How to execute binaries under Linux

2025-01-17 Update From: SLTechnology News&Howtos


This article shows how to execute and analyze binaries under Linux. The content is simple and clear; I hope it helps you resolve your doubts. Let me lead you through "how to execute binaries under Linux".

Binaries are files we deal with almost every day, but few people know how they work. The binaries discussed here are executable files, including the Linux commands you use every day, which are binaries too.

Linux provides many tools for analyzing binaries; whatever kind of work you do under Linux, knowing these tools will give you a better understanding of your system.

In this article I will introduce some of the most commonly used tools and commands for analyzing binaries. Most distributions ship them directly; if not, they can be installed separately.

file

The file command is used to identify the type of a file.

If you need to analyze a binary, the file command is a good place to start. Under Linux everything is a file, but not all files are executable: there are also text files, pipes, symbolic links, sockets, and so on.

Before analyzing a file, we can first use the file command to determine its type. Besides the type, it also reports some other information.

$ file /bin/pwd
/bin/pwd: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=0d264bacf2adc568f0e21cbcc9576df434c44380, stripped

ldd

The ldd command can be used to analyze the shared-library dependencies of an executable file.

When we use the file command to analyze an executable file, we can sometimes see the word dynamically linked in the output. What does this mean?

Most programs use third-party libraries so that you do not have to reinvent the wheel, which saves a lot of time. In the simplest case, a C program will certainly use libc (glibc); beyond that, other libraries may be used as well.

When do we need to analyze a program's dependent libraries? Here is a scene you have surely experienced: you copy a program written by a colleague and run it in your own environment, and sometimes it fails to run. There may be many reasons for that, but one of them is a missing dependency library.

This is where ldd comes in handy. It lists the libraries the program needs; you then only have to put the corresponding libraries in the corresponding locations.

$ ldd /bin/pwd
	linux-vdso.so.1 =>  (0x00007ffeb73e5000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f908b321000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f908b6ef000)

ltrace

The ltrace command traces the library function calls a process makes.

With ldd we can find the libraries a program depends on, but a library contains anywhere from a few to many functions, so how do we know which functions the program actually calls?

The ltrace command does exactly this. In the following example we can see the functions called by the program, the parameters passed in, and the return values of the calls.

$ ltrace /bin/pwd
__libc_start_main(0x401760, 1, 0x7ffff6524cc8, 0x404a00 <unfinished ...>
getenv("POSIXLY_CORRECT")                        = nil
strrchr("/bin/pwd", '/')                         = "/pwd"
setlocale(LC_ALL, "")                            = "en_US.utf8"
bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale"
textdomain("coreutils")                          = "coreutils"
__cxa_atexit(0x4022f0, 0, 0, 0x736c6974756572)   = 0
getopt_long(1, 0x7ffff6524cc8, "LP", 0x606d00, nil) = -1
getcwd(nil, 0)                                   = "/home/alvin"
puts("/home/alvin"/home/alvin
)                                                = 12
free(0x22bc030)                                  = <void>
exit(0 <unfinished ...>
__fpending(0x7f3048865400, 0, 64, 0x7f3048865eb0) = 0
fileno(0x7f3048865400)                           = 1
__freading(0x7f3048865400, 0, 64, 0x7f3048865eb0) = 0
__freading(0x7f3048865400, 0, 2052, 0x7f3048865eb0) = 0
fflush(0x7f3048865400)                           = 0
fclose(0x7f3048865400)                           = 0
__fpending(0x7f30488651c0, 0, 3328, 0xfbad000c)  = 0
fileno(0x7f30488651c0)                           = 2
__freading(0x7f30488651c0, 0, 3328, 0xfbad000c)  = 0
__freading(0x7f30488651c0, 0, 4, 0xfbad000c)     = 0
fflush(0x7f30488651c0)                           = 0
fclose(0x7f30488651c0)                           = 0
+++ exited (status 0) +++

strace

The strace command can be used to trace the system calls and signals of a running program.

From the introduction above we know that ltrace traces library function calls. strace is similar, but it traces system calls. What is a system call? Put simply, system calls are how a program asks the kernel to carry out the tasks it needs.

For example, to print characters on the screen we can use printf or puts, both of which are libc library functions; at a lower level both of them invoke the write system call.

$ strace -f /bin/pwd
execve("/bin/pwd", ["/bin/pwd"], [/* 24 vars */]) = 0
brk(NULL)                               = 0xbc9000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f918ba69000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=38684, ...}) = 0
mmap(NULL, 38684, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f918ba5f000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\3\0\0\0\0\0\0\0\0\0\3\0>\0\0\0\0\0>\0\0\0\20&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156160, ...}) = 0
mmap(NULL, 3985888, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f918b47b000
mprotect(0x7f918b63e000, 2097152, PROT_NONE) = 0
mmap(0x7f918b83e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f918b83e000
mmap(0x7f918b844000, 16864, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f918b844000
close(3)                                = 0
...
+++ exited with 0 +++

hexdump

The hexdump command shows the hexadecimal encoding of a binary file; in fact it can view any file, not just binaries.

If you open a binary file directly in a text editor, you will see a pile of garbage. Use the hexdump command to view its contents instead.

The display format of hexdump is: the byte offset on the left, the hexadecimal encoding of the file contents in the middle, and, for printable characters, the characters themselves on the right.

With this command we can get a general idea of what is in the binary, which makes the later steps more convenient.

$ hexdump -C /bin/pwd | head
00000000  7f 45 4c 46 02 01 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010  02 00 3e 00 01 00 00 00  17 19 40 00 00 00 00 00  |..>.......@.....|
00000020  40 00 00 00 00 00 00 00  50 7a 00 00 00 00 00 00  |@.......Pz......|
00000030  00 00 00 00 40 00 38 00  09 00 40 00 1e 00 1d 00  |....@.8...@.....|
00000040  06 00 00 00 05 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000050  40 00 40 00 00 00 00 00  40 00 40 00 00 00 00 00  |@.@.....@.@.....|
00000060  f8 01 00 00 00 00 00 00  f8 01 00 00 00 00 00 00  |................|
00000070  08 00 00 00 00 00 00 00  03 00 00 00 04 00 00 00  |................|
00000080  38 02 00 00 00 00 00 00  38 02 40 00 00 00 00 00  |8.......8.@.....|
00000090  38 02 40 00 00 00 00 00  1c 00 00 00 00 00 00 00  |8.@.............|

strings

The strings command prints the printable character sequences found in a binary file.

What are printable characters? Put simply, the characters you can see on the screen, such as abc, ABC, ',', '.', ':' and so on.

A binary file contains many non-printable characters, which is why it cannot be opened directly in a text editor. During development we often add debugging information, such as debug, warn and error log messages; these strings can be seen with the strings command.

$ strings /bin/pwd | head
/lib64/ld-linux-x86-64.so.2
libc.so.6
fflush
strcpy
__printf_chk
readdir
setlocale
mbrtowc
strncmp
optind

readelf

The readelf command is generally used to view the information of files in ELF format.

ELF (Executable and Linkable Format) is a relatively complex file format, but it is very widely used. When the file command tells you that a file is an ELF file, you can use the readelf command to read the file's information.
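The fields that readelf -h prints can be decoded by hand from the first bytes that hexdump showed above. The following Python script is an added example, not part of the original article: it parses the ELF64 file header and the leading fields of the program headers from the 160 bytes of /bin/pwd transcribed from the hexdump output, recovering the entry point, section-header offset and header counts that readelf reports below; the dictionary field names are my own.

```python
import struct

# Bytes 0x00..0x9f of /bin/pwd, transcribed from the hexdump -C output in this article.
PWD_HEADER = bytes.fromhex(
    "7f454c4602010100" "0000000000000000"   # 0x00: magic, ELF64, little-endian
    "02003e0001000000" "1719400000000000"   # 0x10: type, machine, version, entry
    "4000000000000000" "507a000000000000"   # 0x20: phoff, shoff
    "0000000040003800" "090040001e001d00"   # 0x30: flags, sizes and counts
    "0600000005000000" "4000000000000000"   # 0x40: program header 0 (PT_PHDR)
    "4000400000000000" "4000400000000000"
    "f801000000000000" "f801000000000000"
    "0800000000000000" "0300000004000000"   # 0x78: program header 1 (PT_INTERP)
    "3802000000000000" "3802400000000000"
    "3802400000000000" "1c00000000000000"   # the dump ends inside entry 1
)

ELF64_EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header
ELF64_PHDR_HEAD = struct.Struct("<IIQQQQ")        # first 40 of the 56 bytes of a program header
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
P_TYPE = {1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 6: "PHDR"}

def parse_ehdr(data):
    """Decode the ELF64 file header; refuse anything that is not ELF64 little-endian."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    f = ELF64_EHDR.unpack_from(data, 0)
    return {"type": E_TYPE.get(f[1], f[1]), "machine": f[2], "entry": f[4],
            "phoff": f[5], "shoff": f[6], "ehsize": f[8], "phentsize": f[9],
            "phnum": f[10], "shentsize": f[11], "shnum": f[12], "shstrndx": f[13]}

def parse_phdrs(data, eh):
    """Decode the leading fields of every program header the buffer fully contains."""
    out = []
    for i in range(eh["phnum"]):
        off = eh["phoff"] + i * eh["phentsize"]
        if off + ELF64_PHDR_HEAD.size > len(data):
            break  # truncated dump: stop instead of reading past the end
        t, flags, p_off, vaddr, paddr, filesz = ELF64_PHDR_HEAD.unpack_from(data, off)
        out.append({"type": P_TYPE.get(t, t), "flags": flags, "offset": p_off,
                    "vaddr": vaddr, "filesz": filesz})
    return out

if __name__ == "__main__":
    eh = parse_ehdr(PWD_HEADER)
    print(f"Entry point address: {eh['entry']:#x}")  # 0x401917, as readelf -h reports
    for ph in parse_phdrs(PWD_HEADER, eh):
        print(ph)
```

Two cross-checks fall out of the parsed values: the PT_PHDR entry's filesz (0x1f8 = 504) equals phnum * phentsize (9 * 56), and the PT_INTERP entry's filesz (0x1c = 28) is exactly the length of "/lib64/ld-linux-x86-64.so.2" plus its terminating NUL, the loader path that ldd and strings printed earlier.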

$ readelf -h /bin/pwd
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x401917
  Start of program headers:          64 (bytes into file)
  Start of section headers:          31312 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           56 (bytes)
  Number of program headers:         9
  Size of section headers:           64 (bytes)
  Number of section headers:         30
  Section header string table index: 29

objdump

objdump is a GCC tool that shows the composition of an object file or an executable object file.

After a program is written, it has to be compiled before it becomes a binary the computer can recognize. The code we write cannot be executed directly by the computer; it is compiled into assembly instructions, which the computer then executes in turn.

The objdump command reads an executable file and prints out its assembly instructions, so to understand objdump's output you need some background in assembly.


$ objdump -d /bin/pwd | head

/bin/pwd:     file format elf64-x86-64

Disassembly of section .init:

0000000000401350 <.init>:
  401350:	48 83 ec 08          	sub    $0x8,%rsp
  401354:	48 8b 05 6d 5c 20 00 	mov    0x205c6d(%rip),%rax        # 606fc8
  40135b:	48 85 c0             	test   %rax,%rax

nm

The nm command mainly lists the symbols of an object file (to put it bluntly, its functions, global variables and so on).

If a program was compiled and not stripped, the nm command can uncover important secrets hidden in the executable. It lists the variables and functions in the file, which is of great value when reverse engineering.

Let's explain the purpose of the nm command through a short program. When compiling it we add the -g option, which makes the compiled file contain more useful information.

$ cat hello.c
#include <stdio.h>

int main() {
    printf("Hello world!");
    return 0;
}
$ gcc -g hello.c -o hello
$ file hello
hello: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.32, BuildID[sha1]=3de46c8efb98bce4ad525d3328121568ba3d8a5d, not stripped
$ ./hello
Hello world!
$ nm hello | tail
0000000000600e20 d __JCR_END__
0000000000600e20 d __JCR_LIST__
00000000004005b0 T __libc_csu_fini
0000000000400540 T __libc_csu_init
                 U __libc_start_main@@GLIBC_2.2.5
000000000040051d T main
                 U printf@@GLIBC_2.2.5
0000000000400490 t register_tm_clones
0000000000400430 T _start
0000000000601030 D __TMC_END__

gdb

gdb is the GNU debugger.

Everyone has heard of gdb to some degree. When we write code in an IDE we can debug by setting breakpoints, stepping, inspecting the values of variables and so on; underneath, the IDE is calling gdb.

A great deal could be written about gdb, so this article will not go any further than a short demonstration of its most basic functions.

$ gdb -q ./hello
Reading symbols from /home/flash/hello...done.
(gdb) break main
Breakpoint 1 at 0x400521: file hello.c, line 4.
(gdb) info break
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000400521 in main at hello.c:4
(gdb) run
Starting program: /home/flash/./hello

Breakpoint 1, main () at hello.c:4
4	    printf("Hello world!");
Missing separate debuginfos, use: debuginfo-install glibc-2.17-260.el7_6.6.x86_64
(gdb) bt
#0  main () at hello.c:4
(gdb) c
Continuing.
Hello world![Inferior 1 (process 29620) exited normally]
(gdb) q
$

That is the whole content of this article, "how to execute binaries under Linux". Thank you for reading! I believe you now have a certain understanding of the topic, and I hope the content shared here helps you.
