I need to access the .symtab symbol table by parsing the memory of the process.

At the moment, my algorithm is:

  1. Get the dynamic segment (program header with p_type == PT_DYNAMIC) and follow its p_vaddr.
  2. Search this dynamic section for the DT_SYMTAB d_tag and take the pointer at offset +4 (d_ptr), which should be our actual .symtab symbol table.

However, instead of .symtab, for some reason I'm receiving .dynsym, which I verified by comparing symbol names and other info with the output of readelf -Ws.

So, how do I get the actual .symtab pointer? Thank you.

For reference, I'm using:

  1. https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#Program_header
  2. http://labmaster.mi.infn.it/Laboratorio2/CompilerCD/clang/l1/ELF.html

More good resources are appreciated.

1 Answer
> I need to access the .symtab symbol table by parsing the memory of the process.

This is generally impossible because .symtab is normally not loaded into the process memory at all.

E.g.

readelf -WS foo.o | egrep ' \.(data|text|symtab)'
  [ 1] .text             PROGBITS        0000000000000000 000040 00001b 00  AX  0   0  1
  [ 5] .data             PROGBITS        0000000000000000 0000d0 000000 00  WA  0   0  1
  [ 9] .symtab           SYMTAB          0000000000000000 000130 000120 18     10  10  8

Notice that .data and .text have the A (alloc) flag, while .symtab doesn't.

> However, instead of .symtab, for some reason I'm receiving .dynsym

.dynsym is the only symbol table used at runtime, and is the only symbol table you can get without reading the executable on disk.

P.S. Also note that a fully-stripped binary will not have a .symtab at all, while still being perfectly runnable.
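Added example (not from the answer or the asker): parse an ELF64 file image from disk and check the three facts above. It reads the section headers to see whether .symtab carries SHF_ALLOC, and walks PT_DYNAMIC the way the question describes to show that the DT_SYMTAB d_ptr is .dynsym's own sh_addr. It assumes a little-endian ELF64 file and the standard Elf64_Shdr/Elf64_Phdr/Elf64_Dyn layouts from elf.h; section-header-less (sstrip'd) files just report no sections.

```python
import struct

SHF_ALLOC = 0x2          # section occupies memory at run time (the "A" in readelf -S)
PT_DYNAMIC = 2
DT_NULL, DT_SYMTAB = 0, 6


def parse_elf64(data: bytes) -> dict:
    """Parse section headers and the PT_DYNAMIC segment of a little-endian ELF64 file image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_phoff, e_shoff = struct.unpack_from("<QQ", data, 0x20)
    e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHHHH", data, 0x36)
    # Elf64_Shdr prefix: sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size
    raw = [struct.unpack_from("<IIQQQQ", data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    sections = {}
    if raw:
        strtab = raw[e_shstrndx][4]  # file offset of .shstrtab (section names)
        for sh_name, _type, sh_flags, sh_addr, sh_offset, sh_size in raw:
            name = data[strtab + sh_name:data.index(b"\0", strtab + sh_name)].decode()
            sections[name] = {"flags": sh_flags, "addr": sh_addr, "offset": sh_offset, "size": sh_size}
    # Elf64_Phdr prefix: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
    dt_symtab = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        pos = p_offset  # walk Elf64_Dyn {d_tag, d_ptr} pairs until DT_NULL, as the asker does
        while pos + 16 <= p_offset + p_filesz:
            d_tag, d_ptr = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_SYMTAB:
                dt_symtab = d_ptr
            pos += 16
    return {"sections": sections, "dt_symtab": dt_symtab}


def _mapped(secs: dict, name: str) -> bool:
    """True only if the section exists and the loader will map it (SHF_ALLOC set)."""
    return name in secs and bool(secs[name]["flags"] & SHF_ALLOC)


def symtab_report(data: bytes) -> dict:
    """Check the answer's claims for one ELF image read from disk."""
    elf = parse_elf64(data)
    secs = elf["sections"]
    dynsym_addr = secs.get(".dynsym", {}).get("addr")
    return {
        "symtab_present": ".symtab" in secs,             # False for a fully stripped binary
        "symtab_in_memory": _mapped(secs, ".symtab"),    # no SHF_ALLOC, so it is never loaded
        "dynsym_in_memory": _mapped(secs, ".dynsym"),
        "dt_symtab_is_dynsym": elf["dt_symtab"] is not None and elf["dt_symtab"] == dynsym_addr,
    }
```

Run it over any dynamically linked ELF64 binary (e.g. the Python interpreter itself) and the report shows .dynsym mapped, .symtab not mapped, and DT_SYMTAB pointing at .dynsym.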