find address of PLT stub
I am working on Linux X86_64.

I have a need to determine the address of a specific PLT entry in an ELF file given the name of the dynamic function that the entry represents. I can figure out the file offset from the address, but I need to be able to determine the address.

If I disassemble the ELF file using objdump -D -z elffile I see that objdump uses symbolic names for each entry in the PLT. (Where does objdump obtain the relationship between these addresses and the symbol names?)

example:

0000000000000041a2b0 fileno@plt:

If I use objdump -T elffile | grep fileno I get something like this:

0000000000000   DF *UND*  00000000000000000   GLIBC_2.2.5 fileno

What I need to be able to do from "C" is find the PLT entry in the ELF file for a specific dynamic function and obtain the address.

The background is that I am patching an existing ELF file and need to redirect a function call to a different dynamic function. I have manually patched an ELF file using addresses gathered from objdump disassembly and proven that this will work for my specific application, I just need to be able to do it from a program. I am hoping not to have to crawl through objdump disassembler code to figure out how it gets the PLT entry symbols and addresses.

Radicalism answered 3/5, 2017 at 21:54

Comment (Interradial): Interestingly there doesn't seem to be a way to do this from assembly. Intuitively movq someFunc@PLT, %rax should do it, but that @PLT reference seems to imply linker modifications that mess up the movq, which seems to make these someFunc@PLT references only usable with the call instruction.

I figured this out: You have to parse the relocation table in the .rela.plt section. Those entries contain a symbol table index that can be used to look up the function name by indexing into the dynamic symbol section. Each entry in the dynamic symbol section contains a dynamic string table offset that can be used to pull out the function name. When you find the corresponding function, the index into the relocation table (+1) corresponds to the index into the .plt section for the function's PLT entry. So to calculate the address for a specific entry it is just: .plt.sec address + ((relocation_index + 1) * .plt entry size)

This method works for x86. It does not work for PPC which has a completely different format for the .plt section. If anyone has any info on doing this for PPC please post.

Radicalism answered 24/5, 2017 at 20:16

Comment (Radicalism): Note for i386, the PLT entry size is not reported correctly. You can either multiply the reported PLT entry size by 4, or use 16 for the entry size.

Comment (Cayes): I don't understand how to get the index into the relocation table. Could you please add the code for this?
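The procedure described in the answer, as an added worked example in C (not code from the original post or from any project): parse the section headers, walk .rela.plt in order, resolve each relocation's symbol index through .dynsym and .dynstr, and turn the index of the matching relocation into a stub address. It goes beyond the answer in two ways, both marked in the code: every offset is bounds-checked before it is dereferenced, since a patched or hostile ELF is exactly the input such a tool sees, and both PLT layouts are handled, adding the PLT0 header slot when the stubs live in .plt and no header slot when they live in .plt.sec. The names plt_stub_address and sample_lookup, and the in-memory ELF image (three imports, .plt at 0x401020, relocations in the order puts, fwrite, fileno) are my own; the image is a hand-built sample, not a real binary.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True if a section's bytes lie inside the image (SHT_NOBITS occupies none). */
static int section_ok(size_t len, const Elf64_Shdr *s) {
    return s->sh_type == SHT_NOBITS || (s->sh_offset <= len && s->sh_size <= len - s->sh_offset);
}

/* NUL-terminated string at `off` in an already bounds-checked string-table section, or NULL. */
static const char *str_at(const uint8_t *img, const Elf64_Shdr *strtab, uint64_t off) {
    if (off >= strtab->sh_size) return NULL;
    const char *s = (const char *)(img + strtab->sh_offset + off);
    return memchr(s, 0, strtab->sh_size - off) ? s : NULL;
}

/* Section header called `name`, resolved through .shstrtab; NULL if absent or out of bounds. */
static const Elf64_Shdr *find_section(const uint8_t *img, size_t len, const char *name) {
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    const Elf64_Shdr *sh = (const Elf64_Shdr *)(img + eh->e_shoff), *shstr = &sh[eh->e_shstrndx];
    if (!section_ok(len, shstr)) return NULL;
    for (unsigned i = 0; i < eh->e_shnum; i++) {
        const char *n = str_at(img, shstr, sh[i].sh_name);
        if (n && strcmp(n, name) == 0) return section_ok(len, &sh[i]) ? &sh[i] : NULL;
    }
    return NULL;
}

/* Name of .dynsym entry `idx`, found via sh_link -> .dynstr; NULL if any index is invalid. */
static const char *dynsym_name(const uint8_t *img, size_t len, const Elf64_Shdr *dynsym, uint32_t idx) {
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (dynsym->sh_link >= eh->e_shnum || !section_ok(len, dynsym)) return NULL;
    const Elf64_Shdr *dynstr = (const Elf64_Shdr *)(img + eh->e_shoff) + dynsym->sh_link;
    if (!section_ok(len, dynstr) || ((size_t)idx + 1) * sizeof(Elf64_Sym) > dynsym->sh_size) return NULL;
    return str_at(img, dynstr, ((const Elf64_Sym *)(img + dynsym->sh_offset))[idx].st_name);
}

/* Virtual address of the PLT stub that calls `func`, or 0 if none. Relocation i of .rela.plt owns PLT
 * slot i; in .plt slot 0 is the PLT0 resolver header (so the stub is slot i+1), while .plt.sec, used by
 * binaries built with -fcf-protection, holds the stubs that callers actually jump to and has no header. */
uint64_t plt_stub_address(const uint8_t *img, size_t len, const char *func) {
    if (len < sizeof(Elf64_Ehdr) || memcmp(img, ELFMAG, SELFMAG) || img[EI_CLASS] != ELFCLASS64) return 0;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)img;
    if (eh->e_shoff > len || (size_t)eh->e_shnum * sizeof(Elf64_Shdr) > len - eh->e_shoff ||
        eh->e_shstrndx >= eh->e_shnum) return 0;
    const Elf64_Shdr *plt = find_section(img, len, ".plt.sec");
    uint64_t header_slots = plt ? 0 : 1;
    if (!plt) plt = find_section(img, len, ".plt");
    const Elf64_Shdr *rela = find_section(img, len, ".rela.plt");
    if (!rela || !plt || rela->sh_link >= eh->e_shnum) return 0;
    const Elf64_Shdr *dynsym = (const Elf64_Shdr *)(img + eh->e_shoff) + rela->sh_link;
    uint64_t ent = plt->sh_entsize >= 16 ? plt->sh_entsize : 16; /* x86 stubs are 16 bytes; entsize may be 0 or wrong */
    const Elf64_Rela *r = (const Elf64_Rela *)(img + rela->sh_offset);
    for (uint64_t i = 0; i < rela->sh_size / sizeof(Elf64_Rela); i++) {
        uint32_t symidx = ELF64_R_SYM(r[i].r_info);
        const char *name = symidx ? dynsym_name(img, len, dynsym, symidx) : NULL;
        if (!name || strcmp(name, func) != 0) continue;
        if ((i + header_slots + 1) * ent > plt->sh_size) return 0; /* slot would lie past the section */
        return plt->sh_addr + (i + header_slots) * ent;
    }
    return 0;
}

/* --- Constructed sample, not a real binary: an x86-64 executable importing puts, fileno and fwrite --- */
static union { uint64_t align; uint8_t b[2048]; } g_img;  /* zero-initialised, 8-byte aligned */

static size_t build_sample_image(void) {
    static const char dynstr[] = "\0puts\0fileno\0fwrite";                          /* names at 1, 6, 13 */
    static const char shstr[]  = "\0.dynsym\0.dynstr\0.rela.plt\0.plt\0.shstrtab";  /* at 1, 9, 17, 27, 32 */
    uint8_t *p = g_img.b; size_t off = sizeof(Elf64_Ehdr), dynstr_off = off;
    memcpy(p + off, dynstr, sizeof dynstr); off += sizeof dynstr;
    size_t shstr_off = off; memcpy(p + off, shstr, sizeof shstr);
    off = (off + sizeof shstr + 15) & ~(size_t)15;
    size_t dynsym_off = off; Elf64_Sym *sym = (Elf64_Sym *)(p + off);   /* sym[0] is the null symbol */
    sym[1].st_name = 1; sym[2].st_name = 6; sym[3].st_name = 13;          /* puts, fileno, fwrite */
    off += 4 * sizeof(Elf64_Sym);
    size_t rela_off = off; Elf64_Rela *rel = (Elf64_Rela *)(p + off);    /* PLT order: puts, fwrite, fileno */
    const uint32_t order[3] = {1, 3, 2};
    for (int i = 0; i < 3; i++) { rel[i].r_offset = 0x404018 + 8 * i; rel[i].r_info = ELF64_R_INFO(order[i], R_X86_64_JUMP_SLOT); }
    off += 3 * sizeof(Elf64_Rela);
    size_t plt_off = off; memset(p + off, 0xcc, 4 * 16); off += 4 * 16;  /* PLT0 + 3 stubs; bytes irrelevant here */
    size_t sh_off = off; Elf64_Shdr *sh = (Elf64_Shdr *)(p + off);       /* sh[0] stays the null section */
    sh[1] = (Elf64_Shdr){.sh_name = 1, .sh_type = SHT_DYNSYM, .sh_offset = dynsym_off, .sh_size = 4 * sizeof(Elf64_Sym), .sh_link = 2, .sh_entsize = sizeof(Elf64_Sym)};
    sh[2] = (Elf64_Shdr){.sh_name = 9, .sh_type = SHT_STRTAB, .sh_offset = dynstr_off, .sh_size = sizeof dynstr};
    sh[3] = (Elf64_Shdr){.sh_name = 17, .sh_type = SHT_RELA, .sh_offset = rela_off, .sh_size = 3 * sizeof(Elf64_Rela), .sh_link = 1, .sh_entsize = sizeof(Elf64_Rela)};
    sh[4] = (Elf64_Shdr){.sh_name = 27, .sh_type = SHT_PROGBITS, .sh_addr = 0x401020, .sh_offset = plt_off, .sh_size = 4 * 16, .sh_entsize = 16};
    sh[5] = (Elf64_Shdr){.sh_name = 32, .sh_type = SHT_STRTAB, .sh_offset = shstr_off, .sh_size = sizeof shstr};
    Elf64_Ehdr *eh = (Elf64_Ehdr *)p; memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS64; eh->e_ident[EI_DATA] = ELFDATA2LSB; eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_EXEC; eh->e_machine = EM_X86_64; eh->e_version = EV_CURRENT; eh->e_ehsize = sizeof *eh;
    eh->e_shoff = sh_off; eh->e_shentsize = sizeof(Elf64_Shdr); eh->e_shnum = 6; eh->e_shstrndx = 5;
    return off + 6 * sizeof(Elf64_Shdr);
}

/* Build the sample and resolve one import; a real tool would mmap() or fread() the file into `img`. */
uint64_t sample_lookup(const char *func) { return plt_stub_address(g_img.b, build_sample_image(), func); }

int main(void) { printf("fileno@plt = 0x%llx\n", (unsigned long long)sample_lookup("fileno")); return 0; }
```

With a real file, read the whole image into a buffer and call plt_stub_address(buf, size, "fileno"); the result is the virtual address, which the question's author converts to a file offset separately. In the sample, fileno is the third relocation and the stubs are in .plt, so the answer is 0x401020 + (2 + 1) * 16. The function is ELF64-only; an i386 version would use the Elf32_* structures, R_386_JMP_SLOT and the same index arithmetic, which is also why the 16-byte fallback for sh_entsize is there.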
