Elf core file

Change Language. Related Articles. Table of Contents. Improve Article. Save Article. Like Article. Last Updated : 17 May, It ensures that data is correctly interpreted during linking or execution.

To better understand the inner working of an ELF file, it is useful to know this header information is used. After the ELF type declaration, there is a Class field defined. This value determines the architecture for the file. The magic shows a 02, which is translated by the readelf command as an ELF64 file.

In other words, an ELF file using the bit architecture. Not surprising, as this particular machine contains a modern CPU. Next part is the data field. This particular value helps to interpret the remaining objects correctly within the file. This is important, as different types of processors deal differently with the incoming instructions and data structures. The effect of LSB becomes visible when using hexdump on a binary file. We can see that the value pairs are different, which is caused by the right interpretation of the byte order.

So nothing interesting to remember. Each operating system has a big overlap in common functions. In addition, each of them has specific ones, or at least minor differences between them. This way the operating system and applications both know what to expect and functions are correctly forwarded.

These two fields describe what ABI is used and the related version. In this case, the value is 00, which means no specific extension is used. The output shows this as System V. The type field tells us what the purpose of the file is.

There are a few common file types. While some of the fields could already be displayed via the magic value of the readelf output, there is more.

For example for what specific processor type the file is. Using hexdump we can see the full ELF header and its values. The highlighted field above is what defines the machine type. The value 3e is 62 in decimal, which equals to AMD To get an idea of all machine types, have a look at this ELF header file. While you can do a lot with a hexadecimal dump, it makes sense to let tools do the work for you.

The dumpelf tool can be helpful in this regard. It shows a formatted output very similar to the ELF header file. Great to learn what fields are used and their typical values. With all these fields clarified, it is time to look at where the real magic happens and move into the next headers! One uis to be used for the linker to allow execution segments.

The other one for categorizing instructions and data sections. So depending on the goal, the related header types are used. When the kernel sees these segments, it uses them to map them into virtual address space, using the mmap 2 system call. In other words, it converts predefined instructions into a memory image. If your ELF file is a normal binary, it requires these program headers. It uses these headers, with the underlying data structure, to form a process.

This process is similar for shared libraries. An overview of program headers in an ELF binary. We see in this example that there are 9 program headers.

When looking at it for the first time, it hard to understand what happens here. This is a sorted queue used by the GNU C compiler gcc.

It stores exception handlers. So when something goes wrong, it can use this area to deal correctly with it. This header is used to store stack information. The stack is a buffer, or scratch place, where items are stored, like local variables.

When a process function is started a block is reserved. When the function is finished, it will be marked as free again. ELF core file format Ask Question. Asked 10 years, 8 months ago. Active 5 months ago. Viewed 21k times. Can you elaborate a bit on what you mean by 'core file format'? Are you referring to the object code format that gcc produces or the format of the final executable, in which case that would be ELF, or something else?

A newer answer for this question is here. Add a comment. Active Oldest Votes. Rachid K. Sign up or log in Sign up using Google.

Sign up using Facebook. Sign up using Email and Password. Create a free Team What is Teams? Collectives on Stack Overflow. Learn more. Retrieve executable from core dump Ask Question. Asked 1 year, 7 months ago. Active 1 year, 7 months ago. Viewed times. Did you ask the system administrator of your Linux computer? Provide some minimal reproducible example in your question please and give much more details. Create a standard core dump using kill PID.

The PID can be of a docker container which we are suppose to crash. But the weird thing is that the above solution using file package works for some cores and not for others. Thanks BasileStarynkevitch for your inputs. Add a comment.