
Elf Hello World - rocky1138
http://www.cirosantilli.com/elf-hello-world/
======
CalChris
This tutorial should be read alongside his _Address Relocation_ answer from
Stack Overflow:

[http://stackoverflow.com/questions/12122446/how-does-c-linki...](http://stackoverflow.com/questions/12122446/how-does-c-linking-work-in-practice/30507725#30507725)

And then you might want to skim through _An Evil Copy: How the Loader Betrays
You_ :

[https://www.microsoft.com/en-us/research/publication/evil-co...](https://www.microsoft.com/en-us/research/publication/evil-copy-loader-betrays)

~~~
theoh
That new CoRev paper is interesting. I haven't had time to read it in detail
but it sounds like an intriguing case for compiler/linker buffs.

Slightly OT, there was a very fun ActionScript exploit published by Mark Dowd
of IBM in 2008. I'm reminded of it because it's about memory protection
vulnerabilities.

"Application-Specific Attacks: Leveraging the ActionScript Virtual Machine"

[https://www.cs.utexas.edu/~shmat/courses/cs6431/dowd.pdf](https://www.cs.utexas.edu/~shmat/courses/cs6431/dowd.pdf)

------
tonyg
My favourite page on ELF executables of all time:
[http://www.muppetlabs.com/~breadbox/software/tiny/teensy.htm...](http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html),
"A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux (or,
'Size Is Everything')"

~~~
zmodem
That one is awesome and inspired me to write [http://www.hanshq.net/making-executables.html](http://www.hanshq.net/making-executables.html)

~~~
10165
I like your page about making Android executables, especially the quote from
Carmack and the comment about the virtues of being a control freak. Have you tried to
do the same thing for iOS? What is the current file and directory count for
Xcode?

------
bogomipz
If you enjoyed this you might also like the following article:

[http://nullprogram.com/blog/2016/11/17/](http://nullprogram.com/blog/2016/11/17/)

------
molticrystal
In elftoolchain you'll see some elfs having a size of 52 instead of 64

[https://github.com/sergev/elftoolchain/search?utf8=%E2%9C%93...](https://github.com/sergev/elftoolchain/search?utf8=%E2%9C%93&q=e_ehsize&type=)

Also it is interesting that the powerpc elf loader verifies that the e_ehsize
is the same size as the allocated buffer, perhaps they had an issue at one
point.

[https://github.com/torvalds/linux/blob/ba6d973f78eb62ffebb32...](https://github.com/torvalds/linux/blob/ba6d973f78eb62ffebb32f6ef3334fc9a3b33d22/arch/powerpc/kernel/kexec_elf_64.c#L175)

------
wyldfire
It's great, thanks!

Thoughts for chapter 2: stuff that often confuses me: PLT, GOT, FDE/CIE.

~~~
rocky1138
I love the fact that it's all on one page and uses HTML anchors to get around.
It makes it super simple to archive and read up later if the site ever goes
down.

~~~
cirosantilli
Well, you can also fork and git clone it:
[https://github.com/cirosantilli/cirosantilli.github.io/blob/...](https://github.com/cirosantilli/cirosantilli.github.io/blob/master/elf-hello-world.md) :-)

~~~
rocky1138
Thanks for the article! I'm really enjoying learning this stuff. One thing
that came up which doesn't appear very clear is why `ld` continues to set the
entrypoint for executables at 0x08048000 when that seems like such an
arbitrary number held over from a version of Unix made decades ago. Wouldn't
it be better to just get rid of that and start programs at 0x00000001?
(leaving 0x0 open for NUL).

~~~
kdunwoody
Definitely not. In rough order of importance:

1. Space for NULL should be big enough for at least a medium-sized structure,
otherwise `(*NULL)->field = blah` will overwrite your code.
2. Because of (1), Linux (for example) doesn't even allow processes to map the
first page or so of memory.
3. On many platforms the PC needs to be aligned to a word boundary.

~~~
rocky1138
I see. I've obviously got a lot more to learn. Thanks :)

One more question, though: how much space should be safe to leave for NULL? Is
128MB enough? Why not only as much as required?

I suppose it doesn't really matter anyway since the entry point location is
virtual at this point anyway.

~~~
Ded7xSEoPKYNsDd
It's impossible to know how much exactly is required. (While structures are
fixed size, array indices are not.)

Linux allows you to configure the limit at /proc/sys/vm/mmap_min_addr.
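Two points in this thread lend themselves to a small worked check: molticrystal's observation that `e_ehsize` is 52 for ELF32 and 64 for ELF64 (and that the PowerPC kexec loader verifies it), and the discussion of why the entry point must stay above the unmapped low page that `mmap_min_addr` protects. The Python below is an added example, not code from the article or from any poster. It parses just the ELF header from a byte string, validates `e_ehsize` against the class, and flags an `ET_EXEC` entry point that falls below an assumed `mmap_min_addr` (65536 is assumed here as the common distribution default; read `/proc/sys/vm/mmap_min_addr` on a real system). The function names and the headers it constructs for itself are hypothetical.

```python
import struct

ELFMAG = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC = 2
EM_386, EM_X86_64 = 3, 62

# Header size each class must advertise in e_ehsize (from the ELF specification).
EHSIZE_BY_CLASS = {ELFCLASS32: 52, ELFCLASS64: 64}

# Fields that follow the 16-byte e_ident, in file order. Only the widths of
# e_entry, e_phoff and e_shoff differ between the two classes.
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
          "e_shnum", "e_shstrndx")
FMT_BY_CLASS = {ELFCLASS32: "HHIIIIIHHHHHH", ELFCLASS64: "HHIQQQIHHHHHH"}

# Assumed value of /proc/sys/vm/mmap_min_addr; 65536 is the usual distro default.
DEFAULT_MMAP_MIN_ADDR = 65536


def parse_elf_header(data):
    """Return a dict of ELF header fields parsed from the start of a file image."""
    if len(data) < 16 or data[:4] != ELFMAG:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in FMT_BY_CLASS:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    if ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("unknown EI_DATA %d" % ei_data)
    if len(data) < EHSIZE_BY_CLASS[ei_class]:
        raise ValueError("truncated ELF header")
    # Byte order comes from EI_DATA; the field layout comes from EI_CLASS.
    fmt = ("<" if ei_data == ELFDATA2LSB else ">") + FMT_BY_CLASS[ei_class]
    hdr = dict(zip(FIELDS, struct.unpack_from(fmt, data, 16)))
    hdr["ei_class"] = ei_class
    hdr["ei_data"] = ei_data
    return hdr


def check_elf_header(hdr, mmap_min_addr=DEFAULT_MMAP_MIN_ADDR):
    """Sanity checks a loader would want before trusting the header further."""
    problems = []
    expected = EHSIZE_BY_CLASS[hdr["ei_class"]]
    if hdr["e_ehsize"] != expected:
        problems.append("e_ehsize is %d, expected %d for this class"
                        % (hdr["e_ehsize"], expected))
    # An executable whose entry point sits in the protected low region could
    # never be mapped there; treat it as malformed rather than trying.
    if hdr["e_type"] == ET_EXEC and hdr["e_entry"] < mmap_min_addr:
        problems.append("e_entry 0x%x lies below mmap_min_addr 0x%x"
                        % (hdr["e_entry"], mmap_min_addr))
    return problems


def build_elf_header(ei_class, e_entry, e_machine, e_ehsize=None):
    """Construct a minimal little-endian header (constructed sample input only)."""
    ident = ELFMAG + bytes([ei_class, ELFDATA2LSB, 1]) + bytes(9)  # 16 bytes
    size = EHSIZE_BY_CLASS[ei_class] if e_ehsize is None else e_ehsize
    fields = (ET_EXEC, e_machine, 1, e_entry, 0, 0, 0, size, 0, 0, 0, 0, 0)
    return ident + struct.pack("<" + FMT_BY_CLASS[ei_class], *fields)


if __name__ == "__main__":
    samples = {
        "x86_64 at 0x400000": build_elf_header(ELFCLASS64, 0x400000, EM_X86_64),
        "i386 at 0x08048000": build_elf_header(ELFCLASS32, 0x08048000, EM_386),
        "bogus e_ehsize, low entry": build_elf_header(ELFCLASS64, 0x1000,
                                                     EM_X86_64, e_ehsize=52),
    }
    for name, blob in samples.items():
        hdr = parse_elf_header(blob)
        print(name, "->", check_elf_header(hdr) or "ok")
```

The two constructed "good" headers come back clean; the third trips both checks, which is the situation the kexec `e_ehsize` comparison and the `mmap_min_addr` floor are each guarding against.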

------
sgmansfield
Fantastic article. I noticed a couple of TODOs around, though. Does this hint
at a second installment? :)

~~~
cirosantilli
If I need it for work at some point :-) Not in the foreseeable future :-( But you
can send PRs or fork it:
[https://github.com/cirosantilli/cirosantilli.github.io/blob/...](https://github.com/cirosantilli/cirosantilli.github.io/blob/master/elf-hello-world.md)

------
sigjuice
Impressive work.

Anyone know of something equivalent for Mach-O?

------
muzster
Great article...

Makes you wonder how ELF's brother (PE) and daughter (WASM) are doing.

------
laser
Is it just me, or are the author's ears slightly pointed?

~~~
cirosantilli
You've uncovered my secret: I'm an ELF!!! :-)

~~~
laser
I knew it!! :P

