abelrguezr/relro-analysis
skills/binary-exploitation/common-binary-protections-and-bypasses/relro/SKILL.md
Analyze RELRO (Relocation Read-Only) protections in ELF binaries, check protection status, and understand bypass techniques. Use this skill whenever the user mentions binary protections, ELF analysis, GOT (Global Offset Table), relocation, checksec, readelf, binary exploitation, or security hardening. Trigger for any questions about Partial RELRO, Full RELRO, -z relro, -z now, BIND_NOW, or how to check/enable RELRO in compiled binaries.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills relro-analysisInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:09 AM18.2s2 files scanned
SKILL.md
- name:
- relro-analysis
- description:
- Analyze RELRO (Relocation Read-Only) protections in ELF binaries, check protection status, and understand bypass techniques. Use this skill whenever the user mentions binary protections, ELF analysis, GOT (Global Offset Table), relocation, checksec, readelf, binary exploitation, or security hardening. Trigger for any questions about Partial RELRO, Full RELRO, -z relro, -z now, BIND_NOW, or how to check/enable RELRO in compiled binaries.
RELRO Analysis Skill
This skill helps you understand, check, and work with RELRO (Relocation Read-Only) protections in ELF binaries.
Quick Reference
# Check RELRO status (requires checksec/pwntools)
checksec --file ./binary
# Check RELRO with readelf (always available)
readelf -l ./binary | grep GNU_RELRO
readelf -d ./binary | grep BIND_NOW
# Compile with Full RELRO
gcc -fPIE -pie -Wl,-z,relro,-z,now -o binary source.c
Understanding RELRO
RELRO (Relocation Read-Only) is a linker mitigation that makes the GOT (Global Offset Table) and related sections read-only after relocations are applied. This prevents attackers from overwriting function pointers via buffer overflows or arbitrary write primitives.
Two Protection Levels
| Level | Flags | GOT Protection | Bypass Possible |
|-------|-------|----------------|------------------|
| None | (default, old) | Writable | Yes - direct GOT overwrite |
| Partial | -Wl,-z,relro | Non-PLT GOT only | Yes - .got.plt still writable |
| Full | -Wl,-z,relro,-z,now | Entire GOT read-only | Harder - need other primitives |
Key insight: Full RELRO requires -z now (eager binding) so .got.plt never needs runtime writes and can be made read-only.
Checking RELRO Status
Method 1: checksec (Recommended)
checksec --file ./vuln
Output interpretation:
RELRO: Full→ Complete protectionRELRO: Partial→ GOT.plt still writableRELRO: No→ No protection
Method 2: readelf (Always available)
# Check for PT_GNU_RELRO segment
readelf -l ./binary | grep GNU_RELRO
# Check for BIND_NOW flag (indicates Full RELRO)
readelf -d ./binary | grep BIND_NOW
Interpretation:
GNU_RELROpresent +BIND_NOWabsent = Partial RELROGNU_RELROpresent +BIND_NOWpresent = Full RELROGNU_RELROabsent = No RELRO
Method 3: Check running process
# For a running process (e.g., setuid binary)
readelf -l /proc/$(pgrep process_name)/exe | grep GNU_RELRO
Enabling RELRO in Compilation
GCC/Clang
# Full RELRO with PIE and other hardenings
gcc -fPIE -pie -Wl,-z,relro,-z,now -Wl,--as-needed -D_FORTIFY_SOURCE=2 source.c -o binary
# Breakdown:
# -fPIE -pie → Position Independent Executable
# -Wl,-z,relro → Create PT_GNU_RELRO segment
# -Wl,-z,now → Eager binding (no lazy loading)
# -Wl,--as-needed → Only link required libraries
# -D_FORTIFY_SOURCE=2 → Buffer overflow protection
CMake (3.18+)
set(CMAKE_EXE_LINKER_FLAGS "-Wl,-z,relro,-z,now")
set(CMAKE_SHARED_LINKER_FLAGS "-Wl,-z,relro,-z,now")
set(CMAKE_POSITION_INDEPENDENT_CODE ON)
Makefile
LDFLAGS += -Wl,-z,relro,-z,now
CFLAGS += -fPIE
LDFLAGS += -pie
Bypass Techniques
When GOT is Writable (No/Partial RELRO)
- Direct GOT overwrite - Overwrite
.got.pltentry to redirect function calls - ret2dlresolve - Craft fake
Elf64_RelaandElf64_Rsymto call_dl_runtime_resolve - Function pointer overwrite - Target
.fini_array,.init_array, oratexit()handlers
When GOT is Read-Only (Full RELRO)
- Other writable pointers - C++ vtables,
__malloc_hook(glibc < 2.34),__free_hook, custom.datasections - Leak + ROP/SROP - Use relative read primitives to leak libc, then ROP into libc functions
- Format string attacks - Partial pointer overwrite without touching GOT
- Shared library GOT - libc's own GOT is only Partial RELRO; target it with arbitrary write
- LD_PRELOAD/DT_RPATH - Inject rogue shared objects (if environment is controllable)
Important Note
Even with Full RELRO, shared libraries like libc have only Partial RELRO because they're already mapped when the loader applies relocations. If you have an arbitrary write primitive targeting another shared object's pages, you can still pivot execution by overwriting libc's GOT entries.
Real-World Example
2024 CTF - pwn.college "enlightened"
- Binary had Full RELRO
- Exploit used off-by-one to corrupt heap chunk size
- Leaked libc via tcache poisoning
- Overwrote
__free_hook(outside RELRO segment) with one-gadget - No GOT write required
Recent Developments (2022-2025)
| Change | Impact |
|--------|--------|
| glibc 2.34+ - malloc/free hooks moved to libc_malloc_debug.so | Common Full RELRO bypass primitive removed |
| binutils 2.39+ - RELRO page alignment fix (bug 30612) | Closed "RELRO gap" on 64KB page systems |
| Debian 12, Fedora 35+ - Full RELRO default | Expect Full RELRO in most modern binaries |
Common Questions
"Why does my binary show Partial RELRO?"
You're missing -z now. Use both flags: -Wl,-z,relro,-z,now
"Can I still exploit Full RELRO binaries?"
Yes, but you need different primitives:
- Look for writable code pointers outside GOT
- Use format string or partial overwrite
- Target shared library GOT (libc's GOT is Partial RELRO)
- Exploit heap corruption to reach
__free_hookor similar
"What's the performance impact?"
- Partial RELRO: Negligible
- Full RELRO: Measurable startup overhead (all symbols resolved at launch), no runtime overhead
"Should I enable RELRO?"
Yes, always. Modern distributions ship with Full RELRO by default. It's a fundamental hardening measure with minimal cost.
References
- Why malloc hooks were removed from glibc
- Binutils bug 30612 - RELRO end alignment
- checksec documentation
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026