Shulou(Shulou.com)06/01 Report--

This article shares with you the content of a sample analysis of ELF files in linux. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Sample program

Our example program is as follows:

# include int main (int argc,char * argv []) {printf ("hello shouwangxiansheng\ n"); return 0;}

Compile:

$gcc-o hello hello.c

Get the hello executable file.

View file types

The file command can be used to view file types:

$file hello hello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter / lib64/l, for GNU/Linux 2.6.32, BuildID [sha1] = 8f1de0f59bdfe9aaff85ade6898173aa436b296a, not stripped

From the results, we can know that it is an ELF executable file, and it is a 64-bit program with dynamic links, and the final not stripped also indicates that it retains symbol table information or debugging information.

If it is not an executable file, what is its information? For example:

$file hello.c hello.c: C source, UTF-8 Unicode text

You see.

View ELF header

Readelf is used to view ELF files, while:

$readelf-h hello ELF Header: Magic: 7f 45 4c 46 02 01 00 00 00 Class: ELF64 Data: 2's complement Little endian Version: 1 (current) OS/ABI: UNIX-System V ABI Version: 0 Type: EXEC (Executable file) Machine: Advanced Micro Devices X86-64

You can see that it is EXEC, an executable file, and a small-end program that runs on X86-64. The information in this header is also useful when cross-compiling. For example, if you cross-compile the executable file of powerpc on an x86 machine, but it is not recognized and cannot be run on powerpc, you might as well use readelf to see if its Machine field is not compiled.

Find a string in the ELF file

For example, if you write a version number or a special string in a file, you can search for it through the strings command:

$strings hello | grep shouwang hello shouwangxiansheng

View the size of each segment of the ELF file

$size hello text data bss dec hex filename 1210 552 8 1770 6ea hello

Here you can see the number of code segments and data segments, and if necessary, you can optimize the code as needed to reduce the disk space footprint.

View linked dynamic libraries

Can't find the dynamic library at run time? Let's take a look at which libraries it links:

$ldd hello linux-vdso.so.1 = > (0x00007ffd16386000) libc.so.6 = > / lib/x86_64-linux-gnu/libc.so.6 (0x00007f507e083000) / lib64/ld-linux-x86-64.so.2 (0x00007f507e44d000)

You can see that the dynamic library it links to is / lib/x86_64-linux-gnu/libc.so.6, and if the file does not exist, there will be an error at run time. You can also refer to "the production and use of dynamic libraries" here.

View symbol tabl

Do not know if the newly added function or global variable has been compiled? How to see if there is anything in the symbol table (as long as the symbol table is not removed):

$nm hello | find the main function U _ _ libc_start_main@@GLIBC_2.2.5 00000000400526 T main in the grep main # symbol table

If it is not found or preceded by U, there is no address, indicating that the function is not defined in the elf file.

It is useful when there is something wrong with the link.

Slimming down ELF files

When I looked at the file through file, I saw the word not stripped, because it contains some symbol table information, because the file will be slightly larger, if removed, the binary file will become smaller, but the symbol table information will be gone, which will affect the problem location.

$ls-lh hello # before slimming-rwxrwxr-x 1 root root 8.4K $strip hello $ls-lh hello # slimming behind-rwxrwxr-x 1 root root 6.2K

As you can see, after losing weight, the binaries become smaller. When the executable file is larger, the slimming effect will be more obvious. Of course, rest assured that this will not affect the normal operation of the program, but will only affect debugging and problem location.

At this time, look at the symbol table:

$nm hello nm: hello: no symbols

Print file checksum

If the binary file is corrupted or is the same version during transfer, take a look at the checksum and block count:

$sum hello 33513 7

Of course you can also use:

$md5sum hello 521efed706c3b485dd3b5e96e48b138a hello

To compare the MD5 value.

Thank you for reading! This is the end of this article on "sample analysis of ELF files in linux". I hope the above content can be of some help to you, so that you can learn more knowledge. if you think the article is good, you can share it out for more people to see!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.