Following my question about manually creating a core dump file , I decided to dive into it and lost my hands.
I can build the basic structure of the core dump and return the dead program memory back to the main dump in the large LOAD section. When debugging in GDB, my variables are returned, no problem. Here's the hard part, how do I get GDB to get information about where the program was when it crashed.
I know that the core dump notes section contains this information (in particular, processor registers). Here is what objdump -h gives for a βrealβ kernel dump:
core.28339: file format elf32-i386 Sections: Idx Name Size VMA LMA File off Algn 0 note0 000001e8 00000000 00000000 000000f4 2**0 CONTENTS, READONLY 1 .reg/28339 00000044 00000000 00000000 00000150 2**2 CONTENTS 2 .reg 00000044 00000000 00000000 00000150 2**2 CONTENTS 3 .auxv 000000a0 00000000 00000000 0000023c 2**2 CONTENTS 4 load1a 00001000 08010000 00000000 00001000 2**12 CONTENTS, ALLOC, LOAD, READONLY, CODE .. other load sections ...
I realized due to the fact that these .reg sections contain data displayed from some structures:
Notes at offset 0x000000f4 with length 0x000001e8: Owner Data size Description CORE 0x00000090 NT_PRSTATUS (prstatus structure) CORE 0x0000007c NT_PRPSINFO (prpsinfo structure) CORE 0x000000a0 NT_AUXV (auxiliary vector)
Can someone give me directions on how the Notes section is structured? I tried writing these structures directly to my file, this did not work, and I obviously donβt see something here. I looked at the Google Coredumper code and took some snippets of it, but writing the comments section is not so simple and any detailed information that it exactly contains and its format is welcome.
Edit # 1: after 1st comment
I realized that the Elf file should be structured as follows:
- Elf header ElfW (Ehdr)
- Program headers (Ehdr.e_phnum times ElfW (Phdr)), here I mainly used one PT_NOTE and one PT_LOAD header.
- Sections of notes:
- Section Header (ElfW (Nhdr))
- Section Name (.n_namesz long)
- Section data (.n_descsz long)
- Program section containing all my program memory
Then I will need to put 3 notes records, one for prstatus, one for prpsinfo and one for the auxiliary vector.
This seems to be the right way, since readelf gives me a similar result, like what I got above with a real core dump.
Edit # 2: after getting the correct structure
Now I'm struggling with the various structures that make up notes.
Here is what I get when running eu-readelf --notes on my main dump:
Note segment of 540 bytes at offset 0x74: Owner Data size Type CORE 336 PRSTATUS CORE 136 PRPSINFO CORE 8 AUXV NULL
Here is what I get when I run the same command in a real core dump:
Note segment of 488 bytes at offset 0xf4: Owner Data size Type CORE 144 PRSTATUS info.si_signo: 11, info.si_code: 0, info.si_errno: 0, cursig: 11 sigpend: <> sighold: <> pid: 28339, ppid: 41446, pgrp: 28339, sid: 41446 utime: 0.000000, stime: 0.000000, cutime: 0.000000, cstime: 0.000000 orig_eax: -1, fpvalid: 0 ebx: -1 ecx: 0 edx: 0 esi: 0 edi: 0 ebp: 0xffb9fcbc eax: -1 eip: 0x08014b26 eflags: 0x00010286 esp: 0xffb9fcb4 ds: 0x002b es: 0x002b fs: 0x0000 gs: 0x0000 cs: 0x0023 ss: 0x002b CORE 124 PRPSINFO state: 0, sname: R, zomb: 0, nice: 0, flag: 0x00400400 uid: 9432, gid: 6246, pid: 28339, ppid: 41446, pgrp: 28339, sid: 41446 fname: pikeos_app, psargs: ./pikeos_app CORE 160 AUXV SYSINFO: 0xf7768420 SYSINFO_EHDR: 0xf7768000 HWCAP: 0xbfebfbff <fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe> PAGESZ: 4096 CLKTCK: 100 PHDR: 0x8010034 PHENT: 32 PHNUM: 2 BASE: 0 FLAGS: 0 ENTRY: 0x80100be UID: 9432 EUID: 9432 GID: 6246 EGID: 6246 SECURE: 0 RANDOM: 0xffb9ffab EXECFN: 0xffba1feb PLATFORM: 0xffb9ffbb NULL
Does anyone have any hints or explanations why my note notes are not being read correctly? I thought this might be due to incorrect offsets, but then why would the entries be correctly listed?
Thanks!