Section Header Table

Section Header Table

1.What is the section header table?
  A section is not a segment.Segments are necessary for program execution, and within each segment, there is either code or data divided up into sections.
  A section header table exists to reference the location and size of these sections and is primarily for linking and debugging purposes. Section headers are not necessary for program execution, and a program will execute just fne without having a section header table. This is because the section header table doesn’t describe the program memory layout. That is the responsibility of the program header table. The section headers are really just complimentary to the program headers.

2.The role of the section
  Every ELF object has sections, but not all ELF objects have section headers, primarily when someone has deliberately removed the section header table, which is not the default.
  Usually, this is because the executable has been tampered with (for example, the section headers have been stripped so that debugging is harder). All of GNU’s binutils such as objcopy, objdump, and other tools such as gdb rely on the section headers to locate symbol information that is stored in the sections specifc to containing symbol data. Without section headers, tools such as gdb and objdump are nearly useless.

3.To get all the headers from an a.out:

albert$ readelf -SW a.out

4.Each section different fields as shown below:

[Nr] Name Type Address Offset Size EntSize Flags Link Info Align

• Nr： The index of each section.

• Name： The name of each section.

  • .text：holds all the compiled code of a program.
  • .data：holds the initialized data of a program. Since the data are initialized with actual values, gcc allocates the section with actual byte in the executable binary.
  • .rodata：holds read-only data, such as fixed-size strings in a program, e.g. “Hello World”, and others.
  • .bss：shorts for Block Started by Symbol, holds uninitialized data of a program. Unlike other sections, no space is allocated for this section in the image of the executable binary on disk.The section is allocated only when the program is loaded into main memory.

• Type ：This field (in a section header) identifies the type of each section, which tells the linker something about the structure of a section’s contents.

  • PROGBITS：contain program data,such as machine instructions or constants.
  • SYMTAB：static symbol tables，it may not be present if the binary is stripped.
  • DYNSYM：symbol tables used by the dynamic linker.
  • STRTAB： string tables.
  • DYNAMIC： contain information needed for dynamic linking.
  • REL/RELA：contain relocation entries, which the linker can parse to perform the necessary relocations in other sections. Each relocation entry tells the linker about a particular location in the binary where a relocation is needed and which symbol the relocation should be resolved to.

• Address： The starting virtual address of each section. Note that the addresses are virtual only when a program runs in an OS with support for virtual memory enabled.

• Offset： From the first byte of a file to the start of an object, such as a section or a segment in the context of an ELF binary file.

• Size: The size in bytes of each section.

• EntSize: Some sections hold a table of fixed-size entries, such as a symbol table.

• Flags: Describes attributes of a section, together with a type defines the purpose of a section.

• Link and Info: Numbers that references the indexes of sections, symbol table entries, hash table entries. Link field only holds the index of a section, while Info field holds an index of a section, a symbol table entry or a hash table entry, depends on the type of a section.

• Align： Value that enforces the offset of a section should be divisible
  by the value. Only 0 and positive integral powers of two are allowed.
  Values 0 and 1 mean the section has no alignment constraint.

5.Example: the .text section:

[14] .text PROGBITS 00000000004003e0 000003e0
0000000000000192 0000000000000000 AX 0 0 16

• Nr is 14.
• Type is PROGBITS, which means this section is part of the program.
• Address is 0x00000000004003e0, which means the program is loaded
  at this virtual memory address at runtime.
• Offset is 0x000003e0 bytes into file.
• Size is 0x0000000000000192 in bytes.
• EntSize is 0, which means this section does not have any fixed-size
  entry.
• Flags are A (Allocatable) and X (Executable), which means this section consumes memory and can be executed as code at runtime.
• Info and Link are 0 and 0, which means this section links to no section or entry in any table.
• Align is 16, which means the starting address of the section should
  be divisible by 16, or 0x10. Indeed, it is: 0x3e0/0x10 = 0x3e

6.To read the content of text section as a hexdump:
  $ readelf -x <section name|section number> < file>

albert$ readelf -x 14 a.out
Hex dump of section ‘.text’:
0x00400440 31ed4989 d15e4889 e24883e4 f0505449 1.I…^H…H…PTI
0x00400450 c7c0c005 400048c7 c1500540 0048c7c7 …@.H…P.@.H…
0x00400460 2d054000 e8b7ffff fff4660f 1f440000 -.@…f…D…
0x00400470 b8471060 0055482d 40106000 4883f80e .G..UH-@..H…
0x00400480 4889e577 025dc3b8 00000000 4885c074 H…w.]…H…t
0x00400490 f45dbf40 106000ff e00f1f80 00000000 .].@........... 0x004004a0 b8401060 0055482d 40106000 48c1f803 .@..UH-@..H... 0x004004b0 4889e548 89c248c1 ea3f4801 d048d1f8 H..H..H..?H..H.. 0x004004c0 75025dc3 ba000000 004885d2 74f45d48 u.]......H..t.]H 0x004004d0 89c6bf40 106000ff e20f1f80 00000000 ...@.…
0x004004e0 803d590b 20000075 11554889 e5e87eff .=Y. …u.UH…~.
0x004004f0 ffff5dc6 05460b20 0001f3c3 0f1f4000 …]…F. …@.
0x00400500 48833d18 09200000 741eb800 00000048 H.=… …t…H
0x00400510 85c07414 55bf200e 60004889 e5ffd05d …t.U. .`.H…]
0x00400520 e97bffff ff0f1f00 e973ffff ff554889 .{…s…UH.
0x00400530 e54883ec 10897dfc 488975f0 bfd40540 .H…}.H.u…@
0x00400540 00e8cafe ffffb800 000000c9 c30f1f00 …
0x00400550 41574189 ff415649 89f64155 4989d541 AWA…AVI…AUI…A
0x00400560 544c8d25 a8082000 55488d2d a8082000 TL.%… .UH.-… .
0x00400570 534c29e5 31db48c1 fd034883 ec08e85d SL).1.H…H…]
0x00400580 feffff48 85ed741e 0f1f8400 00000000 …H…t…
0x00400590 4c89ea4c 89f64489 ff41ff14 dc4883c3 L…L…D…A…H…
0x004005a0 014839eb 75ea4883 c4085b5d 415c415d .H9.u.H…[]A\A]
0x004005b0 415e415f c366662e 0f1f8400 00000000 A^A_.ff…
0x004005c0 f3c3

7.To read the content of symbol section:

albert$ readelf -s a.out
Symbol table ‘.dynsym’ contains 4 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (2)
3: 0000000000000000 0 NOTYPE WEAK DEFAULT UND gmon_start
Symbol table ‘.symtab’ contains 65 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000400238 0 SECTION LOCAL DEFAULT 1
2: 0000000000400254 0 SECTION LOCAL DEFAULT 2
3: 0000000000400274 0 SECTION LOCAL DEFAULT 3

• Num is the index of an entry in a table.
• Value is the virtual memory address where the symbol is located.
• Size is the size of the entity associated with a symbol.
• Type is a symbol type according to table.
  • NOTYPE: The type of a symbol is not specified.
  • OBJECT: The symbol is associated with a data object. In C, any variable definition is of OBJECT type.
  • FUNC: The symbol is associated with a function or other executable code.
  • SECTION: The symbol is associated with a section, and exists primarily for relocation.
  • FILE: The symbol is the name of a source file associated with an executable binary.
  • COMMON: The symbol labels an uninitialized variable. That is, when a variable in C is defined as global variable without an initial value, or as an external variable using the extern keyword. In other words, these variables stay in .bss section.
• Bind is the scope of a symbol.
  • LOCAL are symbols that are only visible in the object files that defined them. In C, the static modifier marks a symbol (e.g. a variable/function) as local to only the file that defines it.
  • GLOBAL are symbols that are accessible by other object files when
    linking together. These symbols are primarily non-static functions and non-static global data. The extern modifier marks a symbol as externally defined elsewhere but is accessible in the final executable binary, so an extern variable is also considered GLOBAL.
  • WEAK are symbols whose definitions can be redefined. Normally, a symbol with multiple definitions are reported as an error by a compiler. However, this constraint is lax when a definition is explicitly marked as weak, which means the default implementation can be replaced by a different definition at link time.
• Ndx is the index of a section that the symbol is in. Aside from fixed index numbers that represent section indexes, index has these special values:
  • ABS The index will not be changed by any symbol relocation.
  • COM The index refers to an unallocated common block.
  • UND The symbol is undefined in the current object file, which means the symbol depends on the actual definition in another file. Undefined symbols appears when the object file refers to symbols that are available at runtime, from shared library.
  • LORESERVE/HIRESERVE
    • LORESERVE is the lower boundary of the reserve indexes. Its value is 0xff00.
    • HIREVERSE is the upper boundary of the reserve indexes. Its value is 0xffff.The operating system reserves exclusive indexes between LORESERVE and HIRESERVE,which do not map to any actual section header.

8.To read the type of “STRTAB” section:
  STRTAB hold a table of null-terminated strings, called string table. The first and last byte of this section is always a NULL character. A string table section exists because a string can be reused by more than one section to represent symbol and section names, so a program like readelf or objdump can display various objects in a program, e.g. variable, functions, section names, in a human-readable text instead of its raw hex address.

albert$ readelf -S hello
There are 30 section headers, starting at offset 0x1178:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
…
[27] .shstrtab STRTAB 00000000 001072 000106 00 0 0 1
[29] .strtab STRTAB 00000000 001a78 000273 00 0 0 1

• .shstrtab holds all the section names.
• .strtab holds the symbols e.g. variable names, function names, struct
  names, etc., in a C program, but not fixed-size null-terminated C strings;
  the C strings are kept in .rodata section.

The output shows all the section names:

$readelf -p 27 hello

9.INIT_ARRAY/FINI_ARRAY type

albert$ readelf -a hello |grep “INIT_ARRAY”
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[18] .init_array INIT_ARRAY 08049f08 000f08 000004 00 WA 0 0 4
[19] .fini_array FINI_ARRAY 08049f0c 000f0c 000004 00 WA 0 0 4

• INIT_ARRAY is an array of function pointers for program initialization.When an application program runs, before getting to main(), initialization code in .init and this section are executed first. The first element in this array is an ignored function pointer.
• FINI_ARRAY is an array of function pointers for program termination,
  called after exiting main(). If the application terminate abnormally,
  such as through abort() call or a crash, the .finit_array is ignored.