Timeline for ELF - The start address of .got section is different from the entry point address of the GOT(global offset table)
Current License: CC BY-SA 4.0
12 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Sep 27, 2018 at 16:41 | history | edited | IvanaGyro | CC BY-SA 4.0 | edited title |
| Sep 26, 2018 at 16:32 | vote | accept | IvanaGyro | ||
| Sep 20, 2018 at 19:23 | answer | added | Igor Skochinsky♦ | | timeline score: 2 |
| Sep 20, 2018 at 9:27 | comment | added | IvanaGyro | | @IgorSkochinsky Sorry, I have not explained it clearly. The term, "entry point of GOT", means the address that follows the tag, PLTGOT, in the .dynamic section. The address is also the same as the address of GOT[0] in most of the specifications of the ELF. |
| Sep 20, 2018 at 9:23 | comment | added | perror | | Okay, I was missing the context. But, you have to take into consideration that 'static only analysis' is missing quite a lot of information (sometimes it even renders the analysis too complex to be done). So, this has to be taken into account. |
| Sep 20, 2018 at 9:20 | comment | added | IvanaGyro | | @perror The program I disassembled is a malware. It is a little hard to execute it, but I will try to run it in an isolated environment. |
| Sep 19, 2018 at 9:14 | comment | added | Igor Skochinsky♦ | | what do you mean by "entry point of GOT"? AFAIK there is no such term |
| Sep 19, 2018 at 8:06 | comment | added | perror | | Okay, I better understand your question. But, you should try to look at the .dynamic section at runtime. It may change a lot of things... As the name suggests, it must be initialized only at start time (when the linker has performed its job). My guess is that you will see the addresses of all the listed variables set once at runtime. |
| Sep 19, 2018 at 7:50 | comment | added | IvanaGyro | | I know why the PLT address is repeatedly stored in the GOT. Each of the addresses stores the address of its corresponding external function or external variable. I am curious about the usage of the block before the entry point of the GOT. |
| Sep 19, 2018 at 7:42 | history | edited | IvanaGyro | CC BY-SA 4.0 | added 364 characters in body |
| Sep 19, 2018 at 6:56 | comment | added | perror | | Well, in fact, it is normal that a fresh GOT (without resolution of addresses) is filled with pointers linking the start of the PLT. This is needed for the first initialization of the GOT (remember, the first time you encounter the function@plt, you need to execute the program which is located at the very beginning of the PLT). So, this explains why you have the PLT address repeatedly stored in the GOT (one address per library function that is used in the binary). |
| Sep 18, 2018 at 19:31 | history | asked | IvanaGyro | CC BY-SA 4.0 | |