Linux Kernel analysis-executable program loading

Linked process

• First, run the C preprocessor CPP and translate the C source program (A.C) into an ASCII intermediate file (A.I)
• Then C compiler CCL, translate A.I into ASCII assembly language file A.s
• Then run assembler as to translate the A.S to a relocatable target file a.o
• Eventually fully linked to an executable file a.out

Target file

• There are three forms of the target file:
  • relocatable Target Files
  • Executable Target file
  • Share destination file

• The structure of the relocatable target file in elf format is as follows:
  

• . Text: Machine code for compiled programs
• . Rodata: Read-only data
• . Data: Initialized global C variable
• . BSS: Uninitialized global C variable. In the destination file, this section does not occupy the actual space, only a placeholder.
• . sysmtab: A symbol table that holds information about functions and global variables that are defined and referenced in the program.
• . Rel.text: When the linker combines this target file with other files, many of the locations in the. Text section need to be modified. In general, any directives that invoke an external function or reference a global variable are modified. Another aspect, the instruction that calls the local function does not need to be modified.
• . Rel//.data: Information about any global variables that are defined or referenced by the module.
• . Debug: A Debug Symbol table
• . Line: The mapping between the row numbers in the original C source program and the machine directives in the. Text section.
• . strtab: A string table that includes the symbol table in the. Symtab and. Debug sections, and the section name in the section header.

• Header information for elf files that can be viewed through the readelf-h process

How to save the data of a new program

• Call Execve through the shell program to pass command-line arguments and environment parameters to the main function of the executable program. The execve then presses the parameters in the main function onto the stack when creating a new user-state stack. The final implementation of the SYS_EXECVE to truly implement the parameters in the system delivery.

• When the new executable is called, the space occupied by the old executable is taken up by the new executable, so that when Execve returns, the data returned is not the result of the old executable, but the return data of the newly loaded executable file, so that the new executable can be executed.

Related points of the executable file

• Start_thread by modifying the value of an EIP in the kernel stack as a starting point for a new program

• Depending on the statically linked executable, Elf_entry is the starting point in the header of the executable file entry, which is the location of the main function.

• If you need to rely on a dynamic link library, then elf_entry points to the starting point of the dynamic linker, the CPU control is given to LD to load the dependent library and complete the dynamic link

• An EIP that needs to be pressed into the kernel stack by modifying the int 0x80 before the new executable is called

• The elf executable is mapped to the 0x8048000 address by default.

Execve execution process in the kernel

• Execve The main steps to run an executable program:

  • Delete an existing user area: Deletes the stack space in the user portion of the current executable file

  • Hide private zones: Creates new space for new program text, data, and stacks that are private to the new executable and are copy-on-write.

  • Map shared areas: If the elf file is connected to a shared destination, it needs to be dynamically linked and mapped to a shared area in the user's virtual address space.

  • Set Program counter: Set the EIP to point to the entry address of the new executable file

  • Such as:
    

The EXECVE function executes the process in the kernel

• Call Execve () in the user state to cause the system to break and execute the corresponding function in the kernel state sys_execve

• The SYS_EXECVE function calls the DO_EXECVE function, which reads into the executable file.

• The system then calls Search_binary_handler to find the appropriate handler based on the type of executable file. Create a struct-linux_binfmt structure based on each file and connect it to a list of IQ, and the system will traverse the list to find the corresponding structure.
  The corresponding load_binary function is called to begin loading the executable file.

• The system uses Load_elf_binary to load an elf-type executable file. The function reads the head of the elf file and reads the data into the header of the elf file.

• If there is a dynamic link library, you need to map the dynamic link to the shared zone. At this point, you need to use LOAD_ELF_INTERP to load the image and set the return address to the portal of the LOAD_ELF_INTERP dynamic linker.

• As shown in the following:

Experimental purpose of Experiment part

Use GDB to track the processing of SYS_EXECVE kernel functions, analyze the system call processing of the exec* function, and understand how the Linux kernel loads and launches an executable program.

Experimental process

• Executes the menuos, which loads the Execve
  

• Set breakpoints
  

• The order in which to mount and run an executable file is:

Sys_execve (), Do_execve (), Do_execve_common (), EXEC_BINPRM (), Search_binary_handler () _binary (), Start_thread ()

Summarize

• When a Linux kernel or program (such as a shell) uses the fork function to create a child process, the child process often calls an EXEC function to execute another program.

• When a process invokes an EXEC function, the process executes a program that is completely replaced with a new program, and the new program starts with its main function

Linux Kernel analysis-executable program loading