当前位置: 文江博客话题详情

GDB:列出崩溃进程的所有映射内存区域

发布于 2024-11-02 00:40:29 字数 646 浏览 0 评论 0原文

我从 x86 Linux 机器(内核 2.6.35-22,如果重要的话)上的死进程中获得了全堆核心转储,我正在尝试在 GDB 中对其进行调试。

是否有一个我可以使用的 GDB 命令,意思是“显示该进程分配的所有内存地址区域的列表?”换句话说,我能否找出可以在此转储中检查的所有可能的有效内存地址?

我问的原因是我需要在整个进程堆中搜索某个二进制字符串,并且为了使用find命令,我需要有一个开始和结束地址。简单地从 0x00 到 0xff 进行搜索是行不通的,因为 find 一旦遇到无法访问的地址就会停止:

(gdb) 查找 /w 0x10000000, 0xff000000, 0x12345678

警告:无法访问 0x105ef883 处的目标内存,正在停止 搜索。

因此,我需要获取内存中所有可读地址区域的列表,以便一次可以搜索它们。

(我需要这样做的原因是我需要找到内存中指向某个地址的所有结构。)

没有一个 show memshow procinfo meminfo proc似乎可以满足我的需要。

原文

I've got a full-heap core dump from a dead process on an x86 Linux machine (kernel 2.6.35-22 if it matters), which I'm attempting to debug in GDB.

Is there a GDB command I can use that means "show me a list of all the memory address regions allocated by this process?" In other words, can I figure out what all the possible valid memory addresses are that I can examine in this dump?

The reason I ask is that I need to search across the entire process heap for a certain binary string, and in order to use the find command, I need to have a start and end address. Simply searching from 0x00 to 0xff.. doesn't work because find halts as soon as it encounters an address it can't access:

(gdb) find /w 0x10000000, 0xff000000,
0x12345678

warning: Unable to access target memory at 0x105ef883, halting
search.

So I need to get a list of all the readable address regions in memory so I can search them one at a time.

(The reason I need to do that is I need to find all the structs in memory that point at a certain address.)

None of show mem, show proc, info mem, info proc seem to do what I need.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

拍不死你 2024-11-09 00:40:29

在 GDB 7.2 中:

(gdb) help info proc
Show /proc process information about any running process.
Specify any process id, or use the program being debugged by default.
Specify any of the following keywords for detailed info:
  mappings -- list of mapped memory regions.
  stat     -- list a bunch of random process info.
  status   -- list a different bunch of random process info.
  all      -- list all available /proc info.

您需要 info proc 映射,但在没有 /proc 时(例如在事后调试期间)它不起作用。

请尝试使用维护信息部分

In GDB 7.2:

(gdb) help info proc
Show /proc process information about any running process.
Specify any process id, or use the program being debugged by default.
Specify any of the following keywords for detailed info:
  mappings -- list of mapped memory regions.
  stat     -- list a bunch of random process info.
  status   -- list a different bunch of random process info.
  all      -- list all available /proc info.

You want info proc mappings, except it doesn't work when there is no /proc (such as during pos-mortem debugging).

Try maintenance info sections instead.

回复 原文
指尖微凉心微凉 2024-11-09 00:40:29

如果您有程序和核心文件,则可以执行以下步骤。

1) 在程序上运行 gdb 以及 core 文件

 $gdb ./test core

2) 输入 info 文件并查看 core 文件中有哪些不同的段。

    (gdb)info files

示例输出:

    (gdb)info files 

    Symbols from "/home/emntech/debugging/test".
    Local core dump file:
`/home/emntech/debugging/core', file type elf32-i386.
  0x0055f000 - 0x0055f000 is load1
  0x0057b000 - 0x0057c000 is load2
  0x0057c000 - 0x0057d000 is load3
  0x00746000 - 0x00747000 is load4
  0x00c86000 - 0x00c86000 is load5
  0x00de0000 - 0x00de0000 is load6
  0x00de1000 - 0x00de3000 is load7
  0x00de3000 - 0x00de4000 is load8
  0x00de4000 - 0x00de7000 is load9
  0x08048000 - 0x08048000 is load10
  0x08049000 - 0x0804a000 is load11
  0x0804a000 - 0x0804b000 is load12
  0xb77b9000 - 0xb77ba000 is load13
  0xb77cc000 - 0xb77ce000 is load14
  0xbf91d000 - 0xbf93f000 is load15

在我的例子中,我有 15 个段。每个段都有地址的开始和地址的结束。选择要搜索数据的任何段。例如,让我们选择 load11 并搜索模式。 Load11 的起始地址为 0x08049000,结束地址为 0x804a000。

3) 在段中搜索模式。

(gdb) find /w 0x08049000 0x0804a000 0x8048034
 0x804903c
 0x8049040
 2 patterns found

如果您没有可执行文件,则需要使用一个程序来打印核心文件所有段的数据。然后您可以在某个地址搜索特定数据。我没有找到任何这样的程序,您可以使用以下链接中的程序来打印核心或可执行文件的所有段的数据。

 http://emntech.com/programs/printseg.c

If you have the program and the core file, you can do the following steps.

1) Run the gdb on the program along with core file

 $gdb ./test core

2) type info files and see what different segments are there in the core file.

    (gdb)info files

A sample output:

    (gdb)info files 

    Symbols from "/home/emntech/debugging/test".
    Local core dump file:
`/home/emntech/debugging/core', file type elf32-i386.
  0x0055f000 - 0x0055f000 is load1
  0x0057b000 - 0x0057c000 is load2
  0x0057c000 - 0x0057d000 is load3
  0x00746000 - 0x00747000 is load4
  0x00c86000 - 0x00c86000 is load5
  0x00de0000 - 0x00de0000 is load6
  0x00de1000 - 0x00de3000 is load7
  0x00de3000 - 0x00de4000 is load8
  0x00de4000 - 0x00de7000 is load9
  0x08048000 - 0x08048000 is load10
  0x08049000 - 0x0804a000 is load11
  0x0804a000 - 0x0804b000 is load12
  0xb77b9000 - 0xb77ba000 is load13
  0xb77cc000 - 0xb77ce000 is load14
  0xbf91d000 - 0xbf93f000 is load15

In my case I have 15 segments. Each segment has start of the address and end of the address. Choose any segment to search data for. For example lets select load11 and search for a pattern. Load11 has start address 0x08049000 and ends at 0x804a000.

3) Search for a pattern in the segment.

(gdb) find /w 0x08049000 0x0804a000 0x8048034
 0x804903c
 0x8049040
 2 patterns found

If you don't have executable file you need to use a program which prints data of all segments of a core file. Then you can search for a particular data at an address. I don't find any program as such, you can use the program at the following link which prints data of all segments of a core or an executable file.

 http://emntech.com/programs/printseg.c
回复 原文
夏天碎花小短裙 2024-11-09 00:40:29
(gdb) maintenance info sections 
Exec file:
    `/path/to/app.out', file type elf32-littlearm.
    0x0000->0x0360 at 0x00008000: .intvecs ALLOC LOAD READONLY DATA HAS_CONTENTS

这是来自上面 phihag 的评论,值得单独回答。这可以工作,但 info proc 不适用于 gcc-arm-none-eabi Ubuntu 软件包中的 arm-none-eabi-gdb v7.4.1.20130913-cvs。

(gdb) maintenance info sections 
Exec file:
    `/path/to/app.out', file type elf32-littlearm.
    0x0000->0x0360 at 0x00008000: .intvecs ALLOC LOAD READONLY DATA HAS_CONTENTS

This is from comment by phihag above, deserves a separate answer. This works but info proc does not on the arm-none-eabi-gdb v7.4.1.20130913-cvs from the gcc-arm-none-eabi Ubuntu package.

回复 原文
话少心凉 2024-11-09 00:40:29

您还可以使用 info files 列出进程二进制文件中加载的所有二进制文件的所有部分。

You can also use info files to list all the sections of all the binaries loaded in process binary.

回复 原文
纵山崖 2024-11-09 00:40:29

我刚刚看到以下内容:

set mem inaccessible-by-default [on|off]

此处

它可能允许您进行搜索而无需考虑内存是否可访问。

I have just seen the following:

set mem inaccessible-by-default [on|off]

here

It might allow you to search without regard if the memory is accessible.

回复 原文
愿得七秒忆 2024-11-09 00:40:29

请注意,如果您想确定进程的共享内存段、mmap() 区域等映射到其地址空间的位置,那么这些都不会帮助您。

此信息似乎不包含在核心中。 maintenance info target-sectionsmaintenance info target 都没有显示它。

(所以它可能根本不存在,或者充其量是在 gdb 不使用的核心部分中。也许可以从内部 libc 簿记状态中找出一些信息,但不是以通用方式)。

Note that none of these will help you if you want to identify where the process had shared-memory segments, mmap()ed regions, etc mapped into its address space.

This info doesn't seem to be included in the core. Neither maintenance info target-sections nor maintenance info target show it.

(So it probably just doesn't exist, or at best is in a core section gdb doesn't use. It might be possible to figure some out from internal libc book-keeping state, but not in a generic way).

回复 原文
饮惑 2024-11-09 00:40:29

维护信息节的问题是该命令尝试从二进制文件的节头中提取信息。如果二进制文件被触发(例如通过sstrip),或者当加载程序在加载后可能更改内存权限时给出错误信息(例如RELRO的情况),则它不起作用。

The problem with maintenance info sections is that command tries to extract information from the section header of the binary. It does not work if the binary is tripped (e.g by sstrip) or it gives wrong information when the loader may change the memory permission after loading (e.g. the case of RELRO).

回复 原文
~没有更多了~

关于作者

玩世

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

烙印

文章 0 评论 0

singlesman

文章 0 评论 0

给自己一个微笑

文章 0 评论 0

独孤求败

文章 0 评论 0

晨钟暮鼓

文章 0 评论 0

我是自愿种绣球花的

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文