Comments on: Examining the Linux VDSO http://anomit.com/2010/04/18/examining-the-linux-vdso/ Sun, 07 Aug 2011 08:30:12 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Brandon Potter http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-8062 Brandon Potter Thu, 21 Jul 2011 19:57:40 +0000 http://anomit.com/?p=200#comment-8062 I looked at using the "dd" command for a bit. I couldn't figure out how to get it to work with the /proc/pid/mem file. I don't know what "dd" is using internally to read from the file, but I ended up getting output similar to Ezra; dropping to root does nothing to resolve the issue. I know that for /proc/pid/pagemap that you can extract the page frame numbers using lseek and read which is similar to the python script above; I could be that "mem" uses something similar. It probably only has a few methods defined and "dd" might use something that is not supported. This is just speculation for /proc/pid/mem as I don't have any proof. For /proc/pid/pagemap, see the following LXR link for its operations: http://lxr.linux.no/linux+v2.6.39/fs/proc/task_mmu.c#L854 It would be interesting to see if anyone has a method that works directly from a command line and doesn't require a script or C program. I looked at using the “dd” command for a bit. I couldn’t figure out how to get it to work with the /proc/pid/mem file. I don’t know what “dd” is using internally to read from the file, but I ended up getting output similar to Ezra; dropping to root does nothing to resolve the issue.

I know that for /proc/pid/pagemap that you can extract the page frame numbers using lseek and read which is similar to the python script above; I could be that “mem” uses something similar. It probably only has a few methods defined and “dd” might use something that is not supported. This is just speculation for /proc/pid/mem as I don’t have any proof. For /proc/pid/pagemap, see the following LXR link for its operations:
http://lxr.linux.no/linux+v2.6.39/fs/proc/task_mmu.c#L854

It would be interesting to see if anyone has a method that works directly from a command line and doesn’t require a script or C program.

]]> By: Brandon Potter http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-8056 Brandon Potter Thu, 21 Jul 2011 18:29:17 +0000 http://anomit.com/?p=200#comment-8056 You probably have Address Space Layout Randomization (ASLR) turned on. It randomizes the virtual addresses within the kernel for security reasons. To check to see if it is enabled, try: sudo cat /proc/sys/kernel/randomize_va_space If it returns 2, the default, then ASLR is turned on. To turn it off, try: sudo su sudo echo 0 > /proc/sys/kernel/randomize_va_space This overcomes the need to write a clever script to extract the virtual address; the address will remain constant on subsequent runs. I am not sure what you're doing with the "dd" command because you're opening up a snapshot of the "dd" process internals. Previously, you were opening up the "cat" internals. The two should be completely different. You might try to write a small C program that contains an infinite loop; you can look at the process ID of that program and then look in /proc/PID/maps for the VDSO page offset. I think that "dd" uses the decimal offset for the number of pages, the reason why you used "4096". The "dd" command becomes: dd if=/proc/PID_C_PROGRAM/mem of=linux-gate.dso bs=4096 skip=CALCULATED_OFFSET_IN_PAGES count=1 objdump -d linux-gate.dso You might try something like the above. I don't really use objdump for anything other than looking at ELF executables. I don't really know what /proc/PID/mem contains so I have no idea what the output would look like. It might work though. You probably have Address Space Layout Randomization (ASLR) turned on. It randomizes the virtual addresses within the kernel for security reasons.

To check to see if it is enabled, try:
sudo cat /proc/sys/kernel/randomize_va_space

If it returns 2, the default, then ASLR is turned on.

To turn it off, try:
sudo su
sudo echo 0 > /proc/sys/kernel/randomize_va_space

This overcomes the need to write a clever script to extract the virtual address; the address will remain constant on subsequent runs.

I am not sure what you’re doing with the “dd” command because you’re opening up a snapshot of the “dd” process internals. Previously, you were opening up the “cat” internals. The two should be completely different.

You might try to write a small C program that contains an infinite loop; you can look at the process ID of that program and then look in /proc/PID/maps for the VDSO page offset. I think that “dd” uses the decimal offset for the number of pages, the reason why you used “4096″.

The “dd” command becomes:
dd if=/proc/PID_C_PROGRAM/mem of=linux-gate.dso bs=4096 skip=CALCULATED_OFFSET_IN_PAGES count=1
objdump -d linux-gate.dso

You might try something like the above. I don’t really use objdump for anything other than looking at ELF executables. I don’t really know what /proc/PID/mem contains so I have no idea what the output would look like. It might work though.

]]> By: Igor http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-5540 Igor Thu, 14 Apr 2011 18:18:48 +0000 http://anomit.com/?p=200#comment-5540 For readability /proc//mem see very good explanation here: http://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux For readability /proc//mem see very good explanation here: http://unix.stackexchange.com/questions/6301/how-do-i-read-from-proc-pid-mem-under-linux

]]> By: Igor http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-5539 Igor Thu, 14 Apr 2011 18:14:56 +0000 http://anomit.com/?p=200#comment-5539 Suresh's on-liner doesn't work, because there are different 'selfs' there. 'cat /proc/self/maps | ...' produces mapping for 'cat', not necessarily identical to that of 'dd'. Suresh’s on-liner doesn’t work, because there are different ‘selfs’ there.

‘cat /proc/self/maps | …’ produces mapping for ‘cat’, not necessarily identical to that of ‘dd’.

]]> By: Ezra Gilbert http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-3629 Ezra Gilbert Wed, 01 Sep 2010 14:04:18 +0000 http://anomit.com/?p=200#comment-3629 The code in the last comment did not come out very well. Here is a link to a fork of anomit's gist above that works with python 2.4.3: http://gist.github.com/560719 The code in the last comment did not come out very well. Here is a link to a fork of anomit’s gist above that works with python 2.4.3: http://gist.github.com/560719

]]> By: Ezra Gilbert http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-3628 Ezra Gilbert Wed, 01 Sep 2010 13:57:45 +0000 http://anomit.com/?p=200#comment-3628 Here is a version of the python script that works with python 2.4.3 (maybe 2.4.x). I basically removed the un-supported "with" statements and replaced os.SEEK_SET with 0 (per http://docs.python.org/library/os.html) Also, I think the reason Suresh's 1-line script does not work is because the address read for vdso is for process 'cat' and it is not a valid address when process 'dd' tries to read from /proc/self/mem. For it to work, the same process that reads the vdso address from /proc/self/maps needs to read linux-gate.so from /proc/self/mem. -Ezra [python] #!/usr/bin/python """ http://anomit.com/2010/04/18/examining-the-linux-vdso/ http://gist.github.com/369785 This script writes the VDSO to the file linux-gate.dso.1 . Use `objdump -d linux-gate.dso.1` to examine it. You might also want to play around more with the other objdump options and the readelf tool :) LICENSE: MIT License ( http://www.opensource.org/licenses/mit-license.php ) """ #from __future__ import with_statement import os import re ## regex pattern for finding out the memory address range from the output line pattern = re.compile(r'[\w\d]+-[\w\d]+') file = open('/proc/self/maps', 'r') for line in file: line = line.rstrip() if '[vdso]' in line: addr_range = pattern.findall(line)[0] start_addr, end_addr = [int(addr, 16) for addr in addr_range.split('-')] break fd = os.open('/proc/self/mem', os.O_RDONLY) os.lseek(fd, start_addr, 0) buf = os.read(fd, (end_addr-start_addr)) file = open('linux-gate.dso.1', 'w') file.write(buf) file.close() os.close(fd) [/python] Here is a version of the python script that works with python 2.4.3 (maybe 2.4.x). I basically removed the un-supported “with” statements and replaced os.SEEK_SET with 0 (per http://docs.python.org/library/os.html)

Also, I think the reason Suresh’s 1-line script does not work is because the address read for vdso is for process ‘cat’ and it is not a valid address when process ‘dd’ tries to read from /proc/self/mem. For it to work, the same process that reads the vdso address from /proc/self/maps needs to read linux-gate.so from /proc/self/mem.

-Ezra

#!/usr/bin/python

"""
http://anomit.com/2010/04/18/examining-the-linux-vdso/
http://gist.github.com/369785

This script writes the VDSO to the file linux-gate.dso.1 .
Use `objdump -d linux-gate.dso.1` to examine it.
You might also want to play around more with the other objdump options and
the readelf tool :) 

LICENSE: MIT License ( http://www.opensource.org/licenses/mit-license.php )
"""
#from __future__ import with_statement
import os
import re

## regex pattern for finding out the memory address range from the output line
pattern = re.compile(r'[\w\d]+-[\w\d]+')
file = open('/proc/self/maps', 'r')
for line in file:
    line = line.rstrip()
    if '[vdso]' in line:
        addr_range = pattern.findall(line)[0]
        start_addr, end_addr = [int(addr, 16)
                                for addr in addr_range.split('-')]
        break

fd = os.open('/proc/self/mem', os.O_RDONLY)
os.lseek(fd, start_addr, 0)
buf = os.read(fd, (end_addr-start_addr))

file = open('linux-gate.dso.1', 'w')
file.write(buf)
file.close()
os.close(fd)
]]> By: anomit http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-3627 anomit Wed, 01 Sep 2010 13:09:01 +0000 http://anomit.com/?p=200#comment-3627 Ezra, you need Python version 2.5 and above to support the context manager concept used by the `with' statement. More here: http://docs.python.org/release/2.5.2/lib/typecontextmanager.html Sorry for that. You can create just a simple file object using the normal open() and work with it :). Ezra, you need Python version 2.5 and above to support the context manager concept used by the `with’ statement. More here: http://docs.python.org/release/2.5.2/lib/typecontextmanager.html

Sorry for that. You can create just a simple file object using the normal open() and work with it :) .

]]> By: Ezra Gilbert http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-3626 Ezra Gilbert Wed, 01 Sep 2010 13:05:20 +0000 http://anomit.com/?p=200#comment-3626 Suresh, Your dd 1-liner gives me the following error: dd if=/proc/self/mem of=vdso skip=$((0x`cat /proc/self/maps | grep vdso | cut -d'-' -f1`/0x1000)) count=1 bs=$((0x1000)) dd: reading `/proc/self/mem': Input/output error 0+0 records in 0+0 records out 0 bytes (0 B) copied, 0.000162585 seconds, 0.0 kB/s Do I need to do something to make /proc/self/mem readable? I am on 2.6.18 kernel. Thanks. Suresh,

Your dd 1-liner gives me the following error:

dd if=/proc/self/mem of=vdso skip=$((0x`cat /proc/self/maps | grep vdso | cut -d’-’ -f1`/0×1000)) count=1 bs=$((0×1000))
dd: reading `/proc/self/mem’: Input/output error
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.000162585 seconds, 0.0 kB/s

Do I need to do something to make /proc/self/mem readable? I am on 2.6.18 kernel.

Thanks.

]]> By: Ezra Gilbert http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-3625 Ezra Gilbert Wed, 01 Sep 2010 13:03:28 +0000 http://anomit.com/?p=200#comment-3625 Thanks for posting this article. I read the original posting and was stuck on these very same issues. But when I try to run your script I get error: [root@asm-99 ~]# ./vdso.py File "./vdso.py", line 20 with open('/proc/self/maps', 'r') as file: ^ SyntaxError: invalid syntax Do I need a particular version of python ? I am using 2.4.3. Thanks Thanks for posting this article. I read the original posting and was stuck on these very same issues. But when I try to run your script I get error:

[root@asm-99 ~]# ./vdso.py
File “./vdso.py”, line 20
with open(‘/proc/self/maps’, ‘r’) as file:
^
SyntaxError: invalid syntax

Do I need a particular version of python ? I am using 2.4.3.

Thanks

]]> By: Suresh Kumar http://anomit.com/2010/04/18/examining-the-linux-vdso/comment-page-1/#comment-3465 Suresh Kumar Wed, 21 Jul 2010 12:12:10 +0000 http://anomit.com/?p=200#comment-3465 Updated Seem to have missed objdump <code> dd if=/proc/self/mem of=- skip=$((0x`cat /proc/self/maps | grep vdso | cut -d'-' -f1`/0x1000)) count=1 bs=$((0x1000)) | objdump -d --start-address=0xffffe000 - </code> Updated

Seem to have missed objdump


dd if=/proc/self/mem of=- skip=$((0x`cat /proc/self/maps | grep vdso | cut -d'-' -f1`/0x1000)) count=1 bs=$((0x1000)) | objdump -d --start-address=0xffffe000 -

]]>