Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

find address of PLT stub

Tags:

linux

x86-64

intel

elf

got

plt

I am working on Linux X86_64.

I have a need to determine the address of a specific PLT entry in an ELF file given the name of the dynamic function that the entry represents. I can figure out the file offset from the address, but I need to be able to determine the address.

If I disassemble the ELF file using objdump -D -z elffile I see that objdump uses symbolic names for each entry in the PLT. (Where does objdump obtain the relationship between these addresses and the symbol names?)

example:

0000000000000041a2b0 fileno@plt:

If I use objdump -T elffile | grep fileno I get something like this:

0000000000000   DF *UND*  00000000000000000   GLIBC_2.2.5 fileno

What I need to be able to do from "C" is find the PLT entry in the ELF file for a specific dynamic function and obtain the address.

The background is that I am patching an existing ELF file and need to redirect a function call to a different dynamic function. I have manually patched an ELF file using addresses gathered from objdump disassembly and proven that this will work for my specific application, I just need to be able to do it from a program. I am hoping not to have to crawl through objdump disassembler code to figure out how it gets the PLT entry symbols and addresses.

like image 315
codemonkey Avatar asked May 03 '17 21:05

codemonkey

1 Answers

I figured this out: You have to parse the relocation table in the rela.plt section. Those entries contain a string table index that can be used to lookup the function name by indexing into the dynamic symbol section. Each entry in the dynamic symbol section contains a dynamic string table offset that can be used to pull out the function name. When you find the corresponding function, the index into the relocation table (+1) corresponds to the index into the .plt section for the functions PLT entry. So to calculate the address for a specific entry it is just: .plt.sec address + ((relocation_index + 1) * .plt entry size)

This method works for x86. It does not work for PPC which has a completely different format for the .plt section. If anyone has any info on doing this for PPC please post.

like image 50
codemonkey Avatar answered Oct 02 '22 15:10

codemonkey
Sign in to Comment

Related questions

How to get this simple assembly to run?
How are LDT and GDT used differently in intel x86?
Segmentation fault with array of __m256i when using clang/g++
What does .byte mean in this asm line?
TLB structure in intel
error in backend: 32-bit absolute addressing is not supported in 64-bit mode
Installing R `forecast` package on a Linux Cluster: compiler issues?
Would having the call stack grow upward make buffer overruns safer?
BIOS Disk - Read Sectors Into Memory (int 0x13, ah=0x02) blocking
access violation _mm_store_si128 SSE Intrinsics
AVX scalar operations are much faster
_InterlockedCompareExchange optimization
Real mode BIOS routine and Protected Mode
How do I add contents of text file as a section in an ELF file?
How can I execute MIPS assembly programs on an x86 linux?
Undefined symbols for architecture i386 [duplicate]
How to invoke a system call via syscall or sysenter in inline assembly?
Can I load a 32 bit DLL into a 64 bit process on Windows?
Fast method to copy memory with translation - ARGB to BGR
How do I disassemble raw 16-bit x86 machine code?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!