ELF Files Explained
ELF executable
ELF (Executable and Linkable Format) File Format
Overview
The ELF (Executable and Linkable Format) is a standard file format for executables, object code, shared libraries, and core dumps. Originally developed by Unix System Laboratories, ELF is now widely used across Unix-like operating systems including Linux, FreeBSD, and Solaris. It provides a flexible and extensible format for binary files.
Technical Details
File Characteristics
- Extension: Usually no extension (executable files)
- MIME Type:
application/x-executable - Category: Binary
- Format Type: Binary executable format
File Types
- Executable Files: Ready-to-run programs
- Relocatable Files: Object files for linking
- Shared Object Files: Dynamic libraries (.so files)
- Core Dump Files: Process memory snapshots
File Structure
ELF Header
// ELF Header Structure (simplified)
typedef struct {
unsigned char e_ident[16]; // File identification
uint16_t e_type; // Object file type
uint16_t e_machine; // Architecture
uint32_t e_version; // Object file version
uintptr_t e_entry; // Entry point address
uintptr_t e_phoff; // Program header offset
uintptr_t e_shoff; // Section header offset
uint32_t e_flags; // Processor flags
uint16_t e_ehsize; // ELF header size
uint16_t e_phentsize; // Program header size
uint16_t e_phnum; // Program header count
uint16_t e_shentsize; // Section header size
uint16_t e_shnum; // Section header count
uint16_t e_shstrndx; // String table index
} Elf_Ehdr;
File Organization
ELF File Layout:
├── ELF Header (file metadata)
├── Program Header Table (loading info)
├── Section Header Table (linking info)
└── Sections/Segments:
├── .text (executable code)
├── .data (initialized data)
├── .bss (uninitialized data)
├── .rodata (read-only data)
├── .symtab (symbol table)
└── .strtab (string table)
Magic Number
ELF Magic Bytes:
0x7F 'E' 'L' 'F' # File signature
Class: 32-bit/64-bit
Data: Little/Big endian
Version: Current (1)
OS/ABI: Linux, System V, etc.
Architecture Support
Processor Architectures
Supported Architectures:
- x86 (EM_386): Intel 80386
- x86-64 (EM_X86_64): AMD64/Intel 64
- ARM (EM_ARM): ARM processors
- AArch64 (EM_AARCH64): 64-bit ARM
- RISC-V (EM_RISCV): RISC-V processors
- PowerPC (EM_PPC): PowerPC family
- SPARC (EM_SPARC): SPARC processors
- MIPS (EM_MIPS): MIPS processors
Endianness Support
- Little Endian: x86, x86-64, ARM (common)
- Big Endian: PowerPC, SPARC, MIPS (some variants)
- Bi-endian: ARM, MIPS (configurable)
Sections and Segments
Common Sections
Standard ELF Sections:
.text # Executable instructions
.data # Initialized global variables
.bss # Uninitialized global variables
.rodata # Read-only data (constants)
.symtab # Symbol table
.strtab # String table
.shstrtab # Section header string table
.rel.text # Relocation information
.debug_* # Debugging information
Program Segments
Loadable Segments:
LOAD # Loadable program segment
DYNAMIC # Dynamic linking information
INTERP # Program interpreter
NOTE # Auxiliary information
PHDR # Program header table
TLS # Thread-local storage
Compilation and Linking
Building ELF Files
# Compile C source to object file
gcc -c program.c -o program.o
# Link object file to executable
gcc program.o -o program
# Create shared library
gcc -shared -fPIC library.c -o library.so
# Static linking
gcc -static program.c -o program
Cross-Compilation
# Cross-compile for ARM
arm-linux-gnueabihf-gcc program.c -o program-arm
# Cross-compile for 32-bit on 64-bit system
gcc -m32 program.c -o program-32bit
Analysis Tools
Command Line Tools
# Display ELF header information
readelf -h executable
# Show program headers
readelf -l executable
# Display section headers
readelf -S executable
# Show symbol table
readelf -s executable
# Disassemble executable
objdump -d executable
# Show file type
file executable
Detailed Analysis
# ELF file information
$ readelf -h /bin/ls
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x404390
Dynamic Linking
Shared Libraries
# List dynamic dependencies
ldd executable
# Show library loading
LD_DEBUG=libs ./executable
# Set library path
export LD_LIBRARY_PATH=/custom/path:$LD_LIBRARY_PATH
Runtime Linker
// Dynamic loading in C
#include <dlfcn.h>
void* handle = dlopen("library.so", RTLD_LAZY);
if (handle) {
void (*func)() = dlsym(handle, "function_name");
if (func) {
func();
}
dlclose(handle);
}
Security Features
Position Independent Code
# Generate position-independent executable
gcc -pie -fpie program.c -o program
# Check for PIE
readelf -h program | grep Type
Stack Protection
# Enable stack protection
gcc -fstack-protector-all program.c -o program
# Check for stack canaries
objdump -d program | grep __stack_chk
Security Mitigations
# Check security features
checksec --file=executable
# RELRO (RELocation Read-Only)
gcc -Wl,-z,relro,-z,now program.c -o program
# NX bit (No-eXecute)
gcc -Wl,-z,noexecstack program.c -o program
Debugging Information
Debug Symbols
# Compile with debug information
gcc -g program.c -o program
# Strip debug symbols
strip program
# Separate debug info
objcopy --only-keep-debug program program.debug
objcopy --strip-debug program
objcopy --add-gnu-debuglink=program.debug program
GDB Integration
# Debug with GDB
gdb ./program
# Core dump analysis
gdb ./program core
# Remote debugging
gdb -ex "target remote :1234" ./program
Common Use Cases
System Programming
- Operating System Kernels: Linux kernel modules
- Device Drivers: Hardware interface programs
- System Services: Daemons and background processes
- Command Line Tools: System utilities and applications
Application Development
- Desktop Applications: GUI and console programs
- Server Software: Web servers, databases, services
- Embedded Systems: Firmware and real-time applications
- Scientific Computing: High-performance computing applications
Best Practices
Development
- Use appropriate compiler flags for target architecture
- Include debug information during development
- Strip symbols for production releases
- Enable security features and hardening options
Distribution
- Test on target architectures and operating systems
- Provide static builds for compatibility
- Document library dependencies
- Include checksums for integrity verification
Performance
- Profile applications to identify bottlenecks
- Use link-time optimization (LTO) for release builds
- Consider profile-guided optimization (PGO)
- Minimize dynamic relocations for better startup time
The ELF format provides a robust foundation for executable files across Unix-like systems, supporting modern features like dynamic linking, debugging, and security enhancements while maintaining compatibility across diverse hardware architectures.
File Information
ELF executable
Binary
application/x-executable
Related File Types
Other file types in the Binary category you might also need:
Start Analyzing ELF Files Now
Use our free AI-powered tool to detect and analyze ELF executable files instantly with Google's Magika technology.
⚡Try File Detection Tool