论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2009-01-02 19:36 |只看该作者 |倒序浏览

因为有人讨论起linux的共享库的函数调用地址的问题,为了能简单的进行探讨,特就两段简单的代码进行比较来说明linux下plt的一写简单特点:
testdll.c

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
char buffer[100];
int main()
{
int handle;
handle=open("myfile",O_RDONLY);
close(handle);
return(0);
}

复制代码

testdll2.c

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
char buffer[100];
int main()
{
int handle;
printf("hello! world");
handle=open("myfile",O_RDONLY);
close(handle);
return(0);
}

复制代码

[root@localhost test]# gdb testdll
GNU gdb Red Hat Linux (6.5-25.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/i686/nosegneg/libthread_db.so.1".

(gdb) b main
Breakpoint 1 at 0x80483c5: file testdll.c, line 12.
(gdb) r
Starting program: /test/testdll

Breakpoint 1, main () at testdll.c:12
12       handle=open("myfile",O_RDONLY);
(gdb) disass main
Dump of assembler code for function main:
0x080483b4 <main+0>: lea 0x4(%esp),%ecx
0x080483b8 <main+4>: and $0xfffffff0,%esp
0x080483bb <main+7>: pushl  0xfffffffc(%ecx)
0x080483be <main+10>: push %ebp
0x080483bf <main+11>: mov %esp,%ebp
0x080483c1 <main+13>: push %ecx
0x080483c2 <main+14>: sub $0x24,%esp
0x080483c5 <main+17>: movl $0x0,0x4(%esp)
0x080483cd <main+25>: movl $0x80484d0,(%esp)
0x080483d4 <main+32>: call 0x8048294 <open@plt>
0x080483d9 <main+37>: mov %eax,0xfffffff8(%ebp)
0x080483dc <main+40>: mov 0xfffffff8(%ebp),%eax
0x080483df <main+43>: mov %eax,(%esp)
0x080483e2 <main+46>: call 0x80482c4 <close@plt>
0x080483e7 <main+51>: mov $0x0,%eax
0x080483ec <main+56>: add $0x24,%esp
0x080483ef <main+59>: pop %ecx
0x080483f0 <main+60>: pop %ebp
0x080483f1 <main+61>: lea 0xfffffffc(%ecx),%esp
0x080483f4 <main+64>: ret
End of assembler dump.
(gdb) n
13       close(handle);
(gdb) disass main
Dump of assembler code for function main:
0x080483b4 <main+0>: lea 0x4(%esp),%ecx
0x080483b8 <main+4>: and $0xfffffff0,%esp
0x080483bb <main+7>: pushl  0xfffffffc(%ecx)
0x080483be <main+10>: push %ebp
0x080483bf <main+11>: mov %esp,%ebp
0x080483c1 <main+13>: push %ecx
0x080483c2 <main+14>: sub $0x24,%esp
0x080483c5 <main+17>: movl $0x0,0x4(%esp)
0x080483cd <main+25>: movl $0x80484d0,(%esp)
0x080483d4 <main+32>: call 0x8048294 <open@plt> //调用open，这个地址不是真正的open地址
0x080483d9 <main+37>: mov %eax,0xfffffff8(%ebp)
0x080483dc <main+40>: mov 0xfffffff8(%ebp),%eax
0x080483df <main+43>: mov %eax,(%esp)
0x080483e2 <main+46>: call 0x80482c4 <close@plt>
0x080483e7 <main+51>: mov $0x0,%eax
0x080483ec <main+56>: add $0x24,%esp
0x080483ef <main+59>: pop %ecx
0x080483f0 <main+60>: pop %ebp
0x080483f1 <main+61>: lea 0xfffffffc(%ecx),%esp
0x080483f4 <main+64>: ret
End of assembler dump.
(gdb) disass 0x8048294
Dump of assembler code for function open@plt:
0x08048294 <open@plt+0>:       jmp *0x80495c8
0x0804829a <open@plt+6>:       push $0x0
0x0804829f <open@plt+11>:    jmp 0x8048284
End of assembler dump.
(gdb) x 0x80495c8
0x80495c8 <_GLOBAL_OFFSET_TABLE_+12>: 0x0090cf20 //open函数的地址
(gdb)

gdb testdll2
GNU gdb Red Hat Linux (6.5-25.el5rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/i686/nosegneg/libthread_db.so.1".

(gdb) b main
Breakpoint 1 at 0x80483f5: file testdll.c, line 10.
(gdb) r
Starting program: /testdll2

Breakpoint 1, main () at testdll.c:10
10       printf("hello! world");
(gdb) disass main
Dump of assembler code for function main:
0x080483e4 <main+0>: lea 0x4(%esp),%ecx
0x080483e8 <main+4>: and $0xfffffff0,%esp
0x080483eb <main+7>: pushl  0xfffffffc(%ecx)
0x080483ee <main+10>: push %ebp
0x080483ef <main+11>: mov %esp,%ebp
0x080483f1 <main+13>: push %ecx
0x080483f2 <main+14>: sub $0x24,%esp
0x080483f5 <main+17>: movl $0x8048510,(%esp)
0x080483fc <main+24>: call 0x80482e8 <printf@plt>
0x08048401 <main+29>: movl $0x0,0x4(%esp)
0x08048409 <main+37>: movl $0x804851d,(%esp)
0x08048410 <main+44>: call 0x80482b8 <open@plt> //调用open，这个地址不是真正的open地址
0x08048415 <main+49>: mov %eax,0xfffffff8(%ebp)
0x08048418 <main+52>: mov 0xfffffff8(%ebp),%eax
0x0804841b <main+55>: mov %eax,(%esp)
0x0804841e <main+58>: call 0x80482f8 <close@plt>
0x08048423 <main+63>: mov $0x0,%eax
0x08048428 <main+68>: add $0x24,%esp
0x0804842b <main+71>: pop %ecx
0x0804842c <main+72>: pop %ebp
0x0804842d <main+73>: lea 0xfffffffc(%ecx),%esp
0x08048430 <main+76>: ret
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) n
12       handle=open("myfile",O_RDONLY);
(gdb) n
13       close(handle);
(gdb) disass main
Dump of assembler code for function main:
0x080483e4 <main+0>: lea 0x4(%esp),%ecx
0x080483e8 <main+4>: and $0xfffffff0,%esp
0x080483eb <main+7>: pushl  0xfffffffc(%ecx)
0x080483ee <main+10>: push %ebp
0x080483ef <main+11>: mov %esp,%ebp
0x080483f1 <main+13>: push %ecx
0x080483f2 <main+14>: sub $0x24,%esp
0x080483f5 <main+17>: movl $0x8048510,(%esp)
0x080483fc <main+24>: call 0x80482e8 <printf@plt>
0x08048401 <main+29>: movl $0x0,0x4(%esp)
0x08048409 <main+37>: movl $0x804851d,(%esp)
0x08048410 <main+44>: call 0x80482b8 <open@plt>
0x08048415 <main+49>: mov %eax,0xfffffff8(%ebp)
0x08048418 <main+52>: mov 0xfffffff8(%ebp),%eax
0x0804841b <main+55>: mov %eax,(%esp)
0x0804841e <main+58>: call 0x80482f8 <close@plt>
0x08048423 <main+63>: mov $0x0,%eax
0x08048428 <main+68>: add $0x24,%esp
0x0804842b <main+71>: pop %ecx
0x0804842c <main+72>: pop %ebp
0x0804842d <main+73>: lea 0xfffffffc(%ecx),%esp
0x08048430 <main+76>: ret
---Type <return> to continue, or q <return> to quit---disass 80482b8
End of assembler dump.
(gdb) disass 0x80482b8
Dump of assembler code for function open@plt:
0x080482b8 <open@plt+0>:       jmp *0x8049614
0x080482be <open@plt+6>:       push $0x0
0x080482c3 <open@plt+11>:    jmp 0x80482a8
End of assembler dump.
(gdb) x 0x8049614
0x8049614 <_GLOBAL_OFFSET_TABLE_+12>: 0x0090cf20 //open函数的地址
(gdb)

文库|博客

system888net

腰缠万贯

论坛徽章:: 0

2楼 [报告]

发表于 2009-01-02 19:48 |只看该作者

在testdll.c中
0x080483d4 <main+32>: call 0x8048294 <open@plt>

0x08048294 <open@plt+0>:       jmp *0x80495c8
0x0804829a <open@plt+6>:       push $0x0
0x0804829f <open@plt+11>:    jmp 0x8048284

(gdb) x 0x80495c8
0x80495c8 <_GLOBAL_OFFSET_TABLE_+12>: 0x0090cf20
open@plt在0x080483d4地址处,而真正的open地址在0x80495c8处(从jmp *0x80495c8可以的出), 可以看到0x080495c8地址处的是0x0090cf20这是指向了真正open的映射.

在testdll2.c中
0x08048410 <main+44>: call 0x80482b8 <open@plt>

0x080482b8 <open@plt+0>:       jmp *0x8049614
0x080482be <open@plt+6>:       push $0x0
0x080482c3 <open@plt+11>:    jmp 0x80482a8

(gdb) x 0x8049614
0x8049614 <_GLOBAL_OFFSET_TABLE_+12>: 0x0090cf20
open@plt在0x080482b8地址处,而真正的open地址在0x8049614处(从jmp *0x8049614可以的出), 可以看到0x8049614地址处的是0x0090cf20这是指向了真正open的映射.

需要说明的是0x8049614处的值在程序(这里是testdll2)运行第一此调用open的时候由stub程序修改为实际指向open的地址.  而stub程序就是

0x080482b8 <open@plt+0>: jmp *0x8049614
0x080482be <open@plt+6>: push $0x0
0x080482c3 <open@plt+11>: jmp 0x80482a8

复制代码

开始的这段代码,当第一此修改0x8049614的值后,以后由于jmp *0x8049614直接可以访问到open函数,因此加快了访问速度.

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

system888net

腰缠万贯

论坛徽章:: 0

3楼 [报告]

发表于 2009-01-02 20:02 |只看该作者

为了证实stub程序是否修改jmp *xxxx中xxxx处的值,我们继续看没有运行到的close@plt

0x0804841e <main+58>: call 0x80482f8 <close@plt>

复制代码

(gdb) disass 0x80482f8
Dump of assembler code for function close@plt:
0x080482f8 <close@plt+0>:    jmp *0x8049624
0x080482fe <close@plt+6>:    push $0x20
0x08048303 <close@plt+11>:    jmp 0x80482a8
End of assembler dump.
(gdb) x 0x8049624
0x8049624 <_GLOBAL_OFFSET_TABLE_+28>: 0x080482fe
(gdb)
如上大家看到的jmp *0x8049624 中 *0x8049624实际上就是0x080482fe,也就是一个没有指向close的地址,这个地址需要stub程序去填写.

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

system888net

腰缠万贯

论坛徽章:: 0

4楼 [报告]

发表于 2009-01-02 20:10 |只看该作者

当call 0x80482f8 <close@plt>完成后
(gdb) x 0x8049624
0x8049624 <_GLOBAL_OFFSET_TABLE_+28>: 0x0090d5a0
(gdb)

此处的值已经被修改了。

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

mik

荣誉版主

论坛徽章:: 0

5楼 [报告]

发表于 2009-01-02 22:30 |只看该作者

原帖由 system888net 于 2009-1-2 19:48 发表
在testdll.c中
0x080483d4 <main+32>: call 0x8048294 <open@plt>

0x08048294 <open@plt+0>:       jmp *0x80495c8
0x0804829a <open@plt+6>:       push $0x0
0x0804829f <open@plt+11>:    jmp 0x8048284

(gdb) x 0x80495c8
0x80495c8 <_GLOBAL_OFFSET_TABLE_+12>: 0x0090cf20
open@plt在0x080483d4地址处,而真正的open地址在0x80495c8处(从jmp *0x80495c8可以的出), 可以看到0x080495c8地址处的是0x0090cf20这是指向了真正open的映射. ...

jmp *0x80495c8　这条语句应该是来到 0x0804829a 才对

(gdb) x 0x80495c8
应该得到值为 0x0804829a 才对

>>> 不知道你这样的 0x0090cf20 是怎么得来的？？？？

需要说明的是0x8049614处的值在程序(这里是testdll2)运行第一此调用open的时候由stub程序修改为实际指向open的地址.  而stub程序就是

[Copy to clipboard] [ - ]CODE:
0x080482b8 <open@plt+0>:       jmp *0x8049614
0x080482be <open@plt+6>:       push $0x0
0x080482c3 <open@plt+11>:    jmp 0x80482a8
开始的这段代码,当第一此修改0x8049614的值后,以后由于jmp *0x8049614直接可以访问到open函数,因此加快了访问速度.

这个解释毫不靠谱！！

实战分享：从技术角度谈机器学习入门| 【大话IT】RadonDB低门槛向MySQL集群下战书 | ChinaUnix打赏功能已上线！ | 新一代分布式关系型数据库RadonDB知多少？

system888net

腰缠万贯

论坛徽章:: 0

6楼 [报告]

发表于 2009-01-04 12:14 |只看该作者

原帖由 mik 于 2009-1-2 22:30 发表

jmp *0x80495c8　这条语句应该是来到 0x0804829a 才对

(gdb) x 0x80495c8
应该得到值为 0x0804829a 才对

>>> 不知道你这样的 0x0090cf20 是怎么得来的？？？？

这个解释毫不靠谱！！