Is there any way to only show the functions that have been implemented by the binary being debugged in GDB? It doesn't seem that 'info functions' has any other options than a regex filter. I was thinking that it may be possible to view the memory addresses where the binary is located, then based on the location of the function address in a full 'info functions' determine if each is part of the binary, or part of something else. However, I dont know how to do that in gdb - I know vmmap shows this sort of information.
Anyone know how to do this? Suggestions?
Related
I am using gdb to trace a program's execution flow. I am using an open source codebase and using certain library functions for my task. I am interested to know the path the program takes to reach the particular function, where I have placed a breakpoint. Is there a way in gdb to list all the functions called before the breakpoint is reached. I am looking to add a field to a particular data structure and it can be done only if I know in which exact function is the data structure being modified.
I am interested to know the path the program takes to reach the particular function, where I have placed a breakpoint.
This is possible by setting a breakpoint on every function, with something like rbreak ., but is not a viable approach for anything larger than tiny toy programs.
Is there a way in gdb to list all the functions called before the breakpoint is reached.
No.
I am looking to add a field to a particular data structure and it can be done only if I know in which exact function is the data structure being modified.
You are holding it wrong. You are trying to replace code understanding and indexing tool with GDB, but GDB is not such a tool.
Further, knowing all functions that have been called before the breakpoint in no way answers "which exact function(s) modified the structure" -- you get a superset instead. That superset can be 1000 times larger than the set you are interested in.
TL;DR: read the source, use tools that help with code understanding and indexing, and don't try to use GDB as such a tool (you'll fail).
Is it possible to 'peek' at the stack enough to deduce, perhaps by mapping an address to the debug .map file or something, what the calling function is programmatically?
I have a function that is called from a ton of different places, and basically if possible I would like to be able to programmatically log out who called the function so that I can trace the progression of parameter values over time, and be able to connect them back to where they may be going wrong. I could add a parameter so that the caller must provide a user string or something, but I'd like to do something less intrusive if it's possible.
GCC has features for this, such as __builtin_return_address (see http://gcc.gnu.org/onlinedocs/gcc/Return-Address.html). They should be used only for debugging or special testing purposes and not as part of production code.
You can generate MiniDump files using windows API and load them later in the debugger and if symbols are available you should be able to debug the crash and investigate values of variables.
I'm currently working on some system level code where I would like to be able to identify the memory section(s) that are from the loaded binary in order to detect things like corrupted or modified instructions;
Essentially what I'm after is a way, in Win32 using C++, to get a pointer to the range of instructions. This is somewhat similar to asking for a function pointer to the .text section's start and end. My understanding of the exe format is that the .text section is where instructions are stored, versus the .data section which holds things like global variables. Unfortunately I've found 0 hints on where this might be (I've seen no win32 function calls, nothing in the TIB, etc.)
Can anyone direct me to where I could find/calculate this information?
P.S. I do understand that if anyone changes code maliciously that they may find this code and change it; I'm still interested in the details of how to get at this information for my own curiosity.
You can't really expect this to work with an in memory binary. Any function calls to imported DLLs will get modified by the loader to point to the actual locations of the target procedures in the DLL that is loaded.
For example suppose you call a function in kernel32.dll. Then a Windows update happens which changes kernel32.dll. The next time you run your app, the jump to the function in kernel32.dll is going to be to a different memory address than the before the Windows update was applied.
And of course this all assumes that DLLs load at their preferred address. And then you may have some self-modifying code.
And so on, and so on.
You can find the entry-point to your code in the PE header. Download the PE (Portable Executable) file definition from MSDN - it has all the information. The format of the program in memory is virtually the same as it is on disk. From within the code, you can get a pointer to the PE header in memory via the GetModuleHandle() function (the handle is really a pointer to the first page).
This doesn't directly answer your question, but for your overall solution, you could look into Code Signing. If you like this solution, there are existing implementations on Windows.
As you said, binary verification alone won't solve your problem. You should also look into installing your application in an area of the file system that requires elevation/admin rights to write to, such as Program Files, or deploy it somewhere a user can't directly modify it, like a web server.
How to find address of function pointers in a running process?
I am currently using C++ under Windows XP and wish to find the address of a function. Could somebody help me please? If you could, please give me an example. Thanks.
Simplest way: Use the debug symbols.
If there are no symbols, you're going to have to figure out where your functions are the hard way (reverse compile, find entry points, find function which looks like the one you want). Software such as IDA Pro is your best bet.
I have the location/offset of a particular function present inside an executable. Would it be possible to call such a function (while suppressing the CRT's execution of the executable's entry point, hopefully) ?
In effect, you can simulate the Windows loader, assuming you run under Windows, but the basics should be the same on any platform. See e.g. http://msdn.microsoft.com/en-us/magazine/cc301805.aspx.
Load the file into memory,
Replace all relative addresses of functions that are called by the loaded executable with the actual function addresses.
Change the memory page to "executable" (this is the difficult and platform-dependent part)
Initialize the CRT in order to, e.g., initialize static variables.
Call.
However, as the commenters point out correctly, this might only be practical as an exercise using very simple functions. There are many, many things that can go wrong if you don't manage to emulate the complete OS loader.
PS: You could also ask the Google: http://www.cultdeadcow.com/tools/pewrap.html
PPS: You may also find helpful advice in the "security" community: https://www.blackhat.com/presentations/bh-usa-07/Harbour/Whitepaper/bh-usa-07-harbour-WP.pdf
Yes, you can call it, if you will initialize all global variables which this function uses. Probably including CRT global variables. As alternative way, you can hook and replace all CRT functions that callee uses. See disassembly of that function to get right solution.
1) Take a look at the LoadLibraryEx() API. It has some flags that could be able to do all the dirty work described by Sebastian.
2) Edit the executable. Several modified bytes will do the job. Here is some documentation on the file format: http://docsrv.sco.com:507/en/topics/COFF.html