How to Find the Main Function's Entry Point of Elf Executable File Without Any Symbolic Information

In an ELF file, how does the address for _start get detemined?

The _start symbol may be defined in any object file. Normally it is generated automatically (it corresponds to main in C). You can generate it yourself, for instance in an assembler source file:

.globl _start
_start:
    // assembly here

When the linker has processed all object files it looks for the _start symbol and puts its value in the e_entry field of the elf header. The loader takes the address from this field and makes a call to it after it has finished loading all sections in memory and is ready to execute the file.

Under what circumstances, if any, would an executable ELF file (type == EXEC) not have section headers?

Under what circumstances would it be omitted?

Section info is not needed at execution time, and traditionally is only kept for debugging (e.g. you can get a backtrace for a crash from an executable compiled without any debugging info).

You should be able to remove them with e.g. strip --strip-all, but that doesn't appear to work.

You could also binary-patch the the file -- e.g. zero out .e_shoff and .e_shnum in the ELF header.

Related answer.

How to get user defined function range (begin and end address) in elf file?

nm -S a.out will show the symbol size (if available). Then you can get the 'end address' from the start address and size.

---

Related Topics