How to Use the 'readelf' Command (with examples)
- Linux
- December 17, 2024
The readelf command is a powerful utility in Unix-based systems designed to display information about ELF (Executable and Linkable Format) files. ELF is a common standard file format for executables, object code, shared libraries, and core dumps in Unix-like operating systems. By using readelf, developers and system administrators can dissect and analyze these ELF files, gaining insights into their structure and contents. This command is particularly useful for debugging, development, and system auditing tasks.
Display All Information About the ELF File
Code:
readelf --all path/to/binary
Motivation:
The command readelf --all path/to/binary is used when you need a comprehensive overview of an ELF file. If you’re debugging or conducting an in-depth analysis, seeing every aspect of the ELF file helps you understand how the file is structured, what components it comprises, and how it’s supposed to function within the system.
Explanation:
- readelf: This is the command used to read and interpret ELF files.
- --all: This option tells readelf to display all available information about the ELF file. It is a comprehensive switch that encompasses all the various sections and elements of the ELF file.
Example Output:
ELF Header:
  Magic:       7f 45 4c 46 ...
  Class:       ELF64
  Data:        2's complement, little endian
  Version:     1 (current)
  OS/ABI:      UNIX - System V
  ABI Version: 0
  Type:        DYN (Shared object file)
  Machine:     Advanced Micro Devices X86-64
  ...
Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0] .interp           PROGBITS         0000000000000258  00000258
       000000000000001c  0000000000000000   A       0     0     1
  ...
Display All the Headers Present in the ELF File
Code:
readelf --headers path/to/binary
Motivation:
Sometimes you only need the file headers to gain insight into the ELF file’s organization without the clutter of additional information from sections and segments. The --headers option is ideal for quickly checking the structural metadata of an ELF file to ensure it’s correctly formatted or to identify specific headers for closer examination.
Explanation:
- readelf: The command to interpret ELF files.
- --headers: This option provides a unified view of both the ELF header and the program header table, offering an overview of the executable image layout.
Example Output:
ELF Header:
  Magic:       7f 45 4c 46 ...
  Class:       ELF64
  ...
Program Headers:
  Type           Offset     VirtAddr   PhysAddr
                 FileSiz    MemSiz     Flags  Align
  PHDR           0x00000040 0x00400040 0x00400040
                 0x00000038 0x00000038 R E    8
  ...
Display the Entries in Symbol Table Section of the ELF File
Code:
readelf --symbols path/to/binary
Motivation:
When you’re debugging or optimizing, understanding where and how symbols are used in your ELF file can be crucial. Symbols represent functions or variables found within the source code. Using --symbols can help you see all the symbols defined in the symbol table, which can aid in static analysis or when you’re trying to match symbols to specific code definitions.
Explanation:
- readelf: The command to access ELF files.
- --symbols: This option specifically extracts and displays entries from the ELF file’s symbol table, showing names, addresses, and other attributes associated with each symbol.
Example Output:
Symbol table '.symtab' contains 64 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000004003c8     0 SECTION LOCAL  DEFAULT    1
     2: 00000000004003e8     0 SECTION LOCAL  DEFAULT    2
   ...
Display ELF Header Information
Code:
readelf --file-header path/to/binary
Motivation:
If you’re interested in the fundamental metadata about the ELF file, the --file-header option provides essential information such as the file type, machine architecture, entry point address, and other vital startup information. This data is particularly useful for verifying the target platform compatibility and confirming the nature of the ELF file.
Explanation:
- readelf: Accesses the ELF file to provide detailed insights.
- --file-header: Displays the ELF file header, which includes basic details about the file type and architecture.
Example Output:
ELF Header:
  Magic:       7f 45 4c 46 ...
  Class:       ELF64
  Data:        2's complement, little endian
  Version:     1 (current)
  OS/ABI:      UNIX - System V
  ABI Version: 0
  Type:        EXEC (Executable file)
  Machine:     Advanced Micro Devices X86-64
  ...
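The fields in this header output come from the first 52 or 64 bytes of the file, so they can be decoded without readelf when triaging an untrusted binary. The following Python parser is an added example, not part of the original article or of readelf itself; the names parse_elf_header and SAMPLE are assumptions, the sample header bytes are constructed, and it goes slightly beyond the x86-64 case shown above by handling ELF32 and big-endian files.

```python
import struct

# Name tables limited to a few common values; unknown codes are shown numerically.
EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "2's complement, little endian", 2: "2's complement, big endian"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "Advanced Micro Devices X86-64", 183: "AArch64"}

def parse_elf_header(data: bytes) -> dict:
    """Decode the main fields `readelf --file-header` reports, rejecting malformed input."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("bad magic: not an ELF file")
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in EI_CLASS or ei_data not in EI_DATA:
        raise ValueError("invalid EI_CLASS or EI_DATA byte")
    # Address-sized fields are 4 bytes in ELF32 and 8 in ELF64; byte order follows EI_DATA.
    word = "I" if ei_class == 1 else "Q"
    fmt = ("<" if ei_data == 1 else ">") + "HHI" + word * 3 + "IHHHHHH"
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    (e_type, e_machine, _ver, e_entry, e_phoff, e_shoff, _flags, e_ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(fmt, data, 16)
    return {
        "Class": EI_CLASS[ei_class],
        "Data": EI_DATA[ei_data],
        "Version": ei_version,
        "Type": E_TYPE.get(e_type, hex(e_type)),
        "Machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "Entry": e_entry,
        "ProgramHeaders": (e_phnum, e_phoff),   # (count, file offset)
        "SectionHeaders": (e_shnum, e_shoff),   # (count, file offset)
        "HeaderSize": e_ehsize,
    }

# Constructed 64-byte ELF64 header (not from a real binary): EXEC, x86-64, entry 0x401000.
SAMPLE = (b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)
          + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0))

if __name__ == "__main__":
    for name, value in parse_elf_header(SAMPLE).items():
        print(f"{name}: {value}")
```

To check a real file, pass its first 64 bytes, for example parse_elf_header(open("path/to/binary", "rb").read(64)), and compare the result with the readelf --file-header output.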
Display ELF Section Header Information
Code:
readelf --section-headers path/to/binary
Motivation:
Each ELF file consists of sections, and understanding these sections can be key to knowing how data and code are organized. The --section-headers option is used for viewing the section headers, which include information about individual sections like their size, type, and location within the file. This is valuable when you want to analyze the nature of each section or trace errors in specific parts of the file.
Explanation:
- readelf: The command for accessing ELF data.
- --section-headers: This option extracts and displays information about the file’s sections, including each section’s offset, address, size, and name.
Example Output:
Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0] .interp           PROGBITS         0000000000000258  00000258
       000000000000001c  0000000000000000   A       0     0     1
  [ 1] .note.ABI-tag     NOTE             0000000000000274  00000274
       0000000000000020  0000000000000000   A       0     0     4
  ...
Conclusion
The readelf command offers critical insight into ELF files by providing a variety of ways to scrutinize their structure and contents. Whether you’re assessing the overall file integrity, diving into symbol tables, or inspecting specific headers, readelf is an indispensable tool for developers and analysts working with UNIX-based systems. Through these examples, you should have a better understanding of how to leverage readelf for comprehensive binary analysis.