
build-id data offset in the ELF file

I need to modify the build-id of the ELF notes section. I found out that it is possible here. Also found out that I can do it by modifying this code. What I can't figure out is data location. Here is what I'm talking about.

$ eu-readelf -S myelffile

Section Headers:
[Nr] Name                 Type         Addr             Off      Size     ES Flags Lk Inf Al
...
[ 2] .note.ABI-tag        NOTE         000000000000028c 0000028c 00000020  0 A      0   0  4
[ 3] .note.gnu.build-id   NOTE         00000000000002ac 000002ac 00000024  0 A      0   0  4
...


$ eu-readelf -n myelffile

Note section [ 2] '.note.ABI-tag' of 32 bytes at offset 0x28c:
  Owner          Data size  Type
  GNU                   16  GNU_ABI_TAG
    OS: Linux, ABI: 3.14.0

Note section [ 3] '.note.gnu.build-id' of 36 bytes at offset 0x2ac:
  Owner          Data size  Type
  GNU                   20  GNU_BUILD_ID
    Build ID: d75a086c288c582036b0562908304bc3a8033235
             

.note.gnu.build-id section is 36 bytes. The build id is 20 bytes. What are the other 16 bytes?

I played with the code a bit and read 36 bytes of myelffile at offset 0x2ac. Got the following: 040000001400000003000000474e5500d75a086c288c582036b0562908304bc3a8033235.

Then I decided to use Elf64_Shdr definition, so I read data at address 0x2ac + sizeof(Elf64_Shdr.sh_name) + sizeof(Elf64_Shdr.sh_type) + sizeof(Elf64_Shdr.sh_flags) and I got my build id, d75a086c288c582036b0562908304bc3a8033235. It does make sense why I got it, sizeof(Elf64_Shdr.sh_name) + sizeof(Elf64_Shdr.sh_type) + sizeof(Elf64_Shdr.sh_flags) = 16 bytes, but according to Elf64_Shdr definition I should be pointing to Elf64_Addr sh_addr, i.e. section virtual address.

So what is not clear to me is what are the other 16 bytes of the section? What do they represent? I can't reconcile the Elf64_Shdr definition and the results I'm getting from my experiments.

.note.gnu.build-id section is 36 bytes. The build id is 20 bytes. What are the other 16 bytes?

Each .note.* section starts with Elf64_Nhdr (12 bytes), followed by (4-byte aligned) note name of variable size (GNU\0 here), followed by (4-byte aligned) actual note data. Documentation.

Looking at /bin/date on my system:

 eu-readelf -Wn /bin/date

Note section [ 2] '.note.ABI-tag' of 32 bytes at offset 0x2c4:
  Owner          Data size  Type
  GNU                   16  GNU_ABI_TAG
    OS: Linux, ABI: 3.2.0

Note section [ 3] '.note.gnu.build-id' of 36 bytes at offset 0x2e4:
  Owner          Data size  Type
  GNU                   20  GNU_BUILD_ID
    Build ID: 979ae4616ae71af565b123da2f994f4261748cc9

What are the bytes at offset 0x2e4?

 dd bs=1 skip=$((0x2e4)) count=36 < /bin/date | xxd

00000000: 0400 0000 1400 0000 0300 0000 474e 5500  ............GNU.
00000010: 979a e461 6ae7 1af5 65b1 23da 2f99 4f42  ...aj...e.#./.OB
00000020: 6174 8cc9                                at..

So we have: .n_namesz == 4, .n_descsz == 20, .n_type == 3 == NT_GNU_BUILD_ID, followed by 4-byte GNU\0 note name, followed by 20 bytes of actual build-id bytes 0x97, 0x9a, etc.
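The note layout described in the answer, as an added example that is not part of the original answer: a bounds-checked walk over a note section image that returns where the build-id bytes start. The names find_build_id, rd32le and DATE_NOTE are made up for this example, and it assumes a little-endian ELF file whose section bytes have already been read into memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NT_GNU_BUILD_ID 3u
#define ALIGN4(x) (((size_t)(x) + 3u) & ~(size_t)3u)

/* The 36 section bytes from the xxd dump of /bin/date above. */
static const unsigned char DATE_NOTE[36] = {
    0x04, 0, 0, 0,  0x14, 0, 0, 0,  0x03, 0, 0, 0,  'G', 'N', 'U', 0,
    0x97, 0x9a, 0xe4, 0x61, 0x6a, 0xe7, 0x1a, 0xf5, 0x65, 0xb1,
    0x23, 0xda, 0x2f, 0x99, 0x4f, 0x42, 0x61, 0x74, 0x8c, 0xc9 };
/* Assumption: little-endian (ELFDATA2LSB) file, as in the dump. */
static uint32_t rd32le(const unsigned char *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the notes in one section image. On success return 0 and set *off
 * (offset of the ID bytes within the section) and *len (n_descsz);
 * return -1 if no GNU build-id note exists or a size field overruns. */
int find_build_id(const unsigned char *sec, size_t size, size_t *off, size_t *len)
{
    size_t pos = 0;
    while (size - pos >= 12) {                 /* 12-byte note header fits */
        uint32_t namesz = rd32le(sec + pos), descsz = rd32le(sec + pos + 4);
        uint32_t type = rd32le(sec + pos + 8);
        size_t left = size - pos - 12, desc_at;
        if (namesz > left || ALIGN4(namesz) > left) return -1;
        desc_at = pos + 12 + ALIGN4(namesz);   /* name is padded to 4 bytes */
        left -= ALIGN4(namesz);
        if (descsz > left) return -1;          /* descriptor must fit */
        if (type == NT_GNU_BUILD_ID && namesz == 4 &&
            memcmp(sec + pos + 12, "GNU", 4) == 0) {
            *off = desc_at; *len = descsz;
            return 0;
        }
        if (ALIGN4(descsz) > left) return -1;  /* padding must fit to continue */
        pos = desc_at + ALIGN4(descsz);
    }
    return -1;
}

int main(void)
{
    size_t off = 0, len = 0;
    if (find_build_id(DATE_NOTE, sizeof DATE_NOTE, &off, &len)) return 1;
    printf("ID at section+%zu (file 0x%zx), %zu bytes\n", off, (size_t)0x2e4 + off, len);
    return 0;
}
```

The ID bytes sit at the section's file offset plus off; the 16 bytes before them are the note header and the padded name, so an in-place edit should overwrite exactly len bytes and leave those untouched.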
