Elf Hello World (cirosantilli.com)
334 points by rocky1138 on May 17, 2017 | hide | past | web | favorite | 30 comments

This tutorial should be read alongside his Address Relocation answer from Stack Overflow:


And then you might want to skim through An Evil Copy: How the Loader Betrays You:


That new CoRev paper is interesting. I haven't had time to read it in detail but it sounds like an intriguing case for compiler/linker buffs.

Slightly OT, there was a very fun ActionScript exploit published by Mark Dowd of IBM in 2008. I'm reminded of it because it's about memory protection vulnerabilities.

"Application-Specific Attacks: Leveraging the ActionScript Virtual Machine"


My favourite page on ELF executables of all time: http://www.muppetlabs.com/~breadbox/software/tiny/teensy.htm..., "A Whirlwind Tutorial on Creating Really Teensy ELF Executables for Linux (or, 'Size Is Everything')"

ELF is pretty generally applicable to all NIX and NIX-like platforms, so I often refer to the Solaris Libraries and Linkers guide which has a lot of generally useful information and guidance:


Heya! I followed along and made a 64 bit version a while back. Great resource for learning ELF.


That one is awesome and inspired me to write http://www.hanshq.net/making-executables.html

I like your page about making Android executables, especially the quote from Carmack and the comment about the virtues of being a control freak. Have you tried to do the same thing for iOS? What is the current file and directory count for Xcode?

An interesting read, thanks a lot!

If you enjoyed this you might also like the following article:


In elftoolchain you'll see some elfs having a size of 52 instead of 64


Also it is interesting that the powerpc elf loader verifies that the e_ehsize is the same size as the allocated buffer, perhaps they had an issue at one point.


It's great, thanks!

Thoughts for chapter 2: stuff that often confuses me: PLT, GOT, FDE/CIE.

Eli Bendersky wrote an excellent series on load-time relocation and position independent code (PIC), including details regarding PLT/GOT:



I love the fact that it's all on one page and uses HTML anchors to get around. It makes it super simple to archive and read up later if the site ever goes down.

Well, you can also fork and git clone it: https://github.com/cirosantilli/cirosantilli.github.io/blob/... :-)

Thanks for the article! I'm really enjoying learning this stuff. One thing that came up which doesn't appear very clear is why `ld` continues to set the entrypoint for executables at 0x08048000 when that seems like such an arbitrary number held over from a version of Unix made decades ago. Wouldn't it be better to just get rid of that and start programs at 0x00000001? (leaving 0x0 open for NUL).

Definitely not. In rough order of importance:

1. Space for NULL should be big enough for at least a medium-sized structure, otherwise (*NULL)->field = blah will overwrite your code.
2. Because of (1), Linux (for example) doesn't even allow processes to map the first page or so of memory.
3. On many platforms the PC needs to be aligned to a word boundary.

I see. I've obviously got a lot more to learn. Thanks :)

One more question, though: how much space should be safe to leave for NULL? Is 128MB enough? Why not only as much as required?

I suppose it doesn't really matter anyway since the entry point location is virtual at this point anyway.

It's impossible to know how much exactly is required. (While structures are fixed size, array indices are not.)

Linux allows you to configure the limit at /proc/sys/vm/mmap_min_addr.
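An added example (not from the thread or the article it discusses) that ties the two points above together: it parses an ELF32/ELF64 header the way the e_ehsize comment describes (52 vs 64 bytes), flags an e_ehsize that disagrees with the class, and flags an entry point that sits below the Linux mmap_min_addr limit. The sample headers are constructed inline; 65536 is an assumed default for mmap_min_addr, and the sysctl is read when it exists.

```python
import struct

# EI_CLASS -> (struct layout after e_ident, expected e_ehsize)
EHDR_LAYOUT = {
    1: ("HHIIIIIHHHHHH", 52),   # ELFCLASS32
    2: ("HHIQQQIHHHHHH", 64),   # ELFCLASS64
}
EHDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
               "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
               "e_shnum", "e_shstrndx")

def parse_ehdr(data):
    """Parse the ELF header at the start of `data` into a dict."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, encoding = data[4], data[5]            # EI_CLASS, EI_DATA
    if cls not in EHDR_LAYOUT or encoding not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    fmt, expected = EHDR_LAYOUT[cls]
    fmt = ("<" if encoding == 1 else ">") + fmt  # 1 = little-endian, 2 = big-endian
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(fmt, data, 16)))
    hdr["expected_ehsize"] = expected
    return hdr

def read_mmap_min_addr(default=65536):
    """Lowest address Linux lets a process map; `default` is an assumed fallback."""
    try:
        with open("/proc/sys/vm/mmap_min_addr") as f:
            return int(f.read())
    except OSError:
        return default

def check_ehdr(hdr, mmap_min_addr=65536):
    """Return problems: class/e_ehsize mismatch, or an entry point in the unmappable low range."""
    problems = []
    if hdr["e_ehsize"] != hdr["expected_ehsize"]:
        problems.append("e_ehsize %d does not match class size %d"
                        % (hdr["e_ehsize"], hdr["expected_ehsize"]))
    if hdr["e_entry"] < mmap_min_addr:
        problems.append("e_entry 0x%x lies below mmap_min_addr 0x%x"
                        % (hdr["e_entry"], mmap_min_addr))
    return problems

def build_ehdr(cls, e_entry, e_ehsize=None):
    """Constructed sample header: little-endian ET_EXEC for EM_386 or EM_X86_64, one phdr, no sections."""
    fmt, size = EHDR_LAYOUT[cls]
    ident = b"\x7fELF" + bytes([cls, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<" + fmt, 2, 3 if cls == 1 else 62, 1, e_entry, size, 0, 0,
                               size if e_ehsize is None else e_ehsize,
                               32 if cls == 1 else 56, 1, 0, 0, 0)

if __name__ == "__main__":
    for h in (build_ehdr(1, 0x08048000), build_ehdr(2, 0x1, e_ehsize=52)):
        print(check_ehdr(parse_ehdr(h), read_mmap_min_addr()) or "ok")
```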

I know PLT and GOT but am unfamiliar with the acronyms FDE/CIE. Can you say what those are?

FDE: Frame Description Entry, CIE: Common Information Entry. AFAIR, they're used to unwind the stack in exceptions.

I think it's specified by the Itanium C++ ABI (which sounds archaic but actually many other processors use the same one).

I don't recall if these things are ELF features or if the ELF only knows about the "eh_frame" section. It's interesting and kinda sorta related low-level stuff IMO.

Interesting, I wasn't familiar with this standard. It sounds like this has been adopted by some other architectures besides Itanium as well:


Fantastic article. I noticed a couple of TODO's around, though. Does this hint at a second installment? :)

If I need it for work at some point :-) Not in the foreseeable future :-( But you can send PRs or fork it: https://github.com/cirosantilli/cirosantilli.github.io/blob/...

Impressive work.

Anyone know of something equivalent for Mach-O?

Great article...

Makes you wonder how ELF's brother (PE) and daughter (WASM) are doing.

Is it just me, or are the author's ears slightly pointed?

You've uncovered my secret: I'm an ELF!!! :-)

I knew it!! :P

I don't know about that, but I did notice the author's photo looks like a passport pic (strict, formal). An unusual thing to include on a personal site, maybe.

Yeah, standard booth pic for document format. I don't think I used it in any documents however.
