-
elf案例解析-
源代码
/*
 * Sample program whose linked image is dissected on this page.
 * The makefile links it with `ld ... -e main` and no C runtime, so main is
 * the raw entry point: there is no caller to return to, and the process
 * ends itself with a system call instead.
 */
int main()
{
    __asm__(
        "movl $42, %ebx \n\t"   /* first syscall argument: exit status 42 */
        "movl $1 , %eax \n\t"   /* syscall number 1 in the int 0x80 table (exit) */
        "int $0x80 \n\t"        /* legacy 32-bit syscall gate, used here from x86-64 code */
    );
    /*
     * Basic asm has no clobber list, so the compiler is not told that
     * eax/ebx were overwritten; that is tolerable only because the exit
     * call does not return.
     */
}
链接代码
/* link.lds: places .text at a fixed address and drops every other input section. */
MEMORY
{
    /*
     * NOTE(review): in GNU ld region attributes, `!` inverts the letters
     * that follow it, so `R!X` reads as "read-only, not executable".
     * Attributes only steer sections that have no explicit region; .text is
     * assigned with `> CODE` below, which is why the loaded segment still
     * shows p_flags = 5 (R+X) in the dump. `RX` is probably what was meant;
     * confirm.
     */
    CODE (R!X) : ORIGIN = 0x200300 , LENGTH = 16M
}

SECTIONS
{
    /* Code starts at 0x200400, which becomes e_entry via `-e main`. */
    .text 0x200400 :
    {
        *(.text)
    } > CODE

    /* Everything that is not .text is thrown away. */
    "/DISCARD/" :
    {
        *(*)
    }
}
# makefile
# Compiles test.c to an object file and links it by hand with link.lds.
# ld is called directly (no gcc driver), so no C runtime or startup code
# is linked in and the entry symbol has to be named explicitly.
ENTRY = -e main

.PHONY: all clean

all:
	gcc -fno-builtin -c test.c -o test.o -g
	ld -T link.lds test.o -g -o ad.out $(ENTRY)

clean:
	rm -f test.o *.out
hexdump -C ad.out00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 02 00 3e 00 01 00 00 00 00 04 20 00 00 00 00 00 |..>....... .....| 00000020 40 00 00 00 00 00 00 00 38 04 00 00 00 00 00 00 |@.......8.......| 00000030 00 00 00 00 40 00 38 00 02 00 40 00 05 00 02 00 |....@.8...@.....| 00000040 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................| 00000050 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 |.. ....... .....| 00000060 17 04 00 00 00 00 00 00 17 04 00 00 00 00 00 00 |................| 00000070 00 00 20 00 00 00 00 00 51 e5 74 64 06 00 00 00 |.. .....Q.td....| 00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 000000a0 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 |................| 000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000400 55 48 89 e5 bb 2a 00 00 00 b8 01 00 00 00 cd 80 |UH...*..........| 00000410 b8 00 00 00 00 5d c3 00 2e 73 79 6d 74 61 62 00 |.....]...symtab.| 00000420 2e 73 74 72 74 61 62 00 2e 73 68 73 74 72 74 61 |.strtab..shstrta| 00000430 62 00 2e 74 65 78 74 00 00 00 00 00 00 00 00 00 |b..text.........| 00000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000470 00 00 00 00 00 00 00 00 1b 00 00 00 01 00 00 00 |................| 00000480 06 00 00 00 00 00 00 00 00 04 20 00 00 00 00 00 |.......... 
.....| 00000490 00 04 00 00 00 00 00 00 17 00 00 00 00 00 00 00 |................| 000004a0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 000004b0 00 00 00 00 00 00 00 00 11 00 00 00 03 00 00 00 |................| 000004c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000004d0 17 04 00 00 00 00 00 00 21 00 00 00 00 00 00 00 |........!.......| 000004e0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 000004f0 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 |................| 00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000510 78 05 00 00 00 00 00 00 78 00 00 00 00 00 00 00 |x.......x.......| 00000520 04 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 |................| 00000530 18 00 00 00 00 00 00 00 09 00 00 00 03 00 00 00 |................| 00000540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000550 f0 05 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 |................| 00000560 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 00000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000590 00 00 00 00 03 00 01 00 00 04 20 00 00 00 00 00 |.......... .....| 000005a0 00 00 00 00 00 00 00 00 01 00 00 00 04 00 f1 ff |................| 000005b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000005c0 00 00 00 00 04 00 f1 ff 00 00 00 00 00 00 00 00 |................| 000005d0 00 00 00 00 00 00 00 00 08 00 00 00 12 00 01 00 |................| 000005e0 00 04 20 00 00 00 00 00 17 00 00 00 00 00 00 00 |.. .............| 000005f0 00 74 65 73 74 2e 63 00 6d 61 69 6e 00 |.test.c.main.| 000005fd
-
-
分析
-
分析程序
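#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <elf.h>

/*
 * Return 1 when a table of `count` entries of `entsize` bytes that starts at
 * file offset `off` lies entirely inside the first `avail` bytes, else 0.
 * The comparison is arranged so that no intermediate value can wrap.
 */
static int table_in_range(uint64_t off, uint64_t count, uint64_t entsize,
                          uint64_t avail)
{
    if (off > avail)
        return 0;
    if (entsize != 0 && count > (avail - off) / entsize)
        return 0;
    return 1;
}

/*
 * Debugging harness: loads the first bytes of the linked image into `s` so
 * the ELF header, program headers and section headers can be inspected from
 * gdb with casts such as `p *(Elf64_Ehdr*)(s)`.
 *
 * Returns 0 when an ELF64 header was read, 1 when the file cannot be opened,
 * is too short, or does not carry the ELF64 identification bytes.
 */
int main()
{
    static const char path[] = "../ldmemory/ad.out";
    /* Zero-filled so bytes past a short read are defined when dumped. */
    char s[2048] = {0};
    /* Aligned copy of the header; `s` itself has no alignment guarantee. */
    Elf64_Ehdr ehdr;
    Elf64_Ehdr *hdr = &ehdr;
    size_t got;
    FILE *fp;

    fp = fopen(path, "rb");
    if (fp == NULL) {
        perror(path);
        return 1;
    }
    got = fread(s, 1, sizeof s, fp);
    fclose(fp);

    if (got < sizeof ehdr) {
        fprintf(stderr, "%s: only %zu bytes read, too short for an ELF64 header\n",
                path, got);
        return 1;
    }
    memcpy(&ehdr, s, sizeof ehdr);

    if (memcmp(hdr->e_ident, ELFMAG, SELFMAG) != 0 ||
        hdr->e_ident[EI_CLASS] != ELFCLASS64) {
        fprintf(stderr, "%s: not an ELF64 file\n", path);
        return 1;
    }

    /*
     * Offsets, counts and entry sizes come from the file and are untrusted.
     * Check them against the bytes actually read before casting
     * `s + e_phoff` or `s + e_shoff` in the debugger.
     */
    if (hdr->e_phentsize != sizeof(Elf64_Phdr) ||
        !table_in_range(hdr->e_phoff, hdr->e_phnum, hdr->e_phentsize, got))
        fprintf(stderr, "%s: program header table is not inside the %zu bytes read\n",
                path, got);
    if (hdr->e_shentsize != sizeof(Elf64_Shdr) ||
        !table_in_range(hdr->e_shoff, hdr->e_shnum, hdr->e_shentsize, got))
        fprintf(stderr, "%s: section header table is not inside the %zu bytes read\n",
                path, got);

    /* Set a breakpoint on the return below to inspect `s` and `*hdr`. */
    return 0;
}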
调试
(gdb) p *(Elf64_Ehdr*)(s) $17 = {e_ident = "\177ELF\002\001\001\000\000\000\000\000\000\000\000", e_type = 2, e_machine = 62, e_version = 1, e_entry = 2098176, e_phoff = 64, e_shoff = 1080, e_flags = 0, e_ehsize = 64, e_phentsize = 56, e_phnum = 2, e_shentsize = 64, e_shnum = 5, e_shstrndx = 2} (gdb) p *(Elf64_Phdr*)(s + 64) $18 = {p_type = 1, p_flags = 5, p_offset = 0, p_vaddr = 2097152, p_paddr = 2097152, p_filesz = 1047, p_memsz = 1047, p_align = 2097152} (gdb) p *(Elf64_Phdr*)(s + 64 + 56) $19 = {p_type = 1685382481, p_flags = 6, p_offset = 0, p_vaddr = 0, p_paddr = 0, p_filesz = 0, p_memsz = 0, p_align = 16} (gdb) p *(Elf64_Shdr*)(s + 1080) $20 = {sh_name = 0, sh_type = 0, sh_flags = 0, sh_addr = 0, sh_offset = 0, sh_size = 0, sh_link = 0, sh_info = 0, sh_addralign = 0, sh_entsize = 0} (gdb) p *(Elf64_Shdr*)(s + 1080 + 64) $21 = {sh_name = 27, sh_type = 1, sh_flags = 6, sh_addr = 2098176, sh_offset = 1024, sh_size = 23, sh_link = 0, sh_info = 0, sh_addralign = 1, sh_entsize = 0} (gdb) p *(Elf64_Shdr*)(s + 1080 + 64 + 64) $22 = {sh_name = 17, sh_type = 3, sh_flags = 0, sh_addr = 0, sh_offset = 1047, sh_size = 33, sh_link = 0, sh_info = 0, sh_addralign = 1, sh_entsize = 0} (gdb) p *(Elf64_Shdr*)(s + 1080 + 64 + 64 + 64) $23 = {sh_name = 1, sh_type = 2, sh_flags = 0, sh_addr = 0, sh_offset = 1400, sh_size = 120, sh_link = 4, sh_info = 4, sh_addralign = 8, sh_entsize = 24} (gdb) p *(Elf64_Shdr*)(s + 1080 + 64 + 64 + 64 + 64) $24 = {sh_name = 9, sh_type = 3, sh_flags = 0, sh_addr = 0, sh_offset = 1520, sh_size = 13, sh_link = 0, sh_info = 0, sh_addralign = 1, sh_entsize = 0}-
ELF 标准头(Elf64_Ehdr)的长度为 sizeof(Elf64_Ehdr)=64 字节,即 e_ehsize;program header 表紧随其后,所以 e_phoff 也是 64。 -
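program header 表位于文件偏移 e_phoff=64 处,共有 e_phnum=2 个表项,每个长 e_phentsize=56 字节(Program Header ENTry SIZE)。第一个是 PT_LOAD(p_type=1,p_flags=5,即 R+X);第二个的 p_type=1685382481(0x6474e551)是 PT_GNU_STACK,p_flags=6(R+W,不含 X)表示栈不可执行。 -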
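section header 表位于文件偏移 e_shoff=1080 处,共有 e_shnum=5 个表项,每个长 e_shentsize=64 字节。节名字符串表(字符串存储位置)是第 e_shstrndx=2 个节;也可以按类型 sh_type=3(SHT_STRTAB)查找,但本例中该类型的节有两个(索引 2 的 .shstrtab 和索引 4 的 .strtab),因此定位节名字符串表应以 e_shstrndx 为准。 -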
sh_offset 表示对应 section 的数据在文件中的偏移,sh_size 表示数据长度。此外还有其他属性,其中 sh_name 表示节名在节名字符串表(.shstrtab)中的起始字节偏移,例如 sh_name=27 对应 ".text"。
-
-
最终结果
0 - 40 ehdr 40 - b0 phdr b0 400 -- file 0 400 - 417 -- section1 417 - 438 -- section2 438 - 578 -- sections 578 - 5f0 -- section3 5f0 - 5fd -- section4(gdb) x /32xb s+128 0x7fffffffde10: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde18: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde20: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde28: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 (gdb) x /64xb s+176 0x7fffffffde40: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde48: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde50: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde58: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde68: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x7fffffffde78: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
-
elf 文件格式解析
本文详细解析了一个简单的ELF文件的结构,包括源代码、链接代码、Makefile及hexdump输出。通过分析程序展示了如何使用结构体解析ELF头、程序头和节头,并在GDB中进行调试,理解其内存布局。



