本文探讨了 Linux 环境下两个特殊的宏 `_RET_IP_` 和 `_THIS_IP_`,它们分别用于获取当前函数的返回地址和当前指令指针的地址。
1、宏定义
我们先看它们的宏定义
objectivec
include/linux/kernel.h
#define _RET_IP_ (unsigned long)__builtin_return_address(0)
#define _THIS_IP_ ({ __label__ __here; __here: (unsigned long)&&__here; })
2、测试
下面我们写个简单的程序测试下
objectivec
#include <stdio.h>
#include <stdlib.h>
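/*
 * _RET_IP_: the address this function will return to, i.e. the value the
 * caller's branch-with-link left in the link register (GCC builtin).
 */
#define _RET_IP_ (unsigned long)__builtin_return_address(0)
/*
 * _THIS_IP_: the address of a local label placed at the point of expansion,
 * obtained via GCC's labels-as-values extension (&&label) and wrapped in a
 * statement expression so it can be used as an rvalue.
 */
#define _THIS_IP_ ({ __label__ __here; __here: (unsigned long)&&__here; })

/*
 * Print bar()'s own return address and the address of the code generated at
 * the point where _THIS_IP_ is expanded, both in hex.
 * Output seen in the article's AArch64 build: "This is bar (400638,400608)".
 */
void bar(void)
{
	/* Both macros yield unsigned long, so the conversions must be %lx;
	 * passing an unsigned long to %x is undefined behaviour. */
	printf("This is bar (%lx,%lx) \012", _RET_IP_, _THIS_IP_);
}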
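/*
 * Entry point: call bar() once so it prints its _RET_IP_ / _THIS_IP_ values.
 * Declared as main(void) rather than main() — empty parentheses leave the
 * parameter list unspecified, which is obsolescent in C11.
 */
int main(void)
{
	bar();
	return 0;
}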
上面程序输出结果是:This is bar (400638,400608)
我们将上面程序反汇编结果如下:
objectivec
objdump -S xxx > xx.S
test_retip: file format elf64-littleaarch64
Disassembly of section .init:
0000000000400440 <_init>:
400440: a9bf7bfd stp x29, x30, [sp, #-16]!
400444: 910003fd mov x29, sp
400448: 94000032 bl 400510 <call_weak_fn>
40044c: a8c17bfd ldp x29, x30, [sp], #16
400450: d65f03c0 ret
Disassembly of section .plt:
0000000000400460 <.plt>:
400460: a9bf7bf0 stp x16, x30, [sp, #-16]!
400464: 90000090 adrp x16, 410000 <__FRAME_END__+0xf788>
400468: f947fe11 ldr x17, [x16, #4088]
40046c: 913fe210 add x16, x16, #0xff8
400470: d61f0220 br x17
400474: d503201f nop
400478: d503201f nop
40047c: d503201f nop
0000000000400480 <__libc_start_main@plt>:
400480: b0000090 adrp x16, 411000 <__libc_start_main@GLIBC_2.17>
400484: f9400211 ldr x17, [x16]
400488: 91000210 add x16, x16, #0x0
40048c: d61f0220 br x17
0000000000400490 <__gmon_start__@plt>:
400490: b0000090 adrp x16, 411000 <__libc_start_main@GLIBC_2.17>
400494: f9400611 ldr x17, [x16, #8]
400498: 91002210 add x16, x16, #0x8
40049c: d61f0220 br x17
00000000004004a0 <abort@plt>:
4004a0: b0000090 adrp x16, 411000 <__libc_start_main@GLIBC_2.17>
4004a4: f9400a11 ldr x17, [x16, #16]
4004a8: 91004210 add x16, x16, #0x10
4004ac: d61f0220 br x17
00000000004004b0 <printf@plt>:
4004b0: b0000090 adrp x16, 411000 <__libc_start_main@GLIBC_2.17>
4004b4: f9400e11 ldr x17, [x16, #24]
4004b8: 91006210 add x16, x16, #0x18
4004bc: d61f0220 br x17
Disassembly of section .text:
00000000004004c0 <_start>:
4004c0: d280001d mov x29, #0x0 // #0
4004c4: d280001e mov x30, #0x0 // #0
4004c8: aa0003e5 mov x5, x0
4004cc: f94003e1 ldr x1, [sp]
4004d0: 910023e2 add x2, sp, #0x8
4004d4: 910003e6 mov x6, sp
4004d8: d2e00000 movz x0, #0x0, lsl #48
4004dc: f2c00000 movk x0, #0x0, lsl #32
4004e0: f2a00800 movk x0, #0x40, lsl #16
4004e4: f280c580 movk x0, #0x62c
4004e8: d2e00003 movz x3, #0x0, lsl #48
4004ec: f2c00003 movk x3, #0x0, lsl #32
4004f0: f2a00803 movk x3, #0x40, lsl #16
4004f4: f280c903 movk x3, #0x648
4004f8: d2e00004 movz x4, #0x0, lsl #48
4004fc: f2c00004 movk x4, #0x0, lsl #32
400500: f2a00804 movk x4, #0x40, lsl #16
400504: f280d904 movk x4, #0x6c8
400508: 97ffffde bl 400480 <__libc_start_main@plt>
40050c: 97ffffe5 bl 4004a0 <abort@plt>
0000000000400510 <call_weak_fn>:
400510: 90000080 adrp x0, 410000 <__FRAME_END__+0xf788>
400514: f947f000 ldr x0, [x0, #4064]
400518: b4000040 cbz x0, 400520 <call_weak_fn+0x10>
40051c: 17ffffdd b 400490 <__gmon_start__@plt>
400520: d65f03c0 ret
0000000000400524 <deregister_tm_clones>:
400524: b0000080 adrp x0, 411000 <__libc_start_main@GLIBC_2.17>
400528: 9100c001 add x1, x0, #0x30
40052c: b0000080 adrp x0, 411000 <__libc_start_main@GLIBC_2.17>
400530: 9100c000 add x0, x0, #0x30
400534: eb00003f cmp x1, x0
400538: 54000160 b.eq 400564 <deregister_tm_clones+0x40> // b.none
40053c: d10043ff sub sp, sp, #0x10
400540: 90000001 adrp x1, 400000 <_init-0x440>
400544: f9437421 ldr x1, [x1, #1768]
400548: f90007e1 str x1, [sp, #8]
40054c: b4000081 cbz x1, 40055c <deregister_tm_clones+0x38>
400550: aa0103f0 mov x16, x1
400554: 910043ff add sp, sp, #0x10
400558: d61f0200 br x16
40055c: 910043ff add sp, sp, #0x10
400560: d65f03c0 ret
400564: d65f03c0 ret
0000000000400568 <register_tm_clones>:
400568: b0000080 adrp x0, 411000 <__libc_start_main@GLIBC_2.17>
40056c: 9100c001 add x1, x0, #0x30
400570: b0000080 adrp x0, 411000 <__libc_start_main@GLIBC_2.17>
400574: 9100c000 add x0, x0, #0x30
400578: cb000021 sub x1, x1, x0
40057c: d2800042 mov x2, #0x2 // #2
400580: 9343fc21 asr x1, x1, #3
400584: 9ac20c21 sdiv x1, x1, x2
400588: b4000161 cbz x1, 4005b4 <register_tm_clones+0x4c>
40058c: d10043ff sub sp, sp, #0x10
400590: 90000002 adrp x2, 400000 <_init-0x440>
400594: f9437842 ldr x2, [x2, #1776]
400598: f90007e2 str x2, [sp, #8]
40059c: b4000082 cbz x2, 4005ac <register_tm_clones+0x44>
4005a0: aa0203f0 mov x16, x2
4005a4: 910043ff add sp, sp, #0x10
4005a8: d61f0200 br x16
4005ac: 910043ff add sp, sp, #0x10
4005b0: d65f03c0 ret
4005b4: d65f03c0 ret
00000000004005b8 <__do_global_dtors_aux>:
4005b8: a9be7bfd stp x29, x30, [sp, #-32]!
4005bc: 910003fd mov x29, sp
4005c0: f9000bf3 str x19, [sp, #16]
4005c4: b0000093 adrp x19, 411000 <__libc_start_main@GLIBC_2.17>
4005c8: 3940c260 ldrb w0, [x19, #48]
4005cc: 35000080 cbnz w0, 4005dc <__do_global_dtors_aux+0x24>
4005d0: 97ffffd5 bl 400524 <deregister_tm_clones>
4005d4: 52800020 mov w0, #0x1 // #1
4005d8: 3900c260 strb w0, [x19, #48]
4005dc: f9400bf3 ldr x19, [sp, #16]
4005e0: a8c27bfd ldp x29, x30, [sp], #32
4005e4: d65f03c0 ret
00000000004005e8 <frame_dummy>:
4005e8: 17ffffe0 b 400568 <register_tm_clones>
00000000004005ec <bar>:
4005ec: a9bf7bfd stp x29, x30, [sp, #-16]!
4005f0: 910003fd mov x29, sp
4005f4: aa1e03e0 mov x0, x30
4005f8: aa0003fe mov x30, x0
4005fc: d50320ff xpaclri
400600: aa1e03e0 mov x0, x30
400604: aa0003e1 mov x1, x0
400608: 90000000 adrp x0, 400000 <_init-0x440>
40060c: 91182000 add x0, x0, #0x608
400610: aa0003e2 mov x2, x0
400614: 90000000 adrp x0, 400000 <_init-0x440>
400618: 911be000 add x0, x0, #0x6f8
40061c: 97ffffa5 bl 4004b0 <printf@plt>
400620: d503201f nop
400624: a8c17bfd ldp x29, x30, [sp], #16
400628: d65f03c0 ret
000000000040062c <main>:
40062c: a9bf7bfd stp x29, x30, [sp, #-16]!
400630: 910003fd mov x29, sp
400634: 97ffffee bl 4005ec <bar>
400638: 52800000 mov w0, #0x0 // #0
40063c: a8c17bfd ldp x29, x30, [sp], #16
400640: d65f03c0 ret
400644: d503201f nop
0000000000400648 <__libc_csu_init>:
400648: a9bc7bfd stp x29, x30, [sp, #-64]!
40064c: 910003fd mov x29, sp
400650: a90153f3 stp x19, x20, [sp, #16]
400654: 90000094 adrp x20, 410000 <__FRAME_END__+0xf788>
400658: 9137c294 add x20, x20, #0xdf0
40065c: a9025bf5 stp x21, x22, [sp, #32]
400660: 90000095 adrp x21, 410000 <__FRAME_END__+0xf788>
400664: 9137a2b5 add x21, x21, #0xde8
400668: cb150294 sub x20, x20, x21
40066c: 2a0003f6 mov w22, w0
400670: a90363f7 stp x23, x24, [sp, #48]
400674: aa0103f7 mov x23, x1
400678: aa0203f8 mov x24, x2
40067c: 97ffff71 bl 400440 <_init>
400680: eb940fff cmp xzr, x20, asr #3
400684: 54000160 b.eq 4006b0 <__libc_csu_init+0x68> // b.none
400688: 9343fe94 asr x20, x20, #3
40068c: d2800013 mov x19, #0x0 // #0
400690: f8737aa3 ldr x3, [x21, x19, lsl #3]
400694: aa1803e2 mov x2, x24
400698: 91000673 add x19, x19, #0x1
40069c: aa1703e1 mov x1, x23
4006a0: 2a1603e0 mov w0, w22
4006a4: d63f0060 blr x3
4006a8: eb13029f cmp x20, x19
4006ac: 54ffff21 b.ne 400690 <__libc_csu_init+0x48> // b.any
4006b0: a94153f3 ldp x19, x20, [sp, #16]
4006b4: a9425bf5 ldp x21, x22, [sp, #32]
4006b8: a94363f7 ldp x23, x24, [sp, #48]
4006bc: a8c47bfd ldp x29, x30, [sp], #64
4006c0: d65f03c0 ret
4006c4: d503201f nop
00000000004006c8 <__libc_csu_fini>:
4006c8: d65f03c0 ret
Disassembly of section .fini:
00000000004006cc <_fini>:
4006cc: a9bf7bfd stp x29, x30, [sp, #-16]!
4006d0: 910003fd mov x29, sp
4006d4: a8c17bfd ldp x29, x30, [sp], #16
4006d8: d65f03c0 ret
`_RET_IP_`:返回的是当前函数的返回地址。AArch64 上 `bl` 指令把返回地址(即 `bl` 的下一条指令,PC+4)保存在 X30(LR)寄存器中;对照反汇编,main 中 `bl 4005ec <bar>` 位于 400634,因此 bar 的返回地址是 400638,与程序输出一致。bar 中 `mov x0, x30` 之后的 `xpaclri` 会先去掉 X30 中可能带有的指针认证码(PAC),再把得到的值作为 `__builtin_return_address(0)` 的结果。
`_THIS_IP_`:返回的是当前指令指针的地址,其实现依靠 GCC 的 label-as-value 扩展(`&&__here`)取得本地标签的地址;对照反汇编,bar 中 `adrp x0, 400000` / `add x0, x0, #0x608` 计算出的正是 0x400608,与程序输出一致。