
I saw many similar things like this:

    open("/lib64/libpthread.so.0", O_RDONLY) = 3
    read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260W \0242\0\0\0"..., 832) = 832

What's there in the beginning 832 bytes?

mu is too short
new_perl
  • http://en.wikipedia.org/wiki/Executable_and_Linkable_Format and there are links to more authoritative references at the bottom of the Wikipedia page. – mu is too short Jun 23 '11 at 06:59
  • @mu is too short, sorry, but I don't find the answer there. `ELF` can contain lots of things; I just want to know which of them are being looked up. – new_perl Jun 23 '11 at 09:49

1 Answer


If the listing above was captured at program startup, then it is likely that you are seeing the runtime loader in action, as it brings in shared libraries and resolves symbols prior to launching the program.

As for the initial contents being read, every ELF file starts with an ELF header which describes the layout and contents of the rest of the file---please see the tutorial "libelf by Example" for more information.

jkoshy
  • So the ELF header is always less than `832` bytes? – new_perl Jun 27 '11 at 02:11
  • Yes: Elf32_Ehdr is 52 bytes long; Elf64_Ehdr is 64 bytes. As to why it reads 832 bytes, and not just 64, the answer is here: http://repo.or.cz/w/glibc.git/blob/HEAD:/elf/dl-load.c#l111 – Employed Russian Jul 05 '11 at 00:46
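
The 32 bytes that strace printed in the question, decoded against the ELF header layout. This is an added example, not part of the original posts; `parse_ehdr_prefix` and the lookup tables are hypothetical names, and only a few `e_type`/`e_machine` values are listed.

```python
import struct

# The string strace printed in the question; strace's octal escapes are also
# valid in a Python bytes literal. Only 32 of the 832 bytes read were shown.
STRACE_BYTES = b"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260W \0242\0\0\0"

# Full header layouts after the 16-byte e_ident, used here for their sizes.
EHDR_REST = {1: "HHIIIIIHHHHHH",   # ELFCLASS32 -> Elf32_Ehdr
             2: "HHIQQQIHHHHHH"}   # ELFCLASS64 -> Elf64_Ehdr
E_TYPE = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
E_MACHINE = {3: "EM_386", 40: "EM_ARM", 62: "EM_X86_64", 183: "EM_AARCH64"}


def parse_ehdr_prefix(buf):
    """Decode e_ident and the fields up to e_entry from the start of an ELF file."""
    if len(buf) < 16 or buf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (bad magic or short read)")
    ei_class, ei_data = buf[4], buf[5]
    if ei_class not in EHDR_REST or ei_data not in (1, 2):
        raise ValueError("unknown EI_CLASS or EI_DATA")
    order = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    fmt = order + ("HHII" if ei_class == 1 else "HHIQ")
    if len(buf) < 16 + struct.calcsize(fmt):
        raise ValueError("buffer ends before e_entry")
    e_type, e_machine, e_version, e_entry = struct.unpack_from(fmt, buf, 16)
    return {
        "class": "ELF32" if ei_class == 1 else "ELF64",
        "byte_order": "little" if ei_data == 1 else "big",
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
        "version": e_version,
        "entry": e_entry,
        # Size of the complete header for this class (52 or 64 bytes).
        "ehdr_size": 16 + struct.calcsize(order + EHDR_REST[ei_class]),
    }


if __name__ == "__main__":
    for key, value in parse_ehdr_prefix(STRACE_BYTES).items():
        print(f"{key:>10}: {hex(value) if key == 'entry' else value}")
```

The remaining `Elf64_Ehdr` fields (program and section header offsets, counts and entry sizes) sit in bytes 32 to 63, past what strace displayed.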