Got and PLT of dynamic link of Linux

Source: Internet
Author: User

We know that a function name is, in effect, a memory address pointing to the function's entry. A call pushes the arguments, saves the return address and jumps to the code the function name points to. The problem: if the function lives in a shared library, the load address of that library is not fixed, so the function's address is not fixed either. How, then, does a program call a function in a shared library? That is what this article answers.

Let's look at a small piece of code (test.c):

    #include <stdio.h>
    void hello_world(void) {
        printf("Hello world!\n");
        return;
    }
    int main(int argc, char *argv[]) {
        hello_world();
        return 0;
    }

Compile with debug info and disassemble with the source interleaved:

    gcc -g test.c -o test
    objdump -S test

    void hello_world(void) {
     80483b4:  55                      push   %ebp
     80483b5:  89 e5                   mov    %esp,%ebp
     80483b7:  83 ec 08                sub    $0x8,%esp
        printf("Hello world!\n");
     80483ba:  c7 04 24 b4 84 04 08    movl   $0x80484b4,(%esp)
     80483c1:  e8 2a ff ff ff          call   80482f0 <puts@plt>
        return;
    }
     80483c6:  c9                      leave
     80483c7:  c3                      ret

    080483c8 <main>:
    int main(int argc, char *argv[]) {
     80483c8:  8d 4c 24 04             lea    0x4(%esp),%ecx
     80483cc:  83 e4 f0                and    $0xfffffff0,%esp
     80483cf:  ff 71 fc                pushl  -0x4(%ecx)
     80483d2:  55                      push   %ebp
     80483d3:  89 e5                   mov    %esp,%ebp
     80483d5:  51                      push   %ecx
     80483d6:  83 ec 04                sub    $0x4,%esp
        hello_world();
     80483d9:  e8 d6 ff ff ff          call   80483b4 <hello_world>
        return 0;
     80483de:  b8 00 00 00 00          mov    $0x0,%eax
    }

When hello_world is called, the instruction is call 80483b4: a direct call to the function's own address, since hello_world is in the same executable.

When printf is called, the instruction is call 80482f0 <puts@plt>, again an absolute address. But the target is named puts@plt rather than printf. What is going on? (gcc has turned printf of a constant string ending in a newline into a call to puts.) puts@plt is evidently an intermediate function inserted by the compiler and linker; let's look at its assembly:

    080482f0 <puts@plt>:
     80482f0:  ff 25 2c 96 04 08       jmp    *0x804962c
     80482f6:  68 10 00 00 00          push   $0x10
     80482fb:  e9 c0 ff ff ff          jmp    80482c0 <_init+0x30>

Now let's analyze it with a debugger:

    gdb test

    (gdb) b main
    Breakpoint 1 at 0x80483d9: file test.c, line 12.
    (gdb) r
    Starting program: /root/test/plt/test

    Breakpoint 1, main () at test.c:12
    12          hello_world();

puts@plt first jumps to *0x804962c. What is stored at 0x804962c?

    (gdb) x 0x804962c
    0x804962c <_GLOBAL_OFFSET_TABLE_+20>:   0x080482f6

So *0x804962c holds 0x080482f6, which is the address of the second instruction of puts@plt. In other words the indirect jump lands on the very next instruction, so puts@plt executes sequentially: it pushes $0x10 and then jumps to 0x80482c0.

Take a look at what is at 0x80482c0; the disassembly shows:

     80482c0:  ff 25 20 96 04 08       jmp    *0x8049620

That jumps through *0x8049620. A lot of detours, but let's keep following and look at *0x8049620:

    (gdb) x 0x8049620
    0x8049620 <_GLOBAL_OFFSET_TABLE_+8>:    0x009ce4c0
    (gdb) x/wa 0x009ce4c0
    0x9ce4c0 <_dl_runtime_resolve>:         0x8b525150

So the chain ends in a call to _dl_runtime_resolve, whose job is to look up the address of the function actually being called (here puts).

Why not call _dl_runtime_resolve directly instead of taking so many detours?

First let hello_world run once, so that puts is called through the PLT:

    (gdb) n

Now look back at the first instruction of puts@plt:

     80482f0:  ff 25 2c 96 04 08       jmp    *0x804962c

    (gdb) x 0x804962c
    0x804962c <_GLOBAL_OFFSET_TABLE_+20>:   0xa39a60 <puts>

Compare with what it held before the call:

    (gdb) x 0x804962c
    0x804962c <_GLOBAL_OFFSET_TABLE_+20>:   0x080482f6

That is, on the first call _dl_runtime_resolve resolves the function's address and stores the address of puts into 0x804962c; every later call jumps to puts directly through that GOT entry, with no further resolution.

Transferred from: http://apps.hi.baidu.com/share/detail/24654313

--------------------------------------------

/* In the original figure (not reproduced here): the first call to a function takes the route marked with the red line; the second and later calls take the route marked with the blue line. */

Finally, we discuss the dynamic linking mechanism of ELF files. Every externally defined symbol has a corresponding entry in the Global Offset Table (GOT), and if the symbol is a function it also has an entry in the Procedure Linkage Table (PLT); each PLT entry corresponds to one GOT entry. Resolving an externally defined function is perhaps the most involved part of the whole ELF specification; the process is described step by step below.

1: The code calls the external function func with an instruction of the form call 0xAABBCCDD. The address 0xAABBCCDD is in fact the address of func's entry in the PLT (assume this entry is labelled .PLT2).

2: The PLT has the following form:

    .PLT0:  pushl 4(%ebx)           /* the GOT address is kept in register %ebx */
            jmp   *8(%ebx)
            nop; nop
            nop; nop
    .PLT1:  jmp   *name1@GOT(%ebx)
            pushl $offset
            jmp   .PLT0@PC
    .PLT2:  jmp   *name2@GOT(%ebx)
            pushl $offset
            jmp   .PLT0@PC

3: Look at the instruction at .PLT2: it jumps indirectly through func's entry in the GOT.

4: Before the symbol has been relocated, func's GOT entry holds the address of the instruction following .PLT2, i.e. pushl $offset, where offset is the relocation offset of the symbol func. Note that this is a second jump.

5: After func's relocation offset has been pushed onto the stack, control jumps to the first entry of the PLT (.PLT0), which pushes the contents of GOT[1] (a word identifying this particular library) and jumps to the address held in GOT[2].

6: GOT[2] holds the address of the dynamic symbol resolution routine. Once it has resolved the symbol func, it writes func's address in memory into the GOT entry corresponding to this symbol.

7: The second time this symbol is called, its GOT entry already contains the symbol's address, so the call goes there directly, with no further detour through the resolver.

Dynamic linking is more complex, but flexibility usually costs complexity. The ultimate goal is to change the value of the GOT entry into the real address of the symbol, which also explains why the .got section is located in a readable and writable segment.
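As an added example (not from the original article), here is a small C model of steps 1 to 7 and of the gdb session above: a GOT-like table whose entries start out unresolved, a stand-in for _dl_runtime_resolve that patches the entry on the first call, and a PLT-like wrapper that afterwards calls straight through the table. All names (got, runtime_resolve, call_via_plt, the symbol table) are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of lazy binding: got[] plays the role of .got.plt.
 * Each entry starts out unresolved (NULL stands for "still points back
 * into the PLT stub") and is overwritten with the real address on the
 * first call, exactly as the GOT+20 entry above changed from
 * 0x080482f6 to the address of puts. */
typedef int (*func_t)(int);

static int real_square(int x) { return x * x; }
static int real_negate(int x) { return -x; }

/* the "shared library" symbol table the resolver searches */
static const struct { const char *name; func_t addr; } symtab[] = {
    { "square", real_square }, { "negate", real_negate },
};

/* relocation table: got[i] belongs to the symbol reloc_names[i] */
static const char *reloc_names[] = { "square", "negate" };
#define NRELOC 2

static func_t got[NRELOC];      /* all NULL: nothing resolved yet */
static int resolve_count;       /* how many times the resolver ran */

/* models _dl_runtime_resolve: takes the reloc index the PLT pushed
 * ($0x10 in the real listing), finds the symbol, patches the GOT
 * entry and returns the resolved target */
static func_t runtime_resolve(int reloc_index) {
    resolve_count++;
    for (size_t i = 0; i < sizeof symtab / sizeof symtab[0]; i++)
        if (strcmp(symtab[i].name, reloc_names[reloc_index]) == 0)
            return got[reloc_index] = symtab[i].addr;
    return NULL;                /* unresolved symbol */
}

/* models one PLT entry: "jmp *got[i]"; only an unpatched entry takes
 * the slow path through the resolver */
static int call_via_plt(int reloc_index, int arg) {
    func_t f = got[reloc_index];
    if (f == NULL)              /* first call: GOT not yet patched */
        f = runtime_resolve(reloc_index);
    return f(arg);
}

int main(void) {
    printf("%d\n", call_via_plt(0, 7));   /* resolver runs once */
    printf("%d\n", call_via_plt(0, 8));   /* direct through the GOT */
    printf("resolver ran %d time(s)\n", resolve_count);
    return 0;
}
```

Because a real GOT must stay writable for this patching, linking with full RELRO (-Wl,-z,relro,-z,now) binds every entry at load time and then makes the GOT read-only.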
