Geek Answers Handbook

Reading ELF String Table on Linux with C

I want to write a program that reads a row table of a binary file. Binary is in ELF running on REDHAT linux 32. I did the following -

  • Read the Elf Header
  • Read all sections

Below is my program.

Entry Address of Binary - 0x8048340 Start of Program Header - 52 Start of section header - 3272 Size of header - 52 Number of section headers - 36 Size of each section headers - 40 Number of section headers - 36 Section header Offset - 3272 string tbl index for section[0] is 0 string tbl index for section[1] is 27 string tbl index for section[7] is 35 string tbl index for section[1879048182] is 49 string tbl index for section[11] is 59 string tbl index for section[3] is 67 string tbl index for section[1879048191] is 75 string tbl index for section[1879048190] is 88 string tbl index for section[9] is 103 string tbl index for section[9] is 112 string tbl index for section[1] is 121 string tbl index for section[1] is 116 string tbl index for section[1] is 127 string tbl index for section[1] is 133 string tbl index for section[1] is 139 string tbl index for section[1] is 147 string tbl index for section[1] is 157 string tbl index for section[1] is 164 string tbl index for section[1] is 171 string tbl index for section[6] is 176 string tbl index for section[1] is 185 string tbl index for section[1] is 190 string tbl index for section[1] is 199 string tbl index for section[8] is 205 string tbl index for section[1] is 210 string tbl index for section[1] is 219 string tbl index for section[1] is 234 string tbl index for section[1] is 250 string tbl index for section[1] is 262 string tbl index for section[1] is 276 string tbl index for section[1] is 288 string tbl index for section[1] is 301 string tbl index for section[1] is 312 string tbl index for section[3] is 17 string tbl index for section[2] is 1 string tbl index for section[3] is 9

I understand that the sh_name in Elf32_Shdr is basically the index of the String table, which actually contains a NULL string with the final action. I want to show this line with zero completion. I have a question here -

  • In the above output, we see that for the section headers there are several records that have sh_type = 3 (SHT_STRTAB). So I don’t understand how can I map the index (sh_name in Elf32_Shdr) to which section?

After printing Elf32_Shdr for sections that have sh_type = 3, I get the following output -

 Section header Offset - 3272 sh_name - 67 sh_type - 3 sh_flags - 2 sh_addr - 80481e8 sh_offset - 488 sh_size - 94 sh_link - 0 sh_info - 0 sh_addralign - 1 sh_entsize - 0 -------------------------------------------------------------- sh_name - 17 sh_type - 3 sh_flags - 0 sh_addr - 0 sh_offset - 2948 sh_size - 323 sh_link - 0 sh_info - 0 sh_addralign - 1 sh_entsize - 0 -------------------------------------------------------------- sh_name - 9 sh_type - 3 sh_flags - 0 sh_addr - 0 sh_offset - 6008 sh_size - 664 sh_link - 0 sh_info - 0 sh_addralign - 1 sh_entsize - 0 --------------------------------------------------------------
0
source share
2 answers

I myself could figure out the answer :). Although coding took a lot of time. Here's how to do it if someone wants to direct it to the future - Each binary usually contains three String tables -

 1. .dynstr 2. .shstrtab 3. .strtab

In the above question, we are dealing with .shstrtab, which when expanded means - Section Header STRING TABLE. After reading the ELF header, we find the next field in the ELF header - e_shstrndx. This is the index in which we can find .shstrtab. The following formula can be used to calculate how this is done -

 offset = ((elfHdr.e_shstrndx)*elfHdr.e_shentsize)+elfHdr.e_shoff

The value of each parameter is

 elfHdr.e_shstrndx = index where we can find .shstrtab elfHdr.e_shentsize = Size of each Section Header elfHdr.e_shoff = Offset at which section header starts.
+3
source

In short, the e_shstrndx field of the e_shstrndx executable header contains the index of the section names of the ELF table row.

The " libelf by Example " tutorial has a longer explanation, as well as sample code showing how to extract section names using functions in the ELF (3) API.

+1
source

More articles:


All Articles