How to determine which glibc function is called from binary?


Question

Is there any way we could say which glibc function is called from an ARM ELF binary? For example, consider the following disassembly:

8300 <printf@plt-0x40>:
   ....
8320:   e28fc600    add ip, pc, #0, 12
8324:   e28cca08    add ip, ip, #8, 20  ; 0x8000
8328:   e5bcf344    ldr pc, [ip, #836]! ; 0x344

   ....
83fc <main>:
   ...
8424:   ebffffbd    bl  8320 <_init+0x2c>

Here, how can we say that bl 8320 is a call to printf? Is this information stored in the ELF binary somewhere?

Answer

TLDR: You have to compute the address of the GOT entry (stored in IP by the PLT) and find the relocation entry corresponding to this GOT entry. This relocation entry references the symbol name (through the dynamic symbol table and the dynamic string table).

This PLT entry computes the address of a PLTGOT entry in the IP register:

8320:   e28fc600    add ip, pc, #0, 12
8324:   e28cca08    add ip, ip, #8, 20  ; 0x8000
8328:   e5bcf344    ldr pc, [ip, #836]! ; 0x344

This computes the GOT entry at address: 0x8320 + 0x8 + 0x8000 + 0x344 = 0x1066c. There is a relocation entry in the relocation table which binds this GOT entry to a given symbol.

Let's take this PLT entry from my libc:

00015b98 :
   15b98:       e28fc601        add     ip, pc, #1048576        ; 0x100000
   15b9c:       e28cca2f        add     ip, ip, #192512 ; 0x2f000
   15ba0:       e5bcf46c        ldr     pc, [ip, #1132]!        ; 0x46c

The address of the GOT entry is: 0x15b98 + 0x8 + 0x100000 + 0x2f000 + 0x46c = 0x14500c.

If you want to know why "+ 0x8", this is because:

In ARM state, the value of the PC is the address of the current instruction plus 8 bytes.

Let's look at the relocation entry:

 Offset     Info    Type            Sym.Value  Sym. Name
0014500c  0001e416 R_ARM_JUMP_SLOT   00077c28   realloc

So this PLT entry is a PLT to realloc, which is what we expected to get! \o/

You might want to know how the symbol name is found. In my example, the info field is 0x0001e416: this relocation uses the symbol entry 0x1e4 = 484 in the dynamic symbol table (.dynsym):


   Num:    Value  Size Type    Bind   Vis      Ndx Name
   484: 00077c28   760 FUNC    GLOBAL DEFAULT   11 realloc@@GLIBC_2.4

In fact, the realloc string is not found in the symbol table directly but in the string table (.dynstr). The symbol table stores the offset of the string within the string table.
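The lookup the answer walks through by hand, as an added Python example that is not part of the original post: emulate the three-instruction ARM PLT stub to get the GOT slot address, then follow .rel.plt -> .dynsym -> .dynstr. The ELF tables are constructed inline from the values quoted in the answer rather than read from a real binary.

```python
import struct

R_ARM_JUMP_SLOT = 22  # relocation type used for PLT/GOT slots on ARM

def arm_imm(word):
    """Decode the rotated 8-bit immediate of an ARM data-processing instruction."""
    rot = ((word >> 8) & 0xF) * 2
    imm8 = word & 0xFF
    return ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF

def plt_got_address(plt_addr, words):
    """Emulate the 3-instruction ARM PLT stub and return the GOT slot it loads pc from."""
    add1, add2, ldr = words
    assert add1 & 0xFFFFF000 == 0xE28FC000, "expected add ip, pc, #imm"
    assert add2 & 0xFFFFF000 == 0xE28CC000, "expected add ip, ip, #imm"
    assert ldr & 0xFFFFF000 == 0xE5BCF000, "expected ldr pc, [ip, #imm]!"
    ip = plt_addr + 8 + arm_imm(add1)  # in ARM state pc reads as this instruction + 8
    ip += arm_imm(add2)
    return ip + (ldr & 0xFFF)          # pre-indexed load with write-back: ip += off

def resolve_got_symbol(got_addr, rel_plt, dynsym, dynstr):
    """Walk .rel.plt -> .dynsym -> .dynstr (raw little-endian ELF32 bytes) for got_addr."""
    for off in range(0, len(rel_plt), 8):          # Elf32_Rel = r_offset, r_info
        r_offset, r_info = struct.unpack_from("<II", rel_plt, off)
        if r_offset != got_addr:
            continue
        if r_info & 0xFF != R_ARM_JUMP_SLOT:       # ELF32_R_TYPE
            raise ValueError("unexpected reloc type %#x for GOT slot" % (r_info & 0xFF))
        sym_idx = r_info >> 8                      # ELF32_R_SYM
        st_name = struct.unpack_from("<IIIBBH", dynsym, sym_idx * 16)[0]  # Elf32_Sym
        return dynstr[st_name:dynstr.index(b"\0", st_name)].decode()
    return None  # no JUMP_SLOT relocation covers this slot: not a lazily bound import

# Constructed sample tables reproducing the answer's libc example (not dumped from a real file).
SAMPLE_REL_PLT = struct.pack("<II", 0x14500C, 0x0001E416)  # r_offset 0x14500c, symbol 484
SAMPLE_DYNSYM = bytes(484 * 16) + struct.pack("<IIIBBH", 1, 0x77C28, 760, 0x12, 0, 11)
SAMPLE_DYNSTR = b"\0realloc\0"

def resolve_plt_call(plt_addr, words, rel_plt, dynsym, dynstr):
    """Name the function behind a `bl <plt_addr>` given the stub's three instruction words."""
    return resolve_got_symbol(plt_got_address(plt_addr, words), rel_plt, dynsym, dynstr)

if __name__ == "__main__":
    stub = [0xE28FC601, 0xE28CCA2F, 0xE5BCF46C]   # the libc PLT entry at 0x15b98
    print(hex(plt_got_address(0x15B98, stub)))                                          # 0x14500c
    print(resolve_plt_call(0x15B98, stub, SAMPLE_REL_PLT, SAMPLE_DYNSYM, SAMPLE_DYNSTR))  # realloc
```

On a real binary the three tables come from the sections named by the dynamic segment (DT_JMPREL, DT_SYMTAB, DT_STRTAB), and a PIE or shared object needs its load base added to the stub address first.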
