Saturday, 17 December 2011

Your dtrace fell into my dtrace :-)

Having verified that the dtrace print() function works, we can
use it to do a CTF-style structure dump.

You are partially on your own - go find a structure to print out.
(You can't have mine, because its mine! All mine!)

This simple example shows the ctf-style print in action:

Reference: Eric Schrock's dtrace blog:

http://dtrace.org/blogs/eschrock/2011/10/26/your-mdb-fell-into-my-dtrace/



$ build/dtrace -n 'BEGIN{print(*((struct file *)0xffffffff81a156a0)); exit(0);}'
dtrace: description 'BEGIN' matched 1 probe
CPU ID FUNCTION:NAME
1 1 :BEGIN struct file {
union f_u = {
struct list_head fu_list = {
struct list_head *next = 0
struct list_head *prev = 0
}
struct rcu_head fu_rcuhead = {
struct rcu_head *next = 0
void (*)() func = 0
}
}
struct path f_path = {
struct vfsmount *mnt = 0
struct dentry *dentry = 0
}
const struct file_operations *f_op = 0xcf
spinlock_t f_lock = {
union {
struct raw_spinlock rlock = {
arch_spinlock_t raw_lock = {
unsigned int slock = 0
}
}
}
}
int f_sb_list_cpu = 0
atomic_long_t f_count = {
long counter = 0
}
unsigned int f_flags = 0
fmode_t f_mode = 0
loff_t f_pos = 0
struct fown_struct f_owner = {
rwlock_t lock = {
arch_rwlock_t raw_lock = {
s32 lock = 0
s32 write = 0
}
}
struct pid *pid = 0
enum pid_type pid_type = PIDTYPE_PID
uid_t uid = 0
uid_t euid = 0
int signum = 0
}
const struct cred *f_cred = 0xffffffff810267c4
struct file_ra_state f_ra = {
unsigned long start = 0
unsigned int size = 0x17d436
unsigned int async_size = 0x8
unsigned int ra_pages = 0x3e8
unsigned int mmap_miss = 0
loff_t prev_pos = 0x200fffd058
}
u64 f_version = 0x700000000
void *f_security = 0
void *private_data = 0xffffffff810267dd
struct list_head f_ep_links = {
struct list_head *next = 0xffffffff81026995
struct list_head *prev = 0
}
struct list_head f_tfile_llink = {
struct list_head *next = 0
struct list_head *prev = 0xffffffff817ae848
}
struct address_space *f_mapping = 0xffffffff00000064
}


For those of you who are paying attention: I picked a random symbol
in the kernel to prove this works, so don't treat that file structure
as having any meaning! The address is not a real struct file, so the
field values (for example, f_op = 0xcf) are just whatever bytes happen
to be there.



