Listing symbol information with nm
The nm utility is used to list symbols from an object (binary) file. This command produces a list of symbols along with their addresses (if applicable) and symbol type. Some of the more prevalent types are shown in Table 10.1. Generally speaking, lowercase symbols denote local symbols and uppercase symbols represent external (global) scope. The output from nm can give some insight into the unknown file, by providing called library functions, local function names, and variable names. Naturally, if these symbols have been stripped using the strip command, nm produces no output. Partial output from running nm against the xingyi_bindshell file is shown in Figure 10.7. Several suspicious function and variable names can be seen in the figure.
Table 10.1. Common nm symbol types.
| Type | Description |
|---|---|
| A | Absolute (will not change) |
| B | Uninitialized data section (BSS) |
| C | Common symbol (uninitialized data) |
| D | Symbol is in the initialized data section |
| G | Symbol is in an initialized data section for small objects |
| N | Symbol is a debugging symbol |
| R | Symbol is in read-only data section |
| S | Symbol is in uninitialized data section for small objects |
| T | Symbol is in the code (text) section |
| U | Symbol is undefined. Usually this means it is external (from a library) |
| V, W | Weak symbol (can be overridden) |
| ? | Unknown symbol type |
FIGURE 10.7
Partial output from running nm against xingyi_bindshell.