search
githubEdit

ELF Basic Information

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag

hashtag
Program Headers

The describe to the loader how to load the ELF into memory:

readelf -lW lnstat

Elf file type is DYN (Position-Independent Executable file)
Entry point 0x1c00
There are 9 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R   0x8
  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R   0x1
      [Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000
  LOAD           0x00fc48 0x000000000001fc48 0x000000000001fc48 0x000528 0x001190 RW  0x10000
  DYNAMIC        0x00fc58 0x000000000001fc58 0x000000000001fc58 0x000200 0x000200 RW  0x8
  NOTE           0x000254 0x0000000000000254 0x0000000000000254 0x0000e0 0x0000e0 R   0x4
  GNU_EH_FRAME   0x003610 0x0000000000003610 0x0000000000003610 0x0001b4 0x0001b4 R   0x4
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x00fc48 0x000000000001fc48 0x000000000001fc48 0x0003b8 0x0003b8 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.gnu.build-id .note.ABI-tag .note.package .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 
   03     .init_array .fini_array .dynamic .got .data .bss 
   04     .dynamic 
   05     .note.gnu.build-id .note.ABI-tag .note.package 
   06     .eh_frame_hdr 
   07     
   08     .init_array .fini_array .dynamic .got

The previous program has 9 program headers, then, the segment mapping indicates in which program header (from 00 to 08) each section is located.

hashtag
PHDR - Program HeaDeR

Contains the program header tables and metadata itself.

hashtag
INTERP

Indicates the path of the loader to use to load the binary into memory.

hashtag
LOAD

These headers are used to indicate how to load a binary into memory. Each LOAD header indicates a region of memory (size, permissions and alignment) and indicates the bytes of the ELF binary to copy in there.

For example, the second one has a size of 0x1190, should be located at 0x1fc48 with permissions read and write and will be filled with 0x528 from the offset 0xfc48 (it doesn't fill all the reserved space). This memory will contain the sections .init_array .fini_array .dynamic .got .data .bss.

hashtag
DYNAMIC

This header helps to link programs to their library dependencies and apply relocations. Check the .dynamic section.

hashtag
NOTE

This stores vendor metadata information about the binary.

hashtag
GNU_EH_FRAME

Defines the location of the stack unwind tables, used by debuggers and C++ exception handling-runtime functions.

hashtag
GNU_STACK

Contains the configuration of the stack execution prevention defense. If enabled, the binary won't be able to execute code from the stack.

hashtag
GNU_RELRO

Indicates the RELRO (Relocation Read-Only) configuration of the binary. This protection will mark as read-only certain sections of the memory (like the GOT or the init and fini tables) after the program has loaded and before it begins running.

In the previous example it's copying 0x3b8 bytes to 0x1fc48 as read-only affecting the sections .init_array .fini_array .dynamic .got .data .bss.

Note that RELRO can be partial or full, the partial version do not protect the section .plt.got, which is used for lazy binding and needs this memory space to have write permissions to write the address of the libraries the first time their location is searched.

hashtag
TLS

Defines a table of TLS entries, which stores info about thread-local variables.

hashtag
Section Headers

Section headers gives a more detailed view of the ELF binary

It also indicates the location, offset, permissions but also the type of data it section has.

hashtag
Meta Sections

  • String table: It contains all the strings needed by the ELF file (but not the ones actually used by the program). For example it contains sections names like .text or .data. And if .text is at offset 45 in the strings table it will use the number 45 in the name field.

    • In order to find where the string table is, the ELF contains a pointer to the string table.

  • Symbol table: It contains info about the symbols like the name (offset in the strings table), address, size and more metadata about the symbol.

hashtag
Main Sections

  • .text: The instruction of the program to run.

  • .data: Global variables with a defined value in the program.

  • .bss: Global variables left uninitialized (or init to zero). Variables here are automatically intialized to zero therefore preventing useless zeroes to being added to the binary.

  • .rodata: Constant global variables (read-only section).

  • .tdata and .tbss: Like the .data and .bss when thread-local variables are used (__thread_local in C++ or __thread in C).

  • .dynamic: See below.

hashtag
Symbols

Symbols is a named location in the program which could be a function, a global data object, thread-local variables...

Each symbol entry contains:

  • Name

  • Binding attributes (weak, local or global): A local symbol can only be accessed by the program itself while the global symbol are shared outside the program. A weak object is for example a function that can be overridden by a different one.

  • Type: NOTYPE (no type specified), OBJECT (global data var), FUNC (function), SECTION (section), FILE (source-code file for debuggers), TLS (thread-local variable), GNU_IFUNC (indirect function for relocation)

  • Section index where it's located

  • Value (address sin memory)

  • Size

hashtag
Dynamic Section

The NEEDED directory indicates that the program needs to load the mentioned library in order to continue. The NEEDED directory completes once the shared library is fully operational and ready for use.

hashtag
Relocations

The loader also must relocate dependencies after having loaded them. These relocations are indicated in the relocation table in formats REL or RELA and the number of relocations is given in the dynamic sections RELSZ or RELASZ.

hashtag
Static Relocations

If the program is loaded in a place different from the preferred address (usually 0x400000) because the address is already used or because of ASLR or any other reason, a static relocation corrects pointers that had values expecting the binary to be loaded in the preferred address.

For example any section of type R_AARCH64_RELATIV should have modified the address at the relocation bias plus the addend value.

hashtag
Dynamic Relocations and GOT

The relocation could also reference an external symbol (like a function from a dependency). Like the function malloc from libC. Then, the loader when loading libC in an address checking where the malloc function is loaded, it will write this address in the GOT (Global Offset Table) table (indicated in the relocation table) where the address of malloc should be specified.

hashtag
Procedure Linkage Table

The PLT section allows to perform lazy binding, which means that the resolution of the location of a function will be performed the first time it's accessed.

So when a program calls to malloc, it actually calls the corresponding location of malloc in the PLT (malloc@plt). The first time it's called it resolves the address of malloc and stores it so next time malloc is called, that address is used instead of the PLT code.

hashtag
Program Initialization

After the program has been loaded it's time for it to run. However, the first code that is run isn't always the main function. This is because for example in C++ if a global variable is an object of a class, this object must be initialized before main runs, like in:

Note that these global variables are located in .data or .bss but in the lists __CTOR_LIST__ and __DTOR_LIST__ the objects to initialize and destruct are stored in order to keep track of them.

From C code it's possible to obtain the same result using the GNU extensions :

From a compiler perspective, to execute these actions before and after the main function is executed, it's possible to create a init function and a fini function which would be referenced in the dynamic section as INIT and FIN. and are placed in the init and fini sections of the ELF.

The other option, as mentioned, is to reference the lists __CTOR_LIST__ and __DTOR_LIST__ in the INIT_ARRAY and FINI_ARRAY entries in the dynamic section and the length of these are indicated by INIT_ARRAYSZ and FINI_ARRAYSZ. Each entry is a function pointer that will be called without arguments.

Moreover, it's also possible to have a PREINIT_ARRAY with pointers that will be executed before the INIT_ARRAY pointers.

hashtag
Initialization Order

  1. The program is loaded into memory, static global variables are initialized in .data and unitialized ones zeroed in .bss.

  2. All dependencies for the program or libraries are initialized and the the dynamic linking is executed.

  3. PREINIT_ARRAY functions are executed.

  4. INIT_ARRAY functions are executed.

  5. If there is a INIT entry it's called.

  6. If a library, dlopen ends here, if a program, it's time to call the real entry point (main function).

hashtag
Thread-Local Storage (TLS)

They are defined using the keyword __thread_local in C++ or the GNU extension __thread.

Each thread will maintain a unique location for this variable so only the thread can access its variable.

When this is used the sections .tdata and .tbss are used in the ELF. Which are like .data (initialized) and .bss (not initialized) but for TLS.

Each variable will hace an entry in the TLS header specifying the size and the TLS offset, which is the offset it will use in the thread's local data area.

The __TLS_MODULE_BASE is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module.

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag
PreviousBasic Stack Binary Exploitation MethodologyNextExploiting Tools

Last updated