Deducting printf

From ThorstensHome

In this article I want to show how to deduct programs written in C. As an example I use Linux.

Let's first write a program main.c that is intended to be small so it is easier to analyze:

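#include <stdio.h>
/* The body of main is missing from this page; a minimal printf call is assumed. */
int main()
{ printf("hello world\n"); return 0; }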

Now let's compile this program using gcc:

gcc main.c

And test its execution:


It works! Now, to analyze this program we have 3 options:

  • disassembling with objdump
  • run-time syscall analysis with strace
  • analysis of the source libraries

Analysis of source libraries

/usr/include/stdio.h defines printf as extern:

extern int printf (__const char *__restrict __format, ...);

An example of C's keyword extern can be found here. It means printf is defined outside this file; in this case it is drawn from a dynamically loaded library. Luckily there are not too many:

# ldd a.out
 => (0x00007fff98f95000)
 => /lib64/ (0x00007fdbf34b9000)
/lib64/ (0x00007fdbf3848000)

And in /lib64/ we find printf:

nm --extern-only | grep printf
000000000004eee0 T printf

And this is part of glibc:

rpm -qf

Ok, so printf gets its code from glibc. The source code is not available on a default installation.
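The ldd and nm steps above can also be checked from inside the running process. The following C program is an added example, not part of the original article: find_provider is a hypothetical helper, and it assumes Linux (/proc/self/maps), a dynamically linked binary, and linking with -ldl on glibc older than 2.34.

```c
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the article): resolve `name` through the
 * dynamic loader, then find the file mapped at that address in
 * /proc/self/maps. *base is the lowest address where that file is mapped
 * (the kind of number ldd prints in parentheses); *offset = address - base,
 * the value nm prints for a library linked at 0. Returns 0 or -1. */
int find_provider(const char *name, char *path, size_t len,
                  unsigned long *base, unsigned long *offset)
{
    void *self = dlopen(NULL, RTLD_LAZY);   /* handle for the whole process */
    void *sym = self ? dlsym(self, name) : NULL;
    FILE *maps = sym ? fopen("/proc/self/maps", "r") : NULL;
    char line[1024], file[512], first[512] = "";
    unsigned long lo, hi, first_lo = 0, addr = (unsigned long)sym;
    int rc = -1;

    while (maps && rc != 0 && fgets(line, sizeof line, maps)) {
        file[0] = '\0';
        /* line format: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %511s", &lo, &hi, file) < 2)
            continue;
        if (file[0] && strcmp(file, first) != 0) {  /* first mapping of a file */
            snprintf(first, sizeof first, "%s", file);
            first_lo = lo;
        }
        if (addr >= lo && addr < hi && file[0] == '/') {
            snprintf(path, len, "%s", file);
            *base = first_lo;
            *offset = addr - first_lo;
            rc = 0;
        }
    }
    if (maps) fclose(maps);
    if (self) dlclose(self);
    return rc;
}

int main(void)
{
    char path[512];
    unsigned long base, offset;
    if (find_provider("printf", path, sizeof path, &base, &offset) != 0)
        return 1;
    printf("printf => %s (0x%016lx) + 0x%lx\n", path, base, offset);
    return 0;
}
```

The base address changes between runs because of address space layout randomization, while the offset stays the same for a given library build.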