Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Clarification on Binary file (PE/COFF & ELF) formats & terminology

I'm confusing little in terminology.

A file that is given as input to the linker is called Object File. The linker produces an Image file, which in turn is used as input by the loader.

I got this from "MS PE & COFF Specification"

Q1. Image file is also referred to as Binary Image, Binary File or just Binary. Right?

Q2. So, according to the above stated terminology, the PE/ELF/COFF are the formats of Image File & not the Object File. right? But http://www.sco.com/developers/gabi/latest/ch4.intro.html says

This chapter describes the object file format, called ELF (Executable and Linking Format). There are three main types of object files.

  • A relocatable file holds code and data suitable for linking with other object files to create an executable or a shared object file.

  • An executable file holds a program suitable for execution; the file specifies how exec(BA_OS) creates a program's process image.

  • A shared object file holds code and data suitable for linking in two contexts. First, the link editor [see ld(BA_OS)] processes the shared object file with other relocatable and shared object files to create another object file. Second, the dynamic linker combines it with an executable file and other shared objects to create a process image.

contradictorily he is saying that both Object File & Image File are ELF formats & He is not at all differentiating between object & image files but referring them commonly as Object files. Isn't it wrong?

Q3. I know that PE is derived from COFF. But why does the Microsoft specifications of PE format is named Microsoft Portable Executable "and Common Object File Format Specification". Do they still support COFF? If they, in which OS? I thought PE completely replaced COFF long ago.

like image 877
claws Avatar asked Jan 31 '10 06:01

claws


People also ask

What is a Microsoft PE file?

The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bit and 64-bit versions of Windows operating systems. The PE format is a data structure that encapsulates the information necessary for the Windows OS loader to manage the wrapped executable code.

What is PE and non PE files?

dot) is NON-PE. This means the file is a file which does not contain a portable executable header i.e. . dot extension. Webroot is currently only capable of PE malware detection, however the program also contains a heuristics engine for some NON-PE files.

What is a PE file What are the file types associated with it?

As per Wikipedia, the portable executable (PE) format is a file format for executable, object code, DLLs, FON font files, and core dumps. The PE file format is a data structure that contains the information necessary for the Windows OS loader to manage the wrapped executable code.

What is offset in PE file?

The user can specify a different stub by using the /STUB linker option. At location 0x3c, the stub has the file offset to the PE signature. This information enables Windows to properly execute the image file, even though it has an MS-DOS stub. This file offset is placed at location 0x3c during linking.


2 Answers

There are no strict definitions for the terms 'binary file', 'image file', or 'object file'.

Particularly the term 'object file' might sometimes be used to mean an intermediate file output by the compiler for use by the linker, but in another context might mean an executable file.

Especially on different platforms they might be used for refer to different or similar things. Even when discussing issues on a single platform, one writer might use the terms somewhat differently than another.

As far as "PE" vs "COFF", my recollection is that Microsoft use the "COFF" specification as the starting point for the "PE" specification but extended it for their needs. So strictly speaking a "PE" file isn't a "COFF" file, but it's very similar in many ways.

like image 20
Michael Burr Avatar answered Sep 20 '22 06:09

Michael Burr


I'm the OP. Every one's answer is a partial answer. So, I'm combining all the other answers with what I learnt to complete the answer.

This is the "Generally" used terminology.

  • A file that is given as input to the linker (output of assembler) is called Object File or Relocatable File.

  • The linker produces an Image file, which in turn is used as input by the loader. Now, an Image file can either be an Executable file or Library file. These 'Library files' are of two kinds:

    1. Static Library (*.lib files for windows. *.a for linux)
    2. Shared/Dynamic libraries : DLL ( *.dll on windows) & Shared Object file( *.so in Linux)
  • The term Binary File / Binary can be used to refer to either an ObjectFile or an ImageFile. Undestand depending up on the context. It is a very general term.

  • Loader when loads the image file into memory. Then it is called Module (I'm not sure about Linux guys, but windows guys call it Module

http://www.gliffy.com/pubdoc/1978433/L.jpg alt text http://www.gliffy.com/pubdoc/1978433/L.jpg

As I said, these are "Generally" used terminology. There are no strict definitions for the terms 'binary file', 'image file', or 'object file'.

Particularly the term 'object file' might sometimes be used to mean an intermediate file output by the compiler for use by the linker, but in another context might mean an executable file.

Especially on different platforms they might be used for refer to different or similar things. Even when discussing issues on a single platform, one writer might use the terms somewhat differently than another.

  • Both ObjectFile & ImageFile are in PE Format in windows & ELF format in linux.
  • ELF is not only the format of the image file but is also the format of the object file.
  • Every ELF file starts with an ELF Header. The second field of an ELF Header is e_type; this fields lets us know whether the file is an object file (aka a relocatable in ELF parlance), or an image (which can be either an executable or a shared object) or something else (core file's are also ELF files).
  • I don't know if there is any bit in header that differentiates an Object file from Image file. It needs to be checked.

I know that PE is derived from COFF. But why does the Microsoft specifications of PE format is named Microsoft Portable Executable "and Common Object File Format Specification". Do they still support COFF? If they, in which OS? I thought PE completely replaced COFF long ago.

As far as "PE" vs "COFF", my recollection is that Microsoft use the "COFF" specification as the starting point for the "PE" specification but extended it for their needs. So strictly speaking a "PE" file isn't a "COFF" file, but it's very similar in many ways.

like image 149
2 revs Avatar answered Sep 21 '22 06:09

2 revs