Why are my libraries linked twice?


Take this gdb output for example:

(gdb) info proc mappings
process 3975
cmdline = '/mnt/hw6/rop-exploit'
cwd = '/mnt/hw6'
exe = '/mnt/hw6/rop-exploit'
Mapped address spaces:

    Start Addr   End Addr       Size     Offset objfile
     0x8048000  0x8049000     0x1000          0         /mnt/hw6/rop-exploit
     0x8049000  0x804a000     0x1000          0         /mnt/hw6/rop-exploit
     0x804a000  0x806b000    0x21000  0x804a000           [heap]
    0xb7d51000 0xb7e84000   0x133000          0      /lib/libc-2.7.so
    0xb7e84000 0xb7e85000     0x1000   0x133000      /lib/libc-2.7.so
    0xb7e85000 0xb7e87000     0x2000   0x134000      /lib/libc-2.7.so
    0xb7e87000 0xb7e8b000     0x4000 0xb7e87000        
    0xb7e8b000 0xb7fd4000   0x149000          0      /lib/tls/i686/cmov/libc-2.7.so
    0xb7fd4000 0xb7fd5000     0x1000   0x149000      /lib/tls/i686/cmov/libc-2.7.so
    0xb7fd5000 0xb7fd7000     0x2000   0x14a000      /lib/tls/i686/cmov/libc-2.7.so
    0xb7fd7000 0xb7fda000     0x3000 0xb7fd7000        
    0xb7fda000 0xb7fdc000     0x2000          0      /lib/tls/i686/cmov/libdl-2.7.so
    0xb7fdc000 0xb7fde000     0x2000     0x1000      /lib/tls/i686/cmov/libdl-2.7.so
    0xb7fe1000 0xb7fe3000     0x2000 0xb7fe1000        
    0xb7fe3000 0xb7fe4000     0x1000 0xb7fe3000           [vdso]
    0xb7fe4000 0xb7ffe000    0x1a000          0      /lib/ld-2.7.so
    0xb7ffe000 0xb8000000     0x2000    0x19000      /lib/ld-2.7.so
    0xbffeb000 0xc0000000    0x15000 0xbffeb000           [stack]
(gdb) list
13  }
15  int main(int argc, char** argv) {
16    void* libc = dlopen("/lib/libc-2.7.so", RTLD_NOW);
17    void* address = dlsym( libc, "__libc_init_first");
18    printf("Address of <__libc_init_first>: %p\n", address);
19    if(argc > 1) {
20      foo(argv[1]);
21    }
22    printf("Done.\n");
(gdb) x libc
0x804a020:  0xb7d51000
(gdb) print address 
$4 = (void *) 0xb7d672a0

You can see that three libraries are dynamically linked with the binary: libc-2.7.so, libc-2.7.so (from a different location, maybe this is done automatically) and libdl-2.7.so.

I don't understand why there are two to three entries in this list per library. I want to know what is going on there, and why they are separate entries.

I don't have any assumptions about what is going on there, and I don't know how I can explain any of this.

Take the first linked library for example:

The first section I assume is the library itself, it has the ELF header so I am convinced that it truly is the libc I have linked.

When I peek into the second entry of /lib/libc-2.7.so I just get lots of NULL bytes; I don't know what's going on here.

(gdb) x/100x 0xb7e84000
0xb7e84000: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7e84010: 0x00000000  0x00000000  0x00000000  0x00000000
0xb7e84020: 0x00000000  0x00000000  0x00000000  0x00000000

When I peek into the third entry of /lib/libc-2.7.so I get addresses to instructions (gadgets or functions maybe).

(gdb) x/100x 0xb7e85000
0xb7e85000: 0x0000006f  0xb7e671dc  0xb7e671e0  0xb7e671e4
0xb7e85010: 0xb7e671e8  0xb7e671ec  0xb7e671f0  0xb7e671f4
0xb7e85020: 0xb7e671f8  0xb7e671ff  0xb7e67206  0xb7e6720e

This is the example output I get from one of the addresses; it seems pretty convincing that this could be usable code.

(gdb) x/10i 0xb7e671e8
0xb7e671e8: push   %edi
0xb7e671e9: add    %dl,%fs:%gs:0x75(%eax,%ebp,2)
0xb7e671ef: add    %al,0x72(%esi)
0xb7e671f2: imul   $0x746153,(%eax),%eax
0xb7e671f8: push   %ebx
0xb7e671f9: jne    0xb7e67269
0xb7e671fb: fs
0xb7e671fc: popa   
0xb7e671fd: jns    0xb7e671ff
0xb7e671ff: dec    %ebp

My questions are: what are these three sections each doing? Why are they split up like that? What happens in the area where no corresponding label exists but is still mapped?

asked on Stack Overflow May 26, 2017 by zython • edited May 26, 2017 by zython

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0