Description
SPI is currently not able to find the callee of plt stubs if the function address is not bound.
Programs now use plt stubs to call exported functions. A plt stub usually consists of three instructions:
- indirect jump to an entry in the GOT
- push an index onto stack
- jump to the resolver function
When a program calls an exported function, there are two cases. In the case where the exported function is already bound (meaning the exported function address has already been resolved and saved in the GOT), it calls the first instruction in the plt stub. In the other case, where the exported function is not bound yet, it calls the second instruction in the plt stub, which pushes the index and then jumps to the resolver function. The first case is the easy one: we can get the callee by computing the effective address and looking up the function by address. In the second case, we are unable to recognize any function call in the plt stub, thus missing this callee.
The tentative fix is to instrument the resolver function directly. Inside the resolver function, it tries to find the exported function address and calls that function. If we can correctly parse the resolver function and recognize the call instruction at the end, we will be able to find all exported functions that we missed in the plt stub.
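The two cases above (bound GOT slot versus slot still pointing back at the stub's push) can be worked through on the x86-64 stub encoding. The following is an added example, not Dyninst/SPI code: it decodes one lazy-binding plt stub from constructed bytes at an assumed address (0x401020, GOT slot 0x404018, PLT0 at 0x401000, all made up for the example) and decides from the current GOT value whether the callee is already known or whether control will go through the push and on to the resolver. The stub layout, GOT slot and index decoding follow the standard x86-64 ABI encoding; function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decoded view of one x86-64 lazy-binding plt stub (example model, not SPI's). */
typedef struct {
    uint64_t stub_addr;     /* virtual address of the stub's first instruction */
    uint64_t got_slot;      /* address of the GOT entry read by the first jmp   */
    uint32_t reloc_index;   /* index pushed for the resolver                    */
    uint64_t resolver_stub; /* target of the final jmp (PLT0 -> resolver)       */
} plt_stub_t;

/* Decode the three-instruction stub pattern:
 *   ff 25 rel32   jmp *rel32(%rip)   (6 bytes)
 *   68 imm32      push $index        (5 bytes)
 *   e9 rel32      jmp rel32          (5 bytes)
 * Returns 0 on success, -1 if the bytes do not match the pattern. */
int decode_plt_stub(const uint8_t *code, size_t len, uint64_t stub_addr, plt_stub_t *out)
{
    if (len < 16) return -1;
    if (code[0] != 0xff || code[1] != 0x25) return -1;
    if (code[6] != 0x68) return -1;
    if (code[11] != 0xe9) return -1;

    int32_t rel_got, rel_plt0;
    uint32_t idx;
    memcpy(&rel_got, code + 2, 4);   /* little-endian displacement of the GOT slot */
    memcpy(&idx, code + 7, 4);       /* relocation index operand of push          */
    memcpy(&rel_plt0, code + 12, 4); /* displacement of the jmp to PLT0           */

    out->stub_addr = stub_addr;
    out->got_slot = stub_addr + 6 + (int64_t)rel_got;       /* RIP after the 6-byte jmp  */
    out->reloc_index = idx;
    out->resolver_stub = stub_addr + 16 + (int64_t)rel_plt0; /* RIP after the final jmp */
    return 0;
}

/* Given the GOT slot's current contents, decide where the call really goes.
 * An unbound slot still holds the address of the stub's push (stub_addr + 6), so the
 * call ends up in the resolver; otherwise the slot holds the bound callee address. */
uint64_t plt_callee(const plt_stub_t *s, uint64_t got_value, int *bound)
{
    if (got_value == s->stub_addr + 6) {
        *bound = 0;
        return s->resolver_stub;   /* callee unknown yet: control reaches the resolver */
    }
    *bound = 1;
    return got_value;              /* easy case: effective address is the callee */
}

/* Constructed sample stub assumed to live at 0x401020. */
static const uint8_t sample_stub[16] = {
    0xff, 0x25, 0xf2, 0x2f, 0x00, 0x00,  /* jmp *0x2ff2(%rip)  -> GOT slot 0x404018 */
    0x68, 0x00, 0x00, 0x00, 0x00,        /* push $0                                 */
    0xe9, 0xd0, 0xff, 0xff, 0xff         /* jmp 0x401000 (PLT0)                     */
};
#define SAMPLE_STUB_ADDR 0x401020ULL

/* Small accessors over the sample so each result can be checked by name. */
uint64_t sample_got_slot(void)
{
    plt_stub_t s;
    return decode_plt_stub(sample_stub, sizeof sample_stub, SAMPLE_STUB_ADDR, &s) == 0 ? s.got_slot : 0;
}
uint64_t sample_resolver(void)
{
    plt_stub_t s;
    return decode_plt_stub(sample_stub, sizeof sample_stub, SAMPLE_STUB_ADDR, &s) == 0 ? s.resolver_stub : 0;
}
uint64_t sample_callee(uint64_t got_value, int *bound)
{
    plt_stub_t s;
    if (decode_plt_stub(sample_stub, sizeof sample_stub, SAMPLE_STUB_ADDR, &s) != 0) return 0;
    return plt_callee(&s, got_value, bound);
}

int main(void)
{
    int bound;
    /* Unbound: GOT slot still points at the push instruction (0x401026). */
    uint64_t t1 = sample_callee(SAMPLE_STUB_ADDR + 6, &bound);
    printf("unbound -> 0x%llx (bound=%d)\n", (unsigned long long)t1, bound);
    /* Bound: loader has written the real function address into the slot. */
    uint64_t t2 = sample_callee(0x7f0000001000ULL, &bound);
    printf("bound   -> 0x%llx (bound=%d)\n", (unsigned long long)t2, bound);
    return 0;
}
```

In the unbound case the only static fact the stub yields is the resolver target and the relocation index, which is exactly why the description proposes following the resolver itself rather than the stub.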