Saw an interesting post today: dumping an unpacked kernel module to recover the .ko

Created: 2025-12-04


Examining the serverspeeder kernel module

❯ md5sum appex_module.ko
9468bf5d8c059565cc971cdd974c4911 appex_module.ko

❯ md5sum appex_module.bin
9468bf5d8c059565cc971cdd974c4911 appex_module.bin

```
yum install -y python3-devel

pip3 install git+https://github.com/marin-m/vmlinux-to-elf

[root@localhost ~]# vmlinux-to-elf /usr/lib/debug/lib/modules/3.10.0-229.1.2.el7.x86_64/vmlinux vmlinux.elf
[+] Version string: Linux version 3.10.0-229.1.2.el7.x86_64 ([email protected]) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Fri Mar 27 03:04:26 UTC 2015
[+] Guessed architecture: x86_64 successfully in 3.01 seconds
[+] Found kallsyms_token_table at file offset 0x00a13598
[+] Found kallsyms_token_index at file offset 0x00a13928
[+] Found kallsyms_markers at file offset 0x00a12d08
[+] Found kallsyms_names at file offset 0x00946478 (69961 symbols)
[+] Found kallsyms_num_syms at file offset 0x00946470
[i] Null addresses overall: 0.00285874 %
[+] Found kallsyms_addresses at file offset 0x008bda28
[+] Successfully wrote the new ELF kernel to vmlinux.elf

cd /serverspeeder/bin
bin="acce-3.10.61.12-[CentOS_3.10.0-229.1.2.el7.x86_64]"
gdb -q "./$bin"

# The commands below are entered at the (gdb) prompt.

# 1) If the program forks (many installers of this kind do), follow the child process first
set follow-fork-mode child
set detach-on-fork off

# 2) Set a catchpoint on the syscall
catch syscall init_module

# 3) Run the program directly (use run, not start)
run
# You should see something like the following
# Starting program: /serverspeeder/bin/./acce-3.10.61.12-[CentOS_3.10.0-229.1.2.el7.x86_64]
# (license 7603574CEB4C8210d3fb605d)
# Catchpoint 1 (call to syscall init_module), 0x00000000004b2f3a in ?? ()

# init_module(module_image, len, param_values): on x86-64 the three arguments are in rdi, rsi, rdx
info registers rdi rsi rdx
# You should see:
# rdi = 0x0000000000403000 (or whatever address you saw in strace, e.g. 0x403000)
# rsi = 439240 (length)
# rdx points to the string "engineId=0 cpuId=0 cpuMaskNum=1"

# Once you have confirmed this is the init_module call, dump the image as follows:
# Define the start and end addresses
set $addr = (void*)$rdi
set $len = $rsi
set $end = $addr + $len

# Write that range to a file in the current directory
dump memory appex_module.bin $addr $end
# Then quit gdb:
quit
```

Checking the dumped file

```
[root@localhost bin]# file appex_module.bin
appex_module.bin: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), BuildID[sha1]=4198d57426226e1e8e03ec63c34e0188b8cebdab, not stripped
[root@localhost bin]#
[root@localhost bin]# readelf -h appex_module.bin
ELF Header:
  Magic:   7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF64
  Data:                              2's complement, little endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              REL (Relocatable file)
  Machine:                           Advanced Micro Devices X86-64
  Version:                           0x1
  Entry point address:               0x0
  Start of program headers:          0 (bytes into file)
  Start of section headers:          305040 (bytes into file)
  Flags:                             0x0
  Size of this header:               64 (bytes)
  Size of program headers:           0 (bytes)
  Number of program headers:         0
  Size of section headers:           64 (bytes)
  Number of section headers:         37
  Section header string table index: 34
[root@localhost bin]#
[root@localhost bin]# readelf -S appex_module.bin | head -40
There are 37 section headers, starting at offset 0x4a790:

Section Headers:
  [Nr] Name              Type             Address           Offset
       Size              EntSize          Flags  Link  Info  Align
  [ 0]                   NULL             0000000000000000  00000000
       0000000000000000  0000000000000000           0     0     0
  [ 1] .note.gnu.build-i NOTE             0000000000000000  00000040
       0000000000000024  0000000000000000   A       0     0     4
  [ 2] .text             PROGBITS         0000000000000000  00000070
       0000000000040c2b  0000000000000000  AX       0     0     16
  [ 3] .rela.text        RELA             0000000000000000  00051448
       00000000000157f8  0000000000000018          35     2     8
  [ 4] .text.unlikely    PROGBITS         0000000000000000  00040c9b
       000000000000158e  0000000000000000  AX       0     0     1
  [ 5] .rela.text.unlike RELA             0000000000000000  00066c40
       00000000000002b8  0000000000000018          35     4     8
  [ 6] .altinstr_replace PROGBITS         0000000000000000  00042229
       0000000000000006  0000000000000000  AX       0     0     1
  [ 7] .init.text        PROGBITS         0000000000000000  0004222f
       00000000000004d2  0000000000000000  AX       0     0     1
  [ 8] .rela.init.text   RELA             0000000000000000  00066ef8
       00000000000006f0  0000000000000018          35     7     8
  [ 9] .rodata           PROGBITS         0000000000000000  00042720
       0000000000002620  0000000000000000   A       0     0     32
  [10] .rela.rodata      RELA             0000000000000000  000675e8
       0000000000001020  0000000000000018          35     9     8
  [11] __mcount_loc      PROGBITS         0000000000000000  00044d40
       0000000000000a78  0000000000000000   A       0     0     8
  [12] .rela__mcount_loc RELA             0000000000000000  00068608
       0000000000001f68  0000000000000018          35    11     8
  [13] .rodata.str1.1    PROGBITS         0000000000000000  000457b8
       00000000000014f9  0000000000000001 AMS       0     0     1
  [14] .rodata.str1.8    PROGBITS         0000000000000000  00046cb8
       0000000000000c59  0000000000000001 AMS       0     0     8
  [15] .smp_locks        PROGBITS         0000000000000000  00047914
       0000000000000128  0000000000000000   A       0     0     4
  [16] .rela.smp_locks   RELA             0000000000000000  0006a570
       00000000000006f0  0000000000000018          35    15     8
  [17] .modinfo          PROGBITS         0000000000000000  00047a3c
```
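The `file` and `readelf -h` output confirms the ELF header, but not that the length taken from `rsi` covers the whole image: in this module the `.rela.*` sections sit after the section header table, so a short dump can still show a valid header. The following is an added example, not part of the original post, that checks a dumped image for completeness and extracts `.modinfo`; the function names and the small constructed sample image are assumptions made for illustration.

```python
import struct

ET_REL, SHT_NOBITS = 1, 8

def check_module_image(data):
    """Check that `data` is an ELF64 LE relocatable object and that the section
    header table and every section body fit inside it (a short dump fails)."""
    if len(data) < 64 or data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 58)
    if shentsize != 64:
        raise ValueError("unexpected section header size")
    needed = e_shoff + shentsize * shnum       # end of the section header table
    result = {"relocatable": e_type == ET_REL, "sections": {}}
    if needed <= len(data):
        hdrs = [struct.unpack_from("<IIQQQQ", data, e_shoff + i * 64)
                for i in range(shnum)]
        for _name, typ, _flags, _addr, off, size in hdrs:
            if typ != SHT_NOBITS:              # NOBITS (.bss) has no file bytes
                needed = max(needed, off + size)
        if needed <= len(data) and shstrndx < shnum:
            stroff, strsize = hdrs[shstrndx][4:6]
            strtab = data[stroff:stroff + strsize]
            for name, _typ, _flags, _addr, off, size in hdrs:
                label = strtab[name:strtab.find(b"\0", name)].decode("ascii", "replace")
                result["sections"][label] = (off, size)
    result["needed"] = needed                  # minimum valid dump length
    result["complete"] = needed <= len(data)
    return result

def modinfo_fields(data, result):
    """Split .modinfo into its NUL-separated key=value strings."""
    off, size = result["sections"][".modinfo"]
    blob = data[off:off + size]
    return [s.decode("ascii", "replace") for s in blob.split(b"\0") if s]

def build_sample():
    """Constructed sample: a tiny ET_REL image with .modinfo and .shstrtab."""
    modinfo = b"license=AppEx\0author=AppEx Networks\0"
    strtab = b"\0.modinfo\0.shstrtab\0"
    shoff = 64 + len(modinfo) + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_REL, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 2)
    def shdr(name, typ, off, size):
        return struct.pack("<IIQQQQIIQQ", name, typ, 0, 0, off, size, 0, 0, 1, 0)
    return (ehdr + modinfo + strtab + shdr(0, 0, 0, 0) + shdr(1, 1, 64, len(modinfo))
            + shdr(10, 3, 64 + len(modinfo), len(strtab)))
```

On a real dump, read the file with `open("appex_module.bin", "rb").read()` and compare `needed` with the file size; bytes beyond `needed` are trailing data outside any section.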

Final confirmation

```
[root@localhost bin]# modinfo appex_module.ko
filename:       /serverspeeder/bin/appex_module.ko
author:         AppEx Networks
license:        AppEx
rhelversion:    7.1
srcversion:     533BB7E5866E52F63B9ACCB
depends:
vermagic:       3.10.0-229.1.2.el7.x86_64 SMP mod_unload modversions
parm:           packetPoolSizeKP:uint
parm:           pmtuTimeoutMS:uint
parm:           shortRttMS:uint
parm:           engineId:int
parm:           cpuId:int
parm:           cpuMaskNum:int
parm:           gApxPcapMaxBufLen:int
parm:           gApxTraceMaxBufLen:int
parm:           gApxTraceFileLen:ulong
parm:           uapiUid:uint
parm:           uapiGid:uint
parm:           uapiPerm:uint
```