Add demo on GOT (and PLT) analysis

razvand · razvand · commit 2c3dfb3e010e · 2020-11-29T13:52:48.000+02:00
There are two source code files (`main.c` and `basket.c`), a header file
(`basket.h`) and a `Makefile`. The `bascket.c` file will be compiled
into a shared library (`libbasket.so`). The `main.c` will be compiled
and linked against the shared library, resulting in an executable
`main`. We investigate the resulting files: the `main` executable and
the `libbasket.so` library.

We used `nm`, `objdump` and `readelf` for static analysis and GDB for
dynamic analysis.
diff --git a/got-plt/.gitignore b/got-plt/.gitignore
@@ -0,0 +1,2 @@
+/main
+/libbasket.so
diff --git a/got-plt/Makefile b/got-plt/Makefile
@@ -0,0 +1,25 @@
+CFLAGS = -fPIC -fno-stack-protector -Wall -Wextra
+LDFLAGS = -pie
+LDLIBS = -lbasket
+
+.DEFAULT_GOAL := all
+
+.PHONY: all clean
+
+all: main
+
+main: main.o libbasket.so
+	$(CC) $(LDFLAGS) -Wl,-rpath=. -o $@ main.o -L. $(LDLIBS)
+
+main.o: main.c basket.h
+
+libbasket.so: basket.o
+	$(CC) -shared -o $@ $^
+
+basket.o: basket.c basket.h
+
+clean:
+	-rm -f basket.o main.o
+	-rm -f main
+	-rm -f libbasket.so
+	-rm -f *~
diff --git a/got-plt/README.md b/got-plt/README.md
diff --git a/got-plt/basket.c b/got-plt/basket.c
@@ -0,0 +1,6 @@
+unsigned long basket_size = 3;
+
+void flowers(void)
+{
+	basket_size = 55;
+}
diff --git a/got-plt/basket.h b/got-plt/basket.h
@@ -0,0 +1,8 @@
+#ifndef BASKET_H_
+#define BASKET_H_	1
+
+extern unsigned long basket_size;
+
+void flowers(void);
+
+#endif
diff --git a/got-plt/main.c b/got-plt/main.c
@@ -0,0 +1,9 @@
+#include "basket.h"
+
+int main(void)
+{
+	flowers();
+	basket_size = 99;
+
+	return 0;
+}
diff --git a/got-plt/nostdlib/.gitignore b/got-plt/nostdlib/.gitignore
@@ -0,0 +1,2 @@
+/main
+/libbasket.so
diff --git a/got-plt/nostdlib/Makefile b/got-plt/nostdlib/Makefile
@@ -0,0 +1,30 @@
+CFLAGS = -fPIC -fno-stack-protector -Wall -Wextra
+LDFLAGS = -nostdlib -nostdinc -pie
+LDLIBS = -lbasket
+LD.SO = /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+
+.DEFAULT_GOAL := all
+
+.PHONY: all clean
+
+all: main
+
+main: start.o main.o libbasket.so
+	$(LD) -e_start -pie -dynamic-linker=$(LD.SO) -rpath=. -o $@ start.o main.o -L. $(LDLIBS)
+#	$(CC) $(LDFLAGS) -Wl,-e_start -o $@ start.o main.o -L. $(LDLIBS)
+
+start.o: start.s
+
+main.o: main.c basket.h
+
+libbasket.so: basket.o
+	$(LD) -shared -o $@ $^
+#	$(CC) $(LDFLAGS) -shared -o $@ $^
+
+basket.o: basket.c basket.h
+
+clean:
+	-rm -f start.o basket.o main.o
+	-rm -f main
+	-rm -f libbasket.so
+	-rm -f *~
diff --git a/got-plt/nostdlib/basket.c b/got-plt/nostdlib/basket.c
@@ -0,0 +1 @@
+../basket.c
diff --git a/got-plt/nostdlib/basket.h b/got-plt/nostdlib/basket.h
@@ -0,0 +1 @@
+../basket.h
diff --git a/got-plt/nostdlib/main.c b/got-plt/nostdlib/main.c
@@ -0,0 +1 @@
+../main.c
diff --git a/got-plt/nostdlib/start.s b/got-plt/nostdlib/start.s
@@ -0,0 +1,26 @@
+    .text
+
+.globl _start
+
+# /usr/include/x86_64-linux-gnu/asm/unistd_64.h
+.equ __NR_exit, 60
+
+_start:
+    call main
+
+    # Call __NR_exit(main_return_value) (system call).
+    #
+    # Use x86_64 Linux system call convention.
+    # https://blog.rchapman.org/posts/Linux_System_Call_Table_for_x86_64/
+    #
+    # rdi stores the first system call argument.
+    # rax stores the system call id.
+
+    # rax is main return value. Store it in rdi.
+    movq %rax, %rdi
+
+    # Store the exit system call id in rax.
+    movq $__NR_exit, %rax
+
+    # Do system call.
+    syscall
