Several command to view the ELF file "secret"

Starters: No. [public] Programming Pearls

Author: Mr. Rye

Website: https://www.yanbinghu.com/2019/10/13/54745.html

Foreword

In Linux, the format is ELF executable file format, but there are some commands that can help us understand them more "secret" in order to help us solve the problem.

The sample program

Our sample program is as follows:

//来源：公众号【编程珠玑】
//hello.c
#include<stdio.h>
int main(int argc,char *argv[])
{
    printf("hello shouwangxiansheng\n");
    return 0 ;
}

Compile:

$ gcc -o hello hello.c

Get hello executable.

View file types

file command can be used to view the file types:

$ file hello
hello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.32, BuildID[sha1]=8f1de0f59bdfe9aaff85ade6898173aa436b296a, not stripped

From the results, we can know that it is the ELF executable file, and is a 64-bit program, there are dynamically linked, not stripped last also shows that it retains the symbol table information or debugging information.

If it is not an executable file, its information is what is it? for example:

$ file hello.c
hello.c: C source, UTF-8 Unicode text

See the bar.

View ELF header

readelf for viewing ELF file, and:

$ readelf -h hello
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
(略)

We can see that it is EXEC, you can execute the file, and the small end of the program, which runs on X86-64. In cross-compiler, when the header information is also very useful. For example, you cross on x86 machines powerpc compiled executable file, but not recognized by powerpc, can not run, it is better to see it with readelf the Machine field, is not no good compiler.

Find string ELF file

For example, you write a version number or special character string in a file, you can search through the strings command:

$ strings hello|grep shouwang
hello shouwangxiansheng

View ELF file size of each segment

$ size hello
   text       data     bss     dec     hex filename
   1210        552       8    1770     6ea hello

Here you can see the code segment, the number of each data segment accounted for, when necessary, can also optimize the code needed to reduce the disk space occupied.

View dynamic link library

Can not find the dynamic run-time library? It is better to look at the link which libraries it:

$ ldd hello
    linux-vdso.so.1 =>  (0x00007ffd16386000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f507e083000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f507e44d000)

It can be seen that the dynamic link library is /lib/x86_64-linux-gnu/libc.so.6, and if the file does not exist, an error will occur at runtime. Here you can also refer to " Creating and using dynamic libraries ."

Check the symbol table

Add new functions or global variables do not know if I have translated into? There is no symbol table to see how it (the premise is the symbol table is not removed):

$ nm hello |grep main  #符号表中查找main函数
                 U __libc_start_main@@GLIBC_2.2.5
0000000000400526 T main

If none is found, or in front of a U, no address, indicating that this function is not defined in this document elf.

Useful links when something goes wrong with Austria.

ELF file for the weight-loss

Front view files when file by and saw not stripped of words, since it contains a number of symbol table information, because the file will be slightly larger, if removed, the binary file will be smaller, but there will be no symbol table information , the problem will affect the positioning.

$ ls -lh hello  #瘦身前
-rwxrwxr-x 1 root root 8.4K
$ strip hello
$ ls -lh hello #瘦身后
-rwxrwxr-x 1 root root 6.2K

It can be seen after slimming binary file smaller. When the greater the executable file, slimming effect will be more obvious. Of course not worry, this will not affect the normal operation of the program, only to debug and locate the problem affected.

This time look at the symbol table:

$ nm hello
nm: hello: no symbols

Print file checksum

Binary file transfer process has not been damaged or whether it is the same version, to see the block checksum and count it:

$ sum hello
33513     7

Of course, you can also use:

$ md5sum hello
521efed706c3b485dd3b5e96e48b138a  hello

To compare md5 value.

to sum up

ELF file hidden wealth of information, if used properly, it will help us better locate or develop problems.