readelf
1. What readelf is originally for
readelf is a tool from GNU binutils used to inspect the internal structure of ELF files.
ELF stands for Executable and Linkable Format. It is the standard binary format commonly used on Unix-like systems for:
- executable files
- relocatable object files (.o)
- shared libraries (.so)
- core files
The original purpose of readelf is not to execute programs or disassemble instructions, but to read and display ELF metadata and layout.
Its main job is to help users understand:
- what kind of ELF file they are looking at
- how the file is organized
- how it is linked
- how it is loaded into memory
- what symbols, relocations, and dynamic linking information it contains
A useful way to think about it:
- readelf focuses on ELF structure
- objdump is a more general binary analysis tool
Another important point is that readelf reads ELF information directly, and is often used when one wants a clear view of ELF-specific metadata.
2. Main things readelf is commonly used for
2.1. Inspecting the basic identity of an ELF file
This includes:
- whether the file is 32-bit or 64-bit
- whether it is little-endian or big-endian
- whether it is executable, relocatable, or a shared object
- which machine architecture it targets
Typical command:
readelf -h file
This prints the ELF header, which is the top-level header of the file.
2.2. Viewing section headers
Sections describe how the file is logically divided for linking and analysis.
Examples of common sections:
- .text
- .data
- .bss
- .rodata
- .symtab
- .strtab
- .dynsym
Typical command:
readelf -S file
This shows:
- section names
- file offsets
- virtual addresses
- sizes
- flags
2.3. Viewing program headers
Program headers describe how the operating system loader maps the ELF file into memory.
Typical command:
readelf -l file
This shows:
- loadable segments
- memory permissions
- interpreter path
- mapping between sections and segments
This is especially useful for understanding how the binary is loaded at runtime.
2.4. Inspecting symbol tables
Symbols include:
- function names
- global variables
- undefined references
- exported entries
Typical command:
readelf -s file
For dynamic symbols only:
readelf --dyn-syms file
This is very useful when studying linking behavior or library exports.
2.5. Inspecting dynamic linking information
Typical command:
readelf -d file
This displays the dynamic section, including information such as:
- required shared libraries (NEEDED)
- SONAME
- RPATH / RUNPATH
- pointers to dynamic tables
This is commonly used to analyze runtime library dependencies.
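The program header view (2.3) and the dynamic section view (2.5) together answer most loader-hardening questions, so the following added example (not part of the original page) condenses both outputs into one fact per line. It assumes GNU readelf's wide row format (-W); the sample text is constructed, and the function name, the WARN labels and the relative-path heuristic are choices made for this example.

```sh
# Added example, not from the original page. Real use (GNU readelf assumed):
#   { readelf -lW FILE; readelf -dW FILE; } | elf_summary
elf_summary() {
  awk '
    # Program header row: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
    NF >= 8 && $2 ~ /^0x/ && $3 ~ /^0x/ {
      flags = ""
      for (i = 7; i < NF; i++) flags = flags $i   # "R E" arrives as two fields
      if ($1 == "LOAD" && flags ~ /W/ && flags ~ /E/) print "WARN wx-segment " $3
      if ($1 == "GNU_STACK" && flags ~ /E/) print "WARN exec-stack"
    }
    /Requesting program interpreter:/ {
      p = substr($0, index($0, ": ") + 2)
      print "INTERP " substr(p, 1, index(p, "]") - 1)
    }
    # Dynamic section row: Tag (TYPE) Description: [value]
    $2 ~ /^\((NEEDED|SONAME|RPATH|RUNPATH)\)$/ {
      tag = substr($2, 2, length($2) - 2)
      val = substr($0, index($0, "[") + 1)
      val = substr(val, 1, index(val, "]") - 1)
      print tag " " val
      if (tag != "RPATH" && tag != "RUNPATH") next
      # Assumption of this example: flag entries that are neither absolute
      # nor anchored at $ORIGIN, since they resolve against the working directory.
      n = split(val, dir, ":")
      for (i = 1; i <= n; i++)
        if (substr(dir[i], 1, 1) != "/" && substr(dir[i], 1, 7) != "$ORIGIN" && substr(dir[i], 1, 9) != "${ORIGIN}")
          print "WARN relative-search-path " tag " [" dir[i] "]"
    }
  '
}

# Constructed sample in the shape of `readelf -lW` and `readelf -dW` output.
sample_readelf_output() {
  cat <<'EOF'
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
      [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD           0x001000 0x0000000000001000 0x0000000000001000 0x000175 0x000175 R E 0x1000
  LOAD           0x002000 0x0000000000002000 0x0000000000002000 0x000200 0x000200 RWE 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
Dynamic section at offset 0x2dc8 contains 2 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:plugins]
EOF
}
sample_readelf_output | elf_summary
```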
2.6. Viewing relocation entries
Typical command:
readelf -r file
This shows:
- where relocations are needed
- which relocation type is used
- which symbol each relocation refers to
This is particularly useful for object files and for studying the linker.
2.7. Viewing notes
Typical command:
readelf -n file
This can show:
- build ID
- ABI information
- note sections
- note segments
2.8. Viewing debugging information
If the binary contains debug data, readelf can inspect DWARF-related content.
Example:
readelf --debug-dump=info file
This is more relevant for compiler, debugger, and reverse engineering work.