Analyzing Files With elfdump
Various tools are available to analyze the contents of an ELF file, including the standard Unix utilities dump(1), nm(1), and size(1). Under Oracle Solaris, these tools have been largely superseded by elfdump(1).
The ELF format organizes data into sections. Sections are in turn allocated to units known as segments. Some segments describe how portions of a file are mapped into memory. See mmapobj(2). These loadable segments can be displayed by using the elfdump(1) command and examining the LOAD entries.
$ elfdump -p -NPT_LOAD libfoo.so.1
Program Header[0]:
p_vaddr: 0 p_flags: [ PF_X PF_R ]
p_paddr: 0 p_type: [ PT_LOAD ]
p_filesz: 0x53c p_memsz: 0x53c
p_offset: 0 p_align: 0x10000
Program Header[1]:
p_vaddr: 0x1053c p_flags: [ PF_X PF_W PF_R ]
p_paddr: 0 p_type: [ PT_LOAD ]
p_filesz: 0x114 p_memsz: 0x13c
p_offset: 0x53c p_align: 0x10000
....
|
There are two loadable segments in the shared object libfoo.so.1, commonly referred to as the text and data segments. The text segment is mapped to allow reading and execution of its contents, PF_X PF_R. The data segment is mapped to also allow its contents to be modified, PF_W. The memory size, p_memsz, of the data segment differs from the file size, p_filesz. This difference accounts for the .bss section, which is part of the data segment, and is dynamically created when the segment is loaded.
Programmers usually think of a file in terms of the symbols that define the functions and data elements within their code. These symbols can be displayed using the -s option to elfdump. For example.
$ elfdump -sN.symtab libfoo.so.1
Symbol Table Section: .symtab
index value size type bind oth ver shndx name
....
[36] 0x00010628 0x00000028 OBJT GLOB D 0 .data data
....
[38] 0x00010650 0x00000028 OBJT GLOB D 0 .bss bss
....
[40] 0x00000520 0x0000000c FUNC GLOB D 0 .init _init
....
[44] 0x00000508 0x00000014 FUNC GLOB D 0 .text foo
....
[46] 0x0000052c 0x0000000c FUNC GLOB D 0 .fini _fini
|
The symbol table information displayed by elfdump includes the section the symbol is associated with. The elfdump -c option can be used to display information about these sections.
$ elfdump -c libfoo.so.1
....
Section Header[6]: sh_name: .text
sh_addr: 0x4f8 sh_flags: [ SHF_ALLOC SHF_EXECINSTR ]
sh_size: 0x28 sh_type: [ SHT_PROGBITS ]
sh_offset: 0x4f8 sh_entsize: 0
sh_link: 0 sh_info: 0
sh_addralign: 0x8
Section Header[7]: sh_name: .init
sh_addr: 0x520 sh_flags: [ SHF_ALLOC SHF_EXECINSTR ]
sh_size: 0xc sh_type: [ SHT_PROGBITS ]
sh_offset: 0x520 sh_entsize: 0
sh_link: 0 sh_info: 0
sh_addralign: 0x4
Section Header[8]: sh_name: .fini
sh_addr: 0x52c sh_flags: [ SHF_ALLOC SHF_EXECINSTR ]
sh_size: 0xc sh_type: [ SHT_PROGBITS ]
sh_offset: 0x52c sh_entsize: 0
sh_link: 0 sh_info: 0
sh_addralign: 0x4
....
Section Header[12]: sh_name: .data
sh_addr: 0x10628 sh_flags: [ SHF_WRITE SHF_ALLOC ]
sh_size: 0x28 sh_type: [ SHT_PROGBITS ]
sh_offset: 0x628 sh_entsize: 0
sh_link: 0 sh_info: 0
sh_addralign: 0x4
....
Section Header[14]: sh_name: .bss
sh_addr: 0x10650 sh_flags: [ SHF_WRITE SHF_ALLOC ]
sh_size: 0x28 sh_type: [ SHT_NOBITS ]
sh_offset: 0x650 sh_entsize: 0
sh_link: 0 sh_info: 0
sh_addralign: 0x4
....
|
The output from elfdump(1) in the above example shows the association of the functions _init, foo, and _fini to the sections .init, .text and .fini. These sections, because of their read-only nature, are part of the text segment.
Similarly, the data arrays data, and bss are associated with the sections .data and .bss respectively. These sections, because of their writable nature, are part of the data segment.
- © 2010, Oracle Corporation and/or its affiliates