检测目标程序ELF bit是32还是64
Posted Jojodru
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了检测目标程序ELF bit是32还是64相关的知识,希望对你有一定的参考价值。
android操作系统在5.0之后加入了对64位程序的支持,同时兼容运行32位的进程
android的进程绝大部分是zygote父进程fork出来的子进程
zygote进程fork出来的进程是32位进程
zygote64进程fork出来的进程是64位进程
但是有一些在zygote启动之前的进程,那就是init进程fork出来的,都属于64bit进程
zygote进程在fork出子进程之后,更改了进程的名字(setNiceName)
如果想根据进程名找到进程文件,通过读取elf头的方法来判断目标进程的elf bit
不是太理想
通过man proc查阅文档可以知道,解析目标进程的auxv文件可以判断elf bit
内核支持从2.6开始,android的内核版本在这之后,检测auxv文件判断elf bit是可靠的
先上makefile,Application.mk
APP_ABI := arm64-v8a APP_PLATFORM := android-21
只编译64位的版本,如果系统无法跑64位程序,证明整个系统都是32位的
Android.mk
# Copyright (C) 2009 The Android Open Source Project # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # LOCAL_PATH := $(call my-dir) include $(CLEAR_VARS) LOCAL_MODULE := auxv LOCAL_SRC_FILES := auxv.c LOCAL_ARM_MODE := arm include $(BUILD_EXECUTABLE)
源码auxv.c
#include <stdio.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> /* * Parsing auxv: if you parse the auxv structure yourself (not relying on the dynamic loader), then there‘s * a bit of a conundrum: the auxv structure follows the rule of the process it describes, so sizeof(unsigned * long) will be 4 for 32-bit processes and 8 for 64-bit processes. We can make this work for us. In * order for this to work on 32-bit systems, all key codes must be 0xffffffff or less. On a 64-bit system, * the most significant 32 bits will be zero. Intel machines are little endians, so these 32 bits follow * the least significant ones in memory. * As such, all you need to do is: * 1. Read 16 bytes from the `auxv` file. * 2. Is this the end of the file? * 3. Then it‘s a 64-bit process. * 4. Done. * 5. Is buf[4], buf[5], buf[6] or buf[7] non-zero? * 6. Then it‘s a 32-bit process. * 7. Done. * 8. Go to 1. */ int check_auxv(int pid) { if(pid < 0) { printf("invalid process id\n"); return -1; } char auxv[256]; snprintf(auxv, 256, "/proc/%d/auxv", pid); int fd = open(auxv, O_RDONLY); if(fd < 0) { printf("%s does not exist\nprocess %d maybe running in 32 bit elf mode", auxv, pid); return 0; } const int SIZE = 16; char buf[SIZE]; do { int nread = read(fd, buf, SIZE); if(nread < SIZE) { printf("process %d running in 64 bit elf mode\n", pid); break; } if(buf[4] && buf[5] && buf[6]) { printf("process %d running in 32 bit elf mode @ line %d\n", pid, __LINE__); printf("%x, %x, %x, %x\n", buf[4], buf[5], buf[6], buf[7]); break; } else if(buf[7]) { printf("process %d running in 32 bit elf mode\n", pid); break; } } while(1); close(fd); return 0; } int main(int argc, char* argv[]) { if(argc <= 1) { printf("usage:auxv pid1 [pid2 pid3 ...]\n"); return 0; } int i = 0; for(i = 1; i < argc; ++i) { int pid = atoi(argv[i]); check_auxv(pid); } return 0; }
编译命令
call ndk-build NDK_PROJECT_PATH=. NDK_APPLICATION_MK=./Application.mk
目录结构
|---Application.mk |---build.bat |---jni ||---Android.mk ||---auxv.c
以上是关于检测目标程序ELF bit是32还是64的主要内容,如果未能解决你的问题,请参考以下文章
Android中Native ELF的反汇编与破解的一些经验
-bash: /usr/bin/ls: /lib64/ld-linux-x86-64.so.2: bad ELF interpreter: No such file or directory(代码片段