1. Static disassembly
Linear disassembly: objdump
Recursive disassembly: IDA
Linear analysis: simple, sequential scan of the bytes that ignores control flow; suited to fast, rough analysis.
Recursive analysis: more complex, control-flow based, follows the possible execution paths; suited to deep, precise analysis.
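The difference between the two strategies is easiest to see on a sample where data bytes sit between instructions. The following is an added illustration, not code from the original notes: it defines a small invented instruction set (not x86; opcodes, encodings and the `CODE` sample are all constructed for this example) and runs an objdump-style linear sweep and an IDA-style recursive descent over the same bytes.

```python
"""Linear sweep vs. recursive descent on a constructed toy instruction set.

Added illustration; the ISA below is invented for this example and is NOT x86.
  00        nop
  01 imm8   mov imm8
  02 rel8   jmp rel8   (unconditional; target = addr + 2 + rel8, rel8 signed)
  03 rel8   jz  rel8   (conditional; falls through to addr + 2 or jumps)
  04        ret
  other     db         (not an instruction: data or an undecodable byte)
"""
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operand: Optional[int]
    length: int
    successors: List[int]   # addresses control flow may reach next


def decode(code: bytes, addr: int) -> Insn:
    """Decode one toy instruction at `addr`."""
    op = code[addr]
    if op == 0x00:
        return Insn(addr, "nop", None, 1, [addr + 1])
    if op == 0x04:
        return Insn(addr, "ret", None, 1, [])
    if op in (0x01, 0x02, 0x03) and addr + 1 < len(code):
        if op == 0x01:
            return Insn(addr, "mov", code[addr + 1], 2, [addr + 2])
        rel = struct.unpack_from("b", code, addr + 1)[0]   # signed 8-bit displacement
        target = addr + 2 + rel
        if op == 0x02:
            return Insn(addr, "jmp", target, 2, [target])
        return Insn(addr, "jz", target, 2, [addr + 2, target])
    return Insn(addr, "db", op, 1, [])


def linear_sweep(code: bytes) -> List[Insn]:
    """objdump-style: decode from the first byte to the last, ignoring control flow."""
    insns, addr = [], 0
    while addr < len(code):
        insn = decode(code, addr)
        insns.append(insn)
        addr += insn.length
    return insns


def recursive_descent(code: bytes, entry: int) -> List[Insn]:
    """IDA-style: start at the entry point and decode only what control flow reaches."""
    seen = {}
    worklist = [entry]
    while worklist:
        addr = worklist.pop()
        if addr in seen or not 0 <= addr < len(code):
            continue
        insn = decode(code, addr)
        seen[addr] = insn
        worklist.extend(insn.successors)   # follow both edges of a conditional jump
    return [seen[a] for a in sorted(seen)]


# Constructed sample: two data bytes (0xff, 0x01) sit right after an
# unconditional jmp. The 0x01 looks like a `mov` opcode, so a linear sweep
# swallows the first byte of the real `jz` and stays out of sync afterwards.
CODE = bytes([
    0x01, 0x2a,   # 0x00: mov 0x2a
    0x02, 0x02,   # 0x02: jmp +2   -> 0x06
    0xff, 0x01,   # 0x04: data (never executed)
    0x03, 0x02,   # 0x06: jz +2    -> 0x0a, else fall through to 0x08
    0x01, 0x07,   # 0x08: mov 0x07
    0x04,         # 0x0a: ret
])


def fmt(insn: Insn) -> str:
    operand = "" if insn.operand is None else f" {insn.operand:#x}"
    return f"{insn.addr:#04x}: {insn.mnemonic}{operand}"


if __name__ == "__main__":
    print("linear sweep (objdump-style):")
    for i in linear_sweep(CODE):
        print("  " + fmt(i))
    print("recursive descent from entry 0x00 (IDA-style):")
    for i in recursive_descent(CODE, 0):
        print("  " + fmt(i))
```

The linear sweep reports a `mov 0x3` at 0x05 and a `jmp` at 0x07 that never exist, and it never sees the `jz` at 0x06; the recursive descent decodes exactly the five reachable instructions. The trade-off runs the other way too: recursive descent can only follow edges whose targets it can compute, so code reached solely through indirect jumps or calls is missed, which is one reason the dynamic tracing in the next section is a useful complement.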
2. Dynamic disassembly
root@zb-tes8-40-115:~# readelf -hs /bin/ls | grep "start"
53: 0000000000000000 0 FUNC GLOBAL DEFAULT UND __libc_start_main@GLIBC_2.2.5 (3)
65: 0000000000000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
root@z:~# sudo gdb /usr/bin/ls
GNU gdb (Ubuntu 9.2-0ubuntu1~20.04.2) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/ls...
(No debugging symbols found in /usr/bin/ls)
(gdb) info files
Symbols from "/usr/bin/ls".
Local exec file:
`/usr/bin/ls', file type elf64-x86-64.
Entry point: 0x67d0   <- the binary's entry-point address; this binary is a PIE, so the value is an offset from the load base rather than an absolute address
0x0000000000000318 - 0x0000000000000334 is .interp
0x0000000000000338 - 0x0000000000000358 is .note.gnu.property
0x0000000000000358 - 0x000000000000037c is .note.gnu.build-id
0x000000000000037c - 0x000000000000039c is .note.ABI-tag
0x00000000000003a0 - 0x0000000000000484 is .gnu.hash
0x0000000000000488 - 0x0000000000001190 is .dynsym
0x0000000000001190 - 0x00000000000017dc is .dynstr
0x00000000000017dc - 0x00000000000018f2 is .gnu.version
0x00000000000018f8 - 0x0000000000001968 is .gnu.version_r
0x0000000000001968 - 0x0000000000002cb8 is .rela.dyn
0x0000000000002cb8 - 0x00000000000036a8 is .rela.plt
0x0000000000004000 - 0x000000000000401b is .init
0x0000000000004020 - 0x00000000000046d0 is .plt
0x00000000000046d0 - 0x0000000000004700 is .plt.got
0x0000000000004700 - 0x0000000000004da0 is .plt.sec
0x0000000000004da0 - 0x0000000000017572 is .text
0x0000000000017574 - 0x0000000000017581 is .fini
0x0000000000018000 - 0x000000000001d249 is .rodata
0x000000000001d24c - 0x000000000001db78 is .eh_frame_hdr
0x000000000001db78 - 0x0000000000020b50 is .eh_frame
0x0000000000022010 - 0x0000000000022018 is .init_array
0x0000000000022018 - 0x0000000000022020 is .fini_array
0x0000000000022020 - 0x0000000000022a58 is .data.rel.ro
0x0000000000022a58 - 0x0000000000022c58 is .dynamic
0x0000000000022c58 - 0x0000000000022ff8 is .got
0x0000000000023000 - 0x0000000000023268 is .data
0x0000000000023280 - 0x0000000000024558 is .bss
(gdb) break __libc_start_main
Function "__libc_start_main" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (__libc_start_main) pending.
(gdb) set pagination off
(gdb) set logging on
Copying output to gdb.txt.
Copying debug output to gdb.txt.
(gdb) set logging redirect on
warning: Currently logging to gdb.txt. Turn the logging off and on to make the new setting effective.
(gdb) run
Starting program: /usr/bin/ls
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Breakpoint 1, __libc_start_main (main=0x555555558df0, argc=1, argv=0x7fffffffe6b8, init=0x55555556b4e0, fini=0x55555556b550, rtld_fini=0x7ffff7fe0d60 <_dl_fini>, stack_end=0x7fffffffe6a8) at ../csu/libc-start.c:137
137 ../csu/libc-start.c: No such file or directory.
(gdb) display /i $pc
1: x/i $pc
=> 0x7ffff7dc6f90 <__libc_start_main>: endbr64
(gdb) while 1
>si
>end
141 in ../csu/libc-start.c
1: x/i $pc
=> 0x7ffff7dc6f94 <__libc_start_main+4>: push %r15
0x00007ffff7dc6f96 141 in ../csu/libc-start.c
1: x/i $pc
=> 0x7ffff7dc6f96 <__libc_start_main+6>: xor %eax,%eax
0x00007ffff7dc6f98 141 in ../csu/libc-start.c
1: x/i $pc
=> 0x7ffff7dc6f98 <__libc_start_main+8>: push %r14
0x00007ffff7dc6f9a 141 in ../csu/libc-start.c
1: x/i $pc
=> 0x7ffff7dc6f9a <__libc_start_main+10>: push
Explanation of the commands:
1. info files: lists information about the files loaded into GDB.
2. b *0x67d0 or break __libc_start_main: set a breakpoint.
3. set pagination off, set logging on, set logging redirect on: disable paging and configure GDB to write its output to a log file instead of standard output.
4. run: start the binary; it suspends at the breakpoint, which gives us the chance to have gdb record the first instruction to the file.
5. display/i $pc: print (and therefore log) the instruction at $pc every time execution stops, starting with the first one.
6. while 1: enter a loop.
7. si: single-step one instruction.
8. end: close the loop body.
Inspect the instructions recorded in gdb.txt (the optional `<symbol+offset>` group in the pattern is needed because, as in the session above, gdb prints the symbol after the address whenever it knows one; a stripped binary prints only the address):
egrep '^=> 0x[0-9a-f]+( <[^>]*>)?:' gdb.txt | head -n 20
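A grep gives the raw lines; for anything beyond eyeballing, it helps to parse the log into records. The following is an added example, not part of the original notes: it parses the `=> ADDR <symbol+off>: insn` lines that `display/i $pc` writes, skips the interleaved `1: x/i $pc` and source-line noise, and derives per-function instruction counts and the set of distinct addresses hit. `GDB_LOG` is a constructed excerpt in the same format as the session above, with one extra line in the stripped-binary form (no symbol) to show that case.

```python
"""Parse the instruction trace that the gdb logging session writes to gdb.txt.

Added example, not code from the original notes. GDB_LOG is a constructed
excerpt in the format gdb prints for `display/i $pc`.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Matches "=> 0xADDR <symbol+off>: mnemonic operands". The "<symbol+off>" part
# is optional because gdb omits it for addresses it has no symbol for.
TRACE_LINE = re.compile(
    r"^=> (0x[0-9a-f]+)(?: <([^>+]+)(?:\+(\d+))?>)?:\s+(\S+)\s*(.*)$"
)


@dataclass
class TraceEntry:
    addr: int
    symbol: Optional[str]
    offset: int
    mnemonic: str
    operands: str


def parse_trace(log_text: str) -> List[TraceEntry]:
    """Return the executed instructions in execution order, ignoring all other gdb output."""
    entries = []
    for line in log_text.splitlines():
        m = TRACE_LINE.match(line)
        if not m:
            continue
        addr, symbol, offset, mnemonic, operands = m.groups()
        entries.append(TraceEntry(int(addr, 16), symbol, int(offset or 0),
                                  mnemonic, operands.strip()))
    return entries


def instructions_per_symbol(entries: List[TraceEntry]) -> Dict[str, int]:
    """Count executed instructions per function; unsymbolised code is grouped as '<no symbol>'."""
    return dict(Counter(e.symbol or "<no symbol>" for e in entries))


def unique_addresses(entries: List[TraceEntry]) -> List[int]:
    """Distinct instruction addresses hit, i.e. the code coverage of this run."""
    return sorted({e.addr for e in entries})


# Constructed gdb.txt excerpt; addresses and symbols mimic the session above.
GDB_LOG = """\
Breakpoint 1, __libc_start_main (main=0x555555558df0, argc=1, argv=0x7fffffffe6b8) at ../csu/libc-start.c:137
137 ../csu/libc-start.c: No such file or directory.
1: x/i $pc
=> 0x7ffff7dc6f90 <__libc_start_main>: endbr64
141 in ../csu/libc-start.c
1: x/i $pc
=> 0x7ffff7dc6f94 <__libc_start_main+4>: push %r15
0x00007ffff7dc6f96 141 in ../csu/libc-start.c
1: x/i $pc
=> 0x7ffff7dc6f96 <__libc_start_main+6>: xor %eax,%eax
1: x/i $pc
=> 0x7ffff7dc6f98 <__libc_start_main+8>: push %r14
1: x/i $pc
=> 0x55555555a7d0: endbr64
"""


if __name__ == "__main__":
    trace = parse_trace(GDB_LOG)
    for e in trace:
        where = f"{e.symbol}+{e.offset}" if e.symbol else "?"
        print(f"{e.addr:#x} {where:24} {e.mnemonic} {e.operands}")
    print("instructions per function:", instructions_per_symbol(trace))
    print("distinct addresses executed:", len(unique_addresses(trace)))
```

Because the trace only ever contains instructions that actually ran, `unique_addresses` is a coverage measure for that one input; code the run never reached is absent, which is the mirror image of the static approaches above.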
1. The Makefile for the test program
2. Fuzzing: another kind of tool, called a fuzzer, covers new code paths in a given binary by automatically generating inputs. Widely used fuzzers include AFL, Microsoft's Project Springfield and Google's OSS-Fuzz. Broadly speaking, fuzzing tools are categorised according to their input