PIC(Position Independent Code)
Description
This is not itself a protection mechanism; it is described here as background for understanding PIE.
PIC (Position Independent Code) is machine code that can be placed anywhere in main memory and runs correctly at any address, without modification, regardless of its absolute address.
PIC is typically used for shared libraries, so that the same library code can be loaded into the memory area of each program that uses it.
Each process can execute the PIC at a different address, and no relocation of the code is needed at run time.
When building a shared library, compile the source with the -fPIC option.
Relocatable code
Relocatable code is, as the name says, code that requires relocation.
Relocation is the process in which the dynamic linker patches the addresses of the labels and symbols generated in the code.
Example
Source code
```c
#include <stdio.h>

void lazenca(int a){
    printf("Lazenca.0x%d\n",a);
}
```
Build
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gcc -mcmodel=large -shared -o libNonPIC.so lazenca.c
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gcc -fPIC -shared -o libPIC.so lazenca.c
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gcc -fPIC -nostartfiles -shared -o libNoStartPIC.so lazenca.c
```
Compare files(Non-PIC vs PIC vs NoStart) - Section Headers
- As shown below, the file built with PIC differs from the file built without it.
- The binary built with PIC has an additional ".rela.plt" section.
- The binary built with PIC and the -nostartfiles option has no ".rela.dyn", ".init", ".plt.got", ".fini", ".init_array", ".fini_array", ".jcr", ".got", ".data" or ".bss" section.
Non-PIC | PIC | NoStartPIC |
---|---|---|
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ readelf -S libNonPIC.so | lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ readelf -S libPIC.so | lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ readelf -S libNoStartPIC.so |
Compare files(Non-PIC vs PIC vs NoStart) - Dynamic section
- As shown below, the file built with PIC differs from the file built without it.
- The file built without PIC has a TEXTREL entry in its dynamic section, and no PLTRELSZ, PLTREL or JMPREL entries.
- The file built with PIC has PLTRELSZ, PLTREL and JMPREL entries, and no TEXTREL entry.
- The file built with PIC and the -nostartfiles option has PLTRELSZ, PLTREL and JMPREL entries, but no INIT, FINI, INIT_ARRAY, INIT_ARRAYSZ, FINI_ARRAY, FINI_ARRAYSZ, RELA, RELASZ, RELAENT or RELACOUNT entries.
NonPIC | PIC | NoStartPIC |
---|---|---|
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ readelf -d libNonPIC.so | lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ readelf -d libPIC.so | lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ readelf -d libNoStartPIC.so |
- There is another important point here: the RELA, RELASZ, RELAENT and RELACOUNT entries.
- Each binary contains the following relocation information.
- The library built without PIC requires relocation.
- The library built with PIC also requires relocation.
- The file built with the -nostartfiles option, however, requires no relocation (it has no RELA entries at all).
Entry | NonPIC | PIC | NoStartPIC |
---|---|---|---|
RELA | 0x470 | 0x470 | X |
RELASZ | 240 | 192 | X |
RELAENT | 24 | 24 | X |
RELACOUNT | 4 | 3 | X |
These entries describe the relocation table (X in the table above means the entry is absent).
- RELA : address of the relocation table (Rela entries, i.e. relocations with an explicit addend)
- RELASZ : total size of the relocation table, in bytes
- RELAENT : size of one relocation entry, in bytes
- RELACOUNT : number of relocations (specifically, the count of relative relocations at the start of the table)
Compare files(Non-PIC vs PIC) - Code
NonPIC
- As shown below, when the binary built without PIC calls a function, it calls the address held in the rdx register.
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gdb -q ./libNonPIC.so
Reading symbols from ./libNonPIC.so...(no debugging symbols found)...done.
gdb-peda$ disassemble lazenca
Dump of assembler code for function lazenca:
   0x00000000000006a0 <+0>:     push   rbp
   0x00000000000006a1 <+1>:     mov    rbp,rsp
   0x00000000000006a4 <+4>:     sub    rsp,0x10
   0x00000000000006a8 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x00000000000006ab <+11>:    mov    eax,DWORD PTR [rbp-0x4]
   0x00000000000006ae <+14>:    mov    esi,eax
   0x00000000000006b0 <+16>:    movabs rdi,0x6d9
   0x00000000000006ba <+26>:    mov    eax,0x0
   0x00000000000006bf <+31>:    movabs rdx,0x0
   0x00000000000006c9 <+41>:    call   rdx
   0x00000000000006cb <+43>:    nop
   0x00000000000006cc <+44>:    leave
   0x00000000000006cd <+45>:    ret
End of assembler dump.
gdb-peda$ info file
Symbols from "/home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so".
Local exec file:
        `/home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so', file type elf64-x86-64.
        Entry point: 0x5a0
        0x00000000000001c8 - 0x00000000000001ec is .note.gnu.build-id
        0x00000000000001f0 - 0x000000000000022c is .gnu.hash
        0x0000000000000230 - 0x0000000000000380 is .dynsym
        0x0000000000000380 - 0x0000000000000432 is .dynstr
        0x0000000000000432 - 0x000000000000044e is .gnu.version
        0x0000000000000450 - 0x0000000000000470 is .gnu.version_r
        0x0000000000000470 - 0x0000000000000560 is .rela.dyn
        0x0000000000000560 - 0x000000000000057a is .init
        0x0000000000000580 - 0x0000000000000590 is .plt
        0x0000000000000590 - 0x00000000000005a0 is .plt.got
        0x00000000000005a0 - 0x00000000000006ce is .text
        0x00000000000006d0 - 0x00000000000006d9 is .fini
        0x00000000000006d9 - 0x00000000000006e7 is .rodata
        0x00000000000006e8 - 0x0000000000000704 is .eh_frame_hdr
        0x0000000000000708 - 0x000000000000076c is .eh_frame
        0x0000000000200e20 - 0x0000000000200e28 is .init_array
        0x0000000000200e28 - 0x0000000000200e30 is .fini_array
        0x0000000000200e30 - 0x0000000000200e38 is .jcr
        0x0000000000200e38 - 0x0000000000200fd8 is .dynamic
        0x0000000000200fd8 - 0x0000000000201000 is .got
        0x0000000000201000 - 0x0000000000201018 is .got.plt
        0x0000000000201018 - 0x0000000000201020 is .data
        0x0000000000201020 - 0x0000000000201028 is .bss
gdb-peda$ x/s 0x6d9
0x6d9:  "Lazenca.0x%d\n"
gdb-peda$
```
- The function call can be analysed in the debugger as follows.
- To call lazenca, main calls 0x400570 (lazenca@plt).
- Set a breakpoint at 0x400699 and run the program.
- The actual address of lazenca is relocated into the GOT slot at 0x601020.
- Once the shared library has been loaded into the program, the lazenca function can be disassembled.
- 0x7ffff7860800 is stored in the rdx register and then called.
- 0x7ffff7860800 lies in the .text area of "/lib/x86_64-linux-gnu/libc.so.6" (0x7ffff782a8b0 - 0x7ffff797dac4).
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gdb -q ./test
Reading symbols from ./test...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x0000000000400686 <+0>:     push   rbp
   0x0000000000400687 <+1>:     mov    rbp,rsp
   0x000000000040068a <+4>:     mov    esi,0xa
   0x000000000040068f <+9>:     mov    edi,0xa
   0x0000000000400694 <+14>:    mov    eax,0x0
   0x0000000000400699 <+19>:    call   0x400570 <lazenca@plt>
   0x000000000040069e <+24>:    nop
   0x000000000040069f <+25>:    pop    rbp
   0x00000000004006a0 <+26>:    ret
End of assembler dump.
gdb-peda$ disassemble lazenca
Dump of assembler code for function lazenca@plt:
   0x0000000000400570 <+0>:     jmp    QWORD PTR [rip+0x200aaa]        # 0x601020
   0x0000000000400576 <+6>:     push   0x1
   0x000000000040057b <+11>:    jmp    0x400550
End of assembler dump.
gdb-peda$ b *0x0000000000400699
Breakpoint 1 at 0x400699
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/Definition/protection/PIC/test

Breakpoint 1, 0x0000000000400699 in main ()
gdb-peda$ disassemble lazenca
Dump of assembler code for function lazenca:
   0x00007ffff7bd56a0 <+0>:     push   rbp
   0x00007ffff7bd56a1 <+1>:     mov    rbp,rsp
   0x00007ffff7bd56a4 <+4>:     sub    rsp,0x10
   0x00007ffff7bd56a8 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x00007ffff7bd56ab <+11>:    mov    eax,DWORD PTR [rbp-0x4]
   0x00007ffff7bd56ae <+14>:    mov    esi,eax
   0x00007ffff7bd56b0 <+16>:    movabs rdi,0x7ffff7bd56d9
   0x00007ffff7bd56ba <+26>:    mov    eax,0x0
   0x00007ffff7bd56bf <+31>:    movabs rdx,0x7ffff7860800
   0x00007ffff7bd56c9 <+41>:    call   rdx
   0x00007ffff7bd56cb <+43>:    nop
   0x00007ffff7bd56cc <+44>:    leave
   0x00007ffff7bd56cd <+45>:    ret
End of assembler dump.
gdb-peda$ x/i 0x7ffff7860800
   0x7ffff7860800 <__printf>:   sub    rsp,0xd8
gdb-peda$ info file
Symbols from "/home/lazenca0x0/Documents/Definition/protection/PIC/test".
Native process:
        Using the running image of child process 4525.
        While running this, GDB does not access memory from...
Local exec file:
        `/home/lazenca0x0/Documents/Definition/protection/PIC/test', file type elf64-x86-64.
        Entry point: 0x400590
        0x0000000000400238 - 0x0000000000400254 is .interp
        0x0000000000400254 - 0x0000000000400274 is .note.ABI-tag
        0x0000000000400274 - 0x0000000000400298 is .note.gnu.build-id
        0x0000000000400298 - 0x00000000004002d0 is .gnu.hash
        0x00000000004002d0 - 0x00000000004003f0 is .dynsym
        0x00000000004003f0 - 0x00000000004004ab is .dynstr
        0x00000000004004ac - 0x00000000004004c4 is .gnu.version
        0x00000000004004c8 - 0x00000000004004e8 is .gnu.version_r
        0x00000000004004e8 - 0x0000000000400500 is .rela.dyn
        0x0000000000400500 - 0x0000000000400530 is .rela.plt
        0x0000000000400530 - 0x000000000040054a is .init
        0x0000000000400550 - 0x0000000000400580 is .plt
        0x0000000000400580 - 0x0000000000400588 is .plt.got
        0x0000000000400590 - 0x0000000000400722 is .text
        0x0000000000400724 - 0x000000000040072d is .fini
        0x0000000000400730 - 0x0000000000400734 is .rodata
        0x0000000000400734 - 0x0000000000400768 is .eh_frame_hdr
        0x0000000000400768 - 0x000000000040085c is .eh_frame
        0x0000000000600e00 - 0x0000000000600e08 is .init_array
        0x0000000000600e08 - 0x0000000000600e10 is .fini_array
        0x0000000000600e10 - 0x0000000000600e18 is .jcr
        0x0000000000600e18 - 0x0000000000600ff8 is .dynamic
        0x0000000000600ff8 - 0x0000000000601000 is .got
        0x0000000000601000 - 0x0000000000601028 is .got.plt
        0x0000000000601028 - 0x0000000000601038 is .data
        0x0000000000601038 - 0x0000000000601040 is .bss
        0x00007ffff7dd71c8 - 0x00007ffff7dd71ec is .note.gnu.build-id in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd71f0 - 0x00007ffff7dd72b0 is .hash in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd72b0 - 0x00007ffff7dd7390 is .gnu.hash in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7390 - 0x00007ffff7dd7648 is .dynsym in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7648 - 0x00007ffff7dd77ef is .dynstr in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd77f0 - 0x00007ffff7dd782a is .gnu.version in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7830 - 0x00007ffff7dd78d4 is .gnu.version_d in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd78d8 - 0x00007ffff7dd79f8 is .rela.dyn in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd79f8 - 0x00007ffff7dd7a58 is .rela.plt in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7a60 - 0x00007ffff7dd7ab0 is .plt in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7ab0 - 0x00007ffff7dd7ab8 is .plt.got in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7ac0 - 0x00007ffff7df5810 is .text in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df5820 - 0x00007ffff7df98e0 is .rodata in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df98e0 - 0x00007ffff7df98e1 is .stapsdt.base in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df98e4 - 0x00007ffff7df9f20 is .eh_frame_hdr in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df9f20 - 0x00007ffff7dfc3b8 is .eh_frame in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffcbc0 - 0x00007ffff7ffce6c is .data.rel.ro in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffce70 - 0x00007ffff7ffcfe0 is .dynamic in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffcfe0 - 0x00007ffff7ffcff0 is .got in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffd000 - 0x00007ffff7ffd038 is .got.plt in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffd040 - 0x00007ffff7ffdfc0 is .data in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffdfc0 - 0x00007ffff7ffe168 is .bss in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffa120 - 0x00007ffff7ffa160 is .hash in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa160 - 0x00007ffff7ffa1a8 is .gnu.hash in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa1a8 - 0x00007ffff7ffa2b0 is .dynsym in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa2b0 - 0x00007ffff7ffa30e is .dynstr in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa30e - 0x00007ffff7ffa324 is .gnu.version in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa328 - 0x00007ffff7ffa360 is .gnu.version_d in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa360 - 0x00007ffff7ffa470 is .dynamic in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa470 - 0x00007ffff7ffa7f8 is .rodata in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa7f8 - 0x00007ffff7ffa834 is .note in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa834 - 0x00007ffff7ffa870 is .eh_frame_hdr in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa870 - 0x00007ffff7ffa998 is .eh_frame in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa9a0 - 0x00007ffff7ffaee9 is .text in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffaee9 - 0x00007ffff7ffaf1d is .altinstructions in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffaf1d - 0x00007ffff7ffaf29 is .altinstr_replacement in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7bd51c8 - 0x00007ffff7bd51ec is .note.gnu.build-id in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd51f0 - 0x00007ffff7bd522c is .gnu.hash in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5230 - 0x00007ffff7bd5380 is .dynsym in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5380 - 0x00007ffff7bd5432 is .dynstr in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5432 - 0x00007ffff7bd544e is .gnu.version in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5450 - 0x00007ffff7bd5470 is .gnu.version_r in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5470 - 0x00007ffff7bd5560 is .rela.dyn in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5560 - 0x00007ffff7bd557a is .init in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5580 - 0x00007ffff7bd5590 is .plt in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5590 - 0x00007ffff7bd55a0 is .plt.got in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd55a0 - 0x00007ffff7bd56ce is .text in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd56d0 - 0x00007ffff7bd56d9 is .fini in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd56d9 - 0x00007ffff7bd56e7 is .rodata in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd56e8 - 0x00007ffff7bd5704 is .eh_frame_hdr in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7bd5708 - 0x00007ffff7bd576c is .eh_frame in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd5e20 - 0x00007ffff7dd5e28 is .init_array in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd5e28 - 0x00007ffff7dd5e30 is .fini_array in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd5e30 - 0x00007ffff7dd5e38 is .jcr in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd5e38 - 0x00007ffff7dd5fd8 is .dynamic in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd5fd8 - 0x00007ffff7dd6000 is .got in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd6000 - 0x00007ffff7dd6018 is .got.plt in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd6018 - 0x00007ffff7dd6020 is .data in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff7dd6020 - 0x00007ffff7dd6028 is .bss in /home/lazenca0x0/Documents/Definition/protection/PIC/libNonPIC.so
        0x00007ffff780b270 - 0x00007ffff780b294 is .note.gnu.build-id in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff780b294 - 0x00007ffff780b2b4 is .note.ABI-tag in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff780b2b8 - 0x00007ffff780ed80 is .gnu.hash in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff780ed80 - 0x00007ffff781bff8 is .dynsym in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff781bff8 - 0x00007ffff78219d7 is .dynstr in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff78219d8 - 0x00007ffff7822b62 is .gnu.version in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7822b68 - 0x00007ffff7822edc is .gnu.version_d in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7822ee0 - 0x00007ffff7822f10 is .gnu.version_r in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7822f10 - 0x00007ffff782a680 is .rela.dyn in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a680 - 0x00007ffff782a7b8 is .rela.plt in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a7c0 - 0x00007ffff782a8a0 is .plt in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a8a0 - 0x00007ffff782a8b0 is .plt.got in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a8b0 - 0x00007ffff797dac4 is .text in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff797dad0 - 0x00007ffff797ffed is __libc_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff797fff0 - 0x00007ffff79802b2 is __libc_thread_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79802c0 - 0x00007ffff79a1610 is .rodata in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a1610 - 0x00007ffff79a1611 is .stapsdt.base in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a1620 - 0x00007ffff79a163c is .interp in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a163c - 0x00007ffff79a6af8 is .eh_frame_hdr in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a6af8 - 0x00007ffff79c738c is .eh_frame in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79c738c - 0x00007ffff79c77cd is .gcc_except_table in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79c77d0 - 0x00007ffff79caad0 is .hash in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7c0 - 0x00007ffff7bcb7d0 is .tdata in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7d0 - 0x00007ffff7bcb838 is .tbss in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7d0 - 0x00007ffff7bcb7e0 is .init_array in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7e0 - 0x00007ffff7bcb8d8 is __libc_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb8d8 - 0x00007ffff7bcb8e0 is __libc_atexit in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb8e0 - 0x00007ffff7bcb900 is __libc_thread_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb900 - 0x00007ffff7bceba0 is .data.rel.ro in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bceba0 - 0x00007ffff7bced80 is .dynamic in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bced80 - 0x00007ffff7bceff0 is .got in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcf000 - 0x00007ffff7bcf080 is .got.plt in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcf080 - 0x00007ffff7bd0720 is .data in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bd0720 - 0x00007ffff7bd49a0 is .bss in /lib/x86_64-linux-gnu/libc.so.6
gdb-peda$
```
PIC
- As shown below, when the binary built with PIC calls a function, it calls that function's entry in the .plt area instead of an absolute address.
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gdb -q ./libNoStartPIC.so
Reading symbols from ./libNoStartPIC.so...(no debugging symbols found)...done.
gdb-peda$ disassemble lazenca
Dump of assembler code for function lazenca:
   0x0000000000000380 <+0>:     push   rbp
   0x0000000000000381 <+1>:     mov    rbp,rsp
   0x0000000000000384 <+4>:     sub    rsp,0x10
   0x0000000000000388 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x000000000000038b <+11>:    mov    eax,DWORD PTR [rbp-0x4]
   0x000000000000038e <+14>:    mov    esi,eax
   0x0000000000000390 <+16>:    lea    rdi,[rip+0xd]        # 0x3a4
   0x0000000000000397 <+23>:    mov    eax,0x0
   0x000000000000039c <+28>:    call   0x370 <printf@plt>
   0x00000000000003a1 <+33>:    nop
   0x00000000000003a2 <+34>:    leave
   0x00000000000003a3 <+35>:    ret
End of assembler dump.
gdb-peda$ info file
Symbols from "/home/lazenca0x0/Documents/Definition/protection/PIC/libNoStartPIC.so".
Local exec file:
        `/home/lazenca0x0/Documents/Definition/protection/PIC/libNoStartPIC.so', file type elf64-x86-64.
        Entry point: 0x380
        0x00000000000001c8 - 0x00000000000001ec is .note.gnu.build-id
        0x00000000000001f0 - 0x0000000000000224 is .gnu.hash
        0x0000000000000228 - 0x00000000000002d0 is .dynsym
        0x00000000000002d0 - 0x000000000000030e is .dynstr
        0x000000000000030e - 0x000000000000031c is .gnu.version
        0x0000000000000320 - 0x0000000000000340 is .gnu.version_r
        0x0000000000000340 - 0x0000000000000358 is .rela.plt
        0x0000000000000360 - 0x0000000000000380 is .plt
        0x0000000000000380 - 0x00000000000003a4 is .text
        0x00000000000003a4 - 0x00000000000003b2 is .rodata
        0x00000000000003b4 - 0x00000000000003d0 is .eh_frame_hdr
        0x00000000000003d0 - 0x0000000000000430 is .eh_frame
        0x0000000000200ed0 - 0x0000000000201000 is .dynamic
        0x0000000000201000 - 0x0000000000201020 is .got.plt
gdb-peda$ x/s 0x3a4
0x3a4:  "Lazenca.0x%d\n"
gdb-peda$
```
- The function call can be analysed in the debugger as follows.
- To call lazenca, main calls 0x400570 (lazenca@plt).
- Set a breakpoint at 0x400699 and run the program.
- The actual address of lazenca is relocated into the GOT slot at 0x601020.
- Once the shared library has been loaded into the program, the lazenca function can be disassembled.
- To call printf, lazenca calls 0x7ffff7bd5580.
- 0x7ffff7bd5580 lies in the .plt area of "/home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so" (0x7ffff7bd5570 - 0x00007ffff7bd5590).
```
lazenca0x0@ubuntu:~/Documents/Definition/protection/PIC$ gdb -q ./testPIC
Reading symbols from ./testPIC...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x0000000000400686 <+0>:     push   rbp
   0x0000000000400687 <+1>:     mov    rbp,rsp
   0x000000000040068a <+4>:     mov    esi,0xa
   0x000000000040068f <+9>:     mov    edi,0xa
   0x0000000000400694 <+14>:    mov    eax,0x0
   0x0000000000400699 <+19>:    call   0x400570 <lazenca@plt>
   0x000000000040069e <+24>:    nop
   0x000000000040069f <+25>:    pop    rbp
   0x00000000004006a0 <+26>:    ret
End of assembler dump.
gdb-peda$ disassemble lazenca
Dump of assembler code for function lazenca@plt:
   0x0000000000400570 <+0>:     jmp    QWORD PTR [rip+0x200aaa]        # 0x601020
   0x0000000000400576 <+6>:     push   0x1
   0x000000000040057b <+11>:    jmp    0x400550
End of assembler dump.
gdb-peda$ b *0x0000000000400699
Breakpoint 1 at 0x400699
gdb-peda$ r
Starting program: /home/lazenca0x0/Documents/Definition/protection/PIC/testPIC

Breakpoint 1, 0x0000000000400699 in main ()
gdb-peda$ disassemble lazenca
Dump of assembler code for function lazenca:
   0x00007ffff7bd56a0 <+0>:     push   rbp
   0x00007ffff7bd56a1 <+1>:     mov    rbp,rsp
   0x00007ffff7bd56a4 <+4>:     sub    rsp,0x10
   0x00007ffff7bd56a8 <+8>:     mov    DWORD PTR [rbp-0x4],edi
   0x00007ffff7bd56ab <+11>:    mov    eax,DWORD PTR [rbp-0x4]
   0x00007ffff7bd56ae <+14>:    mov    esi,eax
   0x00007ffff7bd56b0 <+16>:    lea    rdi,[rip+0x16]        # 0x7ffff7bd56cd
   0x00007ffff7bd56b7 <+23>:    mov    eax,0x0
   0x00007ffff7bd56bc <+28>:    call   0x7ffff7bd5580 <printf@plt>
   0x00007ffff7bd56c1 <+33>:    nop
   0x00007ffff7bd56c2 <+34>:    leave
   0x00007ffff7bd56c3 <+35>:    ret
End of assembler dump.
gdb-peda$ info file
Symbols from "/home/lazenca0x0/Documents/Definition/protection/PIC/testPIC".
Native process:
        Using the running image of child process 4632.
        While running this, GDB does not access memory from...
Local exec file:
        `/home/lazenca0x0/Documents/Definition/protection/PIC/testPIC', file type elf64-x86-64.
        Entry point: 0x400590
        0x0000000000400238 - 0x0000000000400254 is .interp
        0x0000000000400254 - 0x0000000000400274 is .note.ABI-tag
        0x0000000000400274 - 0x0000000000400298 is .note.gnu.build-id
        0x0000000000400298 - 0x00000000004002d0 is .gnu.hash
        0x00000000004002d0 - 0x00000000004003f0 is .dynsym
        0x00000000004003f0 - 0x00000000004004a8 is .dynstr
        0x00000000004004a8 - 0x00000000004004c0 is .gnu.version
        0x00000000004004c0 - 0x00000000004004e0 is .gnu.version_r
        0x00000000004004e0 - 0x00000000004004f8 is .rela.dyn
        0x00000000004004f8 - 0x0000000000400528 is .rela.plt
        0x0000000000400528 - 0x0000000000400542 is .init
        0x0000000000400550 - 0x0000000000400580 is .plt
        0x0000000000400580 - 0x0000000000400588 is .plt.got
        0x0000000000400590 - 0x0000000000400722 is .text
        0x0000000000400724 - 0x000000000040072d is .fini
        0x0000000000400730 - 0x0000000000400734 is .rodata
        0x0000000000400734 - 0x0000000000400768 is .eh_frame_hdr
        0x0000000000400768 - 0x000000000040085c is .eh_frame
        0x0000000000600e00 - 0x0000000000600e08 is .init_array
        0x0000000000600e08 - 0x0000000000600e10 is .fini_array
        0x0000000000600e10 - 0x0000000000600e18 is .jcr
        0x0000000000600e18 - 0x0000000000600ff8 is .dynamic
        0x0000000000600ff8 - 0x0000000000601000 is .got
        0x0000000000601000 - 0x0000000000601028 is .got.plt
        0x0000000000601028 - 0x0000000000601038 is .data
        0x0000000000601038 - 0x0000000000601040 is .bss
        0x00007ffff7dd71c8 - 0x00007ffff7dd71ec is .note.gnu.build-id in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd71f0 - 0x00007ffff7dd72b0 is .hash in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd72b0 - 0x00007ffff7dd7390 is .gnu.hash in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7390 - 0x00007ffff7dd7648 is .dynsym in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7648 - 0x00007ffff7dd77ef is .dynstr in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd77f0 - 0x00007ffff7dd782a is .gnu.version in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7830 - 0x00007ffff7dd78d4 is .gnu.version_d in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd78d8 - 0x00007ffff7dd79f8 is .rela.dyn in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd79f8 - 0x00007ffff7dd7a58 is .rela.plt in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7a60 - 0x00007ffff7dd7ab0 is .plt in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7ab0 - 0x00007ffff7dd7ab8 is .plt.got in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7dd7ac0 - 0x00007ffff7df5810 is .text in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df5820 - 0x00007ffff7df98e0 is .rodata in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df98e0 - 0x00007ffff7df98e1 is .stapsdt.base in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df98e4 - 0x00007ffff7df9f20 is .eh_frame_hdr in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7df9f20 - 0x00007ffff7dfc3b8 is .eh_frame in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffcbc0 - 0x00007ffff7ffce6c is .data.rel.ro in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffce70 - 0x00007ffff7ffcfe0 is .dynamic in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffcfe0 - 0x00007ffff7ffcff0 is .got in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffd000 - 0x00007ffff7ffd038 is .got.plt in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffd040 - 0x00007ffff7ffdfc0 is .data in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffdfc0 - 0x00007ffff7ffe168 is .bss in /lib64/ld-linux-x86-64.so.2
        0x00007ffff7ffa120 - 0x00007ffff7ffa160 is .hash in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa160 - 0x00007ffff7ffa1a8 is .gnu.hash in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa1a8 - 0x00007ffff7ffa2b0 is .dynsym in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa2b0 - 0x00007ffff7ffa30e is .dynstr in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa30e - 0x00007ffff7ffa324 is .gnu.version in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa328 - 0x00007ffff7ffa360 is .gnu.version_d in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa360 - 0x00007ffff7ffa470 is .dynamic in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa470 - 0x00007ffff7ffa7f8 is .rodata in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa7f8 - 0x00007ffff7ffa834 is .note in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa834 - 0x00007ffff7ffa870 is .eh_frame_hdr in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa870 - 0x00007ffff7ffa998 is .eh_frame in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffa9a0 - 0x00007ffff7ffaee9 is .text in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffaee9 - 0x00007ffff7ffaf1d is .altinstructions in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7ffaf1d - 0x00007ffff7ffaf29 is .altinstr_replacement in system-supplied DSO at 0x7ffff7ffa000
        0x00007ffff7bd51c8 - 0x00007ffff7bd51ec is .note.gnu.build-id in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd51f0 - 0x00007ffff7bd522c is .gnu.hash in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5230 - 0x00007ffff7bd5380 is .dynsym in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5380 - 0x00007ffff7bd5432 is .dynstr in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5432 - 0x00007ffff7bd544e is .gnu.version in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5450 - 0x00007ffff7bd5470 is .gnu.version_r in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5470 - 0x00007ffff7bd5530 is .rela.dyn in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5530 - 0x00007ffff7bd5548 is .rela.plt in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5548 - 0x00007ffff7bd5562 is .init in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5570 - 0x00007ffff7bd5590 is .plt in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd5590 - 0x00007ffff7bd55a0 is .plt.got in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd55a0 - 0x00007ffff7bd56c4 is .text in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd56c4 - 0x00007ffff7bd56cd is .fini in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd56cd - 0x00007ffff7bd56db is .rodata in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd56dc - 0x00007ffff7bd56f8 is .eh_frame_hdr in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7bd56f8 - 0x00007ffff7bd575c is .eh_frame in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd5e00 - 0x00007ffff7dd5e08 is .init_array in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd5e08 - 0x00007ffff7dd5e10 is .fini_array in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd5e10 - 0x00007ffff7dd5e18 is .jcr in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd5e18 - 0x00007ffff7dd5fd8 is .dynamic in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd5fd8 - 0x00007ffff7dd6000 is .got in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd6000 - 0x00007ffff7dd6020 is .got.plt in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd6020 - 0x00007ffff7dd6028 is .data in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff7dd6028 - 0x00007ffff7dd6030 is .bss in /home/lazenca0x0/Documents/Definition/protection/PIC/libPIC.so
        0x00007ffff780b270 - 0x00007ffff780b294 is .note.gnu.build-id in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff780b294 - 0x00007ffff780b2b4 is .note.ABI-tag in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff780b2b8 - 0x00007ffff780ed80 is .gnu.hash in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff780ed80 - 0x00007ffff781bff8 is .dynsym in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff781bff8 - 0x00007ffff78219d7 is .dynstr in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff78219d8 - 0x00007ffff7822b62 is .gnu.version in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7822b68 - 0x00007ffff7822edc is .gnu.version_d in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7822ee0 - 0x00007ffff7822f10 is .gnu.version_r in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7822f10 - 0x00007ffff782a680 is .rela.dyn in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a680 - 0x00007ffff782a7b8 is .rela.plt in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a7c0 - 0x00007ffff782a8a0 is .plt in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a8a0 - 0x00007ffff782a8b0 is .plt.got in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff782a8b0 - 0x00007ffff797dac4 is .text in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff797dad0 - 0x00007ffff797ffed is __libc_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff797fff0 - 0x00007ffff79802b2 is __libc_thread_freeres_fn in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79802c0 - 0x00007ffff79a1610 is .rodata in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a1610 - 0x00007ffff79a1611 is .stapsdt.base in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a1620 - 0x00007ffff79a163c is .interp in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a163c - 0x00007ffff79a6af8 is .eh_frame_hdr in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79a6af8 - 0x00007ffff79c738c is .eh_frame in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79c738c - 0x00007ffff79c77cd is .gcc_except_table in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff79c77d0 - 0x00007ffff79caad0 is .hash in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7c0 - 0x00007ffff7bcb7d0 is .tdata in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7d0 - 0x00007ffff7bcb838 is .tbss in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7d0 - 0x00007ffff7bcb7e0 is .init_array in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb7e0 - 0x00007ffff7bcb8d8 is __libc_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb8d8 - 0x00007ffff7bcb8e0 is __libc_atexit in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb8e0 - 0x00007ffff7bcb900 is __libc_thread_subfreeres in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcb900 - 0x00007ffff7bceba0 is .data.rel.ro in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bceba0 - 0x00007ffff7bced80 is .dynamic in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bced80 - 0x00007ffff7bceff0 is .got in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcf000 - 0x00007ffff7bcf080 is .got.plt in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bcf080 - 0x00007ffff7bd0720 is .data in /lib/x86_64-linux-gnu/libc.so.6
        0x00007ffff7bd0720 - 0x00007ffff7bd49a0 is .bss in /lib/x86_64-linux-gnu/libc.so.6
gdb-peda$
```
Related information
- N/a