Merge de520fb into 5b0bec0

Gallopsled · Jun 2, 2021 · 27c1eae · 27c1eae
2 parents 5b0bec0 + de520fb
commit 27c1eae
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -92,6 +92,7 @@ The table below shows which release corresponds to each branch, and what date th
 
 ## 4.5.1 (`stable`)
 
+- [#1911][1911] Use `ld` to retrieve libraries for ELF files
 - [#1902][1902] Always specify -F and -P for tmux in run_in_new_termianl
 
 [1902]: https://github.com/Gallopsled/pwntools/pull/1902

diff --git a/pwnlib/elf/elf.py b/pwnlib/elf/elf.py
@@ -718,8 +718,8 @@ def _populate_libraries(self):
         >>> any(map(lambda x: 'libc' in x, bash.libs.keys()))
         True
         """
-        # Patch some shellcode into the ELF and run it.
-        maps = self._patch_elf_and_read_maps()
+        # Use LD to trace loaded libraries
+        maps = self._trace_and_read_libraries()
 
         self._maps = maps
         self._libs = {}
@@ -854,6 +854,37 @@ def _patch_elf_and_read_maps(self):
 
         return result
 
+    def _trace_and_read_libraries(self):
+        r"""trace_and_read_libraries(self) -> dict
+
+        Uses the `LD_TRACE_LOADED_OBJECTS` variable to detect object files loaded by the executable.
+
+        Returns:
+            A ``dict`` mapping file paths to the lowest address they appear at.
+            Does not do any translation for e.g. QEMU emulation, the raw results
+            are returned.
+        """
+
+        maps = {}
+        with context.silent:
+            io = process(self.path, env={"LD_TRACE_LOADED_OBJECTS": "1"})
+            data = io.recvall(timeout=2).decode()
+
+        # Data looks like
+        # 	linux-vdso.so.1 (0x00007ffe6b3d9000)
+        # 	libc.so.6 => /usr/lib/libc.so.6 (0x00007fa6f94a2000)
+        # 	/lib64/ld-linux-x86-64.so.2 (0x00007fa6f969b000)
+
+        for line in data.split("\x0a"):
+            # Remove tab character
+            line = line[1:]
+            if '/' in line:
+                link, address = line.split(" ")[-2:]
+                address = int(address[1:-1], 16)
+                # Resolve symlinks and get the real library file
+                maps.setdefault(os.path.realpath(link), address)
+        return maps
+
     def _populate_functions(self):
         """Builds a dict of 'functions' (i.e. symbols of type 'STT_FUNC')
         by function name that map to a tuple consisting of the func address and size