 ff ff ff 7f                           |........        |

.modinfo section
00000090                           6b 65 72 6e 65 6c 5f 76  |        kernel_v|
000000a0  65 72 73 69 6f 6e 3d 32  2e 34 2e 33 32 2d 41 43  |ersion=2.4.32-AC|
000000b0  00 6c 69 63 65 6e 73 65  3d 47 50 4c 00           |.license=GPL.   |

.comment section
000000b0                                          00 47 43  |             .GC|
000000c0  43 3a 20 28 47 4e 55 29  20 33 2e 32 2e 32 20 32  |C: (GNU) 3.2.2 2|
000000d0  30 30 33 30 32 32 32 20  28 52 65 64 20 48 61 74  |0030222 (Red Hat|
000000e0  20 4c 69 6e 75 78 20 33  2e 32 2e 32 2d 35 29 00  | Linux 3.2.2-5).|

.shstrtab section
000000f0  00 2e 73 79 6d 74 61 62  00 2e 73 74 72 74 61 62  |..symtab..strtab|
00000100  00 2e 73 68 73 74 72 74  61 62 00 2e 72 65 6c 2e  |..shstrtab..rel.|
00000110  74 65 78 74 00 2e 72 65  6c 2e 64 61 74 61 00 2e  |text..rel.data..|
00000120  62 73 73 00 2e 6d 6f 64  69 6e 66 6f 00 2e 63 6f  |bss..modinfo..co|
00000130  6d 6d 65 6e 74 00 00 00                           |mment...        |

null section header
00000130                           00 00 00 00 00 00 00 00  |        ........|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
.text & .rel.text section header
00000160  1f 00 00 00 01 00 00 00  06 00 00 00 00 00 00 00  |................|
00000170  34 00 00 00 49 00 00 00  00 00 00 00 00 00 00 00  |4...I...........|
00000180  04 00 00 00 00 00 00 00  1b 00 00 00 09 00 00 00  |................|
00000190  00 00 00 00 00 00 00 00  a0 04 00 00 28 00 00 00  |............(...|
000001a0  09 00 00 00 01 00 00 00  04 00 00 00 08 00 00 00  |................|

.data & .rel.data section header
000001b0  29 00 00 00 01 00 00 00  03 00 00 00 00 00 00 00  |)...............|
000001c0  80 00 00 00 18 00 00 00  00 00 00 00 00 00 00 00  |................|
000001d0  04 00 00 00 00 00 00 00  25 00 00 00 09 00 00 00  |........%.......|
000001e0  00 00 00 00 00 00 00 00  c8 04 00 00 08 00 00 00  |................|
000001f0  09 00 00 00 03 00 00 00  04 00 00 00 08 00 00 00  |................|

.bss & .modinfo section header
00000200  2f 00 00 00 08 00 00 00  03 00 00 00 00 00 00 00  |/...............|
00000210  98 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000220  04 00 00 00 00 00 00 00  34 00 00 00 01 00 00 00  |........4.......|
00000230  02 00 00 00 00 00 00 00  98 00 00 00 25 00 00 00  |............%...|
00000240  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

.comment & .shstrtab section header
00000250  3d 00 00 00 01 00 00 00  00 00 00 00 00 00 00 00  |=...............|
00000260  bd 00 00 00 33 00 00 00  00 00 00 00 00 00 00 00  |....3...........|
00000270  01 00 00 00 00 00 00 00  11 00 00 00 03 00 00 00  |................|
00000280  00 00 00 00 00 00 00 00  f0 00 00 00 46 00 00 00  |............F...|
00000290  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

.symtab & .strtab section header
000002a0  01 00 00 00 02 00 00 00  00 00 00 00 00 00 00 00  |................|
000002b0  f0 02 00 00 20 01 00 00  0a 00 00 00 0d 00 00 00  |.... ...........|
000002c0  04 00 00 00 10 00 00 00  09 00 00 00 03 00 00 00  |................|
000002d0  00 00 00 00 00 00 00 00  10 04 00 00 90 00 00 00  |................|
000002e0  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|

.symtab section
000002f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000300  01 00 00 00 00 00 00 00  00 00 00 00 04 00 f1 ff  |................|
00000310  00 00 00 00 00 00 00 00  00 00 00 00 03 00 01 00  |................|
00000320  00 00 00 00 00 00 00 00  00 00 00 00 03 00 03 00  |................|
00000330  00 00 00 00 00 00 00 00  00 00 00 00 03 00 05 00  |................|
00000340  00 00 00 00 00 00 00 00  00 00 00 00 03 00 06 00  |................|
00000350  0a 00 00 00 00 00 00 00  19 00 00 00 01 00 06 00  |................|
00000360  22 00 00 00 00 00 00 00  24 00 00 00 02 00 01 00  |".......$.......|
00000370  27 00 00 00 00 00 00 00  18 00 00 00 01 00 03 00  |'...............|
00000380  2a 00 00 00 24 00 00 00  11 00 00 00 02 00 01 00  |*...$...........|
00000390  2f 00 00 00 38 00 00 00  11 00 00 00 02 00 01 00  |/...8...........|
000003a0  35 00 00 00 19 00 00 00  0c 00 00 00 01 00 06 00  |5...............|
000003b0  00 00 00 00 00 00 00 00  00 00 00 00 03 00 07 00  |................|
000003c0  46 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |F...............|
000003d0  51 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |Q...............|
000003e0  62 00 00 00 00 00 00 00  00 00 00 00 10 00 00 00  |b...............|
000003f0  75 00 00 00 24 00 00 00  11 00 00 00 12 00 01 00  |u...$...........|
00000400  81 00 00 00 38 00 00 00  11 00 00 00 12 00 01 00  |....8...........|

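/*
 * Codes for symbol binding (STB_*) and symbol type (STT_*), and the
 * macros that decode them from the st_info byte of a symbol table entry.
 */

/* Binding values; ELF_ST_BIND reads them from the high four bits. */
#define STB_LOCAL  0
#define STB_GLOBAL 1
#define STB_WEAK   2

/* Type values; ELF_ST_TYPE reads them from the low four bits. */
#define STT_NOTYPE  0
#define STT_OBJECT  1
#define STT_FUNC    2
#define STT_SECTION 3
#define STT_FILE    4

/*
 * A four-bit field can hold values that are not named above. When the
 * input file is untrusted, treat such values as unknown rather than
 * feeding them to a lookup table without a bounds check.
 */
#define ELF_ST_BIND(x)          ((x) >> 4)
/* Parenthesizing the argument makes the cast cover the full expression
 * handed to the macro instead of just its first operand. */
#define ELF_ST_TYPE(x)          (((unsigned int)(x)) & 0xf)
#define ELF32_ST_BIND(x)        ELF_ST_BIND(x)
#define ELF32_ST_TYPE(x)        ELF_ST_TYPE(x)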

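/*
 * One entry of the 32-bit symbol table (.symtab). The page's section
 * header lists an entry size of 0x10 bytes for this table.
 * All fields come from the file; when the file is untrusted, st_name and
 * st_shndx must be validated before being used as an offset or an index.
 */
typedef struct elf32_sym {
  /* Offset of the symbol's name inside the string table (.strtab). */
  Elf32_Word    st_name;
  /* Symbol value; in the page's relocatable object this looks like an
   * offset inside the section named by st_shndx -- confirm for other
   * file types. */
  Elf32_Addr    st_value;
  /* Size of the symbol in bytes (0 when there is none). */
  Elf32_Word    st_size;
  /* Binding in the high four bits, type in the low four bits; decode
   * with ELF_ST_BIND / ELF_ST_TYPE. */
  unsigned char st_info;
  /* Zero in every entry of the page's dump. */
  unsigned char st_other;
  /* Index of the section header the symbol belongs to. The dump also
   * contains 0x0000 and 0xfff1, which are reserved values and not real
   * indexes, so range-check before indexing the section table. */
  Elf32_Half    st_shndx;
} Elf32_Sym;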

.strtab section
00000410  00 64 70 74 65 73 74 2e  63 00 5f 5f 6d 6f 64 75  |.dptest.c.__modu|
00000420  6c 65 5f 6b 65 72 6e 65  6c 5f 76 65 72 73 69 6f  |le_kernel_versio|
00000430  6e 00 68 6f 6f 6b 00 6f  70 00 69 6e 69 74 00 63  |n.hook.op.init.c|
00000440  6c 65 61 6e 00 5f 5f 6d  6f 64 75 6c 65 5f 6c 69  |lean.__module_li|
00000450  63 65 6e 73 65 00 70 72  69 6e 74 5f 64 72 6f 70  |cense.print_drop|
00000460  00 6e 66 5f 72 65 67 69  73 74 65 72 5f 68 6f 6f  |.nf_register_hoo|
00000470  6b 00 6e 66 5f 75 6e 72  65 67 69 73 74 65 72 5f  |k.nf_unregister_|
00000480  68 6f 6f 6b 00 69 6e 69  74 5f 6d 6f 64 75 6c 65  |hook.init_module|
00000490  00 63 6c 65 61 6e 75 70  5f 6d 6f 64 75 6c 65 00  |.cleanup_module.|

.rel.text & .rel.data section
000004a0  05 00 00 00 01 0d 00 00  28 00 00 00 01 03 00 00  |........(.......|
000004b0  2d 00 00 00 02 0e 00 00  3c 00 00 00 01 03 00 00  |-.......<.......|
000004c0  41 00 00 00 02 0f 00 00  08 00 00 00 01 02 00 00  |A...............|
000004d0

/*
 * Split the r_info word of a relocation entry into its two parts:
 * the relocation type (low 8 bits) and the symbol-table index (the bits
 * above). The index originates from the file being parsed; compare it
 * with the number of symbol entries before dereferencing when the file
 * is not trusted.
 */
#define ELF32_R_TYPE(info) ((info) & 0xff)
#define ELF32_R_SYM(info)  ((info) >> 8)

/*
 * One 32-bit relocation entry; it has only the two fields below. The
 * page's section headers give an entry size of 8 bytes for .rel.text
 * and .rel.data.
 */
typedef struct elf32_rel {
  /* Location to patch. In the page's relocatable object this is a byte
   * offset into the section being relocated; for untrusted input, check
   * it against that section's size before writing. */
  Elf32_Addr    r_offset;
  /* Packed symbol index and relocation type; split with ELF32_R_SYM and
   * ELF32_R_TYPE. */
  Elf32_Word    r_info;
} Elf32_Rel;
