AICollection Help

COFF (Common Object File Format)

COFF (Common Object File Format) is an older file format used for executables, object code, and shared libraries. It served as the foundation for modern formats like PE (Portable Executable) on Windows. Here's a breakdown of what the COFF header contains and how you can find where the code begins:

Structure of the COFF Header

The COFF header typically contains the following fields:

  1. Magic Number:

    • Identifies the file as a COFF executable.

    • Common values:

      • 0x014C: Intel 386 architecture.

      • 0x8664: AMD x64 architecture.

  2. Header Fields:

    • Machine (2 bytes):

      • Specifies the target architecture (e.g., IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64).

    • NumberOfSections (2 bytes):

      • Number of sections in the binary.

    • TimeDateStamp (4 bytes):

      • Timestamp of when the file was created.

    • PointerToSymbolTable (4 bytes):

      • Offset to the symbol table.

    • NumberOfSymbols (4 bytes):

      • Number of symbols in the symbol table.

    • SizeOfOptionalHeader (2 bytes):

      • Size of the optional header.

    • Characteristics (2 bytes):

      • Flags describing the attributes of the binary (e.g., executable, relocatable).

Sections in a COFF File

A COFF file is divided into several sections, each described by a section header:

  1. Text Section:

    • Contains the executable code.

  2. Data Section:

    • Contains initialized variables and constants.

  3. BSS Section:

    • Contains uninitialized variables.

  4. Relocation Section:

    • Stores information for relocating addresses during linking.

  5. Symbol Table:

    • Contains symbol definitions and references for linking and debugging.

Finding Where the Code Begins

To determine where the code starts in a COFF file:

  1. Check the Entry Point:

    • The entry point is specified in the optional header (if present).

  2. Locate the Text Section:

    • The text section contains the executable code.

    • Use the section header to determine the file offset and size of the text section.

  3. Disassemble the Code:

    • Use tools like objdump or gdb to disassemble the binary and verify the code.

Commands to Analyze COFF Files

  • objdump -f <file>: Displays the file header, including architecture and entry point.

  • objdump -h <file>: Displays section headers.

  • objdump -d <file>: Disassembles the text (code) section.

  • nm <file>: Lists symbols in the file.

Example

# Display header information objdump -f example # Display section headers objdump -h example # Disassemble to find the entry point objdump -d example # List symbols nm example

These tools can help you analyze the COFF structure and understand how the binary is organized and executed.

Last modified: 19 January 2025
a.out (Assembler Output Format)MZ (DOS Executable Format)