Graphics Programs Reference
In-Depth Information
0x357
Detours with .dtors
In binary programs compiled with the GNU C compiler, special table sections
called
.dtors
and
.ctors
are made for destructors and constructors, respectively.
Constructor functions are executed before the
main()
function is executed,
and destructor functions are executed just before the
main()
function exits
with an exit system call. The destructor functions and the
.dtors
table section
are of particular interest.
A function can be declared as a destructor function by defining the
destructor attribute, as seen in dtors_sample.c.
dtors_sample.c
#include <stdio.h>
#include <stdlib.h>
static void cleanup(void) __attribute__ ((destructor));
main() {
printf("Some actions happen in the main() function..\n");
printf("and then when main() exits, the destructor is called..\n");
exit(0);
}
void cleanup(void) {
printf("In the cleanup function now..\n");
}
In the preceding code sample, the
cleanup()
function is defined with the
destructor attribute, so the function is automatically called when the
main()
function exits, as shown next.
reader@hacking:~/booksrc $ gcc -o dtors_sample dtors_sample.c
reader@hacking:~/booksrc $ ./dtors_sample
Some actions happen in the main() function..
and then when main() exits, the destructor is called..
In the cleanup() function now..
r
eader@hacking:~/booksrc $
This behavior of automatically executing a function on exit is controlled by
the
.dtors
table section of the binary. This section is an array of 32-bit addresses
terminated by a NULL address. The array always begins with
0xffffffff
and ends with the NULL address of
0x00000000
. Between these two are the
addresses of all the functions that have been declared with the destructor
attribute.
The
nm
command can be used to find the address of the
cleanup()
function, and
objdump
can be used to examine the sections of the binary.