x86 Disassembly/Linux Executable Files
The Linux Executable Files page of the X86 Disassembly Wikibook is a stub. You can help by expanding this section.
The ELF file format (short for Executable and Linking Format) was developed by Unix System Laboratories to be a successor to previous file formats such as COFF and a.out. In many respects, the ELF format is more powerful and versatile than previous formats, and has widely become the standard on Linux, Solaris, IRIX, and FreeBSD (although the FreeBSD-derived Mac OS X uses the Mach-O format instead). ELF has also been adopted by OpenVMS for Itanium and BeOS for x86.
Historically, Linux has not always used ELF; Red Hat Linux 4 was the first time that distribution used ELF; previous versions had used the a.out format.
ELF Objects are broken down into different segments and/or sections. These can be located by using the ELF header found at the first byte of the object. The ELF header provides the location for both the program header and the section header. Using these data structures the rest of the ELF objects contents can be found, this includes .text and .data segments which contain code and data respectively.
The GNU readelf utility, from the binutils package, is a common tool for parsing ELF objects.
Each ELF file is made up of one ELF header, followed by file data. The file data can include:
- Program header table, describing zero or more segments
- Section header table, describing zero or more sections
- Data referred to by entries in the program or section header table
The segments contain information that is necessary for runtime execution of the file, while sections contain important data for linking and relocation. Each byte in the entire file is taken by no more than one section at a time, but there can be orphan bytes, which are not covered by a section. In the normal case of a Unix executable one or more sections are enclosed in one segment.
Relocatable ELF Files
Relocatable ELF files are created by compilers. They need to be linked before running.
Those files are often found in
.a archives, with a
a.out is a very simple format consisting of a header (at offset 0) which contains the size of 3 executable sections (code, data, bss), plus pointers to additional information such as relocations (for .o files), symbols and symbols' strings. The actual sections contents follows the header. Offsets of different sections are computed from the size of the previous section.
The a.out format is now rarely used.