Quiz Entry - updated: 2026.07.06
What are the GOT and PLT and how do external function calls work?
The PLT is a per-function trampoline you call for external functions; it jumps through the GOT, which the dynamic linker fills in with the real address on first use.
* Lazy binding: first call resolves via the linker and patches the GOT; later calls jump direct. *
# Calling printf (external)
call <printf@PLT>
What happens:
call <printf@PLT>jumps to a PLT stub- The stub jumps to the address stored in the GOT entry for
printf - First call: GOT entry points back to the dynamic linker, which resolves the real address and patches the GOT
- Subsequent calls: GOT already has the real address — direct jump
In GDB:
# See PLT stub
(gdb) disas 0x401030
# See GOT entry
(gdb) x/a 0x601018
# After first call, GOT has the real address
(gdb) x/a 0x601018
0x601018: 0x7ffff7a62800 <printf>
Forensic relevance: Malware may overwrite GOT entries to hijack function calls (GOT overwrite attack). If a GOT entry points somewhere unexpected, that's suspicious.
Go deeper: