当我strace
检查程序时,我经常很难找到动态加载程序的系统调用在哪里结束以及程序的系统调用在哪里开始。
strace ./hello
一个hello
简单的 hello world C 程序的输出有 36 行。这是一个示例:
execve("./hello", ["./hello"], 0x7fffb38f4a30 /* 73 vars */) = 0
brk(NULL) = 0x1304000
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffe6715fe60) = -1 EINVAL (Invalid argument)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=92340, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 92340, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f78d9fbd000
close(3) = 0
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260|\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
pread64(3, "\4\0\0\0 \0\0\0\5\0\0\0GNU\0\2\0\0\300\4\0\0\0\3\0\0\0\0\0\0\0"..., 48, 848) = 48
有没有办法忽略动态加载器系统调用?
答案1
在 x86_64 上,主程序在arch_prctl(ARCH_SET_FS)
几秒后启动mprotect()
,因此您可以sed 1,/ARCH_SET_FS/d
查看strace
的输出。
您可以在所有平台上使用的一个技巧是使用LD_PRELOAD
一个小型库,它会覆盖__libc_start_main()
并执行无意义的系统调用,就像write(-1, "IT_STARTS_HERE", 14)
调用原始__libc_start_main()
.
cat >hack.c <<'EOT'
#define _GNU_SOURCE
#include <dlfcn.h>
#include <unistd.h>
#include <errno.h>
#include <err.h>
int __libc_start_main(
int (*main)(int,char**,char**), int ac, char **av,
int (*init)(int,char**,char**), void (*fini)(void),
void (*rtld_fini)(void), void *stack_end)
{
typeof(__libc_start_main) *next = dlsym(RTLD_NEXT, "__libc_start_main");
write(-1, "IT_STARTS_HERE", 14); errno = 0;
return next(main, ac, av, init, fini, rtld_fini, stack_end);
}
EOT
cc -shared -ldl hack.c -o hack.so
hack_strace(){ strace -E LD_PRELOAD=./hack.so "$@" 2>&1 >&3 3>&- | sed 1,/IT_STARTS_HERE/d >&2; } 3>&1
# usage
hack_strace sh -c 'echo LOL'
getuid() = 2000
getgid() = 2000
getpid() = 11443
rt_sigaction(SIGCHLD, {sa_handler=0x55eba5c19380, sa_mask=~[RTMIN RT_1], sa_flags=SA_RESTORER, sa_restorer=0x7fae5c55f840}, NULL, 8) = 0
geteuid() = 2000