本文介绍了用ptrace解析Call和Ret.的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我尝试使用ptrace解析可执行文件中的所有Calls和Rets.符合 x64opcode ,我发现了 Calls:0xe8 Rets:0xc3、0xc2、0xca,0xcb .

I try to parse all the Calls and Rets from an executable with ptrace.Conforming the the x64opcode, I found opcodes for Calls: 0xe8 and for Rets: 0xc3, 0xc2, 0xca, 0xcb.

自从对它们进行解析以来,我发现Rets比Calls多.

Since I parsed them I found more Rets than Calls.

有我跟踪的程序

void func()
{
  write(1, "i", 1);
}

int main(int ac)
{
  func();
  return(0);
}

有我的追踪器:

int                     tracer(t_info *info)
{
  int                   status;
  long                  ptr;
  int                   ret = 0;
  int                   call = 0;


  waitpid(info->pid, &status, 0);
  while (WIFSTOPPED(status))
    {
      ptrace(PTRACE_GETREGS, info->pid, NULL, info->regs);
      ptr = ptrace(PTRACE_PEEKDATA, info->pid, info->regs->rip);
      if (((ptr & 0x000000ff) == 0xe8)) // Opcode for call
        {
          call++;
        }
      else if (((ptr & 0x000000ff) == 0xc3) // Opcodes for rets
               || ((ptr & 0x000000ff) == 0xc2)
               || ((ptr & 0x000000ff) == 0xca)
               || ((ptr & 0x000000ff) == 0xcb))
        {
          ret++;
        }
      ptrace(PTRACE_SINGLESTEP, info->pid, 0, 0);
      waitpid(info->pid, &status, 0);
    }
  printf("Calls: %i\nRets: %i\nDiff: %i\n", call, ret, call - ret);
  return (0);
}

这是我的输出:

Calls: 656
Rets: 666
Diff: -10

为什么 rets calls 的数量不相同?我会错过一些操作码吗?有没有不返回的函数吗?

Why is there not the same number of rets and calls ?Do I miss some opcodes ?Is there functions that not return?

推荐答案

例如,您错过了间接呼叫,例如

You for example miss indirect calls like

callq *(<expr>)

使用其他操作码. Libc标准初始化例程使用了这些.根据表达式的不同,可能会有几个操作码,这是两个示例:

which use other opcodes. Libc standard initialization routines make use of these. Depending on the expression several opcodes are possible, two examples:

ff d0                   callq  *%rax
41 ff 14 dc             callq  *(%r12,%rbx,8)

要全部获取它们可能并不容易.也许使用libbfd和libopcodes之类的库对指令进行解码会更容易,更干净

It's probably not easy to get them all. Maybe it would be easier and cleaner to decode the instructions with a library like libbfd and libopcodes

这篇关于用ptrace解析Call和Ret.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-11 02:04