Mirror of the gdb mailing list
 help / color / mirror / Atom feed
* Why won't gdb stop on packed (UPX) file breakpoint at entrypoint?
@ 2008-03-26 21:09 gdb guy
  2008-03-26 21:11 ` Daniel Jacobowitz
  0 siblings, 1 reply; 6+ messages in thread
From: gdb guy @ 2008-03-26 21:09 UTC (permalink / raw)
  To: gdb

I am hoping someone can suggest a solution around this, because it
seems like it limits malware analysis on *nix systems where you want
to use gdb rather than some windows tool...

I wanted to see what UPX was doing for linux files, so I went and got
UPX v 3.02 (http://upx.sourceforge.net/#download). I compiled it, and
did
$ upx `which ps` -o UPXps
and got my UPXps which functions just fine as a normal ps command.
Then I did
$ readelf -a UPXps
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - Linux
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0xc07fd0
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         0
  Section header string table index: 0
There are no sections in this file.
There are no sections in this file.
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x077b8 0x077b8 R E 0x1000
  LOAD           0x000df4 0x08078df4 0x08078df4 0x00000 0x00000 RW  0x1000
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.

Next comes
$gdb ./UPXps
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) b *0xc07fd0
Breakpoint 1 at 0xc07fd0
(gdb) r
Starting program: /home/user/ELF/upx-3.02-src/UPXps
warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
  PID TTY          TIME CMD
11524 pts/7    00:00:00 bash
17683 pts/7    00:00:00 gdb
17688 pts/7    00:00:00 UPXps
17690 pts/7    00:00:00 gdb
Program exited normally.

So my question is, is there any way to *force* gdb to just load the
program and just break at the entry point address?

Also, just for my own benefit, and those who google after me, on GDB
6.3 (which I have on another older VM) what does DSO stand for when it
says "Loading system supplied DSO at 0xc00000"?

Thanks

Gary Guy


^ permalink raw reply	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2008-03-26 21:18 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-03-26 21:09 Why won't gdb stop on packed (UPX) file breakpoint at entrypoint? gdb guy
2008-03-26 21:11 ` Daniel Jacobowitz
2008-03-26 21:14   ` gdb guy
2008-03-26 21:18     ` Daniel Jacobowitz
2008-03-26 21:22       ` gdb guy
2008-03-26 22:36         ` Daniel Jacobowitz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox