Date: Wed, 26 Mar 2008 21:09:00 -0000
From: "gdb guy"
To: gdb
Subject: Why won't gdb stop on packed (UPX) file breakpoint at entrypoint?
Mailing-List: contact gdb-help@sourceware.org; run by ezmlm
X-SW-Source: 2008-03/txt/msg00251.txt.bz2

I am hoping someone can suggest a solution around this, because it seems like it limits malware analysis on *nix systems where you want to use gdb rather than some windows tool...

I wanted to see what UPX was doing for linux files, so I went and got UPX v 3.02 (http://upx.sourceforge.net/#download). I compiled it, and did

    $ upx `which ps` -o UPXps

and got my UPXps which functions just fine as a normal ps command.

Then I did

    $ readelf -a UPXps
    ELF Header:
      Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
      Class:                             ELF32
      Data:                              2's complement, little endian
      Version:                           1 (current)
      OS/ABI:                            UNIX - Linux
      ABI Version:                       0
      Type:                              EXEC (Executable file)
      Machine:                           Intel 80386
      Version:                           0x1
      Entry point address:               0xc07fd0
      Start of program headers:          52 (bytes into file)
      Start of section headers:          0 (bytes into file)
      Flags:                             0x0
      Size of this header:               52 (bytes)
      Size of program headers:           32 (bytes)
      Number of program headers:         2
      Size of section headers:           40 (bytes)
      Number of section headers:         0
      Section header string table index: 0

    There are no sections in this file.

    There are no sections in this file.

    Program Headers:
      Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      LOAD           0x000000 0x00c01000 0x00c01000 0x077b8 0x077b8 R E 0x1000
      LOAD           0x000df4 0x08078df4 0x08078df4 0x00000 0x00000 RW  0x1000

    There is no dynamic section in this file.

    There are no relocations in this file.

    There are no unwind sections in this file.

    No version information found in this file.

Next comes

    $ gdb ./UPXps
    GNU gdb 6.4
    Copyright 2005 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)
    Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

    (gdb) b *0xc07fd0
    Breakpoint 1 at 0xc07fd0
    (gdb) r
    Starting program: /home/user/ELF/upx-3.02-src/UPXps
    warning: shared library handler failed to enable breakpoint
    Failed to read a valid object file image from memory.
      PID TTY          TIME CMD
    11524 pts/7    00:00:00 bash
    17683 pts/7    00:00:00 gdb
    17688 pts/7    00:00:00 UPXps
    17690 pts/7    00:00:00 gdb

    Program exited normally.
So my question is, is there any way to *force* gdb to just load the program and just break at the entry point address?

Also, just for my own benefit, and those who google after me, on GDB 6.3 (which I have on another older VM) what does DSO stand for when it says "Loading system supplied DSO at 0xc00000"?

Thanks
Gary Guy
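The readelf output above carries the two facts an analyst wants before touching the debugger: the entry point and the fact that the image has no section headers at all. The following is an added example (not the poster's code, nor part of UPX or gdb) that reads those fields straight from the ELF32 file header and program headers with Python's struct module; the SAMPLE bytes are constructed from the readelf values in the post, and the "looks packed" heuristic (no section table, entry inside an executable LOAD segment) is a general indicator, not a proof of packing.

```python
import struct
from typing import Optional

# Struct layouts for the ELF32 file header (52 bytes) and program header (32 bytes).
ELF32_EHDR = "<16sHHIIIIIHHHHHH"
ELF32_PHDR = "<IIIIIIII"
PT_LOAD, PF_X = 1, 1

def parse_elf32(data: bytes) -> dict:
    """Return entry point, header counts and LOAD segments of an ELF32 image."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1:  # EI_CLASS must be ELFCLASS32 for this layout
        raise ValueError("only ELF32 is handled here")
    hdr = struct.unpack_from(ELF32_EHDR, data, 0)
    e_entry, e_phoff, e_shoff = hdr[4], hdr[5], hdr[6]
    e_phentsize, e_phnum, e_shnum = hdr[9], hdr[10], hdr[12]
    segments = []
    for i in range(e_phnum):
        p = struct.unpack_from(ELF32_PHDR, data, e_phoff + i * e_phentsize)
        if p[0] == PT_LOAD:  # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
            segments.append({"vaddr": p[2], "memsz": p[5], "flags": p[6]})
    return {"entry": e_entry, "phnum": e_phnum, "shnum": e_shnum,
            "shoff": e_shoff, "load": segments}

def entry_segment(info: dict) -> Optional[dict]:
    """LOAD segment that contains the entry point, or None if none does."""
    for seg in info["load"]:
        if seg["vaddr"] <= info["entry"] < seg["vaddr"] + seg["memsz"]:
            return seg
    return None

def looks_packed(info: dict) -> bool:
    """Heuristic matching the readelf output in the post: an image with no
    section headers whose entry point sits inside an executable LOAD segment."""
    seg = entry_segment(info)
    return info["shnum"] == 0 and seg is not None and bool(seg["flags"] & PF_X)

# Constructed sample: the UPXps headers exactly as readelf printed them in the post.
SAMPLE = struct.pack(ELF32_EHDR,
    b"\x7fELF\x01\x01\x01\x03" + b"\x00" * 8,  # e_ident: ELF32, LE, OS/ABI Linux
    2, 3, 1, 0xc07fd0, 52, 0, 0, 52, 32, 2, 40, 0, 0)
SAMPLE += struct.pack(ELF32_PHDR, PT_LOAD, 0x0, 0x00c01000, 0x00c01000, 0x077b8, 0x077b8, 5, 0x1000)
SAMPLE += struct.pack(ELF32_PHDR, PT_LOAD, 0xdf4, 0x08078df4, 0x08078df4, 0, 0, 6, 0x1000)

if __name__ == "__main__":
    info = parse_elf32(SAMPLE)
    print(f"entry 0x{info['entry']:x}, sections {info['shnum']}, packed? {looks_packed(info)}")
```

The same parser runs on a real file with parse_elf32(open(path, "rb").read()); the entry value it returns is the address to hand to gdb's b * command.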