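Common Usage of the objdump Command
1 Introduction to objdump
1.1 Overview
objdump is a command-line tool widely used on Unix-like systems. It is part of the GNU Binutils suite and is mainly used to display detailed information about binary files such as compiled object files, executables and shared libraries. It is an extremely flexible, versatile tool that is useful to software developers, security researchers and anyone who wants to understand the internal structure of binary files.
1.2 Main Features
- Disassembly
Converts machine code back into assembly language. The -d or -D option does this, sometimes combined with -S to intermix the source code with the corresponding assembly.
- File header information
The -f option displays basic information such as the file format, architecture and entry point.
- Section header information
The -h or -x option shows the layout and attributes of each section in the file, such as the code section (.text), the data section (.data) and the BSS section.
- Symbol table
The -t option lists the symbol information in the object file, including global variables, function names and their addresses.
- Relocation information
The -r option shows the relocation entries in the file, which is very helpful for understanding the linking process.
- Dynamic information
For dynamically linked executables or libraries, the -p, -R, -T and -D options display, respectively, the program header table, the required dynamic libraries, the dynamic symbol table and dynamic disassembly information.
- Debug information
The -g option displays debug information, provided it was included at compile time.
- Support for different formats and architectures
objdump supports multiple binary formats (such as ELF, COFF, Mach-O) and processor architectures, and options can select a different disassembly style or architecture.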
2 The objdump Command
rlk@rlk:~$ objdump --help
Usage: objdump <option(s)> <file(s)>
Display information from object <file(s)>.
At least one of the following switches must be given:
-a, --archive-headers Display archive header information
-f, --file-headers Display the contents of the overall file header
-p, --private-headers Display object format specific file header contents
-P, --private=OPT,OPT... Display object format specific contents
-h, --[section-]headers Display the contents of the section headers
-x, --all-headers Display the contents of all headers
-d, --disassemble Display assembler contents of executable sections
-D, --disassemble-all Display assembler contents of all sections
--disassemble=<sym> Display assembler contents from <sym>
-S, --source Intermix source code with disassembly
--source-comment[=<txt>] Prefix lines of source code with <txt>
-s, --full-contents Display the full contents of all sections requested
-g, --debugging Display debug information in object file
-e, --debugging-tags Display debug information using ctags style
-G, --stabs Display (in raw form) any STABS info in the file
-W[lLiaprmfFsoRtUuTgAckK] or
--dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames,
=frames-interp,=str,=loc,=Ranges,=pubtypes,
=gdb_index,=trace_info,=trace_abbrev,=trace_aranges,
=addr,=cu_index,=links,=follow-links]
Display DWARF info in the file
--ctf=SECTION Display CTF info from SECTION
-t, --syms Display the contents of the symbol table(s)
-T, --dynamic-syms Display the contents of the dynamic symbol table
-r, --reloc Display the relocation entries in the file
-R, --dynamic-reloc Display the dynamic relocation entries in the file
@<file> Read options from <file>
-v, --version Display this program's version number
-i, --info List object formats and architectures supported
-H, --help Display this information
The following switches are optional:
-b, --target=BFDNAME Specify the target object format as BFDNAME
-m, --architecture=MACHINE Specify the target architecture as MACHINE
-j, --section=NAME Only display information for section NAME
-M, --disassembler-options=OPT Pass text OPT on to the disassembler
-EB --endian=big Assume big endian format when disassembling
-EL --endian=little Assume little endian format when disassembling
--file-start-context Include context from start of file (with -S)
-I, --include=DIR Add DIR to search list for source files
-l, --line-numbers Include line numbers and filenames in output
-F, --file-offsets Include file offsets when displaying information
-C, --demangle[=STYLE] Decode mangled/processed symbol names
The STYLE, if specified, can be `auto', `gnu',
`lucid', `arm', `hp', `edg', `gnu-v3', `java'
or `gnat'
--recurse-limit Enable a limit on recursion whilst demangling. [Default]
--no-recurse-limit Disable a limit on recursion whilst demangling
-w, --wide Format output for more than 80 columns
-z, --disassemble-zeroes Do not skip blocks of zeroes when disassembling
--start-address=ADDR Only process data whose address is >= ADDR
--stop-address=ADDR Only process data whose address is < ADDR
--prefix-addresses Print complete address alongside disassembly
--[no-]show-raw-insn Display hex alongside symbolic disassembly
--insn-width=WIDTH Display WIDTH bytes on a single line for -d
--adjust-vma=OFFSET Add OFFSET to all displayed section addresses
--special-syms Include special symbols in symbol dumps
--inlines Print all inlines for source line (with -l)
--prefix=PREFIX Add PREFIX to absolute paths for -S
--prefix-strip=LEVEL Strip initial directory names for -S
--dwarf-depth=N Do not display DIEs at depth N or greater
--dwarf-start=N Display DIEs starting with N, at the same depth
or deeper
--dwarf-check Make additional dwarf internal consistency checks.
--ctf-parent=SECTION Use SECTION as the CTF parent
--visualize-jumps Visualize jumps by drawing ASCII art lines
--visualize-jumps=color Use colors in the ASCII art
--visualize-jumps=extended-color Use extended 8-bit color codes
--visualize-jumps=off Disable jump visualization
objdump: supported targets: elf64-x86-64 elf32-i386 elf32-iamcu elf32-x86-64 pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big pe-x86-64 pe-bigobj-x86-64 pe-i386 srec symbolsrec verilog tekhex binary ihex plugin
objdump: supported architectures: i386 i386:x86-64 i386:x64-32 i8086 i386:intel i386:x86-64:intel i386:x64-32:intel i386:nacl i386:x86-64:nacl i386:x64-32:nacl iamcu iamcu:intel l1om l1om:intel k1om k1om:intel
The following i386/x86-64 specific disassembler options are supported for use
with the -M switch (multiple options should be separated by commas):
x86-64 Disassemble in 64bit mode
i386 Disassemble in 32bit mode
i8086 Disassemble in 16bit mode
att Display instruction in AT&T syntax
intel Display instruction in Intel syntax
att-mnemonic
Display instruction in AT&T mnemonic
intel-mnemonic
Display instruction in Intel mnemonic
addr64 Assume 64bit address size
addr32 Assume 32bit address size
addr16 Assume 16bit address size
data32 Assume 32bit data size
data16 Assume 16bit data size
suffix Always display instruction suffix in AT&T syntax
amd64 Display instruction in AMD64 ISA
intel64 Display instruction in Intel64 ISA
Report bugs to <http://www.sourceware.org/bugzilla/>.
rlk@rlk:~$
3 objdump Test Program
3.1 C Test Program
// objdump_test.c
#include <stdio.h>
void greet() {
    printf("Hello, World!\n");
}
int main() {
    greet();
    return 0;
}
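3.2 Compiling
This command links a complete executable, which gives fuller output when displaying debug information:
gcc -o objdump_test objdump_test.c
or
With this command, the objdump output after compilation covers only what the test program itself contains (-c compiles without linking, producing a relocatable object file; the output in section 4 comes from this file):
gcc -c objdump_test.c -o objdump_test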
4 objdump Commands Explained and Demonstrated
4.1 objdump -d
Disassemble the executable sections.
rlk@rlk:test$ objdump -d objdump_test
objdump_test: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <greet>:
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 48 8d 3d 00 00 00 00 lea 0x0(%rip),%rdi # b <greet+0xb>
b: e8 00 00 00 00 callq 10 <greet+0x10>
10: 90 nop
11: 5d pop %rbp
12: c3 retq
0000000000000013 <main>:
13: 55 push %rbp
14: 48 89 e5 mov %rsp,%rbp
17: b8 00 00 00 00 mov $0x0,%eax
1c: e8 00 00 00 00 callq 21 <main+0xe>
21: b8 00 00 00 00 mov $0x0,%eax
26: 5d pop %rbp
27: c3 retq
rlk@rlk:test$
4.2 objdump -a
Display archive header information.
rlk@rlk:test$ objdump -a objdump_test
objdump_test: file format elf64-x86-64
objdump_test
rlk@rlk:test$
4.3 objdump -f
Display file header information.
rlk@rlk:test$ objdump -f objdump_test
objdump_test: file format elf64-x86-64
architecture: i386:x86-64, flags 0x00000011:
HAS_RELOC, HAS_SYMS
start address 0x0000000000000000
rlk@rlk:test$
4.4 objdump -p
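Display the object-format-specific (private) header information. A relocatable object file has no program headers or dynamic section, so nothing is printed after the file format line here.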
rlk@rlk:test$ objdump -p objdump_test
objdump_test: file format elf64-x86-64
rlk@rlk:test$
4.5 objdump -D
Disassemble all sections.
rlk@rlk:test$ objdump -D objdump_test
objdump_test: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <greet>:
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 48 8d 3d 00 00 00 00 lea 0x0(%rip),%rdi # b <greet+0xb>
b: e8 00 00 00 00 callq 10 <greet+0x10>
10: 90 nop
11: 5d pop %rbp
12: c3 retq
0000000000000013 <main>:
13: 55 push %rbp
14: 48 89 e5 mov %rsp,%rbp
17: b8 00 00 00 00 mov $0x0,%eax
1c: e8 00 00 00 00 callq 21 <main+0xe>
21: b8 00 00 00 00 mov $0x0,%eax
26: 5d pop %rbp
27: c3 retq
Disassembly of section .rodata:
0000000000000000 <.rodata>:
0: 48 rex.W
1: 65 6c gs insb (%dx),%es:(%rdi)
3: 6c insb (%dx),%es:(%rdi)
4: 6f outsl %ds:(%rsi),(%dx)
5: 2c 20 sub $0x20,%al
7: 57 push %rdi
8: 6f outsl %ds:(%rsi),(%dx)
9: 72 6c jb 77 <main+0x64>
b: 64 21 00 and %eax,%fs:(%rax)
Disassembly of section .comment:
0000000000000000 <.comment>:
0: 00 47 43 add %al,0x43(%rdi)
3: 43 3a 20 rex.XB cmp (%r8),%spl
6: 28 55 62 sub %dl,0x62(%rbp)
9: 75 6e jne 79 <main+0x66>
b: 74 75 je 82 <main+0x6f>
d: 20 37 and %dh,(%rdi)
f: 2e 35 2e 30 2d 36 cs xor $0x362d302e,%eax
15: 75 62 jne 79 <main+0x66>
17: 75 6e jne 87 <main+0x74>
19: 74 75 je 90 <main+0x7d>
1b: 32 29 xor (%rcx),%ch
1d: 20 37 and %dh,(%rdi)
1f: 2e cs
20: 35 .byte 0x35
21: 2e 30 00 xor %al,%cs:(%rax)
Disassembly of section .eh_frame:
0000000000000000 <.eh_frame>:
0: 14 00 adc $0x0,%al
2: 00 00 add %al,(%rax)
4: 00 00 add %al,(%rax)
6: 00 00 add %al,(%rax)
8: 01 7a 52 add %edi,0x52(%rdx)
b: 00 01 add %al,(%rcx)
d: 78 10 js 1f <.eh_frame+0x1f>
f: 01 1b add %ebx,(%rbx)
11: 0c 07 or $0x7,%al
13: 08 90 01 00 00 1c or %dl,0x1c000001(%rax)
19: 00 00 add %al,(%rax)
1b: 00 1c 00 add %bl,(%rax,%rax,1)
1e: 00 00 add %al,(%rax)
20: 00 00 add %al,(%rax)
22: 00 00 add %al,(%rax)
24: 13 00 adc (%rax),%eax
26: 00 00 add %al,(%rax)
28: 00 41 0e add %al,0xe(%rcx)
2b: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi)
31: 4e 0c 07 rex.WRX or $0x7,%al
34: 08 00 or %al,(%rax)
36: 00 00 add %al,(%rax)
38: 1c 00 sbb $0x0,%al
3a: 00 00 add %al,(%rax)
3c: 3c 00 cmp $0x0,%al
3e: 00 00 add %al,(%rax)
40: 00 00 add %al,(%rax)
42: 00 00 add %al,(%rax)
44: 15 00 00 00 00 adc $0x0,%eax
49: 41 0e rex.B (bad)
4b: 10 86 02 43 0d 06 adc %al,0x60d4302(%rsi)
51: 50 push %rax
52: 0c 07 or $0x7,%al
54: 08 00 or %al,(%rax)
...
rlk@rlk:test$
4.6 objdump -S
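Intermix source code with the disassembly. The file here was compiled without -g, so no source lines appear in the output.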
rlk@rlk:test$ objdump -S objdump_test
objdump_test: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <greet>:
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 48 8d 3d 00 00 00 00 lea 0x0(%rip),%rdi # b <greet+0xb>
b: e8 00 00 00 00 callq 10 <greet+0x10>
10: 90 nop
11: 5d pop %rbp
12: c3 retq
0000000000000013 <main>:
13: 55 push %rbp
14: 48 89 e5 mov %rsp,%rbp
17: b8 00 00 00 00 mov $0x0,%eax
1c: e8 00 00 00 00 callq 21 <main+0xe>
21: b8 00 00 00 00 mov $0x0,%eax
26: 5d pop %rbp
27: c3 retq
rlk@rlk:test$
4.7 objdump -s
Display the contents of the sections.
rlk@rlk:test$ objdump -s objdump_test
objdump_test: file format elf64-x86-64
Contents of section .text:
0000 554889e5 488d3d00 000000e8 00000000 UH..H.=.........
0010 905dc355 4889e5b8 00000000 e8000000 .].UH...........
0020 00b80000 00005dc3 ......].
Contents of section .rodata:
0000 48656c6c 6f2c2057 6f726c64 2100 Hello, World!.
Contents of section .comment:
0000 00474343 3a202855 62756e74 7520372e .GCC: (Ubuntu 7.
0010 352e302d 36756275 6e747532 2920372e 5.0-6ubuntu2) 7.
0020 352e3000 5.0.
Contents of section .eh_frame:
0000 14000000 00000000 017a5200 01781001 .........zR..x..
0010 1b0c0708 90010000 1c000000 1c000000 ................
0020 00000000 13000000 00410e10 8602430d .........A....C.
0030 064e0c07 08000000 1c000000 3c000000 .N..........<...
0040 00000000 15000000 00410e10 8602430d .........A....C.
0050 06500c07 08000000 .P......
rlk@rlk:test$
4.8 objdump -t
Display the contents of the symbol table.
rlk@rlk:test$ objdump -t objdump_test
objdump_test: file format elf64-x86-64
SYMBOL TABLE:
0000000000000000 l df *ABS* 0000000000000000 objdump_test.c
0000000000000000 l d .text 0000000000000000 .text
0000000000000000 l d .data 0000000000000000 .data
0000000000000000 l d .bss 0000000000000000 .bss
0000000000000000 l d .rodata 0000000000000000 .rodata
0000000000000000 l d .note.GNU-stack 0000000000000000 .note.GNU-stack
0000000000000000 l d .eh_frame 0000000000000000 .eh_frame
0000000000000000 l d .comment 0000000000000000 .comment
0000000000000000 g F .text 0000000000000013 greet
0000000000000000 *UND* 0000000000000000 _GLOBAL_OFFSET_TABLE_
0000000000000000 *UND* 0000000000000000 puts
0000000000000013 g F .text 0000000000000015 main
rlk@rlk:test$
4.9 objdump -g
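Display debug information. The file here was compiled without -g, so only the call-frame information in .eh_frame is printed.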
rlk@rlk:test$ objdump -g objdump_test
objdump_test: file format elf64-x86-64
Contents of the .eh_frame section (loaded from objdump_test):
00000000 0000000000000014 00000000 CIE
Version: 1
Augmentation: "zR"
Code alignment factor: 1
Data alignment factor: -8
Return address column: 16
Augmentation data: 1b
DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_offset: r16 (rip) at cfa-8
DW_CFA_nop
DW_CFA_nop
00000018 000000000000001c 0000001c FDE cie=00000000 pc=0000000000000000..0000000000000013
DW_CFA_advance_loc: 1 to 0000000000000001
DW_CFA_def_cfa_offset: 16
DW_CFA_offset: r6 (rbp) at cfa-16
DW_CFA_advance_loc: 3 to 0000000000000004
DW_CFA_def_cfa_register: r6 (rbp)
DW_CFA_advance_loc: 14 to 0000000000000012
DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
00000038 000000000000001c 0000003c FDE cie=00000000 pc=0000000000000013..0000000000000028
DW_CFA_advance_loc: 1 to 0000000000000014
DW_CFA_def_cfa_offset: 16
DW_CFA_offset: r6 (rbp) at cfa-16
DW_CFA_advance_loc: 3 to 0000000000000017
DW_CFA_def_cfa_register: r6 (rbp)
DW_CFA_advance_loc: 16 to 0000000000000027
DW_CFA_def_cfa: r7 (rsp) ofs 8
DW_CFA_nop
DW_CFA_nop
DW_CFA_nop
rlk@rlk:test$
4.10 objdump -h
Display the header information of each section.
rlk@rlk:test$ objdump -h objdump_test
objdump_test: file format elf64-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00000028 0000000000000000 0000000000000000 00000040 2**0
CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
1 .data 00000000 0000000000000000 0000000000000000 00000068 2**0
CONTENTS, ALLOC, LOAD, DATA
2 .bss 00000000 0000000000000000 0000000000000000 00000068 2**0
ALLOC
3 .rodata 0000000e 0000000000000000 0000000000000000 00000068 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
4 .comment 00000024 0000000000000000 0000000000000000 00000076 2**0
CONTENTS, READONLY
5 .note.GNU-stack 00000000 0000000000000000 0000000000000000 0000009a 2**0
CONTENTS, READONLY
6 .eh_frame 00000058 0000000000000000 0000000000000000 000000a0 2**3
CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA
rlk@rlk:test$
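One use of the flag lines printed by -h is a quick memory-permission review. The Python below is an added example, not part of the original page: it parses an excerpt of the output above plus two constructed section entries and reports sections that are both executable and writable (CODE without READONLY) and a .note.GNU-stack marked CODE, which asks the linker for an executable stack. The names parse_sections and audit and the .scratch section are assumptions of this example.

```python
import re

# Excerpt of the page's `objdump -h` output (whitespace as shown on the page).
PAGE = """\
0 .text 00000028 0000000000000000 0000000000000000 00000040 2**0
CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
1 .data 00000000 0000000000000000 0000000000000000 00000068 2**0
CONTENTS, ALLOC, LOAD, DATA
3 .rodata 0000000e 0000000000000000 0000000000000000 00000068 2**0
CONTENTS, ALLOC, LOAD, READONLY, DATA
5 .note.GNU-stack 00000000 0000000000000000 0000000000000000 0000009a 2**0
CONTENTS, READONLY
"""
# Constructed entries (not from the page) that should each raise a finding.
BAD = """\
0 .scratch 00000040 0000000000000000 0000000000000000 00000040 2**4
CONTENTS, ALLOC, LOAD, CODE
1 .note.GNU-stack 00000000 0000000000000000 0000000000000000 00000080 2**0
CONTENTS, READONLY, CODE
"""
SECTION = re.compile(r"^\s*\d+\s+(\S+)\s+([0-9a-f]{8})(?:\s+[0-9a-f]+){3}\s+2\*\*\d+\s*$")

def parse_sections(text):
    """Return (name, size, flags) for every section header in `objdump -h` output."""
    lines = text.splitlines()
    out = []
    for head, flag_line in zip(lines, lines[1:]):
        m = SECTION.match(head)
        if m:  # the line after a header row carries its flags
            out.append((m[1], int(m[2], 16), {f.strip() for f in flag_line.split(",")}))
    return out

def audit(text):
    """List sections whose flags weaken memory protections."""
    findings = []
    for name, _size, flags in parse_sections(text):
        if "CODE" in flags and "READONLY" not in flags:
            findings.append((name, "writable and executable"))
        if name == ".note.GNU-stack" and "CODE" in flags:
            findings.append((name, "requests an executable stack"))
    return findings

if __name__ == "__main__":
    for label, sample in (("page", PAGE), ("constructed", BAD)):
        print(label, audit(sample) or "no findings")
```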
4.11 objdump -r
Display the relocation entries.
rlk@rlk:test$ objdump -r objdump_test
objdump_test: file format elf64-x86-64
RELOCATION RECORDS FOR [.text]:
OFFSET TYPE VALUE
0000000000000007 R_X86_64_PC32 .rodata-0x0000000000000004
000000000000000c R_X86_64_PLT32 puts-0x0000000000000004
000000000000001d R_X86_64_PLT32 greet-0x0000000000000004
RELOCATION RECORDS FOR [.eh_frame]:
OFFSET TYPE VALUE
0000000000000020 R_X86_64_PC32 .text
0000000000000040 R_X86_64_PC32 .text+0x0000000000000013
rlk@rlk:test$
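The disassembly in 4.1 shows callq 10 <greet+0x10> with an all-zero operand because the object file has not been linked yet; the relocation records above say what the linker will place there. As an added example (not from the original page), this Python joins the two listings copied from the page so that each patched instruction is labelled with its relocation record; the function name annotate is an assumption of this example.

```python
import re

# Listings copied from the page's `objdump -d` and `objdump -r` runs
# (unlinked object file; whitespace as it appears on the page).
DISASM = """\
0000000000000000 <greet>:
0: 55 push %rbp
1: 48 89 e5 mov %rsp,%rbp
4: 48 8d 3d 00 00 00 00 lea 0x0(%rip),%rdi # b <greet+0xb>
b: e8 00 00 00 00 callq 10 <greet+0x10>
10: 90 nop
11: 5d pop %rbp
12: c3 retq
0000000000000013 <main>:
13: 55 push %rbp
14: 48 89 e5 mov %rsp,%rbp
17: b8 00 00 00 00 mov $0x0,%eax
1c: e8 00 00 00 00 callq 21 <main+0xe>
21: b8 00 00 00 00 mov $0x0,%eax
26: 5d pop %rbp
27: c3 retq
"""
RELOCS = """\
0000000000000007 R_X86_64_PC32 .rodata-0x0000000000000004
000000000000000c R_X86_64_PLT32 puts-0x0000000000000004
000000000000001d R_X86_64_PLT32 greet-0x0000000000000004
"""
INSN = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s)+)\s*(.*)$")
RELOC = re.compile(r"^([0-9a-f]{16})\s+(R_\w+)\s+(\S+)$")

def annotate(disasm, relocs):
    """Pair each instruction with the relocation record that patches its bytes."""
    table = {int(m[1], 16): (m[2], m[3])
             for m in map(RELOC.match, relocs.splitlines()) if m}
    out = []
    for m in filter(None, map(INSN.match, disasm.splitlines())):
        addr, size = int(m[1], 16), len(m[2].split())
        # A record belongs to the instruction whose byte range contains its offset.
        hit = [table[o] for o in range(addr, addr + size) if o in table]
        out.append((addr, m[3].strip(), hit[0] if hit else None))
    return out

if __name__ == "__main__":
    for addr, text, rel in annotate(DISASM, RELOCS):
        print(f"{addr:4x}: {text}" + (f"   <- {rel[0]} {rel[1]}" if rel else ""))
```

Running objdump -dr objdump_test prints the same pairing directly, with each relocation record interleaved under the instruction it patches.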
4.12 objdump -s -j .text
View the contents of a specific section.
rlk@rlk:test$ objdump -s -j .text objdump_test
objdump_test: file format elf64-x86-64
Contents of section .text:
0000 554889e5 488d3d00 000000e8 00000000 UH..H.=.........
0010 905dc355 4889e5b8 00000000 e8000000 .].UH...........
0020 00b80000 00005dc3 ......].
rlk@rlk:test$ objdump -s -j .rodata objdump_test
objdump_test: file format elf64-x86-64
Contents of section .rodata:
0000 48656c6c 6f2c2057 6f726c64 2100 Hello, World!.
rlk@rlk:test$