I have a .a file with a bunch of symbols and objects. There is a section which
libunwind.o:
00000184 T _Unwind_Backtrace
00000160 T _Unwind_ForcedUnwind
000000f4 T _Unwind_RaiseException
00000118 T _Unwind_Resume
0000013c T _Unwind_Resume_or_Rethrow
00000184 T ___Unwind_Backtrace
00000160 T ___Unwind_ForcedUnwind
000000f4 T ___Unwind_RaiseException
00000118 T ___Unwind_Resume
0000013c T ___Unwind_Resume_or_Rethrow
U __gnu_Unwind_Backtrace
U __gnu_Unwind_ForcedUnwind
U __gnu_Unwind_RaiseException
00000014 T __gnu_Unwind_Restore_VFP
00000024 T __gnu_Unwind_Restore_VFP_D
00000034 T __gnu_Unwind_Restore_VFP_D_16_to_31
000000cc T __gnu_Unwind_Restore_WMMXC
00000044 T __gnu_Unwind_Restore_WMMXD
U __gnu_Unwind_Resume
U __gnu_Unwind_Resume_or_Rethrow
0000001c T __gnu_Unwind_Save_VFP
0000002c T __gnu_Unwind_Save_VFP_D
0000003c T __gnu_Unwind_Save_VFP_D_16_to_31
000000e0 T __gnu_Unwind_Save_WMMXC
00000088 T __gnu_Unwind_Save_WMMXD
00000000 T __restore_core_regs
00000000 T restore_core_regs
Which binutil tool I could use to remove the entire section?
If you mean that you want to remove the entire file libunwind.o, you can use:
ar d libwhateveritis.a libunwind.o
Related
So i was recently trying to exploit a kernel mode driver (HEVD) and I encountered a problem which doesn't make sense to me.
After i jumped to my shellcode (which resides in usermode and was made executable by VirtualProtect), the thread keeps generating a pagefault. Then the Thread keeps generating this pagefault in an endless loop (it doesn't throw an exception).
So i investegated what kind of page fault was triggered and i got the following output for the pagefault-handler:
Breakpoint 0 hit
nt!KiPageFault+0x8:
fffff806`7d201d08 488dac2480000000 lea rbp,[rsp+80h]
0: kd> dd %rsp + 0x158
ffff9307`717e9768 51dce820 ffffad82 00000011 00000000
ffff9307`717e9778 ee49cf8e 000001a4 00000010 00000000
ffff9307`717e9788 00010206 00000000 717e97a0 ffff9307
ffff9307`717e9798 00000018 00000000 00000003 00000000
ffff9307`717e97a8 c00000bb 00000000 0000004d 00000000
ffff9307`717e97b8 00000018 00000000 00000003 00000000
ffff9307`717e97c8 7a0e643b fffff806 00000000 00000000
ffff9307`717e97d8 55555555 55555555 7a0e8b10 fffff806
Here we see the stack after the page fault occured. The Breakpoint is triggered immediatly after i resume the execution (and yes, the breakpoint is conditional for only this thread). The frame is exactly the same every time the breakpoint was triggered.
So I tried to decode the stackframe. A pagefault pushes some infomation on the stack. I decoded it manually (I don't know a better way to do this) and I got that the following:
RFLAGS 10206
CS 10
RIP 000001a4ee49cf8e
Errcode 11 --> P, I bits set
CR2 000001a4ee49cf8e
This should be right decoded (maybe it's erroneous. The top of the stack was ffff9307`717e9770, so the 0x...11 was the last thing pushed onto the stack). So the errocodes says that the exception is thrown while the page was present and it was during an instruction fetch.
Now: I think this should mean a access violation because of the NX-Bit. But this cannot be because the address is executable, as this snippet shows:
VA 000001a4ee49cf8e
PXE at FFFFA8D46A351018 PPE at FFFFA8D46A203498 PDE at FFFFA8D440693B90 PTE at
FFFFA880D27724E0
contains 8A00000027704867 contains 0A0000010DA05867 contains 0A0000010F9BE867 contains
0100000119B6C825
pfn 27704 ---DA--UW-V pfn 10da05 ---DA--UWEV pfn 10f9be ---DA--UWEV pfn 119b6c ----A-
UREV
The executable bit is set for the pte. So I asked myself why this happens. It's a bit weird also that it doesn't throw a access-violation and create a bugcheck.
Also the OS runs on virtualbox. I looked up the settings and I noticed that SMEP and SMAP aren't supported by my virtual machine (but by my host system. VirtualBox catches cpuid-Instructions and pretends that this feature is disabled). So this shoudn't be the problem either. Also if you dump the register, the SMEP/SMAP bits in CR4 are not set.
I have really no clue what could be the cause of this problem. Maybe it's because of the virtual machine. It could also be because Windows gets confused when a thread runs userocde or something else. I really thought a long time about it but maybe I just overlookeda a simple reason.
Thanks in advance
Background
I have a function where a user can upload and send over an image from my ios to my rails app and it works for .jpg files. I would like to make it work for all image types. All I need to do is send over the image type in the API POST.
So far the user uploads the image and its an NSData, then I encoded into a image.base64EncodedStringWithOptions and put it into a JSON and send it over. This works for .jpg's.
Question
How do I get the image's type from the NSData or the encoded string of an image?
Examples
Here is the NSData of a very small .png that the user might try to upload.
<89504e47 0d0a1a0a 0000000d 49484452 0000000a 0000000a 08060000 008d32cf bd000000 01735247 4200aece 1ce90000 00097048 59730000 16250000 16250149 5224f000 00001c69 444f5400 00000200 00000000 00000500 00002800 00000500 00000500 00005ec1 07ed5500 00002a49 44415428 1562f88f 04181818 fea36398 34038c01 a2d11581 f8308060 11ab109b 691826e2 5284ac10 000000ff ff232a1e 6b000000 27494441 5463f80f 040c0c0c 3831481e 0418c004 0e856015 5002a742 644560c3 c0041613 c9560800 782fe719 4293f838 00000000 49454e44 ae426082>
Here is output of
strBase64:String = image.base64EncodedStringWithOptions(.Encoding64CharacterLineLength)
print(strBase64)
iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAYAAACNMs+9AAAAAXNSR0IArs4c6QAA\r\nAAlwSFlzAAAWJQAAFiUBSVIk8AAAABxpRE9UAAAAAgAAAAAAAAAFAAAAKAAAAAUA\r\nAAAFAAAAXsEH7VUAAAAqSURBVCgVYviPBBgYGP6jY5g0A4wBotEVgfgwgGARqxCb\r\naRgm4lKErBAAAAD//yMqHmsAAAAnSURBVGP4DwQMDAw4MUgeBBjABA6FYBVQAqdC\r\nZEVgw8AEFhPJVggAeC/nGUKT+DgAAAAASUVORK5CYII=
You should check your Base 64 encoded string for magic numbers in files.
https://en.m.wikipedia.org/wiki/Magic_number_(programming)#Magic_numbers_in_files
For example for PNG:
PNG image files begin with an 8-byte signature which identifies the file as a PNG file and allows detection of common file transfer problems: \211 P N G \r \n \032 \n (89 50 4E 47 0D 0A 1A 0A).
For JPEG:
JPEG image files begin with FF D8 and end with FF D9. JPEG/JFIF files contain the ASCII code for "JFIF" (4A 46 49 46) as a null terminated string. JPEG/Exif files contain the ASCII code for "Exif" (45 78 69 66) also as a null terminated string, followed by more metadata about the file.
So parse your string, detect matching of any magic number, map magic number to image file type.
I'm having problem to form the field section's structure into xfd files after analyse by issuing commnad "vutil32.exe -i -kx pogl.dad". I hope somebody could help me out how to form out field structure as highlighted in below. I've uploaded sample of my file known as "pglc.dad" i hope soneone could guide me how to form .xfd file from his expert skills and guide me.Thanks
Result from vutil32.exe
file size: 250880
record size (min/max): 121/1024 compressed(80%)
# of keys: 4
key size: 16:02 31:03 56:03 15
key offset: 0 0 0 1
duplicates okay: N N N N
block size: 512
blocks per granule: 1
tree height: 4/2/2.7
# of nodes: 200
# of deleted nodes: 1
total node space: 101800
node space used: 67463 (66%)
user count: 0
Key Dups Seg-1 Seg-2 Seg-3 Seg-4 Seg-5 Seg-6
(sz/of) (sz/of) (sz/of) (sz/of) (sz/of) (sz/of)
0 N 1/0 15/1
1 N 1/0 15/66 15/1
2 N 1/0 40/81 15/1
3 N 15/1
Here is my further construction of .xfd file.
XFD,02,PGLC,PGLC
00300,00041,004
1,0,013,00000
01
PGSTAT
3,0,004,00004,020,00021,004,00000
3
PGSTAT
PGDESC
PGLINE
3,0,004,00004,008,00013,004,00000
03
PGSTAT
PGDESC
PGLINE
1,0,012,00021
01
PGSTAT
000
0150,00150,00003 =================>> How can i form this field section.
00000,00013,16,00016,+00,000,000,PGSTAT
00000,00001,16,00001,+00,000,000,PGDESC
00001,00015,16,00015,+00,000,000,PGLINE
here is the link for my pglc.dad : http://files.engineering.com/getfile.aspx?folder=080fdad6-b1d5-4a37-8dd0-b89f9a985c69&file=PGLC.DAD
Thanks appopriate to someone could helps.
I know the XFD format intimately as I have written a couple of parsers of this file format in both Perl and Cobol.
Having said that, I would strongly recommend that you do not try to hand craft an XFD file from scratch.
If you have an AcuCobol (MicroFocus) compiler, and the source of the file's SELECT and FD definitions, then you can create a very small Cobol program that has just the SELECT and FD definitions and then compile the program using:
ccbl32.exe -Fx <program>
That will create an XFD file for the indexed file definition. Note, you can specify a directory for the created XFD file using the -Fo <directory> option.
If you don't have the source of the file definitions, then you are just going to be guessing what and where the fields are. The indexed file by itself will not tell you that information. I can see from extracting the data in your file (using the vutil -e option) that the file contains binary data as well as text, so without knowing exactly what PICture those fields are (COMP-?) you will be struggling to figure out the structure of those fields.
I have several hex-values that I try to write to a file. It seems that Lua doesn't support that out of the box, since they are all treated as strings instead of values. I figured I would have to break up a longer hex-value, for example AABBCC into AA, BB, CC and use string.char() on all of their decimal values consecutively to get the job done.
Is there a built in function that allows me to write such values directly without converting them first? I used escape characters such as "0xAA" and "\xAA", but those didn't work out.
Edit: Let me give you an example. I'm looking at a test file in a hex editor:
00000000 00 00 00 00 00 00 ......
And I want to write to it in the following fashion with the string "AABBCC":
00000000 AA BB CC 00 00 00 ......
What I get though with the escape characters is:
00000000 41 41 42 42 43 43 AABBCC
I use the following functions to convert between a hex string and a "raw binary":
function string.fromhex(str)
return (str:gsub('..', function (cc)
return string.char(tonumber(cc, 16))
end))
end
function string.tohex(str)
return (str:gsub('.', function (c)
return string.format('%02X', string.byte(c))
end))
end
They can be used as follows:
("Hello world!"):tohex() --> 48656C6C6F20776F726C6421
("48656C6C6F20776F726C6421"):fromhex() --> Hello world!
So you have a string like this:
value = 'AABBCC'
And you want to print it (or turn it into a string) like this?
'101010101011101111001100'
How about this?
function hex2bin(str)
local map = {
['0'] = '0000'
['1'] = '0001'
['2'] = '0010'
-- etc. up to 'F'
}
return str:gsub('[0-9A-F]', map)
end
Note that it leaves untouched any characters which could not be interpreted as hex.
There is so such function because it's that easy to write one.
function writeHex(str,fh)
for byte in str:gmatch'%x%x' do
fh:write(string.char(tonumber(byte,16)))
end
end
This just plainly writes the values to the file pointed to by the fh filehandle.
When using copy-on-write semantics to share memory among processes, how can you test if a memory page is writable or if it is marked as read-only? Can this be done by calling a specific assembler code, or reading a certain spot in memory, or through the OS's API?
On Linux you can examine /proc/pid/maps:
$ cat /proc/self/maps
002b3000-002cc000 r-xp 00000000 68:01 143009 /lib/ld-2.5.so
002cc000-002cd000 r-xp 00018000 68:01 143009 /lib/ld-2.5.so
002cd000-002ce000 rwxp 00019000 68:01 143009 /lib/ld-2.5.so
002d0000-00407000 r-xp 00000000 68:01 143010 /lib/libc-2.5.so
00407000-00409000 r-xp 00137000 68:01 143010 /lib/libc-2.5.so
00409000-0040a000 rwxp 00139000 68:01 143010 /lib/libc-2.5.so
0040a000-0040d000 rwxp 0040a000 00:00 0
00c6f000-00c70000 r-xp 00c6f000 00:00 0 [vdso]
08048000-0804d000 r-xp 00000000 68:01 379298 /bin/cat
0804d000-0804e000 rw-p 00004000 68:01 379298 /bin/cat
08326000-08347000 rw-p 08326000 00:00 0
b7d1b000-b7f1b000 r--p 00000000 68:01 226705 /usr/lib/locale/locale-archive
b7f1b000-b7f1c000 rw-p b7f1b000 00:00 0
b7f28000-b7f29000 rw-p b7f28000 00:00 0
bfe37000-bfe4d000 rw-p bfe37000 00:00 0 [stack]
The first column is the virtual memory address range, the second column contains the permissions (read, write, execute, and private), columns 3-6 contain the offset, major and minor device numbers, the inode, and the name of memory mapped files.
On Win32, the best way is to use VirtualQuery. It returns a MEMORY_BASIC_INFORMATION for the page an address falls in. One of the members is Protect, which is some combination of these flags, which contain the possible protection modes. The function also tells you if the memory is free, committed, reserved, and whether it is private, part of an image or shared memory section.
The OS's API is the best way to detirmine the a page's protection. The CPU reads the protection mode from a page descriptor, which is only accessible from kernel mode.
Are you talking abou the variety of shared memory allocated via shmget (on Unix)? I.e.
int shmget(key_t, size_t, int);
If so, you can query that memory using
int shmctl(int, int, struct shmid_ds *);
For example:
key_t key = /* your choice of memory api */
int flag = /* set of flags for your app */
int shmid = shmget(key, 4096, flag);
struct shmid_ds buf;
int result = shmctl(shmid, IPC_STAT, &buf);
/* buf.ipc_perm.mode contains the permissions for the memory segment */
If you're using Win32, there are the calls IsBadReadPtr and IsBadWritePtr. However, their use is discouraged:
"The general consensus is that the IsBad family of functions (IsBadReadPtr, IsBadWritePtr, and so forth) is broken and should not be used to validate pointers."
The title of Raymond Chen's take on this says it all: "IsBadXxxPtr should really be called CrashProgramRandomly"
Chen has some helpful advice about how to deal with this issue here.
The upshot is, you shouldn't be testing this kind of thing at run-time. Code so that you know what you're being handed, and if it's not what's expected, treat it as a bug. If you really have no choice, look into SEH for handling the exception.