Next: , Previous: , Up: Top   [Contents][Index]


7 ELF Header

The ELF headers are always to be found at the beginning of an ELF file. However, it is also common to find ELF data embedded in other container formats (such as an ELF section!) and sometimes ELF headers are used to describe non-conformance ELF contents. Therefore poking at headers directly is not that uncommon.

The Poke types provided to denote ELF headers are Elf64_Ehdr and Elf32_Ehdr, for 64-bit and 32-bit ELF files respectively.

7.1 Overview

type Elf32_Ehdr =
  struct
  {
    Elf_Ident e_ident;
    Elf_Half e_type;
    Elf_Half e_machine;
    Elf_Word e_version = ELF_EV_CURRENT;
    Elf32_Addr e_entry;
    Elf32_Off e_phoff;
    Elf32_Off e_shoff;
    Elf_Word e_flags;
    offset<Elf_Half,B> e_ehsize;
    offset<Elf_Half,B> e_phentsize;
    Elf_Half e_phnum;
    offset<Elf_Half,B> e_shentsize;
    Elf_Half e_shnum;
    Elf_Half e_shstrndx;
  };
type Elf64_Ehdr =
  struct
  {
    Elf_Ident e_ident;
    Elf_Half e_type;
    Elf_Half e_machine;
    Elf_Word e_version = ELF_EV_CURRENT;
    Elf64_Addr e_entry;
    Elf64_Off e_phoff;
    Elf64_Off e_shoff;
    Elf_Word e_flags;
    offset<Elf_Half,B> e_ehsize;
    offset<Elf_Half,B> e_phentsize;
    Elf_Half e_phnum;
    offset<Elf_Half,B> e_shentsize;
    Elf_Half e_shnum;
    Elf_Half e_shstrndx;
  };

7.2 Fields

e_ident

Is a field that describes the encoding of the contents that follow in the ELF file. The data in this field is encoded in a clever way that only requires to read the information byte by byte. This is necessary, because part of the information stored in e_ident is precisely the encoding used by the data in the ELF file:

type Elf_Ident =
  struct
  {
    byte[4] ei_mag == [0x7fUB, 'E', 'L', 'F'];
    byte ei_class;
    byte ei_data;
    byte ei_version;
    byte ei_osabi;
    byte ei_abiversion;
    byte[7] ei_pad;
  };

Where:

ei_mag

Is the magic number identifying the ELF file. It is always 0x7F.

ei_class

Determines the class of the ELF file. This can be one of ELF_CLASS_NONE, ELF_CLASS_32 or ELF_CLASS_64 denoting and “invalid class”, a 32-bit ELF file and a 64-bit ELF file respectively.

I personally have never come across an ELF file with ELF_CLASS_NONE. But if such class is found, it shall be considered as a data integrity error. That is the approach implemented in this pickle.

ei_data

Determines the encoding of the data in the file. This can be one of ELF_DATA_NONE, ELF_DATA_2LSB or ELF_DATA_2MSB, denoting no encoding, 2’s complement and little endian, and 2’s complement and big endian.

Note that at this point the only supported encoding for signed numbers in ELF files is 2’s complement.

This pickle considers an ELF file with encoding ELF_DATA_NONE as a data integrity error.

ei_version

Is the ELF header version number. This must be ELF_EV_CURRENT.

ei_osabi

Identifies the ABI or operating system (these concepts are mixed in ELF) used by the ELF file. This must be one of the ELF_OSABI_* values defined in elf-common.pk.

The ELF specification recommends this field to be ELF_OSABI_NONE, which actually identifies the “UNIX System V ABI”.

ei_abiversion

Identifies the version of the ABI to which the ELF file is targeted. The ELF spec points out that the purpose of this field is to distinguish among incompatible versions of an ABI, and that its interpretation ultimately depends on the value of ei_osabi.

ei_pad

Are unused bytes. These bytes may be used for some particular purpose in future versions of the ELF specification, and currently they must be set to zero.

e_type

Identifies the kind of ELF file: whether it is an object file, an executable, a dynamic object or a core dump.

This field is checked against the file-types configuration parameter, and pretty-printed accordingly.

e_machine

Identifies the machine type on which the elf file is supposed to run.

When poke maps or constructs a Elf64_Ehdr (or Elf32_Edhr) struct, it sets the global ELF machine to the value of this field.

This field is checked against the machine-types configuration parameter, and pretty-printed accordingly.

e_version

Identifies the ELF version the ELF file conforms to. It must hold ELF_EV_CURRENT.

e_entry

Is the virtual memory address of the entry point of a process executing the program in this ELF file. This can be 0#B.

e_phoff

Is the file offset of the program header table. If the ELF file doesn’t contain any segment, then the table is empty and this field contains 0#B.

e_shoff

Is the file offset of the section header table. If the ELF file doesn’t contain any section, then the table is empty and this field contains 0#B.

e_flags

Is a bitmap of file flags. This field contains ORed ELF_EF_* values.

This field is checked against the filed-flags configuration parameter, and pretty-printed accordingly.

e_ehsize

Is the size in bytes of the ELF header.

e_phentsize

Is the size in bytes of one entry in the program header table.

e_phnum

Is the number of entries in the program header table.

e_shentsize

Is the size in bytes of one entry in the section header table.

e_shnum

Is the number of entries in the section header table.

e_shstrndx

Is the index in the section header table of the entry associated with the string table that contains the names of the sections stored in the file.

If the ELF file doesn’t contain a section name string table (which is uncommon but certainly possible) then this field contains ELF_SHN_UNDEF.

7.3 Usage

XXX


Next: , Previous: , Up: Top   [Contents][Index]