GDB: Listing all mapped memory regions for a crashed process

I've got a full-heap core dump from a dead process on an x86 Linux machine (kernel 2.6.35-22 if it matters), which I'm attempting to debug in GDB.

Is there a GDB command I can use that means "show me a list of all the memory address regions allocated by this process?" In other words, can I figure out what all the possible valid memory addresses are that I can examine in this dump?

The reason I ask is that I need to search across the entire process heap for a certain binary string, and in order to use the find command, I need to have a start and end address. Simply searching from 0x00 to 0xff.. doesn't work because find halts as soon as it encounters an address it can't access:

    (gdb) find /w 0x10000000, 0xff000000, 0x12345678
    warning: Unable to access target memory at 0x105ef883, halting search.

So I need to get a list of all the readable address regions in memory so I can search them one at a time.

(The reason I need to do that is I need to find all the structs in memory that point at a certain address.)

None of show mem, show proc, info mem, info proc seem to do what I need.


Solution 1:

In GDB 7.2:

    (gdb) help info proc
    Show /proc process information about any running process.
    Specify any process id, or use the program being debugged by default.
    Specify any of the following keywords for detailed info:
      mappings -- list of mapped memory regions.
      stat     -- list a bunch of random process info.
      status   -- list a different bunch of random process info.
      all      -- list all available /proc info.

You want info proc mappings, except it doesn't work when there is no /proc (such as during post-mortem debugging).

Try maintenance info sections instead.

Solution 2:

If you have the program and the core file, you can do the following steps.

1) Run gdb on the program along with the core file.

    $ gdb ./test core

2) Type info files and see what different segments there are in the core file.

    (gdb) info files

A sample output:

    (gdb) info files
    Symbols from "/home/emntech/debugging/test".
    Local core dump file:
        `/home/emntech/debugging/core', file type elf32-i386.
        0x0055f000 - 0x0055f000 is load1
        0x0057b000 - 0x0057c000 is load2
        0x0057c000 - 0x0057d000 is load3
        0x00746000 - 0x00747000 is load4
        0x00c86000 - 0x00c86000 is load5
        0x00de0000 - 0x00de0000 is load6
        0x00de1000 - 0x00de3000 is load7
        0x00de3000 - 0x00de4000 is load8
        0x00de4000 - 0x00de7000 is load9
        0x08048000 - 0x08048000 is load10
        0x08049000 - 0x0804a000 is load11
        0x0804a000 - 0x0804b000 is load12
        0xb77b9000 - 0xb77ba000 is load13
        0xb77cc000 - 0xb77ce000 is load14
        0xbf91d000 - 0xbf93f000 is load15

In my case I have 15 segments. Each segment has a start address and an end address. Choose any segment to search for data. For example, let's select load11 and search for a pattern. Load11 has start address 0x08049000 and ends at 0x804a000.

3) Search for a pattern in the segment.

    (gdb) find /w 0x08049000, 0x0804a000, 0x8048034
    0x804903c
    0x8049040
    2 patterns found

If you don't have the executable file, you need to use a program which prints the data of all segments of a core file. Then you can search for particular data at an address. I didn't find any such program, but you can use the program at the following link, which prints the data of all segments of a core or an executable file.

 http://emntech.com/programs/printseg.c
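
Added example, not part of either answer and not the linked printseg.c: the per-segment search done without GDB or the executable, by reading the PT_LOAD program headers of a 32-bit little-endian ELF core (the elf32-i386 type shown above) and scanning each dumped region for a 32-bit value. The function names and the small sample core are constructed for illustration.

```python
import struct

PT_LOAD = 1  # program-header type for a dumped memory region

def load_segments(core):
    """Return (vaddr, file_offset, filesz) for every PT_LOAD in an ELF32 LE core."""
    if core[:4] != b"\x7fELF" or core[4] != 1 or core[5] != 1:
        raise ValueError("expected a 32-bit little-endian ELF file")
    (e_phoff,) = struct.unpack_from("<I", core, 0x1C)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 0x2A)
    segs = []
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<5I", core, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs

def find_word(core, value):
    """Addresses of every occurrence of a 32-bit value, one segment at a time."""
    needle = struct.pack("<I", value)
    hits = []
    for vaddr, off, filesz in load_segments(core):
        # filesz == 0 means the region was mapped but not dumped (start == end
        # in the "info files" listing), so there is nothing to read.
        data = core[off:off + filesz]
        pos = data.find(needle)
        while pos != -1:
            hits.append(vaddr + pos)
            pos = data.find(needle, pos + 1)
    return hits

def make_sample_core():
    """Constructed two-segment core; the first segment is empty, like load10."""
    data = bytearray(0x48)
    struct.pack_into("<2I", data, 0x3C, 0x08048034, 0x08048034)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 4, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph1 = struct.pack("<8I", PT_LOAD, 116, 0x08048000, 0, 0, 0x1000, 5, 0x1000)
    ph2 = struct.pack("<8I", PT_LOAD, 116, 0x08049000, 0, len(data), 0x1000, 4, 0x1000)
    return ehdr + ph1 + ph2 + bytes(data)

if __name__ == "__main__":
    core = make_sample_core()  # for a real dump: open("core", "rb").read()
    for vaddr, _, filesz in load_segments(core):
        print("0x%08x - 0x%08x" % (vaddr, vaddr + filesz))
    print([hex(a) for a in find_word(core, 0x08048034)])
```

A value that straddles two adjacent segments is not reported, since each region is searched separately, the same way the one-segment-at-a-time find is.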