type: Post
status: Published
date: Jul 2, 2021
DEMO
The simple .so below is used as the running example throughout.
Common tools
A craftsman who wants to do good work must first sharpen his tools, so let's start with the tools used here.
llvm-readelf / IDA / 010 Editor
llvm-readelf in detail
- --section-headers: Display section headers (-S is an alias for --section-headers)

```text
(base) PS C:\Users\admin> llvm-readelf -S libemulator_check.so
There are 24 section headers, starting at offset 0x21e0:

Section Headers:
  [Nr] Name                Type        Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                     NULL        0000000000000000 000000 000000 00      0   0  0
  [ 1] .note.gnu.build-id  NOTE        0000000000000200 000200 000024 00   A  0   0  4
  [ 2] .hash               HASH        0000000000000228 000228 0000c4 04   A  4   0  8
  [ 3] .gnu.hash           GNU_HASH    00000000000002f0 0002f0 0000a8 00   A  4   0  8
  [ 4] .dynsym             DYNSYM      0000000000000398 000398 0002d0 18   A  5   3  8
  [ 5] .dynstr             STRTAB      0000000000000668 000668 00013a 00   A  0   0  1
  [ 6] .gnu.version        VERSYM      00000000000007a2 0007a2 00003c 02   A  4   0  2
  [ 7] .gnu.version_r      VERNEED     00000000000007e0 0007e0 000020 00   A  5   1  8
  [ 8] .rela.dyn           RELA        0000000000000800 000800 0000f0 18   A  4   0  8
  [ 9] .rela.plt           RELA        00000000000008f0 0008f0 0000f0 18  AI  4  19  8
  [10] .plt                PROGBITS    00000000000009e0 0009e0 0000c0 10  AX  0   0 16
  [11] .text               PROGBITS    0000000000000aa0 000aa0 000514 00  AX  0   0  4
  [12] .rodata             PROGBITS    0000000000000fb4 000fb4 000163 00   A  0   0  4
  [13] .eh_frame_hdr       PROGBITS    0000000000001118 001118 000044 00   A  0   0  4
  [14] .eh_frame           PROGBITS    0000000000001160 001160 000100 00   A  0   0  8
  [15] .note.android.ident NOTE        0000000000001260 001260 000098 00   A  0   0  4
  [16] .fini_array         FINI_ARRAY  0000000000002d68 001d68 000010 08  WA  0   0  8
  [17] .data.rel.ro        PROGBITS    0000000000002d78 001d78 000008 00  WA  0   0  8
  [18] .dynamic            DYNAMIC     0000000000002d80 001d80 0001f0 10  WA  5   0  8
  [19] .got                PROGBITS    0000000000002f70 001f70 000090 08  WA  0   0  8
  [20] .data               PROGBITS    0000000000003000 002000 000020 00  WA  0   0  8
  [21] .bss                NOBITS      0000000000003020 002020 0000b0 00  WA  0   0  8
  [22] .comment            PROGBITS    0000000000000000 002020 0000dc 01  MS  0   0  1
  [23] .shstrtab           STRTAB      0000000000000000 0020fc 0000dd 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  R (retain), p (processor specific)
```
- --headers: Equivalent to setting --file-header, --program-headers and --section-headers (-e is an alias for --headers). For a look at the basic header information, this single option is usually all you need.
llvm-readelf -e libemulator_check.so
```text
(base) PS C:\Users\admin> llvm-readelf -e libemulator_check.so
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              DYN (Shared object file)
  Machine:                           AArch64
  Version:                           0x1
  Entry point address:               0xAA0
  Start of program headers:          64 (bytes into file)
  Start of section headers:          8672 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         8
  Size of section headers:           64 (bytes)
  Number of section headers:         24
  Section header string table index: 23
There are 24 section headers, starting at offset 0x21e0:

Section Headers:
  [Nr] Name                Type        Address          Off    Size   ES Flg Lk Inf Al
  [ 0]                     NULL        0000000000000000 000000 000000 00      0   0  0
  [ 1] .note.gnu.build-id  NOTE        0000000000000200 000200 000024 00   A  0   0  4
  [ 2] .hash               HASH        0000000000000228 000228 0000c4 04   A  4   0  8
  [ 3] .gnu.hash           GNU_HASH    00000000000002f0 0002f0 0000a8 00   A  4   0  8
  [ 4] .dynsym             DYNSYM      0000000000000398 000398 0002d0 18   A  5   3  8
  [ 5] .dynstr             STRTAB      0000000000000668 000668 00013a 00   A  0   0  1
  [ 6] .gnu.version        VERSYM      00000000000007a2 0007a2 00003c 02   A  4   0  2
  [ 7] .gnu.version_r      VERNEED     00000000000007e0 0007e0 000020 00   A  5   1  8
  [ 8] .rela.dyn           RELA        0000000000000800 000800 0000f0 18   A  4   0  8
  [ 9] .rela.plt           RELA        00000000000008f0 0008f0 0000f0 18  AI  4  19  8
  [10] .plt                PROGBITS    00000000000009e0 0009e0 0000c0 10  AX  0   0 16
  [11] .text               PROGBITS    0000000000000aa0 000aa0 000514 00  AX  0   0  4
  [12] .rodata             PROGBITS    0000000000000fb4 000fb4 000163 00   A  0   0  4
  [13] .eh_frame_hdr       PROGBITS    0000000000001118 001118 000044 00   A  0   0  4
  [14] .eh_frame           PROGBITS    0000000000001160 001160 000100 00   A  0   0  8
  [15] .note.android.ident NOTE        0000000000001260 001260 000098 00   A  0   0  4
  [16] .fini_array         FINI_ARRAY  0000000000002d68 001d68 000010 08  WA  0   0  8
  [17] .data.rel.ro        PROGBITS    0000000000002d78 001d78 000008 00  WA  0   0  8
  [18] .dynamic            DYNAMIC     0000000000002d80 001d80 0001f0 10  WA  5   0  8
  [19] .got                PROGBITS    0000000000002f70 001f70 000090 08  WA  0   0  8
  [20] .data               PROGBITS    0000000000003000 002000 000020 00  WA  0   0  8
  [21] .bss                NOBITS      0000000000003020 002020 0000b0 00  WA  0   0  8
  [22] .comment            PROGBITS    0000000000000000 002020 0000dc 01  MS  0   0  1
  [23] .shstrtab           STRTAB      0000000000000000 0020fc 0000dd 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  R (retain), p (processor specific)

Elf file type is DYN (Shared object file)
Entry point 0xaa0
There are 8 program headers, starting at offset 64

Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0012f8 0x0012f8 R E 0x1000
  LOAD           0x001d68 0x0000000000002d68 0x0000000000002d68 0x0002b8 0x000368 RW  0x1000
  DYNAMIC        0x001d80 0x0000000000002d80 0x0000000000002d80 0x0001f0 0x0001f0 RW  0x8
  NOTE           0x000200 0x0000000000000200 0x0000000000000200 0x000024 0x000024 R   0x4
  NOTE           0x001260 0x0000000000001260 0x0000000000001260 0x000098 0x000098 R   0x4
  GNU_EH_FRAME   0x001118 0x0000000000001118 0x0000000000001118 0x000044 0x000044 R   0x4
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x001d68 0x0000000000002d68 0x0000000000002d68 0x000298 0x000298 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00     .note.gnu.build-id .hash .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .plt .text .rodata .eh_frame_hdr .eh_frame .note.android.ident
   01     .fini_array .data.rel.ro .dynamic .got .data .bss
   02     .dynamic
   03     .note.gnu.build-id
   04     .note.android.ident
   05     .eh_frame_hdr
   06
   07     .fini_array .data.rel.ro .dynamic .got
   None   .comment .shstrtab
```
- --relocs: Display the relocation entries in the file (--relocations and -r are aliases for --relocs) (relocation table) (IDA view)

```text
(base) PS C:\Users\admin> llvm-readelf -r libemulator_check.so
Relocation section '.rela.dyn' at offset 0x800 contains 10 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000002d68  0000000000000403 R_AARCH64_RELATIVE                     ab0
0000000000002d70  0000000000000403 R_AARCH64_RELATIVE                     aa0
0000000000002d78  0000000000000403 R_AARCH64_RELATIVE                     2d78
0000000000003008  0000000000000403 R_AARCH64_RELATIVE                     1035
0000000000003010  0000000000000403 R_AARCH64_RELATIVE                     103d
0000000000002fe0  0000001800000401 R_AARCH64_GLOB_DAT 0000000000003028 asmcheck + 0
0000000000002fe8  0000000f00000401 R_AARCH64_GLOB_DAT 0000000000003000 a + 0
0000000000002ff0  0000001100000401 R_AARCH64_GLOB_DAT 0000000000000adc my_sigaction + 0
0000000000002ff8  0000001a00000401 R_AARCH64_GLOB_DAT 0000000000003030 old_handlers + 0
0000000000003018  0000001900000101 R_AARCH64_ABS64    0000000000000c24 detect + 0

Relocation section '.rela.plt' at offset 0x8f0 contains 10 entries:
    Offset             Info             Type                Symbol's Value  Symbol's Name + Addend
0000000000002f88  0000000300000402 R_AARCH64_JUMP_SLOT 0000000000000000 __cxa_finalize@LIBC + 0
0000000000002f90  0000000400000402 R_AARCH64_JUMP_SLOT 0000000000000000 __stack_chk_fail@LIBC + 0
0000000000002f98  0000000500000402 R_AARCH64_JUMP_SLOT 0000000000000000 __android_log_print + 0
0000000000002fa0  0000000600000402 R_AARCH64_JUMP_SLOT 0000000000000000 sigaction@LIBC + 0
0000000000002fa8  0000000700000402 R_AARCH64_JUMP_SLOT 0000000000000000 mmap@LIBC + 0
0000000000002fb0  0000000800000402 R_AARCH64_JUMP_SLOT 0000000000000000 getpagesize@LIBC + 0
0000000000002fb8  0000000900000402 R_AARCH64_JUMP_SLOT 0000000000000000 exit@LIBC + 0
0000000000002fc0  0000000a00000402 R_AARCH64_JUMP_SLOT 0000000000000000 munmap@LIBC + 0
0000000000002fc8  0000000b00000402 R_AARCH64_JUMP_SLOT 0000000000000000 fopen@LIBC + 0
0000000000002fd0  0000000c00000402 R_AARCH64_JUMP_SLOT 0000000000000000 __cxa_atexit@LIBC + 0
```
- --symbols: Display the symbol table; also displays the dynamic symbol table when using GNU output style for ELF (--syms and -s are aliases for --symbols) (symbol table)

```text
(base) PS C:\Users\admin> llvm-readelf -s libemulator_check.so
Symbol table '.dynsym' contains 30 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000aa0     0 SECTION LOCAL  DEFAULT   11 .text
     2: 0000000000002d78     0 SECTION LOCAL  DEFAULT   17 .data.rel.ro
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __cxa_finalize@LIBC
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@LIBC
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __android_log_print
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sigaction@LIBC
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND mmap@LIBC
     8: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getpagesize@LIBC
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND exit@LIBC
    10: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND munmap@LIBC
    11: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND fopen@LIBC
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __cxa_atexit@LIBC
    13: 00000000000030d0     0 NOTYPE  GLOBAL DEFAULT  ABS _bss_end__
    14: 0000000000003020     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start__
    15: 0000000000003000     4 OBJECT  GLOBAL DEFAULT   20 a
    16: 0000000000003020     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_start
    17: 0000000000000adc    44 FUNC    GLOBAL DEFAULT   11 my_sigaction
    18: 00000000000030d0     0 NOTYPE  GLOBAL DEFAULT  ABS __end__
    19: 00000000000030d0     0 NOTYPE  GLOBAL DEFAULT  ABS _end
    20: 0000000000000fc8     4 OBJECT  GLOBAL DEFAULT   12 handledSignalsNum
    21: 0000000000000e74   192 FUNC    GLOBAL DEFAULT   11 JNI_OnLoad
    22: 0000000000003020     0 NOTYPE  GLOBAL DEFAULT  ABS _edata
    23: 0000000000000fb4    20 OBJECT  GLOBAL DEFAULT   12 handledSignals
    24: 0000000000003028     8 OBJECT  GLOBAL DEFAULT   21 asmcheck
    25: 0000000000000c24   592 FUNC    GLOBAL DEFAULT   11 detect
    26: 0000000000003030   160 OBJECT  GLOBAL DEFAULT   21 old_handlers
    27: 00000000000030d0     0 NOTYPE  GLOBAL DEFAULT  ABS __bss_end__
    28: 0000000000000b08   176 FUNC    GLOBAL DEFAULT   11 load
    29: 0000000000000bb8   108 FUNC    GLOBAL DEFAULT   11 getArch
```
- --dynamic-table: Display the dynamic section table (-d is an alias for --dynamic-table)

```text
llvm-readelf -d libemulator_check.so
Dynamic section at offset 0x1d80 contains 27 entries:
  Tag                Type                 Name/Value
  0x0000000000000001 (NEEDED)             Shared library: [liblog.so]
  0x0000000000000001 (NEEDED)             Shared library: [libm.so]
  0x0000000000000001 (NEEDED)             Shared library: [libdl.so]
  0x0000000000000001 (NEEDED)             Shared library: [libc.so]
  0x000000000000000e (SONAME)             Library soname: [libemulator_check.so]
  0x000000000000001a (FINI_ARRAY)         0x2d68
  0x000000000000001c (FINI_ARRAYSZ)       16 (bytes)
  0x0000000000000004 (HASH)               0x228
  0x000000006ffffef5 (GNU_HASH)           0x2f0
  0x0000000000000005 (STRTAB)             0x668
  0x0000000000000006 (SYMTAB)             0x398
  0x000000000000000a (STRSZ)              314 (bytes)
  0x000000000000000b (SYMENT)             24 (bytes)
  0x0000000000000003 (PLTGOT)             0x2f70
  0x0000000000000002 (PLTRELSZ)           240 (bytes)
  0x0000000000000014 (PLTREL)             RELA
  0x0000000000000017 (JMPREL)             0x8f0
  0x0000000000000007 (RELA)               0x800
  0x0000000000000008 (RELASZ)             240 (bytes)
  0x0000000000000009 (RELAENT)            24 (bytes)
  0x000000000000001e (FLAGS)              BIND_NOW
  0x000000006ffffffb (FLAGS_1)            NOW
  0x000000006ffffffe (VERNEED)            0x7e0
  0x000000006fffffff (VERNEEDNUM)         1
  0x000000006ffffff0 (VERSYM)             0x7a2
  0x000000006ffffff9 (RELACOUNT)          5
  0x0000000000000000 (NULL)               0x0
```
Below is the symbol table as seen in IDA.

The structure of each symbol-table entry is as follows:

```c
// toolchains\llvm\prebuilt\windows-x86_64\sysroot\usr\include\linux\elf.h
typedef struct {
    Elf64_Word    st_name;   // offset of the symbol name in the string table
    unsigned char st_info;   // symbol type and binding
    unsigned char st_other;  // reserved for future use
    Elf64_Half    st_shndx;  // index of the section the symbol belongs to
    Elf64_Addr    st_value;  // symbol value (e.g. an address)
    Elf64_Xword   st_size;   // symbol size in bytes
} Elf64_Sym;
```

st_name holds an offset value, not the name itself.
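To make concrete what the struct says about st_name (an offset into a string table rather than the name itself) and what the Lk column of the -S listing means for .dynsym (its sh_link names the string table, .dynstr), here is an added example that is not code from the original post. It is a small Python parser that builds a constructed minimal ELF64 in memory, with three symbols whose values are copied from the llvm-readelf -s listing above, and resolves every symbol's st_name through the string table that sh_link points at. The file layout, offsets and section indices of the sample are invented for the demonstration; the parser refuses headers whose offsets run past the end of the file, which is the check you want before trusting section tables from an untrusted binary.

```python
import struct

# Packed layouts of the ELF64 structures from linux/elf.h; "<" = little-endian,
# matching the AArch64 library inspected on this page.
ELF64_EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, 64 bytes
ELF64_SHDR = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
ELF64_SYM = "<IBBHQQ"             # Elf64_Sym, 24 bytes

SHT_STRTAB, SHT_DYNSYM = 3, 11
SHN_UNDEF = 0                     # st_shndx of an imported (UND) symbol
STB_GLOBAL, STT_FUNC = 1, 2
BIND_NAMES = {0: "LOCAL", 1: "GLOBAL", 2: "WEAK"}
TYPE_NAMES = {0: "NOTYPE", 1: "OBJECT", 2: "FUNC", 3: "SECTION"}


def read_cstr(blob, off):
    """NUL-terminated string at `off`; offsets outside the table are rejected, not read."""
    if off >= len(blob):
        raise ValueError("string offset 0x%x outside a %d-byte string table" % (off, len(blob)))
    end = blob.find(b"\0", off)
    return blob[off:end if end >= 0 else len(blob)].decode("utf-8", "replace")


def section_bytes(data, sec):
    """File bytes of a section, checking that sh_offset + sh_size stays inside the file."""
    end = sec["offset"] + sec["size"]
    if end > len(data):
        raise ValueError("section %r extends past end of file" % sec["name"])
    return data[sec["offset"]:end]


def parse_sections(data):
    """Parse the ELF header and section header table into dicts keyed like readelf's columns."""
    (ident, _type, _machine, _ver, _entry, _phoff, e_shoff, _flags, _ehsize,
     _phentsize, _phnum, e_shentsize, e_shnum, e_shstrndx) = struct.unpack_from(ELF64_EHDR, data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    if e_shentsize != struct.calcsize(ELF64_SHDR) or e_shoff + e_shnum * e_shentsize > len(data):
        raise ValueError("section header table is malformed or truncated")
    if e_shstrndx >= e_shnum:
        raise ValueError("e_shstrndx out of range")
    keys = ("name_off", "type", "flags", "addr", "offset", "size", "link", "info", "align", "entsize")
    sections = [dict(zip(keys, struct.unpack_from(ELF64_SHDR, data, e_shoff + i * e_shentsize)), name="")
                for i in range(e_shnum)]
    shstrtab = section_bytes(data, sections[e_shstrndx])  # sh_name is an offset into .shstrtab
    for s in sections:
        s["name"] = read_cstr(shstrtab, s["name_off"])
    return sections


def parse_symbols(data, sections, secname=".dynsym"):
    """Walk a symbol table, resolving st_name through the string table that sh_link (Lk) names."""
    sec = next((s for s in sections if s["name"] == secname), None)
    if sec is None:
        raise ValueError("no section named %s" % secname)
    if sec["link"] >= len(sections) or sections[sec["link"]]["type"] != SHT_STRTAB:
        raise ValueError("sh_link of %s does not point at a string table" % secname)
    if sec["entsize"] != struct.calcsize(ELF64_SYM):
        raise ValueError("unexpected sh_entsize for %s" % secname)
    strtab = section_bytes(data, sections[sec["link"]])
    table = section_bytes(data, sec)
    symbols = []
    for i in range(len(table) // sec["entsize"]):
        st_name, st_info, _other, st_shndx, st_value, st_size = struct.unpack_from(
            ELF64_SYM, table, i * sec["entsize"])
        symbols.append({
            "name": read_cstr(strtab, st_name), "name_off": st_name,
            "bind": BIND_NAMES.get(st_info >> 4, str(st_info >> 4)),   # high nibble of st_info
            "type": TYPE_NAMES.get(st_info & 0xF, str(st_info & 0xF)),  # low nibble of st_info
            "undefined": st_shndx == SHN_UNDEF, "value": st_value, "size": st_size,
        })
    return symbols


def build_sample_elf():
    """Constructed minimal ELF64 (ET_DYN, AArch64) with only .dynsym/.dynstr/.shstrtab.
    Symbol values come from the page's llvm-readelf -s listing; layout and offsets are invented."""
    names = ["", "detect", "JNI_OnLoad", "__android_log_print"]
    dynstr, name_off = b"", {}
    for n in names:                        # st_name of each symbol = its offset inside .dynstr
        name_off[n] = len(dynstr)
        dynstr += n.encode() + b"\0"
    func = (STB_GLOBAL << 4) | STT_FUNC
    entries = [("", 0, SHN_UNDEF, 0, 0),   # index 0 is always the null symbol
               ("detect", func, 1, 0xC24, 592),
               ("JNI_OnLoad", func, 1, 0xE74, 192),
               ("__android_log_print", func, SHN_UNDEF, 0, 0)]  # import, resolved at load time
    dynsym = b"".join(struct.pack(ELF64_SYM, name_off[n], info, 0, ndx, val, sz)
                      for n, info, ndx, val, sz in entries)
    shstrtab = b"\0.dynsym\0.dynstr\0.shstrtab\0"   # section name offsets 1, 9, 17
    ehsize = struct.calcsize(ELF64_EHDR)
    off_dynsym, off_dynstr = ehsize, ehsize + len(dynsym)
    off_shstr = off_dynstr + len(dynstr)
    shoff = (off_shstr + len(shstrtab) + 7) & ~7    # 8-align the section header table
    body = dynsym + dynstr + shstrtab
    body += b"\0" * (shoff - ehsize - len(body))
    shdrs = [struct.pack(ELF64_SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             struct.pack(ELF64_SHDR, 1, SHT_DYNSYM, 2, 0, off_dynsym, len(dynsym), 2, 1, 8, 24),  # Lk=2
             struct.pack(ELF64_SHDR, 9, SHT_STRTAB, 2, 0, off_dynstr, len(dynstr), 0, 0, 1, 0),
             struct.pack(ELF64_SHDR, 17, SHT_STRTAB, 0, 0, off_shstr, len(shstrtab), 0, 0, 1, 0)]
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, SysV ABI
    ehdr = struct.pack(ELF64_EHDR, ident, 3, 0xB7, 1, 0, 0, shoff, 0, ehsize, 56, 0, 64, len(shdrs), 3)
    return ehdr + body + b"".join(shdrs)


if __name__ == "__main__":
    blob = build_sample_elf()              # or: open("libemulator_check.so", "rb").read()
    secs = parse_sections(blob)
    for sym in parse_symbols(blob, secs):
        print("%-22s st_name=0x%02x value=0x%x size=%d %s %s%s" % (
            sym["name"], sym["name_off"], sym["value"], sym["size"], sym["type"], sym["bind"],
            " UND" if sym["undefined"] else ""))
```

Running the script against the constructed sample prints one line per symbol with the raw st_name offset next to the resolved name, so the 0x01/0x08/0x13 offsets can be matched by eye against the bytes of .dynstr. Pointing it at the real libemulator_check.so (the commented-out open() line) reproduces the Name column of the -s listing above, since the parser follows exactly the sh_link and st_name indirections that llvm-readelf follows.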
- Author: axhlzy
- Link: https://github.com/axhlzy/article/e36dccb1-5fb5-4c78-b741-9d060f6bd774
- Notice: This article is licensed under CC BY-NC-SA 4.0; please credit the source when reposting.

