I’m trying to brush up on UNIX viruses and one text I’m reading mentions that parasitic code can be inserted in the padding between the text and the data segment, supposedly up to 2MB in size on x86-64 systems. But when I compile a simple hello world program with gcc -no-pie… …and inspect its segment headers with readelf -W -l
Tag: elf
How to calculate the total basic block number in a Linux ELF binary
I’m trying to see how many code blocks are not necessary for common software under common usage scenarios. Is there a static binary analysis tool that can calculate the total basic block number of a Linux ELF that? Answer Okay, I wrote a script using Angr to obtain all the basic blocks:
what is segment 00 in my Linux executable program (64 bits)
Here is a very simple assembly program, just return 12 after executed. It can be built and executed correctly: But the size of a.out is big, it is more than 4k: I try to understand it by reading elf content: it is strange, segment 00 is aligned by 0x1000, I think it means such segment at least will occupy 4096
Overlapping mappings for loaded ELF segments
I’d like to understand a detail of how the dynamic loader creates mappings for ELF segments. Consider a tiny shared library linked with GNU ld. The program headers are: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x00095c 0x00095c R E 0x200000 LOAD 0x000df8 0x0000000000200df8 0x0000000000200df8 0x000250 0x000258 RW 0x200000 DYNAMIC 0x000e08 0x0000000000200e08 0x0000000000200e08 0x0001d0 0x0001d0
How does the ELF64 loader know to update the initial addresses in .got.plt?
Consider the following program hello.c: The file is compiled with gcc -o hello -Og -g hello.c and then loaded with gdb hello. Inspecting the GOT for the call to printf with p ‘printf@got.plt’ gives which is the offset of the second instruction in the corresponding PLT entry relative to the start of the section. After starting and linking the program
Relocation addend in ELF files – Elf64_Rel vs Elf64_Rela?
ELF files contain two structures to handle relocations: Elf64_Rel: and Elf64_Rela: I want to take peek at the relocation entries but I’m not sure which one to use. The manual pages are quite cryptic about this. Is there a specific usage for each? Answer This depends on the target. Most targets use only one of the two forms. The Relocation
What is the state of page tables after kexec’ing into an ELF x86_64 binary?
I’m kexec’ing into a binary i wrote compiled to an x86_64 ELF. It runs fine. Since it’s a 64-bit binary, i know the processor must be in 64-bit long mode. Which requires paging to be used, so I know paging must be turned on. My question is, what is the state of these page tables? Is there some area, such
why virtual address of LOAD program header and runtime virtual address shown by gdb is different?
I’ve been trying to understand elf file format and on elf format documentation, VirtAddr of LOAD header should be the virtual address of the loaded segment. But gdb memmap shows segments to be loaded at different virt address. gdb memmap Answer VirtAddr of LOAD header should be the virtual address of the loaded segment. This is only true for ELF
Linux readelf shows object sizes with different numeral system (Hex and Dec)
I’m investigating some objects inside ELF file and using readelf for that purpose. This sample of readelf shows the size (bytes) of the objects on column 3, On large objects, readelf prints in Hex instead of dec, This breaks my size sorting attempts. (sorting ignores hex value) I tried translating all hex to dec like this: and got The size
Segmentation fault when using memory with custom ELF file
I am trying to program a small ELF program with a custom ELF header but have a segmentation fault whenever i am writing to memory. Why would that code trigger a segmentation fault ? %assign LOAD_ADDRESS 0x08048000 BITS 32 org LOAD_ADDRESS ; load address ehdr: ; Elf32_Ehdr db 0x7F, “ELF”, 1, 1, 1 ; e_ident times 9 db 0 ;