I want to find the address of a string in memory. In this case, I'm looking for "/bin/sh". It's an initialized variable, so it's in the .data section and after compilation it has a fixed address. So what do I do in GDB to find out its memory address? And I do not know the name of the variable it's stored in.
You can use the command x (for "examine") to examine memory in any of several formats, independently of your program's data types.
The ptype [ARG] command will print the type.
x/d ADDRESS will print the value as an integer; x/i ADDRESS as an instruction; x/s ADDRESS as a string.
x/8xw ADDRESS will print 8 four-byte words in hexadecimal format.
Using info proc map sounds like a better approach to me.

(gdb) info proc map
process 930
Mapped address spaces:

          Start Addr           End Addr       Size     Offset objfile
            0x400000           0x401000     0x1000        0x0 /myapp
            0x600000           0x601000     0x1000        0x0 /myapp
            0x601000           0x602000     0x1000     0x1000 /myapp
      0x7ffff7a1c000     0x7ffff7bd2000   0x1b6000        0x0 /usr/lib64/libc-2.17.so
      0x7ffff7bd2000     0x7ffff7dd2000   0x200000   0x1b6000 /usr/lib64/libc-2.17.so
      0x7ffff7dd2000     0x7ffff7dd6000     0x4000   0x1b6000 /usr/lib64/libc-2.17.so
      0x7ffff7dd6000     0x7ffff7dd8000     0x2000   0x1ba000 /usr/lib64/libc-2.17.so
(gdb) find 0x7ffff7a1c000,0x7ffff7bd2000,"/bin/sh"
0x7ffff7b98489
1 pattern found.
(gdb) x /s 0x7ffff7b98489
0x7ffff7b98489: "/bin/sh"
(gdb) x /xg 0x7ffff7b98489
0x7ffff7b98489: 0x0068732f6e69622f
If you want to search the whole address space of the process, you need to get the memory mapping of your process and use the start address and the end address with the find command in gdb.

For instance, if cat /proc/$PID/maps shows that your process's virtual memory ranges from 0x08048000 to 0xc0000000, you can search as follows:

(gdb) find 0x08048000, 0xc0000000, "/bin/sh"

Another way to get the memory mapping of your process is to use gdb's built-in command:

(gdb) info proc map
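The two answers above (feeding find with addresses taken from info proc map or /proc/$PID/maps) leave one practical gap: gdb's find halts as soon as it reaches memory it cannot read ("Unable to access ... bytes of target memory"), so a single find over a whole range such as 0x08048000 to 0xc0000000 stops at the first unmapped page, and the 2 MiB gap between libc's text and data segments in the listing above is normally mapped without read permission. The helper below is an added example, not code from either answer: it parses /proc/<pid>/maps text, emits one find command per readable mapping, and translates a hit such as 0x7ffff7b98489 back into an objfile and file offset, which is what you need to locate the same string in the binary on disk regardless of where ASLR placed the library. The maps text is constructed from the addresses shown in the answer above (permissions and inode numbers are assumed), and the names parse_maps, find_commands and resolve are my own.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+\S+\s+\d+\s*(?P<path>.*)$"
)


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int  # file offset backing the first byte of the mapping
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    maps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                            m["perms"], int(m["offset"], 16),
                            m["path"].strip()))
    return maps


def find_commands(maps: List[Mapping], pattern: str) -> List[str]:
    """Emit one gdb 'find' per readable mapping.

    gdb's find aborts on the first unreadable byte, so searching the
    whole address space in one command fails at the first hole or
    PROT_NONE guard region; per-mapping searches avoid that.
    """
    escaped = pattern.replace("\\", "\\\\").replace('"', '\\"')
    return [f'find {m.start:#x}, {m.end:#x}, "{escaped}"'
            for m in maps if m.perms[0] == "r"]


def resolve(addr: int, maps: List[Mapping]) -> Optional[Tuple[str, int]]:
    """Map a runtime address to (objfile, file offset), or None if unmapped."""
    for m in maps:
        if m.start <= addr < m.end:
            return m.path, m.offset + (addr - m.start)
    return None


# Constructed sample in /proc/<pid>/maps format, built from the addresses
# in the answer above; permissions and inode numbers are assumed.
SAMPLE_MAPS = """
00400000-00401000 r-xp 00000000 08:01 131 /myapp
00600000-00601000 r--p 00000000 08:01 131 /myapp
00601000-00602000 rw-p 00001000 08:01 131 /myapp
7ffff7a1c000-7ffff7bd2000 r-xp 00000000 08:01 4242 /usr/lib64/libc-2.17.so
7ffff7bd2000-7ffff7dd2000 ---p 001b6000 08:01 4242 /usr/lib64/libc-2.17.so
7ffff7dd2000-7ffff7dd6000 r--p 001b6000 08:01 4242 /usr/lib64/libc-2.17.so
7ffff7dd6000-7ffff7dd8000 rw-p 001ba000 08:01 4242 /usr/lib64/libc-2.17.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    maps = parse_maps(SAMPLE_MAPS)
    for cmd in find_commands(maps, "/bin/sh"):
        print(cmd)
    # The hit reported in the answer above, resolved to libc's file offset.
    print(resolve(0x7ffff7b98489, maps))
```

Paste the printed find commands into gdb one at a time (or run them from a gdb script with gdb -x); the ---p libc gap is skipped, which is exactly the region that would have halted a single whole-range search. With a live process, replace SAMPLE_MAPS with open(f"/proc/{pid}/maps").read().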