Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Similar documents
Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

X86 Stack Calling Function POV

Buffer Overflow Attack

Simple C Program. Assembly Ouput. Using GCC to produce Assembly. Assembly produced by GCC is easy to recognize:

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

Machine Programming 1: Introduction

CPS104 Recitation: Assembly Programming

W4118: PC Hardware and x86. Junfeng Yang

Intro x86 Part 3: Linux Tools & Analysis

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

ANITA S SUPER AWESOME RECITATION SLIDES

Homework. In-line Assembly Code Machine Language Program Efficiency Tricks Reading PAL, pp 3-6, Practice Exam 1

Assembly Language: Function Calls

Turning C into Object Code Code in files p1.c p2.c Compile with command: gcc -O p1.c p2.c -o p Use optimizations (-O) Put resulting binary in file p

Assembly Language: Function Calls" Goals of this Lecture"

Program Exploitation Intro

Assembly Language: Function Calls" Goals of this Lecture"

x86 Assembly Tutorial COS 318: Fall 2017

Systems I. Machine-Level Programming I: Introduction

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

War Industries Presents: An Introduction to Programming for Hackers Part V - Functions. By Lovepump, Visit:

Lab 10: Introduction to x86 Assembly

Machine-Level Programming I: Introduction Jan. 30, 2001

Instruction Set Architectures

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

Instruction Set Architectures

1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-32 assembly code is produced:

CSC 2400: Computing Systems. X86 Assembly: Function Calls

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College February 9, 2016

CS 31: Intro to Systems ISAs and Assembly. Kevin Webb Swarthmore College September 25, 2018

CSE 351: Week 4. Tom Bergan, TA

CSCI 192 Engineering Programming 2. Assembly Language

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź

Dr. Ramesh K. Karne Department of Computer and Information Sciences, Towson University, Towson, MD /12/2014 Slide 1

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

CMSC Lecture 03. UMBC, CMSC313, Richard Chang

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

Control flow. Condition codes Conditional and unconditional jumps Loops Switch statements

Machine Language, Assemblers and Linkers"

ICS143A: Principles of Operating Systems. Midterm recap, sample questions. Anton Burtsev February, 2017

CS241 Computer Organization Spring 2015 IA

buffer overflow exploitation

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

4) C = 96 * B 5) 1 and 3 only 6) 2 and 4 only

Sistemi Operativi. Lez. 16 Elementi del linguaggio Assembler AT&T

CSE2421 FINAL EXAM SPRING Name KEY. Instructions: Signature

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CISC 360. Machine-Level Programming I: Introduction Sept. 18, 2008

The Microprocessor and its Architecture

Using the GNU Debugger

Using the GNU Debugger

ROP It Like It s Hot!

Homework / Exam. Return and Review Exam #1 Reading. Machine Projects. Labs. S&S Extracts , PIC Data Sheet. Start on mp3 (Due Class 19)

CS 3843 Final Exam Fall 2012

Assembly Language Programming Debugging programs

Carnegie Mellon. 5 th Lecture, Jan. 31, Instructors: Todd C. Mowry & Anthony Rowe

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Meet & Greet! Come hang out with your TAs and Fellow Students (& eat free insomnia cookies) When : TODAY!! 5-6 pm Where : 3rd Floor Atrium, CIT

CSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here

System calls and assembler

x86 architecture et similia

CSCE 212H, Spring 2008 Lab Assignment 3: Assembly Language Assigned: Feb. 7, Due: Feb. 14, 11:59PM

GDB Tutorial. Young W. Lim Tue. Young W. Lim GDB Tutorial Tue 1 / 32

Scott M. Lewandowski CS295-2: Advanced Topics in Debugging September 21, 1998

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

MACHINE-LEVEL PROGRAMMING I: BASICS

A short session with gdb verifies a few facts; the student has made notes of some observations:

Chapter 11. Addressing Modes

The Instruction Set. Chapter 5

Computer Systems Architecture I. CSE 560M Lecture 3 Prof. Patrick Crowley

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

CS / ECE , Spring 2010 Exam 1

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

CS 3214 Spring # Problem Points Min Max Average Median SD Grader. 1 Memory Layout and Locality Bill

CS429: Computer Organization and Architecture

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

Compila(on, Disassembly, and Profiling

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Complex Instruction Set Computer (CISC)

x86 assembly CS449 Fall 2017

System Programming and Computer Architecture (Fall 2009)

Buffer Overflow. An Introduction

Computer Architecture and Assembly Language. Practical Session 3

We can study computer architectures by starting with the basic building blocks. Adders, decoders, multiplexors, flip-flops, registers,...

EXPERIMENT WRITE UP. LEARNING OBJECTIVES: 1. Get hands on experience with Assembly Language Programming 2. Write and debug programs in TASM/MASM

15-213/18-213, Fall 2011 Exam 1

Return-orientated Programming

Machine Level Programming II: Arithmetic &Control

Machine-level Programming (3)

Assembly Language Programming - III

Today: Machine Programming I: Basics

Basic Execution Environment

CS , Fall 2009 Exam 1

Transcription:

X86 Debug Computer Systems Section 3.11

GDB is a Source Level debugger We have learned how to debug at the C level Now, C has been translated to X86 assembler! How does GDB play the shell game? Makes it seem like we execute C code Actually we are executing X86 Assembler Code How do we debug at the X86 level?

Simple C Function int myfunc(int a,int b) { int c; c = a + 3; c = c + b; return c; }

gcc -m32 -O0 -S prog.c prog.c 2. int myfunc(int a,int b) { 3. int c; 4. c = a + 3; 5. c = c + b; 6. return c; 7. } prog.s myfunc: pushl movl subl movl addl movl movl addl movl leave ret %ebp %esp, %ebp $16, %esp 8(%ebp), %eax $3, %eax %eax, -4(%ebp) 12(%ebp), %eax %eax, -4(%ebp) -4(%ebp), %eax

myfunc x86 view int myfunc(int a,int b) { int c; c = a + 3; c = c + b; return c; } myfunc: pushl movl subl movl addl movl movl addl movl leave ret %ebp %esp, %ebp $16, %esp 8(%ebp), %eax $3, %eax %eax, -4(%ebp) 12(%ebp), %eax v %eax, -4(%ebp) -4(%ebp), %eax Memory xffff FFF0 b xffff FFEC x0000 0004 a xffff FFE8 x0000 0003 xffff FFE4 xffff FFE0 c xffff FFDC x0000 000A xffff FFD8 Reg Value ebp xffff FFE0 eax x0000 000A

Cross Reference Information Function Cross Reference Always keep a list of function names, and the location of the first instruction in that function in the executable command The g flag to the compiler tells the compiler to generate and save more cross reference information For each line of code, the address of the first instruction associated with that code For each variable, the location and type of the variable stored in memory For each function, the parameter list

Example Cross Reference xffff FFF0 b xffff FFEC x0000 0004 a xffff FFE8 x0000 0003 xffff FFE4 xffff FFE0 c xffff FFDC x0000 000A xffff FFD8 add $0x3,%eax x0804 839d 83c003 mov 0x8(%ebp),%eax x0804 839a 8b4508 sub $0x10,%esp x08048 397 83ec10 mov %esp,%ebp x0804 8395 89e5 pushl %ebp x0804 8394 55 Func Location Parms myfn x0804 839a a,b main argc,argv Fn/Line Location myfn.4 x0804 839a myfn.5 myfn.6 Variable Location Type myfn.a xffff FFE8 int myfn.b xffff FFEC int myfn.c xffff FFDC int

Breakpoint Processing When you set a breakpoint GDB looks up address of first instruction at that breakpoint Replaces the beginning of the instruction with a TRAP (e.g. 1/0) When the trap is executed, it causes the OS to transfer to the trap handler (in this case, gdb has registered a trap handler) The trap handler invokes the GDB prompt On continue, replace trap with correct instruction, single step, then replace trap

Example break 4 xffff FFF0 b xffff FFEC x0000 0004 a xffff FFE8 x0000 0003 xffff FFE4 xffff FFE0 c xffff FFDC x0000 000A xffff FFD8 add $0x3,%eax x0804 839d 83c003 mov 0x8(%ebp),%eax x0804 839a TRAP; 8b4508 sub $0x10,%esp x08048 397 83ec10 mov %esp,%ebp x0804 8395 89e5 pushl %ebp x0804 8394 55 Func Location Parms myfn x0080 483b1 a,b main x0804 839a Fn/Line Location myfn.4 x0804 839a myfn.5 myfn.6 main.11 main.12 Variable Location Type myfn.a xffff FFE8 int myfn.b xffff FFEC int myfn.c xffff FFDC int

Displaying x86 instructions (gdb) disas[semble] [/m] prints object and x86 assembler version of current function /m include C symbols/instructions when available

Example of disassemble with debug Address of Instruction Offset from start of function x86 instruction (gdb) disassemble /m Dump of assembler code for function main: 9 int main() { 0x080483ae <main+0>: push %ebp 0x080483af <main+1>: mov %esp,%ebp 0x080483b1 <main+3>: sub $0x18,%esp 10 int ma; 11 ma=myfunc(3,4); 0x080483b4 <main+6>: movl $0x4,0x4(%esp) 0x080483bc <main+14>: movl $0x3,(%esp) 0x080483c3 <main+21>: call 0x8048394 <myfunc> 0x080483c8 <main+26>: mov %eax,-0x4(%ebp) 12 return 0; 0x080483cb <main+29>: mov $0x0,%eax 13 } 0x080483d0 <main+34>: 0x080483d1 <main+35>: leave ret End of assembler dump. (gdb)

Example of disassemble without debug (gdb) b main Breakpoint 1 at 0x80483b4 (gdb) run Starting program: /import/linux/home/tbarten1/cs220/examples/xmp_x86/prog Breakpoint 1, 0x080483b4 in main () (gdb) disassemble Dump of assembler code for function main: 0x080483ae <main+0>: push %ebp 0x080483af <main+1>: mov %esp,%ebp 0x080483b1 <main+3>: sub $0x18,%esp 0x080483b4 <main+6>: movl $0x4,0x4(%esp) 0x080483bc <main+14>: movl $0x3,(%esp) 0x080483c3 <main+21>: call 0x8048394 <myfunc> 0x080483c8 <main+26>: mov %eax,-0x4(%ebp) 0x080483cb <main+29>: mov $0x0,%eax 0x080483d0 <main+34>: leave 0x080483d1 <main+35>: ret End of assembler dump. (gdb) Notice break in main AFTER function entry!

Stepping through C/x86 code With debug, step executes to next (debugged) C instruction If you invoke a function that was compiled without debug, skips that function! Without debug, step moves to next (debugged) C instruction Often, OS function that invokes main! Practically Useless! Alternatives : nexti and stepi Executes to the next x86 instruction nexti skips function calls stepi can step into protected (invisible) code!

Example of stepi without debug Breakpoint 1, 0x080483b4 in main () (gdb) disas Dump of assembler code for function main: 0x080483ae <main+0>: push %ebp 0x080483af <main+1>: mov %esp,%ebp 0x080483b1 <main+3>: sub $0x18,%esp 0x080483b4 <main+6>: movl $0x4,0x4(%esp) 0x080483bc <main+14>: movl $0x3,(%esp) 0x080483c3 <main+21>: call 0x8048394 <myfunc> 0x080483c8 <main+26>: mov %eax,-0x4(%ebp) 0x080483cb <main+29>: mov $0x0,%eax 0x080483d0 <main+34>: leave 0x080483d1 <main+35>: ret End of assembler dump. (gdb) stepi 0x080483bc in main () (gdb) stepi 0x080483c3 in main () (gdb) stepi 0x08048394 in myfunc () (gdb) starting location after 1 stepi after 2 stepi after 3 stepi

Avoid Stepping Into Protected Code If you do, stepi continues to work But you can t see where you are You can t see the instructions you are executing You may use the finish command to continue this function until it returns to its caller

Continuous x86 Assembler Print When I debug at the C level, gdb prints out the C instruction it is about to execute When I do stepi or nexti, all I get is an address Until I execute: (gdb) set disassemble-next-line on

stepi with disassemble-next-line (gdb) set disassemble-next-line on (gdb) b main object code Breakpoint 1 at 0x80483b4 (gdb) run Starting program: /import/linux/home/tbarten1/cs220/examples/xmp_x86/prog Breakpoint 1, 0x080483b4 in main () 0x080483b4 <main+6>: c7 44 24 04 04 00 00 00 movl $0x4,0x4(%esp) (gdb) stepi 0x080483bc in main () 0x080483bc <main+14>: c7 04 24 03 00 00 00 movl $0x3,(%esp) (gdb) stepi 0x080483c3 in main () 0x080483c3 <main+21>: e8 cc ff ff ff call 0x8048394 <myfunc> (gdb) stepi 0x08048394 in myfunc () 0x08048394 <myfunc+0>: 55 push %ebp (gdb)

Breakpoints in X86 Its no fun to step through an entire program. I want to set a breakpoint but there is no line number Especially if there is no debug turned on! (gdb) break *<address> Sets a breakpoint at a specific instruction address To specify a hexadecimal address, use 0x prefix!

break at addr Dump of assembler code for function main: 0x080483ae <main+0>: push %ebp 0x080483af <main+1>: mov %esp,%ebp 0x080483b1 <main+3>: sub $0x18,%esp 0x080483b4 <main+6>: movl $0x4,0x4(%esp) 0x080483bc <main+14>: movl $0x3,(%esp) 0x080483c3 <main+21>: call 0x8048394 <myfunc> 0x080483c8 <main+26>: mov %eax,-0x4(%ebp) 0x080483cb <main+29>: mov $0x0,%eax 0x080483d0 <main+34>: leave 0x080483d1 <main+35>: ret End of assembler dump. (gdb) b *080483c3 Invalid number "080483c3". (gdb) b *x080483c3 No symbol table is loaded. Use the "file" command. (gdb) b *0x080483c3 Breakpoint 2 at 0x80483c3 (gdb) c Continuing. Breakpoint 2, 0x080483c3 in main () 0x080483c3 <main+21>: e8 cc ff ff ff call 0x8048394 <myfunc> (gdb)

Register Information (gdb) info reg Displays x86 regs and values (gdb) info reg eax 0xffffdab4-9548 ecx 0x6a0e39fb 1779317243 edx 0x1 1 ebx 0xf7fafff4-134545420 esp 0xffffd9f0 0xffffd9f0 ebp 0xffffda08 0xffffda08 esi 0x0 0 edi 0x0 0 eip 0x80483c8 0x80483c8 <main+26> eflags 0x286[ PF SF IF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99

Memory (gdb) x /<nfu> <address_expression> examines memory starting at <address_expression> using format <nfu> <n> - Number of values to print <f> - Format: <u> - Unit size Address expression can be Constant, e.g. (gdb) x /4i 0x1004011b5 Register, e.g. (gdb) x /4i $eip Pointer variable, e.g. (gdb) x /8cb argv[0] x hexadecimal f d decimal u unsigned dec f floating point a address c character s string i instruction u b 1 h 2 w 4 q 8

Don t Forget Other Cool GDB stuff (gdb)break *0x080483c3 if $eax > 13 (gdb) commands x /4dw $esp stepi end (gdb)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback