Linux下查看分析可执行文件的方式

转自:https://mp.weixin.qq.com/s/BpGphYGj12gvo6uMMzCL0Q

本文主要讲解可执行文件信息的查看方式和方法:readelf,ldd,nm,file,strip,size, strings,objdump

简单的实例代码:

#include 

int main(int argc, char *argv[])
{
        char *p = "hello";
        char ap[] = "hello";

        printf("p = %p ap = %p sizeof(p) = %d, sizeof(ap) = %d\n", p, ap, sizeo$
}

编译:sudo gcc -o test test.c

测试平台:raspberry pi cm3+(bcm2837)

执行:

pi@raspberrypi:~ $ ./test 
p = 0x104e0 ap = 0x7eed1274 sizeof(p) = 4, sizeof(ap) = 6

1.使用readelf查看可执行文件的头信息:

pi@raspberrypi:~ $ readelf -h test
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           ARM
  Version:                           0x1
  Entry point address:               0x10318
  Start of program headers:          52 (bytes into file)
  Start of section headers:          6820 (bytes into file)
  Flags:                             0x5000400, Version5 EABI, hard-float ABI
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         9
  Size of section headers:           40 (bytes)
  Number of section headers:         29
  Section header string table index: 28

Class展示了该程序的位数

Data展示了程序的大小端

Machine展示了程序的运行平台

查看只读取的内容:

pi@raspberrypi:~ $ readelf test -x .rodata

Hex dump of section '.rodata':
  0x000104dc 01000200 68656c6c 6f000000 70203d20 ....hello...p = 
  0x000104ec 25702061 70203d20 25702073 697a656f %p ap = %p sizeo
  0x000104fc 66287029 203d2025 642c2073 697a656f f(p) = %d, sizeo
  0x0001050c 66286170 29203d20 25640a00          f(ap) = %d..

2.使用ldd命令查看程序依赖的动态库:

pi@raspberrypi:~ $ ldd test
	linux-vdso.so.1 (0x7ef81000)
	/usr/lib/arm-linux-gnueabihf/libarmmem-${PLATFORM}.so => /usr/lib/arm-linux-gnueabihf/libarmmem-v7l.so (0x76ef7000)
	libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76d7c000)
	/lib/ld-linux-armhf.so.3 (0x76f0c000)

3.使用nm命令查看elf文件的符号表信息

pi@raspberrypi:~ $ nm test
         U abort@@GLIBC_2.4
0002102c B __bss_end__
0002102c B _bss_end__
00021028 B __bss_start
00021028 B __bss_start__
00010354 t call_weak_fn
00021028 b completed.10783
00021020 D __data_start
00021020 W data_start
00010378 t deregister_tm_clones
000103dc t __do_global_dtors_aux
00020f14 t __do_global_dtors_aux_fini_array_entry
00021024 D __dso_handle
00020f18 d _DYNAMIC
00021028 D _edata
0002102c B __end__
0002102c B _end
000104d4 T _fini
00010404 t frame_dummy
00020f10 t __frame_dummy_init_array_entry
00010520 r __FRAME_END__
00021000 d _GLOBAL_OFFSET_TABLE_
         w __gmon_start__
000102c8 T _init
00020f14 t __init_array_end
00020f10 t __init_array_start
000104dc R _IO_stdin_used
000104d0 T __libc_csu_fini
00010470 T __libc_csu_init
         U __libc_start_main@@GLIBC_2.4
00010408 T main
         U printf@@GLIBC_2.4
000103a4 t register_tm_clones
00010318 T _start
00021028 D __TMC_END__

4.使用file命令查看文件的信息信息,以及是否包含符号表

pi@raspberrypi:~ $ file test test: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=3779ccaf885035d737eaa63de6e7051a751be969, not stripped

如果使用file命令看到最后是not stripped,那么则含有符号表,一般线上的程序可能会选择去掉符号表信息,因为可以大大减少可执行文件的空间占用。

5.去掉符号表的方式:$ strip test

pi@raspberrypi:~ $ ls -al test
-rwxr-xr-x 1 root root 7980 Jul  2 21:07 test
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ strip test
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ nm test
nm: test: no symbols
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ ls -al test
-rwxr-xr-x 1 pi pi 5544 Jul  2 10:30 test
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ 
pi@raspberrypi:~ $ file test
test: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-armhf.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=3779ccaf885035d737eaa63de6e7051a751be969, stripped

6.使用size查看可执行文件的大小

pi@raspberrypi:~ $ size test
   text	   data	    bss	    dec	    hex	filename
    970	    280	      4	   1254	    4e6	test

如果data占用空间过大,那可能是你程序中用到了太多的全局变量和静态变量或常量。

7.strings查看可执行文件中的字符串

pi@raspberrypi:~ $ strings test
/lib/ld-linux-armhf.so.3
libc.so.6
abort
printf
__libc_start_main
GLIBC_2.4
__gmon_start__
hello
p = %p ap = %p sizeof(p) = %d, sizeof(ap) = %d
GCC: (Raspbian 8.3.0-6+rpi1) 8.3.0
aeabi
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.init
.text
.fini
.rodata
.ARM.exidx
.eh_frame
.init_array
.fini_array
.dynamic
.got
.data
.bss
.comment
.ARM.attributes

8.objdump反汇编所有代码

pi@raspberrypi:~ $ objdump -d test

test:     file format elf32-littlearm


Disassembly of section .init:

000102c8 <.init>:
   102c8:	e92d4008 	push	{r3, lr}
   102cc:	eb000020 	bl	10354 
   102d0:	e8bd8008 	pop	{r3, pc}

Disassembly of section .plt:

000102d4 :
   102d4:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
   102d8:	e59fe004 	ldr	lr, [pc, #4]	; 102e4 
   102dc:	e08fe00e 	add	lr, pc, lr
   102e0:	e5bef008 	ldr	pc, [lr, #8]!
   102e4:	00010d1c 	andeq	r0, r1, ip, lsl sp

000102e8 :
   102e8:	e28fc600 	add	ip, pc, #0, 12
   102ec:	e28cca10 	add	ip, ip, #16, 20	; 0x10000
   102f0:	e5bcfd1c 	ldr	pc, [ip, #3356]!	; 0xd1c

000102f4 <__libc_start_main@plt>:
   102f4:	e28fc600 	add	ip, pc, #0, 12
   102f8:	e28cca10 	add	ip, ip, #16, 20	; 0x10000
   102fc:	e5bcfd14 	ldr	pc, [ip, #3348]!	; 0xd14

00010300 <__gmon_start__@plt>:
   10300:	e28fc600 	add	ip, pc, #0, 12
   10304:	e28cca10 	add	ip, ip, #16, 20	; 0x10000
   10308:	e5bcfd0c 	ldr	pc, [ip, #3340]!	; 0xd0c

0001030c :
   1030c:	e28fc600 	add	ip, pc, #0, 12
   10310:	e28cca10 	add	ip, ip, #16, 20	; 0x10000
   10314:	e5bcfd04 	ldr	pc, [ip, #3332]!	; 0xd04

Disassembly of section .text:

00010318 <.text>:
   10318:	e3a0b000 	mov	fp, #0
   1031c:	e3a0e000 	mov	lr, #0
   10320:	e49d1004 	pop	{r1}		; (ldr r1, [sp], #4)
   10324:	e1a0200d 	mov	r2, sp
   10328:	e52d2004 	push	{r2}		; (str r2, [sp, #-4]!)
   1032c:	e52d0004 	push	{r0}		; (str r0, [sp, #-4]!)
   10330:	e59fc010 	ldr	ip, [pc, #16]	; 10348 
   10334:	e52dc004 	push	{ip}		; (str ip, [sp, #-4]!)
   10338:	e59f000c 	ldr	r0, [pc, #12]	; 1034c 
   1033c:	e59f300c 	ldr	r3, [pc, #12]	; 10350 
   10340:	ebffffeb 	bl	102f4 <__libc_start_main@plt>
   10344:	ebfffff0 	bl	1030c 
   10348:	000104d0 	ldrdeq	r0, [r1], -r0	; 
   1034c:	00010408 	andeq	r0, r1, r8, lsl #8
   10350:	00010470 	andeq	r0, r1, r0, ror r4
   10354:	e59f3014 	ldr	r3, [pc, #20]	; 10370 
   10358:	e59f2014 	ldr	r2, [pc, #20]	; 10374 
   1035c:	e08f3003 	add	r3, pc, r3
   10360:	e7932002 	ldr	r2, [r3, r2]
   10364:	e3520000 	cmp	r2, #0
   10368:	012fff1e 	bxeq	lr
   1036c:	eaffffe3 	b	10300 <__gmon_start__@plt>
   10370:	00010c9c 	muleq	r1, ip, ip
   10374:	0000001c 	andeq	r0, r0, ip, lsl r0
   10378:	e59f0018 	ldr	r0, [pc, #24]	; 10398 
   1037c:	e59f3018 	ldr	r3, [pc, #24]	; 1039c 
   10380:	e1530000 	cmp	r3, r0
   10384:	012fff1e 	bxeq	lr
   10388:	e59f3010 	ldr	r3, [pc, #16]	; 103a0 
   1038c:	e3530000 	cmp	r3, #0
   10390:	012fff1e 	bxeq	lr
   10394:	e12fff13 	bx	r3
   10398:	00021028 	andeq	r1, r2, r8, lsr #32
   1039c:	00021028 	andeq	r1, r2, r8, lsr #32
   103a0:	00000000 	andeq	r0, r0, r0
   103a4:	e59f0024 	ldr	r0, [pc, #36]	; 103d0 
   103a8:	e59f1024 	ldr	r1, [pc, #36]	; 103d4 
   103ac:	e0411000 	sub	r1, r1, r0
   103b0:	e1a01141 	asr	r1, r1, #2
   103b4:	e0811fa1 	add	r1, r1, r1, lsr #31
   103b8:	e1b010c1 	asrs	r1, r1, #1
   103bc:	012fff1e 	bxeq	lr
   103c0:	e59f3010 	ldr	r3, [pc, #16]	; 103d8 
   103c4:	e3530000 	cmp	r3, #0
   103c8:	012fff1e 	bxeq	lr
   103cc:	e12fff13 	bx	r3
   103d0:	00021028 	andeq	r1, r2, r8, lsr #32
   103d4:	00021028 	andeq	r1, r2, r8, lsr #32
   103d8:	00000000 	andeq	r0, r0, r0
   103dc:	e92d4010 	push	{r4, lr}
   103e0:	e59f4018 	ldr	r4, [pc, #24]	; 10400 
   103e4:	e5d43000 	ldrb	r3, [r4]
   103e8:	e3530000 	cmp	r3, #0
   103ec:	18bd8010 	popne	{r4, pc}
   103f0:	ebffffe0 	bl	10378 
   103f4:	e3a03001 	mov	r3, #1
   103f8:	e5c43000 	strb	r3, [r4]
   103fc:	e8bd8010 	pop	{r4, pc}
   10400:	00021028 	andeq	r1, r2, r8, lsr #32
   10404:	eaffffe6 	b	103a4 
   10408:	e92d4800 	push	{fp, lr}
   1040c:	e28db004 	add	fp, sp, #4
   10410:	e24dd020 	sub	sp, sp, #32
   10414:	e50b0018 	str	r0, [fp, #-24]	; 0xffffffe8
   10418:	e50b101c 	str	r1, [fp, #-28]	; 0xffffffe4
   1041c:	e59f3044 	ldr	r3, [pc, #68]	; 10468 
   10420:	e50b3008 	str	r3, [fp, #-8]
   10424:	e59f203c 	ldr	r2, [pc, #60]	; 10468 
   10428:	e24b3010 	sub	r3, fp, #16
   1042c:	e8920003 	ldm	r2, {r0, r1}
   10430:	e5830000 	str	r0, [r3]
   10434:	e2833004 	add	r3, r3, #4
   10438:	e1c310b0 	strh	r1, [r3]
   1043c:	e24b2010 	sub	r2, fp, #16
   10440:	e3a03006 	mov	r3, #6
   10444:	e58d3000 	str	r3, [sp]
   10448:	e3a03004 	mov	r3, #4
   1044c:	e51b1008 	ldr	r1, [fp, #-8]
   10450:	e59f0014 	ldr	r0, [pc, #20]	; 1046c 
   10454:	ebffffa3 	bl	102e8 
   10458:	e3a03000 	mov	r3, #0
   1045c:	e1a00003 	mov	r0, r3
   10460:	e24bd004 	sub	sp, fp, #4
   10464:	e8bd8800 	pop	{fp, pc}
   10468:	000104e0 	andeq	r0, r1, r0, ror #9
   1046c:	000104e8 	andeq	r0, r1, r8, ror #9
   10470:	e92d47f0 	push	{r4, r5, r6, r7, r8, r9, sl, lr}
   10474:	e1a07000 	mov	r7, r0
   10478:	e59f6048 	ldr	r6, [pc, #72]	; 104c8 
   1047c:	e59f5048 	ldr	r5, [pc, #72]	; 104cc 
   10480:	e08f6006 	add	r6, pc, r6
   10484:	e08f5005 	add	r5, pc, r5
   10488:	e0466005 	sub	r6, r6, r5
   1048c:	e1a08001 	mov	r8, r1
   10490:	e1a09002 	mov	r9, r2
   10494:	ebffff8b 	bl	102c8 
   10498:	e1b06146 	asrs	r6, r6, #2
   1049c:	08bd87f0 	popeq	{r4, r5, r6, r7, r8, r9, sl, pc}
   104a0:	e3a04000 	mov	r4, #0
   104a4:	e2844001 	add	r4, r4, #1
   104a8:	e4953004 	ldr	r3, [r5], #4
   104ac:	e1a02009 	mov	r2, r9
   104b0:	e1a01008 	mov	r1, r8
   104b4:	e1a00007 	mov	r0, r7
   104b8:	e12fff33 	blx	r3
   104bc:	e1560004 	cmp	r6, r4
   104c0:	1afffff7 	bne	104a4 
   104c4:	e8bd87f0 	pop	{r4, r5, r6, r7, r8, r9, sl, pc}
   104c8:	00010a8c 	andeq	r0, r1, ip, lsl #21
   104cc:	00010a84 	andeq	r0, r1, r4, lsl #21
   104d0:	e12fff1e 	bx	lr

Disassembly of section .fini:

000104d4 <.fini>:
   104d4:	e92d4008 	push	{r3, lr}
   104d8:	e8bd8008 	pop	{r3, pc}
pi@raspberrypi:~/sharedir/study $ 

9.反汇编特定函数(如main函数)

先按照地址顺序输出符号表信息:

pi@raspberrypi:~ $ nm -n test | grep main -A 1
         U __libc_start_main@@GLIBC_2.4
         U printf@@GLIBC_2.4
--
00010408 T main
00010470 T __libc_csu_init

我们得到main的开始地址为0x00010408,结束地址为0x00010470。

反汇编main函数:

pi@raspberrypi:~ $ objdump -d test --start-address=0x00010408 --stop-address=0x00010470

test:     file format elf32-littlearm


Disassembly of section .text:

00010408 
: 10408: e92d4800 push {fp, lr} 1040c: e28db004 add fp, sp, #4 10410: e24dd020 sub sp, sp, #32 10414: e50b0018 str r0, [fp, #-24] ; 0xffffffe8 10418: e50b101c str r1, [fp, #-28] ; 0xffffffe4 1041c: e59f3044 ldr r3, [pc, #68] ; 10468 10420: e50b3008 str r3, [fp, #-8] 10424: e59f203c ldr r2, [pc, #60] ; 10468 10428: e24b3010 sub r3, fp, #16 1042c: e8920003 ldm r2, {r0, r1} 10430: e5830000 str r0, [r3] 10434: e2833004 add r3, r3, #4 10438: e1c310b0 strh r1, [r3] 1043c: e24b2010 sub r2, fp, #16 10440: e3a03006 mov r3, #6 10444: e58d3000 str r3, [sp] 10448: e3a03004 mov r3, #4 1044c: e51b1008 ldr r1, [fp, #-8] 10450: e59f0014 ldr r0, [pc, #20] ; 1046c 10454: ebffffa3 bl 102e8 10458: e3a03000 mov r3, #0 1045c: e1a00003 mov r0, r3 10460: e24bd004 sub sp, fp, #4 10464: e8bd8800 pop {fp, pc} 10468: 000104e0 .word 0x000104e0 1046c: 000104e8 .word 0x000104e8

 

 

 

 

 

 

你可能感兴趣的:(linux命令,shell,bug调试,linux,内核,文件系统,网络)