Debugging with GDB reading notes [2]

    This post mainly collects a few techniques from Part 10 of Debugging with GDB.

    1. Producing a core file from your program
    How to Produce a Core File from Your Program

    A core file or core dump is a file that records the memory image of a running process and its process status (register values etc.). Its primary use is post-mortem debugging of a program that crashed while it ran outside a debugger. A program that crashes automatically produces a core file, unless this feature is disabled by the user. See Files, for information on invoking gdb in the post-mortem debugging mode.

    Occasionally, you may wish to produce a core file of the program you are debugging in order to preserve a snapshot of its state. gdb has a special command for that.

    generate-core-file [file]
    gcore [file]

    Produce a core dump of the inferior process. The optional argument file specifies the file name where to put the core dump. If not specified, the file name defaults to core.pid, where pid is the inferior process ID.
    Note that this command is implemented only for some systems (as of this writing, gnu/Linux, FreeBSD, Solaris, Unixware, and S390).

    If you want to produce a core file while debugging a program, in order to save a snapshot of the process state, GDB provides a special command for this:

    generate-core-file [file]
    gcore [file]

    Produce a core dump of the process being debugged (the inferior).

    2.Search Memory

    Memory can be searched for a particular sequence of bytes with the find command.

    find [/sn] start_addr, +len, val1 [, val2, ...]
    find [/sn] start_addr, end_addr, val1 [, val2, ...]

    Search memory for the sequence of bytes specified by val1, val2, etc. The search begins at address start_addr and continues for either len bytes or through to end_addr inclusive.
    s and n are optional parameters. They may be specified in either order, apart or together.

    s, search query size
        The size of each search query value.
        b    bytes
        h    halfwords (two bytes)
        w    words (four bytes)
        g    giant words (eight bytes)

    All values are interpreted in the current language. This means, for example, that if the current source language is C/C++ then searching for the string “hello” includes the trailing '\0'.

    If the value size is not specified, it is taken from the value's type in the current language. This is useful when one wants to specify the search pattern as a mixture of types. Note that this means, for example, that in the case of C-like languages a search for an untyped 0x42 will search for `(int) 0x42' which is typically four bytes.

    n, maximum number of finds
    The maximum number of matches to print. The default is to print all finds.
    You can use strings as search values. Quote them with double-quotes ("). The string value is copied into the search pattern byte by byte, regardless of the endianness of the target and the size specification.

    The address of each match found is printed as well as a count of the number of matches found.

    The address of the last value found is stored in convenience variable `$_'. A count of the number of matches is stored in `$numfound'.

    For example, if stopped at the printf in this function:

    #include <stdio.h>

    void hello ()
    {
      static char hello[] = "hello-hello";
      static struct { char c; short s; int i; }
        __attribute__ ((packed)) mixed
          = { 'c', 0x1234, 0x87654321 };
      printf ("%s\n", hello);
    }

    you get during debugging:

    (gdb) find &hello[0], +sizeof(hello), "hello"
    0x804956d <hello.1620+6>
    1 pattern found
    (gdb) find &hello[0], +sizeof(hello), 'h', 'e', 'l', 'l', 'o'
    0x8049567 <hello.1620>
    0x804956d <hello.1620+6>
    2 patterns found
    (gdb) find /b1 &hello[0], +sizeof(hello), 'h', 0x65, 'l'
    0x8049567 <hello.1620>
    1 pattern found
    (gdb) find &mixed, +sizeof(mixed), (char) 'c', (short) 0x1234, (int) 0x87654321
    0x8049560 <mixed.1625>
    1 pattern found
    (gdb) print $numfound
    $1 = 1
    (gdb) print $_
    $2 = (void *) 0x8049560

    // One thing to note here: if the current source language is C/C++, then searching for the string "hello" includes the trailing '\0'.
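To make the size and count semantics of find concrete, here is an added Python model of the command (not part of the original post or of GDB) run over a constructed little-endian memory image laid out like the manual's example; the addresses and the region contents are assumptions chosen to reproduce the session above.

```python
import struct

# Constructed memory image modelled on the manual's example layout. The addresses are
# assumptions picked so that the results match the session above: the packed struct
# `mixed` {char c; short s; int i;} sits at 0x8049560 and `hello[]` follows it.
BASE = 0x8049560
MEMORY = struct.pack("<BhI", ord("c"), 0x1234, 0x87654321) + b"hello-hello\0"
MIXED = BASE          # &mixed
HELLO = BASE + 7      # &hello[0]

SIZE_BYTES = {"b": 1, "h": 2, "w": 4, "g": 8}   # the /s size letters


def encode(value, forced_size=None):
    """Serialise one search value for a little-endian target.

    A str is copied byte by byte and, as in C, carries its trailing NUL. An
    (int, size_letter) pair is packed to that width, or to forced_size when a
    /s modifier is in effect; masking makes (int) 0x87654321 wrap as in GDB."""
    if isinstance(value, str):
        return value.encode() + b"\0"
    val, letter = value
    n = SIZE_BYTES[forced_size or letter]
    return (val & ((1 << (8 * n)) - 1)).to_bytes(n, "little")


def find(start, length, *values, size=None, max_matches=None):
    """Model of `find [/sn] start_addr, +len, val1, val2 ...` over MEMORY.

    For the `start_addr, end_addr` form pass length = end_addr - start_addr + 1.
    Returns (addresses, count): the last address is what GDB leaves in `$_`,
    the count is `$numfound`."""
    pattern = b"".join(encode(v, size) for v in values)
    region = MEMORY[start - BASE : start - BASE + length]
    hits = []
    for off in range(len(region) - len(pattern) + 1):
        if region[off : off + len(pattern)] == pattern:
            hits.append(start + off)
            if max_matches is not None and len(hits) == max_matches:
                break
    return hits, len(hits)


if __name__ == "__main__":
    # The four searches from the session above, then the untyped-int caveat.
    print(find(HELLO, 12, "hello"))                                   # ([0x804956d], 1)
    print(find(HELLO, 12, *[(ord(c), "b") for c in "hello"]))          # two hits
    print(find(HELLO, 12, (ord("h"), "b"), (0x65, "w"), (ord("l"), "b"),
               size="b", max_matches=1))                               # /b1: one hit
    print(find(MIXED, 7, (ord("c"), "b"), (0x1234, "h"), (0x87654321, "w")))
    print(find(HELLO, 12, (0x65, "w")))   # no /b: 0x65 is (int) 0x65, 4 bytes, no hit
```

The last call shows the caveat from the text: without /b, an untyped 0x65 is searched as a four-byte int and does not match the 'e' in the string.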

    3. A memory-search trick taken from scz (GDB now implements this natively)
    Here is another trick, for searching memory by hand:

    (gdb) define find <start> <end> <step> <count> <value>      <- do not type the angle-bracket part
        set $count=0
        set $find_result=$arg0
        while ((((unsigned int)$count)<((unsigned int)$arg3))&&(((unsigned int)$find_result)<=((unsigned int)$arg1)))
            if (*(unsigned int *)$find_result==$arg4)
                set $count=$count+1
                x/wx $find_result
            end
            set $find_result=$find_result+$arg2
        end
    end
    (gdb) find 0xbffff000 0xbfffff00 4 16 0x90909090      <- afterwards just call find directly
    0xbffff3fc: 0x90909090
    0xbffff400: 0x90909090
    (gdb) find 0xbffff000 0xbfffff00 4 8 0x0820518c       <- search for the location of the pname variable
    0xbffff348: 0x0820518c
    Original article: https://www.cnblogs.com/moonflow/p/2285907.html