如何从编译的elf文件中提取所有函数,即使函数没有符号 [英] How to extract all functions out of a compiled elf file,even the function has no symbol
问题描述
IDA可以做到这一点:某些没有符号的功能将以 sub_address命名。
如何在运行时执行此操作。
IDA can do this:some function with no symbol will named with 'sub_address'. How can I do this at runtime.
推荐答案
如何提取所有功能在编译的elf文件中,即使函数没有符号
How to extract all functions out of a compiled elf file,even the function has no symbol
您也没有为您定义什么功能(
You don't define what is a function for you (and you really should).
请注意,如果编译器具有 内联 一个函数,即使它存在于源代码中,它也不会出现在ELF文件中(整个程序可以通过链接时优化来构建,例如 g ++ -flto -O2 在编译和链接时;然后您将具有许多内联函数,包括 not 标记为<$ c $的多个函数c> inline 在源代码中)。
Notice that if the compiler has inlined a function, it does not appear in the ELF file, even if of course it exists in the source code (the entire program could have been built with link-time optimization, e.g. g++ -flto -O2 at both compile and link time; then you would have many inlined functions, including several which are not marked inline in the source code).
原始源代码可能已经编译具有可见性技巧。
The original source code could have been compiled with visibility tricks.
软件版本可能使用了代码混淆技术。
The software build might have used some code obfuscation techniques.
如果某些函数间接地称为 (以C ++中的虚拟方法为例,则总是通过某些 vtable ;或想到某些 static 函数,其地址放在某个函数指针变量或 struct 字段中),那么您实际上无法检测到它,因为要可靠地对二进制可执行文件执行此操作,需要对某个寄存器或内存位置的所有可能的(函数指针)值进行精确分析(即无法确定,请参见米定理)。
If some function is called only indirectly (think of a virtual method in C++, always called thru some vtable; or think of some static function whose address is put into some function pointer variable or struct field) then you practically cannot detect it, since to reliably do that on the binary executable requires a precise analysis of all the possible (function pointer) values of some register or memory location (and that is undecidable, see Rice's theorem).
程序还可以加载插件在运行时(例如使用 dlopen )并在其中调用函数。它在运行时还可能生成一些机器代码(例如,在GNU lightning ,< a href = https://github.com/asmjit/asmjit rel = nofollow noreferrer> asmjit , libgccjit 等)并调用这样一个生成的函数。
A program can also load a plugin at runtime (e.g. using dlopen) and call functions in it. It could also generate some machine code when running (e.g. with the help of GNU lightning, asmjit, libgccjit, etc...) and call such a generated function.
因此,通常您无法实现目标(尤其是如果您假设您的对手(软件编写者)使用巧妙的技术来使函数提取变得困难)。通常,反编译是不可能的(如果您希望它精确而完整的话)。
So in general you cannot achieve your goal (especially if you assume that your "adversary", the software writer, use clever techniques to make that function extraction difficult). In general, decompilation is impossible (if you want it to be precise and complete).
但是,箭头的答案提出了一些粗略且不完整的近似值。您需要确定是否足够(甚至IDA都给出了近似结果)。
However, arrowd's answer is proposing some crude and incomplete approximation. You need to decide if that is enough (and even IDA is giving approximate results).
最后,在某些法律系统中,反编译或反向工程,是二进制可执行文件(即使在技术上可行);检查 EULA 或与您的二进制软件和您的情况有关的合同(或法律)。您真的应该验证您尝试做的事情是合法的(可能不合法,在某些情况下您可能会面临入狱的风险。)
At last, in some legal systems, decompilation or reverse engineering of a binary executable is forbidden (even when technically possible); check the EULA or contract (or law) related to your binary software and your situation. You really should verify that what you are trying to do is legal (and it might not be, and in some cases you could risk jail).
BTW,所有这些原因这就是为什么我更喜欢始终使用免费软件的原因,该软件的源代码已发布并且可以研究并改善。我愿意避免使用专有软件。
BTW, all these reasons is why I prefer to always use free software, whose source code is published and can be studied and improved. I am willingly avoiding proprietary software.
这篇关于如何从编译的elf文件中提取所有函数,即使函数没有符号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
