This is the mail archive of the gdb@sourceware.org mailing list for the GDB project.



Why won't gdb stop on packed (UPX) file breakpoint at entrypoint?


I am hoping someone can suggest a solution around this, because it
seems like it limits malware analysis on *nix systems where you want
to use gdb rather than some windows tool...

I wanted to see what UPX was doing for linux files, so I went and got
UPX v 3.02 (http://upx.sourceforge.net/#download). I compiled it, and
did
$ upx `which ps` -o UPXps
and got my UPXps which functions just fine as a normal ps command.
Then I did
$ readelf -a UPXps
ELF Header:
  Magic:   7f 45 4c 46 01 01 01 03 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - Linux
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
  Version:                           0x1
  Entry point address:               0xc07fd0
  Start of program headers:          52 (bytes into file)
  Start of section headers:          0 (bytes into file)
  Flags:                             0x0
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         2
  Size of section headers:           40 (bytes)
  Number of section headers:         0
  Section header string table index: 0
There are no sections in this file.
There are no sections in this file.
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00c01000 0x00c01000 0x077b8 0x077b8 R E 0x1000
  LOAD           0x000df4 0x08078df4 0x08078df4 0x00000 0x00000 RW  0x1000
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.

Next comes
$gdb ./UPXps
GNU gdb 6.4
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) b *0xc07fd0
Breakpoint 1 at 0xc07fd0
(gdb) r
Starting program: /home/user/ELF/upx-3.02-src/UPXps
warning: shared library handler failed to enable breakpoint
Failed to read a valid object file image from memory.
  PID TTY          TIME CMD
11524 pts/7    00:00:00 bash
17683 pts/7    00:00:00 gdb
17688 pts/7    00:00:00 UPXps
17690 pts/7    00:00:00 gdb
Program exited normally.

So my question is, is there any way to *force* gdb to just load the
program and just break at the entry point address?

Also, just for my own benefit, and those who google after me, on GDB
6.3 (which I have on another older VM) what does DSO stand for when it
says "Loading system supplied DSO at 0xc00000"?

Thanks

Gary Guy
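Added example, not part of the original message: a small Python parser that pulls the same facts out of an ELF32 header that readelf printed above (entry point, program headers, absence of a section table, absence of PT_INTERP/PT_DYNAMIC) and records them as triage notes before any debugger is attached. The byte string is constructed from the readelf values in the post; it contains only the headers, not the packed code, so it is not a runnable binary. The field names follow the ELF specification; the note texts and the `triage_notes`/`analyze` helpers are this example's own.

```python
import struct

# ELF constants used below (values from the ELF specification).
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little endian, 52 bytes
PHDR_FMT = "<8I"                  # Elf32_Phdr, 32 bytes
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry",
               "e_phoff", "e_shoff", "e_flags", "e_ehsize", "e_phentsize",
               "e_phnum", "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz",
               "p_memsz", "p_flags", "p_align")

# Constructed sample: the ELF header and two program headers of UPXps exactly
# as readelf reported them in the post. No code follows the headers.
SAMPLE = (
    struct.pack(
        EHDR_FMT,
        bytes.fromhex("7f454c46010101030000000000000000"),  # ELF32, LE, OS/ABI 3 = Linux
        2, 3, 1,          # e_type EXEC, e_machine Intel 80386, e_version 1
        0x00C07FD0,       # e_entry
        52, 0, 0,         # e_phoff, e_shoff (0: no section table), e_flags
        52, 32, 2,        # e_ehsize, e_phentsize, e_phnum
        40, 0, 0,         # e_shentsize, e_shnum, e_shstrndx
    )
    + struct.pack(PHDR_FMT, PT_LOAD, 0x000000, 0x00C01000, 0x00C01000,
                  0x077B8, 0x077B8, PF_R | PF_X, 0x1000)
    + struct.pack(PHDR_FMT, PT_LOAD, 0x000DF4, 0x08078DF4, 0x08078DF4,
                  0x00000, 0x00000, PF_R | PF_W, 0x1000)
)


def parse_elf32(data):
    """Return (header dict, list of program header dicts) for a little-endian ELF32 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 1 or data[5] != 1:
        raise ValueError("this example handles only little-endian ELF32")
    hdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))
    phdrs = []
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return hdr, phdrs


def entry_segment(hdr, phdrs):
    """The PT_LOAD segment whose memory range contains e_entry, or None."""
    for p in phdrs:
        if p["p_type"] == PT_LOAD and p["p_vaddr"] <= hdr["e_entry"] < p["p_vaddr"] + p["p_memsz"]:
            return p
    return None


def triage_notes(hdr, phdrs):
    """Observations worth recording before debugging; none alone proves packing."""
    notes = []
    if hdr["e_shnum"] == 0 or hdr["e_shoff"] == 0:
        notes.append("no section header table")
    if not any(p["p_type"] == PT_INTERP for p in phdrs):
        notes.append("no PT_INTERP: no dynamic loader runs before the entry point")
    if not any(p["p_type"] == PT_DYNAMIC for p in phdrs):
        notes.append("no PT_DYNAMIC: no dynamic section")
    seg = entry_segment(hdr, phdrs)
    if seg is None:
        notes.append("entry point outside every PT_LOAD segment")
    elif seg["p_flags"] & PF_W:
        notes.append("entry point in a writable segment")
    return notes


def analyze(data):
    """Parse the image and return (header, program headers, triage notes)."""
    hdr, phdrs = parse_elf32(data)
    return hdr, phdrs, triage_notes(hdr, phdrs)


if __name__ == "__main__":
    hdr, phdrs, notes = analyze(SAMPLE)
    print("entry point: 0x%x  (gdb: b *0x%x)" % (hdr["e_entry"], hdr["e_entry"]))
    for p in phdrs:
        print("  type=%d vaddr=0x%08x memsz=0x%05x flags=%d"
              % (p["p_type"], p["p_vaddr"], p["p_memsz"], p["p_flags"]))
    for n in notes:
        print("  note:", n)
```

For the sample, `e_entry` comes back as 0xc07fd0, inside the first (R E) LOAD segment, and the notes list the three things readelf also reported: no section table, no interpreter, no dynamic section. Run against a real file, read it with `open(path, "rb").read()` and pass the bytes to `analyze`.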

