Question

I am following some tutorials about format string bug exploitation, and at some point they talk about overwriting the dtors table. But here is what I find when I use nm:

080495a8 d _DYNAMIC
0804969c d _GLOBAL_OFFSET_TABLE_
080484cc R _IO_stdin_used
         w _ITM_deregisterTMCloneTable
         w _ITM_registerTMCloneTable
         w _Jv_RegisterClasses
08048594 r __FRAME_END__
080495a4 d __JCR_END__
080495a4 d __JCR_LIST__
080496bc D __TMC_END__
080496bc A __bss_start
080496b4 D __data_start
080483c0 t __do_global_dtors_aux (*)
0804959c t __do_global_dtors_aux_fini_array_entry (*)
080496b8 D __dso_handle
08049598 t __frame_dummy_init_array_entry
         w __gmon_start__
080484aa T __i686.get_pc_thunk.bx
0804959c t __init_array_end
08049598 t __init_array_start
08048440 T __libc_csu_fini
08048450 T __libc_csu_init
         U __libc_start_main@@GLIBC_2.0
080496bc A _edata
080496c0 A _end
080484b0 T _fini
080484c8 R _fp_hw
080482b8 T _init
08048320 T _start
08048428 t clean
080496bc b completed.5730
080496b4 W data_start
08048350 t deregister_tm_clones
080483e0 t frame_dummy
0804840c T main
         U puts@@GLIBC_2.0
08048380 t register_tm_clones

Instead of having something like:

080494ac d __CTOR_END__
080494a8 d __CTOR_LIST__
080494b8 d __DTOR_END__
080494b0 d __DTOR_LIST__

I have those two lines with an asterisk (*) that I don't know about. What is the meaning of those lines, and why aren't there CTOR_END, DTOR_END, etc. anymore? And lastly, why, when I objdump my executable, can't I find a .dtors section?

The executable code is:

#include <stdio.h>

/* Register clean() as a destructor: the compiler places its address in the
 * program's destructor table so it runs after main() returns. */
static void clean(void) __attribute__ ((destructor));

int main(void)
{
    printf("Function main\n");
    return 0;
}

/* Runs automatically at exit, after main() has returned. */
void clean(void)
{
    printf("call to destructor\n");
}

Solution

On systems where it is supported, an alternative mechanism is used that puts the destructors into the .fini_array section. The symbols denoting the start and the end are __fini_array_start and __fini_array_end, respectively, but they are marked as hidden. You can look at the section header to find the destructor table:

$ objdump -h -j .fini_array a.out

a.out:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
 19 .fini_array   00000008  0804959c  0804959c  0000059c  2**2
                  CONTENTS, ALLOC, LOAD, DATA

__do_global_dtors_aux_fini_array_entry is an entry in this .fini_array section that points to __do_global_dtors_aux which does some libc cleanup. This function also runs the destructors on systems where the .fini_array mechanism is not used.

TL;DR: the table is in the .fini_array section, do whatever you want with it.
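The destructor table the answer describes can also be walked from inside the program itself. This is an added example, not code from the question or the answer; it assumes an ELF toolchain whose linker provides the hidden __fini_array_start/__fini_array_end symbols (GNU ld and lld do), and the helper names fini_array_count, fini_array_index_of and fini_array_dump are this example's own.

```c
/* Added example (not from the original post): inspect the executable's own
 * .fini_array at runtime. Assumes an ELF toolchain where the linker provides
 * the hidden __fini_array_start / __fini_array_end symbols. */
#include <stdio.h>
#include <stddef.h>

typedef void (*fini_fn)(void);

/* Linker-provided and hidden (absent from the dynamic symbol table), but a
 * reference from within the executable itself still resolves. */
extern fini_fn __fini_array_start[] __attribute__((visibility("hidden")));
extern fini_fn __fini_array_end[]   __attribute__((visibility("hidden")));

static void clean(void) __attribute__((destructor));

/* Number of function-pointer entries in the destructor table. */
size_t fini_array_count(void)
{
    return (size_t)(__fini_array_end - __fini_array_start);
}

/* Index of fn in .fini_array, or -1 if it is not registered there. */
long fini_array_index_of(fini_fn fn)
{
    size_t n = fini_array_count();
    for (size_t i = 0; i < n; i++)
        if (__fini_array_start[i] == fn)
            return (long)i;
    return -1;
}

/* Print the table so it can be compared with `nm` / `objdump -s -j .fini_array`. */
void fini_array_dump(void)
{
    size_t n = fini_array_count();
    printf(".fini_array at %p: %zu entries, %zu bytes\n",
           (void *)__fini_array_start, n, n * sizeof(fini_fn));
    for (size_t i = 0; i < n; i++)
        printf("  [%zu] %p%s\n", i, (void *)__fini_array_start[i],
               __fini_array_start[i] == clean ? "  <- clean" : "");
}

int main(void)
{
    printf("Function main\n");
    fini_array_dump();   /* clean() should appear next to __do_global_dtors_aux */
    return 0;
}

void clean(void)
{
    printf("call to destructor\n");
}
```

The printed base address should match the VMA shown by `objdump -h -j .fini_array` and the entries should match `nm` output for __do_global_dtors_aux and clean. When the binary is linked with `-z relro`, `readelf -l` shows .fini_array inside the GNU_RELRO segment, which the dynamic loader remaps read-only after relocation and before main runs.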

Licensed under: CC-BY-SA with attribution