search

gimli-rs / object

A unified interface for reading and writing object file formats
https://docs.rs/object/
Apache License 2.0
673 stars 157 forks source link

Symbol data #670

Closed Cr0a3 closed 7 months ago

Cr0a3 commented 7 months ago

Hello, How can i get the data stored inside a symbol? I know how to get the data inside a section via section.data(), but gcc stores its functions inside symbols, which i need to read.

I am looking for a function like symbol.data() or symbol.bytes() or something like that

Bye

Cr0a3 commented 7 months ago

Maybe there is a function in ObjectFile which gets the bytes from a adress range? Then this code would be possible:

let adr_start = symbol.adress();
let adr_end = adr_start + symbol.size();

let data = file.super_cool_data_getting_function(adr_start, adr_end);
bjorn3 commented 7 months ago

You can use file.get_section_by_name(section_name).data() to get the data of the section which contains the symbol and then take the subset of the section that you actually need.

but gcc stores its functions inside symbols

It does not. In object files functions are stored inside sections (often a single .text section with all functions concatenated, but -ffunction-sections will put each function in their own section)and symbols are pointers inside a section. A section has a certain size, but for symbols the size field is merely a hint and is often an incorrect value like 0. The linker is free to reorder sections as a whole and even drop them when --gc-sections is passed and a section is unused, but within a section, the linker is not allowed to reorder symbols. A symbol can be in the middle of a function. For example when you write assembly, the labels you write end up as symbols prefixed with .L in the object file. In executables functions are stored inside segments with all segments having fixed locations relative to each other (often there is a single segment for all code and several others for various types of data) and both sections and symbols are entirely ignored by anything but debuggers and other inspection tools. Malware frequently intentionally contains wrong sections and symbols to make reverse engineering them harder.

philipc commented 7 months ago

You can also use something like

if let Some(section_index) = symbol.section_index() {
    let section = file.section_by_index(section_index);
    let data = section.data_range(symbol.address(), symbol.size());
}

But do make sure you understand what bjorn3 wrote.

Cr0a3 commented 7 months ago

Thx