From: Daniel Souza <thehazard@gmail.com>
To: linux-c-programming@vger.kernel.org
Subject: Re: x86 and linux stack layout
Date: Sun, 21 Nov 2004 20:07:20 -0300 [thread overview]
Message-ID: <e1e1d5f404112115076e67ff03@mail.gmail.com> (raw)
In-Reply-To: <16801.475.290968.318682@cerise.gclements.plus.com>
Tks Gkynn... Good... well, there's a way to 'recover' stripped
binaries ? any fingerprint that identifies where a function starts in
an executable (like you mentioned, a sequence of stack pushing and esp
decreasing) ? there's a safer way to 'detect' functions ?
How runtime loadable libraries are linked to the executable ? the
functions used from that libraries needs to be realocatted ? like...
supose that:
/home/daniel/example1.c
void main(void)
{
libfoo_init();
}
is compiled and linked to use a runtime library like /lib/libfoo.so.
The executable code of example1 will look like
.....
0x80de4fe8 CALL 0xd3ff483e <libfoo_init>
......
as the executable code will need to be build with a fixed function
address in the CALL opcode... and lets suppose that the address was
0xd3ff483e. Running the same binary in another system, with the same
version of libfoo, but another compilation (i.e., the size of library
and addresses are different), the program will run sucessfuly. The
question is: who realocates the addresses of CALLs ? (if things really
works like that way that im supposing to work)
The addresses along the executable code needs to be rewriten by
something, or there is a "table" where the program finds the desired
function address, and only that table needs to be "reallocated" or
readressable ? like... instead of
.....
0x80de4fe8 CALL 0xd3ff483e <libfoo_init>
......
we have
.....
0x80de4fe8 CALL libfoo_init <libfoo+0x3ef>
......
and a table that tells that libfoo_init is at address 0xYYYYYYYY in
libfoo, or, something else ? when the program starts, something before
the main() (ld.linux) loads all external libraries in the process
address space by mmap'ing the libraries. So, lets supose that libfoo
got mapped at some address AFTER 0xd3ff483e, that is the address in
CALLs. Who will tell the CALLs that libfoo_init() is in another
address ? where these 'tables' are stored on ?
PS: elf sessions are sessions within a elf binary, like, .ctors,
.dtors, etc, ( like, rum "objdump -d /bin/cat", or with the argument
to display all info, that i cant remember right now)
Tks a lot =)
Daniel
next prev parent reply other threads:[~2004-11-21 23:07 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-11-21 13:33 x86 and linux stack layout Daniel Souza
2004-11-21 15:13 ` Justinas
2004-11-21 19:08 ` Glynn Clements
2004-11-21 20:07 ` Daniel Souza
2004-11-21 21:00 ` Glynn Clements
2004-11-21 23:07 ` Daniel Souza [this message]
2004-11-22 3:50 ` Glynn Clements
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e1e1d5f404112115076e67ff03@mail.gmail.com \
--to=thehazard@gmail.com \
--cc=linux-c-programming@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).