/*
 * One entry of the section header table of a 32-bit ELF file.
 * NOTE(review): every value here comes straight from the file being analysed;
 * a parser should check sh_offset, sh_size and the index fields (sh_name,
 * sh_link) against the actual file before using them.
 */
typedef struct{
    Elf32_Word sh_name;      // Section name: an index into the section header string table section; the name itself is a NUL-terminated string.
    Elf32_Word sh_type;      // Section type.
    Elf32_Word sh_flags;     // Section flags.
    Elf32_Addr sh_addr;      // If the section will appear in the process memory image, the address at which its first byte should reside; otherwise 0.
    Elf32_Off sh_offset;     // Offset from the beginning of the file to the first byte of the section.
    Elf32_Word sh_size;      // Length of the section in bytes.
    Elf32_Word sh_link;      // Section header table index link; its interpretation depends on the section type.
    Elf32_Word sh_info;      // Extra information; its interpretation depends on the section type.
    Elf32_Word sh_addralign; // Address alignment constraint, which some sections carry.
    Elf32_Word sh_entsize;   // For sections that hold fixed-size entries (e.g. a symbol table), the size in bytes of each entry.
}Elf32_Shdr;
readelf是Linux下用于分析ELF文件的命令,在分析ELF文件格式时非常有用。在提取so文件的特征时我们也用到了这个工具。
你可以在这里下载到:http://download.csdn.net/detail/grace_0642/8562495 (readelf 属于 GNU binutils,大多数 Linux 发行版也可以直接通过包管理器安装)
下面在这里简单介绍一下它的用法:
1.显示ELF Header文件头信息
readelf -h file
===================================
2. 查看文件的程序头表信息
readelf -l file (选项是小写字母 l,即 --program-headers)
===================================
3. 显示文件的节信息
readelf -S file
====================================
4.显示 Dynamic Section 信息
readelf -d file
==================================
1.awk的用法
你可以参考这篇文章,写的很好 链接:http://coolshell.cn/articles/9070.html
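'''
@Author   : Chicho
@Date     : 2014-12-5
@Function : elf parser
@Running  : python ELF_Extract.py /path/to/so
'''
import os
import subprocess
import sys

if len(sys.argv) < 2:
    print("*Usage : python ELF_Extract.py /path/to/so")
else:
    path = sys.argv[1]
    fileList = os.listdir(path)
    # The extractor script is started as ./moreelf_finefeatures_extract.sh and
    # each library is handed over by bare file name, so this is meant to be run
    # from inside the directory that holds the .so files (with readelf and the
    # extractor script placed there as well).
    for filename in fileList:
        portion = os.path.splitext(filename)
        # find the .so file
        if portion[1] == ".so":
            # File names of analysed samples are untrusted input: pass them as
            # one argv element instead of splicing them into a shell command
            # line, and prefix "./" so a name that starts with '-' is not read
            # as an option by the tools further down.
            target = os.path.join(os.curdir, filename)
            subprocess.call(["./moreelf_finefeatures_extract.sh", target])

# print() with a single argument works under both Python 2 and Python 3.
print("The end")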
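#!/bin/bash
# Extract header, dynamic-section, symbol and relocation figures from one
# shared object with readelf and append them as a single space-separated row
# to more_finefeatures_result.txt.
#
# Usage: <this script> /path/to/libXXX.so

if [ $# -lt 1 ]; then
    echo "Usage: $0 /path/to/libXXX.so"
    exit 1
fi

INPUT=$1
# The file name comes from the sample set and is untrusted: a name that begins
# with '-' would otherwise be parsed by readelf as an option.
case "$INPUT" in
    -*) INPUT="./$INPUT" ;;
esac

READELF=./readelf

# Run every readelf mode once and reuse its output. All expansions are quoted
# so that spaces or glob characters in the file name stay one argument.
header_info=$("$READELF" -h "$INPUT")
dynamic_info=$("$READELF" -d "$INPUT")
symbol_info=$("$READELF" -s "$INPUT")
reloc_info=$("$READELF" -r "$INPUT")

# pick TEXT LINE_PATTERN VALUE_REGEX
# Print, from the lines of TEXT containing LINE_PATTERN, the parts that match
# VALUE_REGEX (grep -E replaces the deprecated egrep).
pick() {
    printf '%s\n' "$1" | grep -- "$2" | grep -Eo -- "$3"
}

entry_point_addr=$(pick "$header_info" "Entry point address:" "0x[0-9A-Za-z]*")
start_section_headers=$(pick "$header_info" "Start of section headers:" "[0-9]*")
num_programs=$(pick "$header_info" "Number of program headers:" "[0-9]*")
size_section_headers=$(pick "$header_info" "Size of section headers:" "[0-9]*")
num_section_headers=$(pick "$header_info" "Number of section headers:" "[0-9]*")
string_table_index=$(pick "$header_info" "Section header string table index:" "[0-9]*")
dynamic_section=$(pick "$dynamic_info" "Dynamic section at" "[0-9]* entries" | grep -Eo "[0-9]*")
dynsym_entries=$(pick "$symbol_info" "Symbol table '.dynsym' contains" "[0-9]*")
num_rel_dyn=$(pick "$reloc_info" "Relocation section '.rel.dyn' at" "[0-9]* entries" | grep -Eo "[0-9]*")
num_rel_plt=$(pick "$reloc_info" "Relocation section '.rel.plt' at" "[0-9]* entries" | grep -Eo "[0-9]*")

# The expansions below are left unquoted on purpose, to keep the row format of
# the existing result file: a value that readelf did not report is dropped, so
# such a row has fewer columns. $label is never assigned in this script; it is
# empty unless it is inherited from the environment.
echo $entry_point_addr $start_section_headers $num_programs $size_section_headers $num_section_headers $string_table_index $dynamic_section $dynsym_entries $num_rel_dyn $num_rel_plt $label>> more_finefeatures_result.txt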
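#!/bin/bash
# Extract header, dynamic-section, symbol and relocation figures from one
# shared object with readelf, derive a label from the library's file name and
# append everything as a single space-separated row to
# more_finefeatures_result.txt.
#
# Usage: <this script> /path/to/libXXX.so

if [ $# -lt 1 ]; then
    echo "Usage: $0 /path/to/libXXX.so"
    exit 1
fi

INPUT=$1
# The file name comes from the sample set and is untrusted: a name that begins
# with '-' would otherwise be parsed by readelf as an option.
case "$INPUT" in
    -*) INPUT="./$INPUT" ;;
esac

READELF=./readelf

# Run every readelf mode once and reuse its output. All expansions are quoted
# so that spaces or glob characters in the file name stay one argument.
header_info=$("$READELF" -h "$INPUT")
dynamic_info=$("$READELF" -d "$INPUT")
symbol_info=$("$READELF" -s "$INPUT")
reloc_info=$("$READELF" -r "$INPUT")

# pick TEXT LINE_PATTERN VALUE_REGEX
# Print, from the lines of TEXT containing LINE_PATTERN, the parts that match
# VALUE_REGEX (grep -E replaces the deprecated egrep).
pick() {
    printf '%s\n' "$1" | grep -- "$2" | grep -Eo -- "$3"
}

entry_point_addr=$(pick "$header_info" "Entry point address:" "0x[0-9A-Za-z]*")
start_section_headers=$(pick "$header_info" "Start of section headers:" "[0-9]*")
num_programs=$(pick "$header_info" "Number of program headers:" "[0-9]*")
size_section_headers=$(pick "$header_info" "Size of section headers:" "[0-9]*")
num_section_headers=$(pick "$header_info" "Number of section headers:" "[0-9]*")
string_table_index=$(pick "$header_info" "Section header string table index:" "[0-9]*")
dynamic_section=$(pick "$dynamic_info" "Dynamic section at" "[0-9]* entries" | grep -Eo "[0-9]*")
dynsym_entries=$(pick "$symbol_info" "Symbol table '.dynsym' contains" "[0-9]*")
num_rel_dyn=$(pick "$reloc_info" "Relocation section '.rel.dyn' at" "[0-9]* entries" | grep -Eo "[0-9]*")
num_rel_plt=$(pick "$reloc_info" "Relocation section '.rel.plt' at" "[0-9]* entries" | grep -Eo "[0-9]*")

# Choose the label from the file name only. The earlier form,
# [[ "$1" =~ "libexec"* ]], was a regex in which '*' merely repeated the last
# letter, and it was matched against the whole path, so a directory component
# such as /usr/libexec could pick a label. The order matters: libexecmain has
# to be tested before libexec.
name=${INPUT##*/}
case "$name" in
    *libsecmain*)     label="Bangcle1" ;;
    *libsecexe*)      label="Bangcle2" ;;
    *libtup*)         label="Tencent" ;;
    *libprotectClass*) label="Qihoo" ;;
    *libexecmain*)    label="ijiami1" ;;
    *libexec*)        label="ijiami2" ;;
    *libapkprotect*)  label="APKProtect1" ;;
    *libcube-jni*)    label="APKProtect2" ;;
    *libminimapv320*) label="APKProtect3" ;;
    *libswiperctrl*)  label="APKProtect4" ;;
    # Spelling kept byte-for-byte so new rows stay consistent with rows that
    # were written earlier.
    *)                label="unknow" ;;
esac

# The expansions below are left unquoted on purpose, to keep the row format of
# the existing result file: a value that readelf did not report is dropped, so
# such a row has fewer columns and the label moves left.
echo $entry_point_addr $start_section_headers $num_programs $size_section_headers $num_section_headers $string_table_index $dynamic_section $dynsym_entries $num_rel_dyn $num_rel_plt $label>> more_finefeatures_result.txt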
原文:http://blog.csdn.net/chichoxian/article/details/44859439