WHAT HAPPENS WHEN OPEN() IS CALLED
AXIOMATIC INVESTIGATION: PRE-SYSCALL EXECUTION PATH
1. printf '#include <fcntl.h>\nint main() { open("somefile", O_RDWR); }\n' > test.c
2. gcc -c test.c -o test.o
3. file test.o
4. readelf -r test.o | grep open
The relocation entry refers to open, which the symbol table (readelf -s) lists as UND = undefined. Symbol resolution is deferred to link time.
5. gcc test.o -o test
6. ldd test
7. objdump -d test | grep -A5 -B5 call
0x1050
Binary jumps to PLT trampoline, not directly to open().
8. gdb test
9. info functions open   (after `start`, so libc is mapped; gdb takes a regex here, not a shell pipe)
0x7ffff7d1b150
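The address of open varies with ASLR: the library base changes on each execution. gdb disables randomization by default, so the value repeats inside the debugger.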
10. readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep -E "FUNC.*open"
0x11b150
Symbol has fixed offset within library. Address = library_base + offset.
11. gdb test
12. print open
0x7ffff7d1b150
0x7ffff7c00000 + 0x11b150 = 0x7ffff7d1b150
Verification: base + offset = final address.
13. gdb test
14. x/10gx 0x555555557fd0
0x7ffff7d1b150
GOT contains resolved open address. PLT jump → GOT → libc confirmed.
15. gdb test
16. info registers rdi rsi rdx
O_RDWR = 2 = 0x02. O_CREAT = 0x40.
2 & 0x40 = 0x00. Zero flag set.
No mode argument needed. Fast path selected.
17. gdb test
18. mov $0xffffff9c,%edi
0xffffff9c
100 = 0x64. ~0x64 = 0x9B. +1 = 0x9C.
Sign-extend: 0xFFFFFF9C = -100 (AT_FDCWD).
19. mov $0x101,%eax
0x101
RAX = 257 (__NR_openat). Confirmed with system header.
20. info registers rax rdi rsi rdx
RAX=257 ✓ RDI=-100 ✓ RSI=filename ✓ RDX=2 ✓
All registers ready for openat() syscall.
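21. cat /proc/$(pidof test)/maps | grep test   (from a second shell, while test is stopped in gdb; /proc/self would show cat's own mappings)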
.text r-xp, .data rw-p (writable GOT), .bss rw-p
PLT in executable segment, GOT in data segment.
COMPLETE AXIOMATIC INVESTIGATION
From compilation through syscall preparation
Every address mathematically derived
All transformations observed and verified
Pre-syscall execution path fully documented