Hi all,
being interested in the system's internals, I ktraced a trivial 'program':
/*
 * Minimal do-nothing program used as the ktrace(1) subject.
 * Takes no arguments and returns exit status 0; everything seen in the
 * trace therefore comes from the kernel, ld.so and libc, not from this code.
 */
int main(void) { return 0; }
cc -o prog prog.c        # build the trivial program above
strip prog               # drop symbols so nothing but the bare binary is traced
ktrace ./prog            # run it under ktrace; the kernel writes the trace to ktrace.out
kdump -f ktrace.out      # render the trace (the output quoted below)
The output shows things one would expect: ktrace execve's the ./prog,
libc.so is read, permissions are checked, the executable itself is read,
...
9465 ktrace RET ktrace 0
9465 ktrace CALL execve(0xcfbf6be7,0xcfbf6a58,0xcfbf6a60)
9465 ktrace NAMI "./prog"
9465 prog NAMI "/usr/libexec/ld.so"
9465 prog EMUL "native"
9465 prog RET execve 0
9465 prog CALL issetugid()
9465 prog RET issetugid 0
9465 prog CALL mprotect(0x25060000,0x1000,0x1)
9465 prog RET mprotect 0
9465 prog CALL mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
9465 prog RET mmap -2113363968/0x8208a000
9465 prog CALL open(0x2505e723,0,0)
9465 prog NAMI "/var/run/ld.so.hints"
9465 prog RET open 3
9465 prog CALL fstat(0x3,0xcfbcbb40)
9465 prog RET fstat 0
9465 prog CALL mmap(0,0x2e4f,0x1,0x2,0x3,0,0,0)
9465 prog RET mmap 2129707008/0x7ef0c000
9465 prog CALL close(0x3)
9465 prog RET close 0
9465 prog CALL open(0x7ef0da80,0,0)
9465 prog NAMI "/usr/lib/libc.so.39.0"
9465 prog RET open 3
9465 prog CALL fstat(0x3,0xcfbcaff0)
9465 prog RET fstat 0
9465 prog CALL read(0x3,0xcfbcb060,0x1000)
9465 prog GIO fd 3 read 4088 bytes
"\^?ELF\^A\^A\^A\0\0\0\0\0\0\0\0\0\^C\0\^C\0\^A\0\0\0\M-(:\^A\0004\0\0\
\0\^TA:\0\0\0\0\0004\0 \0\^F\0(\0)\0&\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
[...]
9465 prog GIO fd 3 read 8 bytes
"\0\0\0\0\M-1\^E\0\0"
9465 prog RET read 4096/0x1000
Then comes stuff I don't really understand -
9465 prog CALL mquery(0,0x82000,0x5,0,0x3,0,0,0)
9465 prog RET mquery 217501696/0xcf6d000
9465 prog CALL mquery(0x2cf6d000,0xd000,0x1,0x10,0xffffffff,0,0,0)
9465 prog RET mquery 754372608/0x2cf6d000
9465 prog CALL mquery(0x2cf7a000,0x3000,0x3,0x10,0xffffffff,0,0,0)
9465 prog RET mquery 754425856/0x2cf7a000
9465 prog CALL mquery(0x2cf7d000,0x2000,0x3,0x10,0xffffffff,0,0,0)
9465 prog RET mquery 754438144/0x2cf7d000
9465 prog CALL mquery(0x2cf7f000,0x1000,0x3,0x10,0xffffffff,0,0,0)
9465 prog RET mquery 754446336/0x2cf7f000
9465 prog CALL mquery(0x2cf80000,0x1e000,0x3,0x10,0xffffffff,0,0,0)
9465 prog RET mquery 754450432/0x2cf80000
9465 prog CALL mmap(0xcf6d000,0x82000,0x5,0x12,0x3,0,0,0)
9465 prog RET mmap 217501696/0xcf6d000
9465 prog CALL mmap(0x2cf6d000,0xd000,0x1,0x12,0x3,0,0x82000,0)
9465 prog RET mmap 754372608/0x2cf6d000
9465 prog CALL mmap(0x2cf7a000,0x3000,0x3,0x12,0x3,0,0x8f000,0)
9465 prog RET mmap 754425856/0x2cf7a000
9465 prog CALL mmap(0x2cf7d000,0x2000,0x3,0x12,0x3,0,0x91000,0)
9465 prog RET mmap 754438144/0x2cf7d000
9465 prog CALL mmap(0x2cf7f000,0x1000,0x3,0x12,0x3,0,0x92000,0)
9465 prog RET mmap 754446336/0x2cf7f000
9465 prog CALL mmap(0x2cf80000,0x1e000,0x3,0x1012,0xffffffff,0,0,0)
9465 prog RET mmap 754450432/0x2cf80000
9465 prog CALL close(0x3)
9465 prog RET close 0
- is this libc.so (opened as fd 3 above) being mapped into memory segment by segment, with the mquery() calls first probing where each segment can go and the close(3) marking the end of the mapping? Is that the dynamic linker loading the ELF?
9465 prog CALL mmap(0,0x5000,0x3,0x1002,0xffffffff,0,0,0)
9465 prog RET mmap -2099654656/0x82d9d000
9465 prog CALL mprotect(0xcf6d000,0x81d56,0x7)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0xcf6d000,0x81d56,0x5)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x1)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0xcf6d000,0x81d56,0x7)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0xcf6d000,0x81d56,0x5)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x1)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL munmap(0x82d9d000,0x5000)
9465 prog RET munmap 0
9465 prog CALL mprotect(0x3c002000,0x1000,0x1)
9465 prog RET mprotect 0
- and then having its page protections changed with mprotect(2)? The third argument looks like the PROT_* flags (0x1 read, 0x3 read/write, 0x5 read/exec, 0x7 read/write/exec) being toggled on the same ranges - what is that for?
What puzzles me most is the subsequent storm of sigprocmask():
what are these really for? Each one seems to come in a pair - sigprocmask(0x1, 0xffffffff), two mprotect() calls on the same page(s) switching them writable and back to read-only, then sigprocmask(0x3, 0) - so presumably something is blocking all signals around a small write window. Who is really doing this - my prog
doesn't change its sigset anywhere.
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL __sysctl(0.0,0x3c0030e0,0xcfbcc120,0,0)
9465 prog RET __sysctl 0
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL __sysctl(0.0,0x2cf973ec,0xcfbcc164,0,0)
9465 prog RET __sysctl 0
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
9465 prog RET mmap -2000723968/0x88bf6000
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL mprotect(0x88bf6000,0x1000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x3c002000,0x1000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x3c002000,0x1000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL mprotect(0x88bf6000,0x1000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x88bf6000,0x1000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x3c002000,0x1000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x3c002000,0x1000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL munmap(0x88bf6000,0x1000)
9465 prog RET munmap 0
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
9465 prog CALL exit(0)
Would someone please point me to an appropriate piece of literature? I
would like to understand what really is happening behind the curtains.
Thanks
Jan