Executable File Format
Wei Wang
CS4630/CS6501 1
Spring 2016 Defense Against the Dark Arts
Viruses
● File infection
● Types of viruses
● Detection of viruses
● Anti-anti-virus
Compiler, Linker and Loader
(Diagram: the executable file a.out on disk is loaded into the memory of a new process)
Compiler, Linker and Loader cont'd
● Compiler transforms source code into binary machine code (object code)
– Example: gcc, Clang, vc_compilerCTP.exe
● Linker takes object files and library files, and combines them into a single executable file or library file
– Example: GNU ld, lld, LINK.exe
● Loader loads an executable file and libraries into memory to start a new process (part of the OS)
– Executable loader: loads executable files
● Example: execve (system call)
– Dynamic linking loader: loads dynamic libraries
● Example: ld-linux.so
Compiler, Linker and Loader cont'd
More about Loader
● Brings an executable file and the required libraries on disk into memory to start a new process
● Tasks:
– Copy executable file code (text section) and global variables (data section) into memory
– Copy arguments and environment variables into memory
– Initialize registers
– Jump to the start of the program to execute (_start function)
– Load dynamic libraries (map dynamic library code into memory)
Compiler, Linker and Loader cont'd
● For compiler, linker and loader to work properly, they have to agree on the format of object files, executable files and library files
● The most common formats are:
– ELF on *nix: Executable and Linkable Format
– PE on Windows: Portable Executable
– Mach-O on OS X
The ELF Format
● Executable and Linkable Format
● Defines format for:
– Executables
– Object files
– Dynamic libraries (shared libraries)
– Core dumps
ELF Format Examples
● ELF Header: basic identification information of this file
● Program header table: location of text and data sections
● Text section: the code
● Relocation information: for relocatable text and data
(Diagram: ELF file layout from the start of the file: ELF Header, Program Header Table, Other Sections, Text Section, Other Sections, Data Section, Other Sections, Relocation Information, Symbol Table)
ELF Format Examples (cont'd)
● Data sections:
– .rodata: read-only
– .bss: uninitialized global variables
– .data: initialized global variables
(Diagram: ELF file layout: ELF Header, Program Header Table, Other Sections, Text Section, Other Sections, Data Section)
ELF Format Examples (cont'd)
● Symbol table: locate program symbolic definition (e.g., exported function name)
● Section header table:
(Diagram: ELF file layout: ELF Header, Program Header Table, Other Sections, Text Section, Other Sections, Data Section, Other Sections)
ELF File to Process Memory
(Diagram: an ELF executable on disk (ELF Header, Program Header Table, Other Sections, Text Section, Other Sections, Data Section) mapped into process memory, which also holds the stack, the heap and kernel memory)
Analyzing ELF Files
● readelf: Display information about ELF files
– readelf -h executable
● Show ELF header
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048330
Analyzing ELF Files cont'd
● readelf -S executable
– Show section information
(Addr: section address in memory; Off: section address in the file; Flg: section flags)
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 08048134 000134 000013 00 A 0 0 1
. . .
[ 5] .dynsym DYNSYM 080481ac 0001ac 000060 10 A 6 1 4
[ 6] .dynstr STRTAB 0804820c 00020c 000053 00 A 0 0 1
. . .
[ 9] .rel.dyn REL 0804828c 00028c 000008 08 A 5 0 4
. . .
[13] .text PROGBITS 08048330 000330 0001d2 00 AX 0 0 16
[24] .data PROGBITS 08049750 000750 000008 00 WA 0 0 4
[28] .debug_info PROGBITS 00000000 00079e 0000d6 00 0 0 1
Analyzing ELF Files cont'd
● Each section also has a flag field (Flg)
● At the end of the readelf -S output, the flag letters are explained
● The flag bits determine whether a section can be read, written, executed, etc., NOT the section name; viruses might modify the flag bits so that a .text section becomes writable!
Analyzing ELF Files cont'd
● readelf has many other useful options
– Read the man page for more information
● objdump: the disassembler
● hexdump: raw hexadecimal dump
● file: determine file type
– file executable
● For more information, Google “ELF format specification”
The PE Format
● Portable Executable
● Also called PE32 (because it is 32-bit code); PE32+ is for 64-bit code
● Older formats exist for 16-bit DOS and Windows 3.1
The PE Format cont'd
● Similar to ELF format
– PE header and DOS header
– Text and data sections
– Relocation information
– Symbol table
– Debug information
– And other sections
● Common sections are .text (for code), .data (read/write data), .rdata (read-only data), .reloc (relocation data used to build IATs)
PE Format Example
(Diagram: PE file layout from the start of the file: DOS HEADER, PE HEADER, Section Table, Text Section, Data Section, Other Sections, .reloc section)
DOS Header
● If a program is invoked within a DOS command prompt window, it starts executing here
● For most PE32 executables, the DOS header contains a tiny executable that prints “This application must be run from Windows”, then exits
Dead Space in Executable File Formats
● There are empty spaces in executable files
– The beginning of ELF files
– Empty spaces between functions
– Empty spaces between sections
– Nops in functions
– Some linkers align the executable file to page boundaries
● Simplifies the loader's job
Executable File Format and Viruses
● Question: Why do we care about the details of the PE file format?
● Answer: Because a virus writer will try to infect the PE file in such a way as to make the virus code execute, while making the PE file look as it would normally look. The job of anti-virus software is to find well-disguised viruses.
● Dead spaces are perfect locations to hide viruses
– The CIH virus breaks itself into parts and hides them in the dead spaces between PE sections
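An added example, not part of the original slides, in Python: it applies two of the defender-side checks these slides motivate to an ELF32 section table (the format the readelf slides cover, rather than PE), namely the readelf -S flag check for a .text section whose flag bits have become writable, and a scan of the dead space between sections for bytes that are not the zero padding a linker leaves there. The ELF image, the section bodies, the `stub` marker and the function names are all constructed for this example; a real file would be read with open(path, "rb").read().

```python
import struct
# Section-header flag bits and section types from the ELF specification
SHF_WRITE, SHF_ALLOC, SHF_EXECINSTR = 0x1, 0x2, 0x4
SHT_PROGBITS, SHT_STRTAB = 1, 3

def make_elf32(text_flags, slack=b"\0" * 16):
    # Constructed minimal ELF32 image (not loadable): header, .text body, `slack`
    # bytes of padding between sections, .data body, .shstrtab, 4 section headers
    text, data = b"\x31\xc0\xc3", b"\0" * 8            # tiny constructed section bodies
    shstrtab = b"\0.text\0.data\0.shstrtab\0"          # names at offsets 1, 7, 13
    text_off = 52                                       # right after the 52-byte header
    data_off = text_off + len(text) + len(slack)
    str_off = data_off + len(data)
    shoff = str_off + len(shstrtab)
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7   # ELF32, little endian, v1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048330, 0, shoff, 0,
                        52, 32, 0, 40, 4, 3)            # EXEC, i386, shnum=4, shstrndx=3
    def shdr(name, typ, flags, addr, off, size):
        return struct.pack("<IIIIIIIIII", name, typ, flags, addr, off, size, 0, 0, 1, 0)
    shdrs = (shdr(0, 0, 0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, text_flags, 0x8048330, text_off, len(text))
             + shdr(7, SHT_PROGBITS, SHF_WRITE | SHF_ALLOC, 0x8049750, data_off, len(data))
             + shdr(13, SHT_STRTAB, 0, 0, str_off, len(shstrtab)))
    return ehdr + text + slack + data + shstrtab + shdrs

def sections(blob):
    # Walk the section header table (what `readelf -S` prints) and return
    # (name, flags, file_offset, size) per section, names resolved via .shstrtab
    if blob[:6] != b"\x7fELF\x01\x01":
        raise ValueError("not a little-endian ELF32 file")
    shoff = struct.unpack_from("<I", blob, 32)[0]                 # e_shoff
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", blob, 46)
    hdrs = [struct.unpack_from("<IIIIIIIIII", blob, shoff + i * shentsize)
            for i in range(shnum)]
    str_base = hdrs[shstrndx][4]                                  # sh_offset of .shstrtab
    def name(i): return blob[str_base + i:blob.index(b"\0", str_base + i)].decode()
    return [(name(h[0]), h[2], h[4], h[5]) for h in hdrs]

def find_wx_sections(blob):
    # Sections whose flag bits say writable AND executable (readelf shows "WAX")
    return [n for n, f, _, _ in sections(blob) if f & SHF_WRITE and f & SHF_EXECINSTR]

def find_dirty_gaps(blob):
    # Padding between consecutive allocated sections that holds non-zero bytes:
    # the linker fills that dead space with zeros, so other content there is suspect
    alloc = sorted((o, s, n) for n, f, o, s in sections(blob) if f & SHF_ALLOC)
    return [(n1, n2, len(blob[o1 + s1:o2]))
            for (o1, s1, n1), (o2, _, n2) in zip(alloc, alloc[1:])
            if blob[o1 + s1:o2].strip(b"\0")]
```

Both checks are heuristics: a writable .text or non-zero padding is a reason to look closer with readelf and objdump, not proof of infection.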