I'm trying to find a string value stored in memory by a binary (possibly written in C) that won't show up when I perform "strings a.out". I have tried examining particular memory addresses of interest that I have picked out from the assembly code but with no success. Thus, I am looking to try and print all the string values stored in memory (or char* arrays) by the program. Is there a way to do this? (note: the file does not contain debugging info). Thanks!
1 Answer
If the executable is not compiled statically, I think the easiest way is to inject a shared object (.so) with LD_PRELOAD to hook/overload the function which prints it and display the address of the buffer. If you disable ASLR, you should be able to set a memory breakpoint on the string address and then figure out how it was 'encrypted'. Another solution is to print the return address using __builtin_return_address.
strings on a memory dump or the memory virtual files Linux exposes.
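The last suggestion (strings over the memory files Linux exposes), sketched as an added example that is not part of the original posts: it reads the writable regions listed in /proc/<pid>/maps out of /proc/<pid>/mem and applies the same 4-character printable-run rule as strings. The function names are illustrative; it assumes Linux, a running target, and ptrace-level access to it (same user or root), and it scans only writable regions on the assumption that a string decoded at run time ends up there.

```python
import re
import sys

# Runs of 4+ printable ASCII bytes, the default threshold of strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")


def parse_maps(maps_text):
    """Return [(start, end, perms, path)] parsed from /proc/<pid>/maps text."""
    regions = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [path]
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) == 6 else ""
        regions.append((start, end, fields[1], path))
    return regions


def extract_strings(data, base=0):
    """Return [(address, text)] for every printable run found in data."""
    return [(base + m.start(), m.group().decode("ascii"))
            for m in PRINTABLE.finditer(data)]


def scan_process(pid):
    """Extract strings from the writable memory of a live process."""
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    found = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end, perms, _path in regions:
            if not perms.startswith("rw"):
                continue  # read-only file data is what strings a.out already saw
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, ValueError, OverflowError, MemoryError):
                continue  # region went away, is unreadable, or is too large
            found.extend(extract_strings(data, start))
    return found


if __name__ == "__main__":
    for addr, text in scan_process(int(sys.argv[1])):
        print(f"{addr:#x}: {text}")
```

Run it with the target's PID while the program is paused after the point where the value has been built; the printed addresses are virtual addresses in the target and can be used directly as watchpoint locations in a debugger.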