"Linux kernel principle and Analysis" in the eighth week of work
. One week of content:
- Understand the process of compiling and linking of ELF executable file format
- Two ways to use the dynamic link library programming exercises
- Gdb trace analysis using a execve kernel system call handler sys_execve
. Two weeks learning content:
1. Understand the process of compiling and linking of ELF executable file format
ELF (Executable and Linking Format) is a format object file that defines the different types of object file (Object files) are put anything, and are in what format to put these things. Since it first appeared on System V systems, it is widely accepted by the world xNIX to use as the default binary file format.
The so-called object files (Object files) There are three categories:
- Relocatable object files (Relocatable file)
- Executable object file (Executable file)
- May be shared object files (the Shared Object File)
ELF file format is shown:
ELF file consists of four parts, namely ELF header (ELF header), the program header table (Program header table), section (Section) and Section header table (Section header table). In fact, a file not necessarily contain the entire content, but their locations may not be so arranged as shown, only the position of the ELF header is fixed, the position of the remaining portion, the size and other information has a value in the ELF header to decide.
ELF file: ELF (Excutable and Linking Format) is a standard file format. View head executable file hello by readelf-h hello (-a See all available data, -h to see only header information), the head of which indicate the target file type ELF32. Entry point address is a program entry address 0x400440
2. laboratory building Experiment: a follow-up analysis using gdb execve kernel system call handler
Exec family of functions role is to find the specified file name of the executable file, and use it to replace the contents of the calling process, in other words, is the implementation of an executable file inside the calling process. Here's an executable file can be either a binary file or script file executable under any Linux, you can execute the file if it is not, then the file interpreted as a shell, shell execution.
- Under the menu update linux / kernel, and test_exec test.c into
practice shots are as follows:
- Into the kernel to see if the exec command to add into the kernel
practice shots are as follows:
- Horizontal screen open another terminal performs tracking gdb
file linux-3.18.6/vmlinux remote target:1234
practice shots are as follows:
- Sys_execve disposed at places other breakpoints, single-step and
Practice shots are as follows:
- Finally, enter redelf -h hello after exiting commissioning can view the status of the EIF hello head
practice shots are as follows:
- elf header analyzing
visible elf header size is 52 bytes, the read command hex dump 52 bytes before analysis
hexdump –x hello –n 52
practice shots are as follows:
Analysis:
first row, corresponding to e_ident [EI_NIDENT]. Little-Endian actual content expressed as 7f454c46010101000000000000000000, the first four bytes at the beginning of the fixed elf 7f454c46 (0x45,0x4c, 0x46 is 'e', 'l', 'f' corresponding to the encoded ascii), which represents an ELF object. The next byte 01 represents a 32-bit object, the following representation is a little endian byte 01 represents the law, then the next byte 01 indicates a version of the file header. The remaining defaults are set to 0.
The second line, e_type value of 0x0002, indicate an executable file. e_machine value 0x0003, represents a intel80386 processor architecture. e_version value 0x00000001, represents the current version. e_entry value 0x04080a8d, represents the entry point. e_phoff value 0x00000034, the program header table represents the offset is 52 bytes 0x34 i.e. exactly elf header size.
Third row, e_shoff value 0x000a20f0, showing the section header table offset address. e_flags value 0x00000000, specific flag indicating an unknown processor. e_ehsize value 0x0034, elf file header indicates the size of 52 bytes. e_phentsize entry indicates the length of a program header table (application head), i.e. the value of 0x0020 is 32 bytes. e_phnum values 0x0006, given the number of entries in the program header table. e_shentsize value of 0x0028 indicates the section header table entry (header section) size is 40 bytes.
Fourth row, e_shnum value 0x001f, the section header table showing the entrance 31. e_shstrndx value 0x001c, represents the index number in the section name string table section table in.
III. Summary and difficult
Learning experiment last week, I learned a fork () the number of single-step execution, and saw the structure fork () function. As for the exec () function of the structure of learning this week, I have been viewing and analysis: do_ execve call do_ execve_ common, but do_ execve_ common and mainly rely on the exec_ binprm, there is another crucial in exec_ binprm in function, called search_binary_ handler. This is the internal sys_execve processing.
Process file processing include:
- Pretreatment: gcc -E -o hello.cpp hello.c -m32 (responsible for the include file that contains in, macro substitution);
- Compile: gcc -x cpp-output -S hello.s -o hello.cpp -m32 (gcc -S call ccl, compiled into assembly code);
- Compilation: gcc -x assembler -c hello.s -o hello.o; (gcc -c call as, to get binary files);
- Links: gcc -o hello hello.o; gcc -o (ld call form the target executable file)
IV. Next week program
- [] After-school exercise books on completion
- [] Continue to use the kernel virtual machine environment research
November 8, 2019