OSDev.org

The Place to Start for Operating System Developers
It is currently Thu Mar 28, 2024 2:34 pm

All times are UTC - 6 hours
 Post subject: debugger ???
PostPosted: Sun Apr 15, 2012 10:46 pm 
Joined: Mon Nov 03, 2008 6:06 pm
Posts: 385
I have been reading through the Intel manual on debugging.
I also found this article, which gives me the general theory of how a debugger can be created / how they work.
http://www.alexonlinux.com/how-debugger-works#table_of_contents

I am surprised that to step through code the debugger has to modify the first byte of each line with the code 0xcc = int 3 to call the debugger handler.
So in theory, once the program that is to be debugged is loaded into memory and the debugger is run on it, the debugger modifies the code
of the debuggee process, putting that 0xcc (int 3) in, finishing that instruction and repeating, to create breakpoints or stopping points in the program.

Questions
1) In Linux, debugging userland programs can be broken down into ptrace syscalls / int 3 and signals, along with a few other things.
But I am curious how this all works if you are debugging in kernel land, since at that point you no longer have a parent process and child process issue (i.e. no fork(), etc.).
See, in user land you grant the gdb debugger access to debug a program through ptrace syscalls and signals.h (i.e. gdb can modify the process with 0xcc).
But in kernel land there is no gdb or userland API, so either one would have to build the functionality of a debugger into the kernel's process loader,
or build a kernel-level program that can be executed by the kernel process loader and has the ability to fork / the ability to modify the child process code, or something.

I am really curious about clearing this issue up.
What I am thinking is that a kernel debugger <-- (I believe that is the name for a debugger in kernel land) is easier in theory, because you don't have to ask permission for memory reads/writes normally, since you are already in ring 0. So you could in theory just have the debugger be the same as your loader, but instead of jumping to the code once loaded it would first set breakpoints with 0xcc to maintain control of the kernel application.


2)
In terms of security:
I know buffer overflow days are coming to an end, but could one still use ptrace, or write a kernel module, to allow him to modify a process's instructions, not just placing 0xcc's for breakpoints like debuggers do? It could be some rude/malicious debugger program that
places machine code like ret or push some address, etc. At this point the theory of how to write a debugger could be used to implement a malicious debugger that does this, thus giving you the same control as buffer overflows back in the day ;)
sssssssssshhhhhhh I won't tell


 Post subject: Re: debugger ???
PostPosted: Sun Apr 15, 2012 11:12 pm 
Joined: Thu Jan 29, 2009 9:13 am
Posts: 95
1) Debugging in this case is all done in your debug interrupt handler.

2) Didn't read like a question, but yes, that is possible; use tools you trust.


 Post subject: Re: debugger ???
PostPosted: Sun Apr 15, 2012 11:34 pm 
Joined: Mon Nov 03, 2008 6:06 pm
Posts: 385
Quote:
1) Debugging in this case is all done in your debug interrupt handler.


OK, but then a kernel debugger could only debug the kernel from the point of the IDT being set up; before that no debugging could ever be done.
So a kernel debugger will only ever be good for debugging past the point of at least the interrupts being set up.
So the only true way to step through your kernel step by step is to run it in a virtual machine, thus making it an application-level program for that particular run.

2) Is there an equivalent way that Windows and Mac debuggers work? I know in theory they use the same mechanism as Linux or any other OS would: int 3, etc.
But I am more wondering if there is an article that goes through the function equivalent to ptrace for Windows and Mac.
Would be nice to know what Win32 API or other API functions I can use to do the equivalent of the gdb ptrace() / signal.h thingamabob.


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 2:35 am 
Joined: Tue Feb 08, 2011 1:58 pm
Posts: 496
It's not necessary to use int 3. You can use the debug registers to invoke the debug handler. And if you use some VM (like Bochs or VirtualBox) which has an internal debugger, no IDT and debugger handler are needed at all; it can debug at any point without modifying the code (since the VM is aware of the guest's full state).


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 3:25 am 
Joined: Thu Nov 16, 2006 12:01 pm
Posts: 7612
Location: Germany
It is also possible to use GDB in conjunction with QEMU.

_________________
Every good solution is obvious once you've found it.


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 4:15 am 
Joined: Thu Mar 25, 2010 11:26 pm
Posts: 1801
Location: Melbourne, Australia
GDB also works with VMWare.

_________________
If a trainstation is where trains stop, what is a workstation ?


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 9:39 am 
Joined: Wed Oct 01, 2008 1:55 pm
Posts: 3192
Most environments have different interfaces for application and kernel debugging, and for this reason few of them are able to use the same debugger to trace calls from application to kernel. Applications typically use signals (Unix) or a DLL interface (Win32), and these things don't exist in the kernel.

I solved this by not using application-only interfaces for debugging, but rather implementing debugging at the kernel level, and then emulating the Win32 PE interface for the application and using the native interface for the kernel in the debug engine, so I can easily trace calls from application to kernel. AFAIK, Linux cannot do this, but I know Windows CE can (OTOH, the Windows CE version I used ran everything in ring 0, so that might be why it worked).

Another issue with typical debuggers is that they freeze the process they are debugging, and this is not a good design for tracing calls into the kernel, as you cannot freeze the kernel when debugging it.


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 9:48 am 
Joined: Tue Oct 17, 2006 9:29 pm
Posts: 2426
Location: Canada
Linux has quite a few utilities for that, and for BSD there is ktrace(1).

_________________
Twitter: @canadianbryan. Award by smcerm, I stole it. Original was larger.


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 11:11 am 
Joined: Wed Oct 01, 2008 1:55 pm
Posts: 3192
Brynet-Inc wrote:
Linux has quite a few utilities for that, and for BSD there is ktrace(1).


It has, but they are not integrated into the application debugger.


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 3:05 pm 
Joined: Tue Oct 17, 2006 9:29 pm
Posts: 2426
Location: Canada
rdos wrote:
It has, but they are not integrated into the application debugger.

I don't recall saying they were, but in some cases, they might be. See DTrace.



 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 8:37 pm 
Joined: Mon Nov 03, 2008 6:06 pm
Posts: 385
http://www.alexonlinux.com/how-debugger-works#table_of_contents

Also from the above link:

It shows you the typical flow of how a debugger works to set a breakpoint, but it doesn't show how you can dump registers or view variables / memory / the stack. Is there a general procedure like 0xcc for the register/stack etc. dumps?


 Post subject: Re: debugger ???
PostPosted: Mon Apr 16, 2012 11:51 pm 
Joined: Wed Oct 01, 2008 1:55 pm
Posts: 3192
Sam111 wrote:
http://www.alexonlinux.com/how-debugger-works#table_of_contents

Also from the above link:

It shows you the typical flow of how a debugger works to set a breakpoint, but it doesn't show how you can dump registers or view variables / memory / the stack. Is there a general procedure like 0xcc for the register/stack etc. dumps?


The OS needs to store the registers of threads somewhere so the debugger can read them. As the debugged thread hits a breakpoint or exception, the kernel needs to save its register state and inform the debugger what happened. The debugger would then use some syscall to read the registers.

In my design, saving/loading registers in the scheduler uses the same area as when breakpoints or exceptions are hit. That's how the kernel debug interface is done. The kernel also has a special "debug queue" where threads that are being debugged or are stopped on exceptions are blocked.
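The two mechanisms this thread keeps circling back to, the 0xcc (int 3) patch from the first post and the "debugger uses some syscall to read the saved registers" step from the post above, fit in one small Linux/x86_64 program. This is an added example written for this page, not code from any poster or from the linked article; it uses only the public ptrace(2) API (PTRACE_TRACEME, PEEKTEXT/POKETEXT, GETREGS/SETREGS, CONT). The parent forks a child, plants INT3 on the first byte of `target_fn` (a constructed dummy routine), waits for the SIGTRAP, reads the register file, confirms that RIP sits one byte past the breakpoint, restores the original byte, rewinds RIP and lets the child run to completion. The function name `run_breakpoint_demo` and the return convention (1 = worked, 0 = ptrace unavailable here, -1 = something went wrong) are this example's own choices.

```c
/* Added example: a minimal ptrace-driven software breakpoint on Linux/x86_64.
 * Demonstrates the 0xCC patch, the SIGTRAP stop, reading the saved registers
 * and the RIP rewind that every breakpoint-based debugger performs.
 * Requires Linux on x86_64; elsewhere run_breakpoint_demo() returns 0.   */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed target routine. noinline so its address is a real entry point
 * that we can patch; the child's exit status carries its return value. */
__attribute__((noinline)) int target_fn(void)
{
    volatile int x = 40;
    return x + 2;                          /* 42 */
}

/* Kill and reap the tracee on any failure path so no zombie is left behind. */
static int abort_child(pid_t pid)
{
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return -1;
}

/* Returns 1 if the breakpoint round-trip worked, 0 if ptrace is not usable in
 * this environment (non-x86_64, non-Linux, or EPERM from a sandbox), -1 on a
 * logic failure (breakpoint not hit where expected, child died, ...).      */
int run_breakpoint_demo(void)
{
#if !defined(__x86_64__) || !defined(__linux__)
    return 0;
#else
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                        /* tracee */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(99);
        raise(SIGSTOP);                    /* pause so the tracer can plant 0xCC */
        _exit(target_fn());
    }

    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 99) return 0;   /* no ptrace */
    if (!WIFSTOPPED(status)) return -1;

    /* Plant the breakpoint: read the word at the entry point, replace its low
     * (first, little-endian) byte with 0xCC = INT3, write it back.           */
    unsigned long addr = (unsigned long)target_fn;
    errno = 0;
    long orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    if (orig == -1 && errno) return abort_child(pid);
    long patched = (orig & ~0xFFL) | 0xCC;
    if (ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)patched) == -1)
        return abort_child(pid);

    /* Resume; the child executes INT3 and the kernel stops it with SIGTRAP. */
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP) return abort_child(pid);

    /* The kernel saved the tracee's registers; read them back. INT3 is one
     * byte, so RIP now points one past the breakpoint address.             */
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return abort_child(pid);
    if (regs.rip != addr + 1) return abort_child(pid);

    /* Restore the original opcode byte, rewind RIP to re-execute it, resume. */
    ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)orig);
    regs.rip = addr;
    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == target_fn()) ? 1 : -1;
#endif
}

int main(void)
{
    int r = run_breakpoint_demo();
    printf("breakpoint demo: %s\n", r == 1 ? "hit and resumed" :
                                    r == 0 ? "ptrace unavailable" : "failed");
    return r < 0;
}
```

Compile with `gcc -O2 -Wall bp.c -o bp`. The "hit" case is exactly what a kernel debugger has to reproduce in ring 0 without ptrace: the #BP handler saves the register file somewhere the debugger can read, and the debugger is responsible for putting the original byte back and re-executing the instruction (or single-stepping with TF and re-arming the breakpoint if it should stay set).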


 Post subject: Re: debugger ???
PostPosted: Wed Apr 18, 2012 12:41 am 
Joined: Mon Nov 03, 2008 6:06 pm
Posts: 385
Oh, I see.

Then I am curious what the DWARF / additional debugging sections in an ELF binary actually
enhance, i.e. int 3 or int 1 would be used to set a breakpoint or read registers / memory (variables) / stack stuff.

What exactly do the additional DWARF/debugging sections provide?
Since in theory you can debug any application, even one without any debugging sections or symbol tables.


 Post subject: Re: debugger ???
PostPosted: Wed Apr 18, 2012 2:24 am 
Joined: Thu Jan 29, 2009 9:13 am
Posts: 95
Adding debug information allows you to see, in the debugger you're using, what the higher-level code was that failed. For example, recreating C code from assembly is dodgy because the compiler version is not known, optimizations are not known, spacing is not preserved, function/variable names and comments are not kept, etc. Using just the registers at any given moment can work, but the more information you have the better.


 Post subject: Re: debugger ???
PostPosted: Wed Apr 18, 2012 9:20 am 
Joined: Wed Oct 01, 2008 1:55 pm
Posts: 3192
It is often possible to relate a register-only dump to the original C/C++ code (by the use of a map file), but it is not a very attractive way of doing it. A debugger with full symbolic support is much easier to use.

