Linux: finding a variable's address by disassembly and changing it in a running program's memory with gdb (experiment)
2016-04-08 17:12
Prepare the sample file a.c:

```c
#include <stdio.h>
#include <unistd.h>

/* Two initialised globals with recognisable values; both are placed in .data. */
unsigned int a = 0xFFFFFFFF;
unsigned int b = 0xEEEEEEEE;

int main(void)
{
    /* Print both values once a second so a change made from outside shows up. */
    while (1) {
        printf("%x, %x\n", a, b);
        sleep(1);
    }
}
```

Compile the executable:

```
gcc -g a.c
```

Run a.out; it prints:

```
$ ./a.out
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
```

Analysing variable a

1. Disassemble a.out with objdump

```
$ objdump -D a.out > a.S
```

2. Look at the disassembly of main

```
0000000000400586 <main>:
  400586:	55                   	push   %rbp
  400587:	48 89 e5             	mov    %rsp,%rbp
  40058a:	8b 15 b0 0a 20 00    	mov    0x200ab0(%rip),%edx        # 601040 <b>
  400590:	8b 05 a6 0a 20 00    	mov    0x200aa6(%rip),%eax        # 60103c <a>
  400596:	89 c6                	mov    %eax,%esi
  400598:	bf 50 06 40 00       	mov    $0x400650,%edi
  40059d:	b8 00 00 00 00       	mov    $0x0,%eax
  4005a2:	e8 a9 fe ff ff       	callq  400450 <printf@plt>
  4005a7:	bf 01 00 00 00       	mov    $0x1,%edi
  4005ac:	e8 cf fe ff ff       	callq  400480 <sleep@plt>
  4005b1:	eb d7                	jmp    40058a <main+0x4>
  4005b3:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
  4005ba:	00 00 00
  4005bd:	0f 1f 00             	nopl   (%rax)
```

Or look directly at the .data section

```
Disassembly of section .data:

0000000000601038 <__data_start>:
  601038:	00 00                	add    %al,(%rax)
	...

000000000060103c <a>:
  60103c:	ff                   	(bad)
  60103d:	ff                   	(bad)
  60103e:	ff                   	(bad)
  60103f:	ff                   	(bad)

0000000000601040 <b>:
  601040:	ee                   	out    %al,(%dx)
  601041:	ee                   	out    %al,(%dx)
  601042:	ee                   	out    %al,(%dx)
  601043:	ee                   	out    %al,(%dx)
```

This gives the address of variable a: 60103c

3. Get the process id:

```
$ ps aux | grep a.out
yeqiang  22726  0.0  0.0   4172   688 pts/10   S+   17:00   0:00 ./a.out
```

4. Attach gdb to the process and modify the memory directly

```
$ gdb -p 22726
GNU gdb (GDB) Fedora 7.9.1-20.fc22
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Attaching to process 22726
Reading symbols from /tmp/a.out...done.
Reading symbols from /lib64/libc.so.6...Reading symbols from /usr/lib/debug/usr/lib64/libc-2.21.so.debug...done.
done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...Reading symbols from /usr/lib/debug/usr/lib64/ld-2.21.so.debug...done.
done.
0x00007fd7f0192d20 in __nanosleep_nocancel () at ../sysdeps/unix/syscall-template.S:81
81	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) p/x *0x60103c
$3 = 0xffffffff
(gdb) set *0x60103c=1
(gdb) c
Continuing.
```

5. Watch the program's output:

```
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
ffffffff, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
1, eeeeeeee
```

Done.
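As an added example that is not part of the original post, here is a small Python script that does step 2 mechanically on the objdump listing above: it pulls the symbol addresses out of the `.data` section headers and recomputes each rip-relative operand as the address of the next instruction plus the displacement, which is exactly how objdump arrives at the `# 60103c <a>` annotation. The sample text embedded in the script is constructed from the listing above, in objdump's tab-separated layout.

```python
import re

# Constructed sample: two rip-relative loads from main plus the .data symbol
# headers, laid out the way objdump -D prints them (tab-separated columns).
SAMPLE_OBJDUMP = """\
0000000000400586 <main>:
  400586:\t55                   \tpush   %rbp
  40058a:\t8b 15 b0 0a 20 00    \tmov    0x200ab0(%rip),%edx        # 601040 <b>
  400590:\t8b 05 a6 0a 20 00    \tmov    0x200aa6(%rip),%eax        # 60103c <a>
Disassembly of section .data:
000000000060103c <a>:
  60103c:\tff                   \t(bad)
0000000000601040 <b>:
  601040:\tee                   \tout    %al,(%dx)
"""

SYMBOL_RE = re.compile(r"^([0-9a-f]{16}) <([^>]+)>:$")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2} )+)\s*\t(.*)$")
RIPREL_RE = re.compile(r"0x([0-9a-f]+)\(%rip\).*#\s*([0-9a-f]+) <([^>]+)>")


def symbol_addresses(dump):
    """Map symbol name -> address from objdump's '<addr> <name>:' headers."""
    syms = {}
    for line in dump.splitlines():
        m = SYMBOL_RE.match(line)
        if m:
            syms[m.group(2)] = int(m.group(1), 16)
    return syms


def resolve_rip_relative(dump):
    """Recompute each rip-relative target as next_insn_addr + displacement and
    check it against the '# addr <sym>' annotation objdump printed."""
    targets = {}
    for line in dump.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        length = len(m.group(2).split())  # number of encoded bytes in this insn
        r = RIPREL_RE.search(m.group(3))
        if not r:
            continue
        computed = addr + length + int(r.group(1), 16)  # %rip = next instruction
        annotated = int(r.group(2), 16)
        if computed != annotated:
            raise ValueError("annotation mismatch at %x" % addr)
        targets[r.group(3)] = computed
    return targets
```

The address obtained this way is the one `set *0x60103c=1` writes to; gdb dereferences a bare integer literal as an `int`, so that command updates exactly the four bytes of `a`.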