From Website:

Transcription

1 From Website: Hello World: C, Assembly, Object File and Executable By Dejan Lukan January 7th, 2013 Introduction Summary: In this article we ll take a look at the C program that prints Hello World! to the screen, which we ll assemble and compile. Then we ll compare the results and try to present what s happening beneath the curtains. Specifically, we will look at which sections are present in the transformation chain: from C code, to assembly code, to object file, to executable. Hello World Program: The Assembly First we need to write the hello world C program, which can be seen below: #include <stdio.h> int main() { printf("hello World!"); return 0; } It s a very simple program that doesn t actually do anything; we intentionally kept it this simple, so we will be able to focus on the bigger picture and not tons of code. We then need to compile the program to obtain the assembly code we don t want to do anything else right now. To do that we can use the -S option passed to the gcc program, which takes the source code of the program and generates the assembly instructions. We also want the masm Intel assembly source code and not some other format. We can achieve that by passing the -masm=intel to the gcc program. If we re on the 64- bit operating system, we also want to compile the program as 32-bit, which we can achieve by passing the -m32 argument to the gcc program. The whole gcc command that we re using can be seen in the output below: # gcc -m32 -masm=intel -S hello.c -o hello.s This command effectively takes the hello.c program and compiles it as 32-bit program into assembly instructions that are saved into the hello.s file. The hello.s file now looks like presented below:.file "hello.c".intel_syntax noprefix.section.rodata.lc0:.string "Hello World!".text.globl main.type main: push ebp

2 mov ebp, esp and esp, -16 sub esp, 16 mov eax, OFFSET FLAT:.LC0 mov DWORD PTR [esp], eax call printf mov eax, 0 leave ret.size main,.-main.ident "GCC: (Gentoo p1.0, pie-0.4.7) 4.5.4".section.note.GNU-stack,"",@progbits The.file directive states the original source file name that is normally used by debuggers. The.intel_syntax line specifies that we re using intel sytax assembly and not AT&T syntax. Afterwards we re defining the.rodata section, which is used for read-only data variables. In our case the.rodata section contains only the zero terminated string Hello World! that can be accessed with the LC0 variable. Then we re defining the.text section, which is used for the code of the program. First we must define the main function (notice the.type main,@function instruction), which is globally visible (notice the.globl main instruction). From the main: label till the ret instruction is the actual code of the program. That code first initializes the stack by pushing the value of the register EBP to the stack, moving the value of register ESP to EBP. The and esp,-16 is used for optimization because some operations can be performed faster if the stack pointer address is in a multiple of 16 bytes. That instruction is put in there because by default, gcc uses the optimization flag -O2. Then we re subtracting 16 bytes from the current ESP stack pointer register for local variables. Next, the address to the LC0 (our Hello World! string) is read into the register eax and moved to the top of the stack, which is the first and only parameter to the printf function that is called right after. The printf function prints that string on the screen and returns to the caller, which takes care of the stack and returns. The.size instruction sets the size of the main function. The.-main holds the exact size of the function main, which is written to the object file. The.ident instruction saves the GCC: (Gentoo p1.0, pie-0.4.7) string to the object file in order to save the information about the compiler which was used to compile the executable. Hello World Program: The Object File We ve seen the assembly code that was generated by the gcc directly from the corresponding C source code. But without the actual assembler and linker we can t run the executable. To assemble the executable into the object file, we must use the -c option with the gcc compiler, which only assembles/compiles the source file, but does not actually link it. To obtain the object file from the assembly code we need to run the command below: # gcc -m32 -masm=intel -c hello.s -o hello.o # file hello.o hello.o: ELF 32-bit LSB relocatable, Intel 80386, version 1 (SYSV), not stripped We can see that the hello.o is the object file that is actually an ELF 32-bit executable, which is not linked yet. If we want to run the executable, it will fail as noted below: # chmod +x hello.o #./hello.o bash:./hello.o: cannot execute binary file We can read the contents of the object file with the readelf program as follows:

3 # readelf -a hello.o ELF Header: Magic: 7f 45 4c Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: REL (Relocatable file) Machine: Intel Version: 0x1 Entry point address: Start of program headers: 0 (bytes into file) Start of section headers: 224 (bytes into file) Flags: Size of this header: 52 (bytes) Size of program headers: 0 (bytes) Number of program headers: 0 Size of section headers: 40 (bytes) Number of section headers: 11 Section header string table index: 8 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL [ 1].text PROGBITS d 00 AX [ 2].rel.text REL [ 3].data PROGBITS WA [ 4].bss NOBITS WA [ 5].rodata PROGBITS d 00 A [ 6].comment PROGBITS b 01 MS [ 7].note.GNU-stack PROGBITS c [ 8].shstrtab STRTAB c [ 9].symtab SYMTAB a [10].strtab STRTAB Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file. There are no program headers in this file. Relocation section '.rel.text' at offset 0x350 contains 2 entries: Offset Info Type Sym.Value Sym. Name a R_386_ rodata R_386_PC printf There are no unwind sections in this file. Symbol table '.symtab' contains 10 entries: Num: Value Size Type Bind Vis Ndx Name 0: NOTYPE LOCAL DEFAULT UND

4 1: FILE LOCAL DEFAULT ABS hello.c 2: SECTION LOCAL DEFAULT 1 3: SECTION LOCAL DEFAULT 3 4: SECTION LOCAL DEFAULT 4 5: SECTION LOCAL DEFAULT 5 6: SECTION LOCAL DEFAULT 7 7: SECTION LOCAL DEFAULT 6 8: FUNC GLOBAL DEFAULT 1 main 9: NOTYPE GLOBAL DEFAULT UND printf No version information found in this file. We can see that the file is an ELF object file that has 11 section headers. The first section header is null. The second section header is.text, which contains the executable instructions of the program. The.rel.text holds the relocation information of the.text section. The relocation entries must be present, as our program instructions call external functions, whose function pointers must be updated upon the program execution. In the output above, we can see that the.rel.text holds two relocation entries: the.rodata and printf. The.data section holds the initialized data, while the.bss section holds uninitialized data that the program uses. The.rodata holds read-only data that can be used by the program; this is where our Hello World! string is stored. The.comment section holds version control information and the.note.gnu-stack holds some additional data that I won t describe here. The.shstrtab holds section names, while the.strtab holds section strings and the.symtab holds the symbol table. We can quickly figure out that in the assembly code there was only the.rodata and.text sections defined, but when we translated the assembly code into the object file, quite some sections were added to the file. Those sections are needed to successfully link the executable and properly execute the program. Hello World Program: The Executable The last step is to actually link the object file to make an executable. To do that, we must execute the command below: # gcc -m32 hello.o -o hello #./hello Hello World! We ve linked the object file hello.o into the executable./hello and executed it. Upon execution of the program, the program outputted the Hello World! string as it should. If we take a look at the ELF again, we can see that there is a lot of other information and file sections added to the executable, which can be seen below: $ readelf -a hello ELF Header: Magic: 7f 45 4c Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: Intel Version: 0x1 Entry point address: 0x

5 Start of program headers: 52 (bytes into file) Start of section headers: 4392 (bytes into file) Flags: Size of this header: 52 (bytes) Size of program headers: 32 (bytes) Number of program headers: 10 Size of section headers: 40 (bytes) Number of section headers: 30 Section header string table index: 27 Section Headers: [Nr] Name Type Addr Off Size ES Flg Lk Inf Al [ 0] NULL [ 1].interp PROGBITS A [ 2].note.ABI-tag NOTE A [ 3].hash HASH a8 0001a A [ 4].gnu.hash GNU_HASH d0 0001d A [ 5].dynsym DYNSYM f0 0001f A [ 6].dynstr STRTAB c 00 A [ 7].gnu.version VERSYM c 00028c 00000a 02 A [ 8].gnu.version_r VERNEED A [ 9].rel.dyn REL b8 0002b A [10].rel.plt REL c0 0002c A [11].init PROGBITS d8 0002d AX [12].plt PROGBITS f0 0002f AX [13].text PROGBITS c 00 AX [14].fini PROGBITS cc 0004cc 00001c 00 AX [15].rodata PROGBITS e8 0004e A [16].eh_frame_hdr PROGBITS A [17].eh_frame PROGBITS A [18].ctors PROGBITS 08049f0c 000f0c WA [19].dtors PROGBITS 08049f14 000f WA [20].jcr PROGBITS 08049f1c 000f1c WA [21].dynamic DYNAMIC 08049f20 000f d0 08 WA [22].got PROGBITS 08049ff0 000ff WA [23].got.plt PROGBITS 08049ff4 000ff WA [24].data PROGBITS 0804a00c 00100c WA [25].bss NOBITS 0804a WA [26].comment PROGBITS a 01 MS [27].shstrtab STRTAB e 0000e [28].symtab SYMTAB d [29].strtab STRTAB d Key to Flags: W (write), A (alloc), X (execute), M (merge), S (strings) I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown) O (extra OS processing required) o (OS specific), p (processor specific) There are no section groups in this file.

6 Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align PHDR R E 0x4 INTERP R 0x1 [Requesting program interpreter: /lib/ld-linux.so.2] LOAD R E 0x1000 LOAD 00f0c 8049f0c 8049f0c RW 0x1000 DYNAMIC 00f f f20 00d0 00d0 RW 0x4 NOTE R 0x4 GNU_EH_FRAME R 0x4 GNU_STACK RW 0x4 GNU_RELRO 00f0c 8049f0c 8049f0c 00f4 00f4 R 0x1 PAX_FLAGS x4 Section to Segment mapping: Segment Sections interp 02.interp.note.ABI-tag.hash.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.plt.text.fini.rodata.eh_frame_hdr.eh_frame 03.ctors.dtors.jcr.dynamic.got.got.plt.data.bss 04.dynamic 05.note.ABI-tag 06.eh_frame_hdr ctors.dtors.jcr.dynamic.got 09 Dynamic section at offset 0xf20 contains 21 entries: Tag Type Name/Value (NEEDED) Shared library: [libc.so.6] c (INIT) 0x80482d d (FINI) 0x80484cc (HASH) 0x80481a8 0x6ffffef5 (GNU_HASH) 0x80481d (STRTAB) 0x (SYMTAB) 0x80481f a (STRSZ) 76 (bytes) b (SYMENT) 16 (bytes) (DEBUG) (PLTGOT) 0x8049ff (PLTRELSZ) 24 (bytes) (PLTREL) REL (JMPREL) 0x80482c (REL) 0x80482b (RELSZ) 8 (bytes) (RELENT) 8 (bytes)

7 0x6ffffffe (VERNEED) 0x x6fffffff (VERNEEDNUM) 1 0x6ffffff0 (VERSYM) 0x804828c (NULL) Relocation section '.rel.dyn' at offset 0x2b8 contains 1 entries: Offset Info Type Sym.Value Sym. Name 08049ff R_386_GLOB_DAT gmon_start Relocation section '.rel.plt' at offset 0x2c0 contains 3 entries: Offset Info Type Sym.Value Sym. Name 0804a R_386_JUMP_SLOT printf 0804a R_386_JUMP_SLOT gmon_start 0804a R_386_JUMP_SLOT libc_start_main There are no unwind sections in this file. Symbol table '.dynsym' contains 5 entries: Num: Value Size Type Bind Vis Ndx Name 0: NOTYPE LOCAL DEFAULT UND 1: FUNC GLOBAL DEFAULT UND printf@glibc_2.0 (2) 2: NOTYPE WEAK DEFAULT UND gmon_start 3: FUNC GLOBAL DEFAULT UND libc_start_main@glibc_2.0 (2) 4: ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used Symbol table '.symtab' contains 52 entries: Num: Value Size Type Bind Vis Ndx Name 0: NOTYPE LOCAL DEFAULT UND 1: SECTION LOCAL DEFAULT 1 2: SECTION LOCAL DEFAULT 2 3: a8 0 SECTION LOCAL DEFAULT 3 4: d0 0 SECTION LOCAL DEFAULT 4 5: f0 0 SECTION LOCAL DEFAULT 5 6: SECTION LOCAL DEFAULT 6 7: c 0 SECTION LOCAL DEFAULT 7 8: SECTION LOCAL DEFAULT 8 9: b8 0 SECTION LOCAL DEFAULT 9 10: c0 0 SECTION LOCAL DEFAULT 10 11: d8 0 SECTION LOCAL DEFAULT 11 12: f0 0 SECTION LOCAL DEFAULT 12 13: SECTION LOCAL DEFAULT 13 14: cc 0 SECTION LOCAL DEFAULT 14 15: e8 0 SECTION LOCAL DEFAULT 15 16: SECTION LOCAL DEFAULT 16 17: SECTION LOCAL DEFAULT 17 18: 08049f0c 0 SECTION LOCAL DEFAULT 18 19: 08049f14 0 SECTION LOCAL DEFAULT 19 20: 08049f1c 0 SECTION LOCAL DEFAULT 20

8 21: 08049f20 0 SECTION LOCAL DEFAULT 21 22: 08049ff0 0 SECTION LOCAL DEFAULT 22 23: 08049ff4 0 SECTION LOCAL DEFAULT 23 24: 0804a00c 0 SECTION LOCAL DEFAULT 24 25: 0804a014 0 SECTION LOCAL DEFAULT 25 26: SECTION LOCAL DEFAULT 26 27: FILE LOCAL DEFAULT ABS hello.c 28: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 init_array_end 29: 08049f20 0 OBJECT LOCAL DEFAULT 21 _DYNAMIC 30: 08049f0c 0 NOTYPE LOCAL DEFAULT 18 init_array_start 31: 08049ff4 0 OBJECT LOCAL DEFAULT 23 _GLOBAL_OFFSET_TABLE_ 32: FUNC GLOBAL DEFAULT 13 libc_csu_fini 33: FUNC GLOBAL HIDDEN 13 i686.get_pc_thunk.bx 34: 0804a00c 0 NOTYPE WEAK DEFAULT 24 data_start 35: FUNC GLOBAL DEFAULT UND printf@@glibc_2.0 36: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS _edata 37: cc 0 FUNC GLOBAL DEFAULT 14 _fini 38: 08049f18 0 OBJECT GLOBAL HIDDEN 19 DTOR_END 39: 0804a00c 0 NOTYPE GLOBAL DEFAULT 24 data_start 40: NOTYPE WEAK DEFAULT UND gmon_start 41: 0804a010 0 OBJECT GLOBAL HIDDEN 24 dso_handle 42: ec 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used 43: FUNC GLOBAL DEFAULT UND libc_start_main@@glibc_ 44: FUNC GLOBAL DEFAULT 13 libc_csu_init 45: 0804a01c 0 NOTYPE GLOBAL DEFAULT ABS _end 46: FUNC GLOBAL DEFAULT 13 _start 47: e8 4 OBJECT GLOBAL DEFAULT 15 _fp_hw 48: 0804a014 0 NOTYPE GLOBAL DEFAULT ABS bss_start 49: FUNC GLOBAL DEFAULT 13 main 50: NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses 51: d8 0 FUNC GLOBAL DEFAULT 11 _init Histogram for bucket list length (total of 3 buckets): Length Number % of total Coverage 0 0 ( 0.0%) 1 2 ( 66.7%) 50.0% 2 1 ( 33.3%) 100.0% Histogram for `.gnu.hash' bucket list length (total of 2 buckets): Length Number % of total Coverage 0 1 ( 50.0%) 1 1 ( 50.0%) 100.0% Version symbols section '.gnu.version' contains 5 entries: Addr: c Offset: 0028c Link: 5 (.dynsym) 000: 0 (*local*) 2 (GLIBC_2.0) 0 (*local*) 2 (GLIBC_2.0) 004: 1 (*global*)

9 Version needs section '.gnu.version_r' contains 1 entries: Addr: Offset: Link: 6 (.dynstr) : Version: 1 File: libc.so.6 Cnt: 1 010: Name: GLIBC_2.0 Flags: none Version: 2 Notes at offset with length : Owner Data size Description GNU NT_GNU_ABI_TAG (ABI version tag) OS: Linux, ABI: Conclusion We ve now seen how a simple program written in C is converted into the assembly code, the object file and finally the executable file. While in the C code, the program didn t have any sections, it had two sections in assembly dialect: the.rodata and.text. When we compiled it into an object file and finally into the executable, the file had more and more sections that are needed for the program to be executed successfully.