Create an account

Very important

  • To access the important data of the forums, you must be active in each forum and especially in the leaks and database leaks section, send data and after sending the data and activity, data and important content will be opened and visible for you.
  • You will only see chat messages from people who are at or below your level.
  • More than 500,000 database leaks and millions of account leaks are waiting for you, so access and view with more activity.
  • Many important data are inactive and inaccessible for you, so open them with activity. (This will be done automatically)

0Day Forums Coding Assembly .plt .plt.got what is different?

Thread Rating:
  • 765 Vote(s) - 3.54 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Options
.plt .plt.got what is different?

Offline cyntheayuoyyx


Member
*
Member
Posts: 0
Threads: 0
Joined: Aug 2016
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#1
07-24-2023, 03:09 AM
`.plt` : in RE able segment, have trampoline functioning at `plt[n]` except 0, have .got.plt resolver link at `plt[0]`

`.got` `.got.plt` : in RW able segment, just address

Which I learned from this post:

[To see links please register here]


Problem
=============
Actual Linux shell command gave me a different answer

$readelf -l /bin/bash

[![read elf -l result][1]][1]

got.plt is gone and what is .plt.got in 02 segment?
-------------------------------------------------

I dumped two section(plt, plt.got) and got this assembly

.plt is plt as i learned:
![.plt is plt as i learned][2]

.plt.got , what is this for?
![.plt.got , what is this for][3]

sorry for poor dumping, it was done by

```
objcopy -O binary --only-section=.plt.got /bin/bash ./pltgot
objcopy -O binary --only-section=.plt /bin/bash ./plt
```

Questions
===================
1. what is difference between .plt and .plt.got
2. why this difference happened?


[1]:

[2]:

[3]:
Reply

Offline courtroom304


Valued member
***
Valued member
Posts: 0
Threads: 0
Joined: Jun 2021
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#2
07-24-2023, 03:17 AM
See answer to your questions. Hopefully it helps you.

1. > The difference is that .got.plt is runtime-writable, while .got is not if you enable a defense against GOT overwriting attacks called RELRO (relocations read-only). To enable RELRO, you use the ld option -z relro. RELRO places GOT entries that must be runtime-writable for lazy binding in .got.plt, and all others in the read-only .got section

2. The difference or this design rather has been there as part of the ELF common standard file format:
> ELF binaries often contain a separate GOT section called .got.plt for use in conjunction with .plt in the lazy binding process

***Q1 Ref Page 45:*** Andriesse, Dennis.Practical binary analysis : build your own Linux tools for binary instrumentation, analysis, and disassembly.San Francisco, No Starch Press, 2019

***Q2 Ref Page 45***: same book, see section "Lazy Binding and the PLT"
Reply

Offline motherer476781


Valued member
***
Valued member
Posts: 0
Threads: 0
Joined: Jan 2019
Reputation: 0
Level: inf [Level]
Total Points: inf
Rank nan / 1
100% to upload Level
Rank
Activity inf / 1
99% to upload your Rank
Activity
Experience nan
100% to upload Experience
Experience

Points: 50
#3
07-24-2023, 03:37 AM
The difference between `.plt` and `.plt.got` is that `.plt` uses lazy binding and `.plt.got` uses non-lazy binding.

Lazy binding is possible when all uses of a function are simple function calls. However, if anything requires the address of the function, then non-lazy binding must be used, since binding can only occur when the function is called, and we may need to know the address before the first call. Note that when obtaining the address, the GOT entry is accessed directly; only the function calls go via `.plt` and `.plt.got`.
If the `-fno-plt` compiler option is used, then neither `.plt` nor `.plt.got` are emitted, and function calls also directly access the GOT entry.

In the following examples, `objdump -d` is used for disassembly, and `readelf -r` is used to list relocations.


`.plt`
------

Using x64-64 as an example, `.plt` will contain entries such as:
```
0000000000014050 <_Unwind_Resume@plt>:
14050: ff 25 3a e6 0e 00 jmpq *0xee63a(%rip) # 102690 <_Unwind_Resume@GCC_3.0>
14056: 68 02 00 00 00 pushq $0x2
1405b: e9 c0 ff ff ff jmpq 14020 <.plt>
```
The first `jmpq` is to the GOT entry, and the second `jmpq` performs the lazy binding if the GOT entry hasn't been bound yet.

The relocations for `.plt`'s associated GOT entries are in the `.rela.plt` section and use `R_X86_64_JUMP_SLOT`, which lets the dynamic linker know these are lazy.
```
0000000000102690 0000004600000007 R_X86_64_JUMP_SLOT 0000000000000000 _Unwind_Resume@GCC_3.0 + 0
```

`.plt.got`
----------

`.plt.got` contains entries that only need a single `jmpq` since they aren't lazy:
```
0000000000014060 <memset@plt>:
14060: ff 25 5a ea 0e 00 jmpq *0xeea5a(%rip) # 102ac0 <memset@GLIBC_2.2.5>
14066: 66 90 xchg %ax,%ax
```

The relocations for `.plt.got`'s associated GOT entries are in the `.rela.dyn` section (along with the rest of the GOT relocations), which the dynamic linker binds immediately:
```
0000000000102ac0 0000004b00000006 R_X86_64_GLOB_DAT 0000000000000000 memset@GLIBC_2.2.5 + 0
```
Reply

« Next Oldest
Next Newest »


Forum Jump:


Users browsing this thread:
1 Guest(s)

©0Day  2016 - 2023 | All Rights Reserved.  Made with    for the community. Connected through