Understanding the SHT_NOTE section ".note.ABI-tag" of an ELF executable


Question

I understand that you want to know how to manually extract information from an ELF executable file, specifically related to the ".note.ABI-tag" section. Below, I'll provide some guidance on how to extract this information manually from the binary file.

  1. Section Headers Information:
    You've already identified the relevant information about the ".shstrtab" section, sh_name offset, and sh_offset. This is a good starting point.

  2. Extracting Data from the ".note.ABI-tag" Section:
    To manually extract information from the ".note.ABI-tag" section, you need to understand the format of the section and the data it contains.

    • The ".note.ABI-tag" section typically contains a series of "note" entries. Each entry has a specific format:
      • namesz (4 bytes): The size of the note's name field.
      • descsz (4 bytes): The size of the note's descriptor (data) field.
      • type (4 bytes): The type of the note.
      • name (variable length, null-terminated): The name of the note.
      • desc (variable length): The descriptor data.

    You've already identified the sh_offset as 0x0254 and sh_size as 0x20 for this section. So, this section covers the data from 0x0254 to 0x0274.

    • Start by reading the first 4 bytes at offset 0x0254. This will give you the namesz. In your case, it's "04 00 00 00," which represents 4 bytes in little-endian format.
    • Next, read the next 4 bytes to get descsz. It's "10 00 00 00," indicating 16 bytes.
    • The next 4 bytes represent type. It's "01 00 00 00," which corresponds to type 1, "NT_GNU_ABI_TAG."
    • Now, you can use namesz to determine the length of the name. Since it's 4 bytes, read the next 4 bytes as the null-terminated name. In your case, it should be "GNU."

    At this point, you've extracted the name of the note, which is "GNU." You can continue reading the next 16 bytes as the descriptor data, which may contain additional information.

  3. Interpreting the Descriptor Data:
    The descriptor data may contain specific information about the ABI tag. In your example, it mentions "OS Linux 3.2.0."

  4. Additional Entries:
    If there are multiple entries in the ".note.ABI-tag" section, you can repeat the above process to extract each entry's information sequentially.

Remember that this process requires a good understanding of the ELF file format and its specific sections. The ELF specification documents can provide detailed information on the format of sections like ".note.ABI-tag."

English:

I'm trying to understand the Linux ELF executable file. I wrote a simple C "Hello World" program and compiled it into an executable using GCC.

For "Section Headers" I can understand the last one ".shstrtab" and the second one ".interp", for there are just some offsets allowing me to find out what it is referring to.

But for section header ".note.ABI-tag" I'm just confused.

Content listed below comes from my HelloWorld executable:

...
00000230  01 00 00 00 00 00 00 00  2f 6c 69 62 36 34 2f 6c  |......../lib64/l|
00000240  64 2d 6c 69 6e 75 78 2d  78 38 36 2d 36 34 2e 73  |d-linux-x86-64.s|
00000250  6f 2e 32 00 04 00 00 00  10 00 00 00 01 00 00 00  |o.2.............| <-- (5) start at 0x0254 (value: "0x04")
00000260  47 4e 55 00 00 00 00 00  03 00 00 00 02 00 00 00  |GNU.............|
00000270  00 00 00 00 04 00 00 00  14 00 00 00 03 00 00 00  |................| <-- (6) end at 0x0274 (note included)
00000280  47 4e 55 00 42 5c e5 58  cc 7b 78 91 e0 e1 b0 9a  |GNU.B\.X.{x.....|
00000290  3d 09 5b 6a 03 c1 7c bb  01 00 00 00 01 00 00 00  |=.[j..|.........|
000002a0  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000002b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
...
000022a0  72 54 4d 43 6c 6f 6e 65  54 61 62 6c 65 00 00 2e  |rTMCloneTable...|
000022b0  73 79 6d 74 61 62 00 2e  73 74 72 74 61 62 00 2e  |symtab..strtab..|
000022c0  73 68 73 74 72 74 61 62  00 2e 69 6e 74 65 72 70  |shstrtab..interp|
000022d0  00 2e 6e 6f 74 65 2e 41  42 49 2d 74 61 67 00 2e  |..note.ABI-tag..| <-- (3) name starts at 0x22d1
000022e0  6e 6f 74 65 2e 67 6e 75  2e 62 75 69 6c 64 2d 69  |note.gnu.build-i|
000022f0  64 00 2e 67 6e 75 2e 68  61 73 68 00 2e 64 79 6e  |d..gnu.hash..dyn|
...
00002440  00 00 00 00 00 00 00 00  23 00 00 00 07 00 00 00  |........#.......| <-- (2) sh_name offset is 0x23
00002450  02 00 00 00 00 00 00 00  54 02 40 00 00 00 00 00  |........T.@.....|
00002460  54 02 00 00 00 00 00 00  20 00 00 00 00 00 00 00  |T....... .......| <-- (4) sh_offset = 0x0254, sh_size = 0x20
00002470  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
00002480  00 00 00 00 00 00 00 00  31 00 00 00 07 00 00 00  |........1.......|

...
00002b00  00 00 00 00 00 00 00 00  11 00 00 00 03 00 00 00  |................|
00002b10  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00002b20  ae 22 00 00 00 00 00 00  19 01 00 00 00 00 00 00  |."..............| <-- (1).shstrtab starts at 0x22ae
00002b30  00 00 00 00 00 00 00 00  01 00 00 00 00 00 00 00  |................|
00002b40  00 00 00 00 00 00 00 00  (end of the file)        |........|
00002b48

What I'm able to understand is that:

  • At position (1) (in section header ".shstrtab") it shows that .shstrtab starts at 0x22ae
  • At position (2) it shows that the sh_name offset of this section is 0x23
  • So I can find its sh_name at position (3) (0x22ae + 0x23 = 0x22d1); it is ".note.ABI-tag"
  • At position (4) it shows that sh_offset is 0x0254 while sh_size is 0x20
  • So I can find the content from 0x0254 to 0x0274 (not included) (0x0254 + 0x20 = 0x0274)

And that's all the information I can find.

But what I cannot understand is:

why my ELF parser tells me that it can find more information:

Note Segment (offset=0x254, size=32)
	Name="GNU"
	Type=1
	Type String="NT_GNU_ABI_TAG"
	Description="OS Linux 3.2.0"

Where do those keys and values come from? How can I find them manually?

The articles on the web don't seem to help:

I've searched some articles and maybe this one is the most detailed one: https://docs.oracle.com/cd/E23824_01/html/819-0690/chapter6-18048.html

But I still cannot get the point.

For example it says "each entry is an array of 4-byte words in the format of the target processor", so it seems that I should divide the bytes between 0x0254 (included) and 0x0274 (not included) into 8 "4-byte words", which should be:

1st word: 04 00 00 00
2nd word: 10 00 00 00
3rd word: 01 00 00 00
4th word: 47 4e 55 00
5th word: 00 00 00 00
6th word: 03 00 00 00
7th word: 02 00 00 00
8th word: 00 00 00 00

Then it says "The first namesz bytes in name contain a null-terminated character representation of the entry's owner or originator."

But in the 1st "4-byte word", "0x04", which is terminated by "0x00", is not a printable character but the ASCII control character "End of Transmission".

So basically the question is, how can I find manually in the binary file the information shown by the ELF parser?

Answer 1

Score: 2


Scraping it from elf(5) section Notes (Nhdr) I was able to determine:

1st word: 04 00 00 00 - n_namesz - the length of the name field in bytes. It is 4 - "GNU"
2nd word: 10 00 00 00 - n_descsz - The length of the descriptor field in bytes.
3rd word: 01 00 00 00 - n_type - The NT_GNU_ABI_TAG label (or ELF_NOTE_ABI or similar)
4th word: 47 4e 55 00 - "GNU" with zero terminator
5th word: 00 00 00 00 - OS descriptor - ELF_NOTE_OS_LINUX,
6th word: 03 00 00 00 - major version of the ABI
7th word: 02 00 00 00 - minor version of the ABI
8th word: 00 00 00 00 - subminor version of the ABI
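As an added example (not from the question or either answer), a small Python parser that walks the note records exactly as the answers above describe, fed with the bytes from 0x0254 onward copied from the question's hex dump. It goes one step beyond the 32-byte ".note.ABI-tag" section by continuing into the adjacent ".note.gnu.build-id" note at 0x0274 (type 3, descsz 0x14) to show the general 4-byte padding rule; the NT_* constants and the ELF_NOTE_OS table are the standard values from elf.h.

```python
import struct

# Bytes 0x0254..0x0297 copied from the question's hex dump: the 32-byte
# .note.ABI-tag section followed by the .note.gnu.build-id section.
NOTE_BYTES = bytes.fromhex(
    "04000000 10000000 01000000 474e5500"
    "00000000 03000000 02000000 00000000"
    "04000000 14000000 03000000 474e5500"
    "425ce558 cc7b7891 e0e1b09a 3d095b6a 03c17cbb"
)

NT_GNU_ABI_TAG = 1    # values from elf.h
NT_GNU_BUILD_ID = 3
ELF_NOTE_OS = {0: "Linux", 1: "GNU", 2: "Solaris2", 3: "FreeBSD"}


def align4(n):
    """Note name and descriptor are each padded to a 4-byte boundary."""
    return (n + 3) & ~3


def parse_notes(data, little_endian=True):
    """Walk a stream of Elf_Nhdr records and return (name, type, desc) tuples."""
    fmt = "<III" if little_endian else ">III"
    notes, off = [], 0
    while off + 12 <= len(data):
        namesz, descsz, ntype = struct.unpack_from(fmt, data, off)
        off += 12
        name = data[off:off + namesz].rstrip(b"\0").decode("ascii")
        off += align4(namesz)
        desc = data[off:off + descsz]
        off += align4(descsz)
        if len(desc) != descsz:           # refuse to read past the section
            raise ValueError("truncated note descriptor")
        notes.append((name, ntype, desc))
    return notes


def describe(name, ntype, desc, little_endian=True):
    """Render a note the way the asker's ELF parser prints it."""
    if name == "GNU" and ntype == NT_GNU_ABI_TAG and len(desc) == 16:
        fmt = "<IIII" if little_endian else ">IIII"
        os_id, major, minor, sub = struct.unpack(fmt, desc)
        return "OS %s %d.%d.%d" % (ELF_NOTE_OS.get(os_id, str(os_id)), major, minor, sub)
    if name == "GNU" and ntype == NT_GNU_BUILD_ID:
        return "Build ID: " + desc.hex()
    return "unknown note type %d, %d bytes" % (ntype, len(desc))


if __name__ == "__main__":
    for note in parse_notes(NOTE_BYTES):
        print(note[0], note[1], describe(*note))
```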

huangapple
  • Published on 2020-01-06 16:40:51
  • Please keep this link when reposting: https://go.coder-hub.com/59608986.html