rizinorg / rizin

UNIX-like reverse engineering framework and command-line toolset.
https://rizin.re
GNU Lesser General Public License v3.0

Combine output of `ir`, `is`, `ii` commands into one table with multiple columns for symbols that are in all three. #900

Open XVilka opened 3 years ago

XVilka commented 3 years ago

Currently Rizin parses the contents of rel.dyn for the symbols, but the information is available only in the flag values or relocations (`ir` output). I think if we also expose this information in `is` or `ii` output, or in some new command, it would make some binary analysis easier. Please note that sym., rel.dyn, and even PLT/GOT could all have different values for these, so we should handle this situation gracefully, maybe showing all possible values in separate columns.

This is the current output of Rizin:

rizin sample_f_noplt.so
[0x00001040]> is~imp.
1   0x00000000 0x00000000 GLOBAL FUNC   16       imp.getenv
2   0x00000000 0x00000000 WEAK   NOTYPE 16       imp._ITM_deregisterTMCloneTable
3   0x00000000 0x00000000 GLOBAL FUNC   16       imp.printf
4   0x00000000 0x00000000 WEAK   NOTYPE 16       imp.__gmon_start__
5   0x00000000 0x00000000 GLOBAL FUNC   16       imp.malloc
6   0x00000000 0x00000000 WEAK   NOTYPE 16       imp._ITM_registerTMCloneTable
7   0x00000000 0x00000000 WEAK   FUNC   16       imp.__cxa_finalize
[0x00001040]> f~reloc
0x00003fc8 8 reloc.getenv
0x00003fd0 8 reloc._ITM_deregisterTMCloneTable
0x00003fd8 8 reloc.printf
0x00003fe0 8 reloc.__gmon_start
0x00003fe8 8 reloc.malloc
0x00003ff0 8 reloc._ITM_registerTMCloneTable
0x00003ff8 8 reloc.__cxa_finalize
[0x00001040]> ii
[Imports]
nth vaddr      bind   type   lib name
―――――――――――――――――――――――――――――――――――――
1   0x00000000 GLOBAL FUNC       getenv
2   0x00000000 WEAK   NOTYPE     _ITM_deregisterTMCloneTable
3   0x00000000 GLOBAL FUNC       printf
4   0x00000000 WEAK   NOTYPE     __gmon_start__
5   0x00000000 GLOBAL FUNC       malloc
6   0x00000000 WEAK   NOTYPE     _ITM_registerTMCloneTable
7   0x00000000 WEAK   FUNC       __cxa_finalize

[0x00001040]> ir
[Relocations]

vaddr      paddr      type   name
―――――――――――――――――――――――――――――――――
0x00003e28 0x00002e28 ADD_64  0x000010f0
0x00003e30 0x00002e30 ADD_64  0x000010b0
0x00003fc8 0x00002fc8 SET_64 getenv
0x00003fd0 0x00002fd0 SET_64 _ITM_deregisterTMCloneTable
0x00003fd8 0x00002fd8 SET_64 printf
0x00003fe0 0x00002fe0 SET_64 __gmon_start__
0x00003fe8 0x00002fe8 SET_64 malloc
0x00003ff0 0x00002ff0 SET_64 _ITM_registerTMCloneTable
0x00003ff8 0x00002ff8 SET_64 __cxa_finalize
0x00004018 0x00003018 ADD_64  0x00004018

Describe the solution you'd like

We need to show the addresses parsed from rel.dyn. I suggest combining the information from `ii`, `ir`, `is` into one table with multiple columns for the symbols that are present in all three. Not sure which command this output should go under.

Additional context

This is what IDA Pro 7.6 shows:

LOAD:00000000000002F0 ; ELF GNU Hash Table
LOAD:00000000000002F0 elf_gnu_hash_nbuckets dd 2
LOAD:00000000000002F4 elf_gnu_hash_symbias dd 8
LOAD:00000000000002F8 elf_gnu_hash_bitmask_nwords dd 1
LOAD:00000000000002FC elf_gnu_hash_shift dd 6
LOAD:0000000000000300 elf_gnu_hash_indexes dq 4000008000h
LOAD:0000000000000308 elf_gnu_hash_bucket dd 8, 0
LOAD:0000000000000310 elf_gnu_hash_chain dd 0FEA63E7h, 0
LOAD:0000000000000318 ; ELF Symbol Table
LOAD:0000000000000318                 Elf64_Sym <0>
LOAD:0000000000000330                 Elf64_Sym <offset aGetenv - offset unk_3F0, 12h, 0, 0, offset dword_0,\ ; "getenv"
LOAD:0000000000000330                            0>
LOAD:0000000000000348                 Elf64_Sym <offset aItmDeregistert - offset unk_3F0, 20h, 0, 0, \ ; "_ITM_deregisterTMCloneTable"
LOAD:0000000000000348                            offset dword_0, 0>
LOAD:0000000000000360                 Elf64_Sym <offset aPrintf - offset unk_3F0, 12h, 0, 0, offset dword_0,\ ; "printf"
LOAD:0000000000000360                            0>
LOAD:0000000000000378                 Elf64_Sym <offset aGmonStart - offset unk_3F0, 20h, 0, 0, \ ; "__gmon_start__"
LOAD:0000000000000378                            offset dword_0, 0>
LOAD:0000000000000390                 Elf64_Sym <offset aMalloc - offset unk_3F0, 12h, 0, 0, offset dword_0,\ ; "malloc"
LOAD:0000000000000390                            0>
LOAD:00000000000003A8                 Elf64_Sym <offset aItmRegistertmc - offset unk_3F0, 20h, 0, 0, \ ; "_ITM_registerTMCloneTable"
LOAD:00000000000003A8                            offset dword_0, 0>
LOAD:00000000000003C0                 Elf64_Sym <offset aCxaFinalize - offset unk_3F0, 22h, 0, 0, \ ; "__cxa_finalize"
LOAD:00000000000003C0                            offset dword_0, 0>
LOAD:00000000000003D8                 Elf64_Sym <offset aMagic - offset unk_3F0, 12h, 0, 0Ch, offset magic, \ ; "magic"
LOAD:00000000000003D8                            46h>
LOAD:00000000000003F0 ; ELF String Table
LOAD:00000000000003F0 unk_3F0         db    0                 ; DATA XREF: LOAD:0000000000000330↑o
LOAD:00000000000003F0                                         ; LOAD:0000000000000348↑o ...
LOAD:00000000000003F1 aGmonStart      db '__gmon_start__',0   ; DATA XREF: LOAD:0000000000000378↑o
LOAD:0000000000000400 aItmDeregistert db '_ITM_deregisterTMCloneTable',0
LOAD:0000000000000400                                         ; DATA XREF: LOAD:0000000000000348↑o
LOAD:000000000000041C aItmRegistertmc db '_ITM_registerTMCloneTable',0
LOAD:000000000000041C                                         ; DATA XREF: LOAD:00000000000003A8↑o
LOAD:0000000000000436 aCxaFinalize    db '__cxa_finalize',0   ; DATA XREF: LOAD:00000000000003C0↑o
LOAD:0000000000000445 aMagic          db 'magic',0            ; DATA XREF: LOAD:00000000000003D8↑o
LOAD:000000000000044B aGetenv         db 'getenv',0           ; DATA XREF: LOAD:0000000000000330↑o
LOAD:0000000000000452 aMalloc         db 'malloc',0           ; DATA XREF: LOAD:0000000000000390↑o
LOAD:0000000000000459 aPrintf         db 'printf',0           ; DATA XREF: LOAD:0000000000000360↑o
LOAD:0000000000000460 aLibcSo6        db 'libc.so.6',0        ; DATA XREF: LOAD:0000000000000488↓o
LOAD:000000000000046A aGlibc225       db 'GLIBC_2.2.5',0      ; DATA XREF: LOAD:0000000000000498↓o
LOAD:0000000000000476 ; ELF GNU Symbol Version Table
LOAD:0000000000000476                 dw 0
LOAD:0000000000000478                 dw 2                    ; getenv@@GLIBC_2.2.5
LOAD:000000000000047A                 dw 0                    ; local  symbol: _ITM_deregisterTMCloneTable
LOAD:000000000000047C                 dw 2                    ; printf@@GLIBC_2.2.5
LOAD:000000000000047E                 dw 0                    ; local  symbol: __gmon_start__
LOAD:0000000000000480                 dw 2                    ; malloc@@GLIBC_2.2.5
LOAD:0000000000000482                 dw 0                    ; local  symbol: _ITM_registerTMCloneTable
LOAD:0000000000000484                 dw 2                    ; __cxa_finalize@@GLIBC_2.2.5
LOAD:0000000000000486                 dw 1                    ; global symbol: magic
LOAD:0000000000000488 ; ELF GNU Symbol Version Requirements
LOAD:0000000000000488                 Elf64_Verneed <1, 1, offset aLibcSo6 - offset unk_3F0, 10h, 0> ; "libc.so.6"
LOAD:0000000000000498                 Elf64_Vernaux <9691A75h, 0, 2, offset aGlibc225 - offset unk_3F0, 0> ; "GLIBC_2.2.5"
LOAD:00000000000004A8 ; ELF RELA Relocation Table
LOAD:00000000000004A8                 Elf64_Rela <3E28h, 8, 10F0h> ; R_X86_64_RELATIVE +10F0h
LOAD:00000000000004C0                 Elf64_Rela <3E30h, 8, 10B0h> ; R_X86_64_RELATIVE +10B0h
LOAD:00000000000004D8                 Elf64_Rela <4018h, 8, 4018h> ; R_X86_64_RELATIVE +4018h
LOAD:00000000000004F0                 Elf64_Rela <3FC8h, 100000006h, 0> ; R_X86_64_GLOB_DAT getenv
LOAD:0000000000000508                 Elf64_Rela <3FD0h, 200000006h, 0> ; R_X86_64_GLOB_DAT _ITM_deregisterTMCloneTable
LOAD:0000000000000520                 Elf64_Rela <3FD8h, 300000006h, 0> ; R_X86_64_GLOB_DAT printf
LOAD:0000000000000538                 Elf64_Rela <3FE0h, 400000006h, 0> ; R_X86_64_GLOB_DAT __gmon_start__
LOAD:0000000000000550                 Elf64_Rela <3FE8h, 500000006h, 0> ; R_X86_64_GLOB_DAT malloc
LOAD:0000000000000568                 Elf64_Rela <3FF0h, 600000006h, 0> ; R_X86_64_GLOB_DAT _ITM_registerTMCloneTable
LOAD:0000000000000580                 Elf64_Rela <3FF8h, 700000006h, 0> ; R_X86_64_GLOB_DAT __cxa_finalize
LOAD:0000000000000580 LOAD            ends
LOAD:0000000000000580

readelf output:

[i] ℤ readelf -sW sample_f_noplt.so    20:46:48

Symbol table '.dynsym' contains 9 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTable
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)
     4: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.2.5 (2)
     6: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMCloneTable
     7: 0000000000000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize@GLIBC_2.2.5 (2)
     8: 00000000000010f9    70 FUNC    GLOBAL DEFAULT   12 magic

Symbol table '.symtab' contains 52 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00000000000002a8     0 SECTION LOCAL  DEFAULT    1 
     2: 00000000000002c8     0 SECTION LOCAL  DEFAULT    2 
     3: 00000000000002f0     0 SECTION LOCAL  DEFAULT    3 
     4: 0000000000000318     0 SECTION LOCAL  DEFAULT    4 
     5: 00000000000003f0     0 SECTION LOCAL  DEFAULT    5 
     6: 0000000000000476     0 SECTION LOCAL  DEFAULT    6 
     7: 0000000000000488     0 SECTION LOCAL  DEFAULT    7 
     8: 00000000000004a8     0 SECTION LOCAL  DEFAULT    8 
     9: 0000000000001000     0 SECTION LOCAL  DEFAULT    9 
    10: 0000000000001020     0 SECTION LOCAL  DEFAULT   10 
    11: 0000000000001030     0 SECTION LOCAL  DEFAULT   11 
    12: 0000000000001040     0 SECTION LOCAL  DEFAULT   12 
    13: 0000000000001140     0 SECTION LOCAL  DEFAULT   13 
    14: 0000000000002000     0 SECTION LOCAL  DEFAULT   14 
    15: 0000000000002014     0 SECTION LOCAL  DEFAULT   15 
    16: 0000000000002038     0 SECTION LOCAL  DEFAULT   16 
    17: 0000000000003e28     0 SECTION LOCAL  DEFAULT   17 
    18: 0000000000003e30     0 SECTION LOCAL  DEFAULT   18 
    19: 0000000000003e38     0 SECTION LOCAL  DEFAULT   19 
    20: 0000000000003fc8     0 SECTION LOCAL  DEFAULT   20 
    21: 0000000000004000     0 SECTION LOCAL  DEFAULT   21 
    22: 0000000000004018     0 SECTION LOCAL  DEFAULT   22 
    23: 0000000000004020     0 SECTION LOCAL  DEFAULT   23 
    24: 0000000000000000     0 SECTION LOCAL  DEFAULT   24 
    25: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS crtstuff.c
    26: 0000000000001040     0 FUNC    LOCAL  DEFAULT   12 deregister_tm_clones
    27: 0000000000001070     0 FUNC    LOCAL  DEFAULT   12 register_tm_clones
    28: 00000000000010b0     0 FUNC    LOCAL  DEFAULT   12 __do_global_dtors_aux
    29: 0000000000004020     1 OBJECT  LOCAL  DEFAULT   23 completed.0
    30: 0000000000003e30     0 OBJECT  LOCAL  DEFAULT   18 __do_global_dtors_aux_fini_array_entry
    31: 00000000000010f0     0 FUNC    LOCAL  DEFAULT   12 frame_dummy
    32: 0000000000003e28     0 OBJECT  LOCAL  DEFAULT   17 __frame_dummy_init_array_entry
    33: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS a.c
    34: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS crtstuff.c
    35: 00000000000020b0     0 OBJECT  LOCAL  DEFAULT   16 __FRAME_END__
    36: 0000000000000000     0 FILE    LOCAL  DEFAULT  ABS 
    37: 0000000000001140     0 FUNC    LOCAL  DEFAULT   13 _fini
    38: 0000000000004018     0 OBJECT  LOCAL  DEFAULT   22 __dso_handle
    39: 0000000000003e38     0 OBJECT  LOCAL  DEFAULT   19 _DYNAMIC
    40: 0000000000002014     0 NOTYPE  LOCAL  DEFAULT   15 __GNU_EH_FRAME_HDR
    41: 0000000000004020     0 OBJECT  LOCAL  DEFAULT   22 __TMC_END__
    42: 0000000000004000     0 OBJECT  LOCAL  DEFAULT   21 _GLOBAL_OFFSET_TABLE_
    43: 0000000000001000     0 FUNC    LOCAL  DEFAULT    9 _init
    44: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND getenv@@GLIBC_2.2.5
    45: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_deregisterTMCloneTable
    46: 00000000000010f9    70 FUNC    GLOBAL DEFAULT   12 magic
    47: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@@GLIBC_2.2.5
    48: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND __gmon_start__
    49: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND malloc@@GLIBC_2.2.5
    50: 0000000000000000     0 NOTYPE  WEAK   DEFAULT  UND _ITM_registerTMCloneTable
    51: 0000000000000000     0 FUNC    WEAK   DEFAULT  UND __cxa_finalize@@GLIBC_2.2.5

objdump output:

[i] ℤ objdump -t sample_f_noplt.so    20:48:51

sample_f_noplt.so:     file format elf64-x86-64

SYMBOL TABLE:
00000000000002a8 l    d  .note.gnu.property     0000000000000000              .note.gnu.property
00000000000002c8 l    d  .note.gnu.build-id     0000000000000000              .note.gnu.build-id
00000000000002f0 l    d  .gnu.hash      0000000000000000              .gnu.hash
0000000000000318 l    d  .dynsym        0000000000000000              .dynsym
00000000000003f0 l    d  .dynstr        0000000000000000              .dynstr
0000000000000476 l    d  .gnu.version   0000000000000000              .gnu.version
0000000000000488 l    d  .gnu.version_r 0000000000000000              .gnu.version_r
00000000000004a8 l    d  .rela.dyn      0000000000000000              .rela.dyn
0000000000001000 l    d  .init  0000000000000000              .init
0000000000001020 l    d  .plt   0000000000000000              .plt
0000000000001030 l    d  .plt.got       0000000000000000              .plt.got
0000000000001040 l    d  .text  0000000000000000              .text
0000000000001140 l    d  .fini  0000000000000000              .fini
0000000000002000 l    d  .rodata        0000000000000000              .rodata
0000000000002014 l    d  .eh_frame_hdr  0000000000000000              .eh_frame_hdr
0000000000002038 l    d  .eh_frame      0000000000000000              .eh_frame
0000000000003e28 l    d  .init_array    0000000000000000              .init_array
0000000000003e30 l    d  .fini_array    0000000000000000              .fini_array
0000000000003e38 l    d  .dynamic       0000000000000000              .dynamic
0000000000003fc8 l    d  .got   0000000000000000              .got
0000000000004000 l    d  .got.plt       0000000000000000              .got.plt
0000000000004018 l    d  .data  0000000000000000              .data
0000000000004020 l    d  .bss   0000000000000000              .bss
0000000000000000 l    d  .comment       0000000000000000              .comment
0000000000000000 l    df *ABS*  0000000000000000              crtstuff.c
0000000000001040 l     F .text  0000000000000000              deregister_tm_clones
0000000000001070 l     F .text  0000000000000000              register_tm_clones
00000000000010b0 l     F .text  0000000000000000              __do_global_dtors_aux
0000000000004020 l     O .bss   0000000000000001              completed.0
0000000000003e30 l     O .fini_array    0000000000000000              __do_global_dtors_aux_fini_array_entry
00000000000010f0 l     F .text  0000000000000000              frame_dummy
0000000000003e28 l     O .init_array    0000000000000000              __frame_dummy_init_array_entry
0000000000000000 l    df *ABS*  0000000000000000              a.c
0000000000000000 l    df *ABS*  0000000000000000              crtstuff.c
00000000000020b0 l     O .eh_frame      0000000000000000              __FRAME_END__
0000000000000000 l    df *ABS*  0000000000000000              
0000000000001140 l     F .fini  0000000000000000              _fini
0000000000004018 l     O .data  0000000000000000              __dso_handle
0000000000003e38 l     O .dynamic       0000000000000000              _DYNAMIC
0000000000002014 l       .eh_frame_hdr  0000000000000000              __GNU_EH_FRAME_HDR
0000000000004020 l     O .data  0000000000000000              __TMC_END__
0000000000004000 l     O .got.plt       0000000000000000              _GLOBAL_OFFSET_TABLE_
0000000000001000 l     F .init  0000000000000000              _init
0000000000000000       F *UND*  0000000000000000              getenv@@GLIBC_2.2.5
0000000000000000  w      *UND*  0000000000000000              _ITM_deregisterTMCloneTable
00000000000010f9 g     F .text  0000000000000046              magic
0000000000000000       F *UND*  0000000000000000              printf@@GLIBC_2.2.5
0000000000000000  w      *UND*  0000000000000000              __gmon_start__
0000000000000000       F *UND*  0000000000000000              malloc@@GLIBC_2.2.5
0000000000000000  w      *UND*  0000000000000000              _ITM_registerTMCloneTable
0000000000000000  w    F *UND*  0000000000000000              __cxa_finalize@@GLIBC_2.2.5
[i] ℤ objdump -T sample_f_noplt.so    20:49:04

sample_f_noplt.so:     file format elf64-x86-64

DYNAMIC SYMBOL TABLE:
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 getenv
0000000000000000  w   D  *UND*  0000000000000000              _ITM_deregisterTMCloneTable
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 printf
0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 malloc
0000000000000000  w   D  *UND*  0000000000000000              _ITM_registerTMCloneTable
0000000000000000  w   DF *UND*  0000000000000000  GLIBC_2.2.5 __cxa_finalize
00000000000010f9 g    DF .text  0000000000000046  Base        magic
[i] ℤ objdump -R sample_f_noplt.so    20:51:17

sample_f_noplt.so:     file format elf64-x86-64

DYNAMIC RELOCATION RECORDS
OFFSET           TYPE              VALUE 
0000000000003e28 R_X86_64_RELATIVE  *ABS*+0x00000000000010f0
0000000000003e30 R_X86_64_RELATIVE  *ABS*+0x00000000000010b0
0000000000004018 R_X86_64_RELATIVE  *ABS*+0x0000000000004018
0000000000003fc8 R_X86_64_GLOB_DAT  getenv@GLIBC_2.2.5
0000000000003fd0 R_X86_64_GLOB_DAT  _ITM_deregisterTMCloneTable
0000000000003fd8 R_X86_64_GLOB_DAT  printf@GLIBC_2.2.5
0000000000003fe0 R_X86_64_GLOB_DAT  __gmon_start__
0000000000003fe8 R_X86_64_GLOB_DAT  malloc@GLIBC_2.2.5
0000000000003ff0 R_X86_64_GLOB_DAT  _ITM_registerTMCloneTable
0000000000003ff8 R_X86_64_GLOB_DAT  __cxa_finalize@GLIBC_2.2.5

sample_f_noplt.so.zip

ret2libc commented 3 years ago

I'm removing this from 0.3.0, because there is no proposed solution yet. I think to move this forward we should propose concrete rizin commands/output with examples.

DhruvaG2000 commented 2 years ago

I would like to suggest `iA`, where A could stand for "all" - ii, ir, is? The output would look something like:

[0x00001040]> iA ii ir is
nth vaddr bind type lib name paddr target type vaddr size
1 0x00000000
2 0x000eefbee
3 0.00xx0x0x0

(pardon my terrible formatting as I have done it by hand.) But I hope I was able to get the idea across.
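As an added illustration of what the combined table requested in the issue (and sketched in the `iA` suggestion above) could look like, here is a small Python script that is not part of rizin and not from any commenter: it parses the `is`, `ii` and `ir` text listings quoted in the issue, joins them on the symbol name (dropping the `imp.` prefix from `is` names), keeps the symbol value and the relocation slot as separate columns rather than choosing one, and prints one table. The column names, the `srcs` marker and the `require_all` switch are assumptions of this example; the three listings are embedded as constructed sample input copied from the issue.

```python
"""Join rizin's `is`, `ii` and `ir` listings into one table keyed by symbol name."""
import re

# Constructed sample input: the three listings quoted in the issue, copied as-is.
IS_OUTPUT = """\
1   0x00000000 0x00000000 GLOBAL FUNC   16       imp.getenv
2   0x00000000 0x00000000 WEAK   NOTYPE 16       imp._ITM_deregisterTMCloneTable
3   0x00000000 0x00000000 GLOBAL FUNC   16       imp.printf
4   0x00000000 0x00000000 WEAK   NOTYPE 16       imp.__gmon_start__
5   0x00000000 0x00000000 GLOBAL FUNC   16       imp.malloc
6   0x00000000 0x00000000 WEAK   NOTYPE 16       imp._ITM_registerTMCloneTable
7   0x00000000 0x00000000 WEAK   FUNC   16       imp.__cxa_finalize
"""
II_OUTPUT = """\
[Imports]
nth vaddr      bind   type   lib name
―――――――――――――――――――――――――――――――――――――
1   0x00000000 GLOBAL FUNC       getenv
2   0x00000000 WEAK   NOTYPE     _ITM_deregisterTMCloneTable
3   0x00000000 GLOBAL FUNC       printf
4   0x00000000 WEAK   NOTYPE     __gmon_start__
5   0x00000000 GLOBAL FUNC       malloc
6   0x00000000 WEAK   NOTYPE     _ITM_registerTMCloneTable
7   0x00000000 WEAK   FUNC       __cxa_finalize
"""
IR_OUTPUT = """\
[Relocations]

vaddr      paddr      type   name
―――――――――――――――――――――――――――――――――
0x00003e28 0x00002e28 ADD_64  0x000010f0
0x00003e30 0x00002e30 ADD_64  0x000010b0
0x00003fc8 0x00002fc8 SET_64 getenv
0x00003fd0 0x00002fd0 SET_64 _ITM_deregisterTMCloneTable
0x00003fd8 0x00002fd8 SET_64 printf
0x00003fe0 0x00002fe0 SET_64 __gmon_start__
0x00003fe8 0x00002fe8 SET_64 malloc
0x00003ff0 0x00002ff0 SET_64 _ITM_registerTMCloneTable
0x00003ff8 0x00002ff8 SET_64 __cxa_finalize
0x00004018 0x00003018 ADD_64  0x00004018
"""

HEX = re.compile(r"^0x[0-9a-fA-F]+$")

def _rows(text):
    """Whitespace-split data rows; header, rule and blank lines are skipped."""
    for line in text.splitlines():
        cols = line.split()
        if cols and (cols[0].isdigit() or HEX.match(cols[0])):
            yield cols

def parse_is(text):
    """`is`: nth paddr vaddr bind type size [lib] name; key is the name minus `imp.`."""
    out = {}
    for c in _rows(text):
        key = c[-1][4:] if c[-1].startswith("imp.") else c[-1]
        out[key] = {"sym_name": c[-1], "sym_vaddr": int(c[2], 16), "size": int(c[5])}
    return out

def parse_ii(text):
    """`ii`: nth vaddr bind type [lib] name (lib column is empty in the sample)."""
    return {c[-1]: {"nth": int(c[0]), "bind": c[2], "type": c[3],
                    "lib": c[4] if len(c) == 6 else ""} for c in _rows(text)}

def parse_ir(text):
    """`ir`: vaddr paddr type name; rows whose target is a bare address carry no symbol."""
    return {c[3]: {"reloc_vaddr": int(c[0], 16), "reloc_paddr": int(c[1], 16),
                   "reloc_type": c[2]} for c in _rows(text) if not HEX.match(c[3])}

def combine(is_text, ii_text, ir_text, require_all=True):
    """Join the three listings on symbol name. With require_all=False, a name seen in
    only some listings is kept and `srcs` records which ones contained it (s/i/r)."""
    syms, imps, relocs = parse_is(is_text), parse_ii(ii_text), parse_ir(ir_text)
    names = list(dict.fromkeys(list(imps) + list(syms) + list(relocs)))  # `ii` order first
    rows = []
    for n in names:
        srcs = "".join(t for t, d in (("s", syms), ("i", imps), ("r", relocs)) if n in d)
        if require_all and len(srcs) != 3:
            continue
        row = {"name": n, "srcs": srcs, **syms.get(n, {}), **imps.get(n, {}), **relocs.get(n, {})}
        # The symbol value (0 for an undefined import) and the GOT slot the relocation
        # patches are different things; keep both columns and flag that they differ.
        row["slot_differs"] = ("sym_vaddr" in row and "reloc_vaddr" in row
                               and row["sym_vaddr"] != row["reloc_vaddr"])
        rows.append(row)
    return rows

def render(rows):
    """Plain-text table in the spirit of the `iA` proposal."""
    fmt = "{:>3} {:<28} {:<6} {:<6} {:>10} {:>11} {:>11} {:<7} {}"
    lines = [fmt.format("nth", "name", "bind", "type", "sym_vaddr",
                        "reloc_vaddr", "reloc_paddr", "rtype", "srcs")]
    for r in rows:
        hx = lambda k: f"0x{r[k]:08x}" if k in r else "-"
        lines.append(fmt.format(r.get("nth", "-"), r["name"], r.get("bind", "-"),
                                r.get("type", "-"), hx("sym_vaddr"), hx("reloc_vaddr"),
                                hx("reloc_paddr"), r.get("reloc_type", "-"), r["srcs"]))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(combine(IS_OUTPUT, II_OUTPUT, IR_OUTPUT)))
```

Running the script prints the seven imports with their `is` value (0) next to the `.got` slot and file offset that `ir` reports for the same name. The `require_all=False` path is the "handle it gracefully" case from the issue: a symbol that one listing lacks stays in the table with a `-` in the missing columns instead of silently disappearing from the join.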

ret2libc commented 2 years ago

To be honest it is not clear to me what @XVilka is suggesting exactly. Could you provide more details about this and a concrete example of what you had in mind?