linux二进制分析笔记-ELF节头(section header)

我的个人博客:www.saoguang.top
[TOC]

ELF节头(section header)

1. ELF头，ELF段头(Segments header),节头(section header)
2. 程序由段组成，段由节组成。
3. 有节，不一定有节头

ELF节头定义

32位的：

typedef struct {
    Elf32_Word   sh_name;//giving the location of a null-terminated string（也就是以null结尾的字符串的地址）
    Elf32_Word   sh_type;//节类型
    Elf32_Word   sh_flags;//节标志
    Elf32_Addr   sh_addr;//节地址
    Elf32_Off    sh_offset;//节偏移
    Elf32_Word   sh_size;//the section's size in bytes.(大小，字节)
    Elf32_Word   sh_link;
    Elf32_Word   sh_info;
    Elf32_Word   sh_addralign;
    Elf32_Word   sh_entsize;
} Elf32_Shdr;

查看更多信息：http://refspecs.linuxbase.org/elf/elf.pdf

ELF节类型

.bss

• 存储未初始化的全局数据，默认的当程序运行时，会被初始化为0。是data段的一部分。
• This section holds uninitialized data that contribute to the program’s memory image. By definition, the system initializes the data with zeros when the program begins to run. The section occupies no file space, as indicated by the section type, SHT_NOBITS.

.comment

• 版本控制信息（不知道啥用）
• This section holds version control information.

.data && .data1

• 存储已经初始化了的全局变量等数据
• These sections hold initialized data that contribute to the program’s memory image.

.debug

• 存储调试（符号调试）信息
• This section holds information for symbolic debugging. The contents are unspecified. All section names with the prefix .debug are reserved for future use.

.dynamic

• 动态链接信息
• This section holds dynamic linking information and has attributes such as SHF_ALLOC and SHF_WRITE. Whether the SHF_WRITE bit is set is determined by the operating system and processor.

.hash

• （有时也成为.gnu .hash）用于查询符号的哈希表（散列表）
• This section holds a symbol hash table
  下面的散列算法是用来在LinuxELF文件中查找符号名的。
• 用于查找Linux ELF文件中的符号名的散列算法

uint32_t
dl_new_hash(const char * s)
{
    uint32_t h = 5381;
    for(unsigned char c = *s; c != '\0'; c = *++s)
        h = h * 33 + c;//常写为h = ((h << 5) + h) + c
    return h;
}

.line

• 描述源代码与机器码之间的符号调试的行数信息。
• This section holds line number information for symbolic debugging, which describes the correspondence between the source program and the machine code. The contents are unspecified.

.note

• （…）
• This section holds information in the format that is described in the “Note Section” in Chapter 2.

.rodata && .rodata1

• 只读数据，例如C语言中的常量字符串 : printf("Hello world!");
• These sections hold read-only data that typically contribute to a non-writable segment in the process image. See “Program Header” in Chapter 2 for more information.
• 例如:
  

.shstrtab

• 节的名称字符串。
• This section holds section names

.strtab

• 当有符号表时该节有效，符号字符串表，会被.symtab中的ElfN_Sym结构中的st_name条目引用。
• This section holds strings, most commonly the strings that represent the names associated with symbol table entries. If a file has a loadable segment that includes the symbol string table, the section’s attributes will include the SHF_ALLOC bit; otherwise, that bit will be off.

.symtab

• 存储符号表，保存了ElfN_Sym类型的符号信息。
• This section holds a symbol table, as “Symbol Table” in this chapter describes. If a file has a loadable segment that includes the symbol table, the section’s attributes will include the SHF_ALLOC bit; otherwise, that bit will be off.

typedef struct {
    Elf32_Word    st_name;
    Elf32_Addr    st_value;
    Elf32_Word    st_size;
    unsigned char st_info;
    unsigned char st_other;
    Elf32_Half    st_shndx;
} Elf32_Sym;

.text

• 存储程序代码的段。
• This section holds the “text,” or executable instructions, of a program.

.plt

• 过程链接表（Procedure Linkage Table，PTL），包含了动态链接器从共享库导入的函数所必需的相关代码。存在于text段中

.got.plt

• .got节保存了全局偏移表。.got和.plt一起提供了对导入的共享库函数的访问入口，由动态链接器在运行时进行修改。

.dynsym

• 保存了从共享库导入的动态符号信息。存在于text段中

.dynstr

• 保存了动态符号字符串表。

.ctors && .dtors

• ctors(构造器)，dtors(析构器)。保存了指向构造函数和析构函数的地址。构造器在main函数执行之前执行，析构器在main函数执行之后被执行。
• 通常黑客和病毒编写者，会在构造器中，编写反调试函数实现。让调试器跟踪自身。