Hacker Bits, Issue 11

More documents

Recommendations

Info

I am fascinated by the debuggers. I love them so much that I wrote a small and very basic debugger as one of my projects recently. In this post I am going to write down what I’ve learned about how can a debugger set a breakpoint.. This post can be divided into these following sections. 1. What’s a breakpoint? 2. What’s a debugger? 3. What does the debugger need to do to set a breakpoint? 4. How can the debugger make the debuggee process halt? What’s a breakpoint? A breakpoint makes your program stop whenever a certain point in the program is reached. What’s a debugger? You can consider your debugger to be a program which forks() to create a child process and then calls execl() to load the process we want to debug. I used execl() in my code, but any of the system calls from the exec family of functions can be used. The debugger process And here’s the run_child() function which calls the execl() with the debuggee process’s executable name and path. We see a call to ptrace() in run_child() function before calling execl(). Let’s, for the moment, not go into what ptrace() is, even though it’s very important to understand how does a debugger work. We will eventually come to it. Now we have two processes running:
1. The debugger as the parent process. 2. And the debugee as the child process. Let’s now try to think abstractly in a sort of hand-wavy manner what does a debugger need to do to set a breakpoint in the child process. The debugger needs the child process to stop where the breakpoint has been set. But how? What does the debugger need to do to set a breakpoint? Let’s examine the phrase “setting a breakpoint” a little closely. We say a process is running when the instructions of the process are being executed by the processor. Where are those instructions located? In the text/code section of the process’s virtual memory. By setting a breakpoint we expect the debuggee process to halt at a certain point. Which means that we expect the debuggee process to stop just before executing some instruction. What can that instruction be? Well, if the user has set a breakpoint at the beginning of a function, it’s the first instruction at the start of the function. If the user has set a breakpoint at some line number in some file, the instruction is the first instruction in the series of instructions that correspond to that line. Therefore the debugger needs to make the process halt right before executing that instruction. In my project, I chose the instruction underlined in the following screenshot. How can the debugger make the debuggee process halt right before executing a particular instruction? The debugger replaces the instruction (at least part of the instruction) at the start of the debuggee process with an instruction that generates a software interrupt. Hence, when this modified instruction is executed by the processor, the SIGTRAP signal is delivered and that is all that is needed to make the process stop. I have skipped a lot of details here, but we will discover them as we go. But let’s first discover how does the debugger modify an instruction? The instructions reside at the process’s text section which is mapped to the virtual memory when a process is loaded. Hence to modify the instruction the debugger needs to know the address of that instruction. hacker bits 43
Page 1 and 2: hacker bits Issue 11
Page 3 and 4: content bits Issue 11 06 10 33 What
Page 5 and 6: Henrique Bucher Henrique owns Vitor
Page 7 and 8: This is something I’ve personally
Page 9 and 10: Code cannot easily be undone, both
Page 11 and 12: One of the more embarrassing and se
Page 13 and 14: note: Inbox When Ready hides your i
Page 15 and 16: One Friday afternoon, early in my c
Page 17 and 18: Over the last few years, static typ
Page 19 and 20: • Static types highlight bad inte
Page 21 and 22: Run mypy in continuous integration.
Page 23 and 24: down files/directories that reach 1
Page 25 and 26: Programming "database plan" by tec_
Page 27 and 28: Naming conventions General • Ensu
Page 29 and 30: Although not exhaustive always incl
Page 31 and 32: available in older versions of the
Page 33 and 34: Programming Reflections of an "old"
Page 35 and 36: I still use in 2026 (long live SQL!
Page 37 and 38: Programming The programmer's guide
Page 39 and 40: Reducing overhead Chances are that
Page 41: Programming How breakpoints are set
Page 45 and 46: The default behaviour of SIGTRAP is
Page 47 and 48: Programming Why I don't spend time
Page 49 and 50: sonal experience, by no reputable p
Page 51 and 52: Programming Books programmers don't
Page 53 and 54: ysis, syntax analysis, type checkin

Hacker Bits, Issue 11

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?