其他分享
首页 > 其他分享> > binary hacks读数笔记(堆、栈 VMA的分布)

binary hacks读数笔记(堆、栈 VMA的分布)

作者:互联网

一、首先看一个简单的程序:

   #include<stdlib.h>
   
   int main()
   {
          while(1)
           {
                  sleep(1000);
          }
          return 0;
 }

gcc -static SectionMapping.c -o SectionMapping.elf
/usr/bin/ld: cannot find -lc

yum install glibc-static 

查看一下静态链接之后,SectionMapping.elf的段分布情况

readelf -S SectionMapping.elf

There are 34 section headers, starting at offset 0xd0aa0:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .note.ABI-tag     NOTE             0000000000400190  00000190
       0000000000000020  0000000000000000   A       0     0     4
  [ 2] .note.gnu.build-i NOTE             00000000004001b0  000001b0
       0000000000000024  0000000000000000   A       0     0     4
  [ 3] .rela.plt         RELA             00000000004001d8  000001d8
       0000000000000108  0000000000000018  AI       0    25     8
  [ 4] .init             PROGBITS         00000000004002e0  000002e0
       000000000000001a  0000000000000000  AX       0     0     4
  [ 5] .plt              PROGBITS         0000000000400300  00000300
       00000000000000b0  0000000000000000  AX       0     0     16
  [ 6] .text             PROGBITS         00000000004003b0  000003b0
       0000000000091916  0000000000000000  AX       0     0     16
  [ 7] __libc_thread_fre PROGBITS         0000000000491cd0  00091cd0
       00000000000000b2  0000000000000000  AX       0     0     16
  [ 8] __libc_freeres_fn PROGBITS         0000000000491d90  00091d90
       0000000000001aef  0000000000000000  AX       0     0     16
  [ 9] .fini             PROGBITS         0000000000493880  00093880
       0000000000000009  0000000000000000  AX       0     0     4
  [10] .rodata           PROGBITS         00000000004938a0  000938a0
       00000000000196f8  0000000000000000   A       0     0     32
  [11] .stapsdt.base     PROGBITS         00000000004acf98  000acf98
       0000000000000001  0000000000000000   A       0     0     1
  [12] __libc_thread_sub PROGBITS         00000000004acfa0  000acfa0
       0000000000000008  0000000000000000   A       0     0     8
  [13] __libc_subfreeres PROGBITS         00000000004acfa8  000acfa8
       0000000000000050  0000000000000000   A       0     0     8
  [14] __libc_IO_vtables PROGBITS         00000000004ad000  000ad000
       00000000000006a8  0000000000000000   A       0     0     32
  [15] __libc_atexit     PROGBITS         00000000004ad6a8  000ad6a8
       0000000000000008  0000000000000000   A       0     0     8
  [16] .eh_frame         PROGBITS         00000000004ad6b0  000ad6b0
       000000000000e234  0000000000000000   A       0     0     8
  [17] .gcc_except_table PROGBITS         00000000004bb8e4  000bb8e4
       0000000000000105  0000000000000000   A       0     0     1
  [18] .tdata            PROGBITS         00000000006bbeb0  000bbeb0
       0000000000000020  0000000000000000 WAT       0     0     16
  [19] .tbss             NOBITS           00000000006bbed0  000bbed0
       0000000000000038  0000000000000000 WAT       0     0     16
  [20] .init_array       INIT_ARRAY       00000000006bbed0  000bbed0
       0000000000000010  0000000000000008  WA       0     0     8
  [21] .fini_array       FINI_ARRAY       00000000006bbee0  000bbee0
       0000000000000010  0000000000000008  WA       0     0     8
  [22] .jcr              PROGBITS         00000000006bbef0  000bbef0
       0000000000000008  0000000000000000  WA       0     0     8
  [23] .data.rel.ro      PROGBITS         00000000006bbf00  000bbf00
       00000000000000e4  0000000000000000  WA       0     0     32
  [24] .got              PROGBITS         00000000006bbfe8  000bbfe8
       0000000000000008  0000000000000008  WA       0     0     8
  [25] .got.plt          PROGBITS         00000000006bc000  000bc000
       0000000000000070  0000000000000008  WA       0     0     8
  [26] .data             PROGBITS         00000000006bc080  000bc080
       0000000000001690  0000000000000000  WA       0     0     32
  [27] .bss              NOBITS           00000000006bd720  000bd710
       0000000000002158  0000000000000000  WA       0     0     32
  [28] __libc_freeres_pt NOBITS           00000000006bf878  000bd710
       0000000000000030  0000000000000000  WA       0     0     8
  [29] .comment          PROGBITS         0000000000000000  000bd710
       000000000000002d  0000000000000001  MS       0     0     1
  [30] .note.stapsdt     NOTE             0000000000000000  000bd740
       0000000000000f88  0000000000000000           0     0     4
  [31] .symtab           SYMTAB           0000000000000000  000be6c8
       000000000000b9e8  0000000000000018          32   815     8
  [32] .strtab           STRTAB           0000000000000000  000ca0b0
       0000000000006870  0000000000000000           0     0     1
  [33] .shstrtab         STRTAB           0000000000000000  000d0920
       000000000000017b  0000000000000000           0     0     1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  l (large), p (processor specific)

 可执行文件中共有33个段。

 

readelf -l SectionMapping.elf: 查看elf文件的Segment 即程序头。它描述ELF文件该如何被映射到进程的虚拟地址空间

Elf file type is EXEC (Executable file)
Entry point 0x400ecd
There are 6 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000400000 0x0000000000400000
                 0x00000000000bb9e9 0x00000000000bb9e9  R E    200000
  LOAD           0x00000000000bbeb0 0x00000000006bbeb0 0x00000000006bbeb0
                 0x0000000000001860 0x00000000000039f8  RW     200000
  NOTE           0x0000000000000190 0x0000000000400190 0x0000000000400190
                 0x0000000000000044 0x0000000000000044  R      4
  TLS            0x00000000000bbeb0 0x00000000006bbeb0 0x00000000006bbeb0
                 0x0000000000000020 0x0000000000000058  R      10
  GNU_STACK      0x0000000000000000 0x0000000000000000 0x0000000000000000
                 0x0000000000000000 0x0000000000000000  RW     10
  GNU_RELRO      0x00000000000bbeb0 0x00000000006bbeb0 0x00000000006bbeb0
                 0x0000000000000150 0x0000000000000150  R      1

 Section to Segment mapping:
  Segment Sections...
   00     .note.ABI-tag .note.gnu.build-id .rela.plt .init .plt .text __libc_thread_freeres_fn __libc_freeres_fn .fini .rodata .stapsdt.base __libc_thread_subfreeres __libc_subfreeres __libc_IO_vtables __libc_atexit .eh_frame .gcc_except_table 
   01     .tdata .init_array .fini_array .jcr .data.rel.ro .got .got.plt .data .bss __libc_freeres_ptrs 
   02     .note.ABI-tag .note.gnu.build-id 
   03     .tdata .tbss 
   04     
   05     .tdata .init_array .fini_array .jcr .data.rel.ro .got 

  

二、堆和栈

在操作系统中,VMA除了被用来映射可执行文件中的各个"segment"以外,他还可以有其他作用。操作系统通过使用VMA来管理进程的地址空间。程序执行时,要用到栈和堆,事实上,它们也是以VMA的形式存在。一般情况,一个进程中的栈和堆分别都有一个对应的VMA。在Linux中可以由/proc查看:

./SectionMapping.elf &
[1] 59117
[root@tlinux /]# cat /proc/59117/maps

 

00400000-004bc000 r-xp 00000000 08:05 4456                               /SectionMapping.elf
006bb000-006be000 rw-p 000bb000 08:05 4456                               /SectionMapping.elf
006be000-006c0000 rw-p 00000000 00:00 0 
017e1000-01804000 rw-p 00000000 00:00 0                                  [heap]
7ffc12ce6000-7ffc12d07000 rw-p 00000000 00:00 0                          [stack]
7ffc12db7000-7ffc12db9000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

 

输出中:第一列是VMA地址范围,第二列是VMA权限,“p”表示私有,“s”表示共享。第三列是偏移。表示VMA对应的Segment在映像文件中的偏移。第四列是映像文件的主设备号与次设备号。第五列表示文件结点。

 

标签:__,binary,00,PROGBITS,WA,libc,hacks,0000000000000000,VMA
来源: https://www.cnblogs.com/wsw-seu/p/10740921.html