
Strange ELF binary

I have a strange ELF binary. I can run this binary on 32-bit Linux.

But if I open this binary with IDA disassembler, IDA says "invalid entry point".

Result of readelf is as below:

root@meltdown-VirtualBox:/home/meltdown# readelf -S -l SimpleVM 

There are no sections in this file.

Elf file type is EXEC (Executable file)
Entry point 0xc023dc
There are 2 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x013c7 0x013c7 RWE 0x1000
  LOAD           0x00019c 0x0804b19c 0x0804b19c 0x00000 0x00000 RW  0x1000

There are no sections. I thought this binary was packed. But the last virtual address of the first LOAD segment is 0xc023c7, and the virtual address of the entry point is 0xc023dc, which is out of range...

Can someone tell me what's going on?

Thank you in advance.

  • /proc/PID/maps is as follows (two processes are created...)

    root@meltdown-VirtualBox:/proc/3510# cat maps
    00110000-00111000 rwxp 00000000 00:00 0 
    006c0000-006c1000 r-xp 00000000 00:00 0          [vdso]
    007d2000-007d4000 rwxp 00000000 00:00 0 
    00c01000-00c02000 rwxp 00000000 08:01 3801242    /home/meltdown/SimpleVM
    00ca4000-00e43000 r-xp 00000000 08:01 17171359   /lib/i386-linux-gnu/libc-2.15.so
    00e43000-00e45000 r-xp 0019f000 08:01 17171359   /lib/i386-linux-gnu/libc-2.15.so
    00e45000-00e46000 rwxp 001a1000 08:01 17171359   /lib/i386-linux-gnu/libc-2.15.so
    00e46000-00e49000 rwxp 00000000 00:00 0 
    08048000-0804b000 r-xp 00000000 00:00 0 
    0804b000-0804c000 rwxp 00000000 00:00 0 
    b77a7000-b77c7000 r-xp 00000000 08:01 17171339   /lib/i386-linux-gnu/ld-2.15.so
    b77c7000-b77c8000 r-xp 0001f000 08:01 17171339   /lib/i386-linux-gnu/ld-2.15.so
    b77c8000-b77c9000 rwxp 00020000 08:01 17171339   /lib/i386-linux-gnu/ld-2.15.so
    bfa90000-bfab1000 rwxp 00000000 00:00 0          [stack]
    
    root@meltdown-VirtualBox:/proc/3511# cat maps
    00110000-00111000 rwxp 00000000 00:00 0 
    006c0000-006c1000 r-xp 00000000 00:00 0          [vdso]
    007d2000-007d4000 rwxp 00000000 00:00 0 
    00c01000-00c02000 rwxp 00000000 08:01 3801242    /home/meltdown/SimpleVM
    00ca4000-00e43000 r-xp 00000000 08:01 17171359   /lib/i386-linux-gnu/libc-2.15.so
    00e43000-00e45000 r-xp 0019f000 08:01 17171359   /lib/i386-linux-gnu/libc-2.15.so
    00e45000-00e46000 rwxp 001a1000 08:01 17171359   /lib/i386-linux-gnu/libc-2.15.so
    00e46000-00e49000 rwxp 00000000 00:00 0 
    08048000-0804b000 r-xp 00000000 00:00 0 
    0804b000-0804c000 rwxp 00000000 00:00 0 
    b77a7000-b77c7000 r-xp 00000000 08:01 17171339   /lib/i386-linux-gnu/ld-2.15.so
    b77c7000-b77c8000 r-xp 0001f000 08:01 17171339   /lib/i386-linux-gnu/ld-2.15.so
    b77c8000-b77c9000 rwxp 00020000 08:01 17171339   /lib/i386-linux-gnu/ld-2.15.so
    bfa90000-bfab1000 rwxp 00000000 00:00 0          [stack]
    
daehee asked Oct 22 '22 20:10


1 Answer

It's probably because of the granularity of mapping length. The length of the mapping is going to be rounded up to be a multiple of the page size. On my system the page size is 4k so the mapping would be rounded up to 4k and encompass the entry point. Even with a page size of 1k the length would round up to 0x1400, enough to include the entry point. If the file is long enough then the extra bytes would probably come from the file instead of the page initialization.

Geoff Reedy answered Oct 24 '22 15:10