readelf displays information about files in ELF (Executable and Linking Format) format.
Introduction
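- ELF files can be divided into three types:
  - Relocatable object file (Relocatable File)
    - .o files on Linux, .obj files on Windows
  - Executable object file (Executable File)
  - Shared object file (Shared Object File)
    - .a and .so files on Linux, .dll files on Windows
  - Core dump file (Core Dump File)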
 
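- The first 16 bytes of the ELF header are: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  - The first 4 bytes are the ELF magic number, a fixed value
  - The 5th byte, 0x02, indicates a 64-bit ELF; for a 32-bit ELF this byte is 0x01
  - The 6th byte is the byte order: 0x01 is little endian, 0x02 is big endian
  - The 7th byte is the major version number of the ELF file; the following 9 bytes are generally 0
  - The 18th byte identifies the architecture? x86 or arm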
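
The byte layout described above, decoded in Python as an added example that is not part of the original notes. It also reads e_type and e_machine, the 16-bit fields at zero-based offsets 16 and 18 that `readelf -h` reports as Type and Machine. SAMPLE is constructed from the bytes quoted above, and the lookup tables cover only a few common values.

```python
import struct

# Constructed sample: the 16 e_ident bytes quoted above, followed by
# e_type = 2 (ET_EXEC) and e_machine = 0x3e (x86-64), little endian.
SAMPLE = bytes.fromhex("7f454c46020101000000000000000000") + struct.pack("<HH", 2, 0x3E)

EI_CLASS = {1: "ELF32", 2: "ELF64"}
EI_DATA = {1: "little endian", 2: "big endian"}
E_TYPE = {1: "REL (relocatable)", 2: "EXEC (executable)",
          3: "DYN (shared object)", 4: "CORE (core dump)"}
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_ident(data: bytes) -> dict:
    """Decode e_ident plus e_type/e_machine from the start of an ELF file."""
    if len(data) < 20:
        raise ValueError("truncated: need at least 20 bytes")
    if data[:4] != b"\x7fELF":
        raise ValueError("bad magic: not an ELF file")
    ei_class, ei_data, ei_version = data[4], data[5], data[6]
    if ei_class not in EI_CLASS or ei_data not in EI_DATA:
        raise ValueError("invalid EI_CLASS or EI_DATA byte")
    # e_type and e_machine are 16-bit fields at zero-based offsets 16 and 18,
    # stored in the byte order that EI_DATA declares.
    fmt = "<HH" if ei_data == 1 else ">HH"
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return {
        "class": EI_CLASS[ei_class],
        "data": EI_DATA[ei_data],
        "version": ei_version,
        "type": E_TYPE.get(e_type, f"unknown (0x{e_type:x})"),
        "machine": E_MACHINE.get(e_machine, f"unknown (0x{e_machine:x})"),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            head = f.read(20)
    else:
        head = SAMPLE
    for key, value in parse_ident(head).items():
        print(f"{key:8} {value}")
```

Run with a file path as the only argument to decode a real file's header, or with no argument to decode the constructed sample.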
 
help
$ readelf -h
readelf: Warning: Nothing to do.
Usage: readelf <option(s)> elf-file(s)
 Display information about the contents of ELF format files
 Options are:
  -a --all               Equivalent to: -h -l -S -s -r -d -V -A -I
  -h --file-header       Display the ELF file header
  -l --program-headers   Display the program headers
     --segments          An alias for --program-headers
  -S --section-headers   Display the sections' header
     --sections          An alias for --section-headers
  -g --section-groups    Display the section groups
  -t --section-details   Display the section details
  -e --headers           Equivalent to: -h -l -S
  -s --syms              Display the symbol table
     --symbols           An alias for --syms
  --dyn-syms             Display the dynamic symbol table
  -n --notes             Display the core notes (if present)
  -r --relocs            Display the relocations (if present)
  -u --unwind            Display the unwind info (if present)
  -d --dynamic           Display the dynamic section (if present)
  -V --version-info      Display the version sections (if present)
  -A --arch-specific     Display architecture specific information (if any)
  -c --archive-index     Display the symbol/file index in an archive
  -D --use-dynamic       Use the dynamic section info when displaying symbols
  -x --hex-dump=<number|name>
                         Dump the contents of section <number|name> as bytes
  -p --string-dump=<number|name>
                         Dump the contents of section <number|name> as strings
  -R --relocated-dump=<number|name>
                         Dump the contents of section <number|name> as relocated bytes
  -z --decompress        Decompress section before dumping it
  -w[lLiaprmfFsoRtUuTgAckK] or
  --debug-dump[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,
               =frames-interp,=str,=loc,=Ranges,=pubtypes,
               =gdb_index,=trace_info,=trace_abbrev,=trace_aranges,
               =addr,=cu_index,=links,=follow-links]
                         Display the contents of DWARF debug sections
  --dwarf-depth=N        Do not display DIEs at depth N or greater
  --dwarf-start=N        Display DIEs starting with N, at the same depth
                         or deeper
  --ctf=<number|name>    Display CTF info from section <number|name>
  --ctf-parent=<number|name>
                         Use section <number|name> as the CTF parent
  --ctf-symbols=<number|name>
                         Use section <number|name> as the CTF external symtab
  --ctf-strings=<number|name>
                         Use section <number|name> as the CTF external strtab
  -I --histogram         Display histogram of bucket list lengths
  -W --wide              Allow output width to exceed 80 characters
  @<file>                Read options from <file>
  -H --help              Display this information
  -v --version           Display the version number of readelf

Common commands
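# View the file header information
readelf -h core-xxx
# Symbol table; its information only includes global variables and function names
readelf -s <elf-file>
# View the dynamic files that an ELF file depends on
readelf -d /usr/bin/mysql
# View linking information
readelf -s /usr/bin/mysql
Further notes
ELF files can also be inspected with objdump.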