Is the variable elf_entry in the kernel function load_elf_binary the entry point i get with readelf -h
https://stackoverflow.com/questions/8790040
-
15-04-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I need to find the entry point of an elf file running in a virtual environment (debian x86). On the host machine i can determine the current instruction pointer and all the other cpu registers. So it's possible to determine kernel function calls.
The function load_elf_binary calls the function start_thread with the following parameters:
start_thread(regs, elf_entry, bprm->p);
So I should be able to receive elf_entry from the cpu registers, but when I dump the registers, I get this output:
EAX=0xc61bffb4
EBX=0xc61bffb4
ECX=0xbff29430
EDX=0xb78ae850
ESI=0xc78f9500
EDI=0xbff29fec
EBP=0xbff29488
ESP=0xc61bfeb4
EIP=0xc1001f82
CR2=0xb78ca840
No register has a value starting with 0x8xxxxxxx, so I'm not sure if I made a mistake or the elf_entry isn't the entry point I'm looking for.
The essence question: Is the variable elf_entry in the kernel function load_elf_binary the entry point i get with readelf -h?
Solution
elf_entry on that function corresponds to the ELF entry point only for static binaries, for dynamic binaries it corresponds to the entry point of the dynamic linker (which should finally call the binary's entry point), see http://lxr.free-electrons.com/source/fs/binfmt_elf.c?v=2.6.32#L888.
OTHER TIPS
After compiling a new kernel with printk I learned that new_ip is always starting with 0xb78xxxxxx, so elf_entry and the entry point of an elf file isn't the same.
