我正在尝试获取osx中已加载的dylib的基地址 [英] I'm trying to get the base address of loaded dylibs in osx
问题描述
好吧,很长一段时间以来,我一直在尝试在运行时运行Proccesses来获取Loaded OSX Dylibs的基本地址.
在使用task_info之后,我已经在运行时使用dyld_all_image_infos转储了所有附加的Dylib,并在那里找到了名称和ImageLoadADDRESS,mach_header和segment_command.
但是我在运行时无法到达那里的基址.
除了我对如何在运行时获取请求的图像的实际基址感到困惑之外,所有其他事情都工作得很好!另外,使用imageLoadAddress获取mach_header之后获得的我的幻数是"feedfacf".不应该是"feedface"吗?
搜索后,我发现"segment_command"中的"fileoff"应将我引向数据部分.这也不起作用.
我的输出看起来很棒,但是当我尝试在Cheat引擎中查看此内存区域时,则为空!
我的调试输出:
mach对象标头幻数feedfacfcputype 01000007-x86_64子类型00000003档案类型00000006ncmds 00000015尺寸厘米00000988旗00118085部分档案关闭45545f5fDYLIB:client.dylib 我的代码如下:
//mach_headermach_msg_type_number_t size4 = sizeof(mach_header);uint8_t * info_addr2 =readProcessMemory(此任务,(mach_vm_address_t)info [i] .imageLoadAddress,& size4);mach_header * info2 =(mach_header *)info_addr2;//部分mach_msg_type_number_t size5 = sizeof(segment_command);uint8_t * info_addr3 =readProcessMemory(此任务,(mach_vm_address_t)info [i] .imageLoadAddress + sizeof(info2),& size5);segment_command * info3 =(segment_command *)info_addr3;tmp_str = tmp_str.substr(tmp_str.find_last_of("/")+ 1,tmp_str.length());//printf(%i Debug:%s \ n",i,tmp_str.c_str());this-> dylibs [cc] .Name = tmp_str;this-> dylibs [cc] .imgHead = info2;//this-> dylibs [i] .tSize = this-> size_of_image((mach_header *)info [i] .imageLoadAddress);if(strcmp(tmp_str.c_str(),"client.dylib")== 0){这个->客户端= cc;printf(马赫对象标头\ n");printf(魔术数\ t%08x \ n",info2->魔术);printf("cputype \ t \ t%08x-%s \ n",info2-> cputype,cpu_type_name(info2-> cputype));//cputype_to_string(info2->文件类型)printf("subcputype \ t%08x \ n",info2-> cpusubtype);printf("filetype \ t%08x \ n",info2-> filetype);//filetype_to_string(info2-> filetype)printf("ncmds\t\t%08x\n", info2->ncmds);printf("sizeofcmds \ t%08x \ n",info2-> sizeofcmds);printf("flags \ t \ t%08x \ n",info2-> flags);printf("Segment \ n");printf("File Off \ t%x \ n",info3-> fileoff); 有人可以帮助我吗?会很感激的!(p.s:代码有点混乱,但是我已经工作了好几天了,而且无法正常工作,所以我现在不想以Niceer风格编写它!)
segment_command 结构(或 segment_command_64 的64-OS X位)是虚拟内存中段的地址.mach-o图像标题的结构(以dylib为例)如下:
|mach_header |load_command |load_command |... |load_command |
load_command结构的数量存储在 mach_header 的 ncmds 字段中.其中一些是 segment_command 结构,您可以使用 load_command 的 cmd 字段进行检查.如果 cmd 是64位的 LC_SEGMENT 或 LC_SEGMENT_64 -则是 segment_command 和 segment_command_64 64位.只需将 load_command 投射到 segment_command .
通常, mach_header 存储在dylib的第一段的第一字节中.因此,如果我理解正确的问题,那么您正在寻找 info [i] .imageLoadAddress .
您还提到了关于魔术值 feedfacf 和 feedface 的其他内容.实际上, feedface 是 MH_MAGIC ,而 feedfacf 是 MH_MAGIC_64 .所有现代的Macbook,iMac和Mac mini均为64位.
Well, i am trying to get the baseadresses for Loaded OSX Dylibs in running Proccesses on run time since a longtime now.
Ive dumped all attached Dylibs on runtime using dyld_all_image_infos after using task_info, got there name and ImageLoadADDRESS,mach_header and segment_command.
But i can't get there Baseaddress On runtime..
Everything works great except that i'm confused on how to get the actual Baseaddress of the requested Image in runtime! Also my Magic number which i got after Getting the mach_header using my imageLoadAddress is "feedfacf" . Shouldn't it be "feedface"?
After searching i found that "fileoff" in "segment_command" should lead me to the data section. This isn't working either.
My output is Looking great but when i try to view this Memory Region in Cheat engine for example it is empty!
My Debug output:
mach object header
magic number feedfacf
cputype 01000007 - x86_64
subcputype 00000003
filetype 00000006
ncmds 00000015
sizeofcmds 00000988
flags 00118085
Segment
File Off 45545f5f
DYLIB: client.dylib
My Code is the following:
// mach_header
mach_msg_type_number_t size4 = sizeof(mach_header);
uint8_t* info_addr2 =
readProcessMemory(this->task, (mach_vm_address_t) info[i].imageLoadAddress, &size4);
mach_header *info2 = (mach_header*) info_addr2;
// segment
mach_msg_type_number_t size5 = sizeof(segment_command);
uint8_t* info_addr3 =
readProcessMemory(this->task, (mach_vm_address_t) info[i].imageLoadAddress + sizeof(info2), &size5);
segment_command *info3 = (segment_command*) info_addr3;
tmp_str = tmp_str.substr(tmp_str.find_last_of("/") + 1, tmp_str.length());
//printf("%i Debug: %s\n", i, tmp_str.c_str());
this->dylibs[cc].Name = tmp_str;
this->dylibs[cc].imgHead = info2;
// this->dylibs[i].tSize = this->size_of_image((mach_header*)info[i].imageLoadAddress);
if(strcmp(tmp_str.c_str(), "client.dylib") == 0){
this->client = cc;
printf("mach object header\n");
printf("magic number\t%08x\n", info2->magic);
printf("cputype\t\t%08x - %s\n", info2->cputype,cpu_type_name(info2->cputype));//cputype_to_string(info2->filetype)
printf("subcputype\t%08x\n", info2->cpusubtype);
printf("filetype\t%08x\n", info2->filetype);// filetype_to_string(info2->filetype)
printf("ncmds\t\t%08x\n", info2->ncmds);
printf("sizeofcmds\t%08x\n", info2->sizeofcmds);
printf("flags\t\t%08x\n", info2->flags);
printf("Segment\n");
printf("File Off\t%x\n", info3->fileoff );
could anyone may help me? Would appreciate it! ( p.s: Code is a bit confusing, but i am working around since days and can't get it to work, so i didn't want to write it in an Nicer style right now! )
vmaddr field of the segment_command structure (or segment_command_64 for 64-bit OS X) is address of segment in the virtual memory.
Structure of mach-o image header (dylib as particular example) is following:
| mach_header | load_command | load_command | ... | load_command |
Count of load_command structures is stored in the ncmds field of the mach_header. Some of them are segment_command structures, you can check it with cmd field of load_command. If cmd is LC_SEGMENT or LC_SEGMENT_64 for 64 bit - it's segment_command and segment_command_64 for 64 bit. Just cast load_command to the segment_command.
Usually, mach_header is stored in the first bytes of first segment of dylib. So, info[i].imageLoadAddress is what are you looking for if I understand your question right.
Other thing, you mentioned about magic values feedfacf and feedface. Actually, feedface is MH_MAGIC, while feedfacf is MH_MAGIC_64. All modern macbooks, iMacs and mac mini are 64 bit.
这篇关于我正在尝试获取osx中已加载的dylib的基地址的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
