EmbLogic's Blog

detailed info about elf format…

Starting

The question is simple: how does Linux execute my main()?
Throughout this document, I'll use the following simple C program to illustrate how it works. It's called "simple.c":

int main(void)
{
   return 0;
}

Build

gcc -o simple simple.c

What’s in the executable?

To see what's in the executable, let's use the tool "objdump":

objdump -f simple

simple:     file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x080482d0

The output gives us some critical information about the executable.
First of all, the file is in "ELF32" format. Second, the start address is "0x080482d0".

What’s ELF?

ELF is an acronym for Executable and Linking Format. It is one of several object and executable file formats used on Unix systems. For our discussion, the interesting thing about ELF is its header format. Every ELF executable begins with an ELF header, which is defined as follows (this is the Elf32_Ehdr definition from <elf.h>):

typedef struct
{
	unsigned char	e_ident[EI_NIDENT];	/* Magic number and other info */
	Elf32_Half	e_type;			/* Object file type */
	Elf32_Half	e_machine;		/* Architecture */
	Elf32_Word	e_version;		/* Object file version */
	Elf32_Addr	e_entry;		/* Entry point virtual address */
	Elf32_Off	e_phoff;		/* Program header table file offset */
	Elf32_Off	e_shoff;		/* Section header table file offset */
	Elf32_Word	e_flags;		/* Processor-specific flags */
	Elf32_Half	e_ehsize;		/* ELF header size in bytes */
	Elf32_Half	e_phentsize;		/* Program header table entry size */
	Elf32_Half	e_phnum;		/* Program header table entry count */
	Elf32_Half	e_shentsize;		/* Section header table entry size */
	Elf32_Half	e_shnum;		/* Section header table entry count */
	Elf32_Half	e_shstrndx;		/* Section header string table index */
} Elf32_Ehdr;

In the above structure there is an "e_entry" field, which holds the starting address of the executable; it is the "start address" that objdump printed above.
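As an added example (not code from the original post), here is a small C parser that reads the header fields discussed above from a raw byte buffer, checks the magic, class and encoding the way a loader does before trusting e_phoff and e_phnum, and returns e_entry. The 52-byte header it parses is constructed to carry the post's start address 0x080482d0; it is not dumped from "simple".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Values from <elf.h>, repeated so this block builds stand-alone. */
enum { EI_CLASS = 4, EI_DATA = 5, EI_VERSION = 6, ELFCLASS32 = 1, ELFDATA2LSB = 1,
       EV_CURRENT = 1, ET_EXEC = 2, ET_DYN = 3, EHDR32_SIZE = 52 };
/* The Elf32_Ehdr fields the post walks through, decoded from the raw bytes. */
struct ehdr_info { uint16_t e_type, e_machine, e_ehsize, e_phentsize, e_phnum; uint32_t e_entry, e_phoff; };
/* Byte-wise little-endian reads: independent of host endianness and alignment. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
/* Parse an ELF32 little-endian header from an untrusted buffer: returns 1 and fills *out, or 0 if the
 * buffer is too short, the magic/class/encoding is wrong, or the header is internally inconsistent. */
int parse_elf32_header(const unsigned char *buf, size_t len, struct ehdr_info *out)
{
    if (len < EHDR32_SIZE) return 0;                               /* never read past the buffer */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return 0;                /* magic 0x7f 'E' 'L' 'F' */
    if (buf[EI_CLASS] != ELFCLASS32 || buf[EI_DATA] != ELFDATA2LSB || buf[EI_VERSION] != EV_CURRENT)
        return 0;
    out->e_type      = rd16(buf + 16);   /* offsets follow the Elf32_Ehdr layout shown in the post */
    out->e_machine   = rd16(buf + 18);
    out->e_entry     = rd32(buf + 24);
    out->e_phoff     = rd32(buf + 28);
    out->e_ehsize    = rd16(buf + 40);
    out->e_phentsize = rd16(buf + 42);
    out->e_phnum     = rd16(buf + 44);
    /* Consistency checks a loader makes before trusting the program header table. */
    if (out->e_ehsize != EHDR32_SIZE || (out->e_type != ET_EXEC && out->e_type != ET_DYN)) return 0;
    if ((uint64_t)out->e_phoff + (uint64_t)out->e_phnum * out->e_phentsize > len) return 0;
    return 1;
}

/* The address the kernel jumps to (_start in the post), or 0 if the header is rejected. */
uint32_t elf32_entry(const unsigned char *buf, size_t len) { struct ehdr_info h; return parse_elf32_header(buf, len, &h) ? h.e_entry : 0; }

/* Constructed 52-byte header (not dumped from a real binary): i386 ET_EXEC, e_entry 0x080482d0, no program headers. */
static const unsigned char sample_ehdr[EHDR32_SIZE] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* e_ident: magic, ELFCLASS32, LSB, EV_CURRENT */
    2, 0, 3, 0, 1, 0, 0, 0, 0xd0, 0x82, 0x04, 0x08,            /* e_type=ET_EXEC e_machine=EM_386 e_version e_entry (LSB first) */
    0x34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                     /* e_phoff=52 e_shoff=0 e_flags=0 */
    0x34, 0, 0x20, 0, 0, 0, 0x28, 0, 0, 0, 0, 0                /* e_ehsize=52 e_phentsize=32 e_phnum=0 e_shentsize=40 e_shnum e_shstrndx */
};

int main(void)
{
    printf("start address 0x%08x\n", elf32_entry(sample_ehdr, sizeof sample_ehdr)); /* 0x080482d0 */
    return 0;
}
```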

What's at address "0x080482d0", that is, the starting address?

For this question, let’s disassemble “simple”. There are several tools to disassemble an executable. I’ll use objdump for this purpose.

objdump --disassemble simple

The output is a little long, so I'll not paste all of it. Our intention is to see what's at address 0x080482d0. Here is the relevant part of the output.

080482d0 <_start>:
 80482d0:       31 ed                   xor    %ebp,%ebp
 80482d2:       5e                      pop    %esi
 80482d3:       89 e1                   mov    %esp,%ecx
 80482d5:       83 e4 f0                and    $0xfffffff0,%esp
 80482d8:       50                      push   %eax
 80482d9:       54                      push   %esp
 80482da:       52                      push   %edx
 80482db:       68 20 84 04 08          push   $0x8048420
 80482e0:       68 74 82 04 08          push   $0x8048274
 80482e5:       51                      push   %ecx
 80482e6:       56                      push   %esi
 80482e7:       68 d0 83 04 08          push   $0x80483d0
 80482ec:       e8 cb ff ff ff          call   80482bc <_init+0x48>
 80482f1:       f4                      hlt    
 80482f2:       89 f6                   mov    %esi,%esi

It looks like some kind of startup routine called "_start" sits at the starting address. What it does is clear a register, push some values onto the stack and call a function. According to these instructions, the stack should look like this (the last value pushed is at the top):

Stack Top	-------------------
		0x80483d0
		-------------------
		esi
		-------------------
		ecx
		-------------------
		0x8048274
		-------------------
		0x8048420
		-------------------
		edx
		-------------------
		esp
		-------------------
		eax
		-------------------

Hope you find it useful... thanks.

3 Responses to detailed info about elf format…

  1. Thanks, this explained ELF to a large extent.
    Is the stack frame according to you, or is there some command to check (confirm) this?
    And apart from that, what do these symbols esi, ecx, edx, eax and esp represent?

    • Manoj says:

      These symbols represent registers of our processor.
      I don't exactly remember the command... But you should try this...

      objdump -x a.out

      • Sonali says:

        I have one query about the ELF magic number.
        The ELF magic number is 0x7f 'E' 'L' 'F';
        0x7f represents DEL. What is the purpose of using it in the magic number?
