I’m trying to brush up on UNIX viruses and one text I’m reading mentions that parasitic code can be inserted in the padding between the text and the data segment, supposedly up to 2MB in size on x86-64 systems. But when I compile a simple hello world program with gcc -no-pie… …and insp…
Tag: elf
How to calculate the total basic block number in a Linux ELF binary
I’m trying to see how many code blocks are not necessary for common software under common usage scenarios. Is there a static binary analysis tool that can calculate the total basic block number of a Linux ELF that? Answer Okay, I wrote a script using Angr to obtain all the basic blocks:
what is segment 00 in my Linux executable program (64 bits)
Here is a very simple assembly program, just return 12 after executed. It can be built and executed correctly: But the size of a.out is big, it is more than 4k: I try to understand it by reading elf content: it is strange, segment 00 is aligned by 0x1000, I think it means such segment at least will occupy 409…
Overlapping mappings for loaded ELF segments
I’d like to understand a detail of how the dynamic loader creates mappings for ELF segments. Consider a tiny shared library linked with GNU ld. The program headers are: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x00095c 0x00095c R E 0x2000…
How does the ELF64 loader know to update the initial addresses in .got.plt?
Consider the following program hello.c: The file is compiled with gcc -o hello -Og -g hello.c and then loaded with gdb hello. Inspecting the GOT for the call to printf with p ‘printf@got.plt’ gives which is the offset of the second instruction in the corresponding PLT entry relative to the start o…
Relocation addend in ELF files – Elf64_Rel vs Elf64_Rela?
ELF files contain two structures to handle relocations: Elf64_Rel: and Elf64_Rela: I want to take peek at the relocation entries but I’m not sure which one to use. The manual pages are quite cryptic about this. Is there a specific usage for each? Answer This depends on the target. Most targets use only …
What is the state of page tables after kexec’ing into an ELF x86_64 binary?
I’m kexec’ing into a binary i wrote compiled to an x86_64 ELF. It runs fine. Since it’s a 64-bit binary, i know the processor must be in 64-bit long mode. Which requires paging to be used, so I know paging must be turned on. My question is, what is the state of these page tables? Is there so…
why virtual address of LOAD program header and runtime virtual address shown by gdb is different?
I’ve been trying to understand elf file format and on elf format documentation, VirtAddr of LOAD header should be the virtual address of the loaded segment. But gdb memmap shows segments to be loaded at different virt address. gdb memmap Answer VirtAddr of LOAD header should be the virtual address of th…
Linux readelf shows object sizes with different numeral system (Hex and Dec)
I’m investigating some objects inside ELF file and using readelf for that purpose. This sample of readelf shows the size (bytes) of the objects on column 3, On large objects, readelf prints in Hex instead of dec, This breaks my size sorting attempts. (sorting ignores hex value) I tried translating all h…
Segmentation fault when using memory with custom ELF file
I am trying to program a small ELF program with a custom ELF header but have a segmentation fault whenever i am writing to memory. Why would that code trigger a segmentation fault ? %assign LOAD_ADDRESS 0x08048000 BITS 32 org LOAD_ADDRESS ; load address ehdr: ; Elf32_Ehdr db 0x7F, “ELF”, 1, 1, 1 ;…