Binary-level program analysis: Executable File Formats (Gang Tan, CSE; PowerPoint PPT presentation)

SLIDE 1

Binary-level program analysis: Executable File Formats

Gang Tan

CSE 597 Spring 2019 Penn State University


* Some slides adapted from those by Tomás Sánchez López at http://www.tomas-sanchez.com/material/ELF.ppt

SLIDE 2

Executable File Formats

  • An executable file format
– Specifies the format of executable files
– Consumed by loaders and linkers

  • Executable file is the input of binary analysis
  • Executable and Linkable Format (ELF)

– Used by Unix-like systems

  • Portable Executable (PE)

– Used by Windows


SLIDE 3

ELF Overview

  • Standard executable file format used in most Unix systems

– Format for executable files, object code (.o), shared libraries (.so), and core dumps

  • Supports different processors and data encodings
  • Replaced older executable formats (a.out and COFF formats)

  • Official documentation

– http://www.skyfree.org/linux/references/ELF_Format.pdf


SLIDE 4

Types of ELF Files

  • Three main types

– Relocatable files (.o): code and data to be linked with other object files

  • gcc -c test.c -o test.o

– Shared object files (.so): libraries

  • gcc -c -fPIC shared.c
  • gcc -shared -o libshared.so shared.o

– Executable files

  • gcc test.o -o test


SLIDE 5

Two Views of Executables

  • Execution view

– The object file is used for code execution

  • Linking view

– The object file needs to be linked with other object files (e.g., libraries)


SLIDE 6

ELF File Layout

  • An ELF header
  • Program header table

– For the execution view
– Views the file as a series of segments

  • Section header table

– For the linking view
– Views the file as a series of sections


* From Wiki

SLIDE 7

ELF Header

  • Info about

– whether 32- or 64-bit format
– whether big or little endianness
– ISA (x86, x64, SPARC, …)
– execution entry point
– info about the program header table and section header table (their offsets in the file and the sizes of their entries)
– …


SLIDE 8

Program Header Table

  • For execution

– Tells the system how to create a process image in memory

  • The file is divided into segments, each with
– Type; requested memory location; permissions; size (in file and in memory)
– E.g.,
  • code segment (readable and executable)
  • data segments (readable and writable, or just readable)
  • The loader uses this table

– To load ELF segments into memory and assign permission bits


SLIDE 9

Segment Types


Segment type   Meaning
LOAD           Portion of the file to be loaded into memory
INTERP         Pointer to the dynamic linker for this executable (.interp section)
DYNAMIC        Pointer to dynamic linking information (.dynamic section)

SLIDE 10

Example (readelf -l /bin/ls)


SLIDE 11

Loading and Executing an ELF Executable

  • 1. Open the file
  • 2. Map LOAD segments into memory and assign permission bits
  • 3. Call the dynamic linker (specified in the INTERP segment) and pass info about the executable
– Retrieve info from the DYNAMIC segment
– Load required libraries into memory
– …
– Transfer control to the execution entry point to start program execution
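The ELF header, program header table, segment types and loading steps of slides 7 through 11, as an added Python example that is not part of the original slides: it parses a constructed little-endian ELF64 image (built inline with struct, not a real binary) the way readelf -l does, then works out what step 2 of the loader would map with which permission bits and which dynamic linker step 3 would call. Rounding each LOAD segment to its p_align and the ld-linux path are assumptions about a typical SysV loader, not something the slides state.

```python
import struct

# ELF64 constants from the ELF specification; little-endian only, as on x86-64
ELF_MAGIC = b"\x7fELF"
PT_LOAD, PT_INTERP = 1, 3
PT_NAMES = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP"}
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"   # header fields after e_ident / one Elf64_Phdr

def parse_program_headers(data):
    """Return (entry point, segments): the information readelf -l reads from the ELF header
    and the program header table (type, file offset, vaddr, sizes, permission bits)."""
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (_, _, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    segments = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, p_vaddr, _, p_filesz, p_memsz, p_align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        perms = "".join(c if p_flags & f else "-" for c, f in (("R", PF_R), ("W", PF_W), ("X", PF_X)))
        segments.append({"type": PT_NAMES.get(p_type, hex(p_type)), "offset": p_off, "vaddr": p_vaddr,
                         "filesz": p_filesz, "memsz": p_memsz, "align": p_align, "perms": perms})
    return e_entry, segments

def load_plan(data):
    """Loading steps 2 and 3: the page-aligned ranges the loader maps for each LOAD segment with
    their permission bits (memsz beyond filesz is zero-filled .bss), plus the INTERP path."""
    entry, segments = parse_program_headers(data)
    mappings, interp = [], None
    for s in segments:
        if s["type"] == "LOAD":
            start = s["vaddr"] & ~(s["align"] - 1)
            end = (s["vaddr"] + s["memsz"] + s["align"] - 1) & ~(s["align"] - 1)
            mappings.append((start, end, s["perms"], s["memsz"] - s["filesz"]))
        elif s["type"] == "INTERP":
            interp = data[s["offset"]:s["offset"] + s["filesz"]].rstrip(b"\0").decode()
    return {"entry": entry, "interp": interp, "mappings": mappings}

def build_sample_elf():
    """Constructed sample image, not a real binary: an x86-64 executable whose program header
    table has an INTERP entry and two LOAD segments (R-X code, RW- data with a .bss tail)."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    interp_off = 64 + 3 * 56                     # placed right after the ELF header and 3 phdrs
    phdrs = [(PT_INTERP, PF_R, interp_off, 0x400000 + interp_off, 0, len(interp), len(interp), 1),
             (PT_LOAD, PF_R | PF_X, 0, 0x400000, 0, 0x800, 0x800, 0x1000),
             (PT_LOAD, PF_R | PF_W, 0x800, 0x601800, 0, 0x100, 0x900, 0x1000)]
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1, SysV
    ehdr = e_ident + struct.pack(EHDR_FMT, 2, 62, 1, 0x400500, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs) + interp
```

load_plan(build_sample_elf()) reports entry 0x400500, the ld-linux path, and two mappings: 0x400000-0x401000 R-X and 0x601000-0x603000 RW- with 0x800 bytes of zero-fill.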


SLIDE 12

Section Header Table

  • For the linking view

– Contains info that describes the file’s sections

  • Sections have

– Name and type
– Requested memory location at run time
– Permissions


SLIDE 13

Important Sections


Section    Contents
.interp    Path name of the program interpreter (dynamic linker)
.text      Code (executable instructions) of a program
.data      Initialized data
.bss       Uninitialized data
.init      Executable instructions for process initialization
.fini      Executable instructions for process termination
.plt       Holds the procedure linkage table
.rel.<x>   Relocation information for section <x>
.dynamic   Dynamic linking information

SLIDE 14

Example (readelf -S /bin/ls)


SLIDE 15

The Process of Static Linking

  • Take multiple object files
  • Merge sections of the same type into the result object file

– E.g., merge the text sections into one text section

  • Relocate code/data

– Through the help of relocation information


SLIDE 16

Static Linking Example


file 1:

    #include <stdlib.h>      /* exit() */
    int x = 5;
    extern int function();   /* defined in file 2, resolved by the linker */
    int main() { int r = x + function(); exit(0); }

file 2:

    int v = 10;
    int u = 32;
    int z;                   /* uninitialized: goes to .bss */
    int function() { return v + u; }

SLIDE 17

Static Linking Example


[Figure: static linking diagram. Left, the relocatable object files: system code, system data, main (), int x = 5, function (), int v = 10, int u = 32, int y. Right, the linked executable: headers; .text (system code, main (), a (), function ()); .data (system data, int x = 5, int v = 10, int u = 32); .bss (uninitialized data); others.]
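The merge-and-relocate steps of slides 15 through 17, as an added Python example that is not from the original slides: a toy static linker over two hand-built relocatable objects modeled on file 1 and file 2. Section sizes, symbol offsets and relocation offsets are constructed for illustration (not what gcc would emit), and the .text base address and page alignment of .data are assumptions.

```python
# Toy static linker for the two-file example: each relocatable object lists its sections with
# sizes, the symbols it defines as (section, offset), and the relocations that must be patched
# with a symbol's final address. All sizes and offsets are constructed, not gcc output.
TEXT_BASE, PAGE = 0x401000, 0x1000      # assumption: .text first, .data on the next page boundary

file1 = {"sections": {".text": 40, ".data": 4, ".bss": 0},
         "symbols": {"main": (".text", 0), "x": (".data", 0)},
         "relocs": [(".text", 8, "x"), (".text", 20, "function")]}    # main reads x, calls function
file2 = {"sections": {".text": 24, ".data": 8, ".bss": 4},
         "symbols": {"function": (".text", 0), "v": (".data", 0), "u": (".data", 4), "z": (".bss", 0)},
         "relocs": [(".text", 4, "v"), (".text", 12, "u")]}             # function reads v and u

def link(objects, text_base=TEXT_BASE):
    """Merge same-named sections, lay them out, resolve symbols, apply relocations.
    Returns (layout of merged sections, symbol table, list of (patch address, symbol, value))."""
    # 1. merge: record where each input section lands inside the merged output section
    merged, placement = {}, {}
    for idx, obj in enumerate(objects):
        for name, size in obj["sections"].items():
            placement[(idx, name)] = merged.get(name, 0)
            merged[name] = merged.get(name, 0) + size
    # 2. lay out merged sections: .text, then .data page-aligned, .bss right after .data
    layout, addr = {}, text_base
    for name in (".text", ".data", ".bss"):
        if name == ".data":
            addr = (addr + PAGE - 1) & ~(PAGE - 1)
        layout[name] = addr
        addr += merged.get(name, 0)
    # 3. resolve every symbol to its final address; two definitions of one name is a link error
    symbols = {}
    for idx, obj in enumerate(objects):
        for sym, (sec, off) in obj["symbols"].items():
            if sym in symbols:
                raise ValueError(f"multiple definition of {sym}")
            symbols[sym] = layout[sec] + placement[(idx, sec)] + off
    # 4. relocate: each entry says which output address must receive which symbol's value
    patches = []
    for idx, obj in enumerate(objects):
        for sec, off, sym in obj["relocs"]:
            if sym not in symbols:
                raise ValueError(f"undefined reference to {sym}")
            patches.append((layout[sec] + placement[(idx, sec)] + off, sym, symbols[sym]))
    return layout, symbols, patches
```

Linking file1 alone fails with "undefined reference to function", which is the same error a real linker reports when file 2 is left out.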

SLIDE 18

Dynamically Linked Libraries

  • Need to be compiled position independent (PIC)
– '-fPIC' in gcc

  • The main executable

– Uses the Procedure Linkage Table (PLT) for calling functions in a library
– Uses a Global Offset Table (GOT) with pointers to variables created at compile and linking time
– Some performance cost through PLT/GOT calls


SLIDE 19

Static and Dynamic Linking


[Figure: Relocatable File 1 … Relocatable File N go through static linking to produce the Executable Object File; at execution, the Dynamic Linker combines it with DLLs.]

SLIDE 20

Key Take-Away

  • Supports both execution and linking views
  • Great support for static/dynamic linking, cross-compilation and others
