Virtual memory addresses: objdump vs /proc/pid/maps?

I am trying to understand exactly where the executable assembly of the program is executed when the program is loaded / running. I found two resources that talked about this, but they are somewhat difficult to read:

So here is a brief example; I am interested in where the executable section of the program `tail` ends up. Basically, objdump tells me this:

$ objdump -dj .text /usr/bin/tail | head -10

/usr/bin/tail:     file format elf32-i386
Disassembly of section .text:

08049100 <.text>:
 8049100:   31 ed                   xor    %ebp,%ebp
 8049102:   5e                      pop    %esi
 8049103:   89 e1                   mov    %esp,%ecx
...

, tail 'main()', . , , , 0x08049100; , .

I run tail in the background and note its pid:

$ /usr/bin/tail -f & echo $!
28803

... and then look at its /proc/pid/maps:

$ cat /proc/28803/maps
00547000-006a8000 r-xp 00000000 08:05 3506       /lib/i386-linux-gnu/libc-2.13.so
...
008c6000-008c7000 r-xp 00000000 00:00 0          [vdso]
08048000-08054000 r-xp 00000000 08:05 131469     /usr/bin/tail
08054000-08055000 r--p 0000b000 08:05 131469     /usr/bin/tail
08055000-08056000 rw-p 0000c000 08:05 131469     /usr/bin/tail
08af1000-08b12000 rw-p 00000000 00:00 0          [heap]
b76de000-b78de000 r--p 00000000 08:05 139793     /usr/lib/locale/locale-archive
...
bf845000-bf866000 rw-p 00000000 00:00 0          [stack]

tail , r-xp ( .text?), -, 0x08048000 (, , -, SYSV x86, . : Gustavo Duarte )

gnuplot script , :

mem-gp.png

( ) " " objdump ( 0x0); "VMA" ( ) objdump, /proc/pid/maps - 0x08048000; .

, , - " " VMA ( ); ( .text) 0x08048000.

, , , , .text " " 0x08048000 - !

, , - , - ( ): (, , 4096 ), . , , , , "" ( , ?)

, - , /proc/pid/maps .text objdump?


mem.gp gnuplot script:

#!/usr/bin/env gnuplot
# Draws three stacked panels for one executable: the section file offsets and
# the section VMAs reported by `objdump -h`, and the memory regions listed in
# /proc/<pid>/maps for a running instance of that executable.
#
# NOTE(review): `exec` and `pid` are concatenated unquoted into shell command
# lines below. That is fine for the hard-coded values used here; if they are
# ever taken from elsewhere, validate or quote them before building commands.

# Interactive wxt window, 800x500 pixels.
set term wxt size 800,500

# Path of the binary to inspect.
exec = "/usr/bin/tail" ;

# cannot do - apparently gnuplot waits for children to exit, so locks here:
#runcmd = "bash -c '" . exec . " -f & echo $!'"
#print runcmd
#pid = system(runcmd) ;
#print runcmd, "pid", pid

# run tail -f & echo $! in another shell; then enter pid here:
pid = 28803

# The leading "<" in each string makes gnuplot read its data from the output
# of the shell command instead of from a file.
#
# cmdvma / cmdfo: keep only the `objdump -h` rows whose first field is a
# section index (all digits), drop .gnu_debuglink, and print
#   Idx, Name, Size, and either VMA ($4) or File off ($6),
# with "0X" prepended to the hex fields.
# $1 Idx $2 Name $3 Size $4 VMA $5 LMA $6 File off
cmdvma = "<objdump -h ".exec." | awk '$1 ~ \"^[0-9]+$\" && $2 !~ \".gnu_debuglink\" {print $1, $2, \"0X\"$3, \"0X\"$4;}'" ;
cmdfo = "<objdump -h ".exec." | awk '$1 ~ \"^[0-9]+$\" && $2 !~ \".gnu_debuglink\" {print $1, $2, \"0X\"$3, \"0X\"$6;}'" ;
# cmdmaps: for every line of /proc/<pid>/maps, split the "start-end" range
# and print: line number, quoted pathname ($6), region size (end - start),
# and start address. strtonum() is a gawk extension, so this needs gawk.
cmdmaps = "<cat /proc/".pid."/maps | awk '{split($1,a,\"-\");b1=strtonum(\"0x\"a[1]);b2=strtonum(\"0x\"a[2]);printf(\"%d \\\"%s\\\" 0x%08X 0x%08X\\n\",  NR,$6,b2-b1,b1);}'"

# Echo the generated command lines so they can be checked or run by hand.
print cmdvma
print cmdfo
print cmdmaps

# X axis shows addresses as 8-digit hex; the y axis carries no information,
# so its tics and the palette colour box are hidden.
set format x "0x%08X" # "%016X";
set xtics rotate by -45 font ",7";
unset ytics
unset colorbox
set cbrange [0:25]
set yrange [0.5:1.5]

# NOTE(review): no @macro substitution appears in the script as shown.
set macros

# Three panels stacked vertically in one window.
set multiplot layout 3,1 columnsfirst

# Panel 1 (file offsets) starts at 0 and spans the same width as the address
# range used for the other two panels.
# 0x08056000-0x08048000 = 0xe000
set xrange [0:0xe000]

set tmargin at screen 1
set bmargin at screen 0.667+0.1

# xerrorbars columns: x = start, y = 1 plus a small per-row offset ($0 is the
# row number), xlow = start, xhigh = start + size; the last column ($0)
# selects the palette colour. The second plot puts the section name at the
# start address.
plot \
  cmdfo using 4:(1+$0*0.01):4:($4+$3):0 with xerrorbars lc palette t "File off", \
  cmdfo using 4:(1):2 with labels font ",6" left rotate by -45 t ""

# Hard-coded to the /usr/bin/tail mappings 08048000-08056000 of this one
# process; another binary or a different load address needs a different range.
set xrange [0x08048000:0x08056000]

set tmargin at screen 0.667
set bmargin at screen 0.333+0.1

# Panel 2: same drawing, using the section VMAs from objdump.
plot \
  cmdvma using 4:(1+$0*0.01):4:($4+$3):0 with xerrorbars lc palette t "VMA", \
  cmdvma using 4:(1):2 with labels font ",6" left rotate by -45 t ""

set tmargin at screen 0.333
set bmargin at screen 0+0.1

# Panel 3: the regions from /proc/<pid>/maps; only those inside the xrange
# set above are visible.
plot \
  cmdmaps using 4:(1+$0*0.01):4:($4+$3):0 with xerrorbars lc palette t "/proc/pid/maps" , \
  cmdmaps using 4:(1):2 with labels font ",6" left rotate by -45 t ""


unset multiplot

# Disabled cleanup. NOTE(review): killall selects processes by name, not by
# PID; `kill` is the command that takes a PID.
#system("killall -9 " . pid) ;

The answer is in the ELF program headers of type PT_LOAD.

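PT_LOAD - The array element specifies a loadable segment, described by p_filesz and p_memsz. The bytes from the file are mapped to the beginning of the memory segment. If the segment's memory size (p_memsz) is larger than the file size (p_filesz), the ``extra'' bytes are defined to hold the value 0 and to follow the segment's initialized area. The file size may not be larger than the memory size. Loadable segment entries in the program header table appear in ascending order, sorted on the p_vaddr member.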

For example, on CentOS 6.4:

objdump -x `which tail`

Program Header:
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x0000e4d4 memsz 0x0000e4d4 flags r-x
    LOAD off    0x0000e4d4 vaddr 0x080574d4 paddr 0x080574d4 align 2**12
         filesz 0x000003b8 memsz 0x0000054c flags rw-

/proc/pid/maps:

cat /proc/2671/maps | grep `which tail`
08048000-08057000 r-xp 00000000 fd:00 133669     /usr/bin/tail
08057000-08058000 rw-p 0000e000 fd:00 133669     /usr/bin/tail

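As the objdump output shows, the segment boundaries in the program headers are not page-aligned, whereas the memory mappings are. The first segment starts at 0x08048000 with size 0x0000e4d4, so it would run from 0x08048000 to 0x080564d4, but the alignment is 2^12 bytes. Rounding up to the page boundary gives 0x8057000, which matches /proc/pid/maps. Likewise, the second segment, taken from 0x8057000 with size 0x0000054c (ending at 0x805754c), is rounded up to 0x8058000, which matches /proc/pid/maps.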


@KerrekSB, ELF readelf objdump - Linux , , ( , - ).

, , 08048000-08054000 r-xp 00000000 08:05 131469 /usr/bin/tail /proc/pid/maps .text; , , (PHT), readelf. tail:

$ readelf -l /usr/bin/tail 

Elf file type is EXEC (Executable file)
Entry point 0x8049100
There are 9 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
[00]  PHDR           0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4
[01]  INTERP         0x000154 0x08048154 0x08048154 0x00013 0x00013 R   0x1
        [Requesting program interpreter: /lib/ld-linux.so.2]
[02]  LOAD           0x000000 0x08048000 0x08048000 0x0b9e8 0x0b9e8 R E 0x1000
[03]  LOAD           0x00bf10 0x08054f10 0x08054f10 0x00220 0x003f0 RW  0x1000
[04]  DYNAMIC        0x00bf24 0x08054f24 0x08054f24 0x000c8 0x000c8 RW  0x4
[05]  NOTE           0x000168 0x08048168 0x08048168 0x00044 0x00044 R   0x4
[06]  GNU_EH_FRAME   0x00b918 0x08053918 0x08053918 0x00024 0x00024 R   0x4
[07]  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
[08]  GNU_RELRO      0x00bf10 0x08054f10 0x08054f10 0x000f0 0x000f0 R   0x1

 Section to Segment mapping:
  Segment Sections...
   00     
   01     .interp 
   02     .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 
   03     .ctors .dtors .jcr .dynamic .got .got.plt .data .bss 
   04     .dynamic 
   05     .note.ABI-tag .note.gnu.build-id 
   06     .eh_frame_hdr 
   07     
   08     .ctors .dtors .jcr .dynamic .got 

[0x] " :" ; Section to Segment mapping: . : " ,... LOAD: ." Offset " , ​​ ." FileSiz " , . ( ELF...)"

So, objdump says:

08049100 <.text>:

... that the .text section starts at 0x08049100.

readelf says:

[02]  LOAD           0x000000 0x08048000 0x08048000 0x0b9e8 0x0b9e8 R E 0x1000

... that the segment / program header [02] starts at 0x08048000; the R E flags mark it as readable and executable.

, readelf :

02     .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame

... , / [02] - , .text; objdump, .text 0x08048000.

, /proc/pid/maps :

08048000-08054000 r-xp 00000000 08:05 131469     /usr/bin/tail

... (r-xp) 0x08048000 - , "", , - ( objdump); "/", readelf ( , / [02], ).

, , (, , - , :))
