I get some symbol and I get (a hexdump of) an ELF file. How can I know in which section this symbol appears?
What is the difference between .strtab and .shstrtab? Is there another array of symbol strings?
When I get an index for the symbol names table, is it an index in .strtab or in .shstrtab?
For the first question, we would need the hexedit of the elf file to understand properly.
For the second question - strtab stands for String Table shstrtab stands for Section Header String table.
When we read ELF header, we see that every ElfHeader structure contains a member called e_shstrndx. This is an index to the shstrtab. If you use this index and then read from shstrtab you can find the name of that section.
strtab, is the string table for all other references. When you read symbols from an ELF object, every SYmbol structure (Elf32_Sym) has a member called st_name. This is an index into strtab to get the string name of that symbol.
Can you please elaborate more on array of symbol strings? Also, what do you mean by names table?
You can refer to the following link - Reading ELF String Table on Linux from C
Hope this answers your question.
.strtab be used for all strings other than section names. In fact, that’s pretty commonly untrue: symbol names for dynamic linking are usually in a separate string table, .dynstr. In the case of a symbol table (section of type SHT_SYMTAB), the sh_link field of the section entry points you to the correct string table section. –
Haggadist I will take a stab at the first question since Samir answered the second one so well.
The symbol's name will be in one of the STRTAB sections, and then there will be an entry in the symbol table (one of the SYMTAB or DYNSYM sections) which references that string by an offset in the containing section. The entry in the symbol table can tell you the index of the section this symbol is found in, but not where it is used.
For that you need to check the relocation table, contained in sections of type REL; common names include .rel.dyn, .rel.plt. A relocation table lists all the references to symbol in one other code section, i.e. code and relocation sections are paired. Each entry in the table is one "usage" of a symbol, and contains the offset in the corresponding section where the usage is and the index of the symbol in the symbol table.
If you can use the readelf utility, you can easily use readelf -r <binary> | grep <symbol name> to get all the references to a symbol.
If you are set on using hexedit/cannot use readelf, then you would need to
Find the offset of the symbol name string in the binary, what section that is in, and then get the offset of that string in that section;
Look through all the entries in the symbol table and find which one(s) match that name (st_name == offset of string in the string section);
Look through all entries in each relocation table to find symbol usages of that symbol in the corresponding code section for that table. The r_info field of each entry contains the index of the symbol table entry it references (this index is bitmapped to part of r_info, and at different places for 32- and 64-bit).
All relocation entries matching that symbol table index are usages of your string somewhere.
More info:
© 2022 - 2024 — McMap. All rights reserved.