{"id":194,"date":"2024-08-02T11:59:03","date_gmt":"2024-08-02T03:59:03","guid":{"rendered":"http:\/\/39.104.51.85\/?p=194"},"modified":"2024-08-02T15:30:37","modified_gmt":"2024-08-02T07:30:37","slug":"ret2dl%e7%90%86%e8%ae%ba%e5%ad%a6%e4%b9%a0","status":"publish","type":"post","link":"http:\/\/39.104.51.85\/index.php\/2024\/08\/02\/ret2dl%e7%90%86%e8%ae%ba%e5%ad%a6%e4%b9%a0\/","title":{"rendered":"ret2dl\u7406\u8bba\u5b66\u4e60"},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code>struct link_map {\n    Elf64_Addr l_addr;\n    char *l_name;\n    Elf64_Dyn *l_ld;\/\/Dynamic\u7684\u5730\u5740\n    struct link_map *l_next;\n    struct link_map *l_prev;\n    struct link_map *l_real;\n    Lmid_t l_ns;\n    struct libname_list *l_libname;\n    Elf64_Dyn *l_info&#91;76];\/\/l_info \u91cc\u9762\u5305\u542b\u7684\u5c31\u662f\u52a8\u6001\u94fe\u63a5\u7684\u5404\u4e2a\u8868\u7684\u4fe1\u606f\uff0c\u5b9e\u9645\u5c31\u662f.dynamic\u8282\n    const Elf64_Phdr *l_phdr;\n    Elf64_Addr l_entry;\n    Elf64_Half l_phnum;\n    Elf64_Half l_ldnum;\n    struct r_scope_elem l_searchlist;\n    struct r_scope_elem l_symbolic_searchlist;\n    struct link_map *l_loader;\n    struct r_found_version *l_versions;\n    unsigned int l_nversions;\n    Elf_Symndx l_nbuckets;\n    Elf32_Word l_gnu_bitmask_idxbits;\n    Elf32_Word l_gnu_shift;\n    const Elf64_Addr *l_gnu_bitmask;\n    union {\n        const Elf32_Word *l_gnu_buckets;\n        const Elf_Symndx *l_chain;\n    };\n    union {\n        const Elf32_Word *l_gnu_chain_zero;\n        const Elf_Symndx *l_buckets;\n    };\n    unsigned int l_direct_opencount;\n    enum {lt_executable, lt_library, lt_loaded} l_type : 2;\n    unsigned int l_relocated : 1;\n    unsigned int l_init_called : 1;\n    unsigned int l_global : 1;\n    unsigned int l_reserved : 2;\n    unsigned int l_phdr_allocated : 1;\n    unsigned int l_soname_added : 1;\n    unsigned int l_faked : 1;\n    unsigned int l_need_tls_init : 1;\n    unsigned int l_auditing : 
1;\n    unsigned int l_audit_any_plt : 1;\n    unsigned int l_removed : 1;\n    unsigned int l_contiguous : 1;\n    unsigned int l_symbolic_in_local_scope : 1;\n    unsigned int l_free_initfini : 1;\n    struct r_search_path_struct l_rpath_dirs;\n    struct reloc_result *l_reloc_result;\n    Elf64_Versym *l_versyms;\n    const char *l_origin;\n    Elf64_Addr l_map_start;\n    Elf64_Addr l_map_end;\n    Elf64_Addr l_text_end;\n    struct r_scope_elem *l_scope_mem&#91;4];\n    size_t l_scope_max;\n    struct r_scope_elem **l_scope;\n    struct r_scope_elem *l_local_scope&#91;2];\n    struct r_file_id l_file_id;\n    struct r_search_path_struct l_runpath_dirs;\n    struct link_map **l_initfini;\n    struct link_map_reldeps *l_reldeps;\n    unsigned int l_reldepsmax;\n    unsigned int l_used;\n    Elf64_Word l_feature_1;\n    Elf64_Word l_flags_1;\n    Elf64_Word l_flags;\n    int l_idx;\n    struct link_map_machine l_mach;\n    struct {\n        const Elf64_Sym *sym;\n        int type_class;\n        struct link_map *value;\n        const Elf64_Sym *ret;\n    } l_lookup_cache;\n    void *l_tls_initimage;\n    size_t l_tls_initimage_size;\n    size_t l_tls_blocksize;\n    size_t l_tls_align;\n    size_t l_tls_firstbyte_offset;\n    ptrdiff_t l_tls_offset;\n    size_t l_tls_modid;\n    size_t l_tls_dtor_count;\n    Elf64_Addr l_relro_addr;\n    size_t l_relro_size;\n    unsigned long long l_serial;\n    struct auditstate l_audit&#91;];\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>typedef struct\n{\n  Elf64_Word\tst_name;\t\t\/* \u5728.Dynstr\u4e2d\u7684\u504f\u79fb\uff0c\u6307\u5411\u4e00\u4e2astr\uff0c\u53604\u5b57\u8282*\/\n  unsigned char\tst_info;\t\t\/* Symbol type and binding \u53601\u5b57\u8282*\/\n  unsigned char st_other;\t\t\/* Symbol visibility \u53601\u5b57\u8282*\/\n  Elf64_Section\tst_shndx;\t\t\/* Section index \u53602\u5b57\u8282*\/\n  Elf64_Addr\tst_value;\t\t\/* Symbol value \u53608\u5b57\u8282*\/\n  Elf64_Xword\tst_size;\t\t\/* Symbol 
size \u53608\u5b57\u8282*\/\n} Elf64_Sym;<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>typedef struct\n{\n  Elf64_Sxword\td_tag;\t\t\t\/* Dynamic entry type *\/\n  union\n    {\n      Elf64_Xword d_val;\t\t\/* Integer value *\/\n      Elf64_Addr d_ptr;\t\t\t\/* Address value *\/\n    } d_un;\n} Elf64_Dyn;<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>typedef struct\n{\n  Elf64_Addr\tr_offset;\t\t\/*r_offset+l_addr\u4e3a\u4e00\u4e2a\u6307\u5411got\u8868\u7684\u6307\u9488\uff0c\u8bb0\u5f55\u7740\u8be5\u51fd\u6570\u5728got\u8868\u4e2d\u7684\u4f4d\u7f6e\uff0c\u6b63\u5e38\u60c5\u51b5\u4e0bl_addr=0*\/\n  Elf64_Xword\tr_info;\t\t\t\/*r_info>>32\u5c31\u662f\u5728dynsym\u4e2d\u7684\u4e0b\u6807\uff0c\u6700\u4f4e\u4f4d\u8981\u4e3a7*\/\n  Elf64_Sxword  r_addend;               \/*Addend *\/\n} Elf64_Rela;<\/code><\/pre>\n\n\n\n<p>Dynamic\u8282\u7531Elf64_Dyn\u7ed3\u6784\u4f53\u6784\u6210<\/p>\n\n\n\n<p>Dynsym\u8282\u7531Elf64_Sym\u7ed3\u6784\u4f53\u6784\u6210<\/p>\n\n\n\n<p>.rel.plt\u8282\u7531Elf64_Rela\u7ed3\u6784\u4f53\u6784\u6210<\/p>\n\n\n\n<p>_dl_runtime_resolve(link_map,reloc_arg)\u5b9e\u9645\u4e0a\u5c31\u662f\u6267\u884c\u4e86_dl_fixup<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2024\/08\/image.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"343\" height=\"176\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2024\/08\/image.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-195\"  sizes=\"(max-width: 343px) 
100vw, 343px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2024\/08\/image-1.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"346\" height=\"149\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2024\/08\/image-1.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-196\"  sizes=\"(max-width: 346px) 100vw, 346px\" \/><\/div><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/39.104.51.85\/wp-content\/uploads\/2024\/08\/image-2.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" width=\"725\" height=\"169\" data-original=\"http:\/\/39.104.51.85\/wp-content\/uploads\/2024\/08\/image-2.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-197\"  sizes=\"(max-width: 725px) 100vw, 725px\" 
\/><\/div><\/figure>\n\n\n\n<p>\u8fdb\u884c\u52a8\u6001\u94fe\u63a5\u7684\u6d41\u7a0b\uff1a<\/p>\n\n\n\n<p>1.\u6839\u636e\u60f3\u8981\u8fde\u63a5\u7684\u51fd\u6570\u786e\u5b9a\u504f\u79fbreloc_arg\uff08\u4f53\u73b0\u5728plt[1]\u8868\u91cc\u9762\u7684push\uff09<\/p>\n\n\n\n<p>2.\u627e\u5230.rel.plt\u91cc\u5bf9\u5e94\u7684ELF64_Rela\u8868\u9879<\/p>\n\n\n\n<p>3.\u6839\u636eELF64_Rela\u91cc\u7684r_info\u786e\u5b9a\u8be5\u51fd\u6570\u5bf9\u5e94.dynsym\u91cc\u7684\u54ea\u4e00\u4e2aElf64_sym\u9879\uff08\u572864\u4f4d\u4e2dr_info&gt;&gt;32\u5373\u4e3a\u8868\u9879\u4e0b\u6807\uff09<\/p>\n\n\n\n<p>4.\u572832\u4f4d\u7a0b\u5e8f\u4e2d\u4f1a\u6839\u636eElf32_sym\u91cc\u7684st_name\u5728\u8df3\u8f6c\u5230.dynstr\u91cc\u5bfb\u627e\u5b57\u7b26\u4e32\uff0c\u518d\u6839\u636e\u8fd9\u4e2a\u5b57\u7b26\u4e32\u5230libc\u4e2d\u53bb\u8fdb\u884c\u5339\u914d\u67e5\u8be2\uff0c\u6700\u540e\u628alibc\u57fa\u5740+st_value\u4f5c\u4e3a\u8be5\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\u5199\u5165r_offset\u8fd9\u4e00\u6307\u9488\u6307\u5411\u7684\u4f4d\u7f6e\uff0c\u6b63\u5e38\u60c5\u51b5\u4e0b\u8be5\u6307\u9488\u6307\u5411got\u8868\u5bf9\u5e94\u7684\u8868\u9879<\/p>\n\n\n\n<p>5.\u800c\u572864\u4f4d\u7a0b\u5e8f\u4e2d\uff0c\u7531\u4e8e\u8981\u7ed5\u5f00\u4fdd\u62a4\uff08\u4ee4st_other!=0\uff09\uff0c\u6240\u4ee5\u4e0d\u4f1a\u7ecf\u8fc7\u67e5\u627e\u5b57\u7b26\u4e32\u8fd9\u4e00\u6b65\u9aa4\uff0c\u6700\u7ec8\u5730\u5740\u7684\u8ba1\u7b97\u65b9\u5f0f\u53d8\u6210\u4e86l_addr+st_value\u3002\u5728Elf64_sym\u7ed3\u6784\u4f53\u4e2d\uff0cst_value\u4e0e\u8868\u5934\u7684\u95f4\u9694\u4e3a8\u5b57\u8282\uff0c\u6240\u4ee5\u5982\u679c\u80fd\u8ba9sym\u6307\u5411a\u51fd\u6570\u7684got-8\u4f4d\u7f6e\uff08\u5047\u8bbea\u662f\u4efb\u610f\u4e00\u4e2a\u5df2\u89e3\u6790\u7684\u51fd\u6570\uff09\uff0c\u90a3\u4e48st_value\u6070\u597d\u5c31\u662fa\u7684got\u4f4d\u7f6e\uff0c\u5176\u503c\u5c31\u662fa\u51fd\u6570\u7684\u771f\u5b9e\u5730\u5740\uff0c\u90a3\u4e48\u53ea\u8981\u8ba9l_addr\u4e3asystem\u51fd\u6570\u4e0ea\u51fd\u6570\u5728l
ibc\u91cc\u9762\u7684\u504f\u79fboffset\uff0c\u6700\u7ec8\u89e3\u6790\u51fa\u6765\u7684\u5730\u5740\u5c31\u662f\u771f\u6b63\u7684system\u5730\u5740\u4e86<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dynamic\u8282\u7531Elf64_Dyn\u7ed3\u6784\u4f53\u6784\u6210 Dynsym\u8282\u7531Elf64_Sym\u7ed3\u6784\u4f53\u6784\u6210 .rel.plt\u8282 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[31],"class_list":["post-194","post","type-post","status-publish","format-standard","hentry","category-pwn","tag-ret2dl"],"_links":{"self":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/comments?post=194"}],"version-history":[{"count":3,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/194\/revisions"}],"predecessor-version":[{"id":202,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/posts\/194\/revisions\/202"}],"wp:attachment":[{"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/media?parent=194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/categories?post=194"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/39.104.51.85\/index.php\/wp-json\/wp\/v2\/tags?post=194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}