|Informative Information for the Uninformed|
Although several texts reference the ability to enable profiling by rebuilding the xnu kernel under OS X, that never seemed to work correctly for me. For this reason, the author kept a written list of interesting offsets and other profiling information. For example, when you break in sta_add, ECX contains a pointer to the packet that it is about to parse. To use this as a ghetto profiler, the author would set a breakpoint at the beginning of sta_add. Using gdb's commands feature, a conditional is used to make sure ECX is not NULL (the session below checks that it is above 0x100) and, if so, print the first 20 words of it. The debugger is then told to continue.
(gdb) break sta_add
Breakpoint 1 at 0x8f2e35
(gdb) commands
Type your commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
> if $ecx > 0x100
>x/20x $ecx
>end
>continue
>end
Every time this breakpoint is hit it will print the first 20 words of the packet ECX points to and then continue. This is useful because when the machine does crash one can see the packet it was processing at the time. This is what it looks like when running.
Breakpoint 1, 0x008f2e35 in sta_add ()
2: x/i $eip  0x8f2e35 <sta_add+6>:  sub esp,0x3c
0x1e34f000: 0x013a0050 0x04cb1600 0x110062a3 0xfeaffb50
0x1e34f010: 0xfb501100 0x2ef0feaf 0xf6773728 0x00000192
0x1e34f020: 0x04110064 0x68730700 0x656b6e69 0x8204016e
0x1e34f030: 0x03968b84 0x16dd0b01 0x01f25000 0x50000001
0x1e34f040: 0x000102f2 0x02f25000 0x50000001 0x060402f2

Breakpoint 1, 0x008f2e35 in sta_add ()
2: x/i $eip  0x8f2e35 <sta_add+6>:  sub esp,0x3c
0x1e36a000: 0x00000080 0xffffffff 0x6161ffff 0x8710ec61
0x1e36a010: 0xec616161 0xc1c08710 0xc5962377 0xa185eaae
0x1e36a020: 0xa9b1ffff 0x55441300 0x30455362 0x34634972
0x1e36a030: 0x4530614a 0x6f557678 0x82080137 0x0c968b84
0x1e36a040: 0x03483018 0xf0320b01 0x41414141 0x41414141
The first packet is a probe response, which can be determined from the 0x50 that starts the packet. gdb prints each 32-bit word in host byte order, so a word should be read in reverse byte order: 0x013a0050 is actually 0x50 0x00 0x3a 0x01. The next packet starts with 0x80 0x00 0x00 0x00, which is a beacon frame with a BSSID of 0x61 0x61 0x61 0xec 0x10 0x87. This is a packet that was created by the packet generation script.
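Doing the byte-order reversal and frame-control decoding by hand for every dump gets old quickly. The following script is an added example (not part of the original article or its tooling) that takes the two x/20x dumps above, pasted in as constructed sample input, rebuilds the raw packet bytes and decodes the 802.11 management header; the MGMT_SUBTYPES table and the helper names are this example's own.

```python
import re
import struct
# Constructed sample input: the two x/20x dumps from the gdb session above,
# pasted into strings so the script runs offline (not live debugger output).
GDB_DUMP_1 = """\
0x1e34f000: 0x013a0050 0x04cb1600 0x110062a3 0xfeaffb50
0x1e34f010: 0xfb501100 0x2ef0feaf 0xf6773728 0x00000192
0x1e34f020: 0x04110064 0x68730700 0x656b6e69 0x8204016e
0x1e34f030: 0x03968b84 0x16dd0b01 0x01f25000 0x50000001
0x1e34f040: 0x000102f2 0x02f25000 0x50000001 0x060402f2
"""
GDB_DUMP_2 = """\
0x1e36a000: 0x00000080 0xffffffff 0x6161ffff 0x8710ec61
0x1e36a010: 0xec616161 0xc1c08710 0xc5962377 0xa185eaae
0x1e36a020: 0xa9b1ffff 0x55441300 0x30455362 0x34634972
0x1e36a030: 0x4530614a 0x6f557678 0x82080137 0x0c968b84
0x1e36a040: 0x03483018 0xf0320b01 0x41414141 0x41414141
"""

# 802.11 management-frame subtypes (frame control type == 0)
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}

def dump_to_bytes(text):
    """Turn gdb 'x/Nx' output back into raw packet bytes. gdb prints each
    32-bit word in host order, so on x86 the packet's first byte is the
    LAST byte of the first word (0x013a0050 -> 50 00 3a 01)."""
    out = bytearray()
    for line in text.splitlines():
        m = re.match(r"\s*0x[0-9a-f]+:\s+(.*)", line, re.I)
        if m:
            for word in m.group(1).split():
                out += struct.pack("<I", int(word, 16))   # little-endian
    return bytes(out)

def describe_frame(pkt):
    """Decode the MAC header of an 802.11 management frame: frame control
    subtype plus the three addresses (addr1, addr2, BSSID)."""
    fc = pkt[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    mac = lambda off: ":".join("%02x" % b for b in pkt[off:off + 6])
    if ftype != 0:
        return {"type": ftype, "subtype": "non-management", "bssid": None}
    return {"type": ftype, "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)),
            "addr1": mac(4), "addr2": mac(10), "bssid": mac(16)}

if __name__ == "__main__":
    for dump in (GDB_DUMP_1, GDB_DUMP_2):
        print(describe_frame(dump_to_bytes(dump)))
```

Run against the first dump it reports a probe response from BSSID 00:11:50:fb:af:fe, and against the second a broadcast beacon from BSSID 61:61:61:ec:10:87, the generated packet the text identifies.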
The ghetto profiling works well on breakpoints that are hit infrequently. The more often a breakpoint is hit, the greater the load on the machine.