In our previous article, we looked at the different phases of gcc compilation and the different types of output generated by the gcc compiler.
In this article we will examine the contents of both object and binary/executable files and the difference between static and dynamic libraries.
Object File:
An object file contains machine code/instructions that are executable by the processor.
However, there is a bit of work to do before the processor can actually run it.
The main difference between an object file and a binary file is that in an object file, references to code and data outside the file (functions and variables defined in other object files, in static libraries or in dynamic libraries) are not yet resolved: the file carries only symbol names and relocation entries telling the linker where the final addresses must be patched in.
These references cannot be resolved earlier because each source file is compiled and assembled independently of the others.
We can view the different sections of an object file using the objdump tool. Its help text summarises it as follows:
Usage: objdump <option(s)> <file(s)>
Display information from object <file(s)>.
objdump can be used to disassemble a binary/executable file as well as to dump individual sections of an object file.
The following command instructs objdump to show the full contents (-s) of the read-only data section (-j .rodata) of the object file (in ELF format):
objdump -sj .rodata example.o
example.o: file format elf64-x86-64
Contents of section .rodata:
0000 48656c6c 6f2c2077 6f726c64 2100           Hello, world!.
The .rodata section stores only read-only (constant) data. Here it holds the string "Hello, world!" followed by its terminating null byte (the trailing 00, printed as "." in the ASCII column).
We can also use objdump to disassemble all the code in an object file in Intel syntax, as shown below:
objdump -M intel -d example.o
example.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <main>:
As you can see, the object file contains only one function, main, and it is placed at offset 0 of the .text section because no final address has been assigned yet. Wikipedia has in-depth information on assembly language if you need a refresher.
Binary File:
The linker (or link editor) combines all the object files, resolves the symbolic references between them and relocates each piece of code and data to its final address in the program's memory layout. This process creates a binary executable file.
In a binary file, references to static libraries are fully resolved: the required code is copied out of the archive into the executable at link time. References to dynamic (shared) libraries are only recorded in the binary (in its .plt and .got entries) and are resolved by the dynamic loader when the binary is loaded into memory or, with lazy binding, the first time each function is called.
The following command disassembles a binary file with objdump:
objdump -M intel -d a.out
a.out: file format elf64-x86-64
Disassembly of section .init:
0000000000001000 <_init>:
1000: 48 83 ec 08 sub rsp,0x8
1004: 48 8b 05 dd 2f 00 00 mov rax,QWORD PTR [rip+0x2fdd] # 3fe8 <__gmon_start__>
100b: 48 85 c0 test rax,rax
100e: 74 02 je 1012 <_init+0x12>
1010: ff d0 call rax
1012: 48 83 c4 08 add rsp,0x8
1016: c3 ret
Disassembly of section .fini:
00000000000011c4 <_fini>:
11c4: 48 83 ec 08 sub rsp,0x8
11c8: 48 83 c4 08 add rsp,0x8
11cc: c3 ret
This is not the complete output of the disassembled binary; as you can see, a binary file has more sections than an object file (.init and .fini above, in addition to .text and .rodata).
We will need these sections to do static analysis of an infected file.
In our next article, we will learn how to examine a malicious file using static analysis.