flat assembler
Message board for the users of flat assembler.

Index > Linux > Exception handling

nixnoob
Joined: 23 Sep 2005
Posts: 10
Well, I finally managed to install fasm (well, the nasm conversion was still spitting some parse errors and I got bored and installed fasm :))

Fine, your code simply assembles without any problems :)

Well, the code starts from mov eax,SignalSigAction

It was at
Code:
0x8048084:      mov    eax,0x43
0x8048089:      mov    ebx,0xb
0x804808e:      mov    ecx,0x8048074
0x8048093:      xor    edx,edx
0x8048095:      int    0x80


I set a bp in gdb at 8048084
but I get a warning
and it doesn't break there (don't know why and didn't look further)
first run

This is the warning
gdb> r
warning: shared library handler failed to enable breakpoint

Program received signal SIGSEGV, Segmentation fault.

and after SIGSEGV gdb stops on do_dirty's first instruction

0x804809d: push ds:0x0
0x80480a3: mov ds:0x0,eax
0x80480a8: push fs:0x0
0x0804809d in ?? ()
gdb>
gdb> si
Hmmm, SIGSEGV signal received
Whatever I do (si, s, ni, ni), all of them print out the hmmmmmmm,
but I can't seem to single step into the exception handler, at least at first glance.
Anyway, I'll try later and post back.
Also:
objdump -d doesn't seem to disassemble this at all??
It just returns to the prompt.
gdb -disassemble 0x8048084 also fails.

I had to do x/i to even look at the disassembly :(

I miss my ollydbg :(

Anyway, just for ref, here is the disassembly
Code:
gdb> x/25i 0x08048084
0x8048084:      mov    eax,0x43
0x8048089:      mov    ebx,0xb
0x804808e:      mov    ecx,0x8048074
0x8048093:      xor    edx,edx
0x8048095:      int    0x80
0x8048097:      test   eax,eax
0x8048099:      mov    ebx,eax
0x804809b:      jne    0x80480c7
0x804809d:      push   ds:0x0
0x80480a3:      mov    ds:0x0,eax
0x80480a8:      push   fs:0x0
0x80480af:      mov    eax,0x4
0x80480b4:      mov    ebx,0x2
0x80480b9:      mov    ecx,0x804910b
0x80480be:      mov    edx,0x14
0x80480c3:      int    0x80
0x80480c5:      xor    ebx,ebx
0x80480c7:      mov    eax,0x1
0x80480cc:      int    0x80
0x80480ce:      mov    eax,0x4
0x80480d3:      mov    ebx,0x2
0x80480d8:      mov    ecx,0x80490ed
0x80480dd:      mov    edx,0x1e
Post 01 Oct 2005, 13:32
Endre
Joined: 29 Dec 2003
Posts: 212
Location: Budapest, Hungary
Yes, debugging assembly is a weakness of linux. It's because there are just very few debuggers on linux. Fasm doesn't generate debug info into the binary. It makes debugging with gdb a bit hard. That's why I don't use gdb for such a task. Once I found a hacked version of nasm which was able to generate quite correct debug info, but it was not the best either. Then I found ald (see: http://ald.sourceforge.net/) which has not too much comfort (no symbols, etc.), but it's really usable. When I work on my OS I use bochs' debugging facilities, which are similar to those of ald.
Objdump was/is/will be unable to interpret an ELF binary generated by fasm. I don't know why. For disassembling I either use ndisasm (nasm) or the disassembler features of the above mentioned tools. I acknowledge ollydbg is a great tool that we unfortunately have to miss under unices :(.
Another opportunity is to use gas, which now also accepts intel syntax and can generate perfect debug info (http://www.cs.pdx.edu/~bjorn/CS200/linux_tutorial/).

P.S.: when debugging the code with ald you can also debug the signal handler.
Post 01 Oct 2005, 14:15
nixnoob
Joined: 23 Sep 2005
Posts: 10
Hi Endre,
sorry to be pestish and noobish,
but did you leave out the url for an ald tutorial? :)

Anyway, after struggling to compile it (can't find readline, and the rpms that I wgot into the shells were spitting more errors than I could handle)
I somehow got another friend of mine to install it in his shell and tried it out.
Seems fine :) but how do you break into the handler??
I can't seem to find a way. I tried the idiotic way of setting a break on the handler,
hoping it would break there when I hit s :)
but it doesn't seem to be the case.
Code:
ald> disassemble 0x80480ce -num 5
080480CE                      B804000000           mov eax, 0x4
080480D3                      BB02000000           mov ebx, 0x2
080480D8                      B9ED900408           mov ecx, 0x80490ed
080480DD                      BA1E000000           mov edx, 0x1e
080480E2                      CD80                 int 0x80
ald> examine 0x80490ed
Dumping 64 bytes of memory starting at 0x080490ED in hex
080490ED:  48 6D 6D 6D 2C 20 53 49 47 53 45 47 56 20 73 69    Hmmm, SIGSEGV si
080490FD:  67 6E 61 6C 20 72 65 63 65 69 76 65 64 0A 62 75    gnal received.bu
0804910D:  74 20 49 27 6D 20 73 74 69 6C 6C 20 61 6C 69 76    t I'm still aliv
0804911D:  65 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00    e...............
ald>

Code:
ald> break 080480CE
Invalid symbol: 080480CE
ald> break 0x80480CE
Breakpoint 1 set for 0x080480CE
ald> s

Program received signal SIGSEGV (Segmentation fault)
Location: 0x0804809D
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFFB80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
ss  = 0x002B cs  = 0x0023 eip = 0x0804809D eflags = 0x00010346

Flags: PF ZF TF IF RF


0804809D                      FF3500000000         push dword []
ald> lbreak
Num   Type         Enabled   Address      IgnoreCount  HitCount
1     Breakpoint   y         0x080480CE   none         0
ald> s
Hmmm, SIGSEGV signal received
eax = 0x00000004 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFFB80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
ss  = 0x002B cs  = 0x0023 eip = 0x080480B4 eflags = 0x00000346

Flags: PF ZF TF IF


080480B4                      BB02000000           mov ebx, 0x2
ald>

Could you post a little tutorial? :)

Well, the main reason for me behind this course is to
land on the handler and write a little trampoline inline to some blank space
in the exe,
jump there and try the pokeusr system call and jump back to the flow.

Yeah, too hackish a way, I sense, but I want to do it that way :)
Thanks and regards
Post 04 Oct 2005, 15:05
Endre
Joined: 29 Dec 2003
Posts: 212
Location: Budapest, Hungary
Here it works quite seamlessly. I had no problem when compiling ald. Without readline it's perhaps a pain to work with - I never tried it yet. I guess libreadline should be a component of every distribution.
Code:
$ ldd /usr/local/bin/ald
        linux-gate.so.1 =>  (0xffffe000)
        libreadline.so.4 => /usr/lib/libreadline.so.4 (0xb7f92000)
        libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7f8e000)
        libc.so.6 => /lib/libc.so.6 (0xb7e74000)
        /lib/ld-linux.so.2 (0xb7fc8000)
$

Code:
ald> d
...
080480C3                      CD80                 int 0x80                  
080480C5                      31DB                 xor ebx, ebx              
080480C7                      B801000000           mov eax, 0x1              
080480CC                      CD80                 int 0x80                  
080480CE                      B804000000           mov eax, 0x4 ; <--- here starts the signal handler             
080480D3                      BB02000000           mov ebx, 0x2              
080480D8                      B9ED900408           mov ecx, 0x80490ed        
080480DD                      BA1E000000           mov edx, 0x1e             
080480E2                      CD80                 int 0x80                  
Hit <return> to continue, or <q> to quitq

ald> b 0x080480CE
Breakpoint 1 set for 0x080480CE
ald> c

Program received signal SIGSEGV (Segmentation fault)
Location: 0x0804809D
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000 
esp = 0xBF8CEC80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000 
ds  = 0x007B es  = 0x007B fs  = 0x0000 gs  = 0x0000 
ss  = 0x007B cs  = 0x0073 eip = 0x0804809D eflags = 0x00210246 

Flags: PF ZF IF RF ID 


0804809D                      FF3500000000         push dword []
ald> c ; <--- debugger detected this error as well, so continue
Breakpoint 1 encountered at 0x080480CE
eax = 0x0000000B ebx = 0x00000000 ecx = 0xBF8CE990 edx = 0xBF8CE910 
esp = 0xBF8CE900 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000 
ds  = 0x007B es  = 0x007B fs  = 0x0000 gs  = 0x0000 
ss  = 0x007B cs  = 0x0073 eip = 0x080480CE eflags = 0x00200246 

Flags: PF ZF IF ID 


080480CE                      B804000000           mov eax, 0x4              
ald>    
Post 04 Oct 2005, 21:48
nixnoob
Joined: 23 Sep 2005
Posts: 10
Hi Endre.

Thanks for replying.
You used c while I used s,
and if I use c it breaks on the handler :)

Code:
0804809D                      FF3500000000         push dword []
ald> c
Breakpoint 1 encountered at 0x080480CE
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFF800 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds  = 0x002B es  = 0x002B fs  = 0x0000 gs  = 0x0000
ss  = 0x002B cs  = 0x0023 eip = 0x080480CE eflags = 0x00000246

Flags: PF ZF IF


080480CE                      B804000000           mov eax, 0x4
ald>

So now one headache is over.
I tried to find some space in the executable, but I see the executable is very compact, no padding zeroes etc.
Where can I insert my trampoline code?
Can I add a section to the end?? You know Windows breaks the sections
into .data, .code, .rsrc, .reloc, .whatever etc.,
so if you have a massive code addition to do via binary editing (not coding/compiling) you can add a section at the end and then divert the flow there.

Likewise, now instead of mov eax,04
I want to put code like this:

jmp far somewhere //<addr of trampoline
pushad //<save regs
pushfd //<save flags so hopefully we can trash anything from here onwards
mov eax,pokeusr addr or whatever it takes
...
...
...
int 0x80
parse the data code here;
do whatever you fancy code here;
cleanup the mess code here;
popfd
popad
execute the trashed instruction that accommodated the trampoline jmp;
jmp back to instruction next to trampoline // continue as if nothing happened

Code:
xxd endre
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000  .ELF............
0000010: 0200 0300 0100 0000 8480 0408 3400 0000  ............4...
0000020: 0000 0000 0000 0000 3400 2000 0200 2800  ........4. ...(.
0000030: 0000 0000 0100 0000 7400 0000 7480 0408  ........t...t...
0000040: 7480 0408 7900 0000 7900 0000 0500 0000  t...y...y.......
0000050: 0010 0000 0100 0000 ed00 0000 ed90 0408  ................
0000060: ed90 0408 3200 0000 3200 0000 0600 0000  ....2...2.......
0000070: 0010 0000 ce80 0408 0000 0000 0400 0000  ................
0000080: 0000 0000 b843 0000 00bb 0b00 0000 b974  .....C.........t
0000090: 8004 0831 d2cd 8085 c089 c375 2aff 3500  ...1.......u*.5.
00000a0: 0000 00a3 0000 0000 64ff 3500 0000 00b8  ........d.5.....
00000b0: 0400 0000 bb02 0000 00b9 0b91 0408 ba14  ................
00000c0: 0000 00cd 8031 dbb8 0100 0000 cd80 b804  .....1..........
00000d0: 0000 00bb 0200 0000 b9ed 9004 08ba 1e00  ................
00000e0: 0000 cd80 8b44 240c 8340 4c12 c348 6d6d  .....D$..@L..Hmm
00000f0: 6d2c 2053 4947 5345 4756 2073 6967 6e61  m, SIGSEGV signa
0000100: 6c20 7265 6365 6976 6564 0a62 7574 2049  l received.but I
0000110: 276d 2073 7469 6c6c 2061 6c69 7665 0a    'm still alive.

So shall I just shift and insert some 0000 between 0xe0 and 0xf0? Will it
be ok? (Oh yeah, I am going to do those shady things, but it would be good if I have some answers beforehand so that I don't have to reinvent the wheel :))

Thank you,
Best Regards
Post 05 Oct 2005, 08:00
Endre
Joined: 29 Dec 2003
Posts: 212
Location: Budapest, Hungary
I don't know if I exactly understood what you want to do, but you can compile in an aptly sized area:

Code:
...
my_signal_handler: 
; print exception message
        jmp     trampoline ; jump into the nothing
        mov     eax, SYSCALL_WRITE 
        mov     ebx, STDERR 
        mov     ecx, signal_handler_msg 
        mov     edx, signal_handler_msg_size 
        int     0x80 
; get parameter ucontext 
        mov     eax, [esp+12] 
; modify eip 
        add     dword [eax+ucontext.uc_mcontext+sigcontext.eip], sizeof.do_dirty 
        ret

db 0xff, 0xff ; arbitrary marker
trampoline: times 1024 db 0 ; alloc 1024 bytes for the trampoline

; define section for data 
section readable writeable 
signal_handler_msg db 'Hmmm, SIGSEGV signal received', 0xa 
signal_handler_msg_size = $-signal_handler_msg 
reborn_msg db "but I'm still alive", 0xa 
reborn_msg_size = $-reborn_msg
Post 05 Oct 2005, 12:17
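Endre's handler above fetches the ucontext pointer from [esp+12] and adds sizeof.do_dirty to the saved eip so the program survives the fault. The same idea in C, as an added example that is not part of the thread: a SIGSEGV handler installed with sigaction(SA_SIGINFO) that records si_addr, writes the thread's message with the async-signal-safe write(2), and on x86-64 Linux (glibc's REG_RIP) advances the saved instruction pointer past a deliberately faulting 6-byte null store; on other targets it unwinds with siglongjmp instead, which is a different, portable technique. The names survive_fault, do_dirty, FAULT_INSN_LEN and the inline-asm store are my assumptions, and the 6-byte length is correct only for that exact instruction.

```c
#define _GNU_SOURCE        /* exposes REG_RIP from <sys/ucontext.h> on glibc */
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <ucontext.h>
#include <unistd.h>

/* x86-64 Linux: recover as the fasm handler does, by advancing the saved
 * instruction pointer past the faulting store. Elsewhere: unwind with siglongjmp. */
#if defined(__x86_64__) && defined(__linux__) && defined(REG_RIP)
#define SKIP_VIA_CONTEXT 1
#else
#define SKIP_VIA_CONTEXT 0
#endif
#define FAULT_INSN_LEN 6   /* "movl $1,(%rax)" assembles to C7 00 01 00 00 00 */

static sigjmp_buf recover_env;
static volatile sig_atomic_t handler_hits;   /* how often the handler ran */
static void *volatile fault_addr;            /* address reported in si_addr */

static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    /* write(2) is async-signal-safe; printf is not, so it stays out of here */
    static const char msg[] = "Hmmm, SIGSEGV signal received\n";
    ssize_t n = write(STDERR_FILENO, msg, sizeof msg - 1);
    (void)n; (void)sig;
    handler_hits++;
    fault_addr = si->si_addr;
#if SKIP_VIA_CONTEXT
    ucontext_t *uc = ctx;                    /* third argument is the ucontext */
    uc->uc_mcontext.gregs[REG_RIP] += FAULT_INSN_LEN;
#else
    (void)ctx; siglongjmp(recover_env, 1);
#endif
}

/* Counterpart of the thread's do_dirty: one store through a null pointer. */
static int do_dirty(void)
{
#if SKIP_VIA_CONTEXT
    __asm__ volatile("xorl %%eax, %%eax\n\t"
                     "movl $1, (%%rax)\n\t"  /* faults; handler skips its 6 bytes */
                     : : : "rax", "memory");
#else
    static int *volatile null_ptr = NULL;    /* volatile: cannot be folded away */
    *null_ptr = 1;
#endif
    return 1;                                /* reached only if we survived */
}

/* Returns 1 when the fault was caught exactly once and execution resumed. */
static int survive_fault(void)
{
    struct sigaction sa;
    volatile int survived = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;                /* deliver siginfo_t and ucontext */
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, NULL) != 0 || sigaction(SIGBUS, &sa, NULL) != 0)
        return -1;                           /* SIGBUS: what some platforms raise */
    handler_hits = 0;
    if (sigsetjmp(recover_env, 1) == 0)
        survived = do_dirty();               /* context-skip path returns here */
    else
        survived = 1;                        /* siglongjmp path lands here */
    return survived && handler_hits == 1;
}
```

Call survive_fault() from main; the "but I'm still alive" line belongs there, after it returns, not inside the handler.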
nixnoob
Joined: 23 Sep 2005
Posts: 10
OK, I'll compile that and do a file compare between the existing version
and the new version :)
I think that would shed some light.


JFYI, I just want to inline assemble in place on the binary without compiling.
Assume I have this binary only and I don't have its source,
and I still want to add some extra code inside that binary so that it works the way I want it to work (never heard of adding functionality (rock music) to crippleware stuff? :))

OK, edit: I tried compiling that but it seems to spit a lot of errors.

Here is a diff; I'll try it later, but if you find my mistake in between, post back.
Thanks
diff endre.asm endremod.asm
147a148,149
> db 0xff, 0xff ; arbitrary marker
> trampoline: times 1024 db 0 ; alloc 1024 bytes for the trampoline
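Review bot: the two lines added after line 147 are plain fasm data directives (`db 0xff, 0xff` and `times 1024 db 0`) and cannot by themselves produce assembler errors, so the errors reported in this post must originate elsewhere; note also that the pool inherits the attributes of the section it lands in, and in the snippet posted above that is the code section (readable and executable, not writable), so the program cannot write into the pool at run time, which only an external tool editing the file on disk can do.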
Post 05 Oct 2005, 14:18
Endre
Joined: 29 Dec 2003
Posts: 212
Location: Budapest, Hungary
nixnoob wrote:

diff endre.asm endremod.asm
147a148,149
> db 0xff, 0xff ; arbitrary marker
> trampoline: times 1024 db 0 ; alloc 1024 bytes for the trampoline

Sorry, I could have been a bit more verbose :(. So it's about compiling in an empty 'pool' area. BTW you cannot modify the contents of this pool from the program itself, since the given section was defined to be readable and runnable but not writable. On the other hand, from another application which is able to overwrite this file on the disk you can put a little code in it.
Post 06 Oct 2005, 06:33
nixnoob
Joined: 23 Sep 2005
Posts: 10
Hi Endre,

Well, that was compiling fine; sorry, but I was using a nasm assemble.bat earlier, stupid me :(

I think you misunderstood me when I said I wanted to add code. I am not going to ask the program to write it; I meant when I have the program open in a debugger and when it breaks on the handler I use the debugger's assemble
capability to assemble code in place (something similar to set write on
set byte 0x80### == 0x90 (nopping code) in gdb). Well, ald doesn't have assemble capacity so it's out of the question :) I won't think of doing it in gdb :)

btw does ald skip instructions?
I can't see it stopping on your test eax,eax after setting the SEH handler;
it directly passes to mov ebx,eax.
Is it normal behaviour for that debugger? Or is it a bug?

Quote:

Assembly Language Debugger 0.1.7
Copyright (C) 2000-2004 Patrick Alken

../../endre: ELF Intel 80386 (32 bit), LSB - little endian, Executable, Version 1 (Current)
Loading debugging symbols...(no symbols found)
ald> s

08048089 BB0B000000 mov ebx, 0xb
ald> s

0804808E B974800408 mov ecx, 0x8048074
ald> s

08048093 31D2 xor edx, edx
ald> s

08048095 CD80 int 0x80
ald> s

08048099 89C3 mov ebx, eax
ald>


Whatever, it's a nice debugger with a nice format and in intel syntax.
Thanks for suggesting it.

I think I am too confused; it seems I can generate any kind of useless errors even with gdb too :) Just to compare the sequence I fired up gdb.

It seems gdb errs in many other ways, or I do not understand jack about
linux debuggers; I don't know what's the fact.

Code:
(gdb) break *0x8048089
Breakpoint 1 at 0x8048089
(gdb) set di i
(gdb) r
Starting program: /home/bluffer/myfirst/myfirstasm/endre
warning: shared library handler failed to enable breakpoint

Breakpoint 1, 0x08048089 in ?? ()
(gdb) x/6i $eip
0x8048089:      mov    ebx,0xb
0x804808e:      mov    ecx,0x8048074
0x8048093:      xor    edx,edx
0x8048095:      int    0x80
0x8048097:      test   eax,eax
0x8048099:      mov    ebx,eax
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb)
0x08048095 in ?? () 
<----------------------skips 0x8048097 test eax,eax Sad
(gdb)
0x08048099 in ?? ()
(gdb)
0x08048099 in ?? ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
bluffer@server:~/myfirst/myfirstasm>


(gdb) set di i
(gdb) b *0x8048089
Breakpoint 1 at 0x8048089
(gdb) r
Starting program: /home/bluffer/myfirst/myfirstasm/endre
warning: shared library handler failed to enable breakpoint

Breakpoint 1, 0x08048089 in ?? ()
(gdb) x/i 0x8048097
0x8048097:      test   eax,eax
(gdb) b *0x8048097
Breakpoint 2 at 0x8048097
(gdb) info break
Num Type           Disp Enb Address    What
1   breakpoint     keep y   0x08048089
        breakpoint already hit 1 time
2   breakpoint     keep y   0x08048097
(gdb)

(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb) si
0x08048095 in ?? ()
(gdb) si
<----- wtf ? ??? breaks on 98 ?
0x08048098 in ?? ()
(gdb)
(gdb) info reg eip
eip            0x8048098        0x8048098
(gdb)
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
0x08048098 in ?? ()
Post 07 Oct 2005, 12:26
nixnoob
Joined: 23 Sep 2005
Posts: 10
OK, it seems it is a feature that may or may not be fixed in the kernel:
http://www.ussg.iu.edu/hypermail/linux/kernel/0406.3/1126.html

There are arguments and counter arguments saying it slows down etc.
I am not a guru in these debates,
but I know if I single step and gdb breaks in the middle of an
instruction, completely fucking up the disassembly
and screwing a seg fault,
that is nasty behaviour.

To force a break on 0x8048097 I set a breakpoint
on 0x8048097,
and the result is as follows
Code:
Breakpoint 2, 0x08048089 in ?? ()
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb) si
0x08048095 in ?? ()
(gdb) si
0x08048098 in ?? ()
(gdb) x/i $eip
0x8048098:      rorb   $0x35,0xff2a75c3(%ecx)
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
0x08048098 in ?? ()

Hope Linus Torvalds sees this thread and compiles the code and runs it on gdb :)

And I should thank Isomer at #wlug undernet for finding this post.
Post 10 Oct 2005, 06:57
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
So... signals are the way of exception handling on *u*x. What about thread safety?
Post 13 Sep 2006, 11:57
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
From what I have read/heard, everyone is afraid of this.

Here might be something useful
Post 13 Sep 2006, 12:20
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Hm, seems sucky. There's no default, standardized, and solid per-thread exception routine? Christ. That's even worse than a single global 'errno'. Bad design.
Post 13 Sep 2006, 22:26
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Yup - seems it was designed before exceptions were :)
Most linuxers are wondering what the reason is not to kill the "bad program" immediately.

But at least you can request exception info (where, register values) as an extra bonus ;)
Post 14 Sep 2006, 05:23
f0dder
Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
Quote:

most linuxers are wondering what is reason not to kill "bad program" immediately

iiiiichhhnorantz! ;)

Linus should've had a clue and copied VMS instead of MINIX.
Post 14 Sep 2006, 11:28
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
http://www.linuxjournal.com/article/2121

Now someone just make an example of multithreaded linux exception handling ;)
Post 25 Sep 2006, 14:45
arafel
Joined: 29 Aug 2006
Posts: 131
Location: Jerusalem, Israel
f0dder wrote:
That's even worse than a single global 'errno'. Bad design.


Leave this 'errno' to C coders. They made it, they shall suffer.
Post 25 Sep 2006, 18:25
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
I've heard "errno" is a macro emulating a global variable, after they realized the design wasn't very good for multithreading.
Post 25 Sep 2006, 18:31
arafel
Joined: 29 Aug 2006
Posts: 131
Location: Jerusalem, Israel
Yep, defined something like, iirc: #define errno (*__errno_location())

I think that this faulty design is not much a result of multithreading, since it's global-per-thread in multithreaded environments anyway.
Post 25 Sep 2006, 19:19
vid
Verbosity in development
Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Someone should write a new thread with an article and example of how to do linux exception handling, and then I will make it sticky in Linux and move the interesting links there. It would be nicer than having to read through 10 posts to find one working etc...
Post 03 Oct 2006, 10:55