ELF Binary File Signature — Magic Bytes
Understand the ELF (Executable and Linkable Format) magic bytes 7F 45 4C 46. Learn how to identify Linux executables, shared libraries, and object files in hex.
Hex
7F 45 4C 46
ASCII
.ELF
Detailed Explanation
The ELF (Executable and Linkable Format) file signature is the four-byte sequence 7F 45 4C 46, which is the DEL character (0x7F) followed by the ASCII letters "ELF". This is the standard binary format for executables, shared libraries, object files, and core dumps on Linux, BSD, Solaris, and many other Unix-like operating systems.
Byte-by-byte breakdown:
| Offset | Hex | Meaning |
|---|---|---|
| 0 | 7F | DEL character (non-printable) — prevents accidentally running the file as a text script |
| 1 | 45 | ASCII 'E' |
| 2 | 4C | ASCII 'L' |
| 3 | 46 | ASCII 'F' |
ELF header fields after the magic bytes:
The bytes immediately following the signature contain critical information about the binary:
| Offset | Size | Field | Common Values |
|---|---|---|---|
| 4 | 1 byte | Class | 01 = 32-bit, 02 = 64-bit |
| 5 | 1 byte | Endianness | 01 = little-endian, 02 = big-endian |
| 6 | 1 byte | ELF version | 01 = current |
| 7 | 1 byte | OS/ABI | 00 = System V, 03 = Linux, 09 = FreeBSD |
| 8-15 | 8 bytes | Padding | Usually all zeros |
| 16-17 | 2 bytes | Object type | 02 00 = executable, 03 00 = shared object |
| 18-19 | 2 bytes | Machine | 3E 00 = x86-64, B7 00 = AArch64 |
Reading a typical Linux executable header:
A standard 64-bit x86_64 Linux executable begins with:
7F 45 4C 46 02 01 01 00 00 00 00 00 00 00 00 00
02 00 3E 00 01 00 00 00
This tells us: ELF magic, 64-bit, little-endian, version 1, System V ABI, executable type, x86-64 architecture.
Types of ELF files:
The type field at offset 16 reveals what kind of ELF file you are examining:
- 01 00 — Relocatable object file (.o) — compiler output before linking
- 02 00 — Executable — a directly runnable program
- 03 00 — Shared object (.so) — a dynamic library
- 04 00 — Core dump — produced when a process crashes
Why this matters for security:
In penetration testing and malware analysis, identifying ELF binaries is a critical first step. An attacker might upload a disguised ELF binary with a non-standard extension (e.g., .txt, .jpg). Checking the magic bytes instantly reveals the true file type. Similarly, analyzing a suspicious process's core dump in a hex editor starts with confirming the ELF signature.
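The header walk and the extension check described above can be combined into one triage helper. This is an added example, not code from the original page; the function names and the EXPECTED_EXT allow-list are assumptions, and the lookup tables contain only the values listed in the tables above.

```python
import struct
from pathlib import PurePath

ELF_MAGIC = b"\x7fELF"
CLASSES = {1: "32-bit", 2: "64-bit"}
ENDIAN = {1: ("little-endian", "<"), 2: ("big-endian", ">")}
OSABI = {0: "System V", 3: "Linux", 9: "FreeBSD"}
# Type 3 is also what position-independent executables (PIE) report.
TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core dump"}
MACHINES = {0x3E: "x86-64", 0xB7: "AArch64"}
# Assumed allow-list: extensions under which an ELF file is unremarkable.
EXPECTED_EXT = {".so", ".o", ".ko", ".elf", ".bin", ".core"}
# Sample input: the 24 header bytes shown on this page.
SAMPLE = bytes.fromhex("7f454c46020101000000000000000000" "02003e0001000000")


def _name(table, value):
    return table.get(value, f"unknown (0x{value:02x})")


def parse_elf_header(data):
    """Decode offsets 0-19; None if not ELF, {'error': ...} if unusable."""
    if data[:4] != ELF_MAGIC:
        return None
    if len(data) < 20:
        return {"error": "truncated header"}
    ei_class, ei_data, _version, ei_osabi = data[4:8]
    if ei_data not in ENDIAN:
        return {"error": "invalid endianness byte"}
    endian_name, order = ENDIAN[ei_data]
    # Multi-byte fields follow the byte order declared at offset 5.
    e_type, e_machine = struct.unpack_from(order + "HH", data, 16)
    return {"class": _name(CLASSES, ei_class), "endianness": endian_name,
            "osabi": _name(OSABI, ei_osabi), "type": _name(TYPES, e_type),
            "machine": _name(MACHINES, e_machine)}


def looks_disguised(filename, data):
    """True when content is ELF but the extension suggests something else."""
    if data[:4] != ELF_MAGIC:
        return False
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if not suffixes:
        return False              # extensionless, e.g. /bin/ls
    if suffixes[-1][1:].isdigit() and ".so" in suffixes:
        return False              # versioned library, e.g. libc.so.6
    return suffixes[-1] not in EXPECTED_EXT


if __name__ == "__main__":
    print(parse_elf_header(SAMPLE))
    print(looks_disguised("holiday.jpg", SAMPLE))
```

In an upload or CI validation step, pass only the first 20 bytes of each file to these functions; there is no need to read the whole file.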
ELF vs. other executable formats:
- Windows uses PE format (magic: 4D 5A — "MZ")
- macOS uses Mach-O format (magic: FE ED FA CE or CF FA ED FE)
- Java uses class files (magic: CA FE BA BE)
Knowing these signatures lets you quickly identify the target platform of an unknown binary.
Use Case
ELF signature analysis is used in malware detection, binary reverse engineering, file type validation in CI/CD pipelines, and forensic analysis of Linux system compromises.