How can I examine contents of a data section of an ELF file on Linux?

Question

I've been using objdump to look at assembly code in Linux ELF binaries.

Sometimes there is an indirect jump through a jump table that is stored in the rodata (read-only data) section.

How to get objdump or any other tool to show me the contents of this data section?

I could execute the program and examine the relevant addresses in the debugger, but I don't want to do that because it has to be done interactively.

The ideal answer will identify a tool that will not only show me the contents but will let me control the display format, much as od does.

score 127 · Accepted Answer · edited Oct 22 '15 at 09:09

127

objdump -s -j .rodata exefile

gives a side-by-side hex/printable ASCII dump of the contents of the rodata section like:

Contents of section .rodata:
 0000 67452301 efcdab89 67452301 efcdab89  gE#.....gE#.....
 0010 64636261 68676665 64636261 68676665  dcbahgfedcbahgfe

It doesn't look like there's anything in there to control formatting, but it's a start. You could always undump the hex and feed it to od, I suppose :)

edited Oct 22 '15 at 09:09

Ciro Santilli OurBigBook.com

347,512
102
1,199
985

answered Nov 06 '09 at 04:58

hobbs

223,387
19
210
288

3

How can you get the data dumped in binary format from an ELF section? Something like objdump -s -j -binary
would be great.
– Bogatyr Oct 26 '12 at 09:42
@Bogatyr: cf. my answer. – ysdx Aug 21 '15 at 11:18

score 47 · Answer 2 · edited May 23 '17 at 12:34

readelf -x .rodata hello_world.o

gives:

Hex dump of section '.rodata':
  0x00000000 48656c6c 6f20776f 726c6421 0a       Hello world!.

You should prefer readelf when possible since objdump simply does not show some sections like .symtab: Why does objdump not show .bss, .shstratab, .symtab and .strtab sections?

You can also extract the raw bytes with the techniques mentioned at: How do you extract only the contents of an ELF section and as mentioned by ysdx.

score 20 · Answer 3 · edited May 23 '17 at 11:54

20

You can get the RAW (not hexdump-ed) ELF section with:

# To a file:
objcopy file /dev/null --dump-section .text=text.data
# To stdout:
objcopy file /dev/null --dump-section .text=/dev/stdout | cat

Here I'm using | cat in order to force stdout to be a pipe. /dev/stdout might work unexpectedly if stdout is a file. .text=- does not send to stdout but to the - file.

However objcopy and objdump have some deficiencies (because they are based on BFD which abstracts different executable formats).

Update: I wrote a tool to do this which does not rely on BFD.

edited May 23 '17 at 11:54

Community

1
1

answered Aug 21 '15 at 11:17

ysdx

8,889
1
38
51

`--dump-section` is a bit recent. It was added at: http://sourceware-org.1504.n7.nabble.com/Commit-objcopy-Add-dump-section-option-td256052.html Why is it better than `--only-section`? – Ciro Santilli OurBigBook.com Sep 04 '15 at 13:20
2

@CiroSantilli六四事件法轮功纳米比亚威视, well the `objcopy -j` creates a whole ELF file (which a ELF header, a section heaer table with a .shstrtab section, a program header table) whereas `objcopy --dump-section` dumps the content of a section (and nothing else) to a file. – ysdx Sep 05 '15 at 07:40
Very good solution. Additionally, especially for `.modinfo` section, to print each parameter and its value line by line, we can use `... | xargs --null -n1 -I{} echo {};` as each pair ends with a `0x00` byte value as inspected from original output. PS: It's my habit to use `-n1` but it's redundant in such mentioned command. – haxpor Sep 11 '21 at 12:21
@hapor, it might depend on which version of sed you are using (?) but with GNU sed you can use `sed 's/\x0/\n/g'` – ysdx Oct 05 '22 at 19:21

How can I examine contents of a data section of an ELF file on Linux?

3 Answers3

Linked

Related