From owner-freebsd-hackers@FreeBSD.ORG Wed Apr 28 08:59:30 2004
From: "P. de Boer"
Reply-To: pieter@thelostparadise.com
To: freebsd-hackers@freebsd.org
Subject: Extracting symbol info out of processes at runtime
Date: Wed, 28 Apr 2004 17:59:21 +0200
Organization: The Lost Paradise
Message-Id: <1083167960.653.23.camel@edinburgh.thedarkside.tix>
List-Id: Technical Discussions relating to FreeBSD

Hello -hackers,

This is going to be a bit lengthy, but bear with me please, it's an
interesting topic if I may say so :)

For a little private project I'm working on, I need to find the address
of a function which is inside a shared library of a running process, OR
the base address the library is running at (in that case, I can simply
do a base_address+known_offset_of_function). Neither the executable nor
the libraries have had their symbols stripped.

To find the address of a certain function, I tried the ptrace program
from http://www.linuxgazette.com/issue85/sandeep.html (which tries to
find a link_map at GOT+4 by finding the GOT in the dynamic section found
in the program header), but that didn't seem to work out too well:
strcpy() was found, but the symbol I was looking for wasn't. I am a bit
unsure why, but perhaps it was because the symbol is probably only local
to the library, if that's even possible.

Because I lacked ELF clue and couldn't figure out what was going on, I
started to write an elf-info program, which uses ptrace() to extract the
ELF header, the program header table and the section header table from
a running process. However, when I dump the section header table, all I
get is garbage. man 5 elf states that the e_shoff field of the ELF
header defines the offset of the section header table. When I dump the
memory at 0x08048000+e_shoff in gdb, I'm getting different data than I'm
seeing in the file on disk at offset e_shoff. So, apparently the section
header table isn't stored there at runtime, despite what the field
e_shoff may say. Is there anyone here who might shed some light on this?
Where has it gone?

I started this e-mail stating I wanted to find the address of a symbol
or the base address of a shared library. I don't know yet if I really
need to have the section header table for this, or rather go to the
dynamic section found in the program header. I was going to find that
out writing my elf-info program, but that wasn't really a success, as
you see. If anyone can elaborate on that issue as well, I would be most
thankful.

PS: The sources to the program can be found at
http://thelostparadise.com/troep/elfinfo.c

-- 
With regards,
Pieter de Boer
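Editor's note on the question above. The section header table is not lost so much as never loaded: e_shoff is a file offset, the run-time linker maps only PT_LOAD segments, and in linker output the section header table sits at the end of the file after the non-allocated sections (.symtab, .strtab, .shstrtab), outside every PT_LOAD. Reading base + e_shoff therefore returns whatever happens to be mapped at that address, if anything. Everything the loader itself needs (the dynamic symbol table, its string table and its hash table) is reachable from the PT_DYNAMIC segment, which is mapped, so a runtime walk should go through the dynamic section and never touch section headers. That also explains the strcpy()-found-but-my-symbol-wasn't result: a symbol with local binding is absent from .dynsym and exists only in .symtab, which is likewise unmapped, so it can only be recovered from the file on disk (or from base + file offset, as the poster already planned).

The program below is an added example written for this page; it is not Pieter's elfinfo.c and not the Linux Gazette tool. It follows DT_DEBUG to struct r_debug and the link_map list, resolves a function name through each object's dynamic symbol hash table the way the loader does, and reports whether e_shoff of the defining object lies inside any PT_LOAD. It reads its own process for simplicity; for a foreign process every pointer dereference becomes a ptrace(2) read of the same address. Assumptions: an ELF64 host whose run-time linker fills DT_DEBUG (glibc, musl and FreeBSD rtld all do) and the glibc/musl link_map member layout (l_addr, l_name, l_ld, l_next; FreeBSD's <link.h> names its members differently, check sys/link_elf.h). The names resolve, lookup_in_object, dyn_ptr and struct resolved are this example's own.

```c
/* Added example, not the poster's elfinfo.c: resolve a function inside a loaded shared
 * object from its dynamic section alone, then check whether that object's section header
 * table is even mapped. Assumes an ELF64 host whose run-time linker fills DT_DEBUG with
 * the address of struct r_debug (glibc, musl and FreeBSD rtld all do). */
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern ElfW(Dyn) _DYNAMIC[];          /* our own dynamic section, linker-defined */

struct resolved {
    const char *object;               /* l_name of the defining object */
    uintptr_t base, addr;             /* load bias; base + st_value (0 = not found) */
    int shoff_mapped;                 /* 1 if some PT_LOAD of that object covers e_shoff */
};

/* On disk d_ptr is a link-time address. glibc rewrites it in place to an absolute address
 * at load time; musl and FreeBSD rtld do not. A value below the load bias is unrelocated. */
static uintptr_t dyn_ptr(uintptr_t p, uintptr_t base) { return p < base ? p + base : p; }

static uint32_t gnu_hash(const char *s) { uint32_t h = 5381; while (*s) h = h * 33 + (unsigned char)*s++; return h; }

static uint32_t sysv_hash(const char *s)
{
    uint32_t h = 0, g;
    for (; *s; s++) { h = (h << 4) + (unsigned char)*s; g = h & 0xf0000000; if (g) h ^= g >> 24; h &= ~g; }
    return h;
}

/* st_value if sym is a defined STT_FUNC, else 0. STT_GNU_IFUNC entries hold a resolver, not
 * the function, so they are deliberately rejected rather than returned as an address. */
static uintptr_t defined_func(const ElfW(Sym) *sym)
{
    return sym->st_shndx != SHN_UNDEF && (sym->st_info & 0xf) == STT_FUNC ? sym->st_value : 0;
}

/* Hash-table lookup of 'name' in one object's .dynsym, the way the loader does it. */
static uintptr_t lookup_in_object(const struct link_map *lm, const char *name)
{
    const ElfW(Sym) *symtab = NULL; const char *strtab = NULL;
    const uint32_t *gnu = NULL, *sysv = NULL;
    for (const ElfW(Dyn) *d = lm->l_ld; d->d_tag != DT_NULL; d++) {
        uintptr_t p = dyn_ptr(d->d_un.d_ptr, lm->l_addr);
        if (d->d_tag == DT_SYMTAB) symtab = (const ElfW(Sym) *)p;
        else if (d->d_tag == DT_STRTAB) strtab = (const char *)p;
        else if (d->d_tag == DT_GNU_HASH) gnu = (const uint32_t *)p;
        else if (d->d_tag == DT_HASH) sysv = (const uint32_t *)p;
    }
    if (!symtab || !strtab) return 0;
    if (gnu) {  /* layout: nbuckets, symoffset, bloom_size, bloom_shift, bloom[], buckets[], chain[] */
        uint32_t nbuckets = gnu[0], symoff = gnu[1];
        const uint32_t *buckets = (const uint32_t *)((const ElfW(Addr) *)(gnu + 4) + gnu[2]);
        const uint32_t *chain = buckets + nbuckets;
        uint32_t h = gnu_hash(name), i = buckets[h % nbuckets];
        if (i < symoff) return 0;     /* empty bucket (undefined symbols are not in this table) */
        for (;; i++) {                /* the last entry of a chain has its low bit set */
            uint32_t c = chain[i - symoff];
            if ((c | 1) == (h | 1) && !strcmp(strtab + symtab[i].st_name, name)) return defined_func(&symtab[i]);
            if (c & 1) return 0;
        }
    }
    if (sysv) {  /* layout: nbucket, nchain, bucket[], chain[] */
        const uint32_t *bucket = sysv + 2, *chain = bucket + sysv[0];
        for (uint32_t i = bucket[sysv_hash(name) % sysv[0]]; i; i = chain[i])
            if (!strcmp(strtab + symtab[i].st_name, name)) return defined_func(&symtab[i]);
    }
    return 0;
}

/* DT_DEBUG -> struct r_debug -> link_map list (what the Linux Gazette ptrace tool reaches
 * through the GOT), then the first object that defines 'name'. A shared object's first
 * PT_LOAD has p_offset == p_vaddr == 0, so its ELF header sits at the load bias. e_shoff is
 * a file offset: unless some PT_LOAD covers it, the section header table is never mapped. */
static struct resolved resolve(const char *name)
{
    struct resolved r = {0};
    struct r_debug *dbg = NULL;
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++)
        if (d->d_tag == DT_DEBUG) dbg = (struct r_debug *)(uintptr_t)d->d_un.d_ptr;
    for (const struct link_map *lm = dbg ? dbg->r_map : NULL; lm; lm = lm->l_next) {
        uintptr_t v = lookup_in_object(lm, name);
        if (!v) continue;
        r.object = lm->l_name; r.base = lm->l_addr; r.addr = lm->l_addr + v;
        const ElfW(Ehdr) *eh = (const ElfW(Ehdr) *)lm->l_addr;   /* skipped for a non-PIE exe (bias 0) */
        if (lm->l_addr && !memcmp(eh->e_ident, ELFMAG, SELFMAG)) {
            const ElfW(Phdr) *ph = (const ElfW(Phdr) *)(lm->l_addr + eh->e_phoff);
            for (int i = 0; i < eh->e_phnum; i++)
                if (ph[i].p_type == PT_LOAD && eh->e_shoff >= ph[i].p_offset &&
                    eh->e_shoff < ph[i].p_offset + ph[i].p_filesz) r.shoff_mapped = 1;
        }
        break;
    }
    return r;
}

int main(int argc, char **argv)
{
    struct resolved r = resolve(argc > 1 ? argv[1] : "getpid");
    if (!r.addr) return fprintf(stderr, "symbol not found in any loaded object\n"), 1;
    printf("%#lx in %s (load bias %#lx), section header table mapped: %s\n",
           (unsigned long)r.addr, r.object, (unsigned long)r.base, r.shoff_mapped ? "yes" : "no");
    return 0;
}
```

Build with a plain `cc -o resolve resolve.c` (no -ldl is needed, nothing calls dlopen) and run `./resolve getpid`: it prints the address of getpid inside the C library, the library's load bias, and "mapped: no" for the section header table. The two caveats a practitioner should keep: the d_ptr relocation heuristic exists because loaders disagree on whether the in-memory dynamic section is rewritten, and an STT_GNU_IFUNC symbol's st_value is a resolver, so it is rejected here rather than returned as if it were the function.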