ELF64 ===== What is ELF64? -------------- ELF64 is the 64-bit Executable and Linkable Format used on Unix-like systems. The ELF header (struct elf64_hdr) is located at the beginning of the object file and is used to locate all other parts of the file (sections, program headers, symbol tables, etc.). Object files (\*.o), shared objects and executables all start with this header. .. image:: ../_images/68747470733a2f2f692e696d6775722e636f6d2f4169394f714f422e706e67.png :alt: ELF header diagram :align: center Preface ------- A high-level view of an ELF file: .. image:: ../_images/479e744cf1e8b875f5f863c6611810a56dcd72d1fd8ac26ef937f6d33d42d4dbc62a656347a63085647c587c1b9f598a3239849e1198b500758796a4.png :alt: ELF file layout :align: center .. code-block:: c typedef struct elf64_hdr { unsigned char e_ident[EI_NIDENT]; /* ELF "magic number" */ Elf64_Half e_type; Elf64_Half e_machine; Elf64_Word e_version; Elf64_Addr e_entry; /* Entry point virtual address */ Elf64_Off e_phoff; /* Program header table file offset */ Elf64_Off e_shoff; /* Section header table file offset */ Elf64_Word e_flags; Elf64_Half e_ehsize; Elf64_Half e_phentsize; Elf64_Half e_phnum; Elf64_Half e_shentsize; Elf64_Half e_shnum; Elf64_Half e_shstrndx; } Elf64_Ehdr; ELF identification ------------------ code: `Linux elf.h `_ The ELF file always starts with the four bytes ``7f 45 4c 46`` (0x7f, 'E', 'L', 'F'). The first 16 bytes form the identification array (``e_ident``); the first byte (``0x7f``) marks the file as binary, and the next three bytes are the ASCII signature "ELF". .. code-block:: text e_ident (first 16 bytes, example for a 64-bit little-endian ELF): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .. image:: ../_images/b89533896a5f2d38cf09f1354e807b4f6276057affaf8fafe54372090ba70e9fae73f4e83a156800ff863c7a4196e99a73b8ffed8a0717b694c00ad3.png :alt: ELF magic bytes visualization :align: center ELFCLASS -------- The class byte (``e_ident[EI_CLASS]``) indicates 32-bit or 64-bit objects: - ``1`` = ELFCLASS32 (32-bit) - ``2`` = ELFCLASS64 (64-bit) The screenshot below compares a program compiled normally on a 64-bit host versus compiled with ``-m32`` (32-bit). .. image:: ../_images/587e7d3b9bdafd01ed1a1b4cc59a9a11d6e60d773336d7827385aab80b6e453fb1c4ae17ae0f4f5feadef9a8822d51794a8f07f5f7911975eb319853.png :alt: ELFCLASS 64-bit vs 32-bit comparison :align: center ELF file structure ------------------ - ``elf64_hdr``: elf header - ``elf64_shdr``: elf section header - ``elf64_phdr``: elf program header elf64_hdr --------- the definition .. code-block:: c typedef struct elf64_hdr { unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */ Elf64_Half e_type; /* Object file type */ Elf64_Half e_machine; /* Architecture */ Elf64_Word e_version; /* Object file version */ Elf64_Addr e_entry; /* Entry point virtual address */ Elf64_Off e_phoff; /* Program header table file offset */ Elf64_Off e_shoff; /* Section header table file offset */ Elf64_Word e_flags; /* Processor-specific flags */ Elf64_Half e_ehsize; /* ELF header size in bytes */ Elf64_Half e_phentsize; /* Program header table entry size */ Elf64_Half e_phnum; /* Program header table entry count */ Elf64_Half e_shentsize; /* Section header table entry size */ Elf64_Half e_shnum; /* Section header table entry count */ Elf64_Half e_shstrndx; /* Section names string table index */ } Elf64_Ehdr; link go to the definition ------------------------- .. _definition_hook: - :ref:`e_ident `: Magic number and other info - :ref:`e_type `: Object file type - :ref:`e_machine `: Architecture - :ref:`e_version `: Object file version - [e_entry](): Entry point virtual address - [e_phoff](): Program header table file offset - [e_shoff](): Section header table file offset - [e_flags](): Processor-specific flags - [e_ehsize](): ELF header size in bytes - [e_phentsize](): Program header table entry size - [e_phnum](): Program header table entry count - [e_shentsize](): Section header table entry size - [e_shnum](): Section header table entry count - [e_shstrndx](): Section names string table index the value (enum like) e_ident ------- .. _e_ident: INDEX: ``[0, 1, 2, 3]`` .. code-block:: c #define EI_MAG0 0 /* File identification byte 0 index */ #define ELFMAG0 0x7f /* Magic number byte 0 */ #define EI_MAG1 1 /* File identification byte 1 index */ #define ELFMAG1 'E' /* Magic number byte 1 */ #define EI_MAG2 2 /* File identification byte 2 index */ #define ELFMAG2 'L' /* Magic number byte 2 */ #define EI_MAG3 3 /* File identification byte 3 index */ #define ELFMAG3 'F' /* Magic number byte 3 */ INDEX: ``[4]`` .. code-block:: c #define ELFCLASSNONE 0 /* Invalid class */ #define ELFCLASS32 1 /* 32-bit objects */ #define ELFCLASS64 2 /* 64-bit objects */ #define ELFCLASSNUM 3 INDEX: ``[5]`` .. code-block:: c #define ELFDATANONE 0 /* Invalid data encoding */ #define ELFDATA2LSB 1 /* 2's complement, little endian */ #define ELFDATA2MSB 2 /* 2's complement, big endian */ #define ELFDATANUM 3 INDEX: ``[6]`` .. code-block:: c #define EI_VERSION 6 /* File version byte index */ /* Value must be EV_CURRENT */ INDEX: ``[7]`` .. code-block:: c #define ELFOSABI_NONE 0 /* UNIX System V ABI */ #define ELFOSABI_SYSV 0 /* Alias. */ #define ELFOSABI_HPUX 1 /* HP-UX */ #define ELFOSABI_NETBSD 2 /* NetBSD. */ #define ELFOSABI_GNU 3 /* Object uses GNU ELF extensions. */ #define ELFOSABI_LINUX ELFOSABI_GNU /* Compatibility alias. */ #define ELFOSABI_SOLARIS 6 /* Sun Solaris. */ #define ELFOSABI_AIX 7 /* IBM AIX. */ #define ELFOSABI_IRIX 8 /* SGI Irix. */ #define ELFOSABI_FREEBSD 9 /* FreeBSD. */ #define ELFOSABI_TRU64 10 /* Compaq TRU64 UNIX. */ #define ELFOSABI_MODESTO 11 /* Novell Modesto. */ #define ELFOSABI_OPENBSD 12 /* OpenBSD. */ #define ELFOSABI_ARM_AEABI 64 /* ARM EABI */ #define ELFOSABI_ARM 97 /* ARM */ #define ELFOSABI_STANDALONE 255 /* Standalone (embedded) application */ INDEX: ``[8]`` .. code-block:: c #define EI_ABIVERSION 8 /* ABI version */ INDEX: ``[9]`` .. code-block:: c #define EI_PAD 9 /* Byte index of padding bytes */ :ref:`back ` e_type ------ .. _e_type: .. code-block:: c #define ET_NONE 0 /* No file type */ #define ET_REL 1 /* Relocatable file */ #define ET_EXEC 2 /* Executable file */ #define ET_DYN 3 /* Shared object file */ #define ET_CORE 4 /* Core file */ #define ET_NUM 5 /* Number of defined types */ #define ET_LOOS 0xfe00 /* OS-specific range start */ #define ET_HIOS 0xfeff /* OS-specific range end */ #define ET_LOPROC 0xff00 /* Processor-specific range start */ #define ET_HIPROC 0xffff /* Processor-specific range end */ :ref:`back ` e_machine --------- .. _e_machine: .. code-block:: c #define EM_NONE 0 /* No machine */ #define EM_M32 1 /* AT&T WE 32100 */ #define EM_SPARC 2 /* SUN SPARC */ #define EM_386 3 /* Intel 80386 */ #define EM_68K 4 /* Motorola m68k family */ #define EM_88K 5 /* Motorola m88k family */ #define EM_IAMCU 6 /* Intel MCU */ #define EM_860 7 /* Intel 80860 */ #define EM_MIPS 8 /* MIPS R3000 big-endian */ #define EM_S370 9 /* IBM System/370 */ #define EM_MIPS_RS3_LE 10 /* MIPS R3000 little-endian */ /* reserved 11-14 */ #define EM_PARISC 15 /* HPPA */ /* reserved 16 */ #define EM_VPP500 17 /* Fujitsu VPP500 */ #define EM_SPARC32PLUS 18 /* Sun's "v8plus" */ #define EM_960 19 /* Intel 80960 */ #define EM_PPC 20 /* PowerPC */ #define EM_PPC64 21 /* PowerPC 64-bit */ #define EM_S390 22 /* IBM S390 */ #define EM_SPU 23 /* IBM SPU/SPC */ /* reserved 24-35 */ #define EM_V800 36 /* NEC V800 series */ #define EM_FR20 37 /* Fujitsu FR20 */ #define EM_RH32 38 /* TRW RH-32 */ #define EM_RCE 39 /* Motorola RCE */ #define EM_ARM 40 /* ARM */ #define EM_FAKE_ALPHA 41 /* Digital Alpha */ #define EM_SH 42 /* Hitachi SH */ #define EM_SPARCV9 43 /* SPARC v9 64-bit */ #define EM_TRICORE 44 /* Siemens Tricore */ #define EM_ARC 45 /* Argonaut RISC Core */ #define EM_H8_300 46 /* Hitachi H8/300 */ #define EM_H8_300H 47 /* Hitachi H8/300H */ #define EM_H8S 48 /* Hitachi H8S */ #define EM_H8_500 49 /* Hitachi H8/500 */ #define EM_IA_64 50 /* Intel Merced */ #define EM_MIPS_X 51 /* Stanford MIPS-X */ #define EM_COLDFIRE 52 /* Motorola Coldfire */ #define EM_68HC12 53 /* Motorola M68HC12 */ #define EM_MMA 54 /* Fujitsu MMA Multimedia Accelerator */ #define EM_PCP 55 /* Siemens PCP */ #define EM_NCPU 56 /* Sony nCPU embedded RISC */ #define EM_NDR1 57 /* Denso NDR1 microprocessor */ #define EM_STARCORE 58 /* Motorola Start*Core processor */ #define EM_ME16 59 /* Toyota ME16 processor */ #define EM_ST100 60 /* STMicroelectronic ST100 processor */ #define EM_TINYJ 61 /* Advanced Logic Corp. Tinyj emb.fam */ #define EM_X86_64 62 /* AMD x86-64 architecture */ #define EM_PDSP 63 /* Sony DSP Processor */ #define EM_PDP10 64 /* Digital PDP-10 */ #define EM_PDP11 65 /* Digital PDP-11 */ #define EM_FX66 66 /* Siemens FX66 microcontroller */ #define EM_ST9PLUS 67 /* STMicroelectronics ST9+ 8/16 mc */ #define EM_ST7 68 /* STmicroelectronics ST7 8 bit mc */ #define EM_68HC16 69 /* Motorola MC68HC16 microcontroller */ #define EM_68HC11 70 /* Motorola MC68HC11 microcontroller */ #define EM_68HC08 71 /* Motorola MC68HC08 microcontroller */ #define EM_68HC05 72 /* Motorola MC68HC05 microcontroller */ #define EM_SVX 73 /* Silicon Graphics SVx */ #define EM_ST19 74 /* STMicroelectronics ST19 8 bit mc */ #define EM_VAX 75 /* Digital VAX */ #define EM_CRIS 76 /* Axis Communications 32-bit emb.proc */ #define EM_JAVELIN 77 /* Infineon Technologies 32-bit emb.proc */ #define EM_FIREPATH 78 /* Element 14 64-bit DSP Processor */ #define EM_ZSP 79 /* LSI Logic 16-bit DSP Processor */ #define EM_MMIX 80 /* Donald Knuth's educational 64-bit proc */ #define EM_HUANY 81 /* Harvard University machine-independent object files */ #define EM_PRISM 82 /* SiTera Prism */ #define EM_AVR 83 /* Atmel AVR 8-bit microcontroller */ #define EM_FR30 84 /* Fujitsu FR30 */ #define EM_D10V 85 /* Mitsubishi D10V */ #define EM_D30V 86 /* Mitsubishi D30V */ #define EM_V850 87 /* NEC v850 */ #define EM_M32R 88 /* Mitsubishi M32R */ #define EM_MN10300 89 /* Matsushita MN10300 */ #define EM_MN10200 90 /* Matsushita MN10200 */ #define EM_PJ 91 /* picoJava */ #define EM_OPENRISC 92 /* OpenRISC 32-bit embedded processor */ #define EM_ARC_COMPACT 93 /* ARC International ARCompact */ #define EM_XTENSA 94 /* Tensilica Xtensa Architecture */ #define EM_VIDEOCORE 95 /* Alphamosaic VideoCore */ #define EM_TMM_GPP 96 /* Thompson Multimedia General Purpose Proc */ #define EM_NS32K 97 /* National Semi. 32000 */ #define EM_TPC 98 /* Tenor Network TPC */ #define EM_SNP1K 99 /* Trebia SNP 1000 */ #define EM_ST200 100 /* STMicroelectronics ST200 */ #define EM_IP2K 101 /* Ubicom IP2xxx */ #define EM_MAX 102 /* MAX processor */ #define EM_CR 103 /* National Semi. CompactRISC */ #define EM_F2MC16 104 /* Fujitsu F2MC16 */ #define EM_MSP430 105 /* Texas Instruments msp430 */ #define EM_BLACKFIN 106 /* Analog Devices Blackfin DSP */ #define EM_SE_C33 107 /* Seiko Epson S1C33 family */ #define EM_SEP 108 /* Sharp embedded microprocessor */ #define EM_ARCA 109 /* Arca RISC */ #define EM_UNICORE 110 /* PKU-Unity & MPRC Peking Uni. mc series */ #define EM_EXCESS 111 /* eXcess configurable cpu */ #define EM_DXP 112 /* Icera Semi. Deep Execution Processor */ #define EM_ALTERA_NIOS2 113 /* Altera Nios II */ #define EM_CRX 114 /* National Semi. CompactRISC CRX */ #define EM_XGATE 115 /* Motorola XGATE */ #define EM_C166 116 /* Infineon C16x/XC16x */ #define EM_M16C 117 /* Renesas M16C */ #define EM_DSPIC30F 118 /* Microchip Technology dsPIC30F */ #define EM_CE 119 /* Freescale Communication Engine RISC */ #define EM_M32C 120 /* Renesas M32C */ /* reserved 121-130 */ #define EM_TSK3000 131 /* Altium TSK3000 */ #define EM_RS08 132 /* Freescale RS08 */ #define EM_SHARC 133 /* Analog Devices SHARC family */ #define EM_ECOG2 134 /* Cyan Technology eCOG2 */ #define EM_SCORE7 135 /* Sunplus S+core7 RISC */ #define EM_DSP24 136 /* New Japan Radio (NJR) 24-bit DSP */ #define EM_VIDEOCORE3 137 /* Broadcom VideoCore III */ #define EM_LATTICEMICO32 138 /* RISC for Lattice FPGA */ #define EM_SE_C17 139 /* Seiko Epson C17 */ #define EM_TI_C6000 140 /* Texas Instruments TMS320C6000 DSP */ #define EM_TI_C2000 141 /* Texas Instruments TMS320C2000 DSP */ #define EM_TI_C5500 142 /* Texas Instruments TMS320C55x DSP */ #define EM_TI_ARP32 143 /* Texas Instruments App. Specific RISC */ #define EM_TI_PRU 144 /* Texas Instruments Prog. Realtime Unit */ /* reserved 145-159 */ #define EM_MMDSP_PLUS 160 /* STMicroelectronics 64bit VLIW DSP */ #define EM_CYPRESS_M8C 161 /* Cypress M8C */ #define EM_R32C 162 /* Renesas R32C */ #define EM_TRIMEDIA 163 /* NXP Semi. TriMedia */ #define EM_QDSP6 164 /* QUALCOMM DSP6 */ #define EM_8051 165 /* Intel 8051 and variants */ #define EM_STXP7X 166 /* STMicroelectronics STxP7x */ #define EM_NDS32 167 /* Andes Tech. compact code emb. RISC */ #define EM_ECOG1X 168 /* Cyan Technology eCOG1X */ #define EM_MAXQ30 169 /* Dallas Semi. MAXQ30 mc */ #define EM_XIMO16 170 /* New Japan Radio (NJR) 16-bit DSP */ #define EM_MANIK 171 /* M2000 Reconfigurable RISC */ #define EM_CRAYNV2 172 /* Cray NV2 vector architecture */ #define EM_RX 173 /* Renesas RX */ #define EM_METAG 174 /* Imagination Tech. META */ #define EM_MCST_ELBRUS 175 /* MCST Elbrus */ #define EM_ECOG16 176 /* Cyan Technology eCOG16 */ #define EM_CR16 177 /* National Semi. CompactRISC CR16 */ #define EM_ETPU 178 /* Freescale Extended Time Processing Unit */ #define EM_SLE9X 179 /* Infineon Tech. SLE9X */ #define EM_L10M 180 /* Intel L10M */ #define EM_K10M 181 /* Intel K10M */ /* reserved 182 */ #define EM_AARCH64 183 /* ARM AARCH64 */ /* reserved 184 */ #define EM_AVR32 185 /* Amtel 32-bit microprocessor */ #define EM_STM8 186 /* STMicroelectronics STM8 */ #define EM_TILE64 187 /* Tilera TILE64 */ #define EM_TILEPRO 188 /* Tilera TILEPro */ #define EM_MICROBLAZE 189 /* Xilinx MicroBlaze */ #define EM_CUDA 190 /* NVIDIA CUDA */ #define EM_TILEGX 191 /* Tilera TILE-Gx */ #define EM_CLOUDSHIELD 192 /* CloudShield */ #define EM_COREA_1ST 193 /* KIPO-KAIST Core-A 1st gen. */ #define EM_COREA_2ND 194 /* KIPO-KAIST Core-A 2nd gen. */ #define EM_ARCV2 195 /* Synopsys ARCv2 ISA. */ #define EM_OPEN8 196 /* Open8 RISC */ #define EM_RL78 197 /* Renesas RL78 */ #define EM_VIDEOCORE5 198 /* Broadcom VideoCore V */ #define EM_78KOR 199 /* Renesas 78KOR */ #define EM_56800EX 200 /* Freescale 56800EX DSC */ #define EM_BA1 201 /* Beyond BA1 */ #define EM_BA2 202 /* Beyond BA2 */ #define EM_XCORE 203 /* XMOS xCORE */ #define EM_MCHP_PIC 204 /* Microchip 8-bit PIC(r) */ #define EM_INTELGT 205 /* Intel Graphics Technology */ /* reserved 206-209 */ #define EM_KM32 210 /* KM211 KM32 */ #define EM_KMX32 211 /* KM211 KMX32 */ #define EM_EMX16 212 /* KM211 KMX16 */ #define EM_EMX8 213 /* KM211 KMX8 */ #define EM_KVARC 214 /* KM211 KVARC */ #define EM_CDP 215 /* Paneve CDP */ #define EM_COGE 216 /* Cognitive Smart Memory Processor */ #define EM_COOL 217 /* Bluechip CoolEngine */ #define EM_NORC 218 /* Nanoradio Optimized RISC */ #define EM_CSR_KALIMBA 219 /* CSR Kalimba */ #define EM_Z80 220 /* Zilog Z80 */ #define EM_VISIUM 221 /* Controls and Data Services VISIUMcore */ #define EM_FT32 222 /* FTDI Chip FT32 */ #define EM_MOXIE 223 /* Moxie processor */ #define EM_AMDGPU 224 /* AMD GPU */ /* reserved 225-242 */ #define EM_RISCV 243 /* RISC-V */ #define EM_BPF 247 /* Linux BPF -- in-kernel virtual machine */ #define EM_CSKY 252 /* C-SKY */ #define EM_LOONGARCH 258 /* LoongArch */ #define EM_NUM 259 /* Old spellings/synonyms. */ #define EM_ARC_A5 EM_ARC_COMPACT /* If it is necessary to assign new unofficial EM_* values, please pick large random numbers (0x8523, 0xa7f2, etc.) to minimize the chances of collision with official or non-GNU unofficial values. */ #define EM_ALPHA 0x9026 :ref:`back ` e_version --------- .. _e_version: .. code-block:: c #define EV_NONE 0 /* Invalid ELF version */ #define EV_CURRENT 1 /* Current version */ #define EV_NUM 2 :ref:`back ` elf64_shdr ---------- All data stores in a sections in an Elf object file. Sections identified by index in the section header table. .. code-block:: c typedef struct { Elf64_Word sh_name; /* Section name (string tbl index) */ Elf64_Word sh_type; /* Section type */ Elf64_Xword sh_flags; /* Section flags */ Elf64_Addr sh_addr; /* Section virtual addr at execution */ Elf64_Off sh_offset; /* Section file offset */ Elf64_Xword sh_size; /* Section size in bytes */ Elf64_Word sh_link; /* Link to another section */ Elf64_Word sh_info; /* Additional section information */ Elf64_Xword sh_addralign; /* Section alignment */ Elf64_Xword sh_entsize; /* Entry size if section holds table */ } Elf64_Shdr; :ref:`back `