gdb列出所有指定大小的結構體

gdb列出所有指定大小的結搆躰,第1張

比如我現在想找會放入256-slab的struct

首先把所有的type名列出來:

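# Dump every type name gdb can read from vmlinux's debug info, and keep a copy.
# -ex takes the command as a separate argument, so a space is needed before
# the quoted string.
gdb vmlinux -ex "info types" -ex "quit" | tee ~/types_raw.txt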

輸出大體如下:

GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3 : GNU GPL version 3 or later </licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type"show copying" and"show warranty" for details.
This GDB was configured as"x86_64-pc-linux-gnu".
Type"show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www./software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www./software/gdb/documentation/>.

For help, type"help".
Type"apropos word" to search for commands related to"word"...
pwndbg: loaded 194 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
Reading symbols from vmlinux...
All defined types:

File ./arch/x86/include/asm//msr-trace.h:
21:     struct trace_event_data_offsets_msr_trace_class;
21:     struct trace_event_raw_msr_trace_class;

File ./arch/x86/include/asm/alternative.h:
41:     struct alt_instr;

File ./arch/x86/include/asm/amd_nb.h:
30:     struct amd_l3_cache;
9:      struct amd_nb_bus_dev_range;
63:     struct amd_northbridge;
71:     struct amd_northbridge_info;
55:     struct threshold_bank;
35:     struct threshold_block;

File ./arch/x86/include/asm/apic.h:
284:    struct apic;
58:     enum apic_intr_mode_id;

File ./arch/x86/include/asm/apicdef.h:
435:    enum ioapic_irq_destination_types;

File ./arch/x86/include/asm/calgary.h:
46:     struct cal_chipset_ops;
33:     struct iommu_table;
......

接著我們用sed來正則處理一下這段內容:

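# Keep only "struct NAME" from lines shaped like "<lineno>:<whitespace>struct NAME;".
# -n together with the p flag prints matching lines only; \1 re-emits the
# captured name (an empty replacement would print blank lines instead).
# \s* tolerates either the tab gdb prints or a run of spaces after the colon.
sed -n 's@^[0-9]*:\s*\(struct.*\);@\1@p' ~/types_raw.txt | tee ~/types.txt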

得到如下內容:

struct trace_event_data_offsets_msr_trace_class
struct trace_event_raw_msr_trace_class
struct alt_instr
struct amd_l3_cache
struct amd_nb_bus_dev_range
struct amd_northbridge
struct amd_northbridge_info
struct threshold_bank
struct threshold_block
struct apic
......

之後寫個python腳本(保存為 ~/find_struct.py)去挨個查詢struct的sizeof,並將合適大小的struct打印輸出:

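# find_struct.py -- meant to be loaded with gdb's `source` command; the `gdb`
# module is provided by gdb's embedded interpreter and is not importable from
# a plain Python run.
#
# Reads one type name per line from the types file and, for every type whose
# sizeof falls inside the window below, prints "<name>: <size>" followed by
# the layout with member offsets (`ptype/o`).
#
# NOTE: sizeof is only a size filter. Whether an object of that type is
# really served from a given slab cache depends on how the kernel allocates
# it (dedicated kmem_cache, static or per-CPU storage, stack), which this
# script does not check -- verify each hit against the allocation site.

# Window for the 256-byte cache: larger than the next smaller cache (assumed
# to be 192 bytes -- confirm for the kernel config in use) and at most 256.
MIN_EXCLUSIVE = 192
MAX_INCLUSIVE = 256

# Close the file deterministically and drop blank lines (the trailing newline
# would otherwise yield an empty query).
with open('/home/veritas/types.txt') as types_file:
    querys = [line.strip() for line in types_file if line.strip()]

for query in querys:
    try:
        sym = gdb.lookup_type(query)
        if MIN_EXCLUSIVE < sym.sizeof <= MAX_INCLUSIVE:
            print(f'{query}: {sym.sizeof}')
            gdb.execute(f"pt/o {query}")
            print('\n-------------------------------------------\n')
    except gdb.error:
        # Best effort: names gdb cannot resolve or size are skipped. Catching
        # only gdb.error keeps Ctrl-C and genuine script bugs visible.
        continue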
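# Run the script inside gdb against the same vmlinux and keep a copy of the
# report. -ex needs a space before its quoted argument.
gdb vmlinux -ex "source ~/find_struct.py" -ex "quit" | tee ~/result.txt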

輸出如下:

struct cpuinfo_x86: 240
  type = struct cpuinfo_x86 {
    __u8 x86;
    __u8 x86_vendor;
    __u8 x86_model;
    __u8 x86_stepping;
    int x86_tlbsize;
    __u8 x86_virt_bits;
    __u8 x86_phys_bits;
    __u8 x86_coreid_bits;
    __u8 cu_id;
    __u32 extended_cpuid_level;
    int cpuid_level;
    __u32 x86_capability[20];
    char x86_vendor_id[16];
    char x86_model_id[64];
    unsigned int x86_cache_size;
    int x86_cache_alignment;
    int x86_cache_max_rmid;
    int x86_cache_occ_scale;
    int x86_power;
    unsigned long loops_per_jiffy;
    u16 x86_max_cores;
    u16 apicid;
    u16 initial_apicid;
    u16 x86_clflush_size;
    u16 booted_cores;
    u16 phys_proc_id;
    u16 logical_proc_id;
    u16 cpu_core_id;
    u16 cpu_index;

    u32 microcode;
    u8 x86_cache_bits;
    unsigned int initialized : 1;



                           
                         }

-------------------------------------------

struct fork_frame: 224
  type = struct fork_frame {
    struct inactive_task_frame {
        unsigned long r15;
        unsigned long r14;
        unsigned long r13;
        unsigned long r12;
        unsigned long bx;
        unsigned long bp;
        unsigned long ret_addr;

                               
                           } frame;
    struct pt_regs {
        unsigned long r15;
        unsigned long r14;
        unsigned long r13;
        unsigned long r12;
        unsigned long bp;
        unsigned long bx;
        unsigned long r11;
        unsigned long r10;
        unsigned long r9;
        unsigned long r8;
        unsigned long ax;
        unsigned long cx;
        unsigned long dx;
        unsigned long si;
        unsigned long di;
        unsigned long orig_ax;
        unsigned long ip;
        unsigned long cs;
        unsigned long flags;
        unsigned long sp;
        unsigned long ss;

                               
                           } regs;

                           
                         }

-------------------------------------------

