How can I examine contents of a data section of an ELF file on Linux?
LinuxElfObjdumpObject CodeLinux Problem Overview
I've been using objdump
to look at assembly code in Linux ELF binaries.
Sometimes there is an indirect jump through a jump table that is stored in the rodata
(read-only data) section.
How to get objdump
or any other tool to show me the contents of this data section?
I could execute the program and examine the relevant addresses in the debugger, but I don't want to do that because it has to be done interactively.
The ideal answer will identify a tool that will not only show me the contents but will let me control the display format, much as od
does.
Linux Solutions
Solution 1 - Linux
objdump -s -j .rodata exefile
gives a side-by-side hex/printable ASCII dump of the contents of the rodata
section like:
Contents of section .rodata:
0000 67452301 efcdab89 67452301 efcdab89 gE#.....gE#.....
0010 64636261 68676665 64636261 68676665 dcbahgfedcbahgfe
It doesn't look like there's anything in there to control formatting, but it's a start. You could always undump the hex and feed it to od, I suppose :)
Solution 2 - Linux
readelf -x .rodata hello_world.o
gives:
Hex dump of section '.rodata':
0x00000000 48656c6c 6f20776f 726c6421 0a Hello world!.
You should prefer readelf
when possible since objdump
simply does not show some sections like .symtab
: https://stackoverflow.com/questions/22160621/why-does-objdump-not-show-bss-shstratab-symtab-and-strtab-sections
You can also extract the raw bytes with the techniques mentioned at: https://stackoverflow.com/questions/3925075/how-do-you-extract-only-the-contents-of-an-elf-section and as mentioned by ysdx.
Solution 3 - Linux
You can get the RAW (not hexdump-ed) ELF section with:
# To a file:
objcopy file /dev/null --dump-section .text=text.data
# To stdout:
objcopy file /dev/null --dump-section .text=/dev/stdout | cat
Here I'm using | cat
in order to force stdout to be a pipe. /dev/stdout
might work unexpectedly if stdout is a file. .text=-
does not send to stdout but to the -
file.
However objcopy and objdump have some deficiencies (because they are based on BFD which abstracts different executable formats).
Update: I wrote a tool to do this which does not rely on BFD.