I need to find the offset of an instruction inside a program. Let's say I wanna find the position of open *system_call* in the program cat.
I used objdump to find the position inside the bin file.
objdump -T /bin/cat | grep open :
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 fdopen
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 open
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.2.5 iconv_ope
Unfortunately, analyzing the sible table I cannot retrieve that information because the open function is linked dynamically. The open function is implemented in glibc.
Using the same approach on the Glibc library I retrieved the offset of the open function, though this offset refers to the position inside the /lib/libc.so.6 So this is not useful for me.
00000000000778d0 g DF .text 00000000000004e3 GLIBC_2.2.5 _IO_file_fopen
000000000006be50 g DF .text 000000000000000a GLIBC_2.2.5 fopen
0000000000073540 g DF .text 00000000000000f6 GLIBC_2.4 open_wmemstream
0000000000121cf0 w DF .text 0000000000000107 GLIBC_2.2.5 posix_openpt
000000000006d480 g DF .text 00000000000003bf GLIBC_2.2.5 _IO_proc_open
00000000000e38b0 g DF .text 0000000000000021 GLIBC_2.7 __open64_2
000000000006bfe0 g DF .text 00000000000000fa GLIBC_2.2.5 fopencookie
000000000006d840 g DF .text 0000000000000098 GLIBC_2.2.5 popen
00000000000ddd30 w DF .text 000000000000005e GLIBC_2.2.5 __open64
000000000006be50 g DF .text 000000000000000a GLIBC_2.2.5 _IO_fopen
00000000000de020 w DF .text 0000000000000020 GLIBC_2.7 __openat64_2
00000000000e84d0 g DF .text 0000000000000066 GLIBC_2.2.5 openlog
00000000000ddd30 w DF .text 000000000000005e GLIBC_2.2.5 open64
00000000003aa630 g DO .bss 0000000000000008 GLIBC_PRIVATE _dl_open_hook
00000000000ec840 g DF .text 000000000000005e GLIBC_2.14 open_by_handle_at
0000000000034250 g DF .text 0000000000000254 GLIBC_2.2.5 catopen
000000000006d840 g DF .text 0000000000000098 GLIBC_2.2.5 _IO_popen
0000000000075330 g DF .text 0000000000000355 GLIBC_2.2.5 freopen64
0000000000075eb0 g DF .text 00000000000001d8 GLIBC_2.2.5 fmemopen
00000000000b5b90 w DF .text 000000000000008b GLIBC_2.4 fdopendir
00000000000de020 g DF .text 0000000000000020 GLIBC_2.7 __openat_2
00000000000b5640 w DF .text 000000000000000d GLIBC_2.2.5 opendir
00000000000e3880 g DF .text 0000000000000021 GLIBC_2.7 __open_2
00000000000ddd30 w DF .text 000000000000005e GLIBC_2.2.5 __open
00000000000777f0 g DF .text 00000000000000d2 GLIBC_2.2.5 _IO_file_open
0000000000074370 g DF .text 00000000000000e6 GLIBC_2.2.5 open_memstream
0000000000073ab0 g DF .text 000000000000035d GLIBC_2.2.5 freopen
00000000000345a0 g DF .text 0000000000000837 GLIBC_PRIVATE __open_catalog
00000000000ddd30 w DF .text 000000000000005e GLIBC_2.2.5 open
000000000006b540 g DF .text 0000000000000249 GLIBC_2.2.5 fdopen
0000000000022b20 g DF .text 000000000000020a GLIBC_2.2.5 iconv_open
00000000000e2130 g DF .text 0000000000000373 GLIBC_2.2.5 fts_open
00000000000ddf80 w DF .text 0000000000000092 GLIBC_2.4 openat
000000000006be50 w DF .text 000000000000000a GLIBC_2.2.5 fopen64
00000000000ddf80 w DF .text 0000000000000092 GLIBC_2.4 openat64
0000000000122f30 g DF .text 0000000000000046 GLIBC_PRIVATE __libc_dlopen_mode
00000000000dc650 g DF .text 00000000000000b8 GLIBC_2.2.5 posix_spawn_file_actions_addopen
000000000006b540 g DF .text 0000000000000249 GLIBC_2.2.5 _IO_fdopen
I need the offset to set a tracer when the open function is called by the cat program. If I put a tracer on the Glibc lib I will trace that syscall each time it will be called.
Can you help me?
Have I been clear explaining my problem?
Thanks
Well, cat itself doesn't contain the open system call. It lives in glibc.so. cat calls the library to make use of the function. That's why when you look inside cat, there is no open function in it, it's "undefined" and refers to glibc.so.
You can of course find where cat calls open:
If you search for the symbol open#plt in the symbol table, that's where it calls open. For example objdump -dwhich cat|grep open#plt shows 0000000000401910 <open#plt>:, which is where the jump to the glibc function takes place.
I hope this helps.
Use /proc/$PID/maps to see where a shared object library's segments are loaded in the process memory. E.g.:
# grep libc /proc/$$/maps
7f3243879000-7f3243a2e000 r-xp 00000000 08:01 270246 /lib/x86_64-linux-gnu/libc-2.15.so
7f3243a2e000-7f3243c2d000 ---p 001b5000 08:01 270246 /lib/x86_64-linux-gnu/libc-2.15.so
7f3243c2d000-7f3243c31000 r--p 001b4000 08:01 270246 /lib/x86_64-linux-gnu/libc-2.15.so
7f3243c31000-7f3243c33000 rw-p 001b8000 08:01 270246 /lib/x86_64-linux-gnu/libc-2.15.so
-- so there are 4 segments of libc.so loaded into the address space of the process, we need an executable one, which is marked r-xp ("Read, no write, eXecute, Private"), its start is at *0x7f3243879000. You already know how to get relative offset for a symbols, e.g. freopen from your example is at 000000000000035d from the start of the executable segment, so in my example the symbol can be found at 7f3243879000 + 35d = *0x7f324387935d in the process memory.
A debugger with decent dynamic linker integration should handle this for you, resolving the symbolic name at which you wish to set a breakpoint. It can even do this when the library hasn't yet been loaded at the time you attempt to set the breakpoint.
However, be aware that there's not much of a syscall you can trace with a user-mode debugger. You can trace through the little libc stub which might do something such as re-order paramaters between the platform's C calling convention and its often different syscall convention, or implement a deprecated syscall as a wrapper around a new one, but the actual kernel mode implementation can only be traced with a kernel debugger.
You might also be interested in the strace program, which prints out the paramaters and return values of all syscalls. Another thing usefull in some cases is dynamic library interception, for example using LD_PRELOAD.
Related
I am using the linux capabilities by cap_set_flag.
It's published like , capabilities of the process would be reflected in /proc/$$/task/$$/status
But with cap_set_flag, it won't reflect . Only with capset API ,the capabilities are getting recorded in this status file.
Any reason for this.
Does this depend on kernel version which I am using (4.19.183).
I tried using cap_set_flag as below
cap_list[0] = CAP_CHOWN;
if (cap_set_flag(cap, CAP_EFFECTIVE, 1, cap_list, CAP_SET) == -1) {
perror("cap_set_flag cap_chown");
cap_free(cap);
exit(-1);
}
want this to be reflected in status file
$ grep Cap /proc/$$/task/$$/status
CapInh: 00000000a80425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
I am trying to build a shared object (.so) on AIX, using the IBM xlclang++ compiler (v16.1). The .so uses C++11 concurrency, and I have defined some global variables as thread_local. The linker gives Undefined symbol errors for those variables (and for another symbol: .__pt_atexit_np).
There are also some thread_local static variables inside a function. (See DoSomething below.) The linker does not complain about those, but the above-mentioned symbol .__pt_atexit_np might have something to with this.
This code compiles, links, and runs fine on Windows (as a DLL), both when using MS Visual C++ 2019 and clang++ (v9.0.0).
To enable multithreaded code on AIX (I hoped), I added the compiler/linker options -qthreaded and -qtls=global-dynamic.
// --- In GlobData.h: ---
extern thread_local bool GLOB_bTracingEnabled;
// --- In GlobData.cpp: --- (Error: Undefined symbol)
thread_local bool GLOB_bTracingEnabled;
// --- In Calculations.cpp: --- (Error?)
int DoSomething() {
thread_local static int _staticVar;
// ...
}
#--- In makefile: ---
INCL1=.
CCC=/opt/IBM/xlC/16.1.0/bin/xlclang++
CCFLAGS1=-q64 -qrtti -qthreaded -qtls=global-dynamic -qmkshrobj -bE:MyDLL.exp -DNDEBUG -I$(INCL1)
CCFLAGS=$(CCFLAGS1) -c
LD=/opt/IBM/xlC/16.1.0/bin/xlclang++
LDFLAGS=$(CCFLAGS1)
LIB_FILE=mydll.so
SOURCEDIR1=.
OBJ_FILES=StdAfx.o GlobData.o Calculations.o
VPATH=$(SOURCEDIR1)
.SUFFIXES: .cpp .o
#Make all:
all :: $(LIB_FILE)
#Compile rule:
.cpp.o:
$(CCC) $(CCFLAGS) -o$# $<
#Link rule:
$(LIB_FILE) : $(OBJ_FILES)
$(LD) $(LDFLAGS) -o $# $(OBJ_FILES)
strip -t -X64 $#
Link errors:
ld: 0711-317 ERROR: Undefined symbol: .ZTH20GLOB_bTracingEnabled
ld: 0711-317 ERROR: Undefined symbol: .__pt_atexit_np
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
Compiling/linking with option -bnoquiet (as suggested above) gave the following info (tidied up a bit). (Hoping it's useful for someone...)
/opt/IBM/xlC/16.1.0/bin/xlclang++ -O3 -q64 -qchars=signed -qrtti -qthreaded -qtls=global-dynamic -bnoquiet -qmkshrobj -qmaxmem=-1 -bE:mydll.exp -DNDEBUG -DAIX -DBPC_DLL_EXPORTS -I../Common -I../../../aks/source -I. -o ./mydll.so StdAfx.o GlobData.o Calculations.o [...]
(ld): setopt 64
(ld): halt 4
(ld): setfflag 4
(ld): cdtors 1 all 0 s
(ld): savename ./bpc-urm.so
(ld): filelist 92 2
(ld): setopt noprogram
(ld): noentry
NOENTRY: There is no entry point.
(ld): i /lib/crti_64.o
(ld): i StdAfx.o
(ld): i GlobData.o
(ld): i Calculations.o
[...]
(ld): lib /opt/IBM/xlc/16.1.0/lib/libxlopt.a
(ld): lib /opt/IBM/xlc/16.1.0/lib/libxlipa.a
(ld): lib /opt/IBM/xlc/16.1.0/lib/libxl.a
(ld): lib /usr/lib/libc++.a
(ld): lib /opt/IBM/xlC/16.1.0/lib/libCcore.a
(ld): lib /usr/lib/libpthreads.a
(ld): lib /usr/lib/libm.a
(ld): lib /usr/lib/libatomic.a
(ld): lib /usr/lib/libc.a
LIBRARY: Symbols imported from import file /usr/lib/libc++.a[shr.imp]: 0
LIBRARY: Symbols imported from import file /usr/lib/libc++.a[shr_64.imp]: 1834
LIBRARY: Symbols imported from import file /usr/lib/libc++.a[cxxabi.imp]: 0
LIBRARY: Symbols imported from import file /usr/lib/libc++.a[cxxabi_64.imp]: 354
LIBRARY: Symbols imported from import file /opt/IBM/xlC/16.1.0/lib/libCcore.a[shrcore_32.imp]: 0
LIBRARY: Symbols imported from import file /opt/IBM/xlC/16.1.0/lib/libCcore.a[ansicore_32.imp]: 0
LIBRARY: Symbols imported from import file /opt/IBM/xlC/16.1.0/lib/libCcore.a[shrcore_64.imp]: 131
LIBRARY: Symbols imported from import file /opt/IBM/xlC/16.1.0/lib/libCcore.a[ansicore_64.imp]: 81
LIBRARY: Shared object libpthreads.a[shr_xpg5_64.o]: 346 symbols imported.
LIBRARY: Shared object libatomic.a[libatomic.so.1]: 40 symbols imported.
LIBRARY: Shared object libc.a[shr_64.o]: 3110 symbols imported.
LIBRARY: Shared object libc.a[posix_aio_64.o]: 20 symbols imported.
LIBRARY: Shared object libc.a[aio_64.o]: 18 symbols imported.
LIBRARY: Shared object libc.a[pse_64.o]: 8 symbols imported.
LIBRARY: Shared object libc.a[dl_64.o]: 4 symbols imported.
LIBRARY: Shared object libc.a[pty_64.o]: 1 symbols imported.
LIBRARY: Shared object libc.a[cthread_64.o]: 25 symbols imported.
LIBRARY: Shared object libc.a[uchar_64.o]: 4 symbols imported.
FILELIST: Number of previously inserted files processed: 92
(ld): exports mydll.exp
EXPORTS: Symbols exported: 59
(ld): resolve
RESOLVE: 6667 of 30031 symbols were kept.
(ld): addgl /usr/lib/glink64.o
ADDGL: Glink code added for 116 symbols.
(ld): er full
ld: 0711-318 ERROR: Undefined symbols were found.
The following symbols are in error:
Symbol Inpndx TY CL Source-File(Object-File) OR Import-File{Shared-object}
RLD: Address Section Rld-type Referencing Symbol
----------------------------------------------------------------------------------------------
._ZTH20GLOB_bTracingEnabled [240] ER PR File0.cpp(File0.o)
00000cbc .text R_RBR [54] <.GLOB_EnableTracing#AF26_2>
._ZTH20GLOB_bTracingEnabled [386] ER PR File1.cpp(File1.o)
0000004c .text R_RBR [8] <._ZTW20GLOB_bTracingEnabled>
00001564 .text R_RBR [24] .Namespace2::Function1(...)
0000162c .text R_RBR [24] .Namespace2::Function1(...)
00001690 .text R_RBR [24] .Namespace2::Function1(...)
._ZTH20GLOB_bTracingEnabled [563] ER PR File2.cpp(File2.o)
000013dc .text R_RBR [26] .Class1::Function2(...) const
00001400 .text R_RBR [26] .Class1::Function2(...) const
._ZTH20GLOB_bTracingEnabled [782] ER PR File3.cpp(File3.o)
00001710 .text R_RBR [22] .Class2::Function3(...) const
00001788 .text R_RBR [22] .Class2::Function3(...) const
00001800 .text R_RBR [22] .Class2::Function3(...) const
00001878 .text R_RBR [22] .Class2::Function3(...) const
00001910 .text R_RBR [22] .Class2::Function3(...) const
00001928 .text R_RBR [22] .Class2::Function3(...) const
00001940 .text R_RBR [22] .Class2::Function3(...) const
0000202c .text R_RBR [27] <._ZTW20GLOB_bTracingEnabled>
0000286c .text R_RBR [38] .Class2::Function4(...) const
00003064 .text R_RBR [43] .Class2::Function5(...) const
._ZTH20GLOB_bTracingEnabled [283] ER PR File4.cpp(File4.o)
00000260 .text R_RBR [11] .Class3::Function6(...) const
00000370 .text R_RBR [11] .Class3::Function6(...) const
00000604 .text R_RBR [15] <.IPRA.$Function7(...)>
0000069c .text R_RBR [15] <.IPRA.$Function7(...)>
[...]
.__pt_atexit_np [1033] ER PR Calculations.cpp(Calculations.o)
00003720 .text R_RBR [55] .Namespace1::DoSomething(...)
00003750 .text R_RBR [55] .Namespace1::DoSomething(...)
ER: The return code is 8.
ld: 0711-317 ERROR: Undefined symbol: ._ZTH20GLOB_bTracingEnabled
[...]
ld: 0711-317 ERROR: Undefined symbol: .__pt_atexit_np
make: 1254-004 The error code from the last command is 8.
If I do something like this:
dumpbin myexe.exe
I got output similar to:
Dump of file myexe.exe
File Type: EXECUTABLE IMAGE
Summary
21000 .data
1000 .gfids
3C9000 .rdata
4F000 .reloc
B4000 .rsrc
325000 .text
1000 .tls
Second column (.data, .gfids, .rdata...) represents section name.
But what is first column? Section size?
This value is actually the aligned section size.
If you do dumpbin /headers myexe.exe, you will get a more verbose output. For example, dumpbin C:\Windows\explorer.exe on my system produces:
Dump of file c:\Windows\explorer.exe
File Type: EXECUTABLE IMAGE
Summary
4000 .data
1000 .didat
1000 .imrsiv
18000 .pdata
7B000 .rdata
6000 .reloc
1EA000 .rsrc
1C5000 .text
dumpbin /headers C:\Windows\explorer.exe, contains the output for the .text section as follows (... = lines omitted):
...
SECTION HEADER #1
.text name
1C4737 virtual size
1000 virtual address (0000000140001000 to 00000001401C5736)
1C4800 size of raw data
400 file pointer to raw data (00000400 to 001C4BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
...
It also gives 1000 section alignment in the OPTIONAL HEADER VALUES section.
As you can see, the size of the .text section is actually 1C4737, when aligned, it becomes 1C5000, as reported in the /summary (which is the default option for dumpbin).
I have a user mode dump from Win 8.1/64, the dump was taken by attaching Windbg when the Wer dialogue. The .ecxr shows then ntdll!DbgBreakPoint for the Windbg injected thread. (As normal)
I have identified the thread by examine all stack, and finding the one which has :
# Call Site
00 ntdll!NtWaitForMultipleObjects
01 KERNELBASE!WaitForMultipleObjectsEx
02 kernel32!WerpReportFaultInternal
03 kernel32!WerpReportFault
04 KERNELBASE!UnhandledExceptionFilter
05 ntdll!RtlUserThreadStart$filt$0
06 ntdll!_C_specific_handler
07 ntdll!RtlpExecuteHandlerForException
08 ntdll!RtlDispatchException
09 ntdll!KiUserExceptionDispatch
10 <My faulty code which generated the exception>
The kvn aslo dispays a TrapFrame # 00000000`0379ed28)
09 00000000`0379e900 00000000`00250bc8 : 00000000`00000000 00000000`0026ca09 00000000`0379f160 00000000`0379f168 : ntdll!KiUserExceptionDispatch+0x2e (TrapFrame # 00000000`0379ed28)
Is there a way to use the trap frame to get the context record to feed into .cxr ?
Or is it other possibilities to find the exception context?
I see a KERNELBASE!UnhandledExceptionFilter on the stack. That seems like a good thing to focus on.
If this were x86, you could easily get an EXCEPTION_POINTERS struct out of the first parameter to KERNELBASE!UnhandledExceptionFilter. From there, you would have access to the EXCEPTION_RECORD and CONTEXT. The procedure is described in this KB article.
The same method works for x64 processes with one caveat. Due to the nature of the x64 calling convention, it is harder to retrieve the actual argument to KERNELBASE!UnhandledExceptionFilter since it is stored in a register rather than on the stack.
I recently found a debugger extension called CMKD that automates the task of hunting for the first 4 args in the x64 calling convention rather than blindly displaying stack values like kb and kv. This can be done by hand but it is a rather lengthy and error-prone process -- better to let an extension take a crack at it first.
With it, you can do something like this:
0:000> !cmkd.stack -p
Call Stack : 15 frames
## Stack-Pointer Return-Address Call-Site
[...]
03 000000aea3dae7e0 00007fff1e906b14 KERNELBASE!UnhandledExceptionFilter+196
Parameter[0] = 000000aea3dae930
Parameter[1] = (unknown)
Parameter[2] = (unknown)
Parameter[3] = (unknown)
[...]
And, now we have an EXCEPTION_POINTERS* in Parameter[0].
0:000> dt 000000ae`a3dae930 EXCEPTION_POINTERS
ConsoleApplication2!EXCEPTION_POINTERS
+0x000 ExceptionRecord : 0x000000ae`a3daf850 _EXCEPTION_RECORD
+0x008 ContextRecord : 0x000000ae`a3daf240 _CONTEXT
We can see in my example that a C++ exception was thrown...
0:000> .exr 000000ae`a3daf850
ExceptionAddress: 00007fff1bfeab78 (KERNELBASE!RaiseException+0x0000000000000068)
ExceptionCode: e06d7363 (C++ EH exception)
ExceptionFlags: 00000001
NumberParameters: 4
Parameter[0]: 0000000019930520
Parameter[1]: 000000aea3daf9b0
Parameter[2]: 00007ff6f50024a8
Parameter[3]: 00007ff6f5000000
pExceptionObject: 000000aea3daf9b0
_s_ThrowInfo : 00007ff6f50024a8
Hopefully this helps. Good luck. :)
Another method fox x64 case doesn't require extension but is relying on two unstable facts:
windbg ability to reconstruct registers for a specific frame
the fact that WerpReportFault stores EXCEPTION_POINTERS address in rdi before passing it to WerpReportFaultInternal (it is the case at least for kernel32.dll 6.1.7601.23915 (win7sp1_ldr.170913-0600)
Exception pointer can be extracted as an rdi value of the WerpReportFault's frame:
0:007> k
# Child-SP RetAddr Call Site
00 00000000`0868dcd8 000007fe`fcf61430 ntdll!NtWaitForMultipleObjects+0xa
01 00000000`0868dce0 00000000`76fb16e3 KERNELBASE!WaitForMultipleObjectsEx+0xe8
02 00000000`0868dde0 00000000`7702b8b5 kernel32!WaitForMultipleObjectsExImplementation+0xb3
03 00000000`0868de70 00000000`7702ba37 kernel32!WerpReportFaultInternal+0x215
04 00000000`0868df10 00000000`7702ba8f kernel32!WerpReportFault+0x77
05 00000000`0868df40 00000000`7702bcac kernel32!BasepReportFault+0x1f
06 00000000`0868df70 00000000`77230108 kernel32!UnhandledExceptionFilter+0x1fc
07 00000000`0868e050 00000000`771c7958 ntdll! ?? ::FNODOBFM::`string'+0x2025
08 00000000`0868e080 00000000`771d812d ntdll!_C_specific_handler+0x8c
09 00000000`0868e0f0 00000000`771c855f ntdll!RtlpExecuteHandlerForException+0xd
0a 00000000`0868e120 00000000`771fbcb8 ntdll!RtlDispatchException+0x45a
0b 00000000`0868e800 000007fe`fe03df54 ntdll!KiUserExceptionDispatch+0x2e
0c 00000000`0868ef00 000007fe`fe03e1b6 gdi32!pmfAllocMF+0x2b0
0d 00000000`0868ef70 000007fe`fb10a646 gdi32!GetEnhMetaFileW+0x32
0e 00000000`0868efb0 000007fe`fb0c4959 GdiPlus!GpMetafile::GpMetafile+0x1c6
0f 00000000`0868f150 00000001`40001c35 GdiPlus!GdipCreateBitmapFromFile+0xc5
0:007> .frame /r 04
04 00000000`0868df10 00000000`7702ba8f kernel32!WerpReportFault+0x77
rax=00000000c0000001 rbx=0000000000000000 rcx=0000000002660000
rdx=0000000000000001 rsi=0000000000000001 rdi=000000000868e0b0
rip=000000007702ba37 rsp=000000000868df10 rbp=000000000868ff90
r8=000000000868d3f8 r9=000000000868d560 r10=0000000000000000
r11=0000000000000246 r12=000000000868e0b0 r13=0000000000000000
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000244
kernel32!WerpReportFault+0x77:
00000000`7702ba37 8b0d27ff0600 mov ecx,dword ptr [kernel32!RestrictedUserHandle+0xc (00000000`7709b964)] ds:00000000`7709b964=00000000
0:007> .exptr 000000000868e0b0
----- Exception record at 00000000`0868ecf0:
ExceptionAddress: 000007fefe03df54 (gdi32!pmfAllocMF+0x00000000000002b0)
ExceptionCode: c0000006 (In-page I/O error)
ExceptionFlags: 00000000
NumberParameters: 3
Parameter[0]: 0000000000000000
Parameter[1]: 0000000002610028
Parameter[2]: 00000000c00000be
Inpage operation failed at 0000000002610028, due to I/O error 00000000c00000be
----- Context record at 00000000`0868e800:
rax=0000000002610000 rbx=000000000e5fe7c0 rcx=0000000000006894
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=000007fefe03df54 rsp=000000000868ef00 rbp=0000000000000104
r8=000000000868ee38 r9=0000000000000104 r10=0000000000000000
r11=0000000000000286 r12=0000000000000001 r13=000000006d9cf760
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
gdi32!pmfAllocMF+0x2b0:
000007fe`fe03df54 81782820454d46 cmp dword ptr [rax+28h],464D4520h ds:00000000`02610028=????????
I did some research and found two ways of getting it without any plugins, relying on WinDBG magic, etc.
First, invoke k command in WinDBG. Find a portion of stack like this:
Child-SP RetAddr
00000000`0ab7d9d0 00007ff9`98baed2d exception handler
00000000`0ab7da10 00007ff9`98b16c86 ntdll!RtlpExecuteHandlerForException+0xd
00000000`0ab7da40 00007ff9`98badc5e ntdll!RtlDispatchException+0x3c6
00000000`0ab7e140 00007ff9`98b5b48a ntdll!KiUserExceptionDispatch+0x2e
00000000`0ab7e860 00007ff9`96925531 Function that crashed
Now you can find what you want in local variables:
Option 1: Use EXCEPTION_POINTERS structure saved on stack
.exptr 00000000`0ab7da10 - 0x20
Option 2: Use CONTEXT and EXCEPTION_RECORD separately
.cxr 00000000`0ab7e140
.exr 00000000`0ab7e140 + ##c++(sizeof(ntdll!_CONTEXT)) + 0x20
I get this error while loading a lib with dlopen():
Cannot dlopen load module '/usr/lib/pa20_64/libpthread.1' because it contains thread specific data.
I looked this up on google and the following export fixed it.
export LD_PRELOAD=/usr/lib/hpux64/libpthread.so.1
Can anybody tell me what exactly LD_PRELOAD does and why I have to preload this lib? Why does the linker not load it?
Compiling with -lpthread does not help either.
ENV: HP-UX hhtenb1 B.11.31 U ia64 3881169896 unlimited-user license
I can't tell you all the details on HPUX, but try linking your program with -lpthread - that may solve your problem.
As is, the library you're dlopen()ing seems to be digging around at run-time to find a version of libpthread. LD_PRELOAD just loads the specified library as if you'd dlopened them, but it does it before the program has a chance to start running.
Not sure of details, but a vague guess: some library you're using has called the pthread static data functions before your dlopen triggers a load of libpthread (but why would it try to load pthread then if the first library had it as a dependency? - not sure / maybe that indicates the former library statically linked some pthread content?).
We had this error below on hpux-11.31 IA64 running DB2-10.1.2 and doing the
"export LD_PRELOAD=/usr/lib/hpux64/libpthread.so.1"
fixed it.
DATA #2 : String, 49 bytes
/home/db2inst1/sqllib/lib64/icc/libgsk8iccs_64.so
CALLSTCK: (Static functions may not be resolved correctly, as they are resolved to the nearest symbol)
[0] 0xC000000032488900 pdOSSeLoggingCallback + 0x980
[1] 0xC000000010CC5A00 ossLog + 0x4E0
[2] 0xC000000010CC5610 ossLog + 0xF0
[3] 0xC00000003255E100 _Z27cryptDynamicLoadGSKitCryptoPc + 0x5F0
[4] 0xC00000003255F460 cryptContextRealInit + 0x200
[5] 0xC000000032561950 cryptContextCheckAndInit + 0x130
[6] 0xC000000032561B70 cryptDHInit + 0x120
[7] 0xC00000003384FBD0 sqlexSlcServerEncryptAccsec + 0x170
[8] 0xC00000003384F7B0 _Z33sqlexSlcServerEncryptAuthenticateP14db2UCinterfacelPj + 0xF0
[9] 0xC0000000321FB7D0 _Z20sqlexAppAuthenticateP14db2UCinterface + 0x1A60
[10] 0xC0000000321F8920 _Z18sqljrDrdaArConnectP14db2UCinterface + 0x140
[11] 0xC0000000321E96F0 _Z16sqleUCdrdaARinitP14db2UCconHandle + 0x230
[12] 0xC000000032238CD0 sqleUCappConnect + 0x13C0
[13] 0xC000000032647B20 _Z14CLI_sqlConnectP15CLI_CONNECTINFOP5sqlcaP19CLI_ERRORHEADERINFO + 0x32A0
[14] 0xC0000000325D5710 _Z11SQLConnect2P15CLI_CONNECTINFOPhsS1_sS1_sS1_sh + 0xA10
[15] 0xC0000000325ADB90 _Z17SQLDriverConnect2P15CLI_CONNECTINFOPvPhsS2_sPsthhP19CLI_ERRORHEADERINFO + 0x26E0
[16] 0xC0000000325AAC00 _Z11SQLConnect1P15CLI_CONNECTINFOPhsS1_sS1_s + 0xB60
[17] 0xC0000000325A8E30 SQLConnect + 0xC10
[18] 0x4000000000001EA0 main + 0x620
[19] 0xC00000000006E9B0 _DYNAMIC + 0xC00000000006E993