diff --git a/Theory/ELF.md b/Theory/ELF.md index 59bad96..7ee9c46 100644 --- a/Theory/ELF.md +++ b/Theory/ELF.md 
@@ -1,29 +1,29 @@ Executable and Linkable Format ================================================================================ -ELF (Executable and Linkable Format) is a standard file format for executable files and shared libraries. Linux, as well as, many UNIX-like operating systems uses this format. Let's look on structure of the ELF-64 Object File Format and some defintions in the linux kernel source code related with it. +ELF (Executable and Linkable Format) is a standard file format for executable files, object code, shared libraries, and core dumps. Linux, as well as, many other UNIX-like operating systems uses this format. Let's look on the structure of ELF-64 File Format and some defintions in the linux kernel source code related with it. -An ELF object file consists of the following parts: +An ELF file consists of the following parts: -* ELF header - describes the main characteristics of the object file: type, CPU architecture, the virtual address of the entry point, the size and offset the remaining parts, etc...; -* Program header table - listing the available segments and their attributes. Program header table need loaders for placing sections of the file as virtual memory segments; -* Section header table - contains description of the sections. +* ELF header - describes the main characteristics of the object file: type, CPU architecture, virtual address of the entry point, size and offset of the remaining parts, etc...; +* Program header table - lists the available segments and their attributes. Program header table needs loaders for placing sections of this file as virtual memory segments; +* Section header table - contains the description of sections. Now let's look closer on these components. **ELF header** -It's located in the beginning of the object file. It's main point is to locate all other parts of the object file. File header contains following fields: +It's located in the beginning of the object file. 
Its main point is to locate all other parts of the object file. ELF header contains following fields: -* ELF identification - array of bytes which helps to identify the file as an ELF object file and also provides information about general object file characteristic; -* Object file type - identifies the object file type. This field can describe that ELF file is a relocatable object file, executable file, etc...; +* ELF identification - array of bytes which helps identify this file as an ELF file and also provides information about general object file characteristics; +* Object file type - identifies the object file type. This field can describe whether this file is a relocatable file or executable file, etc...; * Target architecture; * Version of the object file format; * Virtual address of the program entry point; * File offset of the program header table; * File offset of the section header table; -* Size of an ELF header; -* Size of a program header table entry; +* Size of the ELF header; +* Size of the program header table entry; * and other fields... You can find `elf64_hdr` structure which presents ELF64 header in the linux kernel source code: @@ -47,11 +47,11 @@ typedef struct elf64_hdr { } Elf64_Ehdr; ``` -This structure defined in the [elf.h](https://github.com/torvalds/linux/blob/master/include/uapi/linux/elf.h) +This structure defines in the [elf.h](https://github.com/torvalds/linux/blob/master/include/uapi/linux/elf.h) **Sections** -All data is stored in sections in an Elf object file. Sections identified by index in the section header table. Section header contains following fields: +All data is stored in sections in an Elf file. Sections are identified by index in the section header table. Section header contains following fields: * Section name; * Section type; 
@@ -64,7 +64,7 @@ All data is stored in sections in an Elf object file. Sections identified by ind * Address alignment boundary; * Size of entries, if section has table; -And presented with the following `elf64_shdr` structure in the linux kernel: +And presented with the following `elf64_shdr` structure in the linux kernel source code: ```C typedef struct elf64_shdr { @@ -83,7 +83,7 @@ typedef struct elf64_shdr { **Program header table** -All sections are grouped into segments in an executable or shared object file. Program header is an array of structures which describe every segment. It looks like: +All sections are grouped into segments in an executable file or shared library. Program header table is an array of structures which describe every segment. It looks like: ```C typedef struct elf64_phdr { @@ -98,16 +98,14 @@ typedef struct elf64_phdr { } Elf64_Phdr; ``` -in the linux kernel source code. +`elf64_phdr` structure defines in the same [elf.h](https://github.com/torvalds/linux/blob/master/include/uapi/linux/elf.h). -`elf64_phdr` defined in the same [elf.h](https://github.com/torvalds/linux/blob/master/include/uapi/linux/elf.h). - -And ELF object file also contains other fields/structures which you can find in the [Documentation](http://www.uclibc.org/docs/elf-64-gen.pdf). Now let's look on the `vmlinux`. +And ELF file also contains other fields/structures which you can find in the [Documentation](http://www.uclibc.org/docs/elf-64-gen.pdf). Now let's look on the `vmlinux`. vmlinux -------------------------------------------------------------------------------- -`vmlinux` is relocatable ELF object file too. So we can look at it with the `readelf` util. First of all let's look on a header: +`vmlinux` is an ELF file too. So we can look at it with the `readelf` util. First of all, let's look on the elf header of vmlinux: ``` $ readelf -h vmlinux 
@@ -144,15 +142,15 @@ ffffffff80000000 - ffffffffa0000000 (=512 MB) kernel text mapping, from phys 0 So we can find it in the `vmlinux` with: ``` -readelf -s vmlinux | grep ffffffff81000000 +$ readelf -s vmlinux | grep ffffffff81000000 1: ffffffff81000000 0 SECTION LOCAL DEFAULT 1 65099: ffffffff81000000 0 NOTYPE GLOBAL DEFAULT 1 _text 90766: ffffffff81000000 0 NOTYPE GLOBAL DEFAULT 1 startup_64 ``` -Note that here is address of the `startup_64` routine is not `ffffffff80000000`, but `ffffffff81000000` and now i'll explain why. +Note that ,the address of `startup_64` routine is not `ffffffff80000000`, but `ffffffff81000000`. Now I'll explain why. -We can see following definition in the [arch/x86/kernel/vmlinux.lds.S](https://github.com/torvalds/linux/blob/master/arch/x86/kernel/vmlinux.lds.S): +We can see the following definition in the [arch/x86/kernel/vmlinux.lds.S](https://github.com/torvalds/linux/blob/master/arch/x86/kernel/vmlinux.lds.S): ``` . = __START_KERNEL; @@ -176,10 +174,11 @@ Where `__START_KERNEL` is: `__START_KERNEL_map` is the value from documentation - `ffffffff80000000` and `__PHYSICAL_START` is `0x1000000`. That's why address of the `startup_64` is `ffffffff81000000`. -And the last we can get program headers from `vmlinux` with the following command: +At last we can get program headers from `vmlinux` with the following command: ``` -readelf -l vmlinux + +$ readelf -l vmlinux Elf file type is EXEC (Executable file) Entry point 0x1000000
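Review bot: In the first hunk (@@ -1,29 +1,29 @@), the reworded "Program header table" bullet still states the dependency backwards. "Program header table needs loaders for placing sections of this file as virtual memory segments" says the table needs the loader, but it is the loader that reads the table in order to map segments. Suggest "Program header table - lists the available segments and their attributes; loaders use it to place parts of the file as virtual memory segments". The intro paragraph is rewritten here but keeps "defintions", "as well as, many other UNIX-like operating systems uses" and "look on"; fix those in the same pass. The "ELF header" bullet and the "ELF header" paragraph also still say "object file", while the other changed lines now say "ELF file".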
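Review bot: In the @@ -47,11 +47,11 @@ hunk, changing "This structure defined in the [elf.h]" to "This structure defines in the [elf.h]" makes the sentence worse, because the structure is the thing being defined. It should read "This structure is defined in [elf.h]". In the Sections paragraph of the same hunk, "an Elf file" should be "an ELF file" to match the spelling used in the rest of the document.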
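Review bot: In the @@ -98,16 +98,14 @@ hunk, the new line "`elf64_phdr` structure defines in the same [elf.h]" has the same verb problem as the earlier `elf64_hdr` sentence and should be "The `elf64_phdr` structure is defined in the same [elf.h]". In the vmlinux paragraph, "let's look on the elf header of vmlinux" should be "let's look at the ELF header of `vmlinux`", with backticks as in the sentence before it. Dropping "relocatable" agrees with the `readelf -l` output later on the page ("Elf file type is EXEC (Executable file)"); consider saying "executable ELF file" explicitly rather than only "an ELF file".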
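Review bot: In the @@ -144,15 +142,15 @@ hunk, the rewritten sentence "Note that ,the address of `startup_64` routine is not ..." has a misplaced comma and a missing article. Suggest "Note that the address of the `startup_64` routine is not `ffffffff80000000`, but `ffffffff81000000`." The added `$` prompt on the `readelf -s` line is a good consistency fix with the earlier `$ readelf -h vmlinux` block.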
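Review bot: In the last hunk (@@ -176,10 +174,11 @@), an empty "+" line is added inside the code fence directly before "$ readelf -l vmlinux", so the rendered block will start with a blank line; this is why the hunk grows from 10 to 11 lines. Drop the empty line so the block opens with the command, as the `readelf -h` and `readelf -s` blocks do. "At last we can get program headers" would also read better as "Finally, we can get the program headers".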