mirror of
https://github.com/nganhkhoa/CTF-All-In-One.git
synced 2024-12-24 19:21:15 +07:00
update 4.3
This commit is contained in:
parent
1c42f754e2
commit
15d4252ec2
@ -1,6 +1,11 @@
|
||||
# 4.3 GCC 编译参数解析
|
||||
|
||||
- [常用选择](#常用选项)
|
||||
- [Address sanitizer](#address-sanitizer)
|
||||
- [参考资料](#参考资料)
|
||||
|
||||
|
||||
## 常用选项
|
||||
#### 控制标准版本的编译选项
|
||||
- `-ansi`:告诉编译器遵守 C 语言的 ISO C90 标准。
|
||||
- `-std=`:通过使用一个参数来设置需要的标准。
|
||||
@ -22,3 +27,78 @@
|
||||
- `Wswitch-default`:检查是否所有的 switch 语句都包含一个 default case。
|
||||
- `Wunused`:检查诸如声明静态函数但没有定义、未使用的参数和丢弃返回结果等情况。
|
||||
- `Wall`:启用绝大多数 gcc 的警告选项,包括所有以 -W 为前缀的选项。
|
||||
|
||||
|
||||
## Address sanitizer
|
||||
Address sanitizer 是一种用于检测内存错误的技术,GCC 从 4.8 版本开始支持了这一技术。ASan 在编译时插入额外指令到内存访问操作中,同时通过 Shadow memory 来记录和检测内存的有效性。ASan 其实只是 Sanitizer 一系列工具中的一员,其他工具比如 memory leak 检测在 LeakSanitizer 中,uninitialized memory read 检测在 MemorySanitizer 中等等。
|
||||
|
||||
举个例子,很明显下面这个程序存在栈溢出:
|
||||
```C
|
||||
#include<stdio.h>
|
||||
void main() {
|
||||
int a[10] = {0};
|
||||
int b = a[11];
|
||||
}
|
||||
```
|
||||
编译时加上参数 `-fsanitize=address`,如果使用 Makefile,则将参数加入到 CFLAGS 中:
|
||||
```
|
||||
$ gcc -fsanitize=address santest.c
|
||||
```
|
||||
然后运行:
|
||||
```
|
||||
$ ./a.out
|
||||
=================================================================
|
||||
==9399==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc03f4d64c at pc 0x565515082ad6 bp 0x7ffc03f4d5e0 sp 0x7ffc03f4d5d0
|
||||
READ of size 4 at 0x7ffc03f4d64c thread T0
|
||||
#0 0x565515082ad5 in main (/home/firmy/a.out+0xad5)
|
||||
#1 0x7fb4c04c0f69 in __libc_start_main (/usr/lib/libc.so.6+0x20f69)
|
||||
#2 0x565515082899 in _start (/home/firmy/a.out+0x899)
|
||||
|
||||
Address 0x7ffc03f4d64c is located in stack of thread T0 at offset 76 in frame
|
||||
#0 0x565515082989 in main (/home/firmy/a.out+0x989)
|
||||
|
||||
This frame has 1 object(s):
|
||||
[32, 72) 'a' <== Memory access at offset 76 overflows this variable
|
||||
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
|
||||
(longjmp and C++ exceptions *are* supported)
|
||||
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/firmy/a.out+0xad5) in main
|
||||
Shadow bytes around the buggy address:
|
||||
0x1000007e1a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
=>0x1000007e1ac0: f1 f1 f1 f1 00 00 00 00 00[f2]f2 f2 00 00 00 00
|
||||
0x1000007e1ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
0x1000007e1b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
Container overflow: fc
|
||||
Array cookie: ac
|
||||
Intra object redzone: bb
|
||||
ASan internal: fe
|
||||
Left alloca redzone: ca
|
||||
Right alloca redzone: cb
|
||||
==9399==ABORTING
|
||||
```
|
||||
确实检测出了问题。在实战篇中,为了更好地分析软件漏洞,我们可能会经常用到这个选项。
|
||||
|
||||
参考:https://en.wikipedia.org/wiki/AddressSanitizer
|
||||
|
||||
|
||||
## 参考资料
|
||||
- [GCC online documentation](https://gcc.gnu.org/onlinedocs/)
|
||||
|
Loading…
Reference in New Issue
Block a user