Lab 03 - Executables. Static Analysis

This page is a copy from the Archive and is kept online as a reference only.

References: System V Application Binary Interface; a reference on function calling conventions; Solaris Linker and Libraries Guide; Prelink, by Jakub Jelinek, and the prelink man page.

Besides the Program Headers, an ELF file usually has another kind of header, the Section Header, which describes the attributes of an ELF section. The Program Headers are used during execution (the ELF "execution view"): they tell the kernel or the runtime linker ld.so how to load the binary into memory.

The Section Headers are used during compile-time linking (the ELF "linking view"): they tell the link editor ld how to resolve symbols and how to group similar byte streams from different ELF object files.

Each Program Header describes a "segment": it contains the segment's permissions (Readable, Writeable or Executable), its offset into the file (a segment is just a byte stream within the file), its size, and the virtual address at which it is to be loaded. The size in the file and the size in memory are recorded separately; they differ for segments that end in uninitialized data.

The following table shows the purposes of some special segments; its rows are listed at the end of this page. Likewise, each Section Header contains the file offset of its corresponding "content" and the size of that content.
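The two views side by side, as an added example (this is not the lab's own code): the program below builds a small ELF64 image in memory (a constructed image, not a real binary, with one PT_INTERP and two PT_LOAD segments plus a .shstrtab and a .text section), then walks the program headers the way the kernel and ld.so do (counting PT_LOAD segments and pulling out the PT_INTERP path the kernel hands control to, as described further down) and looks a section up by name through e_shstrndx the way the link editor does. Every table offset is bounds-checked against the buffer first, because a parser that trusts e_phoff, e_shoff or p_offset from an untrusted file reads out of bounds. The interpreter path, offsets and sizes are assumptions chosen for the example.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMG_SIZE 4096

/* Constructed ELF64 image (not a real binary): PT_INTERP, two PT_LOADs, .shstrtab and .text. */
static _Alignas(16) unsigned char img[IMG_SIZE];

static void build_image(void)
{
    static const char interp[] = "/lib64/ld-linux-x86-64.so.2";     /* assumed interpreter path */
    static const char shstr[] = "\0.shstrtab\0.text";               /* name offsets: 1 and 11 */
    Elf64_Ehdr *eh = (Elf64_Ehdr *)img;
    Elf64_Phdr *ph;
    Elf64_Shdr *sh;

    memset(img, 0, sizeof img);
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64;  eh->e_ident[EI_DATA] = ELFDATA2LSB;  eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_DYN;  eh->e_machine = EM_X86_64;  eh->e_version = EV_CURRENT;
    eh->e_entry = 0x200;  eh->e_ehsize = sizeof *eh;
    eh->e_phoff = sizeof *eh;  eh->e_phentsize = sizeof(Elf64_Phdr);  eh->e_phnum = 3;
    eh->e_shoff = 0xa00;       eh->e_shentsize = sizeof(Elf64_Shdr);  eh->e_shnum = 3;  eh->e_shstrndx = 1;
    memcpy(img + 0x300, interp, sizeof interp);
    memcpy(img + 0x700, shstr, sizeof shstr);

    ph = (Elf64_Phdr *)(img + eh->e_phoff);
    ph[0] = (Elf64_Phdr){ .p_type = PT_INTERP, .p_flags = PF_R, .p_offset = 0x300, .p_vaddr = 0x300,
                          .p_filesz = sizeof interp, .p_memsz = sizeof interp, .p_align = 1 };
    ph[1] = (Elf64_Phdr){ .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_offset = 0, .p_vaddr = 0,
                          .p_filesz = 0x800, .p_memsz = 0x800, .p_align = 0x1000 };
    ph[2] = (Elf64_Phdr){ .p_type = PT_LOAD, .p_flags = PF_R | PF_W, .p_offset = 0x800, .p_vaddr = 0x1800,
                          .p_filesz = 0x100, .p_memsz = 0x300, .p_align = 0x1000 };   /* memsz > filesz: .bss tail */

    sh = (Elf64_Shdr *)(img + eh->e_shoff);
    sh[1] = (Elf64_Shdr){ .sh_name = 1, .sh_type = SHT_STRTAB, .sh_offset = 0x700, .sh_size = sizeof shstr };
    sh[2] = (Elf64_Shdr){ .sh_name = 11, .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_EXECINSTR,
                          .sh_addr = 0x200, .sh_offset = 0x200, .sh_size = 0x100 };
}

/* Reject any header whose tables do not fit inside the buffer. */
static int check_ehdr(const unsigned char *buf, size_t len)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0) return -1;
    if (eh->e_ident[EI_CLASS] != ELFCLASS64 || eh->e_ident[EI_DATA] != ELFDATA2LSB) return -1;
    if (eh->e_phentsize != sizeof(Elf64_Phdr) || eh->e_shentsize != sizeof(Elf64_Shdr)) return -1;
    if (eh->e_phoff > len || (uint64_t)eh->e_phnum * sizeof(Elf64_Phdr) > len - eh->e_phoff) return -1;
    if (eh->e_shoff > len || (uint64_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff) return -1;
    return 0;
}

/* Execution view: list the program headers, count PT_LOADs, copy the PT_INTERP path into interp.
   Returns the PT_LOAD count, or -1 for a malformed image. */
static int walk_phdrs(const unsigned char *buf, size_t len, char *interp, size_t cap)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    const Elf64_Phdr *ph;
    int nload = 0;

    if (cap == 0 || check_ehdr(buf, len) != 0) return -1;
    interp[0] = '\0';
    ph = (const Elf64_Phdr *)(buf + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        printf("phdr %d: type=0x%x %c%c%c off=0x%llx vaddr=0x%llx filesz=0x%llx memsz=0x%llx\n", i, ph[i].p_type,
               ph[i].p_flags & PF_R ? 'R' : '-', ph[i].p_flags & PF_W ? 'W' : '-', ph[i].p_flags & PF_X ? 'E' : '-',
               (unsigned long long)ph[i].p_offset, (unsigned long long)ph[i].p_vaddr,
               (unsigned long long)ph[i].p_filesz, (unsigned long long)ph[i].p_memsz);
        if (ph[i].p_type == PT_LOAD) nload++;
        if (ph[i].p_type == PT_INTERP) {            /* the segment bytes are the interpreter path */
            size_t n = ph[i].p_filesz;
            if (n == 0 || ph[i].p_offset > len || n > len - ph[i].p_offset) return -1;
            if (n > cap - 1) n = cap - 1;
            memcpy(interp, buf + ph[i].p_offset, n);
            interp[n] = '\0';
        }
    }
    return nload;
}

/* Linking view: find a section by name via the section-name string table. Returns its file offset or -1. */
static long find_section(const unsigned char *buf, size_t len, const char *name)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    const Elf64_Shdr *sh, *names;

    if (check_ehdr(buf, len) != 0 || eh->e_shstrndx >= eh->e_shnum) return -1;
    sh = (const Elf64_Shdr *)(buf + eh->e_shoff);
    names = &sh[eh->e_shstrndx];
    if (names->sh_offset > len || names->sh_size > len - names->sh_offset) return -1;
    for (int i = 0; i < eh->e_shnum; i++) {
        if (sh[i].sh_name >= names->sh_size) continue;               /* name offset outside .shstrtab */
        const char *s = (const char *)buf + names->sh_offset + sh[i].sh_name;
        if (memchr(s, '\0', names->sh_size - sh[i].sh_name) == NULL) continue;   /* unterminated name */
        if (strcmp(s, name) == 0) return (long)sh[i].sh_offset;
    }
    return -1;
}

int main(void)
{
    char interp[128];
    build_image();
    printf("PT_LOAD segments: %d\n", walk_phdrs(img, sizeof img, interp, sizeof interp));
    printf("interpreter: %s\n.text at file offset 0x%lx\n", interp, find_section(img, sizeof img, ".text"));
    return 0;
}
```

The same two walks, run over a real file read into a buffer, reproduce the headline numbers of readelf -l and readelf -S; the point of keeping check_ehdr separate is that every later access is reached only through offsets it has already vetted.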

The following table shows the purposes of some special sections; most of the information comes from the LSB specification, and the first rows of the table are listed at the end of this page. Depending on the compiler, uninitialized global variables may be stored in a nameless section called COMMON, named after Fortran 77's "common blocks".

To wit, consider the following code:

If one wants globalVar to reside in a named section instead of COMMON, the -fno-common option is needed. Using -fno-common is encouraged, as the following example shows:

See the GCC manual for details (since GCC 10, -fno-common is the default). The GNU-style symbol hash table (.gnu.hash) is supported since GCC 4 with a matching binutils; see the referenced documents for its structure and the hash algorithm. The runtime linker ld.so uses it to speed up symbol lookup. For the symbol versioning sections (.gnu.version, .gnu.version_d and .gnu.version_r), see the referenced documents for the details of symbol versioning.

.rela.dyn: for dynamic binaries, this relocation table holds the entries for variables (data references and GOT slots) which must be relocated upon loading. .rela.plt: this relocation table is similar to the one in .rela.dyn, but its entries are the GOT slots used by the PLT for function calls, which ld.so may resolve lazily at the first call.

.rela.text: for object files compiled with the -c option, this section tells the link editor ld where and how to "patch" the executable code in .text.

When the shell makes an execve system call to run an executable binary, the Linux kernel responds as follows (see the referenced documents for more details), in sequence:

The System V Application Binary Interface specifies that, when the binary carries a PT_INTERP segment, the operating system, instead of running the user's executable binary directly, should run this "interpreter".

This interpreter performs the binding of the user's executable binary to its dependencies. The referenced link provides general tips for building Glibc. To compile Glibc's ld.so: ... For example, to print the address, one would need to use ... If we put another breakpoint at main and continue, then when it stops, the memory map changes to this:

Note that there are two small memory regions with null permissions (---p). These are the gaps between the PT_LOAD segments of a library: ld.so reserves the library's whole address range in one mapping, then gives each segment its own permissions and leaves the holes inaccessible. As mentioned earlier, the ELF "execution view" is concerned with how to load an executable binary into memory.

Also note that each of libc's ... The two [anon] memory segments at 0x... and 0x... are for sections which do not take space in the ELF file: their memsz is larger than their filesz, as with .bss. For example, readelf -t xxx.so shows ... The above debugging information does not show the mmap and mprotect calls; however, we can use strace to see them. If we run the user program again under strace:
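How the memory map above follows from the program headers, as an added example (not the lab's code): given a PT_LOAD table, the function below computes the page-granular mappings ld.so creates for a shared object loaded at a given base, in the simplified form of glibc's segment mapping: a file-backed range per segment, an anonymous zero-filled range where memsz exceeds filesz (the [anon] regions above), and a no-permission range for any gap between two segments (the ---p regions above). The program headers are constructed for the example in the shape readelf -l prints for a small PIE, the base address and path are assumptions, and a 4 KiB page size is assumed.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE         0x1000ULL                 /* assumed page size */
#define PAGE_DOWN(x) ((x) & ~(PAGE - 1))
#define PAGE_UP(x)   PAGE_DOWN((x) + PAGE - 1)

/* One mapping the loader would create: [start, end) with prot taken from p_flags (PF_R|PF_W|PF_X);
   anon is 1 when the range is backed by zero pages rather than by the file. */
struct mapping { uint64_t start, end; uint32_t prot; int anon; };

/* Constructed PT_LOAD table (not from a real file): R, R+E, R and RW segments. The RW one starts a
   page after the previous one ends and has memsz well beyond filesz, so both a hole and a .bss tail show. */
static const Elf64_Phdr demo_loads[] = {
    /* p_type, p_flags,   p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align */
    { PT_LOAD, PF_R,        0x0000, 0x0000, 0x0000, 0x05c8, 0x05c8, 0x1000 },
    { PT_LOAD, PF_R | PF_X, 0x1000, 0x1000, 0x1000, 0x01e5, 0x01e5, 0x1000 },
    { PT_LOAD, PF_R,        0x2000, 0x2000, 0x2000, 0x0110, 0x0110, 0x1000 },
    { PT_LOAD, PF_R | PF_W, 0x2db8, 0x4db8, 0x4db8, 0x0268, 0x1270, 0x1000 },
};

/* Turn the PT_LOAD entries of ph[0..n) into the mappings ld.so would create for an object loaded at
   base (PT_LOADs must be sorted by p_vaddr, as the ABI requires). Returns the number of mappings
   written to out, or -1 if out is too small or the table is malformed. */
static int plan_mappings(const Elf64_Phdr *ph, int n, uint64_t base, struct mapping *out, int cap)
{
    int count = 0, have_prev = 0;
    uint64_t prev_end = 0;                          /* page-rounded end of the previous PT_LOAD */

    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        uint64_t start  = PAGE_DOWN(ph[i].p_vaddr);
        uint64_t filepg = PAGE_UP(ph[i].p_vaddr + ph[i].p_filesz);   /* end of the file-backed pages */
        uint64_t mempg  = PAGE_UP(ph[i].p_vaddr + ph[i].p_memsz);    /* end of the whole segment */
        if (ph[i].p_filesz > ph[i].p_memsz || (have_prev && start < prev_end)) return -1;
        /* A gap between two PT_LOADs stays inside the object's reservation with no permissions:
           this is where the ---p regions in /proc/PID/maps come from. */
        if (have_prev && start > prev_end) {
            if (count == cap) return -1;
            out[count++] = (struct mapping){ base + prev_end, base + start, 0, 1 };
        }
        if (filepg > start) {
            if (count == cap) return -1;
            out[count++] = (struct mapping){ base + start, base + filepg, ph[i].p_flags & 7, 0 };
        }
        /* memsz > filesz: bytes past p_filesz are zero-filled. The rest of the last file-backed page is
           zeroed in place; whole extra pages become an anonymous mapping, shown as [anon]. */
        if (mempg > filepg) {
            if (count == cap) return -1;
            out[count++] = (struct mapping){ base + filepg, base + mempg, ph[i].p_flags & 7, 1 };
        }
        prev_end = mempg > filepg ? mempg : filepg;
        have_prev = 1;
    }
    return count;
}

/* Print the plan in the style of /proc/PID/maps. */
static void print_plan(const struct mapping *m, int n, const char *path)
{
    for (int i = 0; i < n; i++)
        printf("%012llx-%012llx %c%c%cp %s\n", (unsigned long long)m[i].start, (unsigned long long)m[i].end,
               m[i].prot & PF_R ? 'r' : '-', m[i].prot & PF_W ? 'w' : '-', m[i].prot & PF_X ? 'x' : '-',
               m[i].anon ? "[anon]" : path);
}

int main(void)
{
    struct mapping plan[16];
    int n = plan_mappings(demo_loads, 4, 0x555555554000ULL, plan, 16);   /* assumed load base */
    if (n < 0) { puts("malformed program header table"); return 1; }
    print_plan(plan, n, "/tmp/a.out");                                   /* assumed path */
    return 0;
}
```

Compare the printed plan with the strace output of the mmap and mprotect calls mentioned above: the file-backed ranges are the mmap calls, the [anon] tail is an anonymous mmap, and the ---p gap is an mprotect to PROT_NONE. The kernel loads the main executable a little differently and simply leaves such a gap unmapped.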

For the compiler part, GCC uses different prolog and epilog object files (the crt*.o start files) depending on the command-line options. To see them, execute gcc -dumpspecs, and one can see ... Similarly, if the -shared option is not used, then Glibc's crt1.o is always included.

Next, include Glibc's crti.o. Finally, include either crtbeginT.o (for -static) or crtbegin.o (crtbeginS.o for position-independent output). So, for example, if a program is compiled with dynamic linking (the default), no profiling and no fast-math optimizations, then the linking will include the following files in the following order: crt1.o, crti.o, crtbegin.o, the user's object files and libraries, crtend.o, crtn.o.

The profiling start file (gcrt1.o, selected by -pg) initializes the gprof-related data structures. It is not advisable to put code in the ... section; similarly, it is not advisable to put code in the ... section. To see this, run gcc with the -v option, and the last line would be something like: ... Of course, if the user program itself calls exit or abort, then exit gets called from there. If one tries to build a program which does not contain main, then one should see the following error: ... From the above analysis, it is possible to find out the address of main, which is NOT the "Entry point address" seen in the output of readelf -h a.out: the entry point is _start, which passes main to __libc_start_main.

On 64-bit x86, the calling convention requires that the first argument goes in the RDI register, so the address of main can be extracted from the instruction that loads RDI right before _start calls __libc_start_main (e.g. in the objdump -d listing of _start). According to Chapter 3 of ... The readelf -d a.out output ... What does prelink do? It assigns each dynamic library a fixed base address in the user program's address space ahead of time and rewrites the library's relocations for that address, so that when the library is loaded there ld.so has no relocation work left to do.
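Extracting main from _start mechanically, as an added example (not the lab's code): the function below scans the bytes of _start for the instruction that loads RDI immediately before the call to __libc_start_main, and decodes the three encodings glibc's crt1.o uses: mov rdi, imm32 and mov edi, imm32 in non-PIE executables, and the RIP-relative lea rdi, [rip+disp32] in PIE executables, where the target is the address of the next instruction plus the displacement. Requiring the call to follow directly keeps an immediate that happens to contain the same opcode bytes from matching. The two _start byte sequences are constructed for the example in the shape glibc emits; the entry addresses and the resulting main addresses are assumptions, not taken from any real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Does a CALL start at p? _start reaches __libc_start_main either directly (E8 rel32)
   or through the GOT (FF 15 disp32, i.e. call *[rip+disp32]). */
static int is_call(const uint8_t *p, size_t left)
{
    return (left >= 5 && p[0] == 0xe8) || (left >= 6 && p[0] == 0xff && p[1] == 0x15);
}

/* Scan the bytes of _start (loaded at virtual address entry) for the RDI load that sits right
   before the call to __libc_start_main. Returns the address of main, or 0 if no pattern matches. */
static uint64_t find_main(const uint8_t *code, size_t len, uint64_t entry)
{
    for (size_t i = 0; i < len; i++) {
        /* 48 C7 C7 imm32: mov rdi, imm32 sign-extended to 64 bits (non-PIE) */
        if (i + 7 <= len && code[i] == 0x48 && code[i + 1] == 0xc7 && code[i + 2] == 0xc7
            && is_call(code + i + 7, len - i - 7))
            return (uint64_t)(int64_t)(int32_t)rd32(code + i + 3);
        /* BF imm32: mov edi, imm32, zero-extended into rdi (non-PIE, small addresses) */
        if (i + 5 <= len && code[i] == 0xbf && is_call(code + i + 5, len - i - 5))
            return rd32(code + i + 1);
        /* 48 8D 3D disp32: lea rdi, [rip + disp32] (PIE); rip is the address of the next instruction */
        if (i + 7 <= len && code[i] == 0x48 && code[i + 1] == 0x8d && code[i + 2] == 0x3d
            && is_call(code + i + 7, len - i - 7))
            return entry + i + 7 + (uint64_t)(int64_t)(int32_t)rd32(code + i + 3);
    }
    return 0;
}

/* Constructed _start of a non-PIE binary, entry assumed at 0x401020; main is at 0x401136. */
static const uint8_t start_nopie[] = {
    0x31, 0xed, 0x49, 0x89, 0xd1, 0x5e, 0x48, 0x89, 0xe2, 0x48, 0x83, 0xe4, 0xf0, 0x50, 0x54,
    0x49, 0xc7, 0xc0, 0xb0, 0x11, 0x40, 0x00,      /* mov r8,  __libc_csu_fini */
    0x48, 0xc7, 0xc1, 0x40, 0x11, 0x40, 0x00,      /* mov rcx, __libc_csu_init */
    0x48, 0xc7, 0xc7, 0x36, 0x11, 0x40, 0x00,      /* mov rdi, main             */
    0xff, 0x15, 0xd2, 0x2f, 0x00, 0x00,            /* call *__libc_start_main@GOTPCREL(%rip) */
    0xf4 };

/* Constructed _start of a PIE binary, entry assumed at 0x1040; the lea sits at 0x1058,
   so main = 0x105f + 0xca = 0x1129. */
static const uint8_t start_pie[] = {
    0xf3, 0x0f, 0x1e, 0xfa, 0x31, 0xed, 0x49, 0x89, 0xd1, 0x5e, 0x48, 0x89, 0xe2,
    0x48, 0x83, 0xe4, 0xf0, 0x50, 0x54, 0x45, 0x31, 0xc0, 0x31, 0xc9,
    0x48, 0x8d, 0x3d, 0xca, 0x00, 0x00, 0x00,      /* lea rdi, [rip+0xca]  -> main */
    0xff, 0x15, 0x5e, 0x2f, 0x00, 0x00,            /* call *__libc_start_main@GOTPCREL(%rip) */
    0xf4 };

int main(void)
{
    printf("non-PIE main: 0x%llx\n", (unsigned long long)find_main(start_nopie, sizeof start_nopie, 0x401020));
    printf("PIE main:     0x%llx\n", (unsigned long long)find_main(start_pie, sizeof start_pie, 0x1040));
    return 0;
}
```

On a real binary, feed the function the bytes at the "Entry point address" from readelf -h (the first few dozen bytes of .text) together with that address; for a stripped PIE the result is the link-time address of main, to which the load base must be added at runtime.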

Normally, a dynamic library is built as position-independent code, i.e. it can be loaded at any address and its link-time base address is 0. For example, a normal libc.so has a base address of 0 in readelf -l, while a prelinked one has a non-zero base. How to disable prelinking at runtime? ... First to be processed is .rela.dyn. If prelink is used, i.e. ... The next to be processed by ld.so is .rela.plt. This time, the address returned is the runtime address of foo in libfoo.so. As mentioned earlier, this address holds the initial value of foo.

The above example also illustrates the difference between .rela.dyn and .rela.plt. For the runtime linker ld.so, ... Since the relocations of both bar and printf are in .rela.plt, ... So how does ld.so find it? ... So it has to be relocated and patched as b0.
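The arithmetic ld.so performs on the .rela.dyn and .rela.plt entries discussed above, as an added example (not the lab's code): a symbol search over the loaded objects in load order (first definition wins, which is what makes LD_PRELOAD interposition work) and the value written into each GOT slot for the common x86-64 relocation types, with B the base of the object being relocated, S the runtime value of the symbol, A the addend and P the address of the slot. The objects a.out, libfoo.so and libc.so.6, their base addresses, symbol values and relocation entries are all constructed for the example; none of them come from a real process.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sym    { const char *name; uint64_t st_value; };     /* link-time value, relative to the object's base */
struct object { const char *name; uint64_t base; const struct sym *syms; int nsyms; };
struct reloc  { uint64_t r_offset; uint32_t type; const char *sym; int64_t addend; };

/* Symbol search in the global scope: objects are searched in load order, first definition wins. */
static int lookup(const struct object *scope, int n, const char *name, uint64_t *value)
{
    for (int i = 0; i < n; i++)
        for (int j = 0; j < scope[i].nsyms; j++)
            if (strcmp(scope[i].syms[j].name, name) == 0) {
                *value = scope[i].base + scope[i].syms[j].st_value;   /* S = base + st_value */
                return i;
            }
    return -1;
}

/* Compute the value stored at B + r_offset for one RELA entry of self.
   Returns 0 and sets *out, or -1 for an undefined symbol or unsupported type. */
static int apply_reloc(const struct object *self, const struct reloc *r,
                       const struct object *scope, int nscope, uint64_t *out)
{
    uint64_t S = 0, P = self->base + r->r_offset;
    if (r->sym != NULL && lookup(scope, nscope, r->sym, &S) < 0) return -1;   /* "symbol lookup error" */
    switch (r->type) {
    case R_X86_64_RELATIVE:  *out = self->base + r->addend;            return 0;   /* B + A, no symbol */
    case R_X86_64_GLOB_DAT:                                                        /* GOT slot of a variable: S */
    case R_X86_64_JUMP_SLOT: *out = S;                                 return 0;   /* GOT slot behind a PLT stub: S */
    case R_X86_64_64:        *out = S + r->addend;                     return 0;   /* S + A */
    case R_X86_64_PC32:      *out = (uint32_t)(S + r->addend - P);     return 0;   /* S + A - P, as ld patches .text */
    default:                                                           return -1;
    }
}

/* Process a whole relocation table; values[i] receives the result for rels[i]. Returns n or -1. */
static int relocate(const struct object *self, const struct reloc *rels, int n,
                    const struct object *scope, int nscope, uint64_t *values)
{
    for (int i = 0; i < n; i++)
        if (apply_reloc(self, &rels[i], scope, nscope, &values[i]) < 0) return -1;
    return n;
}

/* Constructed scope (assumed names, bases and symbol values), in load order. */
static const struct sym main_syms[] = { { "main", 0x1129 } };
static const struct sym foo_syms[]  = { { "foo", 0x4010 }, { "bar", 0x1100 } };
static const struct sym libc_syms[] = { { "printf", 0x60770 } };
static const struct object objs[] = {
    { "a.out",     0x555555554000ULL, main_syms, 1 },
    { "libfoo.so", 0x7ffff7fc0000ULL, foo_syms,  2 },
    { "libc.so.6", 0x7ffff7d80000ULL, libc_syms, 1 },
};

/* Constructed relocation entries of a.out: two from .rela.dyn, two from .rela.plt. */
static const struct reloc main_relocs[] = {
    { 0x3dc8, R_X86_64_RELATIVE,  NULL,     0x1120 },   /* .rela.dyn: pointer to local code, B + A */
    { 0x3fe0, R_X86_64_GLOB_DAT,  "foo",    0 },        /* .rela.dyn: GOT slot of the variable foo */
    { 0x4000, R_X86_64_JUMP_SLOT, "bar",    0 },        /* .rela.plt: GOT slot used by bar@plt    */
    { 0x4008, R_X86_64_JUMP_SLOT, "printf", 0 },        /* .rela.plt: GOT slot used by printf@plt */
};

int main(void)
{
    uint64_t v[4];
    if (relocate(&objs[0], main_relocs, 4, objs, 3, v) < 0) { puts("unresolved symbol"); return 1; }
    for (int i = 0; i < 4; i++)
        printf("*(0x%llx) = 0x%llx  (%s)\n", (unsigned long long)(objs[0].base + main_relocs[i].r_offset),
               (unsigned long long)v[i], main_relocs[i].sym ? main_relocs[i].sym : "RELATIVE");
    return 0;
}
```

With lazy binding, the two JUMP_SLOT values are not written at load time: each slot initially points back into its own PLT stub and gets the value computed above on the first call, through the resolver; with -z now or LD_BIND_NOW they are written up front, like the GLOB_DAT slot. A prelinked library loaded at exactly its prelinked base yields, for its RELATIVE entries, the value already present in the file, which is why ld.so can skip them.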

This usually happens when the dynamic binary in question is built with a newer version of GCC. The solution is to recompile the code either with the -static option (to create a static binary) or with the following option: ... According to the ld documentation, the old-school ... For example, the GCC of version 4.... For more information, see the referenced documents. Other members of the pthread struct which are of interest: ... Since the pthread struct is opaque, how can one obtain the above information, or more precisely, the offsets of these members within the pthread struct? One way is to load Glibc's debug information into gdb and ask for the layout with ptype /o struct pthread; the offsets depend on the Glibc version, so they must be read from the very libc the target binary uses.

Segment table, rows:

.bss: "Block Started by Symbol", the uninitialized data area containing statically-allocated variables; it occupies no bytes in the file (memsz exceeds filesz in its PT_LOAD).
PT_LOAD: only segments of this type are loaded into memory during execution.
PT_DYNAMIC: for dynamic binaries, this segment holds the dynamic linking information and is usually the same as the .dynamic section.
PT_INTERP: for dynamic binaries, this holds the full pathname of the runtime linker ld.so.
PT_GNU_STACK: this segment does not have any content; it is just an indicator. Its permission flags indicate whether the stack is executable or not.
PT_GNU_RELRO: this segment indicates the memory region which should be made read-only after relocation is done.
A further segment type usually appears in a dynamic link library and contains ...

Section table, first rows:

.bss: uninitialized global data ("Block Started by Symbol"). To wit, consider the following code: ... Using -fno-common is encouraged, as the following example shows: ... However, if one uses -fno-common, the compiler will complain: ...
.dynamic: for dynamic binaries, this section holds the dynamic linking information used by ld.so.
.dynstr: NULL-terminated strings holding the names of the symbols in .dynsym. One can dump them with commands such as readelf -p .dynstr a.out.
.dynsym: for dynamic binaries, this section is the symbol table of the globally visible symbols. For example, if a dynamic link library wants to export its symbols, these symbols will be stored here.

