How to find the address of a string in memory using GDB?

Question

I want to find the address of a string in memory. In this case, I'm looking for "/bin/sh". Its an initialized variable, so its in the .data section and after compilation, it has a fixed address. So what do I do in GDB to find out its memory address? And I do not know the name of the variable its stored in.

Answer 1

Using info proc map sounds like a better approach to me.

(gdb) info proc map process 930 Mapped address spaces:        Start Addr           End Addr       Size     Offset objfile         0x400000           0x401000     0x1000        0x0 /myapp         0x600000           0x601000     0x1000        0x0 /myapp         0x601000           0x602000     0x1000     0x1000 /myapp   0x7ffff7a1c000     0x7ffff7bd2000   0x1b6000        0x0 /usr/lib64/libc-2.17.so   0x7ffff7bd2000     0x7ffff7dd2000   0x200000   0x1b6000 /usr/lib64/libc-2.17.so   0x7ffff7dd2000     0x7ffff7dd6000     0x4000   0x1b6000 /usr/lib64/libc-2.17.so   0x7ffff7dd6000     0x7ffff7dd8000     0x2000   0x1ba000 /usr/lib64/libc-2.17.so  (gdb) find 0x7ffff7a1c000,0x7ffff7bd2000,"/bin/sh" 0x7ffff7b98489 1 pattern found. (gdb) x /s 0x7ffff7b98489 0x7ffff7b98489: "/bin/sh" (gdb) x /xg 0x7ffff7b98489 0x7ffff7b98489: 0x0068732f6e69622f 

Answer 2

If you want to search in the whole address space of the process, you need to get the memory mapping for your process and use the start address the end address with the find command in gdb.

for instance, if cat /proc/$PID/maps shows that your process's virtual memory ranges from 0x08048000 to 0xc0000000 you can search as follows:

(gdb) find 0x80048000, 0xc0000000, "/bin/sh"

Another way to get the memory mapping of your process is using the gdb's embedded command :

(gdb) info proc map