Ld : _start address ?


Ld : _start address ?

SandeepKsinha
Hello everyone,
Can somebody please tell me where the loader takes the program
entry point address from? It's not e_entry of the ELF header, because even
after overwriting it with some other valid address, the flow of
control doesn't change.
Does the loader take the address of _start from the symbol table?
Then what in the case of stripped binaries?

Please help.
--
Regards,
Sandeep





A candle loses nothing if it is used to light another one!

Re: Ld : _start address ?

Ramana Radhakrishnan
The loader does take the entry point address from e_entry in the
ELF header. This is the actual entry point for the program. When are
you doing this overwriting?

cheers
Ramana

On 12/29/05, Sandeep Kumar <[hidden email]> wrote:

> Hello everyone,
> Can somebody please tell me where the loader takes the program
> entry point address from? It's not e_entry of the ELF header, because even
> after overwriting it with some other valid address, the flow of
> control doesn't change.
> Does the loader take the address of _start from the symbol table?
> Then what in the case of stripped binaries?
>
> Please help.
> --
> Regards,
> Sandeep
>
>
>
>
>
> A candle loses nothing if it is used to light another one!
>


--
Ramana Radhakrishnan

Re: Ld : _start address ?

Mike Frysinger
In reply to this post by SandeepKsinha
On Thursday 29 December 2005 02:50, Sandeep Kumar wrote:
> Can somebody please tell me where the loader takes the program
> entry point address from? It's not e_entry of the ELF header, because even
> after overwriting it with some other valid address, the flow of
> control doesn't change.

Your problem is that you're trying to hack too late ... the kernel parses the
ELF e_entry value, sticks it in the array of ELF auxiliary vectors on the
stack (AT_ENTRY), and then transfers control to userspace ... the dynamic
loader then pulls the entry value off of the stack.
-mike
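An added example (not from this thread or from any of its posters) that checks Mike's explanation from user space: it reads AT_ENTRY from the auxiliary vector with getauxval() and compares it with the entry point derived from the on-disk ELF header of /proc/self/exe. The helper names (entry_from_auxv, entry_from_header, auxv_matches_header) are mine; it assumes Linux with glibc or musl, and that the program header table lives in the first PT_LOAD segment, so the load base of a PIE is AT_PHDR minus e_phoff. For a non-PIE (ET_EXEC) binary e_entry is already absolute.

```c
#include <elf.h>
#include <link.h>      /* ElfW() selects Elf32/Elf64 types for this ABI */
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>  /* getauxval(), AT_ENTRY, AT_PHDR */

/* Read the ELF header of the running executable from the file on disk.
 * Returns 1 on success, 0 if the file can't be read or isn't ELF. */
static int read_self_ehdr(ElfW(Ehdr) *eh)
{
    FILE *f = fopen("/proc/self/exe", "rb");
    if (!f)
        return 0;
    size_t n = fread(eh, 1, sizeof *eh, f);
    fclose(f);
    return n == sizeof *eh && memcmp(eh->e_ident, ELFMAG, SELFMAG) == 0;
}

/* The entry point the kernel handed to user space on the initial stack:
 * the AT_ENTRY auxiliary vector. This is what ld.so jumps to after it has
 * finished relocating and running constructors (LD_PRELOAD ones included). */
unsigned long entry_from_auxv(void)
{
    return (unsigned long)getauxval(AT_ENTRY);
}

/* The entry point predicted from the on-disk header. For an ET_EXEC binary
 * e_entry is absolute; for a PIE (ET_DYN) it is an offset that the kernel
 * relocates by the load base. AT_PHDR points at the program header table
 * inside the mapped image, e_phoff bytes past the ELF header, so the load
 * base is AT_PHDR - e_phoff (assumption: phdrs sit in the first PT_LOAD). */
unsigned long entry_from_header(void)
{
    ElfW(Ehdr) eh;
    if (!read_self_ehdr(&eh))
        return 0;
    unsigned long base = 0;
    if (eh.e_type == ET_DYN)
        base = (unsigned long)getauxval(AT_PHDR) - eh.e_phoff;
    return base + (unsigned long)eh.e_entry;
}

/* 1 if the kernel's AT_ENTRY agrees with the header-derived value. */
int auxv_matches_header(void)
{
    unsigned long a = entry_from_auxv();
    unsigned long h = entry_from_header();
    return a != 0 && a == h;
}

int main(void)
{
    printf("AT_ENTRY from auxv   : 0x%lx\n", entry_from_auxv());
    printf("entry from ELF header: 0x%lx\n", entry_from_header());
    printf("%s\n", auxv_matches_header() ? "match" : "MISMATCH");
    return 0;
}
```

Build with `gcc -o entry entry.c` and run it as a PIE and with `-no-pie` to see both cases agree. The point it makes for the experiment above: by the time a constructor in an LD_PRELOAD library runs, ld.so has already taken AT_ENTRY from the stack, so editing e_entry in the mapped header (which the kernel normally maps read-only anyway) cannot redirect the current process; the file on disk and the auxv are the only places the value is read from.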

Re: Ld : _start address ?

SandeepKsinha
In reply to this post by Ramana Radhakrishnan
On 12/29/05, Ramana Radhakrishnan <[hidden email]> wrote:
> The loader does take the entry point address from e_entry in the
> ELF header. This is the actual entry point for the program. When are
> you doing this overwriting?
>

>
>
> --
> Ramana Radhakrishnan
>

I am trying to overwrite the e_entry in an executable's ELF header and
change the flow of control with the following piece of code:


              #include <stdio.h>
              #include <elf.h>
              /* 0x8048000: usual load address of a non-PIE i386 executable's ELF header */
              Elf32_Ehdr *self = (Elf32_Ehdr *)0x8048000;
              printf("%x\n", self->e_entry);          /* print the current entry point */
              self->e_entry = (Elf32_Addr)0x00000000; /* overwrite it in memory */


This piece of code is present in a preloaded shared library.


executing as :


#LD_PRELOAD="./lib1.so" ./a.out


But the problem is that even after changing the address in
e_entry, the actual main function of the executable a.out is still getting
executed. But if the address in e_entry is getting changed, then
how is control finally reaching __libc_start_main and finally
main()?
I tried overwriting it with 0x0000000 and it still worked.



Where does the loader take the address of _start from before passing
control to it?



> cheers
> Ramana
>
> On 12/29/05, Sandeep Kumar <[hidden email]> wrote:
> > Hello everyone,
> > Can somebody please tell me where the loader takes the program
> > entry point address from? It's not e_entry of the ELF header, because even
> > after overwriting it with some other valid address, the flow of
> > control doesn't change.
> > Does the loader take the address of _start from the symbol table?
> > Then what in the case of stripped binaries?
> >
> > Please help.