http://tech.sina.com.cn/s/s/2005-02-27/1033536743.shtml
http://www.52z.com/soft/10463.Html
http://topic.csdn.net/t/20020909/13/1008278.html
lots of software
http://www.slime.com.tw/d-6.htm
Friday, February 26, 2010
Thursday, February 25, 2010
How to find all processes in Linux manually
How to find all processes in Linux manually
Linux kernel already provides a MACRO called for_each_process to go through each process. However, you may need to find all the processes manually sometimes. Following is the method:
Environment:
QEMU 0.10.2
QEMU VM: Cent OS 5.3 (Linux 2.6.18)
ARCH :X86-32
Basic idea:
We know that every process has a task_struct in Linux. The task_struct has a member called “tasks”. It is a list_head and all the processes are linked together by task_struct.tasks.
Therefore, to find out all the processes, we could find one task_struct and then follow the tasks member. Other useful members in task_struct are: pid (it is similar to thread id on Windows), tgid ( it is similar to process id on Windows), comm (command line, can be used as process name ).
Next, we are going to use QEMU to find all the processes manually from QEMU monitor. In GDB, we could use “p task->tgid” command to print out the tgid. But QEMU does not support that. So we have to know the exact offset for each interesting member of task_struct.
To find out the offset for members such as tasks, pid, I use a kernel module to print out them. Following is the result: (pid =0xbc means the offset of pid in tasks_struct is at 0xbc)
pid = 0Xbc
tgid = 0Xc0
comm = 0X1AC
tasks = 0X80
The next thing we need to know is how to find the first task_struct. You can read ULK3 or LKD2 to find the answer. In sum, find esp first, in QEMU, esp can be obtained by using “p $esp”, let’s say it is 0xc100,4566. Set the low 13bit of the esp to 0, we get 0xc100,4000. This is the value of “current”, and it’s first member is the *task_struct.
OK, let’s do a real experiment :
1) Setup a QEMU VM with CentOS 5.3 installed as the guest OS. And run it.
2) Press alt+ctrl+2 to switch to QEMU monitor. Then type “stop” in the QEMU monitor. This stops the QEMU emulation so that we don’t need to worry about the memory changes due to a process exit.
3) Type p$esp to find esp. It is 0xc3a94f78 in my experiment.
4) Find THEAD_INFO . That is to set the low 13bit of esp to 0. We got 0xc3a94000
5) x /20w 0xc3a94000 . This will show the content of THREAD_INFO. The first member is the *task. The result is 0xc3aaa370. (Note that, sometimes the value here might be 0, just press “c” to let QEMU continue and “stop” to try more times.)
6) Now we know the address for task_struct, then it is easy to find tgid, tasks and comm. For example, pid is at 0xc3aaa42c (task_struct+0XBC). Note that when checking the content of “comm”, use following command in QEMU : x /20b 0xc3aaa51c. Otherwise, the byte order is reversed by QEMU.
7) Now we know the info about the current process. To find out the next one, just follow task_struct->tasks. Note that the address of task_struct->tasks->next is not the base address of task_struct. The base address of next task_strcut is 0x80 smaller. Then you can repeat the above steps to find out all the processes.
Linux kernel already provides a MACRO called for_each_process to go through each process. However, you may need to find all the processes manually sometimes. Following is the method:
Environment:
QEMU 0.10.2
QEMU VM: Cent OS 5.3 (Linux 2.6.18)
ARCH :X86-32
Basic idea:
We know that every process has a task_struct in Linux. The task_struct has a member called “tasks”. It is a list_head and all the processes are linked together by task_struct.tasks.
Therefore, to find out all the processes, we could find one task_struct and then follow the tasks member. Other useful members in task_struct are: pid (it is similar to thread id on Windows), tgid ( it is similar to process id on Windows), comm (command line, can be used as process name ).
Next, we are going to use QEMU to find all the processes manually from QEMU monitor. In GDB, we could use “p task->tgid” command to print out the tgid. But QEMU does not support that. So we have to know the exact offset for each interesting member of task_struct.
To find out the offset for members such as tasks, pid, I use a kernel module to print out them. Following is the result: (pid =0xbc means the offset of pid in tasks_struct is at 0xbc)
pid = 0Xbc
tgid = 0Xc0
comm = 0X1AC
tasks = 0X80
The next thing we need to know is how to find the first task_struct. You can read ULK3 or LKD2 to find the answer. In sum, find esp first, in QEMU, esp can be obtained by using “p $esp”, let’s say it is 0xc100,4566. Set the low 13bit of the esp to 0, we get 0xc100,4000. This is the value of “current”, and it’s first member is the *task_struct.
OK, let’s do a real experiment :
1) Setup a QEMU VM with CentOS 5.3 installed as the guest OS. And run it.
2) Press alt+ctrl+2 to switch to QEMU monitor. Then type “stop” in the QEMU monitor. This stops the QEMU emulation so that we don’t need to worry about the memory changes due to a process exit.
3) Type p$esp to find esp. It is 0xc3a94f78 in my experiment.
4) Find THEAD_INFO . That is to set the low 13bit of esp to 0. We got 0xc3a94000
5) x /20w 0xc3a94000 . This will show the content of THREAD_INFO. The first member is the *task. The result is 0xc3aaa370. (Note that, sometimes the value here might be 0, just press “c” to let QEMU continue and “stop” to try more times.)
6) Now we know the address for task_struct, then it is easy to find tgid, tasks and comm. For example, pid is at 0xc3aaa42c (task_struct+0XBC). Note that when checking the content of “comm”, use following command in QEMU : x /20b 0xc3aaa51c. Otherwise, the byte order is reversed by QEMU.
7) Now we know the info about the current process. To find out the next one, just follow task_struct->tasks. Note that the address of task_struct->tasks->next is not the base address of task_struct. The base address of next task_strcut is 0x80 smaller. Then you can repeat the above steps to find out all the processes.
Friday, February 19, 2010
Function-call Conventions
Ref:
Assembly view:http://unixwiz.net/techtips/win32-callconv-asm.html
C view:http://unixwiz.net/techtips/win32-callconv.html
code from MS VS:
1.1 cdecl callee
void __cdecl ccall(int arg1)
{
004115A0 push ebp
004115A1 mov ebp,esp //前面2行是标准的函数入口开头,LINUX也这样
004115A3 sub esp,0C0h //留一段STACK空间
004115A9 push ebx
004115AA push esi
004115AB push edi //前面3行以前总是不明白。现在清楚了,因为后面要用到那些寄存器,所以这里先保存到堆栈上。
004115AC lea edi,[ebp-0C0h]
004115B2 mov ecx,30h
004115B7 mov eax,0CCCCCCCCh //这个 CCCCCCCC 是不是很熟悉?如果是,那么说明你经常犯没有初始话局部变量的错误
004115BC rep stos dword ptr es:[edi] //到这里,目的就是把堆栈上的局部变量设定一个初始值 CCCCCCCCh ,这样出了问题好查。 这些是WINDOWS特有的。或者是MS VS 特有的。
arg1++;
004115BE mov eax,dword ptr [arg1]
004115C1 add eax,1
004115C4 mov dword ptr [arg1],eax
}
004115C7 pop edi
004115C8 pop esi
004115C9 pop ebx //一堆POP,把之前保存的寄存器恢复。注意顺序很重要。
004115CA mov esp,ebp
004115CC pop ebp
004115CD ret //终于返回了。
1.2 cdecl 的caller
ccall(2);
00411670 push 2
00411672 call ccall (41114Ah)
00411677 add esp,4
很明显的可以看到 1.2 里的最后一行,就是caller在清堆栈。
下面再看看stdcall的例子
2.1 stdcall callee
void __stdcall stcall(int arg1)
{
004115E0 push ebp
004115E1 mov ebp,esp
004115E3 sub esp,0C0h
004115E9 push ebx
004115EA push esi
004115EB push edi
004115EC lea edi,[ebp-0C0h]
004115F2 mov ecx,30h
004115F7 mov eax,0CCCCCCCCh
004115FC rep stos dword ptr es:[edi]
arg1++;
004115FE mov eax,dword ptr [arg1]
00411601 add eax,1
00411604 mov dword ptr [arg1],eax
}
00411607 pop edi
00411608 pop esi
00411609 pop ebx
0041160A mov esp,ebp
0041160C pop ebp
0041160D ret 4 //这个地方和前面的CDECL CALL不一样了。终于发现你了!
2.2 stdcall caller
stcall(3);
0041167A push 3
0041167C call stcall (411203h)
Assembly view:http://unixwiz.net/techtips/win32-callconv-asm.html
C view:http://unixwiz.net/techtips/win32-callconv.html
code from MS VS:
1.1 cdecl callee
void __cdecl ccall(int arg1)
{
004115A0 push ebp
004115A1 mov ebp,esp //前面2行是标准的函数入口开头,LINUX也这样
004115A3 sub esp,0C0h //留一段STACK空间
004115A9 push ebx
004115AA push esi
004115AB push edi //前面3行以前总是不明白。现在清楚了,因为后面要用到那些寄存器,所以这里先保存到堆栈上。
004115AC lea edi,[ebp-0C0h]
004115B2 mov ecx,30h
004115B7 mov eax,0CCCCCCCCh //这个 CCCCCCCC 是不是很熟悉?如果是,那么说明你经常犯没有初始话局部变量的错误
004115BC rep stos dword ptr es:[edi] //到这里,目的就是把堆栈上的局部变量设定一个初始值 CCCCCCCCh ,这样出了问题好查。 这些是WINDOWS特有的。或者是MS VS 特有的。
arg1++;
004115BE mov eax,dword ptr [arg1]
004115C1 add eax,1
004115C4 mov dword ptr [arg1],eax
}
004115C7 pop edi
004115C8 pop esi
004115C9 pop ebx //一堆POP,把之前保存的寄存器恢复。注意顺序很重要。
004115CA mov esp,ebp
004115CC pop ebp
004115CD ret //终于返回了。
1.2 cdecl 的caller
ccall(2);
00411670 push 2
00411672 call ccall (41114Ah)
00411677 add esp,4
很明显的可以看到 1.2 里的最后一行,就是caller在清堆栈。
下面再看看stdcall的例子
2.1 stdcall callee
void __stdcall stcall(int arg1)
{
004115E0 push ebp
004115E1 mov ebp,esp
004115E3 sub esp,0C0h
004115E9 push ebx
004115EA push esi
004115EB push edi
004115EC lea edi,[ebp-0C0h]
004115F2 mov ecx,30h
004115F7 mov eax,0CCCCCCCCh
004115FC rep stos dword ptr es:[edi]
arg1++;
004115FE mov eax,dword ptr [arg1]
00411601 add eax,1
00411604 mov dword ptr [arg1],eax
}
00411607 pop edi
00411608 pop esi
00411609 pop ebx
0041160A mov esp,ebp
0041160C pop ebp
0041160D ret 4 //这个地方和前面的CDECL CALL不一样了。终于发现你了!
2.2 stdcall caller
stcall(3);
0041167A push 3
0041167C call stcall (411203h)
Subscribe to:
Posts (Atom)