Truth, Computing and Fail

[...] This post was mentioned on Twitter by Anomit Ghosh, PlanetManipal. PlanetManipal said: Examining the Linux VDSO: I have been recently looking into the sysenter/sysexit way of implementing system calls … http://bit.ly/dBrTcP [...]

Great post. I’ve been looking for something like that for weeks. Thank you.

[...] this blog post from Johan Petersson for another treatment of the first 3/5 of this, and this blog post from Anomit Ghosh for a Python version of [...]

hmm, why not
dd if=/proc/self/mem of=vdso skip=$((0x`cat /proc/self/maps | grep vdso | cut -d'-' -f1`/0x1000)) count=1 bs=$((0x1000))

Updated

Seem to have missed objdump


dd if=/proc/self/mem of=- skip=$((0x`cat /proc/self/maps | grep vdso | cut -d'-' -f1`/0x1000)) count=1 bs=$((0x1000)) | objdump -d --start-address=0xffffe000 -

Thanks for posting this article. I read the original posting and was stuck on these very same issues. But when I try to run your script I get error:

[root@asm-99 ~]# ./vdso.py
File “./vdso.py”, line 20
with open(‘/proc/self/maps’, ‘r’) as file:
^
SyntaxError: invalid syntax

Do I need a particular version of python ? I am using 2.4.3.

Thanks

Suresh,

Your dd 1-liner gives me the following error:

dd if=/proc/self/mem of=vdso skip=$((0x`cat /proc/self/maps | grep vdso | cut -d’-’ -f1`/0×1000)) count=1 bs=$((0×1000))
dd: reading `/proc/self/mem’: Input/output error
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000162585 seconds, 0.0 kB/s

Do I need to do something to make /proc/self/mem readable? I am on 2.6.18 kernel.

Thanks.

Here is a version of the python script that works with python 2.4.3 (maybe 2.4.x). I basically removed the un-supported “with” statements and replaced os.SEEK_SET with 0 (per http://docs.python.org/library/os.html)

Also, I think the reason Suresh’s 1-line script does not work is because the address read for vdso is for process ‘cat’ and it is not a valid address when process ‘dd’ tries to read from /proc/self/mem. For it to work, the same process that reads the vdso address from /proc/self/maps needs to read linux-gate.so from /proc/self/mem.

-Ezra

#!/usr/bin/python

"""
http://anomit.com/2010/04/18/examining-the-linux-vdso/
http://gist.github.com/369785

This script writes the VDSO to the file linux-gate.dso.1 .
Use `objdump -d linux-gate.dso.1` to examine it.
You might also want to play around more with the other objdump options and
the readelf tool  

LICENSE: MIT License ( http://www.opensource.org/licenses/mit-license.php )
"""
#from __future__ import with_statement
import os
import re

## regex pattern for finding out the memory address range from the output line
pattern = re.compile(r'[\w\d]+-[\w\d]+')
file = open('/proc/self/maps', 'r')
for line in file:
    line = line.rstrip()
    if '[vdso]' in line:
        addr_range = pattern.findall(line)[0]
        start_addr, end_addr = [int(addr, 16)
                                for addr in addr_range.split('-')]
        break

fd = os.open('/proc/self/mem', os.O_RDONLY)
os.lseek(fd, start_addr, 0)
buf = os.read(fd, (end_addr-start_addr))

file = open('linux-gate.dso.1', 'w')
file.write(buf)
file.close()
os.close(fd)

The code in the last comment did not come out very well. Here is a link to a fork of anomit’s gist above that works with python 2.4.3: http://gist.github.com/560719

Suresh’s on-liner doesn’t work, because there are different ‘selfs’ there.

‘cat /proc/self/maps | …’ produces mapping for ‘cat’, not necessarily identical to that of ‘dd’.

For readability /proc//mem see very good explanation here: http://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux

You probably have Address Space Layout Randomization (ASLR) turned on. It randomizes the virtual addresses within the kernel for security reasons.

To check to see if it is enabled, try:
sudo cat /proc/sys/kernel/randomize_va_space

If it returns 2, the default, then ASLR is turned on.

To turn it off, try:
sudo su
sudo echo 0 > /proc/sys/kernel/randomize_va_space

This overcomes the need to write a clever script to extract the virtual address; the address will remain constant on subsequent runs.

I am not sure what you’re doing with the “dd” command because you’re opening up a snapshot of the “dd” process internals. Previously, you were opening up the “cat” internals. The two should be completely different.

You might try to write a small C program that contains an infinite loop; you can look at the process ID of that program and then look in /proc/PID/maps for the VDSO page offset. I think that “dd” uses the decimal offset for the number of pages, the reason why you used “4096″.

The “dd” command becomes:
dd if=/proc/PID_C_PROGRAM/mem of=linux-gate.dso bs=4096 skip=CALCULATED_OFFSET_IN_PAGES count=1
objdump -d linux-gate.dso

You might try something like the above. I don’t really use objdump for anything other than looking at ELF executables. I don’t really know what /proc/PID/mem contains so I have no idea what the output would look like. It might work though.

I looked at using the “dd” command for a bit. I couldn’t figure out how to get it to work with the /proc/pid/mem file. I don’t know what “dd” is using internally to read from the file, but I ended up getting output similar to Ezra; dropping to root does nothing to resolve the issue.

I know that for /proc/pid/pagemap that you can extract the page frame numbers using lseek and read which is similar to the python script above; I could be that “mem” uses something similar. It probably only has a few methods defined and “dd” might use something that is not supported. This is just speculation for /proc/pid/mem as I don’t have any proof. For /proc/pid/pagemap, see the following LXR link for its operations:
http://lxr.linux.no/linux+v2.6.39/fs/proc/task_mmu.c#L854

It would be interesting to see if anyone has a method that works directly from a command line and doesn’t require a script or C program.