9

I found ".dynsym" in the string table and got its index. Then I found the section with sh_name = index && sh_type = SHT_DYNSYM. So I got sh_offset = 464 and sh_size = 64. But you can see in the attached picture that at offset 464 there are only zeros.

I suppose that the Import Table starts at offset 528. The question is: how do I calculate it? %)


fedorqui
Qwerty

1 Answer

8

> But you can see in the attached picture that at offset 464 there are only zeros.

Wrong: 01, 20, 29, 12 etc. are not "only zeros" last time I checked.

> I suppose that the Import Table starts at offset 528

No, it does not. For some reason you are expecting to find a Microsoft PE-style import table in an ELF file. It's not there.

An equivalent of an import table in ELF is contained in two tables. One contains Elf{32,64}_Sym fixed-size records:

typedef struct
{
  Elf32_Word    st_name;                /* Symbol name (string tbl index) */
  Elf32_Addr    st_value;               /* Symbol value */
  Elf32_Word    st_size;                /* Symbol size */
  unsigned char st_info;                /* Symbol type and binding */
  unsigned char st_other;               /* Symbol visibility */
  Elf32_Section st_shndx;               /* Section index */
} Elf32_Sym;

and is contained in the .dynsym section.

The other table is contained in the .dynstr section (which, in your file, starts at offset 528), and has just the (variable-size) strings separated by NUL characters.

The .st_name in the first table refers to an offset in .dynstr.

Employed Russian
  • Thanks for the answer. But at offset 464 there is no Elf32_Sym record. I got sh_offset = 464 from the header of the .dynsym section. It is weird that sh_size = 64 while at the same time sizeof(Elf32_Sym) = 16. – Qwerty Jun 13 '13 at 07:15
  • I just had a thought. Maybe those 64 bytes are 4 records (Elf32_Sym)? – Qwerty Jun 13 '13 at 07:44
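
The .dynsym/.dynstr lookup described in the answer, as an added example that is not part of the original posts: it walks a 64-byte symbol table as 16-byte records and resolves each st_name into the string table with bounds checks, since both values come from an untrusted file. The names `Sym32`, `dynsym_count` and `dynsym_name` and the sample tables are constructed for illustration; reading a real file this way additionally assumes the file's byte order matches the host's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                 /* same 16-byte layout as Elf32_Sym */
    uint32_t st_name, st_value, st_size;
    uint8_t  st_info, st_other;
    uint16_t st_shndx;
} Sym32;

/* Constructed sample: a 4-record .dynsym (64 bytes) and its .dynstr. */
static const Sym32 DYNSYM[4] = {
    { 0,  0,         0,  0,    0, 0  },   /* all-zero first record */
    { 11, 0,         0,  0x12, 0, 0  },   /* puts, undefined */
    { 16, 0,         0,  0x12, 0, 0  },   /* __libc_start_main, undefined */
    { 34, 0x8048400, 20, 0x12, 0, 12 },   /* my_export, defined in section 12 */
};
static const char DYNSTR[] = "\0libc.so.6\0puts\0__libc_start_main\0my_export";

/* Number of records in a .dynsym of sh_size bytes, or -1 if not a multiple. */
long dynsym_count(size_t sh_size) {
    return sh_size % sizeof(Sym32) ? -1 : (long)(sh_size / sizeof(Sym32));
}

/* Name of record idx, or NULL if idx or st_name is out of bounds or the string
   is unterminated. *is_import = 1 for a named symbol with st_shndx == 0. */
const char *dynsym_name(const void *symtab, size_t symtab_size,
                        const char *strtab, size_t strtab_size,
                        size_t idx, int *is_import) {
    Sym32 s;
    long n = dynsym_count(symtab_size);
    if (n < 0 || idx >= (size_t)n)
        return NULL;
    memcpy(&s, (const uint8_t *)symtab + idx * sizeof s, sizeof s);
    if (s.st_name >= strtab_size ||
        !memchr(strtab + s.st_name, 0, strtab_size - s.st_name))
        return NULL;
    *is_import = s.st_shndx == 0 /* SHN_UNDEF */ && strtab[s.st_name] != '\0';
    return strtab + s.st_name;
}

int main(void) {
    int imp = 0;
    for (size_t i = 0; i < 4; i++) {
        const char *name = dynsym_name(DYNSYM, sizeof DYNSYM, DYNSTR, sizeof DYNSTR, i, &imp);
        printf("%zu: %-18s %s\n", i, name ? name : "(invalid)", imp ? "import" : "");
    }
    return 0;
}
```
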