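This is mainly based on the official version, with a large amount of useless description removed and the format kept (which is, of course, also the driest part).
So far only the header part is organized fairly systematically. I haven't finished reading the section part, and what I have organized there isn't good. Once I've finished reading it I'll write a general description and draw a block diagram to explain it to everyone.
Useful applications: writing overflow attack programs, removing library dependencies...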
ELF: Executable and Linking Format
+ Figure : ELF File Format
  Linking View                      Execution View
  ============                      ==============
  ELF header                        ELF header
  Program header table (optional)   Program header table
  Section 1                         Segment 1
  ...                               Segment 2
  Section n                         ...
  Section header table              Section header table (optional)
+ Figure : ELF 32-Bit Data Types
  Name            Size   Alignment   Purpose
  ====            ====   =========   =======
  Elf32_Addr      4      4           Unsigned program address
  Elf32_Half      2      2           Unsigned medium integer
  Elf32_Off       4      4           Unsigned file offset
  Elf32_Sword     4      4           Signed large integer
  Elf32_Word      4      4           Unsigned large integer
  unsigned char   1      1           Unsigned small integer
=========================== ELF header ===========================
typedef struct {
    unsigned char e_ident[16];
    Elf32_Half    e_type;
    Elf32_Half    e_machine;
    Elf32_Word    e_version;
    Elf32_Addr    e_entry;
    Elf32_Off     e_phoff;
    Elf32_Off     e_shoff;
    Elf32_Word    e_flags;
    Elf32_Half    e_ehsize;
    Elf32_Half    e_phentsize;
    Elf32_Half    e_phnum;
    Elf32_Half    e_shentsize;
    Elf32_Half    e_shnum;
    Elf32_Half    e_shstrndx;
} Elf32_Ehdr;
* e_ident[16] The first 4 bytes identify the file as an ELF object file:

  +------------+------------+------------+------------+
  | e_ident[0] | e_ident[1] | e_ident[2] | e_ident[3] |
  | 0x7f       | 'E'        | 'L'        | 'F'        |
  +------------+------------+------------+------------+

  e_ident[4] identifies the file's class, or capacity:
      0: Invalid class
      1: 32-bit objects
      2: 64-bit objects

  Byte e_ident[5] specifies the data encoding of the processor-specific data in the object file:
      0: Invalid data encoding
      1: LSB (least significant byte)
      2: MSB (most significant byte)

  Byte e_ident[6] specifies the ELF header version number:
      1: Current version

  e_ident[7] -- e_ident[15]: These bytes are reserved and set to zero.
* e_type This member identifies the object file type.

  Name        Value    Meaning
  ====        =====    =======
  ET_NONE     0        No file type
  ET_REL      1        Relocatable file
  ET_EXEC     2        Executable file
  ET_DYN      3        Shared object file
  ET_CORE     4        Core file (reserved)
  ET_LOPROC   0xff00   Processor-specific
  ET_HIPROC   0xffff   Processor-specific
* e_machine This member's value specifies the required architecture for an individual file.

  Name       Value   Meaning
  ====       =====   =======
  EM_NONE    0       No machine
  EM_M32     1       AT&T WE 32100
  EM_SPARC   2       SPARC
  EM_386     3       Intel 80386
  EM_68K     4       Motorola 68000
  EM_88K     5       Motorola 88000
  EM_860     7       Intel 80860
  EM_MIPS    8       MIPS RS3000
* e_version This member identifies the object file version.

  Name         Value   Meaning
  ====         =====   =======
  EV_NONE      0       Invalid version
  EV_CURRENT   1       Current version
* e_entry This member gives the virtual address to which the system first transfers control, thus starting the process. If the file has no associated entry point, this member holds zero.
* e_phoff This member holds the program header table's file offset in bytes. If the file has no program header table, this member holds zero.
* e_shoff This member holds the section header table's file offset in bytes. If the file has no section header table, this member holds zero.
* e_flags This member holds processor-specific flags associated with the file. The 32-bit Intel Architecture defines no flags; so this member contains zero.
* e_ehsize This member holds the ELF header's size in bytes.
* e_phentsize This member holds the size in bytes of one entry in the file's program header table; all entries are the same size.
* e_phnum This member holds the number of entries in the program header table. Thus the product of e_phentsize and e_phnum gives the table's size in bytes. If a file has no program header table, e_phnum holds the value zero.
* e_shentsize This member holds a section header's size in bytes. A section header is one entry in the section header table; all entries are the same size.
* e_shnum This member holds the number of entries in the section header table. Thus the product of e_shentsize and e_shnum gives the section header table's size in bytes. If a file has no section header table, e_shnum holds the value zero.
* e_shstrndx This member holds the section header table index of the entry associated with the section name string table. If the file has no section name string table, this member holds the value SHN_UNDEF. See ``Sections'' and ``String Table'' below for more information.
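Every offset and count in this header comes from the file itself, so a parser handling untrusted ELF files should check them before use. The following C code is an added example, not part of the original notes: it validates an LSB 32-bit header and checks that e_phoff + e_phentsize * e_phnum (and the section-table equivalent) stays inside the file. The function names, the error codes and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ELF_OK, ELF_SHORT, ELF_MAGIC, ELF_CLASS, ELF_DATA, ELF_EHSIZE, ELF_PHTAB, ELF_SHTAB };

/* Little-endian field readers, so the result does not depend on host byte order. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* off + entsize * num is computed in 64 bits so a huge offset cannot wrap past the check. */
static int table_fits(uint32_t off, uint16_t entsize, uint16_t num, size_t len) {
    return (uint64_t)off + (uint64_t)entsize * num <= (uint64_t)len;
}

/* Validate an Elf32_Ehdr held in buf[0..len) before any offset in it is used. */
int elf32_check(const unsigned char *buf, size_t len) {
    if (len < 52) return ELF_SHORT;                       /* sizeof(Elf32_Ehdr) */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return ELF_MAGIC;
    if (buf[4] != 1) return ELF_CLASS;                    /* e_ident[4]: 32-bit objects */
    if (buf[5] != 1) return ELF_DATA;                     /* e_ident[5]: LSB only here */
    if (rd16(buf + 40) != 52) return ELF_EHSIZE;          /* e_ehsize */
    uint32_t phoff = rd32(buf + 28), shoff = rd32(buf + 32);
    uint16_t phentsize = rd16(buf + 42), phnum = rd16(buf + 44);
    uint16_t shentsize = rd16(buf + 46), shnum = rd16(buf + 48);
    if (phnum && !table_fits(phoff, phentsize, phnum, len)) return ELF_PHTAB;
    if (shnum && !table_fits(shoff, shentsize, shnum, len)) return ELF_SHTAB;
    return ELF_OK;
}

/* Constructed sample: 52-byte header plus one zeroed 32-byte program header entry. */
static const unsigned char sample[84] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_ident */
    2, 0, 3, 0, 1, 0, 0, 0,              /* e_type=ET_EXEC, e_machine=EM_386, e_version=1 */
    0x54, 0x80, 0x04, 0x08,              /* e_entry (constructed value) */
    52, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_phoff=52, e_shoff=0, e_flags=0 */
    52, 0, 32, 0, 1, 0, 0, 0, 0, 0, 0, 0 /* e_ehsize=52, e_phentsize=32, e_phnum=1, sh*=0 */
};

int main(void) {
    unsigned char bad[84];
    memcpy(bad, sample, sizeof bad);
    memset(bad + 28, 0xff, 4);           /* e_phoff = 0xffffffff: wraps in 32-bit math */
    printf("sample=%d tampered=%d\n", elf32_check(sample, sizeof sample),
           elf32_check(bad, sizeof bad));
    return 0;
}
```

With 32-bit arithmetic the tampered e_phoff would wrap to a small value and pass the bounds test; the 64-bit sum rejects it.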