ELF Executable Analysis in Detail

In everyday, we run some kind of programs to handle our works. There are many type of programs, GUIs, CLIs, TUIs or so on. But at low level, there are two kind of program formats: PE (Portable Executable) for Windows and ELF (Executable and Linkable Format) for Linux. In this tutorial, I will explain the ELF executables in detail. Firstly, let's start with the overall layout: As you see, an ELF executable consists of four layers: Executable Header Program Headers Sections Section Headers Executable Header Every ELF file starts with an executable header , which is just a structured series of bytes telling you that it's an ELF file, what kind of ELF file it is, and where in the file to find all the other contents. It's defined as follow in /usr/include/elf.h: In here: e_ident : The executable header starts with a 16-byte array. First 4-byte, magic value, identifying the file as an ELF binary. e_type : The type of the executable. For example REL means relocatable object file, EXEC means e