Next: ELF Section Headers, Previous: ELF File, Up: Top [Contents][Index]
The ELF headers are always to be found at the beginning of an ELF file. However, it is also common to find ELF data embedded in other container formats (such as an ELF section!) and sometimes ELF headers are used to describe non-conformance ELF contents. Therefore poking at headers directly is not that uncommon.
The Poke types provided to denote ELF headers are Elf64_Ehdr
and Elf32_Ehdr
, for 64-bit and 32-bit ELF files respectively.
type Elf32_Ehdr = struct { Elf_Ident e_ident; Elf_Half e_type; Elf_Half e_machine; Elf_Word e_version = ELF_EV_CURRENT; Elf32_Addr e_entry; Elf32_Off e_phoff; Elf32_Off e_shoff; Elf_Word e_flags; offset<Elf_Half,B> e_ehsize; offset<Elf_Half,B> e_phentsize; Elf_Half e_phnum; offset<Elf_Half,B> e_shentsize; Elf_Half e_shnum; Elf_Half e_shstrndx; };
type Elf64_Ehdr = struct { Elf_Ident e_ident; Elf_Half e_type; Elf_Half e_machine; Elf_Word e_version = ELF_EV_CURRENT; Elf64_Addr e_entry; Elf64_Off e_phoff; Elf64_Off e_shoff; Elf_Word e_flags; offset<Elf_Half,B> e_ehsize; offset<Elf_Half,B> e_phentsize; Elf_Half e_phnum; offset<Elf_Half,B> e_shentsize; Elf_Half e_shnum; Elf_Half e_shstrndx; };
e_ident
Is a field that describes the encoding of the contents that follow in
the ELF file. The data in this field is encoded in a clever way that
only requires to read the information byte by byte. This is
necessary, because part of the information stored in e_ident
is
precisely the encoding used by the data in the ELF file:
type Elf_Ident = struct { byte[4] ei_mag == [0x7fUB, 'E', 'L', 'F']; byte ei_class; byte ei_data; byte ei_version; byte ei_osabi; byte ei_abiversion; byte[7] ei_pad; };
Where:
ei_mag
Is the magic number identifying the ELF file. It is always 0x7F.
ei_class
Determines the class of the ELF file. This can be one of
ELF_CLASS_NONE
, ELF_CLASS_32
or ELF_CLASS_64
denoting and “invalid class”, a 32-bit ELF file and a 64-bit ELF
file respectively.
I personally have never come across an ELF file with
ELF_CLASS_NONE
. But if such class is found, it shall be
considered as a data integrity error. That is the approach
implemented in this pickle.
ei_data
Determines the encoding of the data in the file. This can be one of
ELF_DATA_NONE
, ELF_DATA_2LSB
or ELF_DATA_2MSB
,
denoting no encoding, 2’s complement and little endian, and 2’s
complement and big endian.
Note that at this point the only supported encoding for signed numbers in ELF files is 2’s complement.
This pickle considers an ELF file with encoding ELF_DATA_NONE
as a data integrity error.
ei_version
Is the ELF header version number. This must be ELF_EV_CURRENT
.
ei_osabi
Identifies the ABI or operating system (these concepts are mixed in
ELF) used by the ELF file. This must be one of the ELF_OSABI_*
values defined in elf-common.pk.
The ELF specification recommends this field to be
ELF_OSABI_NONE
, which actually identifies the “UNIX System V
ABI”.
ei_abiversion
Identifies the version of the ABI to which the ELF file is targeted.
The ELF spec points out that the purpose of this field is to
distinguish among incompatible versions of an ABI, and that its
interpretation ultimately depends on the value of ei_osabi
.
ei_pad
Are unused bytes. These bytes may be used for some particular purpose in future versions of the ELF specification, and currently they must be set to zero.
e_type
Identifies the kind of ELF file: whether it is an object file, an executable, a dynamic object or a core dump.
This field is checked against the file-types
configuration
parameter, and pretty-printed accordingly.
e_machine
Identifies the machine type on which the elf file is supposed to run.
When poke maps or constructs a Elf64_Ehdr
(or
Elf32_Edhr
) struct, it sets the global ELF machine to the value
of this field.
This field is checked against the machine-types
configuration
parameter, and pretty-printed accordingly.
e_version
Identifies the ELF version the ELF file conforms to. It must hold
ELF_EV_CURRENT
.
e_entry
Is the virtual memory address of the entry point of a process
executing the program in this ELF file. This can be 0#B
.
e_phoff
Is the file offset of the program header table. If the ELF file
doesn’t contain any segment, then the table is empty and this field
contains 0#B
.
e_shoff
Is the file offset of the section header table. If the ELF file
doesn’t contain any section, then the table is empty and this field
contains 0#B
.
e_flags
Is a bitmap of file flags. This field contains ORed ELF_EF_*
values.
This field is checked against the filed-flags
configuration
parameter, and pretty-printed accordingly.
e_ehsize
Is the size in bytes of the ELF header.
e_phentsize
Is the size in bytes of one entry in the program header table.
e_phnum
Is the number of entries in the program header table.
e_shentsize
Is the size in bytes of one entry in the section header table.
e_shnum
Is the number of entries in the section header table.
e_shstrndx
Is the index in the section header table of the entry associated with the string table that contains the names of the sections stored in the file.
If the ELF file doesn’t contain a section name string table (which is
uncommon but certainly possible) then this field contains
ELF_SHN_UNDEF
.
XXX
Next: ELF Section Headers, Previous: ELF File, Up: Top [Contents][Index]