使用二进制工具分析Hello World程序

Hello World程序

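#include <stdio.h>

int main(int argc, char *argv[])
{
    /*
     * Minimal test program for the binutils walkthrough.  argc and argv
     * are accepted but never read.
     *
     * The format string is a constant ending in '\n' with no conversion
     * specifiers; the nm and readelf -r output for this build lists puts
     * rather than printf as the imported libc symbol.
     */
    printf("Hello World\n");

    /* Exit status 0 reports success. */
    return 0;
}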



编译
$ gcc -Wall -g hw.c



file — determine file type
$ file a.out
a.out: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0x1930c9696c86fe873a61d00a7b9c2febf013b444, not stripped



nm - list symbols from object files
$ nm a.out
080495a8 d _DYNAMIC
08049694 d _GLOBAL_OFFSET_TABLE_
080484ac R _IO_stdin_used
         w _ITM_deregisterTMCloneTable
         w _ITM_registerTMCloneTable
         w _Jv_RegisterClasses
08048598 r __FRAME_END__
080495a4 d __JCR_END__
080495a4 d __JCR_LIST__
080496b0 D __TMC_END__
080496b0 A __bss_start
080496ac D __data_start
080483a0 t __do_global_dtors_aux
080495a0 t __do_global_dtors_aux_fini_array_entry
080484b0 R __dso_handle
0804959c t __frame_dummy_init_array_entry
         w __gmon_start__
080495a0 t __init_array_end
0804959c t __init_array_start
08048490 T __libc_csu_fini
08048420 T __libc_csu_init
         U __libc_start_main@@GLIBC_2.0
08048324 T __x86.get_pc_thunk.bx
080496b0 A _edata
080496b4 A _end
08048494 T _fini
080484a8 R _fp_hw
08048290 T _init
08048300 T _start
080496b0 b completed.5745
080496ac W data_start
08048330 t deregister_tm_clones
080483d0 t frame_dummy
08048400 T main
         U puts@@GLIBC_2.0
08048360 t register_tm_clones



addr2line - convert addresses into file names and line numbers.
$ addr2line 08048400 -e a.out -f
main
/work/disk2/test/hw.c:4



readelf - Displays information about ELF files.
$ readelf -h a.out
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0x8048300
  Start of program headers:          52 (bytes into file)
  Start of section headers:          2644 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         8
  Size of section headers:           40 (bytes)
  Number of section headers:         35
  Section header string table index: 32



$ readelf -S a.out
There are 35 section headers, starting at offset 0xa54:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .interp           PROGBITS        08048134 000134 000013 00   A  0   0  1
  [ 2] .note.ABI-tag     NOTE            08048148 000148 000020 00   A  0   0  4
  [ 3] .note.gnu.build-i NOTE            08048168 000168 000024 00   A  0   0  4
  [ 4] .gnu.hash         GNU_HASH        0804818c 00018c 000020 04   A  5   0  4
  [ 5] .dynsym           DYNSYM          080481ac 0001ac 000050 10   A  6   1  4
  [ 6] .dynstr           STRTAB          080481fc 0001fc 00004a 00   A  0   0  1
  [ 7] .gnu.version      VERSYM          08048246 000246 00000a 02   A  5   0  2
  [ 8] .gnu.version_r    VERNEED         08048250 000250 000020 00   A  6   1  4
  [ 9] .rel.dyn          REL             08048270 000270 000008 08   A  5   0  4
  [10] .rel.plt          REL             08048278 000278 000018 08   A  5  12  4
  [11] .init             PROGBITS        08048290 000290 000023 00  AX  0   0  4
  [12] .plt              PROGBITS        080482c0 0002c0 000040 04  AX  0   0 16
  [13] .text             PROGBITS        08048300 000300 000194 00  AX  0   0 16
  [14] .fini             PROGBITS        08048494 000494 000014 00  AX  0   0  4
  [15] .rodata           PROGBITS        080484a8 0004a8 000018 00   A  0   0  4
  [16] .eh_frame_hdr     PROGBITS        080484c0 0004c0 00002c 00   A  0   0  4
  [17] .eh_frame         PROGBITS        080484ec 0004ec 0000b0 00   A  0   0  4
  [18] .init_array       INIT_ARRAY      0804959c 00059c 000004 00  WA  0   0  4
  [19] .fini_array       FINI_ARRAY      080495a0 0005a0 000004 00  WA  0   0  4
  [20] .jcr              PROGBITS        080495a4 0005a4 000004 00  WA  0   0  4
  [21] .dynamic          DYNAMIC         080495a8 0005a8 0000e8 08  WA  6   0  4
  [22] .got              PROGBITS        08049690 000690 000004 04  WA  0   0  4
  [23] .got.plt          PROGBITS        08049694 000694 000018 04  WA  0   0  4
  [24] .data             PROGBITS        080496ac 0006ac 000004 00  WA  0   0  4
  [25] .bss              NOBITS          080496b0 0006b0 000004 00  WA  0   0  4
  [26] .comment          PROGBITS        00000000 0006b0 00002c 01  MS  0   0  1
  [27] .debug_aranges    PROGBITS        00000000 0006dc 000020 00      0   0  1
  [28] .debug_info       PROGBITS        00000000 0006fc 0000bc 00      0   0  1
  [29] .debug_abbrev     PROGBITS        00000000 0007b8 00005e 00      0   0  1
  [30] .debug_line       PROGBITS        00000000 000816 000035 00      0   0  1
  [31] .debug_str        PROGBITS        00000000 00084b 0000c3 01  MS  0   0  1
  [32] .shstrtab         STRTAB          00000000 00090e 000146 00      0   0  1
  [33] .symtab           SYMTAB          00000000 000fcc 000470 10     34  49  4
  [34] .strtab           STRTAB          00000000 00143c 00024d 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), T (TLS), E (exclude), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)



$ readelf -l a.out

Elf file type is EXEC (Executable file)
Entry point 0x8048300
There are 8 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  PHDR           0x000034 0x08048034 0x08048034 0x00100 0x00100 R E 0x4
  INTERP         0x000134 0x08048134 0x08048134 0x00013 0x00013 R   0x1
      [Requesting program interpreter: /lib/ld-linux.so.2]
  LOAD           0x000000 0x08048000 0x08048000 0x0059c 0x0059c R E 0x1000
  LOAD           0x00059c 0x0804959c 0x0804959c 0x00114 0x00118 RW  0x1000
  DYNAMIC        0x0005a8 0x080495a8 0x080495a8 0x000e8 0x000e8 RW  0x4
  NOTE           0x000148 0x08048148 0x08048148 0x00044 0x00044 R   0x4
  GNU_EH_FRAME   0x0004c0 0x080484c0 0x080484c0 0x0002c 0x0002c R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4

 Section to Segment mapping:
  Segment Sections...
   00
   01     .interp
   02     .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
   03     .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss
   04     .dynamic
   05     .note.ABI-tag .note.gnu.build-id
   06     .eh_frame_hdr
   07



$ readelf -r a.out

Relocation section '.rel.dyn' at offset 0x270 contains 1 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049690  00000206 R_386_GLOB_DAT    00000000   __gmon_start__

Relocation section '.rel.plt' at offset 0x278 contains 3 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
080496a0  00000107 R_386_JUMP_SLOT   00000000   puts
080496a4  00000207 R_386_JUMP_SLOT   00000000   __gmon_start__
080496a8  00000307 R_386_JUMP_SLOT   00000000   __libc_start_main



size - list section sizes and total size.
$ size a.out
   text    data     bss     dec     hex filename
   1114     276       4    1394     572 a.out



objdump - display information from object files.
$ objdump -f a.out

a.out:     file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048300



$ objdump -s a.out a.out:file format elf32-i386Contents of section .interp: 8048134 2f6c6962 2f6c642d 6c696e75 782e736f/lib/ld-linux.so 8048144 2e3200.2. Contents of section .note.ABI-tag: 8048148 04000000 10000000 01000000 474e5500............GNU. 8048158 00000000 02000000 06000000 20000000............ ... Contents of section .note.gnu.build-id: 8048168 04000000 14000000 03000000 474e5500............GNU. 8048178 69c93019 87fe866c 0ad0613a eb2f9c7bi.0....l..a:./.{ 8048188 44b413f0D... Contents of section .gnu.hash: 804818c 02000000 04000000 01000000 05000000................ 804819c 00200020 00000000 04000000 ad4be3c0. . .........K.. Contents of section .dynsym: 80481ac 00000000 00000000 00000000 00000000................ 80481bc 29000000 00000000 00000000 12000000)............... 80481cc 01000000 00000000 00000000 20000000............ ... 80481dc 2e000000 00000000 00000000 12000000................ 80481ec 1a000000 ac840408 04000000 11000f00................ Contents of section .dynstr: 80481fc 005f5f67 6d6f6e5f 73746172 745f5f00.__gmon_start__. 804820c 6c696263 2e736f2e 36005f49 4f5f7374libc.so.6._IO_st 804821c 64696e5f 75736564 00707574 73005f5fdin_used.puts.__ 804822c 6c696263 5f737461 72745f6d 61696e00libc_start_main. 804823c 474c4942 435f322e 3000GLIBC_2.0. Contents of section .gnu.version: 8048246 00000200 00000200 0100.......... Contents of section .gnu.version_r: 8048250 01000100 10000000 10000000 00000000................ 8048260 1069690d 00000200 40000000 00000000.ii.....@....... Contents of section .rel.dyn: 8048270 90960408 06020000........ Contents of section .rel.plt: 8048278 a0960408 07010000 a4960408 07020000................ 8048288 a8960408 07030000........ Contents of section .init: 8048290 5383ec08 e88b0000 0081c3fb 1300008bS............... 80482a0 83fcffff ff85c074 05e83200 000083c4.......t..2..... 80482b0 085bc3.[. Contents of section .plt: 80482c0 ff359896 0408ff25 9c960408 00000000.5.....%........ 
80482d0 ff25a096 04086800 000000e9 e0ffffff.%....h......... 80482e0 ff25a496 04086808 000000e9 d0ffffff.%....h......... 80482f0 ff25a896 04086810 000000e9 c0ffffff.%....h......... Contents of section .text: 8048300 31ed5e89 e183e4f0 50545268 908404081.^.....PTRh.... 8048310 68208404 08515668 00840408 e8cfffffh ...QVh........ 8048320 fff46690 8b1c24c3 0f1f8400 00000000..f...$......... 8048330 b8b39604 082db096 040883f8 067701c3.....-.......w.. 8048340 b8000000 0085c074 f65589e5 8d6424e8.......t.U...d$. 8048350 c70424b0 960408ff d0c9c390 8d742600..$..........t&. 8048360 b8b09604 082db096 0408c1f8 0289c2c1.....-.......... 8048370 ea1f01d0 d1f87501 c3ba0000 000085d2......u......... 8048380 74f65589 e58d6424 e8894424 04c70424t.U...d$..D$...$ 8048390 b0960408 ffd2c9c3 908db426 00000000...........&.... 80483a0 803db096 04080075 185589e5 8d6424f8.=.....u.U...d$. 80483b0 e87bffff ffc605b0 96040801 90909090.{.............. 80483c0 c9c38db4 26000000 008dbc27 00000000....&......'.... 80483d0 a1a49504 0885c074 1fb80000 000085c0.......t........ 80483e0 74165589 e58d6424 e8c70424 a4950408t.U...d$...$.... 80483f0 ffd0c9e9 68ffffff e963ffff ff0f1f00....h....c...... 8048400 5589e583 e4f083ec 10c70424 b4840408U..........$.... 8048410 e8bbfeff ffb80000 0000c9c3 0f1f4000..............@. 8048420 555731ff 5653e8f9 feffff81 c3691200UW1.VS.......i.. 8048430 0083ec1c 8b6c2430 8db30cff ffffe84d.....l$0.......M 8048440 feffff8d 8308ffff ff29c6c1 fe0285f6.........)...... 8048450 74278db6 00000000 8b442438 892c2489t'.......D$8.,$. 8048460 4424088b 44243489 442404ff 94bb08ffD$..D$4.D$...... 8048470 ffff83c7 0139f775 df83c41c 5b5e5f5d.....9.u....[^_] 8048480 c3eb0d90 90909090 90909090 90909090................ 8048490 f3c36690..f. Contents of section .fini: 8048494 5383ec08 e887feff ff81c3f7 11000083S............... 80484a4 c4085bc3..[. Contents of section .rodata: 80484a8 03000000 01000200 00000000 48656c6c............Hell 80484b8 6f20576f 726c6400o World. 
Contents of section .eh_frame_hdr: 80484c0 011b033b 28000000 04000000 00feffff...; (........... 80484d0 44000000 40ffffff 68000000 60ffffffD...@...h...`... 80484e0 88000000 d0ffffff c4000000............ Contents of section .eh_frame: 80484ec 14000000 00000000 017a5200 017c0801.........zR..|.. 80484fc 1b0c0404 88010000 20000000 1c000000........ ....... 804850c b4fdffff 40000000 000e0846 0e0c4a0f....@......F..J. 804851c 0b740478 003f1a3b 2a322422 1c000000.t.x.?.; *2$".... 804852c 40000000 d0feffff 1c000000 00410e08@............A.. 804853c 8502420d 0558c50c 04040000 38000000..B..X......8... 804854c 60000000 d0feffff 61000000 00410e08`.......a....A.. 804855c 8502410e 0c870343 0e108604 410e1483..A....C....A... 804856c 054e0e30 02480e14 41c30e10 41c60e0c.N.0.H..A...A... 804857c 41c70e08 41c50e04 10000000 9c000000A...A........... 804858c 04ffffff 02000000 00000000 00000000................ Contents of section .init_array: 804959c d0830408.... Contents of section .fini_array: 80495a0 a0830408.... Contents of section .jcr: 80495a4 00000000.... Contents of section .dynamic: 80495a8 01000000 10000000 0c000000 90820408................ 80495b8 0d000000 94840408 19000000 9c950408................ 80495c8 1b000000 04000000 1a000000 a0950408................ 80495d8 1c000000 04000000 f5feff6f 8c810408...........o.... 80495e8 05000000 fc810408 06000000 ac810408................ 80495f8 0a000000 4a000000 0b000000 10000000....J........... 8049608 15000000 00000000 03000000 94960408................ 8049618 02000000 18000000 14000000 11000000................ 8049628 17000000 78820408 11000000 70820408....x.......p... 8049638 12000000 08000000 13000000 08000000................ 8049648 feffff6f 50820408 ffffff6f 01000000...oP......o.... 8049658 f0ffff6f 46820408 00000000 00000000...oF........... 8049668 00000000 00000000 00000000 00000000................ 8049678 00000000 00000000 00000000 00000000................ 8049688 00000000 00000000........ 
Contents of section .got: 8049690 00000000.... Contents of section .got.plt: 8049694 a8950408 00000000 00000000 d6820408................ 80496a4 e6820408 f6820408........ Contents of section .data: 80496ac 00000000.... Contents of section .comment: 0000 4743433a 2028474e 55292034 2e372e32GCC: (GNU) 4.7.2 0010 20323031 32303932 31202852 6564204820120921 (Red H 0020 61742034 2e372e32 2d322900at 4.7.2-2). Contents of section .debug_aranges: 0000 1c000000 02000000 00000400 00000000................ 0010 00840408 1c000000 00000000 00000000................ Contents of section .debug_info: 0000 b8000000 04000000 00000401 38000000............8... 0010 01950000 009a0000 00008404 081c8404................ 0020 08000000 00020407 18000000 02010825...............% 0030 00000002 02078200 00000204 07130000................ 0040 00020106 27000000 020205ab 00000003....'........... 0050 0405696e 74000208 05000000 00020807..int........... 0060 0e000000 02040505 00000002 0407b500................ 0070 00000404 78000000 0201062e 00000005....x........... 0080 33000000 01034f00 00000084 04081c843.....O......... 0090 0408019c b5000000 067d0000 0001034f.........}.....O 00a0 00000002 910006be 00000001 03b50000................ 00b0 00029104 00040472 00000000.......r.... Contents of section .debug_abbrev: 0000 01110125 0e130b03 0e1b0e11 01120110...%............ 0010 17000002 24000b0b 3e0b030e 00000324....$...>......$ 0020 000b0b3e 0b030800 00040f00 0b0b4913...>..........I. 0030 0000052e 013f1903 0e3a0b3b 0b271949.....?...:.; .'.I 0040 13110112 01401896 42190113 00000605.....@..B....... 0050 00030e3a 0b3b0b49 13021800 0000...:.; .I...... Contents of section .debug_line: 0000 31000000 02001b00 00000101 fb0e0d001............... 0010 01010101 00000001 00000100 68772e63............hw.c 0020 00000000 00000502 00840408 1591bb59...............Y 0030 02020001 01..... 
Contents of section .debug_str: 0000 6c6f6e67 206c6f6e 6720696e 74006c6flong long int.lo 0010 6e67206c 6f6e6720 756e7369 676e6564ng long unsigned 0020 20696e74 00756e73 69676e65 64206368int.unsigned ch 0030 6172006d 61696e00 474e5520 4320342ear.main.GNU C 4. 0040 372e3220 32303132 30393231 202852657.2 20120921 (Re 0050 64204861 7420342e 372e322d 3229202dd Hat 4.7.2-2) - 0060 6d74756e 653d6765 6e657269 63202d6dmtune=generic -m 0070 61726368 3d693638 36202d67 00617267arch=i686 -g.arg 0080 63007368 6f727420 756e7369 676e6564c.short unsigned 0090 20696e74 0068772e 63002f77 6f726b2fint.hw.c./work/ 00a0 6469736b 322f7465 73740073 686f7274disk2/test.short 00b0 20696e74 0073697a 65747970 65006172int.sizetype.ar 00c0 677600gv.



strings - print the strings of printable characters in files.
$ strings - a.out /lib/ld-linux.so.2 __gmon_start__ libc.so.6 _IO_stdin_used puts __libc_start_main GLIBC_2.0 PTRh [^_] Hello World ; *2$" GCC: (GNU) 4.7.2 20120921 (Red Hat 4.7.2-2) hw.c long long int long long unsigned int unsigned char main GNU C 4.7.2 20120921 (Red Hat 4.7.2-2) -mtune=generic -march=i686 -g argc short unsigned int hw.c /work/disk2/test short int sizetype argv .symtab .strtab .shstrtab .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .jcr .dynamic .got .got.plt .data .bss .comment .debug_aranges .debug_info .debug_abbrev .debug_line .debug_str crtstuff.c __JCR_LIST__ deregister_tm_clones register_tm_clones __do_global_dtors_aux completed.5745 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry hw.c __FRAME_END__ __JCR_END__ __init_array_end _DYNAMIC __init_array_start _GLOBAL_OFFSET_TABLE_ __libc_csu_fini _ITM_deregisterTMCloneTable __x86.get_pc_thunk.bx data_start _edata _fini __data_start puts@@GLIBC_2.0 __gmon_start__ __dso_handle _IO_stdin_used __libc_start_main@@GLIBC_2.0 __libc_csu_init _end _start _fp_hw __bss_start main _Jv_RegisterClasses __TMC_END__ _ITM_registerTMCloneTable _init


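strip - Discard symbols from object files.
$ strip a.out
$ nm a.out
nm: a.out: no symbols
strip 默认删除 .symtab、.strtab 以及 .debug_* 调试节(上面 objdump -s 输出的 .debug_str 中的源码路径 /work/disk2/test 也随之消失);动态链接所需的 .dynsym/.dynstr 仍然保留,可用 nm -D a.out 查看。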



ldd - print shared library dependencies
ldd 可能会通过动态加载器运行目标文件本身;分析来源不明的二进制文件时,可改用 objdump -p a.out | grep NEEDED 或 readelf -d a.out 查看依赖。
$ ldd -v a.out
	linux-gate.so.1 =>  (0x00e50000)
	libc.so.6 => /lib/libc.so.6 (0x4dd92000)
	/lib/ld-linux.so.2 (0x4dd6f000)

	Version information:
	./a.out:
		libc.so.6 (GLIBC_2.0) => /lib/libc.so.6
	/lib/libc.so.6:
		ld-linux.so.2 (GLIBC_2.3) => /lib/ld-linux.so.2
		ld-linux.so.2 (GLIBC_PRIVATE) => /lib/ld-linux.so.2
		ld-linux.so.2 (GLIBC_2.1) => /lib/ld-linux.so.2



