How to extract all functions out of a compiled elf

2019-09-21 06:29发布

IDA can do this:some function with no symbol will named with 'sub_address'. How can I do this at runtime.

enter image description here

2条回答
成全新的幸福
2楼-- · 2019-09-21 07:06

How to extract all functions out of a compiled elf file,even the function has no symbol

You don't define what is a function for you (and you really should).

Notice that if the compiler has inlined a function, it does not appear in the ELF file, even if of course it exists in the source code (the entire program could have been built with link-time optimization, e.g. g++ -flto -O2 at both compile and link time; then you would have many inlined functions, including several which are not marked inline in the source code).

The original source code could have been compiled with visibility tricks.

The software build might have used some code obfuscation techniques.

If some function is called only indirectly (think of a virtual method in C++, always called thru some vtable; or think of some static function whose address is put into some function pointer variable or struct field) then you practically cannot detect it, since to reliably do that on the binary executable requires a precise analysis of all the possible (function pointer) values of some register or memory location (and that is undecidable, see Rice's theorem).

A program can also load a plugin at runtime (e.g. using dlopen) and call functions in it. It could also generate some machine code when running (e.g. with the help of GNU lightning, asmjit, libgccjit, etc...) and call such a generated function.

So in general you cannot achieve your goal (especially if you assume that your "adversary", the software writer, use clever techniques to make that function extraction difficult). In general, decompilation is impossible (if you want it to be precise and complete).

However, arrowd's answer is proposing some crude and incomplete approximation. You need to decide if that is enough (and even IDA is giving approximate results).

At last, in some legal systems, decompilation or reverse engineering of a binary executable is forbidden (even when technically possible); check the EULA or contract (or law) related to your binary software and your situation. You really should verify that what you are trying to do is legal (and it might not be, and in some cases you could risk jail).

BTW, all these reasons is why I prefer to always use free software, whose source code is published and can be studied and improved. I am willingly avoiding proprietary software.

查看更多
甜甜的少女心
3楼-- · 2019-09-21 07:19

In short, you disassemble all exported functions and look for call instructions. For each call instruction you take the address operand and mark it as another function, and disassemble it too. Ditto recursively.

Such functions, found from call operands, are what IDA calls sub_XXXX.

查看更多
登录 后发表回答