ELF - My note for quick review

101 TL;DR

101 in a single image from Wikipedia:

ELF

• Executable and Linkable Fotmat.
• Major usage (in file header, offset 0x10)
  1. Executable
  2. Shared library
  3. Core file (core dump)
• The word segments is used at runtime (text segment, data segment, stack, heap). Sections means the functions in elf file. link time.

Header info

The ELF file header consists of two header, ELF header and program header table.

ELF header

• OSABI, ISA
• pointer to entry point

Program hader

The program header table tells the system how to create a process image (memory layout).

How ELF link libraries dynamically linked library

I don’t know why, but it took several hours to understand PLT and GOT…

• PLT(.plt): Procedure Linkage Table. One of ELF sections. A .plt section points to GOT. Caller sections call function by call name_in_pltsection.
• GOT(.got.plt): Global Offset Table. One of ELF sections. All shared library symbol, which are unknown untill runtime, are stored with the pair of real loaded address. The addresses of shared library is stored dynamicall when the functions called.
• Figures here helped me to get an concept of GOT/PLT: https://reverseengineering.stackexchange.com/a/19380
• https://www.youtube.com/watch?v=kUk5pw4w0h4.

Reference

• Wikipedia: https://en.wikipedia.org/wiki/Executable_and_Linkable_Format
• Video: In-depth: ELF - The Extensible & Linkable Format