Accessing Stack to get Function Arguments

Hi

[Working on LINUX]

I have an a.out file( compiled without debugging info  I.E. gcc <filename>). Source is not availbale.
I want to find out the details of the user defined function parameters( not system call parameters or library call parameters.)
I know that with the help of EBP + offset, i can get the function parameters.
Right now i am using ptrace to trace my a.out object file. But i am not able to get the values properly. Can anyone direct me to a source of information on this aspect or suggest me a tool. I have tried fenris which gives only first function parameter but not all. Even if the tool is a binary instrumentation tool, i dont mind using it.


Thanks
Sreeram
uday_bayanAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
sunnycoderConnect With a Mentor Commented:
hi Sreeram,

>what i need is the run time values of the user defined function arguments.
No ... this will not work to get you run time values .... For these values you have to turn to a good debugger like gdb ...

Set a break point at the specific function and you can examine the values at that point of time .... however, if the executable is not a debug build and has symbol information stripped then the task becomes lot more difficult.
0
 
sunnycoderCommented:
Hi Sreeram,

check these
tools
www.backerstreet.com/rec/rec.htm

theory
http://www.acm.uiuc.edu/sigmil/RevEng/

There was one particular book I used sometime ago .. cant find it now ... It had several referneces to some good tools (Yes, I used them too) ... will try to look for it in the meanwhile ....

for your purpose, rec should be some good help

cheers
sunnycoder
0
 
uday_bayanAuthor Commented:
Hi Sunny,

Can i get the values of the function arguments  using the above ?  what i need is the run time values of the user defined function arguments.

int main()
{
int i=100,j;
scanf("%d", &j);
if(j==20)
foo(i,j);
else
foobar(j);
}

what i need is something like this

suppose i=20
main()
foo(100,20)


if i not equal to 20
main()
foobar(30) {some arbitary value other than 20}


The main thing is the value of the function parameters. I was able to get the trace of the user defined functions using fenris, but not the values of the parameters.

Thanks,
Sreeram






0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
pratap_rConnect With a Mentor Commented:
hmm.. reminds me of a small trick.. i used in my college days to debug binaries

if you know the function address probably you can put a breakpoint there and examine the stack once the breakpoint is hit.

another cool method is to patch the function call with your own function call (in assembly of course) and examine the stack programatically.. havn't come across any tools for this though..

0
 
georg74Commented:
if you know the function signature, than it's easy.
use the debugger, set breakpoint on the function.
on hit, read params from the stack.

if the function signature is not known, or the function accepts variable parameters
(like printf), then you have to analyse the way parameters are put on the stack
before the function is called.

once you do that and make your assumptions about the signature, you can
let the debugger write the actual arguments into a log file when the breakpoint is hit.
then let the program run and you will get a log file almost the way you want it,
something like:
b_foobar 30
b_foobar 45
b_foo 100, 20
...

HTH,
georg
0
 
uday_bayanAuthor Commented:
Hi Pratap & Georg


I have put a break point at the function name. Format of the stack is also known. The first paramet er of the function  is located at location EBP+8.
i used the following to print the parameters
print $EBP
THe value of EBP is printed.( Some value in Hexadecimal)
I added 8 to that value and printed again.
print $(added value)

But i was not able to see the value of the parameter instead i saw  assembly  code of mov instuction.

Any suggestions how to print it.


Thanks,
Sreeram.
0
 
pratap_rCommented:
oh that could be a memory address, try dumping the memory at that address specified in EBP+8 see if thats what you are expecting

Pratap
0
 
sunnycoderCommented:
>The first paramet er of the function  is located at location EBP+8.
Are you sure that your stack is growing down and not up? Check EBP-8. Also, could it be that the hex value at that address just happens to correspond to mov.
0
 
pratap_rCommented:
you mean the opcodes for mov?? hopefully sreeram is looking at the disassembly rather than a hex dump!!!!!
0
 
uday_bayanAuthor Commented:
Hi SunnyCoder,

I tried using the REC tool but it doesnt seem to give me the function signature. Are u aware of any decompilation tools that gives the function definition. I need to know
some thing like this

foo(int,float, char *, double)

what type of parameters does a function have ?

Thanks,
Sreeram
0
 
georg74Connect With a Mentor Commented:
hi Sreeram,

theoretically speaking, it is not possible to make a tool that could
decompile a binary and give you 100% correct function declarations.

you have ti investigate a bit. make a disassembly of the code and
find your function(s). find all places where this function is called from
(a good disassembler will give you this information). analyse how
the parameters are put onto stack.

analyse the target function and find out how the parameters are used.
pointers will be loaded into a register, eventually an offset is added
and they will be dereferenced. often there is a test fror 0.
doubles and floats get loaded into FPU registers.

then return to debugging and inspect the actual parameters.
for char pointer, you'll find the string at the address.
usually, pointers don't contain small numbers, as ints do.
etc.

code few sample functions in C, compile them and
analyse the produced assembly.

after some practice in reading assembly code, you
will be able to translate it simultaneously in C :-)

gl,
georg
0
All Courses

From novice to tech pro — start learning today.