人體汽肛 - 風馳電掣, 人車一體: dynamic loader/linker 實作 (1)

我在很久以前學習組合語言時 (雖然很久之前就學, 不過並不表示我有學好, 事實上, 它還讓我產生不少挫折感), 就有一個疑問?

dos 執行檔和其他 os 執行檔有什麼分別, 為什麼不能拿來互相執行? 因為都是 intel cpu, machine code 應該都一樣。
ex:
nop 這指令, 在 dos, os/2, linux, win 3.1, win 95, winnt, winxp 不都是 0x90 嗎？為什麼不能在每個 os 平台執行這個執行檔。

別急 ... 我知道你可能有幾個答案, 但這可不是簡單就能回答的問題。這次介紹的範例程式就是要來突破這樣的限制, 不過不是載入/執行執行檔 (pe, elf), 而是 object file (coff, elf format), 我要在 linux 上載入/執行 windows coff object file。能載入 objet file 應該也能載入 pe file, 這我就沒實作過了, load/relocate/run object file 的練習對我來說已經足夠, 我已經滿足, 希望有人看到我這篇後, 實作出載入 pe 的版本。而為什麼我這麼說呢？因為要是不行, 那 wine 是怎麼做到的, 所以一定有辦法, 而難度我覺得比本範例要難上不少。

在自行 parse elf object file 之後, 我有了上述的想法, 因為原理都是一樣的, 只要能從 coff object file 找到一樣的資訊, 應該可以搞定, 能完成的話一定很酷。

流程大概是這樣:

load elf/coff object to memory.
do the relocation.
call the object hello function, hello will call func, func will call printf.
back to linux shell prompt.

所需要的知識:

程式設計師的自我修養 - 連結、載入、程式庫 chapter 3, 4, 6, 7。
Binary Hacks--駭客秘傳技巧一百招 #72

要看懂這個範例程式, 上述資料一定要看懂, 這個程式是我集合上面兩本的內容發展而來。

coff 可以參考:

我研究 machine code 就是為了要做 dynamic linker/loader, 因為要把 address 的部份找出來, 然後修改它; 而事實上, 事情比我想的更簡單, assembler 已經做好最難的苦工, 把要修改的位址, 該位址要填上的新值都已經紀錄在 object file, 程式只要去讀出來就好了, 不過研讀 machine code 還是沒有白費, 至少能看懂修改了什麼部份, 只是沒那麼重要就是。

來看看要載入的 object source code, 目的很簡單, 就是要去執行 hello() 然後返回呼叫端。

hello.c

 1 #include <stdio.h>
 2 
 3 int p=0x9876;
 4 int i=0x1234;
 5 
 6 void func(int *j)
 7 {
 8   *j = 0x56ef;
 9 #ifdef _MSC_VER
10   printf("vc i: %x\n", i);
11 #else
12   printf("gcc/linux i: %x\n", i);
13 #endif
14   return;
15 }
16 
17 void hello()
18 {
19   //puts("hello");
20   func(&i);
21 }

這次的工具除了 linux 上的開發工具還要準備 windows 上的開發工具 vc2010, 用來編譯出 coff object file, 你可能需要兩台電腦或是使用 vmware 這樣的虛擬機器。

env:
vc2010
windows xp
cl /c hello.c 產生 hello.obj (要載入的就是這個 object file)

程式最主要就是在 linux 載入由 windows vc2010 產生的 hello.obj, 先來分析這個 object file。
我用上的工具有:
dumpbin (vc2010)
objdump (mingw)
hexdump

GNU toolchain 我比較熟悉, 可惜 readelf 這個最有力的工具沒有 coff 版本, 使用 dumpbin 代替。

要怎麼開始呢？先來找出要 relocation 的地方吧, 看看 table 1 和 table 3 所標示的紅色部份。

總共有五處, 我有提到, 要是能看懂機械碼, 把這五處看出來會比較輕鬆, 若是看後面的組合語言部份, 應該也勉強可看出來, 這裡需要知道 c function call 轉成組合語言後的規則, 若不懂, 這裡可能會有點難理解 (這你得先克服, 我沒打算說明這部份, 請參考組合語言書籍和 c 連結的部分)。再來就是找出這五個地方的位址, 把 relocate 後的值填上。

說來簡單, 要怎麼找呢？從 coff object file 本身就可以得到這五個地方的位址。

relocate _func:
找出 .text section 的 offset (因為 _func 在 .text section), table 1 L92 得知, .text offset 是 0x165
L117 0x39
0x165+0x39 = 0x19e
Table 2 0x19e 將 00000000 (4 bytes) 填上正確的值就完成了。
那正確的值是多少呢？
_func 這個 symbol 在記憶體上的位置是多少, 就是那個值了。所以先找到 _func 在檔案中的 offset, 在加上整個 hello.obj 被載入到記憶體的位置就搞定。

talbe 1 L133 可以查到 _func 在 SEC4 (L87 得到 .text, offset 0x165), symbol 那欄是 0, 所以 0x165 + 0 = 0x165 就是 _func 所在檔案 offset。Table 2 藍色部份就是 _func。

搞定了嗎？還沒, e8 是 call 指令, 感覺填上要位址就是要 call 的位址, 但是 call 指令並不是這麼直覺, 它是這樣的:
假設要 call 0x100 的位址, 實際上的指令是 (0x100, 0x110, 0x115 為記憶體位址)
0x100
...
...
0x110 call ???
0x115 nop
??? 是 0x100 - 0x115 = -0x15 -> call -0x15 才會去 call 0x100 的位址。

所以這個值得要用 _func - cal 下一個指令的位址 (ref TABLE 0x1a2) -> 0x165 - 0x1a2 = 0xffffffc3 (十進位 -61), 填上就對了。

來看看 _hello 的 offset:
Talbe 1 L133 可以查到 _func 在 SEC4 (L87 得到 .text, offset 0x165), symbol 那欄是 0x30, 所以 0x165 + 0 = 0x190 就是 _hello 所在檔案 offset。Table 2 綠色部份就是 _hello。

relocate _i:
步驟都一樣, 從 Table 1 L192 找出 _i 在 SEC3, SEC3 offset (0x153)+ _i SYMOBL 值是 4 = 0x157。
那個地方要改成 0x157 呢？

table 1 L113 (0xe), L116 (0x34)

relocate $SG2641: 這是 printf 傳入的字串, hello.c L10 or L12, 道理一樣, 自己試試看。

relocate _printf, 這個最簡單了, printf 已經被我使用 static link 連結到主程式中, 怎麼得到他的位址?
printf_addr = &printf;
出乎意料之外的簡單吧, 想辦法把這位址放在 call printf 這邊就對了, 和 _func 一樣的作法。而這個就是 windows coff 可以正常在 linux 環境執行的關鍵, 把 windows printf 的位址換成 linux printf 即可, 秘密說穿了, 很簡單吧！

最後提一下這個語法, 很嚇人吧！
(*(void(*)())(hello_addr + text_offset + hello_val) )();
把 hello() 的位址當成 function pointer 來執行, 如果你看不懂, 就先背起來, 搞懂那一堆 relocation value 應該已經昏頭了。

除了使用 vs 2010 compile 這個 hello.o, 我還測試了 cygwin gcc, mingw gcc, 本程式都可以正常載入並執行。

table x 是程式執行結果, 也歡迎自己 git clone 把程式 compile 起來試試。

table 1: dumpbin /ALL hello.obj > hello.obj.txt

  1 Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
  2 Copyright (C) Microsoft Corporation.  All rights reserved.
  3 
  4 
  5 Dump of file hello.obj
  6 
  7 File Type: COFF OBJECT
  8 
  9 FILE HEADER VALUES
 10              14C machine (x86)
 11                4 number of sections
 12         51D224BB time date stamp Tue Jul 02 08:54:19 2013
 13              1D9 file pointer to symbol table
 14               10 number of symbols
 15                0 size of optional header
 16                0 characteristics
 17 
 18 SECTION HEADER #1
 19 .drectve name
 20        0 physical address
 21        0 virtual address
 22       2F size of raw data
 23       B4 file pointer to raw data (000000B4 to 000000E2)
 24        0 file pointer to relocation table
 25        0 file pointer to line numbers
 26        0 number of relocations
 27        0 number of line numbers
 28   100A00 flags
 29          Info
 30          Remove
 31          1 byte align
 32 
 33 RAW DATA #1
 34   00000000: 20 20 20 2F 44 45 46 41 55 4C 54 4C 49 42 3A 22     /DEFAULTLIB:"
 35   00000010: 4C 49 42 43 4D 54 22 20 2F 44 45 46 41 55 4C 54  LIBCMT" /DEFAULT
 36   00000020: 4C 49 42 3A 22 4F 4C 44 4E 41 4D 45 53 22 20     LIB:"OLDNAMES" 
 37 
 38    Linker Directives
 39    -----------------
 40    /DEFAULTLIB:"LIBCMT"
 41    /DEFAULTLIB:"OLDNAMES"
 42 
 43 SECTION HEADER #2
 44 .debug$S name
 45        0 physical address
 46        0 virtual address
 47       70 size of raw data
 48       E3 file pointer to raw data (000000E3 to 00000152)
 49        0 file pointer to relocation table
 50        0 file pointer to line numbers
 51        0 number of relocations
 52        0 number of line numbers
 53 42100040 flags
 54          Initialized Data
 55          Discardable
 56          1 byte align
 57          Read Only
 58 
 59 RAW DATA #2
 60   00000000: 04 00 00 00 F1 00 00 00 64 00 00 00 26 00 01 11  ....n...d...&...
 61   00000010: 00 00 00 00 43 3A 5C 67 69 74 5C 70 72 6F 67 73  ....C:\git\progs
 62   00000020: 5C 6C 6F 61 64 5F 6F 62 6A 5C 68 65 6C 6C 6F 2E  \load_obj\hello.
 63   00000030: 6F 62 6A 00 3A 00 3C 11 00 22 00 00 07 00 10 00  obj.:.<.."......
 64   00000040: 00 00 6F 76 01 00 10 00 00 00 6F 76 01 00 4D 69  ..ov......ov..Mi
 65   00000050: 63 72 6F 73 6F 66 74 20 28 52 29 20 4F 70 74 69  crosoft (R) Opti
 66   00000060: 6D 69 7A 69 6E 67 20 43 6F 6D 70 69 6C 65 72 00  mizing Compiler.
 67 
 68 SECTION HEADER #3
 69    .data name
 70        0 physical address
 71        0 virtual address
 72       12 size of raw data
 73      153 file pointer to raw data (00000153 to 00000164)
 74        0 file pointer to relocation table
 75        0 file pointer to line numbers
 76        0 number of relocations
 77        0 number of line numbers
 78 C0300040 flags
 79          Initialized Data
 80          4 byte align
 81          Read Write
 82 
 83 RAW DATA #3
 84   00000000: 76 98 00 00 34 12 00 00 76 63 20 69 3A 20 25 78  v...4...vc i: %x
 85   00000010: 0A 00                                            ..
 86 
 87 SECTION HEADER #4
 88    .text name
 89        0 physical address
 90        0 virtual address
 91       42 size of raw data
 92      165 file pointer to raw data (00000165 to 000001A6)
 93      1A7 file pointer to relocation table
 94        0 file pointer to line numbers
 95        5 number of relocations
 96        0 number of line numbers
 97 60500020 flags
 98          Code
 99          16 byte align
100          Execute Read
101 
102 RAW DATA #4
103   00000000: 55 8B EC 8B 45 08 C7 00 EF 56 00 00 8B 0D 00 00  U.i.E.C.iV......
104   00000010: 00 00 51 68 00 00 00 00 E8 00 00 00 00 83 C4 08  ..Qh....e.....A.
105   00000020: 5D C3 CC CC CC CC CC CC CC CC CC CC CC CC CC CC  ]AIIIIIIIIIIIIII
106   00000030: 55 8B EC 68 00 00 00 00 E8 00 00 00 00 83 C4 04  U.ih....e.....A.
107   00000040: 5D C3                                            ]A
108 
109 RELOCATIONS #4
110                                                 Symbol    Symbol
111  Offset    Type              Applied To         Index     Name
112  --------  ----------------  -----------------  --------  ------
113  0000000E  DIR32                      00000000         9  _i
114  00000014  DIR32                      00000000         A  $SG2641
115  00000019  REL32                      00000000         E  _printf
116  00000034  DIR32                      00000000         9  _i
117  00000039  REL32                      00000000         D  _func
118 
119 COFF SYMBOL TABLE
120 000 00AA766F ABS    notype       Static       | @comp.id
121 001 00000001 ABS    notype       Static       | @feat.00
122 002 00000000 SECT1  notype       Static       | .drectve
123     Section length   2F, #relocs    0, #linenums    0, checksum        0
124 004 00000000 SECT2  notype       Static       | .debug$S
125     Section length   70, #relocs    0, #linenums    0, checksum        0
126 006 00000000 SECT3  notype       Static       | .data
127     Section length   12, #relocs    0, #linenums    0, checksum C0D84B87
128 008 00000000 SECT3  notype       External     | _p
129 009 00000004 SECT3  notype       External     | _i
130 00A 00000008 SECT3  notype       Static       | $SG2641
131 00B 00000000 SECT4  notype       Static       | .text
132     Section length   42, #relocs    5, #linenums    0, checksum 3672F956
133 00D 00000000 SECT4  notype ()    External     | _func
134 00E 00000000 UNDEF  notype ()    External     | _printf
135 00F 00000030 SECT4  notype ()    External     | _hello
136 
137 String Table Size = 0x0 bytes
138 
139   Summary
140 
141           12 .data
142           70 .debug$S
143           2F .drectve
144           42 .text

table 2 - hexdump -C hello.obj

00000000  4c 01 04 00 bb 24 d2 51  d9 01 00 00 10 00 00 00  |L....$.Q........|
00000010  00 00 00 00 2e 64 72 65  63 74 76 65 00 00 00 00  |.....drectve....|
00000020  00 00 00 00 2f 00 00 00  b4 00 00 00 00 00 00 00  |..../...........|
00000030  00 00 00 00 00 00 00 00  00 0a 10 00 2e 64 65 62  |.............deb|
00000040  75 67 24 53 00 00 00 00  00 00 00 00 70 00 00 00  |ug$S........p...|
00000050  e3 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  40 00 10 42 2e 64 61 74  61 00 00 00 00 00 00 00  |@..B.data.......|
00000070  00 00 00 00 12 00 00 00  53 01 00 00 00 00 00 00  |........S.......|
00000080  00 00 00 00 00 00 00 00  40 00 30 c0 2e 74 65 78  |........@.0..tex|
00000090  74 00 00 00 00 00 00 00  00 00 00 00 42 00 00 00  |t...........B...|
000000a0  65 01 00 00 a7 01 00 00  00 00 00 00 05 00 00 00  |e...............|
000000b0  20 00 50 60 20 20 20 2f  44 45 46 41 55 4c 54 4c  | .P`   /DEFAULTL|
000000c0  49 42 3a 22 4c 49 42 43  4d 54 22 20 2f 44 45 46  |IB:"LIBCMT" /DEF|
000000d0  41 55 4c 54 4c 49 42 3a  22 4f 4c 44 4e 41 4d 45  |AULTLIB:"OLDNAME|
000000e0  53 22 20 04 00 00 00 f1  00 00 00 64 00 00 00 26  |S" ........d...&|
000000f0  00 01 11 00 00 00 00 43  3a 5c 67 69 74 5c 70 72  |.......C:\git\pr|
00000100  6f 67 73 5c 6c 6f 61 64  5f 6f 62 6a 5c 68 65 6c  |ogs\load_obj\hel|
00000110  6c 6f 2e 6f 62 6a 00 3a  00 3c 11 00 22 00 00 07  |lo.obj.:.<.."...|
00000120  00 10 00 00 00 6f 76 01  00 10 00 00 00 6f 76 01  |.....ov......ov.|
00000130  00 4d 69 63 72 6f 73 6f  66 74 20 28 52 29 20 4f  |.Microsoft (R) O|
00000140  70 74 69 6d 69 7a 69 6e  67 20 43 6f 6d 70 69 6c  |ptimizing Compil|
00000150  65 72 00 76 98 00 00 34  12 00 00 76 63 20 69 3a  |er.v...4...vc i:|
00000160  20 25 78 0a 00 55 8b ec  8b 45 08 c7 00 ef 56 00  | %x..U...E....V.|
00000170  00 8b 0d 00 00 00 00 51  68 00 00 00 00 e8 00 00  |.......Qh.......|
00000180  00 00 83 c4 08 5d c3 cc  cc cc cc cc cc cc cc cc  |.....]..........|
00000190  cc cc cc cc cc 55 8b ec  68 00 00 00 00 e8 00 00  |.....U..h.......|
000001a0  00 00 83 c4 04 5d c3 0e  00 00 00 09 00 00 00 06  |.....]..........|
000001b0  00 14 00 00 00 0a 00 00  00 06 00 19 00 00 00 0e  |................|
000001c0  00 00 00 14 00 34 00 00  00 09 00 00 00 06 00 39  |.....4.........9|
000001d0  00 00 00 0d 00 00 00 14  00 40 63 6f 6d 70 2e 69  |.........@comp.i|
000001e0  64 6f 76 aa 00 ff ff 00  00 03 00 40 66 65 61 74  |dov........@feat|
000001f0  2e 30 30 01 00 00 00 ff  ff 00 00 03 00 2e 64 72  |.00...........dr|
00000200  65 63 74 76 65 00 00 00  00 01 00 00 00 03 01 2f  |ectve........../|
00000210  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000220  00 2e 64 65 62 75 67 24  53 00 00 00 00 02 00 00  |..debug$S.......|
00000230  00 03 01 70 00 00 00 00  00 00 00 00 00 00 00 00  |...p............|
00000240  00 00 00 00 00 2e 64 61  74 61 00 00 00 00 00 00  |......data......|
00000250  00 03 00 00 00 03 01 12  00 00 00 00 00 00 00 87  |................|
00000260  4b d8 c0 00 00 00 00 00  00 5f 70 00 00 00 00 00  |K........_p.....|
00000270  00 00 00 00 00 03 00 00  00 02 00 5f 69 00 00 00  |..........._i...|
00000280  00 00 00 04 00 00 00 03  00 00 00 02 00 24 53 47  |.............$SG|
00000290  32 36 34 31 00 08 00 00  00 03 00 00 00 03 00 2e  |2641............|
000002a0  74 65 78 74 00 00 00 00  00 00 00 04 00 00 00 03  |text............|
000002b0  01 42 00 00 00 05 00 00  00 56 f9 72 36 00 00 00  |.B.......V.r6...|
000002c0  00 00 00 5f 66 75 6e 63  00 00 00 00 00 00 00 04  |..._func........|
000002d0  00 20 00 02 00 5f 70 72  69 6e 74 66 00 00 00 00  |. ..._printf....|
000002e0  00 00 00 20 00 02 00 5f  68 65 6c 6c 6f 00 00 30  |... ..._hello..0|
000002f0  00 00 00 04 00 20 00 02  00 04 00 00 00           |..... .......|
000002fd

mingw objdump 2.23.1

table 3 objdump -d hello.obj

 1 
 2 hello.obj:     file format pe-i386
 3 
 4 
 5 Disassembly of section .text:
 6 
 7 00000000 <_func>:
 8    0: 55                    push   %ebp
 9    1: 8b ec                 mov    %esp,%ebp
10    3: 8b 45 08              mov    0x8(%ebp),%eax
11    6: c7 00 ef 56 00 00     movl   $0x56ef,(%eax)
12    c: 8b 0d 00 00 00 00     mov    0x0,%ecx
13   12: 51                    push   %ecx
14   13: 68 00 00 00 00        push   $0x0
15   18: e8 00 00 00 00        call   1d <_func+0x1d>
16   1d: 83 c4 08              add    $0x8,%esp
17   20: 5d                    pop    %ebp
18   21: c3                    ret    
19   22: cc                    int3   
20   23: cc                    int3   
21   24: cc                    int3   
22   25: cc                    int3   
23   26: cc                    int3   
24   27: cc                    int3   
25   28: cc                    int3   
26   29: cc                    int3   
27   2a: cc                    int3   
28   2b: cc                    int3   
29   2c: cc                    int3   
30   2d: cc                    int3   
31   2e: cc                    int3   
32   2f: cc                    int3   
33 
34 00000030 <_hello>:
35   30: 55                    push   %ebp
36   31: 8b ec                 mov    %esp,%ebp
37   33: 68 00 00 00 00        push   $0x0
38   38: e8 00 00 00 00        call   3d <_hello+0xd>
39   3d: 83 c4 04              add    $0x4,%esp
40   40: 5d                    pop    %ebp
41   41: c3                    ret

objdump -x hello.obj

 1 
 2 hello.obj:     file format pe-i386
 3 hello.obj
 4 architecture: i386, flags 0x0000003d:
 5 HAS_RELOC, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS
 6 start address 0x00000000
 7 
 8 Characteristics 0x0
 9 
10 Time/Date  Tue Jul 02 08:54:19 2013
11 Magic   0000
12 MajorLinkerVersion 0
13 MinorLinkerVersion 0
14 SizeOfCode  00000000
15 SizeOfInitializedData 00000000
16 SizeOfUninitializedData 00000000
17 AddressOfEntryPoint 00000000
18 BaseOfCode  00000000
19 BaseOfData  00000000
20 ImageBase  00000000
21 SectionAlignment 00000000
22 FileAlignment  00000000
23 MajorOSystemVersion 0
24 MinorOSystemVersion 0
25 MajorImageVersion 0
26 MinorImageVersion 0
27 MajorSubsystemVersion 0
28 MinorSubsystemVersion 0
29 Win32Version  00000000
30 SizeOfImage  00000000
31 SizeOfHeaders  00000000
32 CheckSum  00000000
33 Subsystem  00000000 (unspecified)
34 DllCharacteristics 00000000
35 SizeOfStackReserve 00000000
36 SizeOfStackCommit 00000000
37 SizeOfHeapReserve 00000000
38 SizeOfHeapCommit 00000000
39 LoaderFlags  00000000
40 NumberOfRvaAndSizes 00000000
41 
42 The Data Directory
43 Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
44 Entry 1 00000000 00000000 Import Directory [parts of .idata]
45 Entry 2 00000000 00000000 Resource Directory [.rsrc]
46 Entry 3 00000000 00000000 Exception Directory [.pdata]
47 Entry 4 00000000 00000000 Security Directory
48 Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
49 Entry 6 00000000 00000000 Debug Directory
50 Entry 7 00000000 00000000 Description Directory
51 Entry 8 00000000 00000000 Special Directory
52 Entry 9 00000000 00000000 Thread Storage Directory [.tls]
53 Entry a 00000000 00000000 Load Configuration Directory
54 Entry b 00000000 00000000 Bound Import Directory
55 Entry c 00000000 00000000 Import Address Table Directory
56 Entry d 00000000 00000000 Delay Import Directory
57 Entry e 00000000 00000000 CLR Runtime Header
58 Entry f 00000000 00000000 Reserved
59 
60 Sections:
61 Idx Name          Size      VMA               LMA               File off  Algn
62   0 .drectve      0000002f  00000000  00000000  000000b4  2**0
63                   CONTENTS, READONLY, DEBUGGING, EXCLUDE
64   1 .debug$S      00000070  00000000  00000000  000000e3  2**0
65                   CONTENTS, READONLY, DEBUGGING
66   2 .data         00000012  00000000  00000000  00000153  2**2
67                   CONTENTS, ALLOC, LOAD, DATA
68   3 .text         00000042  00000000  00000000  00000165  2**4
69                   CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
70 SYMBOL TABLE:
71 [  0](sec -1)(fl 0x00)(ty   0)(scl   3) (nx 0) 0x00aa766f @comp.id
72 [  1](sec -1)(fl 0x00)(ty   0)(scl   3) (nx 0) 0x00000001 @feat.00
73 [  2](sec  1)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .drectve
74 AUX scnlen 0x2f nreloc 0 nlnno 0
75 [  4](sec  2)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .debug$S
76 AUX scnlen 0x70 nreloc 0 nlnno 0
77 [  6](sec  3)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .data
78 AUX scnlen 0x12 nreloc 0 nlnno 0 checksum 0xc0d84b87 assoc 0 comdat 0
79 [  8](sec  3)(fl 0x00)(ty   0)(scl   2) (nx 0) 0x00000000 _p
80 [  9](sec  3)(fl 0x00)(ty   0)(scl   2) (nx 0) 0x00000004 _i
81 [ 10](sec  3)(fl 0x00)(ty   0)(scl   3) (nx 0) 0x00000008 $SG2641
82 [ 11](sec  4)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .text
83 AUX scnlen 0x42 nreloc 5 nlnno 0 checksum 0x3672f956 assoc 0 comdat 0
84 [ 13](sec  4)(fl 0x00)(ty  20)(scl   2) (nx 0) 0x00000000 _func
85 [ 14](sec  0)(fl 0x00)(ty  20)(scl   2) (nx 0) 0x00000000 _printf
86 [ 15](sec  4)(fl 0x00)(ty  20)(scl   2) (nx 0) 0x00000030 _hello
87 
88 
89 RELOCATION RECORDS FOR [.text]:
90 OFFSET   TYPE              VALUE 
91 0000000e dir32             _i-0x00000004
92 00000014 dir32             $SG2641-0x00000008
93 00000019 DISP32            _printf
94 00000034 dir32             _i-0x00000004
95 00000039 DISP32            _func
96 
97

cygwin objdump 2.22.52

objdump.d

 1 
 2 hello.obj:     file format pe-i386
 3 
 4 
 5 Disassembly of section .text:
 6 
 7 00000000 <_func>:
 8    0: 55                    push   %ebp
 9    1: 8b ec                 mov    %esp,%ebp
10    3: 8b 45 08              mov    0x8(%ebp),%eax
11    6: c7 00 ef 56 00 00     movl   $0x56ef,(%eax)
12    c: 8b 0d 00 00 00 00     mov    0x0,%ecx
13   12: 51                    push   %ecx
14   13: 68 00 00 00 00        push   $0x0
15   18: e8 00 00 00 00        call   1d <_func+0x1d>
16   1d: 83 c4 08              add    $0x8,%esp
17   20: 5d                    pop    %ebp
18   21: c3                    ret    
19   22: cc                    int3   
20   23: cc                    int3   
21   24: cc                    int3   
22   25: cc                    int3   
23   26: cc                    int3   
24   27: cc                    int3   
25   28: cc                    int3   
26   29: cc                    int3   
27   2a: cc                    int3   
28   2b: cc                    int3   
29   2c: cc                    int3   
30   2d: cc                    int3   
31   2e: cc                    int3   
32   2f: cc                    int3   
33 
34 00000030 <_hello>:
35   30: 55                    push   %ebp
36   31: 8b ec                 mov    %esp,%ebp
37   33: 68 00 00 00 00        push   $0x0
38   38: e8 00 00 00 00        call   3d <_hello+0xd>
39   3d: 83 c4 04              add    $0x4,%esp
40   40: 5d                    pop    %ebp
41   41: c3                    ret

objdump.x

 1 
 2 hello.obj:     file format pe-i386
 3 hello.obj
 4 architecture: i386, flags 0x0000003d:
 5 HAS_RELOC, HAS_LINENO, HAS_DEBUG, HAS_SYMS, HAS_LOCALS
 6 start address 0x00000000
 7 
 8 Characteristics 0x0
 9 
10 Time/Date  Tue Jul  2 08:54:19 2013
11 Magic   0000
12 MajorLinkerVersion 0
13 MinorLinkerVersion 0
14 SizeOfCode  00000000
15 SizeOfInitializedData 00000000
16 SizeOfUninitializedData 00000000
17 AddressOfEntryPoint 00000000
18 BaseOfCode  00000000
19 BaseOfData  00000000
20 ImageBase  00000000
21 SectionAlignment 00000000
22 FileAlignment  00000000
23 MajorOSystemVersion 0
24 MinorOSystemVersion 0
25 MajorImageVersion 0
26 MinorImageVersion 0
27 MajorSubsystemVersion 0
28 MinorSubsystemVersion 0
29 Win32Version  00000000
30 SizeOfImage  00000000
31 SizeOfHeaders  00000000
32 CheckSum  00000000
33 Subsystem  00000000 (unspecified)
34 DllCharacteristics 00000000
35 SizeOfStackReserve 00000000
36 SizeOfStackCommit 00000000
37 SizeOfHeapReserve 00000000
38 SizeOfHeapCommit 00000000
39 LoaderFlags  00000000
40 NumberOfRvaAndSizes 00000000
41 
42 The Data Directory
43 Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
44 Entry 1 00000000 00000000 Import Directory [parts of .idata]
45 Entry 2 00000000 00000000 Resource Directory [.rsrc]
46 Entry 3 00000000 00000000 Exception Directory [.pdata]
47 Entry 4 00000000 00000000 Security Directory
48 Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
49 Entry 6 00000000 00000000 Debug Directory
50 Entry 7 00000000 00000000 Description Directory
51 Entry 8 00000000 00000000 Special Directory
52 Entry 9 00000000 00000000 Thread Storage Directory [.tls]
53 Entry a 00000000 00000000 Load Configuration Directory
54 Entry b 00000000 00000000 Bound Import Directory
55 Entry c 00000000 00000000 Import Address Table Directory
56 Entry d 00000000 00000000 Delay Import Directory
57 Entry e 00000000 00000000 CLR Runtime Header
58 Entry f 00000000 00000000 Reserved
59 
60 Sections:
61 Idx Name          Size      VMA       LMA       File off  Algn
62   0 .drectve      0000002f  00000000  00000000  000000b4  2**0
63                   CONTENTS, READONLY, DEBUGGING, EXCLUDE
64   1 .debug$S      00000070  00000000  00000000  000000e3  2**0
65                   CONTENTS, READONLY, DEBUGGING
66   2 .data         00000012  00000000  00000000  00000153  2**2
67                   CONTENTS, ALLOC, LOAD, DATA
68   3 .text         00000042  00000000  00000000  00000165  2**4
69                   CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
70 SYMBOL TABLE:
71 [  0](sec -1)(fl 0x00)(ty   0)(scl   3) (nx 0) 0x00aa766f @comp.id
72 [  1](sec -1)(fl 0x00)(ty   0)(scl   3) (nx 0) 0x00000001 @feat.00
73 [  2](sec  1)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .drectve
74 AUX scnlen 0x2f nreloc 0 nlnno 0
75 [  4](sec  2)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .debug$S
76 AUX scnlen 0x70 nreloc 0 nlnno 0
77 [  6](sec  3)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .data
78 AUX scnlen 0x12 nreloc 0 nlnno 0 checksum 0xc0d84b87 assoc 0 comdat 0
79 [  8](sec  3)(fl 0x00)(ty   0)(scl   2) (nx 0) 0x00000000 _p
80 [  9](sec  3)(fl 0x00)(ty   0)(scl   2) (nx 0) 0x00000004 _i
81 [ 10](sec  3)(fl 0x00)(ty   0)(scl   3) (nx 0) 0x00000008 $SG2641
82 [ 11](sec  4)(fl 0x00)(ty   0)(scl   3) (nx 1) 0x00000000 .text
83 AUX scnlen 0x42 nreloc 5 nlnno 0 checksum 0x3672f956 assoc 0 comdat 0
84 [ 13](sec  4)(fl 0x00)(ty  20)(scl   2) (nx 0) 0x00000000 _func
85 [ 14](sec  0)(fl 0x00)(ty  20)(scl   2) (nx 0) 0x00000000 _printf
86 [ 15](sec  4)(fl 0x00)(ty  20)(scl   2) (nx 0) 0x00000030 _hello
87 
88 
89 RELOCATION RECORDS FOR [.text]:
90 OFFSET   TYPE              VALUE 
91 0000000e dir32             _i+0xfffffffc
92 00000014 dir32             $SG2641+0xfffffff8
93 00000019 DISP32            _printf
94 00000034 dir32             _i+0xfffffffc
95 00000039 DISP32            _func

table x - ./m vc2010/hello.obj

  1 printf addr: 804a320
  2 hello addr: 0x976e810
  3 align addr: 976e810
  4 align 0x1000 hello addr: 0x976f000
  5 load win coff object: vc2010/hello.obj
  6 Machine: 0x14c
...
173 vc i: 56ef

source code:
https://github.com/descent/progs/tree/master/load_obj

ref:
Code Injection into Running Linux Application 中文版
Code Injection into Running Linux Application
Dynamic Test Runner
It's a PE! No, It's an ELF!

人體汽肛 - 風馳電掣, 人車一體

blog 文章

2013年7月27日星期六

dynamic loader/linker 實作 (1) - 自行載入 object file win32 coff 篇

沒有留言:

張貼留言

blog 文章

2013年7月27日 星期六

dynamic loader/linker 實作 (1) - 自行載入 object file win32 coff 篇

沒有留言:

張貼留言

2013年7月27日星期六