
My goal is explained in this question HERE

Is it possible to locate the address of a symbol's entry in the dynamic symbol table loaded into a program? If we can locate it, can we edit it somehow? For example if the app made the call to a function named original_func then the control should actually come to my hook_func and from there I call the original_func.

Update:

Some code according to the answer by 'Employed Russian':

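```c
#include <elf.h>     /* Elf32_Dyn, DT_SYMTAB, DT_NULL */
#include <stdint.h>

extern Elf32_Dyn _DYNAMIC[];   /* linker-defined start of the .dynamic section */

/* LOGE is the poster's logging macro; its definition is not shown. */
void log_dynsym_base(void)     /* wrapper name added so the loop compiles */
{
    uint32_t DST_base_addr;
    Elf32_Dyn *dyn;

    /* Walk the dynamic section until the DT_SYMTAB entry is found. */
    for (dyn = _DYNAMIC; dyn->d_tag != DT_NULL; ++dyn)
    {
        if (dyn->d_tag == DT_SYMTAB)
        {
            DST_base_addr = dyn->d_un.d_ptr;   /* value as stored in the entry */
            LOGE("Base address of dynamic symbol table is; 0x%x", DST_base_addr);
            break;
        }
    }
}
```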

Output: 0x148

1- Not sure what that 0x148 means. It's definitely not an absolute address.

2- Also, where can I find a good listing of these useful pre-defined variables such as _DYNAMIC[], _GLOBAL_OFFSET_TABLE_, etc.? I wasn't very aware of such variables even when I went through ELF notes here and there.

Usman.3D
  • So why are you creating a new question? – Panther Apr 20 '15 at 03:51
  • This question is more specific, while my previous question covered broader range. What I asked in this question, if that's not possible then my previous question still stands; i.e. finding a solution without editing Dynamic Symbol Table. – Usman.3D Apr 20 '15 at 05:06

1 Answer

> Is it possible to locate the address of a symbol's entry in the dynamic symbol table loaded into a program?

Yes, it's pretty easy: iterate over elements of the _DYNAMIC[] array, until you find an element with .d_tag == DT_SYMTAB. The .d_un.d_ptr of that entry will point to the dynamic symbol table in memory.

To find a specific symbol, you will also need to refer to DT_STRTAB.

> If we can locate it, can we edit it somehow?

Sure: it's just a memory location. You may need to mprotect it to be writable, but once you do, you can modify it to your heart's content.

However, most modifications will either have no effect, or cause your program to crash later.

> For example if the app made the call to a function named original_func then the control should actually come to my hook_func and from there I call the original_func.

It's pretty difficult to achieve your stated goal using this particular method, and much easier methods exist.

Perhaps you are looking for this?

Employed Russian
  • Thanks. Is the _DYNAMIC[] array already defined there in the C program? Or will I have to read the data into it by parsing through ELF header? – Usman.3D Apr 23 '15 at 01:17
  • @Usman.3D It's already defined, and initialized to overlap the `.dynamic` section of the executable. – Employed Russian Apr 23 '15 at 03:25
  • Thanks, I updated my question. Also, I thought 'sections' only belonged to the shared library while the loaded program only had segments? – Usman.3D Apr 23 '15 at 09:38
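
The lookup described in the answer (walk _DYNAMIC[] for DT_SYMTAB, resolve names through DT_STRTAB), written out as an added example; it is not code from the question or the answer. It assumes Linux with glibc's <link.h> and that the code is linked into the main executable. The names find_dynsym_entry, dyn_addr and first_base are hypothetical, and when DT_HASH is absent the symbol count relies on the assumption that .dynstr follows .dynsym in memory.

```c
#define _GNU_SOURCE
#include <link.h>    /* ElfW(), dl_iterate_phdr(); pulls in <elf.h> */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

extern ElfW(Dyn) _DYNAMIC[];  /* linker-defined start of this object's .dynamic */

/* dl_iterate_phdr() reports the main program first: record its load base. */
static int first_base(struct dl_phdr_info *info, size_t size, void *out) {
    (void)size;
    *(uintptr_t *)out = info->dlpi_addr;
    return 1;  /* non-zero stops the iteration */
}

/* glibc on most architectures rewrites d_ptr to an absolute address at load
   time; a load-relative value (such as 0x148) still needs the base added. */
static uintptr_t dyn_addr(const ElfW(Dyn) *d, uintptr_t base) {
    return d->d_un.d_ptr < base ? d->d_un.d_ptr + base : d->d_un.d_ptr;
}

/* Address of the DT_SYMTAB entry named `name` in the main program, or NULL. */
ElfW(Sym) *find_dynsym_entry(const char *name) {
    uintptr_t base = 0, hash = 0;
    ElfW(Sym) *symtab = NULL;
    const char *strtab = NULL;
    size_t strsz = 0, nsyms = 0;
    dl_iterate_phdr(first_base, &base);
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++) {
        if (d->d_tag == DT_SYMTAB) symtab = (ElfW(Sym) *)dyn_addr(d, base);
        else if (d->d_tag == DT_STRTAB) strtab = (const char *)dyn_addr(d, base);
        else if (d->d_tag == DT_STRSZ) strsz = d->d_un.d_val;
        else if (d->d_tag == DT_HASH) hash = dyn_addr(d, base);
    }
    if (!symtab || !strtab) return NULL;
    if (hash)  /* exact: nchain in the SysV hash table equals the symbol count */
        nsyms = ((const uint32_t *)hash)[1];
    else if ((uintptr_t)strtab > (uintptr_t)symtab)  /* assumption: .dynstr follows .dynsym */
        nsyms = ((uintptr_t)strtab - (uintptr_t)symtab) / sizeof(ElfW(Sym));
    for (size_t i = 1; i < nsyms; i++)  /* index 0 is the reserved null symbol */
        if (symtab[i].st_name < strsz && strcmp(strtab + symtab[i].st_name, name) == 0)
            return &symtab[i];
    return NULL;
}

int main(void) {
    printf("dl_iterate_phdr entry at %p\n", (void *)find_dynsym_entry("dl_iterate_phdr"));
    return 0;
}
```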