Jiwon

Reputation: 1218

In an ELF binary, is there any simple method to get the memory address from an offset?

In an ELF binary, assume that I know an offset into the binary.
In that case, how can I find the virtual address of the region at that offset?
In more detail, here is a binary, my_binary
...and I found the data "the_key_string" at offset 0x204 in the binary.
In this case, 0x204 is mapped at 0x0804204 when it is loaded into memory.

Question:
What is the simplest way to get the address 0x0804204 from 0x204?
Could you recommend any useful shortcut in tools (010editor or hxd..)
...or can I do this with a combination of objdump commands?

Upvotes: 3

Views: 2888

Answers (1)

Florian Weimer

Reputation: 33747

ELF programs have a program header, which lists PT_LOAD segments (struct Elf32_Phdr or struct Elf64_Phdr). These have both a file offset and length (p_offset and p_filesz members) and a virtual address and length (p_vaddr and p_memsz). The point is that the region identified by the file offset and length becomes available at run time at the specified virtual address. The virtual address is relative to the base address of the object in memory.

You can view the program headers using readelf -l:

Elf file type is DYN (Shared object file)
Entry point 0x1670
There are 9 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  PHDR           0x0000000000000040 0x0000000000000040 0x0000000000000040
                 0x00000000000001f8 0x00000000000001f8  R E    0x8
  INTERP         0x0000000000000238 0x0000000000000238 0x0000000000000238
                 0x000000000000001c 0x000000000000001c  R      0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x000000000000627c 0x000000000000627c  R E    0x200000
  LOAD           0x0000000000006d68 0x0000000000206d68 0x0000000000206d68
                 0x00000000000004b8 0x0000000000000658  RW     0x200000
…

In this case, there are two load segments, one readable and executable (the program code), and one readable and writable (data and relocations).

Not all parts of the binary are covered by PT_LOAD segments and thus mapped by the loader at run time. If the data is in an unallocated section, it will just not be in memory (unless you read it from disk by other means).

But if the data is allocated, then it will fall into one of the load segments, and once you have the base address, you can use the information in the load segment to compute the virtual address from the file offset.

Upvotes: 3
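
The computation the answer describes, as an added example that is not part of the original answer or its author's code: it walks the program headers, finds the PT_LOAD segment covering a file offset, and returns base + p_vaddr + (offset - p_offset). The function names and the `base` parameter are hypothetical, and `sample_elf()` is a constructed header holding only the two LOAD entries from the readelf output above.

```python
import struct

PT_LOAD = 1

def load_segments(elf: bytes):
    """Return (p_offset, p_vaddr, p_filesz) for every PT_LOAD program header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    segs = []
    for i in range(phnum):
        pos = phoff + i * phentsize
        if is64:   # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, _, off, vaddr, _, filesz = struct.unpack_from(end + "IIQQQQ", elf, pos)
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz
            p_type, off, vaddr, _, filesz = struct.unpack_from(end + "IIIII", elf, pos)
        if p_type == PT_LOAD:
            segs.append((off, vaddr, filesz))
    return segs

def offset_to_vaddr(elf: bytes, file_offset: int, base: int = 0):
    """Map a file offset to a virtual address, or None if no PT_LOAD covers it."""
    for off, vaddr, filesz in load_segments(elf):
        if off <= file_offset < off + filesz:   # only file-backed bytes have an offset
            return base + vaddr + (file_offset - off)
    return None

def sample_elf() -> bytes:
    """Constructed ELF64 header with the two LOAD entries from the readelf output."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1670, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load1 = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0x0, 0x0, 0x0, 0x627c, 0x627c, 0x200000)
    load2 = struct.pack("<IIQQQQQQ", PT_LOAD, 6, 0x6d68, 0x206d68, 0x206d68, 0x4b8, 0x658, 0x200000)
    return ehdr + load1 + load2

if __name__ == "__main__":
    elf = sample_elf()
    for o in (0x204, 0x6d70, 0x6300):
        va = offset_to_vaddr(elf, o)
        print(hex(o), "->", hex(va) if va is not None else "not mapped")
```

For a real file, pass `open(path, "rb").read()` instead of `sample_elf()`; for a DYN object, `base` is the load address the object received at run time.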
