使用 readelf 查看 ELF 文件的 ELF header:
$ readelf -h /bin/echo
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x2be0
Start of program headers: 64 (bytes into file)
Start of section headers: 37336 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 13
Size of section headers: 64 (bytes)
Number of section headers: 30
Section header string table index: 29
(base) ➜ hd /bin/echo -n 64
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 03 00 3e 00 01 00 00 00 e0 2b 00 00 00 00 00 00 |..>......+......|
00000020 40 00 00 00 00 00 00 00 d8 91 00 00 00 00 00 00 |@...............|
00000030 00 00 00 00 40 00 38 00 0d 00 40 00 1e 00 1d 00 |....@.8...@.....|
00000040
// linux-4.19/include/uapi/linux/elf.h
// Number of bytes in the e_ident[] identification array at the start of the file.
#define EI_NIDENT 16
/*
 * ELF64 file header: the first 64 bytes of a 64-bit ELF file.
 * Each member below is annotated with its byte offset and size, so the
 * fields can be matched one-to-one against a hex dump of the file
 * (multi-byte fields are little-endian in the /bin/echo dump on this page).
 *
 * NOTE(review): every value here is taken verbatim from the file. A parser
 * that handles untrusted ELF input should check e_phoff / e_shoff, the
 * entry sizes and the entry counts against the real file size before
 * using them to index into the file.
 */
typedef struct elf64_hdr {
unsigned char e_ident[EI_NIDENT]; // off: 0, size: 16 Magic 7f 'E' 'L' 'F', then class, data encoding, version, OS/ABI, ABI version
Elf64_Half e_type; // off: 16, size: 2 Object file type (readelf "Type")
Elf64_Half e_machine; // off: 18, size: 2 Target architecture (readelf "Machine")
Elf64_Word e_version; // off: 20, size: 4 Object file version
Elf64_Addr e_entry; // off: 24, size: 8 Entry point virtual address
Elf64_Off e_phoff; // off: 32, size: 8 Program header table file offset
Elf64_Off e_shoff; // off: 40, size: 8 Section header table file offset
Elf64_Word e_flags; // off: 48, size: 4 Flags (readelf "Flags")
Elf64_Half e_ehsize; // off: 52, size: 2 Size of this header in bytes
Elf64_Half e_phentsize; // off: 54, size: 2 Size of one program header entry
Elf64_Half e_phnum; // off: 56, size: 2 Number of program header entries
Elf64_Half e_shentsize; // off: 58, size: 2 Size of one section header entry
Elf64_Half e_shnum; // off: 60, size: 2 Number of section header entries
Elf64_Half e_shstrndx; // off: 62, size: 2 Section header string table index
} Elf64_Ehdr;
// 长度 64 字节:对空指针 (Elf64_Ehdr *)0 加 1,得到的地址就是 sizeof(Elf64_Ehdr)
(gdb) p/d (Elf64_Ehdr *)0 + 1
$33 = 64
// include/uapi/linux/elf.h
// Fixed-width types used by the ELF64 header fields; the widths match the
// "size" column in the Elf64_Ehdr layout.
typedef __u16 Elf64_Half; // 2 bytes, unsigned
typedef __u32 Elf64_Word; // 4 bytes, unsigned
typedef __u64 Elf64_Addr; // 8 bytes, a virtual address
typedef __u64 Elf64_Off; // 8 bytes, an offset into the file
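Entry point address: 0x2be0
// 注意:e_entry 是虚拟地址,不是文件偏移。下面能直接用 -s 0x2be0 从文件中读到入口代码,应是因为入口所在 LOAD 段的文件偏移与虚拟地址相同(可用 readelf -l 确认);两者不同时需要先按程序头换算成文件偏移。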
cstool x64 $(hexdump -v -e '"\\\\""x" 1/1 "%02x" ""' /bin/echo -s 0x2be0 -n 26)
0 f3 0f 1e fa endbr64
4 31 ed xor ebp, ebp
6 49 89 d1 mov r9, rdx
9 5e pop rsi
a 48 89 e2 mov rdx, rsp
d 48 83 e4 f0 and rsp, 0xfffffffffffffff0
11 50 push rax
12 54 push rsp
13 4c 8d 05 56 30 00 00 lea r8, [rip + 0x3056]
// or
hd /bin/echo -s 0x2be0 -n 26
00002be0 f3 0f 1e fa 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 |....1.I..^H..H..|
00002bf0 f0 50 54 4c 8d 05 56 30 00 00 |.PTL..V0..|
00002bfa
cstool x64 "f3 0f 1e fa 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 f0 50 54 4c 8d 05 56 30 00 00"
0 f3 0f 1e fa endbr64
4 31 ed xor ebp, ebp
6 49 89 d1 mov r9, rdx
9 5e pop rsi
a 48 89 e2 mov rdx, rsp
d 48 83 e4 f0 and rsp, 0xfffffffffffffff0
11 50 push rax
12 54 push rsp
13 4c 8d 05 56 30 00 00 lea r8, [rip + 0x3056]
Start of program headers: 64 (bytes into file)
..
Size of program headers: 56 (bytes)
..
Number of program headers: 13