ELF Files Explained

ELF executable

📂Binary
🎯application/x-executable

ELF (Executable and Linkable Format) File Format

Overview

The ELF (Executable and Linkable Format) is a standard file format for executables, object code, shared libraries, and core dumps. Originally developed by Unix System Laboratories, ELF is now widely used across Unix-like operating systems including Linux, FreeBSD, and Solaris. It provides a flexible and extensible format for binary files.

Technical Details

File Characteristics

  • Extension: Usually no extension (executable files)
  • MIME Type: application/x-executable
  • Category: Binary
  • Format Type: Binary executable format

File Types

  • Executable Files: Ready-to-run programs
  • Relocatable Files: Object files for linking
  • Shared Object Files: Dynamic libraries (.so files)
  • Core Dump Files: Process memory snapshots

File Structure

ELF Header

// ELF Header Structure (simplified)
typedef struct {
    unsigned char e_ident[16];    // File identification
    uint16_t      e_type;         // Object file type
    uint16_t      e_machine;      // Architecture
    uint32_t      e_version;      // Object file version
    uintptr_t     e_entry;        // Entry point address
    uintptr_t     e_phoff;        // Program header offset
    uintptr_t     e_shoff;        // Section header offset
    uint32_t      e_flags;        // Processor flags
    uint16_t      e_ehsize;       // ELF header size
    uint16_t      e_phentsize;    // Program header size
    uint16_t      e_phnum;        // Program header count
    uint16_t      e_shentsize;    // Section header size
    uint16_t      e_shnum;        // Section header count
    uint16_t      e_shstrndx;     // String table index
} Elf_Ehdr;

File Organization

ELF File Layout:
├── ELF Header (file metadata)
├── Program Header Table (loading info)
├── Section Header Table (linking info)
└── Sections/Segments:
    ├── .text (executable code)
    ├── .data (initialized data)
    ├── .bss (uninitialized data)
    ├── .rodata (read-only data)
    ├── .symtab (symbol table)
    └── .strtab (string table)

Magic Number

ELF Magic Bytes:
0x7F 'E' 'L' 'F'  # File signature
Class: 32-bit/64-bit
Data: Little/Big endian
Version: Current (1)
OS/ABI: Linux, System V, etc.

Architecture Support

Processor Architectures

Supported Architectures:
- x86 (EM_386): Intel 80386
- x86-64 (EM_X86_64): AMD64/Intel 64
- ARM (EM_ARM): ARM processors
- AArch64 (EM_AARCH64): 64-bit ARM
- RISC-V (EM_RISCV): RISC-V processors
- PowerPC (EM_PPC): PowerPC family
- SPARC (EM_SPARC): SPARC processors
- MIPS (EM_MIPS): MIPS processors

Endianness Support

  • Little Endian: x86, x86-64, ARM (common)
  • Big Endian: PowerPC, SPARC, MIPS (some variants)
  • Bi-endian: ARM, MIPS (configurable)

Sections and Segments

Common Sections

Standard ELF Sections:
.text      # Executable instructions
.data      # Initialized global variables
.bss       # Uninitialized global variables
.rodata    # Read-only data (constants)
.symtab    # Symbol table
.strtab    # String table
.shstrtab  # Section header string table
.rel.text  # Relocation information
.debug_*   # Debugging information

Program Segments

Loadable Segments:
LOAD    # Loadable program segment
DYNAMIC # Dynamic linking information
INTERP  # Program interpreter
NOTE    # Auxiliary information
PHDR    # Program header table
TLS     # Thread-local storage

Compilation and Linking

Building ELF Files

# Compile C source to object file
gcc -c program.c -o program.o

# Link object file to executable
gcc program.o -o program

# Create shared library
gcc -shared -fPIC library.c -o library.so

# Static linking
gcc -static program.c -o program

Cross-Compilation

# Cross-compile for ARM
arm-linux-gnueabihf-gcc program.c -o program-arm

# Cross-compile for 32-bit on 64-bit system
gcc -m32 program.c -o program-32bit

Analysis Tools

Command Line Tools

# Display ELF header information
readelf -h executable

# Show program headers
readelf -l executable

# Display section headers
readelf -S executable

# Show symbol table
readelf -s executable

# Disassemble executable
objdump -d executable

# Show file type
file executable

Detailed Analysis

# ELF file information
$ readelf -h /bin/ls
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x404390

Dynamic Linking

Shared Libraries

# List dynamic dependencies
ldd executable

# Show library loading
LD_DEBUG=libs ./executable

# Set library path
export LD_LIBRARY_PATH=/custom/path:$LD_LIBRARY_PATH

Runtime Linker

// Dynamic loading in C
#include <dlfcn.h>

void* handle = dlopen("library.so", RTLD_LAZY);
if (handle) {
    void (*func)() = dlsym(handle, "function_name");
    if (func) {
        func();
    }
    dlclose(handle);
}

Security Features

Position Independent Code

# Generate position-independent executable
gcc -pie -fpie program.c -o program

# Check for PIE
readelf -h program | grep Type

Stack Protection

# Enable stack protection
gcc -fstack-protector-all program.c -o program

# Check for stack canaries
objdump -d program | grep __stack_chk

Security Mitigations

# Check security features
checksec --file=executable

# RELRO (RELocation Read-Only)
gcc -Wl,-z,relro,-z,now program.c -o program

# NX bit (No-eXecute)
gcc -Wl,-z,noexecstack program.c -o program

Debugging Information

Debug Symbols

# Compile with debug information
gcc -g program.c -o program

# Strip debug symbols
strip program

# Separate debug info
objcopy --only-keep-debug program program.debug
objcopy --strip-debug program
objcopy --add-gnu-debuglink=program.debug program

GDB Integration

# Debug with GDB
gdb ./program

# Core dump analysis
gdb ./program core

# Remote debugging
gdb -ex "target remote :1234" ./program

Common Use Cases

System Programming

  • Operating System Kernels: Linux kernel modules
  • Device Drivers: Hardware interface programs
  • System Services: Daemons and background processes
  • Command Line Tools: System utilities and applications

Application Development

  • Desktop Applications: GUI and console programs
  • Server Software: Web servers, databases, services
  • Embedded Systems: Firmware and real-time applications
  • Scientific Computing: High-performance computing applications

Best Practices

Development

  • Use appropriate compiler flags for target architecture
  • Include debug information during development
  • Strip symbols for production releases
  • Enable security features and hardening options

Distribution

  • Test on target architectures and operating systems
  • Provide static builds for compatibility
  • Document library dependencies
  • Include checksums for integrity verification

Performance

  • Profile applications to identify bottlenecks
  • Use link-time optimization (LTO) for release builds
  • Consider profile-guided optimization (PGO)
  • Minimize dynamic relocations for better startup time

The ELF format provides a robust foundation for executable files across Unix-like systems, supporting modern features like dynamic linking, debugging, and security enhancements while maintaining compatibility across diverse hardware architectures.

File Information

File Description

ELF executable

Category

Binary

Extensions

MIME Type

application/x-executable

Related File Types

Other file types in the Binary category you might also need:

Start Analyzing ELF Files Now

Use our free AI-powered tool to detect and analyze ELF executable files instantly with Google's Magika technology.

Try File Detection Tool