It seems for ELF non-PIE binaries with a standard C runtime, `main` isn't discovered by panopticon, as the address is edited into the `_start` prologue at static link time, e.g., `main` is at `0x400586`, which is given to `rdi` (to be passed to `__libc_start_main`) in `_start` here:
but panopticon only finds `_start` and the PLT jump stub for `__libc_start_main`. Of course we can cheat and try to use the strippable symbol table or debug information, but that only works when they're present.
Also, lack of discovery is sort of expected, as we'd need to know that the function called with argument `rdi` expects a function pointer in order to guess that the `mov $0x400586,%rdi` is a function address instead of a regular constant.
There are several approaches I think:

1. (fragile, quicker to implement) Hard-code some kind of pattern recognition for prologues that look like `_start`, and then hard-code a `__libc_start_main`-esque pattern to know that the `mov` is `main`'s address.
2. (cooler, slower to implement, but future-extensible) Start working on function parameter type inference, to go from `callq` -> arguments -> (analyze function at `callq` address site) -> infer arguments -> check if any arguments are function pointers (e.g., somewhere in the body of the `callq` address site it is `callq`'d or jumped to in a "function-y" manner), and then disassemble the address at that pointer and add it to the call targets as usual.
3. Another approach: maybe the abstract interpretation approach can help here?
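A sketch of the first (pattern-matching) approach, added here as an example; it is not part of the original issue and not panopticon's own code. `find_main_from_start`, the constructed `_start` bytes and the address constants are assumptions made for the example (the addresses mirror the ones quoted in the issue). It keys on `mov $imm32,%rdi` immediately followed by a call whose resolved target is the known `__libc_start_main` PLT stub, also accepts the `call *disp32(%rip)` form that some toolchains emit (not discussed above), and rejects the immediate when it falls outside the executable section so that an unrelated `mov`/`call` pair is not reported as `main`.

```python
import struct

# Encodings the heuristic keys on (x86-64, as laid out by glibc's crt1.o once
# the static linker has patched in the absolute addresses).
MOV_IMM32_RDI = b"\x48\xc7\xc7"  # mov $imm32, %rdi   (imm32 sign-extended to 64 bits)
CALL_REL32 = 0xE8                 # call rel32          (direct call to the PLT stub)
CALL_RIP_INDIRECT = b"\xff\x15"   # call *disp32(%rip)  (call through a GOT slot)


def find_main_from_start(code, base, libc_start_main_targets, text_range):
    """Return the candidate address of main, or None.

    code   -- raw bytes of _start, loaded at virtual address `base`
    libc_start_main_targets -- addresses that resolve to __libc_start_main:
              the PLT stub (for e8) and/or the GOT slot (for ff 15)
    text_range -- (lo, hi) of the executable section; an immediate outside it
              is treated as an ordinary constant, not a code pointer
    """
    lo, hi = text_range
    n = len(code)
    for i in range(n - 6):  # need 7 bytes for the mov itself
        if code[i:i + 3] != MOV_IMM32_RDI:
            continue
        imm = struct.unpack_from("<i", code, i + 3)[0] & 0xFFFFFFFFFFFFFFFF
        j = i + 7  # first byte of the instruction following the mov
        target = None
        if j + 5 <= n and code[j] == CALL_REL32:
            rel = struct.unpack_from("<i", code, j + 1)[0]
            target = base + j + 5 + rel    # rel32 is relative to the next insn
        elif j + 6 <= n and code[j:j + 2] == CALL_RIP_INDIRECT:
            disp = struct.unpack_from("<i", code, j + 2)[0]
            target = base + j + 6 + disp   # address of the GOT slot being read
        if target in libc_start_main_targets and lo <= imm < hi:
            return imm
    return None


# Constructed _start of a non-PIE binary (layout modelled on glibc's crt1.o).
# These bytes are made up for the example, not dumped from a real binary.
START_ADDR = 0x4004A0
LIBC_START_MAIN_PLT = 0x400480
START_BYTES = bytes.fromhex(
    "31ed"            # xor  %ebp,%ebp
    "4989d1"          # mov  %rdx,%r9
    "5e"              # pop  %rsi
    "4889e2"          # mov  %rsp,%rdx
    "4883e4f0"        # and  $-16,%rsp
    "50"              # push %rax
    "54"              # push %rsp
    "49c7c000064000"  # mov  $0x400600,%r8   (fini)
    "48c7c190054000"  # mov  $0x400590,%rcx  (init)
    "48c7c786054000"  # mov  $0x400586,%rdi  (main)
    "e8b7ffffff"      # call 0x400480 <__libc_start_main@plt>
    "f4"              # hlt
)

# Same idea with a call through the GOT, constructed at a different base.
GOT_START_ADDR = 0x401000
LIBC_START_MAIN_GOT = 0x403FF0
GOT_START_BYTES = bytes.fromhex(
    "48c7c786054000"  # mov  $0x400586,%rdi
    "ff15e32f0000"    # call *0x2fe3(%rip)  -> 0x403ff0
    "f4"              # hlt
)

# Decoy: mov $imm,%rdi followed by a call that is not __libc_start_main.
DECOY_BYTES = bytes.fromhex("48c7c786054000" "e800000000" "f4")


def demo():
    """Run the heuristic over the three constructed inputs."""
    return {
        "plt": find_main_from_start(START_BYTES, START_ADDR,
                                    {LIBC_START_MAIN_PLT}, (0x400400, 0x400700)),
        "got": find_main_from_start(GOT_START_BYTES, GOT_START_ADDR,
                                    {LIBC_START_MAIN_GOT}, (0x400000, 0x402000)),
        "decoy": find_main_from_start(DECOY_BYTES, START_ADDR,
                                      {LIBC_START_MAIN_PLT}, (0x400400, 0x400700)),
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: {addr:#x}" if addr is not None else f"{name}: no main found")
```

The PLT stub address the heuristic compares against is exactly what panopticon already recovers, so this slots in after the existing `_start` discovery; the text-range check is the only thing standing between this pattern and a false positive, which is why the issue calls the approach fragile.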