Global Offset Table (GOT) and Procedure Linkage Table (PLT) - bin 0x12
- Published: 8 Sep 2024
- In this video we will introduce how shared libraries like libc are used by C programs. Specifically, we will look at the Global Offset Table and the Procedure Linkage Table.
Keep going bro, you're the best professor in the whole channel about hacking
I'm just joking here, but he's the only person in the channel XD. But yeah, I got it haha. And I agree. This is wonderful.
Please continue making these awesome tuts. Very much appreciated!
This is the best channel I’ve come across
Simple and straightforward. Thank you very much LiveOverflow
GOAT. Global offset at table
best channel on the whole of YouTube
Thanks for doing these awesome videos!
7 min video and it took me 5 hours to try and figure out what exactly happened!!
Awesome video! Keep going, I'm really enjoying all of your videos and will keep following I'm sure with time many more will join!
Maybe somebody could explain to me: at 3:48, how exactly does it happen that we go to the next line (0x400456 "push 0x0")? Shouldn't we jump to 0x602000, which is where [puts@GOT] is pointing?
Thanks!
We do jump to whatever ds:puts@GOT is pointing to. It just points to the instruction right after the jmp. When the program memory is set up and the GOT is created, the real lib addresses are not filled in yet. Instead the address of the next instruction after the jmp is in there.
I think you got the address 0x602000 from looking at it in hopper statically?
If you run the program instead, you should see 0x400456 instead. I think it's just that statically the disassembler knows that it's an external symbol and points it to somewhere else. But if you run it, it should be different.
Would there be a way to discover it statically? Or it isn't possible because the GOT is created dynamically each time the binary is run?
Nice
thank you so much
Fun fact, ldd allows arbitrary code execution with well crafted executables
please don't stop
What you are describing is "Faulbinden". Or rather, "lazy binding".
Before calling ld.so to resolve the addresses, why is there a push instruction? I mean, why does it push a value onto the stack before calling the ld.so library?
jmp qword [ds:puts@GOT]
push 0x0
I can only guess too, but it looks like an index of the table to me, so when 0x5 is pushed on the stack (as an argument), the function will make a lookup at index 5 in the GOT; correct me if I'm wrong
That's right, it's the table index. It's part of the system that allows imports to be resolved at run time vs resolving them all at ELF load time.
When an API call is first made, the JMP address (in the ".got.plt" I think) points back to just below the jump (to that PUSH, JMP combo), which points to a common ld.so routine that replaces the table entry with the actual API function for the next time, then chains to it.
Apparently a performance and resource optimization so that the system doesn't need to load .so's that never get called.
When resolving the external symbol on the first call to puts, we first push the first entry of the GOT onto the stack and jump to the address stored in the second entry, but what exactly are those two? The second entry seems to store the address of the function that resolves the reference, but the first is kinda magic. Does this hold the base address of some table, which then combined with the index pushed before (for example 0x0) gives the slot address, at which a pointer to the function will be stored?
The value pushed when you call an external function for the first time (0x1 in the case of puts, see video at 1m 50s) is basically an ID so that the dynamic linker knows which function it should load. Each external function has its own unique ID; this ID will vary by program (i.e. in program "a" puts has the ID 0x1 but in program "b" it might have the ID 0xa).
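To make the mechanics in this thread concrete (the jmp/push/jmp stub, the index that the push carries, and why an unresolved GOT slot sends you to 0x400456 right after the jmp), here is an added example that decodes a PLT stub. It is not code from the video; the stub bytes, the GOT slot at 0x601018, PLT0 at 0x400440 and the libc address are constructed to resemble a non-PIE x86-64 binary and are assumptions.

```c
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
#include <stdio.h>

/* Decoded view of one x86-64 lazy PLT stub: jmp [GOT]; push idx; jmp PLT0. */
struct plt_stub {
    uint64_t got_slot;     /* address of the GOT entry the first jmp reads           */
    uint64_t after_jmp;    /* address of the push, i.e. where an unresolved slot points */
    uint32_t reloc_index;  /* immediate pushed for ld.so: index into .rela.plt        */
    uint64_t plt0;         /* target of the final jmp: the common resolver trampoline  */
};

static int32_t rd32(const uint8_t *p) { int32_t v; memcpy(&v, p, 4); return v; }

/* Decode the 16-byte stub located at virtual address `va`. Returns 0 on success. */
int decode_plt_stub(const uint8_t *code, uint64_t va, struct plt_stub *out) {
    if (code[0] != 0xff || code[1] != 0x25) return -1;   /* jmp qword [rip+disp32] */
    out->after_jmp = va + 6;                              /* rip-relative base      */
    out->got_slot  = out->after_jmp + (int64_t)rd32(code + 2);
    if (code[6] != 0x68) return -1;                       /* push imm32             */
    out->reloc_index = (uint32_t)rd32(code + 7);
    if (code[11] != 0xe9) return -1;                      /* jmp rel32              */
    out->plt0 = va + 16 + (int64_t)rd32(code + 12);       /* relative to next insn  */
    return 0;
}

/* Lazy binding: before the first call the slot still holds the address of the push. */
int slot_is_unresolved(const struct plt_stub *s, uint64_t slot_value) {
    return slot_value == s->after_jmp;
}

/* Constructed sample: puts@plt at 0x400450, matching the 0x400456 push seen in the video. */
static const uint8_t PUTS_PLT[16] = {
    0xff, 0x25, 0xc2, 0x0b, 0x20, 0x00,   /* jmp  qword [rip+0x200bc2]  -> 0x601018 */
    0x68, 0x00, 0x00, 0x00, 0x00,         /* push 0x0                               */
    0xe9, 0xe0, 0xff, 0xff, 0xff,         /* jmp  0x400440 (PLT0)                   */
};

int main(void) {
    struct plt_stub s;
    if (decode_plt_stub(PUTS_PLT, 0x400450, &s) != 0) return 1;
    uint64_t got_at_load = 0x400456;        /* constructed: slot content before first call */
    uint64_t got_patched = 0x7ffff7a62a30;  /* constructed: libc puts after ld.so fixed it  */
    printf("slot %#" PRIx64 " idx %u plt0 %#" PRIx64 " unresolved=%d then %d\n",
           s.got_slot, s.reloc_index, s.plt0,
           slot_is_unresolved(&s, got_at_load), slot_is_unresolved(&s, got_patched));
    return 0;
}
```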
Hi, in your plt[1] there is push $1 and in plt[2] push $2. I am on 32-bit Linux; in my plt[1] I saw push $0 and in plt[2] I saw push $0x8. Which doesn't make sense.
sorry I don't quite understand what you mean. You can send me a more extensive writeup and explanation via gmail. Then I can try to figure it out.
Do you have Twitter? I mean not as the RUclipsr liveoverflow, but just as a nerd?
Another great video, did you get my email/PM? Pretty important
Narrator voice: *he did NOT get that email/PM.*
@EvilSapphireR he did ;) we started talking back in 2016, to this day we're still friends
Why don't you make a playlist on writing own shellcode?
Do please..
just haven't gotten around to doing that... it's on my TODO list :)
LiveOverflow
Could you please let me contact you?
you just contacted me?
LiveOverflow
I mean personally like email or WhatsApp..!
I'm not stopping you from writing me a mail ;) you just have to spend 1 minute and look for my mail and use it.
Can we intercept any API using this method on Android? I read somewhere there is some limitation with bionic libc of Android? Can someone clarify?
Frida
please make a tutorial about how to create a C program that does something.. it will help us a lot