elf

CMake: Embed ELF into executable

*爱你&永不变心* Submitted on 2020-01-22 09:57:26
Question: I have a project that needs access to an ELF file embedded into the executable in a special section. I was handcrafting Makefiles before and simply had a shell script where I used objcopy to copy the target I wanted to embed into an .o file, then link to this file in the executable. # Create a new section and copy the binary there ($1=input $2=output name) objcopy --input-target binary --output-target elf64-x86-64 \ --binary-architecture i386 $1 $2.o Now I want to get rid of the custom

Manually looking up functions in the ELF export table

主宰稳场 Submitted on 2020-01-20 13:35:18
char *find_module_by_name(char *name) { FILE *fp = fopen("/proc/self/maps", "r"); char line[1024] = {0}; char *ptr = NULL; if (fp) { while (fgets(line, 1024, fp)) { if (strstr(line, name)) { sscanf(line, "%p-%*p %*s %*s %*s %*s %*s", &ptr); break; } } fclose(fp); } return ptr; } void *my_dlsym(char *path, char *name) { char *base = find_module_by_name(path); Elf32_Ehdr *elf_head = (Elf32_Ehdr *)base; Elf32_Phdr *phead_table = (Elf32_Phdr *)(base + elf_head->e_phoff); struct LoadableSegment { size_t num = 0; size_t max

Why Linux/gnu linker chose address 0x400000?

人走茶凉 Submitted on 2020-01-19 05:18:28
Question: I'm experimenting with ELF executables and the gnu toolchain on Linux x86_64: I've linked and stripped (by hand) a "Hello World" test.s: .global _start .text _start: mov $1, %rax ... into a 267 byte ELF64 executable... 0000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............ 0000010: 0200 3e00 0100 0000 d400 4000 0000 0000 ..>.......@..... 0000020: 4000 0000 0000 0000 0000 0000 0000 0000 @............... 0000030: 0000 0000 4000 3800 0100 4000 0000 0000 ....@.8...@..... 0000040: 0100

Struct layout in apcs-gnu ABI

感情迁移 Submitted on 2020-01-15 10:35:06
Question: For this code: struct S { unsigned char ch[2]; }; int main(void) { _Static_assert( sizeof(struct S) == 2, "size was not 2"); } using GCC (various versions) for ARM with the ABI apcs-gnu (aka. OABI, or EABI version 0), the assertion fails. It turns out the size of the struct is 4. I can work around this by using __attribute__((packed)); but my questions are: What is the rationale for making this struct size 4? Is there any documentation specifying the layout of structs in this ABI? On

Editing ELF binary call instruction

谁说我不能喝 Submitted on 2020-01-14 09:56:08
Question: I am playing around with manipulating a binary's call functions. I have the below code: #include <stdio.h> #include <stdlib.h> #include <string.h> void myfunc2(char *str2, char *str1); void myfunc(char *str2, char *str1) { memcpy(str2 + strlen(str2), str1, strlen(str1)); } int main(int argc, char **argv) { char str1[4] = "tim"; char str2[10] = "hello "; myfunc((char *)&str2, (char *)&str1); printf("%s\n", str2); myfunc2((char *)&str2, (char *)&str1); printf("%s\n", str2);

Summary of IDA Pro 7.0 usage tips

三世轮回 Submitted on 2020-01-13 21:46:04
As the saying goes, to do a good job one must first sharpen one's tools. In learning binary security, using tools well is especially important, and IDA is the go-to tool for binary work. When I used IDA before, I only used a few of the more common features and never looked into the rest of IDA's functionality. So, in the spirit of learning, and with reference to "The IDA Pro Book" (2nd edition), I am writing this article to record what I learned. All of the notes below were made with IDA Pro 7.0 on the Windows platform. Some binary tools: In the first chapter or two of "The IDA Pro Book", several tools commonly used for binary research are introduced. I noted down a few of them here briefly: C++filt: can be used to display the complex mangled names of overloaded C++ functions. PE tools: a set of tools for analysing running processes and executable files on Windows systems. string: can be used to directly search out all strings in an ELF file; the -a option searches the whole file, the -t option shows the offset of each string, and the -e option can search for strings in additional character encodings, such as Unicode. strip: can be used to remove symbols from an ELF file; after stripping, the file still works normally but is harder to reverse, a must-have for evil challenge authors. The genius who developed IDA is Ilfak, and his personal blog has many IDA tutorials: https://www.hexblog.com/ IDA directory structure: the IDA installation root contains many folders, each storing different content. cfg: contains various configuration files, the basic IDA configuration file ida.cfg, the GUI configuration file idagui

How convert address in elf to physical address

孤者浪人 Submitted on 2020-01-13 11:05:27
Question: I know os will load elf in physical memory. When execute jmp elf-address, system will check tlb and convert the elf-address to physical address. I am confused that elf-address does not have segment num and page num? How os convert elf-address to what MMU need. I'm really confused that. I know linux will read header of elf and map elf. When page fault happened, kernel will load elf in memory and refresh page table. But you know elf address is like 0x0804900. If we want to exe jmp elf-address

Fixing the error /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

本小妞迷上赌 Submitted on 2020-01-13 03:49:03
/lib/ld-linux.so.2: bad ELF interpreter: No such file or directory. Today I was setting up the Java environment on a new server. After configuring the environment variables, running java -version did not print the version number as expected; instead it reported the error /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory. It turned out that the new machine needed a low-level API package (the glibc package) installed. If this problem appears after installing the JDK and configuring the environment variables, install the glibc package as follows: sudo yum install glibc.i686. glibc is the libc library released by GNU, i.e. the C runtime library. glibc is the lowest-level API in a Linux system, and almost every other runtime library depends on it. Besides wrapping the system services provided by the Linux operating system, glibc itself also provides implementations of many other essential functions. Since glibc covers almost all of the common UNIX standards, its contents are understandably all-encompassing. And just like other UNIX systems, its files are scattered across the system's directory tree, propping up the whole operating system like a scaffold. Source: CSDN Author: 念淅 Link: https://blog.csdn.net/NianXii/article/details/103820406

CPU dependent code: how to avoid function pointers?

我只是一个虾纸丫 Submitted on 2020-01-12 06:15:27
Question: I have performance critical code written for multiple CPUs. I detect CPU at run-time and based on that I use appropriate function for the detected CPU. So, now I have to use function pointers and call functions using these function pointers: void do_something_neon(void); void do_something_armv6(void); void (*do_something)(void); if(cpu == NEON) { do_something = do_something_neon; }else{ do_something = do_something_armv6; } //Use function pointer: do_something(); ... Not that it matters, but I