Difference between revisions of "gdb notes"
From Noah.org
Latest revision as of 03:27, 30 April 2010
== Disassemble kernel system_call ==

<pre>
aptitude -q -y install build-essential
aptitude -q -y install linux-source
gdb -q /usr/src/linux-source-`uname -r`/vmlinux
(gdb) disassemble system_call
Dump of assembler code for function system_call:
0xc0103fa0 <system_call+0>: push %eax
0xc0103fa1 <system_call+1>: cld
0xc0103fa2 <system_call+2>: push %fs
0xc0103fa4 <system_call+4>: push %es
0xc0103fa5 <system_call+5>: push %ds
0xc0103fa6 <system_call+6>: push %eax
0xc0103fa7 <system_call+7>: push %ebp
---Type <return> to continue, or q <return> to quit---
...
0xc0104065 <ldt_ss+53>: pop %edi
0xc0104066 <ldt_ss+54>: pop %eax
0xc0104067 <ldt_ss+55>: lss (%esp),%esp
0xc010406b <ldt_ss+59>: jmp 0xc010401b <restore_nocheck_notrace>
End of assembler dump.
</pre>
== Disassemble and strace running programs ==

<pre>
cat /dev/random >/dev/null &
PID=$!
CMDLINE="!-2"                      # bash history expansion: the command line entered two commands back
CMD=${CMDLINE%% *}                 # drop everything after the first space, leaving the program name
WCHAN=$(cat /proc/${PID}/wchan)    # kernel function the process is currently waiting in
echo "command: ${CMD}, pid: ${PID}, wchan: ${WCHAN}"
strace -p ${PID}                   # stop strace (Ctrl-C) before attaching gdb: a process can have only one ptrace tracer
gdb ${CMD} ${PID}
(gdb) disassemble
Dump of assembler code for function __kernel_vsyscall:
0xb7f6b420 <__kernel_vsyscall+0>: push %ecx
0xb7f6b421 <__kernel_vsyscall+1>: push %edx
0xb7f6b422 <__kernel_vsyscall+2>: push %ebp
0xb7f6b423 <__kernel_vsyscall+3>: mov %esp,%ebp
0xb7f6b425 <__kernel_vsyscall+5>: sysenter
0xb7f6b427 <__kernel_vsyscall+7>: nop
0xb7f6b428 <__kernel_vsyscall+8>: nop
0xb7f6b429 <__kernel_vsyscall+9>: nop
0xb7f6b42a <__kernel_vsyscall+10>: nop
0xb7f6b42b <__kernel_vsyscall+11>: nop
0xb7f6b42c <__kernel_vsyscall+12>: nop
0xb7f6b42d <__kernel_vsyscall+13>: nop
0xb7f6b42e <__kernel_vsyscall+14>: jmp 0xb7f6b423 <__kernel_vsyscall+3>
0xb7f6b430 <__kernel_vsyscall+16>: pop %ebp
0xb7f6b431 <__kernel_vsyscall+17>: pop %edx
0xb7f6b432 <__kernel_vsyscall+18>: pop %ecx
0xb7f6b433 <__kernel_vsyscall+19>: ret
End of assembler dump.
</pre>
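Once a dump like the one above has been captured, the useful next step is to script over it rather than read it by eye. The parser below is an added example, not code from this page: it reads gdb's `disassemble` output format, finds the instruction that enters the kernel, and cross-checks the `<symbol+offset>` column against the address column (a cheap way to catch a mis-pasted or hand-edited dump); its sample input is the page's own `__kernel_vsyscall` dump with the nop run removed.

```python
import re
from collections import namedtuple

# Constructed sample input: the __kernel_vsyscall dump from this page, with the nop run cut.
SAMPLE_DUMP = """\
Dump of assembler code for function __kernel_vsyscall:
0xb7f6b420 <__kernel_vsyscall+0>: push %ecx
0xb7f6b421 <__kernel_vsyscall+1>: push %edx
0xb7f6b422 <__kernel_vsyscall+2>: push %ebp
0xb7f6b423 <__kernel_vsyscall+3>: mov %esp,%ebp
0xb7f6b425 <__kernel_vsyscall+5>: sysenter
0xb7f6b427 <__kernel_vsyscall+7>: nop
0xb7f6b42e <__kernel_vsyscall+14>: jmp 0xb7f6b423 <__kernel_vsyscall+3>
0xb7f6b430 <__kernel_vsyscall+16>: pop %ebp
0xb7f6b431 <__kernel_vsyscall+17>: pop %edx
0xb7f6b432 <__kernel_vsyscall+18>: pop %ecx
0xb7f6b433 <__kernel_vsyscall+19>: ret
End of assembler dump.
"""

# One gdb 'disassemble' line: address, <symbol+offset>, mnemonic, optional operands.
LINE_RE = re.compile(r'^(0x[0-9a-fA-F]+)\s+<([^+>]+)\+(\d+)>:\s+(\S+)(?:\s+(.*))?$')
Insn = namedtuple('Insn', 'addr symbol offset mnemonic operands')

def parse_dump(text):
    """Parse gdb disassembly into Insn records; header, footer and unparsable lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, sym, off, mnem, ops = m.groups()
            insns.append(Insn(int(addr, 16), sym, int(off), mnem, ops or ''))
    return insns

def kernel_entries(insns):
    """Instructions that enter the kernel: sysenter, syscall, or the legacy int $0x80."""
    return [i for i in insns if i.mnemonic in ('sysenter', 'syscall')
            or (i.mnemonic == 'int' and i.operands == '$0x80')]

def check_consistency(insns):
    """Report <symbol+offset> values that disagree with the address column, and direct
    jumps whose target is not an instruction in the dump. An empty list means clean."""
    base, known, problems = insns[0].addr - insns[0].offset, {i.addr for i in insns}, []
    for i in insns:
        if base + i.offset != i.addr:
            problems.append('offset/address mismatch at %#x' % i.addr)
        tgt = re.match(r'0x[0-9a-fA-F]+', i.operands) if i.mnemonic.startswith('j') else None
        if tgt and int(tgt.group(0), 16) not in known:
            problems.append('%s at %#x leaves the dump' % (i.mnemonic, i.addr))
    return problems
```

To use it on a real capture, save the gdb session with `set logging on` and feed the file's contents to `parse_dump`.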