How to interpret the dynamic symbol table in an ELF executable?

Hrishikesh Murali · Aug 18, 2011 · Viewed 9.3k times

I was looking at interpreting the dynamic symbol table (.dynsym) of an ELF executable file. I could successfully interpret the symbol table .symtab (16 bytes for each symbol) using the value attribute to denote the address of the symbol and name attribute to denote the offset of the start of string in .strtab section. But I'm unable to interpret the dynamic symbol table (.dynsym) using the same method. I used Ali's blog [1] for reference.

I looked at another blog of Ali's [2] but I don't understand how to interpret the dynamic symbol table using the hash table. Clearly it isn't the same mapping as used by the symbol table. How should I interpret the dynamic symbol table (.dynsym)?

Also, the ELF executable which I'm looking at has two sections, namely .hash and .gnu.hash. Which section do I refer to for the hash values?

[1] http://blogs.oracle.com/ali/entry/inside_elf_symbol_tables
[2] http://blogs.oracle.com/ali/entry/gnu_hash_elf_sections

Answer

JohnTortugo · Oct 1, 2012

From the ELF specification, each symbol is defined using the following structure:

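typedef struct {
      Elf32_Word    st_name;   /* offset of the name in the string table */
      Elf32_Addr    st_value;  /* symbol value, e.g. its address */
      Elf32_Word    st_size;   /* size of the object in bytes */
      unsigned char st_info;   /* binding and type */
      unsigned char st_other;  /* visibility */
      Elf32_Half    st_shndx;  /* index of the related section */
} Elf32_Sym;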

So in general this will be 16 bytes. The dynamic and static symbol tables use the same structure, so parsing this table is just the same for static and dynamic linking. Of course the meaning of the values isn't always the same.

You can reach a symbol in the symbol table by two means. First, if you already know the symbol index you can just go to that index. But sometimes you don't have the symbol index; you have only a symbol name, and in fact you wanna check if the symbol table has a definition for a symbol with that name. In this second situation you use the hash sections. Those are used to quickly check if a symbol is present in a symbol table: symbol-name -> hash -> symb_index -> check if symbol_table[symb_index] == symbol-name.
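
The name -> hash -> index -> compare lookup described in the answer above, as an added example that is not part of the original answer. It uses the classic SysV `.hash` layout and hash function from the ELF specification (`.gnu.hash` has a different layout and is not shown); the `Sym` type, the sample `dynstr`/`dynsym` contents and the helpers `build_hash` and `lookup` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
typedef struct {                     /* Elf32_Sym layout: 16 bytes */
    uint32_t st_name, st_value, st_size;
    unsigned char st_info, st_other;
    uint16_t st_shndx;
} Sym;
enum { NSYM = 4, NBUCKET = 3 };
/* Constructed sample tables, not from a real binary; index 0 is the null symbol. */
static const char dynstr[] = "\0puts\0malloc\0free";
static const Sym dynsym[NSYM] = {
    {0, 0, 0, 0, 0, 0}, {1, 0, 0, 0x12, 0, 0}, {6, 0, 0, 0x12, 0, 0}, {13, 0, 0, 0x12, 0, 0}};
/* .hash layout: nbucket, nchain, bucket[nbucket], chain[nchain] */
static uint32_t hash_sec[2 + NBUCKET + NSYM] = {NBUCKET, NSYM};

uint32_t elf_hash(const char *name) {   /* SysV hash function from the ELF spec */
    uint32_t h = 0, g;
    while (*name) {
        h = (h << 4) + (unsigned char)*name++;
        g = h & 0xf0000000u;
        h = (h ^ (g >> 24)) & ~g;        /* fold the top nibble back in, then clear it */
    }
    return h;
}

/* Stand-in for the link editor: push each symbol onto the chain of its bucket. */
void build_hash(void) {
    uint32_t *bucket = hash_sec + 2, *chain = bucket + NBUCKET;
    memset(bucket, 0, (NBUCKET + NSYM) * sizeof *bucket);
    for (uint32_t i = 1; i < NSYM; i++) {
        uint32_t b = elf_hash(dynstr + dynsym[i].st_name) % NBUCKET;
        chain[i] = bucket[b];            /* previous head becomes the next link */
        bucket[b] = i;
    }
}

/* name -> hash -> bucket -> chain walk, comparing names; 0 (STN_UNDEF) if absent. */
uint32_t lookup(const char *name) {
    const uint32_t *bucket = hash_sec + 2, *chain = bucket + hash_sec[0];
    for (uint32_t i = bucket[elf_hash(name) % hash_sec[0]]; i; i = chain[i])
        if (strcmp(dynstr + dynsym[i].st_name, name) == 0) return i;
    return 0;
}

int main(void) {
    build_hash();
    printf("free -> %u, printf -> %u\n", (unsigned)lookup("free"), (unsigned)lookup("printf"));
    return 0;
}
```

With three buckets, `puts` and `free` land in the same bucket, so finding `puts` requires following the chain and comparing names, which is why the final string comparison in the answer's description is needed.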