build-id data offset in the ELF file
I need to modify the build-id in the ELF note section. I found out that this is possible. What I can't figure out is the location of the data. Here is what I mean.
$ eu-readelf -S myelffile
Section Headers:
[Nr] Name Type Addr Off Size ES Flags Lk Inf Al
...
[ 2] .note.ABI-tag NOTE 000000000000028c 0000028c 00000020 0 A 0 0 4
[ 3] .note.gnu.build-id NOTE 00000000000002ac 000002ac 00000024 0 A 0 0 4
...
$ eu-readelf -n myelffile
Note section [ 2] '.note.ABI-tag' of 32 bytes at offset 0x28c:
Owner Data size Type
GNU 16 GNU_ABI_TAG
OS: Linux, ABI: 3.14.0
Note section [ 3] '.note.gnu.build-id' of 36 bytes at offset 0x2ac:
Owner Data size Type
GNU 20 GNU_BUILD_ID
Build ID: d75a086c288c582036b0562908304bc3a8033235
The .note.gnu.build-id section is 36 bytes. The build id is 20 bytes. What are the other 16 bytes?
I played with the code a bit and read 36 bytes of myelffile at offset 0x2ac. I got the following: 040000001400000003000000474e5500d75a086c288c582036b0562908304bc3a8033235.
Then I decided to use the Elf64_Shdr definition, so I read data at address 0x2ac + sizeof(Elf64_Shdr.sh_name) + sizeof(Elf64_Shdr.sh_type) + sizeof(Elf64_Shdr.sh_flags) and I got my build id, d75a086c288c582036b0562908304bc3a8033235. It does make sense why I got it, since sizeof(Elf64_Shdr.sh_name) + sizeof(Elf64_Shdr.sh_type) + sizeof(Elf64_Shdr.sh_flags) = 16 bytes, but according to the Elf64_Shdr definition I should be pointing at Elf64_Addr sh_addr, i.e. the section's virtual address.
So I'm not clear what the other 16 bytes of the section are. What do they represent? I can't reconcile the Elf64_Shdr definition with the result I got from my experiment.
Every .note.* section starts with an Elf64_Nhdr (12 bytes), followed by the (4-byte aligned) variable-sized note name (here GNU\0), followed by the (4-byte aligned) actual note data. See the documentation.
Looking at /bin/date on my system:
eu-readelf -Wn /bin/date
Note section [ 2] '.note.ABI-tag' of 32 bytes at offset 0x2c4:
Owner Data size Type
GNU 16 GNU_ABI_TAG
OS: Linux, ABI: 3.2.0
Note section [ 3] '.note.gnu.build-id' of 36 bytes at offset 0x2e4:
Owner Data size Type
GNU 20 GNU_BUILD_ID
Build ID: 979ae4616ae71af565b123da2f994f4261748cc9
What are the bytes at offset 0x2e4?
dd bs=1 skip=$((0x2e4)) count=36 < /bin/date | xxd
00000000: 0400 0000 1400 0000 0300 0000 474e 5500 ............GNU.
00000010: 979a e461 6ae7 1af5 65b1 23da 2f99 4f42 ...aj...e.#./.OB
00000020: 6174 8cc9 at..
So we have: .n_namesz == 4, .n_descsz == 20, .n_type == 3 == NT_GNU_BUILD_ID, followed by the 4-byte GNU\0 note name, followed by the 20 bytes of the actual build-id: the bytes 0x97, 0x9a, etc.
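The layout the answer describes, as an added worked example that is not code from the question or the answer: a small C program that walks a note-section buffer, locates the NT_GNU_BUILD_ID note by its Elf64_Nhdr and "GNU" owner, returns the offset of the 20-byte descriptor inside the section, and rewrites it in place, which is the operation the question asks about. The 36-byte sample input is the dump of /bin/date's .note.gnu.build-id shown above, embedded as a constant; the Elf64_Nhdr definition is copied from <elf.h> so the program builds anywhere. It assumes a little-endian ELF on a little-endian host (x86-64), since note header fields are stored in the file's byte order.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Elf64_Nhdr as in <elf.h>, redefined so the example builds on any platform. */
typedef struct {
    uint32_t n_namesz;  /* length of the owner name, including the NUL */
    uint32_t n_descsz;  /* length of the descriptor (the payload) */
    uint32_t n_type;    /* note type; NT_GNU_BUILD_ID == 3 */
} nhdr_t;

#define NT_GNU_BUILD_ID 3
/* Name and descriptor are each padded to a 4-byte boundary; widen first so a
   huge n_descsz from a malformed file cannot wrap in 32-bit arithmetic. */
#define NOTE_ALIGN(x) (((size_t)(x) + 3) & ~(size_t)3)

/* Constructed sample input: the 36 bytes dumped from /bin/date above
   (Elf64_Nhdr, "GNU\0", then the 20-byte SHA-1 build-id). */
static const uint8_t sample_note[36] = {
    0x04,0x00,0x00,0x00, 0x14,0x00,0x00,0x00, 0x03,0x00,0x00,0x00,
    'G','N','U',0x00,
    0x97,0x9a,0xe4,0x61,0x6a,0xe7,0x1a,0xf5,0x65,0xb1,0x23,0xda,
    0x2f,0x99,0x4f,0x42,0x61,0x74,0x8c,0xc9,
};

/* Walk a note section (little-endian host assumed). Returns the offset of the
   build-id descriptor within buf and stores its length in *desc_len, or -1 if
   no "GNU"-owned NT_GNU_BUILD_ID note is found or a note is truncated. */
long find_build_id(const uint8_t *buf, size_t len, size_t *desc_len)
{
    size_t off = 0;
    while (off + sizeof(nhdr_t) <= len) {
        nhdr_t h;
        memcpy(&h, buf + off, sizeof h);           /* unaligned-safe read */
        size_t name_off = off + sizeof(nhdr_t);
        size_t desc_off = name_off + NOTE_ALIGN(h.n_namesz);
        size_t next = desc_off + NOTE_ALIGN(h.n_descsz);
        if (next > len)                            /* truncated note */
            return -1;
        if (h.n_type == NT_GNU_BUILD_ID && h.n_namesz == 4 &&
            memcmp(buf + name_off, "GNU", 4) == 0) {
            *desc_len = h.n_descsz;
            return (long)desc_off;
        }
        off = next;                                /* skip to the next note */
    }
    return -1;
}

/* Render a descriptor as lowercase hex; out needs 2*n+1 bytes. */
char *build_id_hex(const uint8_t *desc, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        snprintf(out + 2 * i, 3, "%02x", desc[i]);
    out[2 * n] = '\0';
    return out;
}

/* Overwrite the build-id in place. n_descsz fixes the payload size, so the
   replacement must be exactly as long; a different length would mean
   resizing the section. Returns 0 on success, -1 otherwise. */
int patch_build_id(uint8_t *buf, size_t len, const uint8_t *new_id, size_t new_len)
{
    size_t desc_len;
    long off = find_build_id(buf, len, &desc_len);
    if (off < 0 || desc_len != new_len)
        return -1;
    memcpy(buf + off, new_id, new_len);
    return 0;
}

/* Wrappers over the sample so the results can be checked directly. */
long sample_build_id_offset(void)
{
    size_t n;
    return find_build_id(sample_note, sizeof sample_note, &n);
}

int sample_build_id_equals(const char *expected_hex)
{
    size_t n;
    char hex[2 * 64 + 1];
    long off = find_build_id(sample_note, sizeof sample_note, &n);
    if (off < 0 || n > 64)
        return 0;
    return strcmp(build_id_hex(sample_note + off, n, hex), expected_hex) == 0;
}

/* Patch a copy of the sample: a 19-byte id must be rejected, a 20-byte id
   must land at +16 and leave the header and owner name untouched. */
int sample_patch_roundtrip(void)
{
    uint8_t buf[sizeof sample_note], new_id[20];
    char hex[41];
    size_t n;
    memcpy(buf, sample_note, sizeof buf);
    memset(new_id, 0xaa, sizeof new_id);
    if (patch_build_id(buf, sizeof buf, new_id, 19) == 0) return 0;
    if (patch_build_id(buf, sizeof buf, new_id, 20) != 0) return 0;
    long off = find_build_id(buf, sizeof buf, &n);
    if (off != 16 || n != 20 || memcmp(buf, sample_note, 16) != 0) return 0;
    return strcmp(build_id_hex(buf + off, n, hex),
                  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") == 0;
}

int main(void)
{
    size_t n;
    char hex[41];
    long off = find_build_id(sample_note, sizeof sample_note, &n);
    if (off < 0) { fprintf(stderr, "no build-id note\n"); return 1; }
    printf("descriptor at +%ld, %zu bytes: %s\n", off, n,
           build_id_hex(sample_note + off, n, hex));
    return 0;
}
```

To patch a real binary, take Off and Size of .note.gnu.build-id from eu-readelf -S, read Size bytes at Off into a buffer, and write the new id back at Off plus the offset find_build_id returns (16 here). Nothing else in the file references the descriptor, but tools that key on the build-id (debuginfod, systemd-coredump, separate .debug files under .build-id/xx/) will no longer match the original.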