gdb break when program opens specific file


Problem description


Back story: While running a program under strace I notice that '/dev/urandom' is being open'ed. I would like to know where this call is coming from (it is not part of the program itself, it is part of the system).

So, using gdb, I am trying to break (using catch syscall open) program execution when the open call is issued, so I can see a backtrace. The problem is that open is being called a lot, like several hundred times, so I can't narrow down the specific call that is opening /dev/urandom. How should I go about narrowing down the specific call? Is there a way to filter by arguments, and if so how do I do it for a syscall?

Any advice would be helpful -- maybe I am going about this all wrong.

Solution

GDB is a pretty powerful tool, but has a bit of a learning curve.

Basically, you want to set up a conditional breakpoint.

First use the -i flag to strace or objdump -d to find the address of the open function or more realistically something in the chain of getting there, such as in the plt.

Set a breakpoint at that address (if you have debug symbols, you can use those instead, omitting the *, but I'm assuming you don't - though you may well have them for library functions if nothing else).

    break * 0x080482c8

Next you need to make it conditional.

(Ideally you could compare a string argument to a desired string. I wasn't getting this to work within the first few minutes of trying)

Let's hope we can assume the string is a constant somewhere in the program or one of the libraries it loads. You could look in /proc/pid/maps to get an idea of what is loaded and where, then use grep to verify the string is actually in a file, objdump -s to find its address, and gdb to verify that you've actually found it in memory by combining the high part of the address from maps with the low part from the file. (EDIT: it's probably easier to use ldd on the executable than look in /proc/pid/maps)

Next you will need to know something about the ABI of the platform you are working on, specifically how arguments are passed. I've been working on ARMs lately, and that's very nice as the first few arguments just go in registers r0, r1, r2... etc. x86 is a bit less convenient - it seems they go on the stack, i.e., *($esp+4), *($esp+8), *($esp+12).

So let's assume we are on an x86, and we want to check that the first argument in esp+4 equals the address we found for the constant we are trying to catch it passing. Only, esp+4 is a pointer to a char pointer. So we need to dereference it for comparison.

    cond 1 *(char **)($esp+4)==0x8048514

Then you can type run and hope for the best.

If you catch your breakpoint condition, and looking around with info registers and the x command to examine memory seems right, then you can use the return command to percolate back up the call stack until you find something you recognize.
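The argument filtering the answer above works toward, written out as an added example (not part of the original answer): a shell wrapper that drives gdb in batch mode so it stops only when the path handed to open()/openat() is the one you care about, and prints a backtrace at each such stop. Assumed: x86-64 Linux with the SysV calling convention (the path is the 1st argument of open, in $rdi, and the 2nd argument of the openat syscall, in $rsi; on aarch64 those are $x0 and $x1), and a gdb built with Python so that the $_streq convenience function is available.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumes x86-64 Linux and
# a gdb with Python support (for the $_streq convenience function).

# Write a gdb command file that breaks only when the given path is opened.
# Usage: make_gdb_script /dev/urandom /tmp/cmds.gdb ; prints the file name.
make_gdb_script() {
    path="$1"; out="$2"
    # Unquoted heredoc so "$path" expands; gdb's own $ variables are escaped.
    cat > "$out" <<EOF
set pagination off
set breakpoint pending on
# Breakpoint 1: libc's open(); the path is the first argument (\$rdi).
break open if \$_streq((char *)\$rdi, "$path")
# Catchpoint 2: the openat(2) syscall itself, which also sees opens done
# directly by ld.so or via inline syscalls; the path is the 2nd arg (\$rsi).
catch syscall openat
condition 2 \$_streq((char *)\$rsi, "$path")
# At every matching stop, show where the call came from and keep going.
commands 1 2
  bt
  continue
end
run
EOF
    printf '%s\n' "$out"
}

# Run PROGRAM [ARGS...] under gdb with that script; the backtraces of every
# open of PATH go to stdout.  Usage: trace_opens /dev/urandom ./myprog --foo
trace_opens() {
    path="$1"; shift
    script=$(make_gdb_script "$path" "$(mktemp)")
    gdb -q -batch -x "$script" --args "$@"
    rm -f "$script"
}
```

The syscall catchpoint fires on both entry and return, so each open shows up twice; on current glibc open() is implemented with the openat syscall, which is why the catchpoint is on openat rather than open.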
