
Re: gmonstart / jvregisterclasses in tons of binaries with commands,malware?

On Wed, Dec 16, 2009 at 05:59:13PM -0500, whereislibertyandjustice@Safe-mail.net wrote:
> Whether I run 'strings' on the binary files or view with vim or gedit, here
> is what is always seen inside the binaries:
> __gmon_start__
> _Jv_RegisterClasses

They're put there by gcc and are perfectly harmless.  What makes you
suspicious of them in any way?

If you inspect these programs or libraries with objdump, you'll see
stuff like 

0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
0000000000000000  w   D  *UND*  0000000000000000              _Jv_RegisterClasses

that indicates that these are "weak" references, meaning that they don't
necessarily even do anything.  The symbols are basically stubs that can
optionally be filled in at link time but don't need to be.  Digging into
the gcc source code, it's apparent that __gmon_start__ can be used by
some profiling libraries, while _Jv_RegisterClasses has something arcane
to do with calling C++ code from Java, or something like that.
(Remember that the gcc suite includes a Java compiler and related
tools.)  You can find all the source in the gcc source tree.

You may not see these symbols on OpenBSD systems because they don't
include Java or gprof support in the gcc builds.  That's just a guess,
though.  I don't know that for sure.

I'm all for some healthy paranoia, but really, when faced with the
possibilities "oh my god, the whole world has been pwned" or "I must be
misunderstanding something", go with the latter.


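Added example, not part of the original message: a small Python reader for the dynamic symbol table that reports the entries objdump marks with `w` and `*UND*`, by decoding the ELF binding (STB_WEAK) and section index (SHN_UNDEF) directly. The function names and the sample image built by `build_sample` are constructed for illustration; only little-endian ELF64 is handled.

```python
import struct

SHT_DYNSYM, STB_WEAK, SHN_UNDEF = 11, 2, 0        # constants from the ELF spec
SHDR = struct.Struct("<IIQQQQIIQQ")               # Elf64_Shdr
SYM = struct.Struct("<IBBHQQ")                    # Elf64_Sym

def weak_undefined_symbols(elf: bytes) -> list:
    """Names in .dynsym that are weak (STB_WEAK) and undefined (SHN_UNDEF)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expects a little-endian ELF64 image")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)             # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)    # e_shentsize, e_shnum
    shdrs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    names = []
    for sh in shdrs:
        if sh[1] != SHT_DYNSYM:
            continue
        str_off = shdrs[sh[6]][4]          # sh_link names the string table section
        for off in range(sh[4], sh[4] + sh[5], SYM.size):
            st_name, st_info, _, st_shndx, _, _ = SYM.unpack_from(elf, off)
            if st_name and st_info >> 4 == STB_WEAK and st_shndx == SHN_UNDEF:
                start = str_off + st_name
                names.append(elf[start:elf.index(b"\0", start)].decode())
    return names

def build_sample() -> bytes:
    """Constructed minimal ELF64 image (not a real binary): .dynstr + .dynsym only."""
    strtab = b"\0__gmon_start__\0_Jv_RegisterClasses\0main\0"
    at = strtab.index
    syms = b"".join(SYM.pack(*s) for s in [
        (0, 0, 0, 0, 0, 0),                                   # mandatory null symbol
        (at(b"__gmon_start__"), STB_WEAK << 4, 0, SHN_UNDEF, 0, 0),
        (at(b"_Jv_RegisterClasses"), STB_WEAK << 4, 0, SHN_UNDEF, 0, 0),
        (at(b"main"), (1 << 4) | 2, 0, 1, 0x1000, 8),         # GLOBAL FUNC, defined
    ])
    str_off = 64                                              # right after the ELF header
    sym_off = str_off + len(strtab)
    shoff = sym_off + len(syms)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    shdrs = (SHDR.pack(*[0] * 10)                                        # null section
             + SHDR.pack(0, 3, 0, 0, str_off, len(strtab), 0, 0, 1, 0)   # .dynstr
             + SHDR.pack(0, SHT_DYNSYM, 0, 0, sym_off, len(syms), 1, 1, 8, SYM.size))
    return ehdr + strtab + syms + shdrs

if __name__ == "__main__":
    print(weak_undefined_symbols(build_sample()))
```

To check a real file, pass its bytes instead of the constructed image, for example `weak_undefined_symbols(open(path, "rb").read())`.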