0959df56e86b09156666ca073f25080007aa898c
explain/rtld.md
| ... | ... | @@ -71,6 +71,16 @@ We can read this address, to which we add an offset (to the instruction that |
| 71 | 71 | fetches the `link_map`, which is placed in a global variable) to decode the |
| 72 | 72 | offset to the `link_map`, and voila. |
| 73 | 73 | |
| 74 | + (`_dl_start_user` excerpt) |
|
| 75 | + |
|
| 76 | +The code that fetches the pointer to the `link_map` is then as follows: |
|
| 77 | + |
|
| 78 | + |
|
| 79 | + mov r12, [rsp - 8] ; return address of _dl_init |
|
| 80 | + mov ebx, dword [r12 - 20] ; decode part of 'mov rdi, [rel _rtld_global]' ('movq _rtld_global(%rip), %rdi') |
|
| 81 | + mov r12, [r12 + rbx - 16] ; ??? |
|
| 82 | + ; r12 is now the link_map pointer |
|
| 83 | + |
|
| 74 | 84 | Secondly, instead of iterating over the symbol tables (and having to compute |
| 75 | 85 | the hashes of every symbol), we can use the [internal `link_map` data in glibc |
| 76 | 86 | ](https://code.woboq.org/userspace/glibc/include/link.h.html#link_map) to access |