
I read in this SO answer that

When you statically link a file into an executable, the contents of that file are included at link time. In other words, the contents of the file are physically inserted into the executable that you will run.

I was wondering if, in the general case, this code is in a contiguous area. I learned from another SO answer that this may not always be the case:

This assumption is probably true in simple cases, but in no way is guaranteed.

Say I have a stripped binary and no source code. Yet I know that the executable was built using a certain statically linked library.

  • Is it possible to find out if the code from a statically linked library is in a contiguous area in the executable? If it is impossible in the general case, are there any heuristics or indicators?
  • Why would the linker place the code of a library at different places in the executable? I guess these would be rare edge cases, right?
langlauf.io
    The second link in your question seems to answer the second question (Why would the linker reorder the code?). In general, it will do that for efficiency if you ask it to; normally, you'll need to provide profiling information for the linker to be able to perform this optimization. See the `gcc` documentation for `-freorder-functions` – rici Jun 20 '16 at 16:37

1 Answer


If you want to analyse the executable, you can use decompilation and code viewing tools. The people here might help you better with that: https://reverseengineering.stackexchange.com/

As for why, it could be an optimization, mostly for executable size, to move this region around or split it up into conveniently sized holes. Another major reason would be to prevent jump-to-library attacks. Basically, execute protection on memory prevents an attacker from writing arbitrary code to a data buffer and executing it. In response, crackers sometimes string attacks together out of library code, so the library positions are randomized. That's not what you're trying to do, right?

robot1208
  • Thank you for your answer. I got an idea why the library code may not be in a contiguous area. As for the first question (how to find out if it is in a cont. area) I will try to ask more precise questions on reverseengineering.stackexchange.com – langlauf.io Jul 02 '16 at 08:28
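One concrete heuristic for the first question (is the library's code in one contiguous area?), as an added example that is not code from the question or the answer: match byte signatures of the library's functions against the executable's .text bytes and check whether the hits form a single run, treating small gaps as alignment padding. The signatures, the sample .text layouts, the 16-byte alignment assumption and the 0xCC fill bytes are all constructed here; in practice the signatures would come from the library's own object files.

```python
"""Heuristic contiguity check for code from a statically linked library."""
from typing import Dict, Iterable, List, Tuple

ALIGN = 16  # assumed function alignment: gaps up to this size count as padding

def locate(text: bytes, signatures: Dict[str, bytes]) -> Dict[str, Tuple[int, int]]:
    """Map each signature occurring exactly once in `text` to its (start, end)."""
    found = {}
    for name, sig in signatures.items():
        start = text.find(sig)
        if start < 0 or text.find(sig, start + 1) >= 0:
            continue  # absent or ambiguous: not usable as an indicator
        found[name] = (start, start + len(sig))
    return found

def regions(spans: Iterable[Tuple[int, int]], align: int = ALIGN) -> List[Tuple[int, int]]:
    """Merge spans separated by at most `align` bytes; return sorted regions."""
    merged: List[Tuple[int, int]] = []
    for start, end in sorted(spans):
        if merged and start - merged[-1][1] <= align:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def is_contiguous(text: bytes, signatures: Dict[str, bytes], align: int = ALIGN) -> bool:
    """True when every located library function falls into one region."""
    return len(regions(locate(text, signatures).values(), align)) == 1

# Constructed sample data (not taken from any real binary): tiny x86-64 function
# bodies stand in for library code, APP_FN for application code, 0xCC for fill.
LIB = {
    "lib_a": bytes.fromhex("554889e5b8010000005dc3"),  # push rbp; mov rbp,rsp; mov eax,1; pop rbp; ret
    "lib_b": bytes.fromhex("554889e5b8020000005dc3"),  # same shape, mov eax,2
    "lib_c": bytes.fromhex("554889e589f801f05dc3"),    # mov eax,edi; add eax,esi; pop rbp; ret
}
APP_FN = bytes.fromhex("4831c0c3")  # xor rax,rax; ret
PAD = b"\xcc"

# Layout 1: library objects back to back, only alignment padding between them.
TEXT_TOGETHER = PAD * 16 + LIB["lib_a"] + PAD * 5 + LIB["lib_b"] + PAD * 5 + LIB["lib_c"] + PAD * 6 + APP_FN + PAD * 12
# Layout 2: one library function placed after application code, as function
# reordering can do, leaving a gap far larger than alignment padding.
TEXT_SPLIT = PAD * 16 + LIB["lib_a"] + PAD * 5 + LIB["lib_b"] + PAD * 5 + APP_FN + PAD * 100 + LIB["lib_c"] + PAD * 6

if __name__ == "__main__":
    for label, text in (("together", TEXT_TOGETHER), ("split", TEXT_SPLIT)):
        print(label, regions(locate(text, LIB).values()), is_contiguous(text, LIB))
```

On a real binary the bytes at call and data-reference sites are rewritten by relocation, so signatures taken from object files need those positions masked out (or a tool that does this for you) before exact matching is meaningful.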