OS / Linux - Executable and Linkable Format (ELF)

1 - About

The Executable and Linkable Format (ELF, formerly named Extensible Linking Format) is an object file format for executable files and shared libraries. It is also used for core dumps.

3 - Format

The format of an ELF follows the structure of the object file format.

A program is divided into sections and uses principally the following:

  • .text for code (read-only),
  • .data for data (read-write),
  • .bss for uninitialized data (read-write).

A program must have at least a .text section.
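
The read-only, read-write and executable attributes of the sections listed above are recorded as flag bits in each section header. As an added example (not code from the original page), the Python code below reads the section header table of a little-endian ELF64 file, reports which sections are writable or executable, and flags any section that is both. The image comes from `build_sample`, a hypothetical helper that constructs a minimal sample file; the flag names and values are those of the ELF specification.

```python
import struct

SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4  # sh_flags bits (ELF spec)
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, 64 bytes
SHDR = struct.Struct("<IIQQQQIIQQ")        # ELF64 section header, 64 bytes

def sections(elf):
    """Return [(name, writable, executable)] for a little-endian ELF64 image."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(elf)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shentsize != SHDR.size or shstrndx >= shnum or shoff + shnum * shentsize > len(elf):
        raise ValueError("section header table is malformed or truncated")
    hdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    str_off, str_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = elf[str_off:str_off + str_size]  # section name string table
    out = []
    for sh in hdrs[1:]:  # index 0 is the reserved null section
        name = strtab[sh[0]:].split(b"\0", 1)[0].decode("ascii", "replace")
        out.append((name, bool(sh[2] & SHF_WRITE), bool(sh[2] & SHF_EXECINSTR)))
    return out

def wx_violations(elf):
    """Names of sections that are both writable and executable."""
    return [name for name, w, x in sections(elf) if w and x]

def build_sample(text_flags=SHF_ALLOC | SHF_EXECINSTR):
    """Constructed sample: minimal ELF64 with .text, .data, .bss and .shstrtab."""
    names = b"\0.text\0.data\0.bss\0.shstrtab\0"
    body = b"\xc3\x2a"  # one byte of .text (ret), one byte of .data
    text_off = EHDR.size
    str_off = text_off + len(body)
    shoff = str_off + len(names)
    rows = [(0, 0, 0, 0, 0),  # (name offset, type, flags, file offset, size)
            (names.index(b".text"), 1, text_flags, text_off, 1),
            (names.index(b".data"), 1, SHF_ALLOC | SHF_WRITE, text_off + 1, 1),
            (names.index(b".bss"), 8, SHF_ALLOC | SHF_WRITE, text_off + 2, 16),
            (names.index(b".shstrtab"), 3, 0, str_off, len(names))]
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, len(rows), 4)
    shdrs = b"".join(SHDR.pack(n, t, f, 0, o, s, 0, 0, 1, 0) for n, t, f, o, s in rows)
    return ehdr + body + names + shdrs

if __name__ == "__main__":
    for name, w, x in sections(build_sample()):
        print(f"{name:10} writable={w} executable={x}")
```

To inspect a real binary, pass the file's bytes to `sections` or `wx_violations` instead of the constructed sample.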

3.1 - Section

A section is a block of memory that contains either program code or data.

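| Section Type | Executable by the CPU | Description              |
|--------------|-----------------------|--------------------------|
| code         | yes                   |                          |
| .data        | no                    | for storing data         |
| .bss         | no                    | for storing program data |
| debug        | no                    |                          |
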
  • Sections
# Header
fileName: file format elf64-x86-64
# Series of disassembled sections
Disassembly of section .interp:
...
Disassembly of section .note.ABI-tag:
...
Disassembly of section .note.gnu.build-id:
...
...
etc
  • Row in section
# Row in section with three columns
4004d6: 55 push rbp
# Row in section with an optional fourth column for comment
lea r12,[rip+0x2008ee] # 600e10 <__frame_dummy_init_array_entry>

where:

  • 0x4004d6 is the address of the instruction.
  • 0x55 is the instruction as raw hex bytes.
  • push rbp is the instruction as assembly text. In a .text section these instructions are actual program code. In a .data section this column is meaningless, because the bytes are data rather than instructions.
  • An optional fourth column holds a comment. It appears when the instruction references an address and shows where that address points. Example: the address referenced by [rip+0x2008ee] is 0x600e10, where the variable __frame_dummy_init_array_entry resides.

3.2 - Text Section

Example of text section with two functions:

  • _start
  • and deregister_tm_clones.
00000000004003e0 <_start>:
4003e0: 31 ed xor ebp,ebp
4003e2: 49 89 d1 mov r9,rdx
4003e5: 5e pop rsi
...more assembly code....
0000000000400410 <deregister_tm_clones>:
400410: b8 3f 10 60 00 mov eax,0x60103f
400415: 55 push rbp
400416: 48 2d 38 10 60 00 sub rax,0x601038
...more assembly code....

where:

4 - Management

4.1 - See

5 - Documentation / Reference

os/elf.txt · Last modified: 2018/12/26 16:22 by gerardnico