ELF file: location data segment begins Why not be aligned?

Others 2020-04-04 08:43:59 views: null

problem:

Shown below, it is a first text section, data section is the second, the Align alignment: 0x1000 (4kb) are aligned.
Q: Why start position data segment virtual address is not 0x08049000?
Here Insert Picture Description

A:
The following picture shows the memory map after the program execution, the first segment is a text area, a second data region is read-only, read and write the third data region.

The following program runtime memory map can be known, the beginning of the region is read-only data 0x49000.

Consisting essentially 填充区域和.ctors,.dtors,.dynamic,.got部分(重定位完成后的只读数据区域), the starting position can virtual 0x08049f08 (ELF format according to the above second data segment to be loaded EFL规范p_vaddr ( mod PAGE_SIZE )=p_offset ( mod PAGE_SIZE )), it can be seen that the value from the memory 0x08049000 is 0x08049f08 fill value, and according to the above FIG. ELF format GNU_RELRO(memory address is just the tail of a memory page: 0x08049f08-0x0804a000), explained with reference to [3], the tail comprises a read only memory page data relocation.

And then the next memory page 0x084a000-0x084b000 is a readable and writable data segment ( 填充数据+只读数据)
Here Insert Picture Description
** Summary: ** can be seen from the distribution of memory, the starting position of the data segment 32 of the file is actually 0x08049000,
mainly comprising:填充区域 + 只读数据 + 读写数据 + 填充区域

Expansion: 64-bit ELF executables

The following is the file format of the document 64:

  • text section, data section is aligned 200,000.
  • Text segment in memory area can be used: 0x400000-0x600000
  • Region segment data memory space can be used: 0x600000-0x800000
  • text segment and data segment in the memory space, the intermediate data read-only area size 0x1000
    Here Insert Picture Description
    Here Insert Picture Description

summary

32, 64 can be seen that there are many bit ELF file text and data segments filled area intermediate section, it can be used as a storage location of virions

reference

elf official specification: http://refspecs.linuxbase.org/elf/elf.pdf
Linux / Unix environment in the analysis of the virus ELF format https://www2.isye.gatech.edu/~yxie77/computer_engineering.pdf
[3] Relevant to Executable and Linkable acronyms the Format (ELF) https://www.cs.stevens.edu/~jschauma/631/elf.html

Dr. 熊
Published 118 original articles · won praise 14 · views 50000 +
Private letter concerns

Guess you like

Origin blog.csdn.net/github_38641765/article/details/90404970
Recommended
The number of MaxKB GitHub Stars, an open source knowledge base question and answer system based on large language models, exceeded 5,000!
Ranking
Getting the basic concepts of ROS + catkin Profile
Spring Learning (2) --- Assembling Beans in the IoC Container
js to get the src attribute of the image regularly
STM32 is based on CubeIDE and HAL library basics entry study notes: Bluetooth WIFI STM32 connects to Alibaba Cloud
Short video learning - 3, pandas simple use of pivot_table
Print directory of project configuration log, output log
Understand the difference between vi and vim in Linux in 3 minutes
1 + x certificate Web front-end development HTML5 special exercises
mangodb save and insert the difference
7-1 Family tree processing (50 points) (binary tree solution)
Daily
More
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)

Code World

© 2018 codetd.com