Stopping at the first machine code instruction in

2019-01-06 12:59发布

站内问答 / 前沿技术
492 5 4

After loading an executable into gdb, how do I break at the entry point, before the first instruction is executed?

The executable I'm analyzing is a piece of malware that's encrypted so break main does absolutely nothing.

5条回答
你好瞎i
2楼-- · 2019-01-06 13:46

After loading an executable into gdb, how do I break at the entry point, before the first instruction is executed?

You can find what functions are called before int main() with set backtrace past-main on and after finding them set a breakpoint on them and restart your program:

>gdb  -q  main
Reading symbols from /home/main...done.
(gdb) set backtrace past-main on
(gdb) b main
Breakpoint 1 at 0x40058a: file main.cpp, line 25.
(gdb) r
Starting program: /home/main

Breakpoint 1, main () at main.cpp:25
25        a();
(gdb) bt
#0  main () at main.cpp:25
#1  0x0000003a1d81ed1d in __libc_start_main () from /lib64/libc.so.6
#2  0x0000000000400499 in _start ()
(gdb) b _start
Breakpoint 2 at 0x400470
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/main

Breakpoint 2, 0x0000000000400470 in _start ()
查看更多
0人赞 添加讨论(0) 举报
男人必须洒脱
3楼-- · 2019-01-06 13:52

The info files command might give you an address you can break on:

(gdb) info files
    ...
    Entry point: 0x80000000
    ...
(gdb) break *0x80000000
(gdb) run
查看更多
0人赞 添加讨论(0) 举报
迷人小祖宗
4楼-- · 2019-01-06 13:55

"b _start" or "b start" might or might not work. If not, find out the entrypoint address with readelf/objdump and use "b *0x<hex address>".

查看更多
0人赞 添加讨论(0) 举报
Anthone
5楼-- · 2019-01-06 13:56

The no-brainer solution is to use the side-effect of failure to set a breakpoint:

$ gdb /bin/true
Reading symbols from /bin/true...(no debugging symbols found)...done.
(gdb) b *0
Breakpoint 1 at 0x0
(gdb) r
Starting program: /bin/true 
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x0

(gdb) disas
Dump of assembler code for function _start:
=> 0xf7fdd800 <+0>:     mov    eax,esp
   0xf7fdd802 <+2>:     call   0xf7fe2160 <_dl_start>
End of assembler dump.

Idea taken from this answer at RE.SE.

查看更多
0人赞 添加讨论(0) 举报
Deceive 欺骗
6楼-- · 2019-01-06 13:58

Starting with GDB 8.1, there's a special command for this: starti. Example GDB session:

$ gdb /bin/true
Reading symbols from /bin/true...(no debugging symbols found)...done.
(gdb) starti
Starting program: /bin/true 

Program stopped.
0xf7fdd800 in _start () from /lib/ld-linux.so.2
(gdb) x/5i $pc
=> 0xf7fdd800 <_start>: mov    eax,esp
   0xf7fdd802 <_start+2>:       call   0xf7fe2160 <_dl_start>
   0xf7fdd807 <_dl_start_user>: mov    edi,eax
   0xf7fdd809 <_dl_start_user+2>:       call   0xf7fdd7f0
   0xf7fdd80e <_dl_start_user+7>:       add    ebx,0x1f7e6
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)