- Upload date: 2023-06-26
objdump and readelf
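Comparing objdump and readelf

Both objdump and readelf can be used to inspect the internal information of binary files. The difference is that objdump relies on BFD and is therefore more general: it can handle many different file formats. readelf does not use BFD; it reads the information in ELF files directly and, according to the readelf manual page, the information it produces is also slightly more detailed.

Comparison of several functions

1. Disassembling code

There are roughly three ways to see the assembly code that source code has been translated into:
1) Have the compiler generate it directly from the source file, e.g. gcc -S
2) Disassemble the object code. One way is static disassembly, that is, using objdump
3) The other way is to disassemble the code at run time, usually through gdb

readelf does not provide disassembly. objdump lets you specify which section to disassemble; in general, disassembly is only meaningful for sections that contain instructions. For sections of some other types, objdump can also present the data of these special sections in parsed form.
For .plt, for example, the output is as follows: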
[qtl@courier lib]$ objdump -d -j .plt libfoobar.so

libfoobar.so:     file format elf32-i386

Disassembly of section .plt:

000003a4 <__gmon_start__@plt-0x10>:
 3a4:   ff b3 04 00 00 00       pushl  0x4(%ebx)
 3aa:   ff a3 08 00 00 00       jmp    *0x8(%ebx)
 3b0:   00 00                   add    %al,(%eax)
        ...

000003b4 <__gmon_start__@plt>:
 3b4:   ff a3 0c 00 00 00       jmp    *0xc(%ebx)
 3ba:   68 00 00 00 00          push   $0x0
 3bf:   e9 e0 ff ff ff          jmp    3a4 <_init+0x18>

000003c4 <cos@plt>:
 3c4:   ff a3 10 00 00 00       jmp    *0x10(%ebx)
 3ca:   68 08 00 00 00          push   $0x8
 3cf:   e9 d0 ff ff ff          jmp    3a4 <_init+0x18>

000003d4 <fwrite@plt>:
 3d4:   ff a3 14 00 00 00       jmp    *0x14(%ebx)
 3da:   68 10 00 00 00          push   $0x10
 3df:   e9 c0 ff ff ff          jmp    3a4 <_init+0x18>

000003e4 <fprintf@plt>:
 3e4:   ff a3 18 00 00 00       jmp    *0x18(%ebx)
 3ea:   68 18 00 00 00          push   $0x18
 3ef:   e9 b0 ff ff ff          jmp    3a4 <_init+0x18>

000003f4 <__cxa_finalize@plt>:
 3f4:   ff a3 1c 00 00 00       jmp    *0x1c(%ebx)
 3fa:   68 20 00 00 00          push   $0x20
 3ff:   e9 a0 ff ff ff          jmp    3a4 <_init+0x18>

2. Displaying the entries of relocation sections

The -r option displays the information in the sections of type REL in an ELF file. The -S option lists all sections of the ELF file, which therefore includes the REL sections. For a relocatable file, both tools show the same entries; the most important fields, offset, type and Sym.Name, are all present.
Below is a comparison of the two outputs.

[qtl@courier lib]$ readelf -r bar.o

Relocation section '.rel.text' at offset 0x4bc contains 6 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00000008  00000b02 R_386_PC32        00000000   __i686.get_pc_thunk.bx
0000000e  00000c0a R_386_GOTPC       00000000   _GLOBAL_OFFSET_TABLE_
00000025  00000d04 R_386_PLT32       00000000   cos
0000002e  00000e03 R_386_GOT32       00000000   stdout
00000044  00000509 R_386_GOTOFF      00000000   .rodata
00000050  00000f04 R_386_PLT32       00000000   fprintf

[qtl@courier lib]$ objdump -r bar.o

bar.o:     file format elf32-i386

RELOCATION RECORDS FOR [.text]:
OFFSET   TYPE              VALUE
00000008 R_386_PC32        __i686.get_pc_thunk.bx
0000000e R_386_GOTPC       _GLOBAL_OFFSET_TABLE_
00000025 R_386_PLT32       cos
0000002e R_386_GOT32       stdout
00000044 R_386_GOTOFF      .rodata
00000050 R_386_PLT32       fprintf

For a shared library:

[qtl@courier lib]$ readelf -r libfoobar.so

Relocation section '.rel.dyn' at offset 0x334 contains 6 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
00001608  00000008 R_386_RELATIVE
00001704  00000008 R_386_RELATIVE
000016d4  00000106 R_386_GLOB_DAT    00000000   __gmon_start__
000016d8  00000206 R_386_GLOB_DAT    00000000   _Jv_RegisterClasses
000016dc  00000606 R_386_GLOB_DAT    00000000   stdout
000016e0  00000706 R_386_GLOB_DAT    00000000   __cxa_finalize

Relocation section '.rel.plt' at offset 0x364 contains 5 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
000016f0  00000107 R_386_JUMP_SLOT   00000000   __gmon_start__
000016f4  00000307 R_386_JUMP_SLOT   00000000   cos
000016f8  00000407 R_386_JUMP_SLOT   00000000   fwrite
000016fc  00000507 R_386_JUMP_SLOT   00000000   fprintf
00001700  00000707 R_386_JUMP_SLOT   00000000   __cxa_finalize

[qtl@courier lib]$ objdump -R libfoobar.so

libfoobar.so:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
00001608 R_386_RELATIVE    *ABS*
00001704 R_386_RELATIVE    *ABS*
000016d4 R_386_GLOB_DAT    __gmon_start__
000016d8 R_386_GLOB_DAT    _Jv_RegisterClasses
000016dc R_386_GLOB_DAT    stdout
000016e0 R_386_GLOB_DAT    __cxa_finalize
000016f0 R_386_JUMP_SLOT   __gmon_start__
000016f4 R_386_JUMP_SLOT   cos
000016f8 R_386_JUMP_SLOT   fwrite
000016fc R_386_JUMP_SLOT   fprintf
00001700 R_386_JUMP_SLOT   __cxa_finalize

As the output above shows, readelf displays the entries section by section, whereas objdump merges the two sections together. The readelf display is somewhat clearer.

3. Displaying dynamic relocation entries (or, one could say, the relocation entries related to dynamic linking)
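(According to the objdump man page, this is only valid for dynamic objects, such as certain types of shared libraries.)
The equivalent commands for readelf and objdump are readelf -D -r file and objdump -R file. For a shared library, the difference between using readelf with -r and with -D -r is that the data is presented slightly differently. Both present the data in parsed form. The former shows offsets relative to the base address, whereas the latter shows absolute offsets.
The former shows the number of entries; the latter shows the number of bytes. Comparison of the two outputs: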
[qtl@courier lib]$ readelf -D -r libfoobar.so

'REL' relocation section at offset 0x334 contains 48 bytes:
 Offset     Info    Type            Sym.Value  Sym. Name
00001608  00000008 R_386_RELATIVE
00001704  00000008 R_386_RELATIVE
000016d4  00000106 R_386_GLOB_DAT    00000000   __gmon_start__
000016d8  00000206 R_386_GLOB_DAT    00000000   _Jv_RegisterClasses
000016dc  00000606 R_386_GLOB_DAT    00000000   stdout
000016e0  00000706 R_386_GLOB_DAT    00000000   __cxa_finalize

'PLT' relocation section at offset 0x364 contains 40 bytes:
 Offset     Info    Type            Sym.Value  Sym. Name
000016f0  00000107 R_386_JUMP_SLOT   00000000   __gmon_start__
000016f4  00000307 R_386_JUMP_SLOT   00000000   cos
000016f8  00000407 R_386_JUMP_SLOT   00000000   fwrite
000016fc  00000507 R_386_JUMP_SLOT   00000000   fprintf
00001700  00000707 R_386_JUMP_SLOT   00000000   __cxa_finalize

[qtl@courier lib]$ objdump -R libfoobar.so

libfoobar.so:     file format elf32-i386

DYNAMIC RELOCATION RECORDS
OFFSET   TYPE              VALUE
00001608 R_386_RELATIVE    *ABS*
00001704 R_386_RELATIVE    *ABS*
000016d4 R_386_GLOB_DAT    __gmon_start__
000016d8 R_386_GLOB_DAT    _Jv_RegisterClasses
000016dc R_386_GLOB_DAT    stdout
000016e0 R_386_GLOB_DAT    __cxa_finalize
000016f0 R_386_JUMP_SLOT   __gmon_start__
000016f4 R_386_JUMP_SLOT   cos
000016f8 R_386_JUMP_SLOT   fwrite
000016fc R_386_JUMP_SLOT   fprintf
00001700 R_386_JUMP_SLOT   __cxa_finalize

It should also be noted that applying these two commands to a relocatable file (a .o file) does not work. The error messages are as follows:

[qtl@courier lib]$ readelf -D -r bar.o

There are no dynamic relocations in this file.

[qtl@courier lib]$ objdump -R bar.o

bar.o:     file format elf32-i386

objdump: bar.o: not a dynamic object
objdump: bar.o: Invalid operation

4. Displaying section information:
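readelf -S and objdump -h
For a relocatable file, objdump -h does not display the sections whose names begin with .rel, nor .shstrtab, .symtab and .strtab.
The readelf output, on the other hand, contains a .group section, whose content is the section group; it can be viewed with the -g option.
The output is as follows: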
[qtl@courier lib]$ readelf -S bar.o
There are 13 section headers, starting at offset 0x150:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .group            GROUP           00000000 000034 000008 04     11  11  4
  [ 2] .text             PROGBITS        00000000 00003c 00005c 00  AX  0   0  4
  [ 3] .rel.text         REL             00000000 0004bc 000030 08     11   2  4
  [ 4] .data             PROGBITS        00000000 000098 000000 00  WA  0   0  4
  [ 5] .bss              NOBITS          00000000 000098 000000 00  WA  0   0  4
  [ 6] .rodata           PROGBITS        00000000 000098 00000e 00   A  0   0  1
  [ 7] .comment          PROGBITS        00000000 0000a6 00002e 00      0   0  1
  [ 8] .text.__i686.get_ PROGBITS        00000000 0000d4 000004 00 AXG  0   0  1
  [ 9] .note.GNU-stack   PROGBITS        00000000 0000d8 000000 00      0   0  1
  [10] .shstrtab         STRTAB          00000000 0000d8 000075 00      0   0  1
  [11] .symtab           SYMTAB          00000000 000358 000110 10     12  10  4
  [12] .strtab           STRTAB          00000000 000468 000053 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

[qtl@courier lib]$ objdump -h bar.o

bar.o:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 __i686.get_pc_thunk.bx 00000008  00000000  00000000  00000034  2**2
                  CONTENTS, READONLY, EXCLUDE, GROUP, LINK_ONCE_DISCARD
  1 .text         0000005c  00000000  00000000  0000003c  2**2
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
  2 .data         00000000  00000000  00000000  00000098  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .bss          00000000  00000000  00000000  00000098  2**2
                  ALLOC
  4 .rodata       0000000e  00000000  00000000  00000098  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .comment      0000002e  00000000  00000000  000000a6  2**0
                  CONTENTS, READONLY
  6 .text.__i686.get_pc_thunk.bx 00000004  00000000  00000000  000000d4  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  7 .note.GNU-stack 00000000  00000000  00000000  000000d8  2**0
                  CONTENTS, READONLY

For a shared library, objdump -h still does not display the three sections .shstrtab, .symtab and .strtab. Another difference is that readelf starts with a section of type NULL, whereas the objdump output leaves this empty section out.
[qtl@courier lib]$ readelf -S libfoobar.so
There are 27 section headers, starting at offset 0x8f0:

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .gnu.hash         GNU_HASH        000000b4 0000b4 000048 04   A  2   0  4
  [ 2] .dynsym           DYNSYM          000000fc 0000fc 000110 10   A  3   1  4
  [ 3] .dynstr           STRTAB          0000020c 00020c 0000b3 00   A  0   0  1
  [ 4] .gnu.version      VERSYM          000002c0 0002c0 000022 02   A  2   0  2
  [ 5] .gnu.version_r    VERNEED         000002e4 0002e4 000050 00   A  3   2  4
  [ 6] .rel.dyn          REL             00000334 000334 000030 08   A  2   0  4
  [ 7] .rel.plt          REL             00000364 000364 000028 08   A  2   9  4
  [ 8] .init             PROGBITS        0000038c 00038c 000017 00  AX  0   0  4
  [ 9] .plt              PROGBITS        000003a4 0003a4 000060 04  AX  0   0  4
  [10] .text             PROGBITS        00000410 000410 0001a4 00  AX  0   0 16
  [11] .fini             PROGBITS        000005b4 0005b4 00001c 00  AX  0   0  4
  [12] .rodata           PROGBITS        000005d0 0005d0 00001d 00   A  0   0  1
  [13] .eh_frame         PROGBITS        000005f0 0005f0 000004 00   A  0   0  4
  [14] .ctors            PROGBITS        000015f4 0005f4 000008 00  WA  0   0  4
  [15] .dtors            PROGBITS        000015fc 0005fc 000008 00  WA  0   0  4
  [16] .jcr              PROGBITS        00001604 000604 000004 00  WA  0   0  4
  [17] .data.rel.ro      PROGBITS        00001608 000608 000004 00  WA  0   0  4
  [18] .dynamic          DYNAMIC         0000160c 00060c 0000c8 08  WA  3   0  4
  [19] .got              PROGBITS        000016d4 0006d4 000010 04  WA  0   0  4
  [20] .got.plt          PROGBITS        000016e4 0006e4 000020 04  WA  0   0  4
  [21] .data             PROGBITS        00001704 000704 000004 00  WA  0   0  4
  [22] .bss              NOBITS          00001708 000708 000010 00  WA  0   0  4
  [23] .comment          PROGBITS        00000000 000708 000114 00      0   0  1
  [24] .shstrtab         STRTAB          00000000 00081c 0000d2 00      0   0  1
  [25] .symtab           SYMTAB          00000000 000d28 0003d0 10     26  45  4
  [26] .strtab           STRTAB          00000000 0010f8 0001d7 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings)
  I (info), L (link order), G (group), x (unknown)
  O (extra OS processing required) o (OS specific), p (processor specific)

[qtl@courier lib]$ objdump -h libfoobar.so

libfoobar.so:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .gnu.hash     00000048  000000b4  000000b4  000000b4  2**2
                  CONTENTS, ALLOC, LOAD, READONLY,
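
The listings above can be cross-checked against each other. As an added example (not part of the original document), the Python below repacks the .rel.plt values shown by readelf into raw Elf32_Rel records, decodes the Info column as (symbol index << 8) | type, and verifies that each PLT stub's jmp displacement and push immediate agree with the JUMP_SLOT entries. It assumes the usual i386 PIC convention that %ebx holds the address of .got.plt (0x16e4 in the readelf -S listing); the names parse_rel and check_plt are hypothetical.

```python
import struct

REL_ENTSIZE = 8    # sizeof(Elf32_Rel); the ES column of .rel.plt in readelf -S
GOT_PLT = 0x16e4   # .got.plt Addr from readelf -S; assumed to be the value in %ebx
R_386 = {6: "R_386_GLOB_DAT", 7: "R_386_JUMP_SLOT", 8: "R_386_RELATIVE"}

# Constructed input: the (Offset, Info) pairs readelf prints for '.rel.plt',
# packed back into the raw little-endian records stored in the file.
REL_PLT = b"".join(struct.pack("<II", off, info) for off, info in [
    (0x16f0, 0x107), (0x16f4, 0x307), (0x16f8, 0x407),
    (0x16fc, 0x507), (0x1700, 0x707)])

# Constructed input from the objdump -d listing, one tuple per stub:
# (symbol, disp in `jmp *disp(%ebx)`, immediate in `push $imm`).
PLT_STUBS = [("__gmon_start__", 0x0c, 0x00), ("cos", 0x10, 0x08),
             ("fwrite", 0x14, 0x10), ("fprintf", 0x18, 0x18),
             ("__cxa_finalize", 0x1c, 0x20)]

def parse_rel(data):
    """Decode Elf32_Rel records; r_info = (symbol index << 8) | type."""
    if len(data) % REL_ENTSIZE:
        raise ValueError("relocation data is not a multiple of 8 bytes")
    return [{"offset": off, "sym": info >> 8,
             "type": R_386.get(info & 0xff, hex(info & 0xff))}
            for off, info in struct.iter_unpack("<II", data)]

def check_plt(stubs, rels, got_plt):
    """Return the stubs whose GOT slot or relocation index disagree with rels."""
    bad = []
    for name, disp, push_imm in stubs:
        index, rem = divmod(push_imm, REL_ENTSIZE)  # push $imm is a byte offset
        ok = (rem == 0 and index < len(rels)
              and rels[index]["type"] == "R_386_JUMP_SLOT"
              and rels[index]["offset"] == got_plt + disp)
        if not ok:
            bad.append(name)
    return bad

if __name__ == "__main__":
    rels = parse_rel(REL_PLT)
    print(f"{len(REL_PLT)} bytes = {len(rels)} entries")
    for r in rels:
        print(f"{r['offset']:08x} sym={r['sym']} {r['type']}")
    print("inconsistent stubs:", check_plt(PLT_STUBS, rels, GOT_PLT))
```

The 40-byte length and the 5-entry count are the two figures that readelf -D -r and readelf -r report for the same section, related by the 8-byte entry size.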