Wednesday, March 5, 2014

Examining memory locations in GDB leads to..... assembly language

Before we look at buffer overflows and start examining memory locations in GDB on Linux, we need a primer on assembly language. We will soon be looking at memory locations in GDB and then following them in assembly, so the first step is to get comfortable with how GDB pauses a program and what it shows us when it does.

When we need to stop the execution of a program we use breakpoints. A breakpoint pauses the program at a user-chosen location (or when a user-defined condition holds) so that we can examine it mid-execution. While the program is paused, GDB lets you inspect and modify CPU registers, memory locations and data.

To set a breakpoint in GDB at the main function we do the following:

(gdb) break main
Breakpoint 1 at 0x80484e4: file tst3.c, line 14.
(gdb)

Now, when our program hits the breakpoint, we examine the CPU registers:

(gdb) run 12345677   (run the program with a single argument, 12345677)
Starting program:GDB/tst3 12345677
Breakpoint 1, main (argc=2, argv=0xbffff364) at tst3.c:14   (argc=2: argv[0] is the program name and argv[1] is 12345677)
14      echoinput(argv[1]);

Examining the CPU registers we see the following output. The two most important registers for a reverse engineer are esp, the stack pointer (the address of the top of the stack, here 0xbffff2b0), and eip, the instruction pointer (the address of the next instruction to execute, here 0x80484e4, which GDB resolves to main+9; "break main" places the breakpoint just past main's prologue, which is why it is not at main+0). ebp, the frame pointer, is worth watching too, since it anchors the current stack frame. Note that GDB prints the second column as a signed decimal, which is why pointer-valued registers such as ecx and edx show negative numbers.

(gdb) info registers
eax            0x2    2
ecx            0xbffff364    -1073745052
edx            0xbffff2f4    -1073745164
ebx            0xb7fc0000    -1208221696
esp            0xbffff2b0    0xbffff2b0
ebp            0xbffff2c8    0xbffff2c8
esi            0x0    0
edi            0x0    0
eip            0x80484e4    0x80484e4 <main+9>
eflags         0x282    [ SF IF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51
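The page never shows tst3.c itself, so the following is an added example rather than the author's program: a reconstruction of the kind of program the session implies (main hands argv[1] to echoinput, the function the second breakpoint lands in), with a helper that makes the esp/ebp behaviour in the register dump concrete by showing that a callee's locals sit at lower addresses than its caller's. The function names tst3_main and callee_frame_is_below_caller, the 64-byte buffer, and the build flags in the comment are assumptions. echoinput is deliberately length-checked here; it is not the overflow target the series builds toward.

```c
/* Reconstruction of a tst3.c-style program (an assumption; the original
 * source is not shown on the page).  main() hands argv[1] to echoinput(),
 * which is where the breakpoints in the GDB session above land.
 *
 * Build and drive it the way the session does (32-bit so the registers
 * are eax/esp/eip rather than rax/rsp/rip):
 *   gcc -g -O0 -m32 -o tst3 tst3.c
 *   gdb ./tst3
 *   (gdb) break main
 *   (gdb) run 12345677
 *   (gdb) info registers
 *   (gdb) break echoinput
 *   (gdb) info breakpoints
 *   (gdb) disable 1
 *   (gdb) continue
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Echo the argument back and return how many bytes were echoed.
 * The copy into the fixed buffer is length-checked on purpose: this is a
 * safe reconstruction, not the overflow target the series builds toward. */
int echoinput(const char *input)
{
    char buf[64];
    size_t n = strlen(input);
    if (n >= sizeof buf)
        n = sizeof buf - 1;            /* truncate rather than overflow */
    memcpy(buf, input, n);
    buf[n] = '\0';
    printf("you said: %s\n", buf);
    return (int)n;
}

/* Record the address of a local in a callee frame.  noinline so the call
 * (and therefore a new stack frame) really happens even when optimised. */
__attribute__((noinline)) static void callee_local_addr(uintptr_t *out)
{
    volatile char local = 0;
    *out = (uintptr_t)&local;
}

/* esp and ebp drop on every call because the x86 stack grows toward lower
 * addresses, so a local in a callee sits below a local in its caller.
 * Returns 1 when that holds (assumed: a downward-growing stack, as on
 * x86/x86-64 Linux), which is what the esp/ebp values in the session show. */
int callee_frame_is_below_caller(void)
{
    volatile char local = 0;
    uintptr_t caller = (uintptr_t)&local;
    uintptr_t callee = 0;
    callee_local_addr(&callee);
    return callee < caller;
}

/* argc counts argv[0] (the program name) too, so one user argument means
 * argc == 2, exactly what "main (argc=2, ...)" reported at breakpoint 1.
 * Returns 0 on success, 1 on a usage error. */
int tst3_main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    return echoinput(argv[1]) > 0 ? 0 : 1;
}

int main(int argc, char **argv)
{
    return tst3_main(argc, argv);
}
```

Compiling with -O0 keeps the prologue and locals in the shape GDB shows above; at higher optimisation levels the compiler may drop the frame pointer, and ebp then no longer marks the frame boundary.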

We can have as many breakpoints as needed in our executable. We will now set a second breakpoint at the echoinput function.

(gdb) info breakpoints
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x080484e4 in main at tst3.c:14
    breakpoint already hit 1 time
(gdb) break echoinput   (setting up another breakpoint at the function echoinput)
Breakpoint 2 at 0x8048498: file tst3.c, line 6.
(gdb) info breakpoints
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x080484e4 in main at tst3.c:14
    breakpoint already hit 1 time
2       breakpoint     keep y   0x08048498 in echoinput at tst3.c:6


Now, as you can see, both breakpoints are listed and both show as enabled (Enb = y). Disabling a breakpoint is equally easy, as shown below.

(gdb) disable 1
(gdb) info breakpoints
Num     Type           Disp Enb Address    What
1       breakpoint     keep n   0x080484e4 in main at tst3.c:14   (breakpoint 1 now disabled: Enb = n)
    breakpoint already hit 1 time
2       breakpoint     keep y   0x08048498 in echoinput at tst3.c:6
