What is the space between [ELF Header] and [data segment]?
I compiled very very simple assembly code with nasm and ld under Linux (CentOS6 32bit).
nasm -f elf -o basic1.o basic1.asm
ld -o basic1 basic1.o
cat basic1.asm
;---------------------------------------
section .data
msg db 'hello world', 10, 00
section .bss
tests resd 100
segment .text
global _start
_start:
And, I execute the objdump with -x option.
basic1: file format elf32-i386
basic1
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048060
Program Header:
LOAD off 0x00000000 vaddr 0x08049000 paddr 0x08049000 align 2**12
filesz 0x00000061 memsz 0x000001f4 flags rw-
Sections:
Idx Name Size VMA LMA File off Algn
0 .data 0000000d 08049054 08049054 00000054 2**2
CONTENTS, ALLOC, LOAD, DATA
1 .bss 00000190 08049064 08049064 00000061 2**2
ALLOC
2 .comment 0000001f 00000000 00000000 00000061 2**0
CONTENTS, READONLY
SYMBOL TABLE:
08049054 l d .data 00000000 .data
08049064 l d .bss 00000000 .bss
00000000 l d .comment 00000000 .comment
00000000 l df *ABS* 00000000 basic1.asm
08049054 l .data 00000000 msg
08049064 l .bss 00000000 tests
08048060 g .data 00000000 _start
08049061 g *ABS* 00000000 __bss_start
08049061 g *ABS* 00000000 _edata
080491f4 g *ABS* 00000000 _end
According to Wikipedia's description, the ELF file structure has a header of size 0x34 in a 32-bit environment.
And the output of my compiled assembly code has a data segment at position 0x54.
So what code is in between 0x35 and 0x53?
When I saw the contents using the xxd command, I got the following results. What does this result mean?
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 0300 0100 0000 6080 0408 3400 0000 ........`...4...
0000020: b000 0000 0000 0000 3400 2000 0100 2800 ........4. ...(.
0000030: 0700 0400 0100 0000 0000 0000 0090 0408 ................
0000040: 0090 0408 6100 0000 f401 0000 0600 0000 ....a...........
0000050: 0010 0000 6865 6c6c 6f20 776f 726c 640a ....hello world.
0000060: 0000 5468 6520 4e65 7477 6964 6520 4173 ..The Netwide As
0000070: 7365 6d62 6c65 7220 302e 3939 2e30 3500 sembler 0.99.05.
0000080: 002e 7379 6d74 6162 002e 7374 7274 6162 ..symtab..strtab
0000090: 002e 7368 7374 7274 6162 002e 6461 7461 ..shstrtab..data
00000a0: 002e 6273 7300 2e63 6f6d 6d65 6e74 0000 ..bss..comment..
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000d0: 0000 0000 0000 0000 1b00 0000 0100 0000 ................
00000e0: 0300 0000 5490 0408 5400 0000 0d00 0000 ....T...T.......
00000f0: 0000 0000 0000 0000 0400 0000 0000 0000 ................
0000100: 2100 0000 0800 0000 0300 0000 6490 0408 !...........d...
0000110: 6100 0000 9001 0000 0000 0000 0000 0000 a...............
0000120: 0400 0000 0000 0000 2600 0000 0100 0000 ........&.......
0000130: 0000 0000 0000 0000 6100 0000 1f00 0000 ........a.......
0000140: 0000 0000 0000 0000 0100 0000 0000 0000 ................
0000150: 1100 0000 0300 0000 0000 0000 0000 0000 ................
0000160: 8000 0000 2f00 0000 0000 0000 0000 0000 ..../...........
0000170: 0100 0000 0000 0000 0100 0000 0200 0000 ................
0000180: 0000 0000 0000 0000 c801 0000 b000 0000 ................
0000190: 0600 0000 0700 0000 0400 0000 1000 0000 ................
00001a0: 0900 0000 0300 0000 0000 0000 0000 0000 ................
00001b0: 7802 0000 3500 0000 0000 0000 0000 0000 x...5...........
00001c0: 0100 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 5490 0408 ............T...
00001e0: 0000 0000 0300 0100 0000 0000 6490 0408 ............d...
00001f0: 0000 0000 0300 0200 0000 0000 0000 0000 ................
0000200: 0000 0000 0300 0300 0100 0000 0000 0000 ................
0000210: 0000 0000 0400 f1ff 0c00 0000 5490 0408 ............T...
0000220: 0000 0000 0000 0100 1000 0000 6490 0408 ............d...
0000230: 0000 0000 0000 0200 1600 0000 6080 0408 ............`...
0000240: 0000 0000 1000 0100 1d00 0000 6190 0408 ............a...
0000250: 0000 0000 1000 f1ff 2900 0000 6190 0408 ........)...a...
0000260: 0000 0000 1000 f1ff 3000 0000 f491 0408 ........0.......
0000270: 0000 0000 1000 f1ff 0062 6173 6963 312e .........basic1.
0000280: 6173 6d00 6d73 6700 7465 7374 7300 5f73 asm.msg.tests._s
0000290: 7461 7274 005f 5f62 7373 5f73 7461 7274 tart.__bss_start
00002a0: 005f 6564 6174 6100 5f65 6e64 00 ._edata._end.
In addition, what does the code after 0x80 that the comment segment ends mean?
YouHoGeon2 Answers
You can get a little more verbose information about how sections are placed in your ELF with readelf -S <your_file>. Then you may see there are some more sections before the .data, like
- empty section with 0 size at 0 align
.textsection where the code is stored.datawhere data is stored- ...
there are also some debugging sections like:
.shstrtab- Section header string table which simply stores names of other sections,- symbol table in
.symtab, .strtabwhere labels(strings) from your assembly code are stored
How sections are placed is controlled by ld's linker script which you can write by hand to place sections with more precision.
You my also remove those debugging sections with strip -R symtab <your_file>, but you cannot remove .shstrtable since it is generated after file is linked. Also dont forget that sections are aligned and there may be some "holes" between them.
So, both of your questions can be answered after you read file with readelf and then match it with ELF specification.
And the following are my assumptions:
Since somewhere there should be a section that holds other sections names (.shstrtab), i think this is what you see at 0x80:
0000080: 002e 7379 6d74 6162 002e 7374 7274 6162 ..symtab..strtab
0000090: 002e 7368 7374 7274 6162 002e 6461 7461 ..shstrtab..data
00000a0: 002e 6273 7300 2e63 6f6d 6d65 6e74 0000 ..bss..comment..
And there is an another section before the .data (before 0x53) which you gonna see later
Random GuyIt's the Program header, explained in the Wikipedia as well.
The e_phoff member of the ELF header (file offset 0x1C) has value 0x34, there are e_phnum (file offset 0x2C) or 1 entry (read: segments), so the program header ends at offset 0x54.
Besides the program and the file header there is also the Section header, starting at e_shoff (file offset 0x20) or 0xb0, containing 7 entries (file offset 0x30) and ending at offset 0x1c8.
Most of this sections are not shown by readelf by default.
You will find that the entry at index 4 (offset 0x150) is for the String table, starting at offset 0x80 (see value at 0x160) and of size 0x2e (see value at 0x164).
Thereby at 0x80 there are the strings used by the ELF structure itself.
Margaret BloomUser contributions licensed under CC BY-SA 3.0