CS444 Finding UNIX/Linux System Calls
Using linux1.cs.umb.edu, a 64-bit Linux system
Script started on Sun 09 Sep 2012 01:05:21 PM EDT
eoneil@vm22:~/444$ cat hi.c
/* Our tiny test program: a single write(2) call, used below to trace the
 * path user code -> PLT stub -> libc write() -> syscall instruction -> kernel.
 * NOTE(review): there is no #include <unistd.h>, so write() is implicitly
 * declared; gcc was run without -Wall and accepted it, but a prototype
 * should be included. The return value of write() is left unchecked. */
int main(void)
{
write(1, "hi!!!\n", 6); /* fd 1 = stdout, 6 bytes; becomes syscall number 1 (write) inside libc */
return 0;
}
eoneil@vm22:~/444$ gcc -g hi.c
eoneil@vm22:~/444$ gdb a.out
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/eoneil/444/a.out...done.
(gdb) disas main
Dump of assembler code for function main:                     <-- machine code for the program
0x00000000004004f4 <+0>: push %rbp                            <-- frame setup
0x00000000004004f5 <+1>: mov %rsp,%rbp
0x00000000004004f8 <+4>: mov $0x6,%edx                        <-- set up write's arguments in registers: edx = count (6),
0x00000000004004fd <+9>: mov $0x40060c,%esi                       esi = buffer address, edi = fd (1). Writing a 32-bit register
0x0000000000400502 <+14>: mov $0x1,%edi                           zero-extends into the full rdx, rsi, rdi (System V AMD64 argument order is rdi, rsi, rdx)
0x0000000000400507 <+19>: mov $0x0,%eax                       <-- al = 0 ("no vector-register arguments"); gcc most likely emits this because
                                                                  write() was never prototyped (no #include), so it is called as an unprototyped function
0x000000000040050c <+24>: callq 0x4003f0 <write@plt>          <-- the call goes through the PLT stub, not directly to libc
0x0000000000400511 <+29>: mov $0x0,%eax
0x0000000000400516 <+34>: pop %rbp
0x0000000000400517 <+35>: retq
End of assembler dump.
(gdb) disas write
Dump of assembler code for function write@plt:   <-- before the program runs, "write" resolves to this PLT stub, which sets up the dynamic linkage to the C library on first use
0x00000000004003f0 <+0>: jmpq *0x200c0a(%rip) # 0x601000 <write@got.plt>   <-- indirect jump through the GOT slot at 0x601000 (in the writable data segment, just below __data_start in the nm output)
0x00000000004003f6 <+6>: pushq $0x0          <-- first call only: the GOT slot initially points back here; push the relocation index (0) ...
0x00000000004003fb <+11>: jmpq 0x4003e0      <-- ... and jump to the dynamic linker's resolver, which fills the GOT slot with the address of libc's write and jumps there
End of assembler dump.
Caveat: with lazy binding this GOT slot stays writable for the life of the process, so a memory-corruption bug can redirect every later write() call by overwriting the 8 bytes at 0x601000. Linking with -Wl,-z,relro,-z,now binds all symbols at startup and makes the GOT read-only.
(gdb) b main   <-- set breakpoint at main
Breakpoint 1 at 0x4004f8: file hi.c, line 3.
(gdb) r <---start program
Starting program: /home/eoneil/444/a.out
Breakpoint 1, main () at hi.c:3 <---hit breakpoint at main
3 write(1, "hi!!!\n", 6);
(gdb) disas write
Dump of assembler code for function write:   <-- now "write" resolves to libc itself, mapped in high memory (shared library libc.so.6). These 0x7ffff7... addresses are repeatable here only because gdb disables address-space randomization (ASLR) by default; outside gdb the library moves from run to run.
0x00007ffff7b108e0 <+0>: cmpl $0x0,0x2ca78d(%rip) # 0x7ffff7ddb074   <-- tests a libc flag (presumably the multi-thread/cancellation flag; not visible here); if set, take the slower path at +25
0x00007ffff7b108e7 <+7>: jne 0x7ffff7b108f9 <write+25>
0x00007ffff7b108e9 <+9>: mov $0x1,%eax                   <-- rax = 1 = system call number of write on x86-64 Linux; the arguments are already in rdi, rsi, rdx
0x00007ffff7b108ee <+14>: syscall                        <-- syscall instruction: traps into the kernel; the result comes back in rax (the instruction itself clobbers rcx and r11)
0x00007ffff7b108f0 <+16>: cmp $0xfffffffffffff001,%rax   <-- error check: the kernel returns -errno, i.e. an unsigned value in [-4095, -1]
0x00007ffff7b108f6 <+22>: jae 0x7ffff7b10929 <write+73>  <-- unsigned compare: on error, jump to the code that stores errno and returns -1
0x00007ffff7b108f8 <+24>: retq                           <-- success: rax holds the byte count, return to main
0x00007ffff7b108f9 <+25>: sub $0x8,%rsp
…
End of assembler dump.
(gdb) b write
Breakpoint 2 at 0x7ffff7b108e0
(gdb) c
Continuing.
Breakpoint 2, 0x00007ffff7b108e0 in write () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) i reg
rax 0x0 0   <-- al = 0 (set by mov $0x0,%eax in main): no vector-register arguments
rbx 0x0 0
rcx 0x400520 4195616   <-- not an argument to write; this value is __libc_csu_init (see nm output below), apparently left over from program startup
rdx 0x6 6
rsi 0x40060c 4195852   <-- arguments to write, in System V order: rdi = fd (1), rsi = buffer address (0x40060c lies in the executable's 0x400000 segment, presumably read-only data next to the code), rdx = count (6)
rdi 0x1 1
rbp 0x7fffffffe6e0 0x7fffffffe6e0
rsp 0x7fffffffe6d8 0x7fffffffe6d8   <-- stack pointer (rsp % 16 == 8, as expected right after a call pushed the 8-byte return address onto a 16-byte-aligned stack)
r8 0x4005b0 4195760
r9 0x7ffff7deaf40 140737351954240
r10 0x7fffffffe470 140737488348272
r11 0x7ffff7b108e0 140737348962528
r12 0x400410 4195344
r13 0x7fffffffe7c0 140737488349120
r14 0x0 0
r15 0x0 0
rip 0x7ffff7b108e0 0x7ffff7b108e0 <write>   <-- instruction pointer: stopped at the first instruction of libc's write
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/s $rsi   <-- check the string at the address in rsi: this is the buffer write() will hand to the kernel
0x40060c: "hi!!!\n"
(gdb) si   <-- single instruction step
0x00007ffff7b108e7 in write () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)   <-- a bare <cr> repeats the previous command in gdb
0x00007ffff7b108e9 in write () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7b108ee in write () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
hi!!!   <-- the output appears here: stepping over the syscall instruction ran the whole kernel write path at once; si cannot step into the kernel
0x00007ffff7b108f0 in write () from /lib/x86_64-linux-gnu/libc.so.6   <-- back in user mode at the instruction after syscall
(gdb)
0x00007ffff7b108f6 in write () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) disas write
Dump of assembler code for function write:
0x00007ffff7b108e0 <+0>: cmpl $0x0,0x2ca78d(%rip) # 0x7ffff7ddb074
0x00007ffff7b108e7 <+7>: jne 0x7ffff7b108f9 <write+25>
0x00007ffff7b108e9 <+9>: mov $0x1,%eax
0x00007ffff7b108ee <+14>: syscall                          <-- this caused the output
0x00007ffff7b108f0 <+16>: cmp $0xfffffffffffff001,%rax    <-- rax now holds the kernel's return value (byte count on success, -errno on failure)
=> 0x00007ffff7b108f6 <+22>: jae 0x7ffff7b10929 <write+73>   <-- where we are now: unsigned compare, so only values in [-4095, -1] take the error branch
0x00007ffff7b108f8 <+24>: retq
0x00007ffff7b108f9 <+25>: sub $0x8,%rsp
…
End of assembler dump.
(gdb) disas start
No symbol "start" in current context.
(gdb) disas _start
Dump of assembler code for function _start:   <-- the ELF entry point: control arrives here (after the dynamic loader), not at main
0x0000000000400410 <+0>: xor %ebp,%ebp                  <-- rbp = 0 marks the outermost stack frame
0x0000000000400412 <+2>: mov %rdx,%r9                   <-- rdx at entry is presumably the dynamic linker's finalizer hook; passed on as the 6th argument
0x0000000000400415 <+5>: pop %rsi                       <-- argc sits at the top of the initial stack; it becomes the 2nd argument
0x0000000000400416 <+6>: mov %rsp,%rdx                  <-- rdx = argv (3rd argument)
0x0000000000400419 <+9>: and $0xfffffffffffffff0,%rsp   <-- realign the stack to 16 bytes, as the System V ABI requires before a call
0x000000000040041d <+13>: push %rax
0x000000000040041e <+14>: push %rsp
0x000000000040041f <+15>: mov $0x4005b0,%r8             <-- r8 = __libc_csu_fini (see nm output below)
0x0000000000400426 <+22>: mov $0x400520,%rcx            <-- rcx = __libc_csu_init
0x000000000040042d <+29>: mov $0x4004f4,%rdi            <-- rdi = main: the address of main is the 1st argument
0x0000000000400434 <+36>: callq 0x400400 <__libc_start_main@plt>   <-- __libc_start_main(main, argc, argv, init, fini, ...) never returns: it calls exit() itself (see below)
0x0000000000400439 <+41>: hlt                           <-- unreachable guard; hlt is privileged and would fault if ever executed in user mode
0x000000000040043a <+42>: nop
0x000000000040043b <+43>: nop
End of assembler dump.
(gdb) disas __libc_start_main
Dump of assembler code for function __libc_start_main:
0x00007ffff7a5c220 <+0>: push %r14
0x00007ffff7a5c222 <+2>: push %r13
0x00007ffff7a5c224 <+4>: push %r12
… (page of code)
0x00007ffff7a5c2fd <+221>: mov 0x8(%rsp),%rsi
0x00007ffff7a5c302 <+226>: mov 0x14(%rsp),%edi
0x00007ffff7a5c306 <+230>: mov (%rax),%rdx
0x00007ffff7a5c309 <+233>: callq *0x18(%rsp)            <-- indirect call to main (presumably its address, received in rdi from _start, was saved on the stack)
0x00007ffff7a5c30d <+237>: mov %eax,%edi                <-- main's return value (0 here) becomes the argument of exit()
0x00007ffff7a5c30f <+239>: callq 0x7ffff7a76890 <exit>  <-- library exit(); it eventually reaches _exit, traced next
0x00007ffff7a5c314 <+244>: xor %edx,%edx
…
(gdb) disas _exit
Dump of assembler code for function _exit:
0x00007ffff7aea570 <+0>: movslq %edi,%rdx
0x00007ffff7aea573 <+3>: mov 0x2ea89e(%rip),%r9 # 0x7ffff7dd4e18
0x00007ffff7aea57a <+10>: mov $0xe7,%r8d     <-- 0xe7 = 231 = exit_group system call number on x86-64 Linux (ends all threads)
0x00007ffff7aea580 <+16>: mov $0x3c,%esi     <-- 0x3c = 60 = exit system call number (single thread), presumably the fallback
0x00007ffff7aea585 <+21>: jmp 0x7ffff7aea5a0 <_exit+48>   <-- jump into the elided code at +48; that is where the trace below actually ends
0x00007ffff7aea587 <+23>: nopw 0x0(%rax,%rax,1)
0x00007ffff7aea590 <+32>: mov %rdx,%rdi      <-- rdi = exit status (sign-extended from edi at +0)
0x00007ffff7aea593 <+35>: mov %esi,%eax      <-- rax = 60: this path issues the plain exit call
0x00007ffff7aea595 <+37>: syscall            <-- an exit syscall instruction; on this run the process ended from the +48 path, so this one was not reached
0x00007ffff7aea597 <+39>: cmp $0xfffffffffffff000,%rax   <-- same -errno range check as in write (only reached if the syscall returns at all)
0x00007ffff7aea59d <+45>: ja 0x7ffff7aea5b8 <_exit+72>
…
End of assembler dump.
(gdb) b _exit
Breakpoint 2 at 0x7ffff7aea570
(gdb) c
Continuing.
Breakpoint 2, 0x00007ffff7aea570 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) si
0x00007ffff7aea573 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7aea57a in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7aea580 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7aea585 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7aea5a0 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7aea5a3 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
0x00007ffff7aea5a6 in _exit () from /lib/x86_64-linux-gnu/libc.so.6
(gdb)
[Inferior 1 (process 8291) exited normally]   <-- execution of the exit syscall: the last instruction stepped (at _exit+48.., 0x00007ffff7aea5a6, not shown in the disassembly above) apparently entered the kernel, which destroyed the process, so there is no next instruction to step to
(gdb)
The program is not being run.
(gdb) q
vm22$ ls -l a.out
-rwxr-xr-x 1 eoneil man 8375 2012-09-09 15:00 a.out
vm22$ nm -n a.out
…
00000000004003c8 T _init   <-- start of code area, at 0x4003c8 in the 0x400000 = 4 MiB segment
0000000000400410 T _start
000000000040043c t call_gmon_start
0000000000400460 t __do_global_dtors_aux
00000000004004d0 t frame_dummy
00000000004004f4 T main
0000000000400520 T __libc_csu_init
00000000004005b0 T __libc_csu_fini
00000000004005c0 t __do_global_ctors_aux
00000000004005f8 T _fini
…
0000000000601010 D __data_start   <-- start of data area, in the 0x600000 = 6 MiB segment
0000000000601010 W data_start
0000000000601018 D __dso_handle
0000000000601020 A __bss_start   <-- start of BSS, the zero-initialized data area, also at 6 MiB
0000000000601020 A _edata
0000000000601020 b completed.6458
0000000000601028 b dtor_idx.6460
0000000000601030 A _end   <-- end of data areas, end of nm -n output
Picture of program image (addresses from this run, low to high; not to scale):

   code          data          DLL (libc.so.6)                          stack
  |-------------|-------------|----........ big gap ........----|-----------|
  0x400000      0x600000      0x7ffff7b108e0 (write)           0x7fffffffe6d8 (rsp at the write breakpoint)
  (0 is the origin of the address space)

Caveat: a.out is linked at a fixed address (non-PIE, hence the 0x400000/0x600000 symbols in the nm output), so its code and data never move. The libc and stack addresses look fixed here only because gdb turns off address-space randomization (ASLR) by default; outside gdb they change from run to run.