本文介绍了如何通过DT_DEBUG在Linux下获取动态链接库的基址,包括解析动态链接表、查找r_debug结构体和link_map链表,从而找到目标库如ld-linux.so的基址。
最近,在学习BCTF和0CTF的writeup时,注意到了一种通过DT_DEBUG来获得库的基址的方式:BCTF里的pattern用这一方法来获得ld-linux.so的地址,0CTF里的sandbox用这一方法来获得sandbox.so的基址。之前面对ASLR,我只知道可以通过GOT来获取libc.so的地址,而其他库的地址还不清楚应该怎样取得。于是,我稍微研究了下,在此记录。
首先,通过readelf -d,可以得到.dynamic的信息。而有些二进制文件里的.dynamic里包含DT_DEBUG:
Dynamic section at offset 0x7c8 contains 20 entries:
Tag Type Name/Value
...
0x0000000000000015 (DEBUG) 0x0
...
这里DT_DEBUG的值是0。在实际运行时,DT_DEBUG的值是指向struct r_debug的指针。其定义如下:
/* Rendezvous structure used by the run-time dynamic linker to communicate
details of shared object loading to the debugger. If the executable's
dynamic section has a DT_DEBUG element, the run-time linker sets that
element's value to the address where this structure can be found. */
struct r_debug
{
int r_version; /* Version number for this protocol. */
struct link_map *r_map; /* Head of the chain of loaded objects. */
/* This is the address of a function internal to the run-time linker,
that will always be called when the linker begins to map in a
library or unmap it, and again when the mapping change is complete.
The debugger can set a breakpoint at this address if it wants to
notice shared object mappi
最低0.47元/天 解锁文章
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
