liminfo

ELF Format Reference

Free reference guide: ELF Format Reference

25 results

About ELF Format Reference

The ELF Format Reference is a structured, searchable guide to the Executable and Linkable Format (ELF) used in Linux, BSD, and other Unix-like operating systems. It covers ELF headers (e_ident, e_type, e_machine, e_entry), sections (.text, .data, .bss, .rodata, .plt, .got), segments (PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_STACK), symbol tables (.symtab, .dynsym), dynamic linking (DT_NEEDED, DT_RPATH, LD_PRELOAD), and relocation entries (JUMP_SLOT, GLOB_DAT, RELRO).

Built for reverse engineers, security researchers, systems programmers, and embedded developers, this reference provides real readelf, objdump, and nm command examples alongside C struct definitions. Whether you are analyzing malware, debugging linker issues, or studying binary internals, this tool gives you instant access to the ELF specification details you need.

All content is rendered client-side in your browser with no server processing. The interface supports dark mode and is fully responsive across desktop, tablet, and mobile devices.

Key Features

  • Complete ELF header field reference with e_ident, e_type, e_machine, and e_entry explanations
  • Section reference covering .text, .data, .bss, .rodata, .plt, .got, and Section Header Table structs
  • Segment reference for PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_STACK with Program Header structs
  • Symbol table details for .symtab and .dynsym including binding types (LOCAL, GLOBAL, WEAK)
  • Dynamic linking reference with DT_NEEDED, DT_RPATH, DT_RUNPATH, and LD_PRELOAD hooking examples
  • Relocation entries including R_X86_64_GLOB_DAT, R_X86_64_JUMP_SLOT, and RELRO protection levels
  • Practical readelf, objdump, nm, and checksec command examples for every entry
  • Category-based filtering across Header, Sections, Segments, Symbols, Dynamic Linking, and Relocation

Frequently Asked Questions

What is the ELF binary format?

ELF (Executable and Linkable Format) is the standard binary format for executables, shared libraries, object files, and core dumps on Linux and Unix-like systems. An ELF file begins with a magic byte sequence (0x7F followed by "ELF") and contains headers describing the file type, target architecture, entry point, and layouts of sections and segments used by the linker and loader.

What is the difference between ELF sections and segments?

Sections (.text, .data, .bss, .rodata, .plt, .got) are used at link time to organize code, data, and metadata. Segments (PT_LOAD, PT_DYNAMIC, PT_INTERP) are used at runtime by the OS loader to map the binary into memory. Multiple sections can be grouped into a single segment. Use "readelf -S" for sections and "readelf -l" for segments.

How do PLT and GOT work in dynamic linking?

The Procedure Linkage Table (.plt) contains small code stubs that redirect function calls, while the Global Offset Table (.got/.got.plt) holds the actual resolved addresses of external functions. On the first call, the dynamic linker resolves the symbol and patches the GOT entry (lazy binding). Full RELRO makes the entire GOT read-only after resolution, preventing GOT overwrite attacks.

What do readelf and objdump show for ELF files?

"readelf -h" displays the ELF header (magic, class, type, entry point). "readelf -S" lists section headers. "readelf -l" shows program headers (segments). "readelf -s" lists symbol tables. "readelf -d" shows dynamic section entries. "objdump -d" disassembles the .text section. These tools are essential for binary analysis and debugging linker issues.

What is RELRO and why does it matter for security?

RELRO (Relocation Read-Only) is a security hardening technique. Partial RELRO makes the .got section read-only but leaves .got.plt writable. Full RELRO resolves all dynamic symbols at startup and makes the entire GOT read-only, preventing GOT overwrite attacks used in exploits. Check RELRO status with "checksec binary".

How does LD_PRELOAD work for function hooking?

LD_PRELOAD is an environment variable that forces a shared library to be loaded before all others. This allows you to override (hook) any function in the target binary. Using dlsym(RTLD_NEXT, "function_name"), you can call the original function after adding custom logic. This technique is used for debugging, profiling, and security research.

What are symbol binding types in ELF?

ELF symbols have binding types: STB_LOCAL (visible only within the object file), STB_GLOBAL (visible across all object files and must be unique), and STB_WEAK (like global but can be overridden by a global symbol of the same name). Symbol types include STT_FUNC (function), STT_OBJECT (data), STT_SECTION (section), and STT_FILE (source file name).

How can I analyze an ELF binary for security properties?

Use "checksec binary" to check NX (non-executable stack via PT_GNU_STACK), RELRO level, stack canaries, PIE (Position Independent Executable, e_type=ET_DYN), and FORTIFY_SOURCE. Use "readelf -d" to check for RUNPATH/RPATH. Use "nm -D" to list dynamic symbols. These checks reveal the binary's attack surface and hardening level.