
GOT & PLT 실습

멋쟁이천재사자 2023. 8. 7. 21:45

유튜브를 보고 따라하면서 실습해보았다. 참고한 유튜브 영상은 제일 하단에 출처를 달았다.

 

 

1. 연습 경로 생성

mkdir liveoverflow_youtube
cd liveoverflow_youtube

┌──(root㉿kali)-[~/study]
└─# mkdir liveoverflow_youtube

┌──(root㉿kali)-[~/study]
└─# cd liveoverflow_youtube

┌──(root㉿kali)-[~/study/liveoverflow_youtube]

 

 

2. 테스트 코드 생성

vi test.c

int main() { /* Minimal test program: prints two lines via libc's printf and exits with status 1. */
printf("Hellow World!\n"); /* No #include <stdio.h> in this file, so printf is implicitly declared here; gcc only warns about it (step 3). */
printf("This is LiveOverflow\n"); /* Each printf shows up as one write(1, ...) call in the strace log. */
return 1; /* Non-zero exit status; strace reports it as exit_group(1). */
}

 

 

3. 컴파일

gcc test.c -o test


└─# gcc test.c -o test
test.c: In function ‘main’:
test.c:2:9: warning: implicit declaration of function ‘printf’ [-Wimplicit-function-declaration]
    2 |         printf("Hellow World!\n");
      |         ^~~~~~
test.c:1:1: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’
  +++ |+#include <stdio.h>
    1 | int main() {
test.c:2:9: warning: incompatible implicit declaration of built-in function ‘printf’ [-Wbuiltin-declaration-mismatch]
    2 |         printf("Hellow World!\n");
      |         ^~~~~~
test.c:2:9: note: include ‘<stdio.h>’ or provide a declaration of ‘printf’


소스코드 상단에 #include <stdio.h> 를 넣지 않아서 컴파일 오류가 난 것처럼 보인다. 그러나 출력된 메시지는 모두 오류(error)가 아니라 경고(warning)이고, ls 로 확인해 보면 test 라는 실행 파일이 생성되어 있다. 실행을 해보자.

 

 

4. 실행

./test

test 라고만 입력했더니 아무 반응이 없다. 셸은 경로 없이 이름만 입력하면 방금 만든 파일이 아니라 셸 내장 명령 test 를 실행하기 때문이다. ./test 처럼 경로를 붙여 실행하니 결과가 나온다.


┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# test

┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# ./test
Hellow World!
This is LiveOverflow


5. ldd

 ldd test


┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# ldd test
        linux-vdso.so.1 (0x00007ffdda909000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f783fa8c000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f783fc8b000)

┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# ldd test
        linux-vdso.so.1 (0x00007ffdea980000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fd627f56000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fd628155000)

┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# ldd test
        linux-vdso.so.1 (0x00007ffde09a9000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f53b0279000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f53b0478000)


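libc 가 적재되는 주소가 0x00007f783fa8c000, 0x00007fd627f56000, 0x00007f53b0279000 과 같이 실행할 때마다 달라진다. 즉 libc 의 베이스 주소가 무작위로 정해지는데, 이것이 ASLR(주소 공간 배치 무작위화)이다. /proc/sys/kernel/randomize_va_space 값을 0 으로 하면 고정될 것이다. 이 값은 시스템 전체의 ASLR 을 끄는 설정이므로 실습용 VM 에서만 바꾸고, 실습이 끝나면 원래 값으로 되돌린다.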

 


5. hopper disassembler
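일단 skip 한다. 나중에 여유가 되면 설치해보자.

Hopper 가 GOT/PLT 를 들여다보는 핵심 도구인데 윈도우즈나 리눅스용이 아니다! 디스어셈블 결과만 보려면 binutils 의 objdump -d test 나 readelf -r test 로도 PLT 코드와 GOT 재배치 항목을 확인할 수 있다.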

https://cafe.naver.com/inmacbook/2278135

 


 

6. strace 

strace ./test

strace... 설치되어 있지 않아 설치했다.


┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# strace ./test
Command 'strace' not found, but can be installed with:
apt install strace
Do you want to install it? (N/y)y
apt install strace
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libmongocrypt0 libncurses5 libtinfo5 pipewire-alsa python3-jaraco.classes python3-pytz-deprecation-shim python3-texttable
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  strace
0 upgraded, 1 newly installed, 0 to remove and 374 not upgraded.
Need to get 1,314 kB of archives.
After this operation, 2,907 kB of additional disk space will be used.
Get:1 http://mirror.anigil.com/kali kali-rolling/main amd64 strace amd64 6.1-0.1 [1,314 kB]
Fetched 1,314 kB in 5s (249 kB/s)
Selecting previously unselected package strace.
(Reading database ... 405946 files and directories currently installed.)
Preparing to unpack .../strace_6.1-0.1_amd64.deb ...
Unpacking strace (6.1-0.1) ...
Setting up strace (6.1-0.1) ...
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for kali-menu (2023.3.3) ...

 

 

strace ./test

 


┌──(root㉿kali)-[~/study/liveoverflow_youtube/0x12]
└─# strace ./test
execve("./test", ["./test"], 0x7ffc56f2a340 /* 32 vars */) = 0
brk(NULL)                               = 0x55d4d063d000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=88634, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 88634, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f7052121000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f705211f000
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220x\2\0\0\0\0\0"..., 832) = 832
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
newfstatat(3, "", {st_mode=S_IFREG|0755, st_size=1926256, ...}, AT_EMPTY_PATH) = 0
pread64(3, "\6\0\0\0\4\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0@\0\0\0\0\0\0\0"..., 784, 64) = 784
mmap(NULL, 1974096, PROT_READ, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f7051f3d000
mmap(0x7f7051f63000, 1396736, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x26000) = 0x7f7051f63000
mmap(0x7f70520b8000, 344064, PROT_READ, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x17b000) = 0x7f70520b8000
mmap(0x7f705210c000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1cf000) = 0x7f705210c000
mmap(0x7f7052112000, 53072, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f7052112000
close(3)                                = 0
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f7051f3b000
arch_prctl(ARCH_SET_FS, 0x7f7052120680) = 0
set_tid_address(0x7f7052120950)         = 1215
set_robust_list(0x7f7052120960, 24)     = 0
rseq(0x7f7052120fa0, 0x20, 0, 0x53053053) = 0
mprotect(0x7f705210c000, 16384, PROT_READ) = 0
mprotect(0x55d4cf85f000, 4096, PROT_READ) = 0
mprotect(0x7f7052167000, 8192, PROT_READ) = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
munmap(0x7f7052121000, 88634)           = 0
newfstatat(1, "", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}, AT_EMPTY_PATH) = 0
getrandom("\xfd\xbe\x74\x5e\x96\x78\x8e\xed", 8, GRND_NONBLOCK) = 8
brk(NULL)                               = 0x55d4d063d000
brk(0x55d4d065e000)                     = 0x55d4d065e000
write(1, "Hellow World!\n", 14Hellow World!
)         = 14
write(1, "This is LiveOverflow\n", 21This is LiveOverflow
)  = 21
exit_group(1)                           = ?
+++ exited with 1 +++




 

 

 

 

 

출처 : https://youtu.be/kUk5pw4w0h4 (Global Offset Table (GOT) and Procedure Linkage Table (PLT) - bin 0x12)

 

 
