How can I examine contents of a data section of an ELF file on Linux?

Question

I\'ve been using objdump to look at assembly code in Linux ELF binaries.

Sometimes there is an indirect jump through a jump table that is stored in the

Answer 1

readelf -x .rodata hello_world.o

gives:

Hex dump of section '.rodata':
  0x00000000 48656c6c 6f20776f 726c6421 0a       Hello world!.

You should prefer readelf when possible since objdump simply does not show some sections like .symtab: Why does objdump not show .bss, .shstratab, .symtab and .strtab sections?

You can also extract the raw bytes with the techniques mentioned at: How do you extract only the contents of an ELF section and as mentioned by ysdx.

Answer 2

You can get the RAW (not hexdump-ed) ELF section with:

# To a file:
objcopy file /dev/null --dump-section .text=text.data
# To stdout:
objcopy file /dev/null --dump-section .text=/dev/stdout | cat

Here I'm using | cat in order to force stdout to be a pipe. /dev/stdout might work unexpectedly if stdout is a file. .text=- does not send to stdout but to the - file.

However objcopy and objdump have some deficiencies (because they are based on BFD which abstracts different executable formats).

Update: I wrote a tool to do this which does not rely on BFD.

Answer 3

objdump -s -j .rodata exefile

gives a side-by-side hex/printable ASCII dump of the contents of the rodata section like:

Contents of section .rodata:
 0000 67452301 efcdab89 67452301 efcdab89  gE#.....gE#.....
 0010 64636261 68676665 64636261 68676665  dcbahgfedcbahgfe

It doesn't look like there's anything in there to control formatting, but it's a start. You could always undump the hex and feed it to od, I suppose :)