#1: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

Specify address for a function in Relocatable Code

Code:
    #include <stdio.h>
    void blank()
    {
        printf("\n Hello World");
    }

then I did a relocatable ld on it:

    user@user-desktop:~/Dir$ ld -r blank.o

Then I took its objdump:

    user@user-Desktop:~/Dir$ objdump -d blank.o | more
    blank.o:     file format elf32-i386

    Disassembly of section .text:

    00000000 <blank>:
       0:   55                      push   %ebp
       1:   89 e5                   mov    %esp,%ebp
       3:   83 ec 08                sub    $0x8,%esp
       6:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
       d:   e8 fc ff ff ff          call   e <blank+0xe>
      12:   c9                      leave
      13:   c3                      ret

Is there any way I can make the function start at a specific address? For example, <ld -Ttext 08040000 blank.o> would make the "_start" of the binary start at the specified address. Here, since I do not have a _start (because I do not have a main() routine), this command fails.
#2: brewbuck (Senior software engineer; Join Date: Mar 2007; Location: Portland, OR; Posts: 5,381)

By definition a .o file is "relocatable" and therefore there is no way to force a specific symbol to load at a specific address. This can only be accomplished at link time when the object gets linked into a fully-located image. You could write a linker script to cause the linker to place the object at a specified address, but it would no longer be an object file, and could not participate in any further linking. If you are trying to make the object load somewhere specific, you have to do this when it is linked into a complete, working program. Your "-r" option did not accomplish anything. However, you can use "-r" to merge multiple .o files into a single .o file.

__________________
"Congratulations on your purchase. To begin using your quantum computer, set the power switch to both off and on simultaneously." -- raftpeople@slashdot
#3: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

Hey, thanks for replying. What I am trying to do is inject this code (well, not this code but different code without any function calls like printf) during run-time into a running process. The reason why I am looking to make the code start at a specific address is that I will be injecting it at that location in the different process. I know all jumps generated by the compiler are relative by default; however, I learnt it the hard way to never trust a compiler. So it might happen that the compiler generates an absolute jump which will cause my application to crash. Can you point me to a sample loader/linker script or compiler command to make the function bytecode start at a particular address? Thanks in advance.
#4: CornedBee (Cat without Hat; Join Date: Apr 2003; Posts: 8,439)

Sounds evil. Why do you need to trick the program this way?

__________________
All the buzzt!
CornedBee
"There is not now, nor has there ever been, nor will there ever be, any programming language in which it is the least bit difficult to write bad code." - Flon's Law
#5: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

It's part of a long code that is meant to prevent evil.
#6: brewbuck (Senior software engineer; Join Date: Mar 2007; Location: Portland, OR; Posts: 5,381)

Quote:
#7: Sebastiani (Guest; Join Date: Aug 2001; Posts: 4,923)

>> It's part of a long code that is meant to prevent evil.

Somehow, I have a hard time believing that. Can you give a more convincing argument that what you are trying is really legitimate?
#8: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

OK, it's tough for me to explain that what I am doing is legitimate. It is part of a long code that is meant to find if there are any issues in the system. The threat model I have in hand is forcing me to do it this way.
#9: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

As in, I would have to explain an entire topic of security research on this thread in order to explain that I am trying to do something legitimate. However, I can give one argument which may or may not convince everyone: a process that injects code in this fashion needs to have high elevation, which will not be possible in case it is a remote program being utilized by a cracker.
#10: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

Quote:
#11: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

Do I use the gcc -pie -fpie option?
#12: CornedBee (Cat without Hat; Join Date: Apr 2003; Posts: 8,439)

Yes, but the GCC must support this option. Not all do.
#13: raghu2383 (Registered User; Join Date: Jun 2008; Posts: 19)

Hey, thanks for replying. I was actually worried about a class of JMP instructions, which are:

1) FF: JMP (near) absolute to address given in operand (16 or 32 bit)
2) EA: JMP (far) absolute address given in operand

These two will jump to absolute addresses; the normal JMP instruction is EB or E9, which are relative jumps. So if FF & EA get generated during gcc, then I would have a problem inserting the new code. Which was why I was asking whether I can give an absolute address for a function while doing ld, or any way in which I can ensure that this class of instructions does not come in the byte code. Thanks in advance.
#14: matsp (Kernel hacker; Join Date: Jul 2007; Location: Farncombe, Surrey, England; Posts: 15,686)

-fpic should work to avoid absolute jumps and calls.

--
Mats

__________________
Compilers can produce warnings - make the compiler programmers happy: Use them!
Please don't PM me for help - and no, I don't do help over instant messengers.
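The question in posts #13 and #14 (does the emitted code depend on its load address, and did -fpic fix that?) is answered more reliably by the relocation table than by scanning for jump opcodes, because the position-dependent part of the post #1 function is not a jump at all: the `movl $0x0,(%esp)` that loads the string address carries an absolute R_386_32 relocation, while the `call` is PC-relative. The script below is an added example, not code from this thread or from any of its posters. It parses the text that `objdump -dr` prints (the `-r` flag interleaves relocation entries with the disassembly), buckets i386 relocation types into absolute versus position-independent, and lists indirect transfers as a secondary hint. The two embedded dumps are constructed: the first mirrors the post #1 disassembly with the relocation lines `-r` adds, the second approximates what `gcc -fpic` emits on i386 (PC thunk, GOTPC, GOTOFF and PLT32 entries). The same check is what you run on a shared object or PIE build to confirm ASLR can actually move it.

```python
"""Classify the relocations that ``objdump -dr`` prints for an i386 .o file.

Added example, not code from this thread.  An R_386_32 relocation means the
linker will patch a fixed address into the bytes, so the code is only valid
at one load address.  PC-relative and GOT/PLT relocations stay valid wherever
the code lands, which is what -fpic buys you.  Jump opcodes alone do not tell
you this: a relative E8 call can sit right next to an absolute address load.
"""
import re
import sys
from typing import Dict, List, Tuple

Reloc = Tuple[int, str, str]   # (offset, type, symbol)
Insn = Tuple[int, str, str]    # (offset, mnemonic, operands)

# i386 relocation types, grouped by what they mean for position independence.
ABSOLUTE = {"R_386_32", "R_386_16", "R_386_8"}
RELATIVE = {"R_386_PC32", "R_386_PC16", "R_386_PC8", "R_386_PLT32",
            "R_386_GOTPC", "R_386_GOTOFF", "R_386_GOT32", "R_386_GOT32X"}

# objdump -dr prints a relocation on its own line below the instruction it
# patches, e.g. "\t\t\t9: R_386_32\t.rodata"; instruction lines look like
# "   6:\tc7 04 24 00 00 00 00 \tmovl   $0x0,(%esp)".
RELOC_RE = re.compile(r"^\s*([0-9a-f]+):\s+(R_\w+)\s+(\S+)\s*$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2}\s+)+)(\S+)\s*(.*)$")


def parse_objdump(text: str) -> Tuple[List[Reloc], List[Insn]]:
    """Split objdump -dr output into relocation entries and instructions."""
    relocs: List[Reloc] = []
    insns: List[Insn] = []
    for line in text.splitlines():
        m = RELOC_RE.match(line)
        if m:
            relocs.append((int(m.group(1), 16), m.group(2), m.group(3)))
            continue
        m = INSN_RE.match(line)
        # A continuation line of raw bytes would leave a hex pair as the
        # "mnemonic"; skip those.
        if m and not re.fullmatch(r"[0-9a-f]{2}", m.group(3)):
            insns.append((int(m.group(1), 16), m.group(3), m.group(4).strip()))
    return relocs, insns


def classify(relocs: List[Reloc]) -> Dict[str, List[Reloc]]:
    """Bucket relocations into absolute, position-independent and unknown."""
    report: Dict[str, List[Reloc]] = {"absolute": [], "relative": [], "unknown": []}
    for rel in relocs:
        key = ("absolute" if rel[1] in ABSOLUTE else
               "relative" if rel[1] in RELATIVE else "unknown")
        report[key].append(rel)
    return report


def indirect_transfers(insns: List[Insn]) -> List[Insn]:
    """Transfers through an operand (FF /2, FF /4, EA, 9A) rather than a
    relative displacement.  A jump through a register is not position
    dependent by itself; how the target was computed is what matters, so this
    is only a secondary hint next to the relocation view."""
    return [i for i in insns
            if i[1] in ("ljmp", "lcall")
            or (i[1] in ("jmp", "call") and i[2].startswith("*"))]


def is_position_independent(text: str) -> bool:
    """True when no relocation in the dump requires a fixed load address."""
    report = classify(parse_objdump(text)[0])
    return not report["absolute"] and not report["unknown"]


# Constructed sample: the post #1 disassembly as objdump -dr would show it.
SAMPLE_NONPIC = """\
00000000 <blank>:
   0:\t55                   \tpush   %ebp
   1:\t89 e5                \tmov    %esp,%ebp
   3:\t83 ec 08             \tsub    $0x8,%esp
   6:\tc7 04 24 00 00 00 00 \tmovl   $0x0,(%esp)
\t\t\t9: R_386_32\t.rodata
   d:\te8 fc ff ff ff       \tcall   e <blank+0xe>
\t\t\te: R_386_PC32\tprintf
  12:\tc9                   \tleave
  13:\tc3                   \tret
"""

# Constructed sample approximating the same function built with gcc -fpic.
SAMPLE_PIC = """\
00000000 <blank>:
   0:\t55                   \tpush   %ebp
   1:\t89 e5                \tmov    %esp,%ebp
   3:\t53                   \tpush   %ebx
   4:\t83 ec 04             \tsub    $0x4,%esp
   7:\te8 fc ff ff ff       \tcall   8 <blank+0x8>
\t\t\t8: R_386_PC32\t__x86.get_pc_thunk.bx
   c:\t81 c3 02 00 00 00    \tadd    $0x2,%ebx
\t\t\te: R_386_GOTPC\t_GLOBAL_OFFSET_TABLE_
  12:\t8d 83 00 00 00 00    \tlea    0x0(%ebx),%eax
\t\t\t14: R_386_GOTOFF\t.rodata
  18:\t89 04 24             \tmov    %eax,(%esp)
  1b:\te8 fc ff ff ff       \tcall   1c <blank+0x1c>
\t\t\t1c: R_386_PLT32\tprintf
  20:\t83 c4 04             \tadd    $0x4,%esp
  23:\t5b                   \tpop    %ebx
  24:\t5d                   \tpop    %ebp
  25:\tc3                   \tret
"""

if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NONPIC
    relocs, insns = parse_objdump(dump)
    for kind, entries in classify(relocs).items():
        for off, rtype, sym in entries:
            print(f"{kind:8} {off:#06x} {rtype:<14} {sym}")
    for off, mn, ops in indirect_transfers(insns):
        print(f"indirect {off:#06x} {mn} {ops}")
    print("position independent:", is_position_independent(dump))
```

Pipe a real dump in with `objdump -dr blank.o | python3 reloc_check.py` (the file name is whatever you save the script as). Note that `-dr` only annotates code sections; switch jump tables in `.rodata` also carry absolute relocations in non-PIC builds, so for a complete answer run `readelf -r` on the object as well and apply the same classification to every relocation section.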