hexdump elfデータ構造解析
stripからのつづき
hello4はいまのところ440byte
readelf,stripにできるところまでシェイプアップしました。
つぎはhexdumpでバイナリ的に解析して、さらにシェイプアップしてみます。
[hirasawa@ubunt1004-32-2 gcc-Programming-Kobo]$ hexdump -C hello4 00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............| 00000010 02 00 03 00 01 00 00 00 cc 80 04 08 34 00 00 00 |............4...| 00000020 18 01 00 00 00 00 00 00 34 00 20 00 03 00 28 00 |........4. ...(.| 00000030 04 00 03 00 01 00 00 00 00 00 00 00 00 80 04 08 |................| 00000040 00 80 04 08 fd 00 00 00 fd 00 00 00 05 00 00 00 |................| 00000050 00 10 00 00 01 00 00 00 fd 00 00 00 00 00 00 00 |................| 00000060 00 91 04 08 00 00 00 00 00 00 00 00 06 00 00 00 |................| 00000070 00 10 00 00 51 e5 74 64 00 00 00 00 00 00 00 00 |....Q.td........| 00000080 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 |................| 00000090 04 00 00 00 55 89 e5 53 83 ec 10 b8 04 00 00 00 |....U..S........| 000000a0 bb 01 00 00 00 8b 4d 08 8b 55 0c cd 80 89 45 f8 |......M..U....E.| 000000b0 8b 45 f8 83 c4 10 5b 5d c3 55 89 e5 53 b8 01 00 |.E....[].U..S...| 000000c0 00 00 8b 55 08 89 d3 cd 80 5b 5d c3 55 89 e5 83 |...U.....[].U...| 000000d0 ec 18 c7 44 24 04 07 00 00 00 c7 04 24 f6 80 04 |...D$.......$...| 000000e0 08 e8 ae ff ff ff 89 45 fc 8b 45 fc 89 04 24 e8 |.......E..E...$.| 000000f0 c5 ff ff ff c9 c3 68 65 6c 6c 6f 0a 00 00 2e 73 |......hello....s| 00000100 68 73 74 72 74 61 62 00 2e 74 65 78 74 00 2e 72 |hstrtab..text..r| 00000110 6f 64 61 74 61 00 00 00 00 00 00 00 00 00 00 00 |odata...........| 00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 00000140 0b 00 00 00 01 00 00 00 06 00 00 00 94 80 04 08 |................| 00000150 94 00 00 00 62 00 00 00 00 00 00 00 00 00 00 00 |....b...........| 00000160 04 00 00 00 00 00 00 00 11 00 00 00 01 00 00 00 |................| 00000170 02 00 00 00 f6 80 04 08 f6 00 00 00 07 00 00 00 |................| 00000180 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................| 00000190 01 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 |................| 000001a0 fd 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 |................| 000001b0 01 00 00 00 00 00 00 00 |........| 000001b8 [hirasawa@ubunt1004-32-2 gcc-Programming-Kobo]$
readelf -hでヘッダー情報をみると
[hirasawa@ubunt1004-32-2 gcc-Programming-Kobo]$ readelf -h hello4 ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel 80386 Version: 0x1 Entry point address: 0x80480cc Start of program headers: 52 (bytes into file) Start of section headers: 280 (bytes into file) Flags: 0x0 Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 3 Size of section headers: 40 (bytes) Number of section headers: 4 Section header string table index: 3
elfファイルの構造定義をみつけるべく、elf.hを検索すると
[hirasawa@ubunt1004-32-2 include]$ pwd
/usr/include
[hirasawa@ubunt1004-32-2 include]$ find . -type f -name elf.h -exec ls -ltr {} \;
-rw-r--r-- 1 root root 114504 2011-01-22 08:52 ./elf.h
-rw-r--r-- 1 root root 9902 2012-01-05 00:23 ./linux/elf.h
-rw-r--r-- 1 root root 1012 2011-01-22 08:35 ./sys/elf.h
[hirasawa@ubunt1004-32-2 include]$ むー、どれだよ わかんねーよw
一番でかい、./elf.hを見ることにする elf-headerは
typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf32_Half e_type; /* Object file type */
Elf32_Half e_machine; /* Architecture */
Elf32_Word e_version; /* Object file version */
Elf32_Addr e_entry; /* Entry point virtual address */
Elf32_Off e_phoff; /* Program header table file offset */
Elf32_Off e_shoff; /* Section header table file offset */
Elf32_Word e_flags; /* Processor-specific flags */
Elf32_Half e_ehsize; /* ELF header size in bytes */
Elf32_Half e_phentsize; /* Program header table entry size */
Elf32_Half e_phnum; /* Program header table entry count */
Elf32_Half e_shentsize; /* Section header table entry size */
Elf32_Half e_shnum; /* Section header table entry count */
Elf32_Half e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;
typedef struct
{
unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
Elf64_Half e_type; /* Object file type */
Elf64_Half e_machine; /* Architecture */
Elf64_Word e_version; /* Object file version */
Elf64_Addr e_entry; /* Entry point virtual address */
Elf64_Off e_phoff; /* Program header table file offset */
Elf64_Off e_shoff; /* Section header table file offset */
Elf64_Word e_flags; /* Processor-specific flags */
Elf64_Half e_ehsize; /* ELF header size in bytes */
Elf64_Half e_phentsize; /* Program header table entry size */
Elf64_Half e_phnum; /* Program header table entry count */
Elf64_Half e_shentsize; /* Section header table entry size */
Elf64_Half e_shnum; /* Section header table entry count */
Elf64_Half e_shstrndx; /* Section header string table index */
} Elf64_Ehdr;
みたいで
unsigned charは1B
Elf32_Halfは2B
Elf32_Swordは4B
Elf32_Wrod 4B
Elf32_Addr 4B
Elf42_Off 4B
だそうです。
32bit/64bit section-headeraは
typedef struct
{
Elf32_Word sh_name; /* Section name (string tbl index) */
Elf32_Word sh_type; /* Section type */
Elf32_Word sh_flags; /* Section flags */
Elf32_Addr sh_addr; /* Section virtual addr at execution */
Elf32_Off sh_offset; /* Section file offset */
Elf32_Word sh_size; /* Section size in bytes */
Elf32_Word sh_link; /* Link to another section */
Elf32_Word sh_info; /* Additional section information */
Elf32_Word sh_addralign; /* Section alignment */
Elf32_Word sh_entsize; /* Entry size if section holds table */
} Elf32_Shdr;
typedef struct
{
Elf64_Word sh_name; /* Section name (string tbl index) */
Elf64_Word sh_type; /* Section type */
Elf64_Xword sh_flags; /* Section flags */
Elf64_Addr sh_addr; /* Section virtual addr at execution */
Elf64_Off sh_offset; /* Section file offset */
Elf64_Xword sh_size; /* Section size in bytes */
Elf64_Word sh_link; /* Link to another section */
Elf64_Word sh_info; /* Additional section information */
Elf64_Xword sh_addralign; /* Section alignment */
Elf64_Xword sh_entsize; /* Entry size if section holds table */
} Elf64_Shdr;
つづいて program-headerは
typedef struct
{
Elf32_Word p_type; /* Segment type */
Elf32_Off p_offset; /* Segment file offset */
Elf32_Addr p_vaddr; /* Segment virtual address */
Elf32_Addr p_paddr; /* Segment physical address */
Elf32_Word p_filesz; /* Segment size in file */
Elf32_Word p_memsz; /* Segment size in memory */
Elf32_Word p_flags; /* Segment flags */
Elf32_Word p_align; /* Segment alignment */
} Elf32_Phdr;
typedef struct
{
Elf64_Word p_type; /* Segment type */
Elf64_Word p_flags; /* Segment flags */
Elf64_Off p_offset; /* Segment file offset */
Elf64_Addr p_vaddr; /* Segment virtual address */
Elf64_Addr p_paddr; /* Segment physical address */
Elf64_Xword p_filesz; /* Segment size in file */
Elf64_Xword p_memsz; /* Segment size in memory */
Elf64_Xword p_align; /* Segment alignment */
} Elf64_Phdr;
