readelf Command in Linux

Introduction to readelf on Linux

In this hands-on lab, you'll explore the Linux readelf command and its practical uses in system administration. readelf is the standard tool for examining ELF (Executable and Linkable Format) files, the binary format that Linux and other Unix-like systems use for executables, shared libraries, object files and core dumps. The lab covers readelf's core functionality so that you can read ELF file headers, program headers and sections with confidence. Mastering this tool sharpens your skills in debugging, reverse engineering and understanding how binaries are laid out.

Understanding the Role and Functionality of the readelf Command

This section covers the purpose and functionality of the readelf command in a Linux environment, which every system administrator should understand. readelf gives a detailed view of ELF (Executable and Linkable Format) files, the binary format used for executables, shared libraries, object files and core dumps on Linux and related operating systems.

readelf reports everything the file header, section headers, program headers, symbol tables, dynamic section and relocations contain. That level of detail is what you need when debugging software, reverse engineering compiled code, or learning how binaries are structured. For a system administrator the same information answers practical questions: which shared libraries a program needs, whether it was built with mitigations such as PIE and a non-executable stack, and whether it searches an RPATH that a local user could write to.

Let's begin by examining the fundamental usage of the readelf command:

readelf -h /bin/ls

Example output:

ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x4047e0
  Start of program headers:          64 (bytes into file)
  Start of section headers:          6472 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         28
  Section header string table index: 27

The output is an overview of the ELF file header: file class and byte order, file type, target architecture, entry point, and the location and size of the program and section header tables. From these fields you can tell at a glance whether a binary matches the host (Class, Data and Machine) and whether it is a fixed-address executable (Type EXEC) or a position-independent one (Type DYN). The values shown here are illustrative; the exact offsets and entry point will differ on your system.

In the next section we look at the options readelf offers and what each of them shows.

Mastering the Basic Usage of the readelf Command

This section covers the fundamental usage of readelf and shows how to pull different kinds of information out of an ELF file. As a system administrator you will use these options for dependency troubleshooting, security review and debugging.

Let's begin by exploring the basic options available with the readelf command:

readelf --help

This command displays the full list of options with a short description of each. The ones used most often are:

  • -h (--file-header): displays the ELF file header: class, byte order, file type, target machine, entry point, and the location and size of the program and section header tables.
  • -S (--section-headers): displays the section headers, the link-time view of the file (.text, .data, .bss, .got and so on). The Flags column shows which sections are allocated in memory (A), writable (W) and executable (X).
  • -l (--program-headers): displays the program headers, also called segments, the load-time view that the kernel and the dynamic loader use. This includes GNU_STACK (stack permissions) and GNU_RELRO, plus the mapping of sections to segments.
  • -s (--symbols): displays the symbol tables (.symtab and .dynsym). A stripped binary keeps only .dynsym, so imported and exported functions stay visible even when local symbols are gone.
  • -d (--dynamic): displays the dynamic section: the shared libraries the binary needs (NEEDED), its RPATH or RUNPATH search paths, and flags such as BIND_NOW.
  • -r (--relocs): displays the relocation entries, which show how addresses are patched at link time and by the dynamic loader at run time.
  • -W (--wide): keeps each entry on a single line instead of wrapping it; combine it with the options above whenever you pipe the output into grep or awk.

Now, let's apply some of these options to a sample ELF file, such as the /bin/ls binary:

readelf -S /bin/ls

Example output:

There are 28 section headers, starting at offset 0x1948:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .interp           PROGBITS         0000000000400238  00000238
       000000000000001c  0000000000000000   A       0     0     1
  [ 2] .note.gnu.build-i NOTE             0000000000400254  00000254
       0000000000000024  0000000000000000   A       0     0     4
  ...

This command lists the section headers of /bin/ls: each section's name, type, virtual address, file offset, size and flags. Read the Flags column first: A marks sections that are mapped at run time, W those that are writable and X those that are executable, so a section carrying both W and X is the first thing to question during a security review.

You can also utilize the readelf command to display other information, such as program headers, the dynamic section, and the symbol table. Try the following commands:

readelf -l /bin/ls
readelf -d /bin/ls
readelf -s /bin/ls

Examine the output of each command. The program headers (-l) show the segments the kernel actually maps, including the GNU_STACK entry whose flags decide whether the stack is executable; the dynamic section (-d) lists the shared libraries the binary needs (NEEDED) and any RPATH or RUNPATH it searches before the system paths; the symbol table (-s) shows the functions the binary defines and imports, which survive in .dynsym even after stripping. This knowledge is invaluable for debugging, performance analysis and security auditing.
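As an added example (not part of the original lab), the following POSIX shell script combines the options above into a small hardening check of the kind a checksec tool performs: it reads the file type from -h, the GNU_STACK and GNU_RELRO segments from -l, BIND_NOW and RPATH/RUNPATH from -d, and the stack-protector symbol from -s. It assumes GNU binutils readelf and relies on -W so that each entry stays on one line; the function name elf_hardening and the report format are my own.

```sh
#!/bin/sh
# Added example, not part of the original lab: summarise the exploit mitigations
# of one ELF binary from readelf output alone (the checks a checksec tool performs).
# Assumes GNU binutils readelf; -W keeps each entry on one line for grep/sed.

elf_hardening() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }

    # PIE: readelf -h reports Type DYN for position-independent code (older
    # versions print "DYN (Shared object file)", newer ones "DYN (Position-
    # Independent Executable file)") and EXEC for a fixed-address binary that
    # ASLR cannot relocate. A shared library also shows DYN, so read this
    # together with the presence of an INTERP program header.
    case "$(readelf -h "$f" 2>/dev/null | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p')" in
        DYN)  pie=yes ;;
        EXEC) pie=no ;;
        *)    pie=unknown ;;
    esac

    # NX: the GNU_STACK program header carries the stack permissions; RWE means
    # an executable stack, RW a non-executable one. No GNU_STACK at all leaves
    # the decision to the kernel default, which on some architectures and older
    # kernels is an executable stack.
    stack_line=$(readelf -lW "$f" 2>/dev/null | grep '^ *GNU_STACK' || true)
    case "$stack_line" in
        "")    nx=no-gnu-stack ;;
        *RWE*) nx=no ;;
        *)     nx=yes ;;
    esac

    # RELRO: a GNU_RELRO segment is made read-only after relocation (partial
    # RELRO); with BIND_NOW in the dynamic section every symbol is resolved at
    # load time, so the GOT can be covered as well (full RELRO).
    if readelf -lW "$f" 2>/dev/null | grep -q '^ *GNU_RELRO'; then
        if readelf -dW "$f" 2>/dev/null |
           grep -qE '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
            relro=full
        else
            relro=partial
        fi
    else
        relro=none
    fi

    # Stack canary: code built with -fstack-protector calls __stack_chk_fail,
    # which stays in the dynamic symbol table even when the binary is stripped.
    if readelf -sW "$f" 2>/dev/null | grep -q '__stack_chk_fail'; then
        canary=yes
    else
        canary=no
    fi

    # RPATH/RUNPATH: extra library search paths honoured by the loader; a
    # writable directory here lets a local user plant a library the binary loads.
    rpath=$(readelf -dW "$f" 2>/dev/null |
        sed -nE 's/.*\((RPATH|RUNPATH)\) +Library r[a-z]*path: \[(.*)\]/\1=\2/p')
    [ -n "$rpath" ] || rpath=none

    printf '%s\n  PIE: %s\n  NX: %s\n  RELRO: %s\n  Canary: %s\n  RPATH: %s\n' \
        "$f" "$pie" "$nx" "$relro" "$canary" "$rpath"
}

# Stand-alone use: sh elf_hardening.sh [FILE]; defaults to /bin/ls as in the lab.
elf_hardening "${1:-/bin/ls}"
```

On a current distribution /bin/ls should report PIE yes, NX yes, full RELRO and a canary; a binary that reports EXEC, an RWE stack or an RPATH pointing at a user-writable directory is the one to look at first. Each check is only as good as the readelf output it parses, so run it with -W and keep the patterns anchored to the field names as above.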

Deep Dive: Analyzing ELF File Headers and Sections Using readelf

This section uses readelf for a detailed analysis of ELF headers and sections, a skill a system administrator needs for advanced troubleshooting and security review.

Let's start by examining the ELF file header of the /bin/ls binary:

readelf -h /bin/ls

The output is the same ELF header shown in the first section, so it is not repeated here. Read it field by field:

  • Class, Data and Machine: ELF64, two's complement little-endian, x86-64. A binary that fails with "Exec format error" usually differs from the host in one of these three fields.
  • Type: EXEC means a fixed-address executable, as in the example. Its code sits at a known address, so an attacker needs no information leak to locate gadgets in it. Most current distributions build /bin/ls as a position-independent executable instead, which shows as DYN here (older readelf versions print "DYN (Shared object file)", newer ones "DYN (Position-Independent Executable file)") together with a small entry point that is an offset from a load base the loader chooses.
  • Entry point address: the first instruction executed once the loader is done (normally _start, not main).
  • Start, size and number of program and section headers: these six values describe two tables at fixed offsets in the file. If start plus size times number exceeds the file size, the file is truncated or has been tampered with, even though readelf -h itself still prints a plausible header.
  • Section header string table index: the section that holds the names printed by -S; an out-of-range index is a common sign of a damaged file.

Compare the header against the file's size, and the file against a known-good copy from the package, before trusting anything else readelf reports about it.

Next, let's explore the sections of the ELF file:

readelf -S /bin/ls

The section headers are the same as in the previous section and are not repeated here. Reading them with security in mind:

  • Name and Type say what a section holds: .interp (PROGBITS) names the dynamic loader the kernel must start; .note.gnu.build-id (NOTE) carries the build ID that ties a binary to its debug symbols and to the package it shipped in, which is how you confirm that an on-disk file is the build you expect; .text, .data and .bss hold code, initialised data and zero-filled data.
  • Address is where the section lands in memory (0 for sections that are never loaded), Offset where it sits in the file. In a non-PIE binary the addresses are absolute; in a PIE they are offsets from a load base chosen at run time.
  • Flags are the permissions the section needs: A (allocated in memory), W (writable), X (executable). A section flagged WAX, writable and executable at the same time, breaks the W^X separation that makes memory-corruption bugs harder to exploit and deserves a closer look.
  • Link and Info connect related sections, for example a symbol table to the string table that holds its names.

Section headers describe layout, not behaviour. They will not reveal a buffer overflow, but they tell you whether an overflowed buffer could land in memory the process is allowed to execute, and they are the first thing to diff when a binary is suspected of having been modified. Note that the kernel does not read section headers at all; it maps the file by its program headers (readelf -l), so a binary with missing or corrupted section headers still runs.

For a combined view, use readelf -e (--headers), which prints the file header, program headers and section headers in one run, the same as -h -l -S. It does not include the symbol table; readelf -a (--all) adds the symbols, relocations, dynamic section, notes and more:

readelf -e /bin/ls

Append -W to any of these commands to keep each entry on one line, which matters once you pipe the output into grep or awk. Together these views give you a complete picture of an ELF file for in-depth analysis of program behaviour, security auditing and reverse engineering.
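The offsets and counts in the file header can be cross-checked against the file's real size, which turns the "identify corruption" idea above into a concrete test. The following script is an added example, not part of the original lab: it reads those fields from readelf -h, computes where each header table ends, and reports a file whose tables fall past the end, which is what a truncated download or a tampered binary typically looks like. It assumes GNU binutils readelf and a POSIX shell; the function names hdr_field and elf_header_sanity are my own.

```sh
#!/bin/sh
# Added example, not part of the original lab: cross-check the header-table
# offsets and counts printed by readelf -h against the real file size. A truncated
# or tampered binary often keeps a plausible ELF header whose tables no longer
# exist. Assumes GNU binutils readelf; file sizes come from wc -c for portability.

# hdr_field FILE LABEL: print the first integer after "LABEL:" in readelf -h output
hdr_field() {
    readelf -h "$1" 2>/dev/null | sed -n "s/^ *$2: *\([0-9]*\).*/\1/p"
}

# elf_header_sanity FILE: return 0 if both header tables lie inside the file,
# 1 if either runs past its end (or readelf cannot parse the header at all)
elf_header_sanity() {
    f="$1"
    size=$(wc -c < "$f" | tr -d ' ')
    phoff=$(hdr_field "$f" "Start of program headers")
    phentsize=$(hdr_field "$f" "Size of program headers")
    phnum=$(hdr_field "$f" "Number of program headers")
    shoff=$(hdr_field "$f" "Start of section headers")
    shentsize=$(hdr_field "$f" "Size of section headers")
    shnum=$(hdr_field "$f" "Number of section headers")

    if [ -z "$phoff" ] || [ -z "$shoff" ]; then
        echo "$f: readelf could not parse the ELF header" >&2
        return 1
    fi

    # end offset of each table = start + entry size * entry count
    ph_end=$((phoff + phentsize * phnum))
    sh_end=$((shoff + shentsize * shnum))

    rc=0
    if [ "$ph_end" -gt "$size" ]; then
        echo "$f: program header table ends at byte $ph_end, file is $size bytes" >&2
        rc=1
    fi
    if [ "$sh_end" -gt "$size" ]; then
        echo "$f: section header table ends at byte $sh_end, file is $size bytes" >&2
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$f: program headers end at $ph_end, section headers end at $sh_end, file size $size: OK"
    fi
    return "$rc"
}

# Stand-alone use: sh elf_header_sanity.sh [FILE]; defaults to /bin/ls as in the lab.
elf_header_sanity "${1:-/bin/ls}"
```

Run it against a copy of a binary cut short with head -c 4096 and it reports the section header table as out of range and exits 1, while the intact file exits 0. readelf itself usually warns about such a file, but a check that keys on an exit status is easier to run across a fleet or in a package-verification job.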

Summary: Mastering readelf for System Administration

In this lab you learned what the readelf command is for and how to use it. readelf is the standard tool for analysing ELF (Executable and Linkable Format) files, the binary format for executables, shared libraries and object files on Linux and Unix-like systems. You explored its basic options and learned how to read ELF file headers, program headers and sections, and what each field says about how a binary is loaded and how well it is hardened. This knowledge supports debugging, reverse engineering and security review, and makes you a more effective system administrator.
