Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

Similar documents
Binghamton University. CS-220 Spring X86 Debug. Computer Systems Section 3.11

CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor

Lab 7 Linux Debugging. EECS 448: Software Engineering I Mark Calnon October 17, 2011

CS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:

CS-220 Spring 2018 Final Exam Version Practice May 10, Name:

Machine Program: Procedure. Zhaoguo Wang

CSCI 2021: x86-64 Control Flow

Buffer Overflow. An Introduction

+ Machine Level Programming: x86-64 History

CS 261 Fall Binary Information (convert to hex) Mike Lam, Professor

CSE 351 Section 4 GDB and x86-64 Assembly Hi there! Welcome back to section, we re happy that you re here

void P() {... y = Q(x); print(y); return; } ... int Q(int t) { int v[10];... return v[t]; } Computer Systems: A Programmer s Perspective

CS356: Discussion #8 Buffer-Overflow Attacks. Marco Paolieri

Buffer Overflow Attack

CS 107 Lecture 10: Assembly Part I

CSE351 Autumn 2012 Midterm Exam (5 Nov 2012)

CSE 351 Midterm - Winter 2017

C to Assembly SPEED LIMIT LECTURE Performance Engineering of Software Systems. I-Ting Angelina Lee. September 13, 2012

CS429: Computer Organization and Architecture

Do not turn the page until 5:10.

How Software Executes

18-600: Recitation #3

Instruction Set Architectures

CSE 351 Midterm - Winter 2015 Solutions

CSE 351 Midterm - Winter 2015

Download the tarball for this session. It will include the following files:

Machine Programming 3: Procedures

Machine-Level Programming I: Basics

1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-64 assembly code is produced:

Simple C Program. Assembly Ouput. Using GCC to produce Assembly. Assembly produced by GCC is easy to recognize:

Recitation: Attack Lab

1 Number Representation(10 points)

Machine-level Representation of Programs. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow Attack (AskCypert CLaaS)

Computer Systems C S Cynthia Lee

University of Washington

Recitation 4: Bomb Lab

Machine/Assembler Language Putting It All Together

MACHINE-LEVEL PROGRAMMING I: BASICS COMPUTER ARCHITECTURE AND ORGANIZATION

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Today: Machine Programming I: Basics

18-600: Recitation #4 Exploits

CS 33. Linkers. CS33 Intro to Computer Systems XXV 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

6.1. CS356 Unit 6. x86 Procedures Basic Stack Frames

Credits and Disclaimers

Compiler Design IIIT Kalyani, West Bengal 1. Introduction. Goutam Biswas. Lect 1

Princeton University Computer Science 217: Introduction to Programming Systems. Assembly Language: Function Calls

Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition. Carnegie Mellon

CSE 351 Midterm Exam

Assembly I: Basic Operations. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Carnegie Mellon. 5 th Lecture, Jan. 31, Instructors: Todd C. Mowry & Anthony Rowe

Machine-Level Programming III: Procedures

CS , Fall 2007 Exam 1

Review addressing modes

Machine-level Programs Procedure

Download the tarball for this session. It will include the following files:

CS356: Discussion #15 Review for Final Exam. Marco Paolieri Illustrations from CS:APP3e textbook

Meet & Greet! Come hang out with your TAs and Fellow Students (& eat free insomnia cookies) When : TODAY!! 5-6 pm Where : 3rd Floor Atrium, CIT

Recitation: Bomb Lab. September 17 th 2018


CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2018 Lecture 4

CS377P Programming for Performance Single Thread Performance In-order Pipelines

Registers. Ray Seyfarth. September 8, Bit Intel Assembly Language c 2011 Ray Seyfarth

Today: Machine Programming I: Basics. Machine Level Programming I: Basics. Intel x86 Processors. Intel x86 Evolution: Milestones

Computer Architecture and System Programming Laboratory. TA Session 3

Machine Language, Assemblers and Linkers"

Generation. representation to the machine

The Hardware/Software Interface CSE351 Spring 2015

How Software Executes

Assembly Language: Function Calls

CS377P Programming for Performance Leveraging the Compiler for Performance

Assembly Programmer s View Lecture 4A Machine-Level Programming I: Introduction

IA-32 & AMD64. Crash Dump Analysis 2015/2016. CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics.

18-600: Recitation #4 Exploits (Attack Lab)

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Procedures and the Call Stack

Chapter 3 Machine-Level Programming I: Basics. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition

MACHINE-LEVEL PROGRAMMING I: BASICS

Function Call Convention

15-213/18-213, Fall 2011 Exam 1

Lab 10: Introduction to x86 Assembly

CSE 351 Spring 2017 Midterm Exam (8 May 2017)

15-213/18-243, Fall 2010 Exam 1 - Version A

Do not turn the page until 5:10.

CSE351 Spring 2018, Midterm Exam April 27, 2018

Do not turn the page until 5:10.

Machine Level Programming: Basics

%r8 %r8d. %r9 %r9d. %r10 %r10d. %r11 %r11d. %r12 %r12d. %r13 %r13d. %r14 %r14d %rbp. %r15 %r15d. Sean Barker

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

Systems Programming and Computer Architecture ( )

CS 107. Lecture 13: Assembly Part III. Friday, November 10, Stack "bottom".. Earlier Frames. Frame for calling function P. Increasing address

Changelog. Assembly (part 1) logistics note: lab due times. last time: C hodgepodge

Corrections made in this version not seen in first lecture:

Return Oriented Programming

Computer Systems C S Cynthia Lee

CSE351 Autumn 2014 Midterm Exam (29 October 2014)

The Stack & Procedures

CS527 Software Security

CS 33. Machine Programming (2) CS33 Intro to Computer Systems XII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

15-213/18-243, Spring 2011 Exam 1

Transcription:

X86 Debug Computer Systems Section 3.11

GDB is a Source Level debugger We have learned how to debug at the C level But the machine is executing X86 object code! How does GDB play the shell game? Makes it seem like we execute C code Actually we are executing X86 Assembler Code How do we debug at the X86 level?

Simple C Function int add(int x, int y) { int op1=x; int op2=y; int res=op1+op2; return res; }

gcc -O0 -S x86math.c x86math.c int add(int x, int y) { int op1=x; int op2=y; int res=op1+op2; return res; } x86math.s add:.lfb3:.lfe3:.globl.type add add, @function.cfi_startproc pushq %rbp.cfi_def_cfa_offset 16.cfi_offset 6, -16 movq %rsp, %rbp.cfi_def_cfa_register 6 movl -12(%rbp), %eax popq %rbp.cfi_def_cfa 7, 8 ret.cfi_endproc.size add,.-add

gcc O0 -g -Wall -fverbose-asm -Wa,-adhln=x86Math.s x86math.c x86math.c int add(int x, int y) { int op1=x; int op2=y; int res=op1+op2; return res; } x86math.s 132.globl add 134 add: 32:x86Math.c **** int add(int x, int y) { 136.loc 1 32 0 137.cfi_startproc 138 00db 55 pushq %rbp # 139.cfi_def_cfa_offset 16 140.cfi_offset 6, -16 141 00dc 4889E5 movq %rsp, %rbp #, 36:x86Math.c **** return res; 156.loc 1 36 0 157 00fc 8B45F4 movl -12(%rbp), %eax # res, D.2781 37:x86Math.c **** } 158.loc 1 37 0 159 00ff 5D popq %rbp # 160.cfi_def_cfa 7, 8 161 0100 C3 ret 162.cfi_endproc

add x86 view Memory xffff E860 int add(int x, int y) { int op1=x; int op2=y; int res=op1+op2; return res; } pushq movq movl movl movl movl movl movl movl movl addl movl movl popq ret %rbp %rsp, %rbp %edi, -20(%rbp) %esi, -24(%rbp) -20(%rbp), %eax %eax, -4(%rbp) -24(%rbp), %eax %eax, -8(%rbp) -4(%rbp), %edx -8(%rbp), %eax %edx, %eax %eax, -12(%rbp) -12(%rbp), %eax %rbp op1 xffff E85C x0000 0000 op2 xffff E858 x0000 0004 res xffff E854 x0000 0004 xffff E850 x xffff E84C x0000 0000 y xffff E848 x0000 0004 Reg Value rbp x7fff FFFFF FFFF E860 rdi x0000 0000 0000 0000 rsi x0000 0000 0000 0004 rax temp-> x0000 0004 rdx temp

Instruction in Memory 400621: 55 push %rbp 400622: 48 89 e5 mov %rsp,%rbp 400625: 89 7d ec mov %edi,-0x14(%rbp) 400628: 89 75 e8 mov %esi,-0x18(%rbp) 40062b: 8b 45 ec mov -0x14(%rbp),%eax 40062e: 89 45 fc mov %eax,-0x4(%rbp) 400631: 8b 45 e8 mov -0x18(%rbp),%eax 400634: 89 45 f8 mov %eax,-0x8(%rbp) 400637: 8b 55 fc mov -0x4(%rbp),%edx 40063a: 8b 45 f8 mov -0x8(%rbp),%eax 40063d: 01 d0 add %edx,%eax Memory xffff E860 op1 xffff E85C x0000 0004 op2 xffff E858 x0000 0003 xffff E854 xffff E850 x xffff E84C x0000 0000 y xffff E848 x0000 0004 35 0040 0638 x55fc 8b45 0040 0634 x8945 f88b 34 0040 0630 xfc8b 45e8 0040 062C x45ec 8945 33 0040 0628 x8975 e88b 0040 0624 xe589 7dec 32 0040 0620 x??55 4889

Symbol Table Created by compiler, kept in binary executable file One row per symbol Columns: name, location, attributes, type of symbol C compiler always keeps all function names in symbol table! Location is address of first instruction in the function The g flag causes compiler to add more to the symbol table Local and Global variables Function parameters C File and Line Numbers

Symbol Table plus Debug Info Symbol Type Attributes Location main F 0040 0546 add F 0040 0621 x P local -0x14(%rbp) y P local -0x18(%rbp) op1 V local -0x4(%rbp) op2 V local -0x8(%rbp) res V local -0xC(%rbp) x86math.c:32 L 0040 0621 x86math.c:33 L 0040 062b subtract F 0040 0647 mult F 0040 0672 Relative location to accommodate multiple invocations

Breakpoint Processing When you set a breakpoint GDB looks up address of first instruction at that breakpoint Replaces the beginning of the instruction with a TRAP (e.g. 1/0) When the trap is executed, it causes the OS to transfer to the trap handler (in this case, gdb has registered a trap handler) The trap handler invokes the GDB prompt On continue, replace trap with correct instruction, single step, then restore trap, then continue

Example: break 33 Symbol Type Attributes Location add F 0040 0621 x P local -0x14(%rbp) x86math.c:32 L 0040 0621 x86math.c:33 L 0040 062b Replaced with TRAP Memory xffff E860 xffff E85C x0000 0004 xffff E858 x0000 0003 xffff E854 xffff E850 xffff E84C x0000 0000 xffff E848 x0000 0004 0040 0638 x55fc 8b45 0040 0634 x8945 f88b 0040 0630 xfc8b 45e8 0040 062C x45ec 8945 0040 0628 x8975 e88b 0040 0624 xe589 7dec 0040 0620 x??55 4889

Displaying x86 instructions (gdb) disas[semble] [/m] prints object and x86 assembler version of current function /m include C symbols/instructions when available

Example of disassemble with debug C line number Next instruction waiting to execute Address of x86 Instruction (gdb) disassemble /m Dump of assembler code for function add: 32 int add(int x, int y) { 0x0000000000400621 <+0>: push %rbp 0x0000000000400622 <+1>: mov %rsp,%rbp 0x0000000000400625 <+4>: mov %edi,-0x14(%rbp) 0x0000000000400628 <+7>: mov %esi,-0x18(%rbp) 33 int op1=x; => 0x000000000040062b <+10>: mov -0x14(%rbp),%eax 0x000000000040062e <+13>: mov %eax,-0x4(%rbp) 34 int op2=y; 0x0000000000400631 <+16>: mov -0x18(%rbp),%eax 0x0000000000400634 <+19>: mov %eax,-0x8(%rbp) 35 int res=op1+op2; 0x0000000000400637 <+22>: mov -0x4(%rbp),%edx 0x000000000040063a <+25>: mov -0x8(%rbp),%eax 0x000000000040063d <+28>: add %edx,%eax 0x000000000040063f <+30>: mov %eax,-0xc(%rbp) 36 return res; 0x0000000000400642 <+33>: mov -0xc(%rbp),%eax 37 } 0x0000000000400645 <+36>: pop %rbp 0x0000000000400646 <+37>: retq End of assembler dump. C Instruction x86 instruction Offset from start of function

gdb w/o debug Notice break in add AFTER function entry! (gdb) b add Breakpoint 1 at 0x400625 (gdb) run 4 Starting program: /import/linux/home/tbartens/cs220/lab07_sol/x86math 4 Breakpoint 1, 0x0000000000400625 in add () (gdb) disassemble /m Dump of assembler code for function add: 0x0000000000400621 <+0>: push %rbp 0x0000000000400622 <+1>: mov %rsp,%rbp => 0x0000000000400625 <+4>: mov %edi,-0x14(%rbp) 0x0000000000400628 <+7>: mov %esi,-0x18(%rbp) 0x000000000040062b <+10>: mov -0x14(%rbp),%eax 0x000000000040062e <+13>: mov %eax,-0x4(%rbp) 0x0000000000400631 <+16>: mov -0x18(%rbp),%eax 0x0000000000400634 <+19>: mov %eax,-0x8(%rbp) 0x0000000000400637 <+22>: mov -0x4(%rbp),%edx 0x000000000040063a <+25>: mov -0x8(%rbp),%eax 0x000000000040063d <+28>: add %edx,%eax 0x000000000040063f <+30>: mov %eax,-0xc(%rbp) 0x0000000000400642 <+33>: mov -0xc(%rbp),%eax 0x0000000000400645 <+36>: pop %rbp 0x0000000000400646 <+37>: retq End of assembler dump.

Continuous x86 Assembler Print When I debug at the C level, gdb prints out the C instruction it is about to execute When I do stepi or nexti, all I get is an address Until I execute: (gdb) set disassemble-next-line on

Stepping through C/x86 code With debug, step executes to next (debugged) C instruction If you invoke a function that was compiled without debug, skips that function! Without debug, step moves to next (debugged) C instruction Often, OS function that invokes main! Practically Useless! Alternatives : nexti and stepi Executes to the next x86 instruction nexti skips function calls stepi can step into protected (invisible) code!

Avoid Stepping Into Protected/Lib Code If you do, stepi continues to work But you can t see where you are You can t see the instructions you are executing You may use the finish command to continue this function until it returns to its caller

stepi with disassemble-next-line library function x86 instructions (gdb) set disassemble-next-line on => 0x0000000000400615 <main+207>: e8 f6 fd ff ff callq 0x400410 <printf@plt> (gdb) stepi 0x0000000000400410 in printf@plt () => 0x0000000000400410 <printf@plt+0>: ff 25 52 07 20 00 jmpq *0x200752(%rip) # 0x600b68 <printf@got.plt> (gdb) 0x0000000000400416 in printf@plt () => 0x0000000000400416 <printf@plt+6>: 68 00 00 00 00 pushq $0x0 (gdb) finish Run till exit from #0 printf@plt () at../sysdeps/x86_64/dl-trampoline.s:41 x=4, x squared - 4x + 4 =4 divided by x-2=2 0x000000000040061a in main () => 0x000000000040061a <main+212>: b8 00 00 00 00 mov $0x0,%eax (gdb)

Breakpoints in X86 Its no fun to step through an entire program. I want to set a breakpoint but there is no line number Especially if there is no debug turned on! (gdb) break *<address> Sets a breakpoint at a specific instruction address To specify a hexadecimal address, use 0x prefix!

break at addr (gdb) disassemble Dump of assembler code for function add: 0x0000000000400621 <+0>: push %rbp 0x0000000000400622 <+1>: mov %rsp,%rbp => 0x0000000000400625 <+4>: mov %edi,-0x14(%rbp) 0x0000000000400628 <+7>: mov %esi,-0x18(%rbp) End of assembler dump. (gdb) break *0x400621 Breakpoint 3 at 0x400621 (gdb) run 4 The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /import/linux/home/tbartens/cs220/lab07_sol/x86math 4 Breakpoint 3, 0x0000000000400621 in add () => 0x0000000000400621 <add+0>: 55 push %rbp (gdb)

Register Information (gdb) info reg Displays x86 regs and values Individual registers can be used like variables Use $ prefix e.g. print $eax or print *((int *)$rbp-4) (gdb) info reg rax 0x0 0 rbx 0x0 0 rcx 0x0 0 rdx 0x10 16 rsi 0x4 4 rdi 0x0 0 rbp 0x7fffffffe860 0x7fffffffe860 rsp 0x7fffffffe838 0x7fffffffe838 r8 0x7ffff7dd6f20 140737351872288 r9 0x7fffffffebf0 140737488350192 r10 0x0 0 r11 0x4 4 r12 0x400450 4195408 r13 0x7fffffffe940 140737488349504 r14 0x0 0 r15 0x0 0 rip 0x400621 0x400621 <add> eflags 0x246 [ PF ZF IF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0

Memory (gdb) x /nfu address_expression examines memory starting at address_expression using format nfu n - Number of values to print f - Format: u - Unit size address_expression can be Constant, e.g. (gdb) x /4i 0x1004011b5 Register, e.g. (gdb) x /4i $eip Pointer variable, e.g. (gdb) x /8cb argv[0] x f hexadecimal d decimal u unsigned dec f a c s i floating point address character string instruction u b 1 h 2 w 4 q 8

Examine Examples 10 decimal 4 byte numbers starting at %rbp-32 same, but in hex null terminated string starting at 0x400760 next 4 x86 instructions (gdb) p $rbp $2 = (void *) 0x7fffffffe860 (gdb) x /10dw $rbp-32 0x7fffffffe840: -5816 32767 4195408 2 0x7fffffffe850: -5824 16 0 4 0x7fffffffe860: 0 0 (gdb) x /10xw $rbp-32 0x7fffffffe840: 0xffffe948 0x00007fff 0x00400450 0x00000002 0x7fffffffe850: 0xffffe940 0x00000010 0x00000000 0x00000004 0x7fffffffe860: 0x00000000 0x00000000 (gdb) x /s 0x400760 0x400760: "x=%d, x squared - 4x + 4 =%d divided by x-2=%d\n" (gdb) x /4i $rip => 0x400621 <add>: push %rbp 0x400622 <add+1>: mov %rsp,%rbp 0x400625 <add+4>: mov %edi,-0x14(%rbp) 0x400628 <add+7>: mov %esi,-0x18(%rbp)

Don t Forget Other Cool GDB stuff (gdb)break *0x080483c3 if $eax > 13 (gdb) commands x /4dw $rsp stepi end (gdb)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback