SPI is currently not able to find the callee of plt stubs if the function address is not bound.
Programs now use plt stubs to call exported functions. The plt stubs usually consist of three instructions:

1. an indirect jump to an entry in the GOT
2. a push of an index onto the stack
3. a jump to the resolver function
When a program calls an exported function, there are two cases. In the case where the exported function is already bound (meaning the exported function address is already resolved and saved in the GOT), it just calls the first instruction in the plt stub. In the other case, where the exported function is not bound yet, it calls the second instruction in the plt stub, which calls the resolver function. The first case is the easy case: we can get the callee by computing the effective address and looking up the function by address. In the second case, we are unable to recognize any function call in the plt stub, and thus miss this callee.
The tentative fix is to instrument the resolver function directly. Inside the resolver function, it tries to find the exported function address and calls that function. If we can correctly parse the resolver function and recognize the call instruction at the end, we will be able to find all exported functions that we missed in the plt stub.
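To make the bound/unbound distinction concrete, here is an added example (my own code, not SPI or Dyninst code) that walks the running executable's own `.rela.plt` table through `dl_iterate_phdr`, names every PLT slot from `.dynsym`/`.dynstr`, and classifies each GOT entry: a value that still points back into the executable's text segment is the stub's own "push index; jmp resolver" half (not yet bound), anything else is a resolved callee. It assumes Linux, a 64-bit ELF (RELA-style PLT, as on x86-64 and AArch64) and glibc; the names `scan_dynamic`, `scan_self`, `slot_state` and `fixture_check` are mine, and `fixture_check` runs the same logic over a constructed in-memory dynamic section so the classification can be checked without a real binary.

```c
/* Map each PLT slot of a 64-bit ELF to its symbol and classify the GOT entry as
 * bound (resolved) or still pointing into the stub (lazy). Added example;
 * assumes Linux, glibc, RELA-style PLT relocations (x86-64, AArch64). */
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 256

struct plt_slot {
    const char *name;   /* symbol the stub resolves to (.dynsym/.dynstr) */
    uintptr_t  got;     /* address of the GOT entry the stub jumps through */
    uintptr_t  target;  /* what that GOT entry currently holds */
    int        bound;   /* 0: target is inside our own text, i.e. the unresolved stub */
};

/* glibc's ld.so relocates DT_SYMTAB/DT_STRTAB/DT_JMPREL in place, other loaders do
 * not: a value below the load bias is treated as still unrelocated (heuristic). */
static uintptr_t relocated(uintptr_t p, uintptr_t bias) { return p < bias ? p + bias : p; }

/* Walk DT_JMPREL (the .rela.plt table) of one object. [text_lo,text_hi) is that
 * object's executable segment; a GOT entry pointing there has not been bound yet. */
static int scan_dynamic(const Elf64_Dyn *dyn, uintptr_t bias, uintptr_t text_lo,
                        uintptr_t text_hi, struct plt_slot *out, int max)
{
    const Elf64_Rela *jmprel = NULL;
    const Elf64_Sym *symtab = NULL;
    const char *strtab = NULL;
    size_t pltrelsz = 0;
    int n = 0;

    for (; dyn->d_tag != DT_NULL; dyn++) {
        switch (dyn->d_tag) {
        case DT_JMPREL:   jmprel = (const Elf64_Rela *)relocated(dyn->d_un.d_ptr, bias); break;
        case DT_SYMTAB:   symtab = (const Elf64_Sym *)relocated(dyn->d_un.d_ptr, bias); break;
        case DT_STRTAB:   strtab = (const char *)relocated(dyn->d_un.d_ptr, bias); break;
        case DT_PLTRELSZ: pltrelsz = dyn->d_un.d_val; break;
        case DT_PLTREL:   if (dyn->d_un.d_val != DT_RELA) return 0; break; /* REL PLTs not handled */
        }
    }
    if (!jmprel || !symtab || !strtab) return 0;

    for (size_t i = 0; i < pltrelsz / sizeof(Elf64_Rela) && n < max; i++) {
        uintptr_t got = jmprel[i].r_offset + bias;   /* r_offset is never pre-relocated */
        uintptr_t target = *(const uintptr_t *)got;  /* current GOT contents */
        out[n].name   = strtab + symtab[ELF64_R_SYM(jmprel[i].r_info)].st_name;
        out[n].got    = got;
        out[n].target = target;
        out[n].bound  = !(target >= text_lo && target < text_hi);
        n++;
    }
    return n;
}

struct self_ctx { struct plt_slot *out; int max; int n; };

static int on_object(struct dl_phdr_info *info, size_t size, void *arg)
{
    struct self_ctx *ctx = arg;
    const Elf64_Dyn *dyn = NULL;
    uintptr_t text_lo = 0, text_hi = 0;
    (void)size;
    for (int i = 0; i < info->dlpi_phnum; i++) {
        const Elf64_Phdr *ph = &info->dlpi_phdr[i];
        if (ph->p_type == PT_DYNAMIC)
            dyn = (const Elf64_Dyn *)(info->dlpi_addr + ph->p_vaddr);
        else if (ph->p_type == PT_LOAD && (ph->p_flags & PF_X)) {
            text_lo = info->dlpi_addr + ph->p_vaddr;     /* where the PLT stubs live */
            text_hi = text_lo + ph->p_memsz;
        }
    }
    if (dyn)
        ctx->n = scan_dynamic(dyn, info->dlpi_addr, text_lo, text_hi, ctx->out, ctx->max);
    return 1;  /* dl_iterate_phdr visits the main executable first; stop there */
}

/* Scan the running executable's own PLT. */
int scan_self(struct plt_slot *out, int max)
{
    struct self_ctx ctx = { out, max, 0 };
    dl_iterate_phdr(on_object, &ctx);
    return ctx.n;
}

/* 1 = bound, 0 = still lazy, -1 = no PLT slot for that symbol (e.g. -fno-plt, static link). */
int slot_state(const char *name)
{
    struct plt_slot slots[MAX_SLOTS];
    int n = scan_self(slots, MAX_SLOTS);
    for (int i = 0; i < n; i++)
        if (strcmp(slots[i].name, name) == 0) return slots[i].bound;
    return -1;
}

/* Constructed fixture, not a real binary: two slots, one still pointing into a fake
 * text range (lazy) and one resolved elsewhere. Returns 1 if both are classified right. */
int fixture_check(void)
{
    static const char strtab[] = "\0puts\0malloc";
    static const Elf64_Sym symtab[3] = { {0}, { .st_name = 1 }, { .st_name = 6 } };
    static uintptr_t text[4], got[2];            /* text[] stands in for .plt */
    static Elf64_Rela rela[2];
    static Elf64_Dyn dyn[5];
    struct plt_slot s[2];

    got[0] = (uintptr_t)&text[1];                /* unresolved: GOT points at the stub's push */
    got[1] = (uintptr_t)0x7f0000001000;          /* resolved: somewhere in a library */
    rela[0].r_offset = (uintptr_t)&got[0]; rela[0].r_info = ELF64_R_INFO(1, 7);
    rela[1].r_offset = (uintptr_t)&got[1]; rela[1].r_info = ELF64_R_INFO(2, 7);
    dyn[0].d_tag = DT_SYMTAB;   dyn[0].d_un.d_ptr = (uintptr_t)symtab;
    dyn[1].d_tag = DT_STRTAB;   dyn[1].d_un.d_ptr = (uintptr_t)strtab;
    dyn[2].d_tag = DT_JMPREL;   dyn[2].d_un.d_ptr = (uintptr_t)rela;
    dyn[3].d_tag = DT_PLTRELSZ; dyn[3].d_un.d_val = sizeof rela;
    dyn[4].d_tag = DT_NULL;

    int n = scan_dynamic(dyn, 0, (uintptr_t)text, (uintptr_t)(text + 4), s, 2);
    return n == 2 && strcmp(s[0].name, "puts") == 0 && s[0].bound == 0
                  && strcmp(s[1].name, "malloc") == 0 && s[1].bound == 1;
}

int main(void)
{
    struct plt_slot slots[MAX_SLOTS];
    printf("puts before first call: %d\n", slot_state("puts")); /* 0 lazy, 1 under -z now */
    puts("hello via the PLT");
    printf("puts after first call:  %d\n", slot_state("puts")); /* 1: GOT now holds libc's puts */
    int n = scan_self(slots, MAX_SLOTS);
    for (int i = 0; i < n; i++)
        printf("%-20s got=%#lx -> %#lx %s\n", slots[i].name, (unsigned long)slots[i].got,
               (unsigned long)slots[i].target, slots[i].bound ? "bound" : "lazy (stub)");
    return fixture_check() ? 0 : 1;
}
```

The point for an analysis tool is that the callee name is recoverable from the relocation entry that owns the GOT slot whether or not the slot is bound, so a static pass over `.rela.plt` finds every callee that the resolver-instrumentation approach would otherwise have to catch at run time; the caveat is that binaries built with `-z now` show every slot bound from the start, and binaries built with `-fno-plt` or linked statically have no jump slots at all (here `slot_state` returns -1). The same scan is also a cheap integrity check: a GOT entry that points neither into the stub region nor into a loaded library is the signature of a GOT overwrite.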