Most of what you see is the libc setting up default signal stuff.
After the ELF is loaded, mprotect is used to make the area executable,
so when EIP is set to the starting point, the program does not SEGV.

As to understanding, I would read the appropriate code in the kernel.

On 11/21/06, Jan Stary <[EMAIL PROTECTED]> wrote:
Hi all,

being interested in the system's internals, I ktraced a trivial 'program':

int
main(void)
{
        return 0;
}

cc -o prog prog.c
strip prog
ktrace ./prog
kdump -f ktrace.out

The output shows things one would expect: ktrace execve's the ./prog,
libc.so is read, permissions are checked, the executable itself is read,
...


  9465 ktrace   RET   ktrace 0
  9465 ktrace   CALL  execve(0xcfbf6be7,0xcfbf6a58,0xcfbf6a60)
  9465 ktrace   NAMI  "./prog"
  9465 prog     NAMI  "/usr/libexec/ld.so"
  9465 prog     EMUL  "native"
  9465 prog     RET   execve 0
  9465 prog     CALL  issetugid()
  9465 prog     RET   issetugid 0
  9465 prog     CALL  mprotect(0x25060000,0x1000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
  9465 prog     RET   mmap -2113363968/0x8208a000
  9465 prog     CALL  open(0x2505e723,0,0)
  9465 prog     NAMI  "/var/run/ld.so.hints"
  9465 prog     RET   open 3
  9465 prog     CALL  fstat(0x3,0xcfbcbb40)
  9465 prog     RET   fstat 0
  9465 prog     CALL  mmap(0,0x2e4f,0x1,0x2,0x3,0,0,0)
  9465 prog     RET   mmap 2129707008/0x7ef0c000
  9465 prog     CALL  close(0x3)
  9465 prog     RET   close 0
  9465 prog     CALL  open(0x7ef0da80,0,0)
  9465 prog     NAMI  "/usr/lib/libc.so.39.0"
  9465 prog     RET   open 3
  9465 prog     CALL  fstat(0x3,0xcfbcaff0)
  9465 prog     RET   fstat 0
  9465 prog     CALL  read(0x3,0xcfbcb060,0x1000)
  9465 prog     GIO   fd 3 read 4088 bytes
       "\^?ELF\^A\^A\^A\0\0\0\0\0\0\0\0\0\^C\0\^C\0\^A\0\0\0\M-(:\^A\0004\0\0\
        \0\^TA:\0\0\0\0\0004\0 \0\^F\0(\0)\0&\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
        [...]
  9465 prog     GIO   fd 3 read 8 bytes
       "\0\0\0\0\M-1\^E\0\0"
  9465 prog     RET   read 4096/0x1000

Then comes stuff I don't really understand -

  9465 prog     CALL  mquery(0,0x82000,0x5,0,0x3,0,0,0)
  9465 prog     RET   mquery 217501696/0xcf6d000
  9465 prog     CALL  mquery(0x2cf6d000,0xd000,0x1,0x10,0xffffffff,0,0,0)
  9465 prog     RET   mquery 754372608/0x2cf6d000
  9465 prog     CALL  mquery(0x2cf7a000,0x3000,0x3,0x10,0xffffffff,0,0,0)
  9465 prog     RET   mquery 754425856/0x2cf7a000
  9465 prog     CALL  mquery(0x2cf7d000,0x2000,0x3,0x10,0xffffffff,0,0,0)
  9465 prog     RET   mquery 754438144/0x2cf7d000
  9465 prog     CALL  mquery(0x2cf7f000,0x1000,0x3,0x10,0xffffffff,0,0,0)
  9465 prog     RET   mquery 754446336/0x2cf7f000
  9465 prog     CALL  mquery(0x2cf80000,0x1e000,0x3,0x10,0xffffffff,0,0,0)
  9465 prog     RET   mquery 754450432/0x2cf80000
  9465 prog     CALL  mmap(0xcf6d000,0x82000,0x5,0x12,0x3,0,0,0)
  9465 prog     RET   mmap 217501696/0xcf6d000
  9465 prog     CALL  mmap(0x2cf6d000,0xd000,0x1,0x12,0x3,0,0x82000,0)
  9465 prog     RET   mmap 754372608/0x2cf6d000
  9465 prog     CALL  mmap(0x2cf7a000,0x3000,0x3,0x12,0x3,0,0x8f000,0)
  9465 prog     RET   mmap 754425856/0x2cf7a000
  9465 prog     CALL  mmap(0x2cf7d000,0x2000,0x3,0x12,0x3,0,0x91000,0)
  9465 prog     RET   mmap 754438144/0x2cf7d000
  9465 prog     CALL  mmap(0x2cf7f000,0x1000,0x3,0x12,0x3,0,0x92000,0)
  9465 prog     RET   mmap 754446336/0x2cf7f000
  9465 prog     CALL  mmap(0x2cf80000,0x1e000,0x3,0x1012,0xffffffff,0,0,0)
  9465 prog     RET   mmap 754450432/0x2cf80000
  9465 prog     CALL  close(0x3)
  9465 prog     RET   close 0

- is this the ELF being loaded into memory?

  9465 prog     CALL  mmap(0,0x5000,0x3,0x1002,0xffffffff,0,0,0)
  9465 prog     RET   mmap -2099654656/0x82d9d000
  9465 prog     CALL  mprotect(0xcf6d000,0x81d56,0x7)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf6d000,0xc3a1,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0xcf6d000,0x81d56,0x5)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf6d000,0xc3a1,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0xcf6d000,0x81d56,0x7)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf6d000,0xc3a1,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0xcf6d000,0x81d56,0x5)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf6d000,0xc3a1,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  munmap(0x82d9d000,0x5000)
  9465 prog     RET   munmap 0
  9465 prog     CALL  mprotect(0x3c002000,0x1000,0x1)
  9465 prog     RET   mprotect 0

- and then being "protected" in the memory, whatever that means?

What puzzles me most is the subsequent storm of sigprocmask():
what are these really for? Who is really doing this - my prog
doesn't really change its sigset.

  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  __sysctl(0.0,0x3c0030e0,0xcfbcc120,0,0)
  9465 prog     RET   __sysctl 0
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  __sysctl(0.0,0x2cf973ec,0xcfbcc164,0,0)
  9465 prog     RET   __sysctl 0
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
  9465 prog     RET   mmap -2000723968/0x88bf6000
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  mprotect(0x88bf6000,0x1000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x3c002000,0x1000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x3c002000,0x1000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  mprotect(0x88bf6000,0x1000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x88bf6000,0x1000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x3c002000,0x1000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x3c002000,0x1000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  munmap(0x88bf6000,0x1000)
  9465 prog     RET   munmap 0
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
  9465 prog     CALL  exit(0)

Would someone please point me to an appropriate piece of literature? I
would like to understand what really is happening behind the curtains.

        Thanks

                Jan

--
-----------------------
Olivier V. Meyer
Congress shall make no law respecting an establishment of religion, or
prohibiting the free exercise thereof; or abridging the freedom of
speech, or of the press; or the right of the people peaceably to
assemble, and to petition the government for a redress of grievances.
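As an added illustration (not part of either message above, and not OpenBSD's own code), here is a small Python decoder for kdump(1) CALL/RET lines of the kind quoted in the thread. It pairs each CALL with its RET, names the protection and mapping bits using the constant values from OpenBSD's <sys/mman.h> and <signal.h>, reports any call that left a region both writable and executable, and counts the mprotect calls issued while every signal was blocked. The sample input is a constructed subset of the quoted trace; all function and variable names are my own. Two things it surfaces from the quoted lines: the libc text segment is briefly set to READ|WRITE|EXEC before settling on READ|EXEC, and every sigprocmask(SIG_BLOCK, ~0) / sigprocmask(SIG_SETMASK, ...) pair brackets a writable-then-read-only toggle of the same 0x2000 region. My reading of that pattern (not something the thread states) is a dynamic linker updating a relocation table while making sure no signal handler can run during the window in which the page is writable.

```python
"""Decode OpenBSD kdump(1) CALL/RET lines for mmap, mprotect and sigprocmask.

Constant values below follow OpenBSD's <sys/mman.h> and <signal.h>:
PROT_READ=1, PROT_WRITE=2, PROT_EXEC=4; MAP_SHARED=1, MAP_PRIVATE=2,
MAP_FIXED=0x10, MAP_ANON=0x1000; SIG_BLOCK=1, SIG_UNBLOCK=2, SIG_SETMASK=3.
"""
import re

PROT = {0x1: "READ", 0x2: "WRITE", 0x4: "EXEC"}
MAP = {0x1: "SHARED", 0x2: "PRIVATE", 0x10: "FIXED", 0x1000: "ANON"}
SIG_HOW = {1: "SIG_BLOCK", 2: "SIG_UNBLOCK", 3: "SIG_SETMASK"}

CALL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+CALL\s+(\w+)\((.*)\)\s*$")
RET_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+RET\s+(\w+)\s+(\S+)\s*$")

# Constructed sample: a subset of the trace quoted in the thread, same format.
SAMPLE = """\
  9465 prog     CALL  mmap(0xcf6d000,0x82000,0x5,0x12,0x3,0,0,0)
  9465 prog     RET   mmap 217501696/0xcf6d000
  9465 prog     CALL  mprotect(0xcf6d000,0x81d56,0x7)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0xcf6d000,0x81d56,0x5)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x1,0xffffffff)
  9465 prog     RET   sigprocmask 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x3)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  mprotect(0x2cf7d000,0x2000,0x1)
  9465 prog     RET   mprotect 0
  9465 prog     CALL  sigprocmask(0x3,0)
  9465 prog     RET   sigprocmask -65793/0xfffefeff
"""


def bits(value, table):
    """Render a bitmask as NAME|NAME; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def to_int(token):
    """kdump prints arguments in hex or decimal; keep odd tokens (e.g. the
    '0.0' shown for __sysctl's name vector) as strings instead of failing."""
    try:
        return int(token, 0)
    except ValueError:
        return token


def parse_ret(text):
    """kdump prints 'decimal/hex' for non-zero returns and plain '0' otherwise."""
    return int(text.split("/")[-1], 0)


def parse_events(text):
    """Pair each CALL line with its RET line (same pid and syscall name).
    NAMI and GIO lines carry no syscall arguments and are skipped."""
    events, pending = [], {}
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            pid, _, name, args = m.groups()
            argv = [to_int(a) for a in args.split(",") if a]
            pending[(pid, name)] = {"pid": int(pid), "name": name,
                                    "args": argv, "ret": None}
            continue
        m = RET_RE.match(line)
        if m:
            pid, _, name, ret = m.groups()
            ev = pending.pop((pid, name), None)
            if ev is not None:
                ev["ret"] = parse_ret(ret)
                events.append(ev)
    return events


def decode(ev):
    """One human-readable line per paired syscall, with flag bits named."""
    name, a = ev["name"], ev["args"]
    if name == "mprotect" and len(a) == 3:
        desc = f"mprotect(addr={a[0]:#x}, len={a[1]:#x}, prot={bits(a[2], PROT)})"
    elif name == "mmap" and len(a) >= 5:
        fd = -1 if a[4] == 0xffffffff else a[4]  # -1 shows up as unsigned 32-bit
        desc = (f"mmap(addr={a[0]:#x}, len={a[1]:#x}, prot={bits(a[2], PROT)}, "
                f"flags={bits(a[3], MAP)}, fd={fd})")
    elif name == "sigprocmask" and len(a) == 2:
        desc = f"sigprocmask(how={SIG_HOW.get(a[0], a[0])}, mask={a[1]:#x})"
    else:
        desc = f"{name}({', '.join(str(x) for x in a)})"
    return f"{desc} = {ev['ret']:#x}"


def wx_violations(events):
    """(addr, len) of every mmap/mprotect that granted WRITE and EXEC at once,
    i.e. a window in which W^X did not hold for that region."""
    out = []
    for ev in events:
        if ev["name"] in ("mmap", "mprotect") and len(ev["args"]) >= 3:
            prot = ev["args"][2]
            if isinstance(prot, int) and prot & 0x2 and prot & 0x4:
                addr = ev["ret"] if ev["name"] == "mmap" else ev["args"][0]
                out.append((addr, ev["args"][1]))
    return out


def mprotects_under_signal_block(events):
    """Count mprotect calls issued between sigprocmask(SIG_BLOCK, ~0) and the
    sigprocmask(SIG_SETMASK, ...) that restores the previous mask."""
    blocked, count = False, 0
    for ev in events:
        if ev["name"] == "sigprocmask" and len(ev["args"]) == 2:
            how, mask = ev["args"]
            if how == 1 and mask == 0xffffffff:
                blocked = True
            elif how == 3:
                blocked = False
        elif ev["name"] == "mprotect" and blocked:
            count += 1
    return count


if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    for e in evs:
        print(decode(e))
    print("W^X violated at:", [(hex(a), hex(n)) for a, n in wx_violations(evs)])
    print("mprotect calls with all signals blocked:", mprotects_under_signal_block(evs))
```

To use it on a real trace, replace SAMPLE with the output of kdump -f ktrace.out; the regexes only depend on the CALL/RET column layout shown in the thread, so NAMI, GIO and EMUL lines pass through untouched.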