How to open elf file in windows. What is the .ELF File Extension? Nodes describing data

19.5 Generic URL format Summarizing the above, we note that:? The URL starts with the access protocol used.? For all applications except online news and email, this is followed by the delimiter://.? Then the hostname of the server is specified.? Finally

3.3.1. RSS Format You can read site news in different ways. The easiest way is to visit the site from time to time and view new messages. You can put a program that connects to a news channel and itself receives headlines or annotations of news, according to

MP3 Format The MP3 format was created to distribute music files compressed with the MPEG 1 level 3 codec. It is currently the most popular format for distributing music over the Internet, and beyond. It is supported by absolutely all programs for recording and processing sound, for

MP3 Format The audio compression method, as well as the format of compressed audio files, proposed by the international organization MPEG (Moving Pictures Experts Group - Video Recording Experts Group), is based on perceptual audio coding. Work on the creation of efficient coding algorithms

The ELF Format The ELF format has several types of files that we have called differently so far, such as an executable file or an object file. However, the ELF standard distinguishes between the following types:1. A relocatable file that contains instructions and data that can be

Number Format Finally got to the number format. I have already mentioned it more than once, now I will put everything on the shelves (although you could already understand the general meaning). Numbers in Excel can be displayed in various formats. In this section, we will talk about what number formats exist and how

In this review, we will only talk about the 32-bit version of this format, because we do not need the 64-bit one yet.

Any ELF file (including object modules of this format) consists of the following parts:

• ELF file header;
• Table of program sections (may be absent in object modules);
• Sections of the ELF file;
• Section table (may not be present in the executable module);
• For performance reasons, ELF format does not use bit fields. And all structures are usually 4-byte aligned.

Now let's look at the types used in the headers of ELF files:

Now consider the file header:

#define EI_NIDENT 16 struct elf32_hdr (unsigned char e_ident; Elf32_Half e_type; Elf32_Half e_machine; Elf32_Word e_version; Elf32_Addr e_entry; / * Entry point * / Elf32_Off e_phoff; Elf32_Off e_shoff; Elf32_Word e_flags; Elf32_Half e_ehsize; Elf32_Half e_phentsize; Elf32_Half e_phnum; Elf32_Half e_shentsize; Elf32_Half e_shnum; Elf32_Half e_shstrndx; );

The e_ident array contains information about the system and consists of several subfields.

Struct ( unsigned char ei_magic; unsigned char ei_class; unsigned char ei_data; unsigned char ei_version; unsigned char ei_pad; )

• ei_magic - constant value for all ELF files, equal to ( 0x7f, "E", "L", "F")
• ei_class - ELF file class (1 - 32 bits, 2 - 64 bits which we don't consider)
• ei_data - determines the byte order for this file (this order depends on the platform and can be direct (LSB or 1) or reverse (MSB or 2)) For Intel processors, only the value 1 is allowed.
• ei_version is a rather useless field, and if not equal to 1 (EV_CURRENT) then the file is considered invalid.

The ei_pad field is where operating systems store their identification information. This field may be empty. It doesn't matter to us either.

The e_type header field can contain multiple values, for executable files it must be ET_EXEC equal to 2

e_machine - determines the processor on which this executable file can run (For us, the value of EM_386 is 3)

The e_version field corresponds to the ei_version field from the header.

The e_entry field defines the starting address of the program, which is placed in eip before starting the program.

The e_phoff field specifies the offset from the beginning of the file where the program section table is located, used to load programs into memory.

I will not list the purpose of all fields, not all are needed for loading. I will describe only two more.

The e_phentsize field defines the size of the entry in the program section table.

And the e_phnum field specifies the number of entries in the program section table.

The section table (non-program) is used to link programs. we will not consider it. Also, we will not consider dynamically linked modules. This topic is quite complicated, not suitable for a first acquaintance. :)

Now about the program sections. The format of the program section table entry is as follows:

Struct elf32_phdr( Elf32_Word p_type; Elf32_Off p_offset; Elf32_Addr p_vaddr; Elf32_Addr p_paddr; Elf32_Word p_filesz; Elf32_Word p_memsz; Elf32_Word p_flags; Elf32_Word p_align; );

More about fields.

• p_type - defines the type of program section. It can take several values, but we are only interested in one. PT_LOAD(1). If the section is of this type, then it is intended to be loaded into memory.
• p_offset - determines the offset in the file from which this section begins.
• p_vaddr Specifies the virtual address where this section should be loaded into memory.
• p_paddr - defines the physical address where this section should be loaded. This field does not have to be used and is only meaningful for some platforms.
• p_filesz - Determines the size of a section in a file.
• p_memsz - determines the size of a section in memory. This value may be greater than the previous one. The p_flag field defines the type of access to sections in memory. Some sections are allowed to be performed, some to be recorded. Everyone is available for reading in existing systems.

Loading the ELF format.

With the title, we figured it out a bit. Now I will give an algorithm for loading a binary file of the ELF format. The algorithm is schematic, you should not consider it as a working program.

Int LoadELF (unsigned char *bin) ( struct elf32_hdr *EH = (struct elf32_hdr *)bin; struct elf32_phdr *EPH; if (EH->e_ident != 0x7f || // Control MAGIC EH->e_ident != "E" || EH->e_ident != "L" || EH->e_ident != "F" || EH->e_ident != ELFCLASS32 || // Control class EH->e_ident != ELFDATA2LSB || // byte order EH->e_ident != EV_CURRENT || // version EH->e_type != ET_EXEC || // type EH->e_machine != EM_386 || // platform EH->e_version != EV_CURRENT) // and again version, just in case return ELF_WRONG; EPH = (struct elf32_phdr *)(bin + EH->e_phoff); while (EH->e_phnum--) ( if (EPH->p_type == PT_LOAD) memcpy (EPH->p_vaddr, bin + EPH->p_offset, EPH->p_filesz); EPH = (struct elf32_phdr *)((unsigned char *)EPH + EH->e_phentsize)); ) return ELF_OK; )

On a serious note, it’s worth analyzing the EPH->p_flags fields and setting access rights to the corresponding pages, and simply copying won’t work here, but this no longer applies to the format, but to memory allocation. Therefore, we will not talk about it now.

PE format.

In many ways, it is similar to the ELF format, and not surprisingly, there should also be sections available for download.

Like everything in Microsoft :) the PE format is based on the EXE format. The file structure is:

• 00h - EXE header (I will not consider it, it is old as Dos. :)
• 20h - OEM header (nothing significant in it);
• 3ch - real PE header offset in the file (dword).
• stub movement table;
• stub;
• PE header;
• object table;
• file objects;

stub is a program that runs in real mode and does some preliminary work. It may not be available, but sometimes it may be needed.

We are interested in something else, the PE header.

Its structure is like this:

Struct pe_hdr ( unsigned long pe_sign; unsigned short pe_cputype; unsigned short pe_objnum; unsigned long pe_time; unsigned long pe_cofftbl_off; unsigned long pe_cofftbl_size; unsigned short pe_nthdr_size; unsigned short pe_flags; unsigned short pe_magic; unsigned short pe_link_peverdata_code; unsigned long_size; ; unsigned long pe_udata_size; unsigned long pe_entry; unsigned long pe_code_base; unsigned long pe_data_base; unsigned long pe_image_base; unsigned long pe_obj_align; unsigned long pe_file_align; // ... well, and a lot of other things, unimportant. );

Lots of things are there. Suffice it to say that the size of this header is 248 bytes.

And the main thing is that most of these fields are not used. (Who builds like that?) No, of course, they have a well-known purpose, but my test program, for example, contains zeros in the fields pe_code_base, pe_code_size, etc., but it works fine. The conclusion suggests itself that the file is loaded based on the table of objects. That's what we'll talk about.

The object table follows immediately after the PE header. The entries in this table have the following format:

Struct pe_ohdr ( unsigned char o_name; unsigned long o_vsize; unsigned long o_vaddr; unsigned long o_psize; unsigned long o_poff; unsigned char o_reserved; unsigned long o_flags; );

• o_name - section name, it is absolutely indifferent for loading;
• o_vsize - section size in memory;
• o_vaddr - memory address relative to ImageBase;
• o_psize - section size in the file;
• o_poff - section offset in the file;
• o_flags - section flags;

Here it is worth dwelling on the flags in more detail.

• 00000004h - used for code with 16 bit offsets
• 00000020h - code section
• 00000040h - initialized data section
• 00000080h - uninitialized data section
• 00000200h - comments or any other type of information
• 00000400h - overlay section
• 00000800h - will not be part of the program image
• 00001000h - general data
• 00500000h - default alignment unless otherwise specified
• 02000000h - can be unloaded from memory
• 04000000h - not cached
• 08000000h - not pageable
• 10000000h - shared
• 20000000h - feasible
• 40000000h - can be read
• 80000000h - you can write

Again, I will not be with shared and overlay sections, we are interested in code, data and access rights.

In general, this information is already enough to download a binary file.

Loading PE format.

This is again not a finished program, but a loading algorithm.

And again, many points are not covered, as they go beyond the topic.

But now it’s worth talking a little about the existing system features.

System features.

Despite the flexibility of the protections available in processors (protection at the level of descriptor tables, protection at the segment level, page level protection), in existing systems (both in Windows and in Unix), only page protection is fully used, which, although it can keep code from being written, but cannot keep data from being executed. (Maybe this is the reason for the abundance of system vulnerabilities?)

All segments are addressed from linear address zero and extend to the end of linear memory. Process demarcation occurs only at the page table level.

In this regard, all modules are linked not from the starting addresses, but with a sufficiently large offset in the segment. On Windows, the base address in the segment is 0x400000, on Unix (Linux or FreeBSD) it is 0x8048000.

Some features are also related to the paging of memory.

ELF files are linked in such a way that the boundaries and sizes of sections fall on 4 kilobyte blocks of the file.

And in the PE format, despite the fact that the format itself allows you to align sections of 512 bytes, 4k section alignment is used, a smaller alignment in Windows is not considered correct.

If your computer has antivirus program can scan all files on the computer, as well as each file individually. You can scan any file by right-clicking on the file and selecting the appropriate option to scan the file for viruses.

For example, in this figure, file my-file.elf, then you need to right-click on this file, and in the file menu select the option "scan with AVG". Selecting this option will open AVG Antivirus and scan the file for viruses.

Sometimes an error can result from incorrect software installation, which may be due to a problem that occurred during the installation process. It may interfere with your operating system associate your ELF file with the correct software application, influencing the so-called "file extension associations".

Sometimes simple reinstalling Dolphin (emulator) may solve your problem by properly linking ELF with Dolphin (emulator). In other cases, file association problems may result from bad software programming developer, and you may need to contact the developer for further assistance.

Advice: Try updating Dolphin (emulator) to the latest version to make sure you have the latest patches and updates.

This may seem too obvious, but often the ELF file itself may be causing the problem. If you received a file via an email attachment or downloaded it from a website and the download process was interrupted (for example, by a power outage or other reason), the file may be corrupted. If possible, try to get a fresh copy of the ELF file and try to open it again.

Carefully: A corrupted file can cause collateral damage to previous or existing malware on your PC, so it's important to keep your computer up to date with an up-to-date antivirus.

If your ELF file associated with the hardware on your computer to open the file you may need update device drivers associated with this equipment.

This problem usually associated with media file types, which depend on the successful opening of the hardware inside the computer, for example, sound card or video card. For example, if you are trying to open an audio file but cannot open it, you may need to update sound card drivers.

Advice: If when you try to open an ELF file you get .SYS file related error message, the problem could probably be associated with corrupted or outdated device drivers that need to be updated. This process can be facilitated by using driver update software such as DriverDoc.

If the steps didn't solve the problem and you are still having problems opening ELF files, this may be due to lack of available system resources. Some versions of ELF files may require a significant amount of resources (eg. memory/RAM, processing power) to open properly on your computer. This problem is quite common if you are using fairly old computer hardware and a much newer operating system at the same time.

This problem can occur when the computer is having a hard time completing a task because the operating system (and other services running in the background) can consume too many resources to open ELF file. Try closing all applications on your PC before opening Nintendo Wii Game File. By freeing up all available resources on your computer, you will ensure the best conditions for trying to open the ELF file.

If you completed all the above steps and your ELF file still won't open, you may need to run hardware upgrade. In most cases, even with older hardware versions, the processing power can still be more than enough for most user applications (unless you're doing a lot of CPU-intensive work like 3D rendering, financial/science modeling, or media-intensive work) . In this way, it is likely that your computer does not have enough memory(more commonly referred to as "RAM", or RAM) to perform the task of opening a file.

Version of this answer with good TOC and more content: http://www.cirosantilli.com/elf-hello-world (click here 30k char limit)

Standards

ELF is given by LSB:

• core generic: http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/elf-generic.html
• core AMD64: http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-AMD64/LSB-Core-AMD64/book1.html

LSB mostly refers to other standards with minor extensions, in particular:

generic (both by SCO):

• System V ABI 4.1 (1997) http://www.sco.com/developers/devspecs/gabi41.pdf, not 64 bits, although a magic number is reserved for it. The same for the main files.
• System V ABI Update DRAFT 17 (2003) http://www.sco.com/developers/gabi/2003-12-17/contents.html adds 64 bits. Only updates chapters 4 and 5 of the previous document: the rest remain valid and still referenced.

• specific architecture:

  • IA-32: http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-IA32/LSB-Core-IA32/elf-ia32.html points mainly to http://www.sco.com/developers /devspecs/abi386-4.pdf
  • AMD64: http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-AMD64/LSB-Core-AMD64/elf-amd64.html , basically points to http://www.x86-64.org/ documentation/abi.pdf

A handy resume can be found at:

Its structure can be examined using user-friendly ways such as readelf and objdump .

Create an example

Let's break down a minimal Linux x86-64 executable example:

Section .data hello_world db "Hello world!", 10 hello_world_len equ $ - hello_world section .text global _start _start: mov rax, 1 mov rdi, 1 mov rsi, hello_world mov rdx, hello_world_len syscall mov rax, 60 mov rdi, 0 syscall

Compiled with

Nasm -w+all -f elf64 -o "hello_world.o" "hello_world.asm" ld -o "hello_world.out" "hello_world.o"

• NASM 2.10.09
• Binutils version 2.24 (contains ld)
• Ubuntu 14.04

We don't use a C program as that would complicate the analysis which would be level 2 :-)

hexadecimal representations of binary

Global file structure

An ELF file contains the following parts:

• ELF header. Indicates the position of the section header table and program header table.

  Section header table (optional in the executable). Each of them has section headers e_shnum , each of which indicates the position of the section.

  N partitions with N<= e_shnum (необязательно в исполняемом файле)

  Program header table (only for executable files). Each of these has e_phnum program headers, each of which indicates the position of the segment.

  N segments, with N<= e_phnum (необязательно в исполняемом файле)

The order of these parts is not fixed: the only fixed thing is the ELF header, which must be first in the file: The common docs say:

ELF header

The easiest way to watch the header is:

readelf -h hello_world.o readelf -h hello_world.out

Byte in object file:

00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF...........| 00000010 01 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 |..>.............| 00000020 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 | [email protected]| 00000030 00 00 00 00 40 00 00 00 00 00 40 00 07 00 03 00 |[email protected]@.....|

00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF...........| 00000010 02 00 3e 00 01 00 00 00 b0 00 40 00 00 00 00 00 |..> [email protected]| 00000020 40 00 00 00 00 00 00 00 10 01 00 00 00 00 00 00 |@...............| 00000030 00 00 00 00 40 00 38 00 02 00 40 00 06 00 03 00 |[email protected]@.....|

Presented structure:

Typedef struct (unsigned char e_ident; Elf64_Half e_type; Elf64_Half e_machine; Elf64_Word e_version; Elf64_Addr e_entry; Elf64_Off e_phoff; Elf64_Off e_shoff; Elf64_Word e_flags; Elf64_Half e_ehsize; Elf64_Half e_phentsize; Elf64_Half e_phnum; Elf64_Half e_shentsize; Elf64_Half e_shnum; Elf64_Half e_shstrndx;) Elf64_Ehdr;

Decay by hand:

0 0: EI_MAG = 7f 45 4c 46 = 0x7f "E", "L", "F" : ELF magic number

0 4: EI_CLASS=02=ELFCLASS64: 64-bit elf

0 5: EI_DATA = 01 = ELFDATA2LSB: big end data

0 6: EI_VERSION = 01: format version

0 7: EI_OSABI (2003 only) = 00 = ELFOSABI_NONE: No extensions.

0 8: EI_PAD = 8x 00: reserved bytes. Must be set to 0.

1 0: e_type = 01 00 = 1 (big endian) = ET_REl: relocatable format

In the executable 02 00 for ET_EXEC .

1 2: e_machine = 3e 00 = 62 = EM_X86_64: AMD64 architecture

1 4: e_version = 01 00 00 00: should be 1

1 8: e_entry = 8x 00: entry point of the execution address, or 0 if not applicable, as for an object file, since there is no entry point.

In the executable, this is b0 00 40 00 00 00 00 00 . TODO: what else can we install? The kernel seems to put the IP directly into this value, it is not hardcoded.

2 0: e_phoff = 8x 00: program header table offset, 0 if not.

40 00 00 00 in the executable, meaning it starts right after the ELF header.

2 8: e_shoff = 40 7x 00 = 0x40: section header table file offset, 0 if none.

3 0: e_flags = 00 00 00 00 TODO. Specially for Arch.

3 4: e_ehsize = 40 00: size of this elf header. Why is this field? How can this change?

3 6: e_phentsize = 00 00: size of each program header, 0 if none.

38 00 in executable file: file length is 56 bytes

3 8: e_phnum = 00 00: number of program header entries, 0 if none.

02 00 in the executable: there are 2 entries.

3 A: e_shentsize and e_shnum = 40 00 07 00: section header size and number of entries

Section header table

An array of Elf64_Shdr structures.

Each entry contains metadata about that section.

e_shoff of the ELF header gives the starting position here, 0x40.

e_shentsize and e_shnum from the ELF header say we have 7 entries, each 0x40 long.

So the table takes bytes from 0x40 to 0x40 + 7 + 0x40 - 1 = 0x1FF.

Some section titles are reserved for certain section types: http://www.sco.com/developers/gabi/2003-12-17/ch4.sheader.html#special_sections for example. .text requires type SHT_PROGBITS and SHF_ALLOC + SHF_EXECINSTR

readelf -S hello_world.o:

There are 7 section headers, starting at offset 0x40: Section Headers: Name Type Address Offset Size EntSize Flags Link Info Align [0] NULL 0000000000000000 00000000 0000000000000000 0000000000000000 0 0 0 [1] .data PROGBITS 0000000000000000 00000200 0000000000000000 000000000000000d WA 0 0 4 [ 2] .text PROGBITS 0000000000000000 00000210 0000000000000027 0000000000000000 AX 0 0 16 [3] .shstrtab STRTAB 0000000000000000 00000240 0000000000000032 0000000000000000 0 0 1 [4] .symtab SYMTAB 0000000000000000 00000280 0000000000000018 00000000000000a8 5 6 4 [5] .strtab STRTAB 00000330 0000000000000000 0000000000000034 0000000000000000 0 0 1 [ 6] .rela.text RELA 0000000000000000 00000370 0000000000000018 0000000000000018 4 2 4 Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings), l (large) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific)

struct , represented by each entry:

Typedef struct ( Elf64_Word sh_name; Elf64_Word sh_type; Elf64_Xword sh_flags; Elf64_Addr sh_addr; Elf64_Off sh_offset; Elf64_Xword sh_size; Elf64_Word sh_link; Elf64_Word sh_info; Elf64_Xword sh_addralign; Elf64_Xword sh_entsize; ) Elf64;

Sections

Index section 0

Contained in bytes 0x40 to 0x7F.

The first section is always magical: http://www.sco.com/developers/gabi/2003-12-17/ch4.sheader.html says:

If the number of partitions is greater than or equal to SHN_LORESERVE (0xff00), e_shnum is set to SHN_UNDEF (0) and the actual number of partition header table entries is contained in the sh_size field of the partition header at index 0 (otherwise, the sh_size member of the initial entry contains 0).

There are other magical sections in Figure 4-7: Special Section Indexes.

At index 0, SHT_NULL is required. Are there other uses for this: What is the use of the SHT_NULL section in ELF? ?

.data section

Data is section 1:

00000080 01 00 00 00 01 00 00 00 03 00 00 00 00 00 00 00 |................| 00000090 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 |................| 000000a0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000000b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Here, 1 says that the name of this section starts at the first character of this section and ends at the first NUL character, making up the string.data .

Data is one of the section names which has a predefined meaning http://www.sco.com/developers/gabi/2003-12-17/ch4.strtab.html

These sections store initialized data that contributes to the program's memory image.

• 80 4: sh_type = 01 00 00 00: SHT_PROGBITS: section contents are not specified by ELF, only by how the program interprets it. It's ok, since a .data .

  80 8: sh_flags = 03 7x 00: SHF_ALLOC and SHF_EXECINSTR: http://www.sco.com/developers/gabi/2003-12-17/ch4.sheader.html#sh_flags , as required from the .data section

  90 0: sh_addr = 8x 00: in which virtual address the section will be placed at runtime, 0 if not placed

  90 8: sh_offset = 00 02 00 00 00 00 00 00 = 0x200: number of bytes from the beginning of the program to the first byte in this section

  a0 0: sh_size = 0d 00 00 00 00 00 00 00

  If we take 0xD bytes, starting at sh_offset 200, we see:

  00000200 48 65 6c 6c 6f 20 77 6f 72 6c 64 21 0a 00 |Hello world!.. |

  AHA! So our string "Hello world!" is in the data section, as we said, it's on NASM.

  Once we've finished hd , we'll look at it like this:

  Readelf -x .data hello_world.o

  which outputs:

  Hex dump of section ".data": 0x00000000 48656c6c 6f20776f 726c6421 0a Hello world!.

  NASM sets decent properties for this section because it magically refers to .data: http://www.nasm.us/doc/nasmdoc7.html#section-7.9.2

  Also note that this was the wrong partition choice: a good C compiler would put the line in .rodata instead, because it's read-only, and that would allow OS optimization to continue.

  a0 8: sh_link and sh_info = 8x 0: do not apply to this section type. http://www.sco.com/developers/gabi/2003-12-17/ch4.sheader.html#special_sections

  b0 0: sh_addralign = 04 = TODO: why is this alignment necessary? Is it only for sh_addr and also for characters inside sh_addr ?

  b0 8: sh_entsize = 00 = section does not contain a table. If != 0, this means that the section contains a table of records of a fixed size. In this file, we can see from the readelf output that this is the case for the .symtab and .rela.text sections.

.text section

Now that we've made one section by hand, let's graduate and use readelf -S of the other sections.

Name Type Address Offset Size EntSize Flags Link Info Align [ 2] .text

Text is executable but not writable: if we try to write Linux segfaults to it. Let's see if we really have the code:

Objdump -d hello_world.o

Hello_world.o: file format elf64-x86-64 Disassembly of section .text: 0000000000000000<_start>: 0: b8 01 00 00 00 mov $0x1,%eax 5: bf 01 00 00 00 mov $0x1,%edi a: 48 be 00 00 00 00 00 movabs $0x0,%rsi 11: 00 00 00 14: ba 0d 00 00 00 mov $0xd,%edx 19: 0f 05 syscall 1b: b8 3c 00 00 00 mov $0x3c,%eax 20: bf 00 00 00 00 mov $0x0,%edi 25: 0f 05 syscall

If we have grep b8 01 00 00 on hd , we see that it only happens at 00000210 , which is what this section says. And the size is 27, which also fits. Therefore, we must talk about the correct section.

This looks like the correct code: a write followed by an exit .

The most interesting part is the line a , which does:

Movabs $0x0,%rsi

pass the address of the string to the system call. Currently 0x0 is just a placeholder. After binding, it will change:

4000ba: 48 be d8 00 60 00 00 movabs $0x6000d8,%rsi

This modification is possible due to the data in the .rela.text section.

SHT_STRTAB

Sections with sh_type == SHT_STRTAB are called string tables.

Such sections are used by other sections when string names are to be used. The Usage section says:

• what line do they use
• what is the index in the table of target rows where the row starts

So, for example, we could have a string table containing: TODO: should we start with \0 ?

Data: \0 a b c \0 d e f \0 Index: 0 1 2 3 4 5 6 7 8

And if another section wants to use the string d e f , they must point to index 5 of that section (letter d).

Known string tables:

• .shstrtab
• .strtab

.shstrtab

Section type: sh_type == SHT_STRTAB .

Common name: section title header line.

The section name.shstrtab is reserved. The standard says:

This section contains section names.

This section specifies the e_shstrnd field of the ELF header itself.

The row indices of this section are indicated by the sh_name field of the section headers that denote the rows.

This section does not specify SHF_ALLOC , so it will not appear in the executable.

Readelf -x .shstrtab hello_world.o

Hex dump of section ".shstrtab": 0x00000000 002e6461 7461002e 74,657,874 73,747,274 002e7368 ..data..text..sh 0x00000010 6162002e 73796d74 6162002e strtab..symtab .. 0x00000020 73747274 6162002e 72656c61 2e746578 strtab..rela.tex 0x00000030 7400 t.

The data in this section is in a fixed format: http://www.sco.com/developers/gabi/2003-12-17/ch4.strtab.html

If we look at the other section names, we can see that they all contain numbers, eg. the .text section is numbered 7 .

Then each line ends when the first NUL character is found, e.g. character 12 \0 immediately after .text\0 .

.symtab

Section type: sh_type == SHT_SYMTAB .

Common name: symbol table.

Let's first note that:

• sh_link = 5
• sh_info=6

In the SHT_SYMTAB section, these numbers mean that:

• Strings
• which give symbol names are in section 5, .strtab
• relocation data is in section 6, .rela.text

A good high-level tool for disassembling this section:

Nm hello_world.o

which gives:

0000000000000000 T _start 0000000000000000 d hello_world 000000000000000d a hello_world_len

This is, however, a high-level representation that omits certain types of characters and denotes characters. A more detailed breakdown can be obtained using:

Readelf -s hello_world.o

which gives:

Symbol table ".symtab" contains 7 entries: Num: Value Size Type Bind Vis Ndx Name 0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND 1: 0000000000000000 0 FILE LOCAL DEFAULT ABS hello_world.asm 2: 0000000000000000 0 SECTION LOCAL DEFAULT 1 3: 0000000000000000 0 _

The binary format of the table is documented at http://www.sco.com/developers/gabi/2003-12-17/ch4.symtab.html

Readelf -x .symtab hello_world.o

What gives:

Hex dump of section ".symtab": 0x00000000 00000000 00000000 00000000 00000000 ................ 0x00000010 00000000 00000000 01000000 0400f1ff ............... . 0x00000020 00000000 00000000 00000000 00000000 ................ 0x00000030 00000000 0x00000000 00000000 0x000000 00000000 000000 ................ 0x00000040 00000000 00000000 00000000 0x000000 .............. 0x00000050 00000000 00000000 00000000 00000000 ...... 0x00000070 00000000 00000000 1d000000 0000f1ff ................ 0x00000080 0d000000 00000000 00000000 00000000 ................ 0x00000090 2d000000 10000200 00000000 00000000 -............. 0x000000a0 00000000 00000000 ........

The entries are of type:

Typedef struct ( Elf64_Word st_name; unsigned char st_info; unsigned char st_other; Elf64_Half st_shndx; Elf64_Addr st_value; Elf64_Xword st_size; ) Elf64_Sym;

Like the partition table, the first entry is magic and is set to fixed meaningless values.

Entry 1 has ELF64_R_TYPE == STT_FILE . ELF64_R_TYPE continues inside st_info .

Byte analysis:

10 8: st_name = 01000000 = character 1 in .strtab , which until the next \0 does hello_world.asm

This fragment of the info file can be used by the linker to determine which segments of the segment are coming.

10 12: st_info = 04

Bits 0-3 = ELF64_R_TYPE = Type = 4 = STT_FILE: The main purpose of this entry is to use st_name to specify the name of the file generated by this object file.

Bits 4-7 = ELF64_ST_BIND = Binding = 0 = STB_LOCAL . Required value for STT_FILE .

10 13: st_shndx = Symbol table Header table Index = f1ff = SHN_ABS . Required for STT_FILE .

20 0: st_value = 8x 00: required for value for STT_FILE

20 8: st_size = 8x 00: no allocated size

Now from readelf we quickly interpret the rest.

STT_SECTION

There are two such elements, one pointing to .data and the other to .text (section indexes 1 and 2).

Num: Value Size Type Bind Vis Ndx Name 2: 0000000000000000 0 SECTION LOCAL DEFAULT 1 3: 0000000000000000 0 SECTION LOCAL DEFAULT 2

TODO, what is their purpose?

STT_NOTYPE

Then enter the most important characters:

Num: Value Size Type Bind Vis Ndx Name 4: 0000000000000000 0 NOTYPE LOCAL DEFAULT 1 hello_world 5: 000000000000000d 0 NOTYPE LOCAL DEFAULT ABS hello_world_len 6: 0000000000000000 start NOTYPE GLOBAL _String 2

hello_world is in the .data section (index 1). This value is 0: it points to the first byte of this section.

Start is marked with GLOBAL visibility, as we wrote:

global_start

at NASM. This is necessary as it should be considered as an entry point. Unlike C, NASM labels are local by default.

hello_world_len points to the special st_shndx == SHN_ABS == 0xF1FF .

0xF1FF is chosen so as not to conflict with other sections.

st_value == 0xD == 13 , which is the value we stored there on assembly: the length of the string Hello World! .

This means that the move will not affect this value: it is a constant.

This is a small optimization that our assembler does for us and has ELF support.

If we used the hello_world_len address anywhere, the assembler would fail to mark it as SHN_ABS and the linker would have an extra relocation later.

SHT_SYMTAB in the executable

By default, NASM places the .symtab in the executable.

This is only used for debugging. Without symbols, we are completely blind and must redesign everything.

You can remove it with objcopy and the executable will still work. Such executables are called split executables.

.strtab

Holds strings for the character table.

In this section, sh_type == SHT_STRTAB .

Points to sh_link == 5 of the .symtab section.

Readelf -x .strtab hello_world.o

Hex dump of section ".strtab": 0x00000000 0068656c 6c6f5f77 6f726c64 2e61736d .hello_world.asm 0x00000010 0068656c 6c6f5f77 6f726c64 0068656c .hello_world.hel 0x00000020 6c6f5f77 6f726c64 5f6c656e 005f7374 lo_world_len._st 0x00000030 61727400 art.

This means it's an ELF level restriction that global variables cannot contain NUL characters.

.rela.text

Section type: sh_type == SHT_RELA .

Common name: move section.

Rela.text contains relocation data that specifies how the address should be changed when the last executable is linked. This indicates the bytes of the text area that should be changed when linking occurs with the correct memory locations.

Basically, it converts the object text containing the 0x0 placeholder address:

A:48 be 00 00 00 00 00 movabs $0x0,%rsi 11:00 00 00

to the actual executable code containing the final 0x6000d8:

4000ba: 48 be d8 00 60 00 00 movabs $0x6000d8,%rsi 4000c1: 00 00 00

The sh_info = 6 of the .symtab section was specified.

readelf -r hello_world.o gives:

Relocation section ".rela.text" at offset 0x3b0 contains 1 entries: Offset Info Type Sym. Value Sym. Name + Addend 00000000000c 000200000001 R_X86_64_64 0000000000000000 .data + 0

The section does not exist in the executable.

Actual bytes:

00000370 0c 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 |................| 00000380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Represented struct:

Typedef struct ( Elf64_Addr r_offset; Elf64_Xword r_info; Elf64_Sxword r_addend; ) Elf64_Rela;

370 0: r_offset = 0xC: address to address.text whose address will be changed

370 8: r_info = 0x200000001. Contains 2 fields:

• ELF64_R_TYPE = 0x1: The value depends on the exact architecture.
• ELF64_R_SYM = 0x2: The index of the partition pointed to by the address, therefore .data , which is at index 2.

The AMD64 ABI says that type 1 is called R_X86_64_64 and that it represents the S+A operation where:

• S: the value of the symbol in the object file, here 0 because we are pointing to 00 00 00 00 00 00 00 00 from movabs $0x0,%rsi
• a: the addition present in the r_added field

This address is added to the partition where the move is running.

This move operation operates on 8 bytes.

380 0: r_addend = 0

Thus, in our example, we conclude that the new address will be: S + A = .data + 0 , and thus the first in the data section.

Program Title Table

Displayed only in the executable file.

Contains information about how the executable should be placed in the process's virtual memory.

The executable file is created by the linker object file. The main tasks that the linker performs:

determine which sections of the object files go into which segments of the executable.

In Binutils it comes down to parsing the builder script and working with a lot of defaults.

You can get the linker script used with ld --verbose and install the custom one with ld -T .

navigate through text sections. It depends on how multiple partitions fit into memory.

readelf -l hello_world.out gives:

Elf file type is EXEC (Executable file) Entry point 0x4000b0 There are 2 program headers, starting at offset 64 Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align LOAD 0x0000000000000000 0x0000000000400000 0x0000000000400000 0x00000000000000d7 0x00000000000000d7 RE 200000 LOAD 0x00000000000000d8 0x00000000006000d8 0x00000000006000d8 0x000000000000000d 0x000000000000000d RW 200000 Section to Segment mapping: Segment Sections... 00 .text 01 .data

In the ELF header e_phoff , e_phnum and e_phentsize told us that there are 2 program headers that start at 0x40 and are 0x38 bytes long each, so they are:

00000040 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................| 00000050 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 |[email protected]@.....| 00000060 d7 00 00 00 00 00 00 00 d7 00 00 00 00 00 00 00 |................| 00000070 00 00 20 00 00 00 00 00 |.. ..... |

00000070 01 00 00 00 06 00 00 00 | ........| 00000080 d8 00 00 00 00 00 00 00 d8 00 60 00 00 00 00 00 |..........`.....| 00000090 d8 00 60 00 00 00 00 00 0d 00 00 00 00 00 00 00 |..`.............| 000000a0 0d 00 00 00 00 00 00 00 00 00 20 00 00 00 00 00 |.......... .....| typedef struct ( Elf64_Word p_type; Elf64_Word p_flags; Elf64_Off p_offset; Elf64_Addr p_vaddr; Elf64_Addr p_paddr; Elf64_Xword p_filesz; Elf64_Xword p_memsz; Elf64_Xword p_align; ) Elf64_Phdr;

Breakdown of the first:

• 40 0: p_type = 01 00 00 00 = PT_LOAD: TODO. I think this means it will be loaded into memory. Other types may not necessarily be.
• 40 4: p_flags = 05 00 00 00 = execute and read permissions, do not write TODO
• 40 8: p_offset = 8x 00 TODO: what is this? It looks like offsets from the beginning of the segments. But would that mean that some segments are intertwined? You can play with it a bit: gcc -Wl,-Ttext-segment=0x400030 hello_world.c
• 50 0: p_vaddr = 00 00 40 00 00 00 00 00: starting virtual memory address to load this segment into
• 50 8: p_paddr = 00 00 40 00 00 00 00 00: starting physical address to load into memory. Only questions for systems where the program can set the physical address. Otherwise, as with System V systems, anything can happen. Seems like NASM will just copy p_vaddrr
• 60 0: p_filesz = d7 00 00 00 00 00 00 00: TODO vs p_memsz
• 60 8: p_memsz = d7 00 00 00 00 00 00 00: TODO
• 70 0: p_align = 00 00 20 00 00 00 00 00: 0 or 1 means no alignment is required TODO, what does that mean? otherwise redundant with other fields

The second is similar.

Section to Segment mapping:

the readelf section tells us that:

• 0 - segment.text . Yup, that's why it's executable and not writable.
• 1 - segment.data .