在p59-0x08中看了如何在运行期获取进程的link_map地址,然后在Android上进行尝试。x86下,可执行程序入口的虚拟地址是0x0804800 所以在这个地址开始查找ELF头部,进一步找程序头部……最后找到link_map 地址但是,在Android下 入口虚拟地址是多少? 小弟也不知道发在这里对不对,希望能找到高人解答。附上代码:void read_data(pid_t pid, ulong addr, void *vptr, int len)
{
int i, count, remain, size;
long word;
ulong *ptr = (ulong *)vptr; size = sizeof(long);
count = len / size;
remain = len % size; for (i = 0; i < count; i++) {
word = ptrace(PTRACE_PEEKTEXT, pid, addr + i * size, NULL);
ptr[i] = word;
}
if (remain > 0) {
word = ptrace(PTRACE_PEEKTEXT, pid, addr + count * size, NULL);
ptr[i] = word;
}
}struct link_map * locate_linkmap(pid_t pid)
{
Elf32_Ehdr *ehdr = malloc(sizeof(Elf32_Ehdr));
Elf32_Phdr *phdr = malloc(sizeof(Elf32_Phdr));
Elf32_Dyn *dyn = malloc(sizeof(Elf32_Dyn));
Elf32_Word got;
struct link_map *lmap = malloc(sizeof(struct link_map));
ulong phdr_addr, dyn_addr, map_addr; // What is the fucking IMAGE ADDRESS ?!
read_data(pid, IMAGE_ADDR, ehdr, sizeof(Elf32_Ehdr)); phdr_addr = IMAGE_ADDR + ehdr->e_phoff;
printf("[D] program header at %p\n", phdr_addr); read_data(pid, phdr_addr, phdr, sizeof(Elf32_Phdr)); printf("[D] read data of phdr successfully.\n"); while ( phdr->p_type != PT_DYNAMIC ) {
read_data(pid, phdr_addr += sizeof(Elf32_Phdr), phdr, \
sizeof(Elf32_Phdr));
printf("[D] finding PT_DYNAMIC...\n");
}
dyn_addr = phdr->p_vaddr;
printf("[D] dynamic sections start at %x\n", dyn_addr);
read_data(pid, dyn_addr, dyn, sizeof(Elf32_Dyn));
while ( dyn->d_tag != DT_PLTGOT ) {
read_data(pid, dyn_addr += sizeof(Elf32_Dyn), dyn, \
sizeof(Elf32_Dyn));
} got = (Elf32_Word) dyn->d_un.d_ptr;
got += 4; read_data(pid, (ulong)got, &map_addr, 4);
printf("[D] link_map at %x\n", map_addr);
read_data(pid, map_addr, lmap, sizeof(struct link_map)); free(ehdr);
free(phdr);
free(dyn);
return lmap;
}
{
int i, count, remain, size;
long word;
ulong *ptr = (ulong *)vptr; size = sizeof(long);
count = len / size;
remain = len % size; for (i = 0; i < count; i++) {
word = ptrace(PTRACE_PEEKTEXT, pid, addr + i * size, NULL);
ptr[i] = word;
}
if (remain > 0) {
word = ptrace(PTRACE_PEEKTEXT, pid, addr + count * size, NULL);
ptr[i] = word;
}
}struct link_map * locate_linkmap(pid_t pid)
{
Elf32_Ehdr *ehdr = malloc(sizeof(Elf32_Ehdr));
Elf32_Phdr *phdr = malloc(sizeof(Elf32_Phdr));
Elf32_Dyn *dyn = malloc(sizeof(Elf32_Dyn));
Elf32_Word got;
struct link_map *lmap = malloc(sizeof(struct link_map));
ulong phdr_addr, dyn_addr, map_addr; // What is the fucking IMAGE ADDRESS ?!
read_data(pid, IMAGE_ADDR, ehdr, sizeof(Elf32_Ehdr)); phdr_addr = IMAGE_ADDR + ehdr->e_phoff;
printf("[D] program header at %p\n", phdr_addr); read_data(pid, phdr_addr, phdr, sizeof(Elf32_Phdr)); printf("[D] read data of phdr successfully.\n"); while ( phdr->p_type != PT_DYNAMIC ) {
read_data(pid, phdr_addr += sizeof(Elf32_Phdr), phdr, \
sizeof(Elf32_Phdr));
printf("[D] finding PT_DYNAMIC...\n");
}
dyn_addr = phdr->p_vaddr;
printf("[D] dynamic sections start at %x\n", dyn_addr);
read_data(pid, dyn_addr, dyn, sizeof(Elf32_Dyn));
while ( dyn->d_tag != DT_PLTGOT ) {
read_data(pid, dyn_addr += sizeof(Elf32_Dyn), dyn, \
sizeof(Elf32_Dyn));
} got = (Elf32_Word) dyn->d_un.d_ptr;
got += 4; read_data(pid, (ulong)got, &map_addr, 4);
printf("[D] link_map at %x\n", map_addr);
read_data(pid, map_addr, lmap, sizeof(struct link_map)); free(ehdr);
free(phdr);
free(dyn);
return lmap;
}
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货