检索.rodata和.rodata1中的偏移量，字符串和虚拟地址 [英] Retrieving Offsets, Strings and Virtual Address in .rodata and .rodata1

问题描述

我正在尝试获取.rodata和.rodata1部分中的偏移量/虚拟地址，字符串.

I am trying to get offsets/virtual addresses, strings in .rodata and .rodata1 sections.

例如:

#include <cstdio>

void myprintf(const char* ptr) {
        printf("%p\n", ptr);
}

int main() {
        myprintf("hello world");
        myprintf("\0\0");
        myprintf("ab\0cde");
}

上面的程序每个 readelf -a 的输出都有.rodata:

Above program has .rodata per readelf -a's output:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [16] .rodata           PROGBITS         0000000000400600  00000600

然后 readelf -W -p .rodata 为我提供了偏移量和相关的 non 空字符串:

And readelf -W -p .rodata gives me the offsets and the associated non null strings:

String dump of section '.rodata':
  [    10]  %p^J
  [    14]  hello world
  [    23]  ab
  [    26]  cde

我想编写一个C或C ++代码来检索:

I would like to write a C or C++ code to retrieve:

1. 所有字符串文字的偏移量(例如，上面的10、14、23和"\ 0 \ 0"缺少的字符串)

1. The offsets of all the string literals (e.g. 10, 14, 23 above and the missing one for "\0\0")

字符串文字(例如上面的％p \ n"，"hello wolrd"，"\ 0 \ 0")

The string literals (e.g. "%p\n", "hello wolrd", "\0\0" above)

.rodata文件的偏移量(例如，上面的400600；是否保证是虚拟内存地址?至少我看到上面的测试代码中的所有字符串文字都是这种情况.)

The offset to the file for .rodata (e.g. 400600 above; is it guaranteed to be the virtual memory address? At least I see it is the case for all the string literal in my test code above.)

因为我的最终目标是编写C/C ++代码以读取可执行文件并接受用户输入作为偏移量/虚拟内存地址，如果输入与任何字符串文字的偏移量/虚拟内存地址匹配，请使用 printf()进行打印.否则，请忽略.(感谢@Armali帮助我阐明问题)

Because my end goal is to write a C/C++ code to read in an executable and accept user's input as the offset/virtual memory address, if the input matches the offset/virtual memory address of any string literal, then use printf() to print it out. Otherwise, ignore. (Thanks @Armali for helping me clarify)

我已阅读这篇文章.我可以访问 .rodata 中的整个字符串表，但不能访问字符串表索引".本文提到字符串表索引"，但未指定如何检索索引.

I have read this article. I am able to access the entire string table in .rodata but not "string table indexes". The article mentions "string table indexes" but it doesn't specify how to retrieve indexes.

提示?

此外，我不知道为什么会有一个名为 .rodata1 的部分.根据精灵手册:

Also, I wonder why there could be a section called .rodata1. According to elf manpage:

.rodata1

.rodata1

本节包含只读数据，这些数据通常会在过程映像中构成不可写的段.此部分的类型为SHT_PROGBITS.使用的属性是SHF_ALLOC.

This section holds read-only data that typically contributes to a nonwritable segment in the process image. This section is of type SHT_PROGBITS. The attribute used is SHF_ALLOC.

它的描述与 .rodata 完全相同.然后，为什么要有 .rodata1 ?

It has exactly the same description as .rodata. Then, why do we have .rodata1?

谢谢！

推荐答案

我正在尝试获取.rodata和.rodata1部分中的偏移量，字符串和虚拟地址.

I am trying to get offsets, strings and virtual addresses in .rodata and .rodata1 sections.

我想编写一个C或C ++代码来检索:

I would like to write a C or C++ code to retrieve:

1. 所有字符串文字的偏移量(例如，上面的10、14、23和"\ 0 \ 0"缺少的字符串)

1. The offsets of all the string literals (e.g. 10, 14, 23 above and the missing one for "\0\0")

字符串文字(例如上面的％p \ n"，"hello wolrd"，"\ 0 \ 0")

The string literals (e.g. "%p\n", "hello wolrd", "\0\0" above)

字符串文字是用双引号引起来的一系列字符.实际上，我们无法分辨ELF数据节中的字符串文字表示形式.考虑将这些行添加到您的 main():

A string literal is a sequence of characters enclosed in double-quotes. We practically cannot tell what in an ELF data section is a representation of a string literal. Consider these lines added to your main():

        static const int s = '\0fg\0';
        myprintf((char *)&s);

尽管没有字符串文字，但 readelf -p .rodata…可能会输出类似e的行.g.

Although there is no string literal, readelf -p .rodata … may output a line like e. g.

  [    21]  gf

因此，要真正识别数据部分中字符串文字的表示形式，有必要将数据与源代码标记(困难)或汇编代码(可能更容易)相关联.

So, to truly recognize representations of string literals in a data section, it would be necessary to correlate the data with source code tokens (difficult) or assembler code (perhaps easier).

如果 .rodata

这很容易发生.考虑:

        static char hello[] = "Hi";
        myprintf(hello);

由于字符串文字用于初始化必须可修改的字符数组，因此它可以进入 .data 而不是 .rodata 部分，例如 readelf -p .data…可能会显示.

Since the string literal is used to initialize a character array, which has to be modifiable, it can go into the .data instead of the .rodata section, as readelf -p .data … may show.

如果ELF部分包含所有有效的偏移量，为什么不使用它们呢?

if the ELF sections contain all the valid offsets, why not using them?

有效偏移量不会在可方便访问的任何地方收集，因此出于实际目的，我们可以说 ELF节不包含字符串文字的偏移量/索引>.

The valid offsets are not collected anywhere where they can conveniently be accessed, so for practical purposes we can say ELF sections don't contain offsets/indexes to the string literals.

我能够访问 .rodata 中的整个字符串表，但不能访问字符串表索引".本文提到字符串表索引"，但未指定如何检索索引.

I am able to access the entire string table in .rodata but not "string table indexes". The article mentions "string table indexes" but it doesn't specify how to retrieve indexes.

字符串表索引与 .rodata 无关，但与字符串表部分 .strtab :

此部分包含字符串，最常见的是代表相关名称的字符串带有符号表条目.

This section holds strings, most commonly the strings that represent the names associated with symbol table entries.

这篇关于检索.rodata和.rodata1中的偏移量，字符串和虚拟地址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！