ELF Structures
Last updated
Last updated
Shameless plug
This course is given to you for free by The Perkins Cybersecurity Educational Fund: https://perkinsfund.org/ in collaboration with the Malcore team: https://m4lc.io/courses/register
Please consider donating to The Perkins Cybersecurity Educational Fund and registering for Malcore. You can also join the Malcore Discord server here: https://m4lc.io/courses/discord
Malcore offers free threat intel in our Discord via their custom designed Discord bot. Join the Discord to discuss this course in further detail or to ask questions.
You can also support The Perkins Cybersecurity Educational Fund by buying them a coffee
The executable and linkable format (ELF) is a standard file format for executables, object code, shared libraries, and core dumps. ELF format is widely used on Unix based operating systems. It is designed to be flexible and extensible.
To visualize the file format we have created a basic ascii representation of the file
The header is located at the beginning of the file:
Contained within this header are multiple pieces of information. This information provides essential data to tell the system what kind of ELf file this is.
e_ident
Contains the magic number to identify the file as an ELF, also holds info on the class/architecture (32 or 64), encoding, and ELF version
16 bytes long
Magic number (7F 45 4C 46 -> .ELF)
Class (or architecture)
0x02 == 64bit
0x01 == 32bit
Data encoding
0x01 == little endian
0x02 == big endian
ELF version (usually 0x01)
Padding bytes
e_type
Specifies the file type, such as: relocatable, executable, shared object, or core.
Possible types:
0x00
System V
0x01
HP-UX
0x02
NetBSD
0x03
Linux
0x04
GNU Hurd
0x06
Solaris
0x07
AIX (Monterey)
0x08
IRIX
0x09
FreeBSD
0x0A
Tru64
0x0B
Novell Modesto
0x0C
OpenBSD
0x0D
OpenVMS
0x0E
NonStop Kernel
0x0F
AROS
0x10
FenixOS
0x11
Nuxi CloudABI
0x12
Stratus Technologies OpenVOS
e_machines
Indicates what class/architecture the ELF files is
Most common types:
e_machine Value
Constant
Description
0x00
EM_NONE
No machine
0x02
EM_M32
AT&T WE 32100
0x03
EM_SPARC
SPARC
0x07
EM_68K
Motorola 68000
0x08
EM_88K
Motorola 88000
0x14
EM_860
Intel 80860
0x16
EM_R3000
MIPS I Architecture (R3000)
0x28
EM_ARM
ARM
0x2A
EM_SUPERH
Hitachi SH
0x32
EM_IA_64
Intel Itanium
0x3E
EM_X86_64
AMD x86-64 (x64)
0xB7
EM_AARCH64
ARM 64-bit (AArch64)
0xF3
EM_RISCV
RISC-V
Other notable types:
e_machine Value
Constant
Description
0x13
EM_386
Intel 80386
0x15
EM_PARISC
HP/PA RISC
0x2B
EM_ECOG2
Cyan Technology eCOG2
0x42
EM_ALPHA
DEC Alpha
0x8C
EM_AVR
Atmel AVR
0xA2
EM_MSP430
Texas Instruments MSP430
0xA3
EM_BLACKFIN
Analog Devices Blackfin
0xDC
EM_TI_C6000
Texas Instruments TMS320C6000 DSP family
0xF7
EM_BPF
Berkeley Packet Filter
e_version
This indicates the version of ELF that is being used. There are really only two different version:
0x00000000
EV_NONE
Invalid version
0x00000001
EV_CURRENT
Current version (original version 1)
