From: Glynn Clements <glynn@gclements.plus.com>
To: Daniel Souza <thehazard@gmail.com>
Cc: linux-c-programming@vger.kernel.org
Subject: Re: x86 and linux stack layout
Date: Mon, 22 Nov 2004 03:50:16 +0000 [thread overview]
Message-ID: <16801.25080.296482.584911@cerise.gclements.plus.com> (raw)
In-Reply-To: <e1e1d5f404112115076e67ff03@mail.gmail.com>
Daniel Souza wrote:
> Tks Gkynn... Good... well, there's a way to 'recover' stripped
> binaries ? any fingerprint that identifies where a function starts in
> an executable (like you mentioned, a sequence of stack pushing and esp
> decreasing) ? there's a safer way to 'detect' functions ?
Exported functions exist in the symbol table regardless of whether the
executable has been stripped. Stripping removes the debug information,
but exported functions must still be identifiable in case they are
required for linking.
Note that "nm" normally displays the debug information, while "nm -D"
displays the symbol table used for linking.
As for detecting function boundaries, any address which is the target
of a CALL instruction is likely to be the start of a function. I don't
think that there's a more reliable way to detect the end of a
function.
> How runtime loadable libraries are linked to the executable ? the
> functions used from that libraries needs to be realocatted ?
Calls to functions in shared libraries are implemented using indirect
jumps, so only the table of addresses needs to be relocated.
Performing relocations directly on the text sections would prevent the
memory from being shared between multiple processes.
The situation is complicated by lazy binding, where the addresses
initially point into the loader; the first time that a function is
called, the loader finds the actual address then replaces the indirect
address.
If you want the exact details, use "objdump -d ..." to disassemble the
binary, or use gdb's "disassemble" command (and the "stepi"
instruction to step by machine code instructions rather than by C
statements).
> PS: elf sessions are sessions within a elf binary, like, .ctors,
> .dtors, etc, ( like, rum "objdump -d /bin/cat", or with the argument
> to display all info, that i cant remember right now)
Those are called "sections" (or sometimes "segments").
--
Glynn Clements <glynn@gclements.plus.com>
prev parent reply other threads:[~2004-11-22 3:50 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-21 13:33 x86 and linux stack layout Daniel Souza
2004-11-21 15:13 ` Justinas
2004-11-21 19:08 ` Glynn Clements
2004-11-21 20:07 ` Daniel Souza
2004-11-21 21:00 ` Glynn Clements
2004-11-21 23:07 ` Daniel Souza
2004-11-22 3:50 ` Glynn Clements [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=16801.25080.296482.584911@cerise.gclements.plus.com \
--to=glynn@gclements.plus.com \
--cc=linux-c-programming@vger.kernel.org \
--cc=thehazard@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).