On Tue, 21 Nov 2006, Olivier Meyer wrote:
> Most of what you see is the libc setting up default signal stuff.
> After the ELF is loaded mprotect is used to make the area executable,
> so when EIP is set to the starting point, the program does not SEGV.
>
> As to understanding, I would read the appropriate code in the kernel.
Things get a lot less complicated if you run a statically compiled
program, or use lazy binding (see ld.so(1)).
-Otto
>
> On 11/21/06, Jan Stary <[EMAIL PROTECTED]> wrote:
> > Hi all,
> >
> > being interested in the system's internals, I ktraced a trivial 'program':
> >
> > int
> > main(void)
> > {
> > return 0;
> > }
> >
> > cc -o prog prog.c
> > strip prog
> > ktrace ./prog
> > kdump -f ktrace.out
> >
> > The output shows things one would expect: ktrace execve's the ./prog,
> > libc.so is read, permissions are checked, the executable itself is read,
> > ...
> >
> >
> > 9465 ktrace RET ktrace 0
> > 9465 ktrace CALL execve(0xcfbf6be7,0xcfbf6a58,0xcfbf6a60)
> > 9465 ktrace NAMI "./prog"
> > 9465 prog NAMI "/usr/libexec/ld.so"
> > 9465 prog EMUL "native"
> > 9465 prog RET execve 0
> > 9465 prog CALL issetugid()
> > 9465 prog RET issetugid 0
> > 9465 prog CALL mprotect(0x25060000,0x1000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
> > 9465 prog RET mmap -2113363968/0x8208a000
> > 9465 prog CALL open(0x2505e723,0,0)
> > 9465 prog NAMI "/var/run/ld.so.hints"
> > 9465 prog RET open 3
> > 9465 prog CALL fstat(0x3,0xcfbcbb40)
> > 9465 prog RET fstat 0
> > 9465 prog CALL mmap(0,0x2e4f,0x1,0x2,0x3,0,0,0)
> > 9465 prog RET mmap 2129707008/0x7ef0c000
> > 9465 prog CALL close(0x3)
> > 9465 prog RET close 0
> > 9465 prog CALL open(0x7ef0da80,0,0)
> > 9465 prog NAMI "/usr/lib/libc.so.39.0"
> > 9465 prog RET open 3
> > 9465 prog CALL fstat(0x3,0xcfbcaff0)
> > 9465 prog RET fstat 0
> > 9465 prog CALL read(0x3,0xcfbcb060,0x1000)
> > 9465 prog GIO fd 3 read 4088 bytes
> >
> > "\^?ELF\^A\^A\^A\0\0\0\0\0\0\0\0\0\^C\0\^C\0\^A\0\0\0\M-(:\^A\0004\0\0\
> > \0\^TA:\0\0\0\0\0004\0
> > \0\^F\0(\0)\0&\0\^A\0\0\0\0\0\0\0\0\0\0\0\0\0\0\
> > [...]
> > 9465 prog GIO fd 3 read 8 bytes
> > "\0\0\0\0\M-1\^E\0\0"
> > 9465 prog RET read 4096/0x1000
> >
> > Then comes stuff I don't really understand -
> >
> > 9465 prog CALL mquery(0,0x82000,0x5,0,0x3,0,0,0)
> > 9465 prog RET mquery 217501696/0xcf6d000
> > 9465 prog CALL mquery(0x2cf6d000,0xd000,0x1,0x10,0xffffffff,0,0,0)
> > 9465 prog RET mquery 754372608/0x2cf6d000
> > 9465 prog CALL mquery(0x2cf7a000,0x3000,0x3,0x10,0xffffffff,0,0,0)
> > 9465 prog RET mquery 754425856/0x2cf7a000
> > 9465 prog CALL mquery(0x2cf7d000,0x2000,0x3,0x10,0xffffffff,0,0,0)
> > 9465 prog RET mquery 754438144/0x2cf7d000
> > 9465 prog CALL mquery(0x2cf7f000,0x1000,0x3,0x10,0xffffffff,0,0,0)
> > 9465 prog RET mquery 754446336/0x2cf7f000
> > 9465 prog CALL mquery(0x2cf80000,0x1e000,0x3,0x10,0xffffffff,0,0,0)
> > 9465 prog RET mquery 754450432/0x2cf80000
> > 9465 prog CALL mmap(0xcf6d000,0x82000,0x5,0x12,0x3,0,0,0)
> > 9465 prog RET mmap 217501696/0xcf6d000
> > 9465 prog CALL mmap(0x2cf6d000,0xd000,0x1,0x12,0x3,0,0x82000,0)
> > 9465 prog RET mmap 754372608/0x2cf6d000
> > 9465 prog CALL mmap(0x2cf7a000,0x3000,0x3,0x12,0x3,0,0x8f000,0)
> > 9465 prog RET mmap 754425856/0x2cf7a000
> > 9465 prog CALL mmap(0x2cf7d000,0x2000,0x3,0x12,0x3,0,0x91000,0)
> > 9465 prog RET mmap 754438144/0x2cf7d000
> > 9465 prog CALL mmap(0x2cf7f000,0x1000,0x3,0x12,0x3,0,0x92000,0)
> > 9465 prog RET mmap 754446336/0x2cf7f000
> > 9465 prog CALL mmap(0x2cf80000,0x1e000,0x3,0x1012,0xffffffff,0,0,0)
> > 9465 prog RET mmap 754450432/0x2cf80000
> > 9465 prog CALL close(0x3)
> > 9465 prog RET close 0
> >
> > - is this the ELF being loaded into memory?
> >
> > 9465 prog CALL mmap(0,0x5000,0x3,0x1002,0xffffffff,0,0,0)
> > 9465 prog RET mmap -2099654656/0x82d9d000
> > 9465 prog CALL mprotect(0xcf6d000,0x81d56,0x7)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0xcf6d000,0x81d56,0x5)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0xcf6d000,0x81d56,0x7)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0xcf6d000,0x81d56,0x5)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf6d000,0xc3a1,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL munmap(0x82d9d000,0x5000)
> > 9465 prog RET munmap 0
> > 9465 prog CALL mprotect(0x3c002000,0x1000,0x1)
> > 9465 prog RET mprotect 0
> >
> > - and then being "protected" in the memory, whatever that means?
> >
> > What puzzles me most is the subsequent storm of sigprocmask():
> > what are these really for? Who is really doing this - my prog
> > doesn't really change its sigset.
> >
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL __sysctl(0.0,0x3c0030e0,0xcfbcc120,0,0)
> > 9465 prog RET __sysctl 0
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL __sysctl(0.0,0x2cf973ec,0xcfbcc164,0,0)
> > 9465 prog RET __sysctl 0
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL mmap(0,0x1000,0x3,0x1002,0xffffffff,0,0,0)
> > 9465 prog RET mmap -2000723968/0x88bf6000
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL mprotect(0x88bf6000,0x1000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x3c002000,0x1000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x3c002000,0x1000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL mprotect(0x88bf6000,0x1000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x88bf6000,0x1000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x3c002000,0x1000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x3c002000,0x1000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL munmap(0x88bf6000,0x1000)
> > 9465 prog RET munmap 0
> > 9465 prog CALL sigprocmask(0x1,0xffffffff)
> > 9465 prog RET sigprocmask 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
> > 9465 prog RET mprotect 0
> > 9465 prog CALL sigprocmask(0x3,0)
> > 9465 prog RET sigprocmask -65793/0xfffefeff
> > 9465 prog CALL exit(0)
> >
> > Would someone please point me to an appropriate piece of literature? I
> > would like to understand what really is happening behind the curtains.
> >
> > Thanks
> >
> > Jan
> >
> >
>
>
> --
> -----------------------
> Olivier V. Meyer
> Congress shall make no law respecting an establishment of religion, or
> prohibiting the free exercise thereof; or abridging the freedom of
> speech, or of the press; or the right of the people peaceably to
> assemble, and to petition the government for a redress of grievances.
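As an added example (not code from the thread or from OpenBSD), a small Python script that reads kdump(1) CALL lines like those quoted above, follows each region's protection through mmap/mprotect, and reports every transition: which ones open a W+X window (the 0x7 on the libc text at 0xcf6d000) and which writable windows (the page at 0x2cf7d000) fall between a sigprocmask(SIG_BLOCK, all) and the sigprocmask(SIG_SETMASK, 0) that restores the mask. The sample trace is a constructed subset of the lines in the thread; the SIG_BLOCK/SIG_SETMASK values are the standard 1 and 3.

```python
import re
# Constructed sample: a subset of the kdump(1) lines quoted in the thread.
SAMPLE = """\
9465 prog CALL mmap(0xcf6d000,0x82000,0x5,0x12,0x3,0,0,0)
9465 prog RET mmap 217501696/0xcf6d000
9465 prog CALL mprotect(0xcf6d000,0x81d56,0x7)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0xcf6d000,0x81d56,0x5)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x1,0xffffffff)
9465 prog RET sigprocmask 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x3)
9465 prog RET mprotect 0
9465 prog CALL mprotect(0x2cf7d000,0x2000,0x1)
9465 prog RET mprotect 0
9465 prog CALL sigprocmask(0x3,0)
9465 prog RET sigprocmask -65793/0xfffefeff
"""

PROT_BITS = {1: "R", 2: "W", 4: "X"}   # PROT_READ, PROT_WRITE, PROT_EXEC
SIG_BLOCK = 1                          # sigprocmask(2) "how"; 3 is SIG_SETMASK
CALL_RE = re.compile(r"^\s*\d+\s+\S+\s+CALL\s+(\w+)\((.*)\)\s*$")

def prot_str(p):
    return "".join(n for b, n in PROT_BITS.items() if p & b) or "-"

def parse_calls(text):
    """Yield (syscall, args) per CALL line; non-numeric args (e.g. 0.0) become None."""
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [int(a, 0) if re.fullmatch(r"-?(0x[0-9a-f]+|\d+)", a) else None
                    for a in m.group(2).split(",")]
            yield m.group(1), args

def audit(text):
    """Follow each region's protection through mmap/mprotect; record each
    transition, whether it opened a W+X window, and whether signals were masked."""
    prot, blocked, events = {}, False, []
    for call, args in parse_calls(text):
        if call == "sigprocmask":          # (1, ~0) masks all; (3, 0) restores an empty mask
            blocked = args[0] == SIG_BLOCK
        elif call == "mmap":               # initial protection of a new region
            prot[args[0]] = args[2]
        elif call == "mprotect":
            addr, new = args[0], args[2]
            old, prot[addr] = prot.get(addr), new
            events.append({"addr": addr, "from": "?" if old is None else prot_str(old),
                           "to": prot_str(new), "wx": new & 6 == 6, "sig_blocked": blocked})
    return events
```

Calling `audit(SAMPLE)` yields four transitions: RX->RWX (W+X window, signals not masked), RWX->RX, then ?->RW and RW->R on 0x2cf7d000 with all signals masked.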