英文:
Understanding SHT_NOTE section ".note.ABI-tag" of an ELF exectable
问题
I understand that you want to know how to manually extract information from an ELF executable file, specifically related to the ".note.ABI-tag" section. Below, I'll provide some guidance on how to extract this information manually from the binary file.
-
Section Headers Information:
You've already identified the relevant information about the ".shstrtab" section, sh_name offset, and sh_offset. This is a good starting point. -
Extracting Data from the ".note.ABI-tag" Section:
To manually extract information from the ".note.ABI-tag" section, you need to understand the format of the section and the data it contains.- The ".note.ABI-tag" section typically contains a series of "note" entries. Each entry has a specific format:
namesz(4 bytes): The size of the note's name field.descsz(4 bytes): The size of the note's descriptor (data) field.type(4 bytes): The type of the note.name(variable length, null-terminated): The name of the note.desc(variable length): The descriptor data.
You've already identified the sh_offset as 0x0254 and sh_size as 0x20 for this section. So, this section covers the data from 0x0254 to 0x0274.
- Start by reading the first 4 bytes at offset 0x0254. This will give you the
namesz. In your case, it's "04 00 00 00," which represents 4 bytes in little-endian format. - Next, read the next 4 bytes to get
descsz. It's "10 00 00 00," indicating 16 bytes. - The next 4 bytes represent
type. It's "01 00 00 00," which corresponds to type 1, "NT_GNU_ABI_TAG." - Now, you can use
nameszto determine the length of the name. Since it's 4 bytes, read the next 4 bytes as the null-terminated name. In your case, it should be "GNU."
At this point, you've extracted the name of the note, which is "GNU." You can continue reading the next 16 bytes as the descriptor data, which may contain additional information.
- The ".note.ABI-tag" section typically contains a series of "note" entries. Each entry has a specific format:
-
Interpreting the Descriptor Data:
The descriptor data may contain specific information about the ABI tag. In your example, it mentions "OS Linux 3.2.0." -
Additional Entries:
If there are multiple entries in the ".note.ABI-tag" section, you can repeat the above process to extract each entry's information sequentially.
Remember that this process requires a good understanding of the ELF file format and its specific sections. The ELF specification documents can provide detailed information on the format of sections like ".note.ABI-tag."
英文:
I'm trying to understand the Linux ELF executable file. I wrote a simple C "Hello World" programe and compiled it into executable using GCC.
For "Section Headers" I can understand the last one ".shstrtab" and the second one ".interp", for there are just some offsets allowing me to find out what is it refering to.
But for sction header ".note.ABI-tag" I'm just confused.
Content listed below comes from my HelloWorld executable:
...
00000230 01 00 00 00 00 00 00 00 2f 6c 69 62 36 34 2f 6c |......../lib64/l|
00000240 64 2d 6c 69 6e 75 78 2d 78 38 36 2d 36 34 2e 73 |d-linux-x86-64.s|
00000250 6f 2e 32 00 04 00 00 00 10 00 00 00 01 00 00 00 |o.2.............| <-- (5) start at 0x0254 (value: "0x04")
00000260 47 4e 55 00 00 00 00 00 03 00 00 00 02 00 00 00 |GNU.............|
00000270 00 00 00 00 04 00 00 00 14 00 00 00 03 00 00 00 |................| <-- (6) end at 0x0274 (note included)
00000280 47 4e 55 00 42 5c e5 58 cc 7b 78 91 e0 e1 b0 9a |GNU.B\.X.{x.....|
00000290 3d 09 5b 6a 03 c1 7c bb 01 00 00 00 01 00 00 00 |=.[j..|.........|
000002a0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000002b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...
000022a0 72 54 4d 43 6c 6f 6e 65 54 61 62 6c 65 00 00 2e |rTMCloneTable...|
000022b0 73 79 6d 74 61 62 00 2e 73 74 72 74 61 62 00 2e |symtab..strtab..|
000022c0 73 68 73 74 72 74 61 62 00 2e 69 6e 74 65 72 70 |shstrtab..interp|
000022d0 00 2e 6e 6f 74 65 2e 41 42 49 2d 74 61 67 00 2e |..note.ABI-tag..| <-- (3) name starts at 0x22d1
000022e0 6e 6f 74 65 2e 67 6e 75 2e 62 75 69 6c 64 2d 69 |note.gnu.build-i|
000022f0 64 00 2e 67 6e 75 2e 68 61 73 68 00 2e 64 79 6e |d..gnu.hash..dyn|
...
00002440 00 00 00 00 00 00 00 00 23 00 00 00 07 00 00 00 |........#.......| <-- (2) sh_name offset is 0x23
00002450 02 00 00 00 00 00 00 00 54 02 40 00 00 00 00 00 |........T.@.....|
00002460 54 02 00 00 00 00 00 00 20 00 00 00 00 00 00 00 |T....... .......| <-- (4) sh_offset = 0x0254, sh_size = 0x20
00002470 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00002480 00 00 00 00 00 00 00 00 31 00 00 00 07 00 00 00 |........1.......|
...
00002b00 00 00 00 00 00 00 00 00 11 00 00 00 03 00 00 00 |................|
00002b10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00002b20 ae 22 00 00 00 00 00 00 19 01 00 00 00 00 00 00 |."..............| <-- (1).shstrtab starts at 0x22ae
00002b30 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
00002b40 00 00 00 00 00 00 00 00 (end of the file) |........|
00002b48
What I'm able to understand is that:
- At position (1) (in section header ".shstrtab") it show that .shstrtab starts at 0x22ae
- At position (2) it shows that sh_name offset of this section is 0x23
- So I can find it's sh_name at position (3) (0x22ae + 0x23 = 0x22d1), it is ".note.ABI-tag"
- At position (4) it shows that sh_offset is 0x0254 while sh_size is 0x20
- So I can find the content from 0x0254 to 0x0274 (not included) (0x0254 + 0x20 = 0x0274)
And that's all the information I can find.
But what I cannot understand is:
why my ELF parser tell me that it can find more information:
Note Segment (offset=0x254, size=32)
Name="GNU"
Type=1
Type String="NT_GNU_ABI_TAG"
Description="OS Linux 3.2.0"
Where are those key and values come from? How can I find it manually?
The articles on the web seems not helping:
I've searched some articles and maybe this one is the most detail one: https://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-18048.html
But I still cannot get the point.
For example it says "each entry is an array of 4-byte words in the format of the target processor", so it seems that I should divide the bytes between 0x0254 (included) and 0x0274 (not included) into 8 "4 byte word", which should be:
1st word: 04 00 00 00
2nd word: 10 00 00 00
3rd word: 01 00 00 00
4th word: 47 4e 55 00
5th word: 00 00 00 00
6th word: 03 00 00 00
7th word: 02 00 00 00
8th word: 00 00 00 00
Then it says "The first namesz bytes in name contain a null-terminated character representation of the entry's owner or originator."
But in the 1st "4 byte word", "0x04" which is terminated by "0x00" is not a printable character but ASCII controll character "End of Transmission".
So basically the question is, how can I find manually from the binary file for those information showed by ELF parser?
答案1
得分: 2
1st word: 04 00 00 00 - n_namesz - 名字字段的字节长度。它是4 - "GNU"
2nd word: 10 00 00 00 - n_descsz - 描述字段的字节长度。
3rd word: 01 00 00 00 - n_type - NT_GNU_ABI_TAG标签(或ELF_NOTE_ABI或类似标签)
4th word: 47 4e 55 00 - "GNU" 带有零终止符
5th word: 00 00 00 00 - 操作系统描述符 - ELF_NOTE_OS_LINUX,
6th word: 03 00 00 00 - ABI的主要版本号
7th word: 02 00 00 00 - ABI的次要版本号
8th word: 00 00 00 00 - ABI的次次要版本号
英文:
Scraping it from elf(5) section Notes (Nhdr) I was able to determine:
1st word: 04 00 00 00 - n_namesz - the name of the name field in bytes. It is 4 - "GNU"
2nd word: 10 00 00 00 - n_descsz - The length of the descriptor field in bytes.
3rd word: 01 00 00 00 - n_type - The NT_GNU_ABI_TAG label (or ELF_NOTE_ABI or similar)
4th word: 47 4e 55 00 - "GNU" with zero terminator
5th word: 00 00 00 00 - OS descriptor - ELF_NOTE_OS_LINUX,
6th word: 03 00 00 00 - major version of the ABI
7th word: 02 00 00 00 - minor version of the ABI
8th word: 00 00 00 00 - subminor version of the ABI
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论