[dtrace-discuss] Tracing user-land memory buffers
Jim Fiori
jim.fiori at sun.com
Tue Aug 1 15:44:33 PDT 2006
Nicolas Williams wrote:
> So, suppose I'm trying to dump data in a user-land process and have no
> opportunity to catch that data in a system call (e.g., write(2)).
>
> Specifically I'm trying to dump a DER-encoded Kerberos V 'Authenticator'
> before/after it is encrypted/decrypted.
>
> I know where to find this data. E.g., it's output through a krb5_data
> ** argument to encode_krb5_authenticator().
>
> typedef struct _krb5_data {
>     krb5_magic magic;
>     unsigned int length;
>     char *data;
> } krb5_data;
>
>
> I can save the krb5_data ** value in arg1 on entry to
> encode_krb5_authenticator(). But what do I do when that returns to
> actually follow all the pointer values to get at the buffer pointed to by
> the data field of the krb5_data?
>
> And once I have done a copyinto(), how do I hexdump the buffer?
>
> This, and various variants I've been trying, don't work:
>
> pid$target::encode_krb5_authenticator:entry
> {
>     trace(1); self->trace_asn1_eui = 1;
>     self->codepp = (krb5_data **)arg1;
> }
>
> pid$target::encode_krb5_authenticator:return

Nicolas,

You want a predicate here:

    /self->trace_asn1_eui/

But that's not the problem...

> {
>     trace(0); self->trace_asn1_eui = 0;
>     this->codep = (krb5_data *)copyin((uintptr_t)self->codepp, 4);

OK, so now you have a ptr to a krb5_data (assuming the app is 32-bit). Simply "teach"
DTrace what a krb5_data is by #including the proper header files and using the -C
option, or cut-and-paste the structure definition into your script. Then reference
the 'data' element to perform a tracemem() from:

    tracemem (copyin (this->codep->data, 100), 100);

or however many bytes you want to dump.

Jim

>     this->buf = (char *)copyin((uintptr_t)this->codep+2, 4);
>     /* We've only done one dereference... */
>     printf("The authenticator is at krb5_data ** %p, krb5_data * %p\n",
>         self->codepp, this->codep);
> }
>
>
> Nico
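
The full pointer chase discussed in this thread, written out as an added example (it is not code from either message): copyin() returns a scratch copy of user memory, so each of the three levels (krb5_data **, krb5_data *, data) gets its own copyin(). Assumptions: the target is a 32-bit process, krb5_magic is a 32-bit integer, and 256 bytes is an arbitrary dump size; krb5_data32_t is a hypothetical fixed-width mirror of krb5_data so the layout does not depend on the kernel's pointer size.

```dtrace
#!/usr/sbin/dtrace -s
/* Added example; run with -p <pid> or -c <cmd>. Assumes a 32-bit target. */

/* Hypothetical fixed-width mirror of krb5_data as laid out in a 32-bit process. */
typedef struct krb5_data32 {
	int32_t  magic;		/* krb5_magic, assumed to be a 32-bit integer */
	uint32_t length;
	uint32_t data;		/* char *, a 4-byte user address */
} krb5_data32_t;

pid$target::encode_krb5_authenticator:entry
{
	/* User address of the krb5_data ** output argument. */
	self->codepp = (uintptr_t)arg1;
}

/* Level 1: read the krb5_data * that the function stored through arg1. */
pid$target::encode_krb5_authenticator:return
/self->codepp != 0/
{
	this->codep = *(uint32_t *)copyin(self->codepp, sizeof (uint32_t));
}

/* Levels 2 and 3: copy the struct, then the buffer its data field points to. */
pid$target::encode_krb5_authenticator:return
/self->codepp != 0 && this->codep != 0/
{
	this->kd = (krb5_data32_t *)copyin(this->codep, sizeof (krb5_data32_t));
	this->len = this->kd->length;
	this->datap = this->kd->data;
	printf("krb5_data ** 0x%x, krb5_data * 0x%x, data 0x%x, length %u\n",
	    self->codepp, this->codep, this->datap, this->len);
	/* tracemem() needs a constant size; only the first `length` bytes are DER. */
	tracemem(copyin(this->datap, 256), 256);
}

/* Always clear the thread-local so a later return cannot reuse a stale address. */
pid$target::encode_krb5_authenticator:return
{
	self->codepp = 0;
}
```

The clauses for the return probe run in the order written, so the clause-local this->codep set in the first is visible to the second.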