stackoom
  简体   繁体   中英

In ELF or DWARF, how can I get .PLT section values? — Trying to get the address of a function on where an instrumentation tool is in

 原文  2012-11-06 01:02:47       c/ debugging/ gdb/ elf/ instrumentation

Question

I am working in obtaining all the data of a program using its ELF and DWARF info and by hooking a pin tool to a process that is currently running -- It is kind of a debugger using a Pin tool.

For getting the local variables from the stack I am working with the registers EIP, EBP and ESP which I have access to from Pin.

What stroke me as weird is that I was expecting EIP to be pointing to the current function that was running when the pin tool was attached to the process, but instead EIP is pointing to the section .PLT. In other words, if the pin tool was hooked into the process when Foo() was running, then I was expecting EIP to be pointing to some address inside the Foo function. However it is pointing to the beginning of the .PLT section.

What I need to know is which function the process is currently in -- Is there any way to get the address of the function using the .PLT section? Is there any other ways to get the address of the function from the stack or using Pin? I hope I was clear enough, let me know if there are any questions though.

1 answers

solution1
 0  2012-11-06 06:24:53

I might not be understanding exactly what is going on here...is the instruction pointer really in the .plt section or are you just getting a garbage value from Pin ?

You name the instruction pointer you are reading EIP, which might be a problem if you are running on a 64bit system, is that the case ? You see the instruction pointer register is a 32bit value on a 32bit system, and a 64bit value on a 64bit system. So Pin actually provides 3 REG_* names for the instruction pointer: EIP, RIP and GBP. EIP is always the lower 32bit half of the register, RIP the 64bit value, and GBP one of the two depending on your architecture. Asking for EIP on a 64bit system gives you garbage, same for asking RIP on a 32bit one.

Otherwise, a quick look on Google gives me this . Quoting a bit:

By default the .plt entries are all initialized by the linker not to point to the correct target functions, but instead to point to the dynamic loader itself. Thus, the first time you call any given function, the dynamic loader looks up the function and fixes the target of the .plt so that the next time this .plt slot is used we call the correct function.

And more importantly:

It is possible to instruct the dynamic loader to bind addresses to all of the .plt slots before transferring control to the application—this is done by setting the environment variable LD_BIND_NOW=1 before running the program. This turns out to be useful in some cases when you are debugging a program, for example.

Hope that helps.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Read plt section of ELF binary and print function virtual address How to make the dwarf sections get loaded into memory in an elf file? Why can I get the elf entry without the help of a base address? how to get heap start address of a elf binary How do I convert an elf file from dwarf to stabs format? How can I know where function ends in memory(get the address)- c/c++ How do you get the start and end addresses of a custom ELF section? How to get a pointer to a specific section of a dynamic library (Linux ELF)? How can I get address of literals? How can I get the address of a struct in C?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM