HackTricks
ELF 基本信息
Tip
学习和实践 AWS 黑客技术:
HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE)
HackTricks Training Azure Red Team Expert (AzRTE)
支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。
程序头 (Program Headers)
它们向加载器描述如何将 ELF 加载到内存中:
readelf -lW lnstat
Elf file type is DYN (Position-Independent Executable file)
Entry point 0x1c00
There are 9 program headers, starting at offset 64
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R 0x8
INTERP 0x000238 0x0000000000000238 0x0000000000000238 0x00001b 0x00001b R 0x1
[Requesting program interpreter: /lib/ld-linux-aarch64.so.1]
LOAD 0x000000 0x0000000000000000 0x0000000000000000 0x003f7c 0x003f7c R E 0x10000
LOAD 0x00fc48 0x000000000001fc48 0x000000000001fc48 0x000528 0x001190 RW 0x10000
DYNAMIC 0x00fc58 0x000000000001fc58 0x000000000001fc58 0x000200 0x000200 RW 0x8
NOTE 0x000254 0x0000000000000254 0x0000000000000254 0x0000e0 0x0000e0 R 0x4
GNU_EH_FRAME 0x003610 0x0000000000003610 0x0000000000003610 0x0001b4 0x0001b4 R 0x4
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW 0x10
GNU_RELRO 0x00fc48 0x000000000001fc48 0x000000000001fc48 0x0003b8 0x0003b8 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .note.gnu.build-id .note.ABI-tag .note.package .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame
03 .init_array .fini_array .dynamic .got .data .bss
04 .dynamic
05 .note.gnu.build-id .note.ABI-tag .note.package
06 .eh_frame_hdr
07
08 .init_array .fini_array .dynamic .got
The previous program has 9 program headers, then, the segment mapping indicates in which program header (from 00 to 08) each section is located.
PHDR - 程序头 (Program HeaDeR)
Contains the program header tables and metadata itself.
INTERP
Indicates the path of the loader to use to load the binary into memory.
Tip: Statically linked or static-PIE binaries won’t have an
INTERPentry. In those cases there is no dynamic loader involved, which disables techniques that rely on it (e.g.,ret2dlresolve).
LOAD
These headers are used to indicate how to load a binary into memory.
Each LOAD header indicates a region of memory (size, permissions and alignment) and indicates the bytes of the ELF binary to copy in there.
For example, the second one has a size of 0x1190, should be located at 0x1fc48 with permissions read and write and will be filled with 0x528 from the offset 0xfc48 (it doesn’t fill all the reserved space). This memory will contain the sections .init_array .fini_array .dynamic .got .data .bss.
DYNAMIC
This header helps to link programs to their library dependencies and apply relocations. Check the .dynamic section.
NOTE
This stores vendor metadata information about the binary.
- On x86-64,
readelf -nwill showGNU_PROPERTY_X86_FEATURE_1_*flags inside.note.gnu.property. If you seeIBTand/orSHSTK, the binary was built with CET (Indirect Branch Tracking and/or Shadow Stack). This impacts ROP/JOP because indirect branch targets must start with anENDBR64instruction and returns are checked against a shadow stack. See the CET page for details and bypass notes.
GNU_EH_FRAME
Defines the location of the stack unwind tables, used by debuggers and C++ exception handling-runtime functions.
GNU_STACK
Contains the configuration of the stack execution prevention defense. If enabled, the binary won’t be able to execute code from the stack.
- Check with
readelf -l ./bin | grep GNU_STACK. To forcibly toggle it during tests you can useexecstack -s|-c ./bin.
GNU_RELRO
Indicates the RELRO (Relocation Read-Only) configuration of the binary. This protection will mark as read-only certain sections of the memory (like the GOT or the init and fini tables) after the program has loaded and before it begins running.
In the previous example it’s copying 0x3b8 bytes to 0x1fc48 as read-only affecting the sections .init_array .fini_array .dynamic .got .data .bss.
Note that RELRO can be partial or full, the partial version do not protect the section .plt.got, which is used for lazy binding and needs this memory space to have write permissions to write the address of the libraries the first time their location is searched.
For exploitation techniques and up-to-date bypass notes, check the dedicated page:
TLS
Defines a table of TLS entries, which stores info about thread-local variables.
Section Headers
Section headers gives a more detailed view of the ELF binary
objdump lnstat -h
lnstat: file format elf64-littleaarch64
Sections:
Idx Name Size VMA LMA File off Algn
0 .interp 0000001b 0000000000000238 0000000000000238 00000238 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
1 .note.gnu.build-id 00000024 0000000000000254 0000000000000254 00000254 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .note.ABI-tag 00000020 0000000000000278 0000000000000278 00000278 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
3 .note.package 0000009c 0000000000000298 0000000000000298 00000298 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .gnu.hash 0000001c 0000000000000338 0000000000000338 00000338 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .dynsym 00000498 0000000000000358 0000000000000358 00000358 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
6 .dynstr 000001fe 00000000000007f0 00000000000007f0 000007f0 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
7 .gnu.version 00000062 00000000000009ee 00000000000009ee 000009ee 2**1
CONTENTS, ALLOC, LOAD, READONLY, DATA
8 .gnu.version_r 00000050 0000000000000a50 0000000000000a50 00000a50 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
9 .rela.dyn 00000228 0000000000000aa0 0000000000000aa0 00000aa0 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
10 .rela.plt 000003c0 0000000000000cc8 0000000000000cc8 00000cc8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
11 .init 00000018 0000000000001088 0000000000001088 00001088 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
12 .plt 000002a0 00000000000010a0 00000000000010a0 000010a0 2**4
CONTENTS, ALLOC, LOAD, READONLY, CODE
13 .text 00001c34 0000000000001340 0000000000001340 00001340 2**6
CONTENTS, ALLOC, LOAD, READONLY, CODE
14 .fini 00000014 0000000000002f74 0000000000002f74 00002f74 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
15 .rodata 00000686 0000000000002f88 0000000000002f88 00002f88 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
16 .eh_frame_hdr 000001b4 0000000000003610 0000000000003610 00003610 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
17 .eh_frame 000007b4 00000000000037c8 00000000000037c8 000037c8 2**3
CONTENTS, ALLOC, LOAD, READONLY, DATA
18 .init_array 00000008 000000000001fc48 000000000001fc48 0000fc48 2**3
CONTENTS, ALLOC, LOAD, DATA
19 .fini_array 00000008 000000000001fc50 000000000001fc50 0000fc50 2**3
CONTENTS, ALLOC, LOAD, DATA
20 .dynamic 00000200 000000000001fc58 000000000001fc58 0000fc58 2**3
CONTENTS, ALLOC, LOAD, DATA
21 .got 000001a8 000000000001fe58 000000000001fe58 0000fe58 2**3
CONTENTS, ALLOC, LOAD, DATA
22 .data 00000170 0000000000020000 0000000000020000 00010000 2**3
CONTENTS, ALLOC, LOAD, DATA
23 .bss 00000c68 0000000000020170 0000000000020170 00010170 2**3
ALLOC
24 .gnu_debugaltlink 00000049 0000000000000000 0000000000000000 00010170 2**0
CONTENTS, READONLY
25 .gnu_debuglink 00000034 0000000000000000 0000000000000000 000101bc 2**2
CONTENTS, READONLY
它还指示位置、偏移和权限,以及该节包含的 数据类型。
元节
- 字符串表: 它包含 ELF 文件所需的所有字符串(但不一定是程序实际使用的那些)。例如它包含像
.text或.data这样的节名称。如果.text在字符串表中的偏移是 45,那么在 name 字段中会使用数字 45。 - 为了找到字符串表的位置,ELF 包含指向字符串表的指针。
- 符号表: 它包含关于符号的信息,例如名称(在字符串表中的偏移)、地址、大小以及更多关于符号的元数据。
主要节
.text: 程序要执行的指令。.data: 程序中有定义值的全局变量。.bss: 未初始化(或初始化为零)的全局变量。这里的变量会被自动初始化为零,因此避免在二进制中加入无用的零。.rodata: 常量全局变量(只读节)。.tdata和.tbss: 当使用线程局部变量时,类似于.data和.bss(__thread_local在 C++ 中或__thread在 C 中)。.dynamic: 见下文。
符号
符号是程序中有名称的位置,可能是函数、全局数据对象、线程局部变量等。
readelf -s lnstat
Symbol table '.dynsym' contains 49 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000001088 0 SECTION LOCAL DEFAULT 12 .init
2: 0000000000020000 0 SECTION LOCAL DEFAULT 23 .data
3: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strtok@GLIBC_2.17 (2)
4: 0000000000000000 0 FUNC GLOBAL DEFAULT UND s[...]@GLIBC_2.17 (2)
5: 0000000000000000 0 FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.17 (2)
6: 0000000000000000 0 FUNC GLOBAL DEFAULT UND fputs@GLIBC_2.17 (2)
7: 0000000000000000 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.17 (2)
8: 0000000000000000 0 FUNC GLOBAL DEFAULT UND _[...]@GLIBC_2.34 (3)
9: 0000000000000000 0 FUNC GLOBAL DEFAULT UND perror@GLIBC_2.17 (2)
10: 0000000000000000 0 NOTYPE WEAK DEFAULT UND _ITM_deregisterT[...]
11: 0000000000000000 0 FUNC WEAK DEFAULT UND _[...]@GLIBC_2.17 (2)
12: 0000000000000000 0 FUNC GLOBAL DEFAULT UND putc@GLIBC_2.17 (2)
[...]
Each symbol entry contains:
- 名称
- 绑定属性 (weak, local or global):本地符号只能被程序自身访问,而 global 符号则在程序外部也可见。weak 对象例如可以被不同实现覆盖的函数。
- 类型: NOTYPE(未指定类型)、OBJECT(全局数据变量)、FUNC(函数)、SECTION(节)、FILE(调试器的源代码文件)、TLS(线程局部变量)、GNU_IFUNC(用于重定位的间接函数)
- 节 索引(所在节)
- 值(内存中的地址)
- 大小
GNU IFUNC (indirect functions)
- GCC 可以用
__attribute__((ifunc("resolver")))扩展生成STT_GNU_IFUNC符号。动态加载器在加载时调用 resolver 以选择具体实现(通常用于 CPU 分派)。 - 快速排查:
readelf -sW ./bin | rg -i "IFUNC"
GNU Symbol Versioning (dynsym/dynstr/gnu.version)
现代 glibc 使用符号版本。你会在 .gnu.version 和 .gnu.version_r 中看到条目,以及像 strlen@GLIBC_2.17 这样的符号名。动态链接器在解析符号时可能要求特定版本。在手工构造重定位(例如 ret2dlresolve)时,必须提供正确的版本索引,否则解析会失败。
动态段
readelf -d lnstat
Dynamic section at offset 0xfc58 contains 28 entries:
Tag Type Name/Value
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x0000000000000001 (NEEDED) Shared library: [ld-linux-aarch64.so.1]
0x000000000000000c (INIT) 0x1088
0x000000000000000d (FINI) 0x2f74
0x0000000000000019 (INIT_ARRAY) 0x1fc48
0x000000000000001b (INIT_ARRAYSZ) 8 (bytes)
0x000000000000001a (FINI_ARRAY) 0x1fc50
0x000000000000001c (FINI_ARRAYSZ) 8 (bytes)
0x000000006ffffef5 (GNU_HASH) 0x338
0x0000000000000005 (STRTAB) 0x7f0
0x0000000000000006 (SYMTAB) 0x358
0x000000000000000a (STRSZ) 510 (bytes)
0x000000000000000b (SYMENT) 24 (bytes)
0x0000000000000015 (DEBUG) 0x0
0x0000000000000003 (PLTGOT) 0x1fe58
0x0000000000000002 (PLTRELSZ) 960 (bytes)
0x0000000000000014 (PLTREL) RELA
0x0000000000000017 (JMPREL) 0xcc8
0x0000000000000007 (RELA) 0xaa0
0x0000000000000008 (RELASZ) 552 (bytes)
0x0000000000000009 (RELAENT) 24 (bytes)
0x000000000000001e (FLAGS) BIND_NOW
0x000000006ffffffb (FLAGS_1) Flags: NOW PIE
0x000000006ffffffe (VERNEED) 0xa50
0x000000006fffffff (VERNEEDNUM) 2
0x000000006ffffff0 (VERSYM) 0x9ee
0x000000006ffffff9 (RELACOUNT) 15
0x0000000000000000 (NULL) 0x0
The NEEDED 目录表示程序 需要加载提到的库 才能继续。NEEDED 目录在共享 库完全可用并准备好 后完成。
动态加载器搜索顺序 (RPATH/RUNPATH, $ORIGIN)
The entries DT_RPATH (deprecated) and/or DT_RUNPATH influence where the dynamic loader searches for dependencies. Rough order:
LD_LIBRARY_PATH(对于 setuid/sgid 或其他 “secure-execution” 程序会被忽略)DT_RPATH(仅当DT_RUNPATH不存在时)DT_RUNPATHld.so.cache- default directories like
/lib64,/usr/lib64, etc.
$ORIGIN 可在 RPATH/RUNPATH 中使用,用于指代主对象的目录。从攻击者的角度来看,当你控制文件系统布局或环境时这点很重要。对于加固的二进制(AT_SECURE),加载器会忽略大多数环境变量。
- Inspect with:
readelf -d ./bin | egrep -i 'r(path|unpath)' - Quick test:
LD_DEBUG=libs ./bin 2>&1 | grep -i find(显示搜索路径决策)
Priv-esc tip: 优先滥用可写的 RUNPATHs 或者归你所有但配置错误的
$ORIGIN相对路径。LD_PRELOAD/LD_AUDIT 在 secure-execution(setuid)上下文中会被忽略。
Relocations
加载器在加载依赖项后还必须对其进行重定位。这些重定位在重定位表中以 REL 或 RELA 格式标注,重定位数量在动态段 RELSZ 或 RELASZ 中给出。
readelf -r lnstat
Relocation section '.rela.dyn' at offset 0xaa0 contains 23 entries:
Offset Info Type Sym. Value Sym. Name + Addend
00000001fc48 000000000403 R_AARCH64_RELATIV 1d10
00000001fc50 000000000403 R_AARCH64_RELATIV 1cc0
00000001fff0 000000000403 R_AARCH64_RELATIV 1340
000000020008 000000000403 R_AARCH64_RELATIV 20008
000000020010 000000000403 R_AARCH64_RELATIV 3330
000000020030 000000000403 R_AARCH64_RELATIV 3338
000000020050 000000000403 R_AARCH64_RELATIV 3340
000000020070 000000000403 R_AARCH64_RELATIV 3348
000000020090 000000000403 R_AARCH64_RELATIV 3350
0000000200b0 000000000403 R_AARCH64_RELATIV 3358
0000000200d0 000000000403 R_AARCH64_RELATIV 3360
0000000200f0 000000000403 R_AARCH64_RELATIV 3370
000000020110 000000000403 R_AARCH64_RELATIV 3378
000000020130 000000000403 R_AARCH64_RELATIV 3380
000000020150 000000000403 R_AARCH64_RELATIV 3388
00000001ffb8 000a00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_deregisterTM[...] + 0
00000001ffc0 000b00000401 R_AARCH64_GLOB_DA 0000000000000000 __cxa_finalize@GLIBC_2.17 + 0
00000001ffc8 000f00000401 R_AARCH64_GLOB_DA 0000000000000000 stderr@GLIBC_2.17 + 0
00000001ffd0 001000000401 R_AARCH64_GLOB_DA 0000000000000000 optarg@GLIBC_2.17 + 0
00000001ffd8 001400000401 R_AARCH64_GLOB_DA 0000000000000000 stdout@GLIBC_2.17 + 0
00000001ffe0 001e00000401 R_AARCH64_GLOB_DA 0000000000000000 __gmon_start__ + 0
00000001ffe8 001f00000401 R_AARCH64_GLOB_DA 0000000000000000 __stack_chk_guard@GLIBC_2.17 + 0
00000001fff8 002e00000401 R_AARCH64_GLOB_DA 0000000000000000 _ITM_registerTMCl[...] + 0
Relocation section '.rela.plt' at offset 0xcc8 contains 40 entries:
Offset Info Type Sym. Value Sym. Name + Addend
00000001fe70 000300000402 R_AARCH64_JUMP_SL 0000000000000000 strtok@GLIBC_2.17 + 0
00000001fe78 000400000402 R_AARCH64_JUMP_SL 0000000000000000 strtoul@GLIBC_2.17 + 0
00000001fe80 000500000402 R_AARCH64_JUMP_SL 0000000000000000 strlen@GLIBC_2.17 + 0
00000001fe88 000600000402 R_AARCH64_JUMP_SL 0000000000000000 fputs@GLIBC_2.17 + 0
00000001fe90 000700000402 R_AARCH64_JUMP_SL 0000000000000000 exit@GLIBC_2.17 + 0
00000001fe98 000800000402 R_AARCH64_JUMP_SL 0000000000000000 __libc_start_main@GLIBC_2.34 + 0
00000001fea0 000900000402 R_AARCH64_JUMP_SL 0000000000000000 perror@GLIBC_2.17 + 0
00000001fea8 000b00000402 R_AARCH64_JUMP_SL 0000000000000000 __cxa_finalize@GLIBC_2.17 + 0
00000001feb0 000c00000402 R_AARCH64_JUMP_SL 0000000000000000 putc@GLIBC_2.17 + 0
00000001fec0 000e00000402 R_AARCH64_JUMP_SL 0000000000000000 fputc@GLIBC_2.17 + 0
00000001fec8 001100000402 R_AARCH64_JUMP_SL 0000000000000000 snprintf@GLIBC_2.17 + 0
00000001fed0 001200000402 R_AARCH64_JUMP_SL 0000000000000000 __snprintf_chk@GLIBC_2.17 + 0
00000001fed8 001300000402 R_AARCH64_JUMP_SL 0000000000000000 malloc@GLIBC_2.17 + 0
00000001fee0 001500000402 R_AARCH64_JUMP_SL 0000000000000000 gettimeofday@GLIBC_2.17 + 0
00000001fee8 001600000402 R_AARCH64_JUMP_SL 0000000000000000 sleep@GLIBC_2.17 + 0
00000001fef0 001700000402 R_AARCH64_JUMP_SL 0000000000000000 __vfprintf_chk@GLIBC_2.17 + 0
00000001fef8 001800000402 R_AARCH64_JUMP_SL 0000000000000000 calloc@GLIBC_2.17 + 0
00000001ff00 001900000402 R_AARCH64_JUMP_SL 0000000000000000 rewind@GLIBC_2.17 + 0
00000001ff08 001a00000402 R_AARCH64_JUMP_SL 0000000000000000 strdup@GLIBC_2.17 + 0
00000001ff10 001b00000402 R_AARCH64_JUMP_SL 0000000000000000 closedir@GLIBC_2.17 + 0
00000001ff18 001c00000402 R_AARCH64_JUMP_SL 0000000000000000 __stack_chk_fail@GLIBC_2.17 + 0
00000001ff20 001d00000402 R_AARCH64_JUMP_SL 0000000000000000 strrchr@GLIBC_2.17 + 0
00000001ff28 001e00000402 R_AARCH64_JUMP_SL 0000000000000000 __gmon_start__ + 0
00000001ff30 002000000402 R_AARCH64_JUMP_SL 0000000000000000 abort@GLIBC_2.17 + 0
00000001ff38 002100000402 R_AARCH64_JUMP_SL 0000000000000000 feof@GLIBC_2.17 + 0
00000001ff40 002200000402 R_AARCH64_JUMP_SL 0000000000000000 getopt_long@GLIBC_2.17 + 0
00000001ff48 002300000402 R_AARCH64_JUMP_SL 0000000000000000 __fprintf_chk@GLIBC_2.17 + 0
00000001ff50 002400000402 R_AARCH64_JUMP_SL 0000000000000000 strcmp@GLIBC_2.17 + 0
00000001ff58 002500000402 R_AARCH64_JUMP_SL 0000000000000000 free@GLIBC_2.17 + 0
00000001ff60 002600000402 R_AARCH64_JUMP_SL 0000000000000000 readdir64@GLIBC_2.17 + 0
00000001ff68 002700000402 R_AARCH64_JUMP_SL 0000000000000000 strndup@GLIBC_2.17 + 0
00000001ff70 002800000402 R_AARCH64_JUMP_SL 0000000000000000 strchr@GLIBC_2.17 + 0
00000001ff78 002900000402 R_AARCH64_JUMP_SL 0000000000000000 fwrite@GLIBC_2.17 + 0
00000001ff80 002a00000402 R_AARCH64_JUMP_SL 0000000000000000 fflush@GLIBC_2.17 + 0
00000001ff88 002b00000402 R_AARCH64_JUMP_SL 0000000000000000 fopen64@GLIBC_2.17 + 0
00000001ff90 002c00000402 R_AARCH64_JUMP_SL 0000000000000000 __isoc99_sscanf@GLIBC_2.17 + 0
00000001ff98 002d00000402 R_AARCH64_JUMP_SL 0000000000000000 strncpy@GLIBC_2.17 + 0
00000001ffa0 002f00000402 R_AARCH64_JUMP_SL 0000000000000000 __assert_fail@GLIBC_2.17 + 0
00000001ffa8 003000000402 R_AARCH64_JUMP_SL 0000000000000000 fgets@GLIBC_2.17 + 0
压缩的相对重定位 (RELR)
- 现代 linker 可以用
-z pack-relative-relocs生成紧凑的相对重定位。这会在动态段为 PIEs/共享库添加DT_RELR、DT_RELRSZ和DT_RELRENT条目(对非-PIE 可执行文件会被忽略)。 - Recon:
readelf -d ./bin | egrep -i "DT_RELR|RELRSZ|RELRENT"
静态重定位
如果程序被加载到与首选地址(通常为 0x400000)不同的位置,因为该地址已被占用或由于 ASLR 或其他原因,静态重定位会修正那些原本期望二进制被加载到首选地址的指针值。
例如,任何类型为 R_AARCH64_RELATIV 的重定位应该修改位于重定位偏移处加上 addend 的地址。
动态重定位和 GOT
重定位也可能引用外部符号(比如来自依赖库的函数)。例如来自 libC 的 malloc。加载器在加载 libC 时会检查 malloc 函数被加载到何处,并会把该地址写入 GOT(Global Offset Table)(由重定位表指示),GOT 中应包含 malloc 的地址。
Procedure Linkage Table
PLT 段允许执行 lazy binding,这意味着函数位置的解析会在首次访问时进行。
因此,当程序调用 malloc 时,实际调用的是 PLT 中对应的 malloc@plt。首次调用时会解析 malloc 的地址并存储,这样下次调用 malloc 时就会使用该地址而不是 PLT 代码。
影响利用的现代链接行为
-z now(Full RELRO) 禁用 lazy binding;PLT 条目仍然存在但 GOT/PLT 被映射为只读,因此像 GOT overwrite 和 ret2dlresolve 之类的技术将无法对主二进制生效(库可能仍部分是 RELRO)。参见:
-
-fno-plt使得编译器直接通过 GOT entry 调用外部函数,而不是通过 PLT stub。你会看到类似 mov reg, [got]; call reg 的调用序列,而不是 call func@plt。这减少了投机执行滥用,并稍微改变了围绕 PLT stub 的 ROP gadget 搜索。 -
PIE vs static-PIE: PIE (ET_DYN with INTERP) 需要 dynamic loader 并支持常见的 PLT/GOT 机制。Static-PIE (ET_DYN without INTERP) 的重定位由内核 loader 应用且没有 ld.so;在运行时预计不会有 PLT 解析。
If GOT/PLT is not an option, pivot to other writeable code-pointers or use classic ROP/SROP into libc.
程序初始化
程序加载完成后,就会开始运行。然而,最先被执行的代码并不总是 main 函数。这是因为例如在 C++ 中,如果一个 全局变量是类的一个对象,这个对象必须在 main 运行之前被初始化,比如:
#include <stdio.h>
// g++ autoinit.cpp -o autoinit
class AutoInit {
public:
AutoInit() {
printf("Hello AutoInit!\n");
}
~AutoInit() {
printf("Goodbye AutoInit!\n");
}
};
AutoInit autoInit;
int main() {
printf("Main\n");
return 0;
}
注意这些全局变量位于 .data 或 .bss,但在列表 __CTOR_LIST__ 和 __DTOR_LIST__ 中,为了记录需要被初始化和析构的对象,它们以顺序存储。
在 C 代码中可以使用 GNU extensions 获得相同的结果:
__attribute__((constructor)) //Add a constructor to execute before
__attribute__((destructor)) //Add to the destructor list
From a compiler perspective, to execute these actions before and after the main function is executed, it’s possible to create a init function and a fini function which would be referenced in the dynamic section as INIT and FINI. and are placed in the init and fini sections of the ELF.
The other option, as mentioned, is to reference the lists __CTOR_LIST__ and __DTOR_LIST__ in the INIT_ARRAY and FINI_ARRAY entries in the dynamic section and the length of these are indicated by INIT_ARRAYSZ and FINI_ARRAYSZ. Each entry is a function pointer that will be called without arguments.
Moreover, it’s also possible to have a PREINIT_ARRAY with pointers that will be executed before the INIT_ARRAY pointers.
利用说明
-
Under Partial RELRO these arrays live in pages that are still writable before
ld.soflipsPT_GNU_RELROto read-only. If you get an arbitrary write early enough or you can target a library’s writable arrays, you can hijack control flow by overwriting an entry with a function of your choice. Under Full RELRO they are read-only at runtime. -
For lazy binding abuse of the dynamic linker to resolve arbitrary symbols at runtime, see the dedicated page:
初始化顺序
- The program is loaded into memory, static global variables are initialized in
.dataand unitialized ones zeroed in.bss. - All dependencies for the program or libraries are initialized and the the dynamic linking is executed.
PREINIT_ARRAYfunctions are executed.INIT_ARRAYfunctions are executed.- If there is a
INITentry it’s called. - If a library, dlopen ends here, if a program, it’s time to call the real entry point (
mainfunction).
线程局部存储 (TLS)
They are defined using the keyword __thread_local in C++ or the GNU extension __thread.
Each thread will maintain a unique location for this variable so only the thread can access its variable.
When this is used the sections .tdata and .tbss are used in the ELF. Which are like .data (initialized) and .bss (not initialized) but for TLS.
Each variable will have an entry in the TLS header specifying the size and the TLS offset, which is the offset it will use in the thread’s local data area.
The __TLS_MODULE_BASE is a symbol used to refer to the base address of the thread local storage and points to the area in memory that contains all the thread-local data of a module.
辅助向量 (auxv) 和 vDSO
The Linux kernel passes an auxiliary vector to processes containing useful addresses and flags for the runtime:
AT_RANDOM: points to 16 random bytes used by glibc for the stack canary and other PRNG seeds.AT_SYSINFO_EHDR: base address of the vDSO mapping (handy to find__kernel_*syscalls and gadgets).AT_EXECFN,AT_BASE,AT_PAGESZ, etc.
As an attacker, if you can read memory or files under /proc, you can often leak these without an infoleak in the target process:
# Show the auxv of a running process
cat /proc/$(pidof target)/auxv | xxd
# From your own process (helper snippet)
#include <sys/auxv.h>
#include <stdio.h>
int main(){
printf("AT_RANDOM=%p\n", (void*)getauxval(AT_RANDOM));
printf("AT_SYSINFO_EHDR=%p\n", (void*)getauxval(AT_SYSINFO_EHDR));
}
泄露 AT_RANDOM 会在你能解引用该指针时得到 canary 值;AT_SYSINFO_EHDR 则会提供一个 vDSO 基址,可用于挖掘 gadgets 或直接调用快速 syscalls。
参考资料
- GCC 常见函数属性 (ifunc / STT_GNU_IFUNC): https://gcc.gnu.org/onlinedocs/gcc-14.3.0/gcc/Common-Function-Attributes.html
- GNU ld
-z pack-relative-relocs/DT_RELR文档: https://sourceware.org/binutils/docs/ld.html - ld.so(8) – 动态加载器搜索顺序、RPATH/RUNPATH、安全执行规则 (AT_SECURE): https://man7.org/linux/man-pages/man8/ld.so.8.html
- getauxval(3) – 辅助向量和 AT_* 常量: https://man7.org/linux/man-pages/man3/getauxval.3.html
Tip
学习和实践 AWS 黑客技术:
学习和实践 GCP 黑客技术:支持 HackTricks
- 查看 订阅计划!
- 加入 💬 Discord 群组 或 Telegram 群组 或 在 Twitter 🐦 上关注我们 @hacktricks_live.
- 通过向 HackTricks 和 HackTricks Cloud GitHub 仓库提交 PR 来分享黑客技巧。