Ciro Santilli ELF is the dominating file format for Linux. It competes with Mach-O for OS X and PE for Windows.
ELF supersedes
.coff, which supersedes a.out.ELF is specified by the LSB:
The LSB basically links to other standards with minor extensions, in particular:
- Generic (both by SCO):
- System V ABI 4.1 (1997) www.sco.com/developers/devspecs/gabi41.pdf, no 64 bit, although a magic number is reserved for it. Same for core files. This is the first document you should look at when searching for information.
- System V ABI Update DRAFT 17 (2003) www.sco.com/developers/gabi/2003-12-17/contents.html, adds 64 bit. Only updates chapters 4 and 5 of the previous document: the others remain valid and are still referenced.
- Architecture specific (by the processor vendor):
A handy summary can be found at:
man elfSpin like mad between:
- standards
- high level generators. We use the assembler
asand linkerld. - hexdumps
- file decompilers. We use
readelf. It makes it faster to read the ELF file by turning it into human readable output. But you must have seen one byte-by-byte example first, and think howreadelfoutput maps to the standard. - low-level generators: stand-alone libraries that let you control every field of the ELF files you generated. github.com/BR903/ELFkickers, github.com/sqall01/ZwoELF and many more on GitHub.
- consumer: the
execsystem call of the Linux kernel can parse ELF files to starts processes: github.com/torvalds/linux/blob/v4.11/fs/binfmt_elf.c, stackoverflow.com/questions/8352535/how-does-kernel-get-an-executable-binary-file-running-under-linux/31394861#31394861
The ELF standard specifies multiple file formats:
- Object files (
.o).Intermediate step to generating executables and other formats:Source code | | Compilation | v Object file | | Linking | v ExecutableObject files exist to make compilation faster: withmake, we only have to recompile the modified source files based on timestamps.We have to do the linking step every time, but it is much less expensive.
- Executable files (no standard Linux extension).This is what the Linux kernel can actually run.
- Archive files (
.a).Libraries meant to be embedded into executables during the Linking step.
- Shared object files (
.so).Libraries meant to be loaded when the executable starts running.
- Core dumps.Such files may be generated by the Linux kernel when the program does naughty things, e.g. segfault.They exist to help debugging the program.
In this tutorial, we consider only object and executable files.
- Compiler toolchains generate and read ELF files.Sane compilers should use a separate standalone library to do the dirty work. E.g., Binutils uses BFD (in-tree and canonical source).
- Operating systems read and run ELF files.Kernels cannot link to a library nor use the C stlib, so they are more likely to implement it themselves.This is the case of the Linux kernel 4.2 which implements it in th file
fs/binfmt_elf.c.
- Specialized libraries. Examples: