readelf
--all -a -- show all tables
--archive-index -c -- show symbol/file index in an archive
--arch-specific -A -- show architecture specific information (if any)
--ctf -- display compact C type format info from section
--ctf-parent -- use specified section as the CTF parent
--ctf-strings -- use specified section as the CTF external string table
--ctf-symbols -- use specified section as the CTF external symbol table
--debug-dump -w -- show the contents of DWARF2 debug sections
--dwarf-depth -- don't show DIEs at greater than specified depth
--dwarf-start -- show DIEs starting at specified depth or deeper
--dynamic -d -- show dynamic section (if present)
--dyn-syms -- show dynamic symbol table
--file-header -h -- show file header
--headers -e -- show file, program and sections headers
--help -H -- display help information
--hex-dump -x -- dump contents of specified section as bytes
--histogram -I -- show histogram of bucket list lengths
--notes -n -- show core notes (if present)
--program-headers --segments -l -- show program headers
--relocated-dump -R -- dump contents of specified section as relocated bytes
--relocs -r -- show relocations (if present)
--section-details -t -- show section details
--section-groups -g -- show section groups
--section-headers --sections -S -- show sections header
--string-dump -p -- dump contents of specified section as strings
--symbols --syms -s -- show symbol table
--unwind -u -- show unwind info (if present)
--use-dynamic -D -- use dynamic section info when showing symbols
--version -v -- display version information
--version-info -V -- show version sections (if present)
--wide -W -- allow output width to exceed 80 characters
ELF파일 Symbol (not stripped) 확인하기 — readelf -s 는 .dynsym 과 .symtab 을 모두 출력한다. .symtab (아래 68개 항목: main, _start, 로컬 함수 등) 은 strip 되지 않은 바이너리에만 남아 있고, .dynsym (puts, read, write 등 동적 링킹에 필요한 심볼) 은 strip 후에도 남는다. 따라서 strip 된 바이너리에서는 main 같은 로컬 심볼 주소를 여기서 얻을 수 없고 Entry point (readelf -h) 에서 출발해야 한다.
readelf -s binary
readelf -s rop
Symbol table '.dynsym' contains 11 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@GLIBC_2.2.5 (2)
2: 0000000000000000 0 FUNC GLOBAL DEFAULT UND write@GLIBC_2.2.5 (2)
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __[...]@GLIBC_2.4 (3)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND read@GLIBC_2.2.5 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (2)
7: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
8: 0000000000000000 0 FUNC GLOBAL DEFAULT UND [...]@GLIBC_2.2.5 (2)
9: 0000000000601060 8 OBJECT GLOBAL DEFAULT 24 [...]@GLIBC_2.2.5 (2)
10: 0000000000601070 8 OBJECT GLOBAL DEFAULT 24 stdin@GLIBC_2.2.5 (2)
Symbol table '.symtab' contains 68 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000400238 0 SECTION LOCAL DEFAULT 1 .interp
2: 0000000000400254 0 SECTION LOCAL DEFAULT 2 .note.ABI-tag
3: 0000000000400274 0 SECTION LOCAL DEFAULT 3 .note.gnu.build-id
4: 0000000000400298 0 SECTION LOCAL DEFAULT 4 .gnu.hash
5: 00000000004002c0 0 SECTION LOCAL DEFAULT 5 .dynsym
6: 00000000004003c8 0 SECTION LOCAL DEFAULT 6 .dynstr
7: 0000000000400448 0 SECTION LOCAL DEFAULT 7 .gnu.version
8: 0000000000400460 0 SECTION LOCAL DEFAULT 8 .gnu.version_r
9: 0000000000400490 0 SECTION LOCAL DEFAULT 9 .rela.dyn
10: 00000000004004f0 0 SECTION LOCAL DEFAULT 10 .rela.plt
11: 0000000000400580 0 SECTION LOCAL DEFAULT 11 .init
12: 00000000004005a0 0 SECTION LOCAL DEFAULT 12 .plt
13: 0000000000400610 0 SECTION LOCAL DEFAULT 13 .text
14: 0000000000400864 0 SECTION LOCAL DEFAULT 14 .fini
15: 0000000000400870 0 SECTION LOCAL DEFAULT 15 .rodata
16: 00000000004008ac 0 SECTION LOCAL DEFAULT 16 .eh_frame_hdr
17: 00000000004008e8 0 SECTION LOCAL DEFAULT 17 .eh_frame
18: 0000000000600e10 0 SECTION LOCAL DEFAULT 18 .init_array
19: 0000000000600e18 0 SECTION LOCAL DEFAULT 19 .fini_array
20: 0000000000600e20 0 SECTION LOCAL DEFAULT 20 .dynamic
21: 0000000000600ff0 0 SECTION LOCAL DEFAULT 21 .got
22: 0000000000601000 0 SECTION LOCAL DEFAULT 22 .got.plt
23: 0000000000601048 0 SECTION LOCAL DEFAULT 23 .data
24: 0000000000601060 0 SECTION LOCAL DEFAULT 24 .bss
25: 0000000000000000 0 SECTION LOCAL DEFAULT 25 .comment
26: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
27: 0000000000400650 0 FUNC LOCAL DEFAULT 13 deregister_tm_clones
28: 0000000000400680 0 FUNC LOCAL DEFAULT 13 register_tm_clones
29: 00000000004006c0 0 FUNC LOCAL DEFAULT 13 __do_global_dtors_aux
30: 0000000000601078 1 OBJECT LOCAL DEFAULT 24 completed.7698
31: 0000000000600e18 0 OBJECT LOCAL DEFAULT 19 __do_global_dtor[...]
32: 00000000004006f0 0 FUNC LOCAL DEFAULT 13 frame_dummy
33: 0000000000600e10 0 OBJECT LOCAL DEFAULT 18 __frame_dummy_in[...]
34: 0000000000000000 0 FILE LOCAL DEFAULT ABS rop.c
35: 0000000000000000 0 FILE LOCAL DEFAULT ABS crtstuff.c
36: 00000000004009e4 0 OBJECT LOCAL DEFAULT 17 __FRAME_END__
37: 0000000000000000 0 FILE LOCAL DEFAULT ABS
38: 0000000000600e18 0 NOTYPE LOCAL DEFAULT 18 __init_array_end
39: 0000000000600e20 0 OBJECT LOCAL DEFAULT 20 _DYNAMIC
40: 0000000000600e10 0 NOTYPE LOCAL DEFAULT 18 __init_array_start
41: 00000000004008ac 0 NOTYPE LOCAL DEFAULT 16 __GNU_EH_FRAME_HDR
42: 0000000000601000 0 OBJECT LOCAL DEFAULT 22 _GLOBAL_OFFSET_TABLE_
43: 0000000000400860 2 FUNC GLOBAL DEFAULT 13 __libc_csu_fini
44: 0000000000601060 8 OBJECT GLOBAL DEFAULT 24 stdout@@GLIBC_2.2.5
45: 0000000000601048 0 NOTYPE WEAK DEFAULT 23 data_start
46: 0000000000000000 0 FUNC GLOBAL DEFAULT UND puts@@GLIBC_2.2.5
47: 0000000000601070 8 OBJECT GLOBAL DEFAULT 24 stdin@@GLIBC_2.2.5
48: 0000000000000000 0 FUNC GLOBAL DEFAULT UND write@@GLIBC_2.2.5
49: 0000000000601058 0 NOTYPE GLOBAL DEFAULT 23 _edata
50: 0000000000400864 0 FUNC GLOBAL DEFAULT 14 _fini
51: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __stack_chk_fail[...]
52: 0000000000000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.2.5
53: 0000000000000000 0 FUNC GLOBAL DEFAULT UND read@@GLIBC_2.2.5
54: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_mai[...]
55: 0000000000601048 0 NOTYPE GLOBAL DEFAULT 23 __data_start
56: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
57: 0000000000601050 0 OBJECT GLOBAL HIDDEN 23 __dso_handle
58: 0000000000400870 4 OBJECT GLOBAL DEFAULT 15 _IO_stdin_used
59: 00000000004007f0 101 FUNC GLOBAL DEFAULT 13 __libc_csu_init
60: 0000000000601080 0 NOTYPE GLOBAL DEFAULT 24 _end
61: 0000000000400640 2 FUNC GLOBAL HIDDEN 13 _dl_relocate_sta[...]
62: 0000000000400610 43 FUNC GLOBAL DEFAULT 13 _start
63: 0000000000601058 0 NOTYPE GLOBAL DEFAULT 24 __bss_start
64: 00000000004006f7 236 FUNC GLOBAL DEFAULT 13 main
65: 0000000000000000 0 FUNC GLOBAL DEFAULT UND setvbuf@@GLIBC_2.2.5
66: 0000000000601058 0 OBJECT GLOBAL HIDDEN 23 __TMC_END__
67: 0000000000400580 0 FUNC GLOBAL DEFAULT 11 _init
ELF 헤더 확인하기
readelf -h binary
readelf -h rop
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x400610
Start of program headers: 64 (bytes into file)
Start of section headers: 6728 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 9
Size of section headers: 64 (bytes)
Number of section headers: 29
Section header string table index: 28
ELF Section Header 보기
readelf -S binary
readelf -S rop
There are 29 section headers, starting at offset 0x1a48:
Section Headers:
[Nr] Name Type Address Offset
Size EntSize Flags Link Info Align
[ 0] NULL 0000000000000000 00000000
0000000000000000 0000000000000000 0 0 0
[ 1] .interp PROGBITS 0000000000400238 00000238
000000000000001c 0000000000000000 A 0 0 1
[ 2] .note.ABI-tag NOTE 0000000000400254 00000254
0000000000000020 0000000000000000 A 0 0 4
[ 3] .note.gnu.bu[...] NOTE 0000000000400274 00000274
0000000000000024 0000000000000000 A 0 0 4
[ 4] .gnu.hash GNU_HASH 0000000000400298 00000298
0000000000000028 0000000000000000 A 5 0 8
[ 5] .dynsym DYNSYM 00000000004002c0 000002c0
0000000000000108 0000000000000018 A 6 1 8
[ 6] .dynstr STRTAB 00000000004003c8 000003c8
000000000000007f 0000000000000000 A 0 0 1
[ 7] .gnu.version VERSYM 0000000000400448 00000448
0000000000000016 0000000000000002 A 5 0 2
[ 8] .gnu.version_r VERNEED 0000000000400460 00000460
0000000000000030 0000000000000000 A 6 1 8
[ 9] .rela.dyn RELA 0000000000400490 00000490
0000000000000060 0000000000000018 A 5 0 8
[10] .rela.plt RELA 00000000004004f0 000004f0
0000000000000090 0000000000000018 AI 5 22 8
[11] .init PROGBITS 0000000000400580 00000580
0000000000000017 0000000000000000 AX 0 0 4
[12] .plt PROGBITS 00000000004005a0 000005a0
0000000000000070 0000000000000010 AX 0 0 16
[13] .text PROGBITS 0000000000400610 00000610
0000000000000252 0000000000000000 AX 0 0 16
[14] .fini PROGBITS 0000000000400864 00000864
0000000000000009 0000000000000000 AX 0 0 4
[15] .rodata PROGBITS 0000000000400870 00000870
0000000000000039 0000000000000000 A 0 0 4
[16] .eh_frame_hdr PROGBITS 00000000004008ac 000008ac
000000000000003c 0000000000000000 A 0 0 4
[17] .eh_frame PROGBITS 00000000004008e8 000008e8
0000000000000100 0000000000000000 A 0 0 8
[18] .init_array INIT_ARRAY 0000000000600e10 00000e10
0000000000000008 0000000000000008 WA 0 0 8
[19] .fini_array FINI_ARRAY 0000000000600e18 00000e18
0000000000000008 0000000000000008 WA 0 0 8
[20] .dynamic DYNAMIC 0000000000600e20 00000e20
00000000000001d0 0000000000000010 WA 6 0 8
[21] .got PROGBITS 0000000000600ff0 00000ff0
0000000000000010 0000000000000008 WA 0 0 8
[22] .got.plt PROGBITS 0000000000601000 00001000
0000000000000048 0000000000000008 WA 0 0 8
[23] .data PROGBITS 0000000000601048 00001048
0000000000000010 0000000000000000 WA 0 0 8
[24] .bss NOBITS 0000000000601060 00001058
0000000000000020 0000000000000000 WA 0 0 16
[25] .comment PROGBITS 0000000000000000 00001058
0000000000000029 0000000000000001 MS 0 0 1
[26] .symtab SYMTAB 0000000000000000 00001088
0000000000000660 0000000000000018 27 43 8
[27] .strtab STRTAB 0000000000000000 000016e8
0000000000000258 0000000000000000 0 0 1
[28] .shstrtab STRTAB 0000000000000000 00001940
0000000000000103 0000000000000000 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
D (mbind), l (large), p (processor specific)
ELF Dynamic Section 보기 — NEEDED 항목으로 링크되는 공유 라이브러리(여기서는 libc.so.6 하나)를 확인할 수 있다. 이 바이너리의 dynamic section 에는 BIND_NOW / FLAGS 항목이 없으므로 PLT 는 lazy binding 으로 동작한다 (GOT overwrite 관련해서는 아래 objdump -R 절 참고).
readelf -d binary
readelf -d rop
Dynamic section at offset 0xe20 contains 24 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x000000000000000c (INIT) 0x400580
0x000000000000000d (FINI) 0x400864
0x0000000000000019 (INIT_ARRAY) 0x600e10
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x600e18
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x400298
0x0000000000000005 (STRTAB) 0x4003c8
0x0000000000000006 (SYMTAB) 0x4002c0
0x000000000000000a (STRSZ) 127 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x601000
0x0000000000000002 (PLTRELSZ) 144 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0x4004f0
0x0000000000000007 (RELA) 0x400490
0x0000000000000008 (RELASZ) 96 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000006ffffffe (VERNEED) 0x400460
0x000000006fffffff (VERNEEDNUM) 1
0x000000006ffffff0 (VERSYM) 0x400448
0x0000000000000000 (NULL) 0x0
ELF 문자열 dump 띄우기 (strings 대체) — readelf -p 는 지정한 섹션 하나의 내용을 문자열로 덤프한다. 사용자에게 보이는 프롬프트/포맷 문자열은 보통 .rodata 에 있으므로 `readelf -p .rodata binary` 가 가장 유용하고, .bss 는 NOBITS 섹션이라 (섹션 헤더 참고) 파일 안에 덤프할 데이터가 없다. .dynamic / .got 처럼 문자열이 아닌 섹션을 -p 로 보면 아래처럼 바이트 조각만 나온다.
readelf -p .bss binary
readelf -p .data binary
readelf -p .dynamic binary
readelf -p .dynsym binary
readelf -p .got binary
readelf -p .interp binary
readelf -p .shstrtab binary
readelf -p .symtab binary
readelf -p .text binary
readelf -p .dynamic rop
String dump of section '.dynamic':
[ 1a] @
[ 28] d^H@
[ 3a] `
[ 5a] `
[ 73] o
[ 7a] @
[ 8a] @
[ 9a] @
[ da] `
[ 10a] @
[ 11a] @
[ 128] `
[ 143] o
[ 148] `^D@
[ 153] o
[ 163] o
[ 168] H^D@
Objdump
-a, --archive-headers Display archive header information
-f, --file-headers Display the contents of the overall file header
-p, --private-headers Display object format specific file header contents
-P, --private=OPT,OPT... Display object format specific contents
-h, --[section-]headers Display the contents of the section headers
-x, --all-headers Display the contents of all headers
-d, --disassemble Display assembler contents of executable sections
-D, --disassemble-all Display assembler contents of all sections
--disassemble=<sym> Display assembler contents from <sym>
-S, --source Intermix source code with disassembly
--source-comment[=<txt>] Prefix lines of source code with <txt>
-s, --full-contents Display the full contents of all sections requested
-g, --debugging Display debug information in object file
-e, --debugging-tags Display debug information using ctags style
-G, --stabs Display (in raw form) any STABS info in the file
-W, --dwarf[a/=abbrev, A/=addr, r/=aranges, c/=cu_index, L/=decodedline,
f/=frames, F/=frames-interp, g/=gdb_index, i/=info, o/=loc,
m/=macro, p/=pubnames, t/=pubtypes, R/=Ranges, l/=rawline,
s/=str, O/=str-offsets, u/=trace_abbrev, T/=trace_aranges,
U/=trace_info]
Display the contents of DWARF debug sections
-Wk,--dwarf=links Display the contents of sections that link to
separate debuginfo files
-WK,--dwarf=follow-links
Follow links to separate debug info files (default)
-WN,--dwarf=no-follow-links
Do not follow links to separate debug info files
-L, --process-links Display the contents of non-debug sections in
separate debuginfo files. (Implies -WK)
--ctf[=SECTION] Display CTF info from SECTION, (default `.ctf')
-t, --syms Display the contents of the symbol table(s)
-T, --dynamic-syms Display the contents of the dynamic symbol table
-r, --reloc Display the relocation entries in the file
-R, --dynamic-reloc Display the dynamic relocation entries in the file
@<file> Read options from <file>
-v, --version Display this program's version number
-i, --info List object formats and architectures supported
-H, --help Display this information
디스어셈블 출력에서 코드 조각 grep -> 응용으로 ROP 가젯 찾기
objdump -S 와 -d 는 거의 같은 출력을 내놓습니다 (-S 는 디버그 정보가 있을 때만 소스가 섞여 나오고, 이 바이너리처럼 .debug_* 섹션이 없으면 -d 와 사실상 동일합니다).
-d : code of executable sections
-S : source code with disassembly
objdump -S binary | grep gadget
objdump -d binary | grep gadget
주의: objdump 는 명령어 경계를 따라 선형으로 디스어셈블하므로, grep 으로는 그 경계에 맞춰진 가젯만 보인다. 아래 출력에서 0x400850 `41 5e pop %r14`, 0x400852 `41 5f pop %r15`, 0x400854 `c3 ret` 을 한 바이트씩 어긋나게 읽으면 0x400853 부터 `5f c3` = `pop %rdi; ret`, 0x400851 부터 `5e 41 5f c3` = `pop %rsi; pop %r15; ret` 이 되는데, 이런 비정렬(unaligned) 가젯은 grep 으로는 절대 안 나온다. 실제 가젯 수집은 ROPgadget / ropper 같은 전용 도구로 하고, objdump 는 결과를 검증하는 용도로 쓰는 것이 좋다. 또한 `repz ret` (f3 c3) 도 ret 과 동일하게 가젯 끝으로 쓸 수 있다.
objdump -S rop | grep "pop"
400615: 5e pop %rsi
40066b: 5d pop %rbp
400678: 5d pop %rbp
4006ad: 5d pop %rbp
4006b8: 5d pop %rbp
4006d9: 5d pop %rbp
4006f4: 5d pop %rbp
40084a: 5b pop %rbx
40084b: 5d pop %rbp
40084c: 41 5c pop %r12
40084e: 41 5d pop %r13
400850: 41 5e pop %r14
400852: 41 5f pop %r15
objdump -S rop | grep "ret"
400596: c3 ret
400640: f3 c3 repz ret
400679: c3 ret
4006b9: c3 ret
4006da: c3 ret
4006e0: f3 c3 repz ret
4007e2: c3 ret
400854: c3 ret
400860: f3 c3 repz ret
40086c: c3 ret
파일 전체 disassemble 출력
objdump -D binary
dwarf 출력 (.eh_frame) — objdump -W 는 DWARF 섹션을 덤프하는데, 이 바이너리에는 .debug_* 섹션이 없어서 (위 readelf -S 목록 참고) .eh_frame 의 CFI (unwind 정보) 만 출력된다. FDE 의 pc 범위와 DW_CFA_offset 항목으로 각 함수가 어떤 callee-saved 레지스터를 스택에 저장하는지 (예: main 은 rbp, __libc_csu_init 은 rbx/rbp/r12~r15) 알 수 있어 스택 프레임 레이아웃을 추정할 때 참고가 된다.
objdump -W binary
objdump -W rop
rop: file format elf64-x86-64
Contents of the .eh_frame section:
00000000 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 1
Data alignment factor: -8
Return address column: 16
Augmentation data: 1b
DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_offset: r16 (rip) at cfa-8
DW_CFA_undefined: r16 (rip)
00000018 0000000000000010 0000001c FDE cie=00000000 pc=0000000000400610..000000000040063b
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
0000002c 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 1
Data alignment factor: -8
Return address column: 16
Augmentation data: 1b
DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_offset: r16 (rip) at cfa-8
DW_CFA_nop
DW_CFA_nop
00000044 0000000000000010 0000001c FDE cie=0000002c pc=0000000000400640..0000000000400642
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
00000058 0000000000000024 00000030 FDE cie=0000002c pc=00000000004005a0..0000000000400610
DW_CFA_def_cfa_offset: 16
DW_CFA_advance_loc: 6 to 00000000004005a6
DW_CFA_def_cfa_offset: 24
DW_CFA_advance_loc: 10 to 00000000004005b0
DW_CFA_def_cfa_expression (DW_OP_breg7 (rsp): 8; DW_OP_breg16 (rip): 0; DW_OP_lit15; DW_OP_and; DW_OP_lit11; DW_OP_ge; DW_OP_lit3; DW_OP_shl; DW_OP_plus)
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
00000080 000000000000001c 00000058 FDE cie=0000002c pc=00000000004006f7..00000000004007e3
DW_CFA_advance_loc: 1 to 00000000004006f8
DW_CFA_def_cfa_offset: 16
DW_CFA_offset: r6 (rbp) at cfa-16
DW_CFA_advance_loc: 3 to 00000000004006fb
DW_CFA_def_cfa_register: r6 (rbp)
DW_CFA_advance_loc1: 231 to 00000000004007e2
DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_nop
DW_CFA_nop
000000a0 0000000000000044 00000078 FDE cie=0000002c pc=00000000004007f0..0000000000400855
DW_CFA_advance_loc: 2 to 00000000004007f2
DW_CFA_def_cfa_offset: 16
DW_CFA_offset: r15 (r15) at cfa-16
DW_CFA_advance_loc: 2 to 00000000004007f4
DW_CFA_def_cfa_offset: 24
DW_CFA_offset: r14 (r14) at cfa-24
DW_CFA_advance_loc: 5 to 00000000004007f9
DW_CFA_def_cfa_offset: 32
DW_CFA_offset: r13 (r13) at cfa-32
DW_CFA_advance_loc: 2 to 00000000004007fb
DW_CFA_def_cfa_offset: 40
DW_CFA_offset: r12 (r12) at cfa-40
DW_CFA_advance_loc: 8 to 0000000000400803
DW_CFA_def_cfa_offset: 48
DW_CFA_offset: r6 (rbp) at cfa-48
DW_CFA_advance_loc: 8 to 000000000040080b
DW_CFA_def_cfa_offset: 56
DW_CFA_offset: r3 (rbx) at cfa-56
DW_CFA_advance_loc: 13 to 0000000000400818
DW_CFA_def_cfa_offset: 64
DW_CFA_advance_loc: 50 to 000000000040084a
DW_CFA_def_cfa_offset: 56
DW_CFA_advance_loc: 1 to 000000000040084b
DW_CFA_def_cfa_offset: 48
DW_CFA_advance_loc: 1 to 000000000040084c
DW_CFA_def_cfa_offset: 40
DW_CFA_advance_loc: 2 to 000000000040084e
DW_CFA_def_cfa_offset: 32
DW_CFA_advance_loc: 2 to 0000000000400850
DW_CFA_def_cfa_offset: 24
DW_CFA_advance_loc: 2 to 0000000000400852
DW_CFA_def_cfa_offset: 16
DW_CFA_advance_loc: 2 to 0000000000400854
DW_CFA_def_cfa_offset: 8
DW_CFA_nop
000000e8 0000000000000010 000000c0 FDE cie=0000002c pc=0000000000400860..0000000000400862
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
000000fc ZERO terminator
Symbol Table 출력
readelf -s 와 겹치는 기능입니다.
-T 로 넣으시면 dynamic symbol만 출력됩니다.
objdump -t binary
objdump -T binary
rop: file format elf64-x86-64
SYMBOL TABLE:
0000000000400238 l d .interp 0000000000000000 .interp
0000000000400254 l d .note.ABI-tag 0000000000000000 .note.ABI-tag
0000000000400274 l d .note.gnu.build-id 0000000000000000 .note.gnu.build-id
0000000000400298 l d .gnu.hash 0000000000000000 .gnu.hash
00000000004002c0 l d .dynsym 0000000000000000 .dynsym
00000000004003c8 l d .dynstr 0000000000000000 .dynstr
0000000000400448 l d .gnu.version 0000000000000000 .gnu.version
0000000000400460 l d .gnu.version_r 0000000000000000 .gnu.version_r
0000000000400490 l d .rela.dyn 0000000000000000 .rela.dyn
00000000004004f0 l d .rela.plt 0000000000000000 .rela.plt
0000000000400580 l d .init 0000000000000000 .init
00000000004005a0 l d .plt 0000000000000000 .plt
0000000000400610 l d .text 0000000000000000 .text
0000000000400864 l d .fini 0000000000000000 .fini
0000000000400870 l d .rodata 0000000000000000 .rodata
00000000004008ac l d .eh_frame_hdr 0000000000000000 .eh_frame_hdr
00000000004008e8 l d .eh_frame 0000000000000000 .eh_frame
0000000000600e10 l d .init_array 0000000000000000 .init_array
0000000000600e18 l d .fini_array 0000000000000000 .fini_array
0000000000600e20 l d .dynamic 0000000000000000 .dynamic
0000000000600ff0 l d .got 0000000000000000 .got
0000000000601000 l d .got.plt 0000000000000000 .got.plt
0000000000601048 l d .data 0000000000000000 .data
0000000000601060 l d .bss 0000000000000000 .bss
0000000000000000 l d .comment 0000000000000000 .comment
0000000000000000 l df *ABS* 0000000000000000 crtstuff.c
0000000000400650 l F .text 0000000000000000 deregister_tm_clones
0000000000400680 l F .text 0000000000000000 register_tm_clones
00000000004006c0 l F .text 0000000000000000 __do_global_dtors_aux
0000000000601078 l O .bss 0000000000000001 completed.7698
0000000000600e18 l O .fini_array 0000000000000000 __do_global_dtors_aux_fini_array_entry
00000000004006f0 l F .text 0000000000000000 frame_dummy
0000000000600e10 l O .init_array 0000000000000000 __frame_dummy_init_array_entry
0000000000000000 l df *ABS* 0000000000000000 rop.c
0000000000000000 l df *ABS* 0000000000000000 crtstuff.c
00000000004009e4 l O .eh_frame 0000000000000000 __FRAME_END__
0000000000000000 l df *ABS* 0000000000000000
0000000000600e18 l .init_array 0000000000000000 __init_array_end
0000000000600e20 l O .dynamic 0000000000000000 _DYNAMIC
0000000000600e10 l .init_array 0000000000000000 __init_array_start
00000000004008ac l .eh_frame_hdr 0000000000000000 __GNU_EH_FRAME_HDR
0000000000601000 l O .got.plt 0000000000000000 _GLOBAL_OFFSET_TABLE_
0000000000400860 g F .text 0000000000000002 __libc_csu_fini
0000000000601060 g O .bss 0000000000000008 stdout@@GLIBC_2.2.5
0000000000601048 w .data 0000000000000000 data_start
0000000000000000 F *UND* 0000000000000000 puts@@GLIBC_2.2.5
0000000000601070 g O .bss 0000000000000008 stdin@@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 write@@GLIBC_2.2.5
0000000000601058 g .data 0000000000000000 _edata
0000000000400864 g F .fini 0000000000000000 _fini
0000000000000000 F *UND* 0000000000000000 __stack_chk_fail@@GLIBC_2.4
0000000000000000 F *UND* 0000000000000000 printf@@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 read@@GLIBC_2.2.5
0000000000000000 F *UND* 0000000000000000 __libc_start_main@@GLIBC_2.2.5
0000000000601048 g .data 0000000000000000 __data_start
0000000000000000 w *UND* 0000000000000000 __gmon_start__
0000000000601050 g O .data 0000000000000000 .hidden __dso_handle
0000000000400870 g O .rodata 0000000000000004 _IO_stdin_used
00000000004007f0 g F .text 0000000000000065 __libc_csu_init
0000000000601080 g .bss 0000000000000000 _end
0000000000400640 g F .text 0000000000000002 .hidden _dl_relocate_static_pie
0000000000400610 g F .text 000000000000002b _start
0000000000601058 g .bss 0000000000000000 __bss_start
00000000004006f7 g F .text 00000000000000ec main
0000000000000000 F *UND* 0000000000000000 setvbuf@@GLIBC_2.2.5
0000000000601058 g O .data 0000000000000000 .hidden __TMC_END__
0000000000400580 g F .init 0000000000000000 _init
dynamic relocation 확인 (GOT 주소 뽑기) — 아래 출력의 R_X86_64_JUMP_SLOT 항목 (0x601018 ~ 0x601040) 이 .got.plt 안의 함수 포인터 슬롯이고, R_X86_64_GLOB_DAT 항목 (0x600ff0, 0x600ff8) 은 .got 안에 있다. objdump -p 의 RELRO 세그먼트는 0x600e10 부터 0x1f0 바이트, 즉 0x601000 직전까지만 읽기 전용으로 바뀌므로 .got.plt (0x601000~) 는 실행 중에도 쓰기 가능한 Partial RELRO 상태이며, dynamic section 에 BIND_NOW 도 없다. 바이너리가 non-PIE (Type EXEC) 라 이 주소들이 고정이므로, 임의 쓰기가 생기면 GOT overwrite 를 바로 시도할 수 있다.
record 확인
objdump -R binary
symbol 확인
objdump -T binary
objdump -R rop
rop: file format elf64-x86-64
DYNAMIC RELOCATION RECORDS
OFFSET TYPE VALUE
0000000000600ff0 R_X86_64_GLOB_DAT __libc_start_main@GLIBC_2.2.5
0000000000600ff8 R_X86_64_GLOB_DAT __gmon_start__
0000000000601060 R_X86_64_COPY stdout@GLIBC_2.2.5
0000000000601070 R_X86_64_COPY stdin@GLIBC_2.2.5
0000000000601018 R_X86_64_JUMP_SLOT puts@GLIBC_2.2.5
0000000000601020 R_X86_64_JUMP_SLOT write@GLIBC_2.2.5
0000000000601028 R_X86_64_JUMP_SLOT __stack_chk_fail@GLIBC_2.4
0000000000601030 R_X86_64_JUMP_SLOT printf@GLIBC_2.2.5
0000000000601038 R_X86_64_JUMP_SLOT read@GLIBC_2.2.5
0000000000601040 R_X86_64_JUMP_SLOT setvbuf@GLIBC_2.2.5
objdump -T rop
rop: file format elf64-x86-64
DYNAMIC SYMBOL TABLE:
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.2.5) puts
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.2.5) write
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.4) __stack_chk_fail
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.2.5) printf
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.2.5) read
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.2.5) __libc_start_main
0000000000000000 w D *UND* 0000000000000000 __gmon_start__
0000000000000000 DF *UND* 0000000000000000 (GLIBC_2.2.5) setvbuf
0000000000601060 g DO .bss 0000000000000008 (GLIBC_2.2.5) stdout
0000000000601070 g DO .bss 0000000000000008 (GLIBC_2.2.5) stdin
라이브러리 의존성 및 보호 기법 확인 — objdump -p 의 Program Header 에서 익스플로잇에 필요한 보호 기법 상태를 바로 읽을 수 있다: STACK 세그먼트의 flags 가 rw- (실행 비트 없음) 이므로 NX 가 켜져 있어 스택 쉘코드 대신 ROP 가 필요하고, LOAD 세그먼트가 0x400000 고정 주소이고 ELF Type 이 EXEC 이므로 PIE 가 아니라 가젯/PLT 주소를 그대로 쓸 수 있으며, RELRO 세그먼트가 .got.plt (0x601000) 앞에서 끝나므로 Partial RELRO 이다. Version References 의 GLIBC_2.4 는 __stack_chk_fail 때문에 필요한 것으로, 스택 카나리가 적용되어 있다는 뜻이다 (프롬프트의 "[1] Leak Canary" 와 일치).
objdump -P binary
objdump -p binary
objdump -p rop
rop: file format elf64-x86-64
Program Header:
PHDR off 0x0000000000000040 vaddr 0x0000000000400040 paddr 0x0000000000400040 align 2**3
filesz 0x00000000000001f8 memsz 0x00000000000001f8 flags r--
INTERP off 0x0000000000000238 vaddr 0x0000000000400238 paddr 0x0000000000400238 align 2**0
filesz 0x000000000000001c memsz 0x000000000000001c flags r--
LOAD off 0x0000000000000000 vaddr 0x0000000000400000 paddr 0x0000000000400000 align 2**21
filesz 0x00000000000009e8 memsz 0x00000000000009e8 flags r-x
LOAD off 0x0000000000000e10 vaddr 0x0000000000600e10 paddr 0x0000000000600e10 align 2**21
filesz 0x0000000000000248 memsz 0x0000000000000270 flags rw-
DYNAMIC off 0x0000000000000e20 vaddr 0x0000000000600e20 paddr 0x0000000000600e20 align 2**3
filesz 0x00000000000001d0 memsz 0x00000000000001d0 flags rw-
NOTE off 0x0000000000000254 vaddr 0x0000000000400254 paddr 0x0000000000400254 align 2**2
filesz 0x0000000000000044 memsz 0x0000000000000044 flags r--
EH_FRAME off 0x00000000000008ac vaddr 0x00000000004008ac paddr 0x00000000004008ac align 2**2
filesz 0x000000000000003c memsz 0x000000000000003c flags r--
STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
RELRO off 0x0000000000000e10 vaddr 0x0000000000600e10 paddr 0x0000000000600e10 align 2**0
filesz 0x00000000000001f0 memsz 0x00000000000001f0 flags r--
Dynamic Section:
NEEDED libc.so.6
INIT 0x0000000000400580
FINI 0x0000000000400864
INIT_ARRAY 0x0000000000600e10
INIT_ARRAYSZ 0x0000000000000008
FINI_ARRAY 0x0000000000600e18
FINI_ARRAYSZ 0x0000000000000008
GNU_HASH 0x0000000000400298
STRTAB 0x00000000004003c8
SYMTAB 0x00000000004002c0
STRSZ 0x000000000000007f
SYMENT 0x0000000000000018
DEBUG 0x0000000000000000
PLTGOT 0x0000000000601000
PLTRELSZ 0x0000000000000090
PLTREL 0x0000000000000007
JMPREL 0x00000000004004f0
RELA 0x0000000000400490
RELASZ 0x0000000000000060
RELAENT 0x0000000000000018
VERNEED 0x0000000000400460
VERNEEDNUM 0x0000000000000001
VERSYM 0x0000000000400448
Version References:
required from libc.so.6:
0x0d696914 0x00 03 GLIBC_2.4
0x09691a75 0x00 02 GLIBC_2.2.5
단순하지만 의외로 유용한 방법으로, strings 로 ELF 파일 내 텍스트 추출 — 아래 출력에서 프로그램의 프롬프트 ("[1] Leak Canary", "[2] Input ROP payload") 와 포맷 문자열 ("Buf: %s") 이 그대로 보이고, .comment 섹션의 "GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0" 은 빌드 툴체인이 Ubuntu 18.04 라는 힌트라서 원격 환경의 libc 버전을 추정하는 데 참고가 된다. strings 는 기본적으로 4자 이상 출력 가능한 문자열만 보여주므로 짧은 문자열은 빠질 수 있다.
strings binary > file.txt
/lib64/ld-linux-x86-64.so.2
libc.so.6
puts
__stack_chk_fail
stdin
printf
read
stdout
setvbuf
__libc_start_main
write
GLIBC_2.4
GLIBC_2.2.5
__gmon_start__
AWAVI
AUATL
[]A\A]A^A_
[1] Leak Canary
Buf:
Buf: %s
[2] Input ROP payload
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
rop.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
stdout@@GLIBC_2.2.5
puts@@GLIBC_2.2.5
stdin@@GLIBC_2.2.5
write@@GLIBC_2.2.5
_edata
__stack_chk_fail@@GLIBC_2.4
printf@@GLIBC_2.2.5
read@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
_dl_relocate_static_pie
__bss_start
main
setvbuf@@GLIBC_2.2.5
__TMC_END__
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got
.got.plt
.data
.bss
.comment
strace
gdb 가 있어서 덜 쓰이긴 하지만, 바이너리가 실제로 어떤 시스템 콜을 호출하는지 실시간으로 볼 수 있다. 주의: strace 는 바이너리를 실제로 실행하므로 출처가 불분명한 파일은 반드시 격리된 VM/컨테이너 안에서 돌려야 한다. 아래 출력에서 read(0, ..., 256) 으로 입력 버퍼 크기(요청 256 바이트)를 알 수 있고, "test\n" 5 바이트를 넣었는데 "Buf: test\n\177\n" 12 바이트가 출력되는 것으로 보아 %s 출력이 입력 끝을 지나 버퍼 뒤의 바이트까지 이어지는 것으로 보인다 — "[1] Leak Canary" 단계에서 이용하는 부분으로 추정된다.
strace ./binary
strace ./rop
execve("./rop", ["./rop"], 0x7ffcf13700e0 /* 38 vars */) = 0
brk(NULL) = 0x8e1000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff0a428cc0) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f037dc20000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=34111, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 34111, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f037dc17000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\237\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0 \0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0"..., 48, 848) = 48
pread64(3, "\4\0\0\0\24\0\0\0\3\0\0\0GNU\0\226 \25\252\235\23<l\274\3731\3540\5\226\327"..., 68, 896) = 68
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=2220400, ...}, AT_EMPTY_PATH) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 2264656, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f037d9ee000
mprotect(0x7f037da16000, 2023424, PROT_NONE) = 0
mmap(0x7f037da16000, 1658880, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x28000) = 0x7f037da16000
mmap(0x7f037dbab000, 360448, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bd000) = 0x7f037dbab000
mmap(0x7f037dc04000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x215000) = 0x7f037dc04000
mmap(0x7f037dc0a000, 52816, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f037dc0a000
close(3) = 0
mmap(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f037d9eb000
arch_prctl(ARCH_SET_FS, 0x7f037d9eb740) = 0
set_tid_address(0x7f037d9eba10) = 16442
set_robust_list(0x7f037d9eba20, 24) = 0
rseq(0x7f037d9ec0e0, 0x20, 0, 0x53053053) = 0
mprotect(0x7f037dc04000, 16384, PROT_READ) = 0
mprotect(0x600000, 4096, PROT_READ) = 0
mprotect(0x7f037dc5a000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f037dc17000, 34111) = 0
write(1, "[1] Leak Canary", 15[1] Leak Canary) = 15
write(1, "\n", 1
) = 1
write(1, "Buf: ", 5Buf: ) = 5
read(0, test
"test\n", 256) = 5
write(1, "Buf: test\n\177\n", 12Buf: test
) = 12
write(1, "[2] Input ROP payload", 21[2] Input ROP payload) = 21
write(1, "\n", 1
) = 1