ELF loading

Still under heavy construction

How is a binary executable organized? Let’s explore it!

http://www.cirosantilli.com/elf-hello-world/

Source code
    |
    | Compilation
    |
    v
Object file
    |
    | Linking
    |
    v
Executable

How ELF is loaded in memory
https://github.com/corkami/pics/blob/28cb0226093ed57b348723bc473cea0162dad366/binary/elf101/elf101.pdf

How does kernel get an executable binary file running under linux?
https://stackoverflow.com/a/31394861/8516247

How does the Linux kernel run a program
https://github.com/0xAX/linux-insides/blob/master/SysCall/syscall-4.md

Executable and Linkable Format (64-bit)
https://github.com/0xAX/linux-insides/blob/master/Theory/ELF.md

+--------------------+  <--- 0xFFFFFFFF  (= 4 GiB)
|    Kernel space    |
|                    |
|====================|  <--- 0xC0000000  (= 3 GiB) -- CONFIG_PAGE_OFFSET
|--------------------|  <--- Stack offset (random for security reasons)
| stack (grows down) |
|--------------------|
|                    |
|--------------------|  <--- random mmap offset
| memory mapping     |  <--- file mappings
|    (grows down)    |
|--------------------|
|                    |
//   free memory    //
|                    |
|--------------------|
|     (grows up)     |  <--- Runtime heap (malloc)
|   HEAP segment     |
|--------------------|  <--- Random brk offset
|--------------------|
|   BSS segment      |  <--- ELF uninitialized data
|--------------------|
|   Data segment     |  <--- ELF initialized data
|--------------------|
|   Text segment     |  <--- ELF code
|--------------------|  <--- 0x08048000 (32 bit) / 0x00400000 (64 bit)
|                    |
+--------------------+  <--- 0x00000000

from https://www.quora.com/On-Linux-why-does-the-text-segment-start-at-0x08048000-What-is-stored-below-that-address

Why does ELF default to 0x08048000? Likely because it borrowed that address from the System V i386 ABI.

Why then did System V use 0x08048000? Because, by placing the text segment at that address and the stack just below it (but above 0x08000000), a process could consume only a single second-level page table. In other words, you’ve got to pick a default, and that address offers a potential performance win, as minimizing page table footprint means optimizing TLB hit rate.

https://stackoverflow.com/a/14317855/8516247 (for 64 bit)

The start address is usually set by a linker script. For example, on GNU/Linux, looking at /usr/lib/ldscripts/elf_x86_64.x we see:

  PROVIDE (__executable_start = SEGMENT_START("text-segment", 0x400000));
  . = SEGMENT_START("text-segment", 0x400000) + SIZEOF_HEADERS;

The value 0x400000 is the default value for the SEGMENT_START() function on this platform.
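
An added example, not taken from any of the linked pages: the address chosen by the linker script ends up in the p_vaddr field of the PT_LOAD program headers, and for an ET_EXEC file that address is fixed at every run, while an ET_DYN (PIE) file stores offsets and gets its base chosen at load time. The helper names and the 128-byte sample images are constructed for illustration; only ELF64 little-endian is handled.

```python
import struct

PT_LOAD, ET_EXEC, ET_DYN = 1, 2, 3

def load_segments(image: bytes):
    """Return (e_type, e_entry, [(vaddr, filesz, memsz, flags), ...]) for an ELF64 LE image."""
    if image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only ELF64 little-endian handled here")
    # Elf64_Ehdr after e_ident: type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    (e_type, _, _, e_entry, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = struct.unpack_from("<HHIQQQIHHHHHH", image, 16)
    segs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(image):
            raise ValueError("program header table runs past end of file")
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        p_type, p_flags, p_offset, p_vaddr, _, p_filesz, p_memsz, _ = \
            struct.unpack_from("<IIQQQQQQ", image, off)
        if p_type == PT_LOAD:
            if p_filesz > p_memsz or p_offset + p_filesz > len(image):
                raise ValueError("inconsistent PT_LOAD sizes")
            segs.append((p_vaddr, p_filesz, p_memsz, p_flags))
    return e_type, e_entry, segs

def fixed_base(image: bytes):
    """Lowest PT_LOAD address for ET_EXEC; None for ET_DYN, whose base is picked at load time."""
    e_type, _, segs = load_segments(image)
    if e_type == ET_EXEC and segs:
        return min(v for v, *_ in segs)
    return None

def make_sample(e_type: int, vaddr: int) -> bytes:
    """Constructed image: ELF64 header, one R+X PT_LOAD, 8 placeholder code bytes."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, vaddr + 120, 64, 0,
                       0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, vaddr, vaddr, 128, 128, 0x1000)
    return ident + ehdr + phdr + b"\x90" * 8

if __name__ == "__main__":
    for name, img in (("ET_EXEC", make_sample(ET_EXEC, 0x400000)),
                      ("ET_DYN", make_sample(ET_DYN, 0))):
        base = fixed_base(img)
        print(name, hex(base) if base is not None else "base chosen at load time")
```

On a real binary, `readelf -h -l` shows the same fields: the Type line and the VirtAddr column of the LOAD entries.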

also https://stackoverflow.com/questions/18296276/base-address-of-elf

Anatomy of a Program in Memory
http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
https://gist.github.com/CMCDragonkai/10ab53654b2aa6ce55c11cfc5b2432a4

(nice memory map…)
https://www.quora.com/In-reference-to-Linux-Kernel-what-is-the-difference-between-high-memory-and-normal-memory

Object file
https://en.wikipedia.org/wiki/Object_file

text Segment (code segment)
https://en.wikipedia.org/wiki/Code_segment

data Segment
https://en.wikipedia.org/wiki/Data_segment

Memory Layout of C Programs
http://www.geeksforgeeks.org/memory-layout-of-c-program/

ELF
https://en.wikipedia.org/wiki/Executable_and_Linkable_Format

ELF Sections & Segments and Linux VMA Mappings
http://nairobi-embedded.org/040_elf_sec_seg_vma_mappings.html

ELF Support (tool-chain)
http://nairobi-embedded.org/category/elf-support.html

The ELF format - how programs look from the inside
https://greek0.net/elf.html

How statically linked programs run on Linux
http://eli.thegreenplace.net/2012/08/13/how-statically-linked-programs-run-on-linux/

How does the Linux kernel run a program
https://0xax.gitbooks.io/linux-insides/content/SysCall/syscall-4.html

What happens when you run a program?
https://stackoverflow.com/questions/1204078/what-happens-when-you-run-a-program

How does kernel get an executable binary file running under linux?
https://stackoverflow.com/questions/8352535/how-does-kernel-get-an-executable-binary-file-running-under-linux

Static, Shared Dynamic and Loadable Linux Libraries
http://www.yolinux.com/TUTORIALS/LibraryArchives-StaticAndDynamic.html

Which parts of an ELF executable get loaded into memory, and where?
https://unix.stackexchange.com/questions/70506/which-parts-of-an-elf-executable-get-loaded-into-memory-and-where

which part of ELF file must be loaded into the memory?
https://stackoverflow.com/questions/10417312/which-part-of-elf-file-must-be-loaded-into-the-memory

How programs get run
https://lwn.net/Articles/630727/

How programs get run: ELF binaries
https://lwn.net/Articles/631631/

readelf manpage
http://man.yolinux.com/cgi-bin/man2html?cgi_command=readelf