Searching for pattern in memory from GDB?

Searching for pattern in memory from GDB?

[James Nordby]

Hi,

I'm trying to put together a fast, internal-circular-buffer-type tracing
package.  I want to get able to extract the traces from either a running
program or a core file, but our binaries are normally sent out stripped.
I thought if I put a word or two with a particular pattern at the
beginning
of the trace buffer, I could look for that with gdb and use gdb to
format
the rest of the buffer.

Do you know of any way to say 'search for pattern in <BSS,heap> space'
in gdb?

If not, can you think of any other way to find a buffer in a stripped
binary?

Thanks,
Jim

P.S. - Please respond to my e-mail addr as well as the list...

Re: Searching for pattern in memory from GDB?

[Daniel Jacobowitz]

On Mon, Apr 08, 2002 at 01:41:22PM -0500, James Nordby wrote:
> 
> Hi,
> 
> I'm trying to put together a fast, internal-circular-buffer-type tracing
> package.  I want to get able to extract the traces from either a running
> program or a core file, but our binaries are normally sent out stripped.
> I thought if I put a word or two with a particular pattern at the
> beginning
> of the trace buffer, I could look for that with gdb and use gdb to
> format
> the rest of the buffer.
> 
> Do you know of any way to say 'search for pattern in <BSS,heap> space'
> in gdb?
> 
> If not, can you think of any other way to find a buffer in a stripped
> binary?

Nope.  There's no command like this at the moment.  I'd appreciate it
if you filed an enhancement request in the GDB GNATS system about this:
  http://sources.redhat.com/gdb/bugs/

-- 
Daniel Jacobowitz                           Carnegie Mellon University
MontaVista Software                         Debian GNU/Linux Developer

Re: Searching for pattern in memory from GDB?

[Michael Snyder]

James Nordby wrote:
> 
> Hi,
> 
> I'm trying to put together a fast, internal-circular-buffer-type tracing
> package.  I want to get able to extract the traces from either a running
> program or a core file, but our binaries are normally sent out stripped.
> I thought if I put a word or two with a particular pattern at the
> beginning
> of the trace buffer, I could look for that with gdb and use gdb to
> format
> the rest of the buffer.
> 
> Do you know of any way to say 'search for pattern in <BSS,heap> space'
> in gdb?
> 
> If not, can you think of any other way to find a buffer in a stripped
> binary?

Or, you could just write a gdb macro, something like

define search
  set $start = (char *) $arg0
  set $end = (char *) $arg1
  set $pattern = (int) $arg2
  set $p = $start
  while $p < $end
    if (*(int *) $p) == $pattern
      printf "pattern 0x%x found at 0x$x\n", $pattern, $p
    end
    set $p++
  end
end

Re: Searching for pattern in memory from GDB?

[Michael Elizabeth Chastain]

You can build your executable file with symbols, then strip the symbols
and ship it.  Then run gdb on the unstripped executable and the core
dump from the stripped executable.

You could do this:

  static char signpost [64];
  sprintf (signpost, "\nFOO_BUFFER_ADDRESS=0x%p\n", foo_buffer_address);

Then when you get the core dump, you can do:

  strings -a core | grep FOO_BUFFER_ADDRESS

If your target operating system(s) support mmap at a fixed address,
then you can mmap to that address.  Obviously that is not portable but
if it works, it works.  That would make it exceptionally easy to attach
to a running process.

Hope this helps,

Michael C