PLT Example Explanation

←itset Brief Introduction to the implementation of –with-abi and –with-arch in gcc → PLT Example ExplanationPosted on May, from admin

by XMJ, Yao

First, x86 ABI Handbook original and translation

Original digest from System V application BINARY INTERFACE.

Figure 5-7: Position-independent Procedure Linkage Table

. PLT0:PUSHL 4 (%EBX)
       jmp *8 (%EBX)
       nop; NOP
       nop; NOP
. PLT1:JMP *name1@got (%EBX)
       pushl $offset
       jmp. PLT0@PC
. PLT2:JMP *name2@got (%EBX)
       pushl $offset
       jmp. Plt0@pc ...

Following the steps below, the dynamic linker and the program "cooperate" to resolve symbolic references through the pro Cedure linkage table and the global offset table.

Dynamic linker and programs, follow the steps below to collaborate on parsing of symbolic references through the process linking table and the global offset table.

1. When first creating the memory image of the program, the dynamic linker sets the second and the third entries in the Globa L Offset table to special values. Steps below explain more about these values.

When the dynamic linker starts to create a memory image of the program, it sets the second, three items in the Global offset table to a specific value. These values are explained in detail in the following steps.

2. If The procedure linkage table is position-independent, the address of the global offset table must reside in%EBX. Each of the shared object file in the process image have its own procedure linkage table, and control transfers to a procedure Lin Kage table entry only from within the same object file. Consequently, the calling function is responsible for setting the global offset table base register before calling the Pro Cedure Linkage table entry.

If the process link table is location-independent, the address of the global offset table must exist in%EBX. Each shared destination file in the process image has its own procedure-linked table and can only be converted from the same destination file to the table entry for the procedure-linked table. Therefore, the calling function needs to set the base register of the global offset table before calling the procedure to link the table entry.

3. For illustration, assume the program calls NAME1, which transfers control to the label. PLT1.

For example, suppose the program calls NAME1, which converts the control to a label. PLT1.

4. The first instruction jumps to the address on the Global offset table entry for name1. Initially, the Global offset table holds the address of the following
PUSHL instruction, not the real address of name1.

The first instruction jumps to the address of the name1 in the Global offset table entry. Initially, the Global offset table holds the address after the PUSHL instruction, not the actual address of the name1.

5. Consequently, the program pushes a relocation offset (offset) on the stack. The relocation offset is a 32-bit, non-negative byte offset into the relocation table. The designated relocation entry would have a type r_386_jmp_slot, and its offset would specify the global offset table entry U Sed in the previous jmp instruction. The relocation entry also contains a symbol table index, thus telling the dynamic linker what symbol is being referenced, Name1 in the case.

Therefore, the program presses a reposition offset (offset) into the stack. The relocation offset is a 32-bit, non-negative, relocation of the table's byte offsets. The relocation item that it specifies will have the R_386_jmp_slot type, and its offset specifies the global offset table entry that was used in the previous JMP directive. The relocation item also contains a symbol table index, so it tells the dynamic linker which symbol is being referenced. In this example, for name1.

6. After pushing the relocation offset, the program then jumps to. PLT0, the first entry in the procedure linkage table. The PUSHL instruction places the value of the second Global Offset table entry (Got_plus_4 or 4 (%EBX)) on the stack, thus Giving the dynamic linker one word of identifying information. The program then jumps to the address in the Third Global Offset table entry (Got_plus_8 or 8 (%EBX)), which transfers cont Rol to the dynamic linker.

After pressing in the relocation offset, the program then jumps to. PLT0, the first item of the Procedure link table. The PUSHL directive presses the second table entry in the Global offset table (Got_plus_4 or 4 (%EBX)) into the stack, thus giving the dynamic linker a word identifying information. The program then jumps to the address of the third table entry in the Global offset table (Got_plus_8 or 8 (%EBX)), which converts the control to a dynamic linker.

7. When the dynamic linker receives control, it unwinds the stack, looks at the designated relocation entry, finds the symbol ' s value, stores the ' real ' address for name1 in IT global offset table entry, and transfers control to the desired des Tination.

When the dynamic linker gets control, it expands the stack, looks at the specified relocation item, discovers the value of the symbol, stores the "actual" address of the name1 in its Global offset table entry, and then transforms the control to the desired destination.

8. Subsequent executions of the procedure Linkage table entry would transfer directly to name1, without calling the dynamic Li Nker a second time. That's, the jmp instruction at. PLT1 would transfer to name1, instead of "falling through" to the PUSHL instruction.

Subsequent execution of the Procedure Link table entry will be converted directly to name1 without the need to invoke the dynamic linker again. In other words, the JMP directive in. PLT1 jumps directly to the name1, without sequentially executing to the PUSHL directive.

Second, the case analysis

1, in order to help understand these boring documents, we combine a practical example to analyze.

The example is simple,

#include 

int
main (void)
{
 printf ("hellogcc\n");

 return 0;
}

2, behind we will see some assembler and some address, in order to understand the meaning of these addresses, we first listed some of the paragraph address range,

(GDB) Maintenance Info Sections Exec file: '/home/yao/sourcecode/plt.exe ', file type elf32-i386. 0x80481d4->0x8048224 at 0x000001d4:. Dynsym ALLOC LOAD READONLY DATA has_contents 0x8048224->0x804826e at 0x00000 224:. dynstr ALLOC load READONLY DATA has_contents 0x8048298->0x80482a0 at 0x00000298:. Rel.dyn ALLOC Load READONLY Data has_contents 0x80482a0->0x80482b8 at 0x000002a0:. Rel.plt ALLOC LOAD READONLY DATA has_contents 0X80482B8-&G T;0x80482e8 at 0x000002b8:. Init ALLOC LOAD READONLY CODE has_contents 0x80482e8->0x8048328 at 0x000002e8:. Plt ALLO
   C load READONLY code has_contents 0x8048330->0x804849c at 0x00000330:. Text ALLOC LOAD READONLY CODE has_contents 0x804849c->0x80484b8 at 0x0000049c:. Fini ALLOC LOAD READONLY CODE has_contents 0x80484b8->0x80484c9 at 0x000004 B8:. Rodata ALLOC load READONLY DATA has_contents 0x80484cc->0x80484d0 at 0x000004cc:. Eh_frame ALLOC Load READONLY DATA has_contents 0X8049F0C->0X8049F14 at 0x00000f0c:. ctors ALLOC Load Data has_contents 0x8049f14->0x8049f1c at 0x00000f14:. dtors ALLOC Load Data has_ CONTENTS 0x8049f1c->0x8049f20 at 0x00000f1c:. JCR ALLOC LOAD DATA has_contents 0x8049f20->0x8049ff0 at 0x00000
   F20:. Dynamic ALLOC Load Data has_contents 0x8049ff0->0x8049ff4 at 0x00000ff0:. Got ALLOC Load Data has_contents 0x8049ff4->0x804a00c at 0x00000ff4:. Got.plt ALLOC LOAD DATA has_contents 0x804a00c->0x804a014 at 0x0000100c:. Da Ta ALLOC LOAD DATA has_contents 0x804a014->0x804a01c at 0x00001014:. BSS ALLOC

3, we look at the actual program, our PLT section inside the content is what.

(GDB) Disassemble 0x80482e8,0x8048328
Dump of assembler code from 0X80482E8 to 0x8048328:
  0x080482e8:  PUSHL  0x8049ff8
  0x080482ee:  jmp    *0x8049ffc
  0x080482f4:  add    %al, (%eax)
  0x080482f6:  add    %al, (%eax)
  0x080482f8:  jmp    *0x804a000
  0x080482fe:  push   $0x0
  0x08048303:  jmp    0x80482e8
  0x08048308:  jmp    *0x804a004
  0x0804830e:  push   $0x8
  0x08048313:  jmp    0x80482e8
  0x08048318:  jmp    *0x804a008
  0x0804831e:  Push   $0x10
  0x08048323:  jmp    0x80482e8

We see that the puts PLT entry, the PLT 3, the front 0 1 and 2 are already occupied. These are the systems
The reserved entry. Different architectures, here may occupy different bibliography of entry. The PLT 0 will be described in this article
To, but the effects of PLT 1 and 2, are not described in this document.

4. The first instruction jumps to the address of the name1 in the Global offset table entry. Initially, the Global offset table holds the address after the PUSHL instruction, not the actual address of the name1.

  0x08048318:     jmp    *0x804a008//-JMP * (_global_offset_table_+20)
  0x0804831e:     push   $0x10      //Push relocation offset.

We can see the 0x804a008 fall in the range of the. GOT.PLT,

   0x8049ff4->0x804a00c at 0x00000ff4:. Got.plt ALLOC LOAD DATA has_contents

(gdb) x/4x 0x804a008
0x804a008: c10/>0x0804831e      0x00000000 0x00000000 0x00000000      

5. Therefore, the program presses a relocation offset (offset) into the stack (see the INSN on 0x0804831e:push 0x10). The relocation offset is a 32-bit, non-negative, relocation of the table's byte offsets. The relocation item that it specifies will have the R_386_jmp_slot type, and its offset specifies the global offset table entry that was used in the previous JMP directive.

Relocation section '. Rel.plt ' at offset 0x2a0 contains 3 entries:
 offset     Info    Type            sym.value  Sym. Name
0804a000  00000107 r_386_jump_slot   00000000   __gmon_start__
0804a004  00000207 r_386_ Jump_slot   00000000   __libc_start_main
0804a008  00000307 r_386_jump_slot   00000000   Puts

We can see that there is a reloc r_386_jump_slot, the corresponding address is 0x804a008, in fact, puts corresponding. GOT.PLT entry.

The relocation item also contains a symbol table index, so it tells the dynamic linker which symbol is being referenced. In this example, for name1.

This offset (0x10) refers to the offset of the REL.PLT segment, which is the third

0804a008  00000307 r_386_jump_slot   00000000   puts

As can be seen here, each of the. Rel.plt is 8 bytes, and this ABI manual in my hand is older and does not introduce the size of this segment and each item.

The relocation item R_386_jump_slot contains the Offset,info,type,symbol information. where offset (0x0804a008) specifies the Global offset table entry used in the previous JMP directive, the symbol information tells the dynamic linker which symbol is being referenced. What the dynamic linker does is to fill in the actual value of the symbol (that is, the value of name1) into the Global offset table entry with an offset of 0x0804a008, which is to update the Global offset table entry for name1.

6. After pressing in the relocation offset, the program then jumps to. PLT0, the first item of the Procedure link table.

  0x08048323
:    jmp    0x80482e8  //Jump to start of the. plt

section. PLT0:
  0x080482e8:  pushl  0x8049ff8
  0x080482ee:  jmp    *0X8049FFC

The PUSHL directive pushes the second table entry of the. GOT.PLT (Got_plus_4 or 4 (%EBX)) into the stack, thus giving the dynamic linker a word identifying information.

  0x8049ff4->0x804a00c at 0x00000ff4:. Got.plt ALLOC LOAD DATA has_contents

The program then jumps to the address of the third table entry in. GOT.PLT (Got_plus_8 or 8 (%EBX)), which converts the control to a dynamic linker.

(gdb) x/x 0x8049ffc
0X8049FFC:    0x00123270
(gdb) disassemble 0x00123270,0x00123280
Dump of Assembler Code from 0x123270 to 0x123280:
  0x00123270:  push   %eax
  0x00123271:  push   %ecx
  0x00123272:  push   %edx
  0x00123273:  mov    0x10 (%esp),%edx
  0x00123277:  mov    0XC (%ESP),%eax
  0x0012327b:call   0x11d5a0

As you can see, ' jmp *0x8049ffc ' jumps to _dl_runtime_resolve, the portal for dynamic linker.

7. When the dynamic linker gets control, it expands the stack, looks at the specified relocation item, discovers the value of the symbol, stores the "actual" address of the name1 in its Global offset table entry, and then transforms the control to the desired destination.

0x804a008:   0x0804831e

Let's see how dynamic linker modifies this, and we set up a hardware on the 0x804a008 watchpoint

(gdb) Watch *0x804a008
Hardware watchpoint 2: *0x804a008
(GDB) C
continuing.
Hardware Watchpoint 2: *0x804a008 old

value = 134513438
New value = 1616016
_dl_fixup (l=, reloc_arg=) at Dl-r untime.c:155
155     dl-runtime.c:no such file or directory.
       In dl-runtime.c

We can see that the content on the address 0x804a008 changed from 134513438 to 1616016,

(GDB) p/x 134513438 $
= 0x804831e
(gdb) p/x 1616016 $
= 0x18a890

Let's see what this new address (1616016 0x18a890) is.

(GDB) Disassemble 0x18a890,0x18a8a0
Dump of assembler code from 0x18a890 to 0x18a8a0:
  0x0018a890:     push   %EBP
  0x0018a891:     mov    %esp,%ebp
  0x0018a893:     Sub    $0x20,%esp
  0x0018a896:     mov    %ebx,-0xc (%EBP)
  0x0018a899:     mov    0x8 (%EBP),%eax
  0x0018a89c:    call   0x143a0f

yay!, we can see that the content on the address 0x804a008 has changed to be the address in the actual glibc.

(GDB) bt
#0  _dl_fixup (l=, reloc_arg=) at dl-runtime.c:155
#1  0x00123280 in _dl_runtime_resolve () At.. /sysdeps/i386/dl-trampoline. s:37
#2  0x080483f9 in Main () at Plt.c:6

This entry is posted in technical article. Bookmark the permalink. ←itset Brief Introduction to the implementation of –with-abi and –with-arch in gcc → Leave a Reply

You must be logged in to post a comment.