ELF动态信息详解<\/h1>

1. ELF动态信息概述<\/h2>
ELF动态信息存储在ELF文件的.dynamic段中，用于描述动态链接器运行时所需的信息。动态链接器使用这些信息来加载和链接程序所需的共享库。<\/p>

1.1 .dynamic段包含的主要信息<\/h3>

动态链接库的路径 (DT_NEEDED)<\/li>
动态符号表的位置 (DT_SYMTAB)<\/li>
字符串表的位置 (DT_STRTAB)<\/li>
动态重定位表的位置 (DT_REL或DT_RELA)<\/li>
GOT表的地址 (DT_PLTGOT)<\/li>

哈希表信息 (DT_HASH或DT_GNU_HASH)<\/li> <\/ul>

1.2 Elf64_Dyn结构<\/h3>

每条动态信息是一个Elf64_Dyn结构(32位为Elf32_Dyn)，包含两个字段：<\/p>

typedef<\/span> struct<\/span> {
<\/span><\/span>    Elf64_Sxword d_tag;  \/\/ 类型标识符
<\/span><\/span><\/span><\/span>    Elf64_Xword d_val;   \/\/ 值或指针
<\/span><\/span><\/span><\/span>} Elf64_Dyn;
<\/span><\/span><\/code><\/pre>2. GNU_HASH表<\/h2>
GNU_HASH表是ELF文件中用于优化符号查找的哈希表，相比传统的.hash表提供了更高效的符号查找算法。<\/p>
2.1 GNU_HASH表组成<\/h3>

nbuckets<\/strong>：哈希桶(bucket)的数量<\/li>
symbias<\/strong>：符号偏移量，定义符号表中实际存储的符号起始位置<\/li>
bitmask_nwords<\/strong>：Bloom Filter中的位图单词数量(每个单词64位)<\/li>
shift<\/strong>：计算Bloom Filter哈希值时使用的位移量<\/li>
indexes<\/strong>：Bloom Filter的位图数据，每个值64位(8字节)<\/li>
bucket<\/strong>：每个值表示某个哈希桶中符号链表的起始索引<\/li>
chain<\/strong>：存储符号的链表哈希值，用于解决哈希冲突<\/li>
<\/ol>
2.2 符号查找算法<\/h3>

计算符号名的哈希值<\/li>
使用Bloom Filter快速检查符号是否存在<\/li>
根据哈希值找到对应的bucket<\/li>
遍历chain链表查找匹配的符号<\/li>
<\/ol>
哈希计算函数(Python实现)<\/h4>
def<\/span> get_hash<\/span>(self, name):
<\/span><\/span>    h =<\/span> 5381<\/span>
<\/span><\/span>    for<\/span> c in<\/span> name:
<\/span><\/span>        h =<\/span> (h <<<\/span> 5<\/span>) +<\/span> h +<\/span> ord(c)
<\/span><\/span>        h &=<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span>    return<\/span> h &<\/span> 0xFFFFFFFF<\/span>
<\/span><\/span><\/code><\/pre>完整查找过程(Python实现)<\/h4>
def<\/span> find_symbol<\/span>(self, name):
<\/span><\/span>    hash_value =<\/span> self.<\/span>get_hash(name)
<\/span><\/span>    if<\/span> not<\/span> self.<\/span>check(hash_value):
<\/span><\/span>        return<\/span> None<\/span>
<\/span><\/span>    idx =<\/span> self.<\/span>get_idx(hash_value)
<\/span><\/span>    if<\/span> idx ==<\/span> -<\/span>1<\/span>:
<\/span><\/span>        return<\/span> None<\/span>
<\/span><\/span>    return<\/span> idx
<\/span><\/span><\/code><\/pre>3. 重定位表(Relocation Table)<\/h2>
重定位表描述程序在加载时需要调整的地址信息。<\/p>
3.1 重定位表类型<\/h3>

.rel<\/strong>：不带附加值的重定位表<\/li>
.rela<\/strong>：包含附加重定位值的重定位表<\/li>
<\/ol>
3.2 重定位条目结构<\/h3>
typedef<\/span> struct<\/span> {
<\/span><\/span>    Elf64_Addr r_offset;  \/\/ 需要重定位的地址
<\/span><\/span><\/span><\/span>    Elf64_Xword r_info;   \/\/ 符号表索引和重定位类型
<\/span><\/span><\/span><\/span>    Elf64_Sxword r_addend; \/\/ 附加值
<\/span><\/span><\/span><\/span>} Elf64_Rela;
<\/span><\/span><\/code><\/pre>3.3 重定位表类型<\/h3>

RELA Relocation Table<\/strong>：通用重定位表，可包含任何类型的重定位信息<\/li>
JMPREL Relocation Table<\/strong>：与动态链接相关的重定位条目，特别是首次调用外部函数时需要解析的符号<\/li>
<\/ol>
4. 全局偏移表(GOT)<\/h2>
GOT(Global Offset Table)是动态链接中的关键表，用于存储每个动态库函数的实际地址。<\/p>
4.1 GOT特点<\/h3>

每个条目都是指向函数的指针<\/li>
动态链接器在运行时解析符号表，将函数实际地址填入条目<\/li>
避免多次动态解析的开销<\/li>
<\/ul>
5. 字符串表和符号表<\/h2>
5.1 字符串表(String Table)<\/h3>

存储符号名和其他字符串<\/li>
以\x00字符分隔字符串<\/li>
动态符号表使用字符串表中的索引引用符号名<\/li>
<\/ul>
5.2 符号表(Symbol Table)<\/h3>
存储程序中的符号信息(变量、函数名等)。<\/p>
符号条目结构<\/h4>
typedef<\/span> struct<\/span> {
<\/span><\/span>    Elf64_Word st_name;   \/\/ 符号名在字符串表中的偏移
<\/span><\/span><\/span><\/span>    unsigned<\/span> char<\/span> st_info; \/\/ 符号类型和绑定信息
<\/span><\/span><\/span><\/span>    unsigned<\/span> char<\/span> st_other; \/\/ 符号可见性
<\/span><\/span><\/span><\/span>    Elf64_Half st_shndx; \/\/ 节头索引
<\/span><\/span><\/span><\/span>    Elf64_Addr st_value;  \/\/ 符号地址或值
<\/span><\/span><\/span><\/span>    Elf64_Xword st_size;  \/\/ 符号大小
<\/span><\/span><\/span><\/span>} Elf64_Sym;
<\/span><\/span><\/code><\/pre>符号类型(st_info低4位)<\/h4>

STT_NOTYPE (0)<\/li>
STT_OBJECT (1)<\/li>
STT_FUNC (2)<\/li>
STT_SECTION (3)<\/li>
<\/ul>
符号绑定(st_info高4位)<\/h4>

STB_LOCAL (0)<\/li>
STB_GLOBAL (1)<\/li>
<\/ul>
6. 实践应用<\/h2>
6.1 通过符号名查找共享库中的符号<\/h3>

获取DT_JMPREL和DT_PLTRELSZ获取JMPREL重定位表的偏移和大小<\/li>
获取DT_SYMTAB获取符号表偏移<\/li>
获取DT_STRTAB获取字符串表偏移<\/li>
遍历JMPREL重定位表查找目标符号<\/li>
<\/ol>
IDA Python实现<\/h4>
def<\/span> find_symbol<\/span>(name):
<\/span><\/span>    symtab =<\/span> get_symtab_addr()
<\/span><\/span>    strtab, strtab_size =<\/span> get_strtab_addr()
<\/span><\/span>    jmprel, jmprel_size =<\/span> get_jmprel_addr()
<\/span><\/span>    
<\/span><\/span>    for<\/span> i in<\/span> range(jmprel_size):
<\/span><\/span>        sym_idx =<\/span> idaapi.<\/span>get_dword(jmprel +<\/span> 12<\/span> +<\/span> i *<\/span> 0x18<\/span>)
<\/span><\/span>        str_offset =<\/span> idaapi.<\/span>get_dword(symtab +<\/span> sym_idx *<\/span> 0x18<\/span>)
<\/span><\/span>        sym_name =<\/span> idc.<\/span>get_strlit_contents(strtab +<\/span> str_offset)
<\/span><\/span>        if<\/span> name.<\/span>encode() ==<\/span> sym_name:
<\/span><\/span>            addr =<\/span> idaapi.<\/span>get_qword(jmprel +<\/span> i *<\/span> 0x18<\/span>)
<\/span><\/span>            return<\/span> addr
<\/span><\/span><\/code><\/pre>6.2 通过符号名查找程序自带符号<\/h3>

计算符号名的哈希值<\/li>
使用Bloom Filter检查符号是否存在<\/li>
根据哈希值找到符号在符号表中的索引<\/li>
根据索引获取符号地址<\/li>
<\/ol>
IDA Python实现<\/h4>
def<\/span> find_symbol<\/span>(name):
<\/span><\/span>    gnu_hash =<\/span> GnuHash()
<\/span><\/span>    hash_value =<\/span> gnu_hash.<\/span>get_hash(name)
<\/span><\/span>    if<\/span> not<\/span> gnu_hash.<\/span>check(hash_value):
<\/span><\/span>        return<\/span> None<\/span>
<\/span><\/span>    idx =<\/span> gnu_hash.<\/span>get_idx(hash_value)
<\/span><\/span>    if<\/span> idx ==<\/span> -<\/span>1<\/span>:
<\/span><\/span>        return<\/span> None<\/span>
<\/span><\/span>    symtab =<\/span> get_symtab_addr()
<\/span><\/span>    target =<\/span> symtab +<\/span> idx *<\/span> 0x18<\/span> +<\/span> 8<\/span>
<\/span><\/span>    return<\/span> idaapi.<\/span>get_qword(target)
<\/span><\/span><\/code><\/pre>7. CTF实例分析<\/h2>
以N1CTF的ezapk为例，分析如何通过动态信息hook函数。<\/p>
7.1 关键步骤<\/h3>

获取libnative2.so的基地址<\/li>
解析ELF头部和程序头表<\/li>
找到PT_DYNAMIC段<\/li>
遍历动态段获取各种表的信息<\/li>
查找目标函数(如rand)并进行hook<\/li>
<\/ol>
7.2 动态信息结构体<\/h3>
struct<\/span> dynamic_info {
<\/span><\/span>    void<\/span> *<\/span>libbase;
<\/span><\/span>    void<\/span> *<\/span>symbolTable;
<\/span><\/span>    void<\/span> *<\/span>stringTable;
<\/span><\/span>    void<\/span> *<\/span>gru_hash_table;
<\/span><\/span>    void<\/span> *<\/span>dt_STRSZ;
<\/span><\/span>    _DWORD gnu_hash_nbuckets;
<\/span><\/span>    _DWORD gnu_hash_symbias;
<\/span><\/span>    _DWORD gnu_hash_bitmask_nwords;
<\/span><\/span>    _DWORD gnu_hash_shift;
<\/span><\/span>    _QWORD *<\/span>gnu_hash_indexes_pointer;
<\/span><\/span>    _DWORD *<\/span>gnu_hash_bucket;
<\/span><\/span>    _DWORD *<\/span>gnu_hash_chain;
<\/span><\/span>    struct<\/span> relocation_item *<\/span>relocationTable;
<\/span><\/span>    _QWORD relocationTableSize;
<\/span><\/span>    void<\/span> *<\/span>global_offset_table;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>7.3 函数hook流程<\/h3>

遍历重定位表查找目标函数(如rand)<\/li>
修改GOT表中对应条目指向自定义函数<\/li>
使用mprotect修改内存权限<\/li>
<\/ol>
\/\/ 查找rand函数
<\/span><\/span><\/span><\/span>while<\/span> (strcmp(&<\/span>stringTable[symbolTable[6<\/span> *<\/span> info[1<\/span>]]], "rand"<\/span>)) {
<\/span><\/span>    info +=<\/span> 6<\/span>;
<\/span><\/span>    if<\/span> (!--<\/span>relocationSize) goto<\/span> LABEL_10;
<\/span><\/span>}
<\/span><\/span>v10 =<\/span> *<\/span>((_QWORD *<\/span>)info -<\/span> 1<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ 修改GOT表
<\/span><\/span><\/span><\/span>v11 =<\/span> (_QWORD *<\/span>)(v10 +<\/span> v5);
<\/span><\/span>result =<\/span> mprotect(v11, 8uLL<\/span>, 3<\/span>);
<\/span><\/span>*<\/span>v11 =<\/span> sub_75E1245140;  \/\/ 自定义函数
<\/span><\/span><\/span><\/code><\/pre>8. 加密函数分析<\/h2>
通过动态信息分析找到的三个加密函数：<\/p>

iusp9aVAyoMI<\/strong>：异或随机值<\/li>
SZ3pMtlDTA7Q<\/strong>：RC4加密<\/li>
UqhYy0F049n5<\/strong>：Base64编码<\/li>
<\/ol>
8.1 异或加密函数<\/h3>
_BYTE *<\/span>__fastcall<\/span> iusp9aVAyoMI<\/span>(__int64<\/span> a1, size_t a2) {
<\/span><\/span>    v4 =<\/span> malloc(a2);
<\/span><\/span>    __memcpy_chk(v4, a1, a2, -<\/span>1LL<\/span>);
<\/span><\/span>    for<\/span> (i =<\/span> 0LL<\/span>; i <<\/span> a2; ++<\/span>i)
<\/span><\/span>        v4[i] ^=<\/span> rand();  \/\/ 使用随机值异或
<\/span><\/span><\/span><\/span>    return<\/span> v4;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>8.2 RC4加密函数<\/h3>
_BYTE *<\/span>__fastcall<\/span> SZ3pMtlDTA7Q<\/span>(__int64<\/span> a1, int<\/span> a2) {
<\/span><\/span>    \/\/ 初始化S盒
<\/span><\/span><\/span><\/span>    for<\/span> (j =<\/span> 0<\/span>; j <=<\/span> 255<\/span>; ++<\/span>j)
<\/span><\/span>        v19[j] =<\/span> j;
<\/span><\/span>    
<\/span><\/span>    \/\/ KSA算法
<\/span><\/span><\/span><\/span>    for<\/span> (k =<\/span> 0<\/span>; k <=<\/span> 255<\/span>; ++<\/span>k) {
<\/span><\/span>        v2 =<\/span> (v10 +<\/span> v19[k] +<\/span> *<\/span>((_BYTE *<\/span>)v20 +<\/span> k %<\/span> 16<\/span>));
<\/span><\/span>        v10 =<\/span> v2;
<\/span><\/span>        swap(v19[k], v19[v2]);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ PRGA算法
<\/span><\/span><\/span><\/span>    for<\/span> (m =<\/span> 0<\/span>; m <<\/span> a2; ++<\/span>m) {
<\/span><\/span>        v14 =<\/span> (v14 +<\/span> 1<\/span>);
<\/span><\/span>        v11 =<\/span> (v11 +<\/span> v19[v3]);
<\/span><\/span>        swap(v19[v3], v19[v5]);
<\/span><\/span>        v16[m] ^=<\/span> v19[(v19[v3] +<\/span> v19[v5])];
<\/span><\/span>    }
<\/span><\/span>    return<\/span> v16;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>8.3 Base64编码函数<\/h3>
_BYTE *<\/span>__fastcall<\/span> UqhYy0F049n5<\/span>(__int64<\/span> a1, unsigned<\/span> __int64<\/span> a2) {
<\/span><\/span>    qmemcpy(v23, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+\/"<\/span>, sizeof<\/span>(v23));
<\/span><\/span>    
<\/span><\/span>    \/\/ Base64编码过程
<\/span><\/span><\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> a2; ++<\/span>i) {
<\/span><\/span>        v13 =<\/span> *<\/span>(_BYTE *<\/span>)(a1 +<\/span> i);
<\/span><\/span>        if<\/span> (v19) {
<\/span><\/span>            \/\/ 处理第二个和第三个字节
<\/span><\/span><\/span><\/span>        } else<\/span> {
<\/span><\/span>            \/\/ 处理第一个字节
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>        v12 =<\/span> v13;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 处理填充
<\/span><\/span><\/span><\/span>    if<\/span> (v19 ==<\/span> 1<\/span>) {
<\/span><\/span>        \/\/ 添加两个==
<\/span><\/span><\/span><\/span>    } else<\/span> if<\/span> (v19 ==<\/span> 2<\/span>) {
<\/span><\/span>        \/\/ 添加一个=
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    return<\/span> v20;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>9. 总结<\/h2>
ELF动态信息是理解动态链接过程的关键，掌握这些信息可以：<\/p>

分析程序的动态链接行为<\/li>
实现函数hook和补丁<\/li>
逆向分析加密算法<\/li>
解决CTF中的ELF相关题目<\/li>
<\/ol>
通过解析.dynamic段、GNU_HASH表、重定位表、GOT表等结构，可以深入理解ELF文件的动态链接机制，并应用于实际的分析和修改工作中。<\/p>

ELF动态信息详解<\/h1>

1. ELF动态信息概述<\/h2> ELF动态信息存储在ELF文件的.dynamic段中，用于描述动态链接器运行时所需的信息。动态链接器使用这些信息来加载和链接程序所需的共享库。<\/p>

2. GNU_HASH表<\/h2> GNU_HASH表是ELF文件中用于优化符号查找的哈希表，相比传统的.hash表提供了更高效的符号查找算法。<\/p>

3. 重定位表(Relocation Table)<\/h2> 重定位表描述程序在加载时需要调整的地址信息。<\/p>

4. 全局偏移表(GOT)<\/h2> GOT(Global Offset Table)是动态链接中的关键表，用于存储每个动态库函数的实际地址。<\/p>

5. 字符串表和符号表<\/h2>

5.2 符号表(Symbol Table)<\/h3> 存储程序中的符号信息(变量、函数名等)。<\/p>

6. 实践应用<\/h2>

7. CTF实例分析<\/h2> 以N1CTF的ezapk为例，分析如何通过动态信息hook函数。<\/p>

1. ELF动态信息概述<\/h2>
ELF动态信息存储在ELF文件的.dynamic段中，用于描述动态链接器运行时所需的信息。动态链接器使用这些信息来加载和链接程序所需的共享库。<\/p>

2. GNU_HASH表<\/h2>
GNU_HASH表是ELF文件中用于优化符号查找的哈希表，相比传统的.hash表提供了更高效的符号查找算法。<\/p>

3. 重定位表(Relocation Table)<\/h2>
重定位表描述程序在加载时需要调整的地址信息。<\/p>

4. 全局偏移表(GOT)<\/h2>
GOT(Global Offset Table)是动态链接中的关键表，用于存储每个动态库函数的实际地址。<\/p>

5.2 符号表(Symbol Table)<\/h3>
存储程序中的符号信息(变量、函数名等)。<\/p>

7. CTF实例分析<\/h2>
以N1CTF的ezapk为例，分析如何通过动态信息hook函数。<\/p>