Why doesn't `strip` remove section headers from ELF executables?

executable elf strip
5,981

The documentation for GNU binutils strip alludes to the reason, but is not explicit, mentioning in the description of --only-keep-debug that

Note - the section headers of the stripped sections are preserved, including their sizes, but the contents of the section are discarded. The section headers are preserved so that other tools can match up the debuginfo file with the real executable, even if that executable has been relocated to a different address space.

That is, unless told to explicitly via the -R option, strip will retain section headers to help other programs (including gdb) do their job.

The page Correct use of the strip command (part of Reverse Engineering using the Linux Operating System) notes

Running the strip command on an executable is the most common program protection method. In its default operation, the strip command removes the symbol table and any debugging information from an executable. This is how it is typically used. However, there is still useful information that is not removed.

and goes on to enumerate several useful things that might be left behind — for analysis of a "stripped" executable.

In Learning Linux Binary Analysis, this is reiterated, commenting that section headers are normally only missing when someone has deliberately removed them, and that without section headers, gdb and objdump are nearly useless.

Share:
5,981

Related videos on Youtube

Admin
Author by

Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    A minimal ELF executable only requires the ELF header and at least one program header in order to be functional. However, when I run strip on a short executable, it decides not to throw out the section header table or the section strings section, keeping them around although they have no purpose (as far as I know) for the program's execution.

    Is there a reason why these aren't removed by strip? Is there another utility which removes everything which isn't required for the executable to run? I've tried manually editing the code-golfing executable I was making to remove the section headers, and it appears to work fine, and be much smaller.

    • Admin
      Admin about 8 years
      It isn't stripped probably because it may break some programs/runtimes

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to strip executables thoroughly
What is the difference in byte code like Java bytecode and files and machine code executables like ELF?
Getting the error: bash: (program): cannot execute binary file: Exec format error, on both 32-bit and 64-bit Windows
How does bash execute an ELF file?
How to find executable filetypes?
When can I edit strings in an executable binary?
What are stripped and not-stripped executables in Unix?
Can we get compiler information from an elf binary?
What does "LSB" mean when referring to executable files in the output of /bin/file?
Usage differences between. a.out, .ELF, .EXE, and .COFF