[slightly ot] ELF loader process

From: Russell Miller
Date: Fri Dec 17 2004 - 23:11:36 EST

Hi, I have a question that isn't directly kernel related, but I can't seem to
find a good forum to ask this question, so feel free to point me to a more
appropriate place. Also, this is pretty deep in the linux internals...

I'm trying to reverse engineer a trojan that some idiot left on a machine
after cracking it. I've run readelf. It states that the entry point is:

Entry point address: 0x804b06c

But that address seems to not be mapped anywhere in the executable. There is:

Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x00406c 0x0804c06c 0x0804c06c 0x001d4 0x00338 RW 0x1000

which is exactly 0x1000 above the entry point address. 0x0804c06c is also the
location of the _start symbol.

So, my question is (for any of you that will be willing to humor me and answer
the question even though it's a little unrelated): Why does the entry point
address not match the _start symbol? And if this is truly an error, what
would happen if you tried to run the binary under linux?

Thanks. You can feel free to email me privately with an answer if you don't
want to post it here.



Russell Miller - rmiller@xxxxxxxxxxxx - Le Mars, IA
Duskglow Consulting - Helping companies just like you to succeed for ~ 10 yrs.
http://www.duskglow.com - 712-546-5886
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/