Executable Format and Advanced Compiling Tools (Formato degli Eseguibili e Strumenti Avanzati di Compilazione)
Dipartimento di Informatica e Sistemistica
Executable Format and Advanced Compiling Tools
Alessandro Pellegrini [email protected] http://www.dis.uniroma1.it/~pellegrini
Operating Systems II - Laurea Magistrale in Computer Engineering

Compiling Process
(Diagram of the build pipeline.) User-created files: Makefile, C/C++ sources, header files, assembly sources, linker script file. Tools: make, preprocessor, compiler, assembler, linker, archive (ar). Artifacts: object file (relocatable file), library file and shared object, executable file, link map file.

HPDCS Research Group http://www.dis.uniroma1.it/~hpdcs
Operating Systems II - Laurea Magistrale in Computer Engineering

Object File Format
• For more than 20 years (from 1975 to 1998) the *nix executable file format was a.out.
• The format was made up of at most 7 sections:
  ➢ exec header: loading information;
  ➢ text segment: machine instructions;
  ➢ data segment: initialized data;
  ➢ text relocations: information to update pointers;
  ➢ data relocations: information to update pointers;
  ➢ symbol table: information on variables and functions;
  ➢ string table: names associated with symbols.

Object File Format (2)
• The limits of this format were: cross-compiling; dynamic linking; creation of simple shared libraries; support for initializers/finalizers (e.g. constructors and destructors in C++).
• Linux definitively replaced a.out with ELF (Executable and Linkable Format) in version 1.2 (around 1995).

ELF Types of Files
ELF defines the format of binary executables. There are four different categories:
• Relocatable: created by compilers and assemblers; must be processed by the linker before being run.
• Executable: all symbols are resolved, except for shared libraries' symbols, which are resolved at runtime.
• Shared object: a library shared by different programs; it contains all the symbol information used by the linker, and the code to be executed at runtime.
• Core file: a core dump.
ELF files have a twofold nature:
➢ compilers, assemblers and linkers handle them as a set of logical sections;
➢ the system loader handles them as a set of segments.

ELF File's Structure
(Diagram.) Relocatable file: ELF Header; Program Header (optional, ignored); Sections; Section Header (describes the sections). Executable file: ELF Header; Program Header (describes the segments); Segments; Section Header (optional, ignored).

ELF Header
    #define EI_NIDENT (16)
    typedef struct {
        unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
        Elf32_Half    e_type;             /* Object file type */
        Elf32_Half    e_machine;          /* Architecture */
        Elf32_Word    e_version;          /* Object file version */
        Elf32_Addr    e_entry;            /* Entry point virtual address */
        Elf32_Off     e_phoff;            /* Program header table file offset */
        Elf32_Off     e_shoff;            /* Section header table file offset */
        Elf32_Word    e_flags;            /* Processor-specific flags */
        Elf32_Half    e_ehsize;           /* ELF header size in bytes */
        Elf32_Half    e_phentsize;        /* Program header table entry size */
        Elf32_Half    e_phnum;            /* Program header table entry count */
        Elf32_Half    e_shentsize;        /* Section header table entry size */
        Elf32_Half    e_shnum;            /* Section header table entry count */
        Elf32_Half    e_shstrndx;         /* Section header string table index */
    } Elf32_Ehdr;

Relocatable File
• A relocatable file or a shared object is a collection of sections.
• Each section contains a single kind of information, such as executable code, read-only data, read/write data, relocation entries, or symbols.
• Each symbol's address is defined relative to the section which contains it.
• For example, a function's entry point is defined relative to the section of the program which contains it.

Section Header
    typedef struct {
        Elf32_Word sh_name;      /* Section name (string tbl index) */
        Elf32_Word sh_type;      /* Section type */
        Elf32_Word sh_flags;     /* Section flags */
        Elf32_Addr sh_addr;      /* Section virtual addr at execution */
        Elf32_Off  sh_offset;    /* Section file offset */
        Elf32_Word sh_size;      /* Section size in bytes */
        Elf32_Word sh_link;      /* Link to another section */
        Elf32_Word sh_info;      /* Additional section information */
        Elf32_Word sh_addralign; /* Section alignment */
        Elf32_Word sh_entsize;   /* Entry size if section holds table */
    } Elf32_Shdr;

Types and Flags in Section Header
Types:
  PROGBITS: the section contains program content (code, data, debug information).
  NOBITS: like PROGBITS, but the section occupies no bytes in the file; only its size in memory is meaningful (e.g. .bss).
  SYMTAB and DYNSYM: the section contains a symbol table.
  STRTAB: the section contains a string table.
  REL and RELA: the section contains relocation information.
  DYNAMIC and HASH: the section contains dynamic linking information.
Flags:
  WRITE: the section contains runtime-writeable data.
  ALLOC: the section occupies memory at runtime.
  EXECINSTR: the section contains executable machine instructions.
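The structures above are only useful once every offset in them has been checked against the size of the file: e_shoff, e_shnum, e_shentsize, sh_offset and sh_size all come from the file itself, and a malformed or hostile file will use them to steer a parser out of bounds. The following is an added example, not code from the course: a bounds-checked walk of the ELF header and section header table that prints a readelf -S style listing. The ELF image it parses is built in memory for the demonstration (a minimal relocatable with .text, .data, .bss and .shstrtab, not a compiler's output); the function names are this example's own.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Validate the ELF header before trusting any offset stored in it and return
 * it, or NULL. Only 32-bit little-endian images are handled. */
static const Elf32_Ehdr *elf32_check(const uint8_t *img, size_t len)
{
    const Elf32_Ehdr *eh = (const Elf32_Ehdr *)img;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0) return NULL;
    if (eh->e_ident[EI_CLASS] != ELFCLASS32 || eh->e_ident[EI_DATA] != ELFDATA2LSB) return NULL;
    if (eh->e_shnum == 0) return eh;                      /* no section table: nothing more to check */
    if (eh->e_shentsize != sizeof(Elf32_Shdr)) return NULL;
    if ((uint64_t)eh->e_shoff + (uint64_t)eh->e_shnum * sizeof(Elf32_Shdr) > len) return NULL;
    if (eh->e_shstrndx != SHN_UNDEF && eh->e_shstrndx >= eh->e_shnum) return NULL;
    return eh;
}

/* Name of section i from the section name string table, or "" if the table or
 * the index is inconsistent. Never scans past the end of the table for the NUL. */
static const char *elf32_secname(const uint8_t *img, size_t len,
                                 const Elf32_Ehdr *eh, const Elf32_Shdr *sh, size_t i)
{
    if (eh->e_shstrndx == SHN_UNDEF) return "";
    const Elf32_Shdr *st = &sh[eh->e_shstrndx];
    if (st->sh_type != SHT_STRTAB || (uint64_t)st->sh_offset + st->sh_size > len) return "";
    if (sh[i].sh_name >= st->sh_size) return "";
    const char *name = (const char *)img + st->sh_offset + sh[i].sh_name;
    return memchr(name, 0, st->sh_size - sh[i].sh_name) ? name : "";
}

/* List the sections and return how many carry all the flags in `want`, or -1 if
 * the image is malformed. NOBITS sections own no file bytes, so their offset
 * and size are not checked against the file length. */
static int elf32_list_sections(const uint8_t *img, size_t len, Elf32_Word want)
{
    const Elf32_Ehdr *eh = elf32_check(img, len);
    if (!eh) return -1;
    const Elf32_Shdr *sh = (const Elf32_Shdr *)(img + eh->e_shoff);
    int hits = 0;
    for (size_t i = 0; i < eh->e_shnum; i++) {
        const Elf32_Shdr *s = &sh[i];
        if (s->sh_type != SHT_NOBITS && (uint64_t)s->sh_offset + s->sh_size > len) return -1;
        printf("[%2zu] %-10s type=%-2u flags=%c%c%c off=0x%04x size=0x%04x\n", i,
               elf32_secname(img, len, eh, sh, i), s->sh_type,
               s->sh_flags & SHF_WRITE ? 'W' : '-', s->sh_flags & SHF_ALLOC ? 'A' : '-',
               s->sh_flags & SHF_EXECINSTR ? 'X' : '-', s->sh_offset, s->sh_size);
        if ((s->sh_flags & want) == want) hits++;
    }
    return hits;
}

/* Constructed input: a minimal ET_REL image (header, .shstrtab, .text, .data,
 * then the section header table). Returns the image length (288 bytes). */
static size_t build_image(uint8_t *buf)
{
    static const char names[] = "\0.text\0.data\0.bss\0.shstrtab";   /* 28 bytes with final NUL */
    memset(buf, 0, 512);
    Elf32_Ehdr *eh = (Elf32_Ehdr *)buf;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS32; eh->e_ident[EI_DATA] = ELFDATA2LSB;
    eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_REL; eh->e_machine = EM_386; eh->e_version = EV_CURRENT;
    eh->e_ehsize = sizeof *eh; eh->e_shentsize = sizeof(Elf32_Shdr);
    Elf32_Off off = sizeof *eh;                                                    /* 52 */
    Elf32_Off names_off = off; memcpy(buf + off, names, sizeof names); off += sizeof names;
    Elf32_Off text_off = off; memcpy(buf + off, "\x31\xc0\xc3", 3); off += 4;    /* xor %eax,%eax; ret */
    Elf32_Off data_off = off; buf[off] = 1; off += 4;                              /* one initialised int */
    eh->e_shoff = off; eh->e_shnum = 5; eh->e_shstrndx = 4;                        /* table at 88 */
    Elf32_Shdr *sh = (Elf32_Shdr *)(buf + off);
    sh[1] = (Elf32_Shdr){ .sh_name = 1, .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_EXECINSTR,
                          .sh_offset = text_off, .sh_size = 4, .sh_addralign = 4 };
    sh[2] = (Elf32_Shdr){ .sh_name = 7, .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_WRITE,
                          .sh_offset = data_off, .sh_size = 4, .sh_addralign = 4 };
    sh[3] = (Elf32_Shdr){ .sh_name = 13, .sh_type = SHT_NOBITS, .sh_flags = SHF_ALLOC | SHF_WRITE,
                          .sh_offset = off, .sh_size = 16, .sh_addralign = 4 };
    sh[4] = (Elf32_Shdr){ .sh_name = 18, .sh_type = SHT_STRTAB,
                          .sh_offset = names_off, .sh_size = sizeof names, .sh_addralign = 1 };
    return off + 5 * sizeof(Elf32_Shdr);
}

static uint8_t image[512] __attribute__((aligned(4)));

/* Count the sample image's sections carrying the given flags. */
int demo_count(Elf32_Word want)
{
    size_t len = build_image(image);
    return elf32_list_sections(image, len, want);
}

/* The same image with a corrupted e_shnum: the walker must refuse it. */
int demo_corrupt(void)
{
    size_t len = build_image(image);
    ((Elf32_Ehdr *)image)->e_shnum = 1000;
    return elf32_list_sections(image, len, 0);
}

int main(void)
{
    printf("ALLOC sections: %d\n", demo_count(SHF_ALLOC));
    printf("corrupted image: %d\n", demo_corrupt());
    return 0;
}
```

The 64-bit arithmetic in the bounds checks matters: with 32-bit fields, e_shoff + e_shnum * 40 can wrap around and pass a naive comparison against the file length.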
Some Sections
• .text: contains the program's instructions
  ➢ Type: PROGBITS
  ➢ Flags: ALLOC + EXECINSTR
• .data: contains preinitialized read/write data
  ➢ Type: PROGBITS
  ➢ Flags: ALLOC + WRITE
• .rodata: contains preinitialized read-only data
  ➢ Type: PROGBITS
  ➢ Flags: ALLOC
• .bss: contains uninitialized data, which the system sets to zero at program startup
  ➢ Type: NOBITS
  ➢ Flags: ALLOC + WRITE

String Table
• Sections holding string tables contain sequences of null-terminated strings.
• Object files use a string table to represent symbols' and sections' names.
• A string is referred to by an index into the table.
• The symbol table and the symbol names are kept separate because there is no limit on name length in C/C++.

Symbol Table
• The symbol table holds, in an object file, the information needed to locate and relocate a program's symbolic definitions and references.
    typedef struct {
        Elf32_Word    st_name;  /* Symbol name (string tbl index) */
        Elf32_Addr    st_value; /* Symbol value */
        Elf32_Word    st_size;  /* Symbol size */
        unsigned char st_info;  /* Symbol type and binding */
        unsigned char st_other; /* Symbol visibility */
        Elf32_Section st_shndx; /* Section index */
    } Elf32_Sym;

Static Relocation Table
• Relocation is the process which connects references to symbols with the definitions of those symbols.
• Relocatable files must therefore keep information on how to modify the contents of sections.
    typedef struct {
        Elf32_Addr r_offset; /* Address */
        Elf32_Word r_info;   /* Relocation type and symbol index */
    } Elf32_Rel;

    typedef struct {
        Elf32_Addr  r_offset; /* Address */
        Elf32_Word  r_info;   /* Relocation type and symbol index */
        Elf32_Sword r_addend; /* Addend */
    } Elf32_Rela;

Executable Files
• Usually, an executable file has only a few segments:
  ➢ a read-only segment for code;
  ➢ a read-only segment for read-only data;
  ➢ a read/write segment for other data.
• Sections marked with the ALLOC flag are packed into the proper segment, so that the operating system can map the file into memory with few operations.
  ➢ For example, if the .data and .bss sections are present, they are placed within the same read/write segment.

Program Header
    typedef struct {
        Elf32_Word p_type;   /* Segment type */
        Elf32_Off  p_offset; /* Segment file offset */
        Elf32_Addr p_vaddr;  /* Segment virtual address */
        Elf32_Addr p_paddr;  /* Segment physical address */
        Elf32_Word p_filesz; /* Segment size in file */
        Elf32_Word p_memsz;  /* Segment size in memory */
        Elf32_Word p_flags;  /* Segment flags */
        Elf32_Word p_align;  /* Segment alignment */
    } Elf32_Phdr;

Linker's Role
(Diagram.) Relocatable file 1 and relocatable file 2, each made of ELF Header, Section 1 ... Section n and Section Header Table, are combined by the linker into an executable file made of ELF Header, Program Header Table, Segment 1, Segment 2 and Segment 3.

Static Relocation
In the relocatable object the call target and the variable address are placeholders; in the linked executable they have been filled in:
    1bc1: e8 fc ff ff ff    call 1bc2 <main+0x17fe>       8054e59: e8 9a 55 00 00    call 805a3f8 <Foo>
    1bc6: 83 c4 10          add  $0x10,%esp               8054e5e: 83 c4 10          add  $0x10,%esp
    1bc9: a1 00 00 00 00    mov  0x0,%eax                 8054e61: a1 f8 02 06 08    mov  0x80602f8,%eax
The linker fixes the instructions' positions, the variables' addresses and the functions' entry points.

Directives: Linker Script
• The simplest form of linker script contains only a SECTIONS directive;
• The SECTIONS directive describes the memory layout of the linker-generated file.
    SECTIONS {
        . = 0x10000;           /* sets the location counter's value */
        .text : { *(.text) }   /* places all input files' .text sections in the output file's .text
                                  section, at the address given by the location counter */
        . = 0x8000000;
        .data : { *(.data) }
        .bss  : { *(.bss) }
    }
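The static relocation listing above is the outcome of applying two Elf32_Rel entries: an R_386_PC32 for the call (the placeholder bytes fc ff ff ff are the addend -4, which compensates for the fact that the displacement is measured from the end of the instruction) and an R_386_32 for the variable. The following is an added example, not code from the course, that performs those two computations (S + A - P and S + A, with the addend A read from the bytes being patched, as SHT_REL sections require) on a constructed copy of the three instructions, with the section placed at the address 0x8054e59 and the symbol values taken from the listing. Symbol names and the function names are this example's own.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEC_VADDR 0x8054e59u   /* final address of the section, from the slide's listing */

static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Apply SHT_REL entries to `sec`, a section whose final address is `vaddr`,
 * with `syms` already bound to their final addresses. Returns the number of
 * relocations applied, or -1 on an out-of-range offset, unknown symbol index
 * or unsupported relocation type. */
int apply_rel(uint8_t *sec, size_t sec_len, Elf32_Addr vaddr,
              const Elf32_Rel *rels, size_t nrel, const Elf32_Sym *syms, size_t nsym)
{
    for (size_t i = 0; i < nrel; i++) {
        Elf32_Word symidx = ELF32_R_SYM(rels[i].r_info);
        if (rels[i].r_offset > sec_len || sec_len - rels[i].r_offset < 4) return -1;
        if (symidx >= nsym) return -1;
        uint8_t *where = sec + rels[i].r_offset;
        uint32_t S = syms[symidx].st_value;      /* symbol's final address */
        uint32_t A = rd32(where);                /* implicit addend stored in the field */
        uint32_t P = vaddr + rels[i].r_offset;   /* address of the field being patched */
        switch (ELF32_R_TYPE(rels[i].r_info)) {
        case R_386_32:   wr32(where, S + A);     break;   /* absolute address */
        case R_386_PC32: wr32(where, S + A - P); break;   /* eip-relative displacement */
        default:         return -1;
        }
    }
    return (int)nrel;
}

/* Constructed input mirroring the slide: the unrelocated instruction bytes and
 * the relocations an assembler emits for them. */
static const uint8_t unrelocated[13] = {
    0xe8, 0xfc, 0xff, 0xff, 0xff,   /* call <Foo>, displacement field holds the addend -4 */
    0x83, 0xc4, 0x10,               /* add $0x10,%esp */
    0xa1, 0x00, 0x00, 0x00, 0x00    /* mov <global>,%eax */
};
static const Elf32_Rel rels[2] = {
    { .r_offset = 1, .r_info = ELF32_R_INFO(1, R_386_PC32) },
    { .r_offset = 9, .r_info = ELF32_R_INFO(2, R_386_32) },
};
/* Symbols with the addresses the linker assigned them (values from the slide). */
static const Elf32_Sym syms[3] = {
    { 0 },
    { .st_value = 0x805a3f8, .st_info = ELF32_ST_INFO(STB_GLOBAL, STT_FUNC) },    /* Foo */
    { .st_value = 0x80602f8, .st_info = ELF32_ST_INFO(STB_GLOBAL, STT_OBJECT) },  /* the global */
};

static uint8_t relocated[13];

int demo_relocate(void)
{
    memcpy(relocated, unrelocated, sizeof relocated);
    return apply_rel(relocated, sizeof relocated, SEC_VADDR, rels, 2, syms, 3);
}

/* Read back a 32-bit field of the relocated code. */
uint32_t demo_word(size_t off)
{
    demo_relocate();
    return rd32(relocated + off);
}

/* A relocation whose 4-byte field would run past the section end is rejected. */
int demo_reject(void)
{
    Elf32_Rel bad = { .r_offset = 11, .r_info = ELF32_R_INFO(2, R_386_32) };
    memcpy(relocated, unrelocated, sizeof relocated);
    return apply_rel(relocated, sizeof relocated, SEC_VADDR, &bad, 1, syms, 3);
}

int main(void)
{
    demo_relocate();
    printf("call disp32 = 0x%08x, mov address = 0x%08x\n", demo_word(1), demo_word(9));
    return 0;
}
```

The computed displacement 0x0000559a and address 0x080602f8 are the bytes 9a 55 00 00 and f8 02 06 08 of the linked listing; a linker that skipped the range check on r_offset would let a crafted object file patch bytes outside the section.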
Example: C code
    #include <stdio.h>

    int xx, yy;

    int main(void) {
        xx = 1;
        yy = 2;
        printf("xx %d yy %d\n", xx, yy);
    }

Example: ELF Header
    $ objdump -x esempio-elf
    esempio-elf:     file format elf32-i386
    architecture: i386, flags 0x00000112: EXEC_P, HAS_SYMS, D_PAGED
    start address 0x08048310

Example: Program Header
    PHDR     off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
             filesz 0x00000100 memsz 0x00000100 flags r-x
    INTERP   off    0x00000134 vaddr 0x08048134 paddr 0x08048134 align 2**0
             filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD     off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
             filesz 0x000004f4 memsz 0x000004f4 flags r-x
    LOAD     off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12
             filesz 0x00000108 memsz 0x00000118 flags rw-
    DYNAMIC  off    0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2
             filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE     off    0x00000148 vaddr 0x08048148 paddr 0x08048148 align 2**2
             filesz 0x00000020 memsz 0x00000020 flags r--
    STACK    off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
             filesz 0x00000000 memsz 0x00000000 flags rw-
    RELRO    off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0
             filesz 0x000000f4 memsz 0x000000f4 flags r--
The second LOAD segment has memsz larger than filesz by 0x10 bytes: that is .bss, which the loader zero-fills. The STACK entry is rw-, i.e. the stack is requested non-executable.

Example: Dynamic Section
    NEEDED      libc.so.6
    INIT        0x08048298
    FINI        0x080484bc
    HASH        0x08048168
    STRTAB      0x08048200
    SYMTAB      0x080481b0
    STRSZ       0x0000004c
    SYMENT      0x00000010
    DEBUG       0x00000000
    PLTGOT      0x08049ff4
    PLTRELSZ    0x00000018
    PLTREL      0x00000011
    JMPREL      0x08048280
The NEEDED entry records that the program must be linked at load time to the shared library libc.so.6 in order to use printf().

Example: Section Headers
    Idx Name      Size      VMA       LMA       File off  Algn
      2 .hash     00000028  08048168  08048168  00000168  2**2   CONTENTS, ALLOC, LOAD, READONLY, DATA
     10 .init     00000030  08048298  08048298  00000298  2**2   CONTENTS, ALLOC, LOAD, READONLY, CODE
     11 .plt      00000040  080482c8  080482c8  000002c8  2**2   CONTENTS, ALLOC, LOAD, READONLY, CODE
     12 .text     000001ac  08048310  08048310  00000310  2**4   CONTENTS, ALLOC, LOAD, READONLY, CODE
     13 .fini     0000001c  080484bc  080484bc  000004bc  2**2   CONTENTS, ALLOC, LOAD, READONLY, CODE
     14 .rodata   00000015  080484d8  080484d8  000004d8  2**2   CONTENTS, ALLOC, LOAD, READONLY, DATA
     22 .data     00000008  0804a00c  0804a00c  0000100c  2**2   CONTENTS, ALLOC, LOAD, DATA
     23 .bss      00000010  0804a014  0804a014  00001014  2**2   ALLOC

Example: Symbol Table
    ...
    00000000 l    df *ABS*    00000000 esempio-elf.c
    08049f0c l       .ctors   00000000 .hidden __init_array_end
    08049f0c l       .ctors   00000000 .hidden __init_array_start
    08049f20 l     O .dynamic 00000000 .hidden _DYNAMIC
    0804a00c w       .data    00000000 data_start
    08048420 g     F .text    00000005 __libc_csu_fini
    08048310 g     F .text    00000000 _start
    00000000 w       *UND*    00000000 __gmon_start__
    ...
    08049f18 g     O .dtors   00000000 .hidden __DTOR_END__
    08048430 g     F .text    0000005a __libc_csu_init
    00000000       F *UND*    00000000 printf@@GLIBC_2.0
    0804a01c g     O .bss     00000004 yy
    0804a014 g       *ABS*    00000000 __bss_start
    0804a024 g       *ABS*    00000000 _end
    0804a014 g       *ABS*    00000000 _edata
    0804848a g     F .text    00000000 .hidden __i686.get_pc_thunk.bx
    080483c4 g     F .text    0000004d main
    08048298 g     F .init    00000000 _init
    0804a020 g     O .bss     00000004 xx
(Columns: address, binding flags (l local, g global, w weak), type (d debugging, f file, O object, F function), section, size, name. printf is undefined (*UND*) here: it is resolved at runtime through the PLT.)

Symbols Visibility
• Weak symbols:
  ➢ more than one module can define a symbol with the same name as a weak one;
  ➢ a weak definition is overridden by a strong definition of the same name in another module, without a multiple-definition error;
  ➢ this is useful for libraries which want to avoid conflicts with user programs.
• Since version 4.0, gcc provides the -fvisibility command-line option:
  ➢ default: normal behaviour, the symbol is visible to other modules;
  ➢ hidden: two declarations of an object refer to the same object only if they are in the same shared object;
  ➢ internal: like hidden, and in addition a function with internal visibility is never called from another module, not even through a function pointer;
  ➢ protected: the symbol is visible to other modules, but references to it from within the defining shared object always bind to the local definition (it cannot be interposed).

Symbols Visibility (2)
    int variable __attribute__ ((visibility ("hidden")));

    #pragma GCC visibility push(hidden)
    int variable;
    int increment(void) { return ++variable; }
    #pragma GCC visibility pop

Linux Loader
• In fs/exec.c:
  ➢ do_execve(): about 50 lines of code; performs some error checks and fills the struct linux_binprm; looks for a binary format handler.
  ➢ search_binary_handler(): scans the list of binary format handlers registered in the kernel; if no handler recognizes the image format, the syscall returns the ENOEXEC error ("Exec format error").
• In fs/binfmt_elf.c:
  ➢ load_elf_binary(): loads the image into memory using mmap; reads the program header and sets the permissions accordingly.

Alter an ELF: Reordering
(Diagram.) The sections of the input file are written to the output file in reverse order (Section n first, Section 1 last) and the Section Header Table is moved right after the ELF Header.

Alter an ELF: Reordering (2)
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <elf.h>      /* structures describing an ELF file */

    int main(int argc, char **argv) {
        int elf_src, elf_dst, file_size, i;
        char *src_image, *dst_image, *ptr;
        Elf32_Ehdr *ehdr_src, *ehdr_dst;
        Elf32_Shdr *shdr_src, *shdr_dst;

        if (argc != 3) exit(-1);
        if ((elf_src = open(argv[1], O_RDONLY)) == -1) exit(-1);
        if ((elf_dst = creat(argv[2], 0644)) == -1) exit(-1);

        file_size = lseek(elf_src, 0L, SEEK_END);
        lseek(elf_src, 0L, SEEK_SET);
        src_image = malloc(file_size);
        ptr = dst_image = calloc(1, file_size);
        if (read(elf_src, src_image, file_size) != file_size) exit(-1);

        ehdr_src = (Elf32_Ehdr *)src_image;
        ehdr_dst = (Elf32_Ehdr *)dst_image;
        memcpy(ptr, src_image, sizeof(Elf32_Ehdr));   /* the two ELF headers are (mostly) the same */
        ptr += sizeof(Elf32_Ehdr);

        /* The section header table goes right after the ELF header */
        shdr_dst = (Elf32_Shdr *)ptr;
        shdr_src = (Elf32_Shdr *)(src_image + ehdr_src->e_shoff);
        ehdr_dst->e_shoff = sizeof(Elf32_Ehdr);       /* corrects the table's position in the file */
        ptr += ehdr_src->e_shnum * ehdr_dst->e_shentsize;

        /* Copies the section headers and the section contents, in reverse order */
        memcpy(shdr_dst, shdr_src, sizeof(Elf32_Shdr));   /* section 0 (NULL) stays first */
        for (i = ehdr_src->e_shnum - 1; i > 0; i--) {
            memcpy(shdr_dst + ehdr_src->e_shnum - i, shdr_src + i, sizeof(Elf32_Shdr));
            if (shdr_src[i].sh_type != SHT_NOBITS)    /* .bss has no bytes in the file */
                memcpy(ptr, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size);
            shdr_dst[ehdr_src->e_shnum - i].sh_offset = ptr - dst_image;
            /* sh_link is a section index and must follow the new numbering */
            if (shdr_src[i].sh_link > 0)
                shdr_dst[ehdr_src->e_shnum - i].sh_link = ehdr_src->e_shnum - shdr_src[i].sh_link;
            /* sh_info is a section index only for REL/RELA sections (for SYMTAB it is a symbol index) */
            if (shdr_src[i].sh_info > 0 &&
                (shdr_src[i].sh_type == SHT_REL || shdr_src[i].sh_type == SHT_RELA))
                shdr_dst[ehdr_src->e_shnum - i].sh_info = ehdr_src->e_shnum - shdr_src[i].sh_info;
            if (shdr_src[i].sh_type != SHT_NOBITS)
                ptr += shdr_src[i].sh_size;
        }
        ehdr_dst->e_shstrndx = ehdr_src->e_shnum - ehdr_src->e_shstrndx;
        /* Note: the st_shndx field of the symbols in .symtab still refers to the
         * old section numbering; a complete tool must remap it as well. */

        write(elf_dst, dst_image, file_size);
        close(elf_src);
        close(elf_dst);
    }

Alter an ELF: Reordering (3)
    $ readelf -S esempio-elf.o
    There are 11 section headers, starting at offset 0x108:

    Section Headers:
      [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
      [ 0]                   NULL            00000000 000000 000000 00      0   0  0
      [ 1] .text             PROGBITS        00000000 000034 00004d 00  AX  0   0  4
      [ 2] .rel.text         REL             00000000 0003a4 000030 08      9   1  4
      [ 3] .data             PROGBITS        00000000 000084 000000 00  WA  0   0  4
      [ 4] .bss              NOBITS          00000000 000084 000000 00  WA  0   0  4
      [ 5] .rodata           PROGBITS        00000000 000084 00000d 00   A  0   0  1
      [ 6] .comment          PROGBITS        00000000 000091 000025 00      0   0  1
      [ 7] .note.GNU-stack   PROGBITS        00000000 0000b6 000000 00      0   0  1
      [ 8] .shstrtab         STRTAB          00000000 0000b6 000051 00      0   0  1
      [ 9] .symtab           SYMTAB          00000000 0002c0 0000c0 10     10   8  4
      [10] .strtab           STRTAB          00000000 000380 000021 00      0   0  1

Alter an ELF: Reordering (4)
    $ readelf -S riordinato.o
    There are 11 section headers, starting at offset 0x34:

    Section Headers:
      [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
      [ 0]                   NULL            00000000 000000 000000 00      0   0  0
      [ 1] .strtab           STRTAB          00000000 0001ec 000021 00      0   0  1
      [ 2] .symtab           SYMTAB          00000000 00020d 0000c0 10      1   3  4
      [ 3] .shstrtab         STRTAB          00000000 0002cd 000051 00      0   0  1
      [ 4] .note.GNU-stack   PROGBITS        00000000 00031e 000000 00      0   0  1
      [ 5] .comment          PROGBITS        00000000 00031e 000025 00      0   0  1
      [ 6] .rodata           PROGBITS        00000000 000343 00000d 00   A  0   0  1
      [ 7] .bss              NOBITS          00000000 000350 000000 00  WA  0   0  4
      [ 8] .data             PROGBITS        00000000 000350 000000 00  WA  0   0  4
      [ 9] .rel.text         REL             00000000 000350 000030 08      2  10  4
      [10] .text             PROGBITS        00000000 000380 00004d 00  AX  0   0  4
This output was produced by a version of the program that remapped sh_info unconditionally: .symtab shows Inf 3 (11 - 8), although its sh_info is the index of the first non-local symbol and should have stayed 8. .rel.text is correct: Lk 2 now points to .symtab and Inf 10 to .text.

Alter an ELF: nop
(Diagram.) NOP_NUM nop bytes are appended at the end of Section 1; every following section and the Section Header Table are shifted forward by the same amount.

Alter an ELF: nop (2)
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <elf.h>

    #define NOP_NUM  10
    #define NOP_CODE 0x90   // 1 byte
    #define SEC_NUM  1      // the section to enlarge (.text in the example object)

    int main(int argc, char **argv) {
        int elf_src, elf_dst, file_size, i;
        char *src_image, *dst_image;
        Elf32_Ehdr *ehdr_src;
        Elf32_Shdr *shdr_src, *shdr_dst;

        if (argc != 3) exit(-1);
        if ((elf_src = open(argv[1], O_RDONLY)) == -1) exit(-1);
        if ((elf_dst = creat(argv[2], 0644)) == -1) exit(-1);

        file_size = lseek(elf_src, 0L, SEEK_END);
        lseek(elf_src, 0L, SEEK_SET);
        src_image = malloc(file_size);
        dst_image = calloc(1, file_size + NOP_NUM);
        if (read(elf_src, src_image, file_size) != file_size) exit(-1);

        ehdr_src = (Elf32_Ehdr *)src_image;
        shdr_src = (Elf32_Shdr *)(src_image + ehdr_src->e_shoff);

Alter an ELF: nop (3)
        shdr_dst = (Elf32_Shdr *)(dst_image + ehdr_src->e_shoff + NOP_NUM);

        memcpy(dst_image, src_image, sizeof(Elf32_Ehdr));
        ((Elf32_Ehdr *)dst_image)->e_shoff += NOP_NUM;   /* the section header table moves forward */

        /* Sections up to SEC_NUM keep their position */
        for (i = 0; i <= SEC_NUM; i++)
            memcpy(dst_image + shdr_src[i].sh_offset, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size);

        /* Inserts the nops right after the end of section SEC_NUM */
        memset(dst_image + shdr_src[SEC_NUM].sh_offset + shdr_src[SEC_NUM].sh_size, NOP_CODE, NOP_NUM);

        /* Moves the other sections forward */
        for (i = SEC_NUM + 1; i < ehdr_src->e_shnum; i++)
            if (shdr_src[i].sh_type != SHT_NOBITS)
                memcpy(dst_image + shdr_src[i].sh_offset + NOP_NUM, src_image + shdr_src[i].sh_offset, shdr_src[i].sh_size);

        for (i = 0; i <= SEC_NUM; i++)
            memcpy(shdr_dst + i, shdr_src + i, sizeof(Elf32_Shdr));
        shdr_dst[SEC_NUM].sh_size += NOP_NUM;   /* corrects the section's size */

        for (i = SEC_NUM + 1; i < ehdr_src->e_shnum; i++) {
            memcpy(shdr_dst + i, shdr_src + i, sizeof(Elf32_Shdr));
            shdr_dst[i].sh_offset += NOP_NUM;   /* corrects the offsets of the moved sections */
        }

        write(elf_dst, dst_image, file_size + NOP_NUM);
        close(elf_src);
        close(elf_dst);
    }
The program assumes that sections are stored in the file in index order, which is the case for the objects produced by the compiler above.

Alter an ELF: nop (4)
    $ objdump -S esempio-elf.o
    Disassembly of section .text:

    00000000 <main>:
       0:   8d 4c 24 04             lea    0x4(%esp),%ecx
       4:   83 e4 f0                and    $0xfffffff0,%esp
       7:   ff 71 fc                pushl  -0x4(%ecx)
       a:   55                      push   %ebp
    [...]
      38:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
      3f:   e8 fc ff ff ff          call   40 <main+0x40>
      44:   83 c4 14                add    $0x14,%esp
      47:   59                      pop    %ecx
      48:   5d                      pop    %ebp
      49:   8d 61 fc                lea    -0x4(%ecx),%esp
      4c:   c3                      ret

Alter an ELF: nop (5)
    $ objdump -S nop.o
    Disassembly of section .text:

    00000000 <main>:
       0:   8d 4c 24 04             lea    0x4(%esp),%ecx
       4:   83 e4 f0                and    $0xfffffff0,%esp
       7:   ff 71 fc                pushl  -0x4(%ecx)
       a:   55                      push   %ebp
    [...]
      38:   c7 04 24 00 00 00 00    movl   $0x0,(%esp)
      3f:   e8 fc ff ff ff          call   40 <main+0x40>
      44:   83 c4 14                add    $0x14,%esp
      47:   59                      pop    %ecx
      48:   5d                      pop    %ebp
      49:   8d 61 fc                lea    -0x4(%ecx),%esp
      4c:   c3                      ret
      4d:   90                      nop
      4e:   90                      nop
      4f:   90                      nop
      50:   90                      nop
    [...]

Lin/Glaurung.676/666
• It is an appending virus;
• It changes the EI_PAD field of e_ident (offsets 0x0007-0x000f) from 0 to 0x21;
• The file's entry point becomes the position of the injected code (0x08049bd4 instead of 0x08048320);
• It infects every ELF file found in the current working directory and in /bin;
• The analyzed infected file grew from 3028 bytes (0x0bd4) to 3694 bytes (0x0e6e), an increase of 666 bytes (0x29a);
• The size of the loaded ELF image is incremented (p_filesz and p_memsz become 0x0a1e instead of
0x00e0 and 0x00f8, respectively): the appended code is made part of the second PT_LOAD segment, the read/write data segment.
(Diagram.) In the original file the ELF header is at 0x0000 and the program code ends at 0x0bd3, with the entry point inside it; in the infected file the virus code occupies 0x0bd4-0x0e6e and the entry point points into it.

Lin/Glaurung.676/666 (2)
Hex dump of the first bytes of the infected file (the extraction scrambled the columns; the two rows of the ELF header are reconstructed here, the rest is decoded below):
    00000000  7F 45 4C 46 01 01 01 21 00 00 00 00 00 00 00 00  .ELF...!........
    00000010  02 00 03 00 01 00 00 00 D4 9B 04 08 34 00 00 00  ........Ô...4...
Reading the dump with the structures seen earlier:
  ➢ e_ident[7] = 0x21 (the '!' in the ASCII column) is the infection marker written into the padding bytes; e_type = 2 (executable), e_machine = 3 (i386), e_entry = 0x08049bd4, e_phoff = 0x34, e_shoff = 0x07ec, e_phnum = 6, e_shnum = 25 (the section header table ends at 0x07ec + 25 * 0x28 = 0x0bd4, the original end of file);
  ➢ first PT_LOAD: offset 0, vaddr 0x08048000, filesz = memsz = 0x450, flags r-x;
  ➢ second PT_LOAD: offset 0x450, vaddr 0x08049450, filesz = memsz = 0x0a1e, flags rw-;
  ➢ PT_INTERP at offset 0xf4: /lib/ld-linux.so.2.
The entry point 0x08049bd4 falls in the second segment, at file offset 0x450 + (0x9bd4 - 0x9450) = 0x0bd4: exactly the first byte appended by the virus. The injected code is therefore mapped by a segment whose flags are rw- and relies on the data segment being executable anyway, which on this platform it is.

Code Instrumentation
• If it is possible to alter an ELF file's structure, then it is possible to modify the original behaviour of the code: this technique is called instrumentation.
• Problems of this technique:
  ➢ it must work at machine-code level: it is necessary to insert into an ELF file a byte stream which corresponds to particular assembly instructions;
  ➢ to instrument transparently to the user, it is important to keep the references in the code coherent;
  ➢ it is also necessary to interpret the original program's code, to find the right positions where to inject the instrumentation code.
• This technique is widely used in debugging and in vulnerability assessment.

Instruction Set i386
(Figure: instruction format.)
    Prefixes      up to 4, 1 byte each
    Opcode        1, 2 or 3 bytes
    ModR/M        1 byte (if present): Mod (bits 7-6), Reg/Opcode (bits 5-3), R/M (bits 2-0)
    SIB           1 byte (if present): Scale (bits 7-6), Index (bits 5-3), Base (bits 2-0)
    Displacement  0, 1, 2 or 4 bytes
    Immediate     0, 1, 2 or 4 bytes
Instructions are therefore of variable length (with an upper bound of 15 bytes):
    85 c0                     test   %eax,%eax
    75 09                     jnz    4c
    c7 45 ec 00 00 00 00      movl   $0x0,-0x14(%ebp)
    eb 59                     jmp    a5
    8b 45 08                  mov    0x8(%ebp),%eax
    8d 4c 24 04               lea    0x4(%esp),%ecx
    0f b7 40 2e               movzwl 0x2e(%eax),%eax
(Opcode, ModR/M, SIB, Displacement, Immediate.)

Instruction Set i386 (2)
• The Reg and R/M fields of the ModR/M byte and the Index and Base fields of the SIB byte identify registers (Scale is the multiplier applied to the index: 1, 2, 4 or 8);
• General purpose registers are numbered from 0 to 7 in this order: eax (000), ecx (001), edx (010), ebx (011), esp (100), ebp (101), esi (110), edi (111).
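The Glaurung analysis above gives three structural symptoms of an appending infector that can be checked before any disassembly: a marker in the identification bytes, an entry point that no executable PT_LOAD maps, and (for the variant that appends to the text segment instead) an entry point inside an executable segment but outside every code section. The following is an added example, not code from the course, that implements those three checks. Note that byte 7 of e_ident, called EI_PAD on the slides, is EI_OSABI in today's <elf.h>, so it is checked as an unknown ABI value rather than as padding. The ELF image is constructed in memory (a tiny executable with an r-x text segment and an rw- data segment) and then modified the way the slides describe the infection; the names SUSP_* and the function names are this example's own.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    SUSP_IDENT        = 1,  /* unknown EI_OSABI or non-zero EI_PAD bytes (Glaurung writes 0x21 at byte 7) */
    SUSP_ENTRY_NOLOAD = 2,  /* e_entry not inside an executable PT_LOAD (Glaurung: entry in the rw- data segment) */
    SUSP_ENTRY_NOCODE = 4,  /* e_entry mapped executable, but outside every SHF_EXECINSTR section */
};

/* Bitmask of the checks above, or -1 if the buffer is not a usable ELF32 image. */
int elf32_triage(const uint8_t *img, size_t len)
{
    const Elf32_Ehdr *eh = (const Elf32_Ehdr *)img;
    if (len < sizeof *eh || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 ||
        eh->e_ident[EI_CLASS] != ELFCLASS32 || eh->e_phentsize != sizeof(Elf32_Phdr) ||
        (uint64_t)eh->e_phoff + (uint64_t)eh->e_phnum * sizeof(Elf32_Phdr) > len)
        return -1;
    int flags = 0;
    if (eh->e_ident[EI_OSABI] != ELFOSABI_SYSV && eh->e_ident[EI_OSABI] != ELFOSABI_GNU)
        flags |= SUSP_IDENT;
    for (int i = EI_PAD; i < EI_NIDENT; i++)
        if (eh->e_ident[i] != 0) flags |= SUSP_IDENT;

    /* Which PT_LOAD maps the entry point, and is it executable? */
    const Elf32_Phdr *ph = (const Elf32_Phdr *)(img + eh->e_phoff), *seg = NULL;
    for (int i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == PT_LOAD && eh->e_entry >= ph[i].p_vaddr &&
            eh->e_entry - ph[i].p_vaddr < ph[i].p_filesz) { seg = &ph[i]; break; }
    if (!seg || !(seg->p_flags & PF_X)) return flags | SUSP_ENTRY_NOLOAD;
    Elf32_Off entry_off = seg->p_offset + (eh->e_entry - seg->p_vaddr);

    /* Does a code section cover that file offset? Skipped if there is no usable section table. */
    if (eh->e_shnum == 0 || eh->e_shentsize != sizeof(Elf32_Shdr) ||
        (uint64_t)eh->e_shoff + (uint64_t)eh->e_shnum * sizeof(Elf32_Shdr) > len)
        return flags;
    const Elf32_Shdr *sh = (const Elf32_Shdr *)(img + eh->e_shoff);
    for (int i = 0; i < eh->e_shnum; i++)
        if (sh[i].sh_type == SHT_PROGBITS && (sh[i].sh_flags & SHF_EXECINSTR) &&
            entry_off >= sh[i].sh_offset && entry_off - sh[i].sh_offset < sh[i].sh_size)
            return flags;
    return flags | SUSP_ENTRY_NOCODE;
}

#define TEXT_VA 0x08048000u
#define DATA_VA 0x08049000u

/* Constructed input: a minimal ET_EXEC (not a linker's output). Layout: header,
 * 2 program headers, .shstrtab, .text, .data, section headers. Returns its length (308). */
static size_t build_exec(uint8_t *buf)
{
    static const char names[] = "\0.text\0.data\0.shstrtab";
    memset(buf, 0, 512);
    Elf32_Ehdr *eh = (Elf32_Ehdr *)buf;
    memcpy(eh->e_ident, ELFMAG, SELFMAG);
    eh->e_ident[EI_CLASS] = ELFCLASS32; eh->e_ident[EI_DATA] = ELFDATA2LSB; eh->e_ident[EI_VERSION] = EV_CURRENT;
    eh->e_type = ET_EXEC; eh->e_machine = EM_386; eh->e_version = EV_CURRENT;
    eh->e_ehsize = sizeof *eh; eh->e_phentsize = sizeof(Elf32_Phdr); eh->e_shentsize = sizeof(Elf32_Shdr);
    eh->e_phoff = sizeof *eh; eh->e_phnum = 2;
    Elf32_Phdr *ph = (Elf32_Phdr *)(buf + eh->e_phoff);
    Elf32_Off off = eh->e_phoff + 2 * sizeof(Elf32_Phdr);                          /* 116 */
    Elf32_Off names_off = off; memcpy(buf + off, names, sizeof names); off += 24;  /* padded to 4 */
    Elf32_Off text_off = off; memcpy(buf + off, "\x31\xc0\xc3", 3); off += 4;     /* xor %eax,%eax; ret */
    Elf32_Off data_off = off; buf[off] = 1; off += 4;
    eh->e_entry = TEXT_VA + text_off;
    eh->e_shoff = off; eh->e_shnum = 4; eh->e_shstrndx = 3;
    Elf32_Shdr *sh = (Elf32_Shdr *)(buf + off);
    sh[1] = (Elf32_Shdr){ .sh_name = 1, .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_EXECINSTR,
                          .sh_addr = TEXT_VA + text_off, .sh_offset = text_off, .sh_size = 4 };
    sh[2] = (Elf32_Shdr){ .sh_name = 7, .sh_type = SHT_PROGBITS, .sh_flags = SHF_ALLOC | SHF_WRITE,
                          .sh_addr = DATA_VA + data_off, .sh_offset = data_off, .sh_size = 4 };
    sh[3] = (Elf32_Shdr){ .sh_name = 13, .sh_type = SHT_STRTAB, .sh_offset = names_off, .sh_size = sizeof names };
    size_t total = off + 4 * sizeof(Elf32_Shdr);
    ph[0] = (Elf32_Phdr){ .p_type = PT_LOAD, .p_offset = 0, .p_vaddr = TEXT_VA, .p_paddr = TEXT_VA,
                          .p_filesz = data_off, .p_memsz = data_off, .p_flags = PF_R | PF_X, .p_align = 0x1000 };
    ph[1] = (Elf32_Phdr){ .p_type = PT_LOAD, .p_offset = data_off, .p_vaddr = DATA_VA + data_off,
                          .p_paddr = DATA_VA + data_off, .p_filesz = total - data_off,
                          .p_memsz = total - data_off, .p_flags = PF_R | PF_W, .p_align = 0x1000 };
    return total;
}

static uint8_t image[512] __attribute__((aligned(4)));

int demo_clean(void) { return elf32_triage(image, build_exec(image)); }

/* Mimic the appending infector described on the slides: body appended at EOF,
 * data segment enlarged to cover it, e_entry moved onto it, 0x21 written at byte 7. */
int demo_infected(void)
{
    size_t len = build_exec(image);
    Elf32_Ehdr *eh = (Elf32_Ehdr *)image;
    Elf32_Phdr *ph = (Elf32_Phdr *)(image + eh->e_phoff);
    const uint8_t body[8] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xc3 };  /* stand-in for the virus body */
    memcpy(image + len, body, sizeof body);
    ph[1].p_filesz += sizeof body; ph[1].p_memsz += sizeof body;
    eh->e_entry = ph[1].p_vaddr + (len - ph[1].p_offset);
    eh->e_ident[EI_OSABI] = 0x21;
    return elf32_triage(image, len + sizeof body);
}

/* Variant: entry moved into the r-x segment but outside .text (here, onto the ELF header). */
int demo_entry_outside_text(void)
{
    size_t len = build_exec(image);
    ((Elf32_Ehdr *)image)->e_entry = TEXT_VA + 4;
    return elf32_triage(image, len);
}

int main(void)
{
    printf("clean=%d infected=%d outside-text=%d\n", demo_clean(), demo_infected(), demo_entry_outside_text());
    return 0;
}
```

These are triage heuristics, not a signature: a legitimately stripped binary has no section table (the third check is then skipped), and a packer can satisfy all three, so a hit only says that the file deserves the disassembly that the instrumentation slides describe.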
ELF File Altering: an Example
• The section header table is scanned looking for sections containing code (type PROGBITS, flag EXECINSTR);
• Each section is parsed byte by byte;
• Using an opcode-family table the instructions are disassembled, identifying those which have a memory location as destination operand (global variables or dynamically allocated memory);
• The destination operand is decomposed into base, index, scale and displacement.

Instruction Table Generation
• To add a minimal overhead to the program, two choices are made:
  ➢ the monitoring routine is written directly in assembly;
  ➢ no runtime interpretation of instructions is made.
• During the parsing phase, the interesting information is cached in a table:
    struct insn_entry {
        unsigned long ret_addr;
        unsigned int  size;
        char          flags;
        char          base;
        char          idx;
        char          scala;
        long          offset;
    };
• This table can be searched with a binary search in O(log n) time. (On i386 each entry is 16 bytes, which is why the search code below multiplies the index by 16.)

Monitor Hooking
• The monitoring routine is hooked by injecting, before every memory-write instruction, a call to a routine called monitor:
    a1 90 60 04 08    mov   0x8046090,%eax        a1 90 60 04 08    mov   0x8046090,%eax
    83 c0 01          add   $0x1,%eax             83 c0 01          add   $0x1,%eax
                                                  e8 fc ff ff ff    call  monitor
    a3 90 60 04 08    mov   %eax,0x8046090        a3 90 60 04 08    mov   %eax,0x8046090
• A call is used instead of a less costly jump because, through the return address it pushes, it is possible to know which original instruction caused the invocation of the monitor;
• Because of the inserted calls, the original sections must be resized (using the techniques seen earlier) and the relocation tables must be corrected.
HPDCS Research Group http://www.dis.uniroma1.it/~hpdcs Operating Systems II - Laurea Magistrale in Computer Engineering References Correction • Due to the insertion of instructions, references between portions of code/data are now inconsistent; • We must therefore: Correct functions entry points; Correct every branch instruction • Intra-segment jumps in i386 are expressed as offsets starting from the current value of eip register, when executing the instruction; • To correct them, it is necessary to scan the program text a second time and apply a correction to this offest, depending on the amount of bytes inserted in the code; HPDCS Research Group http://www.dis.uniroma1.it/~hpdcs Operating Systems II - Laurea Magistrale in Computer Engineering Dynamic Branch Correction • A particular type of branch (indirect branch, or register branch) allows to specify a branch destination by the value stored in a particular register or in a memory location; • This instruction’s sematic depends of the actual exectuion flow: it cannot be corrected statically; • These instructions are handled as memory-write instructions: they are replaced with a function call (correct_branch) that, using the information stored in two tables, creates a correct jump. 8b 04 95 2c 00 00 00 ff e0 mov jmp 0x2c(,%edx,4),%eax *%eax 8b 04 95 2c 00 00 00 e8 fc ff ff ff e9 00 00 00 00 mov call jmp 0x2c(,%edx,4),%eax correct_branch ?? ?? ?? ?? HPDCS Research Group http://www.dis.uniroma1.it/~hpdcs Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution CPU … call monitor mov %eax, i … applicazione EAX: ????????????? EBX: ????????????? ECX: ????????????? EDX: ????????????? ESI: ????????????? EDI: ????????????? EBP:????????????? ESP:????????????? HPDCS Research Group http://www.dis.uniroma1.it/~hpdcs Operating Systems II - Laurea Magistrale in Computer Engineering Memory Trace Execution CPU … call monitor mov %eax, i … EAX: ????????????? EBX: ????????????? ECX: ????????????? 
Memory Trace Execution
• The instrumented application contains, before each memory-write instruction, a call to the monitoring routine:

  …
  call monitor
  mov  %eax, i
  …

• On entry to monitor, the CPU registers (EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP) hold the application's values, which monitor must save and later restore. Its prologue:

monitor:
    push   %eax
    push   %ecx
    push   %edx
    push   %ebx
    mov    %esp, %eax        # EAX: current esp
    sub    $4, %esp          # reserve a slot for the original esp
    add    $16, %eax         # EAX: original esp (the stack pointer at monitor's entry)
    mov    %eax, (%esp)      # store it in the reserved slot
    push   %ebp
    push   %esi
    push   %edi
    pushfw
    mov    14(%esp), %ebp    # reload the original esp
    sub    $4, %ebp          # EBP: address of the original eax on the stack
    mov    4(%ebp), %esi     # ESI: search key (the return address of the call to monitor)

• Stack layout after the prologue, from the most recently pushed element: EFLAGS, EDI, ESI, EBP, ESP (original), EBX, EDX, ECX, EAX, Return Value.
• The register snapshot shown on the slides evolves as follows: EAX: current esp, then EAX: original esp; EBP: address of original eax; ESI: search key.
• The key is then searched in the instruction table (insn_table, DIM entries of 16 bytes, sorted by key) with a binary search. EBX holds low, ECX high, EDX the midpoint, EAX the byte offset of the midpoint entry in the table (.Cerca = search, .Trovato = found):

    xor    %ebx, %ebx                  # low = 0
    mov    $DIM, %ecx                  # high = DIM
    jmp    .Cerca
.HighHalf:
    lea    0x1(%edx), %ebx             # new low = midpoint + 1
    cmp    %ecx, %ebx
    jae    .Trovato
.Cerca:
    lea    (%ecx,%ebx,1), %edx         # EDX: midpoint = (low + high) / 2
    shr    %edx
    mov    %edx, %eax
    shl    $0x4, %eax                  # EAX: offset in the table (16-byte entries)
    cmp    %esi, insn_table(%eax)      # entry key < search key?
    jb     .HighHalf
.LowHalf:
    mov    %edx, %ecx                  # new high = midpoint
    cmp    %ecx, %ebx
    jb     .Cerca
.Trovato:

• Once found (ECX holds the entry index), the entry's fields are used to rebuild the destination address of the write from the saved registers: EDX is the entry's offset in the table, EAX the flags field, EDI accumulates the address. A register number in the entry is negated and used as an index from EBP (the saved-eax slot), so register r is read at -4*r from the saved eax; this matches the push order of the prologue and the x86 register encoding (0 = eax, 1 = ecx, 2 = edx, 3 = ebx, 4 = esp, 5 = ebp, 6 = esi, 7 = edi).

    lea    (,%ecx,4), %edx
    shl    $0x2, %edx                  # EDX: table offset (index * 16)
    movsbl insn_table+8(%edx), %eax    # EAX: flags field
    xor    %edi, %edi
    testb  $4, %al                     # is there an index register?
    jz     .NoIndex
    movsbl insn_table+10(%edx), %ecx   # ECX: index register number
    negl   %ecx                        # ECX: -(index register number)
    movl   (%ebp,%ecx,4), %edi         # EDI: idx (saved value of the index register)
    movsbl insn_table+11(%edx), %ecx   # ECX: scale
    imul   %ecx, %edi                  # EDI: idx * scale
.NoIndex:
    testb  $2, %al                     # is there a base register?
    jz     .NoBase
    movsbl insn_table+9(%edx), %ecx    # ECX: base register number
    negl   %ecx                        # ECX: -(base register number)
    addl   (%ebp,%ecx,4), %edi         # EDI: base + idx * scale
.NoBase:
    add    insn_table+12(%edx), %edi   # EDI: base + idx * scale + offset
    movsbl insn_table+4(%edx), %esi    # ESI: size of the write
    push   %esi                        # Size
    push   %edi                        # Destination
    call   dirty_mem                   # records (Destination, Size) in the memory trace
    addl   $8, %esp

• Finally the flags and registers are restored and control returns to the application, which executes the original mov %eax, i with EAX, EBX, ECX, EDX, ESI, EDI, EBP and ESP at their original values:

    popfw
    pop    %edi
    pop    %esi
    pop    %ebp
    add    $4, %esp                    # discard the saved original esp
    pop    %ebx
    pop    %edx
    pop    %ecx
    pop    %eax
    ret

Summary
C/C++ Sources and Header Files → preprocessor → compiler → assembler → Relocatable Object File → Parser & Instrumentor, which produces the Instruction Table and the Instrumented Object File → Linker, together with the Monitoring Module → Executable File
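To tie the Instruction Table and the Monitoring Module of the summary together, here is an added C model of what monitor does between its prologue and its epilogue (binary search on the key, reconstruction of base + index*scale + displacement from the saved registers, call to dirty_mem). It is not the course's code: the entry layout follows the field offsets the assembly reads (+0 key, +4 size, +8 flags, +9 base, +10 index, +11 scale, +12 displacement, 16 bytes per entry), the register numbering follows the x86 encoding that the prologue's push order implies, and the table keys, the register values, the flag bit names and the `memory_trace` array filled by dirty_mem are constructed for this example (the slides show a memory_trace component receiving Destination and Size but not its implementation). One check a practitioner wants is added: the assembly assumes the return address is always in the table, whereas `find_entry` reports a missing key instead of reading a neighbouring entry.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed C model of one instruction-table entry (not the course's
 * code). Field offsets mirror the ones the monitor reads; sizeof is 16,
 * which is why the assembly multiplies the index by 16 (shl $4). */
struct insn_entry {
    uint32_t key;    /* +0  return address of the inserted call (search key) */
    int8_t   size;   /* +4  bytes written by the instruction */
    int8_t   pad[3];
    int8_t   flags;  /* +8  0x2: base register present, 0x4: index register present */
    int8_t   base;   /* +9  register number, x86 encoding order (0=eax ... 7=edi) */
    int8_t   index;  /* +10 */
    int8_t   scale;  /* +11 */
    int32_t  disp;   /* +12 displacement */
};

enum { EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI };
#define HAS_BASE  0x2   /* flag names are this example's own */
#define HAS_INDEX 0x4

static size_t entry_size(void) { return sizeof(struct insn_entry); }

/* Saved register frame: the monitor reads register r at -4*r from the
 * saved-eax slot; here the same values sit in an array indexed by r. */
typedef uint32_t saved_regs[8];

/* Lower-bound binary search on the key, as in the .Cerca loop. Unlike the
 * assembly, returns -1 when the return address is not an instrumented write. */
static long find_entry(const struct insn_entry *tbl, size_t dim, uint32_t key)
{
    size_t low = 0, high = dim;
    while (low < high) {
        size_t mid = (low + high) >> 1;
        if (tbl[mid].key < key) low = mid + 1;   /* .HighHalf */
        else                    high = mid;      /* .LowHalf  */
    }
    if (low == dim || tbl[low].key != key) return -1;
    return (long)low;
}

/* base + idx * scale + offset, read from the saved registers (.NoIndex/.NoBase). */
static uint32_t effective_address(const struct insn_entry *e, const saved_regs regs)
{
    uint32_t addr = 0;
    if (e->flags & HAS_INDEX) addr  = regs[e->index] * (uint32_t)e->scale;
    if (e->flags & HAS_BASE)  addr += regs[e->base];
    return addr + (uint32_t)e->disp;
}

/* Constructed memory trace filled by dirty_mem(Destination, Size). */
struct trace_rec { uint32_t dest; int size; };
static struct trace_rec memory_trace[64];
static size_t trace_len;

static void dirty_mem(uint32_t dest, int size)
{
    if (trace_len < 64) memory_trace[trace_len++] = (struct trace_rec){ dest, size };
}

/* The monitor's body: returns the traced destination, or 0 (and traces
 * nothing) when the key is unknown. */
static uint32_t monitor(const struct insn_entry *tbl, size_t dim,
                        uint32_t return_addr, const saved_regs regs)
{
    long i = find_entry(tbl, dim, return_addr);
    if (i < 0) return 0;
    uint32_t dest = effective_address(&tbl[i], regs);
    dirty_mem(dest, tbl[i].size);
    return dest;
}

/* Constructed sample table: made-up code addresses, sorted by key. */
static const struct insn_entry sample_table[] = {
    { 0x08048100, 4, {0}, HAS_BASE,             EBX, 0,   0, 0x0c },       /* movl %eax, 0xc(%ebx)        */
    { 0x08048140, 1, {0}, HAS_BASE | HAS_INDEX, EBX, EDX, 4, 0x2c },       /* movb %al, 0x2c(%ebx,%edx,4) */
    { 0x08048200, 4, {0}, 0,                    0,   0,   0, 0x0804a010 }, /* movl %eax, i (absolute)     */
};
#define SAMPLE_DIM (sizeof sample_table / sizeof sample_table[0])

/* Simulate a call to monitor returning to return_addr with ebx=0x1000, edx=2. */
static uint32_t run_sample(uint32_t return_addr)
{
    saved_regs regs = { [EBX] = 0x1000, [EDX] = 2 };
    return monitor(sample_table, SAMPLE_DIM, return_addr, regs);
}

int main(void)
{
    uint32_t d = run_sample(0x08048140);
    printf("entry size %zu, traced write: dest=0x%08x size=%d\n",
           entry_size(), (unsigned)d, memory_trace[trace_len - 1].size);
    return 0;
}
```

The second sample entry exercises the full path: idx (edx = 2) times scale 4, plus base (ebx = 0x1000), plus the 0x2c displacement gives 0x1034, and the 1-byte size travels with it into the trace, exactly the (Destination, Size) pair the slides show pushed before `call dirty_mem`.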