...

Formato degli Eseguibili e Strumenti Avanzati di Compilazione

by user

on
Category: Documents
24

views

Report

Comments

Transcript

Formato degli Eseguibili e Strumenti Avanzati di Compilazione
Dipartimento di Informatica e Sistemistica
Executable Format and
Advanced Compiling
Tools
Alessandro Pellegrini
[email protected]
http://www.dis.uniroma1.it/~pellegrini
Operating Systems II - Laurea Magistrale in Computer Engineering
Compiling Process
User-created files
Makefile
Make
C/C++ Sources
Sorgenti
C/C++
Header
e And
File Header
Files
assembler
Object File
Linker
Library File
Shared
Object
Linker
Script
File
preprocessor
compiler
Archive (ar)
Sorgenti
Assembly
Assembly
Sources
Relocatable
File
Executable
File
Link Map
File
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Object File Format
• For more than 20 years, *nix executable file format has
been a.out per oltre 20 anni (since 1975 to 1998).
• This format was made up of at most 7 sections:
 exec header: loading information;
 text segment: machine instructions;
 data segment: initialized data;
 text relocations: information to update pointers;
 data relocations: information to update pointers;
 symbol table: information on variables and functions;
 string table: names associated with symbols.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Object File Format
• This format's limits were:
cross-compiling;
dynamic linking;
creation of symple shared libaries;
support of initializers/finalizers (e.g. constructors
and destructors in C++).
• Linux has definitively replaced a.out with ELF
(Executable and Linkable Format) in version 1.2 (more or
less in 1995).
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
ELF Types of Files
ELF defines the format of binary executables. There are
four different categories:
●
➢
➢
➢
➢
●
Relocatabale (Created by compilers and assemblers. Must be processed by
the linker before being run).
Executable (All symbols are resolved, except for shared libraries’ symbols,
which are resolved at runtime).
Shared object (A library which is shared by different programs, contains all
the symbols’ information used by the linker, and the code to be executed at
runtime).
Core file (a core dump).
ELF files have a twofold nature
➢
➢
Compilers, assemblers and linkers handle them as a set of logical sections;
The system loader handles them as a set of segments.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
ELF File’s Structure
Relocatable File
Executable File
ELF Header
(optional, ignored)
Program
Header
Describes segments
Sections
Segments
Describes Sections
Section
Header
(optional, ignored)
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
ELF Header
#define EI_NIDENT (16)
typedef struct {
unsigned char e_ident[EI_NIDENT];/* Magic number and other info */
Elf32_Half
e_type;
/* Object file type */
Elf32_Half
e_machine;
/* Architecture */
Elf32_Word
e_version;
/* Object file version */
Elf32_Addr
e_entry;
/* Entry point virtual address */
Elf32_Off
e_phoff;
/* Program header table file offset */
Elf32_Off
e_shoff;
/* Section header table file offset */
Elf32_Word
e_flags;
/* Processor-specific flags */
Elf32_Half
e_ehsize;
/* ELF header size in bytes */
Elf32_Half
e_phentsize; /* Program header table entry size */
Elf32_Half
e_phnum;
/* Program header table entry count */
Elf32_Half
e_shentsize; /* Section header table entry size */
Elf32_Half
e_shnum;
/* Section header table entry count */
Elf32_Half
e_shstrndx; /* Section header string table index */
} Elf32_Ehdr;
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Relocatable File
A relocatable file or a shared object is a collection of
sections
● Each section contains a single kind of information, such
as exdecutable code, read-only data, read/write data,
relocation entries, or symbols.
● Each symbol’s address is defined in relation to the
section which contains it.
●
●
For example, a function’s entry point is defined in relation to
the section of the program which contains it.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Section Header
typedef struct {
Elf32_Word
sh_name;
Elf32_Word
sh_type;
Elf32_Word
sh_flags;
Elf32_Addr
sh_addr;
Elf32_Off
sh_offset;
Elf32_Word
sh_size;
Elf32_Word
sh_link;
Elf32_Word
sh_info;
Elf32_Word
sh_addralign;
Elf32_Word
sh_entsize;
} Elf32_Shdr;
/*
/*
/*
/*
/*
/*
/*
/*
/*
/*
Section name (string tbl index) */
Section type */
Section flags */
Section virtual addr at execution */
Section file offset */
Section size in bytes */
Link to another section */
Additional section information */
Section alignment */
Entry size if section holds table */
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Types and Flags in Section Header
PROGBITS: The section contains the program content (code, data,
debug information).
NOBITS: Same as PROGBITS, yet with a null size.
SYMTAB and DYNSYM: The section contains a symbol table.
STRTAB: The section contains a string table.
REL and RELA: The section contains relocation information.
DYNAMIC and HASH: The section contains dynamic linking
information.
WRITE: The section contais runtime-writeable data.
ALLOC: The section occupies memory at runtime.
EXECINSTR: The section contains executable machine instructions.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Some Sections
.text: contains program’s instructions
●
➢
➢
Type: PROGBITS
Flags: ALLOC + EXECINSTR
.data: contains preinitialized read/write data
●
➢
➢
Type: PROGBITS
Flags: ALLOC + WRITE
.rodata: contains preinitialized read-only data
●
➢
➢
Type: PROGBITS
Flags: ALLOC
.bss: contains uninitialized data. The system will set them to zero
at program startup.
●
➢
➢
Type: NOBITS
Flags: ALLOC + WRITE
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
String Table
Sections keeping string tables contain sequence of nullterminated strings.
● Ojbect files use a string table to represent symbols’ and
sections’ names.
● A string is referred using an index in the table.
● Symbol table and symbol names are separated because there
is no limit in names’ length in C/C++
●
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Symbol Table
Symbol table keeps in an object file the information
necessary to identify and relocate symbolic definitions
in a program and its references.
●
typedef struct {
Elf32_Word
st_name;
Elf32_Addr
st_value;
Elf32_Word
st_size;
unsigned char st_info;
unsigned char st_other;
Elf32_Section st_shndx;
} Elf32_Sym;
/*
/*
/*
/*
/*
/*
Symbol name */
Symbol value */
Symbol size */
Symbol binding */
Symbol visibility */
Section index */
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Static Relocation Table
Relocation is the process which connects references to
symbols with definition of symbols.
● Relocatable files must keep information on how to
modify the contents of sections.
●
typedef struct {
Elf32_Addr
r_offset; /* Address */
Elf32_Word
r_info;
/* Relocation type and symbol index */
} Elf32_Rel;
typedef struct {
Elf32_Addr
r_offset; /* Address */
Elf32_Word
r_info;
/* Relocation type and symbol index */
Elf32_Sword
r_addend; /* Addend */
} Elf32_Rela;
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Executable Files
●
Usually, an executable file has only few segments::
A read-only segment for code.
➢ A read-only segment for read-only data.
➢ A read/write segment for other data.
➢
Any section marked with flag ALLOCATE are packed in
the proper segment, to that the operating system is able
to map the file to memory with few operations.
●
➢
For example, if .data and .bss sections are pesent, they are
placed within the same read/write segment.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Program Header
typedef struct {
Elf32_Word
p_type;
Elf32_Off
p_offset;
Elf32_Addr
p_vaddr;
Elf32_Addr
p_paddr;
Elf32_Word
p_filesz;
Elf32_Word
p_memsz;
Elf32_Word
p_flags;
Elf32_Word
p_align;
} Elf32_Phdr;
/*
/*
/*
/*
/*
/*
/*
/*
Segment
Segment
Segment
Segment
Segment
Segment
Segment
Segment
type */
file offset */
virtual address */
physical address */
size in file */
size in memory */
flags */
alignment */
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Linker’s Role
ELF Header
Section 1
Section 2
...
Section n
Sec. Header Table
ELF Header
Prog. Header Table
Segment 1
Segment
Segment
2 Data
2
Relocatable File 1
Segment 3
ELF Header
Section 1
Section 2
...
Section n
Sec. Header Table
Executable File
Relocatable File 2
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Static Relocation
1bc1: e8 fc ff ff ff
1bc6: 83 c4 10
1bc9: a1 00 00 00 00
call
add
mov
1bc2 <main+0x17fe>
$0x10,%esp
0x0,%eax
8054e59: e8 9a 55 00 00
8054e5e: 83 c4 10
8054e61: a1 f8 02 06 08
call
add
mov
805a3f8 <Foo>
$0x10,%esp
0x80602f8,%eax
Instructions’ position
Varliables’ addresses
Functions’ entry points
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Directives: Linker Script
• The simplest form of linker script contains only a
SECTIONS directive;
• The SECTIONS directive describes memory layout of
the linker-generated file.
SECTIONS
{
. = 0x10000;
.text : { *(.text) }
. = 0x8000000;
.data : { *(.data) }
.bss : { *(.bss) }
}
Sets location counter’s value
Places all input files’s .text sections
in the output file’s .text section at the
address specified by the location counter.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Example: C code
#include <stdio.h>
int xx, yy;
int main(void) {
xx = 1;
yy = 2;
printf ("xx %d yy %d\n", xx, yy);
}
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Example: ELF Header
$ objdump -x esempio-elf
esempio-elf:
file format elf32-i386
architecture: i386, flags 0x00000112:
EXEC_P, HAS_SYMS, D_PAGED
start address 0x08048310
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Example: Program Header
PHDR off
filesz
INTERP off
filesz
LOAD off
filesz
LOAD off
filesz
DYNAMIC off
filesz
NOTE off
filesz
STACK off
filesz
RELRO off
filesz
0x00000034
0x00000100
0x00000134
0x00000013
0x00000000
0x000004f4
0x00000f0c
0x00000108
0x00000f20
0x000000d0
0x00000148
0x00000020
0x00000000
0x00000000
0x00000f0c
0x000000f4
vaddr
memsz
vaddr
memsz
vaddr
memsz
vaddr
memsz
vaddr
memsz
vaddr
memsz
vaddr
memsz
vaddr
memsz
0x08048034
0x00000100
0x08048134
0x00000013
0x08048000
0x000004f4
0x08049f0c
0x00000118
0x08049f20
0x000000d0
0x08048148
0x00000020
0x00000000
0x00000000
0x08049f0c
0x000000f4
paddr
flags
paddr
flags
paddr
flags
paddr
flags
paddr
flags
paddr
flags
paddr
flags
paddr
flags
0x08048034
r-x
0x08048134
r-0x08048000
r-x
0x08049f0c
rw0x08049f20
rw0x08048148
r-0x00000000
rw0x08049f0c
r--
align 2**2
align 2**0
align 2**12
align 2**12
align 2**2
align 2**2
align 2**2
align 2**0
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Example: Dynamic Section
NEEDED
INIT
FINI
HASH
STRTAB
SYMTAB
STRSZ
SYMENT
DEBUG
PLTGOT
PLTRELSZ
PLTREL
JMPREL
libc.so.6
0x08048298
0x080484bc
0x08048168
0x08048200
0x080481b0
0x0000004c
0x00000010
0x00000000
0x08049ff4
0x00000018
0x00000011
0x08048280
There is the need to link to this
shared library to use printf()
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Example: Sections Header
Idx Name
2
.hash
10 .init
11 .plt
12 .text
13 .fini
14 .rodata
22 .data
23 .bss
Size
00000028
CONTENTS,
00000030
CONTENTS,
00000040
CONTENTS,
000001ac
CONTENTS,
0000001c
CONTENTS,
00000015
CONTENTS,
00000008
CONTENTS,
00000010
ALLOC
VMA
LMA
File off
08048168 08048168 00000168
ALLOC, LOAD, READONLY, DATA
08048298 08048298 00000298
ALLOC, LOAD, READONLY, CODE
080482c8 080482c8 000002c8
ALLOC, LOAD, READONLY, CODE
08048310 08048310 00000310
ALLOC, LOAD, READONLY, CODE
080484bc 080484bc 000004bc
ALLOC, LOAD, READONLY, CODE
080484d8 080484d8 000004d8
ALLOC, LOAD, READONLY, ATA
0804a00c 0804a00c 0000100c
ALLOC, LOAD, DATA
0804a014 0804a014 00001014
Algn
2**2
2**2
2**2
2**4
2**2
2**2
2**2
2**2
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Example: Symbol Table
...
00000000
08049f0c
08049f0c
08049f20
0804a00c
08048420
08048310
00000000
...
08049f18
08048430
00000000
0804a01c
0804a014
0804a024
0804a014
0804848a
080483c4
08048298
0804a020
l
l
l
l
w
g
g
w
g
g
g
g
g
g
g
g
g
g
df *ABS*
.ctors
.ctors
O .dynamic
.data
F .text
F .text
*UND*
O
F
F
O
F
F
F
O
.dtors
.text
*UND*
.bss
*ABS*
*ABS*
*ABS*
.text
.text
.init
.bss
00000000
00000000
00000000
00000000
00000000
00000005
00000000
00000000
00000000
0000005a
00000000
00000004
00000000
00000000
00000000
00000000
0000004d
00000000
00000004
esempio-elf.c
.hidden __init_array_end
.hidden __init_array_start
.hidden _DYNAMIC
data_start
__libc_csu_fini
_start
__gmon_start__
.hidden __DTOR_END__
__libc_csu_init
printf@@GLIBC_2.0
yy
__bss_start
_end
_edata
.hidden __i686.get_pc_thunk.bx
main
_init
xx
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Symbols Visibility
●
●
weak symbols:
➢ More module can have a simbol with the same name of a weak one;
➢ The declared entity cannot be overloaded by other modules;
➢ It is useful for libraries which want to avoid conflicts with user
programs.
gcc version 4.0 gives the command line option -fvisibility:
➢ default: normal behaviour, the symbol is seen by other modules;
➢ hidden: two declarations of an object refer the same object only if
they are in the same shared object;
➢ internal: an entity declared in a module cannot be referenced even
by pointer;
➢ protected: the symbol is weak;
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Symbols Visibility (2)
int variable __attribute__ ((visibility (“hidden”)));
#pragma GCC visibility push(hidden)
int variable;
int increment(void) {
return ++variable;
}
#pragma GCC visibility pop
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Linux Loader
●
In fs/exec.c:
➢ do_execve():
About 50 lines of code;
Performs some error checks and fill the structure struct
linux_binprm;
Looks for a binary file handler.
➢
●
search_binary_handler():
Scans a list of binary file hanlders registered in the kernel;
If no handler is able to recognize the image format, syscall returs
the ENOEXEC error (“Exec Format Error”);
In fs/binfmt_elf.c:
➢ load_elf_binary():
Load image file to memory using mmap;
Reads the program header and sets permissions accordingly
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter an ELF: Reordering
ELF Header
ELF Header
Section 1
Section 2
Sec. Header Table
Section n
Section 3
...
Section 4
Section 4
...
Section 3
Section n
Sec. Header Table
Section 2
Section 1
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter an ELF: Reordering
#include
#include
#include
#include
#include
#include
<stdio.h>
<stdlib.h>
<string.h>
<unistd.h>
<fcntl.h>
<elf.h>
To access structures describing
and ELF file
int main(int argc, char **argv) {
int elf_src, elf_dst, file_size, i;
char *src_image, *dst_image, *ptr;
Elf32_Ehdr *ehdr_src, *ehdr_dst;
Elf32_Shdr *shdr_src, *shdr_dst;
if((elf_src = open(argv[1], O_RDONLY)) == -1) exit(-1);
if((elf_dst = creat(argv[2], 0644)) == -1) exit(-1);
file_size = lseek(elf_src, 0L, SEEK_END);
lseek(elf_src, 0L, SEEK_SET);
src_image = malloc(file_size);
ptr = dst_image = malloc(file_size);
read(elf_src, src_image, file_size);
ehdr_src = (Elf32_Ehdr *)src_image;
The
ehdr_dst = (Elf32_Ehdr *)dst_image;
memcpy(ptr, src_image, sizeof(Elf32_Ehdr));
ptr += sizeof(Elf32_Ehdr);
two ELF header are (mostly)
the same
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Modificare un ELF: Riordino
shdr_dst = (Elf32_Shdr *)ptr;
shdr_src = (Elf32_Shdr *)(src_image + ehdr_src->e_shoff);
ehdr_dst->e_shoff = sizeof(Elf32_Ehdr);
ptr += ehdr_src->e_shnum * ehdr_dst->e_shentsize;
Corrects the header position in the file
memcpy(shdr_dst, shdr_src, sizeof(Elf32_Shdr));
Copies sections and headers
for(i = ehdr_src->e_shnum - 1; i > 0; i--) {
memcpy(shdr_dst + ehdr_src->e_shnum - i, shdr_src + i, sizeof(Elf32_Shdr));
memcpy(ptr, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size);
shdr_dst[ehdr_src->e_shnum - i].sh_offset = ptr - dst_image;
if(shdr_src[i].sh_link > 0)
shdr_dst[ehdr_src->e_shnum - i].sh_link = ehdr_src->e_shnum - shdr_src[i].sh_link;
if(shdr_src[i].sh_info > 0)
shdr_dst[ehdr_src->e_shnum - i].sh_info = ehdr_src->e_shnum - shdr_src[i].sh_info;
ptr += shdr_src[i].sh_size;
}
ehdr_dst->e_shstrndx = ehdr_src->e_shnum - ehdr_src->e_shstrndx;
write(elf_dst, dst_image, file_size);
close(elf_src);
close(elf_dst);
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: Reordering
$ readelf -S esempio-elf.o
There are 11 section headers, starting at offset 0x108:
Section Headers:
[Nr] Name
[ 0]
[ 1] .text
[ 2] .rel.text
[ 3] .data
[ 4] .bss
[ 5] .rodata
[ 6] .comment
[ 7] .note.GNU-stack
[ 8] .shstrtab
[ 9] .symtab
[10] .strtab
Type
NULL
PROGBITS
REL
PROGBITS
NOBITS
PROGBITS
PROGBITS
PROGBITS
STRTAB
SYMTAB
STRTAB
Addr
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
Off
000000
000034
0003a4
000084
000084
000084
000091
0000b6
0000b6
0002c0
000380
Size
000000
00004d
000030
000000
000000
00000d
000025
000000
000051
0000c0
000021
ES Flg Lk Inf Al
00
0
0 0
00 AX 0
0 4
08
9
1 4
00 WA 0
0 4
00 WA 0
0 4
00
A 0
0 1
00
0
0 1
00
0
0 1
00
0
0 1
10
10
8 4
00
0
0 1
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: Reordering
$ readelf -S riordinato.o
There are 11 section headers, starting at offset 0x34:
Section Headers:
[Nr] Name
[ 0]
[ 1] .strtab
[ 2] .symtab
[ 3] .shstrtab
[ 4] .note.GNU-stack
[ 5] .comment
[ 6] .rodata
[ 7] .bss
[ 8] .data
[ 9] .rel.text
[10] .text
Type
NULL
STRTAB
SYMTAB
STRTAB
PROGBITS
PROGBITS
PROGBITS
NOBITS
PROGBITS
REL
PROGBITS
Addr
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
00000000
Off
000000
0001ec
00020d
0002cd
00031e
00031e
000343
000350
000350
000350
000380
Size
000000
000021
0000c0
000051
000000
000025
00000d
000000
000000
000030
00004d
ES Flg Lk Inf Al
00
0
0 0
00
0
0 1
10
1
3 4
00
0
0 1
00
0
0 1
00
0
0 1
00
A 0
0 1
00 WA 0
0 4
00 WA 0
0 4
08
2 10 4
00 AX 0
0 4
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: nop
ELF Header
Sezione 1
Sezione 2
Sezione 3
Sezione 4
...
ELF Header
Sezione 1
Sezione 2
Sezione 3
nop
Sezione 4
...
Sezione n
Tabella Header Sez.
Sezione n
Tabella Header Sez.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: nop (2)
#include
#include
#include
#include
#include
#include
<stdio.h>
<stdlib.h>
<string.h>
<unistd.h>
<fcntl.h>
<elf.h>
#define NOP_NUM 10
#define NOP_CODE 0x90 // 1 byte
#define SEC_NUM 1
int main(int argc, char **argv) {
int elf_src, elf_dst, file_size, i;
char *src_image, *dst_image;
Elf32_Ehdr *ehdr_src;
Elf32_Shdr *shdr_src, *shdr_dst;
if((elf_src = open(argv[1], O_RDONLY)) == -1) exit(-1);
if((elf_dst = creat(argv[2], 0644)) == -1) exit(-1);
file_size = lseek(elf_src, 0L, SEEK_END);
lseek(elf_src, 0L, SEEK_SET);
src_image = malloc(file_size);
dst_image = malloc(file_size + NOP_NUM);
read(elf_src, src_image, file_size);
ehdr_src = (Elf32_Ehdr *)src_image;
shdr_src = (Elf32_Shdr *)(src_image + ehdr_src->e_shoff);
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: nop (3)
shdr_dst = (Elf32_Shdr *)(dst_image + ehdr_src->e_shoff + NOP_NUM);
Inserts nops
memcpy(dst_image, src_image, sizeof(Elf32_Ehdr));
((Elf32_Ehdr *)dst_image)->e_shoff += NOP_NUM;
for(i = 0; i <= SEC_NUM; i++)
memcpy(dst_image + shdr_src[i].sh_offset, src_image + shdr_src[i].sh_offset,
shdr_src[i].sh_size);
memset(dst_image + shdr_src[SEC_NUM].sh_offset + shdr_src[SEC_NUM].sh_size, NOP_CODE, NOP_NUM);
for(i = SEC_NUM + 1; i < ehdr_src->e_shnum; i++)
memcpy(dst_image + shdr_src[i].sh_offset + NOP_NUM, src_image + shdr_src[i].sh_offset,
shdr_src[i].sh_size);
for(i = 0; i <= SEC_NUM; i++)
memcpy(shdr_dst + i, shdr_src + i, sizeof(Elf32_Shdr));
shdr_dst[SEC_NUM].sh_size += NOP_NUM;
Corrects section’s size
for(i = SEC_NUM + 1; i < ehdr_src->e_shnum; i++) {
memcpy(shdr_dst + i, shdr_src + i, sizeof(Elf32_Shdr));
shdr_dst[i].sh_offset += NOP_NUM;
}
write(elf_dst, dst_image, file_size + NOP_NUM);
close(elf_src);
close(elf_dst);
Moves forward
other sections
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: nop (4)
$ objdump -S esempio-elf.o
Disassembly of section .text:
00000000 <main>:
0:
8d 4c 24 04
lea
4:
83 e4 f0
and
7:
ff 71 fc
pushl
a:
55
push
[...]
38:
c7 04 24 00 00 00 00 movl
3f:
e8 fc ff ff ff
call
44:
83 c4 14
add
47:
59
pop
48:
5d
pop
49:
8d 61 fc
lea
4c:
c3
ret
0x4(%esp),%ecx
$0xfffffff0,%esp
-0x4(%ecx)
%ebp
$0x0,(%esp)
40 <main+0x40>
$0x14,%esp
%ecx
%ebp
-0x4(%ecx),%esp
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Alter and ELF: nop (5)
$ objdump -S nop.o
Disassembly of section .text:
00000000 <main>:
0:
8d 4c 24 04
lea
4:
83 e4 f0
and
7:
ff 71 fc
pushl
a:
55
push
[...]
38:
c7 04 24 00 00 00 00 movl
3f:
e8 fc ff ff ff
call
44:
83 c4 14
add
47:
59
pop
48:
5d
pop
49:
8d 61 fc
lea
4c:
c3
ret
4d:
90
nop
4e:
90
nop
4f:
90
nop
50:
90
nop
[...]
0x4(%esp),%ecx
$0xfffffff0,%esp
-0x4(%ecx)
%ebp
$0x0,(%esp)
40 <main+0x40>
$0x14,%esp
%ecx
%ebp
-0x4(%ecx),%esp
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Lin/Glaurung.676/666
• Its an appending virus;
• Changes the fiels EI_PAD at offset (0x0007-0x000f) changing its
value from 0 to 21;
• File’s entry value is the position of the injected code (0x08049bd4
instead of 0x8048320);
• Infects every ELF file found in PWD and in /bin;
• The analyzed infected file passed from 3028 bytes (0x0bd3) to 3694
bytes (0xe6e), an increment of 666 bytes (0x29a).
0x0000
0x0000
• ELF file’s size is incremented
Entry
.ELF
.ELF
point
(p_filesize and p_memsize
Codice Prog.
become 0x0a1e instead of
Codice Prog.
0xbd3
0x00e0 e 0x00f8, respectively)
0x0bd3
0xbd4
Codice Virus
0xe6e
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Lin/Glaurung.676/666 (2)
00000000
00000010
00000020
00000030
00000040
00000050
00000060
00000070
00000080
00000090
000000A0
000000B0
000000C0
000000D0
000000E0
000000F0
00000100
7F
02
EC
19
34
04
F4
01
00
00
50
00
90
04
08
01
78
45
00
07
00
80
00
80
00
00
10
94
10
94
00
81
00
2E
4C
03
00
18
04
00
04
00
04
00
04
00
04
00
04
00
73
46
00
00
00
08
00
08
00
00
00
08
00
08
00
08
00
6F
01
01
00
00
C0
03
13
01
50
01
1E
02
A0
04
20
2F
2E
01
00
00
06
00
00
00
00
04
00
0A
00
00
00
00
6C
32
01
00
00
00
00
00
00
00
00
00
00
00
00
00
00
69
00
21
00
00
00
00
00
00
00
00
00
00
00
00
00
00
62
00
00
D4
34
34
C0
F4
13
00
50
50
1E
90
A0
08
20
2F
04
00
9B
00
00
00
00
00
00
04
04
0A
04
00
01
00
6C
00
00
04
20
00
00
00
00
00
00
00
00
00
00
00
00
64
00
00
08
00
00
00
00
00
00
00
00
00
00
00
00
00
2D
00
00
34
06
34
05
F4
C4
C0
05
50
C6
90
C6
C8
C4
6C
10
00
00
00
80
00
80
00
80
00
94
C0
94
00
81
00
69
00
00
00
20
04
00
04
00
04
00
04
00
04
00
04
00
6E
00
00
00
00
08
00
08
00
08
00
08
00
08
00
08
00
75
00
▌ELF...!........
........Ô▌..4...
i.......4.....(.
........4...4▌..
4▌..À...À.......
........ô...ô▌..
ô▌..............
.............▌..
.▌..P...P.......
........P...P▌..
P▌..............
........▌...▌▌..
▌▌..............
.............▌..
.▌..............
..../lib/ld-linu
x.so.2..........
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Code Instrumentation
• If it is possible to alter an ELF file’s structure, then it is possible to
modify the original behavior of the code: this technique is called
instrumentation.
• Problems of this technique:
• Must work at machine-code level: it is necessary to insert in an
ELF file a byte stream which corresponds to particular assembly
instructions;
• To instrument transparently to the the user, it is important to
keep references coherence in the code;
• It is necessary as well the ability to interpret the original
program’s code, to find the right positions in the code where to
inject instrumentation code.
• This technique is highly used in debugging and in vulnerability
assessment.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Instruction Set i386
Prefixes
Opcode
Up to 4,
1 byte
each
1, 2 or 3 byte
Mod
7
ModR/M
SIB
1 byte
(if present)
Reg /
Opcode
6 5
Displacement Immediate
1 byte
0, 1, 2 or 4 byte 0, 1, 2 or 4 byte
(if present)
R/M
3 2
Scale
0
7
Index
6 5
Base
3 2
0
Instructions are therefore of variable length
(with an upper bound of 15 bytes):
85
75
c7
eb
8b
8d
0f
c0
09
45
59
45
4c
b7
ec 00 00 00 00
08
24 04
40 2e
test
jnz
movl
jmp
mov
lea
movzwl
%eax,%eax
4c
$0x0,-0x14(%ebp)
a5
0x8(%ebp),%eax
0x4(%esp),%ecx
0x2e(%eax),%eax
Opcode,
ModR/M,
SIB,
Displacement,
Immediate
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Instruction Set i386 (2)
R/M fields in ModR/M byte and Scale /Index fields in SIB
byte identify registers;
●
General purpose registers are numbered from da 0 a 7 in
this order: eax (000), ecx (001), edx (010), ebx (011), esp
(100), ebp (101), esi (110), edi (111).
●
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
ELF File Altering: an Example
• Section Header Table is scanned looking for sections
containing code (type: PROGBITS, flag: EXECINSTR);
• Each section is parsed one byte by one;
• Using an opcode-family table the instructions are
disassembled, identifying the instructions which have as
destination operand a memory location (global variables or
dynamically allocated memory);
• Destination operand is decomposed in base, indice, scale and
offset.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Instruction Table Generation
• To add a minimal overhead to the program, two choices are
made:
• Monitoring routine is written directly in assembly;
• No runtime intepretation of instruction is made.
• During th parsing phase, interesting information is cached in a table:
struct insn_entry {
unsigned long ret_addr;
unsigned int size;
char flags;
char base;
char idx;
char scala;
long offset;
};
• This table can be searched using a binary search in O(log n) time.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Monitor Hooking
• Monitoring routine is hooked by injecting before any memory-write
instruction a call to a routine called monitor;
a1 90 60 04 08
83 c0 01
a3 90 60 04 08
mov
add
mov
0x8046090,%eax
$0x1,%eax
%eax,0x8046090
a1
83
e8
a3
90
c0
fc
90
60 04 08
01
ff ff ff
60 04 08
mov
add
call
mov
0x8046090,%eax
$0x1,%eax
monitor
%eax,0x8046090
• We use a call instead of a less costly jump because, by relying on th
ereturn value, it is possible to know which original instruction caused the
invocation of the monitor;
• Due to this calls insertion, the original sections must be resized (using
techniques previously seen) and relocation tables must be corrected.
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
References Correction
• Due to the insertion of instructions, references between portions
of code/data are now inconsistent;
• We must therefore:
 Correct functions entry points;
 Correct every branch instruction
• Intra-segment jumps in i386 are expressed as offsets starting from
the current value of eip register, when executing the instruction;
• To correct them, it is necessary to scan the program text a second
time and apply a correction to this offest, depending on the
amount of bytes inserted in the code;
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Dynamic Branch Correction
• A particular type of branch (indirect branch, or register branch)
allows to specify a branch destination by the value stored in a
particular register or in a memory location;
• This instruction’s sematic depends of the actual exectuion flow: it
cannot be corrected statically;
• These instructions are handled as memory-write instructions: they
are replaced with a function call (correct_branch) that, using
the information stored in two tables, creates a correct jump.
8b 04 95 2c 00 00 00
ff e0
mov
jmp
0x2c(,%edx,4),%eax
*%eax
8b 04 95 2c 00 00 00
e8 fc ff ff ff
e9 00 00 00 00
mov
call
jmp
0x2c(,%edx,4),%eax
correct_branch
?? ?? ?? ??
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
applicazione
EAX: ?????????????
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: ?????????????
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
monitor:
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: ?????????????
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
monitor:
EBX
EDX
ECX
EAX
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: esp corrente
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
monitor:
EBX
EDX
ECX
EAX
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: esp originale
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
monitor:
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: esp originale
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
monitor:
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: esp originale
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: ?????????????
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: esp originale
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
ESI: chiave di ricerca
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
push
push
push
push
mov
sub
add
mov
push
push
push
pushfw
mov
sub
mov
%eax
%ecx
%edx
%ebx
%esp, %eax
$4, %esp
$16, %eax
%eax, (%esp)
%ebp
%esi
%edi
14(%esp), %ebp
$4, %ebp
4(%ebp), %esi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: esp originale
EBX: low
ECX: high
EDX: ?????????????
monitor
applicazione
ESI: chiave di ricerca
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
xor
%ebx, %ebx
mov
$DIM, %ecx
jmp
.Cerca
.HighHalf: lea
0x1(%edx), %ebx
cmp
%ecx, %ebx
jae
.Trovato
.Cerca: lea
(%ecx,%ebx,1), %edx
shr
%edx
mov
%edx, %eax
shl
$0x4,%eax
cmp
%esi, insn_table(%eax)
jb
.HighHalf
.LowHalf: mov
%edx, %ecx
cmp
%ecx, %ebx
jb
.Cerca
.Trovato:
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: offset nella tab.
EBX: low
ECX: high
EDX: mediano
monitor
applicazione
ESI: chiave di ricerca
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
xor
%ebx, %ebx
mov
$DIM, %ecx
jmp
.Cerca
.HighHalf: lea
0x1(%edx), %ebx
cmp
%ecx, %ebx
jae
.Trovato
.Cerca: lea
(%ecx,%ebx,1), %edx
shr
%edx
mov
%edx, %eax
shl
$0x4,%eax
cmp
%esi, insn_table(%eax)
jb
.HighHalf
.LowHalf: mov
%edx, %ecx
cmp
%ecx, %ebx
jb
.Cerca
.Trovato:
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: offset nella tab.
EBX: low
ECX: high
EDX: nuovo low
monitor
applicazione
ESI: chiave di ricerca
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
xor
%ebx, %ebx
mov
$DIM, %ecx
jmp
.Cerca
.HighHalf: lea
0x1(%edx), %ebx
cmp
%ecx, %ebx
jae
.Trovato
.Cerca: lea
(%ecx,%ebx,1), %edx
shr
%edx
mov
%edx, %eax
shl
$0x4,%eax
cmp
%esi, insn_table(%eax)
jb
.HighHalf
.LowHalf: mov
%edx, %ecx
cmp
%ecx, %ebx
jb
.Cerca
.Trovato:
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: offset nella tab.
EBX: low
ECX: nuovo high
EDX: mediano
monitor
applicazione
ESI: chiave di ricerca
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
xor
%ebx, %ebx
mov
$DIM, %ecx
jmp
.Cerca
.HighHalf: lea
0x1(%edx), %ebx
cmp
%ecx, %ebx
jae
.Trovato
.Cerca: lea
(%ecx,%ebx,1), %edx
shr
%edx
mov
%edx, %eax
shl
$0x4,%eax
cmp
%esi, insn_table(%eax)
jb
.HighHalf
.LowHalf: mov
%edx, %ecx
cmp
%ecx, %ebx
jb
.Cerca
.Trovato:
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: campo flags
EBX: low
ECX: nuovo high
EDX: offset tabella
monitor
applicazione
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
monitor:
lea
shl
movsbl
xor
testb
jz
movsbl
negl
movl
movsbl
imul
ESI: chiave di ricerca
EDI: ?????????????
EBP:indirizzo eax orig.
ESP:?????????????
(,%ecx,4), %edx
$0x2, %edx
insn_table+8(%edx),%eax
%edi, %edi
$4, %al
.NoIndex
insn_table+10(%edx),%ecx
%ecx
(%ebp, %ecx, 4), %edi
insn_table+11(%edx),%ecx
%ecx, %edi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: campo flags
EBX: low
ECX: - reg. indice
EDX: offset tabella
monitor
applicazione
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
monitor:
lea
shl
movsbl
xor
testb
jz
movsbl
negl
movl
movsbl
imul
ESI: chiave di ricerca
EDI: idx
EBP:indirizzo eax orig.
ESP:?????????????
(,%ecx,4), %edx
$0x2, %edx
insn_table+8(%edx),%eax
%edi, %edi
$4, %al
.NoIndex
insn_table+10(%edx),%ecx
%ecx
(%ebp, %ecx, 4), %edi
insn_table+11(%edx),%ecx
%ecx, %edi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: campo flags
EBX: low
ECX: scala
EDX: offset tabella
monitor
applicazione
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
monitor:
lea
shl
movsbl
xor
testb
jz
movsbl
negl
movl
movsbl
imul
ESI: chiave di ricerca
EDI: idx * scala
EBP:indirizzo eax orig.
ESP:?????????????
(,%ecx,4), %edx
$0x2, %edx
insn_table+8(%edx),%eax
%edi, %edi
$4, %al
.NoIndex
insn_table+10(%edx),%ecx
%ecx
(%ebp, %ecx, 4), %edi
insn_table+11(%edx),%ecx
%ecx, %edi
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: campo flags
EBX: low
ECX: - reg. base
EDX: offset tabella
monitor
applicazione
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
ESI: chiave di ricerca
EDI: base + idx * scala
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
.NoIndex:
testb
jz
movsbl
negl
addl
$2, %al
.NoBase
insn_table+9(%edx), %ecx
%ecx
(%ebp, %ecx, 4), %edi
.NoBase:
add
movsbl
insn_table+12(%edx),%edi
insn_table+4(%edx),%esi
push
push
call
addl
%esi
%edi
dirty_mem
$8, %esp
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: campo flags
EBX: low
ECX: - reg. base
EDX: mediano
monitor
applicazione
EBP
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
ESI: taglia
EDI: bs + idx * scl + off
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
.NoIndex:
testb
jz
movsbl
negl
addl
$2, %al
.NoBase
insn_table+9(%edx), %ecx
%ecx
(%ebp, %ecx, 4), %edi
.NoBase:
add
movsbl
insn_table+12(%edx),%edi
insn_table+4(%edx),%esi
push
push
call
addl
%esi
%edi
dirty_mem
$8, %esp
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
monitor
memory_trace
applicazione
EBP
Destination
Size
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
EAX: campo flags
EBX: low
ECX: - reg. base
EDX: mediano
ESI: taglia
EDI: bs + idx * scl + off
EBP:indirizzo eax orig.
ESP:?????????????
monitor:
.NoIndex:
testb
jz
movsbl
negl
addl
$2, %al
.NoBase
insn_table+9(%edx), %ecx
%ecx
(%ebp, %ecx, 4), %edi
.NoBase:
add
movsbl
insn_table+12(%edx),%edi
insn_table+4(%edx),%esi
push
push
call
addl
%esi
%edi
dirty_mem
$8, %esp
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: ?????????????
EBX: ?????????????
ECX: ?????????????
EDX: ?????????????
monitor
applicazione
EBP
Destinazione
Taglia
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESP
ESI: ?????????????
EDI: ?????????????
EBP:?????????????
ESP:?????????????
monitor:
.NoIndex:
testb
jz
movsbl
negl
addl
$2, %al
.NoBase
insn_table+9(%edx), %ecx
%ecx
(%ebp, %ecx, 4), %edi
.NoBase:
add
movsbl
insn_table+12(%edx),%edi
insn_table+4(%edx),%esi
push
push
call
addl
%esi
%edi
dirty_mem
$8, %esp
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
EAX: eax originale
EBX: ebx originale
ECX: ecx originale
EDX: edx originale
monitor
applicazione
EBP
Destinazione
Taglia
EFLAGS
EDI
ESI
EBP
ESP
EBX
EDX
ECX
EAX
Return Value
ESI: esi originale
EDI: edi originale
EBP:ebp originale
ESP:?????????????
monitor:
popfw
pop
pop
pop
add
pop
pop
pop
pop
ret
%edi
%esi
%ebp
$4, %esp
%ebx
%edx
%ecx
%eax
ESP
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Memory Trace Execution
CPU
…
call monitor
mov %eax, i
…
controllo
EAX: eax originale
EBX: ebx originale
ECX: ecx originale
EDX: edx originale
ESI: esi originale
EDI: edi originale
EBP:ebp originale
ESP:esp originale
applicazione
monitor:
popfw
pop
pop
pop
add
pop
pop
pop
pop
ret
%edi
%esi
%ebp
$4, %esp
%ebx
%edx
%ecx
%eax
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Summary
preprocessor
compiler
assembler
C/C++ Soruces
Sorgenti
C/C++
e and
File Header
Header
Files
Relocatable
Object File
Parser &
Instrumentor
Instruction
Table
Instrumented
Object File
Monitoring
Module
Linker
Executable
File
HPDCS Research Group
http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering
Fly UP