Why can a stripped binary file still have library call information in the disassembled file?
Test platform is 32-bit Linux.
I compile a C program without stripping the symbol information, and use objdump to disassemble the ELF executable file.
Here is part of the results.
804831c: e8 8c fe ff ff call 8048360 <printf@plt>
If I use:
strip binary
to remove the symbol info and use objdump to disassemble the ELF executable file again, I can still see results like:
804831c: e8 8c fe ff ff call 8048360 <printf@plt>
So my question is:
How can a disassembly tool like objdump know the names of certain library functions after I have stripped all the symbol information?
Thank you!
An ELF file has 2 symbol tables: .symtab and .dynsym. The latter is for dynamic symbols needed for dynamic linking (relocation). In your case, printf is in .dynsym and it may also be present in .symtab; by default strip would remove .symtab but not .dynsym, which is needed for relocation.
You may try
strip -R .dynsym your_binary
to remove the dynsym section manually and you will find it fails to run due to relocation failure.
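The split between the two symbol tables described in the answer above, shown as an added example (not part of the original question or answers): a small parser that lists the names held in each symbol-table section of a 32-bit little-endian ELF image. The names `symbol_tables`, `build_elf`, `BEFORE` and `AFTER` are introduced here, and the two images are constructed minimal stand-ins for a binary before and after a default strip, not real compiler output.

```python
import struct

SHT_SYMTAB, SHT_STRTAB, SHT_DYNSYM = 2, 3, 11

def cstr(buf, off):  # NUL-terminated name at offset `off`
    return buf[off:buf.index(b"\0", off)].decode()

def symbol_tables(elf):
    """Map each symbol-table section of an ELF32 little-endian image to its symbol names."""
    if elf[:6] != b"\x7fELF\x01\x01":
        raise ValueError("expected a 32-bit little-endian ELF image")
    shoff, _, _, _, _, shentsize, shnum, shstrndx = struct.unpack_from("<II6H", elf, 32)
    secs = [struct.unpack_from("<10I", elf, shoff + i * shentsize) for i in range(shnum)]
    found = {}
    for name, typ, _, _, off, size, link, _, _, entsize in secs:
        if typ in (SHT_SYMTAB, SHT_DYNSYM):
            strtab = secs[link][4]  # sh_link points at the paired string table
            syms = [cstr(elf, strtab + struct.unpack_from("<I", elf, off + i)[0])
                    for i in range(0, size, entsize)]
            found[cstr(elf, secs[shstrndx][4] + name)] = [s for s in syms if s]
    return found

def build_elf(tables):
    """Constructed sample: minimal ELF32 image holding only the given symbol tables."""
    heads, shstr = [], b"\0"  # each head: [name_off, type, data, link, entsize]
    for sym_sec, str_sec, typ, names in tables:
        symdata, strtab = bytes(16), b"\0"  # entry 0 is the reserved null symbol
        for n in names:
            symdata += struct.pack("<IIIBBH", len(strtab), 0, 0, 0x12, 0, 0)
            strtab += n.encode() + b"\0"
        for sec, t, data, link, ent in ((sym_sec, typ, symdata, len(heads) + 2, 16),
                                        (str_sec, SHT_STRTAB, strtab, 0, 0)):
            heads.append([len(shstr), t, data, link, ent])
            shstr += sec.encode() + b"\0"
    heads.append([len(shstr), SHT_STRTAB, shstr + b".shstrtab\0", 0, 0])
    out, table = bytearray(52), bytes(40)  # ELF header space, null section header
    for name_off, t, data, link, ent in heads:
        table += struct.pack("<10I", name_off, t, 0, 0, len(out), len(data), link, 0, 1, ent)
        out += data
    struct.pack_into("<16sHHIIIIIHHHHHH", out, 0, b"\x7fELF\x01\x01\x01", 2, 3, 1, 0, 0,
                     len(out), 0, 52, 0, 0, 40, len(heads) + 1, len(heads))
    return bytes(out) + table

# Constructed stand-ins for the binary before and after a default `strip`.
DYN = (".dynsym", ".dynstr", SHT_DYNSYM, ["printf"])
BEFORE = build_elf([DYN, (".symtab", ".strtab", SHT_SYMTAB, ["main", "printf"])])
AFTER = build_elf([DYN])
if __name__ == "__main__":
    print("before:", symbol_tables(BEFORE), "| after:", symbol_tables(AFTER))
```

To inspect a real 32-bit binary, pass the file's bytes to `symbol_tables`, for example `symbol_tables(open(path, "rb").read())`.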
Imported calls will always have the name; it is needed to link at runtime. If you stripped the import name, how would your application know what to call? Methods from external libraries may (and usually do) have a different address every time your application is executed.
On another note, inlined or statically-linked methods can sometimes be identified and named even without symbol information. Many disassemblers look for common patterns associated with some standard library functions. memcpy(), for example, can often be heuristically identified and labeled even without symbol info available.