linux如何分析系统的堆栈,Linux内核分析:操作系统是如何工作的?
函數調用堆棧
堆棧是C語言程序運行時必須的一個記錄調用路徑和參數的空間
堆棧的幾個重要功能
函數調用框架
傳遞參數
保存返回地址
提供局部變量空間
等等
C語言編譯器對堆棧的使用有一套的規則
了解堆棧存在的目的和編譯器對堆棧使用的規則是理解操作系統一些關鍵性代碼的基礎
堆棧相關的寄存器
esp
ebp
相關操作
push 棧頂地址減少4個字節(32位)
pop 棧頂地址增加4個字節(32位)
32位模式下段寄存器出入棧都是用4個字節
ebp在C語言中用作記錄當前函數調用的基址
其他關鍵寄存器
cs:eip 總是指向下一條的指令地址
call xxx
1. push cs:eip
2. 將xxx指向cs:eip
3. enter xxx
pushl %ebp
movl %esp, %ebp
do something
4. leave xxx
movl %ebp, %esp
popl %ebp
ret
一個例子
// test.c
#include
void p1(char c)
{
printf("%c\n", c);
}
int p2(int x, int y)
{
return x + y;
}
int main(void)
{
char c = 'a';
int x, y, z;
x = 1;
y = 2;
p1(c);
z = p2(x, y);
printf("%d=%d+%d\n", z, x, y);
}
編譯
gcc -g -m32 -o test.o test.c
獲得反匯編文件
objdump -S test.o
test.c完整的反匯編代碼
test.o: 文件格式 elf32-i386
Disassembly of section .init:
080482b4 <_init>:
80482b4: 53 push %ebx
80482b5: 83 ec 08 sub $0x8,%esp
80482b8: e8 93 00 00 00 call 8048350 <__x86.get_pc_thunk.bx>
80482bd: 81 c3 43 1d 00 00 add $0x1d43,%ebx
80482c3: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax
80482c9: 85 c0 test %eax,%eax
80482cb: 74 05 je 80482d2 <_init>
80482cd: e8 2e 00 00 00 call 8048300 <__gmon_start__>
80482d2: 83 c4 08 add $0x8,%esp
80482d5: 5b pop %ebx
80482d6: c3 ret
Disassembly of section .plt:
080482e0 :
80482e0: ff 35 04 a0 04 08 pushl 0x804a004
80482e6: ff 25 08 a0 04 08 jmp *0x804a008
80482ec: 00 00 add %al,(%eax)
...
080482f0 :
80482f0: ff 25 0c a0 04 08 jmp *0x804a00c
80482f6: 68 00 00 00 00 push $0x0
80482fb: e9 e0 ff ff ff jmp 80482e0 <_init>
08048300 <__gmon_start__>:
8048300: ff 25 10 a0 04 08 jmp *0x804a010
8048306: 68 08 00 00 00 push $0x8
804830b: e9 d0 ff ff ff jmp 80482e0 <_init>
08048310 <__libc_start_main>:
8048310: ff 25 14 a0 04 08 jmp *0x804a014
8048316: 68 10 00 00 00 push $0x10
804831b: e9 c0 ff ff ff jmp 80482e0 <_init>
Disassembly of section .text:
08048320 <_start>:
8048320: 31 ed xor %ebp,%ebp
8048322: 5e pop %esi
8048323: 89 e1 mov %esp,%ecx
8048325: 83 e4 f0 and $0xfffffff0,%esp
8048328: 50 push %eax
8048329: 54 push %esp
804832a: 52 push %edx
804832b: 68 30 85 04 08 push $0x8048530
8048330: 68 c0 84 04 08 push $0x80484c0
8048335: 51 push %ecx
8048336: 56 push %esi
8048337: 68 4c 84 04 08 push $0x804844c
804833c: e8 cf ff ff ff call 8048310 <__libc_start_main>
8048341: f4 hlt
8048342: 66 90 xchg %ax,%ax
8048344: 66 90 xchg %ax,%ax
8048346: 66 90 xchg %ax,%ax
8048348: 66 90 xchg %ax,%ax
804834a: 66 90 xchg %ax,%ax
804834c: 66 90 xchg %ax,%ax
804834e: 66 90 xchg %ax,%ax
08048350 <__x86.get_pc_thunk.bx>:
8048350: 8b 1c 24 mov (%esp),%ebx
8048353: c3 ret
8048354: 66 90 xchg %ax,%ax
8048356: 66 90 xchg %ax,%ax
8048358: 66 90 xchg %ax,%ax
804835a: 66 90 xchg %ax,%ax
804835c: 66 90 xchg %ax,%ax
804835e: 66 90 xchg %ax,%ax
08048360 :
8048360: b8 23 a0 04 08 mov $0x804a023,%eax
8048365: 2d 20 a0 04 08 sub $0x804a020,%eax
804836a: 83 f8 06 cmp $0x6,%eax
804836d: 77 01 ja 8048370
804836f: c3 ret
8048370: b8 00 00 00 00 mov $0x0,%eax
8048375: 85 c0 test %eax,%eax
8048377: 74 f6 je 804836f
8048379: 55 push %ebp
804837a: 89 e5 mov %esp,%ebp
804837c: 83 ec 18 sub $0x18,%esp
804837f: c7 04 24 20 a0 04 08 movl $0x804a020,(%esp)
8048386: ff d0 call *%eax
8048388: c9 leave
8048389: c3 ret
804838a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
08048390 :
8048390: b8 20 a0 04 08 mov $0x804a020,%eax
8048395: 2d 20 a0 04 08 sub $0x804a020,%eax
804839a: c1 f8 02 sar $0x2,%eax
804839d: 89 c2 mov %eax,%edx
804839f: c1 ea 1f shr $0x1f,%edx
80483a2: 01 d0 add %edx,%eax
80483a4: d1 f8 sar %eax
80483a6: 75 01 jne 80483a9
80483a8: c3 ret
80483a9: ba 00 00 00 00 mov $0x0,%edx
80483ae: 85 d2 test %edx,%edx
80483b0: 74 f6 je 80483a8
80483b2: 55 push %ebp
80483b3: 89 e5 mov %esp,%ebp
80483b5: 83 ec 18 sub $0x18,%esp
80483b8: 89 44 24 04 mov %eax,0x4(%esp)
80483bc: c7 04 24 20 a0 04 08 movl $0x804a020,(%esp)
80483c3: ff d2 call *%edx
80483c5: c9 leave
80483c6: c3 ret
80483c7: 89 f6 mov %esi,%esi
80483c9: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi
080483d0 <__do_global_dtors_aux>:
80483d0: 80 3d 20 a0 04 08 00 cmpb $0x0,0x804a020
80483d7: 75 13 jne 80483ec <__do_global_dtors_aux>
80483d9: 55 push %ebp
80483da: 89 e5 mov %esp,%ebp
80483dc: 83 ec 08 sub $0x8,%esp
80483df: e8 7c ff ff ff call 8048360
80483e4: c6 05 20 a0 04 08 01 movb $0x1,0x804a020
80483eb: c9 leave
80483ec: f3 c3 repz ret
80483ee: 66 90 xchg %ax,%ax
080483f0 :
80483f0: a1 10 9f 04 08 mov 0x8049f10,%eax
80483f5: 85 c0 test %eax,%eax
80483f7: 74 1f je 8048418
80483f9: b8 00 00 00 00 mov $0x0,%eax
80483fe: 85 c0 test %eax,%eax
8048400: 74 16 je 8048418
8048402: 55 push %ebp
8048403: 89 e5 mov %esp,%ebp
8048405: 83 ec 18 sub $0x18,%esp
8048408: c7 04 24 10 9f 04 08 movl $0x8049f10,(%esp)
804840f: ff d0 call *%eax
8048411: c9 leave
8048412: e9 79 ff ff ff jmp 8048390
8048417: 90 nop
8048418: e9 73 ff ff ff jmp 8048390
0804841d :
#include
void p1(char c)
{
804841d: 55 push %ebp
804841e: 89 e5 mov %esp,%ebp
8048420: 83 ec 18 sub $0x18,%esp
8048423: 8b 45 08 mov 0x8(%ebp),%eax
8048426: 88 45 f4 mov %al,-0xc(%ebp)
printf("%c\n", c);
8048429: 0f be 45 f4 movsbl -0xc(%ebp),%eax
804842d: 89 44 24 04 mov %eax,0x4(%esp)
8048431: c7 04 24 50 85 04 08 movl $0x8048550,(%esp)
8048438: e8 b3 fe ff ff call 80482f0
}
804843d: c9 leave
804843e: c3 ret
0804843f :
int p2(int x, int y)
{
804843f: 55 push %ebp
8048440: 89 e5 mov %esp,%ebp
return x + y;
8048442: 8b 45 0c mov 0xc(%ebp),%eax
8048445: 8b 55 08 mov 0x8(%ebp),%edx
8048448: 01 d0 add %edx,%eax
}
804844a: 5d pop %ebp
804844b: c3 ret
0804844c :
int main(void)
{
804844c: 55 push %ebp
804844d: 89 e5 mov %esp,%ebp
804844f: 83 e4 f0 and $0xfffffff0,%esp
8048452: 83 ec 20 sub $0x20,%esp
char c = 'a';
8048455: c6 44 24 13 61 movb $0x61,0x13(%esp)
int x, y, z;
x = 1;
804845a: c7 44 24 14 01 00 00 movl $0x1,0x14(%esp)
8048461: 00
y = 2;
8048462: c7 44 24 18 02 00 00 movl $0x2,0x18(%esp)
8048469: 00
p1(c);
804846a: 0f be 44 24 13 movsbl 0x13(%esp),%eax
804846f: 89 04 24 mov %eax,(%esp)
8048472: e8 a6 ff ff ff call 804841d
z = p2(x, y);
8048477: 8b 44 24 18 mov 0x18(%esp),%eax
804847b: 89 44 24 04 mov %eax,0x4(%esp)
804847f: 8b 44 24 14 mov 0x14(%esp),%eax
8048483: 89 04 24 mov %eax,(%esp)
8048486: e8 b4 ff ff ff call 804843f
804848b: 89 44 24 1c mov %eax,0x1c(%esp)
printf("%d=%d+%d\n", z, x, y);
804848f: 8b 44 24 18 mov 0x18(%esp),%eax
8048493: 89 44 24 0c mov %eax,0xc(%esp)
8048497: 8b 44 24 14 mov 0x14(%esp),%eax
804849b: 89 44 24 08 mov %eax,0x8(%esp)
804849f: 8b 44 24 1c mov 0x1c(%esp),%eax
80484a3: 89 44 24 04 mov %eax,0x4(%esp)
80484a7: c7 04 24 54 85 04 08 movl $0x8048554,(%esp)
80484ae: e8 3d fe ff ff call 80482f0
}
80484b3: c9 leave
80484b4: c3 ret
80484b5: 66 90 xchg %ax,%ax
80484b7: 66 90 xchg %ax,%ax
80484b9: 66 90 xchg %ax,%ax
80484bb: 66 90 xchg %ax,%ax
80484bd: 66 90 xchg %ax,%ax
80484bf: 90 nop
080484c0 <__libc_csu_init>:
80484c0: 55 push %ebp
80484c1: 57 push %edi
80484c2: 31 ff xor %edi,%edi
80484c4: 56 push %esi
80484c5: 53 push %ebx
80484c6: e8 85 fe ff ff call 8048350 <__x86.get_pc_thunk.bx>
80484cb: 81 c3 35 1b 00 00 add $0x1b35,%ebx
80484d1: 83 ec 1c sub $0x1c,%esp
80484d4: 8b 6c 24 30 mov 0x30(%esp),%ebp
80484d8: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi
80484de: e8 d1 fd ff ff call 80482b4 <_init>
80484e3: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax
80484e9: 29 c6 sub %eax,%esi
80484eb: c1 fe 02 sar $0x2,%esi
80484ee: 85 f6 test %esi,%esi
80484f0: 74 27 je 8048519 <__libc_csu_init>
80484f2: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80484f8: 8b 44 24 38 mov 0x38(%esp),%eax
80484fc: 89 2c 24 mov %ebp,(%esp)
80484ff: 89 44 24 08 mov %eax,0x8(%esp)
8048503: 8b 44 24 34 mov 0x34(%esp),%eax
8048507: 89 44 24 04 mov %eax,0x4(%esp)
804850b: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4)
8048512: 83 c7 01 add $0x1,%edi
8048515: 39 f7 cmp %esi,%edi
8048517: 75 df jne 80484f8 <__libc_csu_init>
8048519: 83 c4 1c add $0x1c,%esp
804851c: 5b pop %ebx
804851d: 5e pop %esi
804851e: 5f pop %edi
804851f: 5d pop %ebp
8048520: c3 ret
8048521: eb 0d jmp 8048530 <__libc_csu_fini>
8048523: 90 nop
8048524: 90 nop
8048525: 90 nop
8048526: 90 nop
8048527: 90 nop
8048528: 90 nop
8048529: 90 nop
804852a: 90 nop
804852b: 90 nop
804852c: 90 nop
804852d: 90 nop
804852e: 90 nop
804852f: 90 nop
08048530 <__libc_csu_fini>:
8048530: f3 c3 repz ret
Disassembly of section .fini:
08048534 <_fini>:
8048534: 53 push %ebx
8048535: 83 ec 08 sub $0x8,%esp
8048538: e8 13 fe ff ff call 8048350 <__x86.get_pc_thunk.bx>
804853d: 81 c3 c3 1a 00 00 add $0x1ac3,%ebx
8048543: 83 c4 08 add $0x8,%esp
8048546: 5b pop %ebx
8048547: c3 ret
C代碼嵌入匯編代碼
內嵌匯編語法
__asm__(
匯編語句模板:
輸出部分:
輸入部分:
破壞描述部分
);
即格式為 asm("statements":output_regs:input_regs:clobbered_regs);
asm是__asm__的別名
volatile是__volatile__的別名,表示編譯器不要優化代碼
asm.c
// asm.c
#include
int main()
{
/*val1+val2=val3*/
unsigned int val1 = 1;
unsigned int val2 = 2;
unsigned int val3 = 0;
printf("val1:%d,val2:%d,val3:%d\n",val1,val2,val3);
asm volatile(
"movl $0,%%eax\n\t" /*clear %eax to 0*/
"addl %1,%%eax\n\t" /*%eax += val1*/
"addl %2,%%eax\n\t" /*%eax += val2*/
"movl %%eax,%0\n\t" /*val2 = %eax*/
: "=m" (val3) /* output =m mean only write output memory variable*/
: "c" (val1),"d" (val2) /*input c or d mean %ecx/%edx*/
);
printf("val1:%d+val2:%d=val3:%d\n",val1,val2,val3);
return 0;
}
內嵌匯編常用限定符
c_asm.png
asm2.c
int main(void)
{
int input, output, temp;
input = 1;
__asm__ __volatile__(
"movl $0, %%eax;\n\t"
"movl %%eax, %1;\n\t"
"movl %2, %%eax;\n\t"
"movl %%eax, %0;\n\t"
: "=m"(output), "=m"(temp)
: "r"(input)
: "eax"
);
printf("%d %d\n", temp, output);
return 0;
}
// %0代表output, %1代表temp, %2代表input
總結
以上是生活随笔為你收集整理的linux如何分析系统的堆栈,Linux内核分析:操作系统是如何工作的?的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: linux摄像头内核驱动开发,FS_S5
- 下一篇: redis linux无法启动服务,Ce