Merge pull request #1944 from HackTricks-wiki/research_update_src_binary-exploitation_basic-stack-binary-exploitation-methodology_elf-tricks_20260225_131935

Research Update Enhanced src/binary-exploitation/basic-stack...

Author: carlospolop

src/binary-exploitation/basic-stack-binary-exploitation-methodology/elf-tricks.md

@@ -218,6 +218,11 @@ Each symbol entry contains:
 - **Value** (address sin memory)
 - **Size**
 
+#### GNU IFUNC (indirect functions)
+
+- GCC can emit `STT_GNU_IFUNC` symbols with the `__attribute__((ifunc("resolver")))` extension. The dynamic loader calls the resolver at load time to select the concrete implementation (commonly CPU dispatch).
+- Quick triage: `readelf -sW ./bin | rg -i "IFUNC"`
+
 #### GNU Symbol Versioning (dynsym/dynstr/gnu.version)
 
 Modern glibc uses symbol versions. You will see entries in `.gnu.version` and `.gnu.version_r` and symbol names like `strlen@GLIBC_2.17`. The dynamic linker can require a specific version when resolving a symbol. When crafting manual relocations (e.g. ret2dlresolve) you must supply the correct version index, otherwise resolution fails.
@@ -354,6 +359,11 @@ Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
 00000001ffa8  003000000402 R_AARCH64_JUMP_SL 0000000000000000 fgets@GLIBC_2.17 + 0
 ```
 
+#### Packed relative relocations (RELR)
+
+- Modern linkers can emit compact **relative** relocations with `-z pack-relative-relocs`. This adds `DT_RELR`, `DT_RELRSZ`, and `DT_RELRENT` entries to the dynamic section for PIEs/shared libraries (it is ignored for non-PIE executables).
+- Recon: `readelf -d ./bin | egrep -i "DT_RELR|RELRSZ|RELRENT"`
+
 ### Static Relocations
 
 If the **program is loaded in a place different** from the preferred address (usually 0x400000) because the address is already used or because of **ASLR** or any other reason, a static relocation **corrects pointers** that had values expecting the binary to be loaded in the preferred address.
@@ -420,11 +430,11 @@ Note that these global variables are located in `.data` or `.bss` but in the lis
 From C code it's possible to obtain the same result using the GNU extensions :
 
 ```c
-__attributte__((constructor)) //Add a constructor to execute before
-__attributte__((destructor)) //Add to the destructor list
+__attribute__((constructor)) //Add a constructor to execute before
+__attribute__((destructor)) //Add to the destructor list
 ```
 
-From a compiler perspective, to execute these actions before and after the `main` function is executed, it's possible to create a `init` function and a `fini` function which would be referenced in the dynamic section as **`INIT`** and **`FIN`**. and are placed in the `init` and `fini` sections of the ELF.
+From a compiler perspective, to execute these actions before and after the `main` function is executed, it's possible to create a `init` function and a `fini` function which would be referenced in the dynamic section as **`INIT`** and **`FINI`**. and are placed in the `init` and `fini` sections of the ELF.
 
 The other option, as mentioned, is to reference the lists **`__CTOR_LIST__`** and **`__DTOR_LIST__`** in the **`INIT_ARRAY`** and **`FINI_ARRAY`** entries in the dynamic section and the length of these are indicated by **`INIT_ARRAYSZ`** and **`FINI_ARRAYSZ`**. Each entry is a function pointer that will be called without arguments.
 
@@ -491,6 +501,8 @@ Leaking `AT_RANDOM` gives you the canary value if you can dereference that point
 
 ## References
 
+- GCC Common Function Attributes (ifunc / STT_GNU_IFUNC): https://gcc.gnu.org/onlinedocs/gcc-14.3.0/gcc/Common-Function-Attributes.html
+- GNU ld `-z pack-relative-relocs` / `DT_RELR` docs: https://sourceware.org/binutils/docs/ld.html
 - ld.so(8) – Dynamic Loader search order, RPATH/RUNPATH, secure-execution rules (AT_SECURE): https://man7.org/linux/man-pages/man8/ld.so.8.html
 - getauxval(3) – Auxiliary vector and AT_* constants: https://man7.org/linux/man-pages/man3/getauxval.3.html
 {{#include ../../banners/hacktricks-training.md}}