Shulou(Shulou.com)06/01 Report--

This article mainly explains "Overview of windows PE file and Linux ELF file". Interested friends may wish to have a look at it. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn "Overview of windows PE files and Linux ELF files"!

1. Overview of windows PE file and Linux ELF file

The executable file in windows is pe file format, and the executable file in Linux is ELF file, and its file format is ELF file format. In addition to executable files (Excutable File), relocatable target files (RellocatableObject File), shared object files (SharedObject File) and core dump files (CoreDump File) under Linux are also ELF format files.

2. ELF file structure analysis 2.1 ELF file view

Use readelf, a special tool under Linux, to view elf file information.

View the source code in readelf

A typical ELF file is roughly structured as follows:

General structure of ELF file (ELF Header) program header table (Program Header Table) code segment (.text) data segment (.data) bss segment (.bss) table string table (.shstrtab) section table (Section Header Table) symbol table (.symtab) string table (.strtab) relocation table (.rel.text) relocation table (.rel.data) 2.2.1 file header is used to record information about an ELF file (how many bits? What is the CPU platform that can run? Where is the entry point of the program) check the ELF header

In the source code of readelf, the variable type Elf_Internal_Ehdr_, is defined in the internal header file

# defineEI_NIDENT 16 / * Size of e_ident [] * / typedefstruct elf_internal_ehdr {unsigned char eident [ei _ NIDENT]; / * ELF "magicnumber" * / bfd_vma estrangement; / * Entry point virtual address * / bfd_size_type e_phoff / * Program header table file offset * / bfd_size_type estrangshoffs; / * Section header table file offset * / unsigned long eBay version; / * Identifies object file version * / unsigned long estrangements; / * Processor-specific flags * / unsigned short e_type / * Identifies object file type * / unsigned short ethereal machine; / * Specifies required architecture * / unsigned int estrangehsize; / * ELF header size in bytes * / unsigned int estrangphentsize; / * Program header table entry size * / unsigned int e_phnum / * Program header tableentry count * / unsigned int estrangshentsize; / * Section header tableentry size * / unsigned int estrangshnumm; / * Section header tableentry count * / unsigned int estrangshstrndx; / * Section header string table index * /} Elf_Internal_Ehdr

Viewed in the header file that comes with Linux, there are a total of 14 fields in the structure of the source file header, corresponding to the file hexadecimal.

# define EI_NIDENT (16) typedef struct {unsigned char eident [ei _ NIDENT]; / * Magic number and other info * / Elf32_Half eigentype; / * Object file type * / Elf32_Half eigenmachine; / * Architecture * / Elf32_Word estrangement version; / * Object file version * / Elf32_Addr e_entry / * Entry point virtual address * / Elf32_Off estrangphoffs; / * Program header table file offset * / Elf32_Off estrangshoffs; / * Section header table file offset * / Elf32_Word estrangements; / * Processor-specific flags * / Elf32_Half e_ehsize / * ELF header size in bytes * / Elf32_Half estrangphentsize; / * Program header table entry size * / Elf32_Half estrangphnum; / * Program header table entry count * / Elf32_Half estrangshentsize; / * Section header table entry size * / Elf32_Half e_shnum / * Section header table entry count * / Elf32_Half estrangshstrndx; / * Section header string table index * /} Elf32_Ehdr;2.2.2 program header table

Records the relevant information about each Segment, such as type, offset of the corresponding file, size, attributes, and so on.

Program header table and segment header table are relatively independent, they are managed by the ELF file header. After the ELF file is loaded, the mapping relationship between the loadable segment and the memory image in the ELF file is generally only in the executable file, including the program header table. The program header table contains several program header table items, the object described in the program header table is called "Segment", the Segment describes the data block after the ELF file is loaded, and the Section describes the data block before the ELF file is loaded. Generally speaking, there is a corresponding relationship between the two. For example, the loading information of the code segment .text is saved in the Segment where the code is stored in the header table item of the program, and the loading information of the data segment .data is saved in the Segment where the data is stored in the header table item of the program. Sometimes in order to simplify the number of items in the program's header table, multiple segments of the same type will be set as a Segment for the entire ELF file.

The data structure of the program header table

/ * Program segment header. * / typedef struct {Elf32_Word paired type; / * Segment type * / Elf32_Off paired offset; / * offset of the content corresponding to Segment file offset Segment in the file * / Elf32_Addr pairvaddr; / * linear address of Segment virtual address Segment in memory * / Elf32_Addr p_paddr / * Segment physical address * / Elf32_Word packs filesz; / * Segment size in file * / Elf32_Word packs memsz; / * Segment size in memory * / Elf32_Word packs; / * Segment flags * / Elf32_Word packs; / * Segment alignment * /} Elf32_Phdr # define PT_NULL 0 / * Program header table entry unused * / # define PT_LOAD 1 / * Loadable program segment * / # define PT_DYNAMIC 2 / * Dynamic linking information * / # define PT_INTERP 3 / * Program interpreter * / # define PT_NOTE 4 / * Auxiliary information * / # define PT_SHLIB 5 / * Reserved * / # define PT_PHDR 6 / * Entry for header table itself * / # define PT_TLS 7 / * Thread-local storage segment * / # define PT_NUM 8 / * Number of defined types * /

P_flag permission attribute Flag

The value indicates that macro 1 is executable PE_X2 writable PE_W3 readable PE_R

2.2.3 Section header table

The main data used to record ELF files

View section

Data structure of the section header:

Typedef struct {Elf32_Word sh_name; / * Section name (string tbl index) * / Elf32_Word sh_type; / * Section type * / Elf32_Word sh_flags; / * Section flags * / Elf32_Addr sh_addr; / * Section virtual addr at execution * / Elf32_Off sh_offset / * Section file offset * / Elf32_Word sh_size; / * Section size in bytes * / Elf32_Word sh_link; / * Link to another section * / Elf32_Word sh_info; / * Additional section information * / Elf32_Word sh_addralign; / * Section alignment * / Elf32_Word sh_entsize / * Entry size if section holds table * /} Elf32_Shdr

The section header table has a total of 10 fields, which are as follows:

(1) the sh_name segment name, which is a 4-byte offset, records the offset of the segment name string in the segment table string table (".shstrtab" section). The segment table string is not in the form of a table, but a file block that stores all the contents of the segment table string in the segment of ".shstrtab". According to the offset of ".shstrtab", plus sh_name, you can access the corresponding segment name string for each segment.

The starting address is 000017ac, and the offset of the first segment table item is 001b, and the offset of the ".shstrtab" segment is 0016ae.

Therefore, the offset of the calculated segment name should be 0x0000001b + 0x000016ae = 0x000016c9

Based on the results of the calculation, look at 0x000016c9:

(2) sh_type, indicating the type of segment. There are many types of segments, including SHT_PROGBITS, which represents program data, SHT_SYMTAB represents symbol table, SHT_STRTAB represents string table, and specially stores constructor array segment SHT_INIT_ARRAY and destructor array segment SHT_FINI_ARRAY.

A .txt code segment

B. data segment

C. radata records constant data

D. Symtab records the data of the symbol table (equivalent to the export table of the PE file)

E. Strtab string table segment

F. Shstrtab has a table string table segment

G. rel .plt records the relocation of a section (equivalent to the import table of a PE file)

The corresponding macros are as follows:

/ * Legal values for sh_type (section type). * / # define SHT_NULL 0 / * Section header table entry unused * / # define SHT_PROGBITS 1 / * Program data * / # define SHT_SYMTAB 2 / * Symbol table * / # define SHT_STRTAB 3 / * String table * / # define SHT_RELA 4 / * Relocation entries with addends * / # define SHT_HASH 5 / * Symbol hash table * / # define SHT_DYNAMIC 6 / * Dynamic linking information * / # define SHT_NOTE 7 / * Notes * / # define SHT_NOBITS 8 / * Program space with no data (bss) * / # define SHT_REL 9 / * Relocation entries No addends * / # define SHT_SHLIB 10 / * Reserved * / # define SHT_DYNSYM 11 / * Dynamic linker symbol table * / # define SHT_INIT_ARRAY 14 / * Array of constructors * / # define SHT_FINI_ARRAY 15 / * Array of destructors * / # define SHT_PREINIT_ARRAY 16 / * Array of pre-constructors * /

(3) sh_flags, which indicates the segment flag and records the attributes of the segment. Where 0 indicates the default attribute, 1 indicates that the segment is writable, and takes the value bit SHF_WRITE. 2 indicates that the segment needs to be allocated memory space after loading, and the value is SHF_ALLOC. 4 means executable, with a value of SHF_EXECINSTR, and the segment flag attribute can be superimposed.

(4) sh_addr, which represents the linear address of the loaded segment

(5) sh_offset, which indicates the offset of the segment in the file, according to which the position of the segment can be determined and the contents of the segment can be read.

(6) sh_size, which indicates the size of the segment in bytes. It is important to note that if the segment type is SHT_NOBITS and there is no data in the segment, then the size of the segment does not refer to the size of the file block, but to the amount of memory consumed by the segment after loading.

Sh_link and sh_info represent the link information of the segment, which is generally used to describe the link information of the symbol table segment and the relocation table segment. For a symbol table segment (SHT_SYMTAB), sh_link records the index of the segment table item in the segment table corresponding to the string table segment (typically, .strtab) used by the symbol table.

Sh_info records the symbol table item of the last local symbol in the symbol table plus 1, which usually happens to be the symbol table item index of the first global symbol, which can help the connector locate the first global symbol more quickly. As shown in the following figure: the information sh_info of the symbol table section in the paragraph happens to be the index of the local symbol + 1.

For the relocation table segment (the segment type is SHT_REL), the sh_link records the index in the early segment of the symbol table item of the relocation action, while the sh_info records the index of the segment table entry in the segment table corresponding to the relocation.

Sh_typesh_linksh_infoSHT_DYNAMIC the string table used in this entry the index in the segment table SHT_HASH the segment table index of the symbol table to which this hash table applies the segment table index SHT_REL related symbol table segment table index used to relocate the segment table index SHT_RELA associated string table index symbol table index of the last local symbol + 1 other SHN_UNDEF0

(9) sh_addralign, indicates the alignment of the segment. The alignment rule is sh_offset% sh_addralign = 0, that is, the file offset of the segment must be an integral multiple of sh_addralign, and the value of sh_addralign must be an integral multiple of 2, entering 1, 2, 4, 8, and so on.

Alignment value alignment indicates that 0 has no alignment requirement and 1 has no alignment requirement

4 alignment 4 satisfies sh_iffset% 4 = 016 alignment 16 satisfies sh_iffset% 16 = 032 alignment 32 satisfies sh_iffset% 32 = 0

(10) sh_entsize, which is generally used to save the injected symbol table segment. When the table segment is relocated, it indicates the size of the table item saved in the segment. For example, the entry size of the symbol table saved in the symbol table segment ".symtab" is sizeof (Elf32_sym) = 16 bytes, and the entry size of the relocation table saved in the relocation table segment ".rel.plt" is sizeof (Elf32_rel) = 8 bytes.

2.2.4 ELF symbol Table (Symbol Table)

The symbol table of the ELF file stores the symbol information in the program, including the file name, function name, global variable name and so on. The symbol table is generally saved in a section called ".strtab", and the corresponding section table item type is SHT_SYMTAB. The symbol table contains a plurality of symbol table items, each of which records the name, location, type and other information of the symbol.

The data structure of symbolic representation:

Typedef struct {Elf32_Word st_name; / * Symbol name (string tbl index) * / Elf32_Addr st_value; / * Symbol value * / Elf32_Word st_size; / * Symbol size * / unsigned char st_info; / * Symbol type and binding * / unsigned char st_other / * Symbol visibility * / Elf32_Section st_shndx; / * Section index * /} Elf32_Sym

2.2.5 ELF relocation Table (Reloc Table)

Relocation tables are common in relocatable target files. Executables generated by static links generally do not include relocation tables. Executable files generated by dynamic links are not discussed for the time being. The relocation table is generally saved in a segment that starts with the name ".rel". The type of table entry in this section is the segment that the SHT_REL,ELF file needs to relocate, and generally corresponds to a relocation table. For example, the relocation table of the code segment ".txt" is kept in the ".rel.text" and the relocation table of the data segment ".data" remains in the ".rel.data".

The relocation table contains a plurality of relocation table items, each of which records a relocation information, including the relocation symbol, location, type, and so on.

/ * Relocation table entry without addend (in section of type SHT_REL). * / typedef struct {Elf32_Addr ringing offset; / * Address * / Elf32_Word ritual info; / * Relocation type and symbol index * /} Elf32_Rel

2.2.6 ELF string Table (String Table)

The segment and symbol tables in the ELF file need to record segment and symbol names, which are strings. However, segment table items and symbol table items are fixed-length data structures and cannot store strings of variable length. Therefore, the FLE file centrally stores the contents of the name string in a segment, called a string table. These segment table items and symbol table items only need to record the position of the segment name string or symbol name string in the corresponding list item.

Although the content of a stored string table is called a string table, it is not in the form of a table, but a file area.

At this point, I believe you have a deeper understanding of the "Overview of windows PE files and Linux ELF files". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.