Deducting printf

From ThorstensHome

In this article I want to show how to dissect programs written in C and trace where their code comes from. As an example platform I use Linux.

Let's first write a program main.c that is intended to be small so it is easier to analyze:

#include <stdio.h>
int main()
{
printf("helloworld");
}

Now let's compile this program using gcc:

gcc main.c

And test its execution:

./a.out
helloworld

It works! Now, to analyze this program we have 3 options:

  • disassembling with objdump
  • run-time syscall analysis with strace
  • analysis of the source libraries

Analysis of source libraries

/usr/include/stdio.h defines printf as extern:

extern int printf (__const char *__restrict __format, ...);

An example of C's keyword extern can be found here. It declares that the definition of printf lives somewhere else, in this case in a dynamically loaded library. Luckily there are not too many of those:

# ldd a.out
linux-vdso.so.1 => (0x00007fff98f95000)
libc.so.6 => /lib64/libc.so.6 (0x00007fdbf34b9000)
/lib64/ld-linux-x86-64.so.2 (0x00007fdbf3848000)

And in /lib64/libc.so.6 we find printf:

nm --extern-only libc.so.6 | grep printf
[...]
000000000004eee0 T printf
[...]

And this libc.so.6 is part of glibc:

rpm -qf libc.so.6
glibc-2.14.1-14.12.5.x86_64

Ok, so printf gets its code from glibc. The source code is not available on a default installation.
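The ldd, nm and rpm steps above can be chained into one script for any dynamically linked binary and any symbol. This is an added example, not part of the original article; it assumes ldd, nm and awk are installed, and rpm or dpkg only for the package step. It also covers two things the manual walk-through does not: a stripped libc.so.6 (where nm --extern-only reports "no symbols") and the versioned symbol names newer nm prints.

```shell
#!/bin/sh
# Added example, not from the original article: automate the ldd -> nm -> rpm
# chain for any dynamically linked binary and any symbol.
# Assumes ldd, nm, awk are present; rpm or dpkg only for the package step.

# Print the on-disk paths of the shared objects ldd reports for binary $1.
# linux-vdso.so.1 is kernel-provided and has no file, so it is skipped.
ldd_libs() {
    ldd "$1" | awk '$0 ~ /=> \// { print $3; next } $1 ~ /^\// { print $1 }'
}

# For binary $1 and symbol $2, print "<library> <type>" for each library
# that defines the symbol. Two caveats the manual walk-through glosses over:
#  - distributions ship a stripped libc.so.6, so `nm --extern-only` prints
#    "no symbols"; `nm --dynamic` reads .dynsym, which stripping keeps;
#  - newer nm prints versioned names like printf@@GLIBC_2.2.5, so only the
#    part before '@' is compared.
# Only definitions count (T text, W weak, i GNU ifunc); 'U' lines are
# references to a symbol defined elsewhere, which is what a.out itself has.
find_symbol() {
    bin=$1; sym=$2
    for lib in $(ldd_libs "$bin"); do
        nm --dynamic "$lib" 2>/dev/null | awk -v s="$sym" -v l="$lib" '
            NF == 3 { split($3, n, "@");
                      if (n[1] == s && $2 ~ /^[TWi]$/) print l, $2 }'
    done
}

# Report the package that owns library $1 (rpm-based, then dpkg-based systems).
owner_of() {
    if command -v rpm >/dev/null 2>&1; then rpm -qf "$1"
    elif command -v dpkg >/dev/null 2>&1; then dpkg -S "$(readlink -f "$1")"
    else echo "no package manager found for $1"
    fi
}

# Usage: sh deduct.sh ./a.out printf
if [ $# -eq 2 ]; then
    find_symbol "$1" "$2" | while read -r lib type; do
        echo "$2 is defined ($type) in $lib, owned by: $(owner_of "$lib")"
    done
fi
```

For the a.out built above, the output names the libc path from ldd together with the glibc package that rpm -qf reported; the loader /lib64/ld-linux-x86-64.so.2 is searched too but defines no printf.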