Function calling
Nicolas Cormier
n.cormier at gmail.com
Wed Apr 5 15:35:14 UTC 2006
On 4/4/06, Lutz Boehne <lboehne at damogran.de> wrote:
> Hi,
>
> > But when the program uses the libc I have more RET than call ...
> > What's the good way to find function calls and return ?
>
> I'm doing something similar at the moment, utilizing the Branch Single
> Stepping feature available in most x86 CPUs and came across that same problem.
>
> While debugging the issue, I found out that the dynamic linker "calls"
> requested functions by returning to them. I believe this is done because this
> is a (the only) generic way to "call" a variable addresses without destroying
> register contents. Any further info or a confirmation of that guess would be
> much appreciated.
>
> --- the code in /usr/src/libexec/rtld-elf/i386/rtld_start.S:
> /*
> * Binder entry point. Control is transferred to here by code in the PLT.
> * On entry, there are two arguments on the stack. In ascending address
> * order, they are (1) "obj", a pointer to the calling object's Obj_Entry,
> * and (2) "reloff", the byte offset of the appropriate relocation entry
> * in the PLT relocation table.
> *
> * We are careful to preserve all registers, even the the caller-save
> * registers. That is because this code may be invoked by low-level
> * assembly-language code that is not ABI-compliant.
> */
> .align 4
> .globl _rtld_bind_start
> .type _rtld_bind_start, at function
> _rtld_bind_start:
> pushf # Save eflags
> pushl %eax # Save %eax
> pushl %edx # Save %edx
> pushl %ecx # Save %ecx
> pushl 20(%esp) # Copy reloff argument
> pushl 20(%esp) # Copy obj argument
>
> call _rtld_bind at PLT # Transfer control to the binder
> /* Now %eax contains the entry point of the function being called. */
>
> addl $8,%esp # Discard binder arguments
> movl %eax,20(%esp) # Store target over obj argument
> popl %ecx # Restore %ecx
> popl %edx # Restore %edx
> popl %eax # Restore %eax
> popf # Restore eflags
> leal 4(%esp),%esp # Discard reloff, do not change eflags
> ret # "Return" to target address
> ---
>
> Lutz
>
>
>
Thanks for your answer, it's more difficult than I thought :(
More information about the freebsd-hackers
mailing list