
gdb dump memory & errors?

I am attempting to bind to a process, create a memory snapshot, then use /proc/pid/maps & /proc/pid/mem to look at items passing through memory for the running process.

A python script is used in gdb to perform the operations which seems to work fine. Some information:

  1. The process I wish to view memory segments on is running as a regular unprivileged user.
  2. The gdb instance which binds to the process is run as a root/privileged user.
  3. The python script running in gdb performs the following:
    • Creates a snapshot of /dev/mem (ie dd if=/dev/mem of=/tmp/mem.bin)
    • Examines the /proc/pid/maps & /proc/pid/mem to extract start and end memory addresses to search
    • It then relies on gdb and runs the following: (gdb) memory dump /tmp/mem.bin [start] [end]

The problem is that every memory segment examined returns errors:

%> # gdb -x mem.py --pid 24204
GNU gdb (GDB) Red Hat Enterprise Linux (7.2-60.el6_4.1)
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Attaching to process 24204
ptrace: Operation not permitted.
dd: reading `/dev/mem': Operation not permitted
2056+0 records in
2056+0 records out
1052672 bytes (1.1 MB) copied, 0.0903829 s, 11.6 MB/s
Examining: 4194304 13213696
Error: Cannot access memory at address 0x400000
Examining: 15306752 15396864
Error: Cannot access memory at address 0xe99000
Examining: 15396864 15429632
Error: Cannot access memory at address 0xeaf000
Examining: 34545664 36294656
Error: Cannot access memory at address 0x20f2000
Examining: 10833544417280 10833546514432
Error: Cannot access memory at address 0x61911000
Examining: 18212460691456 18212461740032
Error: Cannot access memory at address 0x6b400000
Examining: 23029163552768 23029163556864
Error: Cannot access memory at address 0xe51cf000
Examining: 24071492337664 24071492358144
Error: Cannot access memory at address 0x1eaba000
Examining: 140278443610112 140278443614208
Error: Cannot access memory at address 0x1ecd1000
Examining: 140278443614208 140278443618304
Error: Cannot access memory at address 0x1ecd2000
Examining: 140278443618304 140278443634688
Error: Cannot access memory at address 0x1faa3000
Examining: 140278458105856 140278458109952
Error: Cannot access memory at address 0x1faa4000
Examining: 140736783110144 140736783196160
Error: Cannot access memory at address 0xd5f6d000
Examining: 140736783654912 140736783659008
Error: Cannot access memory at address 0xd5ff2000
Examining: 18446744073699065856 18446744073699069952
Error: Cannot access memory at address 0xff600000

I am aware that the kernel does protect system memory, however for a userland process to have root user not able to access ALL memory segments seems to be inaccurate. Any help is appreciated.

dd: reading `/dev/mem': Operation not permitted

/dev/mem maps to physical memory and is disabled for security reasons by default on most distros, so that is not surprising. Assuming the latter errors like

Examining: 4194304 13213696
Error: Cannot access memory at address 0x400000

are caused by accessing /dev/<PID>/mem, you may need to pause the process first by using PTRACE_ATTACH, e.g.

#include <fcntl.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

snprintf(mem_file_name, sizeof mem_file_name, "/proc/%d/mem", pid);
mem_fd = open(mem_file_name, O_RDONLY);
ptrace(PTRACE_ATTACH, pid, NULL, NULL);    /* stop the target before touching its memory */
waitpid(pid, NULL, 0);                     /* block until the tracee has actually stopped */
lseek(mem_fd, offset, SEEK_SET);
read(mem_fd, buf, sysconf(_SC_PAGE_SIZE)); /* _SC_PAGE_SIZE is a sysconf() name, not a byte count */
ptrace(PTRACE_DETACH, pid, NULL, NULL);    /* let the target run again */

See https://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux

While @scott is correct, the answer here was that I didn't account for a snapshot of the memory at the time of the process running.

I had to implement a loop to perform a comparative analysis of the current memory allocated to the process id found in /proc//mem.

Here is a gist of the total solution.
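An added example, not code from the question or either answer, that puts the two points together in Python: Scott's attach-then-read sequence (PTRACE_ATTACH through ctypes, then /proc/<pid>/mem) and the poster's snapshot-and-compare loop over the regions listed in /proc/<pid>/maps. It assumes Linux, a caller that is root or holds CAP_SYS_PTRACE under a permissive Yama ptrace_scope, and the maps lines used to exercise the parser are constructed.

```python
import ctypes
import os

PTRACE_ATTACH, PTRACE_DETACH = 16, 17   # request numbers from Linux <sys/ptrace.h>

def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples,
    keeping only mappings marked readable."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[1][0] != "r":
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        regions.append((start, end, fields[1], fields[5] if len(fields) == 6 else ""))
    return regions

def _ptrace(request, pid):
    libc = ctypes.CDLL(None, use_errno=True)          # the running program exports libc's ptrace
    libc.ptrace.restype = ctypes.c_long
    libc.ptrace.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p, ctypes.c_void_p]
    if libc.ptrace(request, pid, None, None) == -1:
        err = ctypes.get_errno()
        raise OSError(err, "ptrace(%d, %d): %s" % (request, pid, os.strerror(err)))

def snapshot(pid, regions, max_bytes=64 << 20):
    """Stop pid with PTRACE_ATTACH, read each region from /proc/<pid>/mem, then
    detach. Regions the kernel refuses are stored as None instead of aborting."""
    _ptrace(PTRACE_ATTACH, pid)
    os.waitpid(pid, 0)                   # reads are only reliable once the tracee has stopped
    out = {}
    try:
        with open("/proc/%d/mem" % pid, "rb", buffering=0) as mem:
            for start, end, _perms, _path in regions:
                try:
                    mem.seek(start)
                    out[start] = mem.read(min(end - start, max_bytes))
                except (OSError, OverflowError):
                    # OverflowError covers kernel-half addresses such as the
                    # 0xffffffffff600000 [vsyscall] page, which exceed a signed off_t
                    out[start] = None
    finally:
        _ptrace(PTRACE_DETACH, pid)      # always let the target run again
    return out

def changed_offsets(old, new):
    """Offsets within a region whose bytes differ between two snapshots."""
    return [i for i, (a, b) in enumerate(zip(old, new)) if a != b]
```

Take two snapshots of the same region list a moment apart and feed each pair of byte strings to changed_offsets to see which bytes the process wrote in between.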
