This is the mail archive of the gdb@sourceware.org mailing list for the GDB project.
Why won't gdb stop on packed (UPX) file breakpoint at entrypoint?
- From: "gdb guy" <gdb dot guy1 at gmail dot com>
- To: gdb <gdb at sourceware dot org>
- Date: Wed, 26 Mar 2008 16:57:02 -0400
- Subject: Why won't gdb stop on packed (UPX) file breakpoint at entrypoint?
I am hoping someone can suggest a solution around this, because it
seems like it limits malware analysis on *nix systems where you want
to use gdb rather than some Windows tool...
I wanted to see what UPX was doing for linux files, so I went and got
UPX v 3.02 (http://upx.sourceforge.net/#download). I compiled it, and
did
$ upx `which ps` -o UPXps
and got my UPXps which functions just fine as a normal ps command.
Then I did
$ readelf -a UPXps
ELF Header:
Magic: 7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - Linux
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0xc07fd0
Start of program headers: 52 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 2
Size of section headers: 40 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x00c01000 0x00c01000 0x077b8 0x077b8 R E 0x1000
LOAD 0x000df4 0x08078df4 0x08078df4 0x00000 0x00000 RW 0x1000
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
Next comes
$ gdb ./UPXps
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) b *0xc07fd0
Breakpoint 1 at 0xc07fd0
(gdb) r
Starting program: /home/user/ELF/upx-3.02-src/UPXps
warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
PID TTY TIME CMD
11524 pts/7 00:00:00 bash
17683 pts/7 00:00:00 gdb
17688 pts/7 00:00:00 UPXps
17690 pts/7 00:00:00 gdb
Program exited normally.
So my question is, is there any way to *force* gdb to just load the
program and just break at the entry point address?
Also, just for my own benefit, and those who google after me, on GDB
6.3 (which I have on another older VM) what does DSO stand for when it
says "Loading system supplied DSO at 0xc00000"?
Thanks
Gary Guy
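As an added example (not part of the original post, nor UPX or GDB code), the following Python parser reads an ELF32 header and its program headers the way readelf does, rebuilds the figures quoted above on a constructed image (entry 0xc07fd0, two LOAD segments, no section headers), maps the entry point to its file offset, and lists the packer traits visible in that output. The sample image and the "last 10%" threshold are assumptions made for this illustration.

```python
import struct

ELF32_EHDR = "<HHIIIIIHHHHHH"   # header fields after the 16-byte e_ident
ELF32_PHDR = "<IIIIIIII"        # one ELF32 program header
PT_LOAD, PF_X = 1, 1
PH_FIELDS = ("type", "offset", "vaddr", "paddr", "filesz", "memsz", "flags", "align")

def build_sample_elf32():
    """Constructed ELF32 image shaped like the UPX-packed ps in the thread (entry
    0xc07fd0, two PT_LOADs, no section headers). Not the real UPXps bytes."""
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 3]) + b"\0" * 8   # ELF32, LSB, Linux ABI
    ehdr += struct.pack(ELF32_EHDR, 2, 3, 1, 0x00C07FD0, 52, 0, 0, 52, 32, 2, 40, 0, 0)
    phdrs = struct.pack(ELF32_PHDR, PT_LOAD, 0x0, 0x00C01000, 0x00C01000,
                        0x77B8, 0x77B8, 5, 0x1000)            # R E
    phdrs += struct.pack(ELF32_PHDR, PT_LOAD, 0xDF4, 0x08078DF4, 0x08078DF4,
                         0, 0, 6, 0x1000)                     # RW, zero size
    img = ehdr + phdrs
    return img + b"\0" * (0x77B8 - len(img))   # pad to the first LOAD's filesz

def parse_elf32(data):
    """Return entry point, section-header info and program headers of an LSB ELF32."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    f = struct.unpack_from(ELF32_EHDR, data, 16)
    entry, phoff, shoff, phentsize, phnum, shnum = f[3], f[4], f[5], f[8], f[9], f[11]
    phdrs = [dict(zip(PH_FIELDS, struct.unpack_from(ELF32_PHDR, data, phoff + i * phentsize)))
             for i in range(phnum)]
    return {"entry": entry, "shoff": shoff, "shnum": shnum, "phdrs": phdrs}

def segment_for(info, addr):
    # PT_LOAD whose memory range contains addr, or None
    for p in info["phdrs"]:
        if p["type"] == PT_LOAD and p["vaddr"] <= addr < p["vaddr"] + p["memsz"]:
            return p
    return None

def entry_file_offset(info):
    """File offset the entry address maps to (where the stub bytes sit on disk)."""
    p = segment_for(info, info["entry"])
    return None if p is None else p["offset"] + (info["entry"] - p["vaddr"])

def packer_indicators(info):
    """Traits an analyst would note before debugging; none alone proves packing."""
    hits = []
    if info["shnum"] == 0 and info["shoff"] == 0:
        hits.append("no section headers")
    loads = [p for p in info["phdrs"] if p["type"] == PT_LOAD]
    if len(loads) == 2 and loads[1]["filesz"] == 0 and loads[1]["memsz"] == 0:
        hits.append("second LOAD segment is empty")
    p = segment_for(info, info["entry"])
    if p and p["flags"] & PF_X and info["entry"] - p["vaddr"] > 0.9 * p["memsz"]:
        hits.append("entry point in last 10% of its executable segment")
    return hits
```

On the constructed image, entry_file_offset reports 0x6fd0, i.e. the entry point sits near the end of the single executable segment, which is where a breakpoint on the stub would have to land before the unpacker runs.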