diff --git a/doc/1.1_ctf.md b/doc/1.1_ctf.md
index 03d1649..c30202d 100644
--- a/doc/1.1_ctf.md
+++ b/doc/1.1_ctf.md
@@ -4,6 +4,7 @@
 - [赛事介绍](#赛事介绍)
 - [题目类别](#题目类别)
 - [高质量的比赛](#高质量的比赛)
+- [竞赛小贴士](#竞赛小贴士)
 - [搭建 CTF 比赛平台](#搭建-ctf-比赛平台)
@@ -49,6 +50,46 @@ CTF竞赛模式具体分为以下三类:
 ## 高质量的比赛
 详见:[ctftime.org](http://www.ctftime.org)
+- Pwn2Own
+ - 世界最难的黑客挑战赛
+ - 针对主流浏览器的远程攻击
+ - 要求沙箱逃逸
+- CyberGrandChallenge
+ - 机器人的CTF攻防比赛
+ - 自动化漏洞挖掘、漏洞利用、程序分析、程序补丁
+
+
+## 竞赛小贴士
+- 寻找团队
+ - 彼此激励24小时以上的连续作战
+ - 彼此分享交流技术与心得是最快的成长途径
+ - 强有力的团队可以让你安心专注于某一领域
+ - 在黑暗中前行不会感到孤独
+- 有效训练
+ - 坚持不懈地训练是成为强者的必经途径
+ - wargame
+ - 经典赛题配合writeup加以总结
+ - https://github.com/ctfs
+ 以赛代练
+ 总结与分享
+- wargame推荐
+ - 漏洞挖掘与利用
+ - pwnable.kr
+ - https://exploit-exercises.com/
+ - https://io.netgarage.org/
+ - 逆向工程与软件破解
+ - reversing.kr
+ - http://crackmes.de/
+ - web渗透
+ - webhacking.kr
+ - https://xss-game.appspot.com/
+ - 综合类
+ - http://overthewire.org/wargames/
+ - https://w3challs.com/
+ - https://chall.stypr.com/?chall
+ - https://pentesterlab.com/
+ - id0-rsa.pub
+
 ## 搭建 CTF 比赛平台
 - [FBCTF](https://github.com/facebook/fbctf) - The Facebook CTF is a platform to host Jeopardy and “King of the Hill” style Capture the Flag competitions.
diff --git a/doc/1.5.3_elf.md b/doc/1.5.3_elf.md
index f51507c..621010c 100644
--- a/doc/1.5.3_elf.md
+++ b/doc/1.5.3_elf.md
@@ -3,6 +3,7 @@
 - [一个实例](#一个实例)
 - [elfdemo.o](#elfdemoo)
 - [ELF 文件结构](#elf-文件结构)
+- [参考资料](#参考资料)
 ## 一个实例
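Review bot: Under `+- 有效训练` the two added lines `+ 以赛代练` and `+ 总结与分享` carry no `- ` bullet marker, so Markdown renders them as lazy continuation text of the preceding `https://github.com/ctfs` item rather than as entries of their own. Writing them as `  - 以赛代练` and `  - 总结与分享` keeps them at the same nesting as the sibling items. Whitespace is collapsed on this page, so the exact indentation the neighbouring items use cannot be confirmed from here.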
@@ -243,25 +244,43 @@ Elf32_Sword | 4 | 4 | 有符号整型 | int32_t
 Elf32_Word | 4 | 4 | 无符号整型 | uint32_t
 #### 文件头
-32位 ELF 文件头必然存在于 ELF 文件的开头,表明这是一个 ELF 文件。定义如下:
-```text
+ELF 文件头必然存在于 ELF 文件的开头,表明这是一个 ELF 文件。定义如下:
+```C
 typedef struct
 {
- unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
- Elf32_Half e_type; /* Object file type */
- Elf32_Half e_machine; /* Architecture */
- Elf32_Word e_version; /* Object file version */
- Elf32_Addr e_entry; /* Entry point virtual address */
- Elf32_Off e_phoff; /* Program header table file offset */
- Elf32_Off e_shoff; /* Section header table file offset */
- Elf32_Word e_flags; /* Processor-specific flags */
- Elf32_Half e_ehsize; /* ELF header size in bytes */
- Elf32_Half e_phentsize; /* Program header table entry size */
- Elf32_Half e_phnum; /* Program header table entry count */
- Elf32_Half e_shentsize; /* Section header table entry size */
- Elf32_Half e_shnum; /* Section header table entry count */
- Elf32_Half e_shstrndx; /* Section header string table index */
+ unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
+ Elf32_Half e_type; /* Object file type */
+ Elf32_Half e_machine; /* Architecture */
+ Elf32_Word e_version; /* Object file version */
+ Elf32_Addr e_entry; /* Entry point virtual address */
+ Elf32_Off e_phoff; /* Program header table file offset */
+ Elf32_Off e_shoff; /* Section header table file offset */
+ Elf32_Word e_flags; /* Processor-specific flags */
+ Elf32_Half e_ehsize; /* ELF header size in bytes */
+ Elf32_Half e_phentsize; /* Program header table entry size */
+ Elf32_Half e_phnum; /* Program header table entry count */
+ Elf32_Half e_shentsize; /* Section header table entry size */
+ Elf32_Half e_shnum; /* Section header table entry count */
+ Elf32_Half e_shstrndx; /* Section header string table index */
 } Elf32_Ehdr;
+
+typedef struct
+{
+ unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
+ Elf64_Half e_type; /* Object file type */
+ Elf64_Half e_machine; /* Architecture */
+ Elf64_Word e_version; /* Object file version */
+ Elf64_Addr e_entry; /* Entry point virtual address */
+ Elf64_Off e_phoff; /* Program header table file offset */
+ Elf64_Off e_shoff; /* Section header table file offset */
+ Elf64_Word e_flags; /* Processor-specific flags */
+ Elf64_Half e_ehsize; /* ELF header size in bytes */
+ Elf64_Half e_phentsize; /* Program header table entry size */
+ Elf64_Half e_phnum; /* Program header table entry count */
+ Elf64_Half e_shentsize; /* Section header table entry size */
+ Elf64_Half e_shnum; /* Section header table entry count */
+ Elf64_Half e_shstrndx; /* Section header string table index */
+} Elf64_Ehdr;
 ```
 `e_ident` 保存着 ELF 的幻数和其他信息,最前面四个字节是幻数,用字符串表示为 `\177ELF`,其后的字节如果是 32 位则是 ELFCLASS32 (1),如果是 64 位则是 ELFCLASS64 (2),再其后的字节表示端序,小端序为 ELFDATA2LSB (1),大端序为 ELFDATA2LSB (2)。最后一个字节则表示 ELF 的版本。
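Review bot: The new `Elf64_Ehdr` uses `Elf64_Half`, `Elf64_Word`, `Elf64_Addr` and `Elf64_Off` (the later hunks add `Elf64_Xword`, `Elf64_Sxword` and `Elf64_Section`), but the data-type table this fence sits under — visible in the hunk header as `Elf32_Sword | 4 | 4 | 有符号整型 | int32_t` — only defines the 32-bit names, so a reader cannot derive the size or offset of any 64-bit field the way the text lets them do for the 32-bit structs. Adding the matching rows above the fence (Elf64_Addr/Off/Xword/Sxword are 8 bytes, Elf64_Half 2, Elf64_Word/Sword 4) would close that gap; the program-header, section-header, symbol-table and relocation hunks below have the same omission. Separately, the context line after the fence still says 大端序为 ELFDATA2LSB (2); the big-endian value of `e_ident[EI_DATA]` is named ELFDATA2MSB, and since this section now covers both classes it is worth correcting while it is being touched.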
@@ -294,18 +313,30 @@ ELF Header:
 程序头表是由 ELF 头的 `e_phoff` 指定的偏移量和 `e_phentsize`、`e_phnum` 共同确定大小的表格组成。`e_phentsize` 表示表格中程序头的大小,`e_phnum` 表示表格中程序头的数量。
 程序头的定义如下:
-```
+```C
 typedef struct
 {
- Elf32_Word p_type; /* Segment type */
- Elf32_Off p_offset; /* Segment file offset */
- Elf32_Addr p_vaddr; /* Segment virtual address */
- Elf32_Addr p_paddr; /* Segment physical address */
- Elf32_Word p_filesz; /* Segment size in file */
- Elf32_Word p_memsz; /* Segment size in memory */
- Elf32_Word p_flags; /* Segment flags */
- Elf32_Word p_align; /* Segment alignment */
+ Elf32_Word p_type; /* Segment type */
+ Elf32_Off p_offset; /* Segment file offset */
+ Elf32_Addr p_vaddr; /* Segment virtual address */
+ Elf32_Addr p_paddr; /* Segment physical address */
+ Elf32_Word p_filesz; /* Segment size in file */
+ Elf32_Word p_memsz; /* Segment size in memory */
+ Elf32_Word p_flags; /* Segment flags */
+ Elf32_Word p_align; /* Segment alignment */
 } Elf32_Phdr;
+
+typedef struct
+{
+ Elf64_Word p_type; /* Segment type */
+ Elf64_Word p_flags; /* Segment flags */
+ Elf64_Off p_offset; /* Segment file offset */
+ Elf64_Addr p_vaddr; /* Segment virtual address */
+ Elf64_Addr p_paddr; /* Segment physical address */
+ Elf64_Xword p_filesz; /* Segment size in file */
+ Elf64_Xword p_memsz; /* Segment size in memory */
+ Elf64_Xword p_align; /* Segment alignment */
+} Elf64_Phdr;
 ```
 使用 readelf 来查看程序头:
@@ -344,20 +375,34 @@ Program Headers:
 #### 段
 段表(Section Header Table)是一个以 `Elf32_Shdr` 结构体为元素的数组,每个结构体对应一个段,它描述了各个段的信息。ELF 文件头的 `e_shoff` 成员给出了段表在 ELF 中的偏移,`e_shnum` 成员给出了段描述符的数量,`e_shentsize` 给出了每个段描述符的大小。
-```text
+```C
 typedef struct
 {
- Elf32_Word sh_name; /* Section name (string tbl index) */
- Elf32_Word sh_type; /* Section type */
- Elf32_Word sh_flags; /* Section flags */
- Elf32_Addr sh_addr; /* Section virtual addr at execution */
- Elf32_Off sh_offset; /* Section file offset */
- Elf32_Word sh_size; /* Section size in bytes */
- Elf32_Word sh_link; /* Link to another section */
- Elf32_Word sh_info; /* Additional section information */
- Elf32_Word sh_addralign; /* Section alignment */
- Elf32_Word sh_entsize; /* Entry size if section holds table */
+ Elf32_Word sh_name; /* Section name (string tbl index) */
+ Elf32_Word sh_type; /* Section type */
+ Elf32_Word sh_flags; /* Section flags */
+ Elf32_Addr sh_addr; /* Section virtual addr at execution */
+ Elf32_Off sh_offset; /* Section file offset */
+ Elf32_Word sh_size; /* Section size in bytes */
+ Elf32_Word sh_link; /* Link to another section */
+ Elf32_Word sh_info; /* Additional section information */
+ Elf32_Word sh_addralign; /* Section alignment */
+ Elf32_Word sh_entsize; /* Entry size if section holds table */
 } Elf32_Shdr;
+
+typedef struct
+{
+ Elf64_Word sh_name; /* Section name (string tbl index) */
+ Elf64_Word sh_type; /* Section type */
+ Elf64_Xword sh_flags; /* Section flags */
+ Elf64_Addr sh_addr; /* Section virtual addr at execution */
+ Elf64_Off sh_offset; /* Section file offset */
+ Elf64_Xword sh_size; /* Section size in bytes */
+ Elf64_Word sh_link; /* Link to another section */
+ Elf64_Word sh_info; /* Additional section information */
+ Elf64_Xword sh_addralign; /* Section alignment */
+ Elf64_Xword sh_entsize; /* Entry size if section holds table */
+} Elf64_Shdr;
 ```
 使用 readelf 命令查看目标文件中完整的段:
@@ -440,16 +485,26 @@ Hex dump of section '.shstrtab':
 #### 符号表
 目标文件的符号表保存了定位和重定位程序的符号定义和引用所需的信息。符号表索引是这个数组的下标。索引0指向表中的第一个条目,作为未定义的符号索引。
-```text
+```C
 typedef struct
 {
- Elf32_Word st_name; /* Symbol name (string tbl index) */
- Elf32_Addr st_value; /* Symbol value */
- Elf32_Word st_size; /* Symbol size */
- unsigned char st_info; /* Symbol type and binding */
- unsigned char st_other; /* Symbol visibility */
- Elf32_Section st_shndx; /* Section index */
+ Elf32_Word st_name; /* Symbol name (string tbl index) */
+ Elf32_Addr st_value; /* Symbol value */
+ Elf32_Word st_size; /* Symbol size */
+ unsigned char st_info; /* Symbol type and binding */
+ unsigned char st_other; /* Symbol visibility */
+ Elf32_Section st_shndx; /* Section index */
 } Elf32_Sym;
+
+typedef struct
+{
+ Elf64_Word st_name; /* Symbol name (string tbl index) */
+ unsigned char st_info; /* Symbol type and binding */
+ unsigned char st_other; /* Symbol visibility */
+ Elf64_Section st_shndx; /* Section index */
+ Elf64_Addr st_value; /* Symbol value */
+ Elf64_Xword st_size; /* Symbol size */
+} Elf64_Sym;
 ```
 查看符号表:
@@ -482,21 +537,19 @@ Symbol table '.symtab' contains 20 entries:
 #### 重定位
 重定位是连接符号定义与符号引用的过程。可重定位文件必须具有描述如何修改段内容的信息,从而运行可执行文件和共享对象文件保存进程程序映像的正确信息。
-```text
-/* Relocation table entry without addend (in section of type SHT_REL). */
+```C
 typedef struct
 {
- Elf32_Addr r_offset; /* Address */
- Elf32_Word r_info; /* Relocation type and symbol index */
+ Elf32_Addr r_offset; /* Address */
+ Elf32_Word r_info; /* Relocation type and symbol index */
 } Elf32_Rel;
-/* Relocation table entry with addend (in section of type SHT_RELA). */
 typedef struct
 {
- Elf32_Addr r_offset; /* Address */
- Elf32_Word r_info; /* Relocation type and symbol index */
- Elf32_Sword r_addend; /* Addend */
-} Elf32_Rela;
+ Elf64_Addr r_offset; /* Address */
+ Elf64_Xword r_info; /* Relocation type and symbol index */
+ Elf64_Sxword r_addend; /* Addend */
+} Elf64_Rela;
 ```
 查看重定位表:
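Review bot: The relocation fence ends up with `Elf32_Rel` and `Elf64_Rela` but neither `Elf32_Rela` nor `Elf64_Rel`, because the `+} Elf64_Rela;` struct replaces the 32-bit one instead of being added beside it as every other hunk in this commit does for its 64-bit counterpart. The two dropped comment lines (`/* Relocation table entry without addend (in section of type SHT_REL). */` and its SHT_RELA twin) were also the only place the text tied each entry layout to the section type that holds it, and the readelf output that follows (`.rel.eh_frame`, `R_386_PC32`) is 32-bit REL, so the page now shows a 64-bit RELA struct next to 32-bit REL data. Keeping the removed `Elf32_Rela` lines and the two comments, and adding the matching `Elf64_Rel` with `Elf64_Addr r_offset; /* Address */` and `Elf64_Xword r_info; /* Relocation type and symbol index */`, would make this section consistent with the others.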
@@ -521,3 +574,8 @@ Relocation section '.rel.eh_frame' at offset 0x380 contains 3 entries:
 00000044 00000202 R_386_PC32 00000000 .text
 00000070 00000802 R_386_PC32 00000000 .text.__x86.get_pc_thu
 ```
+
+
+## 参考资料
+- `$ man elf`
+- [Acronyms relevant to Executable and Linkable Format (ELF)](https://www.cs.stevens.edu/~jschauma/631/elf.html)