[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-kernel
Subject:    [slightly ot] ELF loader process
From:       Russell Miller <rmiller () duskglow ! com>
Date:       2004-12-18 4:12:56
Message-ID: 200412172212.56546.rmiller () duskglow ! com
[Download RAW message or body]

Hi, I have a question that isn't directly kernel related, but I can't seem to 
find a good forum to ask this question, so feel free to point me to a more 
appropriate place.  Also, this is pretty deep in the linux internals...

I'm trying to reverse engineer a trojan that some idiot left on a machine 
after cracking it.  I've run readelf.  It states that the entry point is:

  Entry point address:               0x804b06c

But that address seems to not be mapped anywhere in the executable.  There is:

  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x00406c 0x0804c06c 0x0804c06c 0x001d4 0x00338 RW  0x1000

which is exactly 0x1000 above the entry point address.  0x0804c06c is also the 
location of the _start symbol.

So, my question is (for any of you that will be willing to humor me and answer 
the question even though it's a little unrelated):  Why does the entry point 
address not match the _start symbol?  And if this is truly an error, what 
would happen if you tried to run the binary under linux?

Thanks.  You can feel free to email me privately with an answer if you don't 
want to post it here.

--Russell

-- 

Russell Miller - rmiller@duskglow.com - Le Mars, IA
Duskglow Consulting - Helping companies just like you to succeed for ~ 10 yrs.
http://www.duskglow.com - 712-546-5886
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
[prev in list] [next in list] [prev in thread] [next in thread]