1
0
Fork
You've already forked got-audit
0
No description
  • C++ 75.3%
  • Shell 15.3%
  • Roff 5.7%
  • CMake 2%
  • C 1.7%
Gordon Messmer 1fe27f303f Add RPM spec file for Fedora/RHEL packaging
- Full RPM spec file for building distribution packages
- Includes proper dependencies (cmake, gcc-c++, elfutils-libelf-devel)
- Installs binary, man page, and documentation
- Changelog documenting v1.0.0 release
- License and documentation properly packaged
Build instructions:
 rpmbuild -ba got-audit.spec
Install from SRPM:
 dnf builddep got-audit.spec
 rpmbuild -ba got-audit.spec
 sudo dnf install ~/rpmbuild/RPMS/x86_64/got-audit-1.0.0-1.*.rpm
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026年05月27日 12:00:36 -07:00
.claude Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
.github/workflows Add GitHub Actions CI/CD workflow 2026年05月27日 12:00:29 -07:00
include Fix duplicate symbol detection when using --all flag 2026年05月27日 11:29:43 -07:00
src Fix duplicate symbol detection when using --all flag 2026年05月27日 11:29:43 -07:00
tests Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
.gitignore Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
build.sh Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
CMakeLists.txt Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
CONTRIBUTING.md Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
DEVELOPMENT.md Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
got-audit.1 Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
got-audit.spec Add RPM spec file for Fedora/RHEL packaging 2026年05月27日 12:00:36 -07:00
LICENSE Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
README.md Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00
ROADMAP.md Initial commit: C++ port of GEF got-audit command 2026年05月27日 11:29:38 -07:00

GOT Audit Tool

A C++ port of the GEF got-audit command that audits the Global Offset Table (GOT) of running Linux processes to detect potential security issues.

Overview

This tool attaches to a running process and examines its Global Offset Table to identify:

  • Symbols resolving to unexpected memory regions
  • Duplicate symbol definitions across libraries
  • Symbols not exported by the target library
  • GOT protection status (Full RelRO, Partial RelRO, or No RelRO)

This can help detect namespace tampering, symbol hijacking, and other security vulnerabilities.

Features

  • Process Attachment: Uses ptrace to attach to running processes
  • ELF Parsing: Parses ELF files using libelf to extract GOT entries and symbol tables
  • Memory Analysis: Reads process memory to determine actual GOT values
  • Duplicate Detection: Identifies symbols defined in multiple libraries (with known exceptions)
  • Export Verification: Checks that resolved symbols are actually exported by their target libraries
  • Flexible Auditing: Audit just the main executable or all loaded ELF objects

Requirements

  • Linux kernel with ptrace support
  • CMake 3.15 or higher
  • C++17 compatible compiler (GCC 7+ or Clang 5+)
  • libelf development headers

Installing Dependencies

Fedora/RHEL:

sudo dnf install cmake gcc-c++ elfutils-libelf-devel

Debian/Ubuntu:

sudo apt-get install cmake g++ libelf-dev

Building

mkdir build
cd build
cmake ..
make

Optional install:

sudo make install

This will install:

  • Binary to /usr/local/bin/got-audit
  • Man page to /usr/local/share/man/man1/got-audit.1

Testing

Run the test suite:

cd tests
./run_tests.sh

Or use CMake's test runner:

cd build
make test

The test suite verifies:

  • Binary compilation and basic functionality
  • Correct handling of command-line arguments
  • Ability to attach and audit processes
  • Output format and content
  • No false positive duplicate symbol warnings
  • Man page validity

Man Page

View the manual page:

man ./got-audit.1

After installation:

man got-audit

Usage

got-audit [OPTIONS] <PID>

Options

  • --all, -a: Audit GOT for all mapped ELF objects (not just the main executable)
  • --help, -h: Show help message

Arguments

  • <PID>: Process ID to audit

Examples

Audit the main executable of process 1234:

sudo ./got-audit 1234

Audit all ELF objects loaded by process 1234:

sudo ./got-audit --all 1234

Example Output

Successfully attached to process 1234
════════════════════════════════════════════════════════════════
/usr/bin/bash
════════════════════════════════════════════════════════════════
GOT protection: Full RelRO | GOT functions: 231
endgrent : /usr/lib64/libc.so.6
__ctype_toupper_loc : /usr/lib64/libc.so.6
free : /usr/lib64/libc.so.6
strcpy : /usr/lib64/libc.so.6
printf : /usr/lib64/libc.so.6
tputs : /usr/lib64/libtinfo.so.6.5
...
Detached from process 1234

Color coding:

  • 🟢 Green: Resolved symbols (pointing to external libraries)
  • 🟡 Yellow: Unresolved symbols (still pointing to PLT stubs)
  • 🔴 Red: Warnings (duplicate symbols or export mismatches)

How It Works

  1. Attaches to the process and reads its memory layout
  2. Parses GOT entries and builds a symbol index from loaded libraries
  3. Checks each GOT entry for unexpected resolutions or duplicates

For technical details, see DEVELOPMENT.md.

Output Format

The tool produces a report for each audited ELF object:

════════════════════════════════════════════════════════════════
/path/to/executable
════════════════════════════════════════════════════════════════
GOT protection: Full RelRO | GOT functions: 42
read : /usr/lib64/libc.so.6
write : /usr/lib64/libc.so.6
printf : /usr/lib64/libc.so.6
malloc : /usr/lib64/libc.so.6
...

Color Coding

  • Green: Resolved symbols (pointing outside the executable's own memory)
  • Yellow: Unresolved symbols (still pointing to PLT stubs)
  • Red: Warnings (duplicate symbols or export mismatches)

Warnings

Duplicate Symbol Warning:

symbol_name : /lib/library.so :: ERROR symbol_name found in multiple paths (/lib/library1.so, /lib/library2.so)

Export Mismatch Warning:

symbol_name : /lib/library.so :: ERROR symbol_name not exported by /lib/library.so

Limitations

  • Requires root privileges (or appropriate CAP_SYS_PTRACE capability)
  • Target process is temporarily paused while attached
  • Only supports ELF binaries
  • Only tested on x86_64, i386, and aarch64 architectures

Architecture

For technical details about the architecture, module breakdown, data flow, and key classes, see DEVELOPMENT.md.

Security Considerations

This tool attaches to running processes using ptrace, which requires elevated privileges. Use with caution and only on processes you own or have permission to inspect.

Origin

This tool is a machine-generated C++ port of the got-audit command from GEF (GDB Enhanced Features), a GDB plugin. The original implementation was written in Python and integrated with GDB.

Original GEF Project:

This Port:

  • Created by Claude (Anthropic AI) in 2026
  • Based on GEF's GotAuditCommand implementation in gef/gef.py
  • Implemented using standard libelf API and ptrace system calls

License

This project is licensed under the MIT License - see the LICENSE file for details.

This is a machine-generated port of work from GEF (GDB Enhanced Features), which is also MIT licensed. The port was created by Claude (Anthropic AI) based on the original GotAuditCommand implementation.

Reference materials:

  • GEF (GDB Enhanced Features) - got-audit command implementation (gef/gef.py)
  • Standard libelf API documentation
  • Linux ptrace system call documentation
  • ELF format specification