New articles - OurBigBook.com

Ciro Santilli 40 Updated 2025-07-16

 View more

We will get into more detail later, but it is good to have it in mind now:

section: exists before linking, in object files.
One ore more sections will be put inside a single segment by the linker.
Major information sections contain for the linker: is this section:
- raw data to be loaded into memory, e.g. .data, .text, etc.
- or metadata about other sections, that will be used by the linker, but disappear at runtime e.g. .symtab, .srttab, .rela.text
segment: exists after linking, in the executable file.
Contains information about how each segment should be loaded into memory by the OS, notably location and permissions.

See also:

 Read the full article

ELF Hello World Tutorial / ELF header by

Ciro Santilli 40 Updated 2025-07-16

 View more

Running:

readelf -h hello_world.o

outputs:

Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF64
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              REL (Relocatable file)
Machine:                           Advanced Micro Devices X86-64
Version:                           0x1
Entry point address:               0x0
Start of program headers:          0 (bytes into file)
Start of section headers:          64 (bytes into file)
Flags:                             0x0
Size of this header:               64 (bytes)
Size of program headers:           0 (bytes)
Number of program headers:         0
Size of section headers:           64 (bytes)
Number of section headers:         7
Section header string table index: 3

Running:

readelf -h hello_world.out

outputs:

Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class:                             ELF64
Data:                              2's complement, little endian
Version:                           1 (current)
OS/ABI:                            UNIX - System V
ABI Version:                       0
Type:                              EXEC (Executable file)
Machine:                           Advanced Micro Devices X86-64
Version:                           0x1
Entry point address:               0x4000b0
Start of program headers:          64 (bytes into file)
Start of section headers:          272 (bytes into file)
Flags:                             0x0
Size of this header:               64 (bytes)
Size of program headers:           56 (bytes)
Number of program headers:         2
Size of section headers:           64 (bytes)
Number of section headers:         6
Section header string table index: 3

Bytes in the object file:

00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  01 00 3e 00 01 00 00 00  00 00 00 00 00 00 00 00  |..>.............|
00000020  00 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000030  00 00 00 00 40 00 00 00  00 00 40 00 07 00 03 00  |....@.....@.....|

Executable:

00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  b0 00 40 00 00 00 00 00  |..>.......@.....|
00000020  40 00 00 00 00 00 00 00  10 01 00 00 00 00 00 00  |@...............|
00000030  00 00 00 00 40 00 38 00  02 00 40 00 06 00 03 00  |....@.8...@.....|

Structure represented:

# define EI_NIDENT 16

typedef struct {
    unsigned char   e_ident[EI_NIDENT];
    Elf64_Half      e_type;
    Elf64_Half      e_machine;
    Elf64_Word      e_version;
    Elf64_Addr      e_entry;
    Elf64_Off       e_phoff;
    Elf64_Off       e_shoff;
    Elf64_Word      e_flags;
    Elf64_Half      e_ehsize;
    Elf64_Half      e_phentsize;
    Elf64_Half      e_phnum;
    Elf64_Half      e_shentsize;
    Elf64_Half      e_shnum;
    Elf64_Half      e_shstrndx;
} Elf64_Ehdr;

Manual breakdown:

0 0: EI_MAG = 7f 45 4c 46 = 0x7f 'E', 'L', 'F': ELF magic number
0 4: EI_CLASS = 02 = ELFCLASS64: 64 bit elf
0 5: EI_DATA = 01 = ELFDATA2LSB: little endian data
0 6: EI_VERSION = 01: format version
0 7: EI_OSABI (only in 2003 Update) = 00 = ELFOSABI_NONE: no extensions.
0 8: EI_PAD = 8x 00: reserved bytes. Must be set to 0.
1 0: e_type = 01 00 = 1 (big endian) = ET_REl: relocatable format
On the executable it is 02 00 for ET_EXEC.
Another important possibility for the executable is ET_DYN for PIE executables and shared libraries.
ET_DYN tells the Linux kernel that the code is position independent, and can loaded at a random memory location with ASLR.
This is explained further at:
- stackoverflow.com/questions/2463150/what-is-the-fpie-option-for-position-independent-executables-in-gcc-and-ld/51308031#51308031
- stackoverflow.com/questions/34519521/why-does-gcc-create-a-shared-object-instead-of-an-executable-binary-according-to/55704865#55704865
1 2: e_machine = 3e 00 = 62 = EM_X86_64: AMD64 architecture
1 4: e_version = 01 00 00 00: must be 1
1 8: e_entry = 8x 00: execution address entry point, or 0 if not applicable like for the object file since there is no entry point.
On the executable, it is b0 00 40 00 00 00 00 00. The kernel puts the RIP directly on that value when executing. It can be configured by the linker script or -e. But it will segfault if you set it too low: stackoverflow.com/questions/2187484/why-is-the-elf-execution-entry-point-virtual-address-of-the-form-0x80xxxxx-and-n
2 0: e_phoff = 8x 00: program header table offset, 0 if not present.
40 00 00 00 on the executable, i.e. it starts immediately after the ELF header.
2 8: e_shoff = 40 7x 00 = 0x40: section header table file offset, 0 if not present.
3 0: e_flags = 00 00 00 00 Arch specific. i386 docs say:
The Intel386 architecture defines no flags; so this member contains zero.
3 4: e_ehsize = 40 00: size of this elf header. TODO why this field needed? Isn't the size fixed?
3 6: e_phentsize = 00 00: size of each program header, 0 if not present.
38 00 on executable: it is 56 bytes long
3 8: e_phnum = 00 00: number of program header entries, 0 if not present.
02 00 on executable: there are 2 entries.
3 A: e_shentsize and e_shnum = 40 00 07 00: section header size and number of entries
3 E: e_shstrndx (Section Header STRing iNDeX) = 03 00: index of the .shstrtab section.

 Read the full article

ELF Hello World Tutorial / Sections by

Ciro Santilli 40 Updated 2025-07-16

 Read the full article

ELF Hello World Tutorial / Index 0 section by

Ciro Santilli 40 Updated 2025-07-16

 View more

Contained in bytes 0x40 to 0x7F.

The first section is always magic: www.sco.com/developers/gabi/2003-12-17/ch4.sheader.html says:

If the number of sections is greater than or equal to SHN_LORESERVE (0xff00), e_shnum has the value SHN_UNDEF (0) and the actual number of section header table entries is contained in the sh_size field of the section header at index 0 (otherwise, the sh_size member of the initial entry contains 0).

There are also other magic sections detailed in Figure 4-7: Special Section Indexes.

 Read the full article

ELF Hello World Tutorial / SHT_NULL by

Ciro Santilli 40 Updated 2025-07-16

 View more

In index 0, SHT_NULL is mandatory. Are there any other uses for it: stackoverflow.com/questions/26812142/what-is-the-use-of-the-sht-null-section-in-elf ?

 Read the full article

ELF Hello World Tutorial / .text section by

Ciro Santilli 40 Updated 2025-07-16

 View more

Now that we've done one section manually, let's graduate and use the readelf -S of the other sections:

  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 2] .text             PROGBITS         0000000000000000  00000210
       0000000000000027  0000000000000000  AX       0     0     16

.text is executable but not writable: if we try to write to it Linux segfaults. Let's see if we really have some code there:

objdump -d hello_world.o

gives:

hello_world.o:     file format elf64-x86-64


Disassembly of section .text:

0000000000000000 <_start>:
   0:       b8 01 00 00 00          mov    $0x1,%eax
   5:       bf 01 00 00 00          mov    $0x1,%edi
   a:       48 be 00 00 00 00 00    movabs $0x0,%rsi
  11:       00 00 00
  14:       ba 0d 00 00 00          mov    $0xd,%edx
  19:       0f 05                   syscall
  1b:       b8 3c 00 00 00          mov    $0x3c,%eax
  20:       bf 00 00 00 00          mov    $0x0,%edi
  25:       0f 05                   syscall

If we grep b8 01 00 00 on the hd, we see that this only occurs at 00000210, which is what the section says. And the Size is 27, which matches as well. So we must be talking about the right section.

This looks like the right code: a write followed by an exit.

The most interesting part is line a which does:

movabs $0x0,%rsi

to pass the address of the string to the system call. Currently, the 0x0 is just a placeholder. After linking happens, it will be modified to contain:

4000ba: 48 be d8 00 60 00 00    movabs $0x6000d8,%rsi

This modification is possible because of the data of the .rela.text section.

 Read the full article

ELF Hello World Tutorial / SHT_STRTAB by

Ciro Santilli 40 Updated 2025-07-16

 View more

Sections with sh_type == SHT_STRTAB are called string tables.

They hold a null separated array of strings.

Such sections are used by other sections when string names are to be used. The using section says:

which string table they are using
what is the index on the target string table where the string starts

So for example, we could have a string table containing:

Data: \0 a b c \0 d e f \0
Index: 0 1 2 3  4 5 6 7  8

The first byte must be a 0. TODO rationale?

And if another section wants to use the string d e f, they have to point to index 5 of this section (letter d).

Notable string table sections:

.shstrtab
.strtab

 Read the full article

ELF Hello World Tutorial / .shstrtab by

Ciro Santilli 40 Updated 2025-07-16

 View more

Section type: sh_type == SHT_STRTAB.

Common name: "section header string table".

The section name .shstrtab is reserved. The standard says:

This section holds section names.

This section gets pointed to by the e_shstrnd field of the ELF header itself.

String indexes of this section are are pointed to by the sh_name field of section headers, which denote strings.

This section does not have SHF_ALLOC marked, so it will not appear on the executing program.

readelf -x .shstrtab hello_world.o

outputs:

Hex dump of section '.shstrtab':
  0x00000000 002e6461 7461002e 74657874 002e7368 ..data..text..sh
  0x00000010 73747274 6162002e 73796d74 6162002e strtab..symtab..
  0x00000020 73747274 6162002e 72656c61 2e746578 strtab..rela.tex
  0x00000030 7400                                t.

The data in this section has a fixed format: www.sco.com/developers/gabi/2003-12-17/ch4.strtab.html

If we look at the names of other sections, we see that they all contain numbers, e.g. the .text section is number 7.

Then each string ends when the first NUL character is found, e.g. character 12 is \0 just after .text\0.

 Read the full article

ELF Hello World Tutorial / .symtab by

Ciro Santilli 40 Updated 2025-07-16

 View more

Section type: sh_type == SHT_SYMTAB.

Common name: "symbol table".

First the we note that:

sh_link = 5
sh_info = 6

For SHT_SYMTAB sections, those numbers mean that:

strings that give symbol names are in section 5, .strtab
the relocation data is in section 6, .rela.text

A good high level tool to disassemble that section is:

nm hello_world.o

which gives:

0000000000000000 T _start
0000000000000000 d hello_world
000000000000000d a hello_world_len

This is however a high level view that omits some types of symbols and in which the symbol types . A more detailed disassembly can be obtained with:

readelf -s hello_world.o

which gives:

Symbol table '.symtab' contains 7 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS hello_world.asm
     2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1
     3: 0000000000000000     0 SECTION LOCAL  DEFAULT    2
     4: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT    1 hello_world
     5: 000000000000000d     0 NOTYPE  LOCAL  DEFAULT  ABS hello_world_len
     6: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT    2 _start

The binary format of the table is documented at www.sco.com/developers/gabi/2003-12-17/ch4.symtab.html

The data is:

readelf -x .symtab hello_world.o

which gives:

Hex dump of section '.symtab':
  0x00000000 00000000 00000000 00000000 00000000 ................
  0x00000010 00000000 00000000 01000000 0400f1ff ................
  0x00000020 00000000 00000000 00000000 00000000 ................
  0x00000030 00000000 03000100 00000000 00000000 ................
  0x00000040 00000000 00000000 00000000 03000200 ................
  0x00000050 00000000 00000000 00000000 00000000 ................
  0x00000060 11000000 00000100 00000000 00000000 ................
  0x00000070 00000000 00000000 1d000000 0000f1ff ................
  0x00000080 0d000000 00000000 00000000 00000000 ................
  0x00000090 2d000000 10000200 00000000 00000000 -...............
  0x000000a0 00000000 00000000                   ........

The entries are of type:

typedef struct {
    Elf64_Word  st_name;
    unsigned char   st_info;
    unsigned char   st_other;
    Elf64_Half  st_shndx;
    Elf64_Addr  st_value;
    Elf64_Xword st_size;
} Elf64_Sym;

Like in the section table, the first entry is magical and set to a fixed meaningless values.

 Read the full article

ELF Hello World Tutorial / STT_FILE by

Ciro Santilli 40 Updated 2025-07-16

 View more

Entry 1 has ELF64_R_TYPE == STT_FILE. ELF64_R_TYPE is continued inside of st_info.

Byte analysis:

10 8: st_name = 01000000 = character 1 in the .strtab, which until the following \0 makes hello_world.asm
This piece of information file may be used by the linker to decide on which segment sections go: e.g. in ld linker script we write:
```
segment_name :
{
    file(section)
}
```
to pick a section from a given file.
Most of the time however, we will just dump all sections with a given name together with:
```
segment_name :
{
    *(section)
}
```
10 12: st_info = 04
Bits 0-3 = ELF64_R_TYPE = Type = 4 = STT_FILE: the main purpose of this entry is to use st_name to indicate the name of the file which generated this object file.
Bits 4-7 = ELF64_ST_BIND = Binding = 0 = STB_LOCAL. Required value for STT_FILE.
10 13: st_shndx = Symbol Table Section header Index = f1ff = SHN_ABS. Required for STT_FILE.
20 0: st_value = 8x 00: required for value for STT_FILE
20 8: st_size = 8x 00: no allocated size

Now from the readelf, we interpret the others quickly.

 Read the full article

ELF Hello World Tutorial / STT_SECTION by

Ciro Santilli 40 Updated 2025-07-16

 View more

There are two such entries, one pointing to .data and the other to .text (section indexes 1 and 2).

Num:    Value          Size Type    Bind   Vis      Ndx Name
  2: 0000000000000000     0 SECTION LOCAL  DEFAULT    1
  3: 0000000000000000     0 SECTION LOCAL  DEFAULT    2

TODO what is their purpose?

 Read the full article

ELF Hello World Tutorial / STT_NOTYPE by

Ciro Santilli 40 Updated 2025-07-16

 View more

Then come the most important symbols:

Num:    Value          Size Type    Bind   Vis      Ndx Name
  4: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT    1 hello_world
  5: 000000000000000d     0 NOTYPE  LOCAL  DEFAULT  ABS hello_world_len
  6: 0000000000000000     0 NOTYPE  GLOBAL DEFAULT    2 _start

hello_world string is in the .data section (index 1). It's value is 0: it points to the first byte of that section.

_start is marked with GLOBAL visibility since we wrote:

global _start

in NASM. This is necessary since it must be seen as the entry point. Unlike in C, by default NASM labels are local.

 Read the full article

ELF Hello World Tutorial / SHN_ABS by

Ciro Santilli 40 Updated 2025-07-16

 View more

hello_world_len points to the special st_shndx == SHN_ABS == 0xF1FF.

0xF1FF is chosen so as to not conflict with other sections.

st_value == 0xD == 13 which is the value we have stored there on the assembly: the length of the string Hello World!.

This means that relocation will not affect this value: it is a constant.

This is small optimization that our assembler does for us and which has ELF support.

If we had used the address of hello_world_len anywhere, the assembler would not have been able to mark it as SHN_ABS, and the linker would have extra relocation work on it later.

 Read the full article

ELF Hello World Tutorial / SHT_SYMTAB on the executable by

Ciro Santilli 40 Updated 2025-07-16

 View more

By default, NASM places a .symtab on the executable as well.

This is only used for debugging. Without the symbols, we are completely blind, and must reverse engineer everything.

You can strip it with objcopy, and the executable will still run. Such executables are called "stripped executables".

 Read the full article

ELF Hello World Tutorial / .strtab by

Ciro Santilli 40 Updated 2025-07-16

 View more

Holds strings for the symbol table.

This section has sh_type == SHT_STRTAB.

It is pointed to by sh_link == 5 of the .symtab section.

readelf -x .strtab hello_world.o

outputs:

Hex dump of section '.strtab':
  0x00000000 0068656c 6c6f5f77 6f726c64 2e61736d .hello_world.asm
  0x00000010 0068656c 6c6f5f77 6f726c64 0068656c .hello_world.hel
  0x00000020 6c6f5f77 6f726c64 5f6c656e 005f7374 lo_world_len._st
  0x00000030 61727400                            art.

This implies that it is an ELF level limitation that global variables cannot contain NUL characters.

 Read the full article

ELF Hello World Tutorial / .rela.text by

Ciro Santilli 40 Updated 2025-07-16

 View more

Section type: sh_type == SHT_RELA.

Common name: "relocation section".

.rela.text holds relocation data which says how the address should be modified when the final executable is linked. This points to bytes of the text area that must be modified when linking happens to point to the correct memory locations.

Basically, it translates the object text containing the placeholder 0x0 address:

   a:       48 be 00 00 00 00 00    movabs $0x0,%rsi
  11:       00 00 00

to the actual executable code containing the final 0x6000d8:

4000ba: 48 be d8 00 60 00 00    movabs $0x6000d8,%rsi
4000c1: 00 00 00

It was pointed to by sh_info = 6 of the .symtab section.

readelf -r hello_world.o outputs:

Relocation section '.rela.text' at offset 0x3b0 contains 1 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
00000000000c  000200000001 R_X86_64_64       0000000000000000 .data + 0

The section does not exist in the executable.

The actual bytes are:

00000370  0c 00 00 00 00 00 00 00  01 00 00 00 02 00 00 00  |................|
00000380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

The struct represented is:

typedef struct {
    Elf64_Addr  r_offset;
    Elf64_Xword r_info;
    Elf64_Sxword    r_addend;
} Elf64_Rela;

So:

370 0: r_offset = 0xC: address into the .text whose address this relocation will modify
370 8: r_info = 0x200000001. Contains 2 fields:
- ELF64_R_TYPE = 0x1: meaning depends on the exact architecture.
- ELF64_R_SYM = 0x2: index of the section to which the address points, so .data which is at index 2.
The AMD64 ABI says that type 1 is called R_X86_64_64 and that it represents the operation S + A where:
- S: the value of the symbol on the object file, here 0 because we point to the 00 00 00 00 00 00 00 00 of movabs $0x0,%rsi
- A: the addend, present in field r_added
This address is added to the section on which the relocation operates.
This relocation operation acts on a total 8 bytes.
380 0: r_addend = 0

So in our example we conclude that the new address will be: S + A = .data + 0, and thus the first thing in the data section.

 Read the full article

ELF Hello World Tutorial / .rel.text by

Ciro Santilli 40 Updated 2025-07-16

 View more

Besides sh_type == SHT_RELA, there also exists SHT_REL, which would have section name .text.rel (not present in this object file).

Those represent the same struct, but without the addend, e.g.:

typedef struct {
    Elf64_Addr  r_offset;
    Elf64_Xword r_info;
} Elf64_Rela;

The ELF standard says that in many cases the both can be used, and it is just a matter of convenience.

 Read the full article

ELF Hello World Tutorial / Dynamic linking sections by

Ciro Santilli 40 Updated 2025-07-16

 View more

This program did not have certain dynamic linking related sections because we linked it minimally with ld.

However, if you compile a C hello world with GCC 8.2:

gcc -o main.out main.c

some other interesting sections would appear.

 Read the full article

ELF Hello World Tutorial / PT_INTERP by

Ciro Santilli 40 Updated 2025-07-16

 View more

Contains the path to the dynamic loader, i.e. /lib64/ld-linux-x86-64.so.2 in Ubuntu 18.10. Explained at: stackoverflow.com/questions/8040631/checking-if-a-binary-compiled-with-static/55664341#55664341

 Read the full article

ELF Hello World Tutorial / DF_1_PIE by

Ciro Santilli 40 Updated 2025-07-16

 View more

Determines if an executable is a position independent executable (PIE).

Seems to be informational only, since not used by Linux kernel 5.0 or glibc 2.29.

file 5.36 however does use it to display file type as explained at: stackoverflow.com/questions/34519521/why-does-gcc-create-a-shared-object-instead-of-an-executable-binary-according-to/55704865#55704865

 Read the full article

 Pinned article: Introduction to the OurBigBook Project

Welcome to the OurBigBook Project! Our goal is to create the perfect publishing platform for STEM subjects, and get university-level students to write the best free STEM tutorials ever.

Everyone is welcome to create an account and play with the site: ourbigbook.com/go/register. We belive that students themselves can write amazing tutorials, but teachers are welcome too. You can write about anything you want, it doesn't have to be STEM or even educational. Silly test content is very welcome and you won't be penalized in any way. Just keep it legal!

Video 1.

Intro to OurBigBook

. Source.

We have two killer features:

topics: topics group articles by different users with the same title, e.g. here is the topic for the "Fundamental Theorem of Calculus" ourbigbook.com/go/topic/fundamental-theorem-of-calculus
Articles of different users are sorted by upvote within each article page. This feature is a bit like:
- a Wikipedia where each user can have their own version of each article
- a Q&A website like Stack Overflow, where multiple people can give their views on a given topic, and the best ones are sorted by upvote. Except you don't need to wait for someone to ask first, and any topic goes, no matter how narrow or broad
This feature makes it possible for readers to find better explanations of any topic created by other writers. And it allows writers to create an explanation in a place that readers might actually find it.
Figure 1.
Screenshot of the "Derivative" topic page
. View it live at: ourbigbook.com/go/topic/derivative
Video 2.
OurBigBook Web topics demo
. Source.
local editing: you can store all your personal knowledge base content locally in a plaintext markup format that can be edited locally and published either:
- to OurBigBook.com to get awesome multi-user features like topics and likes
- as HTML files to a static website, which you can host yourself for free on many external providers like GitHub Pages, and remain in full control
This way you can be sure that even if OurBigBook.com were to go down one day (which we have no plans to do as it is quite cheap to host!), your content will still be perfectly readable as a static site.
Figure 2.
You can publish local OurBigBook lightweight markup files to either https://OurBigBook.com or as a static website
.
Figure 3.
Visual Studio Code extension installation
.
Figure 4.
Visual Studio Code extension tree navigation
.
Figure 5.
Web editor
. You can also edit articles on the Web editor without installing anything locally.
Video 3.
Edit locally and publish demo
. Source. This shows editing OurBigBook Markup and publishing it using the Visual Studio Code extension.
Video 4.
OurBigBook Visual Studio Code extension editing and navigation demo
. Source.
Internal cross file references done right:
Infinitely deep tables of contents:
Figure 6.
Dynamic article tree with infinitely deep table of contents
.
Live URL: ourbigbook.com/cirosantilli/chordate
Descendant pages can also show up as toplevel e.g.: ourbigbook.com/cirosantilli/chordate-subclade

All our software is open source and hosted at: github.com/ourbigbook/ourbigbook

Further documentation can be found at: docs.ourbigbook.com

Feel free to reach our to us for any help or suggestions: docs.ourbigbook.com/#contact

 Site settings

 Pinned article: Introduction to the OurBigBook Project  Hide

 Pinned article: Introduction to the OurBigBook Project