Unlocking Android's ELF Files: A Beginner's Guide to the Binary Format

ELF file format is a crucial foundation for native hooking, reverse engineering, and low‑level Android development. Learning ELF helps you understand how the linker works and lets you inspect the contents of .so files.

What Is an ELF File?

Executable and Linking Format (ELF) is a common object file format on x86 Linux systems, with three primary types: Relocatable file – can be linked with other objects to create executables or shared objects. Executable file – provides a process image for execution. Shared object file – can be linked with other objects and combined by the dynamic linker to form a running process.

In simple terms, ELF is the Linux counterpart to Windows' PE format used by .exe and .dll files.

Unlike Windows, Linux does not rely on file extensions to determine executability; a file must both conform to the ELF format and have executable permission.

The three ELF‑based file categories are:

Relocatable file (e.g., .o files generated from C/C++ source).

Executable file (similar to Windows .exe, produced by linking one or more .o files).

Shared object file (similar to Windows .dll; Android NDK generates .so files of this type).

In the context of Android development, the ELF format refers specifically to the .so files used by native code.

ELF Structure Overview

ELF files consist of:

ELF header

Section header table / Program header table

Sections and segments

The ELF header, located at the file start, is a fixed‑size binary block (0x34 bytes) beginning with the magic bytes 0x7F 45 4C 46, which allows the system to recognize the file as ELF.

Sections store the actual content (code, data, strings, etc.). For linking, the linker reads the section header table to locate each section; for execution, the program header table is used to map segments into memory.

Tools for Inspecting ELF Files

Android NDK provides utilities such as: arm-linux-androideabi-readelf – displays ELF header information. arm-linux-androideabi-objdump – disassembles sections, showing defined functions and assembly code.

Further detailed format explanations will be covered in subsequent articles.