From ELF Files to Linux Processes: Understanding ELF Structure and Process Creation
This article explains what ELF files are, details their header, program header table, sections and section header table, and walks through how Linux uses fork and execve to clone a child process and load an ELF binary into a new address space.
1. What is an ELF file?
ELF (Executable and Linkable Format) is a binary file format used on Linux for executables, object files, shared libraries and core dumps. It includes several file types: executable files, relocatable object files (.o), shared objects (.so) and core dump files.
2. ELF file structure
An ELF file consists of an ELF header, a program header table, sections, and a section header table.
ELF header
The ELF header contains basic information such as class (32‑ or 64‑bit), data encoding, version, OS/ABI, file type, machine, entry point address, offsets and sizes of the program and section header tables, and flags.
root@raspberrypi:/home/mfn# readelf -h a.out
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 ...
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
Type: DYN (Position‑Independent Executable file)
Machine: AArch64
Entry point address: 0x600
Start of program headers: 64 (bytes into file)
Start of section headers: 68504 (bytes into file)
...
Program header table
The program header table describes the segments that the loader will map into memory. Each entry includes the segment type (e.g., PT_PHDR, PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_NOTE), file offset, virtual address, physical address, file size, memory size, flags (R, W, X) and alignment.
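The following is an added example, not code from the original article. It reads the ELF header and program header table fields described above from an ELF64 little-endian image, and goes one step beyond the text by flagging PT_LOAD segments that are both writable and executable. The function names are hypothetical and the sample image is constructed in `build_sample()` (a header plus three program headers, no real code).

```python
import struct

PT_NAMES = {1: "PT_LOAD", 2: "PT_DYNAMIC", 3: "PT_INTERP", 4: "PT_NOTE", 6: "PT_PHDR"}
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes

def parse_segments(blob):
    """Return (entry, [segment dicts]) for a little-endian ELF64 image."""
    if len(blob) < EHDR.size or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:          # EI_CLASS = ELF64, EI_DATA = little endian
        raise ValueError("only ELF64 little-endian handled here")
    (_, _, _, _, entry, phoff, _, _, _, phentsize, phnum, _, _, _) = EHDR.unpack_from(blob)
    if phentsize != PHDR.size or phoff + phnum * phentsize > len(blob):
        raise ValueError("program header table is malformed or truncated")
    segs = []
    for i in range(phnum):
        p_type, flags, off, vaddr, _, filesz, memsz, _ = PHDR.unpack_from(blob, phoff + i * phentsize)
        perms = "".join(c if flags & bit else "-" for c, bit in (("R", 4), ("W", 2), ("X", 1)))
        segs.append({"type": PT_NAMES.get(p_type, hex(p_type)), "perms": perms,
                     "offset": off, "vaddr": vaddr, "filesz": filesz, "memsz": memsz})
    return entry, segs

def writable_and_executable(segs):
    """PT_LOAD segments mapped both W and X, which a hardened binary should not have."""
    return [s for s in segs if s["type"] == "PT_LOAD" and "W" in s["perms"] and "X" in s["perms"]]

def build_sample():
    """Constructed ELF64 image: header plus three program headers, no real code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, 3, 183, 1, 0x600, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    phdrs = [(1, 5, 0, 0, 0, 0x800, 0x800, 0x10000),                  # R-X, code
             (1, 6, 0x1000, 0x11000, 0x11000, 0x80, 0x100, 0x10000),  # RW-, memsz > filesz (.bss)
             (1, 7, 0x2000, 0x22000, 0x22000, 0x40, 0x40, 0x10000)]   # RWX, deliberately weak
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs)

if __name__ == "__main__":
    entry, segs = parse_segments(build_sample())
    print("entry point:", hex(entry))
    for s in segs:
        print(s)
    print("W+X segments:", writable_and_executable(segs))
```

In the second sample segment the memory size exceeds the file size; the difference is the zero-filled region that holds .bss at load time.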
Sections
Sections are the logical units inside the file, such as .text, .data, .rodata, .bss, .symtab, .strtab, .dynamic, etc. They hold code, initialized data, read‑only data, uninitialized data, symbol tables and other metadata.
Section header table
The section header table provides the name, type, address, offset, size, and flags for each section, enabling linkers and loaders to locate and interpret them.
3. From ELF to a Linux process
Creating a new Linux process involves two steps: (1) the parent process clones a child process using fork(), and (2) the child loads an ELF file with execve() to replace its address space.
3.1 fork – creating the child
When fork() is called, the kernel clones key resources from the parent: the open file table, filesystem information, signal‑handling tables, the memory layout (code and data are identical in virtual address space, but physical pages are separate), and namespace information. The child is then placed on the CPU run queue.
3.2 execve – loading the ELF
execve() replaces the child’s address space with the contents of the specified ELF file. The kernel opens the file, reads the ELF header, parses the program header table, and maps the .text, .data and .bss sections into the new memory space. Mapping avoids copying and improves performance. All information inherited from the parent that is no longer needed is discarded.
After execve() the process runs the entry point defined in the ELF header, completing the transformation from an ELF file to a running Linux process.
Conclusion
Understanding ELF file structure and the fork/execve workflow provides deeper insight into Linux program execution and aids debugging and development.
