Object File Formats

Every reverse engineering tool needs to know about object file formats. The most basic tool for inspecting binary files is the hex editor.

An exceptionally good hex editor for reverse engineering is available from SweetScape: the 010 Editor. It understands file format specifications in the form of templates, which makes it easy to impose a structure on binary files.

Several standard formats have specifications on the net.

A very good repository for object file format specifications used to be The Wotsit's Site. It now appears that its content has disappeared, so here are links to various file format specifications for executable files:

  • Microsoft CodeView Symbol and Type Information Spec., V1.0.

  • Portable Executable Format Specification for Windows, V1.0. The Portable Executable (PE) format is the format used by Windows NT and Windows 95 / XP / Vista executable files (.EXE, .DLL).
     
  • The PDB Program DataBase format. Microsoft's proprietary debug format generated by the Visual Studio suite of compilers. Very little is known about the internal structure of this format, since Microsoft has not published its specification.
     
  • DJGPP COFF format. The format used in the DJGPP 32-bit environment for DOS.

  • Relocatable Object Module Format (OMF), V1.1. This is the old Microsoft format for x86 executable files.

  • Executable and Linkable Format (ELF) V1.1. This is the format used by many UNIX System V Release 4 derivatives, including Solaris and Linux. A number of processor-specific addenda are available for different processors.

  • DWARF 3 Debug Information Format. The last revision of DWARF is version 3. Mostly compatible with DWARF 2, which is what most compilers generate, including gcc.

  • DWARF 1.1 Debug Information Format. This is the original definition of the DWARF format, that is, the portion of an ELF file (it could also be used with COFF) that describes symbolic information such as variable types. Introduced on UNIX System V Release 4 compliant systems, it had many limitations, and gcc did not adopt it as standard, preferring to emit the more established STABS format.

  • STABS: the BSD AOUT format, like COFF, does not have a separate debug info portion. Instead, special entries in the AOUT symbol table carry symbolic info and line numbers.
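The formats listed above all begin with fixed headers that a tool must decode before it can do anything else. As an added example (not code from this page or from any of the specifications it links to), the following Python script identifies a file's container format from its magic bytes and decodes the ELF file header and the PE/COFF file header, bounds-checking the fields a malformed file could use to send a parser out of range. The sample headers at the bottom are constructed by hand, not taken from real binaries, and the machine-type tables cover only a few common values.

```python
"""Identify an object file from its magic bytes and decode ELF and PE headers.
Added example; the sample bytes at the bottom are constructed, not real files."""
import struct

# Small machine-type tables (assumed subset of the values in the ELF and PE specs).
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def identify(data: bytes) -> str:
    """Return a coarse format name based on the leading magic bytes."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ":
        # A PE file starts with a DOS stub; e_lfanew at offset 0x3C points at "PE\0\0".
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
                return "PE"
        return "MZ (DOS executable)"
    return "unknown"


def parse_elf_header(data: bytes) -> dict:
    """Decode e_ident and the class-dependent ELF file header.
    Raises ValueError on truncated or inconsistent input instead of guessing."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = endian + ("HHIIIIIHHHHHH" if ei_class == 1 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    f = struct.unpack_from(fmt, data, 16)
    return {
        "class": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(f[0], hex(f[0])),
        "machine": ELF_MACHINES.get(f[1], hex(f[1])),
        "entry": f[3],
        "phoff": f[4], "phnum": f[9],
        "shoff": f[5], "shnum": f[11],
    }


def parse_pe_header(data: bytes) -> dict:
    """Follow e_lfanew to the PE signature and decode the COFF file header plus
    the optional-header magic. e_lfanew is file-controlled, so it is bounds-checked."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):          # 4-byte signature + 20-byte COFF header
        raise ValueError("e_lfanew points outside the file")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _stamp, _symptr, _nsyms, optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = None
    if optsize >= 2 and opt_off + 2 <= len(data):
        (magic,) = struct.unpack_from("<H", data, opt_off)
    return {
        "machine": PE_MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "optional_header_size": optsize,
        "pe32plus": magic == 0x20B,
        "dll": bool(chars & 0x2000),       # IMAGE_FILE_DLL
        "characteristics": chars,
    }


# Constructed samples: a 64-bit little-endian ELF executable header and a
# minimal PE32+ DLL header, plus an MZ file whose e_lfanew is out of range.
ELF64_SAMPLE = (
    b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8        # e_ident: 64-bit, LE, v1
    + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000,  # ET_EXEC, x86-64, entry
                  64, 0x1000, 0, 64, 56, 2, 64, 5, 4)      # phoff, shoff, ... shstrndx
)
PE_SAMPLE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x2022)      # x86-64, 3 sections, DLL
    + struct.pack("<H", 0x20B)                                      # PE32+ magic
)
BAD_PE_SAMPLE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x7FFFFFFF)

if __name__ == "__main__":
    for name, blob in (("elf", ELF64_SAMPLE), ("pe", PE_SAMPLE), ("bad", BAD_PE_SAMPLE)):
        kind = identify(blob)
        print(name, kind)
        if kind == "ELF":
            print(parse_elf_header(blob))
        elif kind == "PE":
            print(parse_pe_header(blob))
```

The out-of-range e_lfanew case is the one to notice: `identify` reports the file as a plain MZ executable rather than indexing past the buffer, and `parse_pe_header` refuses it outright. Real tools parse program headers, section tables and the PE section table beyond this point, and every offset and count read from the file needs the same treatment.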
