Why is the address of __libc_start_main always the same inside GDB even though ASLR is on?

Tags: c, linux, gdb, libc, aslr

Breakpoint 1, 0x00007ffff7de8060 in __libc_start_main () from /usr/lib/libc.so.6
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/firstlove/projects/org-ioslide/example/a.out 

Breakpoint 1, 0x00007ffff7de8060 in __libc_start_main () from /usr/lib/libc.so.6
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/firstlove/projects/org-ioslide/example/a.out 

Breakpoint 1, 0x00007ffff7de8060 in __libc_start_main () from /usr/lib/libc.so.6
(gdb) Quit
(gdb) quit
A debugging session is active.

        Inferior 1 [process 16372] will be killed.

Quit anyway? (y or n) y
firstlove-pc% cat /proc/sys/kernel/randomize_va_space
2

IIUC, ASLR should randomize all addresses, including the one of libc.so, but I found that the address of __libc_start_main() is always 0x00007ffff7de8060 on my Linux machine. Why? What is wrong?

Chen Li asked Jan 16 '20 15:01

People also ask

How to check if my executable is running under ASLR?

You can easily check this by running gdb-->b main-->info proc mappings a couple of times and comparing the offsets. If they are different, your executable is probably running under ASLR. Assuming there is no ASLR protection, using gdb-->b main-->info proc mappings should give you the base address of the libc SO.

How to get the offset of a string in libc?

Here are two methods: 1. strings -t x -a /path/to/libc | grep "/bin/sh" --> this outputs the offset of the string in libc.

What is the default address of an executable under Linux?

The address of an executable under Linux is usually 0x400000 for 64-bit executables and 0x08048000 for 32-bit executables, as defined by the GNU linker. But there's nothing stopping someone from changing the entry point to a different address.

1 Answer

When you run a program inside gdb, gdb tries to help you debug by disabling address randomization. You can use the following command to enable it (effective from the next run of the program):

set disable-randomization off
Marco Bonelli answered Sep 19 '22 14:09
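As an added example (not part of the question or the answer above), a small C program that makes the mechanism visible: on Linux, gdb turns randomization off by setting the ADDR_NO_RANDOMIZE personality flag on the inferior before it execs, and the flag survives execve, so the debugged process can detect it on itself. The program also reads randomize_va_space, as the question does, and prints the address of __libc_start_main so a shell run and a gdb run can be compared. It assumes Linux and glibc.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/personality.h>
/* Only the address of this libc symbol is used, so the prototype is irrelevant. */
extern int __libc_start_main();

/* Parse the text of /proc/sys/kernel/randomize_va_space ("0", "1" or "2"); -1 otherwise. */
int parse_randomize_va_space(const char *buf)
{
    char *end;
    long v = strtol(buf, &end, 10);
    return (end == buf || v < 0 || v > 2) ? -1 : (int)v;
}

/* System-wide ASLR setting, or -1 if /proc is not readable. */
int system_aslr_level(void)
{
    char buf[16] = {0};
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f) return -1;
    char *ok = fgets(buf, sizeof buf, f);
    fclose(f);
    return ok ? parse_randomize_va_space(buf) : -1;
}

/* gdb implements "disable-randomization on" by setting the ADDR_NO_RANDOMIZE
 * personality flag before exec'ing the inferior. The flag survives execve, so
 * the debugged process can query it on itself: 1 = fixed layout regardless of
 * randomize_va_space, 0 = kernel default applies, -1 = query failed. */
int randomization_disabled_for_this_process(void)
{
    int p = personality(0xffffffff); /* 0xffffffff = query, do not change */
    if (p == -1) return -1;
    return (p & ADDR_NO_RANDOMIZE) ? 1 : 0;
}

uintptr_t libc_start_main_address(void)
{
    return (uintptr_t)&__libc_start_main;
}

int main(void)
{
    printf("randomize_va_space = %d\n", system_aslr_level());
    printf("ADDR_NO_RANDOMIZE  = %d\n", randomization_disabled_for_this_process());
    printf("&__libc_start_main = 0x%" PRIxPTR "\n", libc_start_main_address());
    return 0;
}
```

Run it a few times from a shell, then under gdb with the default setting and again after `set disable-randomization off`: only the default gdb runs report ADDR_NO_RANDOMIZE = 1 together with a libc address that never changes.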