ELF文件格式一例分析:以nasm生成一尽量小的ELF文件,以二进制方式,以objdump方式,以readelf方式,分析加载入内存及运行规律,得出结论。 编辑一个小的asm文件如下:
crq@ $ cat new18.asm
global _start
_start:
ud0
ud1
ud2很简单,只有 ud0, ud1, ud2 三个指令,都是产生非法 Opcode 码所用。编译生成ELF如下:
crq@ $ nasm -f elf new18.asm
crq@ $ ld new18.o
这样就生成了a.out是ELF格式文件,再使用objcopy除去无关紧要的节:
crq@ $ objcopy -S -R .comment -R .bss a.out
运行:
crq@ $ ./a.out
Illegal instruction
果如所料,程序接收到一个 SIGILL 信号默认动作是被 kill 掉了,再使用 objdump 反汇编一下:
crq@ $ objdump -d a.out
a.out: file format elf32-i386
Disassembly of section .text:
08048080 <.text>:
8048080: 0f ff (bad)
8048082: 0f b9 ud2b
8048084: 0f 0b ud2a
正文段只有三行汇编语言指令。文件大小:
crq@ $ ls -l a.out
-rwxr-xr-x 1 crq users 272 Nov 22 09:22 a.out
剩余 272 Bytes. 再使用 readelf 分析:
crq@ $ readelf -a a.out
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048080
Start of program headers: 52 (bytes into file)
Start of section headers: 152 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 40 (bytes)
Number of section headers: 3
Section header string table index: 2
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .text PROGBITS 08048080 000080 000006 00 AX 0 0 16
[ 2] .shstrtab STRTAB 00000000 000086 000011 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings)
I (info), L (link order), G (group), x (unknown)
O (extra OS processing required) o (OS specific), p (processor specific)
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x08048000 0x08048000 0x00086 0x00086 R E 0x1000
Section to Segment mapping:
Segment Sections...
00 .text
There is no dynamic segment in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
ELF Header部分正常,Section Headers中有三项,第一项按惯例为空的。 Program Headers只有一项。再印出二进制码如下:
crq@ $ hexdump -C a.out
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 |............4...|
00000020 98 00 00 00 00 00 00 00 34 00 20 00 01 00 28 00 |........4. ...(.|
00000030 03 00 02 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040 00 80 04 08 86 00 00 00 86 00 00 00 05 00 00 00 |................|
00000050 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000080 0f ff 0f b9 0f 0b 00 2e 73 68 73 74 72 74 61 62 |........shstrtab|
00000090 00 2e 74 65 78 74 00 00 00 00 00 00 00 00 00 00 |..text..........|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000000c0 0b 00 00 00 01 00 00 00 06 00 00 00 80 80 04 08 |................|
000000d0 80 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 10 00 00 00 00 00 00 00 01 00 00 00 03 00 00 00 |................|
000000f0 00 00 00 00 00 00 00 00 86 00 00 00 11 00 00 00 |................|
00000100 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
00000110
0x000~0x034 是 ELF Header; 0x034~0x054 是一项Program Headers; 0x054~0x080 是填充零字节; 0x080~0x086 是 .text 段内容; 0x086~0x098 是 .shstrtab 段内容; 0x098~0x110 是三项Section Headers; 对照 elf.h 文件分析如下:
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 |............4...|
00000020 98 00 00 00 00 00 00 00 34 00 20 00 01 00 28 00 |........4. ...(.|
00000030 03 00 02 00 |.... |
typedef struct elf32_hdr {
unsigned char e_ident[EI_NIDENT];
Elf32_Half e_type;
Elf32_Half e_machine;
Elf32_Word e_version;
Elf32_Addr e_entry; /* Entry point */
Elf32_Off e_phoff;
Elf32_Off e_shoff;
Elf32_Word e_flags;
Elf32_Half e_ehsize;
Elf32_Half e_phentsize;
Elf32_Half e_phnum;
Elf32_Half e_shentsize;
Elf32_Half e_shnum;
Elf32_Half e_shstrndx;
} Elf32_Ehdr;其中 ELF32_Half 是16位,其余类型 ELF32_Word, ELF32_Addr, ELF32_Off 等都是32位。 宏 EI_NIDENT 定义为 16,即 ELF Header 头部有16Bytes特征字节。
00000030 01 00 00 00 00 00 00 00 00 80 04 08 | ............|
00000040 00 80 04 08 86 00 00 00 86 00 00 00 05 00 00 00 |................|
00000050 00 10 00 00 |.... |
typedef struct elf32_phdr{
Elf32_Word p_type;
Elf32_Off p_offset;
Elf32_Addr p_vaddr;
Elf32_Addr p_paddr;
Elf32_Word p_filesz;
Elf32_Word p_memsz;
Elf32_Word p_flags;
Elf32_Word p_align;
} Elf32_Phdr;
00000080 0f ff 0f b9 0f 0b |...... |
00000080 00 2e 73 68 73 74 72 74 61 62 | ..shstrtab|
00000090 00 2e 74 65 78 74 00 00 |..text.. |
00000090 00 00 00 00 00 00 00 00 | ........|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000c0 0b 00 00 00 01 00 00 00 06 00 00 00 80 80 04 08 |................|
000000d0 80 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 |................|
000000e0 10 00 00 00 00 00 00 00 |........ |
000000e0 01 00 00 00 03 00 00 00 | ........|
000000f0 00 00 00 00 00 00 00 00 86 00 00 00 11 00 00 00 |................|
00000100 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
typedef struct {
Elf32_Word sh_name;
Elf32_Word sh_type;
Elf32_Word sh_flags;
Elf32_Addr sh_addr;
Elf32_Off sh_offset;
Elf32_Word sh_size;
Elf32_Word sh_link;
Elf32_Word sh_info;
Elf32_Word sh_addralign;
Elf32_Word sh_entsize;
} Elf32_Shdr;又查阅 nasmdoc.txt 一文中对这三个 UD 指令的描述如下:
B.4.320 `UD0', `UD1', `UD2': Undefined Instruction
UD0 ; 0F FF [186,UNDOC]
UD1 ; 0F B9 [186,UNDOC]
UD2 ; 0F 0B [186]
`UDx' can be used to generate an invalid opcode exception, for
testing purposes.
`UD0' is specifically documented by AMD as being reserved for this
purpose.
`UD1' is documented by Intel as being available for this purpose.
`UD2' is specifically documented by Intel as being reserved for this
purpose. Intel document this as the preferred method of generating
an invalid opcode exception.
All these opcodes can be used to generate invalid opcode exceptions
on all currently available processors.有趣的是,注意 objdump 的这一段输出:
8048080: 0f ff (bad)
8048082: 0f b9 ud2b
8048084: 0f 0b ud2a
在 nasm 中的三条合法指令在 GNU as 中是只有两条合法的,并且名称也不相同,ud2a 和 ud2b,三条用途都是产生 opcode 异常。
Tags: ELF Linux assembly
