adding local types to ELF?

[saidelike]

Hi,

ida-syms2elf supports exporting function names, label, etc. I was able to import the symbols in gdb which is really cool. Would it be possible to add local types as well? Eg in GDB, it is then possible to import them using "add-symbol-file", the same method I use to import function names, label, etc.

For example, if we have the following type:

// sample.h
struct sample {
  int i;
  struct sample *less;
  struct sample *more;
};

In GDB, we don't have the type by default:

(gdb) p (struct sample *)0x7fffffffd6b0
No struct type named sample.

After importing the file containing the local types, we would be able to print the structure elements:

(gdb) add-symbol-file sample.o 0
add symbol table from file "sample.o" at
    .text_addr = 0x0
(gdb) p (struct sample *)0x7fffffffd6b0
$1 = (struct sample *) 0x7fffffffd6b0
(gdb) p *$1
$2 = {i = 42, less = 0x7fffffffd6b0, more = 0x7fffffffd6b0}

Regards
saidelike

[1] http://stackoverflow.com/questions/7272558/can-we-define-a-new-data-type-in-a-gdb-session

[danigargu]

Hi saidelike!

I'll study if exists any form to add local types in the .symtab section, and in in that case, try to export types from IDA and radare2, but I think it is not possible (https://refspecs.linuxbase.org/elf/gabi4+/ch4.symtab.html).

Many thanks for you issue! :)

Regards

[saidelike]

Hi danigargu,

Thanks for the answer. I looked as well and as you said it is not in the .symtab but instead in the .debug_info.

As a reference, this is how I listed a specific type in an ELF using pahole [2]:

$ pahole libc.so -C pthread_internal_t
struct pthread_internal_t {
    struct pthread_internal_t * next;                /*     0     4 */
    struct pthread_internal_t * * pref;              /*     4     4 */
    pthread_attr_t             attr;                 /*     8    24 */
    pid_t                      kernel_id;            /*    32     4 */
    pthread_cond_t             join_cond;            /*    36     4 */
    int                        join_count;           /*    40     4 */
    void *                     return_value;         /*    44     4 */
    int                        intern;               /*    48     4 */
    __pthread_cleanup_t *      cleanup_stack;        /*    52     4 */
    void * *                   tls;                  /*    56     4 */

    /* size: 60, cachelines: 1, members: 10 */
    /* last cacheline: 60 bytes */
};

To list them all and save the result in a file, we can use the following command:

$ pahole libc.so > lib.txt

Alternatively, objdump can be used to parse the .debug_info section:

$ objdump --dwarf libc.so > libc_objdump.txt

We get something like that. I only show the 2 first members (next and pref) of the pthread_internal_t structure below:

 <1><309>: Abbrev Number: 9 (DW_TAG_structure_type)
    <30a>   DW_AT_name        : (indirect string, offset: 0x29e): pthread_internal_t
    <30e>   DW_AT_byte_size   : 60
    <30f>   DW_AT_decl_file   : 11
    <310>   DW_AT_decl_line   : 36
    <311>   DW_AT_sibling     : <0x3a2>
 <2><315>: Abbrev Number: 10 (DW_TAG_member)
    <316>   DW_AT_name        : (indirect string, offset: 0xd6): next
    <31a>   DW_AT_decl_file   : 11
    <31b>   DW_AT_decl_line   : 37
    <31c>   DW_AT_type        : <0x3a2>
    <320>   DW_AT_data_member_location: 2 byte block: 23 0  (DW_OP_plus_uconst: 0)
 <2><323>: Abbrev Number: 10 (DW_TAG_member)
    <324>   DW_AT_name        : (indirect string, offset: 0x17d): pref
    <328>   DW_AT_decl_file   : 11
    <329>   DW_AT_decl_line   : 38
    <32a>   DW_AT_type        : <0x3a8>
    <32e>   DW_AT_data_member_location: 2 byte block: 23 4  (DW_OP_plus_uconst: 4)
...

I honestly don't know if the ELF parser you used (based on ROPgadget) supports parsing the .debug_info section but I wanted to share what I found in case you find it interesting and want to look further.

[2] http://stackoverflow.com/questions/5954140/dumping-c-structure-sizes-from-elf-object-file