git.stella-ops.org/docs/features/checked/scanner/plt-iat-resolution-and-dynamic-loading-detection-for-binary-analysis.md
2026-02-14 09:11:48 +02:00

PLT/IAT Resolution and Dynamic Loading Detection for Binary Analysis

Module

Scanner

Status

VERIFIED

Description

Enhanced binary call graph extraction using x86 and ARM64 disassembly to resolve PLT stubs to GOT entries and IAT thunks to actual import targets, plus heuristic detection of dynamic loading patterns (dlopen/LoadLibrary) for more complete binary reachability analysis.

Implementation Details

  • Disassembly Engines:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/X86Disassembler.cs - X86Disassembler disassembles x86/x64 code to resolve PLT stubs to GOT entries and extract call targets
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/Arm64Disassembler.cs - Arm64Disassembler disassembles ARM64 code for PLT/IAT resolution
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/DirectCallExtractor.cs - DirectCallExtractor extracts direct call targets from disassembled instruction streams
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/BinaryTextSectionReader.cs - Reads .text sections for disassembly
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Disassembly/BinaryDisassemblyModels.cs - Models for disassembly results
  • Dynamic Loading Detection:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Analysis/BinaryDynamicLoadDetector.cs - BinaryDynamicLoadDetector detects dlopen/LoadLibrary/dlsym patterns for dynamic library loading
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/Analysis/BinaryStringLiteralScanner.cs - BinaryStringLiteralScanner scans string literals to identify dynamically loaded library names
  • Binary Call Graph Integration:
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/BinaryCallGraphExtractor.cs - BinaryCallGraphExtractor integrates disassembly and dynamic load detection into call graph extraction
    • src/Scanner/__Libraries/StellaOps.Scanner.CallGraph/Extraction/Binary/FunctionBoundaryDetector.cs - Detects function boundaries for accurate call graph construction

E2E Test Plan

  • Scan a container with ELF binaries containing PLT stubs and verify PLT-to-GOT resolution identifies the actual imported functions
  • Scan a container with PE binaries and verify IAT thunk resolution maps to actual import targets
  • Verify x86/x64 disassembly correctly extracts direct call instructions and their targets
  • Verify ARM64 disassembly correctly handles ADRP+ADD patterns for PLT resolution
  • Verify dynamic loading detection identifies dlopen/LoadLibrary calls and extracts library name strings
  • Verify the binary call graph includes both statically linked and dynamically loaded library references
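The PLT-to-GOT and dynamic-loading checks above, worked through as an added example (not StellaOps code). It assumes x86-64 ELF only, 16-byte stubs, and a toy decoder that understands just `nop`, `ret` and `call rel32`; every function name, address and byte string is constructed for illustration.

```python
import struct

ENDBR64 = b"\xf3\x0f\x1e\xfa"        # CET/IBT landing pad that may open a stub
DYNLOAD = {"dlopen", "dlsym"}        # ELF loader APIs named on this page

def resolve_plt(plt, base, jump_slots, stub_size=16):
    """Map each PLT stub address to the symbol whose GOT slot it jumps through."""
    out = {}
    for off in range(0, len(plt) - stub_size + 1, stub_size):
        p = off
        if plt[p:p + 4] == ENDBR64:
            p += 4
        if plt[p:p + 1] == b"\xf2":          # optional bnd prefix
            p += 1
        if plt[p:p + 2] != b"\xff\x25":      # not jmp *disp32(%rip): skip (PLT0, padding)
            continue
        disp = struct.unpack_from("<i", plt, p + 2)[0]
        got = base + p + 6 + disp            # RIP-relative to the end of the jmp
        out[base + off] = jump_slots.get(got, f"<unresolved GOT {got:#x}>")
    return out

def resolve_calls(text, base, plt_map):
    """Toy decoder (nop, ret, call rel32 only): list (call site, callee name)."""
    edges, i = [], 0
    while i < len(text):
        if text[i] == 0xE8:
            target = base + i + 5 + struct.unpack_from("<i", text, i + 1)[0]
            edges.append((base + i, plt_map.get(target, f"sub_{target:x}")))
            i += 5
        elif text[i] in (0x90, 0xC3):
            i += 1
        else:
            raise ValueError(f"opcode {text[i]:#x} is outside the toy decoder")
    return edges

def _stub(addr, got, prefix=b""):
    """Constructed stub: [prefix] jmp *got(%rip), nop-padded to 16 bytes."""
    disp = got - (addr + len(prefix) + 6)
    return (prefix + b"\xff\x25" + struct.pack("<i", disp)).ljust(16, b"\x90")
def _call(site, target):
    return b"\xe8" + struct.pack("<i", target - (site + 5))

# Constructed sample: stubs at 0x1040, GOT slots as .rela.plt JUMP_SLOT would name them.
SLOTS = {0x4018: "puts", 0x4020: "dlopen", 0x4028: "dlsym"}
PLT = _stub(0x1040, 0x4018) + _stub(0x1050, 0x4020, ENDBR64 + b"\xf2") + _stub(0x1060, 0x4028, ENDBR64)
TEXT = _call(0x1100, 0x1050) + b"\x90" + _call(0x1106, 0x1060) + _call(0x110B, 0x1200) + b"\xc3"
PLT_MAP = resolve_plt(PLT, 0x1040, SLOTS)
EDGES = resolve_calls(TEXT, 0x1100, PLT_MAP)
DYNLOAD_SITES = [site for site, name in EDGES if name in DYNLOAD]
```

A call whose target is not a known stub stays a local `sub_…` edge, and a stub whose GOT slot has no relocation is reported as unresolved rather than silently dropped, which is what keeps the reachability result honest.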

Verification

Check | Result
Tier 0 - Source files exist | PASS
Tier 1 - Build + code review | PASS
Tier 2 - Integration tests | PASS
Verified 2026-02-13T18:10:00Z