6

I want to see how the plt stubs are being resolved at run time when lazy linking is used and how the GOT is changed along the way. How can I dump the GOT with gdb?

Improve this question

1 Answer 1

Reset to default
7

There are a couple of options for this.

  • Use pwndbg or gef. They have a command called got which looks like this
gef➤ got GOT protection: Partial RelRO | GOT functions: 4 [0x555555755018] free@GLIBC_2.2.5 → 0x555555554606 [0x555555755020] puts@GLIBC_2.2.5 → 0x555555554616 [0x555555755028] malloc@GLIBC_2.2.5 → 0x555555554626 [0x555555755030] sprintf@GLIBC_2.2.5 → 0x555555554636 
pwndbg> got GOT protection: Partial RELRO | GOT functions: 4 [0x555555755018] free@GLIBC_2.2.5 -> 0x555555554606 (free@plt+6) ◂— push 0 /* 'h' */ [0x555555755020] puts@GLIBC_2.2.5 -> 0x555555554616 (puts@plt+6) ◂— push 1 [0x555555755028] malloc@GLIBC_2.2.5 -> 0x555555554626 (malloc@plt+6) ◂— push 2 [0x555555755030] sprintf@GLIBC_2.2.5 -> 0x555555554636 (sprintf@plt+6) ◂— push 3
  • According to their sources both use readelf as such to display this information
$ readelf --relocs ll Relocation section '.rela.dyn' at offset 0x4a0 contains 9 entries: Offset Info Type Sym. Value Sym. Name + Addend 000000200dd8 000000000008 R_X86_64_RELATIVE 750 000000200de0 000000000008 R_X86_64_RELATIVE 710 000000201040 000000000008 R_X86_64_RELATIVE 201040 000000200fd0 000200000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_deregisterTMClone + 0 000000200fd8 000400000006 R_X86_64_GLOB_DAT 0000000000000000 __libc_start_main@GLIBC_2.2.5 + 0 000000200fe0 000500000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0 000000200fe8 000700000006 R_X86_64_GLOB_DAT 0000000000000000 _Jv_RegisterClasses + 0 000000200ff0 000900000006 R_X86_64_GLOB_DAT 0000000000000000 _ITM_registerTMCloneTa + 0 000000200ff8 000a00000006 R_X86_64_GLOB_DAT 0000000000000000 __cxa_finalize@GLIBC_2.2.5 + 0 Relocation section '.rela.plt' at offset 0x578 contains 4 entries: Offset Info Type Sym. Value Sym. Name + Addend 000000201018 000100000007 R_X86_64_JUMP_SLO 0000000000000000 free@GLIBC_2.2.5 + 0 000000201020 000300000007 R_X86_64_JUMP_SLO 0000000000000000 puts@GLIBC_2.2.5 + 0 000000201028 000600000007 R_X86_64_JUMP_SLO 0000000000000000 malloc@GLIBC_2.2.5 + 0 000000201030 000800000007 R_X86_64_JUMP_SLO 0000000000000000 sprintf@GLIBC_2.2.5 + 0

And then use this output to dump GOT while debugging.

  • Another method is to use plt symbols to resolve got
pwndbg> disass 'puts@plt' Dump of assembler code for function puts@plt: 0x0000555555554610 <+0>: jmp QWORD PTR [rip+0x200a0a] # 0x555555755020 0x0000555555554616 <+6>: push 0x1 0x000055555555461b <+11>: jmp 0x5555555545f0 End of assembler dump. pwndbg> tele 0x555555755020 00:0000│ 0x555555755020 (_GLOBAL_OFFSET_TABLE_+32) —▸ 0x7ffff7aa2f90 (puts) ◂— push r13 01:0008│ 0x555555755028 (_GLOBAL_OFFSET_TABLE_+40) —▸ 0x7ffff7ab4f10 (malloc) ◂— push rbp 02:0010│ 0x555555755030 (_GLOBAL_OFFSET_TABLE_+48) —▸ 0x7ffff7a892d0 (sprintf) ◂— sub rsp, 0xd8 03:0018│ 0x555555755038 (data_start) ◂— 0x0 04:0020│ 0x555555755040 (__dso_handle) ◂— 0x555555755040 /* '@PuUUU' */ 05:0028│ 0x555555755048 (completed) ◂— 0x0 ... ↓ pwndbg> print puts $13 = {<text variable, no debug info>} 0x7ffff7aa2f90 <_IO_puts>
Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.