flat assembler
Message board for the users of flat assembler.
Exception handling
Endre 01 Oct 2005, 14:15
Yes, debugging assembly is a weakness of linux. It's because there are just very few debuggers on linux. Fasm doesn't generate debug info into the binary. It makes debugging with gdb a bit hard. That's why I don't use gdb for such a task. Once I found a hacked version of nasm which was able to generate quite correct debug info but it was not the best either. Then I found ald (see: http://ald.sourceforge.net/) which has not too much comfort (no symbols, etc.), but it's usable really well. When I work on my OS then I use bochs' debugging facilities which are similar to that of ald.
Objdump was/is/will be unable to interpret ELF binary generated by fasm. I don't know why. For disassembling I either use ndisasm (nasm) or disassembler features of the above mentioned tools. I acknowledge ollydbg is a great tool that we unfortunately have to miss under unices. Another opportunity is to use gas which now accepts also intel syntax, and can generate perfect debug info (http://www.cs.pdx.edu/~bjorn/CS200/linux_tutorial/). P.S.: when debugging the code with ald then you can debug also the signal handler.
nixnoob 04 Oct 2005, 15:05
hi endre,
sorry to be pestish and noobish but did you leave out the url for an ald tutorial? any way after struggling to compile it (cant find readline and the rpms that i wget'd into the shells were spitting more errors than i could handle) i some how got another friend of mine to install it in his shell and tried it out. seems fine but how do you break into the handler?? i cant seem to find a way. i tried the idiotic way of setting a break on handler hoping it would break there when i hit s but it doesnt seem to be the case
Code:
ald> disassemble 0x80480ce -num 5
080480CE B804000000 mov eax, 0x4
080480D3 BB02000000 mov ebx, 0x2
080480D8 B9ED900408 mov ecx, 0x80490ed
080480DD BA1E000000 mov edx, 0x1e
080480E2 CD80 int 0x80
ald> examine 0x80490ed
Dumping 64 bytes of memory starting at 0x080490ED in hex
080490ED: 48 6D 6D 6D 2C 20 53 49 47 53 45 47 56 20 73 69 Hmmm, SIGSEGV si
080490FD: 67 6E 61 6C 20 72 65 63 65 69 76 65 64 0A 62 75 gnal received.bu
0804910D: 74 20 49 27 6D 20 73 74 69 6C 6C 20 61 6C 69 76 t I'm still aliv
0804911D: 65 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e...............
ald>
Code:
ald> break 080480CE
Invalid symbol: 080480CE
ald> break 0x80480CE
Breakpoint 1 set for 0x080480CE
ald> s
Program received signal SIGSEGV (Segmentation fault)
Location: 0x0804809D
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFFB80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000 ss = 0x002B cs = 0x0023
eip = 0x0804809D eflags = 0x00010346
Flags: PF ZF TF IF RF
0804809D FF3500000000 push dword []
ald> lbreak
Num Type Enabled Address IgnoreCount HitCount
1 Breakpoint y 0x080480CE none 0
ald> s
Hmmm, SIGSEGV signal received
eax = 0x00000004 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFFB80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000 ss = 0x002B cs = 0x0023
eip = 0x080480B4 eflags = 0x00000346
Flags: PF ZF TF IF
080480B4 BB02000000 mov ebx, 0x2
ald>
could you post a little tutorial? well the main reason for me behind this course is to land on the handler and write a little trampoline inline to some blank space in the exe, jump there and try the pokeusr system call and jump back to the flow. yeah too much hackish way i sense but i want to do it that way. thanks and regards
Endre 04 Oct 2005, 21:48
Here it works quite seamlessly. I had no problem when compiling ald. Without readline it's perhaps a pain to work with - I never tried yet. I guess libreadline should be a component of every distribution.
Code:
$ ldd /usr/local/bin/ald
linux-gate.so.1 => (0xffffe000)
libreadline.so.4 => /usr/lib/libreadline.so.4 (0xb7f92000)
libtermcap.so.2 => /lib/libtermcap.so.2 (0xb7f8e000)
libc.so.6 => /lib/libc.so.6 (0xb7e74000)
/lib/ld-linux.so.2 (0xb7fc8000)
$
Code:
ald> d
...
080480C3 CD80 int 0x80
080480C5 31DB xor ebx, ebx
080480C7 B801000000 mov eax, 0x1
080480CC CD80 int 0x80
080480CE B804000000 mov eax, 0x4 ; <--- here starts the signal handler
080480D3 BB02000000 mov ebx, 0x2
080480D8 B9ED900408 mov ecx, 0x80490ed
080480DD BA1E000000 mov edx, 0x1e
080480E2 CD80 int 0x80
Hit <return> to continue, or <q> to quitq
ald> b 0x080480CE
Breakpoint 1 set for 0x080480CE
ald> c
Program received signal SIGSEGV (Segmentation fault)
Location: 0x0804809D
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBF8CEC80 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x007B es = 0x007B fs = 0x0000 gs = 0x0000 ss = 0x007B cs = 0x0073
eip = 0x0804809D eflags = 0x00210246
Flags: PF ZF IF RF ID
0804809D FF3500000000 push dword []
ald> c ; <--- debugger detected this error as well, so continue
Breakpoint 1 encountered at 0x080480CE
eax = 0x0000000B ebx = 0x00000000 ecx = 0xBF8CE990 edx = 0xBF8CE910
esp = 0xBF8CE900 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x007B es = 0x007B fs = 0x0000 gs = 0x0000 ss = 0x007B cs = 0x0073
eip = 0x080480CE eflags = 0x00200246
Flags: PF ZF IF ID
080480CE B804000000 mov eax, 0x4
ald>
nixnoob 05 Oct 2005, 08:00
Hi Endre.
thanks for replying. you use c while i used s, and if i use c it breaks on handler
Code:
0804809D FF3500000000 push dword []
ald> c
Breakpoint 1 encountered at 0x080480CE
eax = 0x00000000 ebx = 0x00000000 ecx = 0x08048074 edx = 0x00000000
esp = 0xBFFFF800 ebp = 0x00000000 esi = 0x00000000 edi = 0x00000000
ds = 0x002B es = 0x002B fs = 0x0000 gs = 0x0000 ss = 0x002B cs = 0x0023
eip = 0x080480CE eflags = 0x00000246
Flags: PF ZF IF
080480CE B804000000 mov eax, 0x4
ald>
so now one headache is over. i tried to find some space in the executable but i see the executable is very compact, no padding zeroes etc. where can i insert my trampoline code? can i add a section to the end?? you know windows breaks the sections into .data .code .rsrc .reloc .whatever etc, so if you have a massive code addition to do via binary editing (not coding/compiling) you can add a section at the end and then divert the flow there. likewise now instead of mov eax,04 i want to put code like this:
jmp far somewhere       // <addr of trampoline
pushad                  // <save regs
pushfd                  // <save flags, so hopefully we can trash anything from here onwards
mov eax, pokeusr addr or whatever it takes
...
...
...
int 0x80
parse the data code here; do whatever you fancy code here; cleanup the mess code here;
popfd
popad
execute the trashed instruction that accommodated the trampoline jmp;
jmp back to instruction next to trampoline   // continue as if nothing happened
Code:
xxd endre
0000000: 7f45 4c46 0101 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 0300 0100 0000 8480 0408 3400 0000 ............4...
0000020: 0000 0000 0000 0000 3400 2000 0200 2800 ........4. ...(.
0000030: 0000 0000 0100 0000 7400 0000 7480 0408 ........t...t...
0000040: 7480 0408 7900 0000 7900 0000 0500 0000 t...y...y.......
0000050: 0010 0000 0100 0000 ed00 0000 ed90 0408 ................
0000060: ed90 0408 3200 0000 3200 0000 0600 0000 ....2...2.......
0000070: 0010 0000 ce80 0408 0000 0000 0400 0000 ................
0000080: 0000 0000 b843 0000 00bb 0b00 0000 b974 .....C.........t
0000090: 8004 0831 d2cd 8085 c089 c375 2aff 3500 ...1.......u*.5.
00000a0: 0000 00a3 0000 0000 64ff 3500 0000 00b8 ........d.5.....
00000b0: 0400 0000 bb02 0000 00b9 0b91 0408 ba14 ................
00000c0: 0000 00cd 8031 dbb8 0100 0000 cd80 b804 .....1..........
00000d0: 0000 00bb 0200 0000 b9ed 9004 08ba 1e00 ................
00000e0: 0000 cd80 8b44 240c 8340 4c12 c348 6d6d .....D$..@L..Hmm
00000f0: 6d2c 2053 4947 5345 4756 2073 6967 6e61 m, SIGSEGV signa
0000100: 6c20 7265 6365 6976 6564 0a62 7574 2049 l received.but I
0000110: 276d 2073 7469 6c6c 2061 6c69 7665 0a 'm still alive.
so shall i just shift and insert some 0000 between 0xe0 and 0xf0? will it be ok? (oh yeah i am going to do those shady things but it would be good if i have some answers beforehand so that i dont have to reinvent the wheel) thank you. Best Regards
Endre 05 Oct 2005, 12:17
I don't know if I exactly understood what you want to do, but you can compile in an aptly sized area:
Code:
...
my_signal_handler:
    ; print exception message
    jmp trampoline ; jump into the nothing
    mov eax, SYSCALL_WRITE
    mov ebx, STDERR
    mov ecx, signal_handler_msg
    mov edx, signal_handler_msg_size
    int 0x80
    ; get parameter ucontext
    mov eax, [esp+12]
    ; modify eip
    add dword [eax+ucontext.uc_mcontext+sigcontext.eip], sizeof.do_dirty
    ret
    db 0xff, 0xff ; arbitrary marker
trampoline: times 1024 db 0 ; alloc 1024 bytes for the trampoline

; define section for data
section readable writeable
signal_handler_msg db 'Hmmm, SIGSEGV signal received', 0xa
signal_handler_msg_size = $-signal_handler_msg
reborn_msg db "but I'm still alive", 0xa
reborn_msg_size = $-reborn_msg
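The same recovery trick Endre's handler performs (take the ucontext the kernel passes as the third handler argument, which the fasm code reads at [esp+12], and advance the saved eip past the faulting instruction), as an added C example that is not from this thread. It assumes x86 Linux with glibc, and the faulting instruction is a 2-byte load through a null pointer chosen so the skip length is known; the function names are mine.

```c
#define _GNU_SOURCE            /* must precede the includes for ucontext names */
#include <signal.h>
#include <string.h>
#include <ucontext.h>

#if defined(__x86_64__)
#  define PC_SLOT   16   /* REG_RIP: index of rip in uc_mcontext.gregs (glibc) */
#  define NULL_LOAD "mov (%%rax), %%eax\n\t"   /* encodes as 8B 00 */
#elif defined(__i386__)
#  define PC_SLOT   14   /* REG_EIP: index of eip in uc_mcontext.gregs (glibc) */
#  define NULL_LOAD "mov (%%eax), %%eax\n\t"   /* encodes as 8B 00 */
#else
#  error "this example only knows the x86 register layout"
#endif
#define NULL_LOAD_LEN 2  /* bytes the handler has to skip */

static volatile sig_atomic_t faults_seen = 0;

/* SA_SIGINFO handler: ctx is the ucontext the fasm handler reads at [esp+12]. */
static void segv_handler(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    faults_seen++;
    /* same as 'add dword [eax+ucontext.uc_mcontext+sigcontext.eip], len' */
    uc->uc_mcontext.gregs[PC_SLOT] += NULL_LOAD_LEN;
}

int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = segv_handler;
    sa.sa_flags = SA_SIGINFO;   /* three-argument form (value 4 in the asm's struct) */
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL);
}

/* Loads one dword from address 0; the handler skips the 2-byte instruction
   and execution resumes at the return statement. */
int fault_and_survive(void)
{
    __asm__ volatile("xor %%eax, %%eax\n\t" NULL_LOAD ::: "eax", "memory");
    return 0x1234;
}

int fault_count(void) { return (int)faults_seen; }
```

Skipping by a fixed length only works when the handler knows exactly which instruction faulted, which is why the thread's handler uses sizeof.do_dirty for a known block rather than a general-purpose length.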
nixnoob 05 Oct 2005, 14:18
ok ill compile that and do a file compare between the existing version
and the new version. i think that would shed some light. jfyi i just want to inline assemble in place on the binary without compiling. assume i have this binary only and i dont have its source and i still want to add some extra code inside that binary so that it works the way i want it to work (never heard of adding functionality rock music to crippled ware stuff) ok. edit: i tried compiling that but it seems to spit a lot of errors. here is a diff, ill try it later but if you find my mistake in between post back. thanks
diff endre.asm endremod.asm
147a148,149
> db 0xff, 0xff ; arbitrary marker
> trampoline: times 1024 db 0 ; alloc 1024 bytes for the trampoline
Endre 06 Oct 2005, 06:33
nixnoob wrote:
Sorry, I could have been a bit more verbose. So it's about compiling in an empty 'pool' area. BTW you cannot modify the contents of this pool from the program itself since the given section was defined to be readable and runnable but not writable. On the other hand, from another application which is able to overwrite this file on the disk you can put a little code in it.
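To make Endre's point checkable on nixnoob's own dump: an added C example (not from the thread) that parses the ELF32 header and both program headers out of the first 0x74 bytes of the 'xxd endre' output above, then reports which PT_LOAD segment maps the handler at 0x080480ce, its r/w/x flags, and how many spare file bytes sit between the two segments. It relies on glibc's <elf.h> type definitions; the byte array is transcribed from the post and the function names are mine.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* First 0x74 bytes of the 'xxd endre' dump above: ELF header plus both
   program headers (everything after that is code and data). */
static const uint8_t elf_head[0x74] = {
    0x7f,0x45,0x4c,0x46,0x01,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x02,0x00,0x03,0x00,0x01,0x00,0x00,0x00,0x84,0x80,0x04,0x08,0x34,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x34,0x00,0x20,0x00,0x02,0x00,0x28,0x00,
    0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x74,0x00,0x00,0x00,0x74,0x80,0x04,0x08,
    0x74,0x80,0x04,0x08,0x79,0x00,0x00,0x00,0x79,0x00,0x00,0x00,0x05,0x00,0x00,0x00,
    0x00,0x10,0x00,0x00,0x01,0x00,0x00,0x00,0xed,0x00,0x00,0x00,0xed,0x90,0x04,0x08,
    0xed,0x90,0x04,0x08,0x32,0x00,0x00,0x00,0x32,0x00,0x00,0x00,0x06,0x00,0x00,0x00,
    0x00,0x10,0x00,0x00,
};

/* Copy program header i out of a little-endian ELF32 image; -1 if absent. */
int get_phdr(const uint8_t *img, size_t len, int i, Elf32_Phdr *out)
{
    Elf32_Ehdr eh;
    if (len < sizeof eh || memcmp(img, ELFMAG, SELFMAG) != 0 ||
        img[EI_CLASS] != ELFCLASS32 || img[EI_DATA] != ELFDATA2LSB) return -1;
    memcpy(&eh, img, sizeof eh);      /* memcpy: no unaligned struct access */
    if (i < 0 || i >= eh.e_phnum || eh.e_phentsize != sizeof *out) return -1;
    size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
    if (off + sizeof *out > len) return -1;
    memcpy(out, img + off, sizeof *out);
    return 0;
}

/* p_flags (PF_R|PF_W|PF_X) of the PT_LOAD segment that maps vaddr, or -1. */
int flags_for_vaddr(const uint8_t *img, size_t len, uint32_t vaddr)
{
    Elf32_Phdr ph;
    for (int i = 0; get_phdr(img, len, i, &ph) == 0; i++)
        if (ph.p_type == PT_LOAD && vaddr - ph.p_vaddr < ph.p_memsz)
            return (int)ph.p_flags;
    return -1;
}

/* File bytes between the end of segment a's file image and the start of b's,
   i.e. the only room a patch has without shifting everything behind it. */
long slack_between(const uint8_t *img, size_t len, int a, int b)
{
    Elf32_Phdr pa, pb;
    if (get_phdr(img, len, a, &pa) || get_phdr(img, len, b, &pb)) return -1;
    return (long)pb.p_offset - (long)(pa.p_offset + pa.p_filesz);
}
```

For this binary the handler sits in the PF_R|PF_X segment and the slack between the two segments is 0, which is the compactness nixnoob noticed.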
nixnoob 07 Oct 2005, 12:26
Hi Endre,
well that was compiling well. sorry but i was using a nasm assemble.bat earlier, stupid me. i think you misunderstood me when i said i wanted to add code: i am not going to ask the program to write it, i meant when i have the program open in the debugger and when it broke on handler i use the debugger's assemble capability to assemble code in place (something similar to set write on, set byte 0x80### == 0x90 (nopping code) in gdb). well ald doesnt have assemble capacity so its out of question, i wont think of doing it in gdb. btw does ald skip instructions? i cant see it stopping on your test eax,eax after setting seh handler, it directly passes to mov ebx,eax. is it normal behaviour for that debugger? or is it a bug? Quote:
what ever its a nice debugger with nice format and in intel syntax, thanks for suggesting it. i think i am too much confused, it seems i can generate any kind of useless errors even with gdb too. just to compare the sequence i fired up gdb. it seems gdb errs in many other ways or i do not understand jack about linux debuggers, i dont know whats the fact
Code:
(gdb) break *0x8048089
Breakpoint 1 at 0x8048089
(gdb) set di i
(gdb) r
Starting program: /home/bluffer/myfirst/myfirstasm/endre
warning: shared library handler failed to enable breakpoint
Breakpoint 1, 0x08048089 in ?? ()
(gdb) x/6i $eip
0x8048089: mov ebx,0xb
0x804808e: mov ecx,0x8048074
0x8048093: xor edx,edx
0x8048095: int 0x80
0x8048097: test eax,eax
0x8048099: mov ebx,eax
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb)
0x08048095 in ?? ()    <---------------------- skips 0x8048097 test eax,eax
(gdb)
0x08048099 in ?? ()
(gdb)
0x08048099 in ?? ()
(gdb) q
The program is running. Exit anyway? (y or n) y
bluffer@server:~/myfirst/myfirstasm>
(gdb) set di i
(gdb) b *0x8048089
Breakpoint 1 at 0x8048089
(gdb) r
Starting program: /home/bluffer/myfirst/myfirstasm/endre
warning: shared library handler failed to enable breakpoint
Breakpoint 1, 0x08048089 in ?? ()
(gdb) x/i 0x8048097
0x8048097: test eax,eax
(gdb) b *0x8048097
Breakpoint 2 at 0x8048097
(gdb) info break
Num Type Disp Enb Address What
1 breakpoint keep y 0x08048089
breakpoint already hit 1 time
2 breakpoint keep y 0x08048097
(gdb)
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb) si
0x08048095 in ?? ()
(gdb) si                <----- wtf ? ??? breaks on 98 ?
0x08048098 in ?? ()
(gdb)
(gdb) info reg eip
eip 0x8048098 0x8048098
(gdb)
(gdb) si
Program received signal SIGSEGV, Segmentation fault.
0x08048098 in ?? ()
nixnoob 10 Oct 2005, 06:57
ok it seems it is a feature that may or may not be fixed in the kernel:
http://www.ussg.iu.edu/hypermail/linux/kernel/0406.3/1126.html
there are arguments and counter arguments saying it slows down etc. i am not a guru in these debates but i know if i single step and gdb breaks in the middle of an instruction, completely fucking up the disassembly and screwing a seg fault, that is nasty behaviour. to force a break on 0x8048097 i set a breakpoint on 0x8048097 and the result is as follows
Code:
Breakpoint 2, 0x08048089 in ?? ()
(gdb) si
0x0804808e in ?? ()
(gdb) si
0x08048093 in ?? ()
(gdb) si
0x08048095 in ?? ()
(gdb) si
0x08048098 in ?? ()
(gdb) x/i $eip
0x8048098: rorb $0x35,0xff2a75c3(%ecx)
(gdb) si
Program received signal SIGSEGV, Segmentation fault.
0x08048098 in ?? ()
hope linus torvalds sees this thread and compiles the code and runs it on gdb. and i should thank Isomer at #wlug undernet for finding this post
f0dder 13 Sep 2006, 11:57
So... signals are the way of exception handling on *u*x. What about thread safety?
vid 13 Sep 2006, 12:20
f0dder 13 Sep 2006, 22:26
Hm, seems sucky. There's no default, standardized, and solid per-thread exception routine? Christ. That's even worse than a single global 'errno'. Bad design.
vid 14 Sep 2006, 05:23
yup - seems it was designed before exceptions were
most linuxers are wondering what the reason is not to kill the "bad program" immediately, but at least you can request exception info (where, register values) as an extra bonus
f0dder 14 Sep 2006, 11:28
Quote:
iiiiichhhnorantz! Linus should've had a clue and copied VMS instead of MINIX. |
vid 25 Sep 2006, 14:45
http://www.linuxjournal.com/article/2121
now someone just make an example of multithreaded linux exception handling |
arafel 25 Sep 2006, 18:25
f0dder wrote:
That's even worse than a single global 'errno'. Bad design.
Leave this 'errno' to C coders. They made it, they shall suffer.
vid 25 Sep 2006, 18:31
i've heard "errno" is a macro emulating a global variable, after they realized the design wasn't very good for multithreading
arafel 25 Sep 2006, 19:19
yep, defined something like iirc: #define errno (*__errno_location())
I think that this faulty design is not much a result of multithreading since it's global-per-thread in multi-threaded environments anyway.
vid 03 Oct 2006, 10:55
someone should write a new thread with an article and example of how to do linux exception handling, and then i will make it sticky in Linux, and move interesting links there. It would be nicer than having to read through 10 posts to find one working etc...
Copyright © 1999-2024, Tomasz Grysztar.