I am seeing some so file in IDA
by the way I saw some word that "ELF Initialization Function table" in IDA-View
so my question is what is Initalization Function?
ELF
Pointers to functions which will be executed when program starts
Related
I am using QFile map function in an application in on linux. The default behaviour is of course mmap's default, lazy loading of data. I'd prefer to map the file with mmap MAP_POPULATE flag, but can't find any way to do so in Qt API. Any suggestions? Thanks in advance.
Using QFile::readAll() will do the trick.
After opening the file, and then mapping it, just call the readAll() function on the QFile object. This will read all of the file in advance. Amazingly, this is only done once. After closing the application, if you re-run it, you'll see that that the readAll() will be finished in a fraction of second for even quite large files.
Is there a way to get the file path/file name of the .so that is currently under execution by a thread? The program is written in c++ and run on a 64-bit Linux 3.0 machine.
You can sequentially read (from inside your process) the file /proc/self/maps to get the memory mapping (including those for shared objects) of the current process.
Then you could get your program counter (or those of the caller) and find in which segment it is. Perhaps backtrace or GCC builtin_return_address is relevant.
You might also use the dladdr function.
See proc(5), backtrace(3), dladdr(3) man pages, and also this answer.
addenda
From a signal handler you could get the program counter when the signal was sent by using sigaction(2) with SA_SIGINFO. The sa_sigaction function pointers gets a ucontext_t from which you could get the program counter register (using machine dependent C code). Then you could handle it.
I suggest looking into detail into what GCC is doing
I think the closes thing is to get a list of all shared libraries loaded by your process. You can do that either by using pmap or lsof.
I am running some benchmarks in Linux, and I am looking for some indication that the program has completed loading and started running. Is it reasonable to expect that main() would always be at the same EIP?
Is the EIP of main() dependent on the language? Is it dependent on the compiler?
Is there any EIP that a program can always be expected to start at?
Nope. In C, the entry point is actually _start, which comes from libc; _start does some libc initialization, then calls main.
main is just a regular function. The linker can choose to rearrange it anyway it likes in the process image. Furthermore, with things like relocation tables at the start of the executable, the start of the .text section might not even be constant. Heck, if you're writing the program in assembly, main might not even exist.
A program, however, can always be trusted to start at the entry point address declared in its ELF header (assuming it's an ELF executable). So, use that. readelf can tell you the value.
I need to compare two strings,
One will be taken as am argument from the gdb command line interface
The other is stored in a variable
for a core dump
can anyone suggest a way to do so?
Thanks in advance. :)
Without a running process your best bet would probably be the Python GDB Extension.
all,
I want to know how to replace a kernel static function in a module without modifying linux kernel.
I have known that Linux hook can replace some functions, but the
problem is that I want to replace a static function without modifying linux kernel.
Would you please help me ?
Thank you.
Generally the way the Linux kernel is compiled, replacing / hooking a static function at runtime isn't possible (short of unloading / reloading the entire module if you're talking module code).
That is because the compile inlines static functions much of the time (unless you take the address of it somewhere), and therefore they won't even show up in the symbol table. There's no way after the compile to find out where in the generated binary the static code ended up - not unlikely, you'll find several inlined versions of it in all the call sites invoking the func.
So the basic question: Why does the function have to be static ? What exactly is it you're attempting to do that mandates the use of static ?
If it's actually compiled as a module (not built-in), then just recompile the code, rmmod the module, and insmod the new .ko file. Easy as... some kind of cliche pastry.
In general, you may use some of this techniques:
kprobes/jprobes, that allows you to hook a function with int3
modifying the function's code (for ex., prologue) to jump to your handler and get back, later
If you don't wish to modify the kernel's code at all, you might set up the debugging registers and watch for an access exceptions (in your exception handler, of course). Besides that, you can try to find and invalidate some of the kernel's internal variables so the access to them from the kernel causes the invalid pointer dereference exception. In that case you can handle such an exception and do a back-trace to achive target function.