I am working on Linux X86_64.

I have a need to determine the address of a specific PLT entry in an ELF file given the name of the dynamic function that the entry represents. I can figure out the file offset from the address, but I need to be able to determine the address.

If I disassemble the ELF file using objdump -D -z elffile I see that objdump uses symbolic names for each entry in the PLT. (Where does objdump obtain the relationship between these addresses and the symbol names?)

example:

0000000000000041a2b0 fileno@plt:

If I use objdump -T elffile | grep fileno I get something like this:

0000000000000   DF *UND*  00000000000000000   GLIBC_2.2.5 fileno

What I need to be able to do from "C" is find the PLT entry in the ELF file for a specific dynamic function and obtain the address.

The background is that I am patching an existing ELF file and need to redirect a function call to a different dynamic function. I have manually patched an ELF file using addresses gathered from objdump disassembly and proven that this will work for my specific application, I just need to be able to do it from a program. I am hoping not to have to crawl through objdump disassembler code to figure out how it gets the PLT entry symbols and addresses.

Employed Russian
codemonkey
  • Interestingly there doesn't seem to be a way to do this from assembly. Intuitively `movq someFunc@PLT, %rax` should do it, but that `@PLT` reference seems to imply linker modifications that mess up the `movq`, which seems to make these `someFunc@PLT` references only usable with the call instruction. – Petr Skocik Dec 11 '19 at 14:25

1 Answer

I figured this out: You have to parse the relocation table in the .rela.plt section. Those entries contain a symbol table index that can be used to look up the function name by indexing into the dynamic symbol section. Each entry in the dynamic symbol section contains a dynamic string table offset that can be used to pull out the function name. When you find the corresponding function, the index into the relocation table (+1) corresponds to the index into the .plt section for the function's PLT entry. So to calculate the address for a specific entry it is just: .plt.sec address + ((relocation_index + 1) * .plt entry size)

This method works for x86. It does not work for PPC which has a completely different format for the .plt section. If anyone has any info on doing this for PPC please post.

codemonkey
  • Note for i386, the PLT entry size is not reported correctly. You can either multiply the reported plt entry size by 4, or use 16 for the entry size. – codemonkey Jun 06 '17 at 18:32
  • I don't understand how to get the index into the relocation table. could you please add the code for this? – Mahwish Sep 29 '22 at 15:48