Menu
I want to write a program which reads the string table of a binary. Binary is in ELF running on REDHAT linux 32. I did the following -
Below is the output of my progam.
Entry Address of Binary - 0x8048340
Start of Program Header - 52
Start of section header - 3272
Size of header - 52
Number of section headers - 36
Size of each section headers - 40
Number of section headers - 36
Section header Offset - 3272
string tbl index for section[0] is 0
string tbl index for section[1] is 27
string tbl index for section[7] is 35
string tbl index for section[1879048182] is 49
string tbl index for section[11] is 59
string tbl index for section[3] is 67
string tbl index for section[1879048191] is 75
string tbl index for section[1879048190] is 88
string tbl index for section[9] is 103
string tbl index for section[9] is 112
string tbl index for section[1] is 121
string tbl index for section[1] is 116
string tbl index for section[1] is 127
string tbl index for section[1] is 133
string tbl index for section[1] is 139
string tbl index for section[1] is 147
string tbl index for section[1] is 157
string tbl index for section[1] is 164
string tbl index for section[1] is 171
string tbl index for section[6] is 176
string tbl index for section[1] is 185
string tbl index for section[1] is 190
string tbl index for section[1] is 199
string tbl index for section[8] is 205
string tbl index for section[1] is 210
string tbl index for section[1] is 219
string tbl index for section[1] is 234
string tbl index for section[1] is 250
string tbl index for section[1] is 262
string tbl index for section[1] is 276
string tbl index for section[1] is 288
string tbl index for section[1] is 301
string tbl index for section[1] is 312
string tbl index for section[3] is 17
string tbl index for section[2] is 1
string tbl index for section[3] is 9
I understand that sh_name in Elf32_Shdr is basically an index to String table which actually contains a NULL terminated String. I want to display this null terminated String. I have a question here -
Upon printing the Elf32_Shdr for sections having sh_type = 3 i get the following output -
Section header Offset - 3272
sh_name - 67
sh_type - 3
sh_flags - 2
sh_addr - 80481e8
sh_offset - 488
sh_size - 94
sh_link - 0
sh_info - 0
sh_addralign - 1
sh_entsize - 0
--------------------------------------------------------------
sh_name - 17
sh_type - 3
sh_flags - 0
sh_addr - 0
sh_offset - 2948
sh_size - 323
sh_link - 0
sh_info - 0
sh_addralign - 1
sh_entsize - 0
--------------------------------------------------------------
sh_name - 9
sh_type - 3
sh_flags - 0
sh_addr - 0
sh_offset - 6008
sh_size - 664
sh_link - 0
sh_info - 0
sh_addralign - 1
sh_entsize - 0
--------------------------------------------------------------
369
I was able to find out the answer myself :). Although it took a lot of time to code. Here is how it is done if someone wants to refer it for future - Each Binary generally contains three String tables -
1. .dynstr
2. .shstrtab
3. .strtab
IN the above question we are concerned with .shstrtab which when expanded stands for - Section Header STRing TABle. Upon reading the ELF header we find the following field in ELF header - e_shstrndx. This is the index where we can find .shstrtab. Following formula can be used to calculate how it will be done -
offset = ((elfHdr.e_shstrndx)*elfHdr.e_shentsize)+elfHdr.e_shoff
Meaning of each parameter -
elfHdr.e_shstrndx = index where we can find .shstrtab
elfHdr.e_shentsize = Size of each Section Header
elfHdr.e_shoff = Offset at which section header starts.
In brief, the e_shstrndx field of ELF Executable Header contains the index of the ELF string table holding section names.
The "libelf by Example" tutorial has a lengthier explanation, along with example code showing how to retrieve section names using the functions in the ELF(3) API.
41
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
