Lazy Binding
Most binaries are linked dynamically to reduce file size. Unlike static binaries, dynamic binaries do not include their library dependencies as part of the executable, but instead rely on the host system to provide the necessary libraries.
To further improve performance, symbol lookup (resolution of function names to the actual code in memory) in dynamic binaries is done lazily. In lazy binding, the symbol lookup is only carried out the first time the function is called and stored for later use. This way, library functions that are never used by the binary are never loaded or resolved.
The mechanism behind lazy binding mainly relies on two program sections: the Global Offset Table (GOT) and the Procedure Linkage Table (PLT). There is also a third section, got.plt, that stores references to addresses in the PLT.
The lazy binding process can be visualized with GDB. In the below examples, the GOT and got.plt are listed before and then after the callme_one function has been called.
-
Viewing the PLT:
| pwndbg> plt
Section .plt 0x4006c0-0x400760:
0x4006d0: puts@plt
0x4006e0: printf@plt
0x4006f0: callme_three@plt
0x400700: memset@plt
0x400710: read@plt
0x400720: callme_one@plt
0x400730: setvbuf@plt
0x400740: callme_two@plt
0x400750: exit@plt
|
-
GOT before the call to callme_one:
| pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)
State of the GOT of /home/admin/sboxshare/ropemporium/03-callme/callme:
GOT protection: Partial RELRO | Found 9 GOT entries passing the filter
[0x601018] puts@GLIBC_2.2.5 -> 0x7f374806aaa0 (puts) ◂— endbr64
[0x601020] printf@GLIBC_2.2.5 -> 0x7f3748042b40 (printf) ◂— endbr64
[0x601028] callme_three -> 0x4006f6 (callme_three@plt+6) ◂— push 2
[0x601030] memset@GLIBC_2.2.5 -> 0x7f3748155480 (__memset_avx2_unaligned_erms) ◂— endbr64
[0x601038] read@GLIBC_2.2.5 -> 0x7f37480f4980 (read) ◂— endbr64
[0x601040] callme_one -> 0x400726 (callme_one@plt+6) ◂— push 5
[0x601048] setvbuf@GLIBC_2.2.5 -> 0x7f374806b250 (setvbuf) ◂— endbr64
[0x601050] callme_two -> 0x400746 (callme_two@plt+6) ◂— push 7
[0x601058] exit@GLIBC_2.2.5 -> 0x400756 (exit@plt+6) ◂— push 8
pwndbg> disass 'callme_one@got.plt'
Dump of assembler code for function callme_one@got.plt:
0x0000000000400720 <+0>: jmp QWORD PTR [rip+0x20091a] # 0x601040 <callme_one@got.plt>
0x0000000000400726 <+6>: push 0x5
0x000000000040072b <+11>: jmp 0x4006c0
End of assembler dump.
|
0x5 in the case above and jump back to the top of the PLT. The entire PLT can be disassembled from the target address on the last line:
| pwndbg> x/30i 0x4006c0
0x4006c0: push QWORD PTR [rip+0x200942] # 0x601008
0x4006c6: jmp QWORD PTR [rip+0x200944] # 0x601010
0x4006cc: nop DWORD PTR [rax+0x0]
0x4006d0 <puts@plt>: jmp QWORD PTR [rip+0x200942] # 0x601018 <puts@got.plt>
0x4006d6 <puts@plt+6>: push 0x0
0x4006db <puts@plt+11>: jmp 0x4006c0
0x4006e0 <printf@plt>: jmp QWORD PTR [rip+0x20093a] # 0x601020 <printf@got.plt>
0x4006e6 <printf@plt+6>: push 0x1
0x4006eb <printf@plt+11>: jmp 0x4006c0
0x4006f0 <callme_three@plt>: jmp QWORD PTR [rip+0x200932] # 0x601028 <callme_three@got.plt>
0x4006f6 <callme_three@plt+6>: push 0x2
0x4006fb <callme_three@plt+11>: jmp 0x4006c0
0x400700 <memset@plt>: jmp QWORD PTR [rip+0x20092a] # 0x601030 <memset@got.plt>
0x400706 <memset@plt+6>: push 0x3
0x40070b <memset@plt+11>: jmp 0x4006c0
0x400710 <read@plt>: jmp QWORD PTR [rip+0x200922] # 0x601038 <read@got.plt>
0x400716 <read@plt+6>: push 0x4
0x40071b <read@plt+11>: jmp 0x4006c0
0x400720 <callme_one@plt>: jmp QWORD PTR [rip+0x20091a] # 0x601040 <callme_one@got.plt>
0x400726 <callme_one@plt+6>: push 0x5
0x40072b <callme_one@plt+11>: jmp 0x4006c0
...
|
-
GOT after the call to callme_one:
| pwndbg> got
Filtering out read-only entries (display them with -r or --show-readonly)
State of the GOT of /home/admin/sboxshare/ropemporium/03-callme/callme:
GOT protection: Partial RELRO | Found 9 GOT entries passing the filter
[0x601018] puts@GLIBC_2.2.5 -> 0x7f374806aaa0 (puts) ◂— endbr64
[0x601020] printf@GLIBC_2.2.5 -> 0x7f3748042b40 (printf) ◂— endbr64
[0x601028] callme_three -> 0x4006f6 (callme_three@plt+6) ◂— push 2
[0x601030] memset@GLIBC_2.2.5 -> 0x7f3748155480 (__memset_avx2_unaligned_erms) ◂— endbr64
[0x601038] read@GLIBC_2.2.5 -> 0x7f37480f4980 (read) ◂— endbr64
[0x601040] callme_one -> 0x7f374820081a (callme_one) ◂— push rbp
[0x601048] setvbuf@GLIBC_2.2.5 -> 0x7f374806b250 (setvbuf) ◂— endbr64
[0x601050] callme_two -> 0x400746 (callme_two@plt+6) ◂— push 7
[0x601058] exit@GLIBC_2.2.5 -> 0x400756 (exit@plt+6) ◂— push 8
|
Once the callme_one function is called and resolved, the address on the GOT is updated to point to the callme_one function code. The code can be found by disassembling from the highlighted address above, or by repeating the disassembly from got.plt from earlier:
-
got.plt after the call to callme_one:
| pwndbg> disass 'callme_one@got.plt'
Dump of assembler code for function callme_one:
0x00007f374820081a <+0>: push rbp
0x00007f374820081b <+1>: mov rbp,rsp
0x00007f374820081e <+4>: sub rsp,0x30
0x00007f3748200822 <+8>: mov QWORD PTR [rbp-0x18],rdi
0x00007f3748200826 <+12>: mov QWORD PTR [rbp-0x20],rsi
0x00007f374820082a <+16>: mov QWORD PTR [rbp-0x28],rdx
0x00007f374820082e <+20>: movabs rax,0xdeadbeefdeadbeef
0x00007f3748200838 <+30>: cmp QWORD PTR [rbp-0x18],rax
0x00007f374820083c <+34>: jne 0x7f3748200912 <callme_one+248>
0x00007f3748200842 <+40>: movabs rax,0xcafebabecafebabe
0x00007f374820084c <+50>: cmp QWORD PTR [rbp-0x20],rax
...
|
callme_two, that hasn't been called yet will have the same function stub in both the PLT and got.plt:
| pwndbg> disass 'callme_two@plt'
Dump of assembler code for function callme_two@plt:
0x0000000000400740 <+0>: jmp QWORD PTR [rip+0x20090a] # 0x601050 <callme_two@got.plt>
0x0000000000400746 <+6>: push 0x7
0x000000000040074b <+11>: jmp 0x4006c0
End of assembler dump.
pwndbg> disass 'callme_two@got.plt'
Dump of assembler code for function callme_two@plt:
0x0000000000400740 <+0>: jmp QWORD PTR [rip+0x20090a] # 0x601050 <callme_two@got.plt>
0x0000000000400746 <+6>: push 0x7
0x000000000040074b <+11>: jmp 0x4006c0
End of assembler dump.
|