|
Gordon Messmer
1fe27f303f
Add RPM spec file for Fedora/RHEL packaging
- Full RPM spec file for building distribution packages - Includes proper dependencies (cmake, gcc-c++, elfutils-libelf-devel) - Installs binary, man page, and documentation - Changelog documenting v1.0.0 release - License and documentation properly packaged Build instructions: rpmbuild -ba got-audit.spec Install from SRPM: dnf builddep got-audit.spec rpmbuild -ba got-audit.spec sudo dnf install ~/rpmbuild/RPMS/x86_64/got-audit-1.0.0-1.*.rpm Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> |
||
|---|---|---|
| .claude | Initial commit: C++ port of GEF got-audit command | |
| .github/workflows | Add GitHub Actions CI/CD workflow | |
| include | Fix duplicate symbol detection when using --all flag | |
| src | Fix duplicate symbol detection when using --all flag | |
| tests | Initial commit: C++ port of GEF got-audit command | |
| .gitignore | Initial commit: C++ port of GEF got-audit command | |
| build.sh | Initial commit: C++ port of GEF got-audit command | |
| CMakeLists.txt | Initial commit: C++ port of GEF got-audit command | |
| CONTRIBUTING.md | Initial commit: C++ port of GEF got-audit command | |
| DEVELOPMENT.md | Initial commit: C++ port of GEF got-audit command | |
| got-audit.1 | Initial commit: C++ port of GEF got-audit command | |
| got-audit.spec | Add RPM spec file for Fedora/RHEL packaging | |
| LICENSE | Initial commit: C++ port of GEF got-audit command | |
| README.md | Initial commit: C++ port of GEF got-audit command | |
| ROADMAP.md | Initial commit: C++ port of GEF got-audit command | |
GOT Audit Tool
A C++ port of the GEF got-audit command that audits the Global Offset Table (GOT) of running Linux processes to detect potential security issues.
Overview
This tool attaches to a running process and examines its Global Offset Table to identify:
- Symbols resolving to unexpected memory regions
- Duplicate symbol definitions across libraries
- Symbols not exported by the target library
- GOT protection status (Full RelRO, Partial RelRO, or No RelRO)
This can help detect namespace tampering, symbol hijacking, and other security vulnerabilities.
Features
- Process Attachment: Uses
ptraceto attach to running processes - ELF Parsing: Parses ELF files using
libelfto extract GOT entries and symbol tables - Memory Analysis: Reads process memory to determine actual GOT values
- Duplicate Detection: Identifies symbols defined in multiple libraries (with known exceptions)
- Export Verification: Checks that resolved symbols are actually exported by their target libraries
- Flexible Auditing: Audit just the main executable or all loaded ELF objects
Requirements
- Linux kernel with
ptracesupport - CMake 3.15 or higher
- C++17 compatible compiler (GCC 7+ or Clang 5+)
- libelf development headers
Installing Dependencies
Fedora/RHEL:
sudo dnf install cmake gcc-c++ elfutils-libelf-devel
Debian/Ubuntu:
sudo apt-get install cmake g++ libelf-dev
Building
mkdir build
cd build
cmake ..
make
Optional install:
sudo make install
This will install:
- Binary to
/usr/local/bin/got-audit - Man page to
/usr/local/share/man/man1/got-audit.1
Testing
Run the test suite:
cd tests
./run_tests.sh
Or use CMake's test runner:
cd build
make test
The test suite verifies:
- Binary compilation and basic functionality
- Correct handling of command-line arguments
- Ability to attach and audit processes
- Output format and content
- No false positive duplicate symbol warnings
- Man page validity
Man Page
View the manual page:
man ./got-audit.1
After installation:
man got-audit
Usage
got-audit [OPTIONS] <PID>
Options
--all,-a: Audit GOT for all mapped ELF objects (not just the main executable)--help,-h: Show help message
Arguments
<PID>: Process ID to audit
Examples
Audit the main executable of process 1234:
sudo ./got-audit 1234
Audit all ELF objects loaded by process 1234:
sudo ./got-audit --all 1234
Example Output
Successfully attached to process 1234
════════════════════════════════════════════════════════════════
/usr/bin/bash
════════════════════════════════════════════════════════════════
GOT protection: Full RelRO | GOT functions: 231
endgrent : /usr/lib64/libc.so.6
__ctype_toupper_loc : /usr/lib64/libc.so.6
free : /usr/lib64/libc.so.6
strcpy : /usr/lib64/libc.so.6
printf : /usr/lib64/libc.so.6
tputs : /usr/lib64/libtinfo.so.6.5
...
Detached from process 1234
Color coding:
- 🟢 Green: Resolved symbols (pointing to external libraries)
- 🟡 Yellow: Unresolved symbols (still pointing to PLT stubs)
- 🔴 Red: Warnings (duplicate symbols or export mismatches)
How It Works
- Attaches to the process and reads its memory layout
- Parses GOT entries and builds a symbol index from loaded libraries
- Checks each GOT entry for unexpected resolutions or duplicates
For technical details, see DEVELOPMENT.md.
Output Format
The tool produces a report for each audited ELF object:
════════════════════════════════════════════════════════════════
/path/to/executable
════════════════════════════════════════════════════════════════
GOT protection: Full RelRO | GOT functions: 42
read : /usr/lib64/libc.so.6
write : /usr/lib64/libc.so.6
printf : /usr/lib64/libc.so.6
malloc : /usr/lib64/libc.so.6
...
Color Coding
- Green: Resolved symbols (pointing outside the executable's own memory)
- Yellow: Unresolved symbols (still pointing to PLT stubs)
- Red: Warnings (duplicate symbols or export mismatches)
Warnings
Duplicate Symbol Warning:
symbol_name : /lib/library.so :: ERROR symbol_name found in multiple paths (/lib/library1.so, /lib/library2.so)
Export Mismatch Warning:
symbol_name : /lib/library.so :: ERROR symbol_name not exported by /lib/library.so
Limitations
- Requires root privileges (or appropriate
CAP_SYS_PTRACEcapability) - Target process is temporarily paused while attached
- Only supports ELF binaries
- Only tested on x86_64, i386, and aarch64 architectures
Architecture
For technical details about the architecture, module breakdown, data flow, and key classes, see DEVELOPMENT.md.
Security Considerations
This tool attaches to running processes using ptrace, which requires elevated privileges. Use with caution and only on processes you own or have permission to inspect.
Origin
This tool is a machine-generated C++ port of the got-audit command from GEF (GDB Enhanced Features), a GDB plugin. The original implementation was written in Python and integrated with GDB.
Original GEF Project:
- Repository: https://github.com/hugsy/gef
- Copyright (c) 2013-2025 crazy rabbidz
- License: MIT
This Port:
- Created by Claude (Anthropic AI) in 2026
- Based on GEF's GotAuditCommand implementation in gef/gef.py
- Implemented using standard libelf API and ptrace system calls
License
This project is licensed under the MIT License - see the LICENSE file for details.
This is a machine-generated port of work from GEF (GDB Enhanced Features), which is also MIT licensed. The port was created by Claude (Anthropic AI) based on the original GotAuditCommand implementation.
Reference materials:
- GEF (GDB Enhanced Features) - got-audit command implementation (gef/gef.py)
- Standard libelf API documentation
- Linux ptrace system call documentation
- ELF format specification