ELF-format binary programs in Linux (Part 5)


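0x15A8~0x15AB is sh_addr, 4 bytes, sh_addr = 0xC0 00 15 00: the starting address of the section in memory, i.e. where the section is mapped in the virtual address space;
0x15AC~0x15AF is sh_offset, 4 bytes, sh_offset = 0x00 00 15 00: the starting position of the section in the file;
0x15B0~0x15B3 is sh_size, 4 bytes, sh_size = 0x00 00 00 10: the size of the section;
0x15B4~0x15B7 is sh_link, 4 bytes, sh_link = 0x00 00 00 00;
0x15B8~0x15BB is sh_info, 4 bytes, sh_info = 0x00 00 00 00;
0x15BC~0x15BF is sh_addralign, 4 bytes, sh_addralign = 0x00 00 00 04: the section's data is aligned to 16 bytes in memory;
0x15C0~0x15C3 is sh_entsize, 4 bytes, sh_entsize = 0x00 00 00 00.

The parsing of the remaining sections is omitted.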
 
5.4 Results viewed with readelf
1) Display the program's ELF file header
 
$ readelf -h kernel.bin
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           PowerPC
  Version:                           0x1
  Entry point address:               0xc0001500
  Start of program headers:          52 (bytes into file)
  Start of section headers:          5492 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         6
  Section header string table index: 3
2) Display all of the program's program headers
 
$ readelf -l kernel.bin

Elf file type is EXEC (Executable file)
Entry point 0xc0001500
There are 2 program headers, starting at offset 52

Program Headers:
  Type       Offset     VirtAddr   PhysAddr   FileSiz    MemSiz     Flg Align
  LOAD       0x00000000 0xc0000000 0xc0000000 0x00001510 0x00001510 R E 0x10000
  GNU_STACK  0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00     .text
   01
3) Display all of the program's section headers
 
$ readelf -S kernel.bin
There are 6 section headers, starting at offset 0x1574:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        c0001500 001500 000010 00  AX  0   0  4
  [ 2] .comment          PROGBITS        00000000 001510 000038 00      0   0  1
  [ 3] .shstrtab         STRTAB          00000000 001548 00002a 00      0   0  1
  [ 4] .symtab           SYMTAB          00000000 001664 000080 10      5   4  4
  [ 5] .strtab           STRTAB          00000000 0016e4 000025 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)
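4) Display all of the program's header information together, including the ELF file header, the program headers, and the section headers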
 
$ readelf -e kernel.bin
ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           PowerPC
  Version:                           0x1
  Entry point address:               0xc0001500
  Start of program headers:          52 (bytes into file)
  Start of section headers:          5492 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         6
  Section header string table index: 3

There are 6 section headers, starting at offset 0x1574:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        c0001500 001500 000010 00  AX  0   0  4
  [ 2] .comment          PROGBITS        00000000 001510 000038 00      0   0  1
  [ 3] .shstrtab         STRTAB          00000000 001548 00002a 00      0   0  1
  [ 4] .symtab           SYMTAB          00000000 001664 000080 10      5   4  4
  [ 5] .strtab           STRTAB          00000000 0016e4 000025 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

Elf file type is EXEC (Executable file)
Entry point 0xc0001500
There are 2 program headers, starting at offset 52

Program Headers:
  Type       Offset     VirtAddr   PhysAddr   FileSiz    MemSiz     Flg Align
  LOAD       0x00000000 0xc0000000 0xc0000000 0x00001510 0x00001510 R E 0x10000
  GNU_STACK  0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00     .text
   01
The output of the readelf command matches the results obtained by analyzing the ELF file by hand.
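
The same field-by-field walk can be done in code. This is an added example, not part of the original article: it parses an ELF32 big-endian section header table and rejects headers that point outside the file. The function names are hypothetical, the image is constructed in `build_sample` from the values shown on this page, and the order of the names in `.shstrtab` (and therefore each `sh_name` offset) is an assumption.

```python
import struct

EHDR = struct.Struct(">16sHHIIIIIHHHHHH")  # ELF32 file header, big-endian, 52 bytes
SHDR = struct.Struct(">10I")               # ELF32 section header, 40 bytes
SHT_NOBITS = 8                             # section type that occupies no file bytes

def parse_sections(img):
    """Return {name: (sh_addr, sh_offset, sh_size, sh_addralign)} or raise ValueError."""
    if len(img) < EHDR.size:
        raise ValueError("truncated ELF header")
    f = EHDR.unpack_from(img)
    if f[0][:6] != b"\x7fELF\x01\x02":     # magic, ELFCLASS32, ELFDATA2MSB
        raise ValueError("not a big-endian ELF32 file")
    shoff, (shentsize, shnum, shstrndx) = f[6], f[11:14]
    if shentsize != SHDR.size or shstrndx >= shnum or shoff + shnum * shentsize > len(img):
        raise ValueError("section header table is inconsistent with the file size")
    hdrs = [SHDR.unpack_from(img, shoff + i * shentsize) for i in range(shnum)]
    for h in hdrs:                         # h[1]=sh_type, h[4]=sh_offset, h[5]=sh_size
        if h[1] != SHT_NOBITS and h[4] + h[5] > len(img):
            raise ValueError("section data lies outside the file")
    strtab = bytes(img[hdrs[shstrndx][4]:hdrs[shstrndx][4] + hdrs[shstrndx][5]])
    out = {}
    for h in hdrs:
        end = strtab.find(b"\0", h[0])     # h[0]=sh_name, an offset into .shstrtab
        if end < 0:
            raise ValueError("section name is not NUL-terminated inside .shstrtab")
        out[strtab[h[0]:end].decode("ascii")] = (h[3], h[4], h[5], h[8])
    return out

def build_sample():
    """Constructed image carrying the header values this page reads out of kernel.bin."""
    img = bytearray(0x1709)                # .strtab ends at 0x16e4 + 0x25
    EHDR.pack_into(img, 0, b"\x7fELF\x01\x02\x01", 2, 20, 1, 0xC0001500, 52, 0x1574, 0,
                   52, 32, 2, 40, 6, 3)
    names = b"\0.text\0.comment\0.shstrtab\0.symtab\0.strtab\0"  # name order is assumed
    img[0x1548:0x1548 + len(names)] = names
    rows = [(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),                      # null section
            (1, 1, 6, 0xC0001500, 0x1500, 0x10, 0, 0, 4, 0),     # .text
            (7, 1, 0, 0, 0x1510, 0x38, 0, 0, 1, 0),              # .comment
            (16, 3, 0, 0, 0x1548, 0x2A, 0, 0, 1, 0),             # .shstrtab
            (26, 2, 0, 0, 0x1664, 0x80, 5, 4, 4, 0x10),          # .symtab
            (34, 3, 0, 0, 0x16E4, 0x25, 0, 0, 1, 0)]             # .strtab
    for i, row in enumerate(rows):
        SHDR.pack_into(img, 0x1574 + i * 40, *row)
    return img

if __name__ == "__main__":
    for name, (addr, off, size, align) in parse_sections(build_sample()).items():
        print(f"{name or '(null)':10} addr={addr:08x} off={off:06x} size={size:06x} align={align}")
```

The bounds checks matter whenever the ELF file comes from an untrusted source: a loader or analysis tool that trusts `sh_offset` and `sh_size` without comparing them to the file length will read past the end of its buffer.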
 
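6. Summary
A Linux executable (an ELF file) begins with a file header that describes the layout of the program and the properties of the whole file, including whether the file is executable, whether it is statically or dynamically linked, and its entry address. The generated file is therefore no longer a pure binary executable, because the program headers it contains are not executable code. After a file containing these program headers is read into memory, the entry address is read from the program header and execution jumps to that address.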
 




