我试图在libc中找到函数的地址。
我知道我可以在C中做这样的事情:
printf("%x", (int) system);
但是我不知道这是否给了我libc中系统函数的基地址。我假设它在程序中提供了某种间接指针?
我正在运行gdb并且做了:
info files
在运行程序时,但它给了我很多段,我不知道在哪里看,除了那些有libc.so的那些?
编辑:
这是我在gdb中得到的,我想知道在这里我能找到类似“system”,“printf”,“exit”等的东西。我检查了rodata并且能够在那里找到系统,但我不知道这是否是功能本身:
0x08048154 - 0x08048167 is .interp
0x08048168 - 0x08048188 is .note.ABI-tag
0x08048188 - 0x080481ac is .note.gnu.build-id
0x080481ac - 0x080481d0 is .gnu.hash
0x080481d0 - 0x08048290 is .dynsym
0x08048290 - 0x08048326 is .dynstr
0x08048326 - 0x0804833e is .gnu.version
0x08048340 - 0x08048380 is .gnu.version_r
0x08048380 - 0x08048388 is .rel.dyn
0x08048388 - 0x080483d8 is .rel.plt
0x080483d8 - 0x080483fb is .init
0x08048400 - 0x080484b0 is .plt
0x080484b0 - 0x08048892 is .text
0x08048894 - 0x080488a8 is .fini
0x080488a8 - 0x08048994 is .rodata
0x08048994 - 0x080489c8 is .eh_frame_hdr
0x080489c8 - 0x08048a98 is .eh_frame
0x08049f08 - 0x08049f0c is .init_array
0x08049f0c - 0x08049f10 is .fini_array
0x08049f10 - 0x08049f14 is .jcr
---Type <return> to continue, or q <return> to quit---
0x08049f14 - 0x08049ffc is .dynamic
0x08049ffc - 0x0804a000 is .got
0x0804a000 - 0x0804a034 is .got.plt
0x0804a034 - 0x0804a03c is .data
0x0804a03c - 0x0804a054 is .bss
0xb7fde114 - 0xb7fde138 is .note.gnu.build-id in /lib/ld-linux.so.2
0xb7fde138 - 0xb7fde1f8 is .hash in /lib/ld-linux.so.2
0xb7fde1f8 - 0xb7fde2dc is .gnu.hash in /lib/ld-linux.so.2
0xb7fde2dc - 0xb7fde4ac is .dynsym in /lib/ld-linux.so.2
0xb7fde4ac - 0xb7fde642 is .dynstr in /lib/ld-linux.so.2
0xb7fde642 - 0xb7fde67c is .gnu.version in /lib/ld-linux.so.2
0xb7fde67c - 0xb7fde744 is .gnu.version_d in /lib/ld-linux.so.2
0xb7fde744 - 0xb7fde7b4 is .rel.dyn in /lib/ld-linux.so.2
0xb7fde7b4 - 0xb7fde7e4 is .rel.plt in /lib/ld-linux.so.2
0xb7fde7f0 - 0xb7fde860 is .plt in /lib/ld-linux.so.2
0xb7fde860 - 0xb7ff67ac is .text in /lib/ld-linux.so.2
0xb7ff67c0 - 0xb7ffa7a0 is .rodata in /lib/ld-linux.so.2
0xb7ffa7a0 - 0xb7ffae24 is .eh_frame_hdr in /lib/ld-linux.so.2
0xb7ffae24 - 0xb7ffd71c is .eh_frame in /lib/ld-linux.so.2
0xb7ffecc0 - 0xb7ffef34 is .data.rel.ro in /lib/ld-linux.so.2
0xb7ffef34 - 0xb7ffefec is .dynamic in /lib/ld-linux.so.2
0xb7ffefec - 0xb7ffeff8 is .got in /lib/ld-linux.so.2
0xb7fff000 - 0xb7fff024 is .got.plt in /lib/ld-linux.so.2
---Type <return> to continue, or q <return> to quit---
0xb7fff040 - 0xb7fff878 is .data in /lib/ld-linux.so.2
0xb7fff878 - 0xb7fff938 is .bss in /lib/ld-linux.so.2
0xb7e16174 - 0xb7e16198 is .note.gnu.build-id in /lib/i386-linux-gnu/libc.so.6
0xb7e16198 - 0xb7e161b8 is .note.ABI-tag in /lib/i386-linux-gnu/libc.so.6
0xb7e161b8 - 0xb7e19ec8 is .gnu.hash in /lib/i386-linux-gnu/libc.so.6
0xb7e19ec8 - 0xb7e23438 is .dynsym in /lib/i386-linux-gnu/libc.so.6
0xb7e23438 - 0xb7e2915e is .dynstr in /lib/i386-linux-gnu/libc.so.6
0xb7e2915e - 0xb7e2a40c is .gnu.version in /lib/i386-linux-gnu/libc.so.6
0xb7e2a40c - 0xb7e2a898 is .gnu.version_d in /lib/i386-linux-gnu/libc.so.6
0xb7e2a898 - 0xb7e2a8d8 is .gnu.version_r in /lib/i386-linux-gnu/libc.so.6
0xb7e2a8d8 - 0xb7e2d2e8 is .rel.dyn in /lib/i386-linux-gnu/libc.so.6
0xb7e2d2e8 - 0xb7e2d348 is .rel.plt in /lib/i386-linux-gnu/libc.so.6
0xb7e2d350 - 0xb7e2d420 is .plt in /lib/i386-linux-gnu/libc.so.6
0xb7e2d420 - 0xb7f5eb6e is .text in /lib/i386-linux-gnu/libc.so.6
0xb7f5eb70 - 0xb7f5fafb is __libc_freeres_fn in /lib/i386-linux-gnu/libc.so.6
0xb7f5fb00 - 0xb7f5fcfe is __libc_thread_freeres_fn in /lib/i386-linux-gnu/libc.so.6
---Type <return> to continue, or q <return> to quit---
0xb7f5fd00 - 0xb7f81754 is .rodata in /lib/i386-linux-gnu/libc.so.6
0xb7f81754 - 0xb7f81767 is .interp in /lib/i386-linux-gnu/libc.so.6
0xb7f81768 - 0xb7f88c0c is .eh_frame_hdr in /lib/i386-linux-gnu/libc.so.6
0xb7f88c0c - 0xb7fb9f68 is .eh_frame in /lib/i386-linux-gnu/libc.so.6
0xb7fb9f68 - 0xb7fba3c6 is .gcc_except_table in /lib/i386-linux-gnu/libc.so.6
0xb7fba3c8 - 0xb7fbd928 is .hash in /lib/i386-linux-gnu/libc.so.6
0xb7fbe1d4 - 0xb7fbe1dc is .tdata in /lib/i386-linux-gnu/libc.so.6
0xb7fbe1dc - 0xb7fbe220 is .tbss in /lib/i386-linux-gnu/libc.so.6
0xb7fbe1dc - 0xb7fbe1e8 is .init_array in /lib/i386-linux-gnu/libc.so.6
0xb7fbe1e8 - 0xb7fbe260 is __libc_subfreeres in /lib/i386-linux-gnu/libc.so.6
0xb7fbe260 - 0xb7fbe264 is __libc_atexit in /lib/i386-linux-gnu/libc.so.6
0xb7fbe264 - 0xb7fbe274 is __libc_thread_subfreeres in /lib/i386-linux-gnu/libc.so.6
0xb7fbe280 - 0xb7fbfda8 is .data.rel.ro in /lib/i386-linux-gnu/libc.so.6
0xb7fbfda8 - 0xb7fbfe98 is .dynamic in /lib/i386-linux-gnu/libc.so.6
0xb7fbfe98 - 0xb7fbfff4 is .got in /lib/i386-linux-gnu/libc.so.6
0xb7fc0000 - 0xb7fc003c is .got.plt in /lib/i386-linux-gnu/libc.so.6
0xb7fc0040 - 0xb7fc0ebc is .data in /lib/i386-linux-gnu/libc.so.6
答案 0 :(得分:1)
这是您可以找到映射到可执行文件中的函数的地址。
$ gdb program
Reading symbols from ...done.
(gdb) print main
$1 = {int (int, char **)} 0x400d61 <main>
(gdb) print exit
$2 = {<text variable, no debug info>} 0x400910 <exit@plt>
答案 1 :(得分:0)
它可能是特定于实现的。我专注于Linux。你可能想要
printf("system@%p\n", (void*)system);
这确实为您提供了system函数的地址。您可以将其存储在函数指针中:
int (*funptr)(const char*) = system;
然后稍后对(*funptr)("date")的调用与system("date")的行为相同,因此system(或funptr内的值) {{} 3}} libc的功能。
讽刺的是,C标准并不保证函数指针符合通用void*(因此严格意义上的printf可能是错误的);实际上,在Linux和POSIX上,它确实适合。
如果您希望以编程方式在运行时从其名称中找到某个函数的地址,请使用system(3),也许在通过将NULL传递给{{获得的程序句柄上3}}(在使用GNU libc的Linux上,dlsym(3)正在进行相反的转换)。您可能希望将自己的计划与-rdynamic相关联,并详细了解dlopen(3)和dladdr(3)。
但是(在Linux上),plugins可能(通常是)共享库(dynamic loading共享对象)libc.so,而system可能指向C standard library条目(参见Levine关于连接器和装载器的书籍的ELF ); PLT条目是跳转到函数的第一个实际指令。请参阅Procedure Linkage Table答案和有关ELF共享对象的参考资料。