[原创]LINUX ELF文件动态加载调试-编程技术-看雪-安全社区|安全招聘|kanxue.com

[原创]LINUX ELF文件动态加载调试

发表于: 2013-8-30 17:53 8728

[原创]LINUX ELF文件动态加载调试

boywhp

2013-8-30 17:53

8728

ELF Header:
  Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                            ELF64
  Data:                            2's complement, little endian
  Version:                         1 (current)
  OS/ABI:                         UNIX - System V
  ABI Version:                      0
  Type:                            EXEC (Executable file)
  Machine:                         Advanced Micro Devices X86-64
  Version:                         0x1
  Entry point address:             0x400620
  Start of program headers:       64 (bytes into file)
  Start of section headers:       5232 (bytes into file)
  Flags:                            0x0
  Size of this header:             64 (bytes)
  Size of program headers:          56 (bytes)
  Number of program headers:       9
  Size of section headers:          64 (bytes)
  Number of section headers:       38
  Section header string table index: 35

Section Headers:
  [Nr] Name             Type          Address          Offset
   Size             EntSize       Flags  Link  Info  Align
  [ 0]                NULL          0000000000000000  00000000
   0000000000000000  0000000000000000          0    0    0
  [ 1] .interp          PROGBITS       0000000000400238  00000238
   000000000000001c  0000000000000000 A    0    0    1
  [ 2] .note.ABI-tag    NOTE          0000000000400254  00000254
   0000000000000020  0000000000000000 A    0    0    4
  [ 3] .note.gnu.build-i NOTE          0000000000400274  00000274
   0000000000000024  0000000000000000 A    0    0    4
  [ 4] .hash          HASH          0000000000400298  00000298
   0000000000000044  0000000000000004 A    6    0    8
  [ 5] .gnu.hash       GNU_HASH       00000000004002e0  000002e0
   0000000000000038  0000000000000000 A    6    0    8
  [ 6] .dynsym          DYNSYM          0000000000400318  00000318
   0000000000000120  0000000000000018 A    7    1    8
  [ 7] .dynstr          STRTAB          0000000000400438  00000438
   00000000000000c6  0000000000000000 A    0    0    1
  [ 8] .gnu.version    VERSYM          00000000004004fe  000004fe
   0000000000000018  0000000000000002 A    6    0    2
  [ 9] .gnu.version_r VERNEED       0000000000400518  00000518
   0000000000000020  0000000000000000 A    7    1    8
  [10] .rela.dyn       RELA          0000000000400538  00000538
   0000000000000018  0000000000000018 A    6    0    8
  [11] .rela.plt       RELA          0000000000400550  00000550
   0000000000000060  0000000000000018 A    6 13    8
  [12] .init          PROGBITS       00000000004005b0  000005b0
   0000000000000018  0000000000000000  AX    0    0    4
  [13] .plt             PROGBITS       00000000004005c8  000005c8
   0000000000000050  0000000000000010  AX    0    0    4
  [14] .text          PROGBITS       0000000000400620  00000620
   0000000000000218  0000000000000000  AX    0    0    16
  [15] .fini          PROGBITS       0000000000400838  00000838
   000000000000000e  0000000000000000  AX    0    0    4
  [16] .rodata          PROGBITS       0000000000400848  00000848
   0000000000000019  0000000000000000 A    0    0    4
  [17] .eh_frame_hdr    PROGBITS       0000000000400864  00000864
   0000000000000024  0000000000000000 A    0    0    4
  [18] .eh_frame       PROGBITS       0000000000400888  00000888
   000000000000007c  0000000000000000 A    0    0    8
  [19] .ctors          PROGBITS       0000000000600dd8  00000dd8
   0000000000000010  0000000000000000  WA    0    0    8
  [20] .dtors          PROGBITS       0000000000600de8  00000de8
   0000000000000010  0000000000000000  WA    0    0    8
  [21] .jcr             PROGBITS       0000000000600df8  00000df8
   0000000000000008  0000000000000000  WA    0    0    8
  [22] .dynamic       DYNAMIC       0000000000600e00  00000e00
   00000000000001e0  0000000000000010  WA    7    0    8
  [23] .got             PROGBITS       0000000000600fe0  00000fe0
   0000000000000008  0000000000000008  WA    0    0    8
  [24] .got.plt       PROGBITS       0000000000600fe8  00000fe8
   0000000000000038  0000000000000008  WA    0    0    8
  [25] .data          PROGBITS       0000000000601020  00001020
   0000000000000010  0000000000000000  WA    0    0    8
  [26] .bss             NOBITS          0000000000601030  00001030
   0000000000000010  0000000000000000  WA    0    0    8
  [27] .comment       PROGBITS       0000000000000000  00001030
   0000000000000025  0000000000000001  MS    0    0    1
  [28] .debug_aranges PROGBITS       0000000000000000  00001055
   0000000000000030  0000000000000000          0    0    1
  [29] .debug_pubnames PROGBITS       0000000000000000  00001085
   000000000000001b  0000000000000000          0    0    1
  [30] .debug_info    PROGBITS       0000000000000000  000010a0
   00000000000000ad  0000000000000000          0    0    1
  [31] .debug_abbrev    PROGBITS       0000000000000000  0000114d
   0000000000000057  0000000000000000          0    0    1
  [32] .debug_line    PROGBITS       0000000000000000  000011a4
   000000000000006a  0000000000000000          0    0    1
  [33] .debug_str       PROGBITS       0000000000000000  0000120e
   00000000000000bc  0000000000000001  MS    0    0    1
  [34] .debug_loc       PROGBITS       0000000000000000  000012ca
   000000000000004c  0000000000000000          0    0    1
  [35] .shstrtab       STRTAB          0000000000000000  00001316
   0000000000000159  0000000000000000          0    0    1
  [36] .symtab          SYMTAB          0000000000000000  00001df0
   00000000000006f0  0000000000000018       37 54    8
  [37] .strtab          STRTAB          0000000000000000  000024e0
   000000000000020d  0000000000000000          0    0    1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

There are no section groups in this file.

Program Headers:
  Type          Offset          VirtAddr          PhysAddr
               FileSiz          MemSiz             Flags  Align
  PHDR          0x0000000000000040 0x0000000000400040 0x0000000000400040
               0x00000000000001f8 0x00000000000001f8  R E 8
  INTERP       0x0000000000000238 0x0000000000400238 0x0000000000400238
               0x000000000000001c 0x000000000000001c  R    1
   [Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]
  LOAD          0x0000000000000000 0x0000000000400000 0x0000000000400000
               0x0000000000000904 0x0000000000000904  R E 200000
  LOAD          0x0000000000000dd8 0x0000000000600dd8 0x0000000000600dd8
               0x0000000000000258 0x0000000000000268  RW    200000
  DYNAMIC       0x0000000000000e00 0x0000000000600e00 0x0000000000600e00
               0x00000000000001e0 0x00000000000001e0  RW    8
  NOTE          0x0000000000000254 0x0000000000400254 0x0000000000400254
               0x0000000000000044 0x0000000000000044  R    4
  GNU_EH_FRAME 0x0000000000000864 0x0000000000400864 0x0000000000400864
               0x0000000000000024 0x0000000000000024  R    4
  GNU_STACK    0x0000000000000000 0x0000000000000000 0x0000000000000000
               0x0000000000000000 0x0000000000000000  RW    8
  GNU_RELRO    0x0000000000000dd8 0x0000000000600dd8 0x0000000000600dd8
               0x0000000000000228 0x0000000000000228  R    1

Section to Segment mapping:
  Segment Sections...
00
01    .interp
02    .interp .note.ABI-tag .note.gnu.build-id .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03    .ctors .dtors .jcr .dynamic .got .got.plt .data .bss
04    .dynamic
05    .note.ABI-tag .note.gnu.build-id
06    .eh_frame_hdr
07
08    .ctors .dtors .jcr .dynamic .got

Dynamic section at offset 0xe00 contains 25 entries:
  Tag       Type                      Name/Value
0x0000000000000001 (NEEDED)          Shared library: [./so_test.so]
0x0000000000000001 (NEEDED)          Shared library: [libstdc++.so.6]
0x0000000000000001 (NEEDED)          Shared library: [libm.so.6]
0x0000000000000001 (NEEDED)          Shared library: [libgcc_s.so.1]
0x0000000000000001 (NEEDED)          Shared library: [libc.so.6]
0x000000000000000c (INIT)             0x4005b0
0x000000000000000d (FINI)             0x400838
0x0000000000000004 (HASH)             0x400298
0x000000006ffffef5 (GNU_HASH)          0x4002e0
0x0000000000000005 (STRTAB)          0x400438
0x0000000000000006 (SYMTAB)          0x400318
0x000000000000000a (STRSZ)             198 (bytes)
0x000000000000000b (SYMENT)          24 (bytes)
0x0000000000000015 (DEBUG)             0x0
0x0000000000000003 (PLTGOT)          0x600fe8
0x0000000000000002 (PLTRELSZ)          96 (bytes)
0x0000000000000014 (PLTREL)          RELA
0x0000000000000017 (JMPREL)          0x400550
0x0000000000000007 (RELA)             0x400538 <-----此元素包含重定位表的地址 Elf32/64_Rela
0x0000000000000008 (RELASZ)          24 (bytes)
0x0000000000000009 (RELAENT)          24 (bytes)
0x000000006ffffffe (VERNEED)          0x400518
0x000000006fffffff (VERNEEDNUM)       1
0x000000006ffffff0 (VERSYM)          0x4004fe
0x0000000000000000 (NULL)             0x0

Relocation section '.rela.dyn' at offset 0x538 contains 1 entries:
  Offset       Info          Type          Sym. Value Sym. Name + Addend
000000600fe0  000200000006 R_X86_64_GLOB_DAT 0000000000000000 __gmon_start__ + 0

Relocation section '.rela.plt' at offset 0x550 contains 4 entries:
  Offset       Info          Type          Sym. Value Sym. Name + Addend
000000601000  000100000007 R_X86_64_JUMP_SLO 0000000000000000 printf + 0
000000601008  000400000007 R_X86_64_JUMP_SLO 0000000000000000 __libc_start_main + 0
000000601010  000500000007 R_X86_64_JUMP_SLO 0000000000000000 test_so_call2 + 0 <--------------
000000601018  000600000007 R_X86_64_JUMP_SLO 0000000000000000 test_so_call + 0 <--------------

There are no unwind sections in this file.

Symbol table '.dynsym' contains 12 entries:
Num: Value       Size Type Bind Vis    Ndx Name
   0: 0000000000000000    0 NOTYPE  LOCAL  DEFAULT  UND
   1: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
   2: 0000000000000000    0 NOTYPE  WEAK DEFAULT  UND __gmon_start__
   3: 0000000000000000    0 NOTYPE  WEAK DEFAULT  UND _Jv_RegisterClasses
   4: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.2.5 (2)
   5: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND test_so_call2
   6: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND test_so_call <----------------
   7: 0000000000601040    0 NOTYPE  GLOBAL DEFAULT  ABS _end
   8: 0000000000601030    0 NOTYPE  GLOBAL DEFAULT  ABS _edata
   9: 0000000000601030    0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start
10: 00000000004005b0    0 FUNC GLOBAL DEFAULT 12 _init
11: 0000000000400838    0 FUNC GLOBAL DEFAULT 15 _fini

Symbol table '.symtab' contains 74 entries:
Num: Value       Size Type Bind Vis    Ndx Name
   0: 0000000000000000    0 NOTYPE  LOCAL  DEFAULT  UND
   1: 0000000000400238    0 SECTION LOCAL  DEFAULT 1
   2: 0000000000400254    0 SECTION LOCAL  DEFAULT 2
   3: 0000000000400274    0 SECTION LOCAL  DEFAULT 3
   4: 0000000000400298    0 SECTION LOCAL  DEFAULT 4
   5: 00000000004002e0    0 SECTION LOCAL  DEFAULT 5
   6: 0000000000400318    0 SECTION LOCAL  DEFAULT 6
   7: 0000000000400438    0 SECTION LOCAL  DEFAULT 7
   8: 00000000004004fe    0 SECTION LOCAL  DEFAULT 8
   9: 0000000000400518    0 SECTION LOCAL  DEFAULT 9
10: 0000000000400538    0 SECTION LOCAL  DEFAULT 10
11: 0000000000400550    0 SECTION LOCAL  DEFAULT 11
12: 00000000004005b0    0 SECTION LOCAL  DEFAULT 12
13: 00000000004005c8    0 SECTION LOCAL  DEFAULT 13
14: 0000000000400620    0 SECTION LOCAL  DEFAULT 14
15: 0000000000400838    0 SECTION LOCAL  DEFAULT 15
16: 0000000000400848    0 SECTION LOCAL  DEFAULT 16
17: 0000000000400864    0 SECTION LOCAL  DEFAULT 17
18: 0000000000400888    0 SECTION LOCAL  DEFAULT 18
19: 0000000000600dd8    0 SECTION LOCAL  DEFAULT 19
20: 0000000000600de8    0 SECTION LOCAL  DEFAULT 20
21: 0000000000600df8    0 SECTION LOCAL  DEFAULT 21
22: 0000000000600e00    0 SECTION LOCAL  DEFAULT 22
23: 0000000000600fe0    0 SECTION LOCAL  DEFAULT 23
24: 0000000000600fe8    0 SECTION LOCAL  DEFAULT 24
25: 0000000000601020    0 SECTION LOCAL  DEFAULT 25
26: 0000000000601030    0 SECTION LOCAL  DEFAULT 26
27: 0000000000000000    0 SECTION LOCAL  DEFAULT 27
28: 0000000000000000    0 SECTION LOCAL  DEFAULT 28
29: 0000000000000000    0 SECTION LOCAL  DEFAULT 29
30: 0000000000000000    0 SECTION LOCAL  DEFAULT 30
31: 0000000000000000    0 SECTION LOCAL  DEFAULT 31
32: 0000000000000000    0 SECTION LOCAL  DEFAULT 32
33: 0000000000000000    0 SECTION LOCAL  DEFAULT 33
34: 0000000000000000    0 SECTION LOCAL  DEFAULT 34
35: 000000000040064c    0 FUNC LOCAL  DEFAULT 14 call_gmon_start
36: 0000000000000000    0 FILE LOCAL  DEFAULT  ABS crtstuff.c
37: 0000000000600dd8    0 OBJECT  LOCAL  DEFAULT 19 __CTOR_LIST__
38: 0000000000600de8    0 OBJECT  LOCAL  DEFAULT 20 __DTOR_LIST__
39: 0000000000600df8    0 OBJECT  LOCAL  DEFAULT 21 __JCR_LIST__
40: 0000000000400670    0 FUNC LOCAL  DEFAULT 14 __do_global_dtors_aux
41: 0000000000601030    1 OBJECT  LOCAL  DEFAULT 26 completed.7382
42: 0000000000601038    8 OBJECT  LOCAL  DEFAULT 26 dtor_idx.7384
43: 00000000004006e0    0 FUNC LOCAL  DEFAULT 14 frame_dummy
44: 0000000000000000    0 FILE LOCAL  DEFAULT  ABS crtstuff.c
45: 0000000000600de0    0 OBJECT  LOCAL  DEFAULT 19 __CTOR_END__
46: 0000000000400900    0 OBJECT  LOCAL  DEFAULT 18 __FRAME_END__
47: 0000000000600df8    0 OBJECT  LOCAL  DEFAULT 21 __JCR_END__
48: 0000000000400800    0 FUNC LOCAL  DEFAULT 14 __do_global_ctors_aux
49: 0000000000000000    0 FILE LOCAL  DEFAULT  ABS main.c
50: 0000000000600fe8    0 OBJECT  LOCAL  HIDDEN 24 _GLOBAL_OFFSET_TABLE_
51: 0000000000600dd4    0 NOTYPE  LOCAL  HIDDEN 19 __init_array_end
52: 0000000000600dd4    0 NOTYPE  LOCAL  HIDDEN 19 __init_array_start
53: 0000000000600e00    0 OBJECT  LOCAL  HIDDEN 22 _DYNAMIC
54: 0000000000601020    0 NOTYPE  WEAK DEFAULT 25 data_start
55: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND printf@@GLIBC_2.2.5
56: 0000000000400760    2 FUNC GLOBAL DEFAULT 14 __libc_csu_fini
57: 0000000000400620    0 FUNC GLOBAL DEFAULT 14 _start
58: 0000000000000000    0 NOTYPE  WEAK DEFAULT  UND __gmon_start__
59: 0000000000000000    0 NOTYPE  WEAK DEFAULT  UND _Jv_RegisterClasses
60: 0000000000400838    0 FUNC GLOBAL DEFAULT 15 _fini
61: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND __libc_start_main@@GLIBC_
62: 0000000000400848    4 OBJECT  GLOBAL DEFAULT 16 _IO_stdin_used
63: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND test_so_call2 <--------------
64: 0000000000601020    0 NOTYPE  GLOBAL DEFAULT 25 __data_start
65: 0000000000601028    0 OBJECT  GLOBAL HIDDEN 25 __dso_handle
66: 0000000000600df0    0 OBJECT  GLOBAL HIDDEN 20 __DTOR_END__
67: 0000000000400770 137 FUNC GLOBAL DEFAULT 14 __libc_csu_init
68: 0000000000601030    0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start
69: 0000000000000000    0 FUNC GLOBAL DEFAULT  UND test_so_call <--------------
70: 0000000000601040    0 NOTYPE  GLOBAL DEFAULT  ABS _end
71: 0000000000601030    0 NOTYPE  GLOBAL DEFAULT  ABS _edata
72: 0000000000400704 84 FUNC GLOBAL DEFAULT 14 main
73: 00000000004005b0    0 FUNC GLOBAL DEFAULT 12 _init

-------------------------------实际调试执行情况----------------------------------------------

0x40070c mov esi,0x2
0x400711 mov edi,0x1
0x400716 mov eax,0x0
0x40071b call 0x400608 <test_so_call@plt>

x/10i 0x400608
0x400608 <test_so_call@plt>: jmp QWORD PTR [rip+0x200a0a]       # 0x601018 <_GLOBAL_OFFSET_TABLE_+48>
0x40060e <test_so_call@plt+6>: push 0x3 <---GOT表第一次指向位置
0x400613 <test_so_call@plt+11>: jmp 0x4005c8

0x601018: 0e 06 40 00 00 00 00 00|00 00 00 00 00 00 00 00 -> 0x40060e

0x4005c8 = elf .plt section
0x4005c8: push QWORD PTR [rip+0x200a22]       # 0x600ff0 <_GLOBAL_OFFSET_TABLE_+8> 0x7ffff7ffe128
0x4005ce: jmp QWORD PTR [rip+0x200a24]       # 0x600ff8 <_GLOBAL_OFFSET_TABLE_+16>  0x7ffff7df2330
伪码如下：
PUSH GOT[1]
JMP GOT[2] -> rtld function

//.plt过程链接表
//GOT[0 1 2]
http://s.eresi-project.org/inc/articles/elf-rtld.txt
Q) I dont understand this Global Offset Table design !

Hehe, here it is :

- the first entry is the address of the .dynamic section for the object
- the second entry is the link_map pointer structure associated with the
  actual ELF object .
- the third is the address of the runtime mapping function in LD.SO .

GOT[0]= the address of the .dynamic section
GOT[1]= struct link_map * 枚举模块基地址！！！
GOT[2]= LD.SO 动态加载函数    _dl_runtime_resolve

0x600ff0: 28 e1 ff f7 ff 7f 00 00 | 30 23 df f7 ff 7f 00 00
GOT[1]=0x7ffff7ffe128 GOT[2]=0x7ffff7df2330 = _dl_runtime_resolve

反汇编 0x7ffff7df2330 -->
0x7ffff7df2330: sub rsp,0x38
0x7ffff7df2334: mov QWORD PTR [rsp],rax
0x7ffff7df2338: mov QWORD PTR [rsp+0x8],rcx
0x7ffff7df233d: mov QWORD PTR [rsp+0x10],rdx
0x7ffff7df2342: mov QWORD PTR [rsp+0x18],rsi
0x7ffff7df2347: mov QWORD PTR [rsp+0x20],rdi
0x7ffff7df234c: mov QWORD PTR [rsp+0x28],r8
0x7ffff7df2351: mov QWORD PTR [rsp+0x30],r9
0x7ffff7df2356: mov rsi,QWORD PTR [rsp+0x40]
0x7ffff7df235b: mov rdi,QWORD PTR [rsp+0x38]
0x7ffff7df2360: call 0x7ffff7deb6e0
0x7ffff7df2365: mov r11,rax
0x7ffff7df2368: mov r9,QWORD PTR [rsp+0x30]
0x7ffff7df236d: mov r8,QWORD PTR [rsp+0x28]
0x7ffff7df2372: mov rdi,QWORD PTR [rsp+0x20]
0x7ffff7df2377: mov rsi,QWORD PTR [rsp+0x18]
0x7ffff7df237c: mov rdx,QWORD PTR [rsp+0x10]
0x7ffff7df2381: mov rcx,QWORD PTR [rsp+0x8]
0x7ffff7df2386: mov rax,QWORD PTR [rsp]
0x7ffff7df238a: add rsp,0x48
0x7ffff7df2330: sub rsp,0x38
0x7ffff7df2334: mov QWORD PTR [rsp],rax
0x7ffff7df2338: mov QWORD PTR [rsp+0x8],rcx
0x7ffff7df233d: mov QWORD PTR [rsp+0x10],rdx
0x7ffff7df2342: mov QWORD PTR [rsp+0x18],rsi
0x7ffff7df2347: mov QWORD PTR [rsp+0x20],rdi
0x7ffff7df234c: mov QWORD PTR [rsp+0x28],r8
0x7ffff7df2351: mov QWORD PTR [rsp+0x30],r9
0x7ffff7df2356: mov rsi,QWORD PTR [rsp+0x40]
0x7ffff7df235b: mov rdi,QWORD PTR [rsp+0x38]
0x7ffff7df2360: call 0x7ffff7deb6e0
0x7ffff7df2365: mov r11,rax
0x7ffff7df2368: mov r9,QWORD PTR [rsp+0x30]
0x7ffff7df236d: mov r8,QWORD PTR [rsp+0x28]
0x7ffff7df2372: mov rdi,QWORD PTR [rsp+0x20]
0x7ffff7df2377: mov rsi,QWORD PTR [rsp+0x18]
0x7ffff7df237c: mov rdx,QWORD PTR [rsp+0x10]
0x7ffff7df2381: mov rcx,QWORD PTR [rsp+0x8]
0x7ffff7df2386: mov rax,QWORD PTR [rsp]
0x7ffff7df238a: add rsp,0x48
0x7ffff7df238e: jmp r11

IDA64静态分析结果如下：
.text:0000000000400704                push rbp
.text:0000000000400705                mov    rbp, rsp
.text:0000000000400708                sub    rsp, 10h
.text:000000000040070C                mov    esi, 2
.text:0000000000400711                mov    edi, 1
.text:0000000000400716                mov    eax, 0
.text:000000000040071B                call _test_so_call

.plt:00000000004005F8 _test_so_call2  proc near             ; CODE XREF: main+45
.plt:00000000004005F8                jmp    cs:off_601010
.plt:00000000004005F8 _test_so_call2  endp
.plt:00000000004005F8
.plt:00000000004005F8 ; ---------------------------------------------------------------------------
.plt:00000000004005FE                dw ? 运行时 push 0x2 -> .rela.plt 符号表偏移
.plt:0000000000400600                dq ? jmp 0x4005c8
.plt:0000000000400608
.plt:0000000000400608 ; =============== S U B R O U T I N E =======================================
.plt:0000000000400608
.plt:0000000000400608 ; Attributes: thunk
.plt:0000000000400608
.plt:0000000000400608 _test_so_call proc near             ; CODE XREF: main+17
.plt:0000000000400608                jmp    cs:off_601018
.plt:0000000000400608 _test_so_call endp
.plt:0000000000400608
.plt:0000000000400608 ; ---------------------------------------------------------------------------
.plt:000000000040060E                dw ? 运行时 push 0x3 -> .rela.plt 符号表偏移
.plt:0000000000400610                dq ? jmp 0x4005c8
.plt:0000000000400610 _plt          ends

GOT = 0x600fe8
.got.plt:0000000000600FE8 _GLOBAL_OFFSET_TABLE_ db ? ; 保留0x18 = 24 = 8*3 GOT[0-2] 保留
.got.plt:0000000000600FE9                db ? ;
.got.plt:0000000000600FEA                db ? ;
.got.plt:0000000000600FEB                db ? ;
.got.plt:0000000000600FEC                db ? ;
.got.plt:0000000000600FED                db ? ;
.got.plt:0000000000600FEE                db ? ;
.got.plt:0000000000600FEF                db ? ;
.got.plt:0000000000600FF0                db ? ;
.got.plt:0000000000600FF1                db ? ;
.got.plt:0000000000600FF2                db ? ;
.got.plt:0000000000600FF3                db ? ;
.got.plt:0000000000600FF4                align 10h
.got.plt:0000000000601000 off_601000    dq offset printf       ; DATA XREF: _printf
.got.plt:0000000000601008 off_601008    dq 601054h             ; DATA XREF: .plt:___libc_start_main
.got.plt:0000000000601010 off_601010    dq 601048h             ; DATA XREF: .plt:_test_so_call2
.got.plt:0000000000601018 off_601018    dq 60104Ch             ; DATA XREF: .plt:_test_so_call

linux LAZY加载机制，一旦执行一次后，GOT地址指向实际函数地址

[课程]FART 脱壳王！加量不加价！FART作者讲授！

上传的附件：

ELF文件格式.png （1.61MB，142次下载）

收藏・9

免费・5

支持

最新回复 (1)
Eniac 雪币： 208 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 33 粉丝 0 关注私信	Eniac 2 楼楼主，你这个图是哪个软件做的？ 2013-9-9 13:52 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

boywhp

发帖

595

回帖

750

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
Eniac 雪币： 208 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 33 粉丝 0 关注私信	Eniac 2 楼楼主，你这个图是哪个软件做的？ 2013-9-9 13:52 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复