Learning ELF

A few weeks ago I was working with modifying ELF files to muck around with symbols and DWARF data structures.

At first I thought it might be somewhat obscure, but it turns out that it's actually quite straightforward. The only "gotcha" for me was how some sections are both "regular sections" but also, at least from an API perspective from the libelf library, made special/"first-class" - in particular, the string table for section names.

The Gist of it

An ELF file is basically made up of the following, glossing over 32-vs-64 bit concerns.

• A header (Elf32_Ehdr in libelf). This has versions, flags, machine information, etc.
• A program header table, which describes the file in terms of segments - what should get mapped, what's data vs. executable, etc.
• A section header table (an array of Elf32_Shdr) with name, type, offsets. The name is an index into a string table; one of these string tables hold section names, but there may be others for things like symbol strings.
• A collection of sections, which hold all the other information, each described by a section header. There may be sections with no data, and there may be "unused" areas in the file, unreferenced by any section.

The section type effectively tells you how to interpret the section data. For example, string tables hold null-terminated strings, referenced by offset, starting with a zero-length string as a first entry.

Resources

Here are some handy resources for learning and playing with ELF files.

• libelf, the man page for the libelf access library, allowing read and write operations.
• readelf, the tool to dump data from ELF files.
• ELF Format
• Exploring object file formats, which covers both ELF and COFF and Mach-O.
• A minimal, complete and correct ELF file, including interactive visualization of the binary content if you like ot click around.
• ELF page on Wikipedia.

Callback

In some ways, these takes me back to my Chasing Symbols post, which appears will always be work-in-progress (if nothing else, because it seems like the more time passes, the more I keep learning.

Happy binary file layouts!

Tags:  debugging

Home