Difference between revisions of "gdb notes"

m
m
 
(One intermediate revision by the same user not shown)
Line 23: Line 23:
 
0xc0104067 <ldt_ss+55>: lss    (%esp),%esp
 
0xc0104067 <ldt_ss+55>: lss    (%esp),%esp
 
0xc010406b <ldt_ss+59>: jmp    0xc010401b <restore_nocheck_notrace>
 
0xc010406b <ldt_ss+59>: jmp    0xc010401b <restore_nocheck_notrace>
 +
End of assembler dump.
 +
</pre>
 +
 +
 +
== Disassemble and strace running programs ==
 +
 +
<pre>
 +
cat /dev/random >/dev/null &
 +
PID=$!
 +
CMDLINE="!-2"
 +
CMD=${CMDLINE%% *}
 +
WCHAN=$(cat /proc/${PID}/wchan)
 +
echo "command: ${CMD}, pid: ${PID}, wchan: ${WCHAN}"
 +
strace -p ${PID}
 +
gdb ${CMD} ${PID}
 +
(gdb) disassemble
 +
Dump of assembler code for function __kernel_vsyscall:
 +
0xb7f6b420 <__kernel_vsyscall+0>:      push  %ecx
 +
0xb7f6b421 <__kernel_vsyscall+1>:      push  %edx
 +
0xb7f6b422 <__kernel_vsyscall+2>:      push  %ebp
 +
0xb7f6b423 <__kernel_vsyscall+3>:      mov    %esp,%ebp
 +
0xb7f6b425 <__kernel_vsyscall+5>:      sysenter
 +
0xb7f6b427 <__kernel_vsyscall+7>:      nop   
 +
0xb7f6b428 <__kernel_vsyscall+8>:      nop   
 +
0xb7f6b429 <__kernel_vsyscall+9>:      nop   
 +
0xb7f6b42a <__kernel_vsyscall+10>:      nop   
 +
0xb7f6b42b <__kernel_vsyscall+11>:      nop   
 +
0xb7f6b42c <__kernel_vsyscall+12>:      nop   
 +
0xb7f6b42d <__kernel_vsyscall+13>:      nop   
 +
0xb7f6b42e <__kernel_vsyscall+14>:      jmp    0xb7f6b423 <__kernel_vsyscall+3>
 +
0xb7f6b430 <__kernel_vsyscall+16>:      pop    %ebp
 +
0xb7f6b431 <__kernel_vsyscall+17>:      pop    %edx
 +
0xb7f6b432 <__kernel_vsyscall+18>:      pop    %ecx
 +
0xb7f6b433 <__kernel_vsyscall+19>:      ret   
 
End of assembler dump.
 
End of assembler dump.
 
</pre>
 
</pre>
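Review bot: `CMDLINE="!-2"` near the top of the added snippet relies on bash history expansion, which only fires in an interactive shell with history enabled; run from a script, or pasted as one block, it stays the literal string `!-2`, so `CMD` is wrong and `gdb ${CMD} ${PID}` has no symbol file. Reading the executable from /proc avoids that and also hands gdb the full path: replace the `CMDLINE=`/`CMD=` pair with `CMD=$(readlink "/proc/${PID}/exe")`. Two further caveats deserve a comment in the snippet: only one tracer can be attached to a process at a time, so `strace -p` has to be interrupted (Ctrl-C) and detached before the `gdb` attach can succeed, and attaching at all needs ptrace permission on the target (same uid or CAP_SYS_PTRACE; on kernels with Yama ptrace_scope=1 a tracer that is not an ancestor of the target is refused even for the same uid, so root may be needed there — confirm on the host).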
Line 30: Line 64:
 
[[File:phrack-0x3a-0x07.txt‎]]
 
[[File:phrack-0x3a-0x07.txt‎]]
  
<pre>
 
 
http://phrack.org/archives/58/p58_0x07_Linux%20on-the-fly%20kernel%20patching%20without%20LKM_by_devik%20&%20sd.txt
 
http://phrack.org/archives/58/p58_0x07_Linux%20on-the-fly%20kernel%20patching%20without%20LKM_by_devik%20&%20sd.txt
</pre>
 

Latest revision as of 03:27, 30 April 2010


Disassemble kernel system_call

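# Disassemble the kernel's system_call entry from an unstripped vmlinux.
# NOTE(review): on Debian the linux-source package ships a source tarball,
# not a built kernel, so a vmlinux only exists under /usr/src after the tree
# has been unpacked and built; `uname -r` (e.g. 2.6.32-5-686) also differs
# from the package's upstream version (e.g. 2.6.32).  The path below is the
# original author's and needs confirming on the host; the matching
# linux-image-*-dbg package is the usual alternative source of a vmlinux.
aptitude -q -y install build-essential
aptitude -q -y install linux-source
VMLINUX="/usr/src/linux-source-$(uname -r)/vmlinux"
# Check before invoking gdb so a missing/unreadable image gives a clear
# message instead of a gdb "No such file" prompt with no symbols loaded.
if [ -r "${VMLINUX}" ]; then
    gdb -q "${VMLINUX}"
else
    echo "no readable vmlinux at ${VMLINUX}; build the source tree or install the matching linux-image-*-dbg package" >&2
fi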
(gdb) disassemble system_call
Dump of assembler code for function system_call:
0xc0103fa0 <system_call+0>:     push   %eax
0xc0103fa1 <system_call+1>:     cld    
0xc0103fa2 <system_call+2>:     push   %fs
0xc0103fa4 <system_call+4>:     push   %es
0xc0103fa5 <system_call+5>:     push   %ds
0xc0103fa6 <system_call+6>:     push   %eax
0xc0103fa7 <system_call+7>:     push   %ebp
---Type <return> to continue, or q <return> to quit---
   ...
0xc0104065 <ldt_ss+53>: pop    %edi
0xc0104066 <ldt_ss+54>: pop    %eax
0xc0104067 <ldt_ss+55>: lss    (%esp),%esp
0xc010406b <ldt_ss+59>: jmp    0xc010401b <restore_nocheck_notrace>
End of assembler dump.


Disassemble and strace running programs

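# Attach strace and then gdb to a running process, using a blocking read of
# /dev/random as the target so it is parked in the kernel (see wchan).
# Attaching needs ptrace permission on the target: same uid or
# CAP_SYS_PTRACE.  NOTE(review): kernels with Yama ptrace_scope=1 also refuse
# a tracer that is not an ancestor of the target, so strace/gdb may have to
# run as root there -- confirm on the host.
cat /dev/random >/dev/null &
PID=$!
# Resolve the binary from /proc instead of from shell history: "!-2" only
# expands in an interactive shell with history enabled, and in a script it
# stays the literal string "!-2", leaving gdb without a symbol file.
CMD=$(readlink "/proc/${PID}/exe")
WCHAN=$(cat "/proc/${PID}/wchan")
echo "command: ${CMD}, pid: ${PID}, wchan: ${WCHAN}"
# Only one tracer may be attached at a time: interrupt strace (Ctrl-C) so it
# detaches before gdb attaches, otherwise gdb's attach fails with EPERM.
strace -p "${PID}"
gdb "${CMD}" "${PID}"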
(gdb) disassemble
Dump of assembler code for function __kernel_vsyscall:
0xb7f6b420 <__kernel_vsyscall+0>:       push   %ecx
0xb7f6b421 <__kernel_vsyscall+1>:       push   %edx
0xb7f6b422 <__kernel_vsyscall+2>:       push   %ebp
0xb7f6b423 <__kernel_vsyscall+3>:       mov    %esp,%ebp
0xb7f6b425 <__kernel_vsyscall+5>:       sysenter 
0xb7f6b427 <__kernel_vsyscall+7>:       nop    
0xb7f6b428 <__kernel_vsyscall+8>:       nop    
0xb7f6b429 <__kernel_vsyscall+9>:       nop    
0xb7f6b42a <__kernel_vsyscall+10>:      nop    
0xb7f6b42b <__kernel_vsyscall+11>:      nop    
0xb7f6b42c <__kernel_vsyscall+12>:      nop    
0xb7f6b42d <__kernel_vsyscall+13>:      nop    
0xb7f6b42e <__kernel_vsyscall+14>:      jmp    0xb7f6b423 <__kernel_vsyscall+3>
0xb7f6b430 <__kernel_vsyscall+16>:      pop    %ebp
0xb7f6b431 <__kernel_vsyscall+17>:      pop    %edx
0xb7f6b432 <__kernel_vsyscall+18>:      pop    %ecx
0xb7f6b433 <__kernel_vsyscall+19>:      ret    
End of assembler dump.

Phrack article

File:phrack-0x3a-0x07.txt

http://phrack.org/archives/58/p58_0x07_Linux%20on-the-fly%20kernel%20patching%20without%20LKM_by_devik%20&%20sd.txt