2004-04-23 15:18 PM
Authors: from: Linux knowledge base Contact: anonymous 1. Introduction GNU debugger, called gdb, the program is an interactive tool, work in character mode. In the X WINDOW system, there is a front-end graphics tool for GDB, called XXGDB. GDB is a powerful debugger that completes the following debug tasks: * Sets breakpoints; * Monitor the value of the program variable; * Single step execution of the program; * Modify the value of the variable. You must compile the source file with the -g option before you can use the GDB debugger. CFLAGS variables can be defined in makefile: cflags = -g When running a GDB debugger, use the following command: GDB ProgName typed Help at the GDB prompt, will list the classification of commands, the main classification is: * aliases: command Alias * Breakpoints: breakpoint definition; * data: Data View; * files: Specify and view files; * Internals: maintenance command; * Running: Program execution; * Stack: Call stack View; * Statu: status View; * TRACEPOINTS: Track the program execution. Type the classification name of the command after Help, you can get a detailed list of this class command. 2. Common command table 1-4 Commonly used GDB command commands Explain that Break Num sets breakpoints on the specified row. BT displays all call stack frames. This command can be used to display the call sequence of the function. CLEAR Deletes the breakpoints set on a specific source file. The usage is: Clear FileName: Num. Continue continues to perform the program being debugging. This command is used to stop running due to processing signals or breakpoints. Display Expr is displayed for each program to stop the value of the expression. The expression consists of a variable defined by the program. File File loads the specified executable for debugging. Help name shows the help information of the specified command. Info Break displays the current breakpoint list, including the number of times at the breakpoint. Info files displays details of the debugged file. INFO FUNC displays all function names. INFO LOCAL displays local variable information in a function. INFO PROG displays the execution status of the debugged program. INFO VAR displays all global and static variable names. Kill terminates the procedure being debugged. List Displays the source code segment. Make Runs the Make tool without exiting GDB. NEXT performs a row source code forward without single step to enter other functions. Print EXPR displays the value of Expression EXPR. 3.GDB Examples ---------------- list a wrong C source program bugging.c ----------------- #include
The program uses a string String that has not been initialized, so after compiling and running, Segment Fault error will appear: $ gcc -o test -g test.c $ ./test please input a string: asfd segmentation fault ( Core Dumped) In order to find problems in the program, we use GDB and proceed as follows: 1. Run the gdb bugging command to load the bugging executable; 2. Perform the loaded bugging command; 3. Use the where command to view the place where the program is wrong; 4. Use the list command to view the code near the CENS function; 5. The only factor that can cause a gets function error is the variable string. Use the print command to view the value of String; 6. In GDB, we can directly modify the value of the variable, as long as the String takes a legal pointer value, for this, we set a breakpoint at the 11th line; 7. The program is running to the 11th row. At this time, we can use the set variable command to modify the value of the String; 8. Then continue to run, will see the correct program operation results. [table of Contents] ----------------------------------------------- --------------------------------- GCC common option to code influence BY ALERT7 2001-12-21 Test Environment RedHat 6.2 ★ Preface This article discusses some of GCC's common compilation options on code. Of course, the code has changed, and its memory layout will change, and the Exploit will make a corresponding change. GCC's compilation option is too much, and this text is verified for several most common options.
★ Demo [Alert7 @ redhat62 alert7] $ cat> test.c #include void hi (void) {printf ("hi");} int main (int Argc, char * argv [}) {hi (); returnograph ; } [table of Contents] --------------------------------------------- ----------------------------------- General situation ★ General situation [Alert7 @ redhat62 alert7] $ gcc-@ test test.c [alert7 @ redhat62 alert7] $ wc -c test 11773 test [alert7 @ redhat62 alert7] $ gdb -q test (gdb) disass main Dump of assembler code for function main: 0x80483e4: push% ebp 0x80483e5: mov% esp,% ebp 0x80483e7: call 0x80483d0 0x80483ec: xor% eax,% eax 0x80483ee: jmp 0x80483f0 0x80483f0: leave 0x80483f1: ret .... End of assembler dump (gdb) disass hi dump of assembler code for function hi:. 0x80483d0: push% ebp 0x80483d1: mov% esp,% ebp 0x80483d3: push $ 0x8048450 0x80483d8: call 0x8048308 0x80483dd: add $ 0x4,% esp 0x80483e0: leave 0x80483e1: ret 0x80483e2:. mov% esi,% esi End of assembler dump a look Partial memory image (memory high site) ------ | bffffbc4 | ARGV address (ie argv [0] address) 0xBffFFB84 -------- | 00000001 | Argc Value 0xBFFF fb80 -------- | 400309cb | main return address 0xbffffb7c -------- <- before calling the main function esp | bffffb98 | call the main function before ebp 0xbffffb78 - ------ <- Main function EBP | 080483EC | Hi () return address 0xBffffb74 -------- | BffB78 | Call Hi () ESP 0xBffFFFFB70 --- ----- | 08048450 | "hi" address 0xBffffb6c -------- | ... | (Memory low site) Leave instructions Pregs equivalent to MOV ESP, EBP Then the Pop EBP RET instruction is equivalent to POP EIP [Contents] -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -------------------------------------------- -O compilation option ★ -o compile option with `-o ', The Compiler Tries To Reduce Code Size and Execution Time. When You Specify` -o', The Two Options `-fthread-jumps 'and` -fdefer-pop'
Are Turned ON ON ON ON ON Time [Alert7 @ redhat62 alert7] $ gcc -o -o test test.c [alert7 @ redhat62 alert7] $ wc -c test 11757 test [alert7 @ redhat62 alert7] $ gdb - q test (gdb) disass main Dump of assembler code for function main: 0x80483d8: push% ebp 0x80483d9: mov% esp,% ebp 0x80483db: call 0x80483c8 0x80483e0: xor% eax,% eax 0x80483e2: leave 0x80483e3: ret 0x80483e4: nop. .. End of assembler dump (gdb) disass hi Dump of assembler code for function hi:. 0x80483c8: push% ebp 0x80483c9: mov% esp,% ebp 0x80483cb: push $ 0x8048440 0x80483d0: call 0x8048308 0x80483d5: leave 0x80483d6: ret 0x80483d7: Nop end of assembler dump. In main (), an JMP instruction is optimized, it is clear that this instruction can be unwanted. In hi (), put the add $ 0x4,% ESP, will this not balance the Stack? Take a look at the memory image (memory high site) ------ | Bffffbc4 | ARGV address (ie argv [0] address) 0xBffffB84 -------- | 00000001 | ARGC value 0xBffffb80 -------- | 400309CB | Main return address 0xBffffb7c -------- <- ESP | bffb98 before calling the main function | before calling the main function EBP 0xBFFFFB78 ------ <- Main function EBP | 080483E0 | Hi () return address 0xBffffb74 -------- | bffffb78 | Call Hi () ESP 0xBffffb70 -------- | 08048440 | "Hi" address 0xBffffb6c -------- | ... | (Memory low) Leave instructions are comparable The MOV ESP, EBP then POP EBP. Seeing the Leave instruction does not operate, first put EBP -> ESP, then POP EBP, so even if the stack of ESPs in the process, EBP is unbalanced, but as long as it returns to the Leave instruction, it will balance, so There is no problem with add $ 0x4,% ESP optimization.
[table of Contents] ----------------------------------------------- ------------------------------- -O2 compile options ★ -O2 compile options -O2 Optimize Even More. Nearly All supported optimizations that do not involve a space-speed tradeoff are performed. Loop unrolling and function inlining are not done, for example. As compared to -O, this option increases both compilation time and the performance of the generated code. [alert7 @ redhat62 Alert7] $ gcc -o2 -o test test.c [alert7 @ redhat62 alert7] $ wc -c test 11757 test [alert7 @ redhat62 alert7] $ gdb -q test (gdb) Disass main dump of askeMbler code for function main: 0x80483d8 : push% ebp 0x80483d9: mov% esp,% ebp 0x80483db: call 0x80483c8 0x80483e0: xor% eax,% eax 0x80483e2: leave 0x80483e3: ret ... 0x80483ef: nop End of assembler dump (gdb) disass hi dump of assembler code. for function hi: 0x80483c8: push% ebp 0x80483c9: mov% esp,% ebp 0x80483cb: push $ 0x8048440 0x80483d0: call 0x8048308 0x80483d5: leave 0x80483d6: ret 0x80483d7: nop End of assembler dump Since the program is relatively simple, the optimization is not optimized, so it is the same as -O. [table of Contents] ----------------------------------------------- ------------------------------- -Fomit-frame-pointer compile option ★ -FOMIT-FRAME-POINTER Compilation option -fomit-frame-pointer do not keep the frame pointer in a register for functions that do not need one This avoids the instructions to save, set up and restore frame pointers;. it also makes an extra register available in many functions. IT Also Makes Debugging Impossible on Most Machines. Ignore the frame pointer. This does not need to save, install, and restore EBP in the program. This way, EBP is also a Free's register, and you can use it in a function.
[Alert7 @ redhat62 alert7] $ gcc -fomit-frame-pointer -o test test.c [alert7 @ redhat62 alert7] $ wc -c test 11773 test [alert7 @ redhat62 alert7] $ gdb -q test (gdb) Disass Main Dump of assembler code for function main: 0x80483e0: call 0x80483d0 0x80483e5: xor% eax,% eax 0x80483e7: jmp 0x80483f0 0x80483e9: lea 0x0 (% esi, 1),% esi 0x80483f0: ret .... End of assembler dump (gdb. ) disass hi dump of assembler code for function hi: 0x80483d0: push $ 0x8048450 0x80483d5: call 0x8048308 0x80483da: add $ 0x4,% esp 0x80483dd: ret 0x80483de: mov% esi,% esi End of assembler dump in main () and the hi. () In the following instructions, PUSH% EBP MOV% ESP,% EBP // These two instructions are removed to install Leave // This instruction is restored to see partial memory images (memory high site) --- --- | Bffffbc4 | ARGV address (ie argv [0] address) 0xBffffb84 -------- | 00000001 | ARGC value 0xBffFFFB80 ------ | 400309CB | Main return address 0xBffffb7c -------- | 080483E5 | Hi () return address 0xBffffb78 -------- | 08048450 | "hi" string address 0xBfffb74 --- ----- | ... | (Memory low) does not save EBPs in the upper execution environment. [Contents] ---------------------------------------------------- ---------------------------------------------- -------------- -FOMIT-FRAME-POINTER && -O2 ★ -Fomit-frame-point &&-★fomit-frame-Pointer Compile option removes PUSH% EBP MOV% ESP, % EBP // These two instructions Install Leave // This instruction recovery -O2 compile option removes Add $ 0x4,% ESP does not add together to go together, so that Stack is unbalanced? [alert7 @ redhat62 alert7] $ gcc -fomit-frame-pointer -o2 -o test test.c [alert7 @ redhat62 alert7] $ wc -c test 11741 test [Alert7 @
redhat62 alert7] $ gdb -q test (gdb) disass main Dump of assembler code for function main: 0x80483d8: call 0x80483c8 0x80483dd: xor% eax,% eax 0x80483df: ret End of assembler dump (gdb) disass hi Dump of assembler code. for function hi: 0x80483c8: push $ 0x8048430 0x80483cd: call 0x8048308 0x80483d2: add $ 0x4,% esp 0x80483d5: ret 0x80483d6: mov% esi,% esi End of assembler dump a look at part of the memory image (high memory address). ------ | Bffffbc4 | ARGV address (ie argv [0] address) 0xBffffb84 -------- | 00000001 | ARGC value 0xBffffB80 ------------ - | 400309CB | Main return address 0xBffffb7c -------- | 080483DD | Hi () return address 0xBffffb78 -------- | 08048430 | "hi" string Address 0xBffFFFB74 -------- | ... | (Memory low) At this time, the Add $ 0x4,% ESP is optimized. If you optimize it, the whole stack will change. Unbalanced, thereby causing a process error. [table of Contents] ----------------------------------------------- --------------------------------- -FPIC compilation option ★ -fpic compilation option -fpic if supported for the target machine Emit Position-Independent Code, Suitable for Dynamic Linking, Even if Branches Need LINKING, EVEN IF BRANCHES NEED LARGE DISPLACEments. Generating a location-independent code (PIC), usually used when you create a shared library. On x86, the symbolic reference of the PIC's code is operated by EBX.
[Alert7 @ redhat62 alert7] $ gcc-fpic -o test test.c [alert7 @ redhat62 alert7] $ wc -c test 11805 test [alert7 @ redhat62 alert7] $ gdb -q test (gdb) Disass main dump of askeMbler code for Function main: 0x80483f8: push% EBP 0X80483F9: MOV% ESP,% EBP 0x80483FB: PUSH% EBX 0x80483FC: CALL 0X8048401 0X8048401: POP% EBX / / Address 0x8048402: Add $ 0x1093,% EBX / / At this time EBX GOT address is stored inside the table 0x8048408: call 0x80483d0 0x804840d: xor% eax,% eax 0x804840f: jmp 0x8048411 0x8048411: mov 0xfffffffc (% ebp),% ebx 0x8048414: leave 0x8048415: ret ... End of assembler dump (. gdb) disass hi Dump of assembler code for function hi: 0x80483d0: push% ebp 0x80483d1: mov% esp,% ebp 0x80483d3: push% ebx 0x80483d4: call 0x80483d9 0x80483d9: pop% ebx 0x80483da: add $ 0x10bb,% ebx 0x80483e0: lea 0xffffefdc (% ebx),% edx 0x80483e6: mov% edx,% eax 0x80483e8: push% eax 0x80483e9: call 0x8048308 0x80483ee: add $ 0x4,% esp 0x80483f1: mov 0xfffffffc (% ebp),% ebx 0x80483f4: leave 0x80483f5: ret 0x80483F6: MOV% ESI,% ESI end of A SSEMBLER DUMP. Take a look at the memory image (memory high site) ------ | Bffffbc4 | argv's address (ie argv [0] address) 0xBfffB84 ------- - | 00000001 | ARGC value 0xBfffffb80 -------- | 400309CB | Main return address 0xBffffb7c -------- <- ESP before the main function is called | bffffb98 | call EBP 0xBFFFFB78 ------ <- Main function before the main function EBP | 401081 EC | Save EBX 0xBffFFFB74 -------- | 0804840D | (Solving Call 0x8048401) One instruction address) 0xBffffb70 -------- | Bffffb78 | Call Hi () ESP 0xBffffB6C ------ | 08049494 | GOT table address 0xBfffffB68 ------------------------ - | 08048470 | (Store the next instruction address of Call 0x80483D9) 0xBffffb64 ------
