COMS 4995 Advanced Systems Programming

Introduction to ELF

ELF (Executable and Linkable Format) is the standard executable and object file format in Linux.

CSAPP Figure 7.13 depicts the layout of an executable file:


ELF files can be broken down into segments and sections. Segments and sections may overlap (i.e., several sections may compose a single segment). This is because ELF offers two views of the executable files:

See also this other webpage with a colorful diagram.

The readelf command-line utility allows you to view everything about an ELF file. See man elf for the C programming interface for working with ELF files.

ELF Header

All ELF files begin with a header that contains metadata for the ELF file, including:

Section Header Table

The section header table is an array of Elf64_Shdr structs. Each entry contains metadata about a section in the ELF file, including the offset into the ELF file at which the section is laid out and the section’s name. The section’s name isn’t stored directly in Elf64_Shdr. Instead, the struct has a “name” field which is an index into a dedicated string table section. This is usually how ELF stores strings. The string table for the section names is stored in the .shstrtab section (not shown in the figure above). The ELF header stores the index of this section in the header table for ease of lookup.

Symbol Table

The ELF symbol table (stored at the .symtab section) is a list of all symbols referred to by the executable, namely functions and static variables. It also contains symbols that are referred to in the program by not actually defined by it, such as C library functions like printf().

The symbol table is an array of Elf64_Sym structs, defined as follows:

typedef struct {
    uint32_t      st_name;
    unsigned char st_info;
    unsigned char st_other;
    uint16_t      st_shndx;
    Elf64_Addr    st_value;
    uint64_t      st_size;
} Elf64_Sym;

A few notes about some fields of interest:

Last updated: 2024-03-26