HackMDDynamic library support for shecc
黎詠哲, 李協儒
Motivation
Currently, shecc can only generate statically-linked ELF executables. This results in inefficient space utilization. Therefore, your task is to provide an option to produce dynamically-linked ELF executables that link to glibc.
Methodology
The two ELF's "views" are as follows:
+-----------------+
+----| ELF File Header |----+
| +-----------------+ |
v v
+-----------------+ +-----------------+
| Program Headers | | Section Headers |
+-----------------+ +-----------------+
|| ||
|| ||
|| ||
|| +------------------------+ ||
+--> | Contents (Byte Stream) |<--+
+------------------------+
In reality, the layout of a typical ELF executable binary on a disk file is like this:
+-------------------------------+
| ELF File Header |
+-------------------------------+
| Program Header for segment #1 |
+-------------------------------+
| Program Header for segment #2 |
+-------------------------------+
| ... |
+-------------------------------+
| Contents (Byte Stream) |
| ... |
+-------------------------------+
| Section Header for section #1 |
+-------------------------------+
| Section Header for section #2 |
+-------------------------------+
| ... |
+-------------------------------+
| ".shstrtab" section |
+-------------------------------+
| ".symtab" section |
+-------------------------------+
| ".strtab" section |
+-------------------------------+
To support dynamic link, we need to add headers and sections to ELF file. We need to follow the sequence of above ELF views and write necessary data one by one to output ELF file. Below is the list of headers and sections that we need to write to ELF file.
Program headers
DYNAMIC: For dynamic binaries, this segment hold dynamic linking information and is usually the same as.dynamicsection in ELF's linking view.INTERP: For dynamic binaries, this holds the full pathname of runtime linkerld.so. This segement is the same as.interpsection in ELF's linking view.
Section headers
.dynamic: For dynamic binaries, this section holds dynamic linking information used byld.so..dynstr: NULL-terminated strings of names of symbols in.dynsymsection..dynsym: Runtime/Dynamic symbol table. For dynamic binaries, this section is the symbol table of globally visible symbols. For example, if a dynamic link library wants to export its symbols, these symbols will be stored here. On the other hand, if a dynamic executable binary uses symbols from a dynamic link library, then these symbols are stored here too. The symbol names (as NULL-terminated strings) are stored in .dynstr section..got: For dynamic binaries, this Global Offset Table holds the addresses of variables which are relocated upon loading..got.plt: For dynamic binaries, this Global Offset Table holds the addresses of functions in dynamic libraries. They are used by trampoline code in.pltsection. If.got.pltsection is present, it contains at least three entries, which have special meanings..interp: For dynamic binaries, this holds the full pathname of runtime linkerld.so..plt: For dynamic binaries, this Procedure Linkage Table holds the trampoline/linkage code..rela.dyn: Runtime/Dynamic relocation table. For dynamic binaries, this relocation table holds information of variables which must be relocated upon loading. Each entry in this table is a structElf64_Rela(see/usr/include/elf.h)..rela.plt: Runtime/Dynamic relocation table. This relocation table is similar to the one in.rela.dynsection; the difference is this one is for functions, not variables.
Current Progress (Updated in read time)
- Wrote the program header
INTERPto ELF file but it made section headers broken. - Listed all the necessay headers and sections for dynamic link.
- We know what headers and sections
SHECCneed to write to ELF file. But we still struggled to figure out the detail of each headers and sections when we tried to put these data to ELF. So now we try to write these headers to ELF file one by one and make sure it won't make other headers broken. - It will take some time for implementation and test. We will keep updating the progress.
Implementation Records
Record 01: Tried to write data to generate dynamically-linked ELF but failed.
We tried to write necessary data to ELF file and use readelf -a command to check if data is written to the file correctly. Below is the part of ELF file we made SHECC generated.
Entry point address: 0x10068
Start of program headers: 52 (bytes into file)
Start of section headers: 12627 (bytes into file)
Flags: 0x5000200, Version5 EABI, soft-float ABI
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 6
Section header string table index: 5
...
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] <no-strings> LOPROC+0x274732 00000000 000000 000000 00 XMSIOxxxo 0 0 0
[ 1] <no-strings> NULL 0000000b 000001 000007 00 65620 84 12388
[ 2] <no-strings> RELA 00000011 000001 000003 0c 78008 12472 96
[ 3] <no-strings> RELA 00000017 000002 000000 0c 0 12568 0
[ 4] <no-strings> RELA 0000001f 000003 000000 0c M 0 12568 0
[ 5] <no-strings> PROGBITS 00000001 000003 000000 00 0 12568 39
...
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
INTERP 0x000054 0x00010054 0x00010054 0x00014 0x00014 R 0x4
[Requesting program interpreter: ]
LOAD 0x000054 0x00010054 0x00010054 0x030c4 0x030c4 RWE 0x4
We wrote program header INTERP to ELF file successfully but we also made section headers broken. The reason might be that we didn't set the ELF header Start of section headers correctly.
Prepare skeleton code like listing.s and tweak the RISC-V- code generation of shecc to adapt ELF headers and sections.
Record 02: ELF Header Modifications
We modified the elf_generate_header() function to support dynamic linking by implementing conditional ELF type selection:elf_generate_header and ELF file we made SHECC generated.
void elf_generate_header(int dynamic_linking_enabled) {
// ELF Magic number and identification
elf_write_header_int(0x464c457f); // Magic: 0x7F followed by ELF
elf_write_header_byte(1); // 32-bit
elf_write_header_byte(1); // little-endian
elf_write_header_byte(1); // EI_VERSION
elf_write_header_byte(0); // System V
// Key modification: Conditional ELF type selection
elf_write_header_int(dynamic_linking_enabled ? 3 : 2); // ET_DYN or ET_EXEC
}
Verification of the header modification showed successful type change to DYN
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: None
Version: 0x1002800
Entry point address: 0x54000000
Record 03: Dynamic Linking Section Implementation
Section String Table Additions
Added the following dynamic linking related sections to the string table:
.dynstr.dynsym.dynamic.interp.rela.plt.plt.got
shstr section table
/* shstr section; len = 39(static), 93(dynamic) */
elf_write_section_byte(0);
elf_write_section_str(".shstrtab", 9);
elf_write_section_byte(0);
elf_write_section_str(".text", 5);
elf_write_section_byte(0);
elf_write_section_str(".data", 5);
elf_write_section_byte(0);
if (dynamic_linking_enabled) {
elf_write_section_str(".dynstr", 7);
elf_write_section_byte(0);
elf_write_section_str(".dynsym", 7);
elf_write_section_byte(0);
elf_write_section_str(".dynamic", 8);
elf_write_section_byte(0);
elf_write_section_str(".interp", 8);
elf_write_section_byte(0);
elf_write_section_str(".rela.plt", 9);
elf_write_section_byte(0);
elf_write_section_str(".plt", 4);
elf_write_section_byte(0);
elf_write_section_str(".got", 4);
elf_write_section_byte(0);
}
elf_write_section_str(".symtab", 7);
elf_write_section_byte(0);
elf_write_section_str(".strtab", 7);
elf_write_section_byte(0);
Implemented section headers following the ELF32_Shdr structure:
ELF32_Shdr
typedef struct {
Elf32_Word sh_name;
Elf32_Word sh_type;
Elf32_Word sh_flags;
Elf32_Addr sh_addr;
Elf32_Off sh_offset;
Elf32_Word sh_size;
Elf32_Word sh_link;
Elf32_Word sh_info;
Elf32_Word sh_addralign;
Elf32_Word sh_entsize;
}ELF32_Shdr
Dynamic Sections Generation
if (dynamic_linking_enabled) {
/* .interp section header */
elf_write_section_int(48);
elf_write_section_int(1);
elf_write_section_int(2);
elf_write_section_int(ELF_START + elf_header_len);
elf_write_section_int(elf_header_len);
elf_write_section_int(19);
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(1);
elf_write_section_int(0);
/* .dynsym section header */
elf_write_section_int(31);
elf_write_section_int(11);
elf_write_section_int(2);
elf_write_section_int(ELF_START + elf_header_len + 19);
elf_write_section_int(elf_header_len + 19);
elf_write_section_int(33);
elf_write_section_int(4);
elf_write_section_int(1);
elf_write_section_int(4);
elf_write_section_int(16);
/* .dynstr section header */
elf_write_section_int(23);
elf_write_section_int(3);
elf_write_section_int(2);
elf_write_section_int(ELF_START + elf_header_len + 19 + 33);
elf_write_section_int(elf_header_len + 19 + 33);
elf_write_section_int(10);
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(1);
elf_write_section_int(0);
/* .dynamic section header */
elf_write_section_int(39);
elf_write_section_int(6);
elf_write_section_int(3);
elf_write_section_int(ELF_START + elf_header_len + 62);
elf_write_section_int(elf_header_len + 62);
elf_write_section_int(16);
elf_write_section_int(4);
elf_write_section_int(0);
elf_write_section_int(4);
elf_write_section_int(8);
/* .rela.plt section header */
elf_write_section_int(57);
elf_write_section_int(4);
elf_write_section_int(66);
elf_write_section_int(ELF_START + elf_header_len + 78);
elf_write_section_int(elf_header_len + 78);
elf_write_section_int(12);
elf_write_section_int(2);
elf_write_section_int(8);
elf_write_section_int(4);
elf_write_section_int(12);
/* .plt section header */
elf_write_section_int(67);
elf_write_section_int(1);
elf_write_section_int(6);
elf_write_section_int(ELF_START + elf_header_len + 90);
elf_write_section_int(elf_header_len + 90);
elf_write_section_int(12);
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(4);
elf_write_section_int(16);
/* .got section header */
elf_write_section_int(72);
elf_write_section_int(1);
elf_write_section_int(3);
elf_write_section_int(ELF_START + elf_header_len + 102);
elf_write_section_int(elf_header_len + 102);
elf_write_section_int(12);
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(4);
elf_write_section_int(4);
}
Next, we Implemented elf_generate_dynamic_sections() to create:
.dynamicsection withDT_NEEDEDentries.interpsection pointing to "/lib/ld-linux.so.3".dynstrsection containing "libc.so.6".dynsymsection with global symbol entries.rela.pltsection for relocation entries.pltsection with ARM32 PLT entries.gotsection with three global offset tables
void elf_generate_dynamic_sections()
void elf_generate_dynamic_sections() {
/* .dynamic section*/
elf_write_section_int(1); /* DT_NEEDED */
elf_write_section_int(elf_strtab_index); /* offset in .dynstr */
elf_write_section_int(0); /* DT_NULL */
elf_write_section_int(0); /* End of .dynamic */
/* .interp section */
elf_write_section_str("/lib/ld-linux.so.3", 18); /* interpreter */
elf_write_section_int(0); /* End of .interp */
/* .dynstr section */
elf_write_section_str("libc.so.6", 9); /* dynamic linked library */
elf_write_section_byte(0); /* End of .dynsym */
/* dynsym section*/
elf_write_section_int(0); /* NULL entry */
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_byte(0);
elf_write_section_byte(0);
elf_write_section_byte(0 & 0xFF);
elf_write_section_byte(0 >> 8 & 0xFF); /* SHN_UNDEF*/
elf_write_section_int(1); /* offset to "libc.so.6" */
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_byte(0x10); /* STB_GLOBAL | STT_OBJECT */
elf_write_section_byte(0);
elf_write_section_byte(0 & 0xFF);
elf_write_section_byte(0 >> 8 & 0xFF); /* SHN_UNDEF */
elf_write_section_int(0); /* End of .dynsym*/
/* .rela.plt section */
elf_write_section_int(0);
elf_write_section_int(0x16); /* R_ARM_JUMP_SLOT */
elf_write_section_int(0); /* r_addend*/
/* .plt section */
/* ARM32 PLT entry */
elf_write_code_int(0xe28fc600); /* add ip, pc, #0 */
elf_write_code_int(0xe28cca00); /* add ip, ip, #0 */
elf_write_code_int(0xe5bcf000); /* ldr pc, [ip, #0]! */
/* .got section */
elf_write_section_int(0); /* GOT[0]: Reserved */
elf_write_section_int(0); /* GOT[1]: Reserved */
elf_write_section_int(0); /* GOT[2]: "libc.so.6" entry */
}
and when the init of the void elf_generate_sections, the compiler would generate the dynamic sections first.
void elf_generate_sections
void elf_generate_sections(int dynamic_linking_enabled) {
if (dynamic_linking_enabled) {
elf_generate_dynamic_sections();
}
/* existing code ... */
Current Issues
- Build Failures
The implementation currently produces build errors in stage 2:
$ make
GEN out/libc.inc
CC out/src/main.o
LD out/shecc
SHECC out/shecc-stage1.elf
SHECC out/shecc-stage2.elf
qemu-arm: out/shecc-stage1.elf: Invalid ELF image for this architecture
make: *** [Makefile:114: out/shecc-stage2.elf] Error 255
- ELF Validation Errors
readelfanalysis reveals several critical issues
$ readelf -a
readelf: Error: Too many program headers - 0x2000 - the file is not that big
readelf: Warning: The e_shentsize field in the ELF header is larger than the size of an ELF section header
readelf: Error: Reading 2621440 bytes extends past end of file for section headers
readelf: Error: Section headers are not available!
readelf: Error: Too many program headers - 0x2000 - the file is not that big
readelf: Error: Too many program headers - 0x2000 - the file is not that big
it indicates that:
- Invalid program header count (0x2000)
- Incorrect
e_shentsizein ELF header - Section header offset extends beyond file size
- Incorrect section count (10240)
- ELF file
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: None
Version: 0x1002800
Entry point address: 0x54000000
Start of program headers: 872415488 (bytes into file)
Start of section headers: 1056964608 (bytes into file)
Flags: 0x31
Size of this header: 2 (bytes)
Size of program headers: 13317 (bytes)
Number of program headers: 8192
Size of section headers: 256 (bytes)
Number of section headers: 10240
Section header string table index: 1536
There is no dynamic section in this file.
It seems that the elf doesn't get the right programs and sections header both in size and numbers
Next Steps
To fix these problems, we need to correct calculation of:
- Program header count and size
- Section header count and size
- File offsets for all sections
Action Items
- 先利用簡單的方法產生正確有效的執行檔。
- 判斷 section 是否有存在的必要,確認是哪一些 elf section 是有必要的
.plt相當於 cache 去幫忙.got,也像 cache 一樣會有替換 symbol 的情形(用於完整的 elf loader),.got建立 symbol name 的 的關聯.shtab是必要的rela.plt會需要使用機械碼是因為 __libc_start_main() 進入點需要將 argc, argv, 推進 stack (calling convention).rel做 relocation 要怎麼做(參閱規格書),alignment 對齊問題。 "__libc_start_main" 的 relocation 要做對- page alignment (參考
amacc/amacc.c#2013)
Record 04: Dynamic Linking Section Implementation
According to the previous action item, I generate the right and effective ELF file through gcc and then that shecc genertate the right ELF header and add .dynamic section in program header table and section header table, But the current problem is that the section header name couldn't show right name in the table.
- ELF generated by
shecc
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: ARM
Version: 0x1
Entry point address: 0x10054
Start of program headers: 52 (bytes into file)
Start of section headers: 12664 (bytes into file)
Flags: 0x5000200, Version5 EABI, soft-float ABI
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 7
Section header string table index: 6
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] ree detected^J NULL 00000000 000000 000000 00 0 0 0
[ 1] d^J PROGBITS 00010054 000054 003064 00 WAX 0 0 4
[ 2] PROGBITS 000130b8 0030b8 000060 00 WA 0 0 4
[ 3] World^J DYNAMIC 00000000 000000 000010 08 WA 4 0 4
[ 4] ^A SYMTAB 00000000 003118 000000 10 4 0 4
[ 5] STRTAB 00000000 003128 000000 00 0 0 1
[ 6] ee detected^J STRTAB 00000000 003118 000030 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), y (purecode), p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000054 0x00010054 0x00010054 0x030c4 0x030c4 RWE 0x4
DYNAMIC 0x003118 0x00013118 0x00013118 0x00010 0x00010 RW 0x4
Section to Segment mapping:
Segment Sections...
00 d^J
01
Dynamic section at offset 0x3118 contains 2 entries:
Tag Type Name/Value
0x20656572 (<unknown>: 20656572) 0x65746564
0x64657463 (Operating System specific: 64657463) 0x6425000a
There are no relocations in this file.
Symbol table '^A' contains 0 entries:
Num: Value Size Type Bind Vis Ndx Name
No version information found in this file.
void elf_generate_header() {
/* ELF header */
elf_write_header_int(0x464c457f); /* Magic: 0x7F followed by ELF */
elf_write_header_byte(1); /* 32-bit */
@@ -76,14 +65,14 @@ void elf_generate_header()
elf_write_header_byte(0); /* System V */
elf_write_header_int(0); /* EI_ABIVERSION */
elf_write_header_int(0); /* EI_PAD: unused */
- elf_write_header_byte(2); /* ET_EXEC */
+ elf_write_header_byte(3); /* ET_EXEC */
elf_write_header_byte(0);
elf_write_header_byte(ELF_MACHINE);
elf_write_header_byte(0);
elf_write_header_int(1); /* ELF version */
elf_write_header_int(ELF_START + elf_header_len); /* entry point */
- elf_write_header_int(0x34); /* program header offset */
- elf_write_header_int(elf_header_len + elf_code_idx + elf_data_idx + 39 +
+ elf_write_header_int(0x34); /* program header offset */
+ elf_write_header_int(elf_header_len + elf_code_idx + elf_data_idx + 48 + 32 + 16 +
elf_symtab_index +
elf_strtab_index); /* section header offset */
/* flags */
@@ -92,13 +81,13 @@ void elf_generate_header()
elf_write_header_byte(0);
elf_write_header_byte(0x20); /* program header size */
elf_write_header_byte(0);
- elf_write_header_byte(1); /* number of program headers */
+ elf_write_header_byte(2); /* number of program headers */
elf_write_header_byte(0);
elf_write_header_byte(0x28); /* section header size */
elf_write_header_byte(0);
- elf_write_header_byte(6); /* number of sections */
+ elf_write_header_byte(7); /* number of sections */
elf_write_header_byte(0);
- elf_write_header_byte(5); /* section index with names */
+ elf_write_header_byte(6); /* section index with names */
elf_write_header_byte(0);
/* program header - code and data combined */
@@ -110,10 +99,26 @@ void elf_generate_header()
elf_write_header_int(elf_code_idx + elf_data_idx); /* size in memory */
elf_write_header_int(7); /* flags */
elf_write_header_int(4); /* alignment */
+ /* program header - dynamic segment */
+ elf_write_header_int(2); /* PT_DYNAMIC */
+ elf_write_header_int(elf_header_len + elf_code_idx + elf_data_idx); /* offset of segment */
+ elf_write_header_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx); /* virtual address */
+ elf_write_header_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx); /* physical address */
+ elf_write_header_int(16); /* size in file */
+ elf_write_header_int(16); /* size in memory */
+ elf_write_header_int(6); /* flags */
+ elf_write_header_int(4); /* alignment */
}
void elf_generate_sections() {
+ /* .dynamic section*/
+ elf_write_section_int(1); /* DT_NEEDED */
+ elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx +
+ elf_symtab_index + 16); /* offset in .dynstr */
+ elf_write_section_int(0); /* DT_NULL */
+ elf_write_section_int(0); /* End of .dynamic */
+
/* symtab section */
for (int b = 0; b < elf_symtab_index; b++)
elf_write_section_byte(elf_symtab[b]);
@@ -130,6 +135,8 @@ void elf_generate_sections()
elf_write_section_byte(0);
elf_write_section_str(".data", 5);
elf_write_section_byte(0);
+ elf_write_section_str(".dynamic", 8);
+ elf_write_section_byte(0);
elf_write_section_str(".symtab", 7);
elf_write_section_byte(0);
elf_write_section_str(".strtab", 7);
@@ -173,8 +180,20 @@ void elf_generate_sections()
elf_write_section_int(4);
elf_write_section_int(0);
+ /* .dynamic section header */
+ elf_write_section_int(23);
+ elf_write_section_int(6);
+ elf_write_section_int(3);
+ elf_write_section_int(0); // sh_addr
+ elf_write_section_int(0); // sh_offset
+ elf_write_section_int(16);
+ elf_write_section_int(4);
+ elf_write_section_int(0);
+ elf_write_section_int(4);
+ elf_write_section_int(8);
+
/* .symtab */
- elf_write_section_int(0x17);
+ elf_write_section_int(32);
elf_write_section_int(2);
elf_write_section_int(0);
elf_write_section_int(0);
@@ -186,12 +205,12 @@ void elf_generate_sections()
elf_write_section_int(16);
/* .strtab */
- elf_write_section_int(0x1f);
+ elf_write_section_int(40);
elf_write_section_int(3);
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx +
- elf_symtab_index);
+ elf_symtab_index + 16);
elf_write_section_int(elf_strtab_index); /* size */
elf_write_section_int(0);
elf_write_section_int(0);
@@ -205,15 +224,14 @@ void elf_generate_sections()
elf_write_section_int(0);
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx +
elf_symtab_index + elf_strtab_index);
- elf_write_section_int(39);
+ elf_write_section_int(48);
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(1);
elf_write_section_int(0);
}
Another action item is that deciding the necessary sections, the neccessary added sections for dynamic linked feature are .dynamic, .interp, .got, .rela.plt and .rela
Record 04: Generate Correct Dynamic Program Header and Section Table
Github Repo
Goal: Add PT_INTERP and PT_DYNAMIC entries to the program header and define the corresponding .interp and .dynamic sections, so the generated ELF file is properly linked to the shared library libc.so.6 and uses the dynamic linker /lib/ld-linux.so.3.
-
Adjusting the ELF Header Length
In src/globals.c, we increase elf_header_len from 0x54 to 0x94. The reason is that each program header entry is 32 bytes, and we need two additional entries (for PT_INTERP and PT_DYNAMIC).
src/globals.c
/* Existing Code */
/* ELF sections */
char *elf_code;
int elf_code_idx = 0;
char *elf_data;
int elf_data_idx = 0;
char *elf_header;
int elf_header_idx = 0;
- int elf_header_len = 0x54; /* ELF fixed: 0x34 + 1 * 0x20 */
+int elf_header_len = 0x94; /* ELF fixed: 0x34 + 3 * 0x20 */
int elf_code_start;
int elf_data_start;
char *elf_symtab;
char *elf_strtab;
char *elf_section;
/* Existing Code */
-
Adding the
PT_INTERPandPT_DYNAMICSegmentsNext, we add the two new program header entries immediately after the existing
PT_LOADentry. This ensures that the ELF loader knows:- Which dynamic linker to invoke (
PT_INTERP). - How to handle dynamic linking information (
PT_DYNAMIC).
- Which dynamic linker to invoke (
/* program header - interpreter segment */
elf_write_header_int(3); /* PT_INTERP */
elf_write_header_int(elf_header_len + elf_code_idx + elf_data_idx); /* p_offset */
elf_write_header_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx); /* p_vaddr */
elf_write_header_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx); /* p_paddr */
elf_write_header_int(22); /* p_filesz */
elf_write_header_int(22); /* p_memsz */
elf_write_header_int(4); /* p_flags */
elf_write_header_int(4); /* p_align */
/* program header - dynamic segment */
elf_write_header_int(2); /* PT_DYNAMIC */
elf_write_header_int(elf_header_len + elf_code_idx + elf_data_idx + 22); /* p_offset */
elf_write_header_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx + 22); /* p_vaddr */
elf_write_header_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx + 22); /* p_paddr */
elf_write_header_int(40); /* p_filesz */
elf_write_header_int(16); /* p_memsz */
elf_write_header_int(6); /* p_flags */
elf_write_header_int(4); /* p_align */
-
Defining the
.interpand.dynamicSectionsWe also need to create the corresponding sections in the section header table. The
.interpsection holds the path to the dynamic linker (/lib/ld-linux.so.3), and the.dynamicsection holds the runtime link information, including the necessary reference tolibc.so.6.
void elf_generate_sections() {
/* .interp section (length = 22) */
elf_write_section_str("/lib/ld-linux.so.3", 18);
elf_write_section_int(0);
/* .dynamic section (length = 40) */
elf_write_section_int(6); /* DT_SYMTAB */
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx + 22 + 40 + 28);
elf_write_section_int(5); /* DT_STRTAB */
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx + 22 + 40);
elf_write_section_int(11); /* DT_SYMENT */
elf_write_section_int(16); /* Symbol entry size */
elf_write_section_int(1); /* DT_NEEDED */
elf_write_section_int(1); /* Offset in .dynstr */
elf_write_section_int(0); /* DT_NULL */
elf_write_section_int(0); /* End of .dynamic */
/* .dynstr section (length = 28) */
elf_write_section_byte(0); /* NULL terminator */
elf_write_section_str("libc.so.6", 9);
elf_write_section_byte(0);
elf_write_section_str("__libc_start_main", 17);
}
/* Existing Code */
/* Add to .shstr tab and its string */
elf_write_section_str(".interp", 7);
elf_write_section_byte(0);
elf_write_section_str(".dynamic", 8);
elf_write_section_byte(0);
elf_write_section_str(".dynstr", 7);
/* .interp section header */
elf_write_section_int(23); /* .sh_name offset in .shstrtab */
elf_write_section_int(1); /* SHT_PROGBITS */
elf_write_section_int(2); /* SHF_ALLOC */
elf_write_section_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx); /* sh_addr */
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx); /* sh_offset */
elf_write_section_int(22); /* sh_size */
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(1); /* sh_addralign */
elf_write_section_int(0);
/* .dynamic section header */
elf_write_section_int(31); /* .sh_name offset in .shstrtab */
elf_write_section_int(6); /* SHT_DYNAMIC */
elf_write_section_int(3); /* SHF_ALLOC | SHF_WRITE */
elf_write_section_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx + 22); /* sh_addr */
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx + 22); /* sh_offset */
elf_write_section_int(40); /* sh_size */
elf_write_section_int(5); /* sh_link = .dynstr */
elf_write_section_int(0);
elf_write_section_int(4); /* sh_addralign */
elf_write_section_int(0);
/* .dynstr section header */
elf_write_section_int(40); /* .sh_name offset */
elf_write_section_int(3); /* SHT_STRTAB */
elf_write_section_int(2); /* SHF_ALLOC */
elf_write_section_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx + 22 + 40);
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx + 22 + 40);
elf_write_section_int(28); /* sh_size */
elf_write_section_int(0);
elf_write_section_int(0);
elf_write_section_int(1); /* sh_addralign */
elf_write_section_int(0);
-
Verifying with
readelfAfter compiling and generating this ELF, running
readelf -aconfirms the presence of the additional segments and sections:
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 ...
Class: ELF32
Data: 2's complement, little endian
...
Type: DYN (Shared object file)
Machine: ARM
...
Entry point address: 0x10094
Start of program headers: 52 (bytes into file)
Start of section headers: 12777 (bytes into file)
...
Size of program headers: 32 (bytes)
Number of program headers: 3
...
Section Headers:
[ 3] .interp PROGBITS 00013160 003160 00001d 00 A 0 0 1
[ 4] .dynamic DYNAMIC 0001317d 00317d 000010 00 WA 5 0 4
[ 5] .dynstr STRTAB 0001318d 00318d 00001c 00 A 0 0 1
...
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000094 0x00010094 0x00010094 ...
INTERP 0x003160 0x00013160 0x00013160 ...
[Requesting program interpreter: /lib/ld-linux.so.3]
DYNAMIC 0x00317d 0x0001317d 0x0001317d ...
Dynamic section at offset 0x317d contains 2 entries:
Tag Type Name/Value
0x00000001 (NEEDED) Shared library: [libc.so.6]
...
As shown, the .interp section correctly specifies /lib/ld-linux.so.3, and the dynamic section indicates it needs libc.so.6. These entries verify that the ELF is now dynamically linked and will load the shared library and dynamic linker at runtime.
Below is an improved version of the report, formatted in Markdown, that clearly explains the changes made to create .dynstb (presumably .dynsym) and .dynstr sections, the resulting output from readelf, and the next steps.
Record 05: Generating .dynsym and .dynstr Sections, and Issues with Adding .got, .plt, and rel.plt
In this stage, we add .dynstr and .dynsym sections to the ELF. While these sections appear correctly in readelf, there is a lingering issue where the .strtab entry in the section header appears as <corrupt>.
-
Code Changes
Below is the relevant code that creates the
.dynsymentries inelf_generate_sections():
/* First entry must be NULL */
void elf_generate_sections() {
/* Existing Code ... */
elf_write_section_int(0); // st_name
elf_write_section_int(0); // st_value
elf_write_section_int(0); // st_size
elf_write_section_byte(0); // st_info
elf_write_section_byte(0); // st_other
elf_write_section_byte(0); // st_shndx
elf_write_section_byte(0);
/* Second entry is the libc.so.6 */
elf_write_section_int(1); // st_name
elf_write_section_int(0); // st_value
elf_write_section_int(0); // st_size
elf_write_section_byte(0x12); // st_info
elf_write_section_byte(0); // st_other
elf_write_section_byte(0); // st_shndx
elf_write_section_byte(0);
/* Third entry is __libc_start_main */
elf_write_section_int(11); // st_name
elf_write_section_int(0); // st_value
elf_write_section_int(0); // st_size
elf_write_section_byte(0x12); // st_info
elf_write_section_byte(0); // st_other
elf_write_section_byte(0); // st_shndx
elf_write_section_byte(0);
/* Existing Code */
/* Add to .shstr tab and its string */
elf_write_section_str(".dynsym", 7);
elf_write_section_byte(0);
/* .dynsym section header */
elf_write_section_int(48);
elf_write_section_int(11);
elf_write_section_int(0);
elf_write_section_int(ELF_START + elf_header_len + elf_code_idx + elf_data_idx
+ 22 + 40 + 28); // sh_addr
elf_write_section_int(elf_header_len + elf_code_idx + elf_data_idx
+ 22 + 40 + 28); // sh_offset
elf_write_section_int(48);
elf_write_section_int(5);
elf_write_section_int(2);
elf_write_section_int(4);
elf_write_section_int(16);
/* Existing Code */
}
-
Verifying with
readelfAfter compiling and generating this ELF, running
readelf -ashows the following (truncated for brevity):
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
...
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 3
Size of section headers: 40 (bytes)
Number of section headers: 10
Section header string table index: 9
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00
[ 1] .text PROGBITS 00010094 000094 003064 00 WAX
[ 2] .data PROGBITS 000130f8 0030f8 000068 00 WA
[ 3] .interp PROGBITS 00013160 003160 000016 00 A
[ 4] .dynamic DYNAMIC 00013176 003176 000028 00 WA
[ 5] .dynstr STRTAB 0001319e 00319e 00001c 00 A
[ 6] .dynsym DYNSYM 000131ba 0031ba 000030 10
[ 7] .symtab SYMTAB 00000000 0031ea 000000 10
[ 8] <corrupt> STRTAB 00000000 0031ea 000000 00
[ 9] .shstrtab STRTAB 00000000 0031ea 000040 00
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
...
INTERP 0x003160 0x00013160 0x00013160 0x00016 0x00016 R 0x4
[Requesting program interpreter: /lib/ld-linux.so.3]
DYNAMIC 0x003176 0x00013176 0x00013176 0x00028 0x00010 RW 0x4
Dynamic section at offset 0x3176 contains 5 entries:
Tag Type Name/Value
0x00000006 (SYMTAB) 0x31ba
0x00000005 (STRTAB) 0x319e
0x0000000b (SYMENT) 16 (bytes)
0x00000001 (NEEDED) Shared library: [libc.so.6]
0x00000000 (NULL) 0x0
Symbol table '.dynsym' contains 3 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 00000000 0 FUNC GLOBAL DEFAULT UND libc.so.6
2: 00000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main
Observation:
The .dynsym table is correct and references the strings in .dynstr. However, section header entry [8] is displayed as <corrupt>. This suggests there might be an error in how the .strtab or other string tables are being appended to the ELF, causing the section header data to be misaligned or overwritten.
-
Next Steps
-
Investigate
.strtabCorruption- Check how the
.symtaband.strtabsections are being added to the ELF. There might be a miscalculation in offsets or lengths, leading to overwriting existing data. - Verify the sizes and offsets for all sections after
.dynsymto ensure they do not overlap each other.
- Check how the
-
Implement External Symbol Handling
- Create a function to load external function names and sizes. This will help populate
.dynstr,.dynsym,.got, and.plt.
- Create a function to load external function names and sizes. This will help populate
-
Implement
rel.plt- Use
R_ARM_JUMP_SLOTrelocations inrel.plt. - Provide a
pltstub for__libc_start_main()(and any other external functions) to handle calling conventions and symbol resolution at runtime.
- Use
-
