What is Post-Mortem/Core dump?
When a program crashes during execution, especially a C program running on Linux, an RTOS or UNIX, it usually creates a post-mortem dump. On Linux this crash/post-mortem dump is called a core dump.
A core dump is nothing but a dump of the process's main memory at the time of the crash.
The main contents of a core dump used during analysis are:
- Process image at the time of the crash
- General purpose register state/values
- Dump of the stack, which helps in backtracking the program's execution
- Details of the signal that caused the crash
A core dump file is nothing but an ELF file. An ELF file parser or the GNU binutils on Linux can be used to get the crash information.
How to create a core dump?
This depends on the shell you are using; the commands to use are given below. They set the permissible size of a core dump to unlimited so that the core file can be created.
In bash shell –
$ ulimit -c unlimited
In csh (C shell) -
$ limit coredumpsize unlimited
Have a look at the core manual page on Linux to get a better idea of setting filters for the core dump.
Analyzing the core dump: example output of a core dump using the readelf utility from binutils
----------------------------------------------------------------------------------------------------------
vikram@vikram-desktop:~/testProgs$ readelf -a ./core
ELF Header:
Magic: 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: CORE (Core file)
Machine: Advanced Micro Devices X86-64
Version: 0x1
Entry point address: 0x0
Start of program headers: 64 (bytes into file)
Start of section headers: 0 (bytes into file)
Flags: 0x0
Size of this header: 64 (bytes)
Size of program headers: 56 (bytes)
Number of program headers: 18
Size of section headers: 0 (bytes)
Number of section headers: 0
Section header string table index: 0
There are no sections in this file.
There are no sections in this file.
Program Headers:
Type Offset VirtAddr PhysAddr
FileSiz MemSiz Flags Align
NOTE 0x0000000000000430 0x0000000000000000 0x0000000000000000
0x0000000000000558 0x0000000000000000 0
LOAD 0x0000000000001000 0x0000000000400000 0x0000000000000000
0x0000000000000000 0x0000000000001000 R E 1000
LOAD 0x0000000000001000 0x0000000000600000 0x0000000000000000
0x0000000000001000 0x0000000000001000 R 1000
LOAD 0x0000000000002000 0x0000000000601000 0x0000000000000000
0x0000000000001000 0x0000000000001000 RW 1000
LOAD 0x0000000000003000 0x00007f38bf2c3000 0x0000000000000000
0x0000000000000000 0x000000000017d000 R E 1000
LOAD 0x0000000000003000 0x00007f38bf440000 0x0000000000000000
0x0000000000000000 0x00000000001ff000 1000
LOAD 0x0000000000003000 0x00007f38bf63f000 0x0000000000000000
0x0000000000004000 0x0000000000004000 R 1000
LOAD 0x0000000000007000 0x00007f38bf643000 0x0000000000000000
0x0000000000001000 0x0000000000001000 RW 1000
LOAD 0x0000000000008000 0x00007f38bf644000 0x0000000000000000
0x0000000000005000 0x0000000000005000 RW 1000
LOAD 0x000000000000d000 0x00007f38bf649000 0x0000000000000000
0x0000000000000000 0x0000000000020000 R E 1000
LOAD 0x000000000000d000 0x00007f38bf84a000 0x0000000000000000
0x0000000000003000 0x0000000000003000 RW 1000
LOAD 0x0000000000010000 0x00007f38bf865000 0x0000000000000000
0x0000000000003000 0x0000000000003000 RW 1000
LOAD 0x0000000000013000 0x00007f38bf868000 0x0000000000000000
0x0000000000001000 0x0000000000001000 R 1000
LOAD 0x0000000000014000 0x00007f38bf869000 0x0000000000000000
0x0000000000001000 0x0000000000001000 RW 1000
LOAD 0x0000000000015000 0x00007f38bf86a000 0x0000000000000000
0x0000000000001000 0x0000000000001000 RW 1000
LOAD 0x0000000000016000 0x00007fffafff0000 0x0000000000000000
0x0000000000016000 0x0000000000016000 RW 1000
LOAD 0x000000000002c000 0x00007fffb002c000 0x0000000000000000
0x0000000000001000 0x0000000000001000 R E 1000
LOAD 0x000000000002d000 0xffffffffff600000 0x0000000000000000
0x0000000000000000 0x0000000000001000 R E 1000
There is no dynamic section in this file.
There are no relocations in this file.
There are no unwind sections in this file.
No version information found in this file.
Notes at offset 0x00000430 with length 0x00000558:
Owner Data size Description
CORE 0x00000150 NT_PRSTATUS (prstatus structure)
CORE 0x00000088 NT_PRPSINFO (prpsinfo structure)
CORE 0x00000130 NT_AUXV (auxiliary vector)
CORE 0x00000200 NT_FPREGSET (floating point registers)
-------------------------------------------------------------------------------------------------------------
Analysis with the help of the EMNTECH tool:
Decoding the note section of the core dump:
Usually the note section of a core dump contains
- Stack pointer
- Process state and details
- Details of the signal that caused this crash
Get the tool from the location, copy the code and compile it. It should compile, with some warnings, on both 32- and 64-bit platforms.
The command to compile is
$ gcc corenotes.c -o cdumptrace
Below is an example of extracting the note section of a core dump:
1. Here the core dump is generated
--------------------------------------------------------------------------------------------------------------------------
vikram@vikram-OptiPlex-740:~/test/cda$ ./chkEndianNess
I am Little Endian Processor
Segmentation fault (core dumped)
-------------------------------------------------------------------------------------------------------------------------
2. File listing in the directory:
The file checkEndianNess.c checks the endianness of the processor; the same file is used to create the core dump.
coredumpnotetrace.c can be taken from the location.
-------------------------------------------------------------------------------------------------------
vikram@vikram-OptiPlex-740:~/test/cda$ ls -l
total 96
-rwxr-xr-x 1 vikram vikram 7515 2013-07-30 19:18 cdumptrace
-rw-r--r-- 1 vikram vikram 624 2013-07-30 19:19 checkEndianNess.c
-rwxr-xr-x 1 vikram vikram 7224 2013-07-30 19:19 chkEndianNess
-rw------- 1 vikram vikram 204800 2013-07-30 19:21 core
-rw-r--r-- 1 vikram vikram 4369 2013-07-30 19:16 coredumpnotetrace.c
---------------------------------------------------------------------------------------------------------
3. Final output of the note section.
---------------------------------------------------------------------------------------------------
vikram@vikram-OptiPlex-740:~/test/cda$ ./cdumptrace core
CORE
Program Received 11
Pending Signals 00000000
Hold Signals 00000000
PID of the process 2213
PPID of the process 2114
EBX: 00e6bff4
ECX: 00e6c4e0
EDX: 00e6d360
ESI: 00000000
EDI: 00000000
EBP: bfa95d68
EAX: 00000000
XDS: 0000007b
XES: 0000007b
XFS: 00000000
XGS: 00000033
ORG_EAX: ffffffff
EIP: 08048445
ECS: 00000073
EFLAGS: 00010246
ESP: bfa95d40
XSS: 0000007b
NT_PRPSINF
Name of the Exe chkEndianNess
----------------------------------------------------------------------------------------------------
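The note walk that the tool above performs, as an added example in C (not the EMNTECH tool's own source): it parses the Elf64_Nhdr chain of a core's NOTE segment and pulls the signal, PID/PPID, RIP/RSP and the program name out of NT_PRSTATUS and NT_PRPSINFO, refusing to read past a truncated note. It assumes an x86-64 Linux core read on a host of the same endianness, with glibc's elf_prstatus/elf_prpsinfo layouts (0x150 and 0x88 bytes, the note sizes readelf reported above); the segment it decodes is a constructed sample, and decode_notes, build_sample and core_summary are names chosen here.

```c
/* Added example (not the EMNTECH tool's source): decode the NOTE segment of an x86-64 Linux
 * ELF64 core. Offsets follow glibc's struct elf_prstatus (0x150 bytes) and elf_prpsinfo (0x88). */
#include <stdint.h>
#include <string.h>
struct core_summary {
    int cursig, pid, ppid; /* NT_PRSTATUS: pr_cursig, pr_pid, pr_ppid */
    uint64_t rip, rsp;     /* NT_PRSTATUS: pr_reg[16], pr_reg[19] in user_regs_struct order */
    char fname[17];        /* NT_PRPSINFO: pr_fname, 16 bytes NUL-padded */
};
static uint64_t rd(const uint8_t *p, int n) { uint64_t v = 0; memcpy(&v, p, n); return v; } /* host order */
/* Walk the Elf64_Nhdr chain (namesz, descsz, type; name and desc each padded to 4 bytes).
 * Returns the number of notes seen, or -1 if a note would run past the end of the segment. */
int decode_notes(const uint8_t *seg, size_t len, struct core_summary *out)
{
    size_t off = 0, descoff, next; int count = 0;
    memset(out, 0, sizeof *out);
    while (off + 12 <= len) {
        uint32_t namesz = rd(seg + off, 4), descsz = rd(seg + off + 4, 4), type = rd(seg + off + 8, 4);
        descoff = off + 12 + ((namesz + 3) & ~3u); next = descoff + ((descsz + 3) & ~3u);
        if (descoff > len || next > len) return -1; /* truncated note: stop, never read past len */
        const uint8_t *d = seg + descoff;
        if (type == 1 && descsz >= 0x150) {         /* NT_PRSTATUS */
            out->cursig = (int16_t)rd(d + 12, 2);
            out->pid = (int)rd(d + 32, 4); out->ppid = (int)rd(d + 36, 4);
            out->rip = rd(d + 112 + 16 * 8, 8); out->rsp = rd(d + 112 + 19 * 8, 8);
        } else if (type == 3 && descsz >= 0x88) {   /* NT_PRPSINFO */
            memcpy(out->fname, d + 40, 16);
        }
        count++; off = next;
    }
    return count;
}
/* Constructed sample: one "CORE" note of each type; PID, PPID, signal 11 and the EIP/ESP values are taken from the cdumptrace listing above. */
static size_t put_note(uint8_t *p, uint32_t type, const uint8_t *desc, uint32_t descsz)
{
    uint32_t hdr[3] = { 5, descsz, type };      /* namesz 5 counts the NUL of "CORE" */
    memcpy(p, hdr, 12); memcpy(p + 12, "CORE\0\0\0\0", 8); memcpy(p + 20, desc, descsz);
    return 20 + ((descsz + 3) & ~3u);
}
size_t build_sample(uint8_t *buf) /* buf must hold at least 512 bytes; returns bytes written */
{
    uint8_t st[0x150] = {0}, ps[0x88] = {0};
    uint16_t sig = 11; uint32_t pid = 2213, ppid = 2114; uint64_t rip = 0x08048445, rsp = 0xbfa95d40;
    memcpy(st + 12, &sig, 2); memcpy(st + 32, &pid, 4); memcpy(st + 36, &ppid, 4);
    memcpy(st + 112 + 16 * 8, &rip, 8); memcpy(st + 112 + 19 * 8, &rsp, 8);
    memcpy(ps + 40, "chkEndianNess", 14);
    size_t n = put_note(buf, 1, st, sizeof st);
    return n + put_note(buf + n, 3, ps, sizeof ps);
}
```

On a real core, feed decode_notes the bytes of the PT_NOTE program header (offset 0x430, size 0x558 in the readelf output above) instead of the constructed sample.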
With the help of GDB and binutils
Command to use with gdb:
$ gdb ./executable-file-name core
./executable-file-name is the name of the executable file
core is the core dump obtained after the crash