uday_bayan
asked on
Accessing Stack to get Function Arguments
Hi
[Working on LINUX]
I have an a.out file (compiled without debugging info, i.e. gcc <filename>). Source is not available.
I want to find out the details of the user-defined function parameters (not system call parameters or library call parameters).
I know that with the help of EBP + offset, I can get the function parameters.
Right now I am using ptrace to trace my a.out object file. But I am not able to get the values properly. Can anyone direct me to a source of information on this aspect or suggest a tool? I have tried fenris, which gives only the first function parameter but not all. Even if the tool is a binary instrumentation tool, I don't mind using it.
Thanks
Sreeram
ASKER
Hi Sunny,
Can I get the values of the function arguments using the above? What I need is the run-time values of the user-defined function arguments.
#include <stdio.h>

void foo(int a, int b) { }      /* user-defined; bodies not shown in the post */
void foobar(int a) { }

int main(void)
{
    int i = 100, j;
    if (scanf("%d", &j) != 1)   /* reject non-numeric input */
        return 1;
    if (j == 20)
        foo(i, j);
    else
        foobar(j);
    return 0;
}
What I need is something like this:
suppose i=20
main()
foo(100,20)
if i is not equal to 20
main()
foobar(30) {some arbitrary value other than 20}
The main thing is the value of the function parameters. I was able to get the trace of the user defined functions using fenris, but not the values of the parameters.
Thanks,
Sreeram
if you know the function signature, then it's easy.
use the debugger, set breakpoint on the function.
on hit, read params from the stack.
if the function signature is not known, or the function accepts variable parameters
(like printf), then you have to analyse the way parameters are put on the stack
before the function is called.
once you do that and make your assumptions about the signature, you can
let the debugger write the actual arguments into a log file when the breakpoint is hit.
then let the program run and you will get a log file almost the way you want it,
something like:
b_foobar 30
b_foobar 45
b_foo 100, 20
...
HTH,
georg
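What georg describes above (break on the function, read the arguments when the breakpoint hits, log them) is the same thing a ptrace-based tracer does by hand, which is the route the asker is already on. The following is an added example, not code posted in this thread, of a minimal such tracer in C: it plants an int3 breakpoint on a function, waits for the SIGTRAP, and decodes the arguments according to the calling convention. To keep it self-contained the traced function lives in the same program and is called from a forked child (fork without exec keeps the addresses identical), so target_foo and the call target_foo(100, 20) are stand-ins for the asker's foo(i, j). Two details the code spells out that matter for the EBP+8 discussion: at the very first instruction of a function the frame pointer has not been pushed yet, so on i386 the first argument is at ESP+4, and only after the push ebp; mov ebp, esp prologue does it sit at EBP+8 (gdb's break foo stops after the prologue, which is why EBP+8 works there); and on x86-64 the first six integer arguments travel in registers (rdi, rsi, rdx, rcx, r8, r9), so reading the stack at the frame pointer finds nothing useful for them. Linux on x86 or x86-64 only.

```c
/* Added example, not from the thread: a tiny ptrace tracer that breaks on a
 * function and reads its arguments. The traced function (target_foo) and the
 * call target_foo(100, 20) stand in for the asker's foo(i, j) and are assumed.
 * Linux x86 / x86-64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

struct args { long a, b; int ok; };

/* Stand-in for the user-defined function; noinline keeps it a real call. */
__attribute__((noinline)) void target_foo(int a, int b)
{
    volatile int sink = a + b;   /* keep the arguments live */
    (void)sink;
}

/* Fork a child that calls target_foo(100, 20), plant an int3 at its first
 * byte, and when the trap fires decode the arguments per the ABI. */
struct args trace_args(void)
{
    struct args r = { 0, 0, 0 };
    void (*volatile fp)(int, int) = target_foo;   /* call via pointer: no inlining */
    uintptr_t brk = (uintptr_t)fp;                /* same address in the child: fork, no exec */
    int st;

    pid_t pid = fork();
    if (pid < 0) return r;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(2);
        raise(SIGSTOP);               /* pause until the parent has planted the breakpoint */
        fp(100, 20);                  /* the call we want to observe */
        _exit(0);
    }

    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) goto done;

    /* int3 is 0xCC: overwrite the function's first byte in the child only
     * (text pages are copy-on-write, the tracer's copy is untouched). */
    errno = 0;
    long orig = ptrace(PTRACE_PEEKTEXT, pid, (void *)brk, NULL);
    if (orig == -1 && errno) goto done;
    long patched = (orig & ~0xFFL) | 0xCC;
    if (ptrace(PTRACE_POKETEXT, pid, (void *)brk, (void *)patched) == -1) goto done;
    if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1) goto done;

    /* The child stops with SIGTRAP right after executing the int3. */
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st) || WSTOPSIG(st) != SIGTRAP) goto done;

    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) goto done;
#if defined(__x86_64__)
    /* SysV x86-64: the first six integer args are in registers, not at [rbp+16]. */
    if (regs.rip != brk + 1) goto done;
    r.a = (long)regs.rdi;
    r.b = (long)regs.rsi;
    regs.rip = brk;                   /* rewind to re-execute the original byte */
#elif defined(__i386__)
    /* i386 cdecl at the FIRST instruction: EBP is not set up yet, so [ESP] is
     * the return address and the args are at ESP+4, ESP+8. Only after the
     * push ebp; mov ebp, esp prologue do they sit at EBP+8, EBP+12. */
    if (regs.eip != brk + 1) goto done;
    errno = 0;
    r.a = ptrace(PTRACE_PEEKDATA, pid, (void *)(regs.esp + 4), NULL);
    r.b = ptrace(PTRACE_PEEKDATA, pid, (void *)(regs.esp + 8), NULL);
    if (errno) goto done;
    regs.eip = brk;
#else
#error "this example decodes the x86 and x86-64 calling conventions only"
#endif
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) goto done;
    ptrace(PTRACE_POKETEXT, pid, (void *)brk, (void *)orig);   /* restore the byte */
    r.ok = 1;

done:
    if (r.ok) ptrace(PTRACE_CONT, pid, NULL, NULL);   /* let the call finish */
    else kill(pid, SIGKILL);                          /* abandon a half-traced child */
    waitpid(pid, &st, 0);
    return r;
}

/* 1 if the breakpoint fired and the captured arguments equal (a, b). */
int traced_call_matches(long a, long b)
{
    struct args r = trace_args();
    return r.ok && r.a == a && r.b == b;
}

int main(void)
{
    struct args r = trace_args();
    if (!r.ok) { fprintf(stderr, "trace failed (ptrace not permitted?)\n"); return 1; }
    printf("target_foo(%ld, %ld)\n", r.a, r.b);
    return 0;
}
```

Build with gcc and run; it prints target_foo(100, 20). For a real a.out the child would call PTRACE_TRACEME and then execv the binary, and the breakpoint address would come from the symbol table (nm or objdump -t), which gcc keeps even without -g as long as the binary is not stripped. In gdb the same read after the prologue is x/2dw $ebp+8, which displays the two words at EBP+8 and EBP+12 as decimal integers instead of disassembling them, and a commands ... end block on the breakpoint with printf and continue writes the per-call log georg describes.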
ASKER
Hi Pratap & Georg
I have put a breakpoint at the function name. The format of the stack is also known. The first parameter of the function is located at EBP+8.
I used the following to print the parameters:
print $EBP
The value of EBP is printed (some value in hexadecimal).
I added 8 to that value and printed again:
print $(added value)
But I was not able to see the value of the parameter; instead I saw the assembly code of a mov instruction.
Any suggestions how to print it.
Thanks,
Sreeram.
Oh, that could be a memory address; try dumping the memory at the address specified in EBP+8 and see if that's what you are expecting.
Pratap
>The first paramet er of the function is located at location EBP+8.
Are you sure that your stack is growing down and not up? Check EBP-8. Also, could it be that the hex value at that address just happens to correspond to mov.
You mean the opcodes for mov?? Hopefully Sreeram is looking at the disassembly rather than a hex dump!!!!!
ASKER
Hi SunnyCoder,
I tried using the REC tool but it doesn't seem to give me the function signature. Are you aware of any decompilation tools that give the function definition? I need to know
some thing like this
foo(int,float, char *, double)
what type of parameters does a function have ?
Thanks,
Sreeram
check these
tools
www.backerstreet.com/rec/rec.htm
theory
http://www.acm.uiuc.edu/sigmil/RevEng/
There was one particular book I used some time ago .. can't find it now ... It had several references to some good tools (Yes, I used them too) ... will try to look for it in the meanwhile ....
for your purpose, rec should be some good help
cheers
sunnycoder