Binary-level program analysis: Executable File Formats (Gang Tan, CSE) - PowerPoint PPT Presentation
1. Binary-level program analysis: Executable File Formats
   Gang Tan, CSE 597, Spring 2019, Penn State University
   * Some slides adapted from those by Tomás Sánchez López at http://www.tomas-sanchez.com/material/ELF.ppt

2. Executable File Formats
   • An executable file format
     – Specifies the format of executable files
     – Is consumed by loaders and linkers
   • An executable file is the input to binary analysis
   • Executable and Linkable Format (ELF)
     – Used by Unix-like systems
   • Portable Executable (PE)
     – Used by Windows

3. ELF Overview
   • Standard executable file format used in most Unix systems
     – Format for executable files, object code (.o), shared libraries (.so), and core dumps
   • Supports different processors and data encodings
   • Replaced older executable formats (a.out and COFF)
   • Official documentation
     – http://www.skyfree.org/linux/references/ELF_Format.pdf

4. Types of ELF Files
   • Three main types
     – Relocatable files (.o): code and data to be linked with other object files
       • gcc -c test.c -o test.o
     – Shared object files (.so): libraries
       • gcc -c -fPIC shared.c
       • gcc -shared -o libshared.so shared.o
     – Executable files
       • gcc test.o -o test

5. Two Views of Executables
   • Execution view
     – The object file as used for code execution
   • Linking view
     – The object file as it needs to be linked with other object files (e.g., libraries)

6. ELF File Layout
   • An ELF header
   • Program header table
     – For the execution view
     – Views the file as a series of segments
   • Section header table
     – For the linking view
     – Views the file as a series of sections
   * From Wiki

7. ELF Header
   • Info about
     – whether the file uses the 32- or 64-bit format,
     – whether it is big- or little-endian,
     – the ISA (x86, x64, SPARC, ...),
     – the execution entry point,
     – the program header table and section header table (their offsets in the file and the sizes of their entries),
     – ...

8. Program Header Table
   • For execution
     – Tells the system how to create a process in memory
   • The file is divided into segments, and each has
     – Type; requested memory location; permissions; size (in file and in memory)
     – E.g.,
       • code segment (readable and executable)
       • data segments (readable and writable, or just readable)
   • The loader uses this table
     – To load ELF segments into memory and assign permission bits

9. Segment Types
   LOAD      Portion of the file to be loaded into memory
   INTERP    Pointer to the dynamic linker for this executable (.interp section)
   DYNAMIC   Pointer to dynamic linking information (.dynamic section)

10. Example (readelf -l /bin/ls)

11. Loading and Executing an ELF Executable
   1. Open the file
   2. Map LOAD segments into memory and assign permission bits
   3. Call the dynamic linker (specified in the INTERP segment) and pass it info about the executable
      – Retrieve info from the DYNAMIC segment
      – Load required libraries into memory
      – ...
      – Transfer control to the execution entry point to start program execution
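As an added example (not from the slides or the course), the Python below reads the ELF header fields and program header table of slides 7-11 exactly as a loader does, using a constructed ELF64 image built inline, and applies the permission check a loader or auditor would run on the LOAD segments. It assumes a 64-bit little-endian file; the sample addresses and the function names are constructed for this example.

```python
# Added example (not from the slides): parse an ELF64 header and its program header
# table the way a loader reads them, then flag LOAD segments mapped writable+executable.
import struct

ELF_MAGIC = b"\x7fELF"
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP"}   # p_type values from the ELF spec
PF_X, PF_W, PF_R = 1, 2, 4                          # p_flags permission bits

def parse_elf64(data):
    """Return (header dict, list of segment dicts); handles 64-bit little-endian only."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:                # EI_CLASS=ELFCLASS64, EI_DATA=ELFDATA2LSB
        raise ValueError("example handles only 64-bit little-endian ELF")
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    f = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    hdr = {"type": f[0], "machine": f[1], "entry": f[3], "phoff": f[4],
           "phentsize": f[8], "phnum": f[9], "shoff": f[5], "shnum": f[11]}
    segs = []
    for i in range(hdr["phnum"]):
        # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
        p = struct.unpack_from("<IIQQQQQQ", data, hdr["phoff"] + i * hdr["phentsize"])
        segs.append({"type": PT_NAMES.get(p[0], hex(p[0])), "flags": p[1], "offset": p[2],
                     "vaddr": p[3], "filesz": p[5], "memsz": p[6]})
    return hdr, segs

def perm_string(flags):
    """readelf -l style permission string, e.g. 'R E' for a code segment."""
    return "".join(c if flags & b else " " for c, b in (("R", PF_R), ("W", PF_W), ("E", PF_X)))

def writable_and_executable(segs):
    """LOAD segments the loader would map with both write and execute permission."""
    return [s for s in segs if s["type"] == "LOAD" and s["flags"] & PF_W and s["flags"] & PF_X]

def build_sample():
    """Constructed image: header + 3 program headers, no segment contents (enough to parse)."""
    phdrs = [(1, PF_R | PF_X, 0x0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),          # code
             (1, PF_R | PF_W | PF_X, 0x1000, 0x601000, 0x601000, 0x200, 0x300, 0x1000),  # W+X data
             (2, PF_R | PF_W, 0x1100, 0x601100, 0x601100, 0x100, 0x100, 8)]              # DYNAMIC
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)          # class, data, version, OS ABI, pad
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400080, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)

if __name__ == "__main__":
    hdr, segs = parse_elf64(build_sample())
    for s in segs:
        print(f"{s['type']:8} [{perm_string(s['flags'])}] vaddr 0x{s['vaddr']:x} memsz 0x{s['memsz']:x}")
    print("W+X LOAD segments at:", [hex(s['vaddr']) for s in writable_and_executable(segs)])
```

The same parser works on a real x86-64 binary by passing `open(path, "rb").read()` instead of `build_sample()`; a LOAD segment reported as W+X is the condition that defeats the loader's permission bits from slide 8.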

12. Section Header Table
   • For the linking view
     – Contains info that describes the file's sections
   • Sections have
     – Name and type
     – Requested memory location at run time
     – Permissions

13. Important Sections
   .interp    Path name of the program interpreter (dynamic linker)
   .text      Code (executable instructions) of a program
   .data      Initialized data
   .bss       Uninitialized data
   .init      Executable instructions for process initialization
   .fini      Executable instructions for process termination
   .plt       Holds the procedure linkage table
   .rel.<x>   Relocation information for section <x>
   .dynamic   Dynamic linking information

14. Example (readelf -S /bin/ls)

15. The Process of Static Linking
   • Take multiple object files
   • Merge sections of the same type into the resulting object file
     – E.g., merge the text sections into one text section
   • Relocate code/data
     – With the help of relocation information

16. Static Linking Example
   file 1:
      #include <stdlib.h>   /* for exit() */
      int x = 5;
      extern int function();
      int main() {
        int r = x + function();
        exit(0);
      }
   file 2:
      int v = 10;
      int u = 32;
      int z;
      int function() { return v + u; }

17. Static Linking Example
   (Diagram: the relocatable object files' headers, system code, main(), function(), int x = 5, int v = 10 and int u = 32 are merged into the executable's .text and .data sections; uninitialized data goes to .bss.)
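As an added example (not from the slides or the course), this Python toy linker performs the two steps of slide 15, merging same-named sections and patching relocations, on constructed stand-ins for the two object files of slide 16. Each object's .text is an array of 4-byte address slots rather than machine code, relocations are absolute 32-bit addresses, and the names RelocatableObject, link and link_example are assumptions of this example.

```python
# Added example (not from the slides): a toy static linker that merges sections of
# the same name from several relocatable objects and resolves absolute 32-bit relocations.
import struct
from collections import namedtuple

# sections: {".text": bytes, ...}; symbols: {"x": (".data", offset_in_section)};
# relocs: [(".text", offset, "symbol")], each a 4-byte little-endian address slot to patch.
RelocatableObject = namedtuple("RelocatableObject", "name sections symbols relocs")

def link(objs, base=0x400000, order=(".text", ".data", ".bss")):
    """Merge same-named sections, assign addresses, patch relocations; return (sections, symbols)."""
    merged, placement = {}, {}
    for o in objs:
        for sec, data in o.sections.items():
            buf = merged.setdefault(sec, bytearray())
            placement[(o.name, sec)] = len(buf)   # where this object's piece landed
            buf += data
    sec_addr, addr = {}, base
    for sec in order:                             # lay merged sections out contiguously
        if sec in merged:
            sec_addr[sec], addr = addr, addr + len(merged[sec])
    sym_addr = {}
    for o in objs:
        for sym, (sec, off) in o.symbols.items():
            sym_addr[sym] = sec_addr[sec] + placement[(o.name, sec)] + off
    for o in objs:                                # apply relocations using final addresses
        for sec, off, sym in o.relocs:
            struct.pack_into("<I", merged[sec], placement[(o.name, sec)] + off, sym_addr[sym])
    return merged, sym_addr

# Constructed objects mirroring the slide: file 1 defines x and main() and references x and
# function(); file 2 defines v, u, z and function(). .text holds address slots, not code.
FILE1 = RelocatableObject("file1",
    {".text": bytes(8), ".data": struct.pack("<i", 5)},
    {"main": (".text", 0), "x": (".data", 0)},
    [(".text", 0, "x"), (".text", 4, "function")])
FILE2 = RelocatableObject("file2",
    {".text": bytes(8), ".data": struct.pack("<ii", 10, 32), ".bss": bytes(4)},
    {"function": (".text", 0), "v": (".data", 0), "u": (".data", 4), "z": (".bss", 0)},
    [(".text", 0, "v"), (".text", 4, "u")])

def link_example():
    """Link the two constructed objects; return (symbol addresses, patched .text slots)."""
    merged, syms = link([FILE1, FILE2])
    return syms, struct.unpack("<4I", merged[".text"])

if __name__ == "__main__":
    syms, words = link_example()
    print({name: hex(a) for name, a in syms.items()})
    print("patched .text address slots:", [hex(w) for w in words])
```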

18. Dynamically Linked Libraries
   • Need to be compiled position independent (PIC)
     – '-fPIC' in gcc
   • The main executable
     – Uses the Procedure Linkage Table (PLT) for calling functions in a library
     – Uses a Global Offset Table (GOT) with pointers to variables, created at compile and link time
     – Some performance cost through PLT/GOT calls

19. Static and Dynamic Linking
   (Diagram: Relocatable File 1 ... Relocatable File N -> Static Linking -> Executable Object File; the executable plus DLLs -> Dynamic Linker -> Execution.)

20. Key Take-Away
   • ELF supports both execution and linking views
   • Great support for static/dynamic linking, cross-compilation and others
