Or is there a way to trace functions only within the program's own address space, and not inside the system libraries?
#1
Yes, you can do that. A Python script with appropriate comments is attached below.

```python
#!/usr/bin/env python3
import r2pipe

r = r2pipe.open('programName', flags=['-d'])
r.cmd('aei')
modules = r.cmd('dmm')  # list all modules along with start and end addresses

# 'dmm' output is one big string, one module per line: "start end path";
# pull the start address and the module name out of each line
starts = []       # modules' start addresses
moduleNames = []  # module file names (directory part stripped)
for line in modules.splitlines():
    parts = line.split(None, 2)  # the path may itself contain spaces
    if len(parts) < 3:
        continue
    starts.append(parts[0])
    moduleNames.append(parts[2].split('/')[-1])

# put here all libraries you don't want breakpoints in
systemModules = {'ld-2.27.so'}

for i in range(len(moduleNames)):
    if moduleNames[i] in systemModules:
        continue
    r.cmd('s ' + starts[i])  # go to start of module i
    # find all call instructions in this module; you can use other
    # commands of type /a for more flexibility
    calls = r.cmd('/am call')
    for line in calls.splitlines():
        if not line.strip():
            continue
        addr = line.split()[0]  # the address is the first field of each hit
        r.cmd('db ' + addr)  # put breakpoint at given address

# all breakpoints set; you can now continue execution and do what you
# want to do at each breakpoint
print(r.cmd('db'))  # list all breakpoints set
```
The script is not great, but it gets the job done. It searches the relevant modules for all `call` instructions and sets a breakpoint at each one.
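As an added example (not the answer's code), the same module filtering done offline on constructed text in the "start end path" and "address ..." line layouts the answer assumes for `dmm` and `/am call` output; it also checks that every hit lies inside the address range of the module it was found in, so the breakpoint list never leaks into a system library. All addresses, paths and module names below are illustrative.

```python
import os

# Libraries we do not want to trace into (the answer's systemModules idea).
SYSTEM_LIBS = {"ld-2.27.so", "libc-2.27.so"}

def parse_modules(dmm_text):
    """Parse 'dmm'-style lines 'start end path' into (start, end, basename)."""
    mods = []
    for line in dmm_text.splitlines():
        parts = line.split(None, 2)  # the path may itself contain spaces
        if len(parts) == 3:
            mods.append((int(parts[0], 16), int(parts[1], 16), os.path.basename(parts[2])))
    return mods

def owning_module(mods, addr):
    """Name of the module whose [start, end) range contains addr, or None."""
    for start, end, name in mods:
        if start <= addr < end:
            return name
    return None

def plan_breakpoints(dmm_text, calls_by_module, system_libs=SYSTEM_LIBS):
    """Return the 'db <addr>' commands for every call hit inside a non-system module.
    calls_by_module maps a module basename to its '/am call'-style output (address first)."""
    mods = parse_modules(dmm_text)
    cmds = []
    for start, end, name in mods:
        if name in system_libs:
            continue
        for line in calls_by_module.get(name, "").splitlines():
            if not line.strip():
                continue
            addr = int(line.split()[0], 16)
            if owning_module(mods, addr) == name:  # ignore hits outside this module
                cmds.append("db 0x%x" % addr)
    return cmds

# Constructed sample output; addresses and paths are illustrative, not captured.
SAMPLE_DMM = (
    "0x00400000 0x00401000 /home/user/programName\n"
    "0x7ffff7dd3000 0x7ffff7dfc000 /lib/x86_64-linux-gnu/ld-2.27.so\n"
)
SAMPLE_CALLS = {
    "programName": "0x00400536 e8c5ffffff call sym.imp.puts\n"
                   "0x00400550 e8abffffff call sym.helper\n",
    "ld-2.27.so": "0x7ffff7dd4010 e8c0ffffff call fcn.7ffff7dd3fd0\n",
}
if __name__ == "__main__":
    print("\n".join(plan_breakpoints(SAMPLE_DMM, SAMPLE_CALLS)))
```

Feeding the real `r.cmd('dmm')` and `r.cmd('/am call')` strings into these functions gives the same list the answer's script builds, but the filtering can be unit-tested without a debugger session.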