ELF核心文件格式

发布于 2024-11-07 02:49:57 字数 499 浏览 4 评论 0原文

如果没有深入研究 GDB 源代码,我在哪里可以找到有关用于创建核心文件的格式的文档?

ELF 规范使核心文件格式保持开放,所以我想这应该是 GDB 规范的一部分!遗憾的是,我没有从 GNU 的 gdb 文档中找到这方面的任何帮助。

这就是我想要做的:将虚拟地址映射到包含正在运行的进程的可执行文件/库中的函数名称。为此,我首先想从核心文件中找出从虚拟地址空间到可执行文件/库名称的映射,然后深入相关文件以获取符号信息。

现在“readelf -a core”告诉我,核心文件中的几乎所有段都是“load”类型——我猜这些是来自所有参与文件的.text和.bss/.data段,加上堆栈段。除了这些负载段之外,还有一个注释段,但似乎不包含地图。那么一个段对应哪个文件的信息,是如何存储在core文件中的呢?这些“加载”段格式是否以特定方式包含文件信息?

Short of digging through GDB source, where can I find documentation about the format used to create core files?

The ELF specification leaves the core file format open, so I guess this should be part of the GDB specifications! Sadly, I did not find any help in this regard from GNU's gdb documentation.

Here's what I am trying to do: Map virtual addresses to function names in executable/libraries that comprised the running process. To do that, I would first like to figure out, from the core file, the map from virtual address space to the name of the executable file/libraries, and then dig into the relevant file to get the symbolic information.

Now 'readelf -a core' tells me that nearly all the segments in the core file are of the type 'load' -- I'd guess these are the .text and .bss/.data segments from all the participating files, plus a stack segment. Barring these load segments, there is one note segment, but that does not seem to contain the map. So how is the information about which file a segment corresponds to, stored in the core file? Are those 'load' segments format in a particular way to include the file information?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

走野 2024-11-14 02:49:57

核心转储文件格式使用 ELF 格式,但 ELF 标准中没有描述。 AFAIK,这方面没有权威参考。

那么一个段对应哪个文件的信息是如何存储在核心文件中的呢?

ELF 注释中包含许多额外信息。您可以使用 readelf -n 来查看它们。

CORE/NT_FILE 注释定义了内存地址范围和文件(+ 偏移量)之间的关联:

Page size: 1
             Start                 End         Page Offset
0x0000000000400000  0x000000000049d000  0x0000000000000000
    /usr/bin/xchat
0x000000000069c000  0x00000000006a0000  0x000000000009c000
    /usr/bin/xchat
0x00007f2490885000  0x00007f24908a1000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908a1000  0x00007f24908bd000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908bd000  0x00007f2490eb0000  0x0000000000000000
    /usr/share/fonts/opentype/ipafont-gothic/ipag.ttf
[...]

对于每个线程,您应该有一个 CORE/NT_PRSTATUS 注释,它为您提供线程的寄存器(包括堆栈)指针)。您也许可以从中推断出堆栈的位置。

有关 ELF 核心文件格式的更多信息:

The core dump file format is using the ELF format but is not described in the ELF standard. AFAIK, there is no authoritative reference on this.

so how is the information about which file a segment corresponds to, stored in the core file?

A lot of extra information is contained within the ELF notes. You can use readelf -n to see them.

The CORE/NT_FILE note defines the association between memory address range and file (+ offset):

Page size: 1
             Start                 End         Page Offset
0x0000000000400000  0x000000000049d000  0x0000000000000000
    /usr/bin/xchat
0x000000000069c000  0x00000000006a0000  0x000000000009c000
    /usr/bin/xchat
0x00007f2490885000  0x00007f24908a1000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908a1000  0x00007f24908bd000  0x0000000000000000
    /usr/share/icons/gnome/icon-theme.cache
0x00007f24908bd000  0x00007f2490eb0000  0x0000000000000000
    /usr/share/fonts/opentype/ipafont-gothic/ipag.ttf
[...]

For each thread, you should have a CORE/NT_PRSTATUS note which gives you the registers of the thread (including the stack pointer). You might be able to infer the position of the stacks from this.

More information about format of ELF core files:

暗恋未遂 2024-11-14 02:49:57

核心转储是进程崩溃时的内存中映像。它包括程序段、栈、堆和其他数据。您仍然需要原始程序才能理解内容:符号表和其他数据使内存映像中的原始地址和结构有意义。

A core dump is the in-memory image of the process when it crashed. It includes the program segments, the stack, the heap and other data. You'll still need the original program in order to make sense of the contents: the symbol tables and other data make the raw addresses and structures in the memory image meaningful.

[浮城] 2024-11-14 02:49:57

与其说是 gdb,不如说是 gdb、binutils 等使用的 bfd 库。

Not so much gdb as the bfd library used by gdb, binutils, etc.

凯凯我们等你回来 2024-11-14 02:49:57

有关生成核心文件的进程的附加信息存储在 ELF 注释部分中,尽管是以操作系统特定的方式。例如,请参阅 core(5) 手册页了解 NetBSD

Additional information about the process that generated the core file is stored in an ELF note section, albeit in an operating system specific manner. For example, see the core(5) manual page for NetBSD.

风月客 2024-11-14 02:49:57

解决问题的一个更简单的解决方案可能是解析 /proc/$pid/maps 中的文本以确定给定的虚拟地址映射到哪个文件。然后就可以解析对应的文件了。

Kenshoto 的开源 VDB(调试器)就使用了这种方法,如果你能读懂 python,它就是一个很好的例子。

A simpler solution to your problem may be to parse text from /proc/$pid/maps to determine what file a given virtual address maps to. You could then parse the corresponding file.

Kenshoto's open source VDB (debugger) uses this approach, if you can read python it is a good example.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文