elf 文件格式解析
elf
案例解析源代码
/*
 * Freestanding entry point: the link step on this page passes `-e main`,
 * so no C runtime start-up code runs before this function.
 *
 * The three instructions load 42 into ebx and 1 into eax, then raise
 * `int $0x80`. In the i386 Linux system-call table number 1 is exit, with
 * the status taken from ebx, so the process ends with status 42 and the
 * compiler-generated epilogue after the asm statement is never reached.
 *
 * NOTE(review): the hexdump on this page shows a 64-bit image
 * (EI_CLASS = 02, e_machine = 0x3e). From 64-bit code `int $0x80` goes
 * through the kernel's 32-bit compatibility entry, so this relies on the
 * kernel being built with IA-32 emulation. Confirm on the target system.
 *
 * The statement is basic asm with no clobber list, so the compiler is not
 * told that eax and ebx change; that is tolerable only because control
 * does not come back from the system call.
 */
int main()
{
    __asm__(
        "movl $42, %ebx \n\t"
        "movl $1 , %eax \n\t"
        "int $0x80 \n\t"
    );
}
链接代码
/*
 * Linker script for the sample: one memory region, one output section.
 *
 * CODE starts at 0x200300 and is 16M long. The attribute string (R!X) is
 * only consulted by ld when it has to pick a region for a section that has
 * no explicit `> region`; .text below is mapped explicitly, so the string
 * does not decide the permissions of the loaded segment. The gdb dump on
 * this page shows the resulting PT_LOAD with p_flags = 5 (read + execute).
 */
MEMORY
{
    CODE (R!X) : ORIGIN = 0x200300 , LENGTH = 16M
}

SECTIONS
{
    /* Pin .text at 0x200400; this is the value that appears as e_entry
       and as sh_addr of section 1 in the dumps on this page. */
    .text 0x200400 : { *(.text) } > CODE

    /* Drop every other input section so the image holds nothing but
       .text plus the tables the linker itself generates. */
    "/DISCARD/" : { *(*) }
}
makefile
# Build the minimal ELF sample: compile test.c, then link it by hand with ld
# and the custom script link.lds. No libc or start-up objects are linked in.
.PHONY:all clean

# -e main makes `main` the ELF entry symbol (e_entry) in place of the
# default start symbol.
ENTRY=-e main

all:
	# -fno-builtin: do not treat standard library functions as compiler builtins.
	# -g: keep debug information in the object file.
	gcc -fno-builtin -c test.c -o test.o -g
	# -T link.lds replaces ld's default linker script with the one on this page.
	ld -T link.lds test.o -g -o ad.out $(ENTRY)

clean:
	rm -f test.o *.out
hexdump -C ad.out
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 00 04 20 00 00 00 00 00 |..>....... .....|
00000020 40 00 00 00 00 00 00 00 38 04 00 00 00 00 00 00 |@.......8.......|
00000030 00 00 00 00 40 00 38 00 02 00 40 00 05 00 02 00 |....@.8...@.....|
00000040 01 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 20 00 00 00 00 00 00 00 20 00 00 00 00 00 |.. ....... .....|
00000060 17 04 00 00 00 00 00 00 17 04 00 00 00 00 00 00 |................|
00000070 00 00 20 00 00 00 00 00 51 e5 74 64 06 00 00 00 |.. .....Q.td....|
00000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000a0 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000400 55 48 89 e5 bb 2a 00 00 00 b8 01 00 00 00 cd 80 |UH...*..........|
00000410 b8 00 00 00 00 5d c3 00 2e 73 79 6d 74 61 62 00 |.....]...symtab.|
00000420 2e 73 74 72 74 61 62 00 2e 73 68 73 74 72 74 61 |.strtab..shstrta|
00000430 62 00 2e 74 65 78 74 00 00 00 00 00 00 00 00 00 |b..text.........|
00000440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000470 00 00 00 00 00 00 00 00 1b 00 00 00 01 00 00 00 |................|
00000480 06 00 00 00 00 00 00 00 00 04 20 00 00 00 00 00 |.......... .....|
00000490 00 04 00 00 00 00 00 00 17 00 00 00 00 00 00 00 |................|
000004a0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000004b0 00 00 00 00 00 00 00 00 11 00 00 00 03 00 00 00 |................|
000004c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000004d0 17 04 00 00 00 00 00 00 21 00 00 00 00 00 00 00 |........!.......|
000004e0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
000004f0 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 |................|
00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000510 78 05 00 00 00 00 00 00 78 00 00 00 00 00 00 00 |x.......x.......|
00000520 04 00 00 00 04 00 00 00 08 00 00 00 00 00 00 00 |................|
00000530 18 00 00 00 00 00 00 00 09 00 00 00 03 00 00 00 |................|
00000540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000550 f0 05 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 |................|
00000560 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
00000570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000590 00 00 00 00 03 00 01 00 00 04 20 00 00 00 00 00 |.......... .....|
000005a0 00 00 00 00 00 00 00 00 01 00 00 00 04 00 f1 ff |................|
000005b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000005c0 00 00 00 00 04 00 f1 ff 00 00 00 00 00 00 00 00 |................|
000005d0 00 00 00 00 00 00 00 00 08 00 00 00 12 00 01 00 |................|
000005e0 00 04 20 00 00 00 00 00 17 00 00 00 00 00 00 00 |.. .............|
000005f0 00 74 65 73 74 2e 63 00 6d 61 69 6e 00 |.test.c.main.|
000005fd
分析
分析程序
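#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <elf.h>

/*
 * Return 1 when a table of `count` entries of `entsize` bytes each, starting
 * at file offset `off`, lies completely inside the first `avail` bytes that
 * were read, and each entry is at least `min_entsize` bytes; otherwise 0.
 */
static int table_in_range(size_t avail, uint64_t off, uint64_t count,
                          uint64_t entsize, size_t min_entsize)
{
    if (count == 0 || entsize < min_entsize || off > avail) {
        return 0;
    }
    /* count and entsize come from 16-bit header fields, so the product
       cannot overflow 64 bits. */
    return count * entsize <= (uint64_t)avail - off;
}

/*
 * Read the sample ELF image into the stack buffer `s` so its headers can be
 * examined from gdb (the session on this page casts `s + offset` to the
 * Elf64_* structures).
 *
 * Every offset and count in an ELF header is data supplied by the file, so
 * none of it is trusted here: the magic and class are checked first, and
 * the table pointers are only set when the table they describe fits inside
 * the bytes that were actually read. A table that does not fit leaves its
 * pointer NULL.
 *
 * Returns 0 on success and 1 when the file cannot be opened or read, or is
 * not a 64-bit ELF image.
 */
int main()
{
    /* 2048 bytes is enough for the sample, whose hexdump ends at 0x5fd;
       a larger file is simply truncated to the first 2048 bytes. */
    char s[2048] = {0};

    /* The three pointers exist mainly so the Elf64_* types are available in
       the debug information; the program itself never dereferences them. */
    Elf64_Ehdr *hdr = NULL;
    Elf64_Shdr *sdr = NULL;
    Elf64_Phdr *pdr = NULL;

    FILE *fp = fopen("../ldmemory/ad.out", "rb");
    if (fp == NULL) {
        perror("../ldmemory/ad.out");
        return 1;
    }

    size_t got = fread(s, 1, sizeof s, fp);
    int read_failed = ferror(fp);
    fclose(fp);
    if (read_failed) {
        fprintf(stderr, "read error on ../ldmemory/ad.out\n");
        return 1;
    }

    if (got < sizeof(Elf64_Ehdr) || memcmp(s, ELFMAG, SELFMAG) != 0 ||
        s[EI_CLASS] != ELFCLASS64) {
        fprintf(stderr, "not a 64-bit ELF image\n");
        return 1;
    }

    /* Work on an aligned copy of the header rather than reading fields
       through a cast of the char buffer.
       NOTE(review): fields are read in host byte order; EI_DATA is not
       checked, so this assumes the file matches the host's endianness. */
    Elf64_Ehdr eh;
    memcpy(&eh, s, sizeof eh);

    hdr = (Elf64_Ehdr *)s;
    if (table_in_range(got, eh.e_phoff, eh.e_phnum, eh.e_phentsize,
                       sizeof(Elf64_Phdr))) {
        pdr = (Elf64_Phdr *)(s + eh.e_phoff);
    }
    if (table_in_range(got, eh.e_shoff, eh.e_shnum, eh.e_shentsize,
                       sizeof(Elf64_Shdr))) {
        sdr = (Elf64_Shdr *)(s + eh.e_shoff);
    }

    /* Kept for inspection in the debugger only. */
    (void)hdr;
    (void)sdr;
    (void)pdr;
    return 0;
}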
主要是包含相关的结构体
调试
(gdb) p *(Elf64_Ehdr*)(s)
$17 = {e_ident = "\177ELF\002\001\001\000\000\000\000\000\000\000\000", e_type = 2,
  e_machine = 62, e_version = 1, e_entry = 2098176, e_phoff = 64, e_shoff = 1080,
  e_flags = 0, e_ehsize = 64, e_phentsize = 56, e_phnum = 2, e_shentsize = 64, e_shnum = 5,
  e_shstrndx = 2}
(gdb) p *(Elf64_Phdr*)(s + 64)
$18 = {p_type = 1, p_flags = 5, p_offset = 0, p_vaddr = 2097152, p_paddr = 2097152,
  p_filesz = 1047, p_memsz = 1047, p_align = 2097152}
(gdb) p *(Elf64_Phdr*)(s + 64 + 56)
$19 = {p_type = 1685382481, p_flags = 6, p_offset = 0, p_vaddr = 0, p_paddr = 0,
  p_filesz = 0, p_memsz = 0, p_align = 16}
(gdb) p *(Elf64_Shdr*)(s + 1080)
$20 = {sh_name = 0, sh_type = 0, sh_flags = 0, sh_addr = 0, sh_offset = 0, sh_size = 0,
  sh_link = 0, sh_info = 0, sh_addralign = 0, sh_entsize = 0}
(gdb) p *(Elf64_Shdr*)(s + 1080 + 64)
$21 = {sh_name = 27, sh_type = 1, sh_flags = 6, sh_addr = 2098176, sh_offset = 1024,
  sh_size = 23, sh_link = 0, sh_info = 0, sh_addralign = 1, sh_entsize = 0}
(gdb) p *(Elf64_Shdr*)(s + 1080 + 64 + 64)
$22 = {sh_name = 17, sh_type = 3, sh_flags = 0, sh_addr = 0, sh_offset = 1047, sh_size = 33,
  sh_link = 0, sh_info = 0, sh_addralign = 1, sh_entsize = 0}
(gdb) p *(Elf64_Shdr*)(s + 1080 + 64 + 64 + 64)
$23 = {sh_name = 1, sh_type = 2, sh_flags = 0, sh_addr = 0, sh_offset = 1400, sh_size = 120,
  sh_link = 4, sh_info = 4, sh_addralign = 8, sh_entsize = 24}
(gdb) p *(Elf64_Shdr*)(s + 1080 + 64 + 64 + 64 + 64)
$24 = {sh_name = 9, sh_type = 3, sh_flags = 0, sh_addr = 0, sh_offset = 1520, sh_size = 13,
  sh_link = 0, sh_info = 0, sh_addralign = 1, sh_entsize = 0}
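elf 标准头的长度是 sizeof(Elf64_Ehdr),即 e_ehsize=64;本例中 e_phoff 也是 64,所以 program header 从 +64 位置开始。program header 有 e_phnum=2 个,一个长 e_phentsize=56 字节(Program Header ENTry SIZE)。section header 则从 e_shoff=1080 位置开始,共有 e_shnum=5 个 section header,一个长 e_shentsize=64 字节。字符串表(字符串存储位置)是第 e_shstrndx=2 个 section;按类型 sh_type=3 去找也可以,不过本例中 sh_type=3 的 section 有两个(第 2 个和第 4 个),节名要以 e_shstrndx 指向的那个为准。sh_offset 表示对应 section 的数据在文件中的位置,sh_size 表示数据长度。还有其他的属性,其中 sh_name 表示节名在 shstrtable 中从起始位置算起的第 n 个字节。这些偏移和个数都直接取自文件内容,解析来源不可信的 ELF 文件时,使用之前要先确认它们没有超出实际读到的数据范围。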
最终结果
0 - 40 ehdr
40 - b0 phdr
b0 400 -- file 0
400 - 417 -- section1
417 - 438 -- section2
438 - 578 -- sections
578 - 5f0 -- section3
5f0 - 5fd -- section4
40 这些都是 16 进制数,方便对照上面的 hexdump 查看结果。hexdump 输出中的 * 表示这些范围内的数据都是 0。
(gdb) x /32xb s+128
0x7fffffffde10: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde18: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde20: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde28: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
(gdb) x /64xb s+176
0x7fffffffde40: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde48: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde50: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde58: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde68: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x7fffffffde78: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
可以看到都是 0。