
解读 ELF 文件

作者:wangdb < [email protected]>
日期:2001-4-16


本文叙述如何解读 ELF 文件。

打开一个 ELF 文件解读时,我们首先遇到的是一个 ELF 文件头。ELF 文件头
给出解读整个 ELF 文件的路径图,它是一个固定的结构。文件头的结构在系统
头文件 elf.h 中定义,如果是 32 位的二进制文件,它是一个 Elf32_Ehdr
结构,如果是 64 位的二进制文件,则是一个 Elf64_Ehdr 结构。无论是何种
结构,结构的第一个成员是一个 16 字节的 e_ident,它给出了整个 ELF 文
件的解读方式。究竟是 32 位的 Elf32_Ehdr 结构还是 64 位的 Elf64_Ehdr
结构,就看 e_ident[4] 的内容了。从文件偏移的角度来说,也就是文件偏移
为 4 的字节确定了 ELF 文件究竟是 32 位的还是 64 位的。这里我们遵从习
惯把文件开头的起始第一个字节的文件偏移约定为 0,下面的所有叙述都遵从
这个约定。

于是我们要做的第一件事是解读这个 e_ident,确定 ELF 文件是 32 位的还
是 64 位的,或者是其他位数的,从而确定 ELF 文件头的结构。为此,假定
打开 ELF 文件时返回的文件描述符是 fd,

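/* Read the 16-byte e_ident array from file offset 0 into buf.
 * The file contents are untrusted: if the seek fails or fewer than 16 bytes
 * arrive, buf must not be interpreted. It is cleared in that case so that the
 * magic-number comparison on buf[0..3] rejects the file instead of acting on
 * stale bytes. */
if (lseek(fd, 0, SEEK_SET) == (off_t)-1 || read(fd, buf, 16) != 16) {
    for (int i = 0; i < 16; i++) {
        buf[i] = 0;
    }
}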

读出的 buf 里前四个字节是 Magic Number(对应文件偏移 0-3)。如果

buf[0] = 0x7f、buf[1] = 'E'、buf[2] = 'L'、buf[3] = 'F'

则表明这是一个 ELF 格式的二进制文件,否则不是。如前面所述,我们首先关
注的是 buf[4]。如果 buf[4] 的值是 1,则是 32 位的;如果是 2,则是 64
位的。接下来是 buf[5],它给出字节序特性。如果它的值是 1,则是 LSB 的;
如果是 2,则是 MSB 的。对 Intel x86 机器,buf[5] = 1;对 Sun Sparc,
buf[5] = 2。跟着 buf[5] 的 buf[6] 给出 ELF 文件头的版本信息,当前它
的值是 EV_CURRENT(参见 elf.h 中的宏定义)。对 buf[6] = EV_CURRENT
的 ELF 文件头,从 buf[7] 开始,也即 e_ident 后面的 9 个字节全部为零,
暂时没有使用。

现在确定了文件头的结构,我们就可以解读文件头了。下文中我们以 32 位的
ELF 文件为例来说明。对 64 位的,大同小异,把所有 Elf32_*** 结构换成
对应的 Elf64_*** 结构,看看 elf.h 就什么都清楚了。32 位的 ELF 文件头
结构定义如下:

/* Number of bytes in the e_ident array that opens every ELF header. */
#define EI_NIDENT (16)

/* Fixed-width scalar types used by the 32-bit ELF structures. */
typedef uint16_t Elf32_Half;
typedef uint32_t Elf32_Word;
typedef uint32_t Elf32_Addr;
typedef uint32_t Elf32_Off;

/* 32-bit ELF file header.
 * NOTE(review): when this structure is filled from a file, every offset,
 * size and count in it is file-supplied and should be validated before it
 * is used to seek, allocate or index. */
typedef struct {
unsigned char e_ident[EI_NIDENT]; /* the e_ident array described above */
Elf32_Half e_type; /* file type */
Elf32_Half e_machine; /* machine type */
Elf32_Word e_version; /* file version */
Elf32_Addr e_entry; /* virtual address of the program entry point */
Elf32_Off e_phoff; /* file offset of the program header table */
Elf32_Off e_shoff; /* file offset of the section header table */
Elf32_Word e_flags; /* processor-specific flags */
Elf32_Half e_ehsize; /* size of the ELF header */
Elf32_Half e_phentsize; /* size of one program header table entry */
Elf32_Half e_phnum; /* number of program header table entries */
Elf32_Half e_shentsize; /* size of one section header table entry */
Elf32_Half e_shnum; /* number of section header table entries */
Elf32_Half e_shstrndx; /* section header table index of the section-name strings */
} Elf32_Ehdr;

结构的各个成员的含义如注释中所解释的。对 ELF 文件,有两个视图,一个是
从装载运行角度的,另一个是从连接角度的。从装载运行角度,我们关注的是程
序头表,由程序头表的指引把 ELF 文件加载进内存运行它。从连接的角度,我
们关注节头表,由节头表的指引把各个节连接组装起来。e_type 的值与这两个
视图相联系,由它我们可以知道能够从哪个视图去解读。如果 e_type = 1,表
明它是重定位文件,可以从连接视图去解读它;如果 e_type = 2,表明它是可
执行文件,至少可以从装载运行视图去解读它;如果 e_type = 3,表明它是共
享动态库文件,同样可以至少从装载运行视图去解读它;如果 e_type = 4,表
明它是 Core dump 文件,可以从哪个视图去解读依赖于具体的实现。

按照这两个视图,整个 ELF 文件的内容这样来组织:首先是 ELF 文件头,也
就是上面的 Elf32_Ehdr 结构。或者对 64 位的 ELF 文件,是 Elf64_Ehdr
结构。ELF 文件头位于文件开始处,无论 e_type 的值是什么,它是必须有的。
其次是程序头表,对可执行文件(e_type = 2)和动态库文件(e_type = 3),它
是必须有的。对重定位文件(e_type = 1),程序头表的有无是可选的。例如用
gcc 的 -c 选项生成的 .o 文件,就没有程序头表。但无论如何,e_phoff 和
e_phnum、e_phentsize 给出了 ELF 文件的程序头表信息。没有程序头表时它
们的值为零。然后就是节头表,对可执行文件和动态库文件,它的有无是
可选的,对重定位文件,它是必须有的。e_shoff 和 e_shnum、e_shentsize
给出节头表信息。最后就是文件的代码和数据这些具体内容了。如果有节头表,
从连接视图去解读,ELF 文件的具体代码和数据内容是以节为单位组织的。所
有的代码和数据都分属于某一节,并且不能同时属于两个节。各个节不能交叉,
不能有同时两个节覆盖同一内容。每一节在节头表中有一个表项与之对应,给
出该节的相关信息。如果有程序头表,从装载运行视图去解读,所有代码和数
据都分属于某一程序段。与连接视图不同,此时有交叉的情况。某些内容可能
同时属于几个程序段,也即可能有几个段覆盖同一内容。同时,从程序头表来
看,可能某些段不包含任何具体的代码和数据内容。例如,给出动态连接信息
的程序段的所有内容都同时属于数据段。注意不要把这里所说的程序段与我们通常
所说的文本段、数据段和堆栈段这几个概念相混淆,虽然它们有联系。程序加
载进内存时,根据程序头表信息来解读。

从连接视图来解读,其中有一节的内容是一些以零结尾的字符串。e_shstrndx
给出该节在节头表中的表项索引。这些字符串是各节的名字。

了解了这些后,我们可以分别从两个视图来解读 ELF 文件了。先看连接视图,
于是我们

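Elf32_Ehdr e_hdr = {0};
void *SecHdrTbl = NULL;   /* stays NULL unless the whole table was read */

/* Load the ELF header from file offset 0. Every field in it comes straight
 * from the file and must be treated as untrusted input. */
if (lseek(fd, 0, SEEK_SET) == (off_t)-1 ||
    read(fd, &e_hdr, sizeof(e_hdr)) != (ssize_t)sizeof(e_hdr)) {
    /* Seek failed or the header is truncated: discard the partial data so
     * later code sees zero counts instead of leftover bytes. */
    e_hdr = (Elf32_Ehdr){0};
} else if (e_hdr.e_shnum != 0 && e_hdr.e_shentsize != 0) {
    /* Both operands are 16-bit and would be promoted to int; 65535 * 65535
     * overflows a 32-bit int, so widen to size_t before multiplying. */
    size_t shtbl_size = (size_t)e_hdr.e_shnum * e_hdr.e_shentsize;

    SecHdrTbl = malloc(shtbl_size);
    if (SecHdrTbl != NULL) {
        ssize_t got = -1;

        if (lseek(fd, e_hdr.e_shoff, SEEK_SET) != (off_t)-1) {
            got = read(fd, SecHdrTbl, shtbl_size);
        }
        /* A short read usually means e_shoff/e_shnum describe a table that
         * extends past the end of the file; a partly filled table must not
         * be walked. */
        if (got < 0 || (size_t)got != shtbl_size) {
            free(SecHdrTbl);
            SecHdrTbl = NULL;
        }
    }
}
/* NOTE(review): before indexing SecHdrTbl as an array of Elf32_Shdr, also
 * confirm that e_hdr.e_shentsize equals sizeof(Elf32_Shdr) and that
 * e_hdr.e_shstrndx is smaller than e_hdr.e_shnum. */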

我们看看节头表是什么样的,因为节头表的各个表项给出了如何从连接视图
解读 ELF 文件的路径图。节头表的每个表项是一个如下的结构:

/* One entry of the 32-bit section header table (linking view).
 * NOTE(review): sh_name, sh_offset, sh_size and sh_link are file-supplied;
 * check them against the string table size, the file size and e_shnum
 * before using them as indexes or lengths. */
typedef struct
{
Elf32_Word sh_name; /* section name index */
Elf32_Word sh_type; /* section type */
Elf32_Word sh_flags; /* load and read/write flags */
Elf32_Addr sh_addr; /* virtual address at execution time */
Elf32_Off sh_offset; /* offset within the file */
Elf32_Word sh_size; /* size in bytes */
Elf32_Word sh_link; /* link to another section */
Elf32_Word sh_info; /* additional information */
Elf32_Word sh_addralign; /* byte alignment */
Elf32_Word sh_entsize; /* size of each entry, if the section holds a table of entries */
} Elf32_Shdr;

再看装载运行视图:

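void *ProHdrTbl = NULL;   /* stays NULL unless the whole table was read */

/* Load the program header table described by the (untrusted) ELF header. */
if (e_hdr.e_phnum != 0 && e_hdr.e_phentsize != 0) {
    /* Widen before multiplying: two 16-bit fields promoted to int can
     * overflow a 32-bit int (65535 * 65535). */
    size_t phtbl_size = (size_t)e_hdr.e_phnum * e_hdr.e_phentsize;

    ProHdrTbl = malloc(phtbl_size);
    if (ProHdrTbl != NULL) {
        ssize_t got = -1;

        if (lseek(fd, e_hdr.e_phoff, SEEK_SET) != (off_t)-1) {
            /* The destination is ProHdrTbl. Reading into SecHdrTbl, as the
             * listing originally did, writes phtbl_size bytes into a buffer
             * sized for the section header table and can overflow the heap
             * allocation whenever the program header table is larger. */
            got = read(fd, ProHdrTbl, phtbl_size);
        }
        /* Reject a short read rather than parse a partly filled table. */
        if (got < 0 || (size_t)got != phtbl_size) {
            free(ProHdrTbl);
            ProHdrTbl = NULL;
        }
    }
}
/* NOTE(review): before indexing ProHdrTbl as an array of Elf32_Phdr, also
 * confirm that e_hdr.e_phentsize equals sizeof(Elf32_Phdr). */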

每个程序头表的每个表项的结构为:

/* One entry of the 32-bit program header table (load/run view).
 * NOTE(review): p_offset, p_filesz and p_memsz are file-supplied; check
 * them against the file size before mapping or copying a segment. */
typedef struct
{
Elf32_Word p_type; /* segment type */
Elf32_Off p_offset; /* offset within the file */
Elf32_Addr p_vaddr; /* virtual address at execution time */
Elf32_Addr p_paddr; /* physical address at execution time */
Elf32_Word p_filesz; /* number of bytes in the file */
Elf32_Word p_memsz; /* number of bytes in memory */
Elf32_Word p_flags; /* flags */
Elf32_Word p_align; /* byte alignment */
} Elf32_Phdr;

我们看一看这两个视图之间的相互关联,对动态库文件,共有三个程序段,如
果是用 gcc 编译生成的,按文件偏移和虚地址增长次序排列,文本段包含如下
这些节:

.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_d
.gnu.version_r
.rel.data
.rel.got
.rel.plt
.init
.plt
.text
.fini
.rodata

同样是按文件偏移和虚地址增长次序排列,数据段包含如下这些节:

.data
.eh_frame
.ctors
.dtors
.got
.dynamic
.bss

另外还有一个程序段,它给出动态连接信息,它只包含有一节

.dynamic

我们看到,这一段与数据段有交叉了。此外还有一些节它们不属于任何一个程
序段,这些节是:

.comment
.note
.shstrtab
.symtab
.strtab

对可执行文件,共有六个程序段,如果是用 gcc 编译生成的,按文件偏移和虚
地址增长次序排列,文本段包含如下这些节:

.interp
.note.ABI-tag
.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.got
.rel.plt
.init
.plt
.text
.fini
.rodata

同样是按文件偏移和虚地址增长次序排列,可执行文件的数据段包含如下这些
节:

.data
.eh_frame
.ctors
.dtors
.got
.dynamic
.bss

程序解释段(INTERP)与文本段相交叉,只包含 .interp 一节。给出动态连接
信息的程序段同样与数据段相交叉,只包含 .dynamic 节。另一个程序段,与
文本段相交叉,包含 .note.ABI-tag 节,它给出辅助信息。此外,还有一个
程序段,它指程序头表自身。同动态库文件一样,下面的一些节不属于任何程
序段:

.stab
.stabstr
.comment
.note
.shstrtab
.symtab
.strtab

[未完待续]