C代码

Posted on Edited on
个人见解
1
2
3
<!-- 随笔,想啥写啥,遇见啥选择性收录啥 -->

&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

one

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
#include <stdio.h>
 
void func1()
{
    printf("func1\n");
}
 
void hack()
{
    printf("hack\n");
}
 
struct Pfunc
{
    void (*p)();
};
 
 
int main()
{
    struct Pfunc* lpfunc = malloc(8);
    lpfunc->p = func1;
    lpfunc->p();
 
    free(lpfunc);
 
 
    long* hack_point = malloc(8);
    *hack_point = hack;
 
    lpfunc->p();
    return 0;
}

//gcc -g -m32 test.c

two

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#include<stdio.h>
#include<stdlib.h> 

//#define NULL 0  //redefine
#define xy 666;

int a();

// 经ida反编译查看bss段: ib、ie、ii、ia、sc、sa、il、id  
// data段:ic、i_f、ig、ih、im、io
// text段:a、main、ij、aaa、in
// 失踪:*ik、

int ia;      //未赋值变量,存在bss段 
int ib = 0;  //赋值为0,存在 bss段 ? -------------------- 
int ic = 1;  //赋值变量, 数据,存在data段
int id[10];  //未赋值数组,存在 bss段 ?------------------ 
int ie[]  = {0,0,0};    //赋值为0,存在 bss段 ? --------------------
int i_f[] = {12,13,14}; //赋值数组变量,
int *ig = id + 1;     //指向未赋值数组  ,存在 bss段?------------- 
int *ih = i_f;       //指向赋值数组   
int *ii = NULL;      //空指针,存在bss段?

int (ij)();  //名为 (ij) 的函数 ,后面有定义,可执行,存在text段
int *ik();   //名为 *ik 的函数 ,后面无定义,存在 bss 段? 
int (*il)(); //名为 il 的函数指针 ,所以为了区分函数与函数指针,函数指针变量的外面要套一层 ()   
//void ik() = a();
int (* im)() = a;  //名为 im 的函数指针 ,有赋值,存在哪?
int *in();  // 名为 *in 的函数 
int (* io)() = (ij);

// ia = ib;     //不放在函数里面会报错 
//*ik() = a();  //不放在函数里面会报错

/*
struct Pfunc
{
    int (*p)();
}sa,sb*,sc[]; *///sb* 加入会报错  ,自己体会 

struct Pfunc
{
    void (*p)();
}sa,sc[10]; 


void aaa();


int main()
{
	//*ik() = a();   // 理想:函数 a() 地址赋给 函数 *ik()   现实:error 
	ia = ib;
 
	
    int ma = 10;  //函数内部变量,存在栈上
    
    struct Pfunc* lpfunc;
	printf("1\n");
	
	//lpfunc->p = aaa;  //理想:pc指针指向这,执行代码将 *ik 函数地址赋值给 p   现实:估计触发了安全检测机制 ,程序到这就停了,没有达到想要的结果 
	printf("2\n");
	//lpfunc->p();      //pc指针执行到这时,执行lpfunc结构体的 p() 函数指针参数 ,最后一步步指向把 a()函数执行了   现实:同上 
    printf("3\n");
    
    //ma = aaa();
	a(); 
	(* im)();
	aaa();
	
    /**
    char mb;
    char *md ="this is rodata.";
    char mc[]="this is stack.";
    
    printf("\n d = %s , &d = %x",md,&md);
    printf("\n&c = 0x%x , c = %s , c = %d",&mc,mc,mc);
    **/
    
    return 0;
}

void aaa(){
	printf("\n I'm func aaa() ^_^ \n");
}

int a()
{
	printf("\n I'm func a() ^_^ \n");
	return 0;
}

int (ij)()
{
	printf("\n I'm (ij)() func \n");
	return 0;
 } 
 
int *in()
{
	printf("\n I'm *in() func :) \n");
	return 0;
}

// gcc -o yj1 yj1.c -fno-stack-protector -no-pie

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#bss段: ib、ie、ii、ia、sc、sa、il、id 、unk_404144(不知道是个啥)
.bss:0000000000404080 ; ===========================================================================
.bss:0000000000404080
.bss:0000000000404080 ; Segment type: Uninitialized
.bss:0000000000404080 ; Segment permissions: Read/Write
.bss:0000000000404080 _bss            segment align_32 public 'BSS' use64
.bss:0000000000404080                 assume cs:_bss
.bss:0000000000404080                 ;org 404080h
.bss:0000000000404080                 assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.bss:0000000000404080 completed_8061  db ?                    ; DATA XREF: __do_global_dtors_aux+4↑r
.bss:0000000000404080                                         ; __do_global_dtors_aux+16↑w
.bss:0000000000404081                 align 8
.bss:0000000000404088                 public ib
.bss:0000000000404088 ib              dd ?                    ; DATA XREF: main+C↑r
.bss:000000000040408C                 align 10h
.bss:0000000000404090                 public ie
.bss:0000000000404090 ie              db    ? ;
........
.bss:00000000004040A0                 public ii
.bss:00000000004040A0 ii              db    ? ;
........
.bss:00000000004040C0                 public ia
.bss:00000000004040C0 ia              dd ?                    ; DATA XREF: main+12↑w
.bss:00000000004040C4                 align 20h
.bss:00000000004040E0                 public sc
.bss:00000000004040E0 sc              db    ? ;
.bss:00000000004040E1                 db    ? ;
........
.bss:0000000000404130 sa              db    ? ;
........
.bss:0000000000404138 il              db    ? ;
........             
.bss:0000000000404140                 public id
.bss:0000000000404140 id              db    ? ;
.bss:0000000000404141                 db    ? ;
.bss:0000000000404142                 db    ? ;
.bss:0000000000404143                 db    ? ;
.bss:0000000000404144 unk_404144      db    ? ;               ; DATA XREF: .data:ig↑o
.bss:0000000000404145                 db    ? ;
.bss:0000000000404146                 db    ? ;
........
.bss:0000000000404167                 db    ? ;
.bss:0000000000404167 _bss            ends
.bss:0000000000404167

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
#data段:ic、i_f、ig、ih、im、io
.data:0000000000404020 ; ===========================================================================
.data:0000000000404020
.data:0000000000404020 ; Segment type: Pure data
.data:0000000000404020 ; Segment permissions: Read/Write
.data:0000000000404020 _data           segment qword public 'DATA' use64
.data:0000000000404020                 assume cs:_data
.data:0000000000404020                 ;org 404020h
.data:0000000000404020                 public __data_start ; weak
.data:0000000000404020 __data_start    db    0                 ; Alternative name is '__data_start'
.data:0000000000404020                                         ; data_start
......
.data:0000000000404028                 public __dso_handle
.data:0000000000404028 __dso_handle    db    0
.data:0000000000404029                 db    0
......
.data:0000000000404030                 public ic
.data:0000000000404030 ic              db    1
.data:0000000000404031                 db    0
......
.data:0000000000404038                 public i_f
.data:0000000000404038 i_f             db  0Ch                 ; DATA XREF: .data:ih↓o
.data:0000000000404039                 db    0
......
.data:0000000000404048                 public ig
.data:0000000000404048 ig              dq offset unk_404144
.data:0000000000404050                 public ih
.data:0000000000404050 ih              dq offset i_f
.data:0000000000404058                 public im
.data:0000000000404058 ; __int64 (*im)(void)
.data:0000000000404058 im              dq offset a             ; DATA XREF: main+4D↑r
.data:0000000000404060                 public io
.data:0000000000404060 io              dq offset ij
.data:0000000000404060 _data           ends
.data:0000000000404060


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#rodata:存字符串的
.rodata:0000000000402000 ; ===========================================================================
.rodata:0000000000402000
.rodata:0000000000402000 ; Segment type: Pure data
.rodata:0000000000402000 ; Segment permissions: Read
.rodata:0000000000402000 _rodata         segment dword public 'CONST' use64
.rodata:0000000000402000                 assume cs:_rodata
.rodata:0000000000402000                 ;org 402000h
.rodata:0000000000402000                 public _IO_stdin_used
.rodata:0000000000402000 _IO_stdin_used  db    1                 ; DATA XREF: LOAD:0000000000400130↑o
.rodata:0000000000402001                 db    0
.rodata:0000000000402002                 db    2
.rodata:0000000000402003                 db    0
.rodata:0000000000402004 ; const char s[]
.rodata:0000000000402004 s:                                      ; DATA XREF: main+1F↑o
.rodata:0000000000402004                                         ; main+2B↑o ...
.rodata:0000000000402004                 text "UTF-16LE", '123'
.rodata:000000000040200A ; const char aIMFuncAaa[]
.rodata:000000000040200A aIMFuncAaa      db 0Ah                  ; DATA XREF: aaa+8↑o
.rodata:000000000040200A                 db ' I',27h,'m func aaa() ^_^ ',0
.rodata:0000000000402020 ; const char aIMFuncA[]
.rodata:0000000000402020 aIMFuncA        db 0Ah                  ; DATA XREF: a+8↑o
.rodata:0000000000402020                 db ' I',27h,'m func a() ^_^ ',0
.rodata:0000000000402034 ; const char aIMIjFunc[]
.rodata:0000000000402034 aIMIjFunc       db 0Ah                  ; DATA XREF: ij+8↑o
.rodata:0000000000402034                 db ' I',27h,'m (ij)() func ',0
.rodata:0000000000402047 ; const char aIMInFunc[]
.rodata:0000000000402047 aIMInFunc       db 0Ah                  ; DATA XREF: in+8↑o
.rodata:0000000000402047                 db ' I',27h,'m *in() func :) ',0
.rodata:0000000000402047 _rodata         ends
.rodata:0000000000402047

1
#text段上有很多其他函数,就不列出了

1
#在main函数ia = ib下方加一句ia = ic;后bss段变化如下,自己体会

图1:

image-20220811164044550

图2:

image-20220811164028199

1
2
3
4
5
6
7
8
9
10
11
#int小结:(个人理解)
#注:全局变量
常量a:未赋值、赋值为0时,存储在bss段,赋值后存在data段
数组a[n]:数组未赋值、赋值为0时,存储在bss段,赋值后存在data段
指针 *a :空指针存在bss段,赋值后存在data段
函数a() :不管有无定义,函数变量都不在bss段,有定义的函数写在代码段(text段),无定义的函数无了,*ik
函数指针(* a)():未赋值存储在bss段,赋值则存在data段

#其次,对于函数内部变量,上面的是针对全局变量的
运行时存储在栈上

图3:

image-20220811164848543