From: Digital I. Inc. <ok...@di...> - 2004-02-01 16:06:56
Hello every great hacker. We apparently have to take some measures to get information about what is going on under a blue screen of death. One way is using a memory dump. And there must be many ideas, papers, and code to do it. To prevent re-inventing the wheel, I ask you to post ideas, URLs, papers, ... about this issue.

I post my idea. This is taken from a private mail to Aloni. I hope you post your idea or your knowledge or URLs, ... Any information is useful. It is better than nothing.

--- Okajima.

-----------------------

1. See the trace log. Do like this:

   1. Get some physical pages.
   2. Set a "signature" on the top of them.
   3. Use the pages as a ring buffer of the trace log.
   4. When BSOD, there is a memory dump. You get the file and look for the "signature" inside it. After the signature, there must be the trace log.

2. See a back trace of the stack. First, change the source like this pseudo code:

--------------
#include <stdio.h>

/* before_main() runs in place of the usual main() (the original note
   said this via a linker option; here main() just hands over to it). */

char signature_header[] = "DAN ALONI, THE HACKER";
const int signature_magic = 1000;

unsigned long get_tick(void);   /* platform tick counter, supplied elsewhere */
int real_main(void);            /* the current main(), renamed */

/* Its frame sits at the bottom of the stack, so the signature it writes
   marks the start of the stack area in the dump. */
int before_main(void)
{
    volatile char buf[256];            /* volatile: keep the buffer even though it is never read */
    void *func = (void *)before_main;  /* code address: by this you know where the code stays */

    /* add time stamp and magic.
       for reducing a miss-detection, write magic
       by a different format than the ELF binary:
       a 32-bit int in the binary, ASCII in the dump. */
    snprintf((char *)buf, sizeof buf, "%s %d %lu %p",
             signature_header, signature_magic, get_tick(), func);

    return real_main();
}

int real_main(void)
{
    /* .... same as the current main() */
    return 0;
}

int main(void)
{
    return before_main();
}
---------------

And how to see the back trace is:

   1. Get a memory dump.
   2. Find the address of the signatures.
   3. Probably you find more than one. The signature that has the latest time stamp is the right one.
   4. Then you can fix the start address of the stack area.
   5. Using 'nm' and some perl utilities, you can get plenty of information.
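As an added example, not code from the original mail or from the project it was sent to: a signed ring-buffer trace log of the kind described in item 1, together with a scanner that finds every signature in a raw dump and keeps the one with the newest time stamp, which is the selection step in item 2. The dump contents, the page layout, and the tick values are constructed here for the example; in a real driver the pages would be physically contiguous, the tick would come from the platform clock, and the scanner would read the dump file instead of a buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define SIG_HEADER "DAN ALONI, THE HACKER"
#define SIG_MAGIC  1000
#define SIG_LEN    48   /* fixed-size signature cell at the top of the pages */

/* A trace ring: the signature cell holds "<header> <magic> <tick>",
 * the rest of the pages is a ring of bytes, so the newest text survives
 * a crash even when the log is longer than the buffer. */
struct trace_ring {
    unsigned char *base;   /* start of the pages (signature cell + ring body) */
    size_t size;           /* total size in bytes */
    size_t head;           /* next write position inside the ring body */
};

/* Write the signature cell; 'tick' stands in for the real time stamp. */
static void trace_init(struct trace_ring *r, unsigned char *pages, size_t size, unsigned tick)
{
    r->base = pages;
    r->size = size;
    r->head = 0;
    memset(pages, 0, size);
    snprintf((char *)pages, SIG_LEN, "%s %d %u", SIG_HEADER, SIG_MAGIC, tick);
}

/* Append text to the ring body, wrapping around when it is full. */
static void trace_log(struct trace_ring *r, const char *msg)
{
    size_t body = r->size - SIG_LEN;
    for (const char *p = msg; *p; p++) {
        r->base[SIG_LEN + r->head] = (unsigned char)*p;
        r->head = (r->head + 1) % body;
    }
}

/* Scan a raw dump for every signature cell and return the offset of the one
 * with the newest tick, or -1 if none matches. Cells whose magic is wrong
 * (e.g. a copy of the string inside the binary image) are skipped. */
static long find_latest_signature(const unsigned char *dump, size_t len, unsigned *tick_out)
{
    size_t hl = strlen(SIG_HEADER);
    long best = -1;
    unsigned best_tick = 0;

    for (size_t i = 0; i + hl < len; i++) {
        if (memcmp(dump + i, SIG_HEADER, hl) != 0)
            continue;
        /* bounded copy so sscanf never runs past the end of the dump */
        char cell[SIG_LEN + 1];
        size_t n = (len - i < SIG_LEN) ? len - i : SIG_LEN;
        memcpy(cell, dump + i, n);
        cell[n] = 0;

        int magic;
        unsigned tick;
        if (sscanf(cell + hl, " %d %u", &magic, &tick) != 2 || magic != SIG_MAGIC)
            continue;
        if (best < 0 || tick > best_tick) {
            best = (long)i;
            best_tick = tick;
        }
    }
    if (best >= 0 && tick_out)
        *tick_out = best_tick;
    return best;
}

/* Constructed dump (not a real crash dump): a stale signature from an earlier
 * boot, a decoy with the wrong magic, and the live trace ring at offset 1024. */
static unsigned char g_dump[4096];

static long demo_find_latest(unsigned *tick_out)
{
    struct trace_ring r;
    memset(g_dump, 0, sizeof g_dump);
    snprintf((char *)g_dump + 100, 64, "%s %d %u", SIG_HEADER, SIG_MAGIC, 5u);   /* stale, tick 5 */
    snprintf((char *)g_dump + 2048, 64, "%s %d %u", SIG_HEADER, 7, 9999u);       /* wrong magic */
    trace_init(&r, g_dump + 1024, 512, 900u);                                    /* live, tick 900 */
    trace_log(&r, "probe irq 3;");
    trace_log(&r, "map page 0x1000;");
    return find_latest_signature(g_dump, sizeof g_dump, tick_out);
}

int main(void)
{
    unsigned tick = 0;
    long off = demo_find_latest(&tick);
    if (off < 0) {
        puts("no signature found");
        return 1;
    }
    printf("latest signature at offset %ld (tick %u)\nlog: %s\n",
           off, tick, (const char *)g_dump + off + SIG_LEN);
    return 0;
}
```

The scanner deliberately parses the magic as ASCII from the dump and compares it with the integer constant compiled into the binary, which is the format mismatch the mail suggests for cutting down false matches: a copy of the header string sitting in the loaded image will not be followed by " 1000 " in text form. Reading the ring body back in order after a wrap would additionally need the head index stored in the cell, which this example leaves out.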