
I am on Ubuntu 13.10 and have this little stripped+packed ELF file. I need to dump various pieces of information from its process in an automated way, so I hacked together a tiny tracer that traces my progress, similar to strace. Three questions arose:

1) After attaching to my process, how can I get its imagebase?

2) Where does the process break first? Apparently it is not the EP of the program.

3) Any way I can be notified when a .so/.lib file is loaded? GDB can do this somehow, I think.

The first question really is the most important one. Any help is appreciated.

bernd feinman
  • I don't know for sure, but I believe you have to work out the answer to (1) for yourself by parsing the executable image for the process. And the program will only break where you tell it to break (using either `PTRACE_SETREGSET` or `PTRACE_POKEUSER`, depending on OS and CPU, to set the debug control registers to establish a hardware breakpoint, or `PTRACE_POKETEXT` to inject a breakpoint instruction). `ptrace` is an extremely "bare metal" API - it does very little for you, and you have to know the hardware and the ABI inside and out to make effective use of it. – zwol Nov 14 '13 at 18:14
  • How would I go about parsing the executable process? – bernd feinman Nov 14 '13 at 18:59
  • Investigate [libelf](http://www.mr511.de/software/english.html). – zwol Nov 14 '13 at 19:06
  • I can do that, but it won't give me the current imagebase for the process, which is not necessarily the same as the "default" one from the file (ASLR). – bernd feinman Nov 14 '13 at 19:25

1 Answer


1) /proc/<PID>/maps contains a list of everything the process mapped and from where, including pages mapped from an executable. By reading the executable's ELF headers you should be able to figure out where .text is.

2) Execution of a dynamically linked binary typically starts with an interpreter. The INTERP program header in an ELF executable (dump with readelf -e) will have its name. It's the interpreter's entry point where execution starts. Typically it's a runtime linker ld-<some-variant>.so. It maps in the executable's sections and may also map required shared libraries.

3) GDB has fairly detailed knowledge of how the runtime linker is implemented, so it's able to intercept dynamic object loading by setting breakpoints in the right places. You can do the same. dlopen() seems like a good candidate for an interception point. As I noted in #2, shared objects may have been pre-loaded before the executable gets control.

ArtemB
  • 1) I'll look into that right now. However, I'd essentially be parsing *text* to find the imagebase. Doesn't feel clean. But thanks, I'll look into all that right now. – bernd feinman Nov 14 '13 at 20:19
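Added example, not part of ArtemB's answer or the asker's tracer: a C parser for the /proc/<PID>/maps text from point 1 that returns the lowest mapping of a given executable path, which under ASLR is the runtime image base rather than the address in the ELF file. The sample maps text, its paths and its addresses are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Lowest mapping in maps_text (contents of /proc/<PID>/maps) whose pathname is
 * `path`: under ASLR/PIE that start address is the runtime image base, not the
 * p_vaddr in the ELF file. Pass the canonical path (readlink of /proc/<PID>/exe),
 * since maps prints resolved paths. Returns 0 and sets *base_out, else -1. */
static int image_base_from_maps(const char *maps_text, const char *path,
                                unsigned long *base_out)
{
    unsigned long start, end, off, lowest = 0;
    char perms[8];
    int consumed, found = 0;
    for (const char *line = maps_text; *line; ) {
        const char *nl = strchr(line, '\n');
        /* line layout: start-end perms offset dev inode [pathname] */
        consumed = 0;
        if (sscanf(line, "%lx-%lx %7s %lx %*s %*s%n",
                   &start, &end, perms, &off, &consumed) == 4 && consumed > 0) {
            const char *name = line + consumed;
            while (*name == ' ') name++;
            size_t nlen = strcspn(name, "\n");   /* anonymous mapping: nlen == 0 */
            if (nlen == strlen(path) && memcmp(name, path, nlen) == 0 &&
                (!found || start < lowest)) {
                lowest = start;
                found = 1;
            }
        }
        if (!nl) break;
        line = nl + 1;
    }
    if (!found) return -1;
    *base_out = lowest;
    return 0;
}

/* Constructed maps sample (hypothetical paths and addresses) so the parser runs
 * offline; for a live tracee read /proc/<PID>/maps into a buffer instead. */
static const char sample_maps[] =
    "555b2e3a1000-555b2e3a3000 r--p 00000000 08:01 1048578   /home/user/packed\n"
    "555b2e3a3000-555b2e3a5000 r-xp 00002000 08:01 1048578   /home/user/packed\n"
    "7f0c1d200000-7f0c1d222000 r-xp 00000000 08:01 131078    /lib/x86_64-linux-gnu/ld-2.17.so\n"
    "7ffd3c1c0000-7ffd3c1e1000 rw-p 00000000 00:00 0         [stack]\n";

/* Look `path` up in sample_maps; returns 0 when it is not mapped. */
static unsigned long sample_base(const char *path)
{
    unsigned long base = 0;
    return image_base_from_maps(sample_maps, path, &base) == 0 ? base : 0;
}
```

The same lookup with the interpreter's path (the INTERP name from point 2) gives the runtime linker's base, which is where the tracee is actually stopped at its first instruction.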