translation-archives

It is a common standard file format for executable files, relocatable code (object ie .o files), shared libraries, and core dumps. It is a spec of ABI (Application Binary interface). By design it is flexible, extensible, cross-platform, CPU architecture & ISA independent. It can be loaded at any memory address by the kernel and automatically, all symbols used, are adjusted to the offset from that memory address where it was loaded into.

File name extensions : none, .axf, .bin, .elf, .o, .prx, .puff, .ko, .mod and .so

Magic Number : 0x7F ‘E’ ‘L’ ‘F’

 Image Source : Wikipedia

• Program header table : zero or more memory segments. Only appears at executable. It tells how the executable should be put into the process virtual memory (How to create a process image). This is must for process image, executable files and shared objects. For Relocatable object files, this is not needed.
• Section header table : zero or more sections. Tells how or where section should be loaded. Each section entry in table contains section name and section size. Section Header Table must for the files used in link editing.
• Data : of program header table or section header table.
• ELF header (52 or 64 byte long for 32 or 64 bit) : defines whether to use 32 or 64 bits.
• Program header : Tells how to create process image.

Sections are smallest indivisible units in ELF file that can be processed. (Linking view). Sections hold the bulk of object file information for the linking view. This data includes instructions, data, symbol table, and relocation information.

Segments are smallest individual units that can be mapped to memory by exec or linker. (Executable view)

Section vs Segment : In an object file section exists before linking, while segment exists after linking in executable file. Linker puts one or more sections into a single segment.

Sections and segments have no specified order in ELF. Only the ELF header has a fixed position in the file.

Tools :

• readelf : gives info about ELF files. (from GNU binutils).
• elfutils : alternative to binutils.
• elfdump : dumps ELF information of an ELF file.
• objdump : gives info of obj files. It uses the Binary File Descriptor library as a back-end to structure the ELF data.
• file : can display some information about ELF files, including ISA for which the code in a relocatable, executable, or shared object file is intended, or on which an ELF core dump was produced.
• nm : gives symbol information of an object file.

Examples with readelf tool : git clone https://github.com/bit-Control/elf_examples.git

Kernel and ELF :

3 important Program header entry –

• PT_LOAD – areas of the new program’s running memory (code+data section of size of BSS – filled with zero)
• PT_INTERP – run-time linker needed to assemble the complete program.
• PT_GNU_STACK – indicates whether the program’s stack should be made executable or not.

Loading ELF :

1. read elf header (contains info of rest of the file)
2. find program header which directs to text and data section leading to executable image.

Parsing elf executable :

1. Check buffer size to accommodate elf header and program header.
2. Check elf magic number.
3. Check max segment number in program header for validity.
4. Extract segment and entry.
5. Fill corresponding structure of program header from extracted data.

Relocation :

1. Check elf header.
2. Get load address.
3. Allocate space form program sections.
4. Copy from the image in ram to allocated space.
5. Resolve kernel symbol table of external references.
6. Go to entry point using entry point in header as base plus offset or do a symbol lookup or just return a success. Hence driver can be loaded later also.

Github Projects :

LIEF – Library to Instrument Executable Formats

Information Resources :

• Wikipedia
• SYSTEM V APPLICATION BINARY INTERFACE
• System V Application Binary Interface – DRAFT – 10 June 2013
• ELF for the ARM® Architecture
• ELF reference
• Understanding the ELF
• The 101 of ELF Binaries on Linux: Understanding and Analysis
• The ELF Object File Format: Introduction
• MANpage : ELF(5) Linux Programmer’s Manual
• System V Application Binary Interface : AMD64 Architecture Processor Supplement
• ELF example 001
• A collection of programs that access and manipulate ELF files
• An ELF parsing and manipulation library for Python
• ELF walkthrough (pictorial)
• ELF Hello World Tutorial
• kernel documentation
• How programs get run: ELF binaries
• Optimising ELF
• Squeezing ELF
• Paper [Security] An Evil Copy: How the Loader Betrays You
• ELF : Oracle docs
• ELF hello 002
• ELF article 001
• teensy elf executable (64 bit)
• Ones and Zeros, Part 2:  Making Executable Files
• Load-time relocation of shared libraries
• Position Independent Code (PIC) in shared libraries
• Relocatable vs. Position-Independent Code (or, Virtual Memory isn’t Just For Swap)
• About readelf
• ARM ELF format
• OSDev Wiki
• https://www.bottomupcs.com/elf.xhtml
• Patch a elf binary in linux with radare2
• Use gdb to Modify Binary
• Using GDB to modify an executable
• Doing a Reverse Hex Dump
• Modifying Linux ELF Binaries – Changing Callq Addresses
• How can I change the values in esp?
• What are the available libraries to statically modify ELF executables?
• fixing bugs in binaries using r2
• patch elf
• ELF spec
• Screwing elf header for fun and profit
• Security : Breaking ELF software with Melkor fuzzer
• Deconstructing an ELF File
• IELFO – ELF File Producer Interface
• ELF & ABI collection
• The ELF file format
• ELF slides
• Analyzing the Linker Map file with a little help from the ELF and the DWARF
• Signing and verifying ELF files
• An ELF virus prototype
• PatchELF
• The Art Of ELF: Analysis and Exploitations
• A collection of resources for linux reverse engineering
• Lab 03 – Executables. Static Analysis

Book :

Learning Linux Binary Analysis

---

Translation: https://dongs.xyz/post/translations/elf-executable-and-linkable-format/

This site is open source. Improve this page.