Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep

Ghetto Profiling

Although several texts reference the ability to enable profiling by rebuilding the xnu kernel under OS X, that never seemed to work correctly for me. For this reason, the author kept a written list of interesting offsets and profile other information. For example, when you break in sta_add, ECX contains a pointer to the packet that is about to parse. To use this as a ghetto profiler, the author would set a breakpoint at the beginning of sta_add. Using this command's feature, a conditional is used to make sure ECX is not NULL and, if not, print the first 20 bytes of it. The debugger is then told to continue.

(gdb) break sta_add
Breakpoint 1 at 0x8f2e35
(gdb) commands
Type your commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
> if $ecx > 0x100
 >x/20x $ecx

Every time this breakpoint is hit it will print the first 20 bytes of ECX and then continue. This is useful because when the machine does crash one can see the packet it was processing at the time. This is what it looks like when running.

Breakpoint 1, 0x008f2e35 in sta_add ()
2: x/i $eip  0x8f2e35 <sta_add+6>:      sub    esp,0x3c
0x1e34f000:     0x013a0050      0x04cb1600      0x110062a3      0xfeaffb50
0x1e34f010:     0xfb501100      0x2ef0feaf      0xf6773728      0x00000192
0x1e34f020:     0x04110064      0x68730700      0x656b6e69      0x8204016e
0x1e34f030:     0x03968b84      0x16dd0b01      0x01f25000      0x50000001
0x1e34f040:     0x000102f2      0x02f25000      0x50000001      0x060402f2

Breakpoint 1, 0x008f2e35 in sta_add ()
2: x/i $eip  0x8f2e35 <sta_add+6>:      sub    esp,0x3c
0x1e36a000:     0x00000080      0xffffffff      0x6161ffff      0x8710ec61
0x1e36a010:     0xec616161      0xc1c08710      0xc5962377      0xa185eaae
0x1e36a020:     0xa9b1ffff      0x55441300      0x30455362      0x34634972
0x1e36a030:     0x4530614a      0x6f557678      0x82080137      0x0c968b84
0x1e36a040:     0x03483018      0xf0320b01      0x41414141      0x41414141

The first packet is a probe response which can be determined keying off the 50 that starts the packet. The integer format should be read in reverse byte-order such that 0x013a0050 is actually 0x50 0x0x3a 0x01. The next packet is 0x80 0x00 0x00 0x00 which is a beacon frame with a BSSID of 0x61 0x61 0x61 0xec 0x10 0x87. This represents a packet that was created by the packet generation script.

The ghetto profiling works great on less frequently invoked breakpoints. The more hits a breakpoint receives, the greater the load to a machine.