About stack state
I have a program for which I wanted to understand the state the stack will be during its execution. My sample program is simple enough,
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

int main(){
    setuid(0);
    system("/bin/bash");
    return 1;
}
Now when I debug this program with gdb I get the address of setuid() function but when I look at the stack I am not able to figure its address.
My stack's state after starting to execute main(),
Ajai@ubuntu:/tmp$ gdb -q mal
Reading symbols from /tmp/mal...done.
(gdb) b 2
Breakpoint 1 at 0x80483fd: file mal.c, line 2.
(gdb) r
Starting program: /tmp/mal
Breakpoint 1, main () at mal.c:4
4 setuid(0);
(gdb) x/32xw $esp
0xbffff3a0: 0x0015ed35 0x0011ea50 0x0804842b 0x0028bff4
0xbffff3b0: 0x08048420 0x00000000 0xbffff438 0x00145e37
0xbffff3c0: 0x00000001 0xbffff464 0xbffff46c 0x0012e414
0xbffff3d0: 0xffffffff 0x0012cff4 0x08048243 0x00000001
0xbffff3e0: 0xbffff420 0x0011da31 0x0012dad0 0xb7fffb48
0xbffff3f0: 0x00000001 0x0028bff4 0x00000000 0x00000000
0xbffff400: 0xbffff438 0xb68cac87 0x61d0d5f8 0x00000000
0xbffff410: 0x00000000 0x00000000 0x00000001 0x08048340
(gdb) p setuid
$1 = {<text variable, no debug info>} 0x1c8ee0 <setuid>
Am I looking at the stack wrong?
I also wanted to know how the address of the setuid() function call and its parameter, and of the system() function call and its parameter, will be stored on the stack when the main() function starts to execute.
I am sorry if this kind of question has already been asked but I could not find one.
Comments (2)
Your question is exceedingly unclear, likely because you do not understand how the stack and calls work and interact.
Somehow you are expecting to find the address of setuid on the stack before that function has been called. But that address wouldn't be there at all (neither before the call, nor while the call is in progress, nor after it has finished).
If you set a breakpoint on setuid itself, run to that breakpoint, and examine the stack, you'll see the address in main (not of main itself, but of the instruction in main that follows the CALL instruction that got you into setuid in the first place). As I said, your assumptions are incorrect: there is no "call to setuid" on the stack (but 2. and 3. are correct).
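To make the point above concrete, here is an added Python model (not from the original thread) of the `push 0; call setuid` sequence under IA-32 cdecl. The call-site address is a constructed placeholder, the setuid address is the one printed by the question's `p setuid`, and a 5-byte near CALL (E8 rel32) is assumed.

```python
# Constructed model of the IA-32 cdecl call/return sequence; it is a
# simulation, not gdb output. Only SETUID_ADDR comes from the question.
SETUID_ADDR = 0x001C8EE0   # from the question's `p setuid`
CALL_SITE = 0x08048400     # constructed placeholder: address of `call setuid` in main
MAIN_ESP = 0xBFFFF3A0      # esp shown by the question's `x/32xw $esp`
MASK = 0xFFFFFFFF


class Stack:
    """Minimal word-addressed stack: esp grows downward, 4 bytes per push."""

    def __init__(self, esp):
        self.esp = esp
        self.mem = {}

    def push(self, value):
        self.esp -= 4
        self.mem[self.esp] = value & MASK

    def pop(self):
        value = self.mem[self.esp]  # memory keeps a stale copy, as on real hardware
        self.esp += 4
        return value

    def contains(self, value):
        return value in self.mem.values()


def call(stack, eip, target, args):
    """Emulate pushing args right to left, then `call target`.
    A near CALL is 5 bytes, so the pushed return address is eip + 5.
    The target address is loaded into EIP; it is never written to the stack."""
    for arg in reversed(args):
        stack.push(arg)
    stack.push(eip + 5)
    return target


def ret(stack):
    """Emulate RET: pop the saved return address back into EIP."""
    return stack.pop()


def stack_at_setuid_entry():
    """State at a breakpoint on setuid itself, which the answer suggests inspecting."""
    stack = Stack(MAIN_ESP)
    eip = call(stack, CALL_SITE, SETUID_ADDR, [0])
    state = {
        "eip": eip,                                    # setuid's address lives here
        "return_address": stack.mem[stack.esp],        # [esp]: instruction after CALL
        "first_arg": stack.mem[stack.esp + 4],         # [esp+4]: the 0 passed to setuid
        "setuid_on_stack": stack.contains(SETUID_ADDR),
    }
    state["eip_after_ret"] = ret(stack)
    return state
```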
As ER points out, single step through the assembly instructions. The address of the function called is usually put into the EAX register prior to function call. Check that, or whatever else your compiler puts it in.